
Archive for November 2015

Key Positive Enterprise Trends Emerge in Cybersecurity


Although cybersecurity incidents are daily news, with reports of escalating impacts and costs that are sometimes measured in the billions, at least one survey has identified new reasons for optimism.

According to the Global State of Information Security Survey 2016 from PricewaterhouseCoopers (PwC), the vast majority of organizations—91%—have adopted a security framework or, more often, an amalgam of frameworks.

The most frequently followed guidelines are ISO 27001, the US National Institute of Standards and Technology (NIST) Cybersecurity Framework and the SANS Critical Controls. Respondents say adopting these types of guidelines enables them to identify and prioritize threats, quickly detect and mitigate risks, and understand security gaps.

A risk-based framework allows companies to better communicate and collaborate on cybersecurity efforts, internally and externally. These frameworks also can help businesses design, monitor and measure goals toward an improved cybersecurity program. And many say that risk-based standards have helped ensure that sensitive data is more secure.

In another extremely positive trend, PwC noted that although technology advances can dim the focus on the cybersecurity competencies and training of people, top security executives and Boards of Directors are playing increasingly prominent roles.

This year, 54% of respondents reported they have a CISO in charge of their security program, and 49% have a CSO. Today’s CISO is a business manager who should have expertise not only in security but also risk management, corporate governance and overall business objectives.

Also, 46% of survey respondents said their Board participates in information security budgets, which may have contributed to this year’s significant boost in security spending. Other notable outcomes include identification of key risks, helping foster an organizational culture of security and better alignment of information security with overall risk management and business goals.

Also, the report noted that 59% of respondents leverage Big Data analytics to model and monitor for cybersecurity threats, respond to incidents, and audit and review data to understand how it is used, by whom and when.

This is important, considering that a data-driven approach can shift cybersecurity away from perimeter-based defenses and enable organizations to put real-time information to use in ways that can help predict cybersecurity incidents. Data-driven cybersecurity allows companies to better understand anomalous network activity and more quickly identify and respond to cybersecurity incidents.

Some businesses are combining Big Data with existing security information and event management (SIEM) technologies to generate a more extensive view of network activity. Others are exploring the use of data analytics for identity and access management to monitor employee usage patterns, flag outliers and identify improper access.

And finally, speaking of data sets, another positive trend is partnering up to sharpen security intelligence. Over the past three years, the number of organizations that embrace external collaboration has steadily increased, the report found. This year, 65% of respondents said they collaborate to improve cybersecurity and reduce cyber-risks, up from 50% in 2013.

And those that do work with others cite clear benefits. Most organizations say external collaboration allows them to share and receive more actionable information from industry peers, as well as Information Sharing and Analysis Centers (ISACs), government agencies and law enforcement. Many also say information sharing has improved their threat awareness.

Source: Information Security Magazine

InstaAgent Pulled After Stealing User Names and Passwords


A popular mobile app has been pulled from Google Play and the App Store after a researcher warned that it lifted users' names and passwords without their knowledge.

Users of InstaAgent have been urged to change their Instagram passwords immediately after the news came to light.

The app, which was popular in the UK and downloaded by hundreds of thousands of users, promised to show users who was viewing their profile.

But German developer David Layer-Reiss took to Twitter on Tuesday to warn users that the app was stealing their log-in credentials in order to do so. It was also found to be posting ads into users’ accounts.

The developer allegedly behind the controversial app, Turker Bayram, has issued an apology in broken English.

“Please be relax. Nobody account is not stolen,” he said. “Your password never saved unauthorized servers. There is nothing wrong. But again and again we apologize from our precious users.”

Not content, Layer-Reiss has raised question marks over the man behind the app and his company, “Zunamedia.”

“Another strange fact is that it is nearly impossible (for me) to identify the developer of InstaAgent (his AppStore dev name was Turker Bayram). And why didn't the #InstaAgent developer sign his statement?” he wrote in a blog post.

