Thursday, 29 December 2016

That woman May does not speak for me

This is disgusting. I’m fairly certain that the majority of Britons who voted to leave the EU were not voting to enter a fascist state. But that’s what we’ve got thanks to that woman May — who, incidentally, has never been elected to the office of prime minister by the British people. Immigration was an […]

The post That woman May does not speak for me appeared first on ITsecurity.



from That woman May does not speak for me

Collaborate against the state: 2017 security predictions

Adam Vincent, CEO, ThreatConnect

With state-sponsored hacking now a mainstay of the global threat landscape and cybercriminals pushing into new, powerful forms of ransomware, 2017 is shaping up to be a challenging year for the security community. Organisations face new, powerful threats and adversaries playing a much longer game against specific victims. The era of so-called “scattergun scams” is gradually evolving into a trend for far more finely-targeted exploits designed to achieve strategic goals, both for the advancement of national policy and criminal gain.

What should organisations do to prepare? What will security teams have to face in the new year? ThreatConnect conducted much of the cutting edge research regarding the newsworthy breaches of 2016, including the DNC and WADA hacks. Here are our predictions for 2017 – the threats, targets and responses that will likely define the year.

  1. State hackers, ransomware and the IoT: threats on the up

2017 will see an increase in strategic state-backed hacking among developed nations, with more poorly-equipped countries jumping on the bandwagon with less sophisticated attacks. The use of cyber-espionage reached a new level of maturity in 2016. We will see an increasingly vocal response from western governments to escalating Russian hacking activity as we begin to move towards more codified rules of cyber-engagement. 2017 will still be a period of unfettered hacking activity, however, as state actors use aliases to mask their involvement. Organisations with any strategically useful information, whether in the public or private sector, must prepare themselves to deal with highly sophisticated phishing, infiltration, and data leaking campaigns.

The criminal element will also strengthen their powers in 2017, with ransomware establishing dominance as the most common form of financial attack. This prevalence will be a logical progression in cybercrime, as ransomware cuts out the middlemen and lets the attacker collect money directly from the victim, rather than needing to determine how to convert credit card numbers, account credentials or stolen data into money. The malware involved will become more powerful, incorporating strong encryption and therefore becoming harder to remediate if backups are not up-to-date.

Finally, large-scale DDoS attacks using the IoT as a source for botnet devices will become the new heavyweight menace. The few attacks that have been observed so far have been record-setting in terms of sheer volume, and if embedded devices in IoT networks can’t be patched, they will remain vulnerable to being co-opted into botnets. As a result, we can expect larger scale, more coordinated attacks leveraging IoT devices. Judging by the recent attack on the Dyn DNS system which took down several of the largest sites on the web (Spotify, Twitter, Netflix), the targets will be extremely high profile.

  1. The media will come under fire

One of the most significant hacks of 2016 was the Russian attempt to silence investigative journalist firm Bellingcat during its research into the MH17 shoot-down. This is a trend we will see developing in 2017, as nations seek to edit or censor their presentation in the global press. Journalists who are seen as interfering in the affairs of Russia in particular can expect to be targeted, with the aim of infiltrating their systems and disrupting their activities.

We can also expect to see the tactics in this area turn personal. Bellingcat contributor Ruslan Leviev was subjected not just to professional disruption, but to personal targeting, with his private information being published in a defamatory attempt on his character. In 2017 journalists that are perceived to represent a threat to Russian and other national interests will risk having their emails, social media and databases hacked, either for information gathering or blackmail purposes. Data will no longer need to be directly pertinent to a story to be targeted: any personal information will be fair game.

State efforts will not be restrained to hacking. The information gathered in phishing attacks will be turned to the production of misleading or fake news – a hallmark of the 2016 US election – designed to further the state’s aims overseas. We will see state actors exerting influence over foreign populations by generating a media frenzy with intel extracted through cyber exploits.

State actors will also look to play the long game, infiltrating major media outlets’ servers and lingering before quietly intercepting information which could be used to further their aims. Media organisations will need to be wary, not just of smash-and-grab cybercrime but also dedicated spying.

  1. The government will up its cyber security game

Philip Hammond’s announcement that the UK government would provide £1.9bn of extra funding for cybersecurity over the coming years indicates a major step-up in public cyber-response. With state-sponsored hacking making major headlines worldwide in 2016, we will see governments moving to block the negative effects of these attacks more proactively in the new year. Part of Hammond’s announcement related to cyber offense, so we are likely to see not just a reinforced ‘national firewall’ of defense mechanisms, but also a redoubled effort in terms of retaliation and retribution.

We will also see more collaboration between public and private organisations, as government bodies and enterprises look to benefit from shared information against mutual adversaries. We will begin to move towards a more unified national approach to cyber security based on information sharing communities, rather than a fragmented, secretive organisation-by-organisation approach.

  1. SMEs will benefit from easy-access intel

While in the past couple of years threat intelligence was only accessible to the largest organizations with big security budgets, threat intelligence platforms are now making it possible for more companies and agencies to start threat intel programs. They can either do this on their own or with the help of a managed security service provider (MSSP) which can bring knowledge and expertise to an organization while bundling together security technologies tailored to meet its needs.

With the ever-increasing influx of data, security teams need to create an intelligence-driven approach to their cybersecurity defense that is efficient and effective. Whether it is gaining access to threat intelligence from free, aggregated open sources and/or communities, or building upon a program that is already in place, companies need to take action to prevent attacks to their networks. While an organization may not necessarily be a target, they could be the gateway to a larger company or even a partner. Threat intelligence is a must-have at whatever level you can get it.

The post Collaborate against the state: 2017 security predictions appeared first on IT SECURITY GURU.



from Collaborate against the state: 2017 security predictions

The challenges facing local authorities will demand greater focus on information security

Phil Greenwood, Country Managing Director and Commercial Director at Iron Mountain 

Local authorities face the challenging task of managing ever-growing volumes of records, covering anything from council taxes to confidential information about local schools. Furthermore, they must manage this data securely while dealing with the pressures of cutting costs and improving the overall efficiency of the services they provide to the public. If the protection of this information is not prioritised and is somehow compromised, severe financial penalties and reputational damage will soon follow.

In the UK, the 1998 Data Protection Act requires controllers of personal data to take appropriate measures to prevent data being “accidentally or deliberately compromised”. Some of these measures include having robust policies and procedures in place, and reliable, well-trained staff. If a local authority fails to comply with these measures and a serious data breach occurs, the organisation can face fines up to £500,000.

Despite the obvious risks and reputational damage caused by a breach, local authorities are simply struggling to find the time to manage and protect information properly. A recent study by Iron Mountain, The challenge of sharing information management in UK local authorities in 2016 and beyond highlights the challenges faced by records and information managers.

The study found that 57% of records and information managers have just a few seconds to handle every record they are responsible for and do not have enough staff to deal with day-to-day information management demands. Complicating the issue further is how leaders in other areas view the scale of the problem. According to our study, 50% of records and information managers believe the number of cases involving poor information management has gone up, while only 35% of leaders in other departments agree. There is also a lack of faith within local authorities about their organisation’s ability to manage large volumes of information securely and in accordance with data protection legislation. Approaching half (42%) of records and information managers and leaders in other departments don’t trust their colleagues to adhere to data protection legislation and/or don’t trust them to manage information securely (45%).

In the face of these problems, it is difficult to see what steps local authorities can take to get a better grip on information management. But there are steps they can take. Below are some recommendations on how our local authorities might address the complex information challenges they face.

Overcome cultural and communication barriers

Different working practices and styles mean that teams do not always share or store information across departments in a consistent way. Lowering cultural and cross-departmental barriers within a local authority could go a long way towards helping councils manage information more effectively.

Setting up steering committees can be a useful way to keep communication channels open and align different teams on problems and policies. Once established, steering committees can enable senior leaders and internal stakeholders to communicate regularly with one another about processes, discussing what works well and how to make future improvements.  

Educating staff on the latest data regulations

New data protection regulations are constantly on the horizon. One such is the GDPR, which is set to come into play in 2018 if Brexit does not disrupt current plans. It’s vital that everyone in the local authority is prepared and trained on how to meet data protection requirements. Educate staff so that they are up to date on the latest information management processes, correct procedures and best practice, as well as the potential consequences of mis-managing sensitive information. Every member of staff needs to acknowledge and own their role in helping to keep sensitive information secure, regardless of the time pressures they may be under. 

Balancing organisational pressures with data security

Outsourcing to a trusted third party can help free up time and resource. Secure storage and destruction are areas for consideration. A third party should be able to advise on retention schedules and have high-level security to help safeguard sensitive records, leaving information managers with less to worry about. This will allow them to focus on strategic operations that will deliver better services and value to the public, without compromising the integrity of the information for which they are responsible. 

Conclusion

 

Avoiding data breaches is vital if local authorities are to inspire trust amongst the communities they serve. The good news is that there are actions information managers, senior leaders, and stakeholders within local authorities can take to help establish best practice that others can then follow.

