BayPay Forum

Just In Case: Saving Up to Pay Off Ransomware Attacker

Category: Security News

A report exploring how some organizations have been stockpiling bitcoins to use to pay off attackers if, or when, they become victimized by ransomware attacks leads the latest edition of the ISMG Security Report.

In the report, you'll hear:

The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Be sure to check out our Aug. 19 and Aug. 23 reports, which respectively analyze the confusion surrounding the data dump by the mysterious group Shadow Brokers, and possible links to the U.S. National Security Agency and Russian intelligence, and the development of a defense against attackers who exploit USB devices to hack into computers. The next ISMG Security Report will be Tuesday, Aug. 30.

Theme music for the ISMG Security Report is by Ithaca Audio under the Creative Commons license.


Patch or Perish: Fix Which Flaws First?

Category: Security News

The process of managing software vulnerabilities inside the enterprise - tracking flaws and determining which ones to fix first - has long been complicated by the sheer number of patches that must be assessed, applied, tested and rolled out, says Wolfgang Kandek, CTO at the security firm Qualys.

In the early days of patch management, many information security pros focused on the severity of a vulnerability and attempted to first patch those rated as being most severe, he says. But in recent years, Kandek says, there's been an increased focus on pragmatism - concentrating on the 60 or so flaws per year that attackers will be actively targeting.

"The best way of doing things is going after vulnerabilities that are actually being exploited in the wild - not so much looking at the severity. What's in use? What do the bad guys attack? ... Do you have it in your network? And if you do, those are the ones that you would want to go after," he says.

In this audio interview with Information Security Media Group conducted at the Infosecurity Europe conference in London, Kandek also discusses:

  • Prioritizing which vulnerabilities to patch first;
  • The difference between remediating flaws in enterprise software and hardware versus defending against malware;
  • The case for simplifying enterprise environments.

Kandek is the chief technology officer at Qualys. During his 13-year tenure there, he has also served as its vice president of engineering, vice president of operations and director of network operations. Before that, he held positions at MyPlay, iSyndicate and IBM.


Demystifying the Dark Web

Category: Security News

By nature of its name and the stories told about it, the so-called "dark web" has acquired a unique reputation. Danny Rogers of Terbium Labs discusses some of the key myths and realities about the dark web, as well as how organizations should monitor it.

"There certainly are a lot of pervasive myths about the dark web," says Rogers, CEO and co-founder of Terbium Labs. "I've heard everything from '23 people control the whole dark web,' which is kind of absurd, all the way to 'the dark web is many times larger than the rest of the legitimate internet,' which is also not true."

What is true is that the dark web is large, growing, and it's a well-traveled marketplace for data exfiltrated from breached organizations. And this is where organizations need to pay attention to the dark web, Rogers says.

"Monitoring the dark web is actually a key element of knowing what your security posture currently is, and knowing if you have a problem you probably didn't know about," he says. "Whatever sort of information you have on your network, if you're [breached], the odds are very strongly that some indicator of compromise will end up on the dark web."

In an interview about demystifying the dark web, Rogers discusses:

  • Key myths and realities of the dark web;
  • How organizations should monitor the dark web;
  • What to do with information that is found.

Rogers is the co-founder and CEO of Terbium Labs, an information security and data intelligence startup based in Baltimore, Maryland. He is a computational physicist with experience supporting defense and intelligence community cyber operations, as well as startup experience in the defense, energy, and biotechnology sectors. He is an author and expert in the field of quantum cryptography and has published numerous patents and papers on that and other subjects. Prior to co-founding Terbium Labs, he managed a portfolio of physics and sensor research projects at the Johns Hopkins University Applied Physics Laboratory.


FBI Warns States About Voter Database Attacks

Category: Security News


Script Kiddies or Russia? Internet Already Awash with Voter Records

Jeremy Kirk (jeremy_kirk) • August 30, 2016

No other American election has encompassed so much cybersecurity intrigue. The latest news, reported by Yahoo, finds that the FBI warned state electoral boards on Aug. 18 to safeguard their voter registration records after two states were targeted by cyber attacks.


News outlets have already reported the attacks against Illinois and Arizona. The FBI warning likely reflects rising concern within the U.S. government around the security of the election in light of the attacks against various Democratic Party organizations in June. Those attacks have widely been pinned on Russian intelligence, although no definitive evidence has emerged (see Did Russia - or Russian-Built Malware - Hack the DNC?).

The four-page advisory says one state's systems were targeted using SQL injection, a script-kiddie method for pulling information out of a database. The attack, one of the most common web-based ones, takes advantage of applications that pass unfiltered user input into their SQL database queries, which can be manipulated to direct the database to spill its contents.
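To make the flaw the advisory describes concrete, here is an added example (not from the article or the FBI alert) that models a voter-record lookup two ways, once with user input spliced into the query text and once with a parameterized query; the `voters` table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample data standing in for a voter registration table; not from the article.
VOTERS = [
    ("Alice Example", "Cook", "D"),
    ("Bob Sample", "DuPage", "R"),
    ("Carol Placeholder", "Lake", "I"),
]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE voters (name TEXT, county TEXT, party TEXT)")
    con.executemany("INSERT INTO voters VALUES (?, ?, ?)", VOTERS)
    return con


def lookup_vulnerable(con: sqlite3.Connection, county: str) -> list:
    # The defect behind SQL injection: user input is concatenated into the SQL
    # text, so the database cannot distinguish data from commands.
    sql = "SELECT name FROM voters WHERE county = '" + county + "'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con: sqlite3.Connection, county: str) -> list:
    # Hardened form: the driver ships the value separately from the query text,
    # so it is only ever compared as a string and never parsed as SQL.
    sql = "SELECT name FROM voters WHERE county = ?"
    return con.execute(sql, (county,)).fetchall()


def compare(county: str) -> tuple:
    """Return (rows from the spliced query, rows from the parameterized query)."""
    con = make_db()
    return len(lookup_vulnerable(con, county)), len(lookup_parameterized(con, county))


if __name__ == "__main__":
    print(compare("Cook"))          # (1, 1): both behave the same on ordinary input
    print(compare("x' OR '1'='1"))  # (3, 0): only the spliced query spills every row
```

The second call shows why the fix belongs in the application's query construction rather than in the database: the same text that dumps the table through the spliced query matches nothing when bound as a parameter.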

[Image] FBI flash alert: "Targeting Activity Against State Board of Election"

Illinois lost 200,000 voter records, according to Yahoo's report. As a result of the attacks, Illinois shut down its voter registration system on July 13. "This was a highly sophisticated attack most likely from a foreign (international) entity," according to a message sent to Illinois election authorities that was shared on Facebook. Arizona also shut down parts of its voter registration system, and malicious software was found.

While the U.S. government has a heightened sensitivity over election-related cyber attacks, these incidents should still be put in perspective, according to one cybersecurity expert.

Thomas Rid, a professor in the Department of War Studies at King's College London, initially called the FBI alert "big" but later clarified on Twitter: "This is 'big' - but I should not have said so. Our overreaction to a trivial and inconsequential SQL trick is the real problem here."

The FBI warning gives specific IP addresses where the attacks originated, which are now being studied by security analysts. Attackers often use proxy or hacked computers to launch attacks, so IP addresses can be misleading on their own as evidence of the real origin of an attack.

Security companies and organizations have vast caches of data on malicious IP addresses, which can sometimes provide useful historical information. Attribution, however, is always tricky. For example, some experts have taken issue with the technical data that some say show the Democratic Party's problems stemmed from Russian interference.

Arizona officials say the FBI told them that Russians were behind the attacks against the state's network, the Washington Post reported. The attackers did not compromise an Arizona state or county network, but had stolen a username and password for an election official in Gila County, the publication reported.

Personal Data at Risk

But if voter-registration system hackers wanted voter registration records, they could have tried an easier approach than a SQL injection attack - such as just using Google.

Voter registration records contain personal information including name, address, birthdates and party affiliation. In many states, the information is completely public and also available to political campaigns. As a result, that data often gets splashed all over the internet.

For example, Tom Alciere of New Hampshire runs a batch of websites containing the voter registration records for Florida, Colorado, Connecticut, Delaware, Michigan, Ohio, Oklahoma and Rhode Island.

Alciere is factual but unapologetic about the websites: "In a free country, a person can freely communicate true facts lawfully obtained from a public record," according to a Q&A pertaining to the state of Florida.

The FBI alert is predated by a much larger repository of voting information appearing online in December. That's when security researcher Chris Vickery found a 300 GB database containing 191 million U.S. voter records, which was virtually the entire country's population of eligible voters - and then some. The database wasn't password-protected, and anyone could access it (see 191 Million U.S. Voter Registration Records Exposed?).

The publication CSOonline traced the database, finding it was developed by NationBuilder, a company that develops software for campaigns and nonprofit organizations. NationBuilder offers a database of 190 million voters for its customers. It appeared that someone obtained this database and then posted it online. The database was eventually removed.

Motivation Remains Unclear

If it's faster to get the personal information of tens of thousands of voters online than it is to get a pizza delivered, would a state-sponsored attacker bother with plucking a couple of hundred thousand Illinois records and also trying to breach Arizona's systems?

Rid suggests that just interfering with any voting system is going to garner a lot of attention, even if the technical details of the attack are mundane.

"Any voting-system hack is therefore likely to have an out-of-proportion psychological effect," he writes on Twitter.

Embedded tweet (August 29, 2016): "1--Interfering with any voting-related system is bound to get a lot of attention, even if actual technical facts don't merit that attention"

Still, the attacks raise the question of whether the probes could be a prelude to a deeper attack intended to affect the integrity of election systems. To be sure, even a well-timed ransomware attack could potentially cause disruptions in November if it scrambled voter records.

That hackers are targeting election data is a worrisome turn of events, but a breach of voter records isn't likely to hurt the election process, says Andrew McConnell, vice president of security solutions at AsTech Consulting in San Francisco. Disrupting the U.S. election using cyber attacks would take a lot more effort, he contends.

"All I see is yet another database breach," McConnell says. "If the hackers are going to turn this into election tampering somehow, the apparatus that fraud would require is of greater concern to the electoral process than this breach. It's not at all trivial to turn lists of registered voters into fraudulent election results."


Guilty: Russian POS Malware Hacking Kingpin Stole 2M Cards

Category: Security News


Roman Seleznev, Son of Russian Legislator, Caused $169 Million in Fraud

Mathew J. Schwartz (euroinfosec) • August 29, 2016

[Image] Convicted hacker Roman Seleznev. Source: Department of Justice

Russian hacker Roman Valerevich Seleznev has been convicted of stealing data from more than 2 million U.S. payment cards and defrauding 3,700 financial institutions in the United States of at least $169 million.


On Aug. 25, after an eight-day trial, a federal jury in the state of Washington convicted 32-year-old Seleznev, a.k.a. "Track2," of hacking into point-of-sale devices and installing malware to steal payment card details and route them to servers based in Russia, Ukraine and McLean, Va. According to court documents, Seleznev gathered up the stolen card data in batches - or "bases" - then sold them on carder forums, also known as dump sites, including one called "2pac.cc" that he allegedly ran.

Seleznev's operation ran from October 2009 to October 2013, federal prosecutors said, adding that many of his victims were small businesses, some of which were forced into bankruptcy by the attacks. Seleznev had pleaded not guilty to related charges (see Free Defense for Alleged $18M Hacker?).

The federal jury convicted Seleznev on 38 counts - 10 counts of wire fraud, nine counts of obtaining information from a protected computer, nine counts of possession of 15 or more unauthorized access devices, eight counts of intentional damage to a protected computer and two counts of aggravated identity theft - according to the U.S. Justice Department.

Seleznev is due to be sentenced Dec. 2 by U.S. District Judge Richard A. Jones of the Western District of Washington. He could face decades in prison.

Indicted in 2011

Seleznev was first indicted in Washington federal court in March 2011 on 40 charges relating to the theft and sale of at least 2 million payment card numbers. At least some of the information used to charge him came via the Justice Department's investigation into the notorious virtual currency system Liberty Reserve, which was based in Costa Rica.

After Liberty Reserve was forcibly shut down in May 2013 - authorities accused the site of laundering $6 billion - law enforcement promised to "follow the money." They said they found that the service had been used by some of Seleznev's customers to route him payments. "Among the Liberty Reserve accounts maintained by [Seleznev] were two accounts that received over $17.8 million U.S. dollars in payments for the sales of stolen credit card data, according to court documents," the Justice Department says.

Informal Extradition

Seleznev was detained at an airport in Maldives - an island nation in the Indian Ocean - in July 2014 while on vacation. He was then flown by U.S. Secret Service agents to the U.S. territory of Guam, where he was arrested. The Russian government characterized the episode as kidnapping.

U.S. law enforcement agencies, however, refer to this occasional practice instead as informal extradition, "because kidnapping is such a dirty word," according to Verizon security evangelist Mark Rasch, who created the computer crime unit at the U.S. Department of Justice (see FBI Hacker Hunt Goes 'Wild West').

Son of Russian Legislator

Seleznev is the son of Russian legislator Valery Seleznev, who's part of the country's Liberal Democratic party, which is often described as a far-right ultranationalist party.

Valery Seleznev initially denied that the man who had been arrested on related charges in 2014 could have been his son, saying his son had no knowledge of computers or a U.S. visa. After news reports confirmed that his son had been detained, and then arrested on U.S. soil, he told state-operated Russian news agency RIA Novosti that the episode amounted to "a terrible, monstrous nonsense."

Investigators Recovered Laptop, iPhone

Prosecutors said that a laptop in Seleznev's possession at the time of his arrest contained 1.7 million payment card details. In a March 2015 motion, they also supplied the court with photographs of Seleznev posing with stacks of 5,000-ruble notes - each bill worth about $85 - as well as luxury cars. They said the photos were retrieved from the laptop, as well as an iPhone that was in his possession when he was arrested by the U.S. Secret Service.

According to court documents filed by federal prosecutors, Seleznev maintained an extravagant lifestyle, including owning high-end automobiles, regularly flying to exotic locales and staying in fancy hotels, as well as owning multiple properties, including two apartments on the Indonesian island and province of Bali, for which he paid $790,000.