“And if you are making a WHOIS to the zunamedia.com server you cannot get any information because of domain proxy. Why is he hiding his identity? Who is Zunamedia?”

Rapid7 security research manager, Tod Beardsley, claimed it was unusual that both Google and Apple approved such a dubious looking app.

"While the direct motive for the malicious app developer was to spread spam links via hijacked Instagram accounts, he now has a library of about a half a million username and password combinations,” he explained.

“Since people routinely reuse passwords for various social media sites, we recommend that anyone who mistakenly installed the InstaAgent app immediately change not only their Instagram password, but also the password for any other site where they use the same password, as well as any password that is similar enough that it could be easily guessed.”

Source: Information Security Magazine

Former Council Worker Aces SANS Cyber Academy Exams


A civil servant who worked for Newcastle City Council for 15 years has come top of the class at the new SANS Cyber Academy with one of the highest ever scores in the GIAC information security exams.

Ross Bradley, who spent the past decade and a half processing parking fines for the local authority, has a bright future ahead of him in the cybersecurity industry after acing the internationally recognized qualifications.

The results are a coup for SANS but also highlight the possibility of finally reducing chronic skills shortages in the industry.

The training institute launched what it claimed to be the world’s first ‘cyber boot camp’ back in April with the aim of getting recent graduates up to speed with real world infosecurity skills so they can more easily walk into a paid job.

With this in mind, the Cyber Academy compresses two years’ worth of training into just eight weeks, with only 31 “high potential” students chosen from over 25,000 candidates after completing an aptitude test.

Bradley and his fellow students completed the GIAC exams with scores which put them in the top 10% worldwide, SANS said.

"I was wary of quitting my job and starting the Academy, especially when I saw that people working in forensics and with degrees were going. I thought to myself, ‘I don’t have a degree, I just work for the council’, but I’m glad I went,” said Bradley.

“I wasn’t expecting to do so well but I knew I had to work extremely hard. I put a lot of work in and I’m glad it paid off.”

Fellow student, Kate Booth, a former university lecturer, praised the academy for offering an alternative way for women to enter what is still a very male-dominated industry.

“I was always interested in maths and science when I was at school and my parents gave me a lot of encouragement to do what I was interested in, but we need to do more as a country to support women into cybersecurity,” she explained.

“There is still a way to go, but initiatives like this can really help women to break through.”

Source: Information Security Magazine

Microsoft Patch Fail as Update Crashes Outlook


Microsoft has been forced to reissue a critical patch first released on Tuesday after users took to the web in numbers to complain it crashed their version of Outlook.

MS15-115, which was released in Microsoft’s monthly security update round on 10 November, was designed to fix several vulnerabilities in Windows.

The most severe of these could allow remote code execution “if an attacker convinces a user to open a specially crafted document or to go to an untrusted webpage that contains embedded fonts.”

However, soon after the updates were released by Microsoft, angry customers took to online forums to complain that it had crashed Outlook.

One had the following to say on the TechNet site on Wednesday:

“Today I've deployed the latest Outlook patch to all of my clients, and now Outlook is crashing every 10 minutes and then restarting itself. I tried on fresh Win10, no AV, with latest patches applied and here we go, Outlook crashing there too.

Come on guys, do you EVER do proper QA before releasing anything Office 2013 related? This is the worst version of Outlook ever. Sorry for the negative attitude but this is how things are.”

IT staff took to Reddit’s Sysadmin page to vent further. One user complained: “Vice Prez of our Company was pissed at me all day. This was somehow my fault.”

In its favor, Microsoft appears to have acted quickly to resolve the issue, reissuing KB 3097877 by Thursday. It noted the following in a revision message:

“Bulletin revised to inform customers that the 3097877 update for Windows 7 and Windows Server 2008 R2 has been rereleased to correct a problem with the original update that could cause some applications to quit unexpectedly. Customers who have already successfully installed the update on Windows 7 or Windows Server 2008 R2 systems should reinstall the update.”