Closer collaboration and better education in particular will help solve some of the complexities of information management within the organisation. Putting these measures in place will help everyone work towards one common goal – treating sensitive data with care, while using it to deliver a higher level of service to the local community.

The post The challenges facing local authorities will demand greater focus on information security appeared first on IT SECURITY GURU.



from The challenges facing local authorities will demand greater focus on information security

Game of Code – 2nd edition of a Hackathon “made in Luxembourg”

ITOne, in partnership with Docler Holding is proud to announce the second edition of Game of Code at the Geesseknappchen Forum in Luxembourg on March 11th and 12th 2017.

For the 1st edition, the Hackathon gathered more than 200 visitors and 35 teams of developers and designers who participated in the two challenges designed by Docler Holding and Digital Lëtzebuerg. The participants and speakers came from all over Europe.

The game is simple: 24hrs of coding based on web development, during which the best European developers will compete. Marton Fulop COO of Docler Holding explains, “We are proud to contribute to this second edition and we believe such an initiative will help attracting IT Talents to Luxembourg. This is part of the company’s mission”. This year, the challenge created by Docler Holding will focus on virtual, distant and augmented reality. Francis Bourre, Software Architect at Docler Holding, sets the scene: “As with any adventure, the story of one person will perhaps build the story of all. Alice is the name of our main character, engineer and researcher in her spare time, she has developed an application to sublimate the everyday life and recover our imaginary deceased. We now propose to imagine the world of tomorrow, through the eyes of Alice and to rehabilitate the dream by combining it with the digital. In terms of technologies, everything is allowed: JavaScript, PHP, Flash, Java, Python, Unity … The list is not exhaustive, as long as the application is executable in a web page or on a mobile phone. Concerning the devices, controllers and connected objects of all kinds, no restriction either: Kinect, Wii, Leap Motion”.

“We are pleased to be able to get the same main support this year, namely from Docler Holding and Digital Lëtzebuerg. This shows the interest from private companies willing to attract new developers and from the public sector, which works to make Luxembourg a Smart Nation through Digital Lëtzebuerg”, comments Kamel Amroune, Managing Director of ITOne.

Gathered by teams of 3 to 4 people, IT experts will also have the opportunity to meet industry professionals during the weekend to discuss their ambitions and likely seize professional opportunities in Luxembourg. As for the 2nd challenge, the topic will be open data just like last year; additional information will be provided in January.

This year, initiatives in favour of education and the awakening to technologies will also be put in place throughout the weekend. The pitch sessions will begin on Sunday, March 12th at 2PM and the entrance will be free.

To get more information and to register go to: www.gameofcode.eu

The post Game of Code – 2nd edition of a Hackathon “made in Luxembourg” appeared first on IT SECURITY GURU.



from Game of Code – 2nd edition of a Hackathon “made in Luxembourg”

RiskIQ 2017 cyber security predictions

After a year that has seen an unprecedented number of organisations hit by security breaches, RiskIQ looks ahead at the rapidly evolving threat landscape and shares its 2017 cyber security predictions.

Some of the areas included in the predictions are:

–          Threat actors finding a new way in

–          IoT becomes a new threat vector but not in the way you think

–          Threat actors moving ever faster, seconds count

2017 #Infosec Predictions List

With cyber attacks ranging from Yahoo! to the Democratic National Committee and the rise of ransomware to the Shadow Brokers, 2016 was an exciting year for the cyber security community. However, we expect 2017 to provide a very different digital threat landscape than years past. With shifting trends such as the internet of things (IoT), new business and operational models, and organisations using digital channels more than ever before, threat actors are bound to wield brand new threat vectors during the upcoming year. As a security professional, here are some of the trends you need to watch out for.

  1. Phishing will conquer new territory

Our stats show it, and so does everyone else’s: as zero-days and trivial host exploits get harder to pull off, threat actors are reverting to forms of attack that are unsophisticated and primitive—but have proven to be highly effective. That’s why phishing is rising in popularity and traditional email and web phishing, spear phishing, and whaling (Business Email Compromise or BEC) all usually share many of the same simple root causes: domain infringement and content, branding, and keyword impersonation.

Phishers are also starting to conquer new ground. We are now seeing a hard pivot by phishers into leveraging social media, and in 2017, this trend will grow exponentially—especially with social networks adding online marketplaces (Facebook) and payment gateways. At RiskIQ, we’ve been seeing threat actors leverage fake mobile apps for quite some time, but in 2015, we saw a rise in phishers moving to social media in the U.S., primarily targeting banks and major brands with a significant social media sentiment following. And, in early 2016, we detected some of the first phishing attacks via social media targeting in other countries, such as Japan.

  1. IoT will increase as a new attack vector—but not how you think

People have sounded the IoT alarm for years now, but threat actors have only exploited IoT in DDoS attacks, like the one we saw targeting Dyn late in 2016. This attack crippled internet traffic across over half the continental U.S. and many other parts of the world. Many will predict that in 2017, IoT will be leveraged in more sophisticated attacks such as ransomware and data leaks, but for the most part, we’ll continue to see the same kind of attacks we saw in 2016.

Why? It’s true that IoT will continue to standardise operating systems around Android & Linux variants, eventually making it easier to write broad-scale attack/exploit code. But for now, IoT operating systems and embedded systems are still too fragmented. You cannot write a worm that can exploit almost every Windows Desktop, SQL Server, Exchange Server, or Office/Outlook client with the same exploit.

  1. Threat actors will find a new way in

As endpoints get harder to compromise, adversaries such as nation-states, hacktivists, and cyber criminals will ramp up the number of external threats hurled against organisations. Therefore, most of the incidents that will lead to data breaches will come from external sources, especially in digital channels like social, mobile, email, and the cloud, where many digital assets are unknown (and thus unmanaged) by the organisations that are responsible for them.

  1. How will the cat and mouse game will evolve? Data.

Threat actors are getting more sophisticated at hiding their tracks—they anonymise their infrastructure and are improving at detecting and hiding from security scanners and crawlers that detect attacks via websites and ads. Hunt teams will need to deploy increasingly modern sophisticated technology to detect them in the form of new combined internet datasets—such as linking together related hosts, third-party web components, and WHOIS information—that fingerprint and track these new threat actor tactics.

  1. Your biggest vulnerability may have nothing to do with you

Like they say, if you can’t beat ‘em, target a third-party component that’s part of their infrastructure. Now that Microsoft Windows and Office aren’t the easiest common denominator to exploit, threat actors will move towards other shared components and infrastructure that give them a “many-to-one” advantage, i.e., pieces that plug into many different organisations at the same time.

For example, Content delivery networks (CDNs) like WordPress are a big target. If a threat actor accesses one, they also access thousands of websites. Additionally, if a marketing partner like Eloqua and Marketo are compromised, a threat actor gains access to data from thousands of customer campaigns as well as thousands of corporate websites that use plugins from these services.

  1. Keyloggers might steal your credit card info

Because modern vulnerability scanners don’t detect embedded attacks in progress, threat actors will get even sneakier. To avoid detection, they will launch attacks that rewrite the document object model (DOM) of page using keyloggers, which is spyware that can record every keystroke made to log a file. That means when you’re punching your credit card info into a compromised eCommerce site, it falls right into the hacker’s hands.

RiskIQ’s Threat Research Team has seen new shopping cart exploitation that uses this very method.

  1. Modern threat actors move fast. Seconds will count more than ever

We are increasingly hearing of attack campaigns from instances of domain infringement used for phishing and malware campaigns that go live the day the account is created and only last for a few hours. The speed at which these attacks appear and vanish make them unsolvable by human analysts. That means companies need automation that can quickly and accurately detect these attacks, and push them into global blocking solutions in minutes—if not seconds—to get ahead of them.

The post RiskIQ 2017 cyber security predictions appeared first on IT SECURITY GURU.



from RiskIQ 2017 cyber security predictions

‘Switch’ leads to glitch: Android malware hijacks routers’ DNS settings

A newly discovered Android trojan can sabotage entire Wi-Fi networks and the users who connect to them by accessing the router that an infected device is communicating with and executing a Domain Name System (DNS) hijack attack. According to Kaspersky Lab on Wednesday via its Securelist blog, the malware, named Switcher, uses a compromised Android device to pull up the local router’s admin interface, and then attempts to gain top-level privileges by executing a brute-force attack that guesses commonly used or default log-in credentials. If successful, the malware opens the router’s WAN settings and changes the IP address of the primary DNS server to that of a rogue one operated by the cybercriminals behind the campaign.

