ShmooCon: Hackers and frozen hotel rooms (Day 0)

Washington, D.C. – This weekend, hundreds of hackers will head to the Washington Hilton for ShmooCon – the annual conference that for many is the first security event they’ll attend this year. Be sure to watch the blog this weekend for updates and news from the conference floor.

It’s cold, inside and out.

After an early flight, I got lucky when I arrived at the Washington Hilton this morning, because my room was already available. However, once I got in, the room was freezing, easily as cold inside as it was outside. Turns out, someone left the window open. So while I wait for the chill to leave the air, I figured a cup of coffee and a quick update would be in order.

With that said, here’s a recap of some interesting news items this week, as well as a preview of things to come at ShmooCon.

LastPass users vulnerable to clever Phishing attack

At ShmooCon on Saturday, Sean Cassidy, the CTO of Praesidio will demonstrate a clever attack against LastPass, which is possible thanks to a security trade off and easily spoofed UX elements. Cassidy also plans to release a program called LostPass at the end of his talk, which will replicate the attack. For those who can’t attend, Salted Hash will recap the talk itself.

Speaking of Phishing…

A study released by Cloudmark yesterday, which included 300 IT decision makers, showed at Phishing is their top security concern (20%) or among the top three concerns (42%). However, the interesting thing about the data is that 84-percent of the participants said they’ve had at least one successful targeted Phishing attack against their organization in the last 12 months.

While not shocking in the slightest, this stat is nothing to scoff at.

Awareness training can only do so much, but the fact of the matter is, when the Phishing attempt is detailed and targeted, most awareness programs fail to address that aspect of an attack.

Moreover, targeted attempts leverage fear and control, and most employees are not trained to ignore a request that by all appearances comes from the CEO or upper management. Most will comply, because to do otherwise puts their job at risk.

That gap is slowly going away though, and many of the awareness programs that have come to the attention of Salted Hash in the last six months or so address this concern, and encourage employee empowerment – but it isn’t a universal control, so the longer a Phishing campaign lasts, and the more targeted it is, the higher the odds of success.

New York has a strange legal proposal for encrypted phones…

Legislators in New York have proposed a bill dealing with phones and encryption. The bill doesn’t demand backdoors, but it will block the sale of phones that use encryption that can’t be bypassed by the manufacturer.

The proposed bill is here.

If it passes, the law becomes effective immediately and retroactive to January 1. Companies that violate it will face fines of $2,500 USD per device sold in New York.

Considering that both Apple (iOS 8) and Google (Android 6.0) have released operating systems that encrypt by default, and neither of them will bypass those protections, consumers in New York are going to have to make some tough calls when it comes to getting a new phone – such as whether or not they want to drive to New Jersey.

The bill is just a proposal, and this isn’t the first time New York lawmakers have come up with an off-the-wall idea. But even if it does pass as it’s presented, the proposal doesn’t explain how the state will deal with consumers who purchased a device out of town or online.

In related political news, Nick Leiserson and Jen Ellis will be doing a panel on Saturday at ShmooCon “on potential legislative developments, how the security community can get involved in the debate, and what the process is for creating cybersecurity legislation.”

That talk starts at 2:00 p.m.

NRC has generic security contracts…

A new report from the Office of the Inspector General (OIG) claims the Nuclear Regulatory Commission’s cybersecurity center isn’t optimized to protect the agency’s network in the current threat environment.

The key point made by the OIG is that the nation’s unclassified nuclear computer systems are vulnerable to attack because of generic security contracts that don’t spell out who is responsible for keeping an eye on them.

In a statement, Tim Erlin, Director of IT Security and Risk Strategy for Tripwire said:

“It’s always less costly to build security in from the beginning instead of bolting it on at the end. This adage is true of both code and contracts. When IT outsourcing relationships are formed, information security is rarely at the top of the list of priorities.

“Securing computing systems isn’t a static task that can be easily described in contractual language. While there are best practices that can be specified, a reference to an established framework that can keep up with the changing threat environment may be a better approach.”