Monthly Archives: May 2013

LinkedIn boosts security similar to Twitter

LinkedIn Corp unveiled technology to improve the security of the social networking site for professionals, about a week after Twitter introduced similar tools following a surge in high-profile attacks on its users.

The optional service, known as two-factor authentication, is designed to verify the identity of users as they log in by requiring them to enter numeric codes sent via text message.

LinkedIn introduced the service on Friday, about a year after a highly publicized breach that exposed passwords of millions of its users. Some security experts criticized LinkedIn at the time, saying the firm had failed to use best practices to secure its passwords.

The site provided instructions to its 225 million users on how to turn on the optional service at linkd.in/1aIFV3D

Via: reuters

Department of Homeland Security Acknowledges Data Breach

Vulnerability in a vendor’s software may have exposed DHS employees’ names, Social Security numbers and birthdates.

The U.S. Department of Homeland Security (DHS) recently issued a statement acknowledging that a vulnerability in software used by a DHS vendor to process personnel security investigations may have exposed information including names, Social Security numbers and birthdates (h/t DataBreaches.net).

“DHS is evaluating all legal options and is engaged with the vendor to pursue all available remedies,” the department said in the statement.

According to DHS, the vulnerability has been present since July of 2009, and may have affected employees who submitted background investigation between July 2009 and May 2013 for positions at DHS headquarters, Customers and Border Protection, and Immigration and Customs Enforcement.

“While there is no evidence that any unauthorized user accessed any personally identifiable information, out of abundance of caution, DHS is alerting employees and individuals who received a DHS clearance, of the potential vulnerability and outlining ways that they can protect themselves, including requesting fraud alerts and a credit report,” the department noted.

Employees with questions are advised to call (855) 891-2739.

Via: esecurityplanet

Virtualizing apps could be the bridge over the BYOD security gap

Allowing BYOD has unfavorable implications for both the company and employees. Michael P. Kassner explores what businesses are doing to mitigate the risk.

In all my years working IT, I’ve never seen as divisive a chasm between users and IT professionals as the one brought on by Bring Your Own Device (BYOD). I’ve talked to several IT managers preparing for this article; every manager, but one, has agonized over what to do about BYOD.

One high-level IT manager told me about a meeting with her company’s C-level executives — the subject, BYOD. Her strategy was to convince the executives to move slowly in order to avoid any legal or business-related pitfalls from allowing personal devices in the workplace.

“Michael,” she said, “as I walked into the conference room, the execs already there, as if on cue, started fiddling with their personal smart phones.”

I think the discussion is over, unless do as I say, and not as I do is policy where my friend works. So how do IT departments cope? Do nothing and hope that some of the thorny legal issues concerning BYOD never happen?

Gambling that nothing will happen usually is not a good career move; we all know what happens when the blame game starts. Let me ask this, what if the BYOD problem could be solved in a way to make everyone happy?

The solution

My introduction to “the solution” occurred while reading a SANS paper by Adam Walter titled, “Endpoint Security through Application Streaming.” The first thing that caught my eye was the question Adam asked at the beginning of the paper:

Businesses are moving from a centralized core infrastructure to a decentralized one. This causes a number of issues as our businesses grow. The main issue is data flow. How do businesses maintain security when data is continually moving to the edges of our logical boundaries?

Could Adam be referring to BYOD? He continues:

A solution is needed that solves the problem while allowing the user to complete business tasks efficiently and without incident. Why not centralize again? The solution proposed in this paper works around keeping business work flows decentralized while centralizing data through application streaming.

I almost stopped reading right there. I wasn’t ready for yet another “how the cloud will solve all my problems” utterance. But my curiosity overruled:

Application streaming takes software and encapsulates it to fool the client operating system into believing it is running in the local run time. The client has an application experience similar to a local one. However, data never leaves the host server.

The term “application streaming” seemed familiar; if I remember correctly, something to do with Citrix. I also remember Citrix as being temperamental, and slow — really slow — when I first became acquainted with it many years ago.