View full story

ORIGINAL SOURCE: SC Magazine

The post ‘Switch’ leads to glitch: Android malware hijacks routers’ DNS settings appeared first on IT SECURITY GURU.



from ‘Switch’ leads to glitch: Android malware hijacks routers’ DNS settings

Samir Nasri could face doping charges as well as embarrassment after Twitter account was hacked

Samir Nasri is being investigated by Spanish anti-doping authorities after his Twitter account was hacked on Tuesday night, according to reports in Spain. A series of bizarre tweets were sent from Nasri’s account in response to a post from Drip Doctors, a service he is understood to have used for an intravenous treatment. While most of the focus was on Nasri’s alleged infidelity to his then-girlfriend Anara Atanes, it has now emerged that the French playmaker could be investigated for anti-doping offences.

View full story

ORIGINAL SOURCE: The Daily Mail

The post Samir Nasri could face doping charges as well as embarrassment after Twitter account was hacked appeared first on IT SECURITY GURU.



from Samir Nasri could face doping charges as well as embarrassment after Twitter account was hacked

NH Department of Health and Human Services Announces Data Breach

On Dec. 27th, the NH Department of Health and Human Services announced a data breach that has potentially compromised the personal information of 15,000 people who receive services from DHHS. For more information about the breach, how it happened and steps you can take to protect your personal information, please follow this link to the DHHS web site and read the documents posted there.

View full story

ORIGINAL SOURCE: DHHS

The post NH Department of Health and Human Services Announces Data Breach appeared first on IT SECURITY GURU.



from NH Department of Health and Human Services Announces Data Breach

U.S. accuses Chinese citizens of hacking law firms, insider trading

Three Chinese citizens have been criminally charged in the United States with trading on confidential corporate information obtained by hacking into networks and servers of law firms working on mergers, U.S. prosecutors said on Tuesday. Iat Hong of Macau, Bo Zheng of Changsha, China, and Chin Hung of Macau were charged in an indictment filed in Manhattan federal court with conspiracy, insider trading, wire fraud and computer intrusion.

View full story

ORIGINAL SOURCE: Reuters

The post U.S. accuses Chinese citizens of hacking law firms, insider trading appeared first on IT SECURITY GURU.



from U.S. accuses Chinese citizens of hacking law firms, insider trading

Breach Affects Data of 400,000 Members of Washington Health Plan

Hackers had access to protected health information and other information of nearly 400,000 members of Community Health Plan of Washington over a 10-month period, the organization says. The information was held by a server operated by a technology services provider, which was not identified by Community Health Plan. The breach was discovered on November 7 and the server was disabled; members of the plan and the media were notified of the breach on December 20.

View full story

ORIGINAL SOURCE: Insurance Networking News

The post Breach Affects Data of 400,000 Members of Washington Health Plan appeared first on IT SECURITY GURU.



from Breach Affects Data of 400,000 Members of Washington Health Plan

‘Frequent flyer points put at risk by website flaws’

Airline booking systems lack basic security checks that would stop attackers changing flight details or stealing rewards, warn experts. The problems emerge because the six-digit codes booking systems use to identify travellers are easy to guess. Two researchers demonstrated the weaknesses by changing a flight booking and seat assignment for a reporter. The security investigators presented their findings at the Chaos Communications Congress in Germany.

View full story

ORIGINAL SOURCE: BBC

The post ‘Frequent flyer points put at risk by website flaws’ appeared first on IT SECURITY GURU.



from ‘Frequent flyer points put at risk by website flaws’

Tuesday, 27 December 2016

Webcam shows and Experian

I came across this headline today: 200 Million Data Enrichment Records For Sale on Darknet The second paragraph reads: The person offering the files claims the data is from Experian, and is looking to get $600 for everything. However, sources at Experian said that they were made aware of this data breach last week, and […]

The post Webcam shows and Experian appeared first on ITsecurity.



from Webcam shows and Experian

Saturday, 24 December 2016

Agents Smith & Jones versus the Bad Guys

A new breed of endpoint protection software has emerged over the last few years. If we simplify things – probably over-simplifying – this breed of products uses machine-learning technology to teach itself behavioural rules that can detect and block known and unknown malware in situ. This is the central theme of what is usually known […]

The post Agents Smith & Jones versus the Bad Guys appeared first on ITsecurity.



from Agents Smith & Jones versus the Bad Guys

Friday, 23 December 2016

Danger around the corner! Cyber-sec predictions from Zscaler CISO

As one of the hottest topics of 2016, businesses and consumers alike have been affected by the almost daily threats of data breaches and the impact these have on an continuous basis.

 

Will such threats enable identity fraud, send a business under or even give adversaries further power to conduct ever more dangerous attacks?

 

With this in mind, Michael Sutton, CISO at Zscaler, has crafted his top five predictions for the year ahead and what this will mean for the threat landscape.

He discusses:

  • Nation states ‘offensive offense’ – It’s likely 2017 will see the US and other nations step into a cyber mudslinging contest
  • AI will be used for good and evil – Another platform that holds mass quantities of data will be susceptible to savvy criminals in 2017
  • Ransomware gets physical – Encrypting data will be replaced with extortion via disabling physical systems
  • Data breaches 3.0 – The next wave as criminals seek to alter, not exfiltrate data with corporate espionage in mind
  • Cyber insurance disruption – Risk scoring algorithms will need to go far deeper with internal corporate security systems to calculate the likelihood of a breach

Offensive Offense – Increasingly, motivations for offensive nation state sponsored attacks have gone into a new realm and have been driven primarily as an effort to undermine the credibility of another government or in some cases influence public sentiment. The Director of National Intelligence went so far as to publicly accuse the Russian Government of the attack on the DNC and others have openly speculated that they too were behind the compromise of Hillary Clinton Campaign Chairman John Podesta’s inbox. In light of such aggressive and direct medaling in the political affairs of another nation, some in the intelligence community are suggesting that the US should return the favour. This is a troubling notion. If we enter an era where nations are actively conducting offensive cyber attacks with the primary goal of embarrassing their foe by leaking documents online, many innocent victims will be caught in the crossfire. It’s one thing to conduct cyber espionage covertly to get a leg up on the competition either from a military or economic perspective, but it is an entirely different situation when private documents are being handed over to Wikileaks. Given current political tensions, the precedent that has already been set and the aggressive tone of the incoming US administration, it’s likely that 2017 will see the US and other nations step into this cyber mudslinging contest.

Rise of the Machine (Learning) – Machine learning and artificial intelligence (AI) are the current buzz words du jour in the security industry. Machine learning will revolutionise security because humans simply can’t scale in the same way that but machines do and we’re willing to invest in perfecting the neural networks that drive them. While AI may not be ready to replace humans just yet, a number of startups in the User Entity and Behavior Analytics (UEBA) space such as Interset, Gurucul and Exabeam are proving that the science is mature enough to add value. At the same time, the magic of AI is becoming increasingly accessible to those that can’t afford to hire an army of machine learning experts thanks to projects such as Microsoft Azure Machine Learning StudioAmazon Machine Learning and Google’s TensorFlow. These projects deliver powerful machine learning platforms that are available to programmers. Yet, as with any good tool, AI will be used for good and evil. Just as IaaS platforms were quickly adopted by those spreading malware, so too will the AI platforms. Mass quantities of data are being stolen and savvy criminals are looking to monetise it. Stealing networking logs is of limited value, but being able to analyse those logs to identify user behaviours, such as employees more susceptible to social engineering attacks, or those with higher access privileges, is very valuable. Just stole 18 million records from OPM and need to sort through it, identify connections and figure out who may be susceptible to extortion? AI is for you.

Ransomware gets Physical – Most ransomware to date remains relatively unsophisticated, relying primarily on social engineering as the infection mechanism. Attackers don’t need to pull 0day tricks out of their bag to infect PCs, when signature based defenses are easily evaded and humans remain gullible. What is changing, is the targets that the attackers are going after. The vulnerable state of IoT devices is finally front and centre thanks to the Mirai botnet DDoS attacks and we can expect ransomware authors to train their sights on Internet enabled hardware devices. This phase of ransomware will be different. Encrypting data will be replaced with extortion via disabling physical systems. Corporations are all too willing to pay ransom demands when valuable intellectual property has been locked up and we can expect them to be even more eager when systems go offline. The silver lining to the current generation of ransomware attacks is that enterprises are finally taking data backup seriously and upping their security game with next gen endpoint protection – two defenses that will do little to protect vulnerable IoT devices. If an enterprise is willing to pay ransom to retrieve valuable data, how much will they be willing to shell out when an assembly line or manufacturing plant producing millions of pounds worth of goods per day is brought to a grinding halt?

