May 27, 2015

3 Infosec Notes From Our Time At the MIT Sloan CIO Symposium

Moderator Prof. Stuart Madnick makes introductory remarks for the cybersecurity panel, featuring Shape VP of Product Shuman Ghosemajumder, CSO of Schneider Electric George Wrenn, COO of 1E Nick Milne-Home, and CSO of ADP Roland Cloutier. 

Last week, Shape Security attended the MIT Sloan CIO Symposium. Hundreds of CEOs, CIOs, and senior IT professionals from all over the world met to discuss the issues that keep them up at night. 

Here we have distilled for you the three most captivating points discussed during the cybersecurity panel. 

3. “We are approaching a cybersecurity perfect storm,” said George Wrenn, CSO of European electricity distribution leader Schneider Electric.

Wrenn believes the convergence of  “aging infrastructure, the interconnection of everything, the increasing sophistication of cybercriminals, and the unfixed security weaknesses of the early Internet age” leaves consumers and enterprises vulnerable to attack for the foreseeable future. Not only will it be difficult to address these issues individually, but it will be near impossible to survive a severe, multi-platform attack. 

2. “No IT leader wants to stand in the way of innovation or customer satisfaction,” said Roland Cloutier, CSO of payroll services leader ADP

To prevent and survive future attacks, enterprises must shift their focus to mitigating risk over short-term rewards. Customer growth and user retention will only get a company so far if the danger of a breach is always looming. To combat this attitude, product and security leaders must lower risk tolerance across all departments and work together to establish a realistic baseline - for example, a threshold of affected users or records lost.

1. “Adversaries have better technology capabilities than security professionals do sometimes,” said Roland Cloutier, CSO of payroll services leader ADP

Today’s attackers are well-funded entities armed with thousand-node botnets, sophisticated malware, and an entire darknet economy willing to do anything for the right price. This leaves enterprises stuck implementing reactive security measures. The eventual worst-case scenario would be a major national attack that would spur enterprises, governments, and regulatory bodies to produce and enact new security standards. Although the situation would be devastating, the outcome could lead to better protections for consumers.

Take a look at the other events where Shape is attending, exhibiting, and presenting on our website: https://shapesecurity.com/events 

April 28, 2015

5 Things We Learned At RSA

1. KBA and NSA are shaping tech startups
General Keith B. Alexander, who retired as NSA Director in 2014, has become the founder and CEO of a new startup, Ironnet. During his RSA session this year, he talked about how to heal the wounds to the tech community and what gift he’d send Snowden if he were given the opportunity. For the tech community, he recommended classified briefings to get technology companies the facts. For Snowden, he said he would send him the oath, which was met with loud applause from the audience. Take a look at the FCW article here.

2. Breaches are happening, even during RSA
On the 2nd day of RSA, a major hotel chain notified their 18 million members via email that their accounts had been reset out of an abundance of caution. According to us at Shape, it seems possible, even likely, that account checkers had been used to hijack 200 accounts at the hotel chain. Take a look at the Shape blog post on account checkers.

3. Taking security up one level - to the Board
Everyone seemed to like and agree with what was said at the presentation, “A CISO's Perspective on Talking to the Board about Cybersecurity”. See what WSJ wrote about it here.

4. Password management is hard
Shape’s own Zhiwei Li spoke about password managers, exposing several vulnerabilities (now plugged) and discussing which manager would be the best manager in various cases. Take a look at his presentation slides.

5. Botnets are alive and well despite takedowns
Botnets are alive and well, despite takedowns. The federal agencies behind the takeover of a major Zeus botnet (12 governments, 13 companies, 4 non-profits and 3 USG federal agencies) said the criminal enterprises have learned and adapted to build more sophisticated and evasive botnets. Check out the list of agencies involved on the RSA session summary page.

It was a great show for Shape Security. If you go to a lot of conferences, like we do, then we'll be seeing you at Blackhat in Vegas, and again at RSA in San Francisco in 2016.

April 9, 2015

Join our RSA session




The Emperor’s New Password Manager: Security Analysis of Password Managers

Friday, April 24, 2015
9:00 AM – 9:50 AM
West
Room: 3009

Session abstract: We conducted a security analysis of popular web-based password managers. Unlike local password managers, web-based password managers run in browsers. We identify four key security concerns and representative vulnerabilities. Our attacks are severe: in four out of the five password managers we studied, attackers can learn credentials for arbitrary websites. This work is a wake-up call for developers.

Speaker: Zhiwei Li, Research Scientist @ Shape

More information

RSA 2015 Evening Events



Join one of our parties. Shape is sponsoring three parties at RSA – one party each day. The first party is truly incredible. The details are after the jump!

Meet Shape at RSA 2015

April 20-24 • Moscone Center, San Francisco, CA

RSA 2015 is around the corner. Will you be attending? Come meet with Shape Security and learn more about our technology. We have a booth, are hosting a private meeting suite at the St. Regis hotel, and offering free expo passes to everyone with our discount code. Read more details below.


Shape Booth




February 25, 2015

Use of Stolen Creds Is Most Dangerous Web Threat, Verizon Finds


Use of stolen credentials is the biggest web threat, says the most recent Verizon Data Breach Report

Learn more about this threat below.

February 19, 2015

Hijacking 1 million accounts for $3

Our last post covered how credential stuffing poses a significant danger to consumer and enterprise websites.

But how much does it cost to actually execute this powerful attack?

Learn about how an adversary can hijack one million accounts for less than a fast food meal.


February 18, 2015

Rising Attack Vector: Credential Stuffing

Credential stuffing is a growing threat to the web community. As more companies are offering their goods and services online, customers practicing bad password hygiene are in danger of having their account stolen whenever a website is breached.

Read more about the rise of credential stuffing below.


February 2, 2015

3 Steps for CISOs to Protect Login Accounts



Tweets like the one below are becoming more and more common. This frustrated consumer lost $100 from a gift card account he had with his favorite retailer. Besides the direct financial loss in replacing these stolen funds, the retailer also incurred call center costs and brand damage (this tweet represents just one of many related to hijacked accounts).



As web security moves from an IT problem to a C-Level and board problem, CISOs should create a strategy for protecting their customers and their enterprise from account hijackers. Below we provide 3 easy checks that companies can use to secure their customer credentials.


January 26, 2015

Gartner Identifies Shape Security as New Deflection Technique

Avivah Litan

Avivah Litan, Gartner Research VP and Distinguished Analyst, highlights Shape Security her latest blog post. 

To read more about her analysis on solutions for automated attacks, read below.