Citrix has grown up

Once again my curiosity won, so I contacted Citrix hoping to talk to someone in the know about application streaming. My timing could not have been worse; Citrix was right in the middle of their biggest show of the year, Synergy 2013.

I was having no luck at all, then Latoya Mayo answered the phone. Latoya somehow managed to find Karen Gilles, Director of Communications, at the show. (Thank you, Latoya.) Karen then worked her own magic, hooking me up with Kevin Strohmeyer, Director of Product Marketing Desktops and Apps.

First thing I did was explain to Kevin what I thought Adam had in mind; a solution that removes BYOD from IT’s most hated list. Kevin then asked what it would take to get off the list. I suggested the following:

  • Personal devices used for work cannot store company data locally.
  • Personal devices and application-streaming software must meld seamlessly with the company’s network.
  • Using personal devices cannot be a security risk.

I also had a few thoughts about the app-sharing client. It must be able to work with a whole lot of different devices and operating systems, and be convenient to use.

I wasn’t remotely prepared for Kevin’s answer: “No problem, Michael. We have an application called Citrix Receiver. It meets all your requirements, and works with all major operating systems. We even have a version for Kindle.”

Kevin also said he didn’t mind the term app streaming, but Citrix calls that particular technology “Session Virtualization.” I noticed in my research there are a whole host of names given to this technology. I’d like to continue using app streaming, with the understanding that neither the application nor the data resides on the user’s mobile device.


The above diagram depicts how Citrix Receiver works. The user first logs into Citrix Receiver. Once the Receiver desktop opens (image below), the user selects the application needed.


XenApp then connects the user’s device to the host server where the application has been delivered. The user interacts with the application remotely by sending input to the server. The server then responds by sending screen updates back to the user’s device.

As I see it, Citrix Receiver:

  • Allows the user to get their preference in mobile device, and the IT department does not care as long as Citrix Receiver can be installed.
  • Isolates sensitive personal information from privileged company information (company data is never on the mobile device). This is particularly important to the individual and company if legal issues surface.
  • Reduces costs and simplifies device management. Licensing and maintenance of company applications occurs on the server, not each individual computing device.
  • Eliminates concern about malicious apps or over-reaching permissions in the case of devices using Android.

I’m usually above-average cynical, but it seems application streaming has a chance of being a bona fide solution. I say that with even more confidence after looking at several companies that started using Citrix or enlarged their Citrix environment just to accommodate BYOD.

An example

Remember my mentioning every manager but one was agonizing over BYOD? Well, the unworried manager works in the health-care field, and according to him; he only stays sane because Citrix services allow him to fulfill everyone’s IT needs, along with meeting all necessary government regulations.

A case in point: when doctors asked if they could use portable devices at the office and when they were at the hospital making rounds, it was a non-issue as long as there was a Citrix Receiver app for the tablet, phone, or notebook they wanted to use.

Just to make sure

I still had a few questions for Adam, particularly if what he had in mind matched what Citrix is offering.

Kassner: Adam, app-streaming technology similar to Citrix has been around for a long time. What has changed to make you feel it will help improve the mobile-device situation?

Walter: I feel products such as Citrix have been very good at responding to customer feedback, and their products have evolved to fit the changing corporate atmosphere. We now see a product that doesn’t just virtualize, but does so seamlessly. Also, we have a variety of vendors creating products that behave differently. This is a boon to corporations, because it allows them to find the solution that fits their needs.

Kassner: I read the following in your paper:

With application streaming you are moving towards an environment that is much easier to grasp. The security problems don’t go away, but by simplifying your environment you can make mitigation something much more attainable.

Would you explain what you mean? What is easier to grasp? And, why is mitigation more attainable?

Walter: As technology has evolved, it’s also grown increasingly complex. Ten years ago, networks were relatively simple. Today we have a plethora of virtual environments, complex routing tables, and so on.

Securing such environments requires significant technological knowledge, and a lot of effort to cover all traffic flows. With application streaming, we can move important data and applications to a secure core, and serve the rest of the company from there. That means you can establish smaller boundaries for compliance purposes and focus on them rather than the whole network.