Data Breaches 3.0 – First we had the era of the financial data breach with the likes of Target, Home Depot, Michael’s and Neiman Marcus all suffering massive thefts of debit/credit card data across 2013 and 2014. Healthcare then bore the brunt of the attacks announced in 2015 with Anthem, Premera and Carefirst all acknowledging that millions of records had been stolen. In 2017 we can expect a third data breach phase, with attackers seeking to alter, not exfiltrate data. Such attacks raise the stakes as the damage can be far greater and longer lasting. Stolen data is more likely to ultimately be identified, either because of indicators pointing to the exfiltration or because the stolen data is spotted in the wild. Altered data on the other hand, can fly under the radar indefinitely, especially if the alterations are subtle. Data is meant to be manipulated and attackers with internal access have the ability to do so, not through anomalous behavior, but by leveraging the very systems designed to alter the data in the first place. Why would attackers want to do this? Imagine attackers conducting corporate espionage altering data to influence business decisions designed to alter negotiations with a partner or competitor? How about changes to data used in financial analysis that would lead a trader to conduct a trading pattern that is now predictable? Most concerning are nation state sponsored attacks designed to alter political policy.

 

Disruption in cyber insurance – The insurance industry is one that’s ripe for disruption. With data breaches becoming the norm, cyber insurance has also become a must have item for large enterprises. Insurance companies are desperate to get in on the game, but they have a big challenge – how do they calculate the likelihood of a breach? Life insurance is easy – plenty of people have lived and died and we have solid data on it. Data breaches are entirely different. For one, the risk has only existed for a couple of decades at most, so there is limited data. Beyond that, any company can be hacked. Today, insurance companies are forced to limit the size and scope of policies to also limit the size of a potential payout as they simply don’t have confidence in their ability to fully understand risk.  A variety of startups have emerged to help fill the void. In order generate true value to insurance companies, risk scoring algorithms will need to go far deeper and integrate with internal corporate security systems to gain a complete picture of the threat landscape for a given entity. Such a system would benefit provider and consumer alike, allowing insurance companies to provide policies with broader scope and diligent corporations could drive lower premiums by continually demonstrating best of breed security controls.”

The post Danger around the corner! Cyber-sec predictions from Zscaler CISO appeared first on IT SECURITY GURU.



from Danger around the corner! Cyber-sec predictions from Zscaler CISO

Browser based malware: evolution and prevention

By Andrey Kovalev, Information Security Expert, Yandex

The web-enabled generation has become increasingly reliant on technology for everyday activities. Cloud services, social networks, web extensions, plug-ins and online games, are all growing in popularity and as such, are replacing desktop applications. This heightened use of mobile web-browsers has opened the back door to cybercriminals, who now have new channels to implement browser-based attacks, spread malware and maximise infection campaigns.

Traditional “Man in the Browser Attacks” (MITB) have been given a new lease of life as a result of the latest types of malware, distribution models and special features. Cybercriminals are becoming ever more sophisticated, injecting JavaScript code into web pages to steal user credentials or hijack data, such as those used for online banking.

The concern for the security of personal credentials and online profiles is growing, particularly when malicious browser extensions are becoming one of the most complex threats to detect and prevent.

The evolution of Man in the Browser attacks

When Internet Explorer was one of the most popular browsers, the dynamic libraries of Browser Helper Objects (BHOs) was the only way to add extra functionality to extensions. If cybercriminals wanted to set up a MITB attack, they had to either install malicious BHO or use web injection techniques. Fortunately, to prevent this vulnerability, BHOs now have to be digitally signed off by Microsoft.

Modern browsers now incorporate special JavaScript APIs for protection, however, with new methods of defence comes yet another stage in the evolution of browser-based malware with malicious intent. For example social engineering and ‘browlocking’ mechanisms are on the rise, forcing users to install malicious or imposter extensions or install updates for popular extensions that have been hijacked and infected with malware.

Malicious extensions in practice

Eko and Smartbrowse are recent examples of MITB attacks that made the headlines. Eko, discovered on Facebook Russia in early 2015, spread malware via Facebook direct messages and scam video postings. Victims were sent links to phishing websites replicating Facebook and YouTube and which prompted users to install video player extensions containing malicious code.

Once installed, the browser-based malware spreads and replicates the browser environment, a perfect combination for malicious web-injection. In 2016 we have seen the emergence of  advertisement injections and Facebook payload spam. Worryingly, the same technique is imminent for online banking attacks.

Smartbrowse is a wrapper-based malware which gains entry into vulnerable machines through user payment downloads and leaves a trail of unwanted or malicious extensions. Appearing on Google Chrome, Yandex Browser, Opera and Firefox among others, Smartbrowse switches the browser to auto-run mode and installs JavaScript-based extensions which spread malicious code even when the browser has been closed.

The difficulty with protecting against MITB attacks

Detecting and preventing MITB attacks, malicious extensions and aggressive ads are complex for the following reasons:

  • Location of malicious code, parts of malicious functionality are stored on remote servers and often an infected PC doesn’t contain any malicious code at all. The harmful payload can change dramatically depending on websites and URLs visited. It’s difficult to tell harmful scripts from legal ones.
  • From the user’s perspective, a malicious extension can look legal and be useful for users. It can work like a normal extension for some time, and only start to behave harmfully a month or two after installation.
  • Malicious extensions live only in the browser and don’t leave any traces in critical system areas, nor do they have any outstanding indicators of compromise. This makes them hard for anti-virus products to detect.
  • A malicious extension can be harmful to the user and the web resource, by replacing ads and search responses with malicious content. For traditional anti-virus vendors these ad injections are difficult to detect.

How to detect and prevent against an attack

Whilst MITB and web extension attacks are difficult to detect and therefore defend against, users and web providers (or web-developers) can work together in the fight against cybercrime as it continues to evolve. Detection and protection policies from both the server-side (web services) and client-side (browser and AV vendors) can provide a belt and braces style protection against MITB attacks.

Server-side techniques which incorporate content security policies (CSP) and reporting capabilities can be implemented in all modern browsers and operate in two modes: reporting-only mode and blocking mode. In reporting mode, violations are reported but without blocking the browser. In blocking mode, all violations are blocked by the browser and reported back to the URL.

Of course this technology could also be bypassed by malware which could hijack or delete CSP headers. However this can be mitigated by embedding validation JavaScript that can monitor a page’s integrity and send a report to the server. Obfuscation techniques can be used to protect the script and make it extremely hard to remove without breaking the page functionality. Reports from these techniques collect malicious script sources to enrich a database of safe browsing. Essentially, this shows whether the user is infected and in need of anti-virus software.

On the client-side, users can bolster online security by using browsers with additional security mechanisms and by installing anti-virus software. The most secure browsers come with an in-built black list of malicious extensions which can be blocked once the user launches the browser. These browsers also perform extension integrity checks against trusted extension stores such as Chrome or Opera, which helps to protect users from having their credentials exposed when an extension ID is leaked.

To further support the detection and prevention methods in such a transforming landscape, advanced technology such as artificial intelligence (AI) and machine learning within browsers should become the norm. These technologies can learn which websites are distributing malicious extensions and prevent users from entering in the first instance.

Conclusion

Browser-based malware needs to be a critical area of focus in the evolving threat landscape, particularly with modern browsers. Although browsers have their own protection mechanisms, a combination of anti-virus software, server and client-side prevention methods and AI technology will help to fight against content hijacking and malicious web extensions. Although there is no silver bullet, browser and anti-virus vendors need to focus on monitoring the evolution of browser-based malware and improve the security level of the rapidly changing extension ecosystem. Additional validation mechanisms need to be in place for browsers and integrity checks should be conducted on web resource content. This combined approach will help smooth the path to a safer browser environment and will better protect users against inevitable cyber-attacks now and in the future.

The post Browser based malware: evolution and prevention appeared first on IT SECURITY GURU.



from Browser based malware: evolution and prevention

CyberArk 2017 (and beyond) Cyber Security Predictions

  1. The Silent Attack on Information – Complete Loss of Trust

The integrity of information will be one of the biggest challenges global consumers, businesses and governments face in 2017, where information from previously venerated sources is no longer trusted. Cyber attacks won’t just focus on a specific company, they’ll be attacks on society designed to eliminate trust itself.

We’ve seen information used as a weapon and propaganda tool in the 2016 U.S. election cycle, but this will move to the next stage where information can no longer be trusted at all. Attackers aren’t just accessing information; they’re controlling the means to change information where it resides, and manipulating it to help accomplish their goals.

For example, consider how the emergence of tools that allow for greater manipulation of previously unquestioned content – like audio files – could lead to increased extortion attempts using information that may not be real, or grossly out of context. It will be easier than ever to piece together real information stolen in a breach with fabricated information to create an imbalance that will make it increasingly difficult for people to determine what’s real and what’s not.

  1. Cloudy with a Chance of Cyber Attacks

Cloud infrastructure and the proliferation of cloud-based services have proven to be game changers for business.  The benefits of the cloud have not gone unnoticed by the dark side either.

Much like how cyber attackers are channelling the power and insecurity of IoT devices to launch massive DDoS attacks on scales previously thought unachievable, attackers will increasingly use the cloud to ramp up production of attack tools.

With the addition of available computing power and agile development capabilities afforded by the cloud, we’ll see new attack tools that are exponentially stronger than previous iterations, we’ll see attacks that are stronger and more devastating, and ultimately, because attacks are raining from the cloud, attribution will become nearly impossible. This will also increase the agility of attackers – a strategic advantage that they currently hold over organisations.