This is by no means the first time this year Microsoft has got into trouble with users by releasing patches which have subsequently caused problems.

And last December it was forced to pull not one but two fixes for similar reasons.


Source: Information Security Magazine

NIST Awards $1.86Mn IoT Privacy Grant


Amid growing concerns that internet of things (IoT) devices are inherently vulnerable to attacks that could compromise users’ information privacy and security, the NIST National Strategy for Trusted Identities in Cyberspace (NSTIC) has awarded a $1.86 million grant to build a secure data storage system.

NSTIC is a White House initiative to work collaboratively with the private sector, advocacy groups, public sector agencies and other organizations to improve the privacy, security and convenience of online transactions. The pilot program team includes Tozny, which has built a password-free cryptographic authentication system, its parent company Galois, which builds open and secure technologies for government and commercial organizations; IOTAS, which provides smart-home technology for apartment buildings; GlobeSherpa, a mobile transit ticketing company; SRI International, the non-profit research institute and leader in biometric authentication; and 6 Degrees Consulting, which specializes in privacy policy.

Tozny will serve as the technical lead for the NSTIC pilot program.

The team will build a data storage and sharing platform that guarantees security and enables new use cases for collaborative connected devices—with an initial focus on allowing consumers to securely store and share private information across IoT-enabled smart homes and transportation systems. The system will protect the users’ data from being involuntarily shared, while at the same time enabling multiple IoT services and devices to easily collaborate in better serving smart home and connected device users.

The pilot program will initially focus on two NSTIC pilot program applications:

Smart Home IoT Authentication – Due to lack of standards and security expertise, many commodity IoT devices and cloud services have not been designed to be secure, easy to use and interoperable. Furthermore, elements of the system that are authenticated typically use weak passwords for login. IOTAS is already operating a smart-home pilot in apartment units in Portland, Oregon and San Francisco, CA. NSTIC support will allow IOTAS and Tozny to collaborate to add transparent but privacy-preserving authentication and encryption to this pilot.

Transit IoT Authentication – Many municipalities are deploying mobile ticketing in their public transit platforms, which allows riders to buy transit tickets on their mobile phone and use the phone itself as the ticket. Password authentication is a barrier for users suffering from password fatigue—particularly acute for mobile devices where inputting sufficiently complex passwords is challenging. NSTIC support will fund collaboration between Tozny and GlobeSherpa to pilot secure, password-free authentication.

“In the rush to build IoT products and services, security and privacy is often ignored until it’s too late,” said Isaac Potoczny-Jones, founder of Tozny and Galois’ principal investigator for the project. “The collective vision of this team is to enable data sharing between everyday connected devices, while putting security and privacy first. By the end of the pilot, users will be able to create accounts and authenticate to their home without passwords; prove that they’ve purchased transit tickets just by walking to their bus; and have their home and transit systems securely communicate and collaborate—all while preserving the user’s privacy.”

Source: Information Security Magazine

Top 50 UK Websites Offer Up Big Risk


It turns out that visiting any of the top 50 Web domains in the UK exposes visitors to an immense amount of risk, thanks to the outsized number of scripts and code that those sites are employing.

Menlo Security researchers examined the inner workings of the top 50 UK sites, and found, on average, that a browser will execute 19 scripts for each.

The top UK website executed 125 unique scripts when requested. But even taking out this outlier, 8% of the top 50 sites executed more than 50 scripts, and 72% of the top 50 sites executed fewer than 20 scripts.

“Knowing that visiting a top 10 site means that I’m allowing my browser to execute more than 25 scripts according to our data (that’s 25 scripts that may or may not be well written and/or secure), is a concern,” researcher Jason Steer said in a blog. “What’s more is that going to a top 25 UK website exposes my browser to more than 100 scripts without any knowledge of how good or bad they may be, and from over 50 unique websites in the background.”

