Monthly Archives: September 2014

5 things the Apple Watch can and can’t do

There’s fitness tracking and shopping tools, but no built-in GPS or Wi-Fi.

Apple’s latest “one more thing” was a doozy: A high-tech watch that CEO Tim Cook hopes will “redefine what people expect” from a wearable device. The watch does much more than tell the time — but what exactly does it do? And what can’t it?

The US$350 Apple Watch is meant to be worn throughout the day and relies on its connection to an iPhone for much of its functionality. It can track health activity, communicate with friends and run a wide range of apps. It can even make retail payments.

Here are five things the Apple Watch can do, followed by five things it can’t.

1. Messaging and calling. There’s a variety of ways to communicate with the device: Users can send and receive messages by dictating them or selecting from preset options. There’s a built-in speaker and microphone for phone calls — though it seems those calls have to go through an accompanying smartphone and not directly from the watch to a network. Users can silence incoming calls by covering the watch with their hand. There’s also a new way to communicate called “digital touch,” which lets people draw on the watch’s screen and send the image to friends, almost like a Snapchat doodle.

2. Siri. Apple’s personal assistant can be accessed on the watch by saying, “Hey, Siri,” or holding down the crown (the winder on a regular watch) on the side of the device. With Siri, users can dictate messages to friends, get turn-by-turn directions or perform local searches, like for movie times.

3. Fitness tracking. Apple says the watch can help people lead healthier lives, by letting them set goals within apps or tracking their physical activity using built-in sensors. There’s an accelerometer like in a smartphone, and a heart-rate sensor that uses infrared and visible-light LEDs and photodiodes. The Watch’s Activity app will graph data like calories burned or how long you’ve been standing up. Its Workout app provides more granular information for specific activities like running and cycling. Meanwhile, the companion Health app on the iPhone will let people share the data with third-party health and fitness apps.

4. Shopping. One of the more intriguing features is that the watch supports Apple Pay, a new system intended to replace debit and credit cards for making purchases. It’s based on NFC, or near field communication technology, which is already in some Android smartphones but not Apple’s. Visa, MasterCard and Amex card holders will be able to keep their card information on file with Apple, and Apple will create a device account number for each card that’s stored in a Secure Element chip. Watch wearers will then be able to buy items by double clicking the button under the crown and waving their wrist in front of special in-store readers. Apple says it’s working with Macy’s, McDonald’s and lots of other stores to have the readers installed.

5. Apps. The Apple Watch has a brand new interface that displays apps as small, circular icons. The watch uses what Apple calls a “taptic engine” for alerts and app notifications, so it will vibrate or “tap you on the wrist” when they come in. There’s a range of on-board apps like calendar, Maps, photos, and music. Users can control music on their iPhone from the watch, and music can also be played directly from the watch, though it’s unclear how much storage the watch has. The WatchKit tools will let developers build more apps for the device.

The Apple Watch, clearly, packs a lot of features into a small package. But here are five things it doesn’t have:

1. Universal compatibility. Many of the watch’s functions, like receiving calls and emails, require it to be paired with an iPhone. As of now the watch will only work with the new iPhone 6 and 6 Plus, as well as the 5, 5C and 5S. There’s also no reason to think it will work with Android and Windows phones.

2. A keyboard. Messages must be dictated into the microphone or selected from pre-set responses. This is similar to how smartwatches powered by Google’s Android Wear system currently work. Apple says the watch is smart enough to analyze incoming messages and display the appropriate responses that can be sent back.

3. Its own camera. The Watch can display favorite photos from a Mac or iPhone, but it doesn’t have a built-in camera of its own. It can be used as a remote viewfinder, however, for the camera on your phone, and you can use the watch to snap the photo or set the timer on the phone’s camera.

4. Built-in GPS and Wi-Fi. For that, you need to be connected to your iPhone. If you go out for a bike ride, or do some other activity that can’t be measured in steps with the accelerometer, the Watch can’t track your distance without your phone.

5. One important thing the Apple Watch doesn’t have yet is a firm launch date. Apple said the watch would be available in “early 2015,” but it did not clarify beyond that.

Via: itworld

Lokki will stop working on 26 September 2014

For those that remember:

Honey, I Lost the Kids! — 6 Tips for Knowing Where Everyone Is with F-Secure Lokki

Well, it looks like it’s not going to be around much longer.

F-Secure sent out the following:

————————————

Hello F-Secure Lokki users!

Thank you for choosing F-Secure Lokki, the free and private location sharing app for families and other groups. Recent updates in smartphones’ operating systems have affected the location reporting accuracy of the Lokki service. We have decided to quit the Lokki service and focus our efforts on other private and secure apps that we can assure follow our company’s quality and accuracy requirements. We will remove the Lokki app from the Apple, Google and Microsoft application stores by September 5, 2014. The service will not function after September 26, 2014. After this the F-Secure Lokki app will not report your location to other Lokki users. We will erase all your Lokki data from our servers and will not share this data with anyone. You may remove the application from your device. You can still reach the F-Secure Lokki team at lokki-feedback@f-secure.com.

If you want to continue using another location sharing app, we recommend you to check out e.g. some of the following services: F-Secure SAFE (Android, includes also other security features), Elisa Perhe (Android), Find My Friends (iPhone and iPad), or Find My Phone (Windows Phone).

F-Secure wants to support start-ups and will transfer the Lokki technology for free to an Open Source project at University of Helsinki so that it can be freely utilized in new research projects and mobile applications. We will not transfer the current Lokki users’ data to this new project.

We want to sincerely thank all Lokki friends and we do apologize for the inconvenience caused by the service close-down. We want to compensate you all with a free 6 months PREMIUM license to our password management app F-Secure KEY. Please find attached a personal PREMIUM VOUCHER and guidance to redeem it. You can use it yourself or give it to a friend.

Kind regards,

F-Secure Lokki team

————————————

So get ready to delete the app.

I guess we will have to look elsewhere for our “Harry Potter type Marauder’s Map”.

Hackers launch Apple ID phishing campaign playing on iCloud security worries

The hackers behind the Kelihos botnet are trying to capitalize on users’ increased awareness about the security of Apple online accounts through a new phishing campaign.

According to security researchers from Symantec, the Kelihos botnet has started sending spam emails that purport to be security alerts from Apple informing recipients that a purchase was made using their Apple ID from the iTunes Store. Apple IDs are the accounts that customers use to access Apple’s online services.

The rogue emails bear the subject “Pending Authorisation Notification” and claim that the purchase was made from a computer or a device not previously linked to the user’s Apple ID, the Symantec researchers said Friday in a blog post. The emails list an IP (Internet Protocol) address from where the purchase was allegedly initiated and a corresponding physical location of Volgograd, Russia, they said.

The fake messages instruct users to click on a link if they didn’t initiate the purchase. The link leads to a phishing site that masquerades as the Apple ID log-in page and harvests the credentials entered by users for later misuse.
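Added example (not from Symantec or the original article): a triage routine a mail-filtering or SOC team could run over incoming mail to flag the lure described above, checking the subject line, whether the sender and every link actually belong to an Apple domain, and the unknown-device-plus-IP pretext. The two sample messages and the phishing host are constructed placeholders, not real indicators.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample lure mirroring the article's description: the Kelihos
# subject line, a purchase "from a device not previously linked", an IP with a
# location, and a "verify" link. Hosts are placeholders, not real indicators.
LURE = """From: "Apple" <noreply@example.invalid>
Subject: Pending Authorisation Notification

Your Apple ID was used to purchase an item from the iTunes Store from a
computer or device not previously linked to your Apple ID.
IP address: 203.0.113.45 (Volgograd, Russia)
If you did not make this purchase, verify your account here:
http://appleid-verify.example.invalid/login
"""

# Constructed benign receipt for comparison.
LEGIT = """From: Apple <no_reply@email.apple.com>
Subject: Your receipt from Apple

Thank you for your purchase. Manage your account at
https://appleid.apple.com/
"""

APPLE_DOMAINS = ("apple.com", "icloud.com")
LURE_SUBJECTS = {"pending authorisation notification",
                 "pending authorization notification"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def apple_controlled(host: str) -> bool:
    """True if host is an Apple domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in APPLE_DOMAINS)


def triage(raw: str) -> list:
    """Return the reasons a message looks like the Apple ID lure (empty if none)."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    display, addr = parseaddr(msg.get("From") or "")
    body = msg.get_payload()
    reasons = []

    if subject in LURE_SUBJECTS:
        reasons.append("subject matches the Kelihos lure")

    # A display name of "Apple" on a non-Apple sender domain is a spoof.
    sender_host = addr.rpartition("@")[2]
    if "apple" in display.lower() and not apple_controlled(sender_host):
        reasons.append(f"display name claims Apple but sender domain is {sender_host}")

    # Every link in a genuine Apple ID alert should point at an Apple domain.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not apple_controlled(host):
            reasons.append(f"link host {host} is not an Apple domain")

    # The pretext itself: an unknown device plus an IP/location to alarm the reader.
    if re.search(r"not previously linked", body, re.I) and re.search(r"IP address", body, re.I):
        reasons.append("body cites an unknown device and an IP address")

    return reasons


def is_phish(raw: str) -> bool:
    """A non-Apple link or sender is decisive; the other signals only add confidence."""
    return any("not an Apple domain" in r or "sender domain" in r for r in triage(raw))


if __name__ == "__main__":
    for name, sample in (("lure", LURE), ("legit", LEGIT)):
        print(name, is_phish(sample), triage(sample))
```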

The use of fake security alerts as phishing bait is not a new technique. However, because this particular attack comes shortly after a widely publicized event where a number of celebrities had their iCloud accounts broken into, it might trick a larger number of users than a typical phishing campaign.

One week ago news broke that hackers stole nude photographs from the iCloud accounts of a number of female actresses and models and leaked some of them on public websites.

There was initial speculation that the leaks might have been the result of a brute-force password guessing attack via the “Find My Phone” feature, but Apple later said that the leaks were the result of “a very targeted attack on user names, passwords and security questions” and not of a breach of the company’s cloud-based systems.

The incident received so much attention online and in the media that it even prompted a response from Apple CEO Tim Cook, who told the Wall Street Journal that the company will start sending security notifications to users via email and push messages when iCloud account changes occur.

“It is possible that the timing of the [phishing] campaign is not a coincidence and the controllers of the botnet are attempting to exploit public fears about the security of Apple IDs to lure people into surrendering their credentials,” the Symantec researchers said.

The Kelihos botnet authors are adept at exploiting current events. In August they launched a spam campaign that encouraged Russian-speaking users to install a program on their computers so they can be used in distributed denial-of-service (DDoS) attacks against Western government websites in response to the recent international sanctions against Russia. The emails actually linked to a variant of the Kelihos malware, not a DDoS program.

To prevent unauthorized access to their accounts even when their user names and passwords are compromised, users are advised to turn on two-step authentication for their Apple ID accounts.

Via: pcworld

September 2014 Patch Tuesday Includes Fixes for Critical IE Vulnerabilities

For this month’s patch Tuesday, Microsoft released four security bulletins, addressing flaws found in Internet Explorer, Microsoft .NET Framework, Microsoft Windows, and Microsoft Lync server. One bulletin is rated as ‘Critical’ while the rest are tagged as ‘Important’.

One of the notable bulletins in this month’s cycle is MS14-052, which addresses thirty-six vulnerabilities found in Internet Explorer. IE 6 to 11 are affected by these vulnerabilities.

MS14-053 resolves issues found in the Microsoft .NET Framework that could allow denial of service once exploited successfully by attackers. Similarly, when the vulnerabilities addressed in MS14-055 are leveraged by attackers, they could also lead to denial of service. Separately, Adobe also plans to release security updates addressing vulnerabilities in Adobe Flash Player and Adobe Reader and Acrobat by September 15.

Although this month’s security updates are relatively few compared to previous months, it is highly advisable to update systems with the latest patches to protect them from threats leveraging such vulnerabilities.

Trend Micro Deep Security and Office Scan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage vulnerabilities discussed in MS14-052 via the following DPI rules:

  • 1006164 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2799)
  • 1006219 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4065)
  • 1006224 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4080)
  • 1006227 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4081)
  • 1006230 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4082)
  • 1006221 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4084)
  • 1006229 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4086)
  • 1006222 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4087)
  • 1006225 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4088)
  • 1006220 – Microsoft Internet Explorer Use After Free Vulnerability (CVE-2014-4089)
  • 1006223 – Microsoft Internet Explorer Use After Free Vulnerability (CVE-2014-4092)
  • 1006226 – Microsoft Internet Explorer Use After Free Vulnerability (CVE-2014-4094)
  • 1006228 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4095)

The rules above also protect users of Internet Explorer on Windows XP, which is no longer being supported by Microsoft.

Via: trendmicro

BlackPOS Malware Linked to Home Depot Breach

Home Depot has confirmed via their corporate website that their payment systems were breached. This followed reports last week, which suggested that Russian and Ukrainian cybercriminals had successfully breached the Atlanta-based retailer’s PoS terminals.

The statement offered full details, but suggested the breach affected users who shopped at their US and Canadian branches from April onwards. Home Depot’s investigation began on September 2, which indicates a worst-case scenario of a breach lasting four to five months. It has been claimed that the information of up to 60 million cards may have been stolen.

Speculation suggests that the Home Depot attack was carried out using BlackPOS malware; a BlackPOS variant discussed by Trend Micro researchers in late August may have been part of this attack, as the behavior we found with this variant and those ascribed to the Home Depot attack are very similar.

This particular BlackPOS variant differs in several ways from more common variants, suggesting that the code has been changed significantly since the BlackPOS source code was leaked in 2012. It uses a different API call to list the processes that can be targeted for information theft, and it introduces custom search routines for credit card track information. This particular variant is detected as TSPY_MEMLOG.A.

These increasingly sophisticated threats make it clear that PoS malware is becoming a bigger and bigger threat. Continued attacks against PoS systems will not only cause financial losses, but also reduce the confidence of consumers in existing commerce systems.

Migrating to more modern “chip-and-personal identification number (PIN)” cards and terminals may help reduce the risk down the road. Also, it is good for users to regularly check their bank statements for any anomalous transactions. Going over the recent transactions on a regular basis should allow users to spot and dispute fraudulent transactions made on their cards.

Later this week, we will publish a paper outlining existing threats to PoS systems. System administrators of organizations that are at potential risk can use the information in these papers to detect, mitigate, and address these attacks. Our earlier paper titled Point-of-Sale System Breaches: Threats to the Retail and Hospitality Industries provided examples of potential PoS threats to retailers and companies in the hospitality sector.

For more information, you may check out the Data Breaches page in the Threat Encyclopedia.

Via: trendmicro

Why Breach Detection Is Your New Must-Have, Cyber Security Tool

Cyber attacks are all over the news, and it seems like no one is immune — Home Depot, Target, Adobe and eBay included. So why are CIOs still fighting cyber criminals with one hand tied behind their backs?

Shockingly, most companies are still relying on outdated, only partially effective methods to protect their sensitive data, mainly with technology that focuses on preventing incoming attacks. But actually stopping bad guys from slipping inside enterprise networks and getting their hands on sensitive data is nearly impossible these days. In fact, among organizations with over 5,000 computers, over 90 percent have an active breach of some sort at any given time. What’s worse, those organizations may not even know about it.

It’s time for CIOs to start focusing on the next line of defense in the war against cyber crime: an emerging area called breach detection, which focuses on identifying long-tail intrusions after they happen and mitigating their damage, partly through the use of big-data technologies. Your company’s information security may depend on it.

A Changing Battle Space: Prevention Is Not Enough

Surviving a shark attack is fairly simple: As long as you swim faster than the person next to you, chances are you’ll make it. Not so long ago, security was very much the same. As long as your company had better-than-average security, you were likely safe because someone else would get hit first.

Hackers were looking for the “low hanging fruit” — the easy breaches. Online criminals mainly used a broad “spray and pray” approach to opportunistically find targets. In those days, “signature-based” security solutions, which tried to identify known, malicious code patterns and block them, made sense. If one company saw a new threat, a signature could be written for it and distributed to others to protect them from infection.

Fast forward to today. As organizations have bolstered their security, hackers also evolved. Attacks today are more sophisticated and targeted than ever before. Rather than sending generic malware, hackers today carefully plot each and every attack, using unique, “zero-day” exploits that render signature-based protections nearly useless.


While a number of new security companies, like FireEye, have surfaced in recent years to try to combat this type of attack, hackers continue finding creative ways around these tools. Some hackers go so far as to buy all of the same, state-of-the-art intrusion prevention systems their targets use so they can perfectly replicate the target’s exact security environment — then test their attack and virtually guarantee its success.

Most Damage Happens After Initial Breach

The initial intrusion in a typical breach scenario takes minutes to a few hours — in some rare cases, days. The real damage, however, occurs after hackers get around the first line of defense, making new, after-the-fact breach-detection efforts so critical. Once inside a target, it’s like discovering a gold mine. Hackers study their victim’s internal network, carefully extend their foothold and then begin mining the valuable data they find for months, if not years, before being detected — usually by accident.


Mandiant, for example, recently reported that APT1, one of China’s cyber-espionage units, attacked 141 victim companies across 20 industries and stole many terabytes of compressed data in sustained attacks averaging 365 days each. The longest attack lasted more than four years.

The most concerning part of all this is that very few organizations are now using new breach-detection technologies and can actually discover these ongoing breaches themselves, meaning attacks are even more destructive for their victims. Despite numerous alerts, Target, for example, didn’t detect the recent breach that led to 40 million stolen credit card numbers. Rather, it was only after the U.S. Department of Justice notified the company in mid-December that Target investigators went back to figure out what happened. According to a report published by Verizon last year, this is not uncommon — only about 13 percent of security breaches are discovered internally.

Breach Detection — The Last Line of Defense

All these factors point to the need for robust breach detection to provide a “last line of defense” against these attacks, instead of just focusing on blocking the initial wave of the intrusion.

While after-the-fact detection is not a new concept, the old generation of Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) technologies generally fall short in today’s data-center environment. Why?

  • They rely on pre-defined rules/signatures to detect breaches. In a world of bespoke attacks, such solutions will often miss the most relevant alerts.
  • Low signal-to-noise. Imagine being flooded with hundreds or even thousands of alerts per day—each one representing a potential breach to your organization’s most sensitive data. It is no surprise that Target, like many others, missed the warning signs of the attack, like the proverbial forest for the trees.
  • Limited visibility due to being deployed at the security perimeter or relying on log files. Without access to a rich data set that expands beyond the perimeter and includes all of the raw information (as opposed to a log file, which is a derivative of it), these tools are undermined in their ability to properly detect threats.

Next-gen breach detection is solving, in essence, a classic big-data problem: To be effective, these tools need to analyze a great variety of data in high volume, and at great velocity, to determine potential breaches. Most important, the tools must be precise; too many false positives and their reports will quickly be ignored, just like the boy who cried wolf.

A new crop of next-generation startups is working on this. They include Aorato, Bit9, Cybereason, Exabeam, Fortscale, LightCyber, Seculert, and Vectra Networks. Rather than relying on detecting known signatures, these companies marry big-data techniques, such as machine learning, with deep cyber security expertise to profile and understand user and machine behavior patterns, enabling them to detect this new breed of attacks. And to avoid flooding security professionals in a sea of useless alerts, these companies try to minimize the number of alerts and provide rich user interfaces that enable interactive exploration and investigation.

To help illustrate how these new technologies work, think of all of the online “breadcrumbs” that an attacker inevitably leaves behind during each step of the attack.

He generates network connections to command and control servers, for example. He moves across the organization in ways that are ever so slightly different from what’s normal; he may use whatever credentials he can get his hands on to try to access sensitive resources (e.g. tries to access proprietary code on development servers using a sales executive’s login). New breach-detection startups can sense all of these movements and changes. Combined with an intimate understanding of how hackers operate, they are able to finally piece together all the puzzle pieces in real-time before more significant damage has occurred.
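The sales-login-on-a-development-server case above, as an added example (not code from any vendor named on this page): a baseline of which accounts use which hosts is built from past logon events, each new event is scored against it, and only events that fall outside the profile surface, which is the noise reduction the article asks for. The department directory and the logon records are constructed.

```python
from collections import defaultdict

# Constructed directory: account -> department (an assumption for the example).
DEPARTMENT = {"alice": "sales", "bob": "sales",
              "carol": "engineering", "dave": "engineering"}

# Constructed history of successful logons (user, host), e.g. a month of
# authentication logs. Sales staff use CRM and mail; engineers use dev and git.
BASELINE_EVENTS = [
    ("alice", "crm01"), ("alice", "mail01"), ("bob", "crm01"), ("bob", "mail01"),
    ("carol", "dev01"), ("carol", "git01"), ("dave", "dev01"), ("dave", "git01"),
    ("dave", "mail01"),
]

# Constructed events from the current window, including the suspicious one:
# a sales account logging on to the development server.
NEW_EVENTS = [
    ("alice", "crm01"), ("carol", "mail01"), ("alice", "dev01"),
    ("dave", "git01"), ("bob", "mail01"),
]


def build_profile(events):
    """Per-user host set and per-host department set from historical events."""
    user_hosts = defaultdict(set)
    host_depts = defaultdict(set)
    for user, host in events:
        user_hosts[user].add(host)
        host_depts[host].add(DEPARTMENT.get(user, "unknown"))
    return user_hosts, host_depts


def score_event(profile, user, host):
    """Score one logon against the profile; 0 means fully within it."""
    user_hosts, host_depts = profile
    dept = DEPARTMENT.get(user, "unknown")
    score, reasons = 0, []
    if host not in user_hosts.get(user, set()):
        score += 1
        reasons.append("first logon by this account to this host")
    if host not in host_depts:
        score += 1
        reasons.append("host has no logon history at all")
    elif dept not in host_depts[host]:
        # The breadcrumb from the article: a department that never uses this host.
        score += 2
        reasons.append(f"{dept} account on a host used only by {sorted(host_depts[host])}")
    return score, reasons


def detect(profile, events, threshold=2):
    """Keep only events at or above the threshold, highest score first."""
    alerts = []
    for user, host in events:
        score, reasons = score_event(profile, user, host)
        if score >= threshold:
            alerts.append({"user": user, "host": host, "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])


def lateral_spread(profile, events):
    """Count distinct never-before-seen hosts per account in the window."""
    user_hosts, _ = profile
    seen = defaultdict(set)
    for user, host in events:
        if host not in user_hosts.get(user, set()):
            seen[user].add(host)
    return {u: len(h) for u, h in seen.items()}


if __name__ == "__main__":
    profile = build_profile(BASELINE_EVENTS)
    for alert in detect(profile, NEW_EVENTS):
        print(alert)
    print(lateral_spread(profile, NEW_EVENTS))
```

An engineer's first logon to the shared mail server scores 1 and stays below the threshold, while the sales account on dev01 scores 3 and is the only alert raised.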

There is a lot at stake here. In the end, solutions that effectively cut through the noise and point up just a handful of highly relevant, actionable security alerts will likely become an important “last line of defense” and a key component of the next-gen enterprise security stack.

Via: techcrunch

Apple iCloud – 3 tips for keeping your photos and other data safe

Following the news this week that multiple celebrities had naked photos posted online, Apple confirmed it found no evidence of a security breach, but that some individual iCloud accounts were compromised.

The company said that the individual accounts were accessed the old fashioned way – by figuring out the victims’ login credentials.

Of course, it isn’t just film stars who have sensitive data on their Apple devices – employees will often have corporate data on their iPhones and iPads while home users may also have their personal pictures and videos stored on their iOS device.

With that in mind, here are 3 tips to help keep your photos and other data safe:

1. Use a strong password

This is an easy one – it’s important to make sure you use a strong, unique password for your iCloud account, especially as Apple hasn’t yet enabled two-step verification for iCloud.

To do this, make the new password long (minimum 14 characters), avoid using real words and switch between UPPER, lower, d1g1t5 and \/\/@ckies. If you have trouble remembering such a complex password, consider using a password manager.

And while we’re here, make sure you use unique passwords for every account on every website that you use. It’s important because if someone gains access to one of your accounts, they can only access that one – not every account you own.

2. Limit what you backup to iCloud

Now is a good time to check what exactly is being backed up to your own iCloud account.

Go to Settings on your device and then select iCloud.

Here you will see a list of all the apps on your device that are being backed up to the cloud.

Each can be individually toggled on or off. You need to decide for yourself what you want to back up – for example, you may decide not to back up your Photos (especially if they’re a little risque), but keep backing up your Mail and Documents & Data.

It’s a case of weighing up the risk of losing or bricking your device, versus the risk of having your information stolen through the cloud. Of course, there’s always the option of…

3. Turn iCloud off and back up locally

If you feel that the risk of having your iCloud storage hacked outweighs the convenience of the service then you may wish to delete your account entirely.

Doing so is very easy.

Go to Settings on your iDevice and then select iCloud. Scroll all the way to the bottom of the screen and you will see the option to Delete Account.

Of course, that means your device will no longer be backed up, so you’ll need an alternative means of backing up your data. Fortunately, you have that with Apple’s iTunes which offers a manual alternative.

To back up with iTunes:

1. Make sure your computer has the latest version of iTunes

2. Connect your iOS device to your computer

3. Choose File, then Devices and Back up.

If you decide to back up your devices this way, remember to continue backing up on a regular basis.

Via: sophos

Configuration errors lead to HealthCare.gov breach

HHS confirms server breach, but says that personal information was not compromised.

The Health and Human Services Department (HHS) said that HealthCare.gov, the nation’s health insurance enrollment website, was breached in July and that the attackers uploaded malware to the server.

The breach, which is the first successful intrusion into the website, was discovered on August 25 by a CMS security team after an anomaly was detected in the security logs of one of the servers on the compromised system.

Officials say that while the attacker did gain access to the server, no personal information was compromised.

In a statement to CSO, an HHS spokesperson said that based on their analysis of the intrusion, as well as additional attempted intrusions on other government and private sector websites, “we do not believe HealthCare.gov was targeted.”

“Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency,” the spokesperson added.

According to reports on the incident from HHS, the breach occurred because a development server wasn’t properly configured.

While the system was supposed to remain segmented and unavailable to the general public, someone connected it to the Internet. On July 8, the test server was compromised and had malware uploaded to it.

The malware uploaded to the test server is described as commonplace, and was designed to add the server to a botnet and launch denial-of-service attacks against other websites, or deliver spam when activated. Analysis of the malware didn’t reveal any functions designed to exfiltrate personal information.

However, the malware remained idle, which according to HHS is why detection took so long. The agency has said that the website undergoes quarterly security audits, as well as daily security scans and hacking exercises.

Exact details on how the breach occurred were not shared with the public, but sources close to the investigation said that the development server was poorly configured and used default credentials.

In addition, it’s possible that the attack itself was automated, as server logs showed similar scans across multiple government websites.

“While it’s great to hear that this impacted server doesn’t seem to have directly impacted users’ personal data, it is concerning that such a related server could have been using a default password as is being reported at this time. Any system related to HealthCare.gov should be treated with great focus on security,” commented Mark Stanislav, Security Evangelist at Duo Security.

While HHS says that the incident will not impact the second open enrollment period on HealthCare.gov, which begins November 15, the fact that the incident happened at all will once again bring the website under fire for having problems with security.

Last year, a CBS News report detailed how security checks for the website were delayed three times, and the final overall security assessment was never performed. Despite being fully aware of the missing security checks, the Obama administration granted itself a waiver to launch HealthCare.gov with a level of uncertainty that was deemed as high risk.

“If this was a server used to test code for healthcare.gov, I would assume that the test servers are configured in a way that reflects the production environment. Depending on what data was used in the testing environment, this could be a bigger deal than we know,” commented Rapid7’s Trey Ford.

In the aftermath of this most recent incident, HHS said that they’ve “taken measures to further strengthen security.”

Via: csoonline

Review your settings with Facebook’s new privacy checkup tool

In April 2014 Facebook launched a new tool to help users check their privacy settings. Using a blue cartoon dinosaur, dubbed ‘Zuckersaurus-Rex’, otherwise known as the ‘privacy dinosaur’, the social networking company offered a warning to a small number of users before they posted anything publicly.

Five months on and Facebook began rolling the tool out to the more than 1.2 billion people who are signed up to its service.

If you haven’t received a dino-popup yet then you can either wait for it to appear in the next few days or you can click on the padlock icon in the top right corner of your Facebook page and choose Privacy Checkup. It is not yet available in the mobile version of Facebook, so you’ll need to access it via your desktop to find it.

Running the tool is pretty simple as you can see from Facebook’s own video below:

http://vimeo.com/105198517

The three-step process begins by asking who you would like to share your next post with from a choice of your friends only, everyone, or more custom options.


The second stage of the checkup looks at the apps you’ve logged into with Facebook. You can scroll through each of the apps and choose who can see that you use them, who can view anything that they may post or even delete apps that are no longer required.


Step 3 allows you to review your profile on Facebook and decide whether details such as your email address, birthday or location should be viewable by everyone on Facebook, your friends only, just you, or a custom set of people you specify.


Once complete, simply click on Close to end the Facebook Privacy Checkup.


So why is Facebook suddenly pushing privacy controls for its users?

The company has a chequered history where privacy is concerned. Perhaps in the wake of the Snowden revelations, the upcoming class action lawsuit instigated by Max Schrems and the fallout over its emotion experiment, the company is making some changes.

Around the time the privacy dinosaur first appeared, Facebook switched the default post setting from “public” to “friends” for new users. And, in April, more changes were revealed at the F8 conference – the most notable of which was the ability for users to log in anonymously to third-party apps.

Despite the widespread introduction of the Privacy Checkup, some users may still feel a little overwhelmed by the large number of security options the social giant has to offer.

Fret not – we have prepared our own tips to help you make your Facebook account safer!


Via: sophos

Why physical security (and InfoSec!) still matter

In this day and age where everything is connected, it’s easy to forget that protecting devices themselves is just as important as InfoSec.

In the current era of mega- (should I say giga-?) breaches with tens to hundreds of millions of lost customer records and the hacking-of-everything, it is easy to assume that the logical security of devices has become almost more important than the physical protection around those assets. While it is true that the logical (in)security of devices makes “remote attacks” possible (attacks carried out against the system from a location other than where the device sits, i.e. via a communication channel with a protocol such as TCP/IP, Ethernet, Bluetooth, CDMA, GSM, etc.), there is still an important defense layer that surrounds your device: physical security.

To provide a little anecdote: a little while ago I took a flight into Washington and the seat beside me in the back of the airplane was empty (yes, that still occurs despite all the overbooking and other tantalizing measures of the airlines) – I set my little book and magazine there during the flight, and my cell phone on top of it. Then, when the plane landed and touched down, it was a pretty heavy bump, and the pilot really hit the thrust reversal and hit the brakes, so much that I needed to brace my arm against the seat back in front of me. During the initial bump I saw my cell phone drop to the ground and when the full deceleration took place, the cell phone slid very fast towards the cockpit. I looked under the seat(s) in front of me, but couldn’t find it. Then, a friendly stewardess came up to me smiling with my cell phone in her hands, asking if it was mine – and I was quite happy to say yes.

My phone had crossed the entire plane up to the first class cabin – where someone found it, and since my device is encrypted, has a display PIN, and shows my owner information with my name and my home phone number (should someone find it and intend to give it back), that likely helped the stewardess look up my name and seat number on the passenger list, hence the quick resolution to my almost lost device.

So, what does this little anecdote tell us? In my view, it provides reasons why you need to use the physical seat belts, why you should put your tray tables up during takeoff and landing and bring your seat back forward, why to put your belongings in the seat pocket in front of you (and not elsewhere), and that labeling and logical security are really important, too. Sometimes physical events can change your possession of something, making it necessary for you to rely on those additional controls.

It is the combination of different types of controls (also often called “defense-in-depth”) that can make-or-break your protection.

Another example: in my global endeavors I have also seen data centers located in colocation or shared facilities with other companies. While the DC was physically and logically safeguarded, the cage around it was open at the top and bottom (so anyone could use the nearby ladder or the floor handles that open the raised floor), thereby allowing anyone with access to the colocation site to easily intrude into the neighbor’s DC units. This alone was already risky enough, but within the DC(s) I then found the important logical controls like firewalls or other such choke points in a less-than-standard fashion: the side panels of the firewall racks had been taken off (to “solve” heat / cooling problems) so that the above-mentioned intruder (or even people with otherwise authorized access to the DC cage) could easily lay hands on them or attack them.

Lastly, in another setting I discovered cable trays wide open and accessible via a parking garage (which was not protected against unauthorized third-party access) – the main facility with the core backbone was vulnerable to a simple physical attack with an axe or something similar – all the other millions of dollars spent were at total risk here. I am not saying that all the logical controls wouldn’t be necessary (in fact, they are needed, and even more so, given the endless forms of new attack vectors and the daily increasing attack surface) – but my “lessons learned” are that you have to think things through completely from the ground up, starting at the physical level and then working upwards through the ten layers of the security stack.

If you think this through further, you will come to the conclusion that this is why you need to have at least 60 miles (~100 km) of distance between redundant data center facilities, and that your DR and BCP plans should be based on worst-case physical scenarios to cover your bases. Backups not only need to be physically separated from the place of origin, they also need to be protected both physically and logically (otherwise, the attack against your potential crown jewels will simply happen against the offsite-transport truck or the storage facility, etc.).

Hopefully the provided examples give enough reason to understand that physical security absolutely still matters. Now, let’s focus on the second aspect – the information (or logical) security piece.

Why does it still matter? Well, even if you created a “Fort Knox” from a physical perspective around your assets, the reality is that every system that has communication channels open (ports/protocols/input/output facilities, etc.) is vulnerable to logical attacks along that protocol or via the encapsulated data itself (this is why we have the current crisis; it is “system-immanent”, so to speak, and it will remain so for quite a long time).

So, in order to protect your assets, you need to employ logical controls, like gates and control points. Think of protocol-aware firewalls, malicious code detection and response (anti-malware); intrusion detection/prevention systems (IDS/IPS); log monitoring; SIEM and correlation tools; data leakage prevention (DLP) and classification systems; network segmentation; compartmentalization (of virtualized environments); multi-factor authentication; strong and complex passwords; and other sophisticated tools like global cyber threat information and real-time intelligence, or strong encryption (AES256 etc.) and hashing for integrity.
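The two controls the article names for backup media, “strong encryption (AES256 etc.) and hashing for integrity”, are what make the offsite copy in the transport truck or storage facility worthless to whoever lays hands on it. The following is an added illustration, not code from the article or from any vendor it mentions: a constructed backup image is sealed with AES-256-GCM (confidentiality plus an authentication tag), a SHA-256 fingerprint of the sealed image is recorded for a manifest kept at the origin, and a deliberately corrupted copy is shown to fail restoration. The key, the sample data and the function names are all assumptions made for the example; in practice the key would come from a KMS or HSM and never travel with the media.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Constructed stand-in for a backup archive that leaves the data center
// on tape or in a truck (example data, not from the article).
var sampleBackup = []byte("db-dump-2014-09: account,balance\nalice,100\nbob,250\n")

// SealBackup encrypts plaintext with AES-256-GCM. The random 12-byte nonce
// is prepended to the output; the GCM tag provides integrity and authenticity.
func SealBackup(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenBackup reverses SealBackup. Any change to nonce, ciphertext or tag
// makes gcm.Open fail, so a tampered image cannot be silently restored.
func OpenBackup(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed backup too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Fingerprint is the hex SHA-256 of the sealed image. Kept in a manifest
// at the origin, it lets the offsite copy be checked for integrity
// without the decryption key being present at the storage site.
func Fingerprint(sealed []byte) string {
	sum := sha256.Sum256(sealed)
	return hex.EncodeToString(sum[:])
}

// RoundTrip seals, fingerprints and restores the sample backup, then flips
// one byte of the sealed copy to confirm the corruption is detected.
// It returns (restoredOK, tamperDetected, manifestCheckOK, err).
func RoundTrip(key []byte) (bool, bool, bool, error) {
	sealed, err := SealBackup(key, sampleBackup)
	if err != nil {
		return false, false, false, err
	}
	manifest := Fingerprint(sealed)

	restored, err := OpenBackup(key, sealed)
	if err != nil {
		return false, false, false, err
	}
	restoredOK := bytes.Equal(restored, sampleBackup)

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // corrupt the last byte (inside the GCM tag)
	_, err = OpenBackup(key, tampered)
	tamperDetected := err != nil

	manifestOK := Fingerprint(sealed) == manifest && Fingerprint(tampered) != manifest
	return restoredOK, tamperDetected, manifestOK, nil
}

func main() {
	key := make([]byte, 32) // demo key only; in production it comes from a KMS/HSM
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	restoredOK, tamperDetected, manifestOK, err := RoundTrip(key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("restored=%v tamper detected=%v manifest check=%v\n", restoredOK, tamperDetected, manifestOK)
}
```

The fingerprint and the key are deliberately kept apart: the manifest at the origin can prove the offsite image is unchanged, while only the key (held elsewhere) can turn it back into data, which is the “both physically and logically” protection the article asks for.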

The key is that a fully crafted, well-designed security architecture, governed by clear and concise policies, run by best-practices-oriented security operations, supported by sophisticated and well-educated / trained cyber intelligence specialists, used by well-aware and trained users, and organizationally led and managed by truly experienced CSOs / CISOs, will strategically solve the security threat by design. Security has to become a design goal.
No more programming, software or hardware development, implementation projects, delivery programs, etc. without clear and upfront security requirements in the specification and planning phase. It will take a generation or two, but it is possible. Let’s get started!


Via: csoonline