Three Ways to Take Home the Gold When It Comes to Cybersecurity at the Olympics

The Winter Olympics have officially kicked off in Pyeongchang, South Korea – where the best athletes from around the world showcase their talents and vie for Gold as they represent their countries on the world stage. Although sometimes overlooked, the Olympic Games – and other high-profile events – become ground zero for another global talent race: cybercrime.

The Olympics are a massive undertaking – requiring additional help to be recruited to make sure the host-city is able to accommodate all of the athletes and attendees, under a tight timeline (i.e. building and maintaining the Olympic Village, stadiums, public transportation and lodging). Additional help is also required of the organizations who are broadcasting, sponsoring and advertising the Games. These professionals are not necessarily security experts, which attackers are both aware of and ready to take advantage of.

With the threat landscape and complexity of attacks continually increasing, here are the top three ways to go for the gold when it comes to getting you, your organization and your customers cyber-secure for the Olympic Games:

1) Put a Training Timeline in Place

Just as the cyclical nature of the Olympic Games presents a timeline for malicious actors to design their attacks around, it provides host-city organizations, attending organizations, and participating organizations a two-year timeline to develop threat intelligence. Organizations should be utilizing this timeline to their advantage: it gives them the (rare) opportunity to prepare for attack.

It’s best to put a timeline in place to plan ahead and actually train for the likely attack scenarios, as well as to prepare a response strategy for when the unexpected happens. This two-year timeline leaves no excuse for putting cyber defenders in a position where they experience their first cyberattack scenario when it happens in real life – requiring them to combat aggressive attackers under pressure (and manage it effectively). Instead, take advantage of the time between events to provide cyber defenders with realistic training scenarios, so they are properly prepared for combat. Tokyo is following this best practice and is already providing hands-on simulated training for cybersecurity professionals and citizens in preparation for the 2020 Tokyo Olympic and Paralympic Games.

2) Evaluate and Identify Your Attack Surface

It’s important to realize that cybercrime is not getting smaller, as the attack surface continues to morph and grow. Therefore, it is critical to determine your own attack surface (which directly relates to your engagement level) – and then ensure that this surface is protected.

The first important step towards assessing your attack surface is identifying the likely targets for the events in question. This will most likely depend on the nature of your engagement with the event. Are you a sponsor, are you doing business at the event with potential customers at risk, or did you send employees? Individuals often overlook that major events are a major risk – even if they aren’t officially participating themselves. Why? They could still have high-value internal resources or employees that will be engaged with or participate in the event. For example, will one of your C-level executives be at the Olympics in South Korea? What preparation have you done to insulate that asset from potential threats at the event – whether physical or cyber? It’s time to think ahead and be on the offensive side of the equation.

3) Implement Training at the Individual Level Based on Attack Surface

Depending on the size of your attack surface, here are recommended, proactive approaches to ensure protection during future Olympic Games:

Hold a security training class for all employees planning to attend the Olympic Games

Educate attendees about the vulnerabilities associated with the Olympic Village and Stadiums. It will be important to explain that malicious actors are rethinking their approach to cyberattacks and how they execute on them. Thinking about the current trends in cybersecurity – here are two areas to focus on with attendees: 1) identify where IT links to OT or IoT within Olympic sites, and 2) beware of phishing scams and entering through the least protected link.

Secure your CEO

40 percent of organizations believe that C-level executives are the greatest risk to their organization being hacked. Furthermore, C-level executives are the most at-risk of cyberattacks when working outside the office – with airports, hotels and airplanes among the riskiest venues. If your CEO or members of your C-Suite are attending the event, hold a training seminar before they depart for the event to educate them about the threats associated with attending the Games – from “Checking-in” to the host city on social media to connecting to unsecured Wi-Fi during their travel and stay. In addition, pull together a one-pager with security tips and official sites for them to reference while they are abroad.

Educate all employees/customers of the vulnerabilities associated with digitally engaging with the Olympic Games

Make sure your employees and customers are aware of the phishing and malware campaigns associated with digitally engaging with the Games. With the Games happening overseas, it is imperative that they know the signs and can differentiate what is safe from what is not. This applies to joining social media conversations around the events, purchasing merchandise, or even streaming content on their devices.

The Takeaway

Start planning now for the events on the horizon; hopefully you thought ahead for Pyeongchang – but remember Tokyo 2020 isn’t that far away. Plan, train, evolve from tabletop exercises to cyber simulators, educate your employees on the threats and have a plan for response. At the end of the day, athletes don’t win because they just show up – they win because of the rigorous training, planning, and relentless execution that comes from true focus on the objective. For this month’s Games and all that come after, we need to become World Class Cyber Athletes.

About the author: Ben Carr is the VP of Strategy at Cyberbit. Ben is an information security and risk executive and thought leader with more than 20 years of results-driven experience in developing and executing long-term security strategies.

Copyright 2010 Respective Author at Infosec Island

SAP Cyber Threat Intelligence Report – February 2018

The SAP threat landscape is always expanding, putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the monthly SAP Cyber Threat Intelligence report is to provide insight into the latest security vulnerabilities and threats.

Key takeaways

  • The second set of SAP Security Notes in 2018 consists of 26 patches with the majority of them rated medium.
  • Missing authorization check is the most common vulnerability type this month, again.

SAP Security Notes – February 2018

SAP has released the monthly critical patch update for February 2018. This patch update closes 26 SAP Security Notes (14 SAP Security Patch Day Notes and 12 Support Package Notes). Seven of the patches are updates to previously released Security Notes.

14 of all the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.

Five of the released SAP Security Notes received a High priority rating, two were assessed as Low, and 19 fixes were rated Medium.

SAP Security Notes Distribution by Priority (September 2017-February 2018)

The most common vulnerability type is Missing authorization check.

SAP Security Notes Distribution by Vulnerability Types – February 2018

SAP users are recommended to implement security patches as they are released.

Issues that were patched with the help of ERPScan

This month, three critical vulnerabilities identified by ERPScan’s researchers Mathieu Geli, Vahagn Vardanyan, and Vladimir Egorov were closed.

You can find their details below.

  • A Missing Authentication check vulnerability in SAP NetWeaver System Landscape Directory (CVSS Base Score: 8.3, CVE-2018-2368). An update is available in SAP Security Note 2565622. An attacker can use a Missing authorization check vulnerability to access a service without any authorization procedure and use service functionality that should have restricted access. This can lead to information disclosure, privilege escalation and other attacks.
  • A Directory Traversal vulnerability in SAP Internet Sales (CVSS Base Score: 6.6, CVE-2018-2380). An update is available in SAP Security Note 2547431. An attacker can use Directory traversal to access arbitrary files and directories located in the SAP server file system, including application source code, configuration and system files. This allows them to obtain critical technical and business-related information stored in the vulnerable SAP system.
  • An Information Disclosure vulnerability in SAP HANA (CVSS Base Score: 5.3, CVE-2018-2369). An update is available in SAP Security Note 2572940. An attacker can use an Information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) that helps them learn about a system and plan other attacks.

Critical issues closed by SAP Security Notes in February

The most dangerous vulnerabilities of this update can be patched with the help of the following SAP Security Notes:

  • 2525222: SAP Internet Graphics Server (IGS) has multiple security vulnerabilities (CVSS Base Score: 8.3; Unrestricted File Upload CVE-2018-2395; DoS CVE-2018-2394, CVE-2018-2396, CVE-2018-2391, CVE-2018-2390, CVE-2018-2386, CVE-2018-2385, CVE-2018-2384; XXE CVE-2018-2393, CVE-2018-2392; Log Injection CVE-2018-2389; Information Disclosure CVE-2018-2382, CVE-2018-2387). Depending on the vulnerability, attackers can use a Denial of service vulnerability to terminate a process of the vulnerable component; for as long as the service is unavailable, business processes are disrupted, resulting in system downtime and damage to business reputation. They can also use an XML external entity vulnerability to send specially crafted unauthorized XML requests that will be processed by the XML parser, which can give an attacker unauthorised access to the OS file system, among other vectors. Install this SAP Security Note to prevent these risks.
  • 2589129: SAP HANA Extended Application Services has multiple security vulnerabilities (CVSS Base Score: 7.1; CVE-2018-2374, CVE-2018-2375, CVE-2018-2376, CVE-2018-2379, CVE-2018-2377, CVE-2018-2372, CVE-2018-2373). An attacker can use an Information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) that helps them learn about a system and plan other attacks. Install this SAP Security Note to prevent these risks.
  • 2562089: SAP ABAP File Interface has a Directory Traversal vulnerability (CVSS Base Score: 6.6, CVE-2018-2367). An attacker can use Directory traversal to access arbitrary files and directories located in the SAP server file system, including application source code, configuration and system files. This allows them to obtain critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent these risks.

Advisories for these SAP vulnerabilities with technical details will be available in three months on Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.


Federal Judge Says Embedding a Tweet Can Be Copyright Infringement

Rejecting years of settled precedent, a federal court in New York has ruled [PDF] that you could infringe copyright simply by embedding a tweet in a web page. Even worse, the logic of the ruling applies to all in-line linking, not just embedding tweets. If adopted by other courts, this legally and technically misguided decision would threaten millions of ordinary Internet users with infringement liability.

This case began when Justin Goldman accused online publications, including Breitbart, Time, Yahoo, Vox Media, and the Boston Globe, of copyright infringement for publishing articles that linked to a photo of NFL star Tom Brady. Goldman took the photo, someone else tweeted it, and the news organizations embedded a link to the tweet in their coverage (the photo was newsworthy because it showed Brady in the Hamptons while the Celtics were trying to recruit Kevin Durant). Goldman said those stories infringe his copyright.

Courts have long held that copyright liability rests with the entity that hosts the infringing content—not someone who simply links to it. The linker generally has no idea that it’s infringing, and isn’t ultimately in control of what content the server will provide when a browser contacts it. This “server test,” originally from a 2007 Ninth Circuit case called Perfect 10 v. Amazon, provides a clear and easy-to-administer rule. It has been a foundation of the modern Internet.

Judge Katherine Forrest rejected the Ninth Circuit’s server test, based in part on a surprising approach to the process of embedding. The opinion describes the simple process of embedding a tweet or image—something done every day by millions of ordinary Internet users—as if it were a highly technical process done by “coders.” That process, she concluded, put publishers, not servers, in the drivers’ seat:

[W]hen defendants caused the embedded Tweets to appear on their websites, their actions violated plaintiff’s exclusive display right; the fact that the image was hosted on a server owned and operated by an unrelated third party (Twitter) does not shield them from this result.

She also argued that Perfect 10 (which concerned Google’s image search) could be distinguished because in that case the “user made an active choice to click on an image before it was displayed.” But that was not a detail that the Ninth Circuit relied on in reaching its decision. The Ninth Circuit’s rule—which looks at who actually stores and serves the images for display—is far more sensible.

If this ruling is appealed (there would likely need to be further proceedings in the district court first), the Second Circuit will be asked to consider whether to follow Perfect 10 or Judge Forrest’s new rule. We hope that today’s ruling does not stand. If it did, it would threaten the ubiquitous practice of in-line linking that benefits millions of Internet users every day.
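To make the "server test" concrete, here is an added Python example (not part of the EFF post) that lists a page's embedded resources and reports who actually stores and serves each one. The article page, its URL, the tweet and the image paths are constructed samples; the blockquote-plus-widgets.js pattern is Twitter's published embed code.

```python
import re
from urllib.parse import urljoin, urlsplit

# Tags whose src attribute makes the visitor's browser fetch and display content
# from wherever the URL points; the publisher's HTML holds only the reference.
EMBED_SRC = re.compile(
    r'<(img|iframe|video|audio|source|script)\b[^>]*?\bsrc\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)


def classify_embeds(html, page_url):
    """List each embedded resource and who actually stores and serves its bytes."""
    page_host = urlsplit(page_url).hostname
    results = []
    for match in EMBED_SRC.finditer(html):
        tag, src = match.group(1).lower(), match.group(2)
        if src.lower().startswith("data:"):
            # The bytes are inside the publisher's own HTML: the publisher hosts this.
            results.append({"tag": tag, "url": src[:30] + "...", "host": None,
                            "served_by": "inline"})
            continue
        absolute = urljoin(page_url, src)          # resolves relative and //host paths
        host = urlsplit(absolute).hostname
        served_by = "first-party" if host == page_host else "third-party"
        results.append({"tag": tag, "url": absolute, "host": host, "served_by": served_by})
    return results


def third_party_hosts(results):
    """Hosts that decide what the visitor sees, yet are not the publisher."""
    return sorted({r["host"] for r in results if r["served_by"] == "third-party"})


# Constructed article page: a first-party logo, an inline data: image, and a tweet
# embedded with Twitter's published pattern (blockquote + widgets.js); the status id
# and the pbs.twimg.com path are placeholders.
SAMPLE_PAGE_URL = "https://news.example/2018/02/brady-hamptons"
SAMPLE_HTML = """
<html><body>
<img src="/static/logo.png" alt="site logo">
<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" alt="spacer">
<p>Story text...</p>
<blockquote class="twitter-tweet"><p>Spotted in the Hamptons</p>
  <a href="https://twitter.com/someone/status/000000000000000000">February 2016</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
<img src="https://pbs.twimg.com/media/EXAMPLE-photo.jpg" alt="photo rendered from Twitter">
</body></html>
"""

if __name__ == "__main__":
    found = classify_embeds(SAMPLE_HTML, SAMPLE_PAGE_URL)
    for item in found:
        print(f"{item['tag']:7} {item['served_by']:12} {item['url']}")
    print("third-party hosts:", third_party_hosts(found))
```

Only the `data:` image is actually stored by the publisher; everything Twitter serves can change or disappear without any edit to the embedding page.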

The False Teeth of Chrome’s Ad Filter

Today Google launched a new version of its Chrome browser with what they call an “ad filter”—which means that it sometimes blocks ads but is not an ad blocker. EFF welcomes the elimination of the worst ad formats. But Google’s approach here is a band-aid response to the crisis of trust in advertising that leaves massive user privacy issues unaddressed.

Last year, a new industry organization, the Coalition for Better Ads, published user research investigating ad formats responsible for “bad ad experiences.” The Coalition examined 55 ad formats, of which 12 were deemed unacceptable. These included various full page takeovers (prestitial, postitial, rollover), autoplay videos with sound, pop-ups of all types, and ad density of more than 35% on mobile. Google is supposed to check sites for the forbidden formats and give offenders 30 days to reform or have all their ads blocked in Chrome. Censured sites can purge the offending ads and request reexamination.

The Coalition for Better Ads Lacks a Consumer Voice

The Coalition involves giants such as Google, Facebook, and Microsoft, ad trade organizations, and adtech companies and large advertisers. Criteo, a retargeter with a history of contested user privacy practices, is also involved, as is content marketer Taboola. Consumer and digital rights groups are not represented in the Coalition.

This industry membership explains the limited horizon of the group, which ignores the non-format factors that annoy and drive users to install content blockers. While people are alienated by aggressive ad formats, the problem has other dimensions. Whether it’s the use of ads as a vector for malware, the consumption of mobile data plans by bloated ads, or the monitoring of user behavior through tracking technologies, users have a lot of reasons to take action and defend themselves.

But these elements are ignored. Privacy, in particular, figured neither in the tests commissioned by the Coalition, nor in their three published reports that form the basis for the new standards. This is no surprise given that participating companies include the four biggest tracking companies: Google, Facebook, Twitter, and AppNexus.

Stopping the Biggest Boycott in History

Some commentators have interpreted ad blocking as the “biggest boycott in history” against the abusive and intrusive nature of online advertising. Now the Coalition aims to slow the adoption of blockers by enacting minimal reforms. Pagefair, an adtech company that monitors adblocker use, estimates 600 million active users of blockers. Some see no ads at all, but most users of the two largest blockers, AdBlock and Adblock Plus, see ads whitelisted under the Acceptable Ads program. These companies leverage their position as gatekeepers to the user’s eyeballs, obliging Google to buy back access to the blocked part of their user base through payments under Acceptable Ads. This is expensive (a German newspaper claims a figure as high as 25 million euros) and is viewed with disapproval by many advertisers and publishers.

Industry actors now understand that adblocking’s momentum is rooted in the industry’s own failures, and the Coalition is a belated response to this. While nominally an exercise in self-regulation, the enforcement of the standards through Chrome is a powerful stick. By eliminating the most obnoxious ads, they hope to slow the growth of independent blockers.

What Difference Will It Make?

Coverage of Chrome’s new feature has focused on the impact on publishers, and on doubts about the Internet’s biggest advertising company enforcing ad standards through its dominant browser. Google has sought to mollify publishers by stating that only 1% of sites tested have been found non-compliant, and has heralded the changed behavior of major publishers like the LA Times and Forbes as evidence of success. But if so few sites fall below the Coalition’s bar, it seems unlikely to be enough to dissuade users from installing a blocker. Eyeo, the company behind Adblock Plus, has a lot to lose should this strategy be successful. Eyeo argues that Chrome will only filter 17% of the 55 ad formats tested, whereas 94% are blocked by Adblock Plus.

User Protection or Monopoly Power?

The marginalization of egregious ad formats is positive, but should we be worried by this display of power by Google? In the past, browser companies such as Opera and Mozilla took the lead in combating nuisances such as pop-ups, which was widely applauded. Those browsers were not active in advertising themselves. The situation is different with Google, the dominant player in the ad and browser markets.

Google exploiting its browser dominance to shape the conditions of the advertising market raises some concerns. It is notable that the ads Google places on videos in YouTube (instream pre-roll) were not user-tested and are exempted from the prohibition on “auto-play ads with sound.” This risk of a conflict of interest distinguishes the Coalition for Better Ads from, for example, Chrome’s monitoring of sites associated with malware and related user protection notifications.

There is also the risk that Google may change position with regard to third-party extensions that give users more powerful options. Recent history justifies such concern: Disconnect and Ad Nauseam have been excluded from the Chrome Store for alleged violations of the Store’s rules. (Ironically, Adblock Plus has never experienced this problem.)

Chrome Falls Behind on User Privacy 

This move from Google will reduce the frequency with which users run into the most annoying ads. Regardless, it fails to address the larger problem of tracking and privacy violations. Indeed, many of the Coalition’s members were active opponents of Do Not Track at the W3C, which would have offered privacy-conscious users an easy opt-out. The resulting impression is that the ad filter is really about the industry trying to solve its adblocking problem, not about addressing users’ concerns.

Chrome, together with Microsoft Edge, is now the last major browser to not offer integrated tracking protection. Firefox introduced this feature last November in Quantum, enabled by default in Private Browsing mode with the option to enable it universally. Meanwhile, Apple’s Safari browser has Intelligent Tracking Prevention, Opera ships with an ad/tracker blocker for users to activate, and Brave has user privacy at the center of its design. It is a shame that Chrome’s user security and safety team, widely admired in the industry, is empowered only to offer protection against outside attackers, but not against commercial surveillance conducted by Google itself and other advertisers. If you are using Chrome (1), you need EFF’s Privacy Badger or uBlock Origin to fill this gap.

(1) This article does not address other problematic aspects of Google services. When users sign into Gmail, for example, their activity across other Google products is logged. Worse yet, when users are signed into Chrome their full browser history is stored by Google and may be used for ad targeting. This account data can also be linked to Doubleclick’s cookies. The storage of browser history is part of Sync (enabling users access to their data across devices), which can also be disabled. If users desire to use Sync but exclude the data from use for ad targeting by Google, this can be selected under ‘Web And App Activity’ in Activity controls. There is an additional opt-out from Ad Personalization in Privacy Settings.

The Only Gold Russia Can Win at the Winter Olympics Is for Cyber-Hacking

Russia has already come out swinging against the IOC and WADA in attempted retaliation for being banned from the 2018 Olympics. Unfortunately, their old tricks appear to be decreasing in effectiveness. Each time Russia leaks information in connection to doping commissions, it garners less news attention and is increasingly being viewed as a failed operation.

Stumbling into the games makes Russia the most unpredictable threat actor vying for the title of “most disruptive to the Olympic games” this year. Other major contenders? Non-state actors and organized crime groups. Absent from this list, despite popular opinion, is who many view as the heavy favorite going into 2018, North Korea.

Likely to win Bronze: Your second runner-up this year is likely to be organized crime. In the past decade or so they have made a consistent appearance with fraud and scams going after visitors to the games. This year has the potential for them to expand their operations into match fixing, due to the increased reliance on electronic measurements to determine winners. This year’s judging scandal might be centered around a hacked timer rather than judges from Old Europe.

Reaching for the Silver: The safe money is on non-state actors (hacktivists, cyberterrorists, and fame seekers) to be the cause of the largest cyber disruptions to the games. They usually use large global events as a springboard for their agendas and are unusually hard to predict and model because of the relative obscurity of most of these actors. Having the element of surprise, a swashbuckling attitude, and a successful outcome being defined as any disruption, makes these actors the hardest to stop and generally the most prolific.

And the outside contender for Gold: We have the wild card, Russia. They have the technical sophistication to outperform these other two groups, but the question is – is their heart really in the competition? The declining effectiveness of doxing, combined with recurring punishments, could push the Kremlin to up its game. They have proven a willingness to unleash destructive malware in multiple countries for multiple reasons. Even if they just repackaged the self-propagating principles of the NotPetya attack with the payload concepts of the TV5Monde attack, they have the capability to shut down the broadcast of the games. If they decide that the Olympics is no longer a neutral arbiter of friendly competition but rather a politicized organization dominated by anti-Russian sentiments, Moscow could very well debut a few cyber tricks never before seen.

Who’s not taking home any honors? Noticeably absent from this list is North Korea. Cyber threats from groups linked to North Korea have been in the news practically every month in the run up to the games, so if anyone had a shot at pulling off something spectacular, it was this group of well-funded and motivated actors. Fortunately for the South Korean defenders, they appear to have withdrawn themselves from contention. Kim Jong Un’s strategy of rapprochement means that if negotiations are going where he wants them to, the DPRK cyber menace is likely in standby mode. South Korea, by sacrificing part of its women’s hockey team, made the overall games significantly safer.

Will South Korea prevent any of these threat groups from gaining the notoriety they seek? The country’s capability to deal with these types of intrusions far exceeds that of Brazil during the 2016 Rio games. From a vulnerability and defensive capabilities standpoint, the overall cyber interruption to the 2018 Winter Olympics should be low compared to previous games.

However, given the onslaught of high caliber tools and exploits released over the last year, the ability of the security teams to keep up with all of the needed patches and other security controls will still be a big challenge for South Korea and will be more difficult than in past years.

Like all good competitions, this one will likely be decided by which groups have focused more on the fundamentals. If South Korea has kept their house in order and focused on the fundamentals of network security, they stand a good chance of surviving the short duration of the Olympic games. If they have focused too much on elaborate concepts and advanced skills at the detriment of those fundamentals, they stand a strong chance of falling short when the real games begin.

About the author: Ross is the Senior Director for Intelligence Services at Cybereason. Before joining Cybereason in 2016, he served as a Technical Lead and Cyber Lead for the United States Department of Defense.


Think GDPR Won’t Affect Your U.S. Company? Guess Again

When the EU General Data Protection Regulation (GDPR) deadline arrives in May, companies that handle information belonging to European Union residents will have to adhere to a strict new set of guidelines – regardless of whether the company is based within the EU or outside the 28 member countries.

This may be news for some: One in four U.S. cybersecurity professionals believe their firm won’t need to comply with GDPR, according to a recent survey. Organizations that fall under the GDPR mandate could be fined up to 4% of annual global turnover or €20 Million (whichever is greater) in the event of a breach. While this is a worst-case scenario, it should be enough to get the attention of most companies that do business with EU citizens.

Does your company need to comply?

It’s surprising that so many U.S. firms simply aren’t worried, as the GDPR represents a significant change in the way data must be handled.

An important change in the GDPR involves the geographic scope of this new law. To summarize: Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR.

Two points of clarification. First, the law only applies if the data subjects, as the GDPR refers to consumers, are in the EU when the data is collected. This makes sense: EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply. Second, a financial transaction doesn’t have to take place for the extended scope of the law to kick in. If the organization just collects “personal data” – aka personally identifiable information (PII) – as part of a marketing survey, for example, then the data would have to be protected GDPR-style.

What kinds of U.S.-based companies are likely to fall under the GDPR’s territorial scope?

U.S.-based hospitality, travel, software services and e-commerce companies will need to take a closer look at their online marketing practices. However, any U.S. company that has identified a market in an EU country and has localized online content should review their web operations.

U.S. companies without a physical presence in an EU country typically collect most of the personal data belonging to EU data subjects over the web. Are users in, say, Amsterdam who come across a U.S. website automatically protected by the GDPR? Here’s where the scope of requirements becomes a little more complicated: The organization would have to target a data subject in an EU country. Generic marketing doesn’t count.

For example, a Dutch user who searches the web and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply. Accepting currency of that country and having a domain suffix — say a U.S. website that can be reached with a “.nl” from the Netherlands — would certainly seal the case.

Do your GDPR “homework”

The best offense is a good defense. Companies that can show they essentially “did their homework” in following the GDPR requirements — with the paperwork to back it up — will be better off in the event of a violation where fines are involved. When the Article 40 “Codes of Conduct” — allowing compliance to existing data security standards count towards GDPR — are officially approved by the regulators, companies may receive “partial credit” for their compliance.

In short, Article 40 says that standards associations can submit their security controls, say PCI DSS, to the European Data Protection Board (EDPB) for approval. If a controller then follows an officially approved “code of conduct”, then this can dissuade the supervising authority from taking actions, including issuing fines, as long as the standards group — for example, the PCI Security Standards Council — has its own monitoring mechanism to check on compliance.

While we'll have to wait for more guidance, the point is that EU regulators will eventually let companies leverage their efforts (and investments) in meeting standards such as PCI DSS or ISO 27001 for GDPR compliance.

Take stock of your data

The GDPR also mandates "data minimization" — not keeping data when it's no longer needed or even collecting it in the first place when it's not completely necessary for a business function. Most companies already have a policy for deleting "stale" data, though they may not follow through by applying those policies. GDPR says that this IT practice is not just a good idea, but the law!

So companies that proactively automate their retention and disposition policies for their files will be better prepared for compliance — and they will also be better protected from insider threats and cyber attacks.

Unfortunately, many organizations have lost track of where their most sensitive information lives and who has access to it – over 70% of folders we analyzed on corporate servers contained stale data, and almost half had 1000 files with PII, credit card credentials, and other data on file servers accessible to everyone.

With just a few months left to go, 60% of cyber security professionals in the EU and 50% of respondents in the U.S. say they face some serious challenges in being compliant with the GDPR by the May deadline.

Organizations are running out of time to take stock of how exposed their data is to attack. Now is the time to reduce your risk profile by locking down sensitive data, removing users that no longer need access, and deleting or archiving stale data – plan to maintain a least-privilege model to keep data secure.

Ignorance is not bliss when it comes to the GDPR, and organizations that have fallen behind in their preparations must ramp up their compliance activities or they could take a serious financial hit once the regulations take effect. Start taking control now.

About the author: Ken Spinner joined Varonis in 2006 and leads all technical pre- and post- sales engineering activities for Varonis customers worldwide. Ken’s career spans 30 years with organizations ranging from startups to Fortune 500 industry leaders. Prior to Varonis, Ken held leadership and senior engineering roles at Neoteris, Netscreen, Juniper Networks, BlueCoat Systems and Merck.

Copyright 2010 Respective Author at Infosec Island

Advancing the Usability of PKIs

Public Key Infrastructure (PKI) certificates have long served as the optimal method for securing the servers on the web and, increasingly, Internet of Things (IoT) devices. Deploying and updating PKIs used to be a largely manual process that required the time and attention of IT personnel. Today, there are tools that can automate those tasks, which makes securing the connections between networks, devices and their users simpler and more cost-effective.

Certificates can be used to encrypt data at rest. PKI also enables the authentication of users, systems, and devices without the need for tokens, password policies, or other cumbersome user-initiated factors. In mutual authentication scenarios, certificates uniquely identify devices, which supports authorization and secure device-to-device communication. As a result, certificates ensure that any data or messages transferred cannot be altered without detection.

The challenge for an enterprise becomes determining what exactly it’s trying to protect, particularly as more companies embrace the IoT trend. PKIs ensure that the basic security requirements for data confidentiality, data integrity, and data accessibility are properly configured for all devices.

That’s becoming more complex, and virtually impossible to perform via manual processes. Why? Because of the sheer number of devices that are coming online.

By 2020, over 25 billion devices will be connected to the Internet, and each one of those connections must be secure to mitigate risks and protect organizations and individuals from malicious attacks.

To give you a better sense of scale, consider that 10 years ago, Certificate Authorities issued approximately 10 million certificates that verify a digital entity’s identity on the Internet worldwide. Today, just one company may request 10 million certificates for its realm of devices and services. That’s where the math starts to get complicated.

After all, PKI is built on math, leveraging algorithms to direct the inspection and validation of the signatures that enable secure communication and data-sharing between devices and networks. Fortunately, technology has advanced to enable computers to handle the complex algorithms used to inspect and validate the secure connection to a device or web site.

Unfortunately, the cyberattacks targeting those systems are also becoming more sophisticated and hitting more frequently. That is why a critical aspect of the effective use of PKI is updating those certificates as the threat landscape changes. In other words, PKI usage is not something to “set and forget”, and today requires thoughtful security planning in the process. Too often, a cloud service provider will experience a system outage simply because someone forgot to renew a certificate. The blame falls on a faulty manual process.

Therefore, the way PKI becomes more usable is by partnering with a Certificate Authority (CA) that can introduce and manage automation technologies to relieve IT of those responsibilities. IT and users should not have to worry about “breaking” something because they were not paying attention to the right discussion forum or right threads about new attacks.

This can also be especially valuable in development environments, where developers are checking code in and out. PKIs enable each developer to sign the code they check in, thereby creating chains of trust. This can be very useful both to open source projects and to protecting a company’s download site from being hijacked and falling victim to a DNS attack.

If your organization is going to rely on PKI, it’s important to also leverage the benefits that automation can provide. This is where partnering with a CA can help, both today and tomorrow. CAs take on the responsibility of managing PKIs, which includes participating in forums and working groups to ensure that PKIs evolve to meet the ever-changing threat landscape. This relieves enterprises of having to take on those responsibilities, so they can focus on their strategic business priorities.
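As an added example (not the article's or DigiCert's code), the following Go program shows the two checks an automated certificate-management job would run over a device fleet: chain validation against a trusted root and a renewal-window check on NotAfter, so an expiring certificate is caught before it causes the kind of outage described above. The root CA, the device names and the 30-day window are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const day = 24 * time.Hour

// CertStatus is what an automated renewal job would report for one device certificate.
type CertStatus struct {
	Subject      string
	DaysLeft     int    // days until NotAfter; negative once expired
	ChainValid   bool   // chains to a trusted root and is inside its validity period
	NeedsRenewal bool   // inside the renewal window, or already expired
	Err          string // chain validation error, if any
}

var nextSerial int64 = 1 // constructed serials; a real CA issues unique random ones

func must(err error) {
	if err != nil {
		panic(err) // demo code: an issuance failure is a bug in the example itself
	}
}

// issue creates a P-256 certificate for cn valid from 400 days before now until now+days
// (negative days gives an already expired certificate); self-signed when parent is nil,
// otherwise signed by parent. Hypothetical helper written for this example.
func issue(cn string, isCA bool, now time.Time, days int,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-400 * day),
		NotAfter:              now.Add(time.Duration(days) * day),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	nextSerial++
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // device certs serve mutual TLS: both client and server authentication
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// CheckCert validates cert against roots as of now and flags it for renewal when less
// than renewWindow of validity remains, so rotation happens before anything breaks.
func CheckCert(cert *x509.Certificate, roots *x509.CertPool, now time.Time, renewWindow time.Duration) CertStatus {
	remaining := cert.NotAfter.Sub(now)
	st := CertStatus{
		Subject:      cert.Subject.CommonName,
		DaysLeft:     int(remaining.Hours() / 24),
		NeedsRenewal: remaining <= renewWindow,
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		st.Err = err.Error() // unknown authority, expired, wrong key usage, ...
	}
	st.ChainValid = st.Err == ""
	return st
}

// DemoStatuses builds a constructed fleet (trusted root; healthy, due-for-renewal and
// expired device certs it issued) and checks each one with a 30-day renewal window.
func DemoStatuses(now time.Time) []CertStatus {
	root, rootKey := issue("Example Device Root CA", true, now, 3650, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	names := []string{"sensor-0001", "sensor-0002", "sensor-0003"}
	days := []int{365, 10, -3} // validity remaining relative to now
	var out []CertStatus
	for i, cn := range names {
		cert, _ := issue(cn, false, now, days[i], root, rootKey)
		out = append(out, CheckCert(cert, roots, now, 30*day))
	}
	return out
}

func main() {
	for _, s := range DemoStatuses(time.Now().UTC().Truncate(time.Second)) {
		fmt.Printf("%-12s days_left=%4d chain_valid=%-5v needs_renewal=%-5v %s\n",
			s.Subject, s.DaysLeft, s.ChainValid, s.NeedsRenewal, s.Err)
	}
}
```

In a real deployment the certificates come from the devices or the CA's inventory API rather than being issued in-process, and a NeedsRenewal result triggers re-issuance instead of a printed line.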

About the author: Dan Timpson is DigiCert Chief Technology Officer, responsible for DigiCert's technology strategy and driving development that advances PKI innovation for SSL and IoT customers. Timpson’s team focuses on continuous improvement to deliver a comprehensive digital certificate management platform for DigiCert customers that includes standards-based, automated certificate provisioning for devices and APIs for seamless integration with third-party systems.


Hackers Wreak Havoc in 2017, is 2018 Ready to Battle?

With a new year upon us, it’s time to reflect back on a rather turbulent 365 days in the cybersecurity space. Between leaked Game of Thrones episodes, WannaCry ransomware and new strains of the Mirai Internet of Things botnet, cyberattacks reached alarming heights in 2017. This increases the burden on companies to adapt to a rapidly changing threat landscape.

So, what will 2018 look like?

IoT must brace for impact

IoT adoption has exploded in 2017 and shows no signs of slowing. Gartner predicts that 20 billion devices will be connected to the internet by 2020. One of the most worrisome aspects of the IoT explosion is just how susceptible these devices are to hacking. Many devices rely on default passwords that often go unchanged, making them easy targets for hackers to gain access. Hackers are creating armies of nefarious botnets comprised of hundreds of thousands of devices to use in DDoS attacks against organizations around the world. Healthcare is particularly vulnerable to IoT hacking — connected medical devices are hard to update and often run on older versions of operating systems. As manufacturers bring new IoT devices to market, they must make security a priority. The current state of mind of ignoring basic security measures threatens the security and stability of the internet as a whole.

Hacker motivations shift from curious to criminal

Hacker motivations have moved from the curious individual to organized crime and nation state actors, where hacking is a day job. We’ve long suspected this would be the case, but it’s becoming increasingly clear that the level of sophistication and tenacity shown by these attackers is far beyond opportunistic hacking. It becomes the source of a paycheck, which is both good and bad for defenders. On one hand, hacking as a salaried job often gives attackers less motivation to push boundaries and find new vulnerabilities, meaning they will reuse the same proven tactics. However, this new breed of attackers benefits from having greater resources and more confederates to help build out specific tools. When push comes to shove, organized hackers will be much more dangerous than individuals or small groups could ever be.

Security Biometrics are still a mixed bag

New and innovative security solutions, such as biometrics in the form of touch and Apple's Face ID, are gaining momentum as an option to protect personal data. But the effectiveness of biometrics is still up for debate. When a system containing your biometric data is compromised, you cannot change a thumb print in the same way you can change a password. Additionally, the complexities surrounding individual health data are increasingly becoming a concern. Activity trackers like Fitbits and Apple Watches are the quintessential example, allowing us to record heart rate, blood pressure and more. But that data can be used against us, either by someone who steals the data or by an employer who legally collects the data and decides an employee is a health risk. There are years of wrangling to come from the legal and ethical standpoint of this data.

If 2017 taught us anything, it’s that we have a long way to go to get ahead of adversaries. The biggest impact a security team can make in the new year is to understand how effective their protections are against the evolving threats. The controls that were seen as effective in 2017 might no longer be what’s needed to protect against the threats 2018 will bring.



Global Security Threats You Need to Know About in 2018

In the year ahead, businesses of all sizes must prepare for the unknown so they have the flexibility to withstand unexpected and high impact security events. To take advantage of emerging trends in both technology and cyberspace, businesses need to manage risks in ways beyond those traditionally handled by the information security function, since new attacks will most certainly impact both shareholder value and business reputation.

After reviewing the current threat landscape, there are five dominant security threats that we at the Information Security Forum believe businesses need to prepare for in 2018. 

These include, but are not limited to:

  • Crime-As-A-Service (CaaS) Expands Tools and Services
  • The Internet of Things (IoT) Adds Unmanaged Risks
  • Supply Chain Remains the Weakest Link in Risk Management
  • Regulation Adds to Complexity of Critical Asset Management
  • Unmet Board Expectations Exposed by Major Incidents

We’ve provided an overview for each of these areas below:

1. Crime-As-A-Service (CaaS) Expands Tools and Services

Criminal organizations will continue their ongoing development and become increasingly more sophisticated. The complex hierarchies, partnerships and collaborations that mimic large private sector organizations will facilitate their diversification into new markets and the commoditization of their activities at a global level. Some organizations will have roots in existing criminal structures, while others will emerge focused purely on cybercrime. Organizations will struggle to keep pace with this increased sophistication and the impact will extend worldwide, with cryptoware in particular becoming the leading malware of choice for its threat and impact value. The resulting cyber incidents in the coming year will be more persistent and damaging than organizations have experienced previously, leading to business disruption and loss of trust in existing security controls.

2. The Internet of Things (IoT) Adds Unmanaged Risks

Organizations will adopt IoT devices with enthusiasm, not realizing that these devices are often insecure by design and therefore offer many opportunities for attackers. In addition, there will be an increasing lack of transparency in the rapidly-evolving IoT ecosystem, with vague terms and conditions that allow organizations to use personal data in ways customers did not intend. It will be problematic for organizations to know what information is leaving their networks or what data is being secretly captured and transmitted by devices such as smartphones and smart TVs. When breaches occur, or transparency violations are revealed, organizations will be held liable by regulators and customers for inadequate data protection. In a worst-case scenario, when IoT devices are embedded in industrial control systems, security compromises could result in harm to individuals or even loss of life.

3. Supply Chain Remains the Weakest Link in Risk Management

Supply chains are a vital component of every organization’s global business operations and the backbone of today’s global economy. However, security chiefs everywhere are concerned about how open they are to an abundance of risk factors. A range of valuable and sensitive information is often shared with suppliers and, when that information is shared, direct control is lost. This leads to an increased risk of its confidentiality, integrity or availability being compromised. In the coming year, organizations must focus on the weakest spots in their supply chains. Not every security compromise can be prevented beforehand, but being proactive now means that you — and your suppliers — will be better able to react quickly and intelligently when something does happen. To address information risk in the supply chain, organizations should adopt strong, scalable and repeatable processes — obtaining assurance proportionate to the risk faced. Supply chain information risk management should be embedded within existing procurement and vendor management processes. This readiness may determine competitiveness, financial health, share price, or even business survival in the aftermath of a breach.

4. Regulation Adds to Complexity of Critical Asset Management

New regulations, such as the European Union General Data Protection Regulation (GDPR), will add another layer of complexity to the issue of critical information asset management that many organizations are already struggling with. The GDPR aims to establish the same data protection levels for all EU residents and will focus on how organizations handle personal data. Businesses face several challenges in preparing for the reform, including a widespread lack of awareness among internal stakeholders. The additional resources required to address the obligations are likely to increase compliance and data management costs while pulling attention and investment away from other important initiatives. In the longer term, organizations will benefit from the uniformity introduced by the reform. But it is not just in the area of privacy where legislation will bite. The increasing burden of compliance and legislative variances across jurisdictions will increase the burden for multi-nationals and those businesses targeting international trade.

5. Unmet Board Expectations Exposed by Major Incidents

Boards will expect that their approval of increased information security budgets will have enabled the Chief Information Security Officer (CISO) and the information security function to produce immediate results. However, a fully secure organization is an unattainable goal, and many boards are unaware that making substantial improvements to information security will take time – even when the organization has the correct skills and capabilities. Consequently, the expectations of boards will quickly accelerate beyond their information security functions’ ability to deliver. Misalignment between a board’s expectations and the reality of the security function’s ability to deliver will be most cruelly exposed when a major incident occurs. Not only will the organization face substantial impact, the repercussions will also reflect badly on the individuals and collective reputations of the board members.

Don’t Be Left Behind

Today, the stakes are higher than ever before, and we’re not just talking about personal information and identity theft anymore. High level corporate secrets and critical infrastructure are constantly under attack and organizations need to be aware of the emerging threats that have shifted in the past year, as well as those that they should prepare for in the coming year.

By adopting a realistic, broad-based, collaborative approach to cyber-security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber-threats and respond quickly and appropriately. This will be of the highest importance in 2018 and beyond.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments.


The IT Security Lessons from 2017

George Santayana famously observed that: “Those who cannot remember the past are condemned to repeat it.”  In a year where data breaches escalated, and cyber-criminals found yet more ways to infiltrate the enterprise network, this quote came to mind.

So, as 2017 draws to a close let’s look back over the year and reflect and evaluate past events in cyber security, and understand how they happened, so that we can hopefully prevent them from happening again in 2018.

Data breaches continue to happen

As I have already alluded to, data breaches increased in number and severity over the past year. People may have become desensitized to the news, but the number of personal records stolen or lost is staggering. In 2017 alone Uber, Amazon, the US Government, Equifax and Yahoo – to name just a few – all experienced breaches, and there seemed to be another high profile case every month. Investigating and remediating these incidents is costly, with the latest estimates placing the cost of the Equifax breach at $110 million alone.

Additionally, we saw simple configuration mistakes leading to breaches in Amazon Web Services. Financial publishing firm Dow Jones & Company and military intelligence agency, INSCOM, for example, left their Amazon S3 buckets accessible and available to any AWS user.
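As an added example (not from the original article), here is a Go check that reads a bucket ACL in the JSON shape printed by `aws s3api get-bucket-acl` and flags grants to the predefined AllUsers (anonymous) and AuthenticatedUsers (any AWS account) groups, which is the exposure described above. The sample ACL and its owner ID are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// These types mirror the JSON that `aws s3api get-bucket-acl` prints.
type Grantee struct {
	Type        string `json:"Type"` // "CanonicalUser" or "Group"
	ID          string `json:"ID,omitempty"`
	DisplayName string `json:"DisplayName,omitempty"`
	URI         string `json:"URI,omitempty"`
}

type Grant struct {
	Grantee    Grantee `json:"Grantee"`
	Permission string  `json:"Permission"`
}

type BucketACL struct {
	Owner  Grantee `json:"Owner"`
	Grants []Grant `json:"Grants"`
}

// Predefined S3 groups that reach outside the owning account.
const (
	allUsersURI           = "http://acs.amazonaws.com/groups/global/AllUsers"
	authenticatedUsersURI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
)

// Finding is one grant that lets principals outside the owning account act on the bucket.
type Finding struct {
	Audience   string // "anonymous" or "any AWS account"
	Permission string // READ, WRITE, READ_ACP, WRITE_ACP or FULL_CONTROL
}

// ExposedGrants lists the grants in acl made to AllUsers or AuthenticatedUsers. A bucket
// "available to any AWS user", as in the incidents above, shows an AuthenticatedUsers grant.
func ExposedGrants(acl BucketACL) []Finding {
	var out []Finding
	for _, g := range acl.Grants {
		if g.Grantee.Type != "Group" {
			continue // canonical-user grants are scoped to one specific account
		}
		switch g.Grantee.URI {
		case allUsersURI:
			out = append(out, Finding{"anonymous", g.Permission})
		case authenticatedUsersURI:
			out = append(out, Finding{"any AWS account", g.Permission})
		}
	}
	return out
}

// AuditACLJSON parses raw ACL JSON and returns the exposure findings.
func AuditACLJSON(raw []byte) ([]Finding, error) {
	var acl BucketACL
	if err := json.Unmarshal(raw, &acl); err != nil {
		return nil, fmt.Errorf("parse ACL: %w", err)
	}
	return ExposedGrants(acl), nil
}

// Constructed sample: the owner keeps full control, but READ has also been granted to every
// authenticated AWS account. The s3/LogDelivery grant is legitimate and is not flagged.
const SampleLeakyACL = `{
  "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID", "DisplayName": "example-owner"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID",
                 "DisplayName": "example-owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
     "Permission": "WRITE"}
  ]
}`

func main() {
	findings, err := AuditACLJSON([]byte(SampleLeakyACL))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("EXPOSED: %s has %s on this bucket\n", f.Audience, f.Permission)
	}
}
```

Bucket policies and per-object ACLs can grant access independently of the bucket ACL, so a clean result here does not on its own mean the bucket is private.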

Scrambling for GDPR

2017 saw businesses scrambling to gear up for the General Data Protection Regulation (GDPR) which will come into force in May 2018. It will apply to organizations that are based in or operate across the EU, or which have operations, customers, suppliers or partners within the EU.

Under the GDPR, regulators can fine organizations if they fail to adequately safeguard customer data against a breach or fail to report it to the supervisory authority within 72 hours. The fine can be up to €20m, or 4% of the firm’s annual turnover – whichever is greater – which clearly gives regulators a very large stick to use on companies that do not comply.

What is yet to be seen is how the European regulators decide to exercise their legal powers. Come May 25th we might see investigations and fines handed down to any company that loses personal records, and we could see jurisdiction fights as European regulators try to fine businesses that are based in the US. Equally, the threat of large penalties may not be realized: it will be interesting to see how it all plays out.

IoT and the bots

Throughout 2017, attacks on IoT systems were rife, and I believe they will only increase in 2018. At the heart of many of these attacks were botnets, which were deployed to hundreds of thousands of IoT devices. In 2017 we saw new variants of the Mirai botnet, including Reaper, and new botnets like Satori, all of which specifically targeted IoT devices.

By increasingly allowing IoT devices onto their enterprise network, enterprises are also offering an open back door for bot attacks. Worryingly, recent estimates suggest that up to 75% of organizations globally are infected by bots, and with IoT devices set to increase, we certainly haven’t seen the worst of it yet.

Indeed, Gartner estimates that 8.4 billion devices were connected to the internet in 2017, and a further 2.8 billion will be connected in 2018. These new IoT devices usually have little to no security controls built in, so every additional internet-controlled thermostat, door lock, vending machine or air conditioning unit that goes online is another attack vector available to attackers.

To prevent bots working their way onto your enterprise networks, make sure to use up-to-date anti-malware and implement layered defenses to limit their lateral movement if they do manage to infiltrate the network. Additionally, next-generation firewalls can monitor network traffic, look for suspicious activity, block suspicious traffic and cut infected devices off from their command and control servers. Intelligent network segmentation, separating IoT devices from the rest of the network, will also help to mitigate risk.

Ransomware is here to stay

2017 was also the first year that businesses globally felt the full force of major ransomware attacks. WannaCry impacted businesses and public services across the globe, Cerber convinced many victims to pay up to unlock their encrypted files, and NotPetya claimed many victims including US based pharmaceutical giant Merck, causing at least $300 million of damage.

Threatened by the loss of potentially sensitive files that may not be backed up, some businesses have been paying the criminals’ ransom demands. But of course, paying the attackers not only funds criminal activity, it fuels further attacks. So, ransomware is far from behind us.

As with bots, there are numerous security best practices that can prevent, or at least greatly reduce, the impact of the next ransomware attack, including segmenting the network, regular data backups, patching, and security awareness training for employees.

The reality is that data breaches, botnets, ransomware and human errors won’t be going away anytime soon, and organizations must remain vigilant. But by looking back at the events of 2017, IT teams can take steps to reduce the chances of falling foul of these attacks moving forward. After all, learning from history can help stop events from repeating again in the future.

About the author: Professor Avishai Wool is the CTO and co-founder of AlgoSec.


Reclassifying Semi-Auto Rifles under the National Firearms Act

I originally wrote this article in summer 2016, and have been revising and tweaking it every time there’s a mass shooting in the news. This has been a lot lately. It has become a very sad and depressing thing to constantly bump the date on this content, knowing that it will simply fall on deaf ears again and again. Some days it feels as though the value our country puts on human life is so very little. It gets harder and harder to convince myself that there is still good in our society, but in the midst of these horrifying tragedies, the good still manages to emerge.

I’ve been a long-time responsible gun owner, by the old definition of what that used to mean. Like a vast majority of them, I’ve wanted more controls on semi-automatic rifles – particularly assault rifles – for a long time. Indeed, there’s Kool-Aid on both sides about assault weapons, and both have some questionable notions about them. The extreme left seems to have developed an irrational fear and hatred of all guns and the extreme right believes the only solution to guns is more guns and more people learning to use them (something that didn’t help the Fort Hood victims one bit). Consider this alternative perspective from someone who’s spent over 15 years shooting and working on guns, obtained NRA certifications to supervise ranges and carry concealed weapons, and up until a few years ago – when I sold the rights to it – produced the #1 ballistics calculator in the App Store.

There is a lot to chew on here, but if you follow this article to the very end, I think you’ll see how it all comes together to a solution that would address this very complex problem should Congress ever act. It’s important first to lay the groundwork necessary to build up to these working points.

Different From Any Other Rifle?

One of the key claims the gun industry makes is that an assault rifle is only cosmetically different from any other rifle – this is fundamentally untrue. They are very different from a functional and design perspective, as are other rifles that have been designed as weapons systems for combat. This class of rifle is designed as a modular weapons system to make parts field-replaceable, and can be modified into different configurations based on combat needs. This makes them difficult to define by specific features, but also easy to modify into more lethal (and often outlawed) forms.

From a ballistics perspective, assault rifles were originally designed with military ammunition in mind; this ammunition has very different properties from typical hunting ammunition. Assault rifles are typically chambered for high velocity, lightweight rounds, originally designed to wound at medium range rather than kill – because a wounded soldier is more expensive than a dead one. They fragment and tumble inside the body upon impact, causing severe internal damage far beyond the initial point of impact. In contrast, hunting ammunition is often lower velocity, heavier ammunition designed to avoid tumbling or fragmenting, in order to ensure the necessary amount of ballistic energy is concentrated into the strike radius of the target. The ammunition commonly used in assault rifles typically over-penetrates at close range, making them terrible for home-defense or even hunting applications, but the weapon of choice for causing severe physical damage.

Comparison of the difference in energy between a typical military round (top) and a popular hunting round (bottom). At close range, such hunting rounds have more than twice the energy of the military round, but travel at a much slower velocity. The material composition of these rounds is designed to concentrate the energy into one region of the animal, rather than fragment and tumble, which would cause severe internal damage (and ruin the game). By contrast, military rounds are lighter and fragment, causing severe internal damage; their only effective use is in combat scenarios. Some attempts have been made to make the platform more hunter-friendly by chambering certain models for popular hunting rounds, such as the .308 Winchester or .300 Beowulf; however, the vast majority of rifles are still chambered for, and the barrels still pressure-rated for, the original NATO-spec combat ammunition.

Cycling and Heat Dissipation

Assault rifles are typically designed to cycle quickly to allow for rapid fire, and like most infantry weapons, do so without a significant risk of overheating due to their barrel design. Infantry rifles have barrels that are designed to dissipate heat quickly to withstand rapid fire without degrading, and can tolerate the higher pressures needed in order to shoot high-velocity rounds. Direct impingement, one of a few popular systems used in assault rifles, uses the blowback from the round to cycle the action quickly by injecting the gas directly into the bolt carrier, allowing the firearm to be designed lighter and shorter (more compact) than conventional piston-operated rifles, and can fire more rounds over the life of the firearm with reduced wear. Both the barrel materials, as well as techniques such as chrome-lining help further lengthen life and reduce the corrosion and wear caused by high rates of fire and subsequent overheating combined with the high pressure of the round.

In contrast, hunting rifles typically overheat after a small number of rounds, and lose accuracy quickly by design due to the cost and lightweight carry needs, balanced with hunting regulations often limiting the hunter to three or five rounds anyway. The action found in most hunting rifles is bolt, lever, or sometimes pump … bolt typically offering the most consistency, tightest chamber, and least amount of internal movement (all of which affect accuracy). A bolt action doesn’t generate movement while the bullet is leaving the barrel, including of the casing, which is held in place, and it doesn’t need to absorb energy or redirect gas to cycle the next round, allowing each shot to remain perfectly consistent. Bolts allow for a lighter trigger pull without affecting safety, and are usually considered the most reliable of all types of actions.

Recently, accurized versions of semi-automatic rifles have come onto the market that can match a bolt action in performance, while lacking the other benefits mentioned. This again has been more of a propaganda strategy by the industry to usher military style firearms into the hunting community to legitimize them.

Detachable Magazines

Lastly, assault rifles accept a detachable magazine that allows for quick reloading in combat, but serves no practical purpose elsewhere. There are some low capacity hunting magazines; however, even these seem to have their origins in shorter military magazines designed for prone firing. A majority of hunting rifles are direct loaded through the chamber for best accuracy, or loaded into an internal magazine, which satisfies virtually all sporting needs.

Some would argue that AR15s are used by hunters; however, this is part of a larger inside effort to justify assault rifles by means of adoption into the hunting community. A hunting version of an AR15 could be made functionally less lethal as hunters are limited to five rounds; this would look more like a California compliant AR15, in which the magazine well is welded shut, and the rifle would have to be manually loaded with five rounds at a time. If hunters insist that they require the AR15 platform to hunt a deer, the detachable magazine can and should be eliminated from the design to justify this. California has already proven this is possible, and the rifle cannot accommodate a 30rd magazine, even if one were purchased or 3D printed.

So in spite of the propaganda to the contrary, military rifles have quite different functional characteristics from your average rifle, and if they weren’t more deadly than a hunting rifle, there wouldn’t be such a market for them among die-hard survivalists, anti-government militias, or misguided home defense users. If assault rifles weren’t so effective at killing, people wouldn’t rush out to panic buy them every time a democrat is elected, or any time there is civil unrest.

Little Justifiable Use

My gun collection is a lot smaller than it used to be. I used to own several of the AR-15s I’m referring to, as well as AR-10s (the .308 version of an AR-15). Some people buy them either because they’re ex-military and comfortable with the platform, but many more mistakenly for home defense, or for various domestic war scenarios (militia, civil war, invasion, disasters, and other doomsday plans). I bought mine because they’re fun to shoot at the range, and I was fascinated by the platform. I have extensive experience with how they work, how they don’t work, how to rebuild one, how to be safe with one, and how to disarm someone being reckless at the range with one. Unfortunately, most aren’t this well versed when they purchase an infantry rifle, and probably don’t know very much about them, or how to be safe with them. At the end of the day, a rifle being “fun to shoot” or fascinating isn’t a valid reason to leave them unregulated. After all, silencers and machine guns are fun too, but they are heavily regulated.

Small arms in general (even fully automatic ones) aren’t any good for “defending” a country against a tyrannical government, in spite of what the gun industry has sold as a militia-man image. Our government has taken down countries with armies of full automatics, ground to air missiles, and much heavier weaponry than civilians can legally own in the US. SWAT teams have taken down groups with such weapons within the United States, as well. It is pure fantasy to think that a group of people with these firearms could possibly keep the government “in check” or even at bay for very long. A similar belief is that somehow assault weapons will prevent another genocide. Germany’s solution to Hitler wasn’t to do away with firearms regulation. Germany’s solution to Hitler was a national reckoning, which many are still feeling, and a cleanup of the society by means of denazification through the ongoing occupation and reconstruction of Germany under the Potsdam Agreement. Society was forced to change. Against a Nazi regime, banning gun registration would have had zero impact against a force of evil such as Hitler’s; this is merely another point of propaganda sold by people that haven’t studied history.

I don’t hate guns, but I do hate that anyone can get access to a semi-automatic rifle more easily than they can get certain types of cold medicine. I don’t believe that having sensible controls on access to firearms constitutes tyranny. The nature of society will dictate how much control needs to be applied. As Ben Franklin (who gun owners love to misquote) once said, “Only a virtuous people are capable of freedom. As nations become more corrupt and vicious, they have more need of masters.” Franklin would be rolling over in his grave if he saw the narrative of today’s NRA. We’ve become so desensitized to how violent society in the United States has become that many think this is the peaceful norm. Travel to any other civilized country, and you will be shocked to see what a peaceful people are really like.

Relevant Statistics

Many argue that assault rifles are statistically insignificant. It’s quite true, the number of people killed with rifles is much lower than handguns. What the statistics don’t show is the ratio of random mass homicides between handguns and rifles. Handguns are at the top of the list of homicides in general, but that gap is much narrower when you’re talking specifically about mass murders. When it comes to random mass murders in the United States, not only do more and more lately involve an assault rifle, but the most heinous of all mass murders – those involving school children, public crowds, and other complete innocents – are almost exclusively committed with assault rifles. It is these random massacres that we should be analyzing, not the majority of other homicides that have no bearing on the public at large.

The Assault Weapons Ban

The question, of course, is how you can control access to assault weapons and do it effectively, and in a way that will matter in light of all of the panic-buying that occurs after every tragedy. The Federal Assault Weapons Ban of 1994 was a miserable failure, primarily because Democrats are, by nature, terrible at writing firearms legislation. Future attempts to renew the ban were just as embarrassing, watching our country’s representatives completely fail to even explain the scary features they were banning. As a result of the AWB’s poor construction, gun manufacturers ended up designing slight variants of the popular firearms covered in the ban: for example, an AR-15 with a muzzle brake instead of a flash hider, a fixed stock, and no bayonet lug. While the legislation may have cut back on drive-by bayonetings, it did virtually nothing to remove any of the firearms it banned from circulation. Magazine bans were a similar embarrassment. Due to loopholes in the legislation, large caches of 30rd magazines (and 90rd drums) were easily imported and sold in virtually every gun shop during the ban. During the entire period of the AWB, gun owners sat comfortably with either pre-ban AR-15s or post-ban XM-15s that were identical in functionality, and with a safe full of legally owned 30rd magazines, laughing at the senators who wrote the legislation, who wouldn’t know an assault weapon if they sat on one. Should the same ban be reinstated today, things like magazine bans are even less likely to succeed with 3D printing, and the industry has become much wiser in how to skirt around the “scary features” laws.

Therein lies the core issue: there’s no legal definition for the term “assault weapon” or “assault rifle”; it’s difficult to define, too, because of their modular platform. Outside of the legal world, gun rights activists will tell you that this term is exclusive to machine guns, but even this is simply not true. Consider the AR-15 again: While the “AR-15” is the semi-automatic version of the popular full-auto M-16 rifle (the AR actually stood for “ArmaLite”, the original manufacturer), the military also got quite sick of their soldiers wasting so much ammunition (without hitting anything), and began issuing rifles with either tri-burst mode (instead of “full” auto) or in some cases exclusively semi-auto, along with teaching better marksmanship. All three configurations have been used in combat, and all three are assault rifles by any reasonable definition. Other than minor variations between manufacturers, the only parts that are mechanically different are the fire control components: an auto-sear, an M-16 bolt, and the spur (“J” hook) on the trigger. These components determine whether you get one bullet per pull, tri-burst, or a spray. Gun owners often seek out the Colt 6920 because it’s closest to the milspec of the M-16, and even has the cutout in the lower receiver for an auto-sear, to be converted to fully automatic. To call one of these an assault rifle and not the others because of its configuration is childish, and more Kool-Aid circulated among gun owners.

Requirements for a Solution

The biggest issues in terms of access to assault weapons, or really firearms in general are:

  • Very little identity collected about buyer and/or false identities; most background is declarative: an applicant can simply lie
  • Very little background required to pass a NICS check
  • Nearly instantaneous turnaround
  • No record of private transfers
  • Ban legislation is not retroactive (won’t affect panic buying, 3D printing, or 80% receivers)
  • Don’t want to accidentally ban certain hunting/sporting rifles

The issue with assault rifles isn’t so much their existence; it’s a matter of who’s owning them. There are certainly a large number of responsible gun owners out there who are not committing mass murders. At the same time, there are many disturbed individuals, probably many of whom are already under investigation, or have been in and out of mental institutions, indoctrinated by conspiring militia groups, or have other issues that most of society wouldn’t think should have access to an assault weapon. A handgun to protect themselves? A shotgun? A bolt action? Perhaps (depending on the case) – but an assault rifle? That’s in a different class of its own… capable of killing a much larger group of people in a shorter period of time. Yet we still don’t treat them any differently, legally, than a 12-gauge shotgun, or even a plinker gun.

A Legal Class of Its Own

And that’s the problem: Firearms like the AR-15 really aren’t in any legal class of their own, like machine guns are. The same person who can buy a shotgun for home protection can also buy an AR-15 – a combat rifle (with the exception of the full auto) – capable of killing a lot of people much faster than a shotgun.

In the 1920s and 30s, it was legal to simply buy a machine gun off the shelf, and you could order rifles out of the Sears catalog… organized crime had adopted machine guns like the Thompson submachine gun, and they were used in a number of violent massacres, the most famous being the Valentine’s Day Massacre, which killed seven people. This was addressed with a piece of legislation called the National Firearms Act (NFA). This was augmented over time, including in 1968 (with an import ban), and again in 1986 (banning newer registrations). Essentially, where things stand now is that you can legally purchase a machine gun manufactured prior to 1986, but must go through a rather rigorous process to demonstrate that you are a law-abiding citizen, allow certain information to be collected about you, be fingerprinted, obey certain transportation rules, and essentially register the firearm with BATFE. Wikipedia does a good job explaining the process:

All NFA items must be registered with the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF). Private owners wishing to purchase an NFA item must obtain approval from the ATF, obtain a signature from the Chief Law Enforcement Officer (CLEO) who is the county sheriff or city or town chief of police (not necessarily permission), pass an extensive background check to include submitting a photograph and fingerprints, fully register the firearm, receive ATF written permission before moving the firearm across state lines, and pay a tax.[22] The request to transfer ownership of an NFA item is made on an ATF Form 4.[23] Many times law enforcement officers will not sign the NFA documents. There have been several unfavorable lawsuits where plaintiffs have been denied NFA approval for a transfer. These lawsuits include: Lomont v. O’Neill,[24] Westfall v. Miller,[25] and Steele v. National Branch.[26] In response, fourteen states have enacted laws which require the CLEO to execute the NFA documents, including Utah, Kansas, Arizona, Alaska, North Dakota, Oklahoma, Louisiana, Arkansas, Kentucky, Tennessee, Ohio, West Virginia, North Carolina and Maine.[27][28][29]

In other words, there is already a system in place to perform strict checks of individuals looking to own highly lethal firearms that were at one point considered too dangerous to arbitrarily just sell to anyone at a gun shop. The NFA also applies to silencers, sawed off shotguns, and other types of firearms. There’s also no way to simply lie your way through this check. It doesn’t hinge upon the applicant declaring their background; it is a true background check, and requires a local chief law enforcement officer’s signoff.

The alleged bump-fire components used in Las Vegas were, at one point, controlled by the BATFE under a 2006 decision labeling one such device (the Akins Accelerator) as a machine gun. Why the BATFE didn’t continue to aggressively pursue these newer devices as such is a mystery. When the Akins Accelerator was ruled a machine gun, BATFE went after the customer list and owners were forced to surrender the springs that made them work. Because it’s such a modular platform, however, any new devices to assist with fully automatic fire can easily be developed and attached to an otherwise semiautomatic rifle; 3D printing makes it even easier to create such a bump-fire device. The problem at the core of controlling fully automatic fire, then, is to control semi-automatic fire.

The NFA provides the groundwork for what could serve as a central point of regulation of semi-automatic firearms (and possibly even detachable magazines that hold more than a certain number of rounds), and once in place for semi-autos, could be built upon to impose better background checks or other much needed inspections.

Banning vs. Reclassification

Instead of banning any firearms, classifying any semi-automatic long gun under the blanket of the NFA would cause the same NFA process to be mandated in order for gun owners to own or possess them. If you wanted to be more specific, infantry rifles should be identified with these characteristics:

  • Long gun
  • Semi-Automatic fire control components
  • Accepts either a detachable magazine or a fixed magazine holding more than five rounds
  • Centerfire (optional)

You may also choose to only include centerfire rifles, rather than rimfire (such as little .22 plinker guns). On the other hand, a .22 is all too often treated like a toy when it is lethal as well. There are too many gun owners, in my opinion, who treat .22 like a lollipop and let their kids shoot them in the backyard, when in reality they can do a lot more than put an eye out.

Resolving the Shortcomings of Another AWB

Going the NFA route instead of a ban would resolve the shortcomings of assault weapons legislation. You wouldn’t be banning scary configurations of the same rifle, or trying to fit firearms into a specific taxonomy (which we know is a futile effort). Instead, we’d address the problems of ownership:

  • Very little identity collected about buyer and/or fake identification

Under NICS, you provide only very basic info, and it’s easy to get around a background check if you use a fake ID. Since the gun shop is responsible for taking that information down, fake identification goes a long way. The checks are mostly declarative as well; that is, the buyer has to disclose whether or not they’re disqualified from purchasing a firearm, as in many cases the information is simply not available to NICS due to the limited information provided. Even if they’re not using a fake identity, there’s very little information given: no fingerprints, no photo – the only thing that goes to NICS is a name and address (even a Social Security number is optional), which is one reason things like a dishonorable discharge (as in the case of the recent Texas shooter) don’t show up.

Under the NFA, you also submit a photo and fingerprints and undergo an extensive background check, either to purchase an assault rifle or to register an existing one during an initial “amnesty” window. In many cases, one would also require a letter from the chief of police, etc. To help ensure that the identity is not fake, there is also a transfer fee which requires a payment, and so a check, credit card, or other paper trail will have to exist tying to the individual’s identity.

Here is the link to the ATF Form 4 and the FD-258 fingerprint card.

  • Very little background required to pass a NICS check

The NFA system is more extensive, but can be made even more so on background checks by opening up mental health records and tying into a number of federal databases that NICS presently isn’t very well tied into. NICS checks only go to the feds for long gun purchases, and to the state for handguns. This is why you can buy a long gun in any state, but can only buy a handgun from your home state. Information sharing isn’t so great between the two, from what I’ve heard, and there have been attempts to rectify that.

By looping in the local CLEO (chief law enforcement officer), you have additional local background that can become part of the background check. Were the police called to the applicant’s home 30 times in the past year? Was the child expelled from school for violent behavior? The CLEO can address this before the applicant is ever allowed access to the firearm.

  • Nearly instantaneous turnaround

NFA takes 6-12 months on average, so the applicant won’t be able to take possession of the firearm until after the background check has concluded. This is what happens with machine guns already when purchased from class-3 dealers. Those planning terrorist attacks, such as in Orlando, are going to have to plan well in advance. Also of note, those with escalating violent tendencies may already be on the edge by the time they purchase the firearm, leading to a crime or other event prior to the check concluding, that would disqualify them from ever taking possession.

Since the NFA system doesn’t run at light speed, like NICS does, the time is there to interface with investigatory agencies so that they are made aware when someone under investigation or on a watch list is looking to purchase an assault weapon. This would also result in a mandatory waiting period for assault rifles, but not affect other firearms.

At the moment, NICS is insufficient for information sharing: it’s instantaneous, giving no preparation time, and in many cases, the law forbids the information from NICS to be forwarded to investigative agencies.

  • No record of private transfers
  • Ban legislation is not retroactive (doesn’t affect panic buying)

The Assault Weapons Ban made the mistake of grandfathering rifles. When the NFA first went into effect, however, machine gun owners were given a window where they could register their machine guns. Once that window closed, any unregistered MGs were considered illegal, and there are stiff penalties for possessing an unregistered machine gun. You can’t even bring such a gun to the range because you have to carry it around with the ATF form and a stamp. Many ranges check these if they see a machine gun, and there are also a number of ATF stings and monitoring operations going on at many ranges. In other words, that gun will have to move completely underground, and most gun owners hate that idea. Within half a generation, unregistered assault weapons will end up in the hands of the owners’ children, but they will be in the same boat – subject to prison if they do not turn it in or have it destroyed. This also snuffs out private sales of unregistered assault weapons, as there would be no legal way to register one outside of the initial registration window. In other words, once that window closes, if you don’t register a rifle, it turns into a stolen car – it’s a hot item, and very few are likely to touch it. There is a significant financial incentive for gun owners to register existing firearms, in this case, as all of their panic buying will lose considerable value otherwise.

An all-out ban does nothing to address the millions of firearms already owned; going the direction of the NFA, however, forces all of them to be accounted for, or the owner risks criminal prosecution if they’re ever caught with an unregistered “assault weapon”.

As personal, private transfers go, those of machine guns are also illegal, unless they go through the NFA process for the new owner. In other words, there is a paper trail any time an assault weapon is sold, and the government is aware of who is in possession of it, and has their prints, photo, and other information. Today, you aren’t required to give any account for where a gun came from, whether it was purchased legally, or whether a background check was done – a gun could literally show up on the street, and there is no accountability at all.

3D Printing and 80% Builds

As far as 3D printing and 80% builds go, pretty much anyone can legally build their own semi-automatic rifle today. The gun industry manufactures 80% receivers, which are lower receivers without final machining, just to keep them legal enough to where they don’t constitute a firearm. They can be purchased over the counter (or mail order) without pesky criminal background checks, then completed into final firearms with minor machining. All of the other components of the rifle can then be purchased and assembled into a working rifle, skirting NICS or any other safeguards in place, just like a private sale. They have the added benefit of not needing to be registered (or even engraved with a serial number) unless you sell them; only when you sell them do they require an ATF Form 1. Gun owners have stocked up both on complete lower receivers (which are traceable and engraved) as well as 80% receivers (which are not usually traceable or engraved) in the event of an all-out “ban”, to eventually build out into complete rifles.

The way that NFA restrictions are structured, it prevents gun owners from arbitrarily building their own restricted firearms (for example, machine guns or short barreled rifles) without approval from the ATF (and only manufacturers are ever allowed to build new machine guns). By classifying semi-auto rifles under the NFA, the same restrictions get applied to AR-15s (or other semi-automatic rifles), forcing registration of existing, complete stripped lowers, and banning home-brew builds without registration. All that poor-man’s panic buying will have served little purpose, as every lower receiver will ultimately need to be registered just as a complete rifle would; otherwise it becomes a worthless, unsellable unregistered firearm that the owner can’t even take to the range.

Extending NFA to cover the manufacture of detachable magazines may also help to curb home-brew fabrication.

  • Don’t want to accidentally ban certain hunting/sporting rifles

The BATFE has the ability to issue rulings and make exceptions for specific hunting / sporting rifles they don’t want to consider assault weapons. Their ruling process occurs in writing and they’ve handed down a number of specific rulings as new products are introduced (they’ve done this with machine guns, silencers, and other items already covered under NFA). This allows legislation to be drafted broader, so that it can be imprecise enough to cover all semi-automatic long guns with detachable magazines (for example), but grant the power to the BATFE to make exceptions for any rifle they believe falls more into a “hunting” category.

Would it Have Made an Impact?

Based on what facts are available, it would have likely prevented the most recent school shooting in Parkland, FL at a number of different points (including, likely, the local CLEO declining to sign off). It would have prevented a number of other recent shootings where there were signs of mental health issues, dishonorable discharge, and other trails on record that the BATFE would have seen during their background check.

Paddock, the Las Vegas shooter, bought 33 guns in the 12 months leading up to the shooting; some reports suggest he made a bulk purchase in 2016. The NFA process is slow and often takes six months or more to obtain a single tax stamp; along with a $200 tax stamp fee, fingerprints for every application, an extensive background check, and other delays, it’s likely Paddock would have been able to transfer only a small number of semi-automatic rifles within that time frame, assuming he passed all checks and wanted to go through the hassle. He obviously didn’t want to go through the hassle, though: Paddock chose a low budget means of obtaining full auto fire; a means that the ATF had flirted with outlawing, but didn’t follow through on. He could have purchased real (and more reliable) full auto machine guns under the NFA, but he didn’t. Had he made several purchases, it would have put him on BATFE’s radar. Instead, he stayed off the grid by “hacking” together a less reliable, slower-firing version of a full auto. If semi-automatic rifles had fallen under the NFA program, there’s a good chance he would have had the same aversion to the NFA process as he obviously had with buying machine guns, and not purchased semi-auto rifles. His goal was to avoid detection.

The economics of the NFA could also have had a powerful effect on most recent mass murders. During and after machine gun registration under the NFA, and particularly after new registrations were closed off in 1986, the prices of those firearms were driven up substantially, to 10-20 times their original price. A full auto machine gun today costs anywhere from $10,000 to $20,000 to purchase simply due to supply and demand. Semi-automatic rifles, had they fallen under the NFA, could become an issue of supply and demand, making them both more difficult and more expensive to get hold of. In other words, assault rifles become an exclusive item. By this alone, the NFA would have unquestionably prevented several other mass murders from occurring, likely including Sandy Hook.

Even without the economic effects, however, the simple fact that the process requires both government visibility and accountability would have prevented a number of criminals from otherwise taking possession. The more thorough background check element of the NFA would have prevented the recent Texas church shooting; here, the shooter had already been denied a concealed carry permit due to such a background check, yet was still able to purchase the rifle. Had the rifle been under NFA, he wouldn’t ever have been allowed to take possession of it. Obviously, there’s something in the system about him that was enough to fail a background check had he been put through a real one.


I’ve watched the gun community change dramatically over the years, and today’s gun culture is far detached from the once even-tempered, responsible gun owner that is its heritage. The beliefs that gun owners hold to as truths today are not rightfully the values of the founding fathers, but rather a product of good marketing. While the NRA has long spent hundreds of millions selling the freedom loving militia-man image to gun owners, founding fathers like Ben Franklin took the position that the more vicious people became, the heavier regulation they required. A recent study concluded that the people who feel most empowered by guns are white, socially alienated, financially unstable individuals who have a strong belief that violence against government may be necessary, and oppose mental health checks. This is exactly the crowd today’s NRA seems to be catering to.

The gun industry, meanwhile, manipulates many into buying more of their products to protect themselves from the gun crimes that happen in this country they helped create. They’ve lobbied to make sure criminals can get firearms so that they can sell the same firearms to others to protect themselves against the criminals: this is not far from how organized crime operates.

The belief that our identity as a country somehow has to be intertwined with the right to kill each other is the biggest fallacy we’ve ever been sold by capitalism. This faulty belief system is largely why nothing has moved in legislation for decades, even in light of ongoing random acts of mass murder in this country. Sandy Hook was really the point of no return for our country. As we watched our government and NRA’s non-response to the murder of 20 school children, I knew then and there that we’d never do anything meaningful to control mass murder in this country. Sandy Hook was the day politicians and lobbyists alike demonstrated they had no soul. At the end of the day, this is not a patriotic battle we’re fighting, it’s a battle of industry dollars.

The end result of reclassifying semi-automatic rifles is that you are not denying gun owners what they perceive as their right to own these firearms, nor do you have to care about all of the panic buying that happens every time there is a massacre. Let people panic buy all they want. The NFA can be applied in a fully retroactive way, as it was with machine guns. It requires no attempt at confiscation (which would fail miserably), and gives responsible gun owners a window to decide whether they want their assault rifles enough to submit to reasonable accountability.

The far right in the gun community will argue that this is tyranny, and that the people should be given absolute power. I disagree. We are not living in Hitler’s Germany, and if we were, that mindset would have been on the wrong side of history. If you’re going to possess an infantry rifle, you ought to be subject to some accountability by those entrusted with governing the people. The ones who don’t think they should be accountable to anyone are the ones who shouldn’t own guns.

More people have died from gun violence in this country than in all of our major wars combined. Think about it: This means more people have died because of gun rights than all the people who ever died for gun rights. Unacceptable. What’s more unacceptable is that it only took the murder of seven (7) individuals in the Valentine’s Day Massacre to get the ball rolling for the NFA and its sweeping gun legislation… yet 58+1 died in the Vegas massacre, 28 in Texas, 17 in Florida, and we’ve lost whatever humanity we once had to even bat an eye.

The fact that we are only into February and have already had 18 school shootings this year is a sign of just how ineffective our government has become. The fact that politicians are dodging the issue yet again is evidence of just how soulless they are.

God will judge us all if we continue to allow this.