Further, when looking at just how much “stuff” a browser downloads when visiting a top 50 UK website, the firm found that on average, the visitor’s browser will download 1.2MB of code. Media sites held the top two places for amount of downloaded code (No. 1 was a media site downloading 4.9MB of code), followed by social media, to make up the top 5 UK websites.

One site outside the top 50 took the cake: It downloaded 6.1MB of code.

Menlo researchers also looked at the backend of the top 50 UK websites to see which web-server versions each was reporting. When Steer cross-referenced that information with the MITRE CVE database to look up known vulnerabilities for the versions reported, he found that 15 of the top 50 sites (30%) were running vulnerable server versions.

Microsoft IIS version 7.5 was the most prominent vulnerable version, reported with known vulnerabilities going back more than five years.

“There are many legitimate reasons why developers use scripts to enhance the user experience of a website today, but similarly, attackers can use scripting capabilities for iframe redirects and malvertising links to compromise browsers,” said Steer. “The main takeaways show that going to any popular website is now associated with some risk, as we see play out in numerous media stories every week.”

It should be noted that the sites in question are quite varied. At number 17 is a sinkholed malware domain, which indicates that a large number of infected computers in the UK are still waiting to be cleaned up, Steer noted. News sites and social media dominated the top 20, with Google and Facebook taking the top five spots. Banking and retail were also well represented throughout the top 50 list. There were also two adult content sites in the top 50, and a house/property search site came in at number 20.

Regardless, users don’t really have a way to protect themselves. Security professionals have been using browser plugins like NoScript for years; however, such plugins make the web-surfing experience worse. “For many non-technical users, it’s not really an option to deploy, meaning the vast majority of users cannot make an educated choice on script permissions,” Steer said.

Source: Information Security Magazine

Third of Global Organizations Lack Confidence in Ability to Detect Sophisticated Cyber Attacks


The 2015 edition of EY’s annual Global Information Security Survey, Creating trust in the digital world, has revealed a corporate world still worried about the latest generation of cyber-attacks.

The survey of 1,755 organizations from 67 countries found that 88% do not believe their information security structure fully meets their organization’s needs and that when it comes to IT security budgets, just over two-thirds want their budgets to be increased by up to 50% to align their organization’s need for protection with its management's tolerance for risk.

Respondents cited a variety of sources of concern. Criminal syndicates (59%), hacktivists (54%) and state-sponsored groups (35%) retained their top rankings as the most likely sources of cyber-attacks, and respondents rated each of these sources as more likely than in last year’s survey: up from 53%, 46% and 27%, respectively, in 2014.

Encouragingly, the survey also found that companies currently feel less vulnerable to attacks arising from unaware employees (44%) and outdated systems (34%) than they did a year earlier, down from 57% and 52%, respectively. However, they feel more threatened today by phishing and malware. Almost half (44%) of respondents ranked phishing as their top threat—up from 39% in 2014—while 43% consider malware their biggest threat. The latter figure was 34% in 2014.

“Organizations are embracing the digital world with enthusiasm, but there must be a corresponding uptick in addressing the increasingly sophisticated cyber threats,” commented EY Global Cybersecurity Leader Ken Allan. “Businesses should not overlook or underestimate the potential risks of cyber breaches. Instead, they should develop a laser-like focus on cybersecurity and make the required investments. The only way to make the digital world fully operational and sustainable is to enable organizations to protect themselves and their clients and to create trust in their brand.”

Respondents generally did not feel such protection, however, and felt that organizations were falling short in thwarting cyber-attacks. Just over half (54%) indicated that their firm lacked a dedicated function that focuses on emerging technology and its impact, while 47% did not have a security operations center.

Slightly more than a third (36%) did not have a threat intelligence program, while 18% did not have an identity and access management program. More than half (57%) said that the contribution and value that the information security function provides to their organization is compromised by the lack of skilled talent available, compared with 53% of respondents in the 2014 survey, indicating that the situation is deteriorating, rather than improving.

