Monthly Archives: November 2016

When it comes to safeguarding your Internet security, installing an antivirus software or running a Secure Linux OS on your system does not mean you are safe enough from all kinds of cyber-threats.

 
Today majority of Internet users are vulnerable to cyber attacks, not because they aren’t using any best antivirus software or other security measures, but because they are using weak passwords to secure their online accounts.

 
Passwords are your last lines of defense against online threats. Just look back to some recent data breaches and cyber attacks, including high-profile data breach at OPM (United States Office of Personnel Management) and the extra-marital affair site Ashley Madison, that led to the exposure of hundreds of millions of records online.

 
Although you can not control data breaches, it is still important to create strong passwords that can withstand dictionary and brute-force attacks.

 
You see, the longer and more complex your password is, the much harder it is crack.

How to Stay Secure Online?

Security researchers have always advised online users to create long, complex and different passwords for their various online accounts. So, if one site is breached, your other accounts on other websites are secure enough from being hacked.

 
Ideally, your strong password should be at least 16 characters long, should contain a combination of digits, symbols, uppercase letters and lowercase letters and most importantly the most secure password is one you don’t even know.

The password should be free of repetition and not contain any dictionary word, pronoun, your username or ID, and any other predefined letter or number sequences.

 
I know this is a real pain to memorize such complex password strings and unless we are human supercomputers, remembering different passwords for several online accounts is not an easy task.

 
The issue is that today people subscribe to a lot of online sites and services, and it’s usually hard to create and remember different passwords for every single account.

 
But, Luckily to make this whole process easy, there’s a growing market for password managers for PCs and phones that can significantly reduce your password memorizing problem, along with the cure for your bad habit of setting weak passwords.

What is Password Manager?

Password Manager software has come a very long way in the past few years and is an excellent system that both allows you to create complex passwords for different sites and remember them.

 
A password manager is just software that creates, stores and organizes all your passwords for your computers, websites, applications and networks.

 
Password managers that generate passwords and double as a form filler are also available in the market, which has the ability to enter your username and password automatically into login forms on websites.

 
So, if you want super secure passwords for your multiple online accounts, but you do not want to memorize them all, Password Manager is the way to go.

How does a Password Manager work?

Typically, Password Manager software works by generating long, complex, and, most importantly, unique password strings for you, and then stores them in encrypted form to protect the confidential data from hackers with physical access to your PC or mobile device.

 
The encrypted file is accessible only through a master password. So, all you need to do is remember just one master password to open your password manager or vault and unlock all your other passwords.

However, you need to make sure your master password is extra-secure of at least 16 characters long.

Which is the Best Password Manager? How to Choose?

I’ve long recommended password managers, but most of our readers always ask:

• Which password manager is best?
• Which password manager is the most secure? Help!

So, today I’m introducing you some of the best Password Manager currently available in the market for Windows, Linux, Mac, Android, iOS and Enterprise.
Before choosing a good password manager for your devices, you should check these following features:

• Cross-Platform Application
• Works with zero-knowledge model
• Offers two-factor authentication (multi-factor authentication)

Note: Once adopted, start relying on your password manager because if you are still using weak passwords for your important online accounts, nobody can save you from malicious hackers.

Best Password Managers for Windows

Windows users are most vulnerable to cyber attacks because Windows operating system has always been the favorite target of hackers. So, it is important for Windows users to make use of a good password manager.

 
Some other best password manager for windows: Keeper, Password Safe, LockCrypt, 1Password, and Dashlane.

1. Keeper Password Manager (Cross-Platform)

Keeper is a secure, easy-to-use and robust password manager for your Windows, Mac, iPhone, iPad, and iPod devices.

Using military-grade 256-bit AES encryption, Keeper password manager keeps your data safe from prying eyes.

 
It has a secure digital vault for protecting and managing your passwords, as well as other secret information. Keeper password manager application supports Two-factor authentication and available for every major operating system.

 
There is also an important security feature, called Self-destruct, which if enabled, will delete all records from your device if the incorrect master password is entered more than five times incorrectly.

 
But you don’t need worry, as this action will not delete the backup records stored on Keeper’s Cloud Security Vault.

Download Keeper Password Manager: Windows, Linux and Mac | iOS | Android | Kindle

2. Dashlane Password Manager (Cross-Platform)

DashLane Password Manager software is a little newer, but it offers great features for almost every platform.

DashLane password manager works by encrypting your personal info and accounts’ passwords with AES-256 encryption on a local machine, and then syncs your details with its online server, so that you can access your accounts database from anywhere.

 
The best part of DashLane is that it has an automatic password changer that can change your accounts’ passwords for you without having to deal with it yourself.

 
DashLane Password Manager app for Android gives you the secure password management tools right to your Android phone: your password vault and form auto-filler for online stores and other sites.

 
DashLane Password Manager app for Android is completely free to use on a single device and for accessing multiple devices, you can buy a premium version of the app.

 
Download DashLane Password Manager: Windows and Mac | iOS | Android

3. LastPass Password Manager (Cross-Platform)

LastPass is one of the best Password Manager for Windows users, though it comes with the extension, mobile app, and even desktop app support for all the browsers and operating systems.

 
LastPass is an incredibly powerful cloud-based password manager software that encrypts your personal info and accounts’ passwords with AES-256 bit encryption and even offers a variety of two-factor authentication options in order to ensure no one else can log into your password vault.

 
LastPass Password Manager comes for free as well as a premium with a fingerprint reader support.

 
Download LastPass Password Manager: Windows, Mac, and Linux | iOS | Android

Best Password Manager for Mac OS X

People often say that Mac computers are more secure than Windows and that “Macs don’t get viruses,” but it is not entirely correct.

 
As proof, you can read our previous articles on cyber attacks against Mac and iOs users, and then decide yourself that you need a password manager or not.

 
Some other best password manager for Mac OS X:  1Password, Dashlane, LastPass, OneSafe, PwSafe.

1. LogMeOnce Password Manager (Cross-Platform)

LogMeOnce Password Management Suite is one of the best password manager for Mac OS X, as well as syncs your passwords across Windows, iOS, and Android devices.

 
LogMeOnce is one of the best Premium and Enterprise Password Management Software that offers a wide variety of features and options, including Mugshot feature.

 
If your phone is ever stolen, LogMeOnce Mugshot feature tracks the location of the thief and also secretly takes a photo of the intruder when trying to gain access to your account without permission.

 
LogmeOnce protects your passwords with military-grade AES-256 encryption technology and offers Two-factor authentication to ensure that even with the master password in hand, a thief hacks your account.

