Monthly Archives: September 2014

Apple issues seven updates, fixes more than 40 vulnerabilities in iOS 8, OS 10.9.5

Microsoft reflexively releases patches for its products one Tuesday of every month to much fanfare. Apple does not, but on occasion, the Cupertino, Calif.-based company issues what SophosLabs in a Naked Security bulletin calls “Update Surprisedays.”

Wednesday was one of those days, with Apple unleashing seven updates designed to plug holes and boost security in iOS 8 and OS X 10.9.5 (Mavericks), as well as Apple TV 7, OS X Server 3.2.1, OS X Server 2.2.3, Apple’s development environment Xcode, and Safari 6.2 and 7.1.

The company fixed more than 40 separate vulnerabilities, “covered by 55 CVEs,” 10 of which “could allow remote code execution, including three inside the kernel,” the blog said, noting a “laundry list of holes fixed,” such as lock screen bugs, incorrectly implemented address book encryption, deprecated and insecure Wi-Fi authentication and Safari’s password manager leaking passwords. Saying the iOS updates added more features than security patches, the Sophos blog noted that the updates contained enough significant security fixes to make updating worthwhile for Apple users.

Of note, one of the patches made good on Apple’s promise to “stop its iDevices giving you away automatically to any Wi-Fi access point you walked past,” the Sophos blog said. The devices transmit their Media Access Control (MAC) addresses in every packet sent over Wi-Fi, which, although it doesn’t identify the user, can tell a marketer “that the same person who just bought cotton trousers in menswear is not browsing near the organic yogurt section in the food department,” the blog said.

The updates also cover “Remote Code Execution (RCE), Information Disclosure that allows attackers to bypass Address Space Layout Randomization (ASLR), and Elevation of Privilege (EoP),” SophosLabs said.

Shaun Murphy, CEO of PrivateGiant, said in a Friday email correspondence that he wasn’t surprised by the updates. “Bugs creep up in software depending on how much quality assurance you go through,” he said. “iOS 8 has a lot of new capability that is a departure of Apple’s sandboxing (extensions, widgets) so we’ll see how well they can balance security, convenience and elegance.”

He added that the Heartbleed/OpenSSL vulnerability demonstrated that “even critical pieces of software can have major problems creep up” for even major vendors, so the industry must “keep looking for all possible attack vectors, obvious or not.”


Via: scmagazine

5 Ways to Protect Your Sexy Photos & Other Private Files You Have Online

News flash: It’s not just celebs that get hacked! Since the iPhone 6 is making its long-awaited debut and Jennifer Lawrence is trending thanks to her recent naked photo leak, digital privacy is once again a concern.

The reality is that most of us think that we’re practicing “safe text” if we have managed to install a password on our phones, but with apparent “thunderstorms” in the “Cloud” and other digital info drips, can you really be sure that the saucy pic you just sent your significant other will be seen by his eyes only?

Well, the only surefire way to ensure you never get “violated” online is to not engage (i.e., the cyber equivalent of “just say no”). However, in this day and age, those who somehow inexplicably aren’t glued to their favorite sites and social networks will just get left behind. A better bet? Learn to work it, but go in armed with some smarts about how to protect yourself.

Robert Siciliano, an identity theft expert with Hotspot Shield, offered these 5 tips for helping make sure your private files stay private — online and otherwise.

1. Set Kick-Butt Passwords. All tablets, laptops, desktops, and mobiles should have a password installed to lock the device in case they are lost or stolen. Having a password on your phone and also for your accounts is a good start for privacy, but if they’re too predictable, you can be easily hacked (i.e., 1234 isn’t a good password and neither is your birthday because someone might be able to find that info online).

“Do away with the ‘Fitgal1982’ password and use an extremely uncrackable one like ‘9&4yiw2pyqx#,’” suggests Siciliano. “Phrases are good too — and regularly change your passwords.” If you’re thinking, But I can’t remember my passwords if I change them or make them too hard (okay, full disclosure, that’s what WE were thinking), Siciliano says that it’s okay to keep a password log. “Backing up all your passwords with a password manager is always recommended. Simply Google ‘password manager’ to see your options.”

2. Watch Your Wi-Fi. Logging in through a public Wi-Fi portal or pilfering your neighbor’s Internet connection? Be aware that whenever you’re browsing or sending info through a connection that isn’t your own, there is a higher chance you could be hacked. The solution? Anytime you’re sending potentially private info you don’t want anyone but the intended recipient to see, switch over to your own provider’s 3G/4G network, which is generally safer than sending anything through a public connection. And if you have a wireless router at home, Siciliano suggests you change the default settings to set up a private, password-protected connection for yourself (so others aren’t able to “get into” your Wi-Fi pocket as well).

3. Use a Barrier Method. Installing a protective encryption device or privacy app to your tech toys is a smart proactive choice before you send revealing selfies (or any private information, really) over a public Wi-Fi connection. Simply type in “Privacy apps” in the iTunes App store and you can get some free or low-fee apps like Hotspot Shield for your iPhone or iPad that will basically scramble the info you send and make it harder for hackers to bust into your bandwidth. “If you use a VPN [virtual private network] like the ones you set up through this type of app, you are in great shape,” says Siciliano.

4. Erase Digital Footprints. Are you comfortable with people knowing where you are at all times? You shouldn’t be. But if you like to take photos with your mobile, be aware that most smartphones save the location where you took the shots, which is no longer a secret once you post the photos on Facebook, Twitter, Instagram, etc.

“Data that’s embedded in the pictures can reveal the home location, thanks to traces left by the imaging devices,” says Siciliano. “This data is called exchangeable image file format (EXIF) and may contain GPS coordinates of where the image was shot.”

In other words, you might inadvertently be giving hackers way too much info about yourself by innocuously posting a photo on social media. The fix here is to go into your phone or tablet’s privacy settings (check the “location services” section) and seek out which apps are using/providing location data; then determine how much you really need them to do that. “Basically I’ve turned off every location setting that isn’t a map,” says Siciliano. “If I need something like Yelp, then I’ll turn it on on an as-needed basis.”
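To make the EXIF point concrete, here is an added example (not from the original article or from Siciliano) that shows exactly where the GPS coordinates live inside a JPEG and how to remove them before a photo is shared. It builds a tiny JPEG skeleton with a constructed Exif block (the coordinates are made up), walks the TIFF IFD structure to recover the latitude and longitude in decimal degrees, and then strips the whole APP1/Exif segment. Real photos carry more segments and more tags, but the GPS sub-IFD (tag 0x8825) is parsed the same way.

```python
"""Minimal EXIF GPS reader / stripper for JPEG files (added example).

Constructs a JPEG skeleton carrying a GPS Exif block, recovers the
coordinates from it, and removes the Exif segment before sharing.
"""
import struct

TAG_GPS_IFD = 0x8825                     # IFD0 entry pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # bytes per TIFF type


def iter_segments(jpeg):
    """Yield (marker, start, end) for each JPEG segment.  Scan data (SOS) and
    everything after it is yielded as one final chunk."""
    i = 0
    while i < len(jpeg):
        if jpeg[i] != 0xFF:
            raise ValueError("expected marker at offset %d" % i)
        marker = jpeg[i + 1]
        if marker in (0xD8, 0xD9, 0x01) or 0xD0 <= marker <= 0xD7:
            yield marker, i, i + 2            # stand-alone markers carry no length
            i += 2
        elif marker == 0xDA:
            yield marker, i, len(jpeg)         # SOS: rest of file is entropy-coded data
            return
        else:
            (length,) = struct.unpack_from(">H", jpeg, i + 2)
            yield marker, i, i + 2 + length
            i += 2 + length


def _read_ifd(tiff, endian, offset):
    """Return {tag: (type, count, 4-byte value/offset field)} for one IFD."""
    (n,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for k in range(n):
        base = offset + 2 + 12 * k
        tag, typ, count = struct.unpack_from(endian + "HHI", tiff, base)
        entries[tag] = (typ, count, tiff[base + 8:base + 12])
    return entries


def _value(tiff, endian, entry):
    """Resolve an entry to its raw bytes: inline if <= 4 bytes, else at offset."""
    typ, count, field = entry
    size = TYPE_SIZE[typ] * count
    if size <= 4:
        return field[:size]
    (off,) = struct.unpack_from(endian + "I", field)
    return tiff[off:off + size]


def _dms_to_decimal(raw, endian, ref):
    """Three RATIONALs (deg, min, sec) -> signed decimal degrees."""
    n = struct.unpack(endian + "IIIIII", raw)
    value = n[0] / n[1] + n[2] / n[3] / 60 + n[4] / n[5] / 3600
    return -value if ref in (b"S", b"W") else value


def _is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0"


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None."""
    for marker, start, end in iter_segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            continue
        tiff = jpeg[start + 10:end]
        endian = ">" if tiff[:2] == b"MM" else "<"
        (ifd0_off,) = struct.unpack_from(endian + "I", tiff, 4)
        ifd0 = _read_ifd(tiff, endian, ifd0_off)
        if TAG_GPS_IFD not in ifd0:
            return None
        (gps_off,) = struct.unpack_from(endian + "I", _value(tiff, endian, ifd0[TAG_GPS_IFD]))
        gps = _read_ifd(tiff, endian, gps_off)
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        lat = _dms_to_decimal(_value(tiff, endian, gps[GPS_LAT]), endian,
                              _value(tiff, endian, gps[GPS_LAT_REF])[:1])
        lon = _dms_to_decimal(_value(tiff, endian, gps[GPS_LON]), endian,
                              _value(tiff, endian, gps[GPS_LON_REF])[:1])
        return lat, lon
    return None


def strip_exif(jpeg):
    """Return a copy of the JPEG with every Exif APP1 segment removed."""
    out = bytearray()
    for marker, start, end in iter_segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            out += jpeg[start:end]
    return bytes(out)


def build_sample_jpeg():
    """Constructed sample: SOI + Exif APP1 + EOI, tagged with made-up
    coordinates 37 19' 54.6\" N, 122 1' 52.2\" W."""
    ifd0_off, gps_off = 8, 26
    lat_off = gps_off + 2 + 4 * 12 + 4          # 80: three RATIONALs follow the GPS IFD
    lon_off = lat_off + 24                       # 104
    tiff = b"MM" + struct.pack(">HI", 42, ifd0_off)
    tiff += struct.pack(">H", 1) + struct.pack(">HHII", TAG_GPS_IFD, 4, 1, gps_off) + struct.pack(">I", 0)
    tiff += struct.pack(">H", 4)
    tiff += struct.pack(">HHI", GPS_LAT_REF, 2, 2) + b"N\0\0\0"
    tiff += struct.pack(">HHII", GPS_LAT, 5, 3, lat_off)
    tiff += struct.pack(">HHI", GPS_LON_REF, 2, 2) + b"W\0\0\0"
    tiff += struct.pack(">HHII", GPS_LON, 5, 3, lon_off) + struct.pack(">I", 0)
    tiff += struct.pack(">IIIIII", 37, 1, 19, 1, 546, 10)
    tiff += struct.pack(">IIIIII", 122, 1, 1, 1, 522, 10)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


SAMPLE_JPEG = build_sample_jpeg()

if __name__ == "__main__":
    print("GPS in sample:", extract_gps(SAMPLE_JPEG))
    print("GPS after strip:", extract_gps(strip_exif(SAMPLE_JPEG)))
```

The stripper removes the entire Exif segment rather than editing individual GPS tags, which is the safer default for sharing: orientation and camera fields go too, but nothing location-related can be left behind in an IFD the tool did not know about.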

5. Don’t Shy Away From the Cloud. Just because someone apparently got into J-Law’s private photo stash on the Cloud, which is just another word for online backup, you shouldn’t be afraid to back up your own info that way. Siciliano says that it was likely her password that was hacked, not the Cloud itself (revisit item #1 for setting strong passwords). But backing up your information on an external hard drive and also via an Internet service is recommended by Siciliano. Just decide what you really need to have stored there (do you really need your racy photos saved for all eternity?).

The bottom line is if you would be absolutely horrified if your private stuff were leaked online, don’t send it around to begin with.

“The fact is if you don’t want your data ever being public, you simply shouldn’t do it,” says Siciliano. But since most of us aren’t in the category of J-Law (the probability of someone wanting to spread our naked pics is markedly lower), then with just a few safety precautions, you can enjoy the spice that a little tech play can afford a relationship sans stress.


You could also use Freedome to protect your private data and choose from 12 different virtual locations on iOS 7. But it could be a hassle, requiring you to switch profiles or possibly lose connection.

On iOS 8, your Freedome VPN connects and stays connected. That’s it.



Via: cafemom

Get LastPass for iOS 8 Today!


The LastPass app for iOS 8 is here! As we announced last week, our updated app now fills your web logins with our new LastPass extension for Safari, and offers Touch ID integration for an even easier mobile authentication experience.

Today, we’re excited to introduce you to these new features and show you how they work:



With this app update, we’re introducing a mobile experience that’s much more in-line with our vision … one that’s faster, simpler, and more powerful than ever on iOS.

Once you’ve updated your device to iOS 8, getting started with the new LastPass extension in Safari and the Touch ID integration requires a few simple setup steps:



The one-time setup steps include enabling Touch ID in the LastPass app and toggling the LastPass extension in Safari; please refer to our user manual for a more detailed walk-through.

Grab these new features by downloading or updating the LastPass app from the App Store after you’ve upgraded to iOS 8. A free 2-week trial is available for the LastPass app before upgrading to LastPass Premium for unlimited mobile sync.



Via: lastpass

Apple adds two-step verification for iCloud, and it starts now

Apple really is listening, and doubly so!

The company backed down over the “foistware” U2 album that you recently received via iTunes, like it or not.

And later the same day, it announced that its two-step verification system would be applied to iCloud, effective immediately.

We’re delighted to hear it!

Bogus blame of iCloud in nude photo scandal

At the start of September 2014, a scandal broke when illegally-collected nude photos of 100 celebrities were published online.

Early rumours suggested that this might be down to some sort of iCloud “hack,” because at least some of the photos had been stolen from iCloud accounts, and because the photos all appeared at once, as though they had been grabbed as a job lot.

That turned out to be bogus reasoning.

The photos were apparently stolen from multiple sources in various ways, but released as a job lot by a collector.

He seems to have accumulated them in a series of underground trades and purchases.

So stolen, phished, keylogged and otherwise illegally acquired Apple ID passwords are a better explanation for the iCloud-related celebrity selfie breaches than a problem in iCloud itself.

→ Remember, re-used passwords make the problem worse: if you have one password for all your accounts, the crooks can breach any one of them and that’s that. So phishing your Gmail password would get them into iCloud, or vice versa.

Two-step verification

Apple’s response, as we reported at the time, was to urge iCloud users to turn on its two-factor authentication system, known as two-step verification (2SV).

2SV augments your password with a one-time login code sent via SMS:

Even a crook who knew your Apple ID password wouldn’t have enough to get into your account and restore your iCloud data onto his computer.

Also, if you were to see SMS verification codes popping up when you didn’t expect them, you’d have an early warning that someone was trying (and failing!) to breach your account.

Huzzah for Apple, we thought.

2SV not enough

Except that 2SV didn’t apply to iCloud at all, as Naked Security writer Chester Wisniewski went out of his way to check.

Turning on 2SV only protected certain operations on your Apple account, such as editing your account details or buying products from iTunes or the App Store from a new computer or device.

So they ran a poll, asking whether Apple should change its mind and extend 2SV to iCloud.

The results were overwhelming:

Nearly 95% of you said, “Yes.”

Apple pays attention

And Apple, it seems, was listening, sending out an email late yesterday Cupertino time (2014-09-16T18:00-07:00) to its 2SV users:

Thank you for using two-step verification to protect your Apple ID. This email provides information about recent updates to your service.

Two-step verification now protects iCloud

Starting today, in addition to protecting your Apple ID account information, two-step verification also protects all of the data you store and keep up to date with iCloud. For more information, read the Two-Step Verification FAQ.

The FAQ (which is article HT5570 in Apple’s knowledgebase) has been updated accordingly:

It now lists 2SV as applying when you:

  • Sign in to My Apple ID to manage your account
  • Sign in to iCloud on a new device or at
  • Make an iTunes, App Store, or iBooks Store purchase from a new device
  • Get Apple ID related support from Apple

2SV still not right

This is a good move, and we want to express public thanks to Apple for responding so quickly.

But we’ll also offer the opinion that the company still hasn’t got 2SV right.

Indeed, it’s a bit of a stretch for Apple to say that 2SV now “protects all of the data you store and keep up to date with iCloud” when, in fact, it only protects your very first login with a new device.

In other words, after you’ve signed in for the first time from your new iPhone, 2SV provides no further protection as you go about actually storing and keeping your data up to date.

In the same way that Apple’s 2SV can’t be turned on for every online purchase you make (why not?), it can’t be turned on for your actual data interactions with iCloud, such as kicking off a restore (why not?).

Allowing a stolen password alone to be used to pull down all your iCloud data, even if it’s being restored to your usual device, seems a huge waste of 2SV.

Trusted apps

Apple’s email also tells you that:

If you use iCloud with any third party apps such as Microsoft Outlook, Mozilla Thunderbird, or BusyCal, you can now generate app-specific passwords that allow you to sign in securely even if the app you are using does not support two-step verification.

. . .

App-Specific passwords will be required starting on October 1, 2014.

App-specific passwords (which effectively act as a pre-approved security bypass) are far from ideal.

But they do prevent crooks from bypassing your 2SV simply by choosing a login method that doesn’t support it.

Again, this is a good move, and hats off to Apple for setting a short deadline (October 2014) to enforce it.

The bottom line

Thanks to Apple for kicking off the process of adding 2SV to iCloud.

Your quick reaction is appreciated.

We urge iCloud users who live in one of the 59 supported countries to turn on 2SV sooner, rather than later, for the extra security it provides.

But please keep in mind: Apple has more work to do before 2SV truly “protects all of the data you store and keep up to date with iCloud”.


Via: sophos

16 ways SAFE protects your devices, your family and you

In the early twenty-first century, when hackers were mostly pranksters, having security software on your PC was mostly about saving you some trouble.

In 2014, when international crime syndicates regularly co-opt millions of computers in order to systematically steal banking information, take identities and hold files for ransom, security isn’t about convenience. It’s about giving our families the freedom to live our lives online without the threat of strangers invading our lives, hijacking our time and money.

An anti-virus on one PC is a good step. But who just uses one PC now? Many of us use three different devices before breakfast.

That’s why we created F-Secure SAFE — it’s built to protect all the devices and all of the people in your family. The latest update of SAFE is designed to make it easier to install on infected computers for a smoother overall experience. It also gives you tools to keep your devices and family safe wherever they go.

Since SAFE is such a dramatic expansion of what our traditional F-Secure Internet Security does, we wanted to cover 16 ways it protects you, your family and your devices. And to celebrate the new SAFE launch, we’re giving away one SAFE hoodie and a free year of SAFE on our Facebook page every day for 16 days beginning on September 16.

Please read the rules and enter now.

Here’s how SAFE protects you, your devices and your family:

PCs and laptops
1. Protection against ransomware
Thanks to browsing protection, F-Secure SAFE protects you against malicious software that impersonates authorities, such as Interpol or the FBI, and may block your computer, demanding ransom for unblocking it and preventing you from accessing your files until you pay. Thanks to F-Secure SAFE, all known versions of this insidious type of malware can’t get on your computer.

2. Protect your home computer in the same way your office computer is protected
Your office computer is protected by software that safeguards it against viruses and protects corporate data against theft by criminals. SAFE gives you the same options on your home computer.

3. Limit the time your children spend on the Internet.
If you think that your children may spend too much time browsing the internet or playing online games, SAFE will let you decide for how many hours they are allowed to do it every day. You can easily define in which hours exactly they connect to the Internet. If they try to go online during unapproved times, the computer will not connect to the Internet.

4. Online banking protection your bank knows you need
Do you know that what most banks recommend in terms of security is using paid anti-virus software when banking online? SAFE ensures you meet these recommendations.

5. Safeguard your memories 
F-Secure Safe protects the photos and videos of your children or grandchildren against falling into the wrong hands. The built-in anti-virus application and protection against as-yet-unknown threats ensure that all of the memories collected on your computer are fully protected. Your files will never be destroyed, encoded to demand payment for decoding them, or intercepted in order to be published or to gain profit from distributing them.

6. Protect your children against adult content
Define which sort of content can be accessed by your children, whether you’re monitoring them or not.

7. Shop online without worry
Thanks to protection against spyware and browsing protection, your credit card number is invisible to criminals. Now you can relax when shopping online, booking hotels or buying air tickets.

Tablets
1. Control which apps your kids can install
Keep games that involve virtual violence, sex or gambling off your child’s device with a simple setting.

2. Decide which sites your child can visit 
Even if they use tablets in their rooms, you can be sure that they visit no websites inappropriate for their age.

3. Protect your device against malware with browsing protection.
Protect yourself from phishing scams, ransomware and malicious apps that could be triggered by visiting the wrong site.

4. Keep login data and online banking passwords secure
SAFE protects your tablet against spyware that steals your bank login data.

Phones
1. Find your missing phone.
Locate your lost phone and make sure no one can access your data should your device be stolen.

2. Find your child
Check the location of your child’s phone from our simple web portal.

3. Avoid surprising charges
Are you concerned that your children may install games that require additional payments? F-Secure SAFE lets you control which software is installed on their phones.

4. Block calls and text messages from unwanted numbers
Start your own “Do not call” list with this feature that allows you to decide who has access to you through your phone.

5. Keep your phone malware free
More than 99 percent of all mobile malware targets Android, which is the second most targeted platform in the world behind Windows. With SAFE, you have protection from increasingly complex ransomware and trojans designed to get inside your phone then your wallet.

You can try F-Secure SAFE for free now.



Via: safeandsavvy

US government “threatened” Yahoo with daily $250,000 fines over user data

In the post-Snowden era many web firms came in for criticism over their apparent willingness to bend over for the NSA as the agency went on a massive data grab.

Now, however, Yahoo has revealed how much it would have cost the company to disregard government data requests – a cool quarter of a million dollars per day.

In a blog post yesterday, the firm said it soon hopes to release more than 1500 previously secret papers which will reveal the full extent of its legal challenge to what the company says was overreaching surveillance:

In 2007, the U.S. Government amended a key law to demand user information from online services. We refused to comply with what we viewed as unconstitutional and overbroad surveillance and challenged the U.S. Government’s authority.

The newly-released papers outline Yahoo’s ultimately unsuccessful bid to thwart the NSA’s surveillance program which Snowden brought into the public domain last year.

The released documents underscore how we had to fight every step of the way to challenge the U.S. Government’s surveillance efforts. At one point, the U.S. Government threatened the imposition of $250,000 in fines per day if we refused to comply.

Yahoo’s general counsel, Ron Bell, who wrote the blog post, says the government first approached the company in 2007 after it amended a law to grant itself the power to demand user data from online services.

Yahoo, he says, made a legal challenge to those requests but was shot down initially and then failed again on appeal. The secretive Foreign Intelligence Surveillance Court (FISC) then ordered the company to comply with the government’s requests and all the hearing notes and records from the proceedings were classified until 2013 when only the judgement was made public.

Following continued pressure from Yahoo, Federal Judge William C. Bryson, who presides over the Foreign Intelligence Surveillance Court of Review (FISC-R), unsealed the documents on Thursday.

The declassification of most of the documents – some portions still remain unavailable and unknown to Yahoo – is seen as a victory of sorts by Bell who called it an “important win for transparency”.

Bell added that the 1500 declassified papers will be made available to the public in due course via Yahoo’s Tumblr platform.

In the meantime, the company will continue to push the FISC to release more documentation from its 2007-2008 case now that the FISC-R case has been resolved.

Bell finished by reassuring customers that Yahoo has always been on the side of its users:

Users come first at Yahoo. We treat public safety with the utmost seriousness, but we are also committed to protecting users’ data. We will continue to contest requests and laws that we consider unlawful, unclear, or overbroad.

Patrick Toomey, a staff attorney with the American Civil Liberties Union’s national security project, told the Guardian that the documents he had reviewed suggested that Yahoo “had challenged the warrantless wiretapping program more than any other of its competitors.”

But what about other tech firms? Now that the courts have unsealed documents relating to Yahoo, it’s possible we’ll hear more about how other large firms did – or did not – try to protect their users by fending off the government’s overt surveillance attempts.


Via: nakedsecurity

Firefox sneaks out an “inbetweener” update, with security improvements rather than fixes

Here’s a quick note to remind all Firefox users that Mozilla just snuck out a point release.

Usually, if everything goes according to plan, Firefox updates appear every six weeks.

The last major update delivered version 32.0 on Mozilla’s most recent Fortytwosday (2014-09-03).

But if needs must, Mozilla delivers in-between updates, too.

That’s what has happened here, bumping Firefox from version 32.0 to 32.0.1.

→ We’ve dubbed them Fortytwosdays because: they’re always on Tuesdays, like Microsoft’s and Adobe’s updates; six weeks is 42 days; and 42 days has a certain popular connotation.

Three fixes are listed, none of them labelled as security related:

Fixed. Stability issues for computers with multiple graphics cards

Fixed. Mixed content icon may be incorrectly displayed instead of lock icon for SSL sites

Fixed. WebRTC: setRemoteDescription() silently fails if no success callback is specified

Browser stability

Stability issues always sound worrying when you’re talking about a browser.

There’s a lot at stake when your browser crashes, especially if the crash is predictable and can be triggered by content sent in from outside.

If a crook can crash your browser at will, that’s a denial of service (DoS) vulnerability.

A DoS won’t let crooks hack into your network, but will give them a smidgeon of malevolent control that they shouldn’t have.

If a crook can not only crash your browser but grab control of the browser process at the same time, that’s a remote code execution (RCE) exploit.

RCEs are one of the most common tricks used by cybercriminals to sneak malware onto your computer.

There’s no suggestion that the instability problems that are fixed in Firefox 32.0.1 could be exploited for criminal gain, but anything that even whiffs of a crash should be enough to persuade you to update right away.

SSL connection status

The second bug listed relates to the incorrect presentation of the status of an SSL connection.

This is also the sort of mistake you don’t want to see in a browser.

In this case, fortunately, the bug seems to cause more of a “fail closed” than a “fail open” situation: Firefox may wrongly warn you that a site is less secure than it really is, not the other way around.

When you visit a well-configured HTTPS site, Firefox should give you a clean and consistent way to verify your security:

Clicking on the green site identifier drills down to give you extra information about the HTTPS certificate supplied by the site.

But if a web page is inconsistent about HTTPS security and contains a mixture of HTTPS and HTTP items, Mozilla should give you a warning:

A web page that mixes insecure and secure content is not necessarily putting your personally identifiable information (PII) at risk, as long as your PII only travels in the secure parts of the web traffic.

The thing is, in mixed-content web pages, how can you be sure which data travels with encryption, and which without?

By default, Firefox simply omits any unencrypted sub-components (e.g. images) embedded in an HTTPS page, but it’s still better to avoid mixed content altogether.
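The question the article raises, which sub-resources of an HTTPS page travel in the clear, can be answered mechanically. The following is an added example, not code from the Sophos article or from Mozilla: it parses a constructed HTML page served from an assumed `https://shop.example/checkout` URL, resolves every sub-resource reference against that page URL, and reports each one that would load over plain HTTP. Findings are split into active content (scripts, frames, stylesheets, objects, and form targets, which can alter or exfiltrate what the page handles) and passive content (images and media, which only leak what the resource itself shows).

```python
"""Mixed-content scanner for an HTTPS page (added example).

Lists sub-resources that would be fetched over plain HTTP from a page that
was itself loaded over HTTPS, classified as active or passive mixed content.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Element -> attribute(s) that reference a sub-resource or submission target.
URL_ATTRS = {
    "script": ("src",), "iframe": ("src",), "frame": ("src",),
    "object": ("data",), "embed": ("src",), "link": ("href",),
    "form": ("action",),
    "img": ("src",), "audio": ("src",), "video": ("src", "poster"),
    "source": ("src",),
}
# Active content runs in (or posts from) the page context; everything else is passive.
ACTIVE = {"script", "iframe", "frame", "object", "embed", "link", "form"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []          # (kind, tag, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet <link>s load content that styles/affects the page;
        # icons, prefetch hints etc. are left out of this simple check.
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        for name in URL_ATTRS.get(tag, ()):
            ref = attrs.get(name)
            if not ref:
                continue
            absolute = urljoin(self.page_url, ref)   # "//host/x" and "/x" inherit https
            if urlsplit(absolute).scheme == "http":
                kind = "active" if tag in ACTIVE else "passive"
                self.findings.append((kind, tag, absolute))


def scan_mixed_content(page_url, html):
    """Return [(kind, tag, url)] for every HTTP reference on an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []                   # mixed content only exists relative to an HTTPS page
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def count_by_kind(findings):
    """Summarise findings as {"active": n, "passive": m}."""
    counts = {"active": 0, "passive": 0}
    for kind, _tag, _url in findings:
        counts[kind] += 1
    return counts


# Constructed sample page: hostnames and paths are made up for the example.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="icon" href="http://cdn.example/favicon.ico">
<script src="https://cdn.example/app.js"></script>
<script src="http://cdn.example/tracker.js"></script>
</head><body>
<img src="//cdn.example/logo.png">
<img src="http://cdn.example/banner.jpg">
<iframe src="/frame.html"></iframe>
<form action="http://shop.example/pay"><input name="card"></form>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("%-7s <%s> %s" % (kind, tag, url))
    print(count_by_kind(scan_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML)))
```

Note that the protocol-relative `//cdn.example/logo.png` and the root-relative `/frame.html` are not flagged, because they inherit the page's HTTPS scheme; the form posting to an `http://` action is flagged as active, since that is the one case in the sample where data the user typed would leave the browser unencrypted.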

So this bug fix in Firefox is not critical, but it is highly desirable.

It makes it more likely that a well-informed user will reach the correct conclusion about the security or otherwise of any web page.

And that’s about it for Firefox 32.0.1.


Via: sophos

Unprecedented Gmail Hack Highlights Need for Better Security

If you’re a Google Gmail user, this is bad news. An archive of about 5 million Gmail addresses and plain text passwords was leaked to an online forum. The good news is the data is old, but better security is still needed.

CSIS Security Group, a Danish security company that offers cybercrime intelligence to law enforcement agencies and financial institutions, claims it collected a “large data set” containing a massive data leak associated with Gmail. The firm pegs the number of accounts at just over 5 million and said the leak seemed to come from sources beyond Google.

Peter Kruse, chief technology officer at CSIS, pointed out that a similar data leak associated with the Russian Web mail service also found its way into the public eye last week. Millions of accounts from were dumped online. CSIS believes the Gmail data came from the same source that leaked the data.

“This episode illustrates that security is now a major, ongoing headache for consumers who will have to live with regular data breaches,” Greg Sterling, Vice President of the Local Search Association, told us. “They will thus be forced to change passwords and confront more burdensome multiple-factor authentication systems as publishers and e-commerce sites implement stricter and more Byzantine security measures in the new cat-and-mouse world of hacking.”

So What?

We also asked Craig Young, a security researcher at security firm Tripwire, to weigh in on the data leak. He told us, quite frankly, he’s surprised this incident is receiving attention considering there’s no indication that the compromised passwords came directly out of Google’s system. It’s likely that a variety of Web sites failed to properly secure user credentials and someone just picked out all the Gmail accounts for resale on the underground, he said.

“The unfortunate reality is that the state of Web security is light years behind where it needs to be, resulting in an Internet where a teenager can compromise hundreds of Web sites in a matter of days just using Google and a hacking tool like sqlmap,” Young said. “Spoils from such hacks are commonly traded on underground forums in exchange for digital currency, access to other systems, or simply for prestige.”

As Young sees it, Google’s two-step verification is a very helpful tool for protecting Gmail accounts. Unfortunately most, if not all, two-factor authentication systems still have a fundamental weakness because the authentication process typically leads to an all-powerful session token which, when hijacked, can give attackers the same permissions on a target system as if they had successfully logged in with two-factor authentication, he added.

“This problem was recently highlighted in a breach of Juniper VPN technology leveraging the Heartbleed attack to collect session tokens and bypass authentication on the target,” Young said. “The fact that three-year-old passwords are being leaked also serves as a reminder why it is important to periodically change passwords. The fact that a small percentage — less than 2 percent — are still valid Google credentials only serves as a reminder that too many consumers reuse passwords and don’t change them frequently enough.”

Finally, Ken Westin, a security analyst at Tripwire, told us this leak reveals the troubling truth regarding the large amount of data available to criminal groups as a result of unreported breaches. He noted the data breaches we hear about really are just the tip of the iceberg when it comes to the full amount of stolen credentials, credit cards and other data available to cybercriminals.

“Many breaches are never detected, so the target organization is unaware of the compromise and it goes unreported,” he said. “In addition, user credentials are routinely harvested in phishing attacks and aggregated over years and then sold through underground markets.”



Via: enterprise-security-today

Train security as critical as planes and automobiles – Tunnel vision

In recent weeks you’ve heard a lot of discussion around the cyber risks to aircraft and automobiles. After the Black Hat, DefCon and BSides conferences in Las Vegas, Nev., in July, it would seem that a great deal of necessary attention will be paid to the security of design and implementation of these two key critical transportation components. The cybersecurity volunteer organization I Am The Cavalry has created an awareness campaign (which I have signed on to and you should too!) aimed at automakers. Even prime-time television is getting into the act with the premiere episode of CBS’ hot new drama, Scorpion, focusing on the security of aircraft. But what of the trains?

America’s railroads account for 40 percent of intercity freight volume. Over three million cars filled with food, two million cars filled with chemicals and more than 70 percent of all the coal we use in America are transported by rail every year. Without rail, the economy is at risk. And if just one of those two million railcars filled with chemicals was to crash in your neighborhood, you’d have a risk of another nature.

“The Obama Administration is committed to improving our nation’s infrastructure, which is crucial for both creating jobs and remaining competitive in today’s global economy,” said U.S. Secretary of Commerce Penny Pritzker in July. In fact, President Obama has now signed Executive Order 13636 (EO13636), directing each of the critical infrastructure sectors to work more cooperatively to better defend themselves and the nation from cyber attacks.

With Transportation Systems identified as one of the nation’s Critical Infrastructure Sectors, and with rail making up a large part of that sector, we cannot afford to overlook the security of our railroads, and our railroads cannot afford to overlook cybersecurity. While many IT-enabled components exist on the modern train, the biggest change in rail systems today is the introduction of Positive Train Control, or PTC.

PTC, a processor-based, communication-based train control system designed to prevent train-to-train collisions, overspeed derailments and incursions into work zones, is capable of automatically controlling train speeds and movements. Railroads now are required to install and implement PTC systems on rail lines where any poisonous or toxic-by-inhalation hazardous materials are transported, and on any railroad’s main lines where regularly scheduled intercity passenger or commuter operations are conducted. This covers more than 70,000 miles of track and approximately 20,000 locomotives in the U.S. While PTC is designed for safety, whenever we turn over control of thousand-ton rolling bombs that run through our backyards to computers and industrial control systems, we also must account for the cyber threat that comes with them.

Railroads have historically considered their computing, controls and communications to be proprietary, and therefore more secure. With today’s use of commercial off-the-shelf products and standard protocols, such as TCP/IP, yesterday’s “security through obscurity” defenses no longer hold. Today’s railroads, especially with the rapid introduction of PTC, must adopt a stronger stance in the cyber defense of their critical infrastructure.

Basic controls are a great place to start. Guidelines for PTC infrastructure, modeled on the SANS Institute’s top 20 Critical Security Controls for enterprise computing, should be implemented. Basics such as maintaining inventories of devices and software, establishing trusted standard configurations, performing regular vulnerability assessments, segmenting life-threatening train and track controls from everything else, controlling full-spectrum radio-based access, limiting use of administrator privileges while enforcing need-to-know, performing regular security training, and conducting regular penetration tests all will go a long way toward improving security and engendering trust, but even that is just a start.

With rail such a critical component of a nation’s economic infrastructure, adversaries have developed more than basic attack scenarios in an effort to cripple a country. Custom zero-day malware designed solely to take over vital control systems, insider threats from willing and duped employees, and patient attacks that enter through tier-two and tier-three ecosystem partners are now the norm in critical infrastructure sectors. These extraordinary threats, coupled with the extraordinary harm that could be caused to life and the economy, necessitate extraordinary security responses.

Just as automakers are hardening their cyber designs and ecosystems, it’s critical that the railroad industry proactively enacts advanced malware sweeps, architects insider-resilient systems and services, and establishes transparent, crystal-box security controls for all components of its ecosystem. While EO13636 provides the impetus, federal law enforcement offers useful services, and several ISACs have relevant experience and infrastructure, it’s key that railroad boards and executives get ahead of this critical issue – before it’s too late.

This article is published as part of the IDG Contributor Network.


Via: csoonline

Hackers target Apple Mac OS X with 25 malware variants

Hackers are besieging Apple OS X systems with 25 new malware variants, some of which are being used in targeted attacks, according to security firm F-Secure.

F-Secure reported uncovering the malware variants in its Threat Report H1 2014, saying it discovered almost 20 of them in the first two months of the year alone.

“2014 started with almost 20 new unique variants discovered in the first two months alone, though this pace slowed later so that by the end of the H1 period, 25 new Mac threats had been found,” the report said.

“Among the new unique variants, 13 belong to five new families, with the Mask and Clientsnow being involved in targeted attacks. The remaining three new families – Coinstealer, Cointhief and LaoShu – affect normal Mac users.”

F-Secure senior security analyst Sean Sullivan told V3 the malware variants’ appearance is particularly troubling as some of the attacks detected using them were targeting critical infrastructure areas.

“It’s mostly targeting human rights activists (which focus heavily on rights in China). But then there are also efforts to compromise Macs within the energy industry and other sectors,” he said.

“It appears to be the same sort of stuff as Havex, [going after] a wide range of targets. Possibly it is a campaign by a private ‘contractor’ who is selling to particular nation states.”

Havex is a family of remote-access Trojans known to have been used during several attacks on critical infrastructure, including against energy-sector organizations via trojanized ICS/SCADA software installers. It is believed to have been used in targeted attacks for at least a year.

Sullivan said the lack of public information about the targeted attacks from affected businesses indicates they are either unaware or unable to comment on them.

“It’s interesting to note there are no victims reported. We know about the targeted attacks against human rights activists because they speak out about it. Companies that are being attacked are either unaware or keep quiet,” he said.

Apple has a closed security model and does not disclose any information about potential vulnerabilities until it has investigated and fixed them.

Apple’s iOS mobile operating system remained all but malware free, despite the resurgence of Mac OS attacks.

F-Secure reported that of the 295 new mobile threat families and variants that were discovered, only one targeted iOS, and even this required the Apple device to be jailbroken to work. The remaining 294 are listed as targeting Android.

The stats mirror F-Secure’s past mobile threat findings. The firm listed Android as being the intended victim of more than 99 percent of mobile malware in its previous Mobile Threat Report Q1 2014.