Offering advice on how firms needed to react, EY global risk leader Paul van Kessel said: “Cybersecurity is inherently a defensive capability, but organizations should not wait to become victims. Instead, they should take an ‘active defense’ stance, with advanced security operations centers that identify potential attackers and analyze, assess and neutralize threats before damage can occur. It is imperative that organizations consider cybersecurity as an enabler to build and keep customers’ trust.”

Source: Information Security Magazine

Intel: Wearables, Cars and Stolen-Data Warehousing Will Mark 2016


2016 will see a gamut of cybersecurity trends, including likely threats around ransomware, attacks on automobile systems, infrastructure attacks, and the warehousing and sale of stolen data.

Intel Security’s McAfee Labs Threats Predictions Report predicts attacks on all types of hardware and firmware, while the market for tools that make them possible will expand and grow. Virtual machines could be targeted with system firmware rootkits.

On ransomware, anonymizing networks and payment methods could continue to fuel this major and rapidly growing threat. Intel believes that in 2016, greater numbers of inexperienced cyber-criminals will leverage ransomware-as-a-service offerings, which could further accelerate the growth of ransomware.

When it comes to the Internet of Things (IoT), although most wearable devices store a relatively small amount of personal information, wearable platforms could be targeted by cyber-criminals working to compromise the smartphones used to manage them. The industry will work to protect potential attack surfaces such as operating system kernels, networking and Wi-Fi software, user interfaces, memory, local files and storage systems, virtual machines, web apps, and access control and security software.

Also on the IoT front, researchers will continue to focus on potential exploit scenarios for connected automobile systems lacking foundational security capabilities or failing to meet best-practice security policies. IT security vendors and automakers will proactively work together to develop guidance, standards and technical solutions to protect attack surfaces such as vehicle access system engine control units (ECUs), engine and transmission ECUs, advanced driver assistance system ECUs, remote key systems, passive keyless entry, V2X receiver, USBs, OBD IIs, remote link type apps and smartphone access.

Intel also thinks that organizations will continue to improve their security postures, implement the latest security technologies, work to hire talented and experienced people, create effective policies and remain vigilant. Thus, attackers are likely to shift their focus and increasingly attack enterprises through their employees, by targeting, among other things, employees’ relatively insecure home systems to gain access to corporate networks.

Cyber-criminals could also seek to exploit weak or ignored corporate security policies established to protect cloud services. Home to an increasing amount of business confidential information, such services, if exploited, could compromise organizational business strategy, company portfolio strategies, next-generation innovations, financials, acquisition and divestiture plans, employee data and other data.

And what happens to all of that stolen data? Stolen personally identifiable information sets are being linked together in big data warehouses, making the combined records more valuable to cyber-attackers. The coming year will see the development of an even more robust dark market for stolen personally identifiable information and usernames and passwords.

Intel also expects a rise in integrity attacks. One of the most significant new attack vectors will be stealthy, selective compromises to the integrity of systems and data. These attacks involve seizing and modifying transactions or data in favor of the perpetrators, such as a malicious party changing the direct deposit settings for a victim’s paychecks and having money deposited into a different account. In 2016, McAfee Labs predicts that we could witness an integrity attack in the financial sector in which millions of dollars could be stolen by cyber-thieves.

And finally, in the plus column, threat intelligence-sharing among enterprises and security vendors will grow rapidly and mature. Legislative steps may be taken making it possible for companies and governments to share threat intelligence with government. The development of best practices in this area will accelerate, metrics for success will emerge to quantify protection improvement, and threat intelligence cooperatives between industry vendors will expand, Intel noted.

Source: Information Security Magazine

JPMorgan Indictments Show 83Mn Affected in Enormous Breach


Federal prosecutors have unsealed documents relating to the breach at JPMorgan Chase, revealing that cyber-criminals stole information from more than 83 million customers (as well as data from other companies, like Scottrade and E*Trade), and used that information to carry out a stock-manipulation scheme, credit-card fraud and illegal online casinos.