Download LogMeOnce Password Manager: Windows and Mac | iOS | Android

2. KeePass Password Manager (Cross-Platform)

Although LastPass is one of the best password manager, some people are not comfortable with a cloud-based password manager.

 
KeePass is a popular password manager application for Windows, but there are browser extensions and mobile apps for KeePass as well.

 
KeePass password manager for Windows stores your accounts’ passwords on your PC, so you remain in control of them, and also on Dropbox, so you can access it using multiple devices.

 
KeePass encrypts your passwords and login info using the most secure encryption algorithms currently known: AES 256-bit encryption by default, or optional, Twofish 256-bit encryption.

 
KeePass is not just free, but it is also open source, which means its code and integrity can be examined by anyone, adding a degree of confidence.

 
Download KeePass Password Manager: Windows and Linux | Mac | iOS | Android

3. Apple iCloud Keychain

Apple introduced the iCloud Keychain password management system as a convenient way to store and automatically sync all your login credentials, Wi-Fi passwords, and credit card numbers securely across your approved Apple devices, including Mac OS X, iPhone, and iPad.

 
Your Secret Data in Keychain is encrypted with 256-bit AES (Advanced Encryption Standard) and secured with elliptic curve asymmetric cryptography and key wrapping.

 
Also, iCloud Keychain generates new, unique and strong passwords for you to use to protect your computer and accounts.

 
Major limitation: Keychain doesn’t work with other browsers other than Apple Safari.

 
Also Read: How to Setup iCloud Keychain?

Best Password Manager for Linux

No doubt, some Linux distributions are the safest operating systems exist on the earth, but as I said above that adopting Linux doesn’t completely protect your online accounts from hackers.

 
There are a number of cross-platform password managers available that sync all your accounts’ passwords across all your devices, such as LastPass, KeePass, RoboForm password managers.

 
Here below I have listed two popular and secure open source password managers for Linux:

1. SpiderOak Encryptr Password Manager (Cross-Platform)

SpiderOak’s Encryptr Password Manager is a zero-knowledge cloud-based password manager that encrypts protect your passwords using Crypton JavaScript framework, developed by SpiderOak and recommended by Edward Snowden.

It is a cross-platform, open-Source and free password manager that uses end-to-end encryption and works perfectly for Ubuntu, Debian Linux Mint, and other Linux distributions.
Encryptr Password Manager application itself is very simple and comes with some basic features.

 
Encryptr software lets you encrypt three types of files: Passwords, Credit Card numbers and general any text/keys.

 
Download Encryptr Password Manager: Windows, Linux and Mac | iOS | Android

2. EnPass Password Manager (Cross-Platform)

Enpass is an excellent security oriented Linux password manager that works perfectly with other platforms too. Enpass offers you to backup and restores stored passwords with third-party cloud services, including Google Drive, Dropbox, OneDrive, or OwnCloud.

 
It makes sure to provide the high levels of security and protects your data by a master password and encrypted it with 256-bit AES using open-source encryption engine SQLCipher, before uploading backup onto the cloud.

“We do not host your Enpass data on our servers. So, no signup is required for us. Your data is only stored on your device,” EnPass says.

Additionally, by default, Enpass locks itself every minute when you leave your computer unattended and clears clipboard memory every 30 seconds to prevent your passwords from being stolen by any other malicious software.

 
Download EnPass Password Manager: Windows, Linux | Mac | iOS | Android

3. RoboForm Password Manager (Cross-Platform)

You can easily find good password managers for Windows OS, but RoboForm Free Password Manager software goes a step further.

 
Besides creating complex passwords and remembering them for you, RoboForm also offers a smart form filler feature to save your time while browsing the Web.

 
RoboForm encrypts your login info and accounts’ passwords using military grade AES encryption with the key that is obtained from your RoboForm Master Password.

 
RoboForm is available for browsers like Internet Explorer, Chrome, and Firefox as well as mobile platforms with apps available for iOS, Android, and Windows Phone.

 
Download RoboForm Password Manager: Windows and Mac | Linux | iOS | Android

Best Password Manager for Android

More than half of the world’s population today is using Android devices, so it becomes necessary for Android users to secure their online accounts from hackers who are always seeking access to these devices.

 
Some of the best Password Manager apps for Android include 1Password, Keeper, DashLane, EnPass, OneSafe, mSecure and SplashID Safe.

1. 1Password Password Manager (Cross-Platform)

1Password Password Manager app for Android is one of the best apps for managing all your accounts’ passwords.

1Password password manager app creates strong, unique and secure passwords for every account, remembers them all for you, and logs you in with just a single tap.

 
1Password password manager software secures your logins and passwords with AES-256 bit encryption, and syncs them to all of your devices via your Dropbox account or stores locally for any other application to sync if you choose.

Recently, the Android version of 1Password password manager app has added Fingerprint support for unlocking all of your passwords instead of using your master password.

 
Download 1Password Password Manager: Windows and Mac | iOS | Android

2. mSecure Password Manager (Cross-Platform)

Like other popular password manager solutions, mSecure Password Manager for Android automatically generates secure passwords for you and stores them using 256-bit Blowfish encryption.

 
The catchy and unique feature mSecure Password Manager software provides its ability to self-destruct database after 5, 10, or 20 failed attempts (as per your preference) to input the right password.

 
You can also sync all of your devices with Dropbox, or via a private Wi-Fi network. In either case, all your data is transmitted safely and securely between devices regardless of the security of your cloud account.

 
Download mSecure Password Manager software: Windows and Mac | iOS | Android

Best Password Manager for iOS

As I said, Apple’s iOS is also prone to cyber attacks, so you can use some of the best password manager apps for iOS to secure your online accounts, including Keeper, OneSafe, Enpass, mSecure, LastPass, RoboForm, SplashID Safe and LoginBox Pro.

1. OneSafe Password Manager (Cross-Platform)

OneSafe is one of the best Password Manager apps for iOS devices that lets you store not only your accounts’ passwords but also sensitive documents, credit card details, photos, and more.

 
OneSafe password manager app for iOS encrypts your data behind a master password, with AES-256 encryption — the highest level available on mobile — and Touch ID. There is also an option for additional passwords for given folders.

 
OneSafe password manager for iOS also offers an in-app browser that supports autofill of logins, so that you don’t need to enter your login details every time.

 
Besides this, OneSafe also provides advanced security for your accounts’ passwords with features like auto-lock, intrusion detection, self-destruct mode, decoy safe and double protection.