Kassner: It’s hard to disagree with the notion that applications and data can be better protected residing in a data center. But lately, it seems having to focus on a single location helps the bad guys as much, if not more than the IT department: breached credit-card processing centers come to mind. Do you see this as a problem?

Walter: As mentioned in the white paper, most attacks are easily preventable. The problem is the networks are too complex. By reducing the number of egress points, we make security more attainable. A good analogy here is that it’s easier to guard the door of your house than it is to protect the Smithsonian.

Final thoughts

I have to thank Adam Walter — until I bumped into his paper; I felt BYOD was going to be one of those “have to live with” situations. Now it becomes a risk assessment, deciding whether the cost of using app-streaming software by Citrix or other vendors to mitigate legal, regulatory, and business downfalls is cheaper than the alternative.

I’d also like to thank everyone at Citrix, particularly Kevin Strohmeyer, for helping further my understanding of app streaming.

Via: techrepublic

BYOD Brings Big Financial Gains, Says Cisco Report

The BYOD trend has become a widespread part of corporate life, with 89 percent of organizations allowing employees to use their own devices for work. There are about 198 million BYOD devices in the six countries surveyed. Most are smartphones, but tablets and portable PCs are gaining, with the average employee using 1.7 BYOD devices.

What are the financial benefits of the Bring-Your-Own-Device (BYOD ) trend? A new study from Cisco finds that companies can save as much as $3,150 (U.S.) per employee, per year, but careful mobile device management (MDM) is key.

The report, released last week by Cisco’s Internet Business Solutions Group, showed about half of the potential savings coming from costs being shifted to employees, and half because of increased productivity. The report surveyed 2,415 mobile users in six countries — the U.S., the U.K., Brazil, China, Germany, and India.

With a full-scale or “Comprehensive BYOD” effort, the report said, employees will spend an average of $965 on their devices, plus another $734 in annual data plans. Time saved per week varied by country, from a low of four minutes in Germany to a high of 81 minutes for U.S. workers. The average gain in weekly productivity was 37 minutes.

89 Percent Allow BYOD

The dollar amount for productivity gain was based on how much each of those workers was paid per minute. With an average salary of $45,000 per year, the time saved represented about $75 for the German worker and about $1,518 for the American.

The Bring-Your-Own-Device trend has become a widespread part of corporate life, with 89 percent of organizations allowing employees to use their own devices for work. Currently, there are about 198 million BYOD devices in the countries surveyed, a number which Cisco said is expected to grow to 405 million within three years. Most of the BYOD devices were smartphones, as opposed to tablets and laptop PCs. Employees own an average of 1.7 devices.

Cisco said the current median level of BYOD implementation, which it calls Basic BYOD, generates an average $350 of savings per year, per employee in the U.S. The report envisions an ‘ideal’ quantity of employees bringing their own devices to use at work, which it calls Comprehensive BYOD.

It is in the U.S. that Comprehensive BYOD yields as much as $3,150 in total savings to companies. By comparison, basic BYOD in the U.K. offers $400 in savings, while Comprehensive BYOD can save up to $2,250. However, Cisco said, the average company today is only about 21 percent along the route to Comprehensive BYOD.

‘Warp Speed’ Move to BYOD

To reach a Comprehensive BYOD approach, Cisco recommends several key steps. They include (1) implementing a scaled architecture that turns any device into a trusted device, (2) the establishment of clear policies, (3) simplification of the process of getting and using mobile apps , and (4) a support mechanism that includes a social community helping each other.

Laura DiDio, an analyst with Information Technology Intelligence Corp, pointed out that “many firms don’t reimburse employees fully” for their costs for hardware, software or data plans.

One note of caution to managers and C-Suite executives: partial reimbursement, or more specifically not reimbursing employees fully for their expenses, could be creating a future liability if employees later decide to go after their employers to recover additional out-of-pocket expenses. (Perhaps a class action lawsuit waiting to happen?)

DiDio also said that the movement to Bring Your Own Device, which was “already turbo-charged,” could start to move at “warp speed” because of the savings demonstrated in this report. She noted a Gartner study that projected half of all companies in the U.S. will require employees to provide their own devices by 2017.