US prosecutors have unsealed two indictments, in which they described a vast, multi-year criminal enterprise that spanned more than a dozen countries and targeted at least nine big financial and publishing firms, including JPMorgan Chase, E*Trade, Fidelity Investments, Scottrade Financial and Dow Jones & Co. The indictments revealed that the perpetrators stole some 10 million email addresses from customers of Dow Jones, a far bigger breach than the 3,500 customers the company said in October could have been compromised.

“From 2012 to mid-2015, the suspects and their co-conspirators successfully manipulated dozens of publicly traded stocks, sent misleading pitches to clients of banks and brokerages whose email addresses they’d stolen, and profited by using trading accounts set up under fake names,” reported Bloomberg.

The ring also “tried to extract nonpublic information from financial corporations, processed payment information for fake pharmaceuticals and fake antivirus software, falsified passports and took control of a New Jersey credit union,” said prosecutors.

About 75 companies and bank and brokerage accounts around the world were allegedly used to launder money, prosecutors wrote, and the ring’s operations network stretched from Israel to the US, including stops in Cyprus, Azerbaijan and Switzerland.

Gery Shalon, Joshua Aaron and Ziv Orenstein were named in the indictment, for a range of offenses that include hacking, securities fraud, wire fraud and identity theft. Shalon and Orenstein were arrested in Israel in July. Aaron remains at large.

“They colluded with corrupt international bank officials who willfully ignored its criminal nature in order to profit from, as a co-conspirator described it to Shalon, their payment processing ‘casino/software/pharmaceutical cocktail’,” according to the indictment.

“The shocking size and reach of this cyber breach underscores the sophistication of today’s cyber-criminal enterprises and shows what security teams across all industries are up against,” said Fortscale CEO Idan Tendler, in an email. “Today’s hackers aren’t necessarily looking for a quick payday. Once the initial data theft is completed, there are countless opportunities for cyber-criminals to conduct targeted campaigns. The key for organizations is to prevent the initial breaches from occurring in the first place. These types of attacks can be prevented, but only through aggressive monitoring of internal networks with a key emphasis on user behavior.”

Source: Information Security Magazine

Amazon Shipping Android Tablets with Pre-installed Trojan


A dangerous new Trojan, dubbed Cloudsota, has been found to be pre-installed on certain Android tablets being sold through Amazon and other major marketplaces.

According to researchers from the Cheetah Mobile Security Lab, the Cloudsota Trojan can install adware or malware on the devices and uninstall anti-virus applications silently. With root permission, it is also able to automatically open all installed applications. Furthermore, the Trojan can replace boot animation and wallpapers with ads, change the browser’s homepage and redirect searches to strange ad pages.

Over 30 tablet brands have been pre-loaded with the Trojan, among which the most severely affected are the no-brand tablets with Allwinner chips.

Cheetah Mobile said in an analysis that at least 17,233 infected tablets have been delivered to customers’ hands, in more than 153 affected countries, with Mexico, US and Turkey suffering the most. But this estimation is based on anonymous data collected by the company from its antivirus application; since many tablets are not protected by antivirus, the number may actually be significantly greater.

And worse, these tablets are still available on many online stores, including Amazon.

“A large number of customers have left comments on Amazon.com grumbling about the advertisements and popups,” Cheetah Mobile said. “These tablets share some similarities: all of them are low-priced and manufactured by nameless small-scale workshops.”

Upon discovery, Cheetah Mobile reached out to Amazon to report users selling these infected tablets. It also notified companies involved whose products are found with pre-installed Trojans. “We advised those manufacturers to investigate their system firmware carefully, but unfortunately none have responded yet,” the firm said.

Consumers should beware of cheap, no-name tablets for now. “This Trojan has existed for quite some time and victims have been consistently asking for help at Android forums like XDA, TechKnow and others,” researchers said. “While most people have no idea about Cloudsota’s potential risks, it is a ticking time bomb threatening your privacy and property.”

Source: Information Security Magazine