Archive for February 2016

Take-Up of Anti-Phishing Standard DMARC Jumps 24%

Global adoption of the DMARC email authentication standard has risen by almost a quarter over the past year, although EMEA still lags some way behind North America, according to a new report.

Domain-based Message Authentication, Reporting, and Conformance (DMARC) can significantly reduce instances of phishing or spoofed emails by ensuring recipients’ computers check that incoming mail and attachments are authorized by the domain's administrators and haven’t been modified in transit.

Return Path, a founding member of the standard, analyzed 1,000 brands worldwide and found that adoption rose 24% year-on-year, to 29% of those brands.

However, there remains a big disparity in adoption between the US and Canada (42%) at the top and EMEA (16%) and Australia and New Zealand (18%) at the bottom.

There was also a notable difference between industries leading the way such as social media (59%) and technology (51%) and the likes of healthcare (16%) and ISP/Telco (21%).

Legacy IT infrastructure, convoluted email ecosystems, and risk-aversion were all cited as reasons contributing to the continued slow adoption rates in some industries.

That said, 2.5 billion inboxes are now protected by DMARC and most major webmail providers including Yahoo and AOL support the standard. Google is switching DMARC on in June.

The report did, though, add the following note of caution:

“However, it is important to note that enterprise-messaging gateways are in the early stages of rolling out DMARC, and reporting capabilities are still a big hurdle. 2016 will see an increased focus on providing enhanced reporting capabilities that threat intelligence platforms can leverage to identify malicious activity faster.”

Robert Holmes, general manager of email fraud protection at Return Path, said DMARC is increasingly becoming a silver bullet for stopping domain spoofing attacks.

“However there is no single silver bullet for all types of attacks. Return Path data shows that 30% of all email phishing threats use a company’s own domains. Once DMARC is implemented, cyber-criminals leverage the organization’s brand in other ways, like display name spoofing or use of cousin domains. There is also the challenge that some regional ISPs do not currently support DMARC,” he told Infosecurity by email.

“Defending against the other 70% requires a comprehensive understanding of the tactics fraudsters use to bypass email authentication. To truly fight targeted phishing attacks organizations need full visibility into all threats. Detection and response play an important role in the fight against phishing and today threat intelligence is the only way to know how an organization’s brand is being used in phishing emails to target customers and/or employees.”

A multi-layered approach to security and preventing phishing should always include “people, process and technology implementations,” Holmes concluded.
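The mechanism described at the top of this article (a receiver checks that mail claiming a domain is authorized by that domain's owner) and the gap Holmes describes (display-name spoofing and cousin domains fall outside what DMARC can check) can both be seen in a short policy evaluator. The code below is an added illustration, not Return Path's or any mail server's code; the DNS records, the `example.com`/`examp1e.com` domains and the messages are constructed, and the organizational-domain logic is a simplification of what real receivers do with the Public Suffix List.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for DNS TXT lookups of _dmarc.<domain>; nothing touches the network.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.examp1e.com": "v=DMARC1; p=none",  # lookalike ("cousin") domain registered by someone else
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tag/value pairs, applying RFC 7489 alignment defaults."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % record)
    return tags


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels (assumption: real
    receivers consult the Public Suffix List so that example.co.uk is handled correctly)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class Message:
    header_from: str            # RFC 5322 From: header as the user sees it
    spf_domain: Optional[str]   # MAIL FROM domain if SPF passed, else None
    dkim_domain: Optional[str]  # d= of a DKIM signature that verified, else None


def from_domain(header_from: str) -> str:
    match = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", header_from)
    if not match:
        raise ValueError("cannot find a domain in From: %r" % header_from)
    return match.group(1).lower()


def lookup_policy(domain: str):
    """Exact-domain record first; otherwise the organizational domain's record, where sp= governs subdomains."""
    record = DNS_TXT.get("_dmarc." + domain)
    if record is not None:
        return parse_dmarc(record), "p"
    record = DNS_TXT.get("_dmarc." + org_domain(domain))
    if record is None:
        return None, None
    tags = parse_dmarc(record)
    return tags, ("sp" if "sp" in tags else "p")


def evaluate(msg: Message) -> str:
    """Return 'pass', 'no-policy', or the disposition the domain owner requested for failures."""
    domain = from_domain(msg.header_from)
    tags, policy_tag = lookup_policy(domain)
    if tags is None:
        return "no-policy"
    spf_ok = msg.spf_domain is not None and aligned(domain, msg.spf_domain, tags["aspf"])
    dkim_ok = msg.dkim_domain is not None and aligned(domain, msg.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return {"none": "monitor-only", "quarantine": "quarantine", "reject": "reject"}[tags[policy_tag]]


def display_name_mismatch(msg: Message, brand_domains) -> bool:
    """The check DMARC does not make: a display name that names a protected brand
    while the address domain belongs to someone else."""
    name = msg.header_from.split("<", 1)[0].strip().strip('"').lower()
    domain = from_domain(msg.header_from)
    for brand in brand_domains:
        if brand.split(".")[0] in name and org_domain(domain) != org_domain(brand):
            return True
    return False


# Constructed sample messages, as a receiver would see them after SPF and DKIM checks.
LEGIT = Message("Example Billing <billing@example.com>", "bounce.example.com", "example.com")
SPOOF = Message("Example Billing <billing@example.com>", "mailer.other-host.test", None)
SUBDOMAIN_SPOOF = Message("IT Helpdesk <it@mail.example.com>", None, None)
COUSIN = Message("Example Billing <billing@examp1e.com>", "examp1e.com", "examp1e.com")
FREEMAIL = Message("Example Billing <example.billing@free-mail.test>", "free-mail.test", None)

if __name__ == "__main__":
    for label, msg in [("legit", LEGIT), ("spoof", SPOOF), ("subdomain", SUBDOMAIN_SPOOF),
                       ("cousin", COUSIN), ("freemail", FREEMAIL)]:
        print(label, evaluate(msg), "display-name-mismatch" if display_name_mismatch(msg, ["example.com"]) else "")
```

The direct spoof of `example.com` is rejected and the unprotected subdomain is quarantined, but the cousin domain passes its own DMARC and the free-mail address has no policy at all; only the separate display-name check flags those two, which is the "other 70%" Holmes is talking about.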

Source: Information Security Magazine

Micro-Segmentation on the Rise for Cloud Security

The rise in cloud computing and services has meant that organizations have embraced an on-demand infrastructure that enables technical resources to be delivered in an easily consumed and cost-efficient model. Unsurprisingly, software-based approaches to security are also on the rise, which are a better fit than traditional hardware-centric solutions to secure multi-cloud environments.

Results from a security-as-a-service survey by ESG and vArmour show that the top three most desired cloud security attributes are: extensibility (across private and public clouds); scalability (to match cloud resources) and infrastructure agnosticism (independence from underlying IT infrastructure).

In addition, organizations report lowering costs (both CapEx and OpEx) as two of the top three reasons for adopting cloud—making cost an imperative factor to consider when purchasing tools to secure these dynamic environments.

"Given organizations' adoption of cloud architectures and the consistent rise of attacks, more advanced security tactics, such as micro-segmentation, are necessary to lower the risks and costs associated with cybercrime," said Jon Oltsik, ESG senior principal analyst and the founder of the firm's cybersecurity practice.

About half of respondents in an ESG survey set to be released later in the year (51%) listed workload segmentation as a high priority for their cloud security architectures, with 81% of respondents planning to deploy micro-segmentation in the next six to 12 months.

Micro-segmentation brings security inside the data center and makes it available for every workload, not just the critical or regulated systems. It looks at the inherent characteristics of the workload, tying this information back to the security policy and applying it depending on the type of workload, what it will be used for and what kinds of data are being handled.

"Cloud security must adapt to an environment where workloads are decoupled from the physical hardware and delivered from a fabric of pooled resources," said Alan Waite, research director for Gartner’s Technical Professionals Security and Risk Management Strategies team. "As you plan your security approach to your private cloud, you can also lay the groundwork for managing workloads in the public cloud. One way to do this is to provide security as a set of on-demand, scalable services."

As ever, usability will be key to true adoption of the approach. “These micro-segmentation technologies must be simple to use and economical to acquire and maintain, to match the expectations of modern IT delivery models,” said Oltsik.

Photo © Melpomene

Source: Information Security Magazine

HSBC Set for UK’s Biggest Biometrics Roll-Out

HSBC is set to launch voice and fingerprint biometric authentication in a bid to improve security and usability for online account holders.

The banking giant will offer its 15 million customers the chance to log into their accounts via Apple’s Touch ID fingerprint scanning service or voice-activated authentication powered by speech recognition specialist Nuance.

Subsidiary First Direct will be the first to switch on the service for its customers over the next few weeks followed by HSBC in the summer, according to the BBC.

"The launch of voice and touch ID makes it even quicker and easier for customers to access their bank account, using the most secure form of password technology – the body," said Francesca McDonagh, HSBC UK's head of retail banking and wealth management.

RBS and NatWest already support fingerprint scanning while Barclays apparently offers voice recognition to some corporate clients.

Anthony Duffy, director of retail banking at Fujitsu UK & Ireland, welcomed the roll-out as a highly accurate, cost-effective and scalable way of replacing password-based systems.

“Deployment of biometric technologies in British banking is still in its infancy, but will become commonplace. Customers will become increasingly familiar with it as it enters other parts of their lives,” he added.

“Already, biometric technologies are commonplace in mobile phones and are increasingly appearing in workplaces, particularly in controlling access to secure locations and in enabling use of technology such as laptops, tablets and the PC mouse. As users become comfortable with the technology, and increasingly appreciate its value in strengthening security of personal information and transaction details, we expect deployments of biometric technologies to become a mainstay of the financial services industry.”

Security experts have been calling for biometrics as a replacement for passwords for years, as they can’t be phished or cracked in the same way. However, concerns persist over false positives and false negatives.

Image credit: TungCheung /

Source: Information Security Magazine

PCI DSS 3.2 Expected as Soon as March

The next version of card data security standard PCI DSS could land as soon as next month, replacing the expected November release as the only update in 2016, according to the PCI Security Standards Council (SSC).

The council’s CTO, Troy Leach, explained that the standard is moving towards a system of smaller, more incremental modifications to address things like the EMV roll-out in the US, rather than larger, wholesale updates.

“When making changes to the standard, in addition to market feedback, we look closely at the threat landscape, and specifically what we are seeing in breach forensics reports as the trending attacks causing compromises,” he argued.

“With this in mind, for 3.2 we are evaluating additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE); incorporating some of the Designated Entities Supplemental Validation (DESV) criteria for service providers; clarifying masking criteria for primary account numbers (PAN) when displayed; and including the updated migration dates for SSL/early TLS that were published in December 2015.”

Leach was at pains to point out that any updates will still be followed by a sunrise period before they take effect, to let complying organizations complete their assessments and validate against the new requirements.

Changes to PA-DSS are also planned and will be published in the month following the release of PCI DSS 3.2, he added.

“It is a healthy practice for any company to regularly evaluate how it accepts payments and whether it can reduce the risk to its customers and its organization by changing business practices for cardholder data exposure; evaluating newer payment technology like tokenization and encryption; and confirming its third party service providers understand the importance of the upcoming changes as well,” Leach concluded.

“The revision of PCI DSS is as good a time as any to re-evaluate how to minimize effort while improving security posture.”

The PCI SSC has released guidance for firms looking to address migration from SSL/early TLS.

Source: Information Security Magazine

Email Security Awareness is High—Preparedness Is Not

Despite risk awareness, many businesses are ignoring critical cyber-issues. Case in point: although 83% of IT staff highlight email as a common attack vector, one in 10 report not having any kind of email security training in place.

That’s according to Mimecast’s Email Security Uncovered global research study, which also shows that while 64% regard email as a major cybersecurity threat to their business, 65% also feel ill-equipped or too out of date to reasonably defend against email-based attacks. One-third of respondents also believe email is more vulnerable today than it was five years ago.

Email continues to be a critical technology in business and the threats of email hacks and data breaches loom large over IT security managers. Consequently, confidence and experience with previous data breaches and email hacks play key parts in determining a company’s perceived level of preparedness against these threats and targeted email attacks.

But, among the least-confident respondents in the survey, 23% attest to lacking any supplementary security measures.

Overall, just 35% feel confident about their level of preparedness against data breaches. Of the 65% who feel unprepared against future potential attacks, nearly half experienced such attacks in the past, indicating that they don’t feel any more protected following an attack than they did prior.

“Our cybersecurity is under attack and we depend on technology, and email in particular, in all aspects of business,” said Peter Bauer, CEO, Mimecast. “So it’s very disconcerting to see that while we might appreciate the danger, many companies are still taking too few measures to defend themselves against email-based threats in particular. As the cyber threat becomes more grave, email attacks will only become more common and more damaging.”

Budget and C-suite involvement were the biggest gaps found between the most and least prepared respondents. Among the IT security managers who feel most prepared, five out of six say that their C-suite is engaged with email security. However, of all IT security managers who were polled, only 15% say their C-suite is extremely engaged in email security, while 44% say their C-suite is only somewhat engaged, not very engaged, or not engaged at all.

“It’s essential that executives, the C-suite in particular, realize that they may not be as safe as they think and take action,” said Bauer. “Our research shows there is work still to be done to be safe and we can learn a lot from the experience of those that have learnt the hard way.”

Those who feel better prepared to handle email-based threats also allocate higher percentages of their IT security budgets toward email security. These IT security managers allocate 50% higher budgets to email security compared to managers who were less confident in their readiness. From these findings, the data points to allotting 10.4% of the total IT security budget toward email security as the ideal intersection between email security confidence and spending.

Photo © deepadesigns

Source: Information Security Magazine

Akamai Bot Manager Takes Aim at Bot Traffic

The scourge of the bots shows no sign of waning: a fresh study shows that upward of 60 percent of an organization’s Web traffic may be generated by programs that act as an agent for a user or for another program, or that simulate human activity.

The finding has prompted Akamai Technologies to debut the Akamai Bot Manager, aimed at helping users better identify and understand what types of bot traffic are hitting their sites.

Nearly all online businesses can be impacted by various types of bot traffic. This traffic may include scrapers that grab content or price information, automated “clicks” that fraudulently increase ad revenues and transactional bots that can be used to purchase limited availability goods and services, making them unavailable to legitimate customers.

Further, there are situations where the impact of bot activity on the business may be beneficial, while the impact on site performance is not. As such, organizations require a way not only to identify the type of bot activity they are experiencing, but also to provide a variety of techniques to most effectively respond to different types of bot traffic beyond simple blocking. In the case of malicious bots, simply blocking them alerts the bot operator that protections are in place and triggers the bot to evolve in order to better evade detection.

Instead, Akamai Bot Manager uses a variety of management techniques—slowing or delaying bot traffic, serving alternate content, redirecting to an alternate origin, or identifying bot traffic and allowing customers to take independent action.

“Bot activity is in many ways a ‘cost of doing business’ when you sell online, and up until now, there has not been a good way to achieve the visibility into bot traffic necessary to make truly informed decisions,” said William Avellan, IT director at internet retailer U.S Auto Parts Network. “With Bot Manager, we have the information we need to solve all of the bot problems we’ve been facing including content theft, price scrapers, and even identifying the IP transit providers hosting these bots.”

Bot Manager also ships with a directory of more than 1,300 pre-defined bot signatures in 15 categories of legitimate web and business services, making it easier to rapidly identify commonly seen bot traffic. Companies can also create custom bot signatures and categories reflecting the impact that new and/or unique bots hitting their sites have on their business and IT infrastructure.

Detection features include the automatic identification of clients that have engaged in web scraping behavior against other Akamai customers; customers can then apply a unique management policy to each custom or pre-defined category.

“The web is full of bots and until now, companies had two choices, block them or suffer in silence. Unfortunately, neither choice was ideal,” said Stuart Scholly, senior vice president and general manager, Cloud Security Solutions, Akamai. “With Bot Manager, we’re changing the game when it comes to bots. We’re giving our customers the power and flexibility to put a true bot management strategy in place that best fits their business goals and objectives.”

Photo © Ken Wolter/

Source: Information Security Magazine

Dangerous RCE Flaws Found in Popular E-Com Software

Security experts have gone public with two Remote Code Execution vulnerabilities branded high-risk, after the e-commerce software vendors responsible failed to patch the issues despite being told about them at the end of December.

High-Tech Bridge Security Research Lab revealed the flaws in popular software providers osCommerce and osCmax in separate advisories yesterday, having notified the firms privately on 21 December.

Both are remote code execution flaws made possible by Cross Site Request Forgery (CSRF) and have been given a CVSSv3 base score of 5.3. However, the security vendor claimed both are easily exploitable via social engineering, so are in reality a much bigger threat to customers.

The osCommerce flaw has a particularly wide reach, as the project claims to serve over 280,000 e-commerce store owners worldwide.

“The vulnerability can be exploited to execute arbitrary PHP code on the remote system, compromise the vulnerable web application, its database and even the web server and related environment,” the advisory noted.

“Successful exploitation of the vulnerability requires the attacker to have access to the administrative panel; however, it can also be successfully exploited by a remote non-authenticated attacker via a CSRF vector, to which the application is also vulnerable.”

In osCmax, a popular e-commerce and shopping cart application, High-Tech Bridge found two RCE-via-CSRF flaws.

They’re characterized as PHP Local File Inclusion vulnerabilities and can be exploited to execute arbitrary PHP code on the target system.

High-Tech Bridge CEO, Ilia Kolochenko, warned osCommerce admins to be careful not to open any suspicious links in emails, on social networks, or comms platforms like WhatsApp.

“However, modern spear-phishing campaigns can be very efficient; for example, many web-shop owners will immediately open a link coming from a client who has already spent $100 in the shop. Attackers can buy one product for $100 and get your whole customer database just after, to sell it for $100,000,” he told Infosecurity.

“Moreover, we saw cases when a CSRF exploit was hosted on a trusted website which victims visit regularly every day, minimizing any interaction with the victim.”

Source: Information Security Magazine

Instagram Set to Switch On Two Factor Authentication

Photo sharing platform Instagram is set to switch on two-factor authentication capabilities to improve account security for its users in a long overdue move.

The Facebook-owned company has over 400 million users to date, many of them corporate account holders or others who use the platform as a marketing channel and a means to interact with customers.

Now the firm has finally confirmed to TechCrunch that it is joining countless other web companies in rolling out added authentication security for users.

This will mean that soon, on log-in, users will be asked to link their account to a phone number.

If a hacker then tries to log in using a victim’s email address and password – which they’ve stolen or phished – they will not be able to complete the log-in process as they won’t have the one-time passcode sent to the account holder’s mobile.
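The two-step login just described can be sketched in a few dozen lines, with the checks a practitioner would want around the one-time code: it is bound to the account, expires, can be used once, is compared in constant time, and a wrong-guess budget stops someone cycling through all six-digit values. This is an added illustration, not Instagram's or Facebook's code; the user record, salt, phone number, five-minute lifetime and five-attempt limit are constructed assumptions, and the SMS gateway is replaced by an in-memory list.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_CODE_ATTEMPTS = 5    # assumption: the challenge is discarded after five wrong guesses


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record; in a real deployment this lives in the account database.
SALT = b"constructed-salt-not-for-production"
USERS = {
    "rachel@example.test": {"pw": hash_password("correct horse", SALT), "phone": "+1-555-0100"},
}


class OtpChallenge:
    """Server-side state for one pending second factor. Only a digest of the code is kept."""

    def __init__(self, code: str, expires_at: float):
        self.digest = hashlib.sha256(code.encode()).digest()
        self.expires_at = expires_at
        self.attempts = 0


PENDING: Dict[str, OtpChallenge] = {}
SENT_SMS: List[Tuple[str, str]] = []   # stand-in for the SMS gateway (phone, code)


def start_login(email: str, password: str, now: Optional[float] = None) -> str:
    """Step 1: verify the password; if it is right, mint a one-time code and 'send' it to the phone."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is None or not hmac.compare_digest(hash_password(password, SALT), user["pw"]):
        return "bad-credentials"
    code = "%06d" % secrets.randbelow(10 ** 6)
    PENDING[email] = OtpChallenge(code, now + CODE_TTL_SECONDS)
    SENT_SMS.append((user["phone"], code))
    return "code-sent"


def finish_login(email: str, code: str, now: Optional[float] = None) -> str:
    """Step 2: the code must belong to a live challenge, be unexpired, match, and stay within the attempt budget."""
    now = time.time() if now is None else now
    challenge = PENDING.get(email)
    if challenge is None:
        return "no-challenge"          # nothing pending, or an earlier code was already consumed
    if now > challenge.expires_at:
        del PENDING[email]
        return "expired"
    challenge.attempts += 1
    if challenge.attempts > MAX_CODE_ATTEMPTS:
        del PENDING[email]
        return "locked"                # the user must restart with the password to get a fresh code
    if not hmac.compare_digest(hashlib.sha256(code.encode()).digest(), challenge.digest):
        return "wrong-code"
    del PENDING[email]                 # single use: the same code can never authenticate twice
    return "authenticated"


def last_sent_code() -> str:
    """Test hook standing in for the phone that received the SMS."""
    return SENT_SMS[-1][1]


if __name__ == "__main__":
    # A stolen password alone gets the attacker only as far as "code-sent"; the code goes to the phone.
    print(start_login("rachel@example.test", "correct horse"))
    print(finish_login("rachel@example.test", "123456"))
    print(finish_login("rachel@example.test", last_sent_code()))
```

The `now` parameter exists so expiry can be exercised without waiting; a real service would also rate-limit `start_login` itself, since each call sends an SMS the account holder did not ask for.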

The move comes over four years after parent company Facebook offered users the option of switching on two-factor authentication. Other big names providing the service include Google, Yahoo, Apple and Twitter.

In fact, it’s fast becoming the industry norm, so Instagram is somewhat late to the game here.

With phishing attacks becoming increasingly realistic and voluminous, and password-cracking tools readily available on the darknet, all web-facing firms really need to move to two-factor authentication to improve account security.

The infamous iCloud hack in particular showed the potentially damaging repercussions of not doing so.

While hacked Instagram accounts are unlikely to cause the same kind of embarrassment for the user, they still have the potential to send out irritating spam to followers, and could even damage account holders financially.

The report cited the case of artist Rachel Ryle, who uses the platform to share hand drawn stop-motion animations.

After someone hacked her account and began spreading spam, some 35,000 followers apparently unfollowed her, scuppering a hefty sponsorship deal she had lined up.

Image credit: tulpahn /

Source: Information Security Magazine

Hollywood Hospital Paid $17,000 Ransom to Decrypt Files

A Californian hospital struck by a ransomware infection which resulted in it being forced to cancel patient appointments has admitted it paid a $17,000 ransom to have key files decrypted.

The Hollywood Presbyterian Medical Center made headlines this week when it emerged that an unnamed ransomware strain had effectively forced a lockdown of its IT systems.

Staff are said to have declared an internal emergency when it hit on 5 February and were forced to use pen and paper and fax machines as email and online patient records were inaccessible.

Reports at the time suggested lab work, X-rays and CT scans were affected, with outpatients forced to miss treatment and some patients even sent to other hospitals.

However, in a lengthy statement on the matter yesterday, hospital president and CEO Allen Stefanek argued that patient care had “not been compromised in any way.”

Original reports of a 9000 BTC ($3.8m) ransom being demanded were wide of the mark – the actual amount was a more modest 40 BTC ($16,880).

The hospital ended up paying that to the cyber-criminals behind the attack.

“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this,” said Stefanek.

“HPMC has restored its electronic medical record system (‘EMR’) on Monday, February 15th. All clinical operations are utilizing the EMR system. All systems currently in use were cleared of the malware and thoroughly tested. We continue to work with our team of experts to understand more about this event.”

Given that law enforcers from the FBI and LAPD were said to have been drafted in to investigate the attack, it seems that their advice was to pay the ransom – hinting that the variant used was one which couldn’t be cracked, like Cryptowall.

In fact, it was reported last year that an FBI cyber specialist and assistant special agent told attendees at a conference that some ransomware is so good at encrypting files that “we often advise people just to pay the ransom.”

Source: Information Security Magazine

Dridex Gang Gets ‘Locky’ with New Ransomware Campaign

Security experts are warning that the same infrastructure used to deliver the infamous Dridex banking trojan is now behind a major new email-based ransomware campaign.

The “Locky” ransomware variant is distributed via email attachments, specifically Word documents disguised as invoices. The docs contain macros which download and install the ransomware, security firm Proofpoint explained in a blog post.

What particularly piqued the interest of the researchers who discovered it was the fact that the botnet behind the spam mail is the same as that which delivers the majority of emails containing the infamous Dridex trojan.

It’s apparently also responsible for some non-Dridex malware including Ursnif, Shifu and ransomware variants Nymaim and TeslaCrypt.

The firm added that, just like Dridex, the actors behind Locky are “pushing the limits” of campaign size, with spam volumes rivaling the biggest Dridex campaigns ever seen.

“Coincidentally, the same day we tracked the large spam campaign, we also spotted Locky being distributed in a Neutrino thread usually spreading Necurs,” Proofpoint continued.

“When run on the same virtual machine, the document from both the Neutrino drop and the spam emails generate the same individual ID, point to the same Bitcoin wallet, and appear to use the same infrastructure. This can be explained either by a common actor or, more likely, by a distribution in affiliate mode.”

As for the ransomware itself, Locky is said to encrypt files based on their extension, and replaces the desktop background with the ransom message. Victims are told to visit one of a choice of .onion or tor2web links to buy Bitcoin, send them to a specific address, and wait for their decryptor download.

It’s not confirmed yet whether this will actually decrypt the victim’s files, however.

Interestingly, over the past few weeks, while the Dyre trojan has fallen silent, those behind Dridex have been experimenting with new attack vectors, according to security researchers.

Source: Information Security Magazine