Bring it! Show us what you’ve learned, what you’re made of, what you think. Last year’s virtual event was outstanding, and opened the doors for so many more attendees to submit. The Diana Initiative features a diverse speaker line-up covering a wide range of topics – why not yours? There will be multiple speaking tracks. Speakers have a choice of a 20 minute slot or a 50 minute slot. Please review the details and process below and submit your talk! For any CFP questions, email [firstname.lastname@example.org]
Feb 15th, 2021: Call For Papers Opens
March 21st, 2021: First Round closes
April 7th, 2021: First Round notifications sent
May 7th, 2021: Second Round closes
May 22nd, 2021: Second Round notifications sent
Submission Guidelines: Papers that don’t meet these may be rejected
Speaker Email (this is how we will contact you) Hidden from reviewers
Speaker biography (150 words or less per speaker) Hidden from reviewers
Abstract for your talk (200 words or less) Please refrain from including identifying information
Detailed talk outline (please refrain from including identifying information). Break your talk idea down into subheadings with bullet points that explain what it is, why it matters, and what attendees will take away as learning or something they can apply. Show approximate speaking times for each section. Less is not more when it comes to the outline and selling your concept.
Whether this would be your first speaking engagement at a conference
Whether this talk has been previously given at another conference
Oops! Security researchers found a PIN bypass attack using a chip and PIN secured VISA card without requiring the PIN. It exploits “serious” vulnerabilities that are known in the EMV contactless protocol, using an Android app in a man-in-the-middle attack that intercepts and manipulates the NFC or WiFi communications. The good news: Mastercard was notified in advance and attackers need the planets to align to pull this off. But it’s valid.
Gone but not forgotten. Actually still very much active and beaconing home. Iranian APT malware “Foudre” and “Tonnerre” were found operating on a server in a Dutch data center. They install a backdoor onto compromised Windows x86 and x64 machines for cyber espionage. Tonnerre is equipped for persistence, data exfil and all the spygame fun that Iranian APTs are notoriously good at.
Update to CRA email removal: 100k online accounts were suspended as a precaution when login credentials were found being sold on dark web forums. No breach.
SolarWinds Update: per Bleeping Computer’s article today, the SolarWinds attackers could get access to source code for some components used by Azure, Intune and Exchange. It could lead to gaining API keys, credentials and security tokens embedded in the source code. I’ll just leave that with you 😲
Since yesterday a growing number of Canadians are reporting being locked out of their accounts for Canada Revenue’s online platform, with the message that their email address has been removed. That is disturbing because it can be a preliminary safety measure in response to an information leak or attempted hack. More disturbing if it is issued with no further explanation and tax season is upon us. The CRA has said this is not a breach but is a security precaution “in the context of ongoing investigative work” and that those users locked out will receive a letter by regular mail to help them unlock their account. And unfortunately it seems there is no getting through on the phone lines 😞
Now, the CRA had a breach involving CERB payments fraud last August and did the same thing, shutting down online services, before announcing it. Precedent?
Spy pixels are tracking pixels or web beacons hidden in the content of an email: tiny image files that blend right in. When the recipient opens the email, the tracking pixel is automatically downloaded, and that download itself tells the sender the message was opened. Great for marketers and businesses measuring customer engagement, but awful for privacy. Users can prevent them from triggering by configuring their email client or browser not to download images automatically.
I am not a marketer and I have a decidedly different view on privacy because I do security for a living. That said, I have had concerns about the use of trackers in emails for some time, and it’s only getting worse. When I see “automatically downloads” I think of how attackers enable macros and malware, steganography tactics. Call me paranoid.
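To make the beacon mechanism concrete, here is an added example (my own illustration for this post, not code from any of the articles linked here) that detects likely tracking pixels in an HTML email body and then mimics the “do not load remote images” setting by neutralizing remote image sources. The sample message and the hostnames in it are constructed placeholders.

```python
"""Detect and neutralize email tracking pixels (spy pixels) in an HTML body.

Added example for this post; the sample message below is constructed, and the
hostnames in it are placeholders, not real tracking domains.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a logo embedded inline (cid:), a 1x1 remote beacon with a
# per-recipient id in its query string, a CSS-hidden remote beacon, and a
# normal remote product image.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Hi there, your order has shipped.</p>
<img src="cid:logo123" width="120" height="40" alt="logo">
<img src="https://track.example-marketing.test/open?id=42" width="1" height="1" alt="">
<img src="https://cdn.example-marketing.test/px.gif" style="display:none;width:0;height:0">
<img src="https://cdn.example.test/product.jpg" width="300" height="200" alt="product">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): v for k, v in attrs})


def _is_remote(src):
    """Only http(s) sources cause a network fetch; cid: and data: do not."""
    return urlparse(src).scheme.lower() in ("http", "https")


def _tiny(value):
    """True for width/height values of 0 or 1 (with or without 'px')."""
    if value is None:
        return False
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return v.strip() in ("0", "1")


def _hidden_by_style(style):
    """Inline CSS commonly used to hide a beacon from the reader."""
    if not style:
        return False
    s = style.replace(" ", "").lower()
    return any(tok in s for tok in ("display:none", "visibility:hidden", "width:0", "height:0"))


def find_tracking_pixels(html):
    """Return one finding per remote image that looks like a beacon."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src") or ""
        if not _is_remote(src):
            continue
        reasons = []
        if _tiny(attrs.get("width")) and _tiny(attrs.get("height")):
            reasons.append("1x1-or-0x0")
        if _hidden_by_style(attrs.get("style")):
            reasons.append("hidden-by-css")
        if urlparse(src).query:
            reasons.append("per-recipient-query-string")
        if reasons:
            findings.append({"src": src, "host": urlparse(src).hostname, "reasons": reasons})
    return findings


_REMOTE_IMG_SRC = re.compile(r'(<img\b[^>]*?\bsrc=")(https?://[^"]*)(")', re.IGNORECASE)


def block_remote_images(html):
    """Mimic a mail client's 'do not load remote images' setting: every remote
    img src is replaced so rendering fetches nothing; inline cid: images stay."""
    return _REMOTE_IMG_SRC.sub(lambda m: m.group(1) + "about:blank" + m.group(3), html)


if __name__ == "__main__":
    for f in find_tracking_pixels(SAMPLE_EMAIL_HTML):
        print(f"{f['host']}: {', '.join(f['reasons'])}")
```

The detection side is heuristic (a beacon can be a full-size image too), which is why the blocking side does not try to be clever: it treats every remote image as a potential beacon and loads none of them, which is exactly what the client-side setting does.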
Nicole Perlroth is currently a cybersecurity reporter with the New York Times. This book has been years in the making, a history of dark secrets that are rarely divulged, let alone recorded, about cyber arms deals. A history of and cautionary tale on the development of the cyber weapons industry, with America at the center of things.
Now, I have strange tastes in bedtime stories. For years, “Countdown to Zero Day”, the fabulous history on Stuxnet by Kim Zetter, has been my favourite. Seriously, I did read it to my kids. They’ve sadly outgrown bedtime stories but I haven’t, and this book by Nicole Perlroth has everything I could ask for: dark topics, disturbing truths, and echoing thoughts I’ve expressed to the disbelief or disinterest of others (I wasn’t paranoid enough lol). I’ll be sharing tasty morsels as I make my way through.
Ransomware operators are following that mass migration to the Cloud. Researchers at RiskSense released a report showing a shift in targets to move up the stack, tracking data-dense applications and software as a service, web frameworks and open source tools.
Ransomware attacks are also affecting perimeter technologies, which include VPNs, remote access services and zero trust. And for that initial access, a reported 125 active Ransomware groups are leveraging some critical vulnerabilities, 124 CVEs with active exploits, to gain RCE and privilege escalation. These tactics bypass the need to engage a user. Read the RiskSense report for more details.
Which segues to this topic. The modern programming languages we use are modular, with interchangeable blocks or plugins to provide key functions for text, networking or doing math. The code is shared and available through open source repositories and platforms like GitHub. Per the article, 99% of codebases have components from open source and as much as 70% of code used by enterprises comes from open source.
Welcome to the realities of third-party code, where security issues have become headlines. It’s compromised in Magecart attacks. It’s a conduit for attackers to poison and distribute their malware downstream. Fact is, the flaws and vulnerabilities in that code are now in the attackers’ sights. “The inventory, version and configuration of services in a cloud environment should be looked at as part of the supply chain, including the scripts used by DevOps to provision them”.
TrickBot has levelled up again, this time making its well-equipped BazarBackdoor malware even more evasive by writing it, specifically the backdoor component, in the Nim programming language. As conventional AV won’t be looking for this more obscure language just yet, don’t let it slip on in.
More surveillance malware targeting Android users, the vast majority of mobile users. This malware can severely compromise a user’s safety by accessing SMS messages and encrypted messages from WhatsApp (widely used) as well as geolocation. People everywhere rely on encrypted messaging services and the ability to shield their location for personal protection. Attackers learn from each other and copy what works. Lessons in here to extrapolate and apply more broadly.
Impressive work by Lookout security researchers linking the surveillanceware to APT group Confucius in their latest report.
Patch Tuesday Quick Hits: 56 just from Microsoft. 3 critical and high severity TCP/IP bugs that are magnets for exploit. Two for the .NET Framework, which are manual patches. And the critical one for Windows DNS server. May the patching gods smile upon you.
We live in an increasingly interconnected digital world, where relationships and connections need to be understood and monitored at the system level, up through business and personal levels. Trust but verify. Attackers will be actively seeking out dependency vulnerabilities, leveraging automated downloads and targeting open source repositories.
With automation, trust and expectation are bigger factors than we realize. Security researchers Alex Birsan and Justin Gardner highlight “Dependency Confusion” and how easily it can become something we missed.
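The third-party code and dependency confusion points above come down to one resolver behaviour, so here is an added example (my own illustration, not code from the researchers’ write-up or from any package manager) that simulates it: a naive resolver that merges a private and a public feed and takes the highest version, beside a pinned resolver that allows each name exactly one feed, plus the audit check that shows where the two disagree. The package names and feed contents are constructed.

```python
"""Dependency confusion: how a naive resolver picks the wrong feed, and a
source-pinning policy that prevents it.

Added example for this post, not code from the researchers' write-up. The
package names and registry contents below are constructed.
"""

# Constructed feed snapshots: package name -> available versions.
PRIVATE_INDEX = {
    "acme-billing-core": ["1.2.0", "1.3.1"],
    "acme-auth-utils": ["0.9.0"],
}
PUBLIC_INDEX = {
    # Same name as an internal package, but a far higher version number:
    # this is the confusion vector.
    "acme-billing-core": ["99.0.0"],
    "acme-auth-utils": ["0.9.0"],
    "requests": ["2.25.1"],
}


def _vtuple(version):
    """'1.3.1' -> (1, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def resolve_naive(deps, private=PRIVATE_INDEX, public=PUBLIC_INDEX):
    """The vulnerable behaviour: merge every configured feed and install the
    highest version seen, wherever it came from."""
    resolved = {}
    for name in deps:
        candidates = [(v, "private") for v in private.get(name, [])]
        candidates += [(v, "public") for v in public.get(name, [])]
        if not candidates:
            raise LookupError(f"{name}: not found in any feed")
        # On an exact version tie the private copy wins; the danger is a public
        # copy with a higher version, which wins outright.
        version, source = max(candidates, key=lambda c: (_vtuple(c[0]), c[1] == "private"))
        resolved[name] = (version, source)
    return resolved


def resolve_pinned(deps, internal_names, private=PRIVATE_INDEX, public=PUBLIC_INDEX):
    """Hardened behaviour: each name has exactly one allowed feed. Internal
    names only ever come from the private feed, everything else only from the
    public one, and a miss is an error rather than a fallback to the other feed."""
    resolved = {}
    for name in deps:
        feed, source = (private, "private") if name in internal_names else (public, "public")
        versions = feed.get(name)
        if not versions:
            raise LookupError(f"{name}: not in its designated feed ({source})")
        resolved[name] = (max(versions, key=_vtuple), source)
    return resolved


def confusion_findings(internal_names, private=PRIVATE_INDEX, public=PUBLIC_INDEX):
    """Audit check: which internal names also exist publicly, and would the
    naive resolver prefer the public copy? In practice, run this against the
    real public registry for every internal package name."""
    findings = []
    for name in sorted(internal_names):
        if name in private and name in public:
            priv_max = max(private[name], key=_vtuple)
            pub_max = max(public[name], key=_vtuple)
            findings.append({
                "name": name,
                "private": priv_max,
                "public": pub_max,
                "public_wins": _vtuple(pub_max) > _vtuple(priv_max),
            })
    return findings


if __name__ == "__main__":
    deps = ["acme-billing-core", "acme-auth-utils", "requests"]
    internal = {"acme-billing-core", "acme-auth-utils"}
    print("naive: ", resolve_naive(deps))
    print("pinned:", resolve_pinned(deps, internal))
    for finding in confusion_findings(internal):
        print(finding)
```

The pinned resolver deliberately fails closed: if an internal name is missing from the private feed it raises instead of quietly trying the public one, because that silent fallback is the whole problem.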
WordPress Advisory: Critical vulnerability found in NextGen Gallery plugin. Cross-site request forgery and potential remote code execution will lead to more than tears. Over 800k installs out there and 530k still need to patch.
Let this serve as more than just a cautionary tale because next time the consequences could be deadly. An unknown attacker gained remote access and tried to increase the quantity of sodium hydroxide, or lye, in the water treatment plant. Apparently the specialized ICS and SCADA systems running the plant were “outdated, unpatched and available for review on the internet, leaving them incredibly vulnerable to compromise.”
ICS and SCADA were not designed to be internet-facing, so when facilities using them are set up online, the necessary security, monitoring and controls are not in place. It’s easy for attackers to scan for and find exposed instances, a problem made worse by the need for remote work.
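One monitoring control that directly addresses the exposure described above, as an added example of my own (not code from any of the linked articles): a check over firewall log lines that flags allowed inbound sessions to well-known ICS protocol ports from addresses outside the plant’s own network. The log format and the sample lines are constructed, and the external source addresses use RFC 5737 documentation ranges as stand-ins for public addresses.

```python
"""Flag allowed inbound sessions to ICS protocol ports from outside the
plant network, from firewall log lines.

Added example for this post; the log format and the lines below are
constructed, and the source addresses use RFC 5737 documentation ranges as
stand-ins for public addresses.
"""
import ipaddress
import re

# Well-known ICS/SCADA protocol ports that should never be reachable from outside.
ICS_PORTS = {
    102: "S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# The plant's own address space (RFC 1918); anything else is treated as external.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed firewall log lines in a simple "ts ACTION PROTO src:port -> dst:port" form.
SAMPLE_FW_LOG = [
    "2021-02-11T03:12:08Z ALLOW TCP 203.0.113.45:51822 -> 10.20.0.15:502",
    "2021-02-11T03:12:09Z ALLOW TCP 10.20.0.50:40011 -> 10.20.0.15:502",
    "2021-02-11T03:12:11Z ALLOW TCP 198.51.100.7:2211 -> 10.20.0.15:22",
    "2021-02-11T03:13:40Z ALLOW TCP 198.51.100.9:6000 -> 10.20.0.16:20000",
    "2021-02-11T03:14:02Z DENY TCP 192.0.2.8:1234 -> 10.20.0.16:44818",
]

_LINE = re.compile(r"^(\S+) (ALLOW|DENY) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")


def is_internal(addr):
    """True when the address falls inside the plant's RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def exposed_ics_sessions(lines):
    """Return allowed sessions from external sources to ICS protocol ports.

    Denied sessions are ignored here (they are scan noise, worth counting
    separately); an ALLOW is the signal that the control plane is reachable."""
    findings = []
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue  # skip lines in another format rather than failing the whole run
        ts, action, _proto, src, _sport, dst, dport = m.groups()
        dport = int(dport)
        if action != "ALLOW" or dport not in ICS_PORTS or is_internal(src):
            continue
        findings.append({
            "time": ts,
            "src": src,
            "dst": dst,
            "port": dport,
            "protocol": ICS_PORTS[dport],
        })
    return findings


if __name__ == "__main__":
    for f in exposed_ics_sessions(SAMPLE_FW_LOG):
        print(f"{f['time']} {f['src']} -> {f['dst']}:{f['port']} ({f['protocol']})")
```

Any hit from this check means an ICS protocol is reachable from outside the plant, which is the condition the article describes; the expected steady state for this list is empty.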
Attacks on critical infrastructure have increased over the past year, either as a crime of opportunity by low-level attackers or by highly targeted attacks by nation states, such as Iran’s attack on Israeli water systems in 2020.