Monthly Archives: August 2013

Tips for staying safe online when you’re traveling


It’s summer holiday season, when people pack up their smartphones and tablets, sunscreen and tank tops and set off for a change of pace. With connected devices it’s never been easier to find one’s way around, record memories, and stay in touch with friends back home.

When traveling it’s convenient to use public WiFi hotspots in places like airports and restaurants. Our Security Advisor Sean Sullivan says that public WiFi networks should be thought of as just that: public.

Because you’re sharing the network with strangers, there’s the risk that someone is using readily available software that snoops on what you’re doing.

“It may feel private because you’re using your personal device, but it’s not,” he says.

Sean advises against doing anything via public WiFi that you wouldn’t want an eavesdropper to know – including logging into accounts with passwords. “I use public WiFi happily for a topic I would discuss with a friend on the metro. Banking, I do at home,” he says.

Here’s a quick look at how people feel about traveling with their devices and how to stay safe online when you’re on the road.

Here are some more tips that will keep you secure wherever you may roam:

• Don’t let your device connect to public WiFi spots automatically.
• Delete the WiFi access points you’ve used when you arrive home.
• Don’t be logged into apps you don’t need while traveling.
• Check with the establishment you’re at to make sure the network you log onto is really theirs, and not one a snoop has set up to trick you.
• Be aware of your surroundings and anyone who could be trying to peek over your shoulder.
• Use a unique password for each account.
• For laptops, disable file sharing and turn on the firewall, setting it to block incoming connections.
• Use a VPN (virtual private network) if possible, which secures your connection even on public WiFi.
• Use a travel router with a prepaid SIM card for your own personal WiFi network.
• At the very least, watch for the padlock and “https” in the address bar for any site with your personal information. If they’re not there, avoid the site.
• A good general rule: Assume anything you do over public WiFi is part of a public conversation.

Via: safeandsavvy

Car hack highlights march toward remote control of critical systems

Defense Department’s DARPA funded the work, showing the government believes the number of computer systems in cars is a safety threat.

Security researchers who took control of two popular vehicles by connecting a laptop to their internal computers moved a step closer to one day being able to secretly commandeer a car from the driver, experts say.

By connecting cables to the cars’ electronic control units, the researchers were able to use the software they developed to steer left and right, apply the brakes and move the fuel gauge to zero, the BBC reported. The test was performed on a 2010 Ford Escape and a Toyota Prius.

The vehicles’ manufacturers did not consider the work a hack. That’s because the proof of concept, by Charlie Miller, a security engineer at Twitter, and Chris Valasek, director of security intelligence at IOActive, required a wired connection with the intruder in the vehicle.

However, that logic misses the point, security experts said Monday. Just because no one has been able to commandeer a vehicle by wirelessly hacking into its internal computers does not mean it won’t happen eventually. Miller’s and Valasek’s experiment shows that experts are getting closer.

“What they’re showing is every time they take a step, they’re taking a new step forward,” said Glenn Chisholm, vice president of product management and chief security officer of Cylance.

In 2010, researchers from Rutgers University were able to wirelessly hack a car’s tire-pressure monitoring systems and send a false low-pressure warning. The bogus signal was sent from a car traveling behind the target vehicle.

Of course, breaking into such a system is not nearly as complex as wirelessly hacking an ECU. ECUs are embedded systems that control steering, acceleration, braking and other critical functions.

Nevertheless, the 2010 experiment showed a wireless hack is possible, and the latest research demonstrates what could be done if an ECU is breached.

The fact that the Defense Department’s research facility DARPA funded the latest work shows that the government believes that the growing number of computer systems going into vehicles could present a safety threat.

“I believe that the digital attack surface for vehicles will undoubtedly increase in the coming years, and the fact that DARPA chose to sponsor Valasek’s and Miller’s work is a good indication that they see this field growing in importance,” Aaron Portnoy, vice president of research for Exodus Intelligence, said.

Car manufacturers insist they are paying close attention to security. Toyota told the BBC it has developed “very strict and effective firewall technology” against wireless attacks. Ford says “safety, privacy and security of our customers is and always will be paramount.”

Andrew Ginter, vice president of industrial security at Waterfall Security, said carmakers could learn from the practices of the nuclear power industry.

Monitoring systems are on one network while systems that control reactor operations are on a separate network that’s closed to the outside. Ginter suggested the same architecture for vehicles, where separate computers would be used for monitoring and for critical functions such as brakes, acceleration or steering.

“If they’re not connected, then the only thing you can hack over the network is the monitoring functions,” Ginter said. “The safety critical functions continue to work.”
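The separated-network design Ginter describes, as an added example that is not part of the original article and not any manufacturer's code: a one-way gateway sits between the safety-critical control bus and the monitoring network. Telemetry flows out; nothing that arrives from the monitoring side is ever forwarded onto the control bus, so a compromised monitoring host cannot reach steering or brakes. The frame IDs and payloads are constructed for this example and are not real vehicle identifiers.

```python
"""Toy model of a segregated vehicle network: monitoring can read telemetry,
but no frame from the monitoring side ever reaches the control bus.
All CAN-style IDs and payloads below are constructed for this example."""
from dataclasses import dataclass, field

CONTROL_BUS = "control"      # bus carrying safety-critical functions
MONITOR_BUS = "monitoring"   # bus exposed to telematics / external connectivity

# Constructed IDs for the functions that live on the control bus.
CONTROL_IDS = {0x100: "steering", 0x120: "brake", 0x140: "throttle"}
# Constructed IDs for read-only telemetry the monitoring side may receive.
TELEMETRY_IDS = {0x300: "speed", 0x310: "fuel_level", 0x320: "tire_pressure"}


@dataclass
class Frame:
    can_id: int
    data: bytes
    source: str  # the bus the frame arrived on


@dataclass
class OneWayGateway:
    """Forwards telemetry from the control bus to the monitoring bus only."""
    forwarded: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def handle(self, frame: Frame) -> bool:
        """Return True if the frame was exported to the monitoring bus."""
        # Nothing from the monitoring network has a path back to the control bus,
        # so a forged brake or fuel frame arriving from outside is simply dropped.
        if frame.source == MONITOR_BUS:
            self.dropped.append((frame.can_id, "inbound frames never reach the control bus"))
            return False
        # Control-bus traffic that is not exported telemetry stays internal.
        if frame.can_id not in TELEMETRY_IDS:
            self.dropped.append((frame.can_id, "not an exported telemetry id"))
            return False
        self.forwarded.append((TELEMETRY_IDS[frame.can_id], frame.data))
        return True


def run_scenario():
    """Replay constructed traffic through the gateway and return (gateway, decisions)."""
    gw = OneWayGateway()
    traffic = [
        Frame(0x300, b"\x00\x3c", CONTROL_BUS),  # speed reading: exported
        Frame(0x310, b"\x40", CONTROL_BUS),      # fuel reading: exported
        Frame(0x120, b"\xff", MONITOR_BUS),      # brake command from outside: dropped
        Frame(0x310, b"\x00", MONITOR_BUS),      # spoofed "fuel empty" from outside: dropped
        Frame(0x100, b"\x10", CONTROL_BUS),      # steering frame stays on the control bus
    ]
    decisions = [gw.handle(f) for f in traffic]
    return gw, decisions


if __name__ == "__main__":
    gateway, decisions = run_scenario()
    print("exported:", gateway.forwarded)
    print("dropped:", gateway.dropped)
```

The point of the model is the absence of a return path: even a frame that looks like legitimate telemetry is dropped when it arrives from the monitoring side, which is what makes the monitoring functions the only thing an attacker on that network can affect.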

Miller and Valasek were scheduled to present details of their work at the Defcon security conference in Las Vegas.

Via: csoonline

Two do’s and Two don’ts when migrating apps to the cloud

It’s easy to migrate on-premises applications to the cloud, but not so easy to do it right.

Relocating an application and data set running on a traditional platform to a cloud-based platform might seem like a humdrum shift. However, you must take into account many points before, during, and after the move. In many instances, you can boil down these considerations to simple do’s and don’ts.

Do consider the changes to the application architecture that should be made to take better advantage of the cloud platforms. In many instances, this means the application should undergo a change in architecture before moving to the cloud. Such changes might include the decoupling of data to allow for better distribution intracloud or intercloud. Consider moving to a services-oriented approach, which works and plays well with the abstraction of cloud services through APIs.

Do consider altering the application to use native cloud features. This means changing the application so that it’s optimized for the use of native cloud services, such as direct access to elastic storage, management interfaces, and auto provisioning.

There are many tools on the market that provide a quick “lift and shift” of applications during the move from traditional platforms to the cloud. Although the shifted applications may indeed run, they typically don’t take full advantage of the native cloud features, making them costlier to operate and less efficient.

Don’t follow the hype. Follow your own requirements. Although many public and private clouds may feel like the right place to put your application and data, you need to do your own requirements planning and proof-of-concept testing before you select the right path to the cloud. In many cases, your solution will be more complex than you originally thought, with multiple cloud providers and technologies in the mix.

Don’t forget about performance, security, and governance. I know this advice may feel like a bit of a broken record in this blog, but these concepts should be systemic to everything you do in the migration planning and implementation process.

Via: infoworld

$300 million ‘superhackers’ are not so super after all—make mistakes

Two of the five men named in an indictment last week, widely labelled “the largest ever hacking and data breach scheme in the United States”, were caught thanks to some pretty obvious carelessness – they posted their holiday snaps online and let their mobile phones broadcast their location to the cops on their trail.

29-year-old Dmitriy Smilianets, thought to have been in charge of monetizing the credit card data heisted by the rest of the gang, maintained a jaunty presence on social networks and ran a globe-trotting online gaming team, according to Reuters.

When one of his travelling companions was identified as Vladimir Drinkman, a suspected confederate of convicted ringleader Albert Gonzalez, cops put two and two together and closed in.

Drinkman’s phone was transmitting location data, allowing the law to pin the group down to a hotel in the Netherlands, where local police picked the two up as they prepared to board a tour bus.

Smilianets has been extradited to the US, while Drinkman remains in the Netherlands battling extradition.

The team’s lack of basic precautions seems to contradict recent speculation that an ‘inverse CSI effect’ may either deter potential cybercrooks, or force them to take ever more extreme care in covering their tracks.

The standard ‘CSI effect’ derives from the long-running TV show, which encouraged juries to expect miracles from crime scene scientists – CCTV images enhanced to show car license plates reflected in raindrops from a hundred yards, accurate facial reconstructions extrapolated from a single nasal hair and so on – and to find real-world science disappointing and unconvincing as a result.

The “inverse” effect, described in a forthcoming scientific paper, suggests that any digital wrongdoers not put off perpetrating crimes by the threat of improbably advanced detection techniques may instead have to increase the value of their heists to cover the growing costs of adequate caution, or take increasingly stringent measures to hide from the law.

While the scale of this crew’s eight-year run of crimes may fit the theory, the clumsy approach to anonymity and secrecy seems to fly in the face of its propositions.

The police may claim to have “got lucky”, but their luck was very much helped along by incompetence, arrogance and hubris.

The remaining three men listed in last week’s indictment remain at large in Russia, with the New Jersey US Attorney’s unusual step of naming uncaptured suspects seen as an open criticism of the ineffective input of Russian law enforcement.

If their approach to keeping a low profile is anything like that of their alleged cohorts, it’s only a matter of time before they’re brought bang to rights.

Via: nakedsecurity

60-Second iOS Charger Hack Detailed

Once Apple releases iOS 7, likely this fall, iPhones and iPods will respond to USB chargers in the same way that Android devices already do. If a charger is detected as being a computer and not an ordinary charger, users will be notified and will then have to choose whether or not to “trust” the charger, which should help protect against hack attempts.


Computer scientists from Georgia Tech showed off their ability to hack an iOS device in less than a minute during a presentation at the Black Hat security conference in Las Vegas this week. The researchers first announced the hack was possible in June, but finally detailed how the vulnerabilities in iOS devices could be exploited.

The researchers were able to inject malware into a device by using a custom-made power adapter that had a Linux-based program installed on it. Since current iOS devices will accept commands from a charger, seeing it as a regular USB host, the hack is relatively simple. Theoretically anyone would be able to hack a device as long as they can get their hands on an unlocked iPhone or iPod.

Apple has since responded to the demonstration stating that the vulnerability will be fixed in iOS 7. Following the initial announcement of the flaw, Apple introduced a patch into the beta version of the coming operating system.

Was There Really a Risk?

With all the steps necessary to carry out an attack by exploiting this type of vulnerability, it seems unlikely that someone would ever be able to do so in a real-life scenario. However, there are far more chances for this type of hack to occur than the average user realizes.

In the aftermath of recent natural disasters such as Hurricane Sandy, multiple companies stepped up to offer public phone chargers in airport terminals as well as around a devastated area. AT&T and GoPhone are two of the leading companies behind these public charging stations. GoPhone in particular has nine locations scattered around New York, and all it takes is someone to switch out a charger to hack a device.

The researchers from Georgia Tech showed that by simply plugging in a phone, they were able to switch out a regular Facebook app with a malware-infected one, resulting in the hacker being able to see whenever passwords or sensitive information were entered into the infected device.

Luckily, someone that wants to carry out this attack would require an Apple Developer account, and even though it is just a matter of paying a small fee, the number of potential hackers is limited greatly by that requirement.

The iOS 7 Fix

Once iOS 7 is released, iPhones and iPods will respond to USB chargers in the same way that Android devices already do. If a charger is detected as being a computer and not an ordinary charger, users will be notified and will then have to choose whether or not to “trust” the charger.

Between the low chance that someone would have their device hacked in this manner and the addition of a manual “trust” or “don’t trust” notification, this vulnerability is not likely to cause any harm. Whether it is actually worth worrying about or not, iOS 7 should be released in the fall and will patch the vulnerability.

Via: enterprise-security-today

White House mulls waving cash at businesses to get them to beef up cybersecurity

The White House is thinking about basically bribing businesses to get them to patch leaky cybersecurity.

According to Politico, the US government is pondering, specifically, tax breaks, insurance perks and other legal benefits for businesses that do some serious overhaul of their digital defenses.

Politico recently got its hands on a May 21 presentation from the Department of Homeland Security (DHS) that raised the notion of such incentives.

The incentives aren’t yet finalized.

They would be designed to entice critical infrastructure players in particular, such as power plants and water systems, to adopt voluntary standards that are now being drafted by government and industry in response to an executive order from President Barack Obama.

The standards will be hammered out by DHS and the National Institute of Standards and Technology (NIST). The bodies will be working with businesses to create a security framework that businesses will, ideally, adopt of their own volition.

Politico pointed out that the financial lures also need to be run through federal agencies, including DHS and the Treasury Department, to determine how tasty the enticements can be, either with or without the help of a Congress that has proved, unfortunately, markedly unhelpful.

The 12-page document from DHS – which Politico refrained from publishing – reportedly mulls not only financial and market benefits, but also legal benefits, including limited lawsuit protection for participating companies.

It’s wonderful to hear about incentives like this, particularly if they might spur organizations into getting insurance that could help to protect them from potentially devastating costs of data breaches or other cybersecurity dangers.

As it is, insurance professionals will tell you that many, if not most, businesses mistakenly think that general liability policies will cover them in times of cybersecurity mayhem.

Such policies won’t, but there are policies that will, and it’s wise to learn about them and know what questions to ask about such policies to make sure an organization is as well-covered as possible.

As Politico reports, experts believe that those organizations that adopt upcoming cybersecurity standards could be well-positioned to get breaks on such insurance, being able to point to the standards as evidence that they’re following best practices.

This is the juicy stuff that could greatly help to improve security postures.

As it is, the Homeland Security page about cybersecurity incentives is as dry as a sun-baked bone.

DHS talks about secure software engineering, security breach forensics, better training and the instillation of personal data “ownership” – all worthy, mind you, but all very blah, blah, blah.

Tasty cash, on the other hand? Much more interesting, I’d wager.

Let’s hope that the Feds can get something done, with or without the help of Congress.

Via: sophos

Kate and Will’s Royal Baby Sparks New Wave of Malware

Kate and William’s Royal Baby Sparks New Wave of Malware — SnoopWall warns of massive wave of malware likely to exploit this major news event.

SnoopWall, the world’s first counterveillance security software company, issued a major public warning today — that a new wave of malware has followed directly upon news of the birth of the royal baby, Prince George. Not only has media coverage of Prince William and Kate Middleton and their infant son captivated millions around the world, but cyber criminals and malicious hackers have exploited the news as a means to conduct scams and spread drive-by malware.

SnoopWall’s Research Division has discovered an alarming development that a significant number of Web sites, email messages, Twitter and Facebook posts are offering false promises of access to images and exclusive video coverage of the young prince’s first days. It appears that cyber criminals will exploit this news while it remains the most popular story across the globe, this week, possibly through the month of August.

“Malicious ne’er-do-wells are exploiting enthusiasm around the happy arrival of the prince by launching new scams and malware designed to steal personal and confidential information as well as to gain control of consumers’ laptops, smartphone and tablet devices,” said Gary S. Miliefsky, President and Founder of SnoopWall.

SnoopWall warns consumers to exercise extreme caution when receiving emails from both unknown and apparently trustworthy sources that contain links to news associated with this specific historic event. In addition, they should not visit sites or attempt to watch online video from odd locations or less popular sites outside of Vimeo or YouTube. With the announcement on July 24 of Prince George’s name, email and Internet users can anticipate additional waves of ransomware, spyware, Trojans and other kinds of malware launched from hyperlinks to searches of the baby’s name and related keywords. Finally, given their typically “unprotected” settings, users of laptops, tablets and smartphones may be particularly vulnerable, and may benefit from proactive protection.

SnoopWall applauds the selection of forward-thinking consumer-focused media who have also called attention to the rash of anticipated royal baby security scams, including these articles:

• The Huffington Post: “Beware Royal Baby Scams”
• Information Week: “Royal Baby Malware Attacks”
• Threatware: “Royal Baby Spam Campaign Leads to Black Hole Infected Site”


About SnoopWall

SnoopWall is the world’s first counterveillance software company focused on helping consumers and enterprises protect their privacy on all of their computing devices including smartphones, tablets, and laptops. SnoopWall’s software is proudly made in the United States of America. To learn more about SnoopWall, visit them online at http://www.snoopwall.com.

Via: enterprise-security-today

Backup Service IDrive Now Ships 1TB Hard Disks To Users Who Want To Back Up Large Amounts Of Data

Online backup service IDrive today announced a new service that allows its users to back up large amounts of data to the cloud. Instead of waiting around for days to upload what are often hundreds of gigabytes of data, IDrive now ships hard disks to its users so they can back up to a terabyte of data to the cloud. The users then ship the drive back to IDrive and the company enables the data on their account. After this, users can continue to use the company’s regular online backup service to send incremental updates to IDrive and, of course, restore their data from their cloud backup.

The service, called IDrive Express, is available for a one-time fee of $59.99. IDrive Pro users, whose paid accounts start at $99.50 per year for 100GB of backup storage, can use the service once per year for free.

The idea of using hard disks and FedEx or UPS to back up data is, of course, not new. Mozy, for example, also offers a similar service (though for the higher price of $275 for up to 1.8 terabytes), and both Google and Amazon allow developers to send in drives to enable large amounts of data in their respective clouds.


As IDrive’s CEO Raghu Kulkarni told me, the company originally thought that it would target this service at business users, but the team quickly realized that most personal users now also have very similar storage needs. Most of us, after all, store huge amounts of photos and videos on our local hard disks now.

The process to get started with IDrive Express is pretty straightforward. Users request a drive and it gets shipped to them. The drives include IDrive’s backup software, so starting the backup is just a matter of plugging the drive into your computer’s USB port (Mac and Windows are supported), waiting for it to finish and returning it to the company. IDrive will then upload it to your account in one of the four California data centers it has a presence in. All of the data is automatically encrypted during the backup process (in case the drive gets lost), and users can also use private key encryption to ensure that nobody at iDrive can see their data, either.

The whole process, Kulkarni says, should take less than a week. It’s worth noting that users do, of course, have to pay for the extra storage these backups need on iDrive’s servers. The service’s pricing plans start at $49.50 per year for personal use and $99.50 for business users who, in return, get support for multiple accounts and backups from Windows Server. IDrive, the company tells me, currently has about 2 million users, and about 250,000 of these are on a paid plan.

Via: techcrunch

SharePoint Mobile Security Solution Debuts

Fixmo and Mach 1 Partner to Prevent Sensitive Corporate Documents from Leaking via Mobile Devices — Joint solution offering combines defense-grade mobile security for Microsoft SharePoint with industry-leading document tracking and policy enforcement to mitigate external and insider threats.


Fixmo and Mach 1 Development today announced a strategic partnership that will see the two companies integrate Mach 1’s DocuTRACER(TM) technology with the Fixmo SharePlace(TM) mobile DLP solution for Microsoft SharePoint. As a result of the partnership, the companies will offer the industry’s first government-grade mobility solution for SharePoint that will enable IT organizations to digitally sign, track and trace sensitive digital documents as they move around the enterprise network, and to proactively prevent them from being moved to smartphones and tablets, in addition to desktop and laptop computers.

As iPads, iPhones and Android-based devices proliferate throughout government and enterprise markets, so too has the complexity of tracking the audit trail of sensitive and classified documents as they move around the network and onto consumer-grade smartphones and tablets. Even more difficult has been the task of preventing those documents from being stored on a mobile device in the first place in a high-assurance and auditable manner. Through the integrated solution offering, Fixmo and Mach 1 will now enable IT organizations to easily track and audit which sensitive documents have been stored on which mobile devices, and to proactively detect and remove specific documents through a sophisticated on-device security and policy enforcement engine.

“DocuTRACER is a powerful solution that enables IT organizations to track the location, movement and chain-of-custody of sensitive documents as they move between devices, users and networks,” said Paul Greene, CEO of Mach 1. “In partnering with Fixmo, we will now offer our joint customers a complete solution for securing corporate documents on mobile devices and ensuring highly sensitive information is closely tracked and controlled. This is all about helping our customers protect themselves from both outsider and insider threats.”

DocuTRACER embeds a digital fingerprint into a document when it is initially created and each time it moves or is modified, and records its associated location, movement, and chain-of-custody. It provides real-time analysis and reporting of user access, modification, and distribution of documents, and alerts managers to suspicious or unauthorized mission critical document movement, location, or use. Fixmo SharePlace is a defense-grade mobile solution for Microsoft SharePoint that keeps private corporate documents encrypted, contained and under IT control on Apple iOS and Android devices. It enables secure offline access to corporate documents while offering advanced data leakage prevention (DLP) controls and policy enforcement. The combined solution delivers a complete offering for securing and tracking documents on mobile devices, and for preventing highly sensitive documents from being accessed, stored or forwarded from smartphones and tablets.
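The fingerprint-and-chain-of-custody idea described above, as an added example that is not Mach 1's or Fixmo's implementation: each event (create, copy, modify) records the document's content hash plus who, where and when, and is linked to the previous event by an HMAC, so rewriting one record or dropping one from the log breaks verification. The key, actors, device names and sample document are constructed for this example.

```python
"""Added example: a tamper-evident chain-of-custody log for a document.
Key material, actors, device names and the sample document are constructed."""
import hashlib
import hmac
import json


def content_fingerprint(content: bytes) -> str:
    """Content hash recorded at every event; changes whenever the document changes."""
    return hashlib.sha256(content).hexdigest()


class CustodyChain:
    def __init__(self, signing_key: bytes):
        # Held by the tracking service only; someone who can edit the log but
        # does not hold the key cannot produce a valid MAC for a rewritten record.
        self._key = signing_key
        self.records = []

    def _mac(self, unsigned_record: dict) -> str:
        canonical = json.dumps(unsigned_record, sort_keys=True).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def append(self, event: str, actor: str, device: str, content: bytes) -> dict:
        """Record one custody event linked to the MAC of the previous one."""
        prev = self.records[-1]["mac"] if self.records else "0" * 64
        record = {
            "seq": len(self.records),
            "event": event,
            "actor": actor,
            "device": device,
            "fingerprint": content_fingerprint(content),
            "prev": prev,
        }
        record["mac"] = self._mac(record)  # MAC covers every field above
        self.records.append(record)
        return record

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of first bad record)."""
        prev = "0" * 64
        for i, rec in enumerate(self.records):
            unsigned = {k: v for k, v in rec.items() if k != "mac"}
            if (rec["seq"] != i or rec["prev"] != prev
                    or not hmac.compare_digest(self._mac(unsigned), rec["mac"])):
                return False, i
            prev = rec["mac"]
        return True, None

    def mobile_copies(self):
        """Events that placed the document on a mobile device (constructed naming scheme)."""
        return [(r["seq"], r["actor"], r["device"]) for r in self.records
                if r["device"].startswith("mobile:")]


def demo():
    chain = CustodyChain(b"constructed-demo-key")
    doc_v1 = b"Quarterly plan v1 (constructed sample document)"
    chain.append("create", "alice", "desktop:ws-17", doc_v1)
    chain.append("copy", "bob", "mobile:tablet-04", doc_v1)
    chain.append("modify", "bob", "mobile:tablet-04", doc_v1 + b" - edited")
    ok_before, _ = chain.verify()
    mobile = chain.mobile_copies()
    # Simulate an insider rewriting history to hide that the copy went to a tablet.
    chain.records[1]["device"] = "desktop:ws-17"
    ok_after, bad_index = chain.verify()
    return chain, ok_before, mobile, ok_after, bad_index


if __name__ == "__main__":
    _, ok_before, mobile, ok_after, bad_index = demo()
    print("intact before tampering:", ok_before, "mobile copies:", mobile)
    print("intact after tampering:", ok_after, "first bad record:", bad_index)
```

The fingerprint alone tells you that a document changed; the linked MACs are what let an auditor trust the record of where it went and who touched it.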

“The heightened risk of sensitive data leakage and document theft via mobile devices has become a front-and-center issue for Government agencies and regulated markets around the world,” said Daniel Ford, Chief Security Officer at Fixmo. “Through the integrated solution with Mach 1, our customers can now be alerted when a sensitive or classified document is downloaded to a mobile device with a full suite of capabilities for securing, tracking or destroying that instance of the document. It’s a powerful solution that will help organizations embrace mobile devices while mitigating the security and compliance risks of corporate data leakage and document theft.”

Via: enterprise-security-today

Malware Hijacks Social Media Accounts Via Browser Add-ons

Trend Micro spotted yet another threat lurking around social media sites targeting users of either Google Chrome or Mozilla Firefox. This threat uses fake extensions for both browsers to infiltrate user systems and hijack social media accounts – specifically, Facebook, Google+, and Twitter accounts.

To install these fake extensions, users would see various lures on social media sites trying to get them to install a fake video player update. In reality, this player update is a malicious file detected as TROJ_FEBUSER.AA, which installs a browser plugin depending on the browser currently being used.

One earlier version we saw for Google Chrome, detected as JS_FEBUSER.AA, identifies itself as Chrome Service Pack 5.0.0. In the case of Mozilla Firefox, the fake plugin is Mozilla Service Pack 5.0.


Figure 2. Names used by the malicious plugin

Google Chrome has since flagged this particular plugin as malicious. An updated version of the plugin, detected as JS_FEBUSER.AB, is identified as F-Secure Security Pack 6.1.0 (for Google Chrome) and F-Secure Security Pack 6.1 (for Mozilla Firefox).


Figure 3. Names used by the updated malicious file

Once installed, it connects to a malicious URL to download a configuration file. It uses the details on that configuration file to hijack the user’s social media accounts and perform the following actions, without any authorization from the user:

  • Like pages
  • Share posts
  • Join a group
  • Invite friends to a group
  • Chat with friends
  • Post comments
  • Update status

This threat tries to perform the above actions on three different social networks: Facebook, Google+, and Twitter. Because of this, in effect, the attackers are able to hijack the accounts of the users and could, for example, use them to spread links to other malicious sites.
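A defender-side triage of the traits described above (the lure names, content scripts injected into several social networks at once, broad host access, and a further host that could serve the configuration file), as an added example that is not Trend Micro's detection logic. It reads Chrome extension manifests (Firefox add-ons of this era used a different packaging format and are out of scope); the two manifests at the bottom are constructed, and config-server.invalid is a placeholder hostname.

```python
"""Added example: flag Chrome extension manifests with the traits of the fake
"Service Pack" / "Security Pack" add-ons. Sample manifests are constructed."""
import json

# Lure names reported for this family (case-insensitive substring match).
LURE_NAMES = ("chrome service pack", "mozilla service pack", "f-secure security pack")
SOCIAL_HOSTS = {"facebook.com", "twitter.com", "plus.google.com"}
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_from_pattern(pattern: str):
    """Reduce a Chrome match pattern to a bare host; '*' means any host,
    None means a named permission such as "tabs" rather than a host pattern."""
    if pattern in BROAD_PATTERNS:
        return "*"
    if "://" not in pattern:
        return None
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    return host.lstrip("*.")


def assess_manifest(manifest: dict) -> list:
    """Return human-readable findings for one manifest dict (empty list = nothing notable)."""
    findings = []
    name = manifest.get("name", "")
    if any(lure in name.lower() for lure in LURE_NAMES):
        findings.append(f"name matches a known lure: {name!r}")

    injected = set()
    for script in manifest.get("content_scripts", []):
        injected.update(host_from_pattern(p) for p in script.get("matches", []))
    injected.discard(None)
    social = sorted(h for h in injected if h in SOCIAL_HOSTS)
    if len(social) >= 2:
        findings.append("content scripts injected into social networks: " + ", ".join(social))

    granted = {host_from_pattern(p) for p in manifest.get("permissions", [])} - {None}
    if "*" in granted or "*" in injected:
        findings.append("broad host access (all URLs)")
    other = sorted(h for h in granted if h != "*" and h not in SOCIAL_HOSTS)
    if social and other:
        findings.append("also reaches non-social host(s), possible config download: "
                        + ", ".join(other))
    return findings


def scan(manifests: list) -> dict:
    """Map extension name -> findings for extensions with two or more findings."""
    report = {}
    for manifest in manifests:
        findings = assess_manifest(manifest)
        if len(findings) >= 2:
            report[manifest.get("name", "<unnamed>")] = findings
    return report


# Constructed sample manifests: one modelled on the reported add-on, one benign.
SAMPLE_MANIFESTS = [
    {
        "manifest_version": 2,
        "name": "F-Secure Security Pack",
        "version": "6.1.0",
        "permissions": ["tabs", "<all_urls>", "http://config-server.invalid/*"],
        "content_scripts": [{
            "matches": ["*://*.facebook.com/*", "*://twitter.com/*", "*://plus.google.com/*"],
            "js": ["inject.js"],
        }],
    },
    {
        "manifest_version": 2,
        "name": "Constructed Notes Helper",
        "version": "1.2",
        "permissions": ["storage"],
        "content_scripts": [{"matches": ["*://notes.example.com/*"], "js": ["notes.js"]}],
    },
]

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_MANIFESTS), indent=2))
```

A name match on its own is weak evidence (the family renamed itself once already, per the text above), which is why the report only surfaces extensions that combine it with the behavioural traits: scripts on several social networks plus access to an unrelated host.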

One more thing to note: the fake video player update is digitally signed. Digital signatures are a way for developers and publishers to prove that a file did come from them and has not been modified. Potential victims may take this to mean that the file is legitimate and harmless.


Figure 5. Valid digital certificate of the malicious video player update file

It is not yet clear whether this certificate was fraudulently issued, or whether a legitimate organization had its signing key compromised and used for this purpose.

Users are once more reminded to always be aware and vigilant of such scams. Cybercriminals are getting better at making their lures much more convincing, even resorting to abusing legitimate services and users in order to appear legitimate.

Via: trendmicro