All Articles

Stephan Chenette, AttackIQ

2 Mar 2016 - Doesn’t matter what or how many layers you have until you know for sure they’re protecting you.

After witnessing significant customer frustration, lack of confidence and skepticism over security products, there exists a need for a vendor to provide answers and test assumptions.

“Instead of promising another product to protect you, we offer a product that validates everything you have in place now, and in the future, and helps consolidate into a solid security program with only what is essential to help you manage,” said Stephan Chenette, CEO AttackIQ. “There are 75 security products. On average they ship through hundreds of thousands of alerts, of which fewer than 20% are actionable. There aren’t enough security people to manage all of the security products. There is a huge need to automate security testing.”

So Chenette founded a firm that offers continuous security testing, challenges the infrastructure and products, and helps measure risk, validate, and provide assurance. Founded in 2013, the firm came out of stealth mode only after working with hundreds of companies in various industries.

The platform allows organizations to run security unit tests to challenge every assumption about security posture. Chenette claims it’s the first purpose-built community platform that allows organizations to use their security knowledge for repeatable and consistent tests of their security programs on an ongoing basis.

“So many alerts are myths. In everyday data breaches, it’s not only the technology that fails, it’s the humans and their processes that fail also,” he said. “If we have security products you assume are working, you need to test that assumption. Most organizations instead of validating what they have works, they add more products until security becomes unmanageable.”

Unified security testing that is powered by the AttackIQ research team and the security community includes a repository of curated security tests organizations can use to test their own programs, both on premise and in the cloud. They can safely attack and improve their defense in depth strategies.

Another goal of AttackIQ is to help every organization improve its security and spend money wisely, regardless of budget size. The correct way to buy technology is to decide what is at risk, and then build security around the valuable assets in the organization.

Testing is the missing component. You have to test what you’ve put in place, which allows you to become more resilient and secure. Finding the gaps and blind spots in your infrastructure lets you improve what works and to what degree.

“Most companies go from being skeptical to the belief that they’ve never had this before,” Chenette said. “With the FireDrill platform you can test your AV for example, in minutes. Hundreds of templates help you validate your security. Sign up for the platform, deploy agents, and begin validating your infrastructure.”

Scenarios range from validating firewall egress points to safely testing adversarial techniques inside an organization’s defense-in-depth strategy. The goal is to validate the security controls, while exposing gaps and blind spots so an organization can improve its security and continue to retest.

“What was true yesterday might not be true today,” said Chenette. “Networks change, configurations change, machines come in and out of networks. They must be tested continually.”

It’s designed so that in less than five minutes you can sign up, deploy test points, and validate the security controls in your organization.

You have access to reports, and direct outputs via a number of different mechanisms. An organization can use any data FireDrill has to integrate into its workflow.

Fully API-driven, it’s built to integrate well with other components of an organization… technology agnostic.

“It’s no longer about the promise of technology… we have to stop the guessing game and test our assumptions,” Chenette said. “Stop guessing and start knowing.”

Simon Witts

24 Feb 2016 - Automated platform agnostic peer to peer encryption allows users to remove themselves from the equation.

Four men with technology backgrounds are out to increase everybody’s privacy through peer to peer encryption by default that is invisible to users, and therefore very easy to use.

•  Simon Witts is an enterprise seller
•  Leon Schumacher is an enterprise buyer
•  Volker Birk is a software architect in the security space
•  Sandro Kochli builds service-based companies around open source software

“At the core a security product has to be an open source project to be taken seriously,” said Simon Witts, Head of Sales, Pretty Easy Privacy. “Leon and Volker run crypto classes to teach people how to use encryption. Their idea was, what happens if it’s encrypted by default? Couldn’t you just write algorithms to do the key management and keep it easy? That’s what we’ve been doing for four years.”

Distributed through GPL, PEP is easily added. The open source distributions of PEP are a Thunderbird plugin called Enigmail and K9 with PEP. Being device based, it’s fully peer to peer.

“Think of it as a little engine that automates everything that’s going on,” Witts said. “Started as an Outlook plugin or iOS or Android device, it works against any email backend. It covers email and messaging including SMS text, sending as securely as it can.”

If you’ve got PGP it will use that, or if you have SMIME, or if you have OTR it will use that… whatever there is it will pick up and use it, because it’s completely automatic. It’s meant to be unobtrusive – automatic installation and operation.

If users want to, they can set things, but they don’t have to.

The only difference is PEP offers the privacy status encrypted yellow button. On the left the incoming status is unencrypted. Reply is automatically encrypted, as shown in the right slide.

“Once I reply my key goes with it and in future we’re encrypting both ways,” said Witts. “I’m automatically sending it encrypted. Every communication I send and receive from him will be encrypted.

“On the next image, if I click the unencrypted button, I can see on the list it’s Terry the investment banker, who PEP hasn’t exchanged keys with.

“Users don’t have to do any of this, as PEP sends encrypted when it can and unencrypted when it can’t.”

“If you force encryption then Terry gets a nice little email that asks him to download a reader,” Witts said. “So you can push privacy with a reader similar to Adobe Reader. Or you can go in and manage the privacy status manually of any user with a handshake. We use trust words. We can exchange PGP fingerprints, although we can make it as simple as five trust words. I get on the phone with a person we know there is no man in the middle, then all communications are green and there are no attack vectors at that point.”

Use the same concept of trust words to form device groups. Put PEP on your Windows PC and iPhone or Android, and it automatically pops up to ask if you want that device to join that group. It automatically detects and provides the trust words. At that point your keys are shared amongst all devices.