  1. Self-Learning Cyber Attacks

The year 2016 was marked by tremendous progress in the field of artificial intelligence (AI) and subsets of the technology such as machine learning, machine intelligence, deep learning and more.

In the field of cyber security, hundreds of companies are working to incorporate AI and machine learning into their technologies to predict, prevent and defeat the next major cyber attack.

As we’ve seen with other technologies, as AI becomes commoditised, we can expect cyber attackers to take advantage of AI in a similar way as businesses. Much like 2016 saw the first massive IoT-driven botnet unleashed on the Internet, 2017 will be characterized by the first AI-driven cyber attack.

These attacks will be characterised by their ability to learn and get better as they evolve. Think about “spray and pay” ransomware attacks that get smarter, and more targeted about what information is held hostage, and what to charge for it. This will transform the “advanced attack” into the common place, and will drive a huge economic spike in the hacker underground. Attacks that were typically reserved for nation-states and criminal syndicates will now be available on a greater scale.

  1. Data Privacy and Pricing Structures

The efforts on consumer data-conditioning are almost complete – consumers know that private information is a commodity they can trade for better service. We’re beginning to see this in the insurance market, where drivers are giving up driving habits, location, destinations and PII to get better rates.

We expect that more companies will take this approach with online data as well and use cyber security fears and concerns over privacy to drive pricing structures.

Consumers will increasingly be faced with a data conundrum – provide more personal information for basic service, or upgrade and spend more money on premium services that require less personal information and provide greater levels of security.

In parallel, small and midsize organisations that have been ‘priced out’ of adequate security options, particularly against threats like ransomware, may also be able to make trades for better protection.  In the meantime, the emergence and greater adoption of automated security solutions will help close the gaps between available skills, budget and protection.

  1. The Agile Enemy – Hacker Collaboration

Unlike private business and government organisations, cyber criminals are not bound by IP, data privacy, budgets or other concerns. We expect to see hacktivists, nation-based attackers and cyber-criminals accelerate use of the tools used to learn from each other’s attacks – and identify defacto best practices to emulate them on broader scales.

Agile approaches to spur greater black hat collaboration will enable attackers to ‘improve upon’ existing malware and viruses like Stuxnet, Carbanak and most recently Shamoon, to unleash a new wave of threats.

These more dangerous attacks will put pressure – potentially regulatory or merger and acquisition related – on public and private organisations to step up collaboration and prioritise ways to incorporate intelligence gained from these attacks into new innovations meant to combat cyber threats and beat the attackers at their own game.

The post CyberArk 2017 (and beyond) Cyber Security Predictions appeared first on IT SECURITY GURU.



from CyberArk 2017 (and beyond) Cyber Security Predictions

Thursday, 22 December 2016

Uber removes self-driving cars from San Francisco roads

Uber Technologies Inc [UBER.UL] has removed its self-driving cars from San Francisco streets, halting the autonomous program one week after its launch as the company faced a regulatory crackdown. The California Department of Motor Vehicles said on Wednesday it revoked the registration of 16 Uber self-driving cars because they had not been properly permitted.

View full story

Original source: Reuters

The post Uber removes self-driving cars from San Francisco roads appeared first on IT SECURITY GURU.



from Uber removes self-driving cars from San Francisco roads

Don’t pay up to decrypt – cure found for CryptXXX ransomware, again

It’s third time unlucky for the scumbags behind CryptXXX ransomware, as their shoddy coding has been cracked yet again. CryptXXX is a particularly nasty form of the species – a ransomware app that not only encrypts over 40 file formats on a host PC and any external storage devices, but also steals any Bitcoins it can find on there and demands a hefty ransom for a cure.

View full story

Original source:The Register

The post Don’t pay up to decrypt – cure found for CryptXXX ransomware, again appeared first on IT SECURITY GURU.



from Don’t pay up to decrypt – cure found for CryptXXX ransomware, again

Tumblr down in US and Europe in outage which may be result of DDoS attack

Tumblr reportedly down in US and Europe and it may be the result of a DDoS attack. The outage reportedly began at around 8.30pm UK time. Users trying to access the blogging site are currently met with the message:“Service is temporarily unavailable”. Tumblr wrote on its official Twitter account: “Some users are experiencing latency affecting the dashboard. We’ll get it fixed ASAP.”

View full story

Original source: Mirror

The post Tumblr down in US and Europe in outage which may be result of DDoS attack appeared first on IT SECURITY GURU.



from Tumblr down in US and Europe in outage which may be result of DDoS attack

Netflix US Twitter account hacked

The Netflix US Twitter account – with 2.5m followers – has been compromised by a hacker group. The group, OurMine, posted tweets promoting its own website and services. However, the tweets were removed about an hour after the first one appeared. OurMine has hacked several high-profile Twitter accounts this year, including those of Wikipedia co-founder Jimmy Wales, Facebook co-founder Mark Zuckerberg and Google chief executive Sundar Pichai.

View full story

Original source: BBC

The post Netflix US Twitter account hacked appeared first on IT SECURITY GURU.



from Netflix US Twitter account hacked

Groupon hacked: Industry reaction

Groupon users have reported that fraudsters gained illegal access to their accounts and placed unauthorised purchases in their names. The hackers allegedly used login details from other data breaches to hack into individual customers’ Groupon accounts.

Here is what the industry makes of the data breach:

Rob Sobers, director at Varonis:

“Today’s news is the result of billions of compromised user accounts from other breaches now being used to gain legitimate access to Groupon user accounts in order to make high-ticket purchases just in time for the holidays. If hackers can co-opt a consumer’s credentials for Groupon, then data security professionals need to be asking themselves if those same passwords can be used to access their organisation’s data.

“Barely a day goes by without us entering at least one password or pin to prove we are who we are before accessing information or resources. Yet, passwords are also one of the things we consistently get wrong because we make them short, common and the same across our various applications. If consumers are simplifying their password authentication practices across their personal applications, then it stands to reason that they may be doing this with their employee access credentials.  A perimeter defence doesn’t matter anymore if someone has the keys to the front door who intends to do the individual user account or the organisation harm.

“Consumers need to take pro-active steps to ensure their own data privacy by first practicing good password hygiene. Troy Hunt, renowned security expert and author of the free data breach service, “Have I been pwned?,” gives the everyday online consumer helpful tips for creating strong and effective passwords in this free online training sponsored by Varonis Systems, Inc.: “Internet Security Basics, 5 Lessons for Protecting Yourself Online.” He suggests that strong passwords need to be at least 8 characters in length of random lower and upper case letters, numbers and non-numeric punctuation. Your dog’s name plus the year is not a random password. Instead a passphrase should be used to create length and randomness. For example, “What’s Roger got for dinner?” can be manipulated with letter substitution and shortened into an acronym. Finally and most importantly to the Groupon example is that a strong password is unique and only used for one application.”

Paul Fletcher, cyber security evangelist at Alert Logic:

“This is the type of secondary impact that can result from security breaches that include personal identifiable information (PII) and specifically, username, passwords and security question information.  It’s extremely important to have good “password” hygiene to lessen the impact of breaches on one system from effective another system.  Part of good “password hygiene” is to NOT use the same password on multiple websites, rotate (change) passwords on a recurring basis and use different security questions on different systems and, when possible, use two factor authentication.”

Richard Meeus, VP technology EMEA at NSFOCUS:

“With the massive data breaches announced last week by Yahoo! – remember it was 1 billion accounts – it has never been more important to use different passwords on every site and use 2FA (2 factor authentication) where possible.

Using the same username and password on every site should not be happening anymore. We need to change user apathy towards passwords and maybe also get website owners to be more proactive in supporting their customers by checking their user databases against the lists of breached accounts”

Lee Munson, security researcher at Comparitech.com:

“The issues experienced by Groupon customers show how a data breach can have far-reaching consequences that affect more than just the company that was initially attacked.

“The fact that Groupon account holders have seen accounts compromised, and money lost, also says much about the practice of reusing email addresses and, especially, passwords across many different websites.

“Users need to be aware of the risks of recycling login credentials – which means one breach can undermine ALL their accounts – as well as be informed specifically about this incident so they can at least change their Groupon password right away.

“As for Groupon itself, even though it hasn’t been breached, it appears it could still learn a lesson or two about incident response so that its customers can retain the belief that the company has their best interests and security at heart.”

Jonathan Sander, VP of Product Strategy at Lieberman Software:

“What we’re seeing with the Groupon security complaints is the triumph of social media noise over common sense. Groupon was not breached – as far as we know. If Groupon users decided to do what every security expert on earth, and likely every other service the user interacts with has told them again and again NOT to do – use the same password for many websites and services – then how can the user expect anything but these terrible results? Does this mean Groupon has awesome security? No. The point is this isn’t about Groupon’s security in any way. This problem comes from users’ not making good choices even when they know the potential consequences. The reason so many security professionals feel like their advice is like “eat right and exercise” is because, just like health advice, people only seem to follow security advice after something terrible shows them bad things can happen to them, too.”