DiDio added that dual persona mobile management, where there are separate workspaces or even separate OSs on the same device to separate personal and work apps/data, is likely to become a more common solution to the security and control issue.

Via: enterprise-security-today

Chinese Said To Have Hacked U.S. Weapons Designs

“We have seen the theft of information from commercial and government organizations for many years,” said security expert Ken Silva. “But this incident is a clear example of the national security implications of such breaches. It is increasingly more evident that defensive measures don’t always work and organizations need to assume there has been, or will be, a breach.”

Last week, reports of hacks from groups in Iran made big headlines. This week, headlines are pointing fingers at China once again.

The Washington Post got the ball rolling with a story carrying the headline “Confidential report lists U.S. weapons system designs compromised by Chinese cyberspies.” The headline is enough to drive panic in security circles, even if it’s not surprising. Many security analysts have been warning of this possibility for years.

The Post pointed to a report prepared for the Pentagon by Defense Science Board leaders. The Defense Science Board is part of the Department of Defense that works to provide solutions to technological, operational and managerial problems.

Discovering the Breach

A spokesman for the Pentagon declined to discuss the list with The Post. But the spokesman, who was not authorized to speak on the record, told The Post in an e-mail, “The Department of Defense has growing concerns about the global threat to economic and national security from persistent cyber-intrusions aimed at the theft of intellectual property, trade secrets and commercial data, which threatens the competitive edge of U.S. businesses like those in the Defense Industrial Base.”

Ken Silva, senior vice president for cyber strategy of the Mission, Cyber and Intelligence Solutions group at ManTech International Corp., said that while it is not new that Chinese hackers have penetrated a number of companies and government agencies, this news is indicative of the types of information which have probably been gleaned from those penetrations.

“We have seen the theft of information from commercial and government organizations for many years. But this incident is a clear example of the national security implications of such breaches,” Silva told us. “It is increasingly more evident that defensive measures don’t always work and organizations need to assume there has been, or will be, a breach and put the proper tools and procedures in place to detect and deal with it quickly. Organizations without these tools and procedures have often made the discovery of a breach after months or even years of exploitation.”

What Enterprises Can Learn

Meanwhile, security experts are still talking about Iran, including Silva. As he sees it, the news regarding possible Iranian-backed hackers targeting the U.S. energy infrastructure is a clear indication that the stakes have been raised and that the methods by which nations will attempt to attack other nations are evolving rapidly.

“In general, nation-state attackers in China, Iran, Russia and South American countries are becoming more brazen and their attacks more complex, involving elaborate plans to steal intellectual property and money,” he said. “Now is the time for administrators and decision makers to either put a detection and mitigation strategy in place or finalize current plans so that quicker detection and mitigation of these types of sophisticated attacks becomes a reality and corporations put an end to the leaking critical information.”

Via: enterprise-security-today

Expect Facebook To Turbocharge ‘Notes’ Into A True Tumblr Competitor

Facebook used to have a blogging feature called Notes. It still does, but it got buried by the Timeline redesign and widely forgotten. Facebook needs to overhaul Notes, and signs say a refresh may already be in the works. It could help people express themselves, make Notes a legitimate competitor to Tumblr, and soften the blow of Facebook reportedly failing to buy Yahoo’s new baby.

Back in March, Facebook acqui-hired the team from Storylane, a sort of blogging platform its founders described as the “the home for personal thoughts and stories that go deeper than a quick Facebook or Twitter update.” It illustrated the rift between Facebook and Tumblr. Twitter is defined by its simplicity, so we’ll leave it out of this discussion.

When it comes down to it, Facebook is more limiting but consistent and easy for the masses. Tumblr gives you more freedom and control. Facebook’s brevity is sufficient for some, but others crave a more customizable presence on the web that’s separate from reports about their day-to-day life. If Facebook wants to house our whole digital lives, it may need to get serious about blogging. It’d be a big undertaking for the social network that could take a while to come to fruition. But better Notes could fill it with high-quality content, pull in ad views, and box out competitors trying to pick away at the Facebook empire.


