Category: Blog

January 21st, 2022 by John

I was fortunate to be on a panel to discuss the Software Supply Chain with Richard Rushing, Bryan Hurd and Richard Greenberg (moderator) for the ISSA Los Angeles chapter on Wednesday (1/19/21). The recording is available at https://www.youtube.com/watch?v=y3wqCc34tME.

Posted in Blog, Cybersecurity & Infosec, Presentations & Webinars, Resiliency, Risk Management, Supply Chain

January 20th, 2022 by John

Supply chain security can refer to suppliers who provide services, staffing, support, or who develop software/hardware. The supply chain is varied and different across industry segments and organizations. If you consider the development of applications or electronics, there may be a long list of companies who contribute to the final product. The longer the supply chain and the less visibility you have into (or ability to assess) each supplier, the higher the overall complexity and resulting risk to your organization.

Consider the software in use in your own organization. There is a lot of it. Do you have a complete inventory of the software running on your endpoints or supporting business processes? A granular software inventory and an approved enterprise application catalog are the starting point. The granular information you need for each application includes: who owns it and makes decisions about it; who supports and patches it; who budgets for and pays for its licenses; and what its architecture is and how it communicates. Keep this inventory in one central, trusted place (the process may differ between desktops and servers), and reconcile what is actually installed against what is approved.
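The reconciliation step above, as an added example (not tooling from the post): it compares what an endpoint agent reports against an approved catalog whose columns mirror the questions in the paragraph (owner, patcher, license owner, scope, communication profile), and flags unapproved installs, catalog entries with nobody responsible for patching, and approved products running on the wrong class of host. The CSV data and the "srv-" host-naming convention are constructed for the demonstration.

```python
"""Reconcile discovered endpoint software against an approved application catalog.

Added example, not the post's own tooling. All data below is constructed.
"""
import csv
import io

# Constructed: what an endpoint agent reports (host, product, version).
DISCOVERED_CSV = """host,product,version
ws-0412,Chrome,120.0.6099
ws-0412,7-Zip,23.01
ws-0412,AnyDesk,8.0.6
srv-db01,PostgreSQL,15.4
srv-db01,Chrome,118.0.5993
ws-0977,Chrome,120.0.6099
ws-0977,TeamViewer,15.48
"""

# Constructed: the approved enterprise catalog. An empty owner/patcher field is
# exactly the gap the post says an inventory must close.
CATALOG_CSV = """product,owner,patcher,license_owner,scope,comm_profile
Chrome,Desktop Engineering,Desktop Engineering,IT Finance,desktop,outbound 443
7-Zip,Desktop Engineering,,IT Finance,desktop,none
PostgreSQL,Data Platform,Data Platform,Data Platform,server,inbound 5432 from app tier
"""

REQUIRED_FIELDS = ("owner", "patcher", "license_owner")


def load_catalog(text):
    """Return {product: row} from the catalog CSV."""
    return {row["product"]: row for row in csv.DictReader(io.StringIO(text))}


def host_class(host):
    """Constructed convention: host names starting with 'srv-' are servers."""
    return "server" if host.startswith("srv-") else "desktop"


def reconcile(discovered_text, catalog_text):
    """Compare discovered installs with the catalog.

    Returns a dict with:
      unapproved:   {product: [hosts]}   installs with no catalog entry
      incomplete:   {product: [fields]}  catalog entries missing a responsible party
      out_of_scope: [(host, product)]    approved product on the wrong class of host
    """
    catalog = load_catalog(catalog_text)
    unapproved, out_of_scope = {}, []
    for row in csv.DictReader(io.StringIO(discovered_text)):
        entry = catalog.get(row["product"])
        if entry is None:
            unapproved.setdefault(row["product"], []).append(row["host"])
            continue
        if entry["scope"] != host_class(row["host"]):
            out_of_scope.append((row["host"], row["product"]))
    incomplete = {}
    for product, entry in catalog.items():
        missing = [f for f in REQUIRED_FIELDS if not entry[f].strip()]
        if missing:
            incomplete[product] = missing
    return {"unapproved": unapproved, "incomplete": incomplete, "out_of_scope": out_of_scope}


if __name__ == "__main__":
    report = reconcile(DISCOVERED_CSV, CATALOG_CSV)
    for product, hosts in report["unapproved"].items():
        print(f"UNAPPROVED {product}: {', '.join(hosts)}")
    for product, fields in report["incomplete"].items():
        print(f"NO OWNER   {product}: missing {', '.join(fields)}")
    for host, product in report["out_of_scope"]:
        print(f"SCOPE      {product} on {host}")
```

On the constructed data this flags the two remote-access tools nobody approved, the archiver that has an owner but no one assigned to patch it, and a desktop browser installed on a database server. The unapproved list is the supply-chain question in concrete form: software running in the estate whose supplier nobody has assessed.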

Posted in Blog, Cybersecurity & Infosec, Exploits & Attacks, Resiliency, Risk Management, Supply Chain

February 5th, 2020 by John

Armis announced the discovery of five critical zero-day vulnerabilities in several implementations of the Cisco Discovery Protocol (CDP) that allow an attacker to take over affected devices without any user interaction. CDP is a Layer 2 protocol that is not routed, so the attacker must already be on a directly connected network segment. The vulnerabilities, dubbed CDPwn, affect a wide variety of Cisco equipment.
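The first thing a network team needs after an announcement like this is a list of where CDP is actually exposed. The following is an added example, not Armis's or Cisco's code: it reads a Cisco IOS running-config and lists interfaces on which CDP is still active, relying only on IOS behaviour that CDP is on by default, that "no cdp run" disables it globally and that "no cdp enable" disables it on one interface. The configuration text is constructed.

```python
"""Audit a Cisco IOS running-config for interfaces that still speak CDP.

Added example; not vendor code. The config excerpt below is constructed.
"""
import re

# Constructed "show running-config" excerpt from an access switch.
RUNNING_CONFIG = """
hostname access-sw-3
!
interface GigabitEthernet1/0/1
 description uplink to core
 no cdp enable
!
interface GigabitEthernet1/0/2
 description user port
 switchport access vlan 20
!
interface GigabitEthernet1/0/3
 description IP phone
 switchport voice vlan 30
!
end
"""


def parse_interfaces(config):
    """Return {interface name: [stanza lines]} for each interface stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas


def cdp_enabled_interfaces(config):
    """List interfaces on which CDP is active.

    A global "no cdp run" disables CDP everywhere regardless of per-interface
    settings. Otherwise CDP is the default, so an interface is active unless
    its stanza contains "no cdp enable" (the enabled state is never printed).
    """
    if any(line.strip() == "no cdp run" for line in config.splitlines()):
        return []
    return [name for name, lines in parse_interfaces(config).items()
            if "no cdp enable" not in lines]


if __name__ == "__main__":
    for name in cdp_enabled_interfaces(RUNNING_CONFIG):
        print("CDP active:", name)
```

The output is the exposure list, not a fix list: the phone port in the sample relies on CDP for voice VLAN assignment, so turning CDP off there breaks the phone, and the right action for such ports is patching the device rather than disabling the protocol. Ports facing only untrusted or unmanaged equipment are the candidates for "no cdp enable".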

Posted in Blog, Vulnerabilities

April 22nd, 2019 by John

Posted in Blog

February 14th, 2019 by John

Posted in Blog

December 20th, 2018 by John

Cyber threats to buildings/data centers include data issues: compromise, exfiltration and denial-of-service. Control system cyber threats to data centers have focused on the Internet-connected building control systems. However, there are other control system cyber threats to data centers that have not been addressed and have actually caused data center damage.

Read more at https://www.realcomm.com/advisory/904/1/control-system-cybersecurity-and-what-it-means-to-buildings.

Posted in Blog

July 16th, 2018 by John

I get a lot of spam. A lot of phishing attacks. Gmail does a pretty good job of filtering them out. Last week the prevalent phishing attack was an attempt to get you to ‘complete the process of unsubscribing’. This attempt at social engineering was obviously timed to coincide with the European deadline for GDPR compliance, which led many individuals to unsubscribe rather than opt in to marketing.

This week brings us a phishing attack that might scare your pants off, at first glance. Most Americans have probably had their username and password leaked at some point. So, when you receive an email that starts off by listing your password, you might sit up and take notice. I received this email because one of my accounts was associated with a password breach, so I know this has to be circulating big time! (It was for a password I also changed over a year ago.)

Many Americans have visited an adult website at some point in the past. When you marry up the two, you have a very convincing phishing email that then requests you send a cryptocurrency ransom to prevent a video of what you supposedly were watching along with footage from your computer’s camera. Here is an example phishing email:

Don’t fall for this scam. What you can do is visit a site like Have I Been Pwned (https://haveibeenpwned.com) to see if your email is associated with any breaches, so you can be sure to change any passwords that might have been leaked in the past. Stay safe and secure!
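The same site also offers a way to check whether a specific password has appeared in a breach without ever sending the password, which is the check that matters when a scam email quotes one at you. The following is an added example, not code from the post: it implements the client side of the Pwned Passwords k-anonymity lookup, in which only the first five hex characters of the password's SHA-1 leave your machine and the service returns every hash suffix in that bucket for you to match locally. The range response body here is constructed; a real client would fetch https://api.pwnedpasswords.com/range/<prefix> and pass that text in.

```python
"""Client-side Pwned Passwords check using the k-anonymity range protocol.

Added example, not the post's. The sample response is constructed; only the
format (uppercase SUFFIX:COUNT per line) follows the real service.
"""
import hashlib

# Constructed range response for prefix 5BAA6. The middle line is the real
# suffix of SHA-1("password"); the other two lines and all counts are made up.
SAMPLE_RANGE_RESPONSE = """\
0007DBFB2C6B30A3DD8E2F6C9A1D4F0B2E7:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
5A2F1A6A1B3C5D8E9F0A1B2C3D4E5F60718:1
"""


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of password into (5-char prefix, 35-char suffix).

    Only the prefix is ever sent to the service; it identifies a bucket of
    roughly 16^5 possible hashes, not the password.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix, range_response):
    """Return how many times suffix is listed in a range response, 0 if absent."""
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def is_pwned(password, range_response):
    """True when the password's hash suffix appears in the bucket response."""
    _prefix, suffix = sha1_prefix_suffix(password)
    return breach_count(suffix, range_response) > 0


if __name__ == "__main__":
    prefix, suffix = sha1_prefix_suffix("password")
    print("send to service:", prefix)          # the only value that leaves the host
    print("seen in breaches:", breach_count(suffix, SAMPLE_RANGE_RESPONSE))
```

The matching happens entirely on the client, so the service learns which of about a million buckets your hash falls in and nothing more. The breach lookup by email address that the post recommends is a separate service and is best done in the browser as described.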


Posted in Blog, Criminal, Scams & Ransomware

June 17th, 2018 by John

I have a thought that blockchain and PKI could provide election integrity.

The goal would be to provide one vote per citizen, and some ideal blockchain method would ensure this. Along with PKI (some hash or encryption which is unique) every citizen would be able to validate how they voted (it could be a receipt with a code/QR code which they could retain). The government could not reverse that and see how any individual voted, only that they voted one time. There would need to be a process for a voter to dispute their vote, in case it is falsified.

The devil is in the details. I think this would need to be a distributed blockchain managed by the government, but which citizens could also participate in, or a third party.

There are political and technical issues to overcome, clearly. However, I believe that it is possible. It would mean a national standard for elections, but it could also maintain voting at voting stations as well as voting online.

This may come close to essentially having a Voter ID (no more intrusive than having a Social Security Number or driver’s license); however, it could also be validated at the polling place. The more nodes involved, the harder it would be to cheat the system.

I am investigating this with experts. If the answer is that the technology will not support what I envision, that is fine. I think that we have experts and the technology to pull it off. At the same time, I recognize that any connected/networked system can be vulnerable to attack. I believe that the more we have a distributed ledger of election transactions, the harder it is to subvert the system.

This would involve a change to how we vote, to a degree, and certainly a change to the underlying technology used nationally. States would need to buy into the process and when technology needs to be replaced, it is not necessarily inexpensive. But, I think we have the technology to ensure people cast their vote and it is properly counted. I am working with experts to contemplate how this might be done.

This does not solve the problem of voters being influenced to vote a certain way, but I think it could provide a secure and immutable way to have votes counted. One vote per person.

What do you think? Nothing is perfect, but I think this would be an improvement and very difficult to subvert on a large scale. There would be some forensic record of tampering, since there would be many distributed nodes recording transactions, with appropriate anonymity.
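To make the ledger idea in the post concrete, here is an added toy illustration (not the author's design and not a real voting protocol). It shows three of the properties the post asks for: one record per registered voter, a receipt the voter can check against the ledger, and a hash chain that exposes any later edit. It deliberately leaves out tallying, coercion resistance and key distribution, which is where the real difficulty lies. The registry key, voter IDs and ballots are constructed.

```python
"""Toy append-only ledger of vote commitments with receipts and tamper detection.

Added illustration; not a voting system. All keys and identifiers are constructed.
"""
import hashlib
import hmac
import secrets

REGISTRY_KEY = b"constructed-registry-key"  # held by the registrar, never published
GENESIS = "0" * 64


def _h(*parts):
    """SHA-256 over '|'-joined string parts, as lowercase hex."""
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


def voter_token(voter_id):
    """Keyed hash of the registration ID.

    Lets the ledger reject a second ballot from the same voter without
    publishing the ID itself; only the registrar can map tokens back.
    """
    return hmac.new(REGISTRY_KEY, voter_id.encode(), hashlib.sha256).hexdigest()


class Ledger:
    def __init__(self):
        self.entries = []  # each: {"token", "commitment", "prev", "hash"}
        self._seen = set()

    def cast(self, voter_id, ballot):
        """Append a commitment to ballot; return the voter's private receipt."""
        token = voter_token(voter_id)
        if token in self._seen:
            raise ValueError("voter has already cast a ballot")
        nonce = secrets.token_hex(16)
        commitment = _h(ballot, nonce)  # hides the ballot from anyone without the nonce
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"token": token, "commitment": commitment, "prev": prev}
        entry["hash"] = _h(prev, token, commitment)
        self.entries.append(entry)
        self._seen.add(token)
        return {"index": len(self.entries) - 1, "nonce": nonce, "commitment": commitment}

    def check_receipt(self, receipt, ballot):
        """Voter-side check: the recorded commitment opens to my ballot."""
        entry = self.entries[receipt["index"]]
        return entry["commitment"] == receipt["commitment"] == _h(ballot, receipt["nonce"])

    def verify_chain(self):
        """Return the index of the first broken link, or None if the chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != _h(prev, e["token"], e["commitment"]):
                return i
            prev = e["hash"]
        return None


def demo():
    """Exercise the ledger and report which properties held."""
    ledger = Ledger()
    r1 = ledger.cast("voter-001", "candidate-A")
    r2 = ledger.cast("voter-002", "candidate-B")
    results = {
        "receipt_ok": ledger.check_receipt(r1, "candidate-A") and ledger.check_receipt(r2, "candidate-B"),
        "wrong_ballot_rejected": not ledger.check_receipt(r1, "candidate-B"),
        "intact": ledger.verify_chain() is None,
    }
    try:
        ledger.cast("voter-001", "candidate-B")
        results["double_vote_rejected"] = False
    except ValueError:
        results["double_vote_rejected"] = True
    # Tampering after the fact: rewrite voter 1's commitment to a different ballot.
    ledger.entries[0]["commitment"] = _h("candidate-B", r1["nonce"])
    results["tamper_index"] = ledger.verify_chain()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats follow directly from the code. Whoever holds the ledger can rewrite an entry and recompute every later hash, so the tamper evidence comes only from independent copies held by many parties, which is the "more nodes" point in the post. And a receipt that opens to the ballot lets the voter prove to anyone how they voted, which is the coercion and vote-selling problem that real election designs have to solve before a receipt can be handed out.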

Posted in Blockchain, Blog, Cryptography