Mark James, IT Security Specialist at ESET:

“Sadly this is often a result of reusing passwords on other sites, when large data breaches happen the hackers or receivers of stolen details will try those details on sites that store or hold your card details. If successful, they may be able to purchase goods using authentication methods already stolen or even in some cases no authentication at all, if the only authentication is the CVC code of your card then it’s only a 1 in 1000 chance to get it right. With so much of our data being stolen these days it’s imperative you keep an eye on your emails and financial statements for any suspect transactions. Be vigilant and try where possible to contact both your bank and the retailer as soon as possible with any discrepancies, keep all correspondence and review your passwords for any sites that can potentially store your credit card information. A password manager can help you use unique complex passwords and 2 factor authentication, if available, will stop others from using your login details.”

 

The post Groupon hacked: Industry reaction appeared first on IT SECURITY GURU.



from Groupon hacked: Industry reaction

Wednesday, 21 December 2016

Marshalling DDoS defences for the Terabit era

For anyone involved with DDoS defence, 2016 will be remembered as the year of Mirai. Until the botnet’s spectacular attack on Internet company Dyn on 30 September, things had been going relatively well. DDoS attacks were up, of course, but probably no more than expected. The feared reflection attacks that exploit any one of a family of common Internet protocols to multiply DDoS size had largely subsided, or were being dealt with.

Mirai’s size was alarming – the first disclosed Terabit-level DDoS attack in history – but the real story was that nobody saw a botnet built from ignored Internet of Things devices (webcams, old routers, PVRs) as a plausible threat until after the event. It was as if Mirai were a volcano that had erupted suddenly from a quiet city park.

One theme of Mirai remains how such vast, volumetric attacks can be defended against in an economically-sustainable way and by whom. Customers need protection but at an affordable cost and in a reasonable timeframe. Mitigation, in turn, can’t come at the expense of tying up expensive human and technical resources for days at a time.

Defences exist for even the largest DDoS attacks but below the surface not all of them work in the same way. One company pioneering a distinct approach is Corero Network Security, a London-quoted US company which can trace its DNA in this business back to an outfit called Top Layer Security, which it bought out in 2011.

Despite having a lot of in-house technology and expertise it set about building a new system from scratch. What came out of the other end is now called the SmartWall Threat Defence System, which can be used in the cloud or on premise.

“We embarked three and a half years ago to build carrier-scale DDoS mitigation solutions,” opens CTO Dave Larson, who joined the company in 2014 after a succession of jobs at intrusion prevention pioneer TippingPoint, followed by 3Com (which bought TippingPoint) and finally HP (which bought 3Com).

SmartWall wasn’t just another anti-DDoS mitigation platform but one designed to overcome the limitations of traditional anti-DDoS architectures.

Large, saturating, Mirai-like attacks that aren’t common but are a major challenge when they happen.  Sinkholing the traffic is one option but causes immediate downtime. A less drastic option is scrubbing, but this comes with its own drawbacks.

“The majority of competing solutions are employed out-of-band in scrubbing centres. The problem with that is you are required to detect the attack and move the flows into your scrubbing centres. That is tremendously complex and very time intensive,” says Larson.

“The minimum outage caused by a major DDoS event is in the order of 30 minutes – that’s not something viable in the modern Internet.”

Paradoxically, smaller, everyday DDoS attacks are almost as difficult to mitigate. If they’re short enough they’re not easy to detect so might never be mitigated at all. When they are spotted, scrubbing often requires manual intervention, upping the cost, precisely the sort of overhead the attackers want to induce.

“The differentiation of our solution is it can be employed in an always-on, inline manner without damaging good traffic in peacetime, automatically in sub-second timeframes mitigating attacks as they occur.”

Putting DDoS mitigation ‘inline’ sounds simple enough but it a radical departure from the traditional custom which demands that as little as possible should ever stand between a datacentre server and its traffic.  This allows service providers to automatically mitigate DDoS traffic of all kinds at the edge of the network, in front of their firewalls. As long as it’s done at scale, the latency is minimal and a range of DDoS events suddenly become cheaper and simpler to deal with. The appeal for carriers is obvious because, almost for the first, time they can sell DDoS protection as an affordable service.

“We are making a terabit of DDoS capacity available for $1 million dollars. That’s almost an order of magnitude more that you’d be able to purchase from a competitor.”

But the DDoS mitigation market has not been easy to change, Larson admits.

“There was incredulity in the existing market. That’s one of the difficulties when you are a category creator. You have to change hearts and minds.”

LDAP zero day

Corero’s claims about the capabilities of SmartWall got a boost in October with the company’s detection of a previously unknown amplification attack based on abusing Connectionless Lightweight Directory Access Protocol (LDAP), against one of its customers. This was so novel, nobody had even imagined that LDAP could be abused on the open Internet (LDAP should normally only be used inside networks).

“That attack was a novel zero day that occurred for the first time on the Internet at 70Gbps – it was perfectly mitigated by our system. We didn’t know what it was, we just knew it was a reflection attack.”

The vulnerability was unknown, then, but the company’s inline technology was still able to protect the customer. Normally in this case, the customer would call the datacentre after going down. An anomaly would be detected, thereby moving traffic into a scrubbing centre. That entire sequence of events was shorted.

“Both our customer (the datacentre) and their customer (the tenant) were initially completely unaware that an attack even took place,” says Larson.

According to Larson, coping with DDoS attacks requires more attention at the service provider level, particularly in terms of the way they provision capacity. At the very least, more regional scrubbing capacity is needed to cope. Better still, DDoS mitigation should be put at the edge of these networks, not in large centres further down.

In the end, Larson and Corero’s insight is that DDoS mitigation it is simply too costly and slow. It is not automated enough and that on its own has played into the hands of attackers. This sounds like an acid criticism of a market badly in need of a shakeup.

Despite recent events, he remains remarkably upbeat about the future, believing that DDoS attacks can be put back in their box with better mitigation design at carrier level. If this sector becomes engaged in solving the issue, the neighbourhood can be cleaned up, he says.

“Good discipline, good hygiene, good cooperation and maybe a little bit of regulatory stick from government agencies. It’s not going away so the community has to deal with the new reality.”

The post Marshalling DDoS defences for the Terabit era appeared first on IT SECURITY GURU.



from Marshalling DDoS defences for the Terabit era

Global research reveals 40 per cent of businesses implement security testing at the programming stage

Veracode, a leader in securing the world’s software, today announced compelling insight from a survey of global developers and development managers on the current state of software security. The report underscores the importance of developer-led security in the age of DevOps, and showed that businesses are recognising the importance of securing applications. Despite showing moves toward earlier and more frequent security testing throughout the development process, the survey results also indicated there are still hurdles development and security teams must overcome when it comes to securing applications.

Increased recognition, earlier testing

According to the survey, 40 per cent of developers are incorporating securing testing during the programming stage, and 21 per cent identify the design stage as the point at which security testing is completed. Testing early in the development process finds security defects in code at the point where it is the least costly to fix the defects.

The survey also shows that developers are recognising the importance of securing applications. 39 per cent of developers responded that their number one concern is protecting applications from cyberattacks and data breaches. Traditionally, developers were not focused on securing applications, and this shift in mindset helps explain the new emphasis on early testing reported in the survey.

Improving for the future

Despite the fact developers recognise the importance of securing software and the need for early security testing, areas for improvement remain. Developers are still dealing with security programmes that impede their development efforts. The report, which included respondents from the US, UK and Germany, also showed that that 52 per cent of developers feel application security testing often delays development and threatens deadlines. And, fewer than 25 per cent of developers feel they have authority over decisions regarding application security.

This lack of authority and impact of development timelines has the potential to decelerate the strides made in improving application security and making security part of the development process.

“In an age where continuous deployment and frequent innovation is critical to the success of business, it is unacceptable for security testing to hinder development efforts,” said Tim Jarrett, director of Security at Veracode. “As DevOps environments become a standard method of developing software, the industry has an opportunity to continuously improve the way it integrates security into the development process.”

For more information on the data, please visit: https://info.veracode.com/report-veracode-developer-survey.html

Additional data points:

  • Sensitive data exposure is top concern: 52 per cent of developers and managers cited sensitive data exposure as their top concern. This includes credentials and PII such as health data. Broken authentication and session management was the second concern at 37 per cent.
  • Regional differences: In Germany and the UK, 40 per cent of developers, and 38 per cent of development managers said stopping cyberattacks and breaches was their top concern, while in the US, the opposite was true: more development managers (42 per cent) than developers (34 per cent) listed this as their top concern.
  • Budget and delivery schedules: In Germany and the UK, 26 per cent of managers said meeting budget and delivery schedules was their top concern, versus just 18 per cent of development managers in the US.
  • Healthcare prioritises compliance: Developers and managers in the healthcare industry cited meeting customer and regulatory compliance as their top concern.
  • Despite risk, open-source is of little concern: Veracode’s recent SOSS Report showed that 97 per cent of Java applications had at least one component with a known vulnerability, yet the survey results showed that only 28 per cent said that using components with known vulnerabilities was a major concern.
  • Financial services and manufacturing late to the game: 11 per cent of financial services and 16 per cent of manufacturing companies said they incorporated security later in the development cycle.

