Monthly Archives: April 2016

Decryption Tool Released for CryptXXX Ransomware

Researchers have developed a utility that allows victims affected by CryptXXX ransomware to decrypt their files for free.

CryptXXX is one of the newest crypto-ransomware samples to be observed in the wild. It is being delivered to users as a Dynamic-Link Library (DLL) dropped by Bedep, a piece of malware which has the ability to download additional harmful software onto a victim’s computer.

Currently, malicious websites hosting the Angler exploit kit are helping to distribute Bedep to unsuspecting users.

Once it fully installs itself on a victim’s machine, CryptXXX appends the .CRYPT extension to each infected file, displays a ransom message, and asks for US $500 in payment. That demand will double in value if the fee has not been paid within a few days.

CryptXXX can also steal Bitcoins and other information, capabilities which security firm Proofpoint feels might link the ransomware directly to the authors of Angler and Bedep.

Victims of crypto-ransomware who have no clean backup have little choice but to pay the ransom in most cases.

Fortunately, researchers at Kaspersky Lab have given users affected by CryptXXX another option.

“The RannohDecryptor utility was initially created to decrypt files, which suffered from Rannoh ransomware,” Kaspersky says in a post. “In time it acquired additional and useful features. Now it can be used to cure your files from CryptXXX activity.”

Victims of the ransomware should download Kaspersky’s utility (available here), open “Settings,” and choose which drive types they want scanned. They should then click “Start scan” and point the tool at one encrypted .CRYPT file.

The tool then asks for the location of the original, unencrypted copy of that same file (from a backup, a sent email attachment, or a sync folder). With that pair in hand, it looks for all other files with the .CRYPT extension and attempts to decrypt those as well.
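The decryptor’s prerequisite is the part that trips people up: you need at least one file in both its encrypted and its original form. The helper below is an added example (not part of the original article and not Kaspersky’s code) that does that legwork. It lists every .CRYPT file under a directory and, because CryptXXX keeps the original file name and only appends the extension, matches each one by name against a set of candidate unencrypted copies such as a backup share. The paths in the demo are constructed.

```python
import os
from pathlib import Path

# CryptXXX keeps the original file name and appends this extension.
CRYPT_EXT = ".crypt"


def is_encrypted(path):
    """True for 'report.docx.CRYPT', 'IMG_001.jpg.crypt', and so on."""
    return Path(path).suffix.lower() == CRYPT_EXT


def original_name(path):
    """'report.docx.CRYPT' -> 'report.docx': the name the file had before encryption."""
    p = Path(path)
    return p.with_suffix("") if is_encrypted(p) else p


def scan_tree(root):
    """Walk a directory tree and return every .CRYPT file found (case-insensitive)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if is_encrypted(f))
    return hits


def find_crypt_pairs(encrypted_paths, candidate_paths):
    """Pair each encrypted file with unencrypted copies of the same file.

    Matching is on file name only, since the ransomware does not rename files;
    candidates that are themselves .CRYPT files are ignored. Returns
    (pairs, unmatched): pairs maps encrypted path -> list of original copies,
    unmatched lists encrypted files for which no original copy was found.
    """
    by_name = {}
    for cand in candidate_paths:
        if is_encrypted(cand):
            continue
        by_name.setdefault(Path(cand).name, []).append(str(cand))

    pairs, unmatched = {}, []
    for enc in encrypted_paths:
        name = original_name(enc).name
        if name in by_name:
            pairs[str(enc)] = by_name[name]
        else:
            unmatched.append(str(enc))
    return pairs, unmatched


def report(encrypted_paths, candidate_paths):
    """Summarise what the decryptor has to work with."""
    pairs, unmatched = find_crypt_pairs(encrypted_paths, candidate_paths)
    return {
        "encrypted_files": len(encrypted_paths),
        "with_original_copy": len(pairs),
        "without_original_copy": len(unmatched),
        "first_pair": next(iter(pairs.items()), None),
    }


if __name__ == "__main__":
    # Constructed paths standing in for a victim's home directory and a backup share.
    encrypted = [
        "/home/alice/docs/report.docx.CRYPT",
        "/home/alice/photos/IMG_001.jpg.crypt",
        "/home/alice/notes.txt.CRYPT",
    ]
    backup = [
        "/mnt/backup/2016-04-01/docs/report.docx",
        "/mnt/backup/2016-04-01/photos/IMG_001.jpg",
        "/mnt/backup/2016-04-01/other.txt",
    ]
    for key, value in report(encrypted, backup).items():
        print(f"{key}: {value}")
```

On a real machine you would feed `scan_tree("/home/alice")` into `find_crypt_pairs` together with `scan_tree` over the backup mount (with the `.CRYPT` filter inverted); any single entry in `pairs` is enough to give the decryptor its original/encrypted pair.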

Ransomware infections pose a significant threat to users’ and organizations’ data. Fortunately, people can take certain steps to protect themselves against variants like CryptXXX.

Via: tripwire

PCI DSS version 3.2 release extends multifactor authentication requirement

The PCI Data Security Standard version 3.2 released Thursday not only includes new requirements to safeguard payment data, including multifactor authentication, but also “advocates that organizations focus on people, process and policy, with technology playing an important role in reducing the overall cardholder data footprint,” PCI Security Standards Council General Manager Stephen Orfei said in a release.

The council’s chief technology officer (CTO), Troy Leach, said the time has come for multifactor authentication, which the updated standard requires of anyone who has administrative access to the cardholder data environment.

“Previously this requirement applied only to remote access from untrusted networks. A password alone should not be enough to verify the administrator’s identity and grant access to sensitive information,” Leach said in the release. “Additionally, service providers, specifically those that aggregate large amounts of card data, continue to be at risk.”

The latest version of the maturing standard “includes a number of updates to help these entities demonstrate that good security practices are active and effective,” he said.

Among the changes are revised Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) sunset dates, outlined in the Bulletin on Migrating from SSL and Early TLS, as well as additional security validation steps for service providers that roll in the previously separate “Designated Entities Supplemental Validation” (DESV) criteria.

Last spring’s out-of-band PCI DSS version 3.1 release gave organizations a 14-month transition period to move away from SSL and early TLS, protocols that had been in use for years and were assumed secure until attacks such as POODLE (against SSL 3.0) and BEAST (against TLS 1.0 with CBC cipher suites) exploited weaknesses in them.

“The most critical aspect of PCI DSS version 3.2 is the solidified migration away from SSL and early TLS, which have been in use for years and assumed secure until more recent high-profile vulnerabilities were discovered (i.e. POODLE),” Michael Petitti, senior vice president of global alliances at Trustwave, said. “In fact, both are still quite a bit in use and will require a shift in the market for a complete migration over the next two years and beyond.”
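For a web-facing component of the cardholder data environment, the migration the bulletin and Petitti describe comes down to a server configuration change. As an added illustration (not part of the original article and not guidance issued by the Council), the nginx fragments below show a listener that still accepts SSL 3.0 and TLS 1.0 next to the corrected one; the hostname and certificate paths are placeholders.

```nginx
# Before: SSLv3 and TLS 1.0 are still offered, so a client can be driven down
# to exactly the protocols POODLE (SSL 3.0) and BEAST (TLS 1.0 CBC) target.
server {
    listen 443 ssl;
    server_name payments.example.com;           # placeholder
    ssl_certificate     /etc/ssl/example.crt;   # placeholder
    ssl_certificate_key /etc/ssl/example.key;   # placeholder
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}

# After: only TLS 1.2 is negotiated. The Council's migration guidance accepts
# TLS 1.1 but strongly encourages 1.2, and a CDE has little reason to keep 1.1.
server {
    listen 443 ssl;
    server_name payments.example.com;           # placeholder
    ssl_certificate     /etc/ssl/example.crt;   # placeholder
    ssl_certificate_key /etc/ssl/example.key;   # placeholder
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
}
```

After reloading, `openssl s_client -connect payments.example.com:443 -tls1` should fail to complete a handshake while the same command with `-tls1_2` succeeds; the pair of transcripts is a convenient evidence artifact for an assessor. Expect breakage from clients that only speak TLS 1.0, which is why the transition window exists.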

Petitti added that “the two-factor authentication (2FA) for admins of Cardholder Data Environments (CDE) is pretty big, as well as the update to the standard tacitly acknowledging internal threats.”

And Chris Strand, senior director of compliance – IT governance, risk, and security audit programs at Carbon Black, noted that “many of the changes enforce the need to prove continuous control over device and asset configurations including the applications within their Card Data Environment (CDE) and endpoints.”

Since “service providers are also being pulled into the mix more so than in previous versions of PCI in terms of liability and accountability,” Strand said, “merchants now need to prove and ensure that controls are effectively in place following ANY change in the card data environment. They must also ensure that applications are being monitored consistently and prove that what is defined as CDE is truly CDE.”

The new release will help “PCI DSS bridging more industries as it becomes a baseline standard for measuring security posture,” he explained. “For example, many healthcare organizations have PCI implications, and if they were to put these new measurements in place, they would be well-positioned to effectively measure their healthcare regulation posture and, more importantly, defend against the onslaught of ransomware attacks currently occurring.”

But the anticipated changes to PCI DSS didn’t meet expectations for many security pros. They fell “far short of actually improving the security of cardholder data,” Brian NeSmith, Arctic Wolf CEO and co-founder, said in comments sent to the publication. “History has proven that this rear view mirror approach to security – focusing on protecting the assets alone does not meaningfully improve security. By the time you see it, it’s too late; it’s already happened. What the industry really needs is to improve its threat detection and response capabilities in order to catch the bad guys before the damage is done.”

Billy Austin, vice president of security at MAX Risk Intelligence by LOGICnow, echoed that criticism, saying that despite a “fairly lengthy set of requirements,” version 3.2 doesn’t adequately address the threats that the industry faces.

“Attackers are successful for numerous reasons, although at the end of the day, they are focused on systems outside of these ‘PCI DSS’ controlled zones,” he said in a statement. “The two most popular attacks are extortion and exfiltration. Extortion is the means of coercing one to pay for compromised data while exfiltration is the means of extracting data in an unauthorized manner.”

Not only do “data thieves have access to a plethora of automated black market attack code,” he said, “what’s frightening is they are using old techniques to proliferate systems and most are ‘compliant’ organizations.”

Strand said PCI has “plenty left” to tackle – “from individual updates to requirements that fit with new paradigms, to major theme changes.”

These elements are musts “to allow effective coverage against the growing threats targeting CDE,” he said, contending that “PCI is under a gradual paradigm change that started before the 3.0 release, further asserting the standard as a baseline and requiring more tuning.”

Via: scmagazine

On the Horizon – HIPAA OCR Phase 2 Audits

This year’s HIPAA Summit, the 24th, was held in Washington, D.C., and featured some of the most preeminent leaders in the field from both the private and public sectors.

On day two of the conference, March 22, the Director of the Office for Civil Rights (OCR), Jocelyn Samuels Esq., announced that Phase 2 of the HIPAA OCR audits was beginning. In fact, she said that by the time her talk was over, the entities chosen for the audit selection pool would begin receiving notices.

True to her word, emails immediately began to hit inboxes with the subject line “OCR HIPAA Audit – Entity Screening Questionnaire.” In the interest of full disclosure, the author received just such an email in his role as Privacy Officer.

These emails gave the recipient 30 days to respond to a pre-audit questionnaire, and then the waiting game begins. If you would like to see the types of questions being asked in the pre-audit questionnaire, see here.

If the entity is selected, it will have 10 days to respond to the audit questions and provide the necessary documentation. In all, the OCR will perform about 200 audits, split into two rounds.

In the first round, approximately 150 covered entities will be audited, the large majority through “desk audits” of a specific content area:

  • Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures
  • Security Rule requirements for administrative, physical, and technical safeguards
  • Requirements for the Breach Notification Rule

The desk audits will quite literally be a review, at an OCR auditor’s desk, of the materials, policies, procedures and documentation you submitted in response to their questions. The focus of these desk audits will be narrow and aimed specifically at the policies and procedures of one of the content areas listed above.

For now, it appears that each desk audit will be limited to one of the bulleted areas above. The timeline will be short as well, with most audit results delivered back to the auditee within 30 days of receipt.

In addition to these desk audits, a small percentage of the first round covered entities will be selected for on-site audits, a far more rigorous and in-depth experience that will include the physical presence of OCR auditors at the work site(s) for a period of 3-5 days. These audits will likely include multiple content areas, if not all.

After the on-site presence, the entity will receive a list of questions it must then answer within 10 days, providing the requested comments, materials, policies, procedures and documentation. As with the desk audits, the entity will then receive notice of the outcome of the audit within 30 days.

After the first round of audits is complete, the OCR will move on to audit approximately 50 business associates identified by the covered entities in the first round. These audits will proceed in much the same way as the desk and on-site audits: notification letters will go out and auditees will then have a set amount of time to respond to the questions.

Fortunately for us, the OCR is transparent as to what it will require and look for in these audits – the audit protocol is an easy-to-use 420-page document found here. That said, if you are chosen and this document is daunting (it is quite daunting), another option is to run through the NIST SP 800 tool I previously reviewed. This tool matches up and automates the questions you will need to answer for the audit and was developed in conjunction with NIST and the OCR.

If you have not received notice of your selection to be in the audit pool, never fear. The notices will continue to be sent out on an ongoing basis until the OCR obtains a satisfactory pool of entities it wants to audit.


“Don’t Panic” ~Douglas Adams

Seriously, don’t panic. This is not a punitive audit, it is a compliance improvement audit aimed at getting a good barometer reading on the current state of HIPAA compliance in the industry.

The process is designed to help the OCR identify gaps and develop resources that can assist entities in working towards HIPAA compliance. As evidenced by the newly redesigned and launched OCR website, there appears to be a real commitment to simplifying HIPAA compliance and empowering individuals and covered entities alike.

The good news is that this is not the first time the OCR has performed audits, and all signs point to a similar audit process to what we saw in 2012. Thankfully, the OCR is transparent about how these audits worked and there is plenty of official material on what happened, when it happened, who it happened to, and the results of Phase 1 Audits, found here.

But seriously, don’t panic.

Via: tripwire

MazarBOT Android Malware Distributed via SMS Spoofing Campaign

In the fall of 2015, Heimdal Security detected a post-office email scam targeting unsuspecting Danish users. The campaign sent out fake emails purporting to originate from PostNord and Post Denmark; clicking the links in those emails downloaded Cryptolocker2 ransomware onto users’ machines.

Several months later, Heimdal has now spotted another scam campaign spoofing legitimate organizations in Italy and Denmark, including Post Denmark. This campaign uses spam SMS messages to distribute a form of Android malware known as MazarBOT.

Heimdal explains in a blog post that the campaign begins with an SMS message (reproduced in the original post) which, translated into English, reads:

“Your package is available for pick up. Follow link to see all the information on your package.”

Clicking on the shortened link leads to www[.], a URL which downloads the malicious Android application package (APK) file for MazarBOT.

Security researchers at real-time threat intelligence firm Recorded Future first detected the Android malware back in November of 2015. They found MazarBOT for sale on an underground web market.

At the time, there was no indication any real-life malware campaigns were actively distributing MazarBOT.

That has since changed.

In February, news broke of a malware campaign infecting users with MazarBOT. The malware spread via SMS texts that asked users to click on a link in order to view a multimedia message. That link, in turn, loaded the malware’s APK file.

Once it has been fully installed on the victim’s Android device, MazarBOT has the ability to open, monitor and control backdoors on the device; send SMS messages to premium-rate numbers, which drives up the victim’s mobile phone bill; read SMS messages, including two-step verification codes; use the “Polipo proxy” to launch man-in-the-middle (MitM) attacks; and inject itself into the mobile Google Chrome browser.
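The capabilities listed above map onto permissions and components an analyst can read straight out of a decoded AndroidManifest.xml (the manifest inside an APK is binary XML, so decode it first with apktool or aapt). The triage routine below is an added example, not code from Heimdal, Recorded Future or the original article; the two manifests are constructed, the package names are placeholders, and the verdict is a heuristic, since a legitimate messaging app requests the same SMS permissions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permissions behind the behaviour described above: reading incoming SMS
# (including two-step verification codes) and sending SMS to premium numbers.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.WRITE_SMS",
}
# Permissions that support persistence and a command channel.
SUPPORTING_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.READ_PHONE_STATE",
    "android.permission.SYSTEM_ALERT_WINDOW",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(manifest_xml):
    """Return the SMS-related indicators found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}

    device_admin = False
    sms_receiver = False
    for receiver in root.iter("receiver"):
        # A receiver protected by BIND_DEVICE_ADMIN is a device-admin component,
        # which malware uses to resist uninstallation.
        if receiver.get(ANDROID + "permission") == BIND_DEVICE_ADMIN:
            device_admin = True
        # A receiver registered for SMS_RECEIVED sees messages as they arrive,
        # which is how verification codes get intercepted.
        for action in receiver.iter("action"):
            if action.get(ANDROID + "name") == SMS_RECEIVED:
                sms_receiver = True

    # Heuristic: both reading and sending SMS, combined with device-admin or an
    # SMS receiver, is the profile worth a closer look.
    suspicious = (
        "android.permission.SEND_SMS" in requested
        and bool(requested & {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"})
        and (device_admin or sms_receiver)
    )
    return {
        "package": root.get("package", ""),
        "sms_permissions": sorted(requested & SMS_PERMISSIONS),
        "supporting_permissions": sorted(requested & SUPPORTING_PERMISSIONS),
        "device_admin": device_admin,
        "sms_receiver": sms_receiver,
        "suspicious": suspicious,
    }


# Constructed manifest resembling a "parcel tracking" lure; not a real sample.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.parceltracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Parcel Tracker">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest for a benign app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The `android:priority` on the SMS intent filter is worth noting on its own: a high value lets the receiver handle the message before the default messaging app, which is what makes silent interception of one-time codes possible on older Android releases.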

Currently, this particular MazarBOT campaign is believed to have affected 400 Android devices in Denmark and 1,500 in Italy.

Android malware families, especially those capable of using SMS texts as a distribution vector, are a persistent threat to mobile users’ security. With that in mind, Heimdal recommends that users adhere to the following security guidelines:

  • Avoid clicking on suspicious links sent via SMS, MMS, or email.
  • Install applications only from trusted sources found on the Google Play Store.
  • Maintain an up-to-date mobile antivirus app.
  • Use a mobile VPN.
  • Avoid the use of public or open Wi-Fi hotspots.

For more information on how you can protect yourself against MazarBOT and other Android malware, please see Heimdal’s post here.

Via: tripwire

94 Percent of IT Pros See Free Wi-Fi Hotspots as a Significant Security Threat

Sixty-two percent ban their mobile workers from using free Wi-Fi hotspots, a recent survey found.

A recent survey of 500 CIOs and IT decision makers in the U.S., U.K., Germany and France found that fully 94 percent of respondents see free Wi-Fi hotspots as a significant mobile security threat to their organizations.

The survey, conducted by Vanson Bourne for iPass, also found that 62 percent of respondents ban their mobile workers from using free Wi-Fi hotspots, and another 20 percent are planning to enforce such bans in the future.

Ninety-two percent of respondents said they’re concerned about the security challenges posed by a growing mobile workforce.

“Wi-Fi is a disruptive technology that has changed the way people work, but in recent times it has also introduced formidable mobile security concerns,” iPass vice president of engineering Keith Waldorf said in a statement. “Being connected is the basic requirement of every mobile worker. However, with increasing numbers of businesses falling afoul of security breaches, the number of organizations expressing a concern about mobile security is high.”

“The use of free and insecure Wi-Fi hotspots in particular is a growing concern, as organizations balance the need for low-cost and convenient connectivity against the potential threat posed by hackers,” Waldorf added.

When asked to name their organization’s biggest mobile security threat, the leading responses were free Wi-Fi hotspots (37 percent), employees’ lack of attention to security (36 percent), and the devices used by employees (27 percent).

Fully 88 percent of respondents said they’re struggling to enforce a safe mobile usage policy.

Separately, a Crowd Research Partners survey of 800 cyber security professionals found that the leading inhibitors of BYOD adoption are security (39 percent) and employee privacy (12 percent).

The leading security concerns regarding BYOD are data leakage/loss (72 percent), unauthorized access to company data and systems (56 percent), users downloading unsafe apps or content (54 percent), malware (52 percent), and lost or stolen devices (50 percent).

One in five organizations acknowledged having suffered a mobile security breach, primarily driven by malware and malicious Wi-Fi.

When asked if any of their BYO or corporate-owned devices had downloaded malware in the past, 39 percent of respondents said yes, 26 percent said no, and 35 percent weren’t sure. And when asked if any of their BYO or corporate-owned devices had connected to malicious Wi-Fi in the past, 24 percent of respondents said yes, 28 percent said no, and 48 percent weren’t sure.

Still, only 30 percent of organizations plan to increase their security budgets for BYOD in the next 12 months.

“The threat of data leakage is more prevalent than ever as employees look to access sensitive corporate information on mobile devices outside the corporate network,” Bitglass CEO Nat Kausik said in a statement. “Unfortunately, few organizations have adequate risk control measures in place.”

Via: esecurityplanet

Software audits: How high tech plays hardball

‘Truing up’ licenses amounts to billions of dollars in revenue for the major software makers. Here’s where the money goes — and how it’s extracted.

When the software audit request came from Adobe two years ago, Margaret Smith (not her real name) thought it was business as usual. As a governance risk and compliance specialist for a Fortune 500 company, she was used to getting audited several times each year.

“Usually these things start out friendly,” she says. “We get a request for an audit, and there’s some negotiation involved. They want to do an on-site audit or request specific employee IDs, and we say no. But this time they came out swinging. Within two weeks they were threatening to bring in the lawyers.”

Smith’s firm, a maker of consumer goods, had licensed at least 55 different Adobe products in offices around the globe. Now the software maker was accusing her firm of using far more software than it had a right to.

The stakes were high. Adobe could have levied penalties on top of outstanding license fees, charged her firm for the cost of the audit, and asked for retroactive payments from a certain date.

But Margaret was no pushover. She worked for a huge organization that managed more than 4,000 software products and had a pretty good handle on how compliant they were.

It turns out there was a conflict between language in the license agreement the company signed and supporting documents Adobe considered part of that agreement. In the end, they settled. The consumer goods maker agreed to additional controls for how it deployed software, and Adobe dropped the matter (and, not surprisingly, declined to comment for this story).

But it could have gotten ugly. And it’s emblematic of how aggressive major software publishers have become.

That audit was a key factor in her company’s decision to implement a software asset management solution from Snow Software, says Smith. “It was the perfect example to support my theory that the first step in gaining compliance is understanding what you’re working with.”

When it comes to software audits, the code of omertà prevails.

If you buy it, they will come

It’s not a question of whether your organization’s software licenses will get audited. It’s only a question of when, how often, and how painful the audits will be. The shakedown is such a sure thing that nearly every customer we contacted asked us to keep their names out of this story, lest it make their employers a target for future audits.

Audits are on the rise, and they’re getting more expensive. According to Gartner, 68 percent of enterprises get at least one audit request each year, a number that has climbed steadily each year since 2009. The most frequent requests come from the usual suspects: Microsoft, Oracle, Adobe, IBM, and SAP.

A survey by Flexera, a software asset management vendor, reports that 44 percent of enterprises have had to pay “true up” costs of $100,000 or more, and 20 percent have paid in excess of $1 million — percentages that have more than doubled over the past year.

IDC’s Amy Konary estimates that up to 25 percent of an organization’s software budget will be spent dealing with license complexity alone.

“There are two aspects to this, and both are hard to pin down,” says Konary, vice president responsible for leading IDC’s SaaS, Business Models, and Mobile Enterprise Applications programs. “The first is overbuying. How much extra software are you purchasing to mitigate the risks of being out of compliance? The second is underbuying. You get audited, you find you’ve used more software than anticipated, and you end up spending more in the true-up. It’s difficult to rightsize your software environment due to the complexity of licensing.”

More than a quarter of all software installed in large U.S. and U.K. enterprises is shelfware, with a collective cost exceeding $7 billion, according to research by 1E, a software lifecycle automation company. Add to that the hidden costs of business interruption for audits that can last 18 months, and the final price tag can be enormous.

In short, enterprises are leaving a lot of money on the table — and software publishers are more than happy to scoop up as much of it as they can.

Audits are sales tools

Technically, a software audit is a way to prove you’ve installed only software you’ve paid for, or for a publisher to prove you’ve installed or used too much. But the audit process often ends with the customer signing a check, either to pay for software that was over- or misinstalled, or to strike a new deal for a longer-term commitment.

“There is going to be a sale at the end of an audit,” says Peter Turpin, vice president at Snow Software. “Auditing is a way of collecting money for the software a customer has installed. Therefore you need to pay for it.”

But major publishers also use the threat of an audit as a way to close new deals, says Craig Guarente, co-founder of Palisade Compliance, which helps enterprises manage Oracle licensing issues.

For more than 15 years, Guarente was a global VP of contracts and business practices for Oracle. He says that for many years Oracle’s sales team had a “Glengarry Glen Ross”-inspired mantra called “ABC: audit-bargain-close.”

“You audit someone, find some issues, put some fear into their hearts, and throw a big number up there,” he says. “Then you close a deal on something else they want you to buy. Except these days I’m calling it ‘audit bargain cloud’ — throw in a cloud deal, and suddenly all your audit issues go away.”

Oracle in particular has been called out for aggressive software licensing practices. An October 2014 survey of Oracle customers by the Campaign for Clear Licensing concluded that customer relationships with Oracle “are hostile and filled with deep-rooted mistrust.”

In October 2015, the candy company Mars Inc. filed suit against Oracle, accusing the company of “out-of-scope” licensing enforcement based on “false premises.” The suit was dropped last December; terms of the settlement were not announced.

In an interview with U.K. tech news site V3 last February, Specsavers global CIO Phil Pavitt decried Oracle’s “gun-to-the-head methodology” for software licensing.

Oracle is certainly not alone in using audits as a negotiating tool. Customers contacted for this story confirmed similar pressure exerted by other publishers.

Over the long run, though, this aggressive approach merely breeds animosity, says IDC’s Konary. If a sales rep is using audits as a way to push sales, that usually means you have a bad sales rep, she says. Still, the pressure to make quarterly quotas can push them to be more aggressive.

“Sales managers don’t like software audits because they can wreck their relationships with customers,” she says. “But many also have sales quotas and a certain dollar amount they need to hit. There’s a bit of a misalignment.”

Clouds on the horizon

As more enterprises move toward software as a service, it should theoretically simplify how software is licensed and managed. But in the short term the opposite is true; operating in a hybrid cloud and on-premise environment makes everything more complex. For example, it’s all too easy for IT to spin up new services in the cloud as needed, without considering the licensing implications, says Ed Rossi, vice president of product management for Flexera.

“When you introduce the cloud, you also introduce a lot of complexity,” he says. “As clients take advantage of that, they put themselves in a position of using more software than they’re entitled to. I think we’re seeing an incremental increase in audits for that reason.”

Merely moving to the cloud will sometimes trigger an audit, says Konary.

“If you take on-premise software and move it to a cloud environment in your own data center, you are very likely to have licensing issues,” says Konary. “It’s such a dynamic environment, it becomes much more difficult to track what you’re actually using and stick to your license requirements.”

Using public cloud services poses less of a licensing challenge, she adds. Unless users are sharing passwords, it’s relatively straightforward to measure who’s using what.

Another reason that increased reliance on the cloud has been accompanied by a rise in audits: Companies that have made billions from on-premise software are trying to wring as much revenue out of them as possible while they still can, says Robin Purohit, Group President of BMC’s Enterprise Solutions Organization.

“We see audits from the big enterprise companies on the rise,” says Purohit. “These are the ones most vulnerable to the transition to software as a service. Their license growth is at risk, so they’re looking to maintain revenue from the customers they have as they build up their cloud and SaaS portfolio.”

Their tools, their rules

Many vendors will offer to help you figure out your license compliance issues. Don’t do it, advises Palisade’s Guarente.

“That can turn into what I call a ‘stealth audit,'” he says. “The vendor offers to ‘help’ the customer figure out his compliance issues, but it’s really an audit in disguise.”

He says one client was spending nearly $40,000 a year on Oracle maintenance and support contracts and asked Oracle to help him figure out how to reduce his spend. Oracle happily agreed. A few months later he got a compliance bill for more than $1 million. That’s when Palisade was brought in.

Oftentimes, vendors require customers to use specific tools to track their usage, but they don’t always do a good job of informing them about it, notes attorney Rob Scott, principal of Scott & Scott, LLP, a firm that specializes in resolving software audit disputes.

“One of the biggest horror stories we see surround IBM and its virtualization rules,” says Scott. “According to IBM, you can only deploy their virtual server software if you also deploy their proprietary discovery tool, which most customers only learn about the first time they are audited.”

IBM then comes in and says these virtual servers are licensed for subcapacity, but because you didn’t deploy our discovery tool you owe us for full capacity, adds Scott.

“I’ve seen that issue account for hundreds of millions of dollars of true-up fees for our client base alone,” says Scott. “It sounds esoteric, but it’s happening all over the world.”

When contacted, an IBM spokesperson confirmed that the company does require clients to use a free monitoring tool to track “subcapacity licensing.” In an email, she wrote:

Our software contracts are very clear on the requirements to take advantage of subcapacity licensing; this has been a part of all such contracts for more than a decade. In addition, we proactively reach out to our clients to ensure that they are familiar with the sub-capacity licensing opportunities and protocols.

Shelf where?

An audit may also reveal that you’re paying for software you don’t use. But don’t expect software publishers to tell you that.

“I don’t hear a lot about vendors coming to customers and saying, ‘Hey, you spent too much money with us’,” admits Konary. On the other hand, she adds, most vendors won’t initiate an audit unless they’re fairly confident the customer will need to true up.

Konary says enterprises could be buying the wrong types of licenses for their users — such as a developer’s license when a less expensive self-serve license would do.

“You may have much more expensive tiers than you need. Do you have the option to downgrade that? A lot of this shelfware discovery has to be initiated by the customer.”

While implementing software asset management tools can help, enterprises will also need to modify their processes around compliance and train people how to deal with the complexity, she adds.

In most cases, software publishers want to remain partners in good standing with their enterprise customers. But they also want to make as much money as possible. And that can strain partnerships to the breaking point.

“It’s really important to remember that publishers have a right to be paid for the software their customers are consuming,” says Snow’s Turpin. “Your best defense is a good offense. Equip yourself with the right management tools so that if you are out of compliance, you’ll know about it and can do something on your own terms.”

Via: itworld

City of Baltimore Investigates Possible Data Breach

Dozens of city employees’ personal information was used to file fraudulent tax returns.

The city of Baltimore, Maryland is working with federal and state authorities to determine how the personal information of dozens of city employees was stolen and used to file fraudulent tax returns, the Baltimore Sun reports.

On March 14, all city employees were notified of the potential breach and warned that they may be at risk of fraud. Current and prior employees are being offered free access to credit monitoring services.

City spokesman Howard Libit told the Sun that the pool of affected employees could be larger than officials currently know. The affected employees work for several different city agencies — it’s not clear what connection there may be between them.

“They’re related, as far as we know, only by the fact that they’re city employees,” Richard Forno, assistant director of the Center for Cybersecurity at the University of Maryland, Baltimore County (UMBC), told the Sun. “There’s still not enough to go on to say the city is to blame here.”

Donald F. Norris, director of the School of Public Policy at UMBC, told the Sun that local governments and other organizations that face serious financial constraints simply aren’t able to keep up with technological advances, because the modes of attack keep changing.

The 2016 Vormetric Data Threat Report found that government agencies’ leading barriers to adoption of better data security include concerns about complexity (51 percent), skill shortages (44 percent), and budget limitations (43 percent).

The report, based on a survey of 1,100 senior IT executives (including more than 100 in federal government agencies), was issued in conjunction with 451 Research.

Sixty-one percent of government agencies acknowledged having experienced a data breach, and almost one in five experienced a breach in the past year. Ninety percent of respondents said they feel vulnerable to data threats.

Still, 58 percent are planning to increase spending to offset threats to data, and 37 percent are increasing spending on data-at-rest defenses this year.

Top categories for increased spending among government respondents were network defenses at 53 percent, followed by analysis and correlation tools at 46 percent.

“Public sector organizations need to realize that doing more of the same won’t help us achieve an improved data security posture,” Vormetric vice president of marketing Tina Stewart said in a statement.

“More attention must be paid to techniques that protect critical information even when peripheral security has failed, and data-at-rest security controls such as encryption, access control, tokenization and monitoring of data access patterns are some of the best ways to achieve this,” Stewart added.

Via: esecurityplanet

IBM Researchers Warn of New GozNym Banking Trojan

The malware has already been used to steal $4 million from banks in the U.S. and Canada.

IBM X-Force researchers recently uncovered a new hybrid of the Nymaim and Gozi banking Trojans. The malware, which the researchers are calling GozNym, has already been used to steal $4 million from more than 22 banks in the U.S. and two in Canada, Forbes reports.

“The new GozNym hybrid takes the best of both the Nymaim and Gozi ISFB malware to create a powerful Trojan,” IBM executive security advisor Limor Kessem wrote in an analysis of the new malware. “From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers. The end result is a new banking Trojan in the wild.”

While the Gozi malware source code was leaked in 2010, nobody aside from the original Nymaim development team is believed to have access to the Nymaim source code. As a result, Kessem says the most likely scenario is that the Nymaim development team incorporated the leaked Gozi source code into their own malware.

Lastline CTO and co-founder Giovanni Vigna told eSecurity Planet by email that while it’s interesting to see two strands of malware merged, it’s not surprising. “As for any software that has to be flexible and reliable, malware has been modularized for a while, so that functionality can be reused or loaded as needed,” he said. “The stealth behavior of the malware highlights the need for sophisticated dynamic analysis that is able to identify both the overtly malicious actions and the attempts to hide the true nature of the code.”

And Lieberman Software vice president Jonathan Sander said by email that it’s frustrating for security professionals to see something like GozNym successfully stealing as much as $4 million. “You know you told both IT and the business how they needed to react to attacks of this type when the original threats emerged,” he said. “This just shows you that they didn’t really listen then.”

“One would think that once a bad guy has crawled in an unlocked window once everyone would remember to lock it up from then on,” Sander added. “When you walk by and see the open window and the missing valuables, all you can do is sigh, close it up again, and hope folks may heed your warning this time around.”

A recent RSA survey of more than 160 respondents worldwide found that only 7 percent of organizations are completely satisfied with their ability to detect and investigate threats using their current data and toolset.

Fully 92 percent of organizations said they can’t detect threats quickly, and 89 percent said they can’t investigate threats quickly.

“This survey reinforces our greatest fear that organizations are not currently taking, and in many cases are not planning to take, the necessary steps to protect themselves from advanced threats,” RSA president Amit Yoran said in a statement. “They are not collecting the right data, not integrating the data they collect, and focusing on old-school prevention technologies.”

Via: esecurityplanet

Outdated endpoints putting healthcare at risk

Large hospitals often have thousands of workstations used by multiple employees to access confidential patient data, so securing them can be a major challenge.

Endpoint security specialist Duo Security has compared its customers in healthcare with those in other industries to determine how the sector differs in its security requirements.

Among the findings are that healthcare customers log into twice as many applications as the average user, widening the attack surface. Twice as many healthcare endpoints have Flash installed, and three times as many healthcare customers have Java installed on their devices, again putting them at greater risk of vulnerabilities and exploitation.

Healthcare customers are also more likely to choose Internet Explorer 11 as their preferred browser, compared to the latest version of Chrome favored by other users. Around 22 per cent of healthcare customers browse dangerously on unsupported versions of IE.

Windows is by far the most popular OS in healthcare organisations at 82 per cent. Ten per cent of healthcare customers are on Windows 10, while another three per cent run the now unsupported Windows XP.

“Keeping endpoints up-to-date with the latest versions of operating systems, browsers, plugins and more is no simple task for healthcare IT admins. Furthermore, they may use applications with dependencies on software versions commonly targeted by malicious hackers,” says Mike Hanley, Director of Duo Labs. “It only takes one outdated device for a hacker to exploit a known vulnerability, install malware, steal passwords and/or gain access to an entire healthcare system and databases of patient data”.

In order to keep their endpoints safe, Duo recommends that healthcare organisations keep their OS, browsers, Flash, Java and other software up to date, and apply patches as soon as they’re available from vendors. They need to enable good security controls, like strong, unique passwords; two-factor authentication; and access security policies to detect, warn, notify and block outdated devices.

They should also enable and require a minimum standard of security features on users’ devices, including encryption, screen locks, passcodes, Touch ID and more. It’s also important that they encrypt patient data while in transit, and in storage, and never transmit it over public networks.
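The access policy Duo recommends above (detect, warn, notify and block outdated devices) can be reduced to a version check run over an endpoint inventory. The script below is an added example written for this post, not Duo’s code or product logic: the device records, the unsupported-OS list, the minimum browser versions and the risky-plugin list are all constructed to illustrate the idea, and a real deployment would feed it from an MDM or agent inventory and tune the thresholds to the vendors’ actual support status.

```python
"""Endpoint version-policy check (added example; not Duo Security's code).

Evaluates a constructed endpoint inventory against a minimum-version
policy and returns one action per device:
  "ok"    - meets policy
  "warn"  - supported but carries a risky plugin or an unknown browser
  "block" - unsupported OS or a browser below the minimum version
All hostnames, versions and policy values are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class Endpoint:
    host: str
    os: str                 # e.g. "Windows 10", "Windows XP"
    browser: str            # e.g. "IE", "Chrome"
    browser_ver: int        # major version
    plugins: Set[str] = field(default_factory=set)   # e.g. {"Flash", "Java"}

# Policy (constructed): OS names that no longer receive security fixes,
# minimum browser major versions, and plugins that should raise a warning.
UNSUPPORTED_OS = {"Windows XP"}
MIN_BROWSER = {"IE": 11, "Chrome": 50, "Firefox": 45}
RISKY_PLUGINS = {"Flash", "Java"}

def evaluate(ep: Endpoint) -> Tuple[str, List[str]]:
    """Return (action, reasons). A block finding outranks any warning."""
    block, warn = [], []
    if ep.os in UNSUPPORTED_OS:
        block.append(f"unsupported OS: {ep.os}")
    min_ver = MIN_BROWSER.get(ep.browser)
    if min_ver is None:
        warn.append(f"unknown browser: {ep.browser}")
    elif ep.browser_ver < min_ver:
        # Below the minimum means the browser is outside the supported line.
        block.append(f"{ep.browser} {ep.browser_ver} < minimum {min_ver}")
    for plugin in sorted(ep.plugins & RISKY_PLUGINS):
        warn.append(f"risky plugin present: {plugin}")
    if block:
        return "block", block + warn
    if warn:
        return "warn", warn
    return "ok", []

def check_fleet(endpoints: List[Endpoint]) -> Dict[str, Tuple[str, List[str]]]:
    """Apply the policy to every endpoint, keyed by hostname."""
    return {ep.host: evaluate(ep) for ep in endpoints}

def summarize(results: Dict[str, Tuple[str, List[str]]]) -> Dict[str, int]:
    """Count devices per action; useful for the notify step (e.g. a daily report)."""
    counts = {"ok": 0, "warn": 0, "block": 0}
    for action, _ in results.values():
        counts[action] += 1
    return counts

# Constructed inventory standing in for an MDM/agent export.
FLEET = [
    Endpoint("ward3-ws01", "Windows 10", "Chrome", 50),
    Endpoint("ward3-ws02", "Windows 7", "IE", 11, {"Java"}),
    Endpoint("lab-ws07", "Windows XP", "IE", 8, {"Flash", "Java"}),
    Endpoint("reg-ws04", "Windows 10", "IE", 10),
]

if __name__ == "__main__":
    results = check_fleet(FLEET)
    for host, (action, reasons) in results.items():
        detail = f" ({'; '.join(reasons)})" if reasons else ""
        print(f"{host}: {action}{detail}")
    print(summarize(results))
```

Running it on the constructed inventory marks the Windows XP workstation and the IE 10 workstation as blocked, the Windows 7 host with Java as a warning, and the fully patched host as ok. The distinction between warn and block is deliberate: a warning goes to the user and the helpdesk so the device can be updated, while a block is what the access policy enforces at login until the device is brought back within policy.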

Via: itproportal

Why the FBI director puts tape over his webcam – and you should too

FBI Director James Comey gave a speech at Kenyon College in Ohio last week, making his case that “absolute privacy” has never existed in America – until now, when encryption by default creates spaces where law enforcement cannot go, even with a court order.

Comey has made this kind of speech many times before, saying encryption in everyday products has tilted the balance between privacy and security too far in favor of privacy.

But during a question and answer session with students after his speech, Comey said something unexpected that caught the attention of privacy activists.

Comey commented that he puts a “piece of tape” over the webcam on his personal laptop.

That’s probably a good idea for someone as high-profile as Comey, as spies and hackers have made a habit of going after government officials and hacking their personal accounts.

Hackers can use malicious software called a remote access trojan (RAT) to take over your computer, record your conversations, or even turn on your webcam to spy on you.

RATs are perfect for surveillance, which is probably why the FBI has used similar malware to infect the computers of suspects in criminal investigations, court records have shown.

Comey’s admission about putting tape over his webcam got the immediate attention of a privacy activist who pointed out the irony of his statement.

Christopher Soghoian, a senior technologist and policy analyst with the ACLU, tweeted that Comey had created a “warrant-proof webcam,” and jabbed Comey with tweets saying “patriots don’t cover their webcams” and “anti lawful surveillance of webcam tech” (tape) is widely available.

Comey made his comment about taping over his webcam in response to a student’s question about panopticism – pervasive surveillance – and what effect it has when people become aware that “other people are listening.”

On balance, Comey said, public awareness of surveillance since the Snowden revelations is “a good thing,” because it should make people realize they have “a decision to make” about how the government balances security and privacy:

I don’t think it should freak you out. I think you should demand the details, demand to know how the government conducts surveillance, how they’re overseen, how they’re constrained, demand to know how these devices work, demand to know whether it is true.

I saw someone do this so I copied it … I put a piece of tape – I have a laptop, a personal laptop – I put a piece of tape over the camera because I saw somebody smarter than I am had a piece of tape over their camera.

And so I think you should channel it into a healthy awareness, a demand for information, and engagement – especially young people.

You can hear the question and answer in a Livestream video at around the 1:24 mark.

Comey’s comments on surveillance and privacy come just a few weeks after a stand-off between Apple and the FBI over a dead terrorist’s locked iPhone, when a court ordered Apple to create a backdoor to help the FBI get around the iPhone’s passcode and encryption.

These legal issues should be addressed by Congress and the courts, Comey says – although as technology changes, the laws will need to change to keep up.

The conversation about privacy, security and surveillance in our society needs to keep going, too.

What you can do to stop RATs

One high profile case that put the spotlight on RATs was that of Miss Teen USA Cassidy Wolf, who was blackmailed by a criminal who used the RAT known as “Blackshades” to take nude pictures of her through her webcam.

The FBI has a good description of what Blackshades in particular can do, which is a lot more than just taking control of your webcam:

[Blackshades RAT] allows criminals to steal passwords and banking credentials; hack into social media accounts; access documents, photos, and other computer files; record all keystrokes; activate webcams; hold a computer for ransom; and use the computer in distributed denial of service (DDoS) attacks.

Here are some simple tips you can use to defend against RATs and other malware that someone could use to spy on you:

  • Cover your webcam when you’re not using it with something non-transparent like tape, or point it towards the wall. If your webcam is embedded in your laptop, close the lid when not using your laptop or cover the camera with a webcam cover (like these cool ones available in The Sophos Store!).
  • Patch your OS (Windows, OS X) and applications (web browser, email and messaging client, etc.) as soon as security updates are available.
  • Malware often arrives in emails, so be wary of links and attachments in emails or social media messages from strangers. Even messages that appear to come from people you know could be faked by crooked hackers.
  • Keep your computer safe from RATs and other types of malware by installing security software and keeping it up to date.

Via: nakedsecurity