April 8, 2016

Instant messaging service WhatsApp has now announced that it will use end-to-end encryption to scramble all users’ communications and ensure they can only be decrypted by the recipient’s device. This has huge implications for intelligence agencies, as we are only too aware following the FBI/Apple dispute over the San Bernardino gunman’s iPhone. Public opinion is generally divided over end-to-end encryption, although security experts around the world are reluctant to weaken encryption mechanisms to allow security agencies to read communications. Here to comment on this news is Richard Anstey, EMEA CTO at .

Richard Anstey, EMEA CTO at : “This announcement by WhatsApp reflects a growing consumer awareness of the purpose and merits of encryption. It’s a win for privacy advocates, but undoubtedly a cause of frustration to governments across the world. Following the Apple/FBI scandal, and the return to prominence of the Snooper’s Charter in the UK, encryption has been pushed into the mainstream despite encryption algorithms having been around for years. End-to-end encryption is a very simple concept: as soon as a message leaves a sender’s device, the characters are scrambled into a series of letters and numbers which mean nothing to everyone except the recipient, who holds the only key that can now interpret the message.

“End-to-end encryption is already posing a problem for intelligence agencies, which are pushing for “backdoors” to decrypt messages between terrorists, some of which may be exchanged on WhatsApp. However, security experts across the world – including myself – are very reluctant to weaken encryption mechanisms, because this would have a wider knock-on effect in day-to-day life – both personal and professional. It can cause all sorts of sensitive information to become less protected from hackers, criminals and unfriendly nation states.”

About Intralinks

Intralinks (NYSE: IL) is a leading, global technology provider of secure enterprise content collaboration solutions. Through innovative Software-as-a-Service solutions, Intralinks software is designed to enable the exchange, control and management of information between organisations securely and compliantly when working through the firewall. More than 3.1 million professionals at 99% of the Fortune 1000 companies have depended on Intralinks’ experience. With a track record of enabling high-stakes transactions and business collaborations valued at more than $28.1 trillion, Intralinks is a trusted provider of easy-to-use, enterprise-strength, cloud-based collaboration solutions.
April 7, 2016

Malware continues to be a growing and increasingly costly risk to mobile users today, with one in every 30 mobile browsing transactions and one in every seven mobile app sessions proving to be potentially harmful. In fact, roughly 5.9 percent of subscribers encounter a risky website every day, with threats delivered through the URLs and mobile apps that users access daily, according to our . Even more concerning is that teens and children are especially vulnerable as the proliferation of mobile devices, online activity and app activity increases dramatically. And because mobile is ingrained in all we do and how we live, it has become increasingly difficult to identify and mitigate the growing volume of attacks targeted at this vector.

While there are vendors who represent various parts of the ecosystem and focus on everything from mobile device management (MDM) to endpoint security, communication service providers (CSPs) are in a unique position in the industry because they are at the heart of the digital experience and can stop threats at the network level. CSPs have access to a goldmine of network user data that can be used to better understand a range of user profiles when it comes to risky behavior. When armed with relevant data, CSPs can gain insights into who might be most susceptible to engaging with sites that may contain malware, spyware or phishing scams, and intervene with network-based solutions that minimize that user’s specific risks.

By offering network-based security services, CSPs have the opportunity to provide added value to their subscribers and protect users based on their personal mobile habits and behaviors. At the same time, they gain a unique opportunity to monetize the network, increase ARPU and even reduce churn.

What’s the big deal?

In large part, mobile security is an afterthought for consumers and business people who don’t have the time to manage multiple subscriptions, update to the latest software version or worry about where they click (even if a link appears to come from someone they trust). Unlike the situation on fixed networks, only some regulators require mobile operators to provide basic security against mobile malware; the large majority do not. And while every mobile user is at risk, no two users are alike in their risky behavior and, in turn, in the security measures they need to remain safe.

What user profiles are at the greatest risk?

We found that on average, mobile subscribers have about 72 interactions on three different websites on any given day. Whether it be a social networking platform, a trending game, a news application or an e-commerce website, every time a user touches content on a website or mobile app, they leave themselves vulnerable to attack. The key to understanding who is at risk is the ability to accurately identify profile groups that represent common mobile user perceptions, expectations and behaviors. Segmenting mobile subscribers by demographics and usage classifications can help CSPs determine the types and level of security risks each customer might encounter within the network as they go about their typical daily business.

When you get down to the data, there are some interesting trends around which profiles are at greatest risk, and it might not be who you most expect. According to conducted by Allot Communications, business people display the riskiest online behavior, with 79 percent of businessmen and 67 percent of businesswomen using potentially risky mobile apps on a daily basis. These numbers are followed closely by youths and millennials, 67 percent of whom also access questionable apps on a regular basis, putting their mobile devices and personal information at risk.

While mobile app downloads are often protected, their outgoing use is not, fooling some users into believing they are using harmless apps when in truth they leave themselves susceptible to mobile threats with each and every use. Take clicking a link in a social app such as WhatsApp, for example: while the app download itself is protected, accessing that outside link may not be.

Why is this important?

More and more, CSPs are faced with the task of keeping their subscribers secure from an oncoming slew of cyber threats that continue to increase in both size and sophistication. Fortunately, CSPs can be highly effective when it comes to halting cyber attacks. In the face of widespread, emerging and more persistent online threats, operators can use subscriber data to protect users from malware and other Internet-borne threats that can harm reputation and productivity, damage mobile devices, compromise personal data and cause financial loss. When armed with relevant data about customer behavior (for example, knowing whether the user is a businesswoman on the go or a child accessing educational apps), CSPs are able to engage with subscribers to identify how to minimize their specific security risks.

With the insider knowledge available through subscriber data comes the ability to offer individualized security services that protect subscribers from harmful malware. CSPs can provide services ranging from network-based anti-malware to parental controls to protect consumers against cyber attacks that can cause the loss of personal and professional content. For example, rather than providing security per app, safeguarding users at the network level allows security measures to provide a protective blanket over all mobile online activity. With access to a user’s unique mobile preferences and use cases, and the ability to analyze each individual, CSPs are better positioned than ever to protect their subscriber base.

This not only secures the users themselves, but also gives CSPs a competitive advantage over providers that are not using this critical user data to fight off threats to user privacy and content. By analyzing network data, filtering users into highly targeted categories, and offering network security that provides an umbrella over users’ complete online activity, CSPs gain a major advantage when it comes to thwarting cyber crime in their networks and keeping users consistently protected in the face of malware.

About Yaniv Sulkes

Yaniv Sulkes is a telecommunications professional who has been engaged in designing, developing, productizing and marketing industry-leading solutions for over 15 years. Sulkes currently serves as AVP of marketing for Allot Communications. Prior to Allot, Sulkes managed a large-scale telecom engineering project and served in different software engineering capacities. Sulkes has an M.Sc. in Electrical Engineering and a B.Sc. in Industrial Engineering and Management from Tel Aviv University.
April 7, 2016

According to a ServiceMax survey, 75 per cent of people typically call out a field service technician because the product has broken, not for maintenance purposes. What this means for field service professionals is that when a customer calls, they are likely to need a rapid fix. That’s why the first-time fix rate is the holy grail of field service providers. As head of managed service provider IT Specialists (ITS), I’ve found that to keep second site visits to a minimum and improve the customer experience, field service managers should avoid the following mistakes.

Mistake #1: Inefficiently Managing Spare Inventory

The ServiceMax survey referenced above indicated that if an engineer had to return to the customer site, 61 per cent of the time it was because the technician didn’t have the parts needed to solve the issue. At ITS, we solve this problem by assigning engineers to four regions across the UK. We also use nine regional depots located across the country, which enable engineers to store and collect replacement parts quickly for customers. This strategy has enabled us to offer low on-site response times tied to service level agreements and to achieve a first-time fix rate greater than 92 per cent (according to Aberdeen Group, the average for best-in-class field service organisations is 88 per cent).

Mistake #2: Mismanaging Engineers’ Skills

Investing in training and additional certifications widens the organisation’s pool of engineers who are equipped to work on particular equipment or software. To ensure each assignment is a proper fit for the engineer’s skills and certifications, the business should approach the dispatch process methodically and strategically. For example, senior engineers can use their experience with the business and their familiarity with engineers’ capabilities to schedule site visits.

Mistake #3: Not Offering Preventative Services

Even better than achieving a first-time fix is preventing a system malfunction in the first place. This is particularly important if the customer has recovery time objectives to meet for business continuity and disaster recovery purposes. At ITS, we use the remote management tool N-able, which is installed on the customer’s servers and desktops and allows us to monitor most of the customer’s systems. If a potential issue occurs, our technical support team can respond to it before the customer is even aware it exists. For example, we use N-able to manage printers for Howden’s Joinery, a UK-based manufacturer and supplier of kitchens and joinery products. Previously, Howden’s printers were not networked, consumables were unmonitored, supply replenishment was not automated, and paper use was not cost-effective. Having networked the printers and implemented monitoring software, we are now able to address any issues with the printers and manage the supply of consumables.

Mistake #4: Succumbing to Business As Usual

It’s all too easy to fall into a routine of performing a process a certain way because “that’s how we’ve always done it,” but it’s important to continually generate fresh ideas and solutions for business challenges. The organisation could hold a monthly review meeting where heads of department review the past month’s performance and conduct real-time SWOT analyses on every aspect of the business. The meeting could encompass performance reviews, business threats, resource planning, development opportunities, and statutory and legal responsibilities. ITS uses these meetings to generate innovative ways to solve client problems as well. For instance, road freight company Baxter Freight wanted us not only to provide new hardware and build a network but also to brainstorm ways to future-proof their business. The plans had to benefit both ITS and Baxter Freight, with products that were cost-effective for both businesses. Working together, the ITS team created a strategy for improving Baxter Freight’s business resilience. The strategy included plans to adopt larger products, such as a managed cloud-based disaster recovery as a service platform, as the business became more established.

Mistake #5: Failing to Familiarise Engineers With Product Offerings

Whether engineers are supporting a product sold by the organisation or providing a service offered by a managed service provider (MSP), they need to be familiar with all the products and services the organisation provides. Using this knowledge, the engineer can suggest other solutions to the client’s unique business challenges. For instance, an MSP’s engineer might go on-site to repair a server and hear the client mention that the organisation is having trouble coping with data sprawl and is considering virtualising some of its environment. The engineer knows that the MSP offers cloud-based infrastructure as a service (IaaS), so the engineer can suggest that as a solution. While plugging services that are unrelated to field service might seem counterproductive, doing so shows the customer that the organisation is able to meet the client’s business objectives. In turn, the client is more likely to continue a relationship with the business.

Mistake #6: Neglecting Regulatory Requirements

Regulatory compliance is a pressing concern for organisations across multiple industries. That’s why field service organisations need to be able to demonstrate that they can meet regulatory requirements. The organisation might choose to adopt a business continuity standard or undergo a third-party accreditation process to achieve a certification such as ISO 9001 for quality management systems or ISO 27001 for information security management systems.

By avoiding these pitfalls, field service organisations will increase their first-time fix rates, improve their ability to prevent issues before they occur and help clients meet their business goals.

About Matt Kingswood

Matt Kingswood is the Head of Managed Services of Midlands and London-based , a nationwide managed IT services provider. ITS is part of the US Reynolds and Reynolds company, which has a strong heritage in data backup and recovery services. In his position, Matt is responsible for developing managed IT services within the UK and is currently focused on the next generation of cloud and recovery products, and . Matt has more than 20 years of experience in the information technology industry, and was formerly CEO of The IT Solution, a full-service IT supplier acquired by ITS. Since joining ITS, he has led efforts to introduce a range of managed services based on the new ITS cloud platform. Previously Matt had a career in technology at several top-tier investment banks before founding and selling several companies in the IT services industry. Matt has an MBA from The Wharton School of the University of Pennsylvania and a Master’s in computer science from Cambridge University.
April 7, 2016

To work on the Incapsula team at Imperva is to be exposed to DDoS attacks all of the time. From watching 100 Gbps assaults making waves on computer screens around the office, to having our inboxes bombarded with reports of mitigated assaults, DDoS is just another part of our daily routine. Yet every once in a while an attack stands out that makes us really take notice. These are the ones we email each other screenshots of, discuss with the media and write about in our blog. Often, these assaults are canaries in a coal mine for emerging attack trends. It’s one of these canaries that I want to talk about here: an attack that challenges the way we think about application layer DDoS protection.

A bit about application layer DDoS attacks

Broadly speaking, layer 7 (application layer) DDoS attacks are attempts to exhaust server resources (e.g., RAM and CPU) by initiating a large number of processing tasks with a slew of HTTP requests. In the context of this post it should be mentioned that, while deadly to servers, application layer attacks are not especially large in volume. Nor do they have to be, as many application owners only over-provision for 100 requests per second (RPS), meaning even small attacks can severely cripple unprotected servers. Moreover, even at extremely high RPS rates—and we have seen attacks —the bandwidth footprint of application layer attacks is usually low, as the packet size for each request tends to be no larger than a few hundred bytes. Consequently, even the largest application layer attacks fall way below 500 Mbps. This is why some security vendors and architects pitch that it is safe to counter them with filtering solutions that don’t necessarily offer additional scalability.

A ginormous HTTP POST flood

The attack that challenged this theory occurred a few weeks ago, when one of our clients—a China-based lottery website—was the target of an HTTP POST flood attack, which peaked at a substantially high rate of 163,000 RPS.

Attack traffic in RPS (requests per second)

As significant as this request count was, the real surprise came when we realized that the assault was also consuming bandwidth at 8.7 gigabits per second (!)—a record for an application layer attack and definitely the largest we had ever seen or even heard about up until that point.

Attack traffic in Gbps (gigabits per second)

Looking to understand how an application layer attack could reach such heights, we inspected the malicious POST requests. What we found was a script that randomly generated large files and attempted to upload (POST) them to the server. By doing so, the perpetrators were able to create a ginormous HTTP flood consisting of requests with extremely large content-lengths. These appeared legitimate up until the TCP connections were established and the requests could be inspected by —our application layer DDoS mitigation solution.

The attack campaign was launched from a botnet infected with a malware variant. From there, it was accessing the website under the guise of a Baidu spider, as seen above. Overall, the attack traffic originated from 2,700 IP addresses. The bulk were located in China, as evidenced by the map below.

Why an 8.7 Gbps DDoS spells trouble for hybrid DDoS protection

When taken out of context, an 8.7 Gbps attack may not seem like cause for concern—especially these days, when security service providers, , regularly share reports of 200, 300 and 400 Gbps assaults. However, these attacks are all network layer; they’re expected to be large. On the other hand, a multi-gigabit application layer assault is an unforeseen threat. As such, it can succeed where a much larger network layer attack would fail. This is because application layer traffic can only be filtered after the TCP connection has been established. Unless you are using an off-premise mitigation solution, this means that malicious requests are going to be allowed through your network pipe, which is a huge issue for multi-gig attacks.

A case in point are hybrid DDoS protection solutions, in which an off-premise service is deployed to counter network tier threats, but customer-premises equipment (CPE) is used to mitigate application tier attacks.

The bottleneck in hybrid DDoS protection topology

While conceptually effective, the Achilles heel of this topology is network pipe size. For example, to successfully mitigate a ~9 Gb layer 7 attack—like the one described—a CPE would require a 10 Gb uplink. Otherwise, the network connection would simply get clogged with DDoS requests, which cannot be identified as such until they establish a connection with the appliance. An insufficient uplink in this situation would result in a denial of service, even if the appliance filters the requests after they go through the pipe.

Granted, some of the larger organizations today do have a 10 Gb burst uplink. Still, perpetrators could easily ratchet up the attack size, either by initiating more requests or by utilizing additional botnet resources. Hence, the next attack could easily reach 12 or 15 Gbps, or more. Very few non-ISP organizations have the size of infrastructure required to mitigate attacks of that size on-premise.

Furthermore, application layer attacks are easy to sustain. Recently we witnessed one that extended for over , while even ten days of burst creates a nightmare in overage fees. From a financial point of view, this is one of the main reasons why DDoS mitigation solutions exist—to offer cost-effective scalability as an alternative to paying for high commits and overages.

The canary in the coal mine

Experience has shown that effective DDoS methods are rarely an exception to the rule. As we speak, the aforementioned attacking botnet remains active and the technique used in the attack is still being employed. Furthermore, it is likely to become more pervasive as additional botnet operators discover its damage potential.
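As an added illustration (not part of the Incapsula post), the following Python works through the sizing argument above from the defender’s side: it derives the per-request size implied by 163,000 RPS at 8.7 Gbps, shows why the same RPS at a few hundred bytes stays far below 500 Mbps, checks an attack rate against an uplink, and aggregates constructed access-log lines per source IP to surface repeated oversized POST bodies and self-declared crawlers that upload. The log format, the 0.9 headroom factor and the body-size threshold are assumptions.

```python
import re
from collections import defaultdict

# Figures quoted in the post: peak request rate and peak bandwidth of the flood.
ATTACK_RPS = 163_000
ATTACK_GBPS = 8.7

# "A few hundred bytes" per request, the typical layer 7 footprint the post describes.
TYPICAL_REQUEST_BYTES = 300


def bandwidth_gbps(rps, avg_request_bytes):
    """Bandwidth footprint of an HTTP flood: request rate times bytes per request."""
    return rps * avg_request_bytes * 8 / 1e9


def implied_request_bytes(rps, gbps):
    """Average bytes per request needed to reach `gbps` at `rps` requests per second."""
    return gbps * 1e9 / 8 / rps


def uplink_saturated(attack_gbps, uplink_gbps, headroom=0.9):
    """True when the flood would consume more than `headroom` of the uplink.

    Layer 7 requests are only classified after the TCP handshake, so an on-premises
    appliance sees them after they have already crossed the pipe; the uplink, not
    the appliance, is the limiting factor. The 0.9 headroom is an assumption.
    """
    return attack_gbps > uplink_gbps * headroom


# Constructed sample access-log lines (not real traffic). Format assumed here:
# combined log format with the request Content-Length appended as a last field.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Mar/2016:10:00:00 +0000] "POST /upload HTTP/1.1" 200 12 "-" "Baiduspider/2.0" 6700
203.0.113.10 - - [20/Mar/2016:10:00:00 +0000] "POST /upload HTTP/1.1" 200 12 "-" "Baiduspider/2.0" 7100
203.0.113.11 - - [20/Mar/2016:10:00:00 +0000] "POST /upload HTTP/1.1" 200 12 "-" "Baiduspider/2.0" 6900
198.51.100.5 - - [20/Mar/2016:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0
198.51.100.5 - - [20/Mar/2016:10:00:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" 210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<resp_bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'(?P<content_length>\d+)$'
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["content_length"] = int(rec["content_length"])
            records.append(rec)
    return records


def flag_post_flood_sources(records, body_threshold=10 * TYPICAL_REQUEST_BYTES, min_requests=2):
    """Map source IP -> total POST body bytes for IPs that sent at least
    `min_requests` POSTs with bodies larger than `body_threshold`.

    Counting bytes per source rather than requests alone is what surfaces a flood
    built from oversized uploads, as described in the post.
    """
    big_posts = defaultdict(list)
    for rec in records:
        if rec["method"] == "POST" and rec["content_length"] > body_threshold:
            big_posts[rec["ip"]].append(rec["content_length"])
    return {ip: sum(sizes) for ip, sizes in big_posts.items() if len(sizes) >= min_requests}


def posting_spiders(records):
    """IPs whose User-Agent claims to be a crawler yet send POST bodies.

    Search crawlers fetch pages; they do not upload files, so a 'spider' POSTing
    is a cue worth checking against the engine's published crawler ranges.
    """
    return {rec["ip"] for rec in records
            if rec["method"] == "POST" and rec["content_length"] > 0
            and "spider" in rec["ua"].lower()}


if __name__ == "__main__":
    print(f"Bytes per request implied by {ATTACK_RPS:,} RPS at {ATTACK_GBPS} Gbps: "
          f"{implied_request_bytes(ATTACK_RPS, ATTACK_GBPS):,.0f}")
    print(f"Same RPS with {TYPICAL_REQUEST_BYTES}-byte requests: "
          f"{bandwidth_gbps(ATTACK_RPS, TYPICAL_REQUEST_BYTES):.2f} Gbps")
    for uplink in (1, 10, 40):
        print(f"{uplink} Gbps uplink saturated by this flood: {uplink_saturated(ATTACK_GBPS, uplink)}")
    recs = parse_log(SAMPLE_LOG)
    print("Repeated oversized POST sources:", flag_post_flood_sources(recs))
    print("Self-declared spiders that POST:", sorted(posting_spiders(recs)))
```

The implied size (about 6.7 KB per request) is what turns a request rate that would normally cost under 0.4 Gbps into an 8.7 Gbps pipe-filler.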
The existence of these threats makes another good case for off-premise mitigation solutions that terminate HTTP/S outside of the network perimeter. They are unrestricted by your network’s pipe size and are able to scale on demand to filter any amount of application layer traffic. This is exactly what happened with the above-mentioned 8.7 Gbps layer 7 assault, when our Website Protection was able to handle the specific HTTP flood attack vector automatically and out of the box.

Having said that, we do realize that some organizations are under a regulatory obligation to terminate HTTPS encryption on-premise, and have no choice but to use mitigation appliances. If this is the case, our best advice is to consider upgrading your uplink so that it can at least counter attacks below 10 Gbps. One way or another, this assault is a reminder to consider scalability when strategizing defense plans against application layer attacks. Further details about the attack can be found on .

About Imperva

Imperva (NYSE: IMPV) is a leading provider of cyber security solutions that protect business-critical data and applications. The company’s SecureSphere, Incapsula and Skyfence product lines enable organizations to discover assets and risks, protect information wherever it lives – in the cloud and on-premises – and comply with regulations. The Imperva Application Defense Center, a research team comprised of some of the world’s leading experts in data and application security, continually enhances Imperva products with up-to-the-minute threat intelligence, and publishes reports that provide insight and guidance on the latest threats and how to mitigate them. Imperva is headquartered in Redwood Shores, California.
April 6, 2016

Security researchers and hackers are caught up in an endless game of cat and mouse, with threats constantly evolving to thwart even the most stalwart of defences. Traditional methods of combatting new threats, reliant on signature-based approaches to detecting malicious files, URLs or IP addresses, are failing to block more sophisticated attacks, resulting in an overwhelming number of attacks slipping under the radar. Even the much-acclaimed sandbox approach has recently come under attack, as hackers find innovative new ways to detect that code is running in a virtual environment and to lie dormant until released from captivity.

It’s not just the tactics that have dramatically changed; so too has the nature of ‘end points’ themselves. Today they are just as likely to reside in the cloud, or to be a mobile or tablet owned by the employee, as a traditional laptop or PC. And as the IoT comes of age, the number and nature of end points in need of protection could spiral out of control.

The stark reality is that traditional security defences that use static signature-based methods to determine whether a file is malicious or benign are simply not up to the job. What’s more, analysing the binary structure of suspected malicious code to identify similarities with different files or families of malware is only marginally more effective, since attackers can quickly adapt and create more variations on the theme that render statistical, mathematical models almost as useless as a normal static signature. A new, more robust, disruptive approach that focuses on the actual core of malware, its behaviour – which cannot change as easily as its hash or other static indicators – is long overdue.

A New Era of Endpoint Protection

Enter the next generation of end point protection (NGEPP) solutions, which – like their cybercriminal adversaries – have dramatically evolved their modus operandi. Their emphasis is on a behaviour-based approach to malware detection which – unlike the signature or sandbox approach – is not content to concentrate solely on mitigation, but focuses instead on offering real-time prevention, detection and mitigation along with forensic analysis across the entire attack lifecycle.

The ability to see what is running on an endpoint, and how every application or process is behaving, is key to combatting the detection problem. What’s more, this analysis needs to happen at the scene of the crime, namely the end point itself. Like any disguise, it’s a lot easier to change your appearance than it is to change the way you act. By tracking the behaviour of a threat in real time from the point of detection through mitigation, remediation and forensic analysis, security teams can start to bring advanced malware and zero-day exploit threats under control.

Recognising the ‘Masters of Disguise’

So how does NGEPP work? A layer of pre-emptive protection initially stops existing known threats in their tracks at the point of entry, replacing the capabilities traditionally provided by antivirus or host-based IPS. The sheer volume of new threats that surface daily, including new forms of malware, zero-day exploits or insider threats using tools like PowerShell to avoid detection, means you need to go much deeper than simply protecting against known threats, to detecting previously unknown threats. New end point technology is capable of detecting these new, stealthy threats not by what they are but by how they act, regardless of what disguises they might use to try to evade detection. Tackling these unknown, targeted attacks requires real-time monitoring and analysis of application and process behaviour, as well as the ability to determine the context of the attack to minimise the possibility of false positives.

This inspection needs to occur even when the user is offline, to avoid the possibility of USB or other infected digital devices becoming the source of an attack. In this way, even attacks which have never been seen before can be detected and stopped at their source. However, to complete the task it’s vital to ensure that the final steps of mitigation and forensic analysis are performed, in order to complete the whole process and prevent the possibility of any recurrence. In order to avoid any negative residual impact, the NGEPP should be capable of responding to an attack in a variety of ways, such as quarantining a file, killing a process, disconnecting an infected machine from the network or shutting it down completely. This needs to be automated to ensure that it occurs before the threat has a chance to ‘phone home’ to a command and control server to deliver its payload, or move laterally.

Rolling Back Time

To ensure the network returns to its former state and doesn’t harbour any unwanted vestiges of the attacker’s visit, such as modified files or an encrypted hard disk from a ransomware attack, the end point software should be capable of rolling back to a pre-attack status. The final part of the puzzle is figuring out what caused the attack, and that’s the forensics part. It’s vital to be able to quickly analyse the scale and scope of the attack, pinpointing who was targeted and with what type of threat. These learnings accelerate the remediation process and help organisations avoid a similar situation occurring further down the road.

With the advent of new regulations like the EU Data Protection Regulation looming on the horizon, it has never been more important to secure and protect sensitive data. Businesses everywhere are waking up to the fact that legacy security approaches are becoming less and less effective against an arsenal of constantly evolving attacks by cybercriminals, nation states and terrorist organizations. As the risks and regulatory fines escalate dramatically, a new generation of security companies is rising to the challenge and proving worthy adversaries to hackers. NGEPP solutions promise to provide the mousetrap that puts an end to the eternal cat and mouse game of one-upmanship that has dogged the security profession for far too long, and to put security professionals back in control of their IT environment once again.

About Tomer Weingarten

Tomer co-founded , a next generation endpoint security company, in 2013. He is responsible for the company’s direction, products and services strategy. Before SentinelOne, Tomer led product development and strategy for the Toluna Group as VP of Products. Prior to that he held several application security and consulting roles at various enterprises, and was CTO at Carambola Media.
April 5, 2016 Never before has Mac OS X been as heavily targeted by cybercriminals as now. Whereas infections like browser hijackers and ad-serving malware aren’t newcomers on the Mac arena, crypto ransomware appears to be making first baby steps toward the invasion of this huge niche. The term denotes a cluster of malicious programs that stealthily infiltrate into computers, encode the victim’s personal files and extort money, usually Bitcoins, in exchange for a secret decryption key. Windows users have been suffering from file-encrypting Trojan assaults for years, with the early incidents recorded back in 2011. As opposed to that, Apple’s strong focus on code verification and elaborate security mechanisms held back the nastiest of attacks. Maintaining the status quo, however, turned out to be a nontrivial challenge. Ironically enough, it is white hat researchers who pioneered in creating Mac ransomware, and perpetrators simply followed suit. A Wake-Up Call In November 2015, aBrazilian security enthusiast Rafael Salema Marques demonstrated that Mac OS X isn’t bulletproof against ransomware plagues. He spread the word about his proof-of-concept where a program he dubbed Mabouia was able to get around the defenses of a Mac machine and wreak havoc with files in a matter of minutes. The PoC infection is written in C++ and applies 32 rounds of XTEA block cipher to encrypt data and thereby render it inaccessible. Just like real-world ransomware, it generates a 128-bit private key, transmits it to a C2 server and recommends a sleek recovery service requiring a fee. Marques also added some ransom pricing flexibility to the mix, playfully offering three different payment models to hypothetical targets. The “Not as Important Plan” implies the decryption of 20 files and a handshake for $50; the “Important Plan” presupposes the recovery of 100 files plus a hug for $70, and the “VIP Plan” guarantees the decoding of all files and a kiss as a bonus for $100. 
All of the above go with "lifetime support", which is particularly funny. Mabouia is executed when a Mac user extracts a ZIP archive, which can be delivered over a phishing email disguised as a missed delivery notification, a payroll message or a similar eye-catching subject. Since the app only targets files stored in the User folder, it can do without elevated privileges to make changes to data. All in all, this PoC should have raised some flags because it was the first viable crypto malware tailored for Mac. The author provided his full code to Apple and Symantec so that security researchers could prepare countermeasures for likely attacks that aren't purely educational. The lesson, however, hasn't been learned, and the bad guys ended up outsmarting the industry.

The Menace Gets Loose
Things started getting out of hand as the first real-world Mac ransomware emerged in early March 2016. Referred to as KeRanger, the strain initially circulated via a poisoned download of Transmission 2.90, a version of the popular open-source BitTorrent client for Mac OS X. The hackers had managed to compromise the official Transmission web page and replace the legitimate application's DMG file with a malicious loader. Consequently, everyone who installed that version ended up catching the ransomware. Unimpeded distribution of the KeRanger app stemmed from the fact that it was signed with a valid Mac developer certificate. Apple's Gatekeeper, therefore, didn't identify or block it in the early stage of the campaign. For some reason, the infection remains dormant for three days after its code is executed on a target Mac. Then it traverses the hard drive in order to spot files matching a predefined range of extensions, looking for personal documents, images, videos, databases and other potentially important data.
KeRanger continues the onslaught by reaching out to its Command & Control server via The Onion Router (Tor) and obtaining a unique encryption key. The victim's files ultimately become encrypted with the 2048-bit RSA algorithm. This crypto is asymmetric, which means that the criminals' server is the only place keeping the private decryption key. The ransomware displays a document named README_FOR_DECRYPT.txt, which instructs the infected Mac user on how to recover the data. In particular, the victim needs to send 1 BTC, or around $400, to redeem what's locked. KeRanger operators only accept Bitcoin, because it guarantees the anonymity of payment transactions and helps them evade tracking by law enforcement. To prove that the deal is real, the scammers can decrypt one file for free. To their credit, Apple revoked the rogue app development certificate shortly after the malicious campaign commenced. KeRanger in its original form is, therefore, unable to bypass Gatekeeper and run on Mac machines at this point. The vendor of the Transmission application promptly adopted measures as well, cleaning the malware from their website and posting a notification about the necessity of an immediate upgrade to the safe version 2.92. And yet, the fact that the incident took place keeps a question mark hanging over the efficiency of ransomware response mechanisms.

Evolution of Mac Ransomware
In fact, there are other breeds of Mac ransomware at large, but those are browser lockers rather than crypto viruses, and the damage isn't nearly as high. The infamous FBI MoneyPak malware affects Safari on infected Macs by displaying a persistent page that impersonates the FBI. The warning message contains false accusations of illegal user activity such as copyright violation and distribution of prohibited adult content. It also says that all files were encrypted, but that's a total bluff. All it takes to resolve the issue is to reset Safari.
As opposed to ridiculously primitive browser lockers, the Mabouia proof-of-concept and KeRanger are the first samples of Mac ransomware code that actually encrypts victims' files. As it turned out, Apple's security barriers aren't much of an insurmountable obstacle for cybercriminals. This obvious progress in attack vectors and techniques gives us a glimpse of what the future holds: ransomware may start targeting Mac OS X and will quite likely become the number one security concern for Mac aficionados in the near future.

About David Balaban
David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.
April 5, 2016 The threat landscape in 2016 is almost completely unrecognisable from that of ten years ago. Today's landscape is populated by actors who are well resourced, highly determined and increasingly sophisticated, not to mention motivated by anything from ideology (hacktivists and cyber terrorists) to geopolitical gain (state-sponsored hackers) or, most popularly, money. While the worms and viruses of old still pop up, most cyber criminals have all but abandoned these vectors in favour of more targeted, covert and successful attacks. Targeted attacks and Advanced Persistent Threats (APTs) first surfaced publicly in around 2010, when the so-called Operation Aurora attacks on Google and others foreshadowed the firm's exit from China. Stuxnet quickly followed and suddenly the floodgates were open. Typically beginning with a "spear phishing" email or social media message using social engineering techniques, malware is then triggered to download onto the system. The malware quietly loads in the background without the user's knowledge, escalating privileges inside the network until it finds the data it's looking for. Attackers spend time researching their targets on the internet to hone their phishing lures, and are increasingly zeroing in on IT administrators, whose privileged accounts will give them unlimited access. They also spend time researching possible vulnerabilities on the system so that the malware can bypass existing defences. The cybercriminal underground that sits beneath all of this on the "Dark Web" of anonymisation networks like Tor and I2P and private forums is an immense, enigmatic beast. Estimates have put its size at between 400 and 500 times the size of the "surface" web. There cybercriminals buy and sell stolen credit cards, identities, exploit kits and other attack tools, which have democratised the ability to launch sophisticated targeted campaigns.
The fact that enterprises are now hugely more exposed to such threats through a flood of new vulnerabilities appearing every month, and through an explosion of new cloud services and applications, makes the bad guys' jobs even easier. That organisations have to secure these increasingly complex environments with minimal budget is just the icing on the cake. Yet the stakes are higher than ever. The average cost of a data breach rose in 2015, up 23% in just two years. The repercussions are immense: loss of brand and shareholder value, damage to customer loyalty, legal costs, financial penalties, and remediation and clean-up costs, to name but a few. Target has said that losses related to its massive breach totalled $148m, a staggering amount but one that just begins to scratch the surface.

A losing battle?
Given the size, scale and sheer organisation of the cybercrime underground – notwithstanding the threat from state-sponsored attackers and hacktivists – it's not surprising that the security industry is continuously on the back foot. Its adversaries are more agile, and have the element of surprise and the cloak of anonymity on their side. Slowly the security industry has adapted, building new solutions which moved away from the old static AV signature-based model: firstly, by developing heuristic detection, which spots malware based on characteristics in its code, and also through behaviour-based techniques. There has also been a shift to cloud-based threat prevention systems which stop or block threats before they hit the network. The new generation of tools pioneered by the likes of FireEye and Trend Micro are designed to stop those all-important zero-day threats often used in targeted attacks – that is, those which exploit as-yet-unseen flaws. Sandboxing executes an unknown threat in a virtual environment in near real time to see whether it's dangerous or not.
Security vendors have also been developing tools which leverage big data analysis of customer data and threats in the wild to identify and correlate new malware. Such is the sheer volume of threats that these companies need vast data centres and computing power even to stay on a par with the cybercriminals.

Security is broken
Yet, after all that investment, security software vendors still admit that the best security stance for a CSO today is to accept that they have already been breached. If a hacker is determined enough, they will get into your organisation. The best the industry can do is to provide systems which try to spot when this has happened as soon as possible, in an effort to minimise the risk of data loss. It is easy to see why organisations are reducing their security budgets when security software is clearly broken. Did you know:
Your PC or mobile device can be compromised just by visiting a malicious web page.
Targeted attacks go undetected for months or even years.
Around are clicked on, irrespective of volume.
Opening a malicious PDF or Word attachment could lead to a covert, multi-year data breach.
The increased 56% in 2015.
Apple products are not immune.
There are hundreds of thousands of new malware strains discovered every day. The pace of malware creation is increasing all the time: the volume of malware found last year accounts for one third of all malware ever written. From this it is easy to see why security is broken. Organisations need to find a new way of stopping these attacks, and if software-based solutions aren't working then it is time for stronger, more resilient hardware-based solutions.

About Cesare Garlati
Chief Security Strategist, prpl Foundation. Cesare is an internationally renowned leader in mobile and cloud security. He is the former Vice President of Mobile Security at Trend Micro and Co-chair of the Mobile Working Group at the Cloud Security Alliance.
The prpl Foundation is an open-source, community-driven, collaborative, non-profit foundation supporting the next generation connected devices industry; it supports and provides guidance for a hardware-led security approach to IoT.
April 4, 2016 In a world of technological dependence, I, like most other professionals, suffer from increasing degrees of paranoia, and fear that my person, presence, and logical footprint may be subject to some form of compromise, interception, or manipulation from any one of many exposures – a Paranoid State which has driven my acquisition and use of multiple security defences with which I reduce my attack surface against State-Sponsored invaders of all colours, be they Chinese driven by Titan Rain type events, American under the banner of Prism, or any other manifesting out of the criminal ventures which could have an impact on my personal and financial wellbeing. So, having established that I am suffering from what I feel is an informed state of healthy paranoia, I have taken a number of steps to secure my operational use of technology by employing a number of easy-to-use solutions which underpin a desired level of a safe technological lifestyle encompassing: Mobility > e-Mail > Telephony > Messaging. To accommodate a level of serenity, I have evolved my usage of, or recommend, the following applications and tools, and start the conversation with a focus on securing mobile telephony, representing opportunities for all to enable a modicum of security in the life of the common man [and woman] when they make that call.

Mobile Telephony: On occasions where there is a need to ensure that the mobile calls I make from my cell phone are subject to an enhancement of security over the basic service, I employ the Blackphone solution out of the Silent Circle stable. This security enhancement comes in two offerings. Number 1 is the hardware-based device, the Blackphone cell phone, fully enabled with their own modified circuitry, chipset, and in-built security functionality. Option 2 is in the form of a localised software installation on your own cell phone, which in my case is an iPhone 6s.
Whilst in both cases the user can make insecure, non-encrypted calls to Granny, the key feature is that, where the conversation is sensitive, the Blackphone user may go secure and invoke the required level of VPN encapsulation to protect conversations. This provides a Black-to-Black, fully fledged end-to-end secure communications channel; or a Black-to-non-Black end device, which would be secured only as far as the Silent Circle server presence, with the onward unsecured channel out of that environment being delivered to the non-compliant, non-Blackphone device – but then here half security is better than none. This service works well, is low cost at around $10 per month, is stable, and represents for me a very good ROI.

e-Mail Security: When it comes to the security of a cross-platform e-Mail system, my focus is on all users who deserve to have the choice of using a mail platform that enables them with a level of defence without the need to get too technical. Here I often recommend Protonmail. Protonmail is a service delivered out of Switzerland, and serves up the functionality to accommodate various levels of security and, of course, encryption. As with Blackphone, Protonmail-to-Protonmail provides a fully secured channel between service-enabled users. However, with a Protonmail-to-non-Protonmail environment, again as with the Blackphone, the second leg of the logical journey is insecure. But here the user may impose a higher level of security by selecting additional levels of encrypted control, which require the recipient to enter a password to decrypt the secured content. This solution goes further and also allows the sender to set time-to-live rules against the communication, and to label the type of communication [e.g. Business, or Private, etc.].
Fig 1 below shows some of the key features of the mail application in action. Fig 1

Secure Messaging: We all utilise text messaging from time to time, and in this space my solution of choice comes in the guise of Wickr, which supports iOS, Windows, Mac, Linux 32 & 64 bit, and of course Android. Again here we have a very capable tool which enhances the security profile of this common activity by encryption, as well as other supporting key security features such as time-to-live and Secure Shredding. It is easy to use, and is also available for use in the corporate space with their Enterprise solution – great features, and highly recommended. [See Fig 2 below.] Fig 2 – Wickr

Mobility and the VPN: Be it personal or business related, we all encounter the dangers of connecting to public access points in hotels, airports, and of course on public transport. On such occasions, as soon as we go promiscuous over Wi-Fi, our communications are potentially open to man-in-the-middle attacks which can sniff out our passwords and other such private/personal details. It is in this space that my personal option of choice is to employ the very robust solution IPVanish to secure my channels before I touch any potentially hostile, open link [and trust me, I know, having been compromised myself at a time of urgent requirements]. IPVanish is an easy-to-use security tool which mitigates what can be a significant and dangerous exposure when embarking on travels. See Fig 3. Fig 3

The above are just a few tools which are available to be used by even the most non-tech-savvy person who wishes to implement a tad of security to protect their logical life. It may not be the ultimate desire of everyone to be Paranoid, but in my case it does help with relaxation at night.
About Professor John Walker
Visiting Professor at the School of Science and Technology at Nottingham Trent University (NTU), Visiting Professor/Lecturer at the University of Slavonia [to 2015], Independent Consultant, Practising Expert Witness, ENISA CEI Listed Expert, Editorial Member of the Cyber Security Research Institute (CRSI), Fellow of the British Computer Society (BCS), Fellow of the Royal Society of the Arts (RSA), Board Advisor to the Digital Trust, Writer for SC Magazine UK, Originator of DarkWeb Threat Intelligence, CSIRT, Attack Remediation and Cyber Training Service/Platform, Accreditation Assessor and Academic Practitioner and Accredited Advisor to the Chartered Society of Forensic Sciences in the area of Digital/Cyber Forensics. John Walker is also our Expert Panel member.
April 4, 2016 Everybody knows that the WordPress CMS is a common choice of blog platform, but what we see is that most of the time it is deployed with no security countermeasures (according to the OWASP Top Ten 2013 – The Ten Most Critical Web Application Security Risks, the category Security Misconfiguration is in fifth position), even when the website has already been compromised before. To avoid some of the threats and increase the security level, we describe below some of the best practices for hardening the WordPress CMS:
Use strong passwords: with letters, numbers and special characters, and longer than 12 characters. It is important to avoid using common information about yourself, like your birthday or something related to it, and also words found in a conventional dictionary, even if it is in another language.
Avoid using out-of-date and/or unknown (with no recommendation) plugins and themes, or ones obtained through piracy (commonly used to spread web malware). Also check the list of known-vulnerable plugins and themes; if you find any of your plugins or themes on that list and there is no patch/update after the date shown, deactivate it as soon as possible. It is also possible to configure automatic updates in the WordPress configuration file.
Keep daily or weekly (or the period of your choice) backup routines, run automatically, that store the files on another (remote) server; use SFTP or SSH for the transfer.
Put your website behind a WAF (web application firewall), which will analyse all HTTP requests (mostly GET and POST) and block the bad ones (those matching a malicious network signature). A well-known open source WAF is Apache ModSecurity.
Put script verification/detection mechanisms on all comment text boxes, newsletter subscription and contact forms to avoid SPAM incidents via the website.
Add a blank index.php inside the directories, because it is common to host the website on a shared server where it isn't possible to customise the web service configuration, and the directory listing option is often enabled. Normally this file is created in the directories "wp-includes", "wp-content", "wp-content/plugins", "wp-content/themes" and "wp-content/uploads".
Put a digital certificate on all the pages of your website (HTTPS; prefer TLS rather than SSL v3.0 (CVE-2014-3566)), both publicly accessible and restricted.
Avoid using more than one website within an account (commonly in Plesk or cPanel systems), because if only one is compromised the invasion will spread to the others and the security incident will have a huge impact on your whole business.

About Icaro Torres
Icaro Torres is a network computing technologist with a postgraduate degree in information security, who works at HostDime Brazil in technical support and audit/security of the systems hosted in the company's datacenters. He contributes to OWASP with translation projects and in the chapter in his city. He continuously studies web application security, pentesting and malware analysis.
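The password rule, the directory-listing guard files and the automatic-update setting above can be applied and checked with a small script. The following is an added example written for this page, not code from the article, from OWASP or from WordPress itself; it assumes the install root is passed in as a path, uses the real WP_AUTO_UPDATE_CORE constant in wp-config.php, and stands in a constructed five-word list for a full dictionary:

```python
"""Added example (not from the article): apply three of the WordPress
hardening practices listed above to a throwaway install and report what
was done, so the result can be inspected offline.
"""
import re
import string
import tempfile
from pathlib import Path

# Directories the article recommends guarding against directory listing.
GUARDED_DIRS = [
    "wp-includes",
    "wp-content",
    "wp-content/plugins",
    "wp-content/themes",
    "wp-content/uploads",
]

# Constructed mini word list standing in for a real multi-language dictionary.
COMMON_WORDS = ("password", "wordpress", "admin", "welcome", "contrasena")

# Real wp-config.php constant that enables automatic core updates.
AUTO_UPDATE_LINE = "define('WP_AUTO_UPDATE_CORE', true);"


def check_password_policy(password, birthday=None, dictionary=COMMON_WORDS):
    """Return the list of violated rules (an empty list means acceptable).

    Rules follow the article: letters, numbers and special characters,
    longer than 12 characters, no birthday fragments, no dictionary words.
    """
    problems = []
    if len(password) <= 12:
        problems.append("must be longer than 12 characters")
    if not any(c.isalpha() for c in password):
        problems.append("must contain letters")
    if not any(c.isdigit() for c in password):
        problems.append("must contain numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("must contain special characters")
    lowered = password.lower()
    for word in dictionary:
        if word in lowered:
            problems.append("contains dictionary word: " + word)
    if birthday:
        # Reject the full digit string, the year and the day/month rendering.
        digits = re.sub(r"\D", "", birthday)
        for fragment in {digits, digits[:4], digits[-4:]}:
            if len(fragment) >= 4 and fragment in password:
                problems.append("contains birthday fragment")
                break
    return problems


def add_directory_index_guards(wp_root):
    """Create an empty index.php in each guarded directory that lacks one.

    Returns the files created, relative to wp_root, in GUARDED_DIRS order.
    """
    created = []
    for rel in GUARDED_DIRS:
        directory = Path(wp_root) / rel
        directory.mkdir(parents=True, exist_ok=True)
        guard = directory / "index.php"
        if not guard.exists():
            # A PHP file with no output replaces the listing with a blank page.
            guard.write_text("<?php\n// Silence is golden.\n")
            created.append(rel + "/index.php")
    return created


def ensure_auto_update(wp_config_path):
    """Insert WP_AUTO_UPDATE_CORE before the 'stop editing' marker.

    Returns True if the file was changed, False if the constant was present.
    """
    path = Path(wp_config_path)
    text = path.read_text()
    if re.search(r"define\(\s*['\"]WP_AUTO_UPDATE_CORE['\"]", text):
        return False
    marker = "/* That's all, stop editing!"
    if marker in text:
        text = text.replace(marker, AUTO_UPDATE_LINE + "\n" + marker, 1)
    else:
        text += "\n" + AUTO_UPDATE_LINE + "\n"
    path.write_text(text)
    return True


def demo():
    """Run the helpers on a constructed throwaway install and return a summary."""
    root = tempfile.mkdtemp(prefix="wp-hardening-")
    config = Path(root) / "wp-config.php"
    # Constructed minimal wp-config.php carrying the standard marker comment.
    config.write_text("<?php\ndefine('DB_NAME', 'example');\n"
                      "/* That's all, stop editing! Happy blogging. */\n")
    return {
        "created": add_directory_index_guards(root),
        "config_changed": ensure_auto_update(config),
        "config_changed_again": ensure_auto_update(config),
        "weak": check_password_policy("Summer2016", birthday="1990-05-14"),
        "strong": check_password_policy("Tq7!vL#2pX9$wK", birthday="1990-05-14"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a shared host the same helpers can be pointed at the real document root; the guard files only matter where directory listing cannot be switched off in the web server configuration, which is exactly the case the article describes.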
April 1, 2016 The rapid development of drone technology and growing awareness of their potential threat has led to a burgeoning drone detection market. Technology providers offer reliable detection mechanisms, but now organizations face a new challenge: how do you respond to an alert? Each drone countermeasure has its own pros and cons, and choosing the right one is no easy matter. Just as there are multiple drone detection mechanisms, there are also multiple drone countermeasures. When creating a drone response plan, organizations have to take into account the legalities associated with the airspace around them, as well as the feasibility and pros and cons of each countermeasure. No single response is ideal for every threat, or even for every organization within a single industry. Counter-drone measures can be divided into three categories:

1. Regulation, Manufacturing Standards (Registration, License Plates, Pilot License, etc.)
This approach involves using a drone's registration and license plates to report the pilot. A drone detection system should feature a camera that records every intruding drone. The recording is saved with all the other data, including date and time. The recording and data can be recalled at any time, such as for investigative purposes. This countermeasure offers a number of advantages. It allows the organization to identify the owner and, because the incident is addressed through the authorities, there is more transparency and less liability for the reporting organization. It also means fewer pilot failures because the drone isn't directly attacked. Of course, this approach is only feasible if the drone is registered and has license plates. This is unlikely to be the case in high-risk scenarios involving terrorists or criminals.

No-Fly Zones/Geo-Fencing
A geo-fence is a virtual barrier that prevents drones from flying in defined areas.
A software program defines the boundaries of a no-fly zone via global positioning system (GPS) or radio frequency identification (RFID). The primary advantage of geo-fencing is that it can reduce the risk of unintended threats by preventing drones from entering the no-fly zone. However, not all drones use this technology, it can be circumvented, and there are several other issues that make it hard to use reliably today.

2. Passive measures
Passive measures involve reducing the threat posed by the presence of a drone without actually disrupting the drone. If the drone is detected in time you can: send security personnel to intercept the drone, lead people to safety, block the drone's view, lock cell doors and gates in the case of a correctional facility, and search the site for dropped objects. This approach offers several advantages. Depending on the application, it can be highly effective. It doesn't require approval from authorities and can be combined with the countermeasures previously mentioned. It reduces the risk of someone getting hurt as a result of a crash. However, therein lies this countermeasure's number one disadvantage: the drone is not stopped. A dangerous payload may still be delivered and, in the meantime, productivity takes a hit as you attempt to mitigate the risk to your people and other assets.

3. Active measures
Active measures physically stop the detected drone. This is their number one advantage. In most cases when drones are stopped they present a crash risk, which can cause physical harm and even fatalities, especially in heavily populated areas. Another drawback is that in most countries these can only be used by law enforcement in the case of an imminent threat. Active countermeasures include:

Jammer, Spoofer
Jamming or spoofing a drone's radio connection or GPS is currently the most practicable and effective active countermeasure; it will cause the drone to either return to its start position, sheer away, land or crash.
Unfortunately, there's no way to tell which until you do it. This drone countermeasure can also affect other radio and GPS connections in the vicinity and is difficult to execute against drones in autopilot mode. It's also subject to approval by your local authorities. However, jamming or spoofing does offer an additional advantage beyond taking down the drone: it leaves open the possibility of eventually tracking down the pilot.

Firearms, electromagnetic pulse (EMP), laser
You can also choose to take down intruding drones using firearms, EMP or laser. In this case, the drone is destroyed and crashes. Firearms are only effective at low range, so they have minimal use cases, and are subject to approval by your local authorities – as are EMPs and lasers. These are military technologies and therefore not economically viable.

Counter-Drone
Taking down an intruding drone with a counter-drone reduces the risk of a crash. However, it requires having a competent pilot at the ready, 24/7, to respond to intruders. In addition, the counter-drone must be extremely powerful. Both of these factors make this countermeasure cost prohibitive for most organizations.

Net cannon
The final active countermeasure offers the benefit of stopping intruding drones with minimal crash risk. It involves shooting a net over the drone from the ground with a net cannon. Unfortunately, this approach also has the greatest disadvantages in that it is only effective at low range and has a low success rate.

As you can see, choosing the most effective drone countermeasure is no easy task. However, just as the most effective drone detection systems combine detection methods to ensure accuracy under varying conditions and to reduce false positives, they should also offer you flexibility in deploying a variety of drone countermeasures. Organizations should also look for a provider who will serve as a consultative partner in identifying the appropriate countermeasure for their use cases.
About Jörg Lamprecht
CEO, Co-Founder, Dedrone. In 1996, while still studying maths and computer sciences at the University of Kassel, Jörg Lamprecht set up his first company, Only Solutions GmbH, with Rene Seeber and another fellow student. The software company really lived up to its name: one of the products it developed was the first search engine for pictures on the internet, which was used – among other things – to trace missing children. Only Solutions was later renamed Cobion and now belongs to IBM. In 2006, Jörg founded Qitera. In 2011, he discovered the emerging market for drones and responded by founding Aibotix, a company that produces unmanned aircraft for professional use by surveyors and engineers. Aibotix was sold to the Hexagon group from Sweden in February 2014. At Dedrone, Jörg uses his expertise as founder and manager to lead the areas of business development, sales and marketing. His special focus is on setting up international partner and distribution networks.
March 30, 2016 Notes from the Battlefield: Cybercriminals vs. Business Travelers and How to Keep Your Data Safe
It used to be that a business trip was just a business trip, complete with pay-per-view TV in bed, tiny bottles of shampoo and room service for anyone feeling extravagant. Yet in today's era of global business travel, mobile devices, and ever-more-sensitive digital data, a seemingly innocuous stay in a hotel could result in disastrous security breaches for business travelers and the companies they represent. What are the security concerns currently affecting executive travelers, and how did they creep undetected into the hospitality industry to muck up a relatively good thing? More importantly, what can executives and security professionals do to fight back?

Tinker, Tailor, Soldier, Spy
The DarkHotel campaign was identified following a spate of cyber attacks that targeted executive-level guests at luxury hotels in Asia. First recorded in 2007, the attacks came to light more fully a few years later when researchers got reports about a cluster of customer infections. Here's how it works: attackers infiltrate hotel WiFi networks and fool users into downloading malicious software that looks like a bona fide software update. Once the user downloads the virus, an advanced key-logging tool is installed that enables the hackers to track passwords. They relentlessly spearphish specific targets in order to compromise systems and use a P2P campaign to infect as many victims as possible. To evade detection, the hackers delete their tools from the hotel network after the operation is finished. The original DarkHotel attacks were striking due to their sophistication and the suggestion of a state-sponsored campaign. High-profile executives from businesses, government agencies and NGOs were among the targets, with victims located in Japan, Taiwan, China, Russia and South Korea.
Researchers believe that the initial DarkHotel campaign was likely the work of a nation-state, with signs that it may have originated in South Korea.

Not Just for the 1% Anymore: DarkHotel For the Rest of Us
The cloak-and-dagger nature of the original DarkHotel campaign and its possible tie-in to government spying make it all too easy for more run-of-the-mill companies and executives to continue along their merry way, harboring the illusion that DarkHotel won't affect them. Sadly, that's simply not the case. Cyber attacks on luxury hotels have expanded greatly since they were first discovered, potentially numbering in the thousands, among hundreds of hotels worldwide. Starwood Hotels became a recent casualty of cybercrime late last year, when unauthorized parties were able to access payment card data of customers. Corporate executives with valuable personal assets make enticing targets for hotel hackers. However, cyber criminals often set their sights on a bigger target: the victim's corporate assets. It's easy to see how enterprise data is at risk given that hackers can gain access to everything on a victim's mobile devices. They can also install malware targeting files, photos, built-in cameras and microphones, enabling a level of cybercrime unthinkable in the past. And don't forget that a hotel's reservation database and keycard system can provide useful access to customer information. Not surprisingly, a new wave of cyber criminals has turned hotel hacking into a veritable free-for-all, often lying in wait to cherry-pick their targets. There are businesses hacking competitors, governments hacking businesses, and governments hacking each other. And let's not forget regular old cyber thieves who are simply out to make a buck. As malevolent as it may seem, DarkHotel is a part of a digital ecosystem and the outgrowth of new ways of computing. What trends in today's technology landscape have allowed them to take root?
The Evolving Digital Landscape: DarkHotel 2.0
Two key technology trends have emerged that account for much of the DarkHotel phenomenon and explain why business travelers and their enterprise endpoints are exposed to significant security risks. First, executive travelers are connecting to data and services using their own mobile devices. This widespread practice has increased hacking possibilities exponentially, with enterprise data especially at risk as executives work and check in with their corporate offices from the road. Not only do users often have several devices – smartphones, tablets, laptops, and wearables – but these are weakly protected and regularly in use. They also handle large volumes of increasingly sensitive data. This is alarming since hackers can extract unencrypted or weakly encrypted data from devices, and even modify a device to obstruct security measures. The second trend in mobile computing presents a much bigger problem and involves executives using cellular or public WiFi networks rather than corporate networks. By taking data outside of corporate firewalls/IPS/NAS or DOS network protection, users are incurring risks not only to their own devices, but to others connected to the same business network. Whether hotels own and operate their network infrastructure or use a managed services firm, most carry little to no security and don't encrypt their public networks. Sometimes hotels also have routers susceptible to easy hacking. Hackers take advantage of the fact that every wireless device is designed to trust the network to which it connects. The threat is real: an estimated 10,000,000 laptops have been exposed to commjacking. Accordingly, "man-in-the-middle" attacks, where hackers lure users to connect to fake public or cellular WiFi networks, have become the preferred strategy for so-called "commjackers" that target hotels and other public spaces such as coffee shops and airports.
Whereas hijacking a public WiFi or cellular network was once time consuming, complex, exorbitant, big and bulky, the tools of the hacking trade have gotten simpler, cheaper, smaller and more powerful. Using inexpensive open source tools and widely available network equipment, even novice hackers can now easily commit man-in-the-middle attacks. Videos available on YouTube, attracting millions of views, describe the steps needed to accomplish this, with the tools needed to commjack networks now being sold online for nominal cost. With the means so simple and the rewards so rich, it’s no surprise that DarkHotel has taken off. Where does this leave business executives who have sensitive data to protect?

Fighting Back: Security Strategies to Help Executive Travelers Stay in the Game

There are various common sense strategies that executive travelers can adopt to safeguard their mobile devices. All devices should be equipped with anti-malware and anti-virus solutions and include password protection, encryption, data backup and remote data wipe capabilities. Other smart protective measures include using a VPN or IPSec and paying attention to SSL certificates when conducting sensitive online activity. Multi-factor authentication with one-time use tokens is a good safeguard, and users should always delete saved public networks. It’s also important that travelers double-check update alerts that pop up on their computer during hotel stays. Enterprise IT departments can also play a role in ensuring digital security. Executives should outline their travel plans to their IT personnel, who may have access to intelligence on cyber threats. Security professionals can also check devices upon the executive’s return for signs of hacking, and implement training to help executives minimize security risks while traveling. Still, the above strategies can only do so much absent safe WiFi and cellular connectivity.
Fortunately, enterprises can also take steps to secure the network used by executives who are on the road. To accomplish this, companies need comprehensive network protection equivalent to corporate firewalls/IPS/NAS. Enterprise IT departments can purchase and deploy such solutions that operate in conjunction with existing anti-malware solutions. Telcos and MSSPs are increasingly doing the same to provide network-level security on top of their core business services, software installation and maintenance. Using monitoring solutions available on the market, users can install a software agent on their mobile devices to detect malicious networks in real time and prevent devices from connecting to compromised hotspots. Such security packages can deliver real-time threat maps and enable companies to plan their response protocols. Enterprise security solutions are also available to protect against remote-based commjacking, where hackers remotely take control over routers and cellular base stations to access voice and data traffic.

Help for Those Who Help Themselves

Many of the original DarkHotel techniques remain in use today, with the addition of some new strategies. Like bedbugs, hackers are evolving alongside the strategies designed to thwart them. Fortunately, while the risks posed to business travelers by DarkHotel are alarming, it is possible to secure data and prevent potentially astronomical losses to corporate data, assets and IP. What can’t be mitigated are the risks posed by inaction, where business travelers and their companies simply hope for the best and cross their fingers that hackers won’t hit them. In today’s mobile-first world, executive travelers who haven’t been hit already probably will be soon.

About Dror Liwer

Chief Security Officer, Dror is the co-founder and Chief Security Officer of Coronet. He has extensive management, business development and technological experience building and leading technology-centric, client-facing organizations.
As a senior technology executive, he has a proven track record of building organizations, motivating teams, and working with senior non-technology executives, applying his unique blend of strategic direction-setting and tactical execution capabilities.
March 30, 2016 The kerfuffle over the naming of vulnerabilities like Badlock and ShellShock misses the mark on why this is a good thing for the industry. Given the sheer volume and scale of the application security problem companies face today, anything that draws attention to the seriousness of the state we’re in is a good thing. I’d argue that the moniker ‘Heartbleed’ created so much buzz that it forced companies to evaluate their own exposure because Boards and senior management had heard of it and were asking. Would the same be true if it were simply known as CVE-2014-0160? Of course, we don’t want to take this so far that the power of the naming gets oversaturated, like your favorite song on heavy radio rotation. It is almost impossible to comprehend why application security isn’t getting more attention. In 2014 alone, there were eight major breaches through the application layer, resulting in more than 450 million personal or financial records stolen. And we aren’t talking about small breaches at companies no one has heard of. Target, JPMorgan Chase, Community Health and TalkTalk are four examples of companies that have suffered breaches due to vulnerabilities in software. With such high-profile breaches, you would think more people would be paying attention. And if naming serious vulnerabilities in a memorable way helps achieve this, then that’s a benefit for the whole industry. Chris Wysopal, CTO, Veracode is a leader in securing web, mobile and third-party applications for the world’s largest global enterprises.
By enabling organizations to rapidly identify and remediate application-layer threats before cyberattackers can exploit them, Veracode helps enterprises speed their innovations to market – without compromising security. Veracode’s powerful cloud-based platform, deep security expertise and systematic, policy-based approach provide enterprises with a simpler and more scalable way to reduce application-layer risk across their global software infrastructures. Veracode serves hundreds of customers across a wide range of industries, including nearly one-third of the Fortune 100, three of the top four U.S. commercial banks and more than 20 of Forbes’ 100 Most Valuable Brands.
March 30, 2016 Major web browsers are to consider blocking the cryptographic hash function Secure Hash Algorithm (SHA)-1 from as early as June this year as it becomes increasingly vulnerable to forgery attacks. In light of this, Oscar Arean, technical operations manager of disaster recovery provider , advises businesses to act now in order to protect customer data. The SHA algorithm was developed by the US National Institute of Standards and Technology (NIST) for use in digital signatures. In effect, it acts as a ‘fingerprint’ making it easy to tell if a document has been modified. Until recently, many believed the complex algorithm would be immune from hackers due to the significant costs of attacking SHA-1. However, with the advent of increasingly affordable cloud computing, this figure has dropped drastically, as Arean explains: “Around three years ago, researchers estimated that a practical attack against SHA-1 would cost around $700,000 using commercial cloud computing services. But recently researchers estimated that this could cost between renting the Amazon EC2 cloud platform – well within the reach of the cyber criminal’s budget. Because of the increased danger of malicious tampering with SHA-1 encrypted documents, Google, Microsoft and Mozilla have decided to stop trusting SHA-1 through their respective web browsers, with actions potentially being taken to block access by as early as this summer (June 2016). “This will obviously have a big impact on those businesses still using SHA-1. Some websites’ password verification, proof-of-work and message integrity processes are still based on the SHA-1 algorithm, meaning that sensitive customer information is at significant risk from dangerous cyber-attacks. Moreover, with the major web browsers snubbing SHA-1 certificates, potential visitors would be blocked or refused access if trying to visit a SHA-1 encrypted site.
The results are thus either a breakdown of trust from a website’s users, or a complete lack of traffic due to incompatibility with modern browsers. Clearly, both are severely damaging to any website’s business and so website managers need to act quickly to ensure their encryption methods are up to date, secure and trusted by both consumers and web browsers.” Thankfully, Arean explains, upgrading SHA-1 to SHA-256 can alleviate these security and compatibility concerns. The process can be straightforward as well, and rests upon working with a strong certificate provider and educating a user base about these changes: “Organisations looking to upgrade their website’s encryption services need only to contact their certificate provider and purchase the SHA-256 certification. That’s really it – the provider can make the necessary encryption changes and sign off, as an independent third party, that your site’s hashing algorithm is legitimate. “When educating your users about this change, the situation can become more complicated. Old browsers or operating systems, such as Windows XP SP2, do not support SHA-2. As such, websites need to be clear that after the upgrade, users will need to use new browsers, such as Firefox, which are still compatible with their hardware while supporting the secure SHA-256.” Arean concluded: “Websites that are yet to upgrade to the SHA-256 model need to act quickly – a failure to move away from SHA-1 could mean the end for sites using the now insecure hashing algorithm. It’s imperative businesses action this now by making the necessary upgrades.” About Databarracks provides ultra-secure, award winning Disaster Recovery, Backup and Infrastructure services from UK-based, ex-military data centres. Databarracks is certified by the Cloud Industry Forum, ISO 27001 certified for Information Security and has been named as a “Niche Player” in Gartner’s 2015 Magic Quadrant for DRaaS.
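The practical first step behind Arean's advice is an inventory: which of your certificates are still signed with SHA-1? The following is an added example, not code from the article or from Databarracks. It walks just enough DER/ASN.1 to read the outer signatureAlgorithm of an X.509 certificate and classifies it, so the check can run offline over a directory of exported certificates. The two sample "certificates" it builds are constructed stand-ins that reproduce the real outer X.509 layout (tbsCertificate, signatureAlgorithm, signatureValue) with placeholder inner fields; they are not CA-issued certificates, and the parser deliberately handles only that outer layout.

```python
"""Classify the signature hash of an X.509 certificate from its DER bytes.

Added example, not from the article. The minimal DER walker below reads only
the outer Certificate SEQUENCE; the sample certificates are constructed
stand-ins, not real certificates.
"""
from __future__ import annotations

# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758 (dotted form).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Turn the base-128 OID content octets into dotted notation."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der: bytes) -> str:
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)        # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)    # AlgorithmIdentifier SEQUENCE
    tag2, oid, _ = _read_tlv(alg_id, 0)      # its first element is the OID
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("unexpected AlgorithmIdentifier layout")
    return _decode_oid(oid)


def classify(cert_der: bytes) -> str:
    """'sha1' (must be replaced), 'ok' (SHA-2 family), or 'unknown' OID."""
    name = SIGNATURE_OIDS.get(signature_algorithm(cert_der))
    if name is None:
        return "unknown"
    return "sha1" if "sha1" in name.lower() else "ok"


# --- constructed sample input (DER encoder for the stand-in certificates) ---

def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_sample_cert(sig_oid: str) -> bytes:
    """Constructed stand-in with the real outer X.509 shape (not a real cert)."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                       # placeholder tbs
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\xAB" * 128)                   # long-form length
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        cert = make_sample_cert(oid)
        print(signature_algorithm(cert), SIGNATURE_OIDS[oid], classify(cert))
```

For a real certificate, feed `classify()` the DER bytes (for a PEM file, `ssl.PEM_cert_to_DER_cert()` from the standard library converts it). Run it over the whole served chain, not just the leaf: a SHA-256 leaf issued by a SHA-1 intermediate is still flagged by browsers, while self-signed roots are trusted by identity and their own signature hash does not matter.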
March 29, 2016 USB Thief, a new threat to data, is capable of stealthy attacks against air-gapped systems and is also well protected against detection and reverse-engineering. researchers have discovered a new data-stealing Trojan malware, detected by ESET as Win32/PSW.Stealer.NAI and dubbed USB Thief. This malware exclusively uses USB devices for propagation, without leaving any evidence on the compromised computer. Its creators have also employed special mechanisms to protect the malware from being reproduced or copied, which makes it even harder to detect and analyze. “It seems that this malware was created for targeted attacks on systems isolated from the internet,” comments Tomáš Gardoň, ESET Malware Analyst. The fact that USB Thief is run from a USB removable device means that it leaves no traces, and thus, victims don’t even notice that their data were stolen. Another feature – and one that makes USB Thief unusual – is that it is bound to a single USB device, which prevents it from leaking from the target systems. On top of all that, USB Thief has a sophisticated implementation of multi-staged encryption that is also bound to features of the USB device hosting it. That makes USB Thief very difficult to detect and analyze. USB Thief can be stored as a plugin source of portable applications or as just a library – DLL – used by the portable application. Therefore, whenever such an application is executed, the malware will also be run in the background. “This is not a very common way to trick users, but very dangerous. People should understand the risks associated with USB storage devices obtained from sources that may not be trustworthy,” warns Tomáš Gardoň. Additional details about the USB Thief Trojan can be found with Tomáš Gardoň or in a on ESET’s official IT security blog, WeLiveSecurity.com. About ESET Since 1987, has been developing security software that now helps over 100 million users to Enjoy Safer Technology.
Its broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering 180 countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires.
March 29, 2016 Over the last decade we’ve seen a significant increase in mobile technology and it is now becoming the heart of customer experience, forcing retailers to figure out how the digital and physical relationships can work together. Retailers must now decide whether to equip their personnel with mobile devices, introduce more self-service kiosks or expand mobile technology even further, all in the aid of delivering a personalised approach and improving the in-store experience for shoppers. So how has mobility become so important, and where will it need to go to meet the expectations of consumers?

Rise in mobility

It is expected that by the end of 2016 more consumers will be browsing on mobile devices than on traditional computers for the very first time. This trend has greatly increased since smartphones first appeared ten years ago and has encouraged consumers to expect the same level of engagement from their retailers. Some retailers have taken this on board, resulting in a rise of instore mobility, but most haven’t, leaving customers wanting more; a recent study[1] found 93 per cent of consumers would like to see more stores using instore mobile technology, highlighting its lack of uptake so far.

Impact on customer experience

So far the rise of mobility has seen a significant impact on customer experience. 73 per cent of consumers feel retailers which offer instore mobile technology provide superior customer service, with a further 64 per cent more likely to shop at a retailer which provided instore mobile technology. This highlights how increasing mobility in store is having a positive impact on customer experience, which will soon result in increased satisfaction for shoppers, eventually driving sales.

What the future holds

As highlighted, one element of the future which is guaranteed is that shoppers expect to see more retailers using instore mobile technology.
However, retailers must understand the type of technology to implement and consider what requirements shoppers of the future will have. 65 per cent of consumers are keen to see instore mobile technology that can order online if a product is not available. This is an interesting reverse of what most consider the normal omnichannel approach of ordering online and collecting instore. 63 per cent of consumers have also stated they prefer mobile point of sale (PoS) compared to a traditional cashier checkout, with a further 72 per cent preferring mobile PoS as it offers faster checkout times or no queues. When considering these shopper expectations it is clear to see mobility has made a strong impact on customer experience and will be at its heart going forward. Retailers must now take these facts on board and plan a future mobility strategy to meet the expectations of the next generation of customer. About Nassar Hussain, Managing Director for Europe and South Africa at SOTI is the world's most trusted provider of Enterprise Mobility Management (EMM) solutions, with more than 15,000 enterprise customers and millions of devices managed worldwide. SOTI's innovative portfolio of solutions and services provide the tools organizations need to truly mobilize their operations and optimize their mobility investments.
escalating, while . Nation-state actors are likely to be the culprits. CrowdStrike’s also predicts that in 2016, specific nation-state actors will likely target agriculture, healthcare and alternative energy sectors “not just for intellectual property, but also for know-how such as building native supply chains and administrative expertise.” The ramifications of the security incidents on critical infrastructure don’t just include disruption of critical operations and critical business applications. An ESG survey found that 32 percent of organizations also of confidential information. The fallout for an organization may lead to increased regulatory scrutiny and government penalties because of laws such as . Many of the attacks happen because of the lack of analytical security systems. In a SANS Institute survey of critical infrastructure organizations, less than a third felt they had excellent or very good visibility into their networks’ threats, while 40 percent rated their visibility as OK, poor or very poor. Traditional, signature-based security solutions no longer hold up to today’s sophisticated threats, especially as more data moves to the cloud. That means organizations need to get serious about advanced analytical systems that can correlate various processes and policies — and help provide the kind of detection and response that antimalware and other single-layer technologies simply can’t handle. The increased targeting of critical infrastructure should be a wake-up call. It’s only a matter of time before a disastrous attack wreaks havoc. Organizations need to up the ante on their cybersecurity and shift the focus to detecting all security breaches and bringing situational awareness to incidents — especially those that may pose incredible harm. About Sekhar Sarukkai Sekhar Sarukkai is a co-founder and the chief scientist at , driving the future of innovation and technology.
He has more than 20 years of experience in enterprise networking, security and cloud services development.
March 23, 2016 Denial of service attacks are so common now that “DoS attack” hardly needs explanation, even to the lay person. The phrase “DoS attack” instantly conjures images of banking sites that refuse to load, and gaming consoles unable to connect. The other instant reaction is to think of the attackers such as , the , or the . However, not all denial-of-service is the product of a coordinated attack. Many forms of DoS are organic by-products of completely normal traffic. So-called “normal traffic” includes everything from legitimate customers, business partners, search-index bots, data-mining scraper-bots, and other more malicious automated traffic. As we know, anywhere from 40 to 70 percent of any given web site’s traffic is automated traffic. Combined with often unpredictable surges in legitimate user traffic, maintaining the availability of any Internet-based service is daunting. This brings up a topic of frequent debate. Who should be responsible for managing availability—the security team or the infrastructure and application development teams? The security triad of “confidentiality, integrity, and availability” (CIA) dictates that security practitioners work to ensure availability. The scope of this duty extends beyond availability issues caused by malicious attacks. Attackers regularly perform reconnaissance to identify vulnerabilities in availability. These vulnerabilities range from capacity of ISP links and firewall performance, to DNS server availability and application performance. Sizing ISP links and firewall throughput are well-understood and easily quantified aspects of availability planning. The latter areas of DNS capacity and application performance are oft-overlooked areas of application security. Application security practices are maturing to address remediating OWASP Top 10 vulnerabilities such as injections, scripting, or poor authentication and authorization handling.
However, many application security scans do not include identifying processor-intensive and bandwidth-intensive URLs, as these aspects of application performance monitoring (APM) might be seen as the sole responsibility of the application development and/or server administration teams. After all, it’s their job to ensure the code is optimized and the server capacity is available, or is it? Unfortunately, while server infrastructures are more elastic thanks to virtualization and applications are often built to take advantage of that compute power, without proper monitoring and regular scanning, weaknesses in application capacity can quickly lead to serious outages. A single underperforming URL or other web application widget can affect the load of an entire server or farm of servers. Further, application dependencies can cause more serious race conditions, leading to widespread impact. Proactively scanning the web applications to identify underperforming URLs not exposed in software QA or user acceptance testing enables the security team to add additional protections to heavy or processor-intensive URLs. These protections range from additional log and alert thresholds to more aggressive bot detection and dynamic traffic throttling. Without such preventative measures, a marketing campaign, Cyber Monday, or an eventful news day can cause denial of service conditions unrelated to any malicious attack patterns. Many, if not most, traditional security measures are derived from understanding the normal state of traffic and then identifying anomalous patterns. This methodology is implemented in everything from IP address blacklisting and whitelisting, attack signature checking, SYN flood detection, and source/destination ACLs. However, these methods fall short when the cause of DoS is rooted in well-formatted requests for legitimate services.
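The profiling the two paragraphs above call for (find the URLs that cost the most server time, see how much of that load is automated, and pick the ones that deserve extra alerting or throttling) can be done from the access log before any product is bought. The following is an added example, not code from the article or from F5. It assumes an Nginx/Apache combined log with an extra trailing field giving the response time in milliseconds (a common custom log format, but an assumption here); the log lines it reads are constructed for the demonstration, and the thresholds are illustrative.

```python
"""Profile access-log lines for processor-intensive URLs (L7 DoS exposure).

Added example, not from the article. Assumes combined log format plus a
trailing response-time-in-ms field; the sample lines are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<ms>\d+)$'
)
# Coarse automated-client signature; tune to your own traffic.
BOT_RE = re.compile(r"bot|crawl|spider|python-requests|curl|wget", re.I)

# Constructed sample log (RFC 5737 documentation addresses, invented paths).
LOG_LINES = """\
203.0.113.5 - - [17/Mar/2016:10:00:01 +0000] "GET /search?q=shoes&sort=price HTTP/1.1" 200 51234 "-" "Mozilla/5.0 (Windows NT 6.1)" 2150
203.0.113.5 - - [17/Mar/2016:10:00:02 +0000] "GET /static/app.css HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (Windows NT 6.1)" 4
198.51.100.7 - - [17/Mar/2016:10:00:02 +0000] "GET /search?q=boots HTTP/1.1" 200 49800 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)" 1980
198.51.100.9 - - [17/Mar/2016:10:00:03 +0000] "GET /search?q=* HTTP/1.1" 200 120000 "-" "python-requests/2.9.1" 4400
198.51.100.9 - - [17/Mar/2016:10:00:03 +0000] "GET /search?q=a HTTP/1.1" 200 118000 "-" "python-requests/2.9.1" 4100
203.0.113.8 - - [17/Mar/2016:10:00:04 +0000] "GET /product/1234 HTTP/1.1" 200 23400 "-" "Mozilla/5.0 (iPhone)" 120
203.0.113.8 - - [17/Mar/2016:10:00:05 +0000] "GET /static/app.js HTTP/1.1" 200 30100 "-" "Mozilla/5.0 (iPhone)" 6
203.0.113.9 - - [17/Mar/2016:10:00:05 +0000] "GET /product/5678 HTTP/1.1" 200 22900 "-" "Mozilla/5.0 (Macintosh)" 95
203.0.113.9 - - [17/Mar/2016:10:00:06 +0000] "POST /cart/add HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh)" 60
""".splitlines()


def normalize_path(target: str) -> str:
    """Drop the query string and collapse numeric IDs so /product/1234 and
    /product/5678 are profiled as one route."""
    path = target.split("?", 1)[0]
    parts = [("{id}" if p.isdigit() else p) for p in path.split("/")]
    return "/".join(parts)


def profile(lines: list[str], slow_ms: int = 1000, share_threshold: float = 0.5) -> list[dict]:
    """Aggregate server time per route and flag routes that dominate the load.

    A route is 'heavy' when its mean response time exceeds slow_ms or when it
    accounts for more than share_threshold of all server time in the sample.
    """
    routes: dict[str, dict] = defaultdict(lambda: {"requests": 0, "total_ms": 0,
                                                   "max_ms": 0, "bot_requests": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # skip lines that do not fit the format instead of failing
            continue
        r = routes[normalize_path(m["target"])]
        ms = int(m["ms"])
        r["requests"] += 1
        r["total_ms"] += ms
        r["max_ms"] = max(r["max_ms"], ms)
        if BOT_RE.search(m["ua"]):
            r["bot_requests"] += 1

    grand_total = sum(r["total_ms"] for r in routes.values()) or 1
    report = []
    for path, r in routes.items():
        avg = r["total_ms"] / r["requests"]
        share = r["total_ms"] / grand_total
        report.append({**r, "path": path, "avg_ms": avg, "share": share,
                       "heavy": avg >= slow_ms or share >= share_threshold})
    return sorted(report, key=lambda e: e["total_ms"], reverse=True)


def throttle_candidates(report: list[dict]) -> list[str]:
    """Routes to put behind stricter alert thresholds, bot checks or rate limits."""
    return [e["path"] for e in report if e["heavy"]]


if __name__ == "__main__":
    for e in profile(LOG_LINES):
        flag = "HEAVY" if e["heavy"] else "     "
        print(f'{flag} {e["path"]:<20} n={e["requests"]} avg={e["avg_ms"]:.0f}ms '
              f'share={e["share"]:.0%} bots={e["bot_requests"]}')
```

On the constructed sample, one route consumes almost all server time and three of its four requests come from automated clients, which is exactly the combination of "expensive URL" and "bot share" the article says a scan should surface before a campaign or a scraper turns it into an outage. In production, run this over a rolling window and alert on a route whose share jumps, rather than on absolute numbers.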
Since the majority of traffic on Internet-facing web sites is automated, filtering out malicious or illegitimate automated traffic offers protection to resource-intensive features of the web application. Profiling web applications for resource-intensive components – similar to the approach of attackers – also provides additional insight. Gaining insights into fragile application components enables more effective monitoring, including of server response times, which can then be used as metrics for a more dynamic response to potential L7 DoS conditions. Security and availability are intrinsically linked. Leveraging components of the infrastructure such as application delivery controllers (ADCs), application performance monitoring (APM) solutions, and other availability tools is vital to a comprehensive security practice, even if these solutions don’t have security, threat, or firewall in the product name. About Brian A. McHenry As a Senior Security Solutions Architect at , Brian McHenry focuses on web application and network security. McHenry acts as a liaison between customers, the F5 sales team, and the F5 product teams, providing a hands-on, real-world perspective.
March 17, 2016 I clearly remember the first time I saw a computer. Someone was playing a video game called Demo Rush 3 at a church. I remember staring at him, not understanding what he was doing. I couldn’t help but wonder how the game actually worked. This fleeting, early moment ignited a passion in me that was to inspire one of my life’s defining journeys. To relate this story, allow me to go back to the beginning. My father died when I was a young boy, and it was decided early on that my siblings and I would move to a village so that we could live with my auntie and further our education. There were 12 of us living in a two-bedroom house with no running water. But I had other things on my mind. I was determined to stay in school and get an education. Each day, I woke up very early to walk the three kilometers separating my auntie’s house from school. I remember sharp stones poking into my bare feet because I didn’t have any shoes to wear. Despite this fact, or maybe because of it, I have fond memories of that period of time in my life. We all loved each other very much. In this supportive environment, I learned the values of hard work, of helping others, and of being resourceful. I wouldn’t have traded any of it for the world. Fast forward a few years. One of my first memories with computers is when I learned to type on a keyboard. I was 15 years old, and I knew that I didn’t have enough money to access a computer at an internet cafe or training center, let alone to buy an actual keyboard. A solution came to me when I spotted a box with a picture of a keyboard on it. I cut out the computer keyboard picture and carried it around with me so that I could teach myself how to type. As my high school teacher taught the class to type on real keyboards, I practiced moving my fingers to learn all the letters and symbols across my makeshift cardboard keyboard. It was in high school that my curiosity for computers really took off. In 2005, a high school friend named Micheale
their heads together to address some of their common problems, I was surprised by how many executives were hedging their company’s data loss bets with cyberinsurance policies.

A changing landscape

While certainly helpful, cyberinsurance isn’t the panacea CISOs might be hoping for. Data breaches have reached near-daily frequency, and the costs continue to climb. As such, cyberinsurance premiums are going up – sometimes by more than 30% – as are the policy conditions and exclusions. Insurers are also raising deductibles and setting limits on coverage. This has impacted more severely, due in large part to the number of recent costly breaches in those business sectors. Other factors also affect the cost of cyberinsurance, such as the mandated requirements for breach disclosure and notifications, which vary by industry. This can significantly run up the costs of a data breach well into the tens or hundreds of millions of dollars, driving some insurers to cap coverage at $100 million for risky customers. Thus, insurance payouts may only cover a portion of the costs, which typically include: breach notifications to affected customers; voluntary or mandatory credit monitoring services; PR and communications services; forensic investigations; lawsuits; IT remediation; fines and other penalties; brand and reputation damage; loss of business; and loss in market capitalization.

The long-term repercussions

Beyond the cost of the data lost, there are other factors to consider, such as damage to brand reputation and loss of customer trust, which can last for years and are much harder to quantify. And the general public isn’t going to care that the business saved money when their personal data was compromised. They’re going to want to know how it happened, when it happened, and what the company is going to do to prevent it from happening again. If customers don’t feel secure doing business, they’ll go elsewhere.
Having cyberinsurance won’t change that, nor will it save a CISO’s job should a data breach occur. This is not to say that cyber liability insurance doesn’t have a place in the corporate quiver; it does. However, a legal hedge against a data breach is not the best way to go as it’s a reactive, not proactive, strategy. Cyberinsurance should only be viewed as one component in a more comprehensive cybersecurity strategy to protect the organization against a breach. Companies still need to build a proper defense to prevent a data breach from happening in the first place – or at least minimize its effects. This is best accomplished by following cybersecurity best practices, such as identifying the critical data assets, restricting or limiting access to them, applying a layered defense approach, monitoring the data assets for unapproved access or activity, and responding promptly to any suspicious activity. No insurance policy in the world is that multi-talented. About Daren Glenister Daren Glenister is the Field CTO for (NYSE: IL), a leading global SaaS provider of content management and collaboration solutions. In his role, he acts as a customer advocate, working with enterprise organizations to evangelize data collaboration solutions and translate customer business challenges into product requirements, helping to steer Intralinks’ product roadmap and the evolving secure collaboration market. Glenister brings over 20 years of industry experience and leadership in security, compliance, secure collaboration and enterprise software, having worked with many of the Fortune 1000 companies helping to turn business challenges into real world solutions. In the past, he has led technical and consulting businesses for CA Technologies, Symantec (Bindview), BMC Software, Intellinet and Sterling Software. Follow him on Twitter: @DarenGlenister.
March 14, 2016 Advertisements and marketing are inseparable concepts. It’s embedded e-commerce content that allows various online services to exist without charging their customers a penny. There are unspoken guidelines that the interested parties follow along the way, such as avoiding the redundancy of ads and only promoting commodities that are safe. Ideally, these campaigns aren’t overly intrusive, and both the service providers and the end users are satisfied. This remarkable equilibrium, however, is amazingly easy to disrupt. Malicious programs categorized as adware drastically diminish one’s online experience by injecting obnoxious ads into all websites that the person visits. Note the fundamental difference between regular advertisements and the ones spawned by adware. The former are authorized and generated on the server side, while the latter are isolated strictly to a particular computer. Since the evil counterparts aren’t bound by regulations of any sort, they tend to get superfluous and may even cram up the greater part of an arbitrary web page. Virus-borne items include ads above the fold, coupons, banners, price comparison charts, bogus software updates, inline text and full-page interstitials. Such diversity enables the cyber criminals to get the biggest bang from their ad click fraud campaigns, but the infected users suffer the consequences big time. Although adware removal may be a challenge to perform, below are the techniques worth adopting to get rid of nasty ads on sites. Windows uninstall functionality should be the starting point. This feature is built into the operating system and allows removal of any installed program in a couple of clicks. All it takes is to go to Control Panel from the Windows Start menu, select Uninstall a Program, examine the software list, pick the malicious entry and hit Uninstall.
Some malware, though, obfuscates its presence on a PC and may not be listed, in which case it’s recommended to proceed to the next step. Manual removal from web browsers is very efficient when it comes to adware troubleshooting. Since it’s the web browsing facet that gets hit by these infections in the first place, spotting and trashing the offending browser add-on is one of the prerequisites of a successful cleanup. Nevertheless, adware can add a scheduled task to reanimate the extension after such action on the user’s end. A full reset of the affected browser’s configuration is more efficient; moreover, it remediates the unwanted changes. In Google Chrome, this option is under Advanced Settings; in Mozilla Firefox, you need to go to Help – Troubleshooting Information; and in Internet Explorer, it’s under the Advanced tab of the Internet Options interface. Please be advised that all personalized browsing data will be obliterated as a result of this procedure. Registry troubleshooting may be necessary because adware usually creates new registry entries to persevere on the PC. This way, its executable is automatically
Intelligence Three main reasons why change control and system integrity monitoring are vital to maintaining Cyber Security: Firstly, once our Vulnerability Mitigation and secure configuration work has been implemented, we now need that to remain in effect for ever more. So we need a means of assessing when changes are made to systems, and to understand what they are and if they weaken security. Secondly, any change or update could impact functional operation, so it is vital we have visibility of any changes made. And finally, if we can get visibility of changes as they happen – and especially if we have a means of reconciling these with details of known expected planned changes – then we have a highly sensitive breach detection mechanism to spot suspicious action when it happens. All leading Cyber Security policies/standards call for change control and system integrity monitoring for all these reasons – it is key.

Promote and enforce an IT Security Policy

Encryption (BitLocker)

Cyber Security isn’t just the responsibility of the IT team and their security kit, but must be an organization-wide competence. Children grow up being taught about food hygiene; it isn’t just the remit of professional chefs. Unfortunately, it takes generations for this kind of knowledge to become universally assimilated, so until Cyber Security hygiene itself becomes a basic life skill for all, it will be down to the workplace to educate. To this end, in case you don’t already have flyers/posters for Cyber Security education there are plenty of resources available; again, the SANS Institute provide a bunch of these that are free to use and very good. Separate but related is the subject of data encryption – it slows everything down and gets in the way on a daily basis BUT it can prove a lifesaver if there is a breach that results in data theft. Loss of a company laptop is a pain, but the loss of confidential data could result in anything from acute embarrassment to fines and lawsuits.
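The three reasons given above for system integrity monitoring come down to one mechanism: take a baseline of the files that matter, compare later snapshots against it, and reconcile every difference with the change records you already hold, so that only unexplained changes reach an analyst. The following is an added example, not code from the article or from NNT's Change Tracker product. It builds a throwaway directory tree with constructed files, records a SHA-256 baseline, applies one approved and two unapproved changes, and reports only the unreconciled ones; the approved-change list is a plain set of paths here, standing in for whatever change-ticket system an organisation actually uses.

```python
"""Baseline, diff and reconcile file integrity against approved changes.

Added example, not from the article. The directory tree and the
approved-change list are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between two snapshots as added/removed/modified."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def reconcile(changes: dict[str, list[str]], approved: set[str]) -> list[tuple[str, str]]:
    """Return (kind, path) for every change not covered by an approved change record.

    This is the 'breach detection' view the article describes: a change that
    matches a planned-change ticket is noise; one that does not is an alert.
    """
    return sorted((kind, path) for kind, paths in changes.items()
                  for path in paths if path not in approved)


def _write(root: Path, rel: str, data: bytes) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def demo() -> list[tuple[str, str]]:
    """Constructed scenario: one approved config change, two unapproved changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write(root, "bin/service.exe", b"MZ\x90\x00constructed-binary-v1")
        _write(root, "etc/app.conf", b"log_level=info\n")
        _write(root, "etc/hosts.allow", b"ALL: 10.0.0.0/8\n")
        baseline = snapshot(root)

        # Planned change (has a ticket): config tuned by an administrator.
        _write(root, "etc/app.conf", b"log_level=debug\n")
        # Unplanned changes: a binary replaced and a new executable dropped.
        _write(root, "bin/service.exe", b"MZ\x90\x00constructed-binary-TAMPERED")
        _write(root, "bin/helper.exe", b"MZ\x90\x00constructed-dropped-file")

        approved_changes = {"etc/app.conf"}  # stand-in for a change-ticket lookup
        return reconcile(compare(baseline, snapshot(root)), approved_changes)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"UNEXPECTED {kind:<9} {path}")
```

Two points the example makes deliberately: the baseline must be stored somewhere the monitored host cannot rewrite it (an attacker who can alter the binary can alter a local baseline file just as easily), and reconciliation is what keeps the alert volume usable, because patch cycles and legitimate deployments change far more files than intruders do.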
Again, plenty of commercial options exist, and there is also a free-of-charge option from Microsoft in BitLocker. You can use it to encrypt all drives, or just data on local and removable drives. In an enterprise environment this is controlled via Group Policy and, as such, can also be audited automatically in the same way that vulnerabilities can be assessed. Used correctly, this same audit report can not only provide the recommended settings to use when first implementing BitLocker, but will also highlight any drift from your preferred corporate build standard, along with all the other security settings needed to protect systems.

Finally – Don’t be too thrown off course by the latest ‘must-haves’

The final piece of advice really is to focus on getting the fundamentals right and not chase the latest, niche or point products. If the maxim that ‘there is no such thing as 100% security’ is accepted, then how are you going to achieve Cyber Security? The only answer is that it will need to be managed as a layered, 360-degree discipline, comprising technology and processes to first instigate and then maintain security. Vulnerability Management, System Hardening, Change Control and Breach Detection are some of the absolutely essential components needed – the good news is that this can all be automated, with just the ‘need to know’ exceptions reported for investigation.

Final words: Get your technology right for the general, everyday security before investing too much time and money into the latest ‘hot’ product.

About

New Net Technologies is a global provider of data security and compliance solutions. Clients include NBC Universal, HP, RyanAir, Arvato and the US Army. NNT Change Tracker Gen 7™ provides continuous protection against known and emerging Cyber Security threats in an easy-to-use solution. Unlike traditional scanning solutions, Change Tracker Gen 7™ uses automated File Integrity Monitoring agents to provide continuous real-time detection of vulnerabilities.
And if the unthinkable happens, immediate notification is provided when malware is introduced to a system or when any other breach activity is detected. Operating at a forensic level within the IT infrastructure, Change Tracker™ works across all popular platforms.
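The change control and integrity monitoring argument made earlier in this piece reduces to three operations: record a known-good baseline, detect what has changed since, and reconcile each change against the record of planned changes so that only the unexplained ones reach an analyst. The Python below is an added example written for this page; it is not NNT’s Change Tracker or any NNT code. It assumes files are compared by SHA-256 of their content only (no ownership, permission or ACL tracking), models the change ticket as a plain set of approved relative paths, and builds a throwaway directory with constructed files to stand in for the monitored host.

```python
"""File-integrity baseline, change detection and reconciliation with planned changes.

Added example, not NNT Change Tracker code. Assumptions: files are compared by
SHA-256 of content only (no ownership/permission/ACL tracking), and the change
ticket is modelled as a plain set of approved relative paths.
"""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Snapshot every file under root as {relative path: sha256}: the 'known good' state."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snapshot[rel] = hash_file(full)
    return snapshot


def diff_snapshots(baseline, current):
    """Classify every difference between the baseline and a fresh snapshot."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def reconcile(changes, approved):
    """Split observed changes into planned (covered by a change ticket) and unplanned.

    Planned changes can be closed automatically; unplanned ones are the
    'need to know' exceptions that an analyst should investigate.
    """
    observed = {p for paths in changes.values() for p in paths}
    return {
        "planned": sorted(observed & approved),
        "unplanned": sorted(observed - approved),
    }


def demo():
    """Constructed scenario: one approved config hardening, then three unexplained changes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        initial = {
            "etc/sshd_config": b"PermitRootLogin no\n",
            "bin/login": b"\x7fELF legitimate login binary\n",
            "etc/motd": b"Authorised users only\n",
        }
        for rel, data in initial.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        # The change ticket for this window covers only the sshd_config edit.
        approved = {"etc/sshd_config"}

        # What actually happened on the host after the change window.
        with open(os.path.join(root, "etc/sshd_config"), "ab") as f:
            f.write(b"PasswordAuthentication no\n")          # planned
        with open(os.path.join(root, "bin/login"), "wb") as f:
            f.write(b"\x7fELF replaced login binary\n")       # not planned
        with open(os.path.join(root, "bin/.cache"), "wb") as f:
            f.write(b"unexpected new file\n")                  # not planned
        os.remove(os.path.join(root, "etc/motd"))             # not planned

        changes = diff_snapshots(baseline, build_baseline(root))
        return changes, reconcile(changes, approved)


if __name__ == "__main__":
    changes, verdict = demo()
    print("changes:", changes)
    print("planned:", verdict["planned"])
    print("UNPLANNED (investigate):", verdict["unplanned"])
```

The same baseline-and-drift logic is what an audit of BitLocker or any other Group Policy setting against a corporate build standard does: the baseline is the approved build, the snapshot is the live configuration, and anything outside the approved change record is drift.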
March 10, 2016

Following the publication of the second draft of the Investigatory Powers Bill, has pulled together a summary of the changes that have been made. These relate to recommendations made by the three committees that scrutinised the bill.

Privacy

Committee recommendations: The Intelligence & Security Committee called for an entire section of the Bill dedicated to addressing privacy safeguards, clearly setting out the universal privacy protections which apply across all the investigatory powers.

Key changes: Part 1 now contains a short overview of the safeguards throughout the Bill. This doesn’t go as far as the ISC’s recommendation that protections should form the backbone of the deal. The Home Office has instead simply added the word “privacy” to the subheading and provided a summary of privacy protections rather than an overarching statement recognising the supremacy of privacy.

Encryption

Committee recommendations: Reports called for further clarity and reassurance on the face of the Bill or within the Codes of Practice that end-to-end encrypted services and products would not be affected by Section 189 notices in the Bill.

Key changes: The language on encryption has been amended: section 189, proposing that obligations be placed on CSPs – “relating to the removal of electronic protection applied by a relevant operator to any communications or data” – has been changed. Obligations now apply “to the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data”.

Definitions

Committee recommendations: Highlighted the concerns within industry as to the overly broad and confusing definitions of terms such as “data”, “internet connection records” (ICRs) and “related communications data”.

Key changes: The definition of the term “data” has been changed in line with the Joint Committee’s recommendation.
The new definition makes clear that the term “data” in the revised Bill includes “data which is not electronic data and any information (whether or not electronic)”.

Extraterritoriality

Committee recommendations: The bill must complement rather than conflict with the aim of creating an international legal framework for the lawful acquisition of data by government agencies. The Bill should be viewed as an international piece of legislation, with global implications.

Key changes: Little has changed: although there are greater and more consistent safeguards on proportionality and conflicts of law for overseas providers, extraterritorial provisions that undermine long-term objectives still remain.

Internet Connection Records

Committee recommendations: Reports expressed concerns about the definitions and technical feasibility of retaining ICRs. The draft Bill contained inconsistent definitions of ICRs that created uncertainty within industry as to their technical feasibility.

Key changes: The Bill now has a single definition of ICRs that remains consistent throughout the course of the Bill, with references to internet connection records appearing in both the and retention sections of the Bill.

About

techUK represents the companies and technologies that are defining today the world that we will live in tomorrow. More than 850 companies are members of techUK. Collectively they employ approximately 700,000 people, about half of all tech sector jobs in the UK. These companies range from leading FTSE 100 companies to new innovative start-ups. The majority of our members are small and medium sized businesses.
March 10, 2016

A flaw in the Oracle database listener, if not mitigated, could allow an attacker to take complete control of an Oracle database through an attack known as the TNS Poison Attack. This vulnerability is remotely exploitable without authentication credentials. This classic man-in-the-middle (MITM) vulnerability has been published as security alert CVE-2012-1675 and received a CVSS base score of 7.5. It impacts the confidentiality, integrity and availability of the database. Joxean Koret discovered this vulnerability in 2008 and publicly disclosed it in 2012.

The TNS Poison Attack exploits the Oracle listener’s database service registration functionality. Oracle database users connect to database services through the Oracle TNS Listener, which acts as a traffic cop. A malicious attacker residing on the same network as the database registers a malicious service with the database listener, using the same service name as the legitimate database service. No credentials are required to register a database service with the listener. An attacker can use Oracle database software or other easily available tools to register a malicious database service. Once the malicious service is registered under the same name as the legitimate one, the Oracle listener has two services to choose from – a legitimate service and a malicious service. With two database services available, the Oracle listener switches to load-balancing traffic cop mode, directing users alternately to the legitimate service and the malicious service. At least 50% of the user sessions are directed to the malicious service. Database user sessions, which are now communicating through the malicious service, can be hijacked by the attacker. An attacker is in the middle. All communication from the users to the database is now passing through the malicious attacker. The attack post is established. The attacker has full purview of what users are communicating with the database.
At a minimum, the attacker can view and steal the data. Additional SQL commands may be injected to broaden the scope or carry out additional attacks. If a database user communicating with the database happens to be a privileged user with the DBA role, then the attacker has complete control of the database. Database compromised. Mission accomplished.

The TNS Poison Attack is mitigated through the Valid Node Checking Registration (VNCR) setting, which permits service registration only from known nodes or IPs. Specific mitigation steps depend on the version of the database that you are running, as shown below.

Oracle Database Releases 12.1 or above: If you are running Oracle database 12.1 or above, then you don’t need to read this article further unless you are just curious. The default Oracle listener configuration in Oracle 12c protects you against this vulnerability. Although you don’t need to set the VALID_NODE_CHECKING_REGISTRATION_<listener_name> parameter to LOCAL in listener.ora, I would suggest that you explicitly do so just to make sure, as shown below:

    LISTENER_DB =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS=(PROTOCOL=TCP)(HOST=192.168.100.100)(PORT=1521))
        )
      )
    VALID_NODE_CHECKING_REGISTRATION_LISTENER_DB=LOCAL

This parameter ensures that only databases on the same server as the listener are permitted to register services with the listener. No remote registration of services is permitted. If a malicious attacker attempts to register a service with the listener from a remote server, you will see the following error message in the listener log:

    Listener(VNCR option 1) rejected Registration request from destination 192.168.200.131
    12-NOV-2015 17:35:42 * service_register_NSGR * 1182

Oracle’s clustering solution, Oracle RAC, requires remote registration of services.
In order to protect Oracle RAC from the TNS Poison Attack, you also need to set REGISTRATION_INVITED_NODES_<listener_name> to specify the IP addresses of the nodes from which remote registration is required.

Oracle Database Release 11.2.0.4: If you are running Oracle database 11g R2 11.2.0.4, then you must mitigate this risk through listener configuration. As illustrated above, you need to set VALID_NODE_CHECKING_REGISTRATION_<listener_name> to LOCAL. The alternate values ON or 1 accomplish the same objective. The default value for this parameter is OFF, leaving the door open to an attack. As mentioned above, if you are running RAC, then you also need to set REGISTRATION_INVITED_NODES_<listener_name> to allow instance registration from trusted/valid nodes.

Oracle Database Release 11.2.0.3 or older releases: Before I describe the mitigation for older releases, let me mention that you should not be running Oracle database 11.2.0.3 or older. Oracle has already de-supported older releases. No security patches are available for older database releases. You should upgrade as soon as possible. Oracle, however, does provide a workaround for older releases through Class of
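Two defender-side checks follow directly from the mitigation described above: confirm that every listener defined in listener.ora has VALID_NODE_CHECKING_REGISTRATION set to LOCAL, ON or 1 (and, for RAC listeners, that REGISTRATION_INVITED_NODES is present), and watch listener.log for the VNCR rejection message quoted earlier, since repeated rejections from one address are an attempted registration, not noise. The Python below is an added example; it is not Oracle tooling and not the article author’s code. The listener.ora text, listener names, addresses and the log excerpt are constructed for the demo, and the audit treats an unset parameter as OFF, which matches the pre-12c default the article describes and is merely conservative on 12c, where the default already blocks remote registration.

```python
"""Audit listener.ora for VNCR and scan listener.log for rejected registrations.

Added example, not Oracle tooling and not the article author's code. The
listener.ora text, addresses and log excerpt below are constructed for the demo.
"""
import re
from collections import Counter

# Constructed listener.ora with three listeners in different states.
LISTENER_ORA = """\
LISTENER_DB =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.100.100)(PORT = 1521))
    )
  )
VALID_NODE_CHECKING_REGISTRATION_LISTENER_DB = LOCAL

LISTENER_RAC =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.100.110)(PORT = 1521))
    )
  )
VALID_NODE_CHECKING_REGISTRATION_LISTENER_RAC = ON
REGISTRATION_INVITED_NODES_LISTENER_RAC = (192.168.100.111, 192.168.100.112)

LISTENER_LEGACY =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.100.120)(PORT = 1521))
    )
  )
VALID_NODE_CHECKING_REGISTRATION_LISTENER_LEGACY = OFF
"""

# Constructed listener.log excerpt, shaped like the rejection message the article quotes.
LISTENER_LOG = """\
Listener(VNCR option 1) rejected Registration request from destination 192.168.200.131
12-NOV-2015 17:35:42 * service_register_NSGR * 1182
12-NOV-2015 17:36:01 * (CONNECT_DATA=(SERVICE_NAME=orcl)) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.100.50)(PORT=51234)) * establish * orcl * 0
Listener(VNCR option 1) rejected Registration request from destination 192.168.200.131
12-NOV-2015 17:36:19 * service_register_NSGR * 1182
Listener(VNCR option 1) rejected Registration request from destination 192.168.200.77
12-NOV-2015 17:40:05 * service_register_NSGR * 1182
"""

SAFE_VNCR_VALUES = {"LOCAL", "ON", "1"}   # values the article says block remote registration

# A listener definition is a bare 'NAME =' line; a parameter is 'NAME = value' on one line.
LISTENER_DEF_RE = re.compile(r"^[ \t]*([A-Za-z0-9_]+)[ \t]*=[ \t]*$", re.M)
PARAM_RE = re.compile(r"^[ \t]*([A-Za-z0-9_]+)[ \t]*=[ \t]*(\S.*?)[ \t]*$", re.M)
REJECT_RE = re.compile(
    r"rejected Registration request from destination (\S+)\s+"
    r"(\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2})"
)


def parse_listener_ora(text):
    """Return (listener names, {PARAM: value}) from listener.ora text."""
    listeners = [name.upper() for name in LISTENER_DEF_RE.findall(text)]
    params = {k.upper(): v for k, v in PARAM_RE.findall(text)}
    return listeners, params


def audit_listeners(text, rac_listeners=()):
    """One verdict per listener. An unset VNCR parameter is treated as OFF, the
    pre-12c default; on 12c this is conservative, since the article notes the
    default there already blocks remote registration."""
    listeners, params = parse_listener_ora(text)
    rac = {name.upper() for name in rac_listeners}
    findings = {}
    for name in listeners:
        vncr = params.get(f"VALID_NODE_CHECKING_REGISTRATION_{name}", "OFF").upper()
        if vncr not in SAFE_VNCR_VALUES:
            findings[name] = "vulnerable: remote service registration accepted (VNCR off or unset)"
        elif name in rac and f"REGISTRATION_INVITED_NODES_{name}" not in params:
            findings[name] = "incomplete: VNCR on but RAC nodes not listed in REGISTRATION_INVITED_NODES"
        else:
            findings[name] = "ok"
    return findings


def vncr_rejections(log_text):
    """All (source, timestamp) pairs for rejected registrations, plus a per-source count.
    Repeated rejections from one address are worth an incident ticket, not just a log line."""
    events = REJECT_RE.findall(log_text)
    return events, Counter(src for src, _ in events)


if __name__ == "__main__":
    for name, verdict in audit_listeners(LISTENER_ORA, rac_listeners=("LISTENER_RAC",)).items():
        print(f"{name}: {verdict}")
    events, per_source = vncr_rejections(LISTENER_LOG)
    for src, count in per_source.items():
        print(f"{src}: {count} rejected registration attempt(s)")
```

The parser is deliberately narrow: it recognises only a bare NAME = line as a listener definition and a single-line NAME = value as a parameter, which is enough for the listener.ora layout shown in the article and keeps the audit free of a full TNS-syntax parser.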
In fact, 57 percent of companies surveyed have received inquiries from customers, clients and/or insurance providers about the organisation’s state of cybersecurity. Protiviti’s survey found that there are two critical success factors when establishing and maintaining an effective cybersecurity plan: a high level of engagement by the board of directors in information security risks; and including the evaluation of cybersecurity risk in the current audit plan. Companies with at least one of these success factors in place have a stronger risk posture to combat cyber threats. For example, 92 percent of organisations with a high level of board engagement in information security risks have a cybersecurity risk strategy in place, compared to 77 percent of other organisations. Similarly, 83 percent of companies that include cybersecurity risk in the annual audit plan have a cybersecurity risk policy, versus 53 percent that do not include cybersecurity risk in their audit plans.

Ten Years of Internal Audit

Over the past ten years, internal audit professionals have assessed their competency in more than thirty areas of audit process knowledge and general technical knowledge in Protiviti’s survey. Areas that continue to surface as top priorities year-over-year include: ISO 27000, data analysis technologies, various areas of auditing IT, technology-enabled auditing and fraud risk management. As for 2016, technology issues dominated the priority list for internal auditors.
The top 10 priorities for internal audit are:

1. ISO 2700 (information security)
2. Mobile applications
3. NIST Cybersecurity Framework
4. GTAG 16 – Data Analysis Technologies
5. Internet of Things
6. Agile Risk and Compliance
7. ISO 14000 (environmental management)
8. Data Analysis Tools – Statistical Analysis
9. Country-Specific ERM Framework
10. Big Data/Business Intelligence

“With most of the top priorities identified relating to IT risks, it’s clear that auditing IT remains important to internal audit functions and to the state of an organisation’s overall risk profile,” added Peters. “Companies are trying to ensure business-as-usual systems are secure and effective as well as working to drive change through the introduction of new technologies, greater digitisation and mobilisation of internal and customer-facing systems. These factors, coupled with the increasing are driving internal audit to increase its IT audit capabilities each year and raising technology issues up the priority list for internal audit. It is essential for internal audit functions to act now in order to keep pace with this change.”

About

Protiviti is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.
March 7, 2016

It was way back in 2011 when I spoke of the key security challenges on the CISO’s radar in the basic forms of:

Malware
The Insider Threat
Spam

complemented of course by other generic security challenges which appear on a daily basis. Way back in 2011 I did acknowledge that whilst these were nevertheless important in the overall scheme of the Security Mission, I wondered if they did consume far too much interactive intervention and security bandwidth in responding to the manifestation of active compromise and security breaches – with much focus on the reactive, rather than the proactive. At that time I also questioned the value of what were [are] at times the association of those innate Security Dashboards and Balanced Score-Cards which represent the anticipated snap-shot of real-time and real-life exposure mitigation and ‘management’ to be presented to the executive [tick-box security], and I wondered if something was being missed at the lower level of the security challenge. However, now four and a bit years on, with the benefit of hindsight, I am realising that the manifestations of the unknown unknowns of insecurity seem to have been allowed to evolve, and to gain ground in the adverse landscape of Cyber Crime, and all things offensive mission strands for. In my experience since the 2011 observations, I can again fully attest with proof that whilst the aforementioned areas of security management are a common find, they have sadly been updated by manifestations of newly-grown insecurities, and the landscape of adversity is now still outstripping the balanced approach of acceptance of compliance/governance which is being driven out of tower-like security missions which still seem to be missing the point – which have not evolved the required level of Poacher/Gamekeeper imaginative mind-set – allowing real-time threats to expose the business, clients, and assets alike.
In the wake of the known threats which have been encountered to date, some of the unknown unknowns have now been promoted to known unknown status. These are being complemented by the advent of extreme levels of successful attacks in the form of high-consumption attacks, multiples of successful Ransomware incursions, Cyber Attacks, and Hacking against high-gain, prominent targets who spend what may be considered a fortune on their failing defences – and yet they are still exposed! The problem may well be created out of the low level of imaginative direction which comes from those who are the incumbents of the organisation’s security strategy – playing by the rules of engagement behind the shield of Governance/Compliance, and the good old ISO/IEC 27001 as the bible to fight off all Cyber Ills – a little like David being given a pencil and clipboard to go fight Goliath!

It is time to start to apply enhanced levels of imaginative hostile and offensive thinking, where imagination represents the most valuable armament in the armoury of the security professional, and hopefully the CISO. Levels of imagination which will manifest in offensive thinking which seeks to understand the unknown unknown areas of subliminal and invisible threats. Such as the exposure presented by the much-tolerated OSINT capabilities, metadata leakage, and other such hidden forms which so often allow the would-be attacker to gain a valuable insight into the belly of the organisation. For example, take the high-profile bank who are so exfiltration enabled, they knowingly publish, and make available, high-value objects of intelligence on a daily basis, making the job of any hacker, or other such cyber-miscreant, a much easier task to effect. However, sadly this high-profile organisation is not alone in this space, with many others following on their cyber-tails, with their logical-ass hanging out of the open window.
And on the subject of poor security, let us not forget that even in this day of BWYW [Bring Whatever You Want] to work, there are still many organisations who simply do not understand, and still support, the introduction of the known threat of that little thumb drive. But then when you look to some organisations in the Oil and Gas Industry who have been aware such introduced devices are carrying Hacking Tools, and the occasional form of low-grade [acceptable] Malware which are actually ignored, one may well start to feel the onslaught of professional frustrations creep in! Not a case of ‘Who Dares Wins’, but more a circumstance of ‘Who Cares who loses’. The fundamental bottom line is still that the bad guys are winning with the tool of evolved imagination – and they are entering the battle ground against many security management types who are, on occasion, completely devoid of what amounts to the ability to demonstrate Cyber Defensive thinking – allowing risks to populate, manifest, and take their bite out of the soft posteriors of the company they are incumbent to protect – and before you start to shout at me with a ‘how dare he even suggest such a thing’ – may I pre-empt the fury and state, ‘he dares, because he has seen it on all too regular occasions’.

2016 is the year in which we should recognise that Cyber is starting to look like a dirty word. It is a word which is associated with the world of insecurity, rather than that of security, and it is a word which has entered the vocabulary of the public with an adversarial slant. It is in the year of 2016 in which we must recognise that it is the responsibility of those in the Profession of Digital Security that we are potentially the group holders of the keys to global stability – and ‘if’ we are going to do it, we ‘must’ assure we do not cut corners and do it ‘right’. If not, there is simply no point to even trying!
About John Walker

Visiting Professor at the School of Science and Technology at Nottingham Trent University (NTU), Visiting Professor/Lecturer at the University of Slavonia [to 2015], Independent Consultant, Practicing Expert Witness, ENISA CEI Listed Expert, Editorial Member of the Cyber Security Research Institute (CRSI), Fellow of the British Computer Society (BCS), Fellow of the Royal Society of the Arts (RSA), Board Advisor to the Digital Trust, Writer for SC Magazine UK, Originator of DarkWeb Threat Intelligence, CSIRT, Attack Remediation and Cyber Training Service/Platform, Accreditation Assessor and Academic Practitioner and Accredited Advisor to the Chartered Society of Forensic Sciences in the area of Digital/Cyber Forensics.
March 7, 2016

There is no such thing as static security – all security products become vulnerable over time as the threat landscape evolves. Any ‘deploy once, update infrequently or never’ security solution is inherently flawed, which is why every switched-on organisation routinely updates its anti-virus and anti-malware solutions, hardens its infrastructure and updates its policies. So why is SIP security still based upon a one-off implementation of a Session Border Controller (SBC)? From denial of service attacks to toll fraud, SIP trunking is inherently vulnerable. And in an era of near-continuous security breaches, that vulnerability continues to change and escalate. No technology or communications environment is static – and SIP security should be treated with the same urgency as anti-virus and infrastructure hardening. Paul German, CEO, , insists it is time to think differently about SIP security – before it is too late.

The breaches go on

Another day, another security breach. The theft of 15 million T-Mobile customers’ data from credit checking firm Experian, the exposure of the personal data of US-based Uber drivers, the hack of Samsung Pay, the denial of service (DoS) attack on HSBC – all of these events have occurred within very recent history. The scale of hacking and data theft is unprecedented and new are continually being found and compromised. Today’s threat levels are high and, given the constant publicity and public scrutiny, only the most foolhardy organisations would ignore the need to safeguard infrastructure. Yet in what is a continually changing and evolving threat landscape, inconsistencies in security policies and practices are creating new vulnerabilities. Why, for example, are organisations totally committed to continuously updating anti-virus (AV) and solutions, yet will happily install a Session Border Controller (SBC) to protect VoIP calls and never consider it again?
If there is one thing that every security expert will confirm, it is the continuously changing nature of the threat landscape – and a security product’s ability to safeguard a company declines from day one. In an era of near-ubiquitous VoIP calls, when companies are routinely falling prey to toll fraud and denial of service attacks, it is time to ask why network providers and security vendors continue to downplay the vulnerability of SIP.

Static Fallacy

The deploy once, update many times model adopted by AV, web security and email security over the past two decades is well established, and organisations recognise the clear vulnerabilities associated with failing to update routinely. Companies understand the importance of buying not just a security product but a vendor’s continuous research into emerging threats and a commitment not only to routine updates but also emergency patches in response to new hacking vulnerabilities. In effect, when it comes to a continuously changing security situation, organisations recognise the need to buy products and solutions that utilise research, existing users and community to stay ahead of the hacker. So why are other aspects of the communications network and infrastructure, including routers and switches, still subject to the static – implement once, update never – approach? Does this mean these areas are impregnable once protected? While some vendors may like to imply this is the case – it is not. Toll fraud and denial of service cost businesses £25.5 billion every year globally – £1.2 billion in the UK alone¹ – and, again, the threats continually evolve. For example, hackers are routinely undertaking port scanning in the hope of finding a way in – any organisation that has left SIP ports open is likely to be found out, and compromised, very quickly.
The scale of attack may surprise UK businesses: security consultancy Nettitude’s recent report revealed that attacks on VoIP servers represented 67% of all attacks it recorded against UK-based services – in contrast, SQL was the second most attacked service, accounting for just 4% of the overall traffic. With 84% of UK businesses considered to be unsafe from hacking according to NEC, the implications are significant and extend far beyond the obvious financial costs of huge phone bills or the increasingly common Telephone Denial of Service threats, also known as ransom events used to extort money. From eavesdropping on sensitive communications with malicious intent such as harassment or extortion, to misrepresenting identity, authority, rights and content – such as modifying billing records – or gaining access to private company and customer contacts, hackers are increasingly looking for more than basic call jacking.

Ahead of the Game

The cyber security market is set to be worth $170.21 billion by 2020² – with a strong bias towards securing email, desktops and web services. Yet while the adoption of VoIP is now at record levels, SIP security investment remains low. When hackers are looking for the easiest way in – this lack
March 7, 2016

Nearly were released every day in 2014, with no signs of slowing down, according to Symantec’s Internet Security Threat Report. Malware, worms and other viruses can spread through a company’s network like wildfire. Getting your system and network back up and running only scratches the surface of expenses. Malware can cause data breaches, compromise customers’ security and hold you liable for damages. According to the 2015 Cost of Data Breach Study’s global analysis, the average total cost of a data breach for participating companies in the study increased 23 percent to $3.79 million. The idea of data isolation isn’t new, but it has expanded beyond simple and separate servers and networks into a more sophisticated medium. Take a look at what data isolation is all about and why it matters.

Isolate your security zones

Ask yourself how many of your workstations and servers need to be connected. Isolating your data as much as possible can keep malware from spreading and
– electric or gas meters that provide real-time data, via an internet connection, to the consumer and the electricity company regarding each user’s consumption. This allows better management of electricity supplies by tailoring them to the live demand, thereby reducing overall cost as well as the impact and incidence of power outages. Indeed, smart cities are dependent on machine-to-machine (M2M) interactions and decision-making. This is, in part, a product of the sheer number of inputs and the frequency and speed with which associated calculations need to be completed. In the case of the energy grid, it would be impossible for a human operator to process all the data necessary to make decisions at the speed required by the system. However, while M2M decision-making (M2MD) is an unavoidable and beneficial feature of smart cities, it is also one of the greatest risks.

New city, new risk

M2MD is a highly promising means of ensuring efficient automation across smart cities. However, given the absence of human operators, the risk of a cascading error is significant. A cascading error refers to the potential for a small, unchecked mistake to spread through a system and become a systemic risk. For instance, if a minor computing error caused a smart electricity reader to transmit inaccurate data readings to its control centre for a period of time, this could lead to an automated, and mistaken, assessment that a particular private organisation’s premises required an increased amount of electricity. This would necessitate rerouting some of the existing energy supply to this facility which, in turn, could culminate in increased costs for the affected business, as well as for the city, and a reduced pool of electricity for other companies and citizens. Although minimal at this scale, the consequences of such errors when they affect a larger area – an entire block or an industrial zone, for example – could be far more substantial.
Smart cities and

Beyond the potential for human or computer error, smart cities will provide cyber threat actors with a large attack surface to target and potentially exploit and incorporate into broader campaigns:

Cybercriminals

As we have described above, smart cities will be composed of thousands – if not millions – of interconnected devices. Such a structure is a boon to criminal actors able to create or purchase and subsequently deploy self-propagating malware, variants of which have been known to proliferate across multiple connected networks. These ‘worms’ could be used to acquire easily commoditised information such as healthcare information, social security numbers and banking credentials, or even to take control of a significant number of systems. Were attackers able to successfully hijack these systems, they could then be used for extremely powerful distributed denial of service (DDoS) attacks or to hold an entire city for ransom in extortion attacks. Ransomware variants could be designed to encrypt and cripple an entire city’s grid, with ransom demands likely to be considerable in such a scenario. These tactics could be highly profitable for cybercriminals and represent a natural evolution of trends that we have observed in the current cybercriminal community. Incident response will become increasingly difficult in the case of city-wide compromise. Private sector organisations and municipal authorities will share ownership of systems and the responsibility for their security. Beyond adding legal and financial costs for the private sector, this will create the need for highly complex pre-planned incident response schemes involving multiple parties.
Cyber activists

As cyber activist groups grow increasingly capable and, in some cases, more radical, smart cities will provide them with an attack surface enabling a broad range of attacks, from those akin to nuisances such as defacements of a city’s billboards, to the more extreme targeting of a smart city’s energy grid with the aim of physical destruction. In addition, many cyber activist groups are supporting physical protesters by launching . This practice in a smart city environment could allow cyber activists to take a leading role in coercing governments and private sector organisations into meeting their demands. The potential destructiveness of a cyber attack on smart cities is such that even the threat of compromise of the city’s system is likely to be treated by governments and businesses as an existential one. When threat actors such as cyber activists, who arguably lack the self-control of other groups, have the possibility of causing serious physical damage, the security of smart cities becomes essential to the cities’ survival.

Nation states

As the underlying network of smart cities will encompass most aspects of life within the city, if that network were to be compromised by an attacker, it would grant them unfettered access to a target individual or organisation. For instance, state-owned competitors could compromise a smart city’s infrastructure to gather intelligence on a large number of rival private sector firms. This information could include movements of their executives within the city, private and commercial communications grabbed from the ubiquitous presence of ‘free Wi-Fi hotspots’ managed by the city, and many more. Moreover, organisations operating within the city are likely to have their networks overlap to some extent with the city’s own network, or at the very least, have frequent data transfers from their networks to that of the city.
This would enable highly advanced threat actors such as nation states to exploit weaknesses within a city’s infrastructure to reach a target organisation and compromise the confidentiality of its network. Beyond traditional espionage operations, the large-scale destruction or disruption of physical infrastructure via computer systems could become a technical reality with the advent of smart cities. The interconnectedness of systems within smart cities will lead to the reliance of components on the availability of the entire system to function properly. As such, an advanced cyber attack seeking to destroy parts of the system could have catastrophic cascading effects on the wider network. This would enable a determined nation state actor to cause large-scale physical destruction throughout an entire city. Although indirect, a belligerent nation state actor could abruptly interrupt the traffic light system of an entire city to cause significant damage and potentially the loss of human lives. Similar scenarios are conceivable for the interruption of energy supplies or water networks. Whilst such events will become more plausible with the increase in smart cities, the actual likelihood of them being undertaken is low because of the possibility that such an attack would provide a potentially justifiable basis – legally and ethically – for military retaliation, something which the perpetrator would presumably appreciate.

Securing the implementation of smart cities for the private sector

Although the exact form that smart cities will eventually take remains uncertain, organisations and city planners can take a number of precautions to ensure a smoother implementation process and, ultimately, more secure infrastructure.

Prioritise the security of critical assets: Contemporary networks are already impossible to protect in their entirety, a problem which will apply equally to smart cities. Some components of the system will have to be made more secure than others.
Public and private sector organisations will need to work together to identify the city’s critical assets and oversee the institution of appropriate security measures.

Behaviour-based security: Auditing millions of separate devices for signs of malware is simply not feasible. A more workable approach is to evaluate the behaviour of smart city components and systems against an established baseline of normal functionality or network behaviour. Any significant deviation from the norm, above a determined threshold, would trigger an investigation into the possible presence of malware on the affected subcomponents.

Rapid component replacement: Given the potential for component failure, or for attacks that compromise components, an automated replacement system will enhance the security of the whole. Although difficult to apply to critical components without full redundancy, such measures are suitable for low-level, relatively isolated components.

Segment critical assets of private organisations from the city’s network: Paramount to the security of organisations in a smart city environment is the segmentation of their critical assets from the city’s network. Although costly, and potentially reducing the organisation’s operational effectiveness, this policy will enable organisations to contain and mitigate threat actors who exploit vulnerabilities in the smart city network to reach their assets.

About Brunswick

Brunswick is an advisory firm specializing in critical issues and corporate relations: a global partnership with 23 offices in 14 countries. Founded in 1987, Brunswick has grown organically, operating as a single profit center, allowing us to respond seamlessly to our clients’ needs, wherever they are in the world.
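The behaviour-based security recommendation in the smart-cities piece above, worked through as an added example (this is not the article’s or Brunswick’s code): a baseline of mean and standard deviation per device class for a few network features, and a z-score threshold above which a device is handed to investigation. The telemetry records, the feature names and the threshold of three standard deviations are constructed assumptions.

```javascript
// Behaviour-based baseline check for smart-city components (added example,
// not the article's code). Telemetry, feature names and threshold are
// constructed assumptions.

// Constructed telemetry: one minute of network activity per device, captured
// while the devices were known to be behaving normally.
const BASELINE_WINDOW = [
  { id: "tl-0001", cls: "traffic_light", bytesOut: 1200, conns: 4, dsts: 2 },
  { id: "tl-0002", cls: "traffic_light", bytesOut: 1100, conns: 4, dsts: 2 },
  { id: "tl-0003", cls: "traffic_light", bytesOut: 1300, conns: 5, dsts: 2 },
  { id: "tl-0004", cls: "traffic_light", bytesOut: 1250, conns: 4, dsts: 2 },
  { id: "sm-0101", cls: "smart_meter", bytesOut: 300, conns: 1, dsts: 1 },
  { id: "sm-0102", cls: "smart_meter", bytesOut: 280, conns: 1, dsts: 1 },
  { id: "sm-0103", cls: "smart_meter", bytesOut: 320, conns: 1, dsts: 1 },
  { id: "sm-0104", cls: "smart_meter", bytesOut: 310, conns: 1, dsts: 1 },
];

// Features compared against the baseline, all per minute: bytes sent,
// connections opened, distinct destination hosts.
const FEATURES = ["bytesOut", "conns", "dsts"];

// Investigation threshold in standard deviations (assumption).
const Z_THRESHOLD = 3.0;

function meanStd(xs) {
  const mu = xs.reduce((a, b) => a + b, 0) / xs.length;
  const variance = xs.reduce((a, b) => a + (b - mu) ** 2, 0) / xs.length;
  return { mu, sigma: Math.sqrt(variance) };
}

// Baseline per device class rather than per device: millions of devices
// cannot each be profiled, but a traffic light should look like other
// traffic lights.
function buildBaseline(window) {
  const samples = {};
  for (const rec of window) {
    samples[rec.cls] = samples[rec.cls] || {};
    for (const f of FEATURES) {
      samples[rec.cls][f] = samples[rec.cls][f] || [];
      samples[rec.cls][f].push(rec[f]);
    }
  }
  const baseline = {};
  for (const cls of Object.keys(samples)) {
    baseline[cls] = {};
    for (const f of FEATURES) baseline[cls][f] = meanStd(samples[cls][f]);
  }
  return baseline;
}

// Score one observation. Returns the features whose z-score exceeds the
// threshold; an empty array means the device is within its class baseline.
function score(baseline, obs, threshold = Z_THRESHOLD) {
  const stats = baseline[obs.cls];
  // A class never seen during baselining cannot be judged normal: escalate.
  if (!stats) return [{ feature: "unknown_class", z: Infinity }];
  const findings = [];
  for (const f of FEATURES) {
    const { mu, sigma } = stats[f];
    // A feature that never varied in the baseline has no tolerance at all:
    // a meter that suddenly talks to new hosts is a finding even though its
    // byte count barely moved.
    const z = sigma === 0 ? (obs[f] === mu ? 0 : Infinity) : Math.abs(obs[f] - mu) / sigma;
    if (z > threshold) findings.push({ feature: f, z });
  }
  return findings;
}

// Triage a batch: device id -> findings, only for devices that need a look.
function triage(baseline, observations) {
  const alerts = {};
  for (const obs of observations) {
    const findings = score(baseline, obs);
    if (findings.length > 0) alerts[obs.id] = findings;
  }
  return alerts;
}

// Constructed live observations: a normal light, a light flooding the
// network, and a meter that has started talking to six new hosts.
const LIVE = [
  { id: "tl-0002", cls: "traffic_light", bytesOut: 1180, conns: 4, dsts: 2 },
  { id: "tl-0003", cls: "traffic_light", bytesOut: 9000, conns: 40, dsts: 2 },
  { id: "sm-0101", cls: "smart_meter", bytesOut: 305, conns: 1, dsts: 7 },
];

console.log(triage(buildBaseline(BASELINE_WINDOW), LIVE));
```

Two design points matter in practice: the baseline is per device class, because profiling each of millions of devices individually is exactly the infeasible audit the article rules out, and a feature with zero variance in the baseline is treated as intolerant of any change, so a quiet device that starts reaching new hosts is flagged even when its volume looks ordinary.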
March 2, 2016

Get buy-in from the C-suite about training employees on cyber security issues. Train everyone on what to look for when it comes to phishing, spear phishing, and whaling schemes. Doing so will go a long way toward cutting off, or at least reducing, at least one attack vector. Since approximately ninety-five percent of breaches start with email, having the C-suite train alongside the rank and file will stress how important this issue is.

Audit your devices and make sure all firmware has been updated. We usually remember to update software on a regular basis thanks to Microsoft and programs like Secunia, which will remind you or update automatically. (You do practice patch management, right?) But firmware tends to be forgotten, because much device firmware is not updated automatically, or, when a new device is installed into a production environment, its firmware may not have been checked yet.

Are you finding BYOD is becoming a major part of your network infrastructure? It may be time to re-evaluate your network bandwidth: the more devices you have, the less bandwidth remains for your existing devices. Perhaps it is also time to invest in a Mobile Device Management (MDM) solution. Keep company data away from employee personal data, and make it easier to check BYOD devices for recent updates and sufficient anti-virus/anti-malware protection.

Cloud service providers are everywhere. In the past, all you had to worry about was moving files from your computer or server onto someone else’s server someplace else. Now you have software providers, storage providers, infrastructure providers, platform providers and even Disaster Recovery as a Service (DRaaS) providers. What do you want to do? What do you want to pay? How much control do you want to give up, and what Return on Investment (ROI) are you looking for? These are just a few of the questions you need to ask.
All of these pose security implications, with the possible exceptions of ROI and what you want to pay. So maybe it is time to look into a cloud service. Just remember: research what you are getting into and know what you want to get out of the cloud service. Also look at the human side. Are you replacing employees with the cloud service, or are you enhancing employee productivity?

There is an old saying (anything older than one year in technology is considered an old saying): there are those who know they’ve been breached and those who’ve been breached but just don’t know it yet. It is along the same lines as: it isn’t if you lose your data, but when. Are you in an industry that requires a breach notification to the public, because compliance compels you to, or will you do it as a public service? I have a friend who is a psychologist who had her email hacked. An email went out to all of her clients and friends. Because she had fewer than 500 contacts in total, was a private practitioner, and HIPAA compliance didn’t have teeth yet, she didn’t have to notify her clients about the breach. So she didn’t. If your company is subject to compliance requirements (Sarbanes-Oxley (SOX), PCI-DSS, etc.), will you have the proper notification protocols in place to let your customers/clients know? Look over your notification protocols, and develop them if you don’t have them. In today’s world, breaches are almost an everyday occurrence. Coming clean to your customer base immediately will save the goodwill your company has developed over the years, and may prevent a lawsuit. It may also create more trust from your customers, since you have the strength of character to own the problem and take care of it immediately. The only time this may not be wise is if law enforcement tells you not to; in those cases, you can point to law enforcement as the reason for not telling the public and your customers immediately.

2016 is going to be a bad year.
Each year is going to get worse as newer and faster computers come online and more sophisticated forms of malware take shape. In this industry, we are only one step ahead of the bad actors, and even then that one step is tenuous. We win some, we lose some, and then we fight back and win some of the ground we lost. Cyber war is here to stay; we just have to try to keep our heads above water. Start with educating your staff, managers, and executives. Your worst enemy is not what is outside, but what lurks inside your company. Employees cause the most damage to networks, whether intentionally or accidentally. Training, though, can give your company a little bit of hope.

Allan Pratt
Company: Los Angeles City College & Consultant
Position: Adjunct Faculty & InfoSecurity Strategist
Bio: Allan Pratt, an infosec strategist, represents the alignment of technology, marketing, and management. With an MBA degree and four CompTIA certifications in computers, networks, servers, and security, Allan translates tech issues into everyday language that is easily understood by all business units. His expertise includes the installation and maintenance of all aspects of the PC and peripheral lifecycle and the planning and integration of end-to-end security solutions. Allan also teaches both the CompTIA A+ and the CompTIA Security+ certification courses, and has been quoted in industry publications. Allan is on our expert panel list.
overarching strategy of the organisation. In addition, they boast a well-deserved reputation for being fiercely analytical of potential risks to the safety of their clients and employers.” Ultimately, said Raef Lawson, it is up to finance professionals to keep a watchful eye when it comes to cybercrime. “Above all, professional accountants tend to be cautious in dealing with innovations that have a potential to put safety at risk. These traits make them perfectly placed to hold vigil over potential threats to the cybersecurity of the organisation,” he said. The study found that accountants and other finance professionals clearly understand the importance of the issue: 85% of respondents said that management at their respective companies was concerned about such risks.

About ACCA

ACCA (the Association of Chartered Certified Accountants) is the global body for professional accountants. We aim to offer business-relevant, first-choice qualifications to people of application, ability and ambition around the world who seek a rewarding career in accountancy, finance and management. We support our 178,000 members and 455,000 students in 181 countries, helping them to develop successful careers in accounting and business, with the skills required by employers. We work through a network of 92 offices and centres and more than 7,110 Approved Employers worldwide, who provide high standards of employee learning and development. Through our public interest remit, we promote appropriate regulation of accounting and conduct relevant research to ensure accountancy continues to grow in reputation and influence.

About IMA®

IMA, the association of accountants and financial professionals in business, is one of the largest and most respected associations focused exclusively on advancing the management accounting profession.
Globally, IMA supports the profession through research, the CMA® (Certified Management Accountant) program, continuing education, networking and advocacy of the highest ethical business practices. IMA has a global network of more than 80,000 members in 140 countries and 300 professional and student chapters. Headquartered in Montvale, N.J., USA, IMA provides localized services through its four global regions: The Americas, Asia/Pacific, Europe, and Middle East/Africa.
February 25, 2016

Technology adoption is bringing about massive change in major cities around the world, from smart traffic lights to knowing exactly when transportation will arrive and paying for public services with the touch of a credit card or personal device. The Smart London initiative embraces technology that improves the lives of residents, businesses and visitors by allowing them to experience the city in a more seamless and immersive way. With the capital’s population predicted to grow by over a million between 2011 and 2021, new technologies will undoubtedly play a big role in the way we see and experience London. But with the rise of malicious targeted threats, how can smart cities secure their IT initiatives from possible attack?

Navigant Research forecasts that the smart city technology market will exceed $20 billion in 2020. In line with this explosive growth, investment in more complex technologies will be significant, but, as always, with increased technology comes greater vulnerability. One of the major security concerns facing smart cities is the Advanced Persistent Threat (APT): a targeted, long-running intrusion, typically using custom malware, carried out by a well-resourced and often state-sponsored group whose aim is espionage, sabotage or political influence rather than quick financial gain. As a city’s framework and infrastructure become increasingly technology-dependent, IT security must work hard on the front lines, looking out for suspicious activity and abnormal behaviour. Measures are especially needed to protect the weakest link in the city’s IT infrastructure, the endpoints and end-user devices, and to enforce compliance with security policies and standards.

What are the worst possible scenarios for attacks on the infrastructure of a smart city? In smart cities, everything is connected, from local government, utilities, financial and transactional services to transport and emergency services.
For example, in a city the size of London, with a population exceeding 8.5 million, a critical service that has been attacked and stops responding can have a devastating effect. The attack can create a domino effect, in which many of the operations dependent on that service malfunction or simply shut down. For attackers, knowing which services are essential to the functioning of the city can form the basis of a targeted attack. Such attacks can operate covertly and take down the most crucial components of the city’s infrastructure, placing the entire city at risk of complete standstill or worse. Multiple city services malfunctioning simultaneously would at the very least result in a failure of the economic infrastructure for 48 hours or more. It is hard to imagine the consequences, with the loss of every economic transaction and the time needed to replace the damaged infrastructure, while trying to maintain law and order. The costs and impact would be huge, and not only in financial terms but also in the long-term
fitness bands to detect whether officers are under stress and in need of back-up. It is not a huge step from here to embedding such capability within the human body.

Protection vs privacy

Where technology goes, cybercriminals are rarely far behind. The data generated by such applications is highly sensitive, personal and confidential, and therefore of immense appeal to attackers. Understanding the potential security risks and addressing them with comprehensive security solutions, including robust encryption and authentication, should be a top priority for the security industry and for product and service providers. This needs to be complemented by consumer education and communication. We recently undertook research across Europe to explore how ordinary consumers view the risk and potential of connected bio-chip implants. We found that, as is often the case with emerging technologies, fear of the unknown can be overwhelming, with around two-thirds concerned that an implanted chip might malfunction and harm them (63%) or enable someone with malicious intent to take over their body or data (60%). The truth is that without the right security in place, these are all possible. At the same time, many were open to the benefits the technology could bring. So we shouldn’t let fear paralyse progress when there is action we can and should take. Implanted, connected bio-chips can make our lives richer, easier and safer. Let’s focus our energy on making sure they do so safely.

About Marco Preuss

Marco was appointed Director of Europe for the company’s Global Research & Analysis Team in March 2013. Prior to becoming Director of Europe, Marco served as the Head of the Global Research & Analysis Team in Germany. Marco brings more than 13 years of IT security experience to his role and is responsible for monitoring the threat landscape in Europe, while specializing in web and social networking threats and Apple OS security.
Apart from research, Marco is responsible for maintaining close contact with independent testers and security partners. Marco began his career with Kaspersky Lab back in 2004 as a Technical Consultant, providing expert knowledge on Linux and Unix-based systems. He has also been involved in corporate sales management, before moving on to become the technical contact for the OEM department, supporting customized solutions. Marco has participated in the development of web-based services and systems for the Marketing and Retail Sales departments and has worked extensively with the Company’s product design teams. Marco joined the research team as a Virus Analyst in 2009.
domains, first and third-party. Remove the offending JavaScript code or do not let it execute in the browser.

Ad Tech: Integrate ad-blocking detection code inside the core website JavaScript functionality. If the JavaScript code fails to run, the web page is designed to be unusable. GAME OVER. Ad Tech wins.

Although the steps above will not necessarily play out in exactly this order, what matters is how the war always ends. No matter how you slice it, and believe me, we sliced it a number of ways, ad tech eventually wins. Its control of and access to the DOM appears dominant.

Security lessons to be learnt?

If you look at it closely, the ad tech industry behaves quite similarly to the malware industry, with both the techniques and the delivery consistent across the two. Ad tech wants to deliver and execute code that users don’t want, and it will bypass the user’s security controls to do exactly that! So it really should come as no surprise that malware purveyors heavily utilise online advertising channels to infect millions of users. And if this is the way the war plays out, where users and their ad blockers eventually lose, it could well be the case that anti-virus is the only option left, and we all know that anti-virus is effective at the flip of a coin. The only recourse left is not a technical one, but one that ends in regulation and the courts.

About Jeremiah Grossman

Jeremiah Grossman is the founder of . Jeremiah possesses a unique combination of technology savvy, customer advocacy and personal passion for application security. A world-renowned web security expert, sought-after speaker and influential blogger, Jeremiah brings a literal lifetime of information security experience, both homegrown and from his days as Yahoo!’s information security engineer, to the role. The ultimate “WhiteHat,” Jeremiah is also founder of the Web Application Security Consortium. In his spare time, Jeremiah practices Brazilian Jiu-jitsu and has earned a black belt.
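The “Ad Tech” escalation step above, the detection code woven into the site’s own JavaScript, worked through as an added example. This is neither Jeremiah Grossman’s code nor any ad network’s: it shows the two probes such detectors rely on (a bait element to catch cosmetic filtering, a flag to catch the ad script never having executed) and the “page becomes unusable” response. The bait class names, the `__adsLoaded` flag and the `fakeBrowser` stand-in for `document`/`window` are assumptions, the last one so the file runs offline under Node rather than in a browser.

```javascript
// Ad-block detection of the kind the passage describes, plus the "page goes
// dark" response. Added example; not Jeremiah Grossman's or any ad network's
// code. Bait class names, the __adsLoaded flag and fakeBrowser are assumptions.

// Class names that content-blocker filter lists typically hide (assumed).
const BAIT_CLASSES = "ad ad-banner adsbox pub_300x250 text-ad";

// Probe 1: cosmetic filtering. Insert an element that looks like an ad and
// check whether the blocker's CSS rules hid it or collapsed its layout box.
function baitIsHidden(doc, win) {
  const bait = doc.createElement("div");
  bait.className = BAIT_CLASSES;
  bait.style.cssText = "position:absolute;left:-9999px;width:1px;height:1px";
  doc.body.appendChild(bait);
  const cs = win.getComputedStyle(bait);
  const hidden =
    bait.offsetParent === null ||
    bait.offsetHeight === 0 ||
    cs.display === "none" ||
    cs.visibility === "hidden";
  doc.body.removeChild(bait); // leave no trace for the user to spot
  return hidden;
}

// Probe 2: network filtering. The ad script sets a flag when it executes; if
// its URL was blocked the script never ran and the flag is absent.
function adScriptRan(win) {
  return win.__adsLoaded === true;
}

function adBlockDetected(doc, win) {
  return baitIsHidden(doc, win) || !adScriptRan(win);
}

// The escalation: core functionality refuses to run until ads can run.
// Returns "content" (page served) or "wall" (page replaced by the notice).
function enforce(doc, win) {
  if (!adBlockDetected(doc, win)) return "content";
  doc.body.innerHTML = "<p>Please disable your ad blocker to use this site.</p>";
  return "wall";
}

// Constructed stand-in for a browser so this file runs under Node.
// cosmeticBlocked simulates a filter list hiding the bait; scriptBlocked
// simulates the ad script URL being blocked before it could execute.
function fakeBrowser({ cosmeticBlocked, scriptBlocked }) {
  const body = {
    innerHTML: "<main>real content</main>",
    children: [],
    appendChild(el) {
      this.children.push(el);
      el.offsetParent = cosmeticBlocked ? null : this;
    },
    removeChild(el) {
      this.children = this.children.filter((e) => e !== el);
    },
  };
  const doc = {
    body,
    createElement: () => ({
      className: "",
      style: {},
      offsetHeight: cosmeticBlocked ? 0 : 1,
      offsetParent: undefined,
    }),
  };
  const win = {
    __adsLoaded: scriptBlocked ? undefined : true,
    getComputedStyle: () => ({
      display: cosmeticBlocked ? "none" : "block",
      visibility: "visible",
    }),
  };
  return { doc, win };
}

// Demo: a clean browser is served content; one with a blocker hits the wall.
for (const scenario of [
  { cosmeticBlocked: false, scriptBlocked: false },
  { cosmeticBlocked: true, scriptBlocked: false },
  { cosmeticBlocked: false, scriptBlocked: true },
]) {
  const { doc, win } = fakeBrowser(scenario);
  console.log(JSON.stringify(scenario), "->", enforce(doc, win));
}
```

In a real page the call is simply `enforce(document, window)` placed after the ad script tag. The bait probe is also what makes the next round of the arms race possible: blockers ship “anti-adblock” filter rules that target exactly these detector scripts, which is why the article concludes the contest is not settled technically.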
February 11, 2016

Kaspersky Lab’s Global Research and Analysis Team has published extensive research on the Adwind RAT, a cross-platform, multifunctional malware program also known as AlienSpy, Frutas, Unrecom, Sockrat, JSocket and jRat, which is distributed through a single Malware-as-a-Service platform. According to the results of the investigation, conducted between 2013 and 2016, different versions of the Adwind malware have been used in attacks against at least 443,000 private users and commercial and non-commercial organisations around the world. The platform and the malware are still active.

At the end of 2015, Kaspersky Lab researchers became aware of an unusual malware program that had been discovered during an attempted targeted attack against a bank in Singapore. A malicious JAR file was attached to a spear-phishing email received by a targeted employee at the bank. The malware’s rich capabilities, including its ability to run on multiple platforms, as well as the fact that it was not detected by any antivirus solution, immediately captured the attention of the researchers.

The Adwind RAT

It turned out that the organisation had been attacked with the Adwind RAT, a backdoor available for purchase and written entirely in Java, which makes it cross-platform. It can run on Windows, OS X, Linux and Android, providing remote desktop control, data gathering, data exfiltration and so on. If the targeted user opens the attached JAR file, the malware self-installs and attempts to communicate with its command and control server. The malware’s functions include the ability to:
- collect keystrokes
- steal cached passwords and grab data from web forms
- take screenshots
- take pictures and record video from the webcam
- record sound from the microphone
- transfer files
- collect general system and user information
- steal keys for cryptocurrency wallets
- manage SMS (on Android)
- steal VPN certificates
While it is used mainly by opportunistic attackers and