The post Global research reveals 40 per cent of businesses implement security testing at the programming stage appeared first on IT SECURITY GURU.



from Global research reveals 40 per cent of businesses implement security testing at the programming stage

Welcome aboard Flight 666, this is your hacker speaking

Yesterday, security research company IOActive released research detailing several cybersecurity vulnerabilities found in Panasonic Avionics In-Flight Entertainment (IFE) systems used by a number of major airlines including United, Virgin, American Airlines, Emirates, AirFrance, Singapore, and Qatar, among others. The vulnerabilities in these systems could allow hackers to ‘hijack’ passengers’ in-flight displays and, in some instances, potentially access their credit card information. These vulnerabilities could also potentially act as an entry point to the wider network, depending on system configurations on an airplane.

The full research, “In-Flight Hacking System,” is authored by IOActive principal security consultant, Ruben Santamarta, and is now available at http://blog.ioactive.com/2016/12/in-flight-hacking-system.html.

“On a flight from Warsaw to Dubai, I discovered I could access debug codes directly from a Panasonic in-flight display,” said Santamarta. “A subsequent internet search allowed me to discover hundreds of publically available firmware updates for multiple major airlines, which was quite alarming. Upon analyzing backend source code for these airlines and reverse engineering the main binary, I found several interesting functionalities and exploits.”

According to Santamarta, once IFE system vulnerabilities have been exploited, a hacker could gain control of what passengers see and hear from their in-flight screen. For example, an attacker might spoof flight information values, such as altitude or speed, or show a bogus route on the interactive map. An attacker might also compromise the ‘CrewApp’ unit, which controls PA systems, lighting, or even the recliners on first class seating. Furthermore, the capture of personal information, including credit card details, is also technically possible due to backends that sometimes provide access to specific airlines’ frequent-flyer/VIP membership data.

Added Santamarta, “If all of these attacks are chained, a malicious actor could at least create a confusing and disconcerting situation for passengers.”

Aircraft’s data networks are divided into four domains, depending on the kind of data they process: passenger entertainment, passenger owned devices, airline information services, and finally aircraft control. Avionics is usually located in the aircraft control domain, which should be physically isolated from the passenger domains; however, this doesn’t always happen. This means that as long as there is a physical path that connects both domains, there is potential for an attack. As for the ability to cross the “red line” between the ‘passenger entertainment and owned devices domain’ and the ‘aircraft control domain,’ this relies heavily on the specific devices, software, and configuration deployed on the target aircraft.

“I don’t believe these systems can resist solid attacks from skilled malicious actors,” continued Santamarta. “As such, airlines must be incredibly vigilant when it comes to their IFE systems, ensuring that these and other systems are properly segregated and each aircraft’s security posture is carefully analyzed case by case.”

“Ruben’s discovery of these vulnerabilities in Panasonic Avionics in-flight entertainment systems echoes IOActive’s remote hack of an automobile, where our researchers took control of the vehicle’s dashboard functions, including steering, brakes, and transmission, through vulnerabilities existing in the on-board entertainment system,” said Cesar Cerrudo, CTO of IOActive Labs. “Our research once again points to the fact that all IP-based systems today must be continuously tested for vulnerabilities so that they can be addressed immediately. This is of utmost importance, especially when it comes to critical infrastructure and transportation systems where vulnerabilities in on-board components can create potential entry points to more important functional systems and therefore the risks are much higher. This new research together with Ruben’s previously published work on Satellite Communications (SATCOM) terminals clearly demonstrates that aircraft systems are vulnerable to being hacked.”

Due to heightened sensitivities regarding the security of commercial passenger airlines, IOActive has given Panasonic adequate time to resolve these issues before making them public, first alerting Panasonic of the vulnerabilities in March 2015.

The Guru reached out to the industry to get their reactions.

Stephen Gates, chief research intelligence analyst at NSFOCUS:

“In the light of this research, physical separation between in-flight entertainment systems and aircraft control systems could never be more important. As airlines continue to add new customer-based entertainment and information technologies, airlines need to ensure that an impenetrable barrier is in place protecting aircraft control systems. This research demonstrates that hackers could cause all sorts of issues that could impact a customer’s “experience” while flying, but have yet to prove they could impact flight control systems.  Let’s all hope that remains the case, long-term.

“It’s not too far of a stretch to suggest that flight entertainment systems could even be hacked from the ground, via the Internet access on the plane.  If remote access was gained while the plane was on the ground, or by way of a hacker planting a backdoor via an infected device while in flight, hackers could cause all kinds of disruption that would not directly impact them – since they’re not even on the plane.  Now that’s a scary thought…”

Mike Ahmadi, global director – critical systems security at Synopsys:

“Any system that gets the attention of the hacking/research community will eventually be found vulnerable.  There are literally an infinite number of ways to compromise any system.  Organisations need to constantly monitor and test their systems in order to keep up with security issues.  Moreover, organisations should assume compromise will happen and plan accordingly.”

Alex Cruz-Farmer, VP at NSFOCUS:

“Previous hacks and vulnerabilities have always been on the ground, but we’re now in the realms of something extremely scary – hacks in mid-air with no escape. The active threats will be growing, and with thousands of planes in the air, the remediation of this is going to be extremely complicated and time consuming. This will be a huge flag to all manufacturers to review their underlying platforms, and whether their integrated infrastructure has the necessary security around it to protect us, the passengers. If anything did happen it could at worst be life threatening leading this to be considered as major negligence across the multiple parties involved.”

Tim Erlin, Sr. Director, Product Management at Tripwire:

“Using the in-flight entertainment system to attack an aircraft isn’t a new concept. As soon as the USB and RJ45 ports started showing up in aircraft, security researchers became very interested. The security research community and aviation industry are clearly at odds over the feasibility and likelihood of using the in-flight entertainment system to actually affect aircraft controls. It would be a solid step forward to see cooperation instead of conflict. The majority of security researchers are interested in improving the systems they test, and partnership with industry vendors is the best way to accomplish that goal.

“Now that there’s credit card data on the plane, the in-flight systems are a more attractive target for profit driven criminals. The increased interest in these systems from criminals after credit card data might result in more vulnerabilities being discovered.”

 

Myles Bray, Vice President, EMEA at ForeScout Technologies Inc:

“The concept of hackers being able to take control of a plane through the in-flight entertainment system is not new. Last year a prominent hacker claimed he made a plane “climb” and move “sideways” after infiltrating its in-flight entertainment system. While the current claims to take control of lighting systems and make in-flight announcements sounds unsettling rather than fatal they set a worrying precedent. As the number of connected systems grow the risk of hackers gaining full access to the network through them rises exponentially. Without adequate security systems in place to automate the process of identifying and quarantining an infected system users and businesses will continue to be at risk. Our own research has found that common IoT devices can be hacked in as little as three minutes and its impact can be devastating, and in a very connected world the number of entry points to a systems is growing quickly. But it is preventable. All vital systems need total visibility of the devices and the users accessing them. Without visibility and a degree of automation to control the access levels granted there can be no timely defence against serious threats like destabilising an aircraft.”

Art Swift, president at  prpl Foundation: 

“Travellers this holiday season will be horrified to hear that in-flight entertainment systems could be used to help hackers gain access to their favourite airline’s flight control system, but the truth is it’s something which prpl has been talking about publicly since the flaw was first disclosed – and it’s not just airplanes that are at risk. Technology plays an important role in getting us from here to there, but without separation of critical aspects within the systems that keep things like critical controls such as steering, braking or heating and cooling that could potentially cause damage apart from less critical aspects like entertainment – hackers can worm their way around systems and potentially cause real devastation. For this reason, the prpl Foundation has come up with its free “Security Guidance for Critical Areas of Embedded Computing” for developers, manufacturers and engineers that outlines exactly how this security separation is possible.”

 

The post Welcome aboard Flight 666, this is your hacker speaking appeared first on IT SECURITY GURU.



from Welcome aboard Flight 666, this is your hacker speaking

Modern account security is finally on its way

A string of high profile security breaches in recent months, most notably at TalkTalk and Three mobile, reflect the ever-present and ever-growing threat to the security of billions of online accounts. Breaches compromising the sensitive details of hundreds of millions of users have become a near common place event today.