“We can’t assume a user knows what a key is, let alone manage them, so we keep things simple and automatic,” said Witts. “The viral nature is when people push privacy and it spreads.”

PEP covers email, messaging, and text, and it does so peer to peer. How you decide to store the key is your decision. Most companies will store email on the server unencrypted, because they are behind the firewall, and we only want it encrypted in transit.

There are about 20 options IT can play around with if they want to. Individuals will not see it.

“We let them configure Outlook exactly how they want it,” Witts said. “The Outlook becomes the master config, configuring all devices. IT loves that, because it gets all devices configured the way IT wants. Being encrypted by default makes it easy, because it’s automated. We make it as secure as possible automatically, unless the user wants otherwise.”

Stu Sjouwerman

16 Feb 2016 - Education remains the best defense against phishing attacks.

In its most recent white paper, The Phishing Breakthrough Point, KnowBe4 had Lydia Kostopoulos, a professor at Khalifa University, run a six-month scientific study.

“We sent five people phishing emails to see if there was a breakthrough point at which people actually recognize a phish,” said KnowBe4 founder and CEO, Stu Sjouwerman. “You train them, and continue to phish them. The numbers are interesting— at first 15% of users are phish prone, and then it drops to 1-2%. This is independently verified.”

Exploited WordPress sites are used to disseminate malware. As a popular website platform, especially amongst non-technical users, WordPress is often not well defended. Both its popularity and often poor defense also make WordPress sites popular targets.

Sometimes visitors to WordPress sites are redirected to sites compromised with exploit kits, such as TeslaCrypt ransomware.

[Note: while we are against the death penalty at Securbuzz, our convictions waver when some criminal sullies the name of arguably the greatest scientific inventor of the 20th century.]

Further towards its mission to educate users about the prevalence of phishing, KnowBe4 released a tool administrators can grab and deploy in their environments.

It gives users a button on their Outlook ribbon. If they see a phishy message they click that button. It deletes the suspect email from their inbox, and sends it to the Incident Response (IR) team for examination. In small organizations that’s the IT guy.

Through this alert button, which lets users choose to send copies to KnowBe4, a new type of phish was discovered.

•  You get an email with an attachment.
•  There is no bad link.
•  The text is a social engineering attack to lure you into opening the attachment.
•  In the attachment is nothing malicious.
•  There’s a picture of an invoice, and a link you have to click to see the invoice.
•  The attachment is a second social engineering attack.
•  The link goes to a legitimate website, which has been compromised and also isn’t on any blacklist yet that any filter would catch.

“So this slips through every filter, because none of it is malicious,” said Sjouwerman. “No spam filter, no email, no proxy server will catch this. That’s what we get back from the phish alert button. You can’t catch it… the only thing you can do is train your users.”

3 Feb 2016 - Your alarm installation may help intruders instead of hindering them.


There is always a point at which someone can break in. The best you can hope for is to make it so difficult that a thief moves on to an easier target.

Some customers don’t realize the importance of covering everything. They install locks (which can be picked) and an alarm system, then rely on a single phone line to deliver the message. When the phone line is cut, so is the alarm panel’s ability to contact the monitoring station.

Alarm companies offering so-called “free alarm systems” are merely amortizing the initial cost of components and installation by charging a high monthly monitoring fee. It’s less expensive to purchase the system up front and pay a lower monthly monitoring fee.

Choosing the “free” system can put your home or business in danger of break-in, because an unscrupulous company might cut corners to get your account. 

“A long time ago I had a customer with alarms in all of the houses he built,” said Vladimir Khayutin, president of BAX Security. “In one house he had 10 or 15 motion sensors, lots of contacts, several keypads, and multiple panels.

“I called a publicly-traded alarm company and pretended to be that customer. Most alarm companies try to install fewer devices, because they don’t want to scare customers with high prices. So they don’t offer everything that’s necessary.”

A typical “free” system includes two contacts, one motion sensor, one keypad, an alarm panel, backup battery, and siren.

That might be a problem for people with places in their homes that are easy to break into.

For example, BAX Security has a hair salon customer. Next door is a convenience store. Before the salon had an alarm, thieves broke in, broke through the wall, and stole $35,000 worth of cigarettes from the convenience store next door.

“So the hair salon called me for an alarm,” Khayutin said. “They have two doors and a front window. I recommended a door contact, a motion detector aimed at the window, and a second motion detector aimed at the back door. They didn’t want to pay another $50, so they didn’t get the second motion.”

Months later someone who obviously knew the system broke into the neighboring barber shop… cut the wall into the hair salon… and cut the wall into the convenience store utility room, where there was no motion sensor. 

Once in the utility room undetected, the thieves had ample time in which to cut the lines to the phone and cellular backup dialer. And then they stole cigarettes again.

“That’s why I think it’s a good idea to have the area near the panel properly secured, to prevent access to the panel and communication device,” said Khayutin.

Alarm system components aren’t the only area in which people demonstrate how cheap they can be.

Combined Internet/telephone packages have increased the popularity of VoIP, which Khayutin doesn’t recommend to his customers for alarm monitoring.

“If there’s static on the phone line, it doesn’t work all the time,” he said. “You can’t use downloading software, because the line is noisy. Another problem is that when power is out, so is VoIP. Cellular dialers are more reliable, and come with their own backup batteries.”

Dodi Glenn, PC Pitstop

20 Jan 2016 - Support scammers are telephoning victims as well as advertising online.