Updates Vs Blogs: The Difference Matters

On Facebook, you write ‘status updates’ — short descriptions of your current life to keep your friends in the loop. They’re typically concocted for the news feed, rather than your Timeline, and have to adhere to Facebook’s style and format standards. They don’t have a home you’d be proud to show off.

Tumblr blogs feel like you’re writing for yourself. Strange, longer-f0rm dives into niche ideas that might weird out your Facebook friends fit naturally on your own blog alongside quick hits of images and content you’ve stumbled across or created. Tumblrs reach a like-minded audience of those who seek them out, rather than being forced on your social graph. There’s an emphasis on reblogging — lending your audience to content you appreciate. On Facebook there’s not much of a re-sharing culture. You just ‘Like”, which nets creators much less added influence.


When Notes launched in 2006, Facebook’s user base may not have needed it. It was around the same time the site was opening up to the public, and launching the news feed and status updates. For most of the social network’s users, short-form updates were enough. But the world has grown more tech savvy in the seven years since. People increasingly long for a place to call their own on the web. That desire, along with network effect and an improving state of mobile, led to massive, hockey-stick growth for Tumblr in 2010.

Now the signs say it’s time for Facebook to get back in the blogging game. There’s the Storylane acqui-hire. When that went down I asked Facebook about Notes and it was atypically cagey, which made me suspect something was in the works for the feature. Then there was Forbes’ report that Facebook was in talks with Tumblr about a potential acquisition before Yahoo successfully bought the startup. When I asked Facebook’s spokespeople flat-out whether the social network was redesigning Notes, I was met with a coy look and vague advice to watch out for something.

If you remember, Facebook launched its own Camera app just weeks after announcing it would buy Instagram. It had been working on it for a while and decided to launch it anyways. Similarly, a Notes overhaul may be in store, but without a successful acquisition of Tumblr running in parallel.

Fixing Facebook Notes

Facebook’s got a long way to go if it wants Notes to seriously compete with Tumblr and other populist blogging platforms. As of a few years ago I was one of the few people I knew using the feature. I’d employ Notes to host sets of links and descriptions of mixtapes I’d made or a calendar of upcoming concerts I’d compiled. Now I pretty much only see Notes used by outgoing Facebook employees leaving a long goodbye message, or Facebook divisions like Engineering posting deep descriptions of their latest coding adventures. I’m friends with a lot of power users, and if they’re not Noting, I bet the feature has quite poor traction overall.

It’s not hard to see why. First, Notes is totally buried. You have to fish the bookmark out of your massive list of third-party apps. Writing a Note presents you with a sterile white canvas, with no hint of personalization. You can add basic text formatting and some markup, plus embed photos. However, you can’t add videos or animated .Gifs, Tumblr’s lifeblood. Once you publish, the Notes get published to the news feed (probably their greatest strength), but live on a boring white feed hidden within Timeline’s “More” drop-down or the optional Notes section.


Compare that to Tumblr where there’s a wealth of customization options, and the ability to embed most kinds of media. Posts are distributed to a Tumblr’s followers. The Tumblr dashboard might not be as popular as the Facebook news feed, but there, posts don’t have to compete with the barrage of other content types.


To make Notes competitive, Facebook would need to make the product instantly accessible from the home page. It could become a selectable feed in the recently launched news feeds menu, and you could opt to write them straight from the status update composer. If someone actively writes, Facebook would need to prominently display a link to their feed of Notes on their profile so friends could discover their posts beyond the feed. Notes would need to offer stylish themes, accept more media types, and preferably support drag-and-drop uploading and formatting.

Figuring out privacy could be a challenge. Typically, blogs are public but Facebook is usually about sharing with friends. Defaulting to public would make Notes more sharable and help Facebook rack up ad impressions through page views, but it’d need to ensure people don’t accidentally expose themselves. Tumblr’s optional anonymity, NSFW content, and it simply not being Facebook all give it a coolness edge is some respects.

As for incentivizing authors, making it quick to reshare a Note (like reblogging on Tumblr) could give people wider reach than just their friends. That could attract both average Joes who don’t have much of an audience (similar to the intention of Quora’s new blogging feature), as well as public figures looking for massive influence.