In an attempt to address this threat, many companies advise users to select complex, unique passwords for each account they own and recommend changing these passwords on a regular basis. However, vast numbers of consumers tend to reuse old passwords or choose weak ones, in spite of the risk this poses. “123456” and “password” have topped SplashData’s annual “Worst Password” report as the most commonly used passwords– five years in a row.

For a while now security commentators and experts have been aware that usernames and passwords alone aren’t enough to protect users. The industry is starting to understand just how important added security is, in particular how important two-factor authentication (2FA) can be.

With the help of cloud communication platforms, companies can easily incorporate 2FA into the user experience. 2FA improves account security by requiring customers to provide a code that is transmitted to their own device. In the majority of cases a mobile device is a far more secure form of authentication compared to using say, your place of birth.

Unfortunately, despite the better security offered by 2FA you need only pay a visit to TwoFactorAuth.org to see how many businesses have yet to introduce a second tier of authentication.

SMS vs push notification

As a recent Microsoft study attests, adding new steps in the log-in process can be a risky business. Security fatigue can occur, frustrating the user to the extent that they may even decide to stop using their account. To this end, businesses have traditionally shied away from clunkier – though stronger – security. The research conducted by Microsoft found no substitute security method more easy to use, or implement, than passwords. They wrote, ‘Marginal gains are often not sufficient … to overcome significant transition costs’, concluding that the ‘funeral procession for passwords’ is likely still years away.

To showcase this issue, let’s look at the most popular method through which two-factor authentication is achieved: SMS. Users are prompted to send an SMS verification code to their phone number, and then are asked to enter the code into the website. Whilst this provides a stronger form of security than a username and password, businesses remain focused on converting as many website visitors as possible, and hence this can seem counterproductive.

Whilst there is no reason to avoid SMS verification in low-risk communications (for example: a text to let you know that your taxi has arrived), this type of communication, which is by default unencrypted, remains less well suited to high-risk communications. Luckily, the security industry is always trying to devise strong security measures that consumers will actually want, and be willing, to use. In the past year and a half, a new form of 2FA has appeared, which is based on a technology that we familiar and comfortable: push notifications.

Unlike SMS, push notifications can start a chain of end-to-end encrypted communications between the app and a secured authentication service, thus providing “Push authentication” which is then transmitted to your device over the internet. Simply replying to the push triggers secure software that then presents an intended message to the device owner. But instead of just being able transmit a numerical code in the form of random numbers, push notifications can include context in an authentication request. For example:

“An attempt to sign in to your account has been detected in Lapland. Is this you?”

Reactive fraud alerts only notify the victim to the illicit action, but a push notification gives the user the power to respond immediately and even prevent the attack from taking place. Most businesses should be considering utilising push notification in cloud based authentication scenarios because of the added levels of security and versatility that goes with this. Push is familiar and easy, and the technology is mature and reliable.

The end of the password era?

In recent months, new forms of push authentication have been introduced into the services of a number of popular and high profile consumer websites. Yahoo, Google, Microsoft, and even online gaming giant, Blizzard, are implementing “password-less” experiences, powered by push.

Although this development is fantastic news for the user, it doesn’t present an obvious adoption strategy for businesses that are looking to introduce similar security measures, because each of these solutions aim to serve a particular community alone.

Fortunately, we live in an age of readily available, flexible building blocks for software development that can scale and keep up with growing customer demands and changing business requirements. APIs continue to innovate, altering previously static industries like communications and payments.

What’s more, companies like live-streaming service Twitch and virtualisation leader VMware understand the importance of securing user accounts –  that’s why they looked to cloud-driven, reliable two-factor authentication layers to further protect their communities.

In your migration to agile, cloud-based development, don’t leave the safety of your customers behind. Instead put serious consideration in strengthening your security capabilities by implementing two form authentication functionality.

Marc Boroditsky – VP & General Manager of Authentication at Twilio.

Marc is a seasoned entrepreneur with 30+ years computing experience including 25+ years with startups. He has founded and financed four startup software companies in electronic medical records, authentication and identity management and successfully completed the sale of the most recent one, Authy, to Twilio and before that, Passlogix, to Oracle. He’s currently the VP & General Manager of Authentication at Twilio.

The post Modern account security is finally on its way appeared first on IT SECURITY GURU.



from Modern account security is finally on its way

Protecting identity should be your resolution next year

Cyber security has been a huge topic of discussion throughout 2016. With plenty of high-level (and often very public) threats, attacks and hacks, it is showing no sign of a slow down over the next 12 months.

With companies looking to protect their valuable data and identity, SailPoint takes a look at the year ahead and predicts what we can expect to see and hear more of terms of identity in 2017:

  • The domino effect – Poor password hygiene will continue to help hackers leverage identities from one organisation to the next
  • Identity analytics – Organisations must have insight into human behaviours in 2017 to help detect anomalies
  • Cyber-attack fatigue – Domestic attacks on the government and critical infrastructure will increase with devastating effects
  • GDPR wake-up call – Businesses must begin to align their processes in the coming year in order not to get caught out
  • The cybersecurity brain drain – The security market must overcome its significant talent shortage in two ways

The domino effect

Kevin Cunningham, president and founder, SailPoint

“2016 has been the year of poor password hygiene, with people continuing to use the same password across a myriad of personal and professional applications. The result of this is that seemingly unrelated corporate accounts are put at risk. It’s a domino effect – hackers are going on to leverage identities from one organisation to the next, charting their way across the corporate landscape unchecked. This is a new phenomenon, but one we’re likely to see more of in 2017. It’s also an indication of how patient these guys are. They take their time and work the chain to get to the info they’re ultimately after. They’re willing to work for it; with the average time for organisations to detect a threat embedded in the network more than 200 days in the round, it gives them a wide window to do serious damage.” 

Identity analytics

Kevin Cunningham, president and founder, SailPoint

“Identity analytics will become increasingly more important in 2017, giving organisations an understanding and insight into human behaviours related to identity access and anomaly detection. Understanding and predicting human behaviour is the next frontier of identity access management (IAM). This will manifest itself in enabling the organisation to query who has requested what and how that is different from other users. Additionally, how a certain application is being used compared to how other users are engaging with it. From a governance standpoint, if someone is not using an application, does that mean that entitlement goes away or do they simply not know that this application could help them do their jobs better? These are the kind of insights organisations will benefit from in the year to come with increased visibility into user behaviour.”

Cyber-attack fatigue (government, critical infrastructure, DNS and the cloud)

Darran Rolls, CTO, SailPoint

“Cyber-attacks are going to continue and increase in scale, but we’re seeing a greater acceptance of the fact that an attack will happen, leading to an increased level of fatigue. As a result, in 2017 we’re going to see an increase in domestic attacks on the government, as well as on critical infrastructure – that includes the grid and nuclear power plants. I like to call this the ‘internet of insecure things’, because as we’ve seen, these industries use devices that are completely vulnerable, ripe for attack. 

“We’ll see additional attacks on domain name systems (DNS), like the recent hit on Dyn which caused a massive outage on the US west coast, taking down several major websites that are used on a daily basis. The next attack will be even more significant than what we’ve already seen, down to our reliance on centralised systems and the sheer vulnerability of DNS. 

“There’s also a good chance we’ll see a major cloud provider admitting to a background worm that’s been there forever. We think of the underlying infrastructure providers as safe havens, but they’re not. There are likely major flaws in systems we’ve all assumed are secure, similar to the Heartbleed vulnerability. While for some, the frequency of data breaches can create a state of fatigue and acceptance, organisations must resist the temptation to sit on their hands. Identity must be at the core of cybersecurity. That means taking responsibility for knowing what data is being accessed, by who and at any given time.” 

GDPR wake-up call

Darran Rolls, CTO, SailPoint

“When people begin to truly understand the implications of what GDPR means for businesses today, it’s going to result in a lot more disclosure in general. While no-one will be penalised until 2018, businesses must begin to align their processes in the coming year in order not to get caught out. For example, if you lose your laptop, which contains a list of customers on its hard drive, and it’s not encrypted, your company will have to declare that publicly to avoid a hefty fine. The GDPR ‘wake-up call’ will likely see companies scrambling to get organised in 2017.” 

The cybersecurity brain drain

Mark McClain, CEO and founder, SailPoint

“The security market is experiencing a significant talent shortage – exacerbated by the continuing evolution of the industry. There aren’t enough experts out there and those that exist are sometimes in danger of becoming obsolete if they’re not constantly reinventing themselves, or staying abreast of the tools and threats of the day. 

“In 2017 the industry will respond to this in two ways: firstly, there will be lots of education and training to retrofit general IT staff into many of these roles, due to the increasing importance of security within the general IT landscape. Secondly, vendors will continue to look for ways to leverage the new wave of automation and artificial intelligence. As the complexity and volume of security-related issues increases, companies will expect vendors to help them ‘separate the signal from the noise’, so they can focus their efforts on the areas of greatest risk and impact.”

The post Protecting identity should be your resolution next year appeared first on IT SECURITY GURU.



from Protecting identity should be your resolution next year