“Patching” the Gender Gap – the SenseCy Ladies Talk Cyber

It is no secret that the Infosec industry is predominantly male, with almost 90% of employees being men (according to a recent survey). But even as we write this post, things are slowly changing, and there is now more talk about the “gender gap” than about the “skills gap” (a quick question for an industry filled with bright minds: if there is a skills gap and not enough male employees to fill it, doesn’t it make sense to recruit and train more women?). At least in our small company, things are very different. In fact, at SenseCy, women comprise over 50% of the workforce, and we are recruiting more every month.

We gathered our female cyber analysts for a joint interview to discuss their views on the industry and the challenges they face, and to decide once and for all why women should find Infosec interesting.

Meet Tanya, our cybercrime analyst; Tatiana, our OSINT analyst; Hila, our hacktivism analyst; Sheila, our customer relations manager; and Gal, our technological projects manager.

What Do You Like About Your Job?

Most of us agree that we like working in this dynamic field, where we find ourselves learning something new every day. It is exciting to work in such a fast-paced environment. We love accumulating more knowledge and feel that each feed, project, post, etc. contributes to our understanding of the field.

We also love that everything we do here is also relevant and applicable to our personal daily lives.

“Even” the technical stuff is becoming more interesting to those of us who do not have a technological background as it is put into context and the more we learn, the more interesting it gets. We also feel that we are part of the “good guys” (/girls), fighting for a good cause.

Sheila: “I am the first Turkish cyber analyst at SenseCy; I tell everybody this and I am very proud to hold this title. Over time, as I delve deeper into topics and follow the news on these issues, the technological knowledge helps me and becomes more interesting. When I do not understand something, I find it boring, but when I understand it, it is more interesting, because it makes sense to me.”

Do You Think You Are Viewed Differently As a Woman Working in This Industry?

Tanya: “We moved offices the other day and while I was using an electric screwdriver to disassemble my desk, three guys came up to me offering to do the exact same job I was already doing…”

While we agree that most computer classes are taken by boys, and even though most of us come from Intelligence and have less of a technological background, we still take courses and learn all the time, so it is not something that is “impossible” for women to learn. On the contrary, there is so much information, so many forums, blogs and tutorials, where one can learn and ask questions. Information is readily available for those with the motivation to learn.

Sadly, there is a preconception today among youth, both boys and girls, that STEM (Science, Technology, Engineering, and Mathematics) professions are “just too hard.” This should change. We should bring computer science to “the people”, so that more people will strive to acquire knowledge in the field, and women can really contribute toward achieving this goal (for example in projects like “Girls Who Code”).

As evidenced in our team composition, “Cyber” is a very broad term and there are many different opportunities in the field for people with different expertise and backgrounds.

Tanya: “I think that part of the social differences are biologically inherent, but at the same time, from a younger age girls are less drawn or encouraged to study computers.”

Gal: “I do not think computers require masculine thinking; women used to be the predominant workforce in the field before things changed.”

There is no doubt that men and women are viewed differently. There are subtle assumptions that we all make, even if we are not fully aware of them. So it is important to be more aware of our behavior and underlying assumptions. Therefore, such posts and conversations can raise awareness and contribute to advancing women in the field.

It is sometimes a matter of perception: when we think about an Infosec professional, the image that comes to mind is that of the uber-geek typing complex lines of code on the computer. But this could change to accommodate other images that include women. That would change the mind-set of girls and women considering a career path in Information Security, and also the way employers perceive possible candidates for the job.

From this (image: “Dude”) to this (image: “Girl”)?

Balancing Home and Office

Today’s global markets and the mobile BYOD technological environment have both advantages and disadvantages. For mothers (and fathers) it allows more flexibility as they can work from home. That said, for some of us it helps to disconnect once we are home, like for Hila. Gal says she needs the balance between home and work, and going back to work after childbirth kept her sane: “SenseCy (then Terrogence) is a great workplace for new mothers. They offered me a lot of flexibility and really did their best to accommodate my needs. I worked from home for two months and now I work a half day and clock more hours in the evening. They also hired me when I was seven months pregnant. I think it pays companies to invest in mothers, as they will be very committed to their job.”

Nine-to-five working hours are outdated and managers should look at achievements at work rather than just the hours employees put in. Unless there is something urgent, our managers do not mind when and where we do our job, as long as we do it well and meet deadlines.

The two mothers in the group agree that work is their resting time (we can drink coffee, use the restroom and talk to adults.)

Do We Actually Need More Women in Cyber? And if so, How Can We Encourage Them to Join Us?

Tatiana says that the requirements for the job are sometimes very high and it is not suitable for everyone. You have to invest a lot of time studying and always stay updated on what is going on.

Hila says we need more people in general in IS, while Tanya thinks it is best to have a 50%-50% work environment.

Yotam (SenseCy’s Sales and Marketing manager, who helped record the interview, but could not resist jumping in) says: “Women must be part of the solution, because cyber security is a global issue that affects all of us. We are all targets for hackers, so if 50% of the population is excluded from the discussion, it will be very difficult to make a difference. Also, I think women are more patient and responsible, so they are up for the job.”

Cyber security is a problem in all sections of the population and in different industries, so we must all be aware of the dangers.

Gal (responding to Tatiana’s comment): “I think most women underestimate themselves and do not apply for jobs with high requirements, while men try anyway. Also, we ask for lower salaries.”

Tanya: “It is not just us; sometimes employers have a lower motivation to hire women of child-bearing age, because they know they will have to deal with maternity leave and children, etc.”

Gal: “It is also our mind-set that must change; women today often start families in their thirties, so we have a decade to invest in our career and to gain an advantage in our field of occupation. Sandberg said ‘Don’t leave before you leave.’ I see a lot of young women already planning their career path according to their pre-existing children. I think that is a mistake. Make use of this time to acquire an interesting well-paid profession.”

Tanya: “I think that sometimes women should carefully plan the balance between career and family life, as in our competitive society slowing down in the career race can put future promotions at risk. This is especially true for women who want to have more than one child and allocate time to stay home with them.”

Tanya continues: “I feel that today women are encouraged to invest more in their careers and if I talk about children, they look at me awkwardly. A lot of women postpone having families because of their careers. For me, ‘feminism’ is more about being able to make your own choice, and not about doing everything that a man does.”

Hila: “There are financial considerations – sometimes it has nothing to do with feminism. Today, in most families both parents have to work to survive financially.”

To Summarize

Sheila: “I came here because of my Turkish skills, but stayed and learned other skills.”

Hila: “I came straight from the military, where I felt that men ran everything. Here at SenseCy, I do not feel that this is the case.”

Tatiana: “I think we should start educating our girls from an early age.”

Gal: “I feel that SenseCy has more diversity compared to other Israeli hi-tech companies. It is very interesting and inspiring to work in such a heterogeneous company with so many different language speakers and a balance between men and women. What I would love to see more of in the future is more women taking a role in leading this field as managers and entrepreneurs.”

Two New Banking Trojans Offered for Sale on the Russian Underground

It is summer vacation time in Eastern Europe now, and we definitely see a certain slowdown in the underground cybercrime business. Just like “regular” people in Russia, cybercriminals also spend a week or two by the sea or in their dachas (chalets) after working round the clock during the year. We see this slowdown not only in decreased trade activity, but also in the lack of support for some services offered on the forums, the long absence of several high-ranking members from the boards, etc.

Considering this situation, it was quite exceptional to see the almost simultaneous appearance of two new banking Trojans on one of the Russian underground forums. Although offered by different sellers, the names of both are taken from Greek mythology: Kronos and Kratos. Kronos is the father of Zeus, the most important Greek god, while Kratos was a far less important figure. The prices match the significance of the gods: Kronos costs $7,000 (a special release price until July 18th is $5,000, and a one-week trial on your own domain is offered for $1,000), while Kratos is available for only $2,000.

Let us look more closely at the features of the two Trojans, as described by their sellers.

Kronos

Kronos, first published on June 10th, is claimed not to be based on the Zeus source code or on any other known banking Trojan, suggesting a new generation of financial malware. The extremely high price supports this suggestion.

According to the seller, it has a ring 3 rootkit compatible with both x86 and x64 systems and includes a formgrabber for the latest versions of the popular browsers (IE, FF and Chrome). Kronos’ web injections are configured in Zeus’ format, so adapting old injections for the new Trojan is supposed to be quite simple. As for security features, the Trojan is claimed to bypass proactive AV protection, as well as user-mode sandboxes and rootkits.

Among the disadvantages of this Trojan, the seller mentions the lack of a VNC module and incompatibility with the Opera browser. Nevertheless, a vigorous discussion about Kronos developed on the forum and gained mostly positive feedback.

On July 8th, the seller posted the results of an AV scan he performed on his product: it was detected by 10 out of 35 vendors, as generic malware.

Kronos in action - a snapshot from a video published by the seller

Kratos

Kratos’ sales started on July 7th. It is based on Carberp’s bootkit, without relying on the Zeus source code, and uses Citadel’s PHP administration panel.

The seller describes the main concept of his product as blocking AV detection (which depends on the successful installation of the ring 0 bootkit). It works on both x86 and x64 operating systems and is built as a modular system; one of the modules is an injection module for all versions of the FF, IE and Chrome browsers. As for security functions, the Trojan is claimed to bypass UAC protection and to have a unique 16kb RSA signature key.

Kratos’ seller emphasizes that a change in one of the protocols (compared to Zeus) allowed compression of the traffic, thus opening the possibility of connecting via Tor.

The thread about Kratos on one of Russian underground forums

In both cases, the discussions are still ongoing. We have not yet seen feedback from satisfied purchasers, but in general both Trojans have been received with positive responses.

#OpSaveGaza – Interim Summary

Written by Yotam Gutman

When the cannons roar, the muses stay silent (but the hacktivists hack).

As we reported last week, operation “Protective Edge” instigated a flurry of activity by Muslim hacktivists targeting Israel. In the following post we review the activities that have taken place so far and try to characterize them.

Attacker Types

Attackers can be divided into three types: individuals, hacktivist groups and cyber terror organizations. Individuals usually join larger campaigns run by hacktivist groups and show their support on social media sites.

Hacktivist groups taking a stance make extensive use of Facebook as a “command and control” platform. The largest “event”, dubbed #OpSaveGaza, was created by Moxer Cyber Team, a relatively new group that probably originated in Indonesia; its event page has 19,000 followers.

Moxer Cyber Team event page

The event included many lesser-known Islamic groups, mainly from Indonesia, that did not participate in previous campaigns against Israel. Another event page, by the Tunisian AnonGhost, announced that the attack would include 38 groups from around the Muslim world. The campaign is planned to continue until the 14th of July.

Cyber terror organizations in the form of the SEA (Syrian Electronic Army) and ICR (Islamic Cyber Resistance) have not officially declared their participation in the campaign, but have waged several high-profile attacks, such as hacking into the IDF spokesman’s blog and Twitter account (SEA) and leaking a large database of job seekers (ICR).

Attacker Tools

The participants in this campaign use the same kinds of tools as in previous campaigns: generic DDoS tools, SQLi tools, web shells and IP anonymization tools.

Results (Interim Summary)

To date, the #OpSaveGaza campaign has consisted mainly of defacement attacks (about 500 sites have been defaced), DDoS attacks of minor scale and some data dumps. Two interesting trends we are seeing are the recycling of older data dumps, presented as new, and the posting of publicly available information as if it had been breached.

Summary

We estimate that these activities will continue until the hostilities on the ground subside, with perhaps more substantial denial of service or data leak attempts.

To the Rescue? Muslim Hacktivists Prepare Cyber Retaliation against Operation “Protective Edge”

Following the escalation between Israel and the Hamas regime in Gaza, Muslim hacktivists have announced the launch of several cyber campaigns against Israeli targets.

Unlike the real Middle-East, where Muslims from different factions fight each other, when it comes to assaulting Israel they are happy to join forces. While several groups have launched campaigns to show their solidarity with the Palestinians, the most prominent are AnonGhost with #OpSaveGaza and Anonymous Arabe that launched #Intifada_3, alongside Moroccan Tigers Team.

#OpSaveGaza is scheduled to peak on July 11, but attacks have already commenced against government, financial and telecom sites, and the campaign combines hackers from Malaysia in the East to Tunisia in the West.

#OpSaveGaza

#intifada_3 is led by Anonymous Arabe and Moroccan Tigers Team, and promises daily defacement and DDoS attacks against an assortment of sites.

#intifada_3

We expect the attack attempts to intensify in line with the progress of the armed conflict.

An Aid to the Aspiring Cyber Intelligence Analyst (Part 2)

We recently published the first section of the terms table and felt it was insufficient, so we are following up with a second section, delving deeper into the underground cyber world of illicit trade, hacking and malware.

Cyber intelligence phrases

Anonymous versus ISIS – Hacktivism against Cyber Jihad

For the past few weeks, members of Anonymous and supporters of ISIS have been battling each other over the social media networks.

First, several Twitter accounts were created under the hashtag #No2ISIS to protest against ISIS activity in Iraq. Then, on June 21, 2014, an Anonymous-affiliated group called TheAnonMessage uploaded a public press release via YouTube about a cyber-attack targeting countries that support ISIS, such as Saudi Arabia, Qatar and Turkey.

On July 1, 2014, the Twitter account @TheAnonMessenger tweeted that the #No2ISIS cyber operation would continue until Anonymous decided otherwise.

The pro-Islamic Hilf-ol-Fozoul Twitter account also accused ISIS of being a protégé of the U.S.

In contrast, several Muslim hackers who support ISIS responded to the Anonymous declarations by adding the hashtag #OpAnonymous to their tweets. In addition, a very active hacker nicknamed Kjfido tweeted a message directed at Anonymous members.

Kjfido presents himself as a cyber-jihadist and an official member of the ISIS Electronic Army. It should be mentioned that there is no evidence that the ISIS Electronic Army actually exists, although there is a Twitter account by the name @electonic_ISIS that tweets about ISIS activity and its agenda.

Gartner Identifies Machine-Readable Threat Intelligence as One of the Top 10 Technologies for Information Security in 2014

Last week Gartner, a leading information technology research and advisory company, highlighted the top ten technologies for information security and their implications for security organizations in 2014. Analysts presented their findings during the Gartner Security & Risk Management Summit, held through June 26.

http://www.gartner.com/newsroom/id/2778417

The top ten technologies for information security are:

  1. Cloud Access Security Brokers
  2. Adaptive Access Control
  3. Pervasive Sandboxing (Content Detonation) and IOC Confirmation
  4. Endpoint Detection and Response Solutions
  5. Big Data Security Analytics at the Heart of Next-generation Security Platforms
  6. Machine-readable Threat Intelligence, Including Reputation Services
  7. Containment and Isolation as a Foundational Security Strategy
  8. Software-defined Security
  9. Interactive Application Security Testing
  10. Security Gateways, Brokers and Firewalls to Deal with the Internet of Things

We at SenseCy are great believers in item 6.

We have been providing contextual intelligence for the past several years (and will continue to do so), but felt it was time to take this to the next level by providing structured feeds that can be linked directly into SIEM and other security infrastructure, automating the threat intelligence implementation process to a greater degree. Although we believe that M2M will take a greater role in cyber security, the role of the analyst will not be diminished: there will be a greater need to analyze and filter the results before we release a feed to our clients, in order to maintain a very low false-positive alert rate. We also aim to engage the malware supply chain at an earlier phase than most, obtaining and analyzing malware before its widespread distribution, so that our clients can prepare their security infrastructure by adding concrete identification parameters prior to infection.
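To make the idea of a machine-readable feed concrete, here is an added example (not SenseCy’s feed format or code) of the consumer side: a small JSON indicator feed is parsed, indicators below an analyst-assigned confidence threshold are dropped (the filtering step that keeps the false-positive rate low), and the remaining domains, IPs and file hashes are matched against proxy, firewall and endpoint log lines. The feed schema, the field names, the log formats and every indicator and log value are constructed for this example and do not come from the post.

```python
"""Consume a structured indicator feed and match it against log lines.

Added example; the feed layout (type/value/confidence/context), the log
formats and all sample values below are constructed, not a real vendor format.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample feed. Confidence is the analyst's score; low-confidence
# entries (e.g. shared hosting) are the ones that generate false positives.
SAMPLE_FEED = json.dumps({
    "feed_version": 1,
    "indicators": [
        {"type": "domain", "value": "panel.example-bad.test", "confidence": 90,
         "context": "constructed: banking trojan control panel"},
        {"type": "ipv4", "value": "203.0.113.42", "confidence": 80,
         "context": "constructed: drop server"},
        {"type": "sha256", "value": "a" * 64, "confidence": 95,
         "context": "constructed: dropper sample"},
        {"type": "domain", "value": "cdn.example-shared.test", "confidence": 30,
         "context": "constructed: shared hosting, noisy"},
    ],
})

# Constructed sample logs: proxy, firewall and endpoint records, one per line.
SAMPLE_LOGS = "\n".join([
    "2014-07-01T10:00:01Z proxy client=10.0.0.5 host=panel.example-bad.test status=200",
    "2014-07-01T10:00:02Z proxy client=10.0.0.7 host=www.example.org status=200",
    "2014-07-01T10:00:03Z fw src=10.0.0.9 dst=203.0.113.42 dport=443 action=allow",
    "2014-07-01T10:00:04Z proxy client=10.0.0.5 host=cdn.example-shared.test status=200",
    "2014-07-01T10:00:05Z edr host=ws12 file=update.exe sha256=" + "a" * 64,
])


@dataclass(frozen=True)
class Indicator:
    type: str
    value: str
    confidence: int
    context: str


def load_feed(raw_json: str, min_confidence: int = 50) -> list[Indicator]:
    """Parse the feed and keep only indicators at or above the confidence threshold."""
    doc = json.loads(raw_json)
    kept = []
    for item in doc["indicators"]:
        ind = Indicator(item["type"], item["value"].lower(),
                        int(item["confidence"]), item["context"])
        if ind.confidence >= min_confidence:
            kept.append(ind)
    return kept


# One extractor per indicator type: pulls candidate values out of a log line.
EXTRACTORS = {
    "domain": re.compile(r"\bhost=([A-Za-z0-9.-]+)"),
    "ipv4": re.compile(r"\b(?:src|dst)=(\d{1,3}(?:\.\d{1,3}){3})"),
    "sha256": re.compile(r"\bsha256=([0-9a-fA-F]{64})"),
}


def match_logs(lines: Iterable[str], indicators: list[Indicator]) -> list[dict]:
    """Return one hit per (line, indicator) pair, with the feed context attached
    so an analyst sees why the match matters, not just that it matched."""
    index = {(i.type, i.value): i for i in indicators}
    hits = []
    for lineno, line in enumerate(lines, 1):
        for itype, rx in EXTRACTORS.items():
            for m in rx.finditer(line):
                ind = index.get((itype, m.group(1).lower()))
                if ind is not None:
                    hits.append({"line": lineno, "type": itype, "value": ind.value,
                                 "confidence": ind.confidence, "context": ind.context})
    return hits


def run_example(min_confidence: int = 50) -> list[dict]:
    """Load the constructed feed, filter it, and match the constructed logs."""
    return match_logs(SAMPLE_LOGS.splitlines(), load_feed(SAMPLE_FEED, min_confidence))


if __name__ == "__main__":
    for hit in run_example():
        print(f"line {hit['line']}: {hit['type']} {hit['value']} "
              f"(confidence {hit['confidence']}) - {hit['context']}")
```

With the default threshold the shared-hosting domain on line 4 is never alerted on; lowering `min_confidence` to 0 shows the extra alert that an unfiltered feed would produce, which is exactly the kind of noise the analyst review step is meant to remove before a feed reaches a SIEM.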