 
Download OneSafe Password Manager: iOS | Mac | Android | Windows

2. SplashID Safe Password Manager (Cross-Platform)

SplashID Safe is one of the oldest and best password manager tools for iOS that allows users to securely store their login data and other sensitive information in an encrypted record.

 
All your information, including website logins, credit card and social security data, photos and file attachments, are protected with 256-bit encryption.

 
SplashID Safe Password Manager app for iOS also provides web autofill option, meaning you will not have to bother copy-pasting your passwords in login.

 
The free version of SplashID Safe app comes with basic record storage functionality, though you can opt for premium subscriptions that provide cross-device syncing among other premium features.

 
Download SplashID Safe Password Manager: Windows and Mac | iOS | Android

3. LoginBox Pro Password Manager

LoginBox Pro is another great password manager app for iOS devices. The app provides a single tap login to any website you visit, making the password manager app as the safest and fastest way to sign in to password-protected internet sites.

LoginBox Password Manager app for iOS combines a password manager as well as a browser.

 
From the moment you download it, all your login actions, including entering information, tapping buttons, checking boxes, or answering security questions, automatically completes by the LoginBox Password Manager app.

 
For security, LoginBox Password Manager app uses hardware-accelerated AES encryption and passcode to encrypt your data and save it on your device itself.

 
Download LoginBox Password Manager: iOS | Android

Best Online Password Managers

Using an online password manager tool is the easiest way to keep your personal and private information safe and secure from hackers and people with malicious intents.

 
Here I have listed some of the best online password managers that you can rely on to keep yourself safe online:

1. Google Online Password Manager

Did you know Google has its homebrew dedicated password manager?

 
Google Chrome has a built-in password manager tool that offers you an option to save your password whenever you sign in to a website or web service using Chrome.

 
All of your stored accounts’ passwords are synced with your Google Account, making them available across all of your devices using the same Google Account.

 
Chrome password manager lets you manage all your accounts’ passwords from the Web.

 
So, if you prefer using a different browser, like Microsoft Edge on Windows 10 or Safari on iPhone, just visit passwords.google.com, and you’ll see a list of all your passwords you have saved with Chrome. Google’s two-factor authentication protects this list.

2. Clipperz Online Password Manager

Clipperz is a free, cross-platform best online password manager that does not require you to download any software. Clipperz online password manager uses a bookmarklet or sidebar to create and use direct logins.

Clipperz also offers an offline password manager version of its software that allows you to download your passwords to an encrypted disk or a USB drive so you can take them with you while traveling and access your accounts’ passwords when you are offline.

 
Some features of Clipperz online password manager also includes password strength indicator, application locking, SSL secure connection, one-time password and a password generator.

 
Clipperz online password manager can work on any computer that runs a browser with a JavaScript browser.

3. Passpack Online Password Manager

Passpack is an excellent online password manager with a competitive collection of features that creates, stores and manages passwords for your different online accounts.

 
PassPack online password manager also allows you to share your passwords safely with your family or coworkers for managing multiple projects, team members, clients, and employees easily.

 
Your usernames and passwords for different accounts are encrypted with AES-256 Encryption on PassPack’s servers that even hackers access to its server can not read your login information.

 
Download the PassPack online password manager toolbar to your web browser and navigate the web normally.

Whenever you log into any password-protected site, PassPack saves your login data so that you do not have to save your username and password manually on its site.

Best Enterprise Password Manager

Over the course of last 12 months, we’ve seen some of the biggest data breaches in the history of the Internet and year-over-year the growth is heating up.

 
According to statistics, a majority of employees even don’t know how to protect themselves online, which led company’s business at risk.

 
To keep password sharing mechanism secure in an organization, there exist some password management tools specially designed for enterprises use, such as Vaultier, CommonKey, Meldium, PassWork, and Zoho Vault.

1. Meldium Enterprise Password Manager Software

LogMeIn’s Meldium password management tool comes with a one-click single sign-on solution that helps businesses access to web apps securely and quickly.

It automatically logs users into apps and websites without typing usernames and passwords and also tracks password usage within your organization.

 
Meldium password manager is perfect for sharing accounts within your team member without sharing the actual password, which helps organizations to protect themselves from phishing attacks.

2. Zoho Vault Password Management Software

Zoho Vault is one of the best Password Manager for Enterprise users that helps your team share passwords and other sensitive information fast and securely while monitoring each user’s usage.

All your team members need to download is the Zoho browser extension. Zoho Vault password manager will automatically fill passwords from your team’s shared vault.

 
Zoho Vault also provides features that let you monitor your team’s password usage and security level so that you can know who is using which login.

 
The Zoho Vault enterprise-level package even alerts you whenever a password is changed or accessed.

For Extra Security, Use 2-Factor Authentication

No matter how strong your password is, there still remains a possibility for hackers to find some or the other way to hack into your account.

 
Two-factor authentication is designed to fight this issue. Instead of just one password, it requires you to enter the second passcode which is sent either to your mobile number via an SMS or to your email address via an email.

 
So, I recommend you to enable two-factor authentication now along with using a password manager software to secure your online accounts and sensitive information from hackers.

via:  thehackernews

Mirai Botnet is getting stronger and more notorious each day that passes by. The reason: Insecure Internet-of-things Devices.

Last month, the Mirai botnet knocked the entire Internet offline for a few hours, crippling some of the world’s biggest and most popular websites.

 
Now, more than 900,000 broadband routers belonging to Deutsche Telekom users in Germany knocked offline over the weekend following a supposed cyber-attack, affecting the telephony, television, and internet service in the country.

 
The German Internet Service Provider, Deutsche Telekom, which offers various services to around 20 Million customers, confirmed on Facebook that as many as 900,000 customers suffered internet outages on Sunday and Monday.

 
Millions of routers are said to have vulnerable to a critical Remote code Execution flaw in routers made by Zyxel and Speedport, wherein Internet port 7547 open to receive commands based on the TR-069 and related TR-064 protocols, which are meant to use by ISPs to manage your devices remotely.

The same vulnerability affects Eir D1000 wireless routers (rebranded Zyxel Modem) deployed by Irish internet service provider Eircom, while there are no signs that these routers are actively exploited.

 
According to Shodan search, around 41 Million devices leave port 7547 open, while about 5 Million expose TR-064 services to the outside world.

 
According to an advisory published by the SANS Internet Storm Center, honeypot servers posing as vulnerable routers are receiving exploit code every 5-10 minutes for each target IP.

 
An intercepted packet showed how a remote code execution flaw in the <NewNTPServer> part of a SOAP request was used to download and execute a file in order to infect the vulnerable device.

 
Security researchers at BadCyber also analyzed one of the malicious payloads that were delivered during the attacks and discovered that the attack originated from a known Mirai’s command-and-control server.

“The unusual application of TR-064 commands to execute code on routers has been described for the very first time at the beginning of November, and a few days later a relevant Metasploit module had appeared,” BadCyber wrote in a blog post. “It looks like someone decided to weaponize it and create an Internet worm based on Mirai code.”

It all started early October when a cyber criminal publicly released the source code of Mirai, a piece of nasty IoT malware designed to scan for insecure IoT devices – mostly routers, cameras, and DVRs – and enslaves them into a botnet network, which is then used to launch DDoS attacks.

 
The hacker created three separate exploit files in order to infect three different architectures: two running different types of MIPS chips and one with ARM silicon.

The malicious payloads open the remote administration interface and then attempt to log in using three different default passwords. After this is done, the exploit then closes port 7547 in order to prevent other attackers from taking control of the infected devices.

 
“Logins and passwords are obfuscated (or “encrypted”) in the worm code using the same algorithm as does Mirai,” the researchers say. “The C&C server resides under timeserver.host domain name, which can be found on the Mirai tracker list.”

 
More in-depth technical details about the vulnerability can be found on ISC Sans, Kaspersky Lab, and Reverse Engineering Blog.

Deutsche Telekom has issued an emergency patch for two models of its Speedport broadband routers – Speedport W 921V, Speedport W 723V Type B – and currently rolling out firmware updates.

 
The company recommends its customers to power down their routers, wait for 30 seconds and then restart their routers in an attempt to fetch the new firmware during the bootup process.

 
If the router fails to connect to the company’s network, users are advised to disconnect their device from the network permanently.

 
To compensate the downtime, the ISP is also offering free Internet access through mobile devices to the affected customers until the technical problem is resolved.

via:  thehackernews

Nothing is immune to being hacked when hackers are motivated.

 
The same proved by hackers on Friday, when more than 2,000 computer systems at San Francisco’s public transit agency were apparently got hacked.

 
San Francisco’s Municipal Transportation Agency, also known as MUNI, offered free rides on November 26th after MUNI station payment systems and schedule monitors got hacked by ransomware and station screens across the city started displaying a message that reads:

 
“You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681 ,Enter.“

 
According to the San Francisco Examiner, MUNI confirmed a Ransomware attack against the station fare systems, which caused them to shut down ticket kiosks and make rides free for weekend.

As you can see, the above message delivered by the malware followed by an email address and ID number, which can then be used to arrange ransom payments.

 
MUNI Spokesman Paul Rose said his agency was investigating the matter and “working to resolve the situation,” but did not provide details as of how MUNI got hacked.

 
“We are currently working to resolve the situation,” said Rose. “There is an ongoing investigation, and it wouldn’t be appropriate to provide additional details.”

Trains themselves were not affected by the malware attack, and the MUNI claimed that the payments were resumed on the morning of November 27th. The MUNI looks after trains, trams and buses around the city, including San Francisco’s iconic cable cars.

 
It is yet not clear exactly who was responsible for the attack (besides a pseudonym “Andy Saolis“), but according to local media reports, the agency’s computers were being held by ransomware until the MUNI paid the equivalent of more than $73,000 in Bitcoin.

Andy Saolis is a pseudonym commonly used in HDDCryptor ransom attacks, which uses commercial tools to encrypt hard drives and network shares on Windows machines using randomly generated keys and then overwrite the hard disks’ MBRs to prevent systems from booting up properly.

 
The target machine is typically infected by accidentally opening a malicious executable in an email or download, and then the malware spreads out across the network.

 
The email address, cryptom27@yandex.com, used by anonymous criminal points the city to a Russian email address to arrange payment and has been linked to other cyber attacks as well.

The Hacker Linked to a Previous Ransomware Starin

 
When reaching at the provided email, the hacker provided a statement in broken English, which read:

“We don’t attention to interview and propagate news! Our software working completely automatically and we don’t have targeted attack to anywhere! SFMTA network was Very Open and 2000 Server/PC infected by software! So we are waiting for contact any responsible person in SFMTA but I think they don’t want deal ! so we close this email tomorrow!”

The same email address, cryptom27@yandex.com, was linked to a ransomware strain called Mamba in September. The ransomware employs tactics similar to those demonstrated against the MUNI systems.

 
The hacker provided hoodline a list of systems the hacker claimed to have infected in Muni’s network, which came out to be 2,112 of the total 8,656 computer networks. The hacker also said that the MUNI had “one more day” to make a deal.

 
Not much about the hack is known; the extent of the hack and hacker’s identity remain a mystery for now, but the incident once again reminds us that how vulnerable our critical infrastructure remains.

via:  thehackernews

The popular cyber security and antivirus company Kaspersky has unveiled its new hack-proof operating system: Kaspersky OS.

 
The new operating system has been in development for last 14 years and has chosen to design from scratch rather than relying on Linux.

 
Kaspersky OS makes its debut on a Kraftway Layer 3 Switch, CEO Eugene Kaspersky says in his blog post, without revealing many details about its new operating system.

The Layer of 3-switch is the very first tool for running the Kaspersky OS, which is designed for networks with extreme requirements for data security and aimed at critical infrastructure and Internet of Things (IoT) devices.

What’s new in Kaspersky OS than others?

Kaspersky OS is based on Microkernel Architecture: The new secure OS is based on microkernel architecture that enables users to customize their own operating system accordingly.

 
So, depending on a user’s specific requirements, Kaspersky OS can be designed by using different modifications blocks of the operating system.

 
Kaspersky OS is non-Linux: Yes, one of the three major distinctive features of the new OS mentioned by Kaspersky is that the GUI-less operating system has been constructed from scratch and does not contain “even the slightest smell of Linux.”

“All the popular operating systems are not designed with security in mind, so it is simpler and safer to start from the ground up and do everything correctly. Which is just what we did,” says Kaspersky.

But what makes Kaspersky OS Hack-Proof?

It is the operating system’s inbuilt security system. Yes, Kaspersky OS inbuilt security system has the ability to control the behavior of applications and the OS modules.

Kaspersky OS claims itself as practically unhackable OS, because for gaining unauthorized access, any hacker would need to break the digital signature of an account holder, which is possible only with a quantum computer.

“In order to hack this platform a cyber-baddie would need to break the digital signature, which – anytime before the introduction of quantum computers – would be exorbitantly expensive,” says Kaspersky.

Kaspersky talked about the recent DDoS attacks that affected numerous websites in past few months. He guaranteed that Kaspersky OS would protect devices, such as industrial control systems, SCADA or ICS, and IoTs, from cyber attacks.

 
The most severe one was the recent massive DDoS attack on Dyn’s DNS servers, which knock down popular sites like Amazon and Twitter. The attack was carried out by Mirai botnets that had infected smart devices like security cameras.

So, Kaspersky says it is mandatory to protect the IoT and other critical infrastructure (like industry, transport, and telecoms) from IT threats.

“I also hope it’s clear that it’s better – no matter how difficult – to build IoT/infrastructure devices from the very beginning in such a way that hacking them is practically impossible. Indeed, that is a fundamental goal with Kaspersky OS,” he says.

via:  thehackernews

At the Splunk GovSummit in Washington D.C., The National Institute of Standards and Technology (NIST) unveiled its Systems Security Engineering guidelines (NIST SP 800-160) – A set of detailed guidelines to help security engineering and other engineering professionals better protect Internet-connected devices.

The NIST guidelines are the product of four years of research and development. They have been available in draft form since 2014, although the document has only just been finalized. The guidelines were initially scheduled to be released in December, although NIST took the decision to bring forward the release date and published the finished document a month early.

According to NIST, “the need for trustworthy secure systems has never been more important to the long-term economic and national security interests of the United States.”

Currently, Internet-connected devices are coming to market without adequate security controls. Only when hackers succeed in compromising those devices do the risks become abundantly clear.

Improving device security is a complex task that cannot simply involve bolting on additional protections as an afterthought. Security needs to be considered when developing products and must be factored in to all stages of the product lifecycle. That is a complex task, hence the need for detailed guidance.

As NIST explains, “Increasing the trustworthiness of systems is a significant undertaking that requires a substantial investment in the requirements, architecture, design, and development of systems, components, applications, and networks.”

The guidelines apply not only to systems, but also the components that make up those systems and the services which depend on those systems. The 242-page document details 30 separate processes covering the entire life cycle of products from the initial planning stages through to disposal along with the actions that must be taken to ensure more defensible and survivable systems are developed.

NIST used International Standards for systems and software engineering as a base, and built on those standards by including a range of systems security engineering methods, practices, and techniques. The new guidelines use a security engineering approach to prevent penetration and limit damage if systems are breached.

NIST fellow, Ron Ross Ross says, “The ultimate objective is to obtain trustworthy secure systems that are fully capable of supporting critical missions and business operations while protecting stakeholder assets, and to do so with a level of assurance that is consistent with the risk tolerance of those stakeholders.”

According to U.S. Chief Information Officer Tony Scott, who joined Ross at the Summit announcing the release of the guidelines, the document “will change the national dialogue from one of victims to one of a group of people who can do something about this.”

via:  hipaajournal

We are currently in the middle of a digital revolution which continues to grow with each passing day. Not surprisingly, we are generating and consuming information at an astounding rate, contributing to the information explosion and leaving behind an extensive information footprint in digital, physical and spoken formats. This trend is set to continue: global data volumes are forecast to reach 44 trillion gigabytes by 2020.

In today’s “Information Age”, data has become an extremely valuable asset. Nowadays, information is used to compete and succeed in a global market. In fact, intangible information assets can represent 80% or more of an organization’s total value. With that being said, organizations must prioritize the protection of their mission-critical information assets. These assets require clear ownership and heightened protection due to the risks to which they are exposed.

What Are Your Mission-Critical Information Assets?

For centuries, organizations have been acquiring, producing, leasing, licensing and selling assets. Accounted for in financial statements, these assets represent an organization’s wealth and financial stability. This makes them vulnerable to theft and fraud. As a priority organizations should focus on those assets that are of the highest value and risk – commonly referred to by business leaders as the “crown jewels”.

Assets such as property, plant and equipment are tangible whereas information is an intangible asset. There are two types of intangible assets:

• Legal – such as trade secrets, copyrights and customer lists
• Competitive – such as company culture, collaboration activities and customer relationships

Both types are essential drivers of competitive advantage and shareholder value today. It’s common to view the value or importance of information by using a simple classification chart (e.g., negligible, low, moderate and high); however, mission-critical information assets represent only the very tip of the highest layer. Information of high business value or impact could still register as “high” or “critical” but not necessarily be designated as mission-critical. Traditional risk assessment approaches would not identify this information separately, so mission-critical information assets typically require a different approach to identification.

At the Information Security Forum (ISF), we refer to information assets with a high value and business impact rating as “mission-critical information assets”. When identifying mission-critical information assets, organizations should take into account the extent to which:

• The information asset contributes to, or supports, business value (e.g., business revenue; competitive advantage; operational effectiveness; and legal, regulatory or contractual compliance)
• The business could be impacted in the event of the confidentiality, integrity or availability of the information asset being compromised, considering any financial, operational, legal/ regulatory compliance, reputational, or health and safety implications.

Valuable Information Brings Added Risk

Data breaches are happening with greater frequency, and are compromising larger volumes of data, than ever before. As breaches continue, and the number of compromised records grows, organizations are being subjected to stronger financial penalties, greater legislative and regulatory scrutiny, and tangible reputational damage. For organizations that suffer an incident, responding in an intelligent and confident manner is becoming essential.

Business leaders often consider the value of mission-critical information assets, but fail to recognize the extent to which these assets are exposed to threats and the potential business impact should they be compromised. These assets often attract the attention of highly motivated, capable and well-funded adversarial threats, such as unscrupulous competitors, nation states and organized criminal groups. The extensive footprint of these assets provides more opportunities for attackers to gain access.

Recent ISF research found that different types of mission-critical information assets will often require innovative, advanced and sometimes unique protection approaches, supported by a range of security controls. Unfortunately, many organizations simply do not know what their mission-critical information assets are, where these assets reside or who is responsible for them. Few organizations have given focused attention to defining their mission-critical information assets across the enterprise. As a result, these assets are frequently incorrectly classified and poorly managed.

The Global Impact of EU Data Protection Reform

I’d like to move now to take a look at what regulators and legislators are doing and I’m going to focus on the European Union (EU) General Data Protection Regulation (GDPR).

Most governments have created, or are currently in the process of creating, regulations that impose conditions on the protection and use of Personally Identifiable Information (PII), with penalties for organizations who fail to sufficiently protect it. As a result, businesses need to treat privacy as both a compliance and business risk issue, in order to reduce regulatory sanctions and commercial impacts such as reputational damage and consequential loss of customers due to privacy breaches.

Back in January 2012, a two-part data protection reform was proposed and this Regulation will officially go into effect in May of 2018. It will certainly have an international reach, affecting any organization that handles the personal data of EU residents. From a standpoint of doing business in Europe, EU reform means that anybody who is handling European data in any way, shape or form will know exactly what they need to do and what they can get away with.

The Regulation aims to establish the same data protection levels for all EU residents and clarify blurred lines of responsibility and will have a strong focus on how organizations handle personal data. Organizations face several challenges in preparing for the reform, including a lack of awareness among major internal stakeholders. The benefits of the Regulation will create numerous compliance requirements, from which few organizations will completely escape. However, organizations will benefit from the EU-wide consistency introduced by the reform and will avoid having to navigate the current array of often-contradictory national data protection laws. There will also be international benefits as countries in other regions are devoting more attention to the protection of mission-critical assets. The Regulation has the potential to serve as a robust, scalable and exportable regime that could become a global benchmark.

Because of the effort required to report data breaches, it is absolutely essential that organizations prepare in advance. For many, this will require a more coherent incident response process along with closer cooperation between multiple departments, in particular legal. This coherence is essential, as Data Protection Authority’s (DPAs) will want to see a transparent rationale for remediation actions taken in response to a data breach.  ISF members have the benefit of an information security incident management framework that helps members build and improve their incident response capability and members should be well placed to deal with the implementation of the regulation.

The cost of non-compliance will increase, not only from new sanctions and fines but also from the court of public opinion. Reporting requirements will steadily push more data breaches into public view, creating reputational risks that many organizations have thus far avoided. Organizations that establish themselves as trusted data protectors will benefit commercially.

With reform on the horizon, organizations planning to do business in Europe, or those already doing business in Europe, must get an immediate handle on what data they are collecting on European individuals. They should also know where is it coming from, what is it being used for, where and how is it being stored, who is responsible for it and who has access to it.

Move Beyond Conventional Protection

Mission-critical information assets demand and justify additional investment to ensure these assets are adequately protected. However, greater protection does not just mean performing additional security activities or purchasing more security products. To protect mission-critical information assets, including the footprint, a range of different protection approaches are likely to be needed for different types of mission-critical information asset. Information security practitioners have to think and plan beyond existing protection capabilities and security controls to provide owners of these information assets with protection that is:

• Balanced, providing a mixture of informative, preventative and detective security controls that complement each other
• Comprehensive, providing protection before, during and after threat events materialize into security incidents
• End-to-end, covering the complete information life cycle.

This will enable organizations to match the protection provided with the sophistication of threats to mission-critical information assets. Organizations should also consider controls that are:

• Automated, to complement manual security controls and help ensure greater levels of protection can be maintained
• Fast, operating in real time, supporting decisions that need to be made immediately
• Resilient, being resistant to direct attack by highly capable and committed threats.

While the need to provide mission-critical information assets with specialized protection can appear obvious, organizations often experience difficulties in identifying these assets, evaluating the extent of their exposure to adversarial threats and understanding the true level of risk to the organization. Consequently, many organizations do not adequately protect their mission-critical information assets and are vulnerable to a range of attacks, including serious cyber-attacks.

In contrast, ISF research has revealed that some organizations demonstrated “good practice”, providing the necessary high levels of protection for mission-critical information assets. These ISF members invest time and resources in a range of security activities, which form part of a broader set of good practices in information risk management and information security.

Cyber Resilience is Crucial

Every organization must assume they will eventually incur severe impacts from unpredictable cyber threats. Planning for resilient incident response in the aftermath of a breach is imperative. Traditional risk management is insufficient. It’s important to learn from the cautionary tales of past breaches, not only to build better defenses, but also better responses. Business, government, and personal security are now so interconnected, resilience is important to withstanding direct attacks as well as the ripple effects that pass through interdependent systems.

I urge organizations to establish a crisis management plan that includes the formation of a Cyber Resilience Team. This team, made up of experienced security professionals, should be charged with thoroughly investigating each incident and ensuring that all relevant players communicate effectively. This is the only way a comprehensive and collaborative recovery plan can be implemented in a timely fashion.

Today’s most successful, and cyber-resilient organizations, are appointing a coordinator, such as a Director of Cyber Security or a Chief Digital Officer (CDO), to oversee all activities in cyberspace and to apprise the board of its responsibilities for operating in cyberspace. This coordinator also highlights the board’s obligations to establish cyber resilience programs that protect the organization’s mission-critical assets and preserve shareholder value. Such efforts are especially important due to all of the legal facets of doing business in cyberspace.

Take it to the Board

Finally, information risk must be elevated to a board-level issue and given the same attention afforded to other risk management practices. Organizations face a daunting array of challenges interconnected with cybersecurity: the insatiable appetite for speed and agility, the growing dependence on complex supply chains, and the rapid emergence of new technologies. Cyber security chiefs must drive collaboration across the entire enterprise, bringing business and marketing needs into alignment with IT strategy. IT must transform the security conversation so it will resonate with leading decision-makers while also supporting the organization’s business objectives.

Given the rapid pace of business and technology, and the myriad elements beyond the C-suite’s control, traditional risk management simply isn’t agile enough to deal with the perils of cyberspace activity. Enterprise risk management must build on a foundation of preparedness to create risk resilience by evaluating threat vectors from a position of business acceptability and risk profiling. Leading the enterprise to a position of readiness, resilience and responsiveness is the surest way to secure mission-critical assets and protect people.

Successful cyber security programs require careful planning and sustained effort throughout the enterprise, with executives leading the charge. Organizations that sow and fertilize a deeply rooted culture of security are most likely to be resilient and competitive in the face of ongoing threats and challenges. As the players, targets, and stakes shift in response to geopolitical and financial forces, leadership must remain vigilant—keeping up on trends and emerging threats, drawing lessons from incidents at other companies, reassessing plans and priorities, and collaborating closely with security experts.

via:  infosecisland

Have you considered the possibility that someone could be watching you through your webcam? Or Listening to all your conversations through your laptop’s microphone?

 
Even a bit of thought about this probability could make you feel incredibly creepy.

 
But most people think that they have a solution to these major issues i.e. simply covering their laptop’s webcam and microphone with tape, just like Facebook CEO Mark Zuckerberg and FBI Director James Comey.

 
But it’s 2016, and a piece of tape won’t help you, as a new experiment has proved that how easily hackers can turn your headphones into a microphone to spy on all your conversations in the background without your knowledge.

A group of Israeli security researchers at Ben Gurion University have created a proof-of-concept code (malware) that converts typical headphones into microphones and then use them to record all your conversations in the room just like a fully-featured spying device.

Speake(a)r Malware Weaponizes Headphones and Speakers

Using headphones as microphones is a decade-old technique. There are many videos available on YouTube, which show that earbuds can function as microphones in a pinch.

But what the researchers managed to do is switching an output channel of the audio card on your laptop — running either Windows or Mac OS — to an input signal and then recording the sound without any dedicated microphone channel from as far as 20 feet away.

Dubbed “Speake(a)r,” the malicious code (malware) is disturbingly able to hijack a computer to record audio even when its microphone is disabled or completely disconnected from the computer.

“People don’t think about this privacy vulnerability,” says lead researcher Mordechai Guri told Wired. “Even if you remove your computer’s microphone, if you use headphones you can be recorded.”

Speake(a)r actually utilizes the existing headphones to capture vibrations in the air, converts them to electromagnetic signals, alters the internal functions of audio jacks, and then flips input jacks (used by microphones) to output jacks (used for speakers and headphones).

This allows a hacker to record audio, though at a lower quality, from computers with disabled or no microphone or from computers of a paranoid user, who has intentionally removed any existing audio components.

But What made this Hack Possible?

Thanks to a little-known feature of Realtek audio codec chips that actually “retask” the computer’s output channel as an input channel silently.

This makes it possible for the researchers’ malware to record audio even when the earbuds is connected into an output-only jack and do not even have a microphone channel on their plug.
What’s even worse? Since RealTek chips are being used on the majority of systems these days, the Speake(a)r attack works on practically any computer, running Windows or MacOS, and most laptops, as well, leaving most computers vulnerable to such attacks.

“This is the real vulnerability,” said Guri. “It’s what makes almost every computer today vulnerable to this type of attack.”

The feature of RealTek audio codec chips is truly dangerous, as it can not be easily fixed. The only way to deal with this issue is to redesign and replace the chip in current as well as future computers, which is impractical.

 
Security researchers also published a YouTube video which shows the Speake(a)r eavesdropping attack in work.

For more detailed and technical explanation of the Speake(a)r attack, you can head on to the research paper [PDF] titled “Speake(a)r: Turn Speakers to Microphones for Fun and Profit.”

via:  thehackernews

In today’s complex world of cybersecurity threats that are ever-changing and ever-evolving, it’s nearly impossible to say you’re 100 percent compliant with all standards at all times — FedRAMP, PCI DSS, SOX-2, HIPAA, etc. With enterprises quickly migrating to the cloud and data storage volumes growing exponentially, it becomes even harder to confidently say you’ve checked the box on compliance these days. It’s up to organizations to measure and demonstrate compliance in their systems and many organizations struggle to do so in the new cloud paradigm.

In addition, most organizations think that passing an annual audit or assessment means they are “in the clear” and don’t have to worry about maintaining their compliance, once they’ve gotten the green light. However, according to Verizon, 80 percent of those that passed their annual PCI assessment drifted out of compliance shortly thereafter. The scale of recent data breaches makes it clear that many organizations’ security measures aren’t slowing attackers down, and continuous compliance and ongoing risk management is needed to protect vulnerable systems and networks from future attacks. Simply putting security controls and standards in place aren’t enough. Compliance needs to be sustained by companies who wish to be prepared for the evolving security breach landscape.

Today’s compliance frameworks are offering more recommendations around a “continuous compliance” process to manage risk. They know that it’s impossible to guarantee compliance at any given point in time, so their best effort is to use continuous monitoring. Continuous monitoring is the only path to continuous compliance and simply put, managing this risk manually isn’t effective or efficient. Adopting a modern cloud infrastructure with automated security and compliance is necessary to protect the large entry point of attack that the cloud creates. Despite the fact that manual interrogation of the cloud is slow and arduous, many organizations also want to increase the frequency of their audits to ensure and demonstrate they are doing their best to remain secure.

Some of the main benefits of continuous compliance in today’s automated cloud security frameworks include:

1. Real-time compliance and faster remediation – Near real-time situational awareness is achieved by monitoring infrastructure continuously and identifying critical risks as they are introduced. Compliance from the start means monitoring security throughout the entire development lifecycle and avoids expensive changes late in the cycle. 
2. Ease of use and simpler, faster reporting –  One-button compliance reports document how compliance policies are followed and allows teams to create auto-remediation rules or follow guided remediation steps to resolve issues. User attribution features identify who, when, how and where risks were introduced into the environment. There is no more spending weeks of interrogating systems to manually aggregate a compliance report, which would be out of date by the time you finish. With one click, you can run a report and then export it in the form needed for auditors, saving time and money. Anyone from the team can produce reports without needing specialized knowledge. In fact, providing the auditors read-only access to self-service compliance reports creates a whole new layer of abstraction to protect your operational teams from disruption.
3. Complete visibility into the cloud ecosystem – These platforms monitor, test and report on all cloud services and provide an actionable view into all testable compliance checks. Stakeholders have an easy way to view, monitor and report on the security and compliance of their entire cloud ecosystem.
4. Faster remediation – Because monitoring, assessment and remediation of the cloud infrastructure risk are all managed from a single platform in real-time, risks are detected and remediated quickly. No longer are development teams thrown off track when they have to stop projects to address a year’s worth of compliance debt when audit time comes around.

Organizations need to shift their thinking around point-in-time compliance versus continuous compliance. With today’s dynamic computing environment, where there is no network perimeter, automated and continuous compliance is needed to ensure infrastructure is safe at all times. Today’s cloud security frameworks are equipped with complete, real-time compliance assessments for an organization’s entire cloud infrastructure. Reports can be generated in real time, and audits can be completed more frequently. Organizations who adopt modern security and compliance platforms can benefit from financial efficiencies and timeliness, so they can focus attention on other high-value projects.

via:  infosecisland

A massive Distributed Denial of Service attack shut down a portion of the internet recently. Experts say it is unlikely a similar attack could take down the grid or other critical infrastructure but acknowledge that security remains weak in the industry.

The massive Distributed Denial of Service (DDoS) attack last month on Dyn, the New Hampshire-based Domain Name System (DNS) provider, was mostly an inconvenience.

While it took down a portion of the internet for several hours, disrupted dozens of major websites and made national news, nobody died. Nobody even got hurt, other than financially.

But the attack, enabled by a botnet of millions of Internet of Things (IoT) devices, inevitably led to speculation on what damage a DDoS of that scale or worse could do to even a portion of the nation’s critical infrastructure (CI).

Clearly it could go well beyond inconvenient. Businesses, households, emergency services, the financial industry and yes, the internet, can’t function without electricity.

That has already been demonstrated on a relatively small scale. Earlier this month, a DDoS attack took down heating distribution in two properties in Lappeenranta, a city in eastern Finland.

The disruption was only temporary, but as local media noted, with below-freezing temperatures, “a long-term disruption in heat will cause both material damage as well as the need to relocate residents elsewhere.”

Also, in a recent paper titled “IoT Goes Nuclear: Creating a ZigBee Chain Reaction,” researchers reported that they were able to demonstrate, using Phillips Hue smart light bulbs, “a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction …”

Using the bulbs’ ZigBee wireless connectivity, the researchers said the attack, “can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDoS attack.”

If that kind of attack could also be used to take down heat, water, sewer, traffic control and other basic services for any length of time, the risks of chaos and physical harm grow rapidly.

As author, blogger security guru and Resilient Systems CTO Bruce Schneier put it in a recent post, “security flaws in these things could mean people dying and property being destroyed.”

But could a DDoS attack really cause a long-term disruption of Industrial Control Systems (ICS), which operate or monitor much of the nation’s CI?

Experts have mixed views on the topic. Some say the nation’s ICSs are distinct enough from the consumer IoT that they would not be as vulnerable to a DDoS, while others say those systems are indeed connected enough to be a component of the IoT.

DDoS attacks are nothing new – they have been around for decades and are not considered sophisticated. They work by overloading websites and other internet-connected systems with junk traffic that prevents legitimate traffic from getting through, and can also cause the sites to crash.

What made the Dyn attack relatively unprecedented was its use of millions of “zombie” IoT devices like “smart” cameras, digital video recorders etc. instead of computers. The scale of the attack, at 1.2Tbps was unheard of as recently as a year ago. Now it is the norm, and is expected to increase rapidly.

Meanwhile, the nation’s CI remains notoriously insecure. Earlier this year, the FBI and Department of Homeland Security (DHS) launched a national campaign to warn US utilities and the public about the danger from cyber attacks like the one last December that took down part of Ukraine’s power grid.

This past September, at the Security of Things Forum in Cambridge, Mass., a panel of security experts agreed that attackers, likely from hostile nation states, are probably already inside the nation’s ICS.

Paul Dant, chief strategist and managing principal at Independent Security Evaluators, said at that discussion that more attacks are inevitable. “To think that stuff is not vulnerable is a complete fallacy,” he said.

Still, some in the industry say a DDoS is not a direct threat to major CI, because ICSs are not a part of the IoT in the way consumer devices are. Ben Miller, director of the Threat Operations Center at Dragos, said while, “at face value (ICSs) may seem similar” to IoT devices, “an industrial controller with input from a thermostat has a vastly different technology stack, use case, evolution, and capability than the Nest (consumer) thermostat on a wall.

“Industrial control system processes generally do not rely on Internet-based services,” he said.

Matt Devost, managing director at Accenture and CEO of FusionX, sees it much the same way. “The DDoS attack is most effective against targets that are inherently dependent on internet communications and the ICS/SCADA (Supervisory Control and Data Acquisition) environment is just not engineered to operate with that sort of dependency,” he said.

According to Gabe Gumbs, vice president of product strategy at Spirion, “the IoT should be strictly defined as consumer-connected devices. Much of critical infrastructure is connected, but it is not consumer-grade technology. Organizations that own things like SCADA systems are invested in securing them, in stark contrast to the consumer end of the spectrum.”

And Robert M. Lee, CEO of Dragos, said while there are still ICS assets on the internet – “too many, to be honest” – a lot of them are not. “These devices are instead forming a network of data and end points that is new and comprehensive in these locations. A DDoS styled attack would not be able to significantly disrupt critical infrastructure sites in the ICS community,” he said.

But Yoni Shohet, cofounder and CEO of SCADAfence said ICSs are, “definitely part of the IoT, since the industry is transforming from physical systems to cyber physical systems. The connectivity between industrial environments and external networks has increased in the past few years. These environments are exposed more than ever to external attacks.”

Stewart Kantor, CEO of Full Spectrum, has seen the same thing. “Since we’re seeing critical infrastructure initiating automation efforts through IP-based communications over public cellular data networks to smart devices, it’s becoming part of the broader IoT that incorporates consumer and mission-critical technologies alike,” he said.

But he doesn’t entirely disagree with those who say ICS is not part of the IoT, since some utilities have detached from the public internet through the creation of, “their own separate and private IoT using software-defined radio technology over a private network that is owned and operated exclusively by the utility.”

Kantor added that there are a number of US utility companies, along with industry research and trade associations that include the Electric Power Research Institute and the Utilities Technology Council, “that are supporting an amendment to an existing wireless communications standard to address reliability, coverage and security concerns of critical infrastructure networks or what they refer to as Field Area Networks (FANs).”

Lee also said he has seen an encouraging focus on security. “I’ve seen some critical infrastructure companies, such as in energy, that are extremely well prepared and could have detected targeted threats that have attempted to breach their organizations.

“As a community we need to ensure that this isn’t the 5 percent of the community and is more widespread. But there are great successes,” he said.

Miller said there are “serious efforts” being made to improve ICS security. “In 2014 the US Department of Energy issued guidance for energy delivery systems and US ICS-CERT issued similar guidance for ICS procurement way back in 2009.”

But he acknowledged that vendors of ICS equipment are selling in a global market, where security pressures are not as great as in the US. And, as has been widely reported, large generators and other ICS equipment can cost well into six figures, cannot be easily retrofitted with security and are meant to last for 25 years or more.

The reality is that the ICS industry has a long way to go,” he said.

Gumbs agreed. “Security hasn’t always been viewed as a priority,” he said. “They don’t have the skills needed to keep up with attackers. They don’t have ability to hire or retain talent.

“It isn’t trivial to detect a sophisticated attack and it requires a large amount of people, skill and technologies in place to properly defend against them. Because the industry is just now prioritizing security, it will take some time before they can provide a formidable defense against sophisticated cyberattacks.”

Of course, a DDoS is not considered a sophisticated attack. It could still cause some significant disruption – Devost noted that, “if millions of IoT thermostats in homes and smart grid devices in commercial buildings are compromised and ask for maximum AC on a day in which there is excess demand in the grid, what would the impact be?”

But Gumbs said he thinks CI in the US