News

Review: Cyber Smart

Cyber Smart

Do you believe you’re not interesting or important enough to be targeted by a cybercriminal? Do you think your personal data doesn’t hold any value? Bart R. McDonough proves why those beliefs are wrong in his book Cyber Smart: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals.

McDonough, CEO and Founder of Agio, is a cybersecurity expert, speaker and author with more than 20 years of experience in the field, and this is his debut book.

Cyber Smart: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals

He starts by debunking the most common cybersecurity myths, like the one mentioned above. Whether you like it or not, you are important, and your data is important. Also, everything has a price.

McDonough explains all the possible risks and threats you could encounter in a connected world, who are the bad actors, what their goals are and, most importantly, their attack methods.

The author presents five golden rules – or, as he calls them, “Brilliance in the Basics” habits – you should be complying with to maintain a good cybersecurity hygiene: update your devices, enable two-factor authentication, use a password manager, install and update antivirus software, and back up your data.

The second half of the book gives you detailed and specific recommendations on how to protect your:

  • Identity
  • Children
  • Money
  • Email
  • Files
  • Social media
  • Website access and passwords
  • Computer
  • Mobile devices
  • Home Wi-Fi
  • IoT devices
  • Your information when traveling.

McDonough doesn’t use scare tactics that could possibly make you want to forego all technology and go live in the woods. On the contrary, he wants you to embrace it and understand that even if the online world poses so many threats, there’s a lot you can do to protect yourself.

Who is this book for?

You don’t need to be a cybersecurity professional to understand this book. Its language is simple and it offers many comprehensible everyday examples and detailed tips. It’s a book you should definitely have in your home library, also for future reference.

The author has a very clear message: don’t just sit back and hope bad actors will pass you over. Be proactive and take all the possible and necessary steps to secure your data and your devices.

Arlo: An open source post-election auditing tool

The Cybersecurity and Infrastructure Security Agency (CISA) is teaming up with election officials and their private sector partners to develop and pilot an open source post-election auditing tool ahead of the 2020 elections.

The tool, known as Arlo, is being created by VotingWorks, a non-partisan, non-profit organization dedicated to building secure election technology.

About Arlo

Arlo is open source software provided free for state and local election officials and their private sector partners to use.

The tool supports numerous types of post-election audits across various types of voting systems including all major vendors.

Arlo provides an easy way to perform the calculations needed for the audit: determining how many ballots to audit, randomly selecting which ballots will be audited, comparing audited votes to tabulated votes, and knowing when the audit is complete.

The first version of Arlo is already supporting pilot post-election audits across the country, including several from this month’s elections.

Some partners of this pilot program include election officials in Pennsylvania, Michigan, Missouri, Virginia, Ohio, and Georgia. Additional partners will be announced in the coming weeks.

Improving post-election auditing

CISA’s investment is designed to support election officials and their private sector partners who are working to improve post-election auditing in the 2020 election and beyond.

“Heading into 2020, we’re exploring all possible ways that we can support state and local election officials while also ensuring that Americans across the country can confidently cast their votes,” said CISA Director Christopher Krebs.

“At a time when we know foreign actors are attempting to interfere and cast doubt on our democratic processes, it’s incredibly important elections are secure, resilient, and transparent. For years, we have promoted the value of auditability in election security, it was a natural extension to support this open source auditing tool for use by election officials and vendors, alike.”

“We’re very excited to partner with CISA to develop Arlo, a critical tool supporting the implementation of more efficient and effective post-election audits. Because Arlo is open-source, anyone can take it and use it and anyone can verify that it implements audits correctly,” said Ben Adida, Executive Director of VotingWorks.

Onapsis Reveals Oracle E-Business Suite Vulnerability

Onapsis, the leading provider of business application protection have revealed new threat research into a recently discovered vulnerability on Oracle E-Business Suite – Oracle PAYDAY.

The attack scenarios exploit two vulnerabilities with CVSS scores of 9.9 out of 10 in Oracle EBS, Oracle’s ERP software installed at up to 21,000 companies. Onapsis discovered and reported the vulnerabilities to Oracle, which issued patches earlier this year. Onapsis estimates that 50% of Oracle EBS customers have not deployed the patches. The fact that Oracle runs mostly on Java, means that the attack would be relatively simple to carry out by anyone with knowledge of Java and Oracle EBS.

The Onapsis threat research details two attack scenarios:

  • Malicious manipulation of the wire transfer payment process through unauthenticated access (which would bypass segregation of duties and access controls), though which an attacker can change approved EFTs in the EBS system to reroute invoice payments to an attacker’s bank account, leaving no trace.
  • Creating and printing approved bank checks through the Oracle EBS check printing process and disabling and erasing audit logs to cover up the activity.

The severity of this vulnerability is evident from the significance of ERP systems such as Oracle to global business function. Indeed, 77% of global revenue will pass through an ERP system at some point, of which Oracle’s several thousand EBS customers are just a proportion. In 2017, Oracle themselves conducted a simulation, Oracle selected a realistic financial structure derived from a typical large enterprise based on more than 25 years’ experience with ERP deployments. This simulation found that it was possible to create 1,000,000 payments per hour, through 7,000,000 Imported Invoice Lines. Therefore, successful PayDay exploits may go unnoticed amongst so many transactions.

Commenting on this threat report. Mariano Nunez, CEO and Co-founder of Onapsis said:

“This threat research demonstrates something which has historically been chronically underreported in IT and cyber security: That business-critical applications, specifically ERP systems, used by the world’s largest and most relied upon organisations are vulnerable to attackers stealing potentially billions. The advice we would provide to any users of Oracle EBS in the wake of this disclosure would be to utilise diagnostic tools and services to help them to highlight the most vulnerable areas of business operations, and to then deploy the appropriate patches and compensating controls.”             

The threat report is available here, and the demo video demonstrating how users can manipulate the process can be found here.

All companies using Oracle should ensure that they are running the latest patch to ensure complete protection against any vulnerability.