Monthly Archives: January 2016

140 not enough? Twitter reportedly will allow longer tweets – much longer

Is it possible to not like an idea yet still believe it makes sense? I hope so because that’s where I’m at on the reported news that Twitter is about to expand its iconic 140-character tweet limit to, oh, let’s say 10,000 or so.

From Re/code:

Twitter is building a new feature that will allow users to tweet things longer than the traditional 140-character limit, and the company is targeting a launch date toward the end of Q1, according to multiple sources familiar with the company’s plans. Twitter is currently considering a 10,000 character limit, according to these sources. That’s the same character limit the company uses for its Direct Messages product, so it isn’t a complete surprise.

There have been earlier reports that this change was in the works, but I don’t like the idea at all.

Brevity is among Twitter’s most endearing features. Not only because reading really short snippets is a welcome diversion from longer fare – and real life – but because that enforced character limit effectively controls a writer’s worst instinct, which is to ramble on and on and on.

And on.

Some like their tweets twiny.

Nevertheless, I cannot understand why Twitter has waited so long to let its users tweet longer.

Obviously, not every thought can be condensed into 140 characters (and it’s actually fewer than 140, since any Twitter user worthy of the name knows well enough to leave enough characters for a retweet). And not everyone has found these little nuggets of wisdom and nonsense as valuable or as much fun as those of us who use Twitter regularly for work and play.

So it strikes me as beyond likely that the slowing growth of Twitter’s user base and user engagement are at least in part a result of its fundamental structure, which hasn’t changed since the company was founded 10 years ago.

As much as some like Twitter writ small, I have had many an occasion when I have simply been unable to cram what I want to say into 140 minus that retweet cushion. What do I do when that happens? I click over to Facebook.

Twitter can’t have its users clicking over to Facebook. It needs to allow them more room to ruminate … whether some like it or not.

Via: networkworld

Mitigating Cybersecurity Threats for a Safe Customer Experience

Although the nationwide rollout of EMV technology is beginning to eliminate some fraud concerns of retailers, experts expect to see an increase in online fraud as fraudsters turn their attention to online sales. Some reports indicate online retail fraud in the U.S. alone is expected to rise by 106 percent over the next three years.

What’s Ahead in 2016

Even though card present credit card fraud will likely be on the decrease as the EMV rollout started in October 2015 continues, the new chip technology will not directly benefit online retailers and businesses.

For the first time in history, about half of all online purchases made on Black Friday were with mobile devices. This fact represents both the convenience mobile devices have brought to consumers’ lives and also the increase in fraud many businesses now face. In fact, the National Retail Federation expects online retail sales to increase during the 2015 holiday season by 3.7 percent over 2014, up to $630.5 billion this year. Experts estimate that up to one quarter of these sales could potentially be fraudulent.

Further, according to a report by Javelin Strategy & Research, card not present fraud, which includes online transactions, is expected to be nearly four times greater than point-of-sale card fraud by 2018.

The holidays also bring the need for merchants to adhere to customer demands and create a fast and streamlined checkout process to avoid abandoned sales. Typically, in the interest of convenience, key security measures are discarded and fraudsters are presented with an avenue that is less secure and therefore easily targeted.

Likewise, because fraudsters can exploit the convenience of mobile channels, businesses should be aware of the risk of fraud that this holiday season can present.

Mitigating Fraud

The best protection against credit card fraud is to “know your customer.” However, this has become increasingly difficult in the global, online economy. Credit card fraud can be devastating, but there are steps businesses can take to protect themselves.

Here are some of the most common fraud issues facing businesses, followed by steps that can be taken to mitigate these risks:

Stolen card/identity theft fraud

This type of fraud occurs when cardholder and credit card information is stolen and used to illegally purchase services or products. Typically, a business finds out about this type of fraud when the actual cardholder initiates a chargeback after notifying their issuing bank of a stolen card. However, by the time this happens, the product has left the store or has been shipped or the service has been rendered. As such, the business is out the product/service with no compensation.

Mitigating Actions:

Verify card verification value/billing address: Verifying the CVV code and billing address with the sale helps to confirm the cardholder is actually the person authorizing the sale. The address verification system (AVS) can confirm whether the address provided matches the billing address on file with the credit card issuing bank. Unless a sale is initiated by a known customer, only ship to the verified billing address.

Eliminate guest checkouts: Online businesses should require customers to register and create a unique user ID and password to help them manage fraud. Customer activity can be tracked and “questionable” accounts may be deactivated. Likewise, for repeat customers with accounts in good standing, less scrutiny is needed on their sales, while new customers can be monitored and even limited in their sales activity. For instance, a repeat user in good standing may be permitted to ship to a noncertified address, while new users may only be permitted to ship to their verified billing address until they build trust with your business.

Utilize fraud scoring systems: One of the more robust fraud management tools for online sales is a fraud scoring system. These tools, along with internal procedures, can be implemented to “rate” each sale to determine its risk level. They aid businesses in identifying and avoiding high-risk sales that may turn out to be fraud. Fraud scoring systems use a wide range of input to critique a sale, including IP filtering, geography filtering, sales thresholds (amount of sale, number of transactions), proxy detection, and even social media information.

Compromised systems and data

This fraud typically occurs when a point of sale system, website or other system that stores credit card information is “hacked.” In these cases, the hackers steal customer credit card data and personal information that the business has been entrusted to keep secure. The business may be liable for excessive fines and devastating negative exposure in its community. Consequently, this type of fraud is the most widely represented in the news.

Mitigating Actions:

Utilize end-to-end encryption and tokenization: Tokenization replaces sensitive data, such as the credit card number, with a nondescript value called a “token” while the sensitive data itself is stored securely elsewhere. Encryption is the process of transforming data using an algorithm to make it unreadable to anyone except those possessing the “decoder ring,” usually referred to as a key. When both technologies are deployed, systems are highly secure, making theft of usable data extremely difficult. Most payment solutions offer these technologies, which can be integrated into a point of sale or website.

Implement 3D Secure: Each of the major card brands has a 3D Secure solution: Verified by Visa, MasterCard SecureCode, American Express SafeKey, etc. These solutions are integrated into a business’s website and provide a safer, more secure online payment method, as the actual card data is not entered on the website. The cardholder authenticates the sale by entering their user ID and password, which act like a PIN. These systems help protect all parties, including the business (merchant), the cardholder and the banks, from fraud. The drawback to these 3D Secure technologies is that they require the cardholder to register their credit card with the corresponding card brand’s solution. Still, the first step is to enable your business website to work with these technologies, and most payment gateways support 3D Secure.

International fraud

This fraud is perpetrated by international fraudsters who understand how to work the payment system to their advantage, to the detriment of the business. The aim is to extort product and/or money from the business, and there are many elaborate scams associated with these international fraudsters.

Mitigating actions: Businesses must be especially cautious with international sales. Since address verification is not supported in most countries (AVS is only supported in the US, Canada and the United Kingdom), a business cannot verify the billing address. International sales are at the business’ own risk and there is very limited protection from fraud. For this reason, businesses are encouraged to only do business with known international customers. For new international customers, be sure to conduct proper due diligence on the legitimacy of the cardholder and the sale. There is a general lack of advocacy for businesses as it relates to the safest methods of accepting credit card payments. Knowing these fraud techniques and adopting these fraud mitigating procedures will help avoid the significant impacts of experiencing credit card fraud.
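One transparent way to combine the checks described above (CVV and AVS verification, shipping only to the verified billing address for unknown customers, lighter scrutiny for repeat customers, sales thresholds, proxy and geography filtering, and the fact that AVS is only available in the US, Canada and the UK) into a single risk rating, as an added example that is not from the article or any payment provider; the weights, thresholds and sample sales are assumptions.

```python
# Added illustration, not from the article or any vendor product: a transparent
# rule-based risk score built from the article's mitigations. Weights, thresholds
# and the sample sales are assumptions.
from dataclasses import dataclass
from typing import List, Optional

# Per the article, AVS is only supported in the US, Canada and the United Kingdom.
AVS_COUNTRIES = {"US", "CA", "GB"}

@dataclass
class Customer:
    known: bool                    # registered account rather than guest checkout
    good_standing_orders: int = 0  # prior completed orders without a chargeback

    def is_repeat(self, min_orders: int = 3) -> bool:
        return self.known and self.good_standing_orders >= min_orders

@dataclass
class Sale:
    amount: float
    billing_country: str           # ISO code of the card's billing address
    cvv_match: bool
    avs_match: Optional[bool]      # None when AVS is not available
    ship_to_billing: bool          # shipping to the verified billing address
    proxy_detected: bool
    ip_country: str
    customer: Customer

@dataclass
class Assessment:
    score: int
    decision: str                  # "accept", "review" or "decline"
    reasons: List[str]

def assess(sale: Sale, large_amount: float = 500.0,
           review_at: int = 30, decline_at: int = 60) -> Assessment:
    """Score one sale; higher means riskier, and every point carries a reason."""
    score, reasons = 0, []
    repeat = sale.customer.is_repeat()

    # CVV is printed on the card, so a mismatch suggests the buyer has only the number.
    if not sale.cvv_match:
        score += 40
        reasons.append("CVV mismatch")

    # AVS: compare against the issuer's billing address where the issuer supports it.
    if sale.billing_country in AVS_COUNTRIES:
        if sale.avs_match is False:
            score += 30
            reasons.append("AVS mismatch")
    else:
        # International sale: the billing address cannot be verified, so rely on
        # customer history and manual due diligence instead.
        score += 15 if repeat else 35
        reasons.append(f"AVS unavailable in {sale.billing_country}")

    # New or guest customers ship only to the billing address; repeat customers get leeway.
    if not sale.ship_to_billing:
        score += 5 if repeat else 30
        reasons.append("shipping to an address other than the billing address")

    # Sales threshold on the amount of a single sale.
    if sale.amount >= large_amount:
        score += 15 if repeat else 25
        reasons.append(f"amount {sale.amount:.2f} at or above {large_amount:.2f}")

    # Proxy detection and geography filtering.
    if sale.proxy_detected:
        score += 20
        reasons.append("anonymizing proxy detected")
    if sale.ip_country != sale.billing_country:
        score += 10
        reasons.append("IP geography differs from billing country")

    if not sale.customer.known:
        score += 10
        reasons.append("guest checkout, no account history to track")

    decision = ("decline" if score >= decline_at
                else "review" if score >= review_at else "accept")
    return Assessment(score, decision, reasons)

# Constructed sample sales covering the situations the article describes.
REPEAT_DOMESTIC = Sale(120.0, "US", True, True, True, False, "US", Customer(True, 5))
GUEST_RISKY = Sale(900.0, "US", True, False, False, True, "NL", Customer(False))
NEW_INTERNATIONAL = Sale(80.0, "BR", True, None, True, False, "BR", Customer(True, 0))
REPEAT_ALT_SHIP = Sale(600.0, "GB", True, True, False, False, "GB", Customer(True, 8))

if __name__ == "__main__":
    for sale in (REPEAT_DOMESTIC, GUEST_RISKY, NEW_INTERNATIONAL, REPEAT_ALT_SHIP):
        a = assess(sale)
        print(f"score={a.score:3d} {a.decision:8s} {'; '.join(a.reasons) or 'no flags'}")
```

The new international customer lands in “review” purely because AVS cannot be consulted, which is the point where the article’s manual due diligence would take over.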

Looking to the Future

By understanding the most common types of credit card fraud, businesses can better fight and control new cases of fraud this holiday season and in years to come. Further, the earlier merchants have fraud management procedures and solutions in place, the faster they can begin to prevent losses. In layering security solutions, merchants can more securely authenticate payments throughout systems and networks. This will ensure that their environment — and customers’ payment information — is protected against fraudsters and attacks of hackers.

Via: enterprise-security-today

Hacker-caused power outage signals troubling escalation

Highly destructive malware creates “destructive events” at 3 Ukrainian substations.

Highly destructive malware that infected at least three regional power authorities in Ukraine led to a power failure that left hundreds of thousands of homes without electricity last week, researchers said.

The outage left about half of the homes in the Ivano-Frankivsk region of Ukraine without electricity, Ukrainian news service TSN reported in an article posted a day after the December 23 failure. The report went on to say that the outage was the result of malware that disconnected electrical substations. On Monday, researchers from security firm iSIGHT Partners said they had obtained samples of the malicious code that infected at least three regional operators. They said the malware led to “destructive events” that in turn caused the blackout. If confirmed it would be the first known instance of someone using malware to generate a power outage.

“It’s a milestone because we’ve definitely seen targeted destructive events against energy before—oil firms, for instance—but never the event which causes the blackout,” said John Hultquist, head of iSIGHT’s cyber espionage intelligence practice. “It’s the major scenario we’ve all been concerned about for so long.”

Researchers from antivirus provider ESET have confirmed that multiple Ukrainian power authorities were infected by “BlackEnergy,” a package discovered in 2007 that was updated two years ago to include a host of new functions, including the ability to render infected computers unbootable. More recently, ESET found, the malware was updated again to add a component dubbed KillDisk, which destroys critical parts of a computer hard drive and also appears to have functions that sabotage industrial control systems. The latest BlackEnergy also includes a backdoored secure shell (SSH) utility that gives attackers permanent access to infected computers.

“Perfectly capable”

Until now, BlackEnergy has mainly been used to conduct espionage on targets in news organizations, power companies, and other industrial groups. While ESET stopped short of saying the BlackEnergy infections hitting the power companies were responsible for last week’s outage, the company left little doubt that one or more of the BlackEnergy components had that capability. In a blog post published Monday, ESET researchers wrote:

Our analysis of the destructive KillDisk malware detected in several electricity distribution companies in Ukraine indicates that it is theoretically capable of shutting down critical systems. However, there is also another possible explanation. The BlackEnergy backdoor, as well as a recently discovered SSH backdoor, themselves provide attackers with remote access to infected systems. After having successfully infiltrated a critical system with either of these trojans, an attacker would, again theoretically, be perfectly capable of shutting it down. In such a case, the planted KillDisk destructive trojan would act as a means of making recovery more difficult.

Over the past year, the group behind BlackEnergy has slowly ramped up its destructive abilities. Late last year, according to an advisory from Ukraine’s Computer Emergency Response Team, the KillDisk module of BlackEnergy infected media organizations in that country and led to the permanent loss of video and other content. The KillDisk that hit the Ukrainian power companies contained similar functions but was programmed to delete a much narrower set of data, ESET reported. KillDisk had also been updated to sabotage two computer processes, including a remote management platform associated with the ELTIMA Serial to Ethernet Connectors used in industrial control systems.

In 2014, the group behind BlackEnergy, which iSIGHT has dubbed the Sandworm gang, targeted the North Atlantic Treaty Organization, Ukrainian and Polish government agencies, and a variety of sensitive European industries. iSIGHT researchers say the Sandworm gang has ties to Russia, although readers are cautioned on attributing hacking attacks to specific groups or governments.

According to ESET, the Ukrainian power authorities were infected using booby-trapped macro functions embedded in Microsoft Office documents. If true, it’s distressing that industrial control systems used to supply power to millions of people could be infected using such a simple social-engineering ploy. It’s also concerning that malware is now being used to create power failures that can have life-and-death consequences for large numbers of people.

Ukrainian authorities are investigating a suspected hacking attack on the country’s power grid, the Reuters news service reported last week. ESET has additional technical details about the latest BlackEnergy package here.

While Saudi Arabia’s largest gas producer was also infected by destructive malware in 2012, there’s no confirmation it affected production. iSIGHT’s report suggests a troubling escalation in malware-controlled conflict that has consequences for industrialized nations everywhere.

Via: arstechnica

Newly discovered hack has U.S. fearing foreign infiltration

A major breach at computer network company Juniper Networks has U.S. officials worried that hackers working for a foreign government were able to spy on the encrypted communications of the U.S. government and private companies for the past three years.

The FBI is investigating the breach, which involved hackers installing a back door on computer equipment, U.S. officials told CNN. Juniper disclosed the issue along with an emergency security patch that it urged customers to use to update their systems “with the highest priority.”

The concern, U.S. officials said, is that sophisticated hackers who compromised the equipment could use their access to get into any company or government agency that used it.

One U.S. official described it as akin to “stealing a master key to get into any government building.”

The breach is believed to be the work of a foreign government, U.S. officials said, because of the sophistication involved. The U.S. officials said they are certain U.S. spy agencies themselves aren’t behind the back door. China and Russia are among the top suspected governments, though officials cautioned the investigation hasn’t reached conclusions.

It’s not yet clear what if any classified information could be affected, but U.S. officials said the Juniper Networks equipment is so widely used that it may take some time to determine what damage was done.

A senior administration official told CNN, “We are aware of the vulnerabilities recently announced by Juniper. The Department of Homeland Security has been and remains in close touch with the company. The administration remains committed to enhancing our national cybersecurity by raising our cyber defenses, disrupting adversary activity, and effectively responding to incidents when they occur.”

Juniper Networks’ security fix is intended to seal a back door that hackers created in order to remotely log into commonly used VPN networks to spy on communications that were supposed to be among the most secure.

Juniper said that someone managed to get into its systems and write “unauthorized code” that “could allow a knowledgeable attacker to gain administrative access.”

Such access would allow the hacker to monitor encrypted traffic on the computer network and decrypt communications.

Juniper sells computer network equipment and routers to big companies and to U.S. government clients such as the Defense Department, Justice Department, FBI and Treasury Department. On its website, the company boasts of providing networks that “US intelligence agencies require.”

Its routers and network equipment are widely used by corporations, including for secure communications. Homeland Security officials are now trying to determine how many such systems are in use for U.S. government networks.

Juniper said in its security alert that it wasn’t aware of any “malicious exploitation of these vulnerabilities.” However, the alert also said that attackers would leave behind no trace of their activity by removing security logs that would show a breach.

“Note that a skilled attacker would likely remove these entries from the log file, thus effectively eliminating any reliable signature that the device had been compromised,” the Juniper security alert said. If encrypted communications were being monitored, “There is no way to detect that this vulnerability was exploited,” according to the Juniper security alert.

According to a Juniper Networks spokeswoman’s statement, “Once we identified these vulnerabilities, we launched an investigation and worked to develop and issue patched releases for the impacted devices. We also reached out to affected customers, strongly recommending that they update their systems.”

U.S. officials said it’s not clear how the Juniper source code was altered, whether from an outside attack or someone inside.

The work to alter millions of lines of source code is sophisticated. The system was compromised for three years before Juniper uncovered it in a routine review in recent weeks.

Juniper said it was also issuing a security fix for a separate bug that could allow a hacker to launch denial-of-service attacks on networks.

Via: cnn

Microsoft Will Warn Users About Suspected Attacks By Government Hackers

Microsoft users will now be notified if a state-sponsored attacker tries to break into their accounts, the company said in a blog post. The announcement comes the same day as a Reuters report that Microsoft did not warn Hotmail users their email accounts had been accessed by a group associated with the Chinese government.

Users will be notified if services they access through Microsoft Account logins, including Outlook.com and OneDrive, have been breached by a government organization or hackers working for governments. The company already notifies users if an unauthorized third party tries to access their accounts, but Scott Charney, Microsoft corporate vice president of trustworthy computing, wrote that state-sponsored attacks “could be more sophisticated or sustained than attacks from cybercriminals.”

Getting a notification does not mean an account has been hacked, but that Microsoft has evidence it has been targeted by state-sponsored attackers and extra steps, like turning on two-factor authentication and changing passwords, need to be taken by users.

Charney did not specifically mention the Reuters article in his post, but a Microsoft representative told the news agency that it plans to change its policy to notify email users of state-sponsored attacks. Charney did state, however, that the new notifications “do not mean that Microsoft’s own systems have in any way been compromised.”

The email attacks covered by the report were first discovered by security software maker Trend Micro in May 2011 and found to have begun in July 2009. During that time, email accounts from international leaders of the Uighur and Tibetan communities (two Chinese minorities under heavy surveillance by the government), African and Japanese diplomats, and human rights lawyers were breached.

Microsoft forced targeted users to reset their passwords, but did not give them more details about the attack. Two former Microsoft employees told Reuters that the company did not give explicit warnings in part because of the risk of reprisals from the Chinese government.

In a media statement, a Microsoft representative said “Our focus is on helping customers keep personal information secure and private. Our primary concern was ensuring that our customers quickly took practical steps to secure their accounts, including by forcing a password reset. We weighed several factors in responding to this incident, including the fact that neither Microsoft nor the U.S. government were able to identify the source of the attacks, which did not come from any single country. We also considered the potential impact on any subsequent investigation and ongoing measures we were taking to prevent potential future attacks.”

Via: techcrunch

2016 Cybersecurity Predictions

The great sage and Hall of Fame baseball player Yogi Berra once noted, “It’s tough to make predictions, especially about the future.”

And so I will venture out to make predictions, many of which should be considered warnings, for 2016 — all the while remaining cognizant of the words of the Chinese philosopher Lao Tzu that “those who have knowledge, don’t predict. Those who predict don’t have knowledge.”

So here are cybersecurity predictions for 2016:

  1. Nation-states will continue battling for control (overt and covert) of Internet infrastructure components, including energy facilities, further polarizing the cyber intelligence landscape. What started as intelligence sharing between Iraq, Russia, Iran and Syria in the fight against ISIS might well develop into a new coalition in cyberspace to counteract the “Five Eyes” intelligence alliance, with China and the EU having to pick sides. Cyber criminals will join hacktivists and nation-states in the race to dominate endpoints, whether mobile or stationary. Malware wars on the endpoint and malware hijacking will escalate significantly, as the demand for distributed bots grows and the supply of vulnerable hosts gets depleted.
  2. As more and more people do large amounts of their financial dealings on their smartphones, these devices will increasingly be targeted by identity thieves seeking to exploit vulnerabilities in Android systems and Apple’s iOS. Hackers will also take advantage of smartphone users failing to use basic security precautions, such as having a complex password for their smartphones or failing to install and continually update anti-virus and anti-malware software. Mobile botnets will overtake PC-based ones with a vengeance, as the number of poorly protected devices, as well as their bandwidth and processing power, grows exponentially. New strains will utilize every possible communication channel (4G/LTE, Wi-Fi, Bluetooth, NFC) to circumvent blocking, spread faster, and become more resilient. GPS tracking, hot miking, interesting camera angles, and the potential to jump air gaps make mobile an irresistible hacking platform.
  3. The Internet of Things will increasingly be exploited by hackers. With more and more products including cars, refrigerators, coffee makers, televisions, smartwatches, webcams, copy machines, toys and even medical devices being connected to the Internet, the Internet of Things will become a prime target for hackers to exploit in many ways. It will evolve into household terrorism (a smart toaster can really ruin your morning by mounting a DDoS attack on the coffeemaker), and that’s in the best-case scenario. In the worst case, the explosion and propagation of an unchecked number of mostly unprotected but well-connected devices can blow through the best-designed cyber defenses – anything from a thermostat to a sprinkler can now be used as an entry point to the enterprise or home network.
  4. Behavioral Analytics will continue to mature its Predictive capabilities, aided by better data coverage, increased security monitoring, advances in machine learning, and a deeper understanding of adversary tactics, techniques and procedures, including insider threat. We’ll start to see gradual adoption of Prescriptive analytics too – automated response to well-known scenarios – as well as a significant shift from batch processing to real-time Streaming Analytics enhanced by the rich context of historical data.
  5. We will get better at fighting cybercrime. The only way to stop the attacks is to make the cost outweigh the benefits. Crime cannot go unpunished, and the punishment has to extend beyond perpetrators: facilitators and benefactors have to be held responsible too. Cyber-insecurity is another factor that lowers the cost of cybercrime. Product safety should extend into cyberspace, and a buggy router has to be treated as seriously as a faulty airbag, subject to safety recall and hefty fines.
  6. Although in the wake of the massive data breach at the Office of Personnel Management (OPM) the federal government has made a concerted effort to increase computer security, the problem is too big and the government is too cumbersome to make the dramatic across-the-board changes necessary to prevent another major and embarrassing data breach at one or more federal agencies.
  7. The financial system will come under increased attack in creative ways, such as stealing “insider” information and using it to profit through stock trading. Pump-and-dump schemes will be done on a large scale based on stolen data identifying vulnerable victims. Banks worldwide will continue to be targeted by criminals attacking not just particular accounts, but the accounting systems of the banks, to make their crimes more difficult to recognize.
  8. The health care industry will remain the largest segment of the economy to be victimized by data breaches, both because, as an industry, it does not provide sufficient data security and because the sale of medical insurance information on the black market is more lucrative than selling stolen credit and debit card information. Medical identity theft is not only the most costly for its individual victims to recover from, but also presents a potentially deadly threat when the identity thief’s medical information becomes intermingled with the victim’s medical records.
  9. Although data breaches have not been discovered at major retailers during this holiday shopping season, that does not mean that they have not occurred. It only means that they have not yet been discovered. You can expect that in 2016 we will learn about major retailers whose credit and debit card processing equipment has already been hacked.
  10. The computers of the candidates for President of the United States present too tempting a target to a wide range of hackers, from those merely looking to embarrass a candidate to those seeking financial information about political contributions. Expect one or more candidates to have their campaigns’ computers hacked.
  11. As more and more data migrates to the cloud, hackers will focus their attention on infiltrating the cloud. As so often is the case, the cloud may be more vulnerable due to the security measures used by the people and companies using the cloud rather than inherent security weaknesses in the companies providing cloud services.

In addition, get ready for these next five cybersecurity challenges in the New Year:

1. Tor Troubles

There will be a greater percentage of reconnaissance, attacks and exfiltration over Tor, anonymous proxies and related mechanisms for encrypted, anonymized communication. The Tor Project runs an anonymous browsing service, which was breached in 2014 through rogue relays that appear to have been targeting people who operate or access the service’s features. The attack essentially modified Tor protocol headers to carry out traffic confirmation attacks.

2. Incident Prevention

In the New Year, there will be a strong need to integrate incident prevention, detection and response for more rapid risk mitigation in the face of a growing volume of overall attacks. This will ring true with companies that were breached and those that were not. Outmaneuvering the bad actors remains a constant challenge in the security world.

3. Lines Increasingly Opaque

The lines separating nation-state actors and cybercriminals will become increasingly opaque as talent, tools and techniques are used across both camps. This makes the law enforcement side of the equation even more vital as the FBI and other agencies set out to catch the criminals.

4. Predictive Intelligence

We’ll see an increased need for predictive intelligence that helps organizations understand the ‘who, what, where and how’ of attacks before they hit their organization. IBM and others have invested heavily in security software that taps into big data to prevent attacks with predictive intelligence.

5. Incident Response

Robust intelligence-driven incident response solutions coupled with incident responder services will be the norm for post-incident risk mitigation. McAfee and other security software companies have been placing a greater emphasis on this approach to combat threats and maintain service availability even in the face of a cyberattack.

Even More Cybersecurity Predictions

Looking back at 2015, we remember the vast array of breaches and hacks, as well as new technologies designed to stop the bleeding of critical data from within organizations.

There will be massive security vendor consolidation and thinning of the masses from single vendor point solutions.

Single-use credit card numbers or two-step authentication will become attractive options for curbing compromised credit card information.

A true username and password replacement will evolve.

And, last but not least, we may see — or at least hope to see — secure, always-on communications for all mobile devices.

Via: usatoday; Igor Baikalov, enterprise-security-today