Intelligent Connections. Recruiting Integrity.

Archive for November 2015

Hardware Encryption Market Expected to Reach $296.4bn by 2020

A new report by Allied Market Research forecasts that the world hardware encryption market will show a CAGR of 54.6% from 2010-2020 and be worth just over $296 billion.

The World Hardware Encryption—Market Opportunities and Forecasts, 2014–2020 report describes hardware encryption as the most effective form of data protection against unauthorized access, in line with the actions of governments across the globe that are introducing stringent data-protection regulations. This is seen as a key development that further strengthens demand for hardware encryption as a key data security technology.

The hard disk drives (HDD) segment was found to be the highest revenue-generating segment, constituting 57% of total market revenue in 2014, and is expected to maintain its dominance throughout the analysis period. The encrypted USB flash drive segment is forecast to grow significantly and to register the highest CAGR, 58.8%, during the forecast period. Increasing demand for robust memory storage devices that are highly compact, offer maximum storage and provide better data security are the key factors that would drive the growth of this segment.

Looking at regions and vertical industries, Asia-Pacific was revealed to be the largest revenue-generating region for hardware encryption, followed by North America and Europe, and is set to remain the highest revenue-generating region, constituting nearly 33.5% of total market revenue. The region is also likely to register a CAGR of 56.9% during the forecast period, supported by factors such as strong economic growth, development of enterprise IT infrastructure and the large-scale outsourcing of BPO operations to China, India and Malaysia.

Among the various verticals, healthcare was the largest contributor, accounting for around 23.8% of total market revenue in 2014. The sector is projected to remain the highest revenue generator throughout the analysis period. Stringent government regulations and security standards, along with the increasing use of BYOD devices, will be the key factors supporting the adoption of hardware encryption in the healthcare sector.

Source: Information Security Magazine

Nuclear EK Infects Major Nonprofit with Kelihos

The website of the International Council of Women (ICW) has been compromised by attackers using the Nuclear Exploit Kit, which is infecting visitors with the Kelihos bot.

According to Zscaler, the EK was heavily obfuscated to evade security software detections.

Researchers found that the malware was communicating with remote servers to exchange information used to execute various tasks, including sending spam email, capturing sensitive information, and downloading and executing malicious files. Kelihos was also trying to steal login credentials and digital currency, including Bitcoin, by monitoring the network traffic of the victim's machine. It was also trying to gather stored information such as usernames, passwords and host names from various internet browsers, including Google Chrome and ChromePlus.

“Nuclear EK remains a worthy rival to Angler EK, with widespread campaigns, regular exploit payload updates, new obfuscation techniques and new malware payloads,” Zscaler researchers noted in an analysis. “The end malware payload we saw in this campaign was the information stealing Kelihos bot which has extremely low AV detection.”

Things have been busy on the EK front of late. Earlier in the week Zscaler found that, despite the recent attempt to take down the Angler Exploit Kit, a Chinese government website was recently compromised to exploit Flash and direct users to the CryptoWall 3.0 payload.

The firm uncovered that it’s back to business as usual for kit operators. The compromised Chinese government website was the “Chuxiong Archives,” compromised with injected code. The site has a similar look and feel to both the Chuxiong Yi Prefecture and Chuxiong City websites and appears somewhat inactive. The compromised site was cleaned up within 24 hours, but the situation alerted Zscaler to recent changes to Angler, as well as the inclusion of newer Flash exploits.

Source: Information Security Magazine

Ovum: Data Breaches Offer a Good Case for Cloud Security

Despite cloud security fears, the ongoing epidemic of data breaches is likely to simply push more enterprises towards the cloud.

That’s the assessment of Tim Jennings, Ovum analyst, who says that the trend is an indicator of the increasing maturity of the cloud environment.

“Given that data security and privacy concerns have been an inhibitor during the early stages of cloud adoption, it is somewhat ironic that the continued spate of high-profile customer data breaches is likely to push more enterprises toward cloud services,” he said, in a blog. “One can envisage, therefore, pointed conversations within boardrooms as CIOs and chief security officers are questioned about the likelihood of their organizations being the next to suffer reputational damage through the exposure of customer data. Many organizations will conclude that using the expertise of a third party is a more reliable approach than depending on in-house resources.”

He added that the main issue is not necessarily the fact that the breach has occurred, because some degree of vulnerability will always exist, but organizational response is varied—and in many cases wholly inappropriate because of a lack of security expertise.

“Many have been like rabbits caught in the headlights, seemingly having little insight into the root cause of the failure, the extent of the consequences, or the actions required for remediation,” Jennings noted.

In many ways, outsourcing to someone with better answers should seem obvious. Modern cloud providers have invested large sums of money into end-to-end security, covering the physical security of the data center and encryption of customer data through to highly automated patching and sophisticated security intelligence.

“It is unrealistic to expect even very large enterprises to replicate this environment,” Jennings said.

He cautioned however that this does not necessarily mean that adopting a public cloud environment is safer.

“It may be that enterprises prefer to use either an on-premise or virtual private cloud, while still taking advantage of a specialist provider’s management and security capabilities. Nor does it mean that the responsibility for security and customer data passes away from the enterprise—even though the delivery of these capabilities is in the hands of the third party, governance and control must be retained in-house.”

Source: Information Security Magazine

Pentagon to Develop Lethal Cyber-Weapons—Report

According to government contractors and former Pentagon officials, computer code and cyber-weapons capable of killing adversaries will be developed under a new half-billion-dollar military contract.

These cyber-weapons would allow US troops to launch “logic bombs” instead of traditional explosives, essentially forcing an enemy’s critical infrastructure to self-destruct, likely with the loss of human life.

Sources told Nextgov that the contract is the main part of an upcoming $460 million U.S. Cyber Command project, which will outsource “cyber fires” planning, as well as “cyberspace joint munitions” assessments, to contractors. Raytheon, Northrop Grumman and Lockheed Martin are among the major defense firms expected to compete.

The Department of Defense Law of War Manual, first published in June, notes some of the acceptable uses for cyber-weapons, such as: "trigger a nuclear plant meltdown; open a dam above a populated area, causing destruction; or disable air traffic control services, resulting in airplane crashes."

The Pentagon’s stated cyber-mission is to block foreign hackers targeting domestic systems, assist US combat troops overseas and defend military networks. The tools and capabilities necessary to carry these out will be consistent with US and international law, Pentagon spokeswoman Laura Rojas told Nextgov.

That means that, just as with traditional bombs and weaponry, cyber-strikes will be allowed if “it is certain that civilians would be killed or injured—so long as the reasonably anticipated collateral damage isn’t excessive in relation to what you expect to gain militarily,” said retired Maj. Gen. Charles J. Dunlap, executive director of Duke University's Center on Law, Ethics and National Security. “These are essentially the same rules as for attacks employing traditional bombs or bullets.”

Most missions will likely be enabling attacks for more traditional approaches, some say.

"Combatant commanders choose weapons that they know will further their course of action," said Bill Leigher, a recently retired Navy admiral who runs Raytheon's government cyber-solutions division. He said that applications for the new capabilities would include things like launching a cyberattack to shut down the power grid of an air maintenance facility.

"You've degraded the enemy's ability to repair aircraft," Leigher said. "I trust [that cyberweapon]. I know how it's going to be used, and I believe that it is the best option to execute and it doesn't create more risk for the 27-year-old Air Force pilot who is flying over a defended target.”

Source: Information Security Magazine

Lack of Employee Security Training Plagues US Businesses

Employee security awareness continues to be the subject of a dramatic disconnect: Research reveals that 73% of US employees believe their company provides sufficient training on how to protect sensitive information, while a similar percentage of IT personnel (72%) say that employers are not doing enough to educate employees.

The research, from Clearswift, underscores the need for more collaboration between the executive team, IT, HR and other employees within an organization to ensure the safety of sensitive information and intellectual property (IP), given that improperly trained staff are at risk of clicking on phishing links that invite attackers in, or inadvertently sending out information hidden within documents and metadata.

That’s especially critical considering that 10% of employees have lost a device containing sensitive business information, 12% have used shadow IT without authorization, and 37% of respondents say they have access to information that is above their position in the company. The risk is exacerbated by an uptick in the use of cloud applications like Dropbox, Google Drive or Box, in addition to the proliferation of new communications tools in the form of social media and personal devices being used for work.

Further, a full 56% of employees in the US have access to intellectual property at work—but less than half (45%) recognize that intellectual property could damage their company if leaked. This can include new code for software products, trade secrets, designs or strategic plans, and can be very costly to lose if it is not yet protected by patents.

“The value of a company’s IP is frequently misunderstood. First off, IP comes in many guises and it’s essential for organizations to recognize ‘what’ their IP is; where it exists and who has access to it,” said Heath Davies, CEO at Clearswift. “IP is often a company’s most prized possession, if it were to fall into a competitor’s hands, or even unauthorized hands, it could cause immense financial damage to a company, or as in the case of the recent attempted US naval espionage charge, potentially result in dire effects. It is incredible that so many survey respondents say they have access to such information, yet so few seem to realize its value.”

The study also found that 62% of businesses worldwide think their employees don’t care enough about the implications of a security breach to change their behavior, and 57% admit that they need to make employees care more about the ramifications of a breach, explain the risks and talk about cases in the media.

"Most employees are not acting maliciously, but their carelessness can be just as damaging,” said Davies. “Companies need to wake up to the fact that employees have the potential to cause the company huge damage through their actions, and ensure that training, policies and technology are in place to minimize that risk. Those sitting on the board need to sit up and pay attention; critical information needs to be governed at the highest levels or it could jeopardize the future of a company."

Source: Information Security Magazine

Teenage 'Cracka' Hackers Hit FBI Deputy Director

A group of teenage hackers have broken into the AOL email accounts of the FBI Deputy Director Mark Giuliano and his wife.

The hacktivist group, known as “Crackas With Attitude” (CWA), is making AOL a bit of a specialty; two weeks ago it also hacked the AOL email account of the CIA director John Brennan.

The ringleader, who fittingly goes by the name Cracka, has posted online a veritable treasure trove of information belonging to thousands of government employees, including more than 3,500 names, email addresses and contact numbers of law enforcement and military personnel, including intelligence analysts. The group has warned that this is just a taste of the full amount of information that CWA has in its possession.

CWA said that it is acting in support of the Palestinian cause, and that the Giuliano attack is payback for the comments the director made after the Brennan hack about making an example out of CWA.

If CWA was able to access all of that information via personal AOL accounts, this has the makings of a Hillary Clinton-level email security scandal. So far, however, the FBI has declined to comment on whether the hack is legitimate.

Cracka told Millennial news outlet Vice that he called the deputy director's phone number: "I called it and asked for Mark, and he is like 'I don't know you, but you better watch your back', and then he hung up, and I kept calling and he was getting mad, then he didn't pick up.”

Source: Information Security Magazine

Most Mobile Apps Subject to at Least Nine Vulnerabilities

Mobile applications show an alarming rate of vulnerability, with the average app susceptible to nine different vulnerabilities.

Further, the research from Checkmarx and AppSec Labs shows that, of those nine different vulnerabilities, 38% are critical or high-severity.

Interestingly, and despite conventional wisdom, iOS is no more secure than Android when it comes to vulnerabilities built into the code or application logic: Here, the vulnerability rate of iOS and Android applications is almost identical. And, 40% of detected vulnerabilities in iOS applications were found to be critical or high-severity, compared to only 36% on Android.

“When we undertake penetration testing for our customers, we're often asked to test both the Android and iOS versions of the same app,” said AppSec Labs founder Erez Metula. “We realized that since iOS developers wrongly assume that iOS is ‘more secure,’ they let themselves take poor security decisions that open up vulnerabilities in their app.”

Among the types of applications tested were the banking applications of high-street retail banks, which access the personal data of millions of private individuals. Even those applications, which undergo rigorous security testing, were found to suffer from critical vulnerabilities such as faulty authentication, data leakage and more.

Overall, 50% of vulnerabilities are either personal/sensitive information leakage or authentication and authorization faults.

“The mobile application industry is growing at an explosive pace, yet security issues of mobile applications are lagging behind,” said Asaph Schulman, vice president of marketing at Checkmarx. “During 2014-15, Appsec Labs and Checkmarx tested hundreds of mobile applications, of all types including banking, utilities, retail, gaming and even security oriented applications. The results of the study were nothing short of alarming and unless we improve secure coding practices we should expect an increase of major hacks via the mobile application vector in the near future.”

Source: Information Security Magazine

Coffeemakers, Baby Monitors and More Open Up Big IoT Security Holes

Investigating some of the latest Internet-of-Things (IoT) products, Kaspersky Lab researchers have discovered serious threats to the connected home—including a coffeemaker that exposes the homeowner’s Wi-Fi password, a baby video monitor that can be controlled by a malicious third party, and a smartphone-controlled home security system that can be fooled by a magnet. 

The security firm’s investigation into the connected home discovered that almost all of the devices tested contained vulnerabilities.

The baby-monitor camera used in the experiment could allow a potential attacker, while using the same network as the camera owner, to connect to the camera, watch the video from it and launch audio on the camera itself. Other cameras from the same vendor allowed for the ability to collect owner passwords, and the experiment showed it was also possible for someone on the same network to retrieve the root password from the camera and maliciously modify the camera’s firmware.

When researching the app-controlled coffeemakers, it was discovered that it’s not even necessary for an attacker to be on the same network as the victim. The coffeemaker was sending enough unencrypted information for an attacker to discover the password for the coffeemaker owner’s entire Wi-Fi network.

On the other hand, Kaspersky Lab researchers found that the smartphone-controlled home security system’s software had just minor issues and was secure enough to resist a cyberattack. Instead, the vulnerability was found in one of the sensors used by the system.

The contact sensor used, which is designed to set off the alarm when a door or a window is opened, works by detecting the magnetic field of a magnet mounted on the door or window. During the experiment, Kaspersky Lab experts were able to use a simple magnet to substitute for the field of the magnet on the window, allowing them to open and close the window without setting off the alarm. This vulnerability is also impossible to fix with a software update; the issue is in the design of the home security system itself. Furthermore, magnetic-field contact sensors are a common type of sensor, used by multiple home security systems on the market.

“Our experiment, reassuringly, has shown that vendors are considering cyber-security as they develop their IoT devices,” said Victor Alyushin, security researcher at Kaspersky Lab. “Nevertheless, any connected, app-controlled device is almost certain to have at least one security issue. Criminals might exploit several of these issues at once, which is why it is so important for vendors to fix all issues—even those that are not critical. These vulnerabilities should be fixed before the product even hits the market, as it can be much harder to fix a problem when a device has already been sold to thousands of homeowners.”

Kaspersky suggests that before rushing out to buy an IoT device, homeowners should do their due diligence and examine whether any security flaws have been reported in the media. They should also avoid the temptation of purchasing new products recently released on the market. And, when purchasing a baby monitor, it may be wise to choose the simplest RF-model on the market, one that is capable of transmitting only an audio signal, without internet connectivity.

Source: Information Security Magazine

FIDO Alliance Certifies New iOS, Mobile Devices

The Fast IDentity Online (FIDO) Alliance has reached 72 certified products available in the market.

FIDO, an industry consortium launched in 2013 to provide open standards for simpler, stronger authentication, has announced results from the most recent round of FIDO 1.0 certifications.

FIDO members, and others, leverage open FIDO standards for Android, Apple, iOS and Touch ID to use FIDO authentication in devices, services and applications instead of passwords. Companies, organizations and individuals can use FIDO U2F second-factor devices for stronger authentication, and can eliminate passwords entirely through FIDO UAF biometric solutions such as fingerprint or iris recognition sensors. 

Newly certified FIDO 1.0 products include the first FIDO Certified iOS products from Egis, Nok Nok Labs and Samsung SDS, along with a line-up of smartphones.

For instance, the Nok Nok App SDK for iOS leverages the Secure Enclave and Touch ID for both on-device and out-of-band authentication, allowing deploying organizations to deliver strong authentication across multiple platforms including iOS. And the Egis Touch ID-enabled UAF client allows mobile payment service providers to extend their online payment services to iOS.

If biometric data (like TouchID data) is used by a FIDO authenticator, the biometric information never leaves the device. FIDO authentication to the cloud is always performed by means of industry-standard public key cryptography.
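As an added example (not code from the original article or from the FIDO Alliance), the following Go sketch models the pattern the paragraph describes: the authenticator keeps its private key and the local user-verification step on the device and only ever emits a public key and signatures, while the relying-party server verifies each signature against a single-use challenge so a captured assertion cannot be replayed. The app ID, user names and the userVerified flag are assumptions standing in for the real UAF/U2F message formats.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator is the device side: one key pair per relying-party app ID.
// The private keys (and, on a real phone, the biometric template that
// unlocks them) never leave this struct; only public keys and signatures do.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a fresh P-256 key pair for appID and hands out the public half.
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[appID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a server challenge. userVerified is an assumed stand-in for the
// local biometric match (Touch ID in the article); without it nothing is signed.
func (a *Authenticator) Sign(appID string, challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("local user verification failed")
	}
	priv, ok := a.keys[appID]
	if !ok {
		return nil, errors.New("no key registered for this app ID")
	}
	return ecdsa.SignASN1(rand.Reader, priv, digest(appID, challenge))
}

// digest binds the signature to the app ID as well as the challenge, so an
// assertion produced for one relying party is useless at another.
func digest(appID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(appID+"|"), challenge...))
	return h[:]
}

// Server is the relying party: it holds public keys and single-use challenges.
type Server struct {
	appID      string
	pubKeys    map[string]*ecdsa.PublicKey // user -> registered public key
	challenges map[string][]byte           // user -> outstanding challenge
}

func NewServer(appID string) *Server {
	return &Server{appID, map[string]*ecdsa.PublicKey{}, map[string][]byte{}}
}

func (s *Server) Enroll(user string, pub *ecdsa.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues 32 fresh random bytes; each challenge is accepted at most once.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// Verify checks the signature against the stored public key and the outstanding
// challenge, then discards the challenge so a captured assertion cannot be replayed.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	want, pending := s.challenges[user]
	if !ok || !pending || !bytes.Equal(want, challenge) {
		return false
	}
	delete(s.challenges, user)
	return ecdsa.VerifyASN1(pub, digest(s.appID, challenge), sig)
}
```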

“We are excited to pass the first FIDO Certification Process for iOS 9,” said Steve Ro, Chairman and CEO of Egis. “iOS plays a major part in mobile payment trends. We will be able to provide more security, easy solutions, and products for authentication based on FIDO specifications. These specifications are changing the nature of authentication with standards for simpler, stronger authentication that reduce reliance on passwords.”

The new products also include FIDO applications, authenticators and servers from DDS, Goodix, Feitian, Hypersecu, LG Electronics, Neowave, Samsung and Sony.

“The FIDO ecosystem is emerging with an abundance of options that enable easy adoption of strong authentication for Internet providers and services, enterprise and consumers,” said Dustin Ingalls, president of the FIDO Alliance. “In less than three years, the FIDO Alliance has delivered standards and a range of products that make it possible now to see a world that doesn’t rely on passwords, but rather is prepared with more secure, private and convenient FIDO authentication.”

Certification testing is based on industry-standard best practices to objectively evaluate technical implementations of the FIDO 1.0 specifications, which are Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F).

Source: Information Security Magazine

Malicious Code-Signing Becomes Dark-Web Cottage Industry

Hackers are selling digital certificates that allow code-signing of malicious files—and, they’re making a whole cottage-industry business out of it.

According to a report from InfoArmor, hackers are using a malware creation tool called GovRAT, which is bundled with digital certificates for code-signing. It’s primarily an advanced persistent threat (APT) tool, active since early 2014. GovRAT victims so far include political, diplomatic and military employees of more than 15 governments worldwide, the firm said, along with seven banks, 30 defense contractors and more than 100 other corporations.

“Code-signing provides the assurance to users and the operating system that the software is from a legitimate source,” said Travis Smith, senior security research engineer for Tripwire, in an email. “Both obtaining and correctly applying the certificates to legitimate software is expensive and complex. Many protection mechanisms, rightfully so, check for the digital certificate. However, it's possible that additional security measures stop investigating the software beyond this.”

Attackers can thus exploit this lapse in security by obtaining certificates and signing their malware. 

“This decreases the ability for attacker automation, but will increase the value of potential loot,” Smith added. “For organizations which have valuable data, attackers are going to sacrifice automation for stealthier attacks such as code-signed malware.”

The GovRAT tool uses Microsoft SignTool and WinTrust to digitally sign malicious code and evade antivirus detection. Once malware signed with the tool is embedded, it can communicate over SSL, obscuring the exfiltration of sensitive data. It also has advanced self-encryption and anti-debugging features.

Originally offered on the Dark Web for 1.25 Bitcoin ($420, at current rates, or $1,000 at the time), it’s now available only privately—and in an as-a-service model.

And GovRAT is not the only game in town. InfoArmor has also found code-signing certificates in various underground marketplaces that go for between $600 and $900, including legitimate certificates issued by Comodo, Thawte, DigiCert and GoDaddy.

“[The buyers are] black hats (mostly state-sponsored), malware developers,” Andrew Komarov, president and CIO at InfoArmor, told the Register. “It is [a] pretty professional audience, as typical script kiddies and cyber-criminals don’t need such stuff. It is used in APTs, organized for targeted and stealth attacks. The appearance of such services on the black market allows [hackers] to perform them much more easily, rather like Stuxnet.”

He added, “It is a pretty specific niche of modern underground market. It can’t be very big, as the number of certificates is pretty limited, and it is not easy to buy them, but according to our statistics, the number of such services is significantly growing.”

Hackers can sign not only executable files, but also drivers, Microsoft Office documents, Java content and many other file types—widening the attack surface considerably.

“Organizations should rely on a defense-in-depth security posture so if one defensive mechanism fails, another is in line to detect the attack,” Tripwire’s Smith said. “For attacks such as this, monitoring the list of both signed and unsigned software in the environment will give security administrators an early indication of compromise.”

Source: Information Security Magazine