On the business end, highly viral Notes could bring in traffic, but also box out Tumblr, which wants to monetize with sponsored posts in the dashboard that could compete with Facebook for ad dollars

In the end, the goals would be to:

  • Make it so even kids or Grandma could create a personalized, simple-to-update blog,
  • Allow the Tumblr demographic of hardcore Internet users to publish beautiful posts that reach their Facebook friends via the news feed so they don’t have to cultivate a new following elsewhere
  • Be classy enough for big names to want to house their opinions on Facebook’s blogging feature.

If given a proper reintroduction, Notes might be a departure from Facebook’s highly standardized look. Keeping tighter control of how people expressed themselves made Facebook easier to use and differentiated it from the chaos of Myspace. But if done right, Notes could give people a vivid way to share and connect. It could make sure Facebook hosts not just our pasts with Timeline, or our day-to-day with news feed, but also be the manicured nest for our deepest thoughts and the content we love.

Considering Facebook’s penchant for naming things what they are, I wouldn’t be surprised to see Notes eventually revived as “Facebook Blogs”.

Postscript: Too bad it didn’t do this a few months ago before Tumblr became such a media darling. Now whatever Facebook does in blogging may be cast as a copy in Tumblr’s shadow.

Via: techcrunch

Social media privacy explained – In plain English

Privacy is important to most of us and based on the feedback we get from Naked Security readers, especially important to you.

The problem with attempting to protect our privacy online begins with the policies.

They vary in complexity, but invariably they are confusing, contain carefully crafted language designed to hold up in a court of law and are too long for most people to get their heads around.

Fortunately some very smart people at the University of Victoria in British Columbia, Canada created The Canadian Access to Social Media Information Project (CATSMI Project).

The project analyzes the privacy policies of more than 20 popular social media services and provides a plainly worded description of what you can expect from them concerning the following topics:

  • Who is your Personally Identifiable Information (PII) disclosed to?
  • How can you complain? Is there a specific privacy officer listed?
  • Will your PII possibly be disclosed to law enforcement agencies? If so, why?
  • Can the site change its privacy policy without telling you?
  • Does the PII collected change depending on whether you are an adult or a child?
  • If you’re a child, can you sign up with adult consent?
  • What counts as PII that the site collects?
  • Can you opt out of disclosing your PII?
  • Does the privacy policy mention national or international privacy laws?
  • Can you permanently delete information that you previously provided?
  • Is the privacy policy just for that site or is it part of a larger organization?
  • Does the privacy policy involve self-regulation or a seal of approval?
  • Can you find out when the privacy policy was last updated? Can you see older versions?
  • Does the site make commitments to keeping your PII secure?
  • If there’s a breach of information on the site, will they let you know?
  • Can you access the privacy policy from the home page? Is the policy all in one place or in different parts of the website?
  • Can you correct or update your PII if you want to? Does the site tell you how to do this?

That’s quite a list! But it does pull out the most important information to know about what companies are collecting and what they are going to do with it.

For Canadians there is additional information on our privacy law, PIPEDA, and what might change if Parliament passes bill C-30.

CATSMI is a great resource for Canadians and I think a great resource for everyone. The easiest way to get started is to click on “Learn About…” -> “A Network” and choose a provider you are interested in.

It isn’t that hard and you owe it to yourself to be aware of what organizations want to do with your PII.

Spend a few minutes on CATSMI and use that information to help you decide what you want to share online.

Via: sophos

 

Only 36% of small firms apply security patches. No wonder cybercrooks are stealing their cash

Small businesses are under constant attack from malware, scams and online fraud.

They are not only losing money directly to fraud, but also in costs associated with maintaining security. Small businesses are simply woefully under-prepared to keep their assets safe. Despite reorganization and redirected priorities, the police can still do little to help.

This all emerges from a report on the threat of online fraud to small UK businesses, released by the FSB. No, not Russia’s slightly cuddlier successor to the KGB; this is the Federation of Small Businesses, a UK pressure group representing the needs of small businesses, and providing a range of services to them, boasting over 200,000 members.

Survey synopsis

The study takes the form of a survey of a subset of that membership, covering their experiences of online fraud, their attitudes to how it affects them, and what actions they’ve taken to protect themselves.

Now, such studies are notoriously biased – asking people with a vested interest and minimal specialist knowledge what they think of a complex technical issues will always give some off-the-wall results.

This report contains some useful data though, both on what small business owners think has happened to them in the past, and on the parlous state of their cyber defences.

Stats

The report kicks off with a third-party figure of £18.9 billion lost to fraud by small-and-medium enterprises. This boils down to an average of just under £4000 per business in their study, although that covers all kinds of fraud. A previous analysis came up with a figure of £2900 for ‘normal’ fraud, hinting that the figure for online losses is over a quarter of the total.

On the plus side, 49% of businesses suffered no fraud losses at all, and only around 7% lost more than £5000. 10% reported incidents of card fraud, including ‘card not present’ problems associated with online trading. Such issues, along with the costs and complexity of PCI-DSS compliance, have apparently discouraged many businesses from operating online at all.

20% report ‘virus’ infections, with a further 8% spotting hacking or other ‘electronic intrusion’, and that’s only those that knew about the issues – 73% claimed they had had no problems.

It would be interesting to see how the list of victims overlaps with those who regularly apply security patches to software (a mere 36%), and those who regularly update their anti-virus software (a much higher, but still rather depressing, 59%). 17% claimed they took no actions to counter cyber-attack, from a lengthy list of options.

The figures contrast rather oddly with another survey published just a month ago, produced by the Department for Business, Innovation and Skills (BIS), who also partnered with the FSB on this report. That survey does cover all types of data breach and all associated costs though, rather than just the direct costs of fraud.

Police action

A lot of businesses have gripes about the banks, how little they do to help and how much they cost. They also claim the police don’t help much either.

Indeed, among the study’s headline recommendations are a need to ‘manage expectations around the police response to fraud and online crime by highlighting the benefits of reporting in terms of feeding into a wider intelligence picture’ and ‘Inform businesses what the police do not have the capacity to deal with so they can take preventative measures to help themselves more’.

This is basically admitting that if your businesses is robbed online, the police may provide you with a pat on the hand and a sympathetic “there, there”, but that’s about it – you should be dealing with this stuff on your own.

At least there is that encouragement to keep reporting issues so their levels can be monitored, which gives some hope that one day even the police will begin to sit up and take notice. The police’s centralised, outsourced Action Fraud reporting system is referenced.

Top tips

The FSB study also provides a good, clear ‘ten top tips’ to help business owners protect themselves.

It includes the basics of running up-to-date security software, applying patches and using at least reasonably strong passwords.

Here are the FSB top ten tips:

  • Implement a combination of security protection solutions (anti-virus, anti-spam, firewall(s))
  • Carry out regular security updates on all software and devices
  • Implement a resilient password policy (min eight characters, change regularly)
  • Secure your wireless network
  • Implement clear and concise procedures for email, internet and mobile devices
  • Train staff in good security practices and consider employee background checks
  • Implement and test backup plans, information disposal and disaster recovery procedures
  • Carry out regular security risk assessments to identify important information and systems
  • Carry out regular security testing on the business website
  • Check provider credentials and contracts when using cloud services

This is a good start, but business owners clearly need a lot more help. In the UK at least, they may not be so at risk from the POS malware targeting their US cousins, but they face some serious issues.

Many of these problems are based on a simple lack of know-how and IT security illiteracy.

Sadly, even the best defenses can get breached, and there needs to be a stronger deterrent in the criminal system. With the internet involved, this means global action, which remains a rather distant dream.

Via: sophos

Researchers find critical vulnerabilities in popular game engines

Attackers could exploit the flaws to compromise game clients and servers, researchers from ReVuln said.

Security researchers found serious vulnerabilities in the engines of several popular first-person shooter video games that could allow attackers to compromise their online servers and the computers of players accessing them.

Security researchers Luigi Auriemma and Donato Ferrante from Malta-based security consultancy firm ReVuln found memory corruption and buffer-overflow issues in “CryEngine 3,” “Unreal Engine 3,” “Hydrogen Engine” and “id Tech 4.” These are game engines that are used in video games like “Quake 4,” “Crysis 2,” “Homefront,” “Brink,” “Monday Night Combat,” “Enemy Territory: Quake Wars”, “Sanctum”, “Breach,” “Nexuiz” and many others.

The vulnerabilities found by the two researchers can be used to launch remote code execution or denial-of-service attacks against game clients and servers by sending maliciously crafted data packets to them.

Auriemma and Ferrante presented their findings Friday at the NoSuchCon security conference in Paris and released a video showing proof-of-concept attacks against Crysis 2 and Quake 4 servers. More details about the vulnerabilities are available in a research paper released Monday.

The vulnerabilities covered in the paper haven’t been disclosed in advance to the affected game developers and are not yet patched, the two researchers said Tuesday via email.

ReVuln doesn’t report vulnerabilities to affected vendors. The company sells information about newly discovered vulnerabilities to third-party companies and government agencies as part of a subscription-based service.

Some of the game engine vulnerabilities disclosed in the new paper can be used to attack game servers, while others, like the ones in CryEngine 3, can be used to attack game clients, the researchers said. “Any attacker can exploit them without any user interaction or additional requirements.”

An attacker could, for example, set up a rogue server for one of the affected games and list it on a master server — a database of available game servers that gets queried by clients. This would allow him to compromise the computers of any players that join his rogue server by exploiting one of the remote code execution vulnerabilities present in the game engine.

In some cases such vulnerabilities can even be exploited when players query more information about the rogue server from the game client’s multiplayer menu, the researchers said.

Servers can also be compromised or crashed by sending them malicious packets from a client. If an attacker wants to disrupt a larger community of players, he can obtain a list of available game servers from a master server and crash them at regular intervals by exploiting one of the denial-of-service flaws.

Game servers are frequently targeted in wars between different game clans, by cheaters who want to artificially increase their game rankings or by competing game server hosts, the researchers said.

“Game companies usually tend to give more importance to anti-cheating solutions than to improving the security aspects of games,” they said. “In other words, they tend to care more about cheaters than people exploiting vulnerabilities on their users’ systems.”

Game vulnerabilities could also be used to compromise the computers of specific individuals or organizations in targeted attacks, the two researchers said. It’s not just kids and teenagers that play online games, but people of all ages with different backgrounds and jobs, they said, pointing out that a game player could be a technician working at a power plant, a politician, or anyone with access to some type of sensitive information or system.

When people play games, their defenses are down and the only thing standing between their computer and attackers is a vulnerable game that often doesn’t even have Windows exploit mitigation technologies like DEP (Data Execution Prevention) and ASLR (Address space layout randomization) enabled, they said.

Via: itworld

Twitter begins rollout of two-factor authentication to limit account takeovers

Twitter has enabled two-factor authentication, the company announced Wednesday.

“Every day, a growing number of people login to Twitter,” Jim O’Leary of Twitter’s Product Security Team wrote in a blog post. “Usually these login attempts come from the genuine account owners, but we occasionally hear from people whose accounts have been compromised by email phishing schemes or a breach of password data elsewhere on the web.”

The functionality will work similar to the way it does on Gmail.

Users opt in to the additional security feature in the “Settings” page and add a cell phone number. Then, each time they login to their account using their normal credentials, they are prompted to enter a six-digit verification code, which is sent via SMS to that phone number.

“With login verification enabled, your existing applications will continue to work without disruption,” O’Leary wrote. “If you need to sign in to your Twitter account on other devices or apps, visit your ‘Applications’ page to generate a temporary password to login and authorize that application.’

Twitter has faced pressure to deploy two-factor capability in light of a number of highly publicized account takeovers, including one that targeted The Associated Press. In that case, the attackers, from the “Syrian Electronic Army,” sent a tweet claiming there had been a bombing at the White House and President Obama was injured.

Not everyone is convinced, however, that an additional mode of authentication would be able to stop a dedicated hacker.

Via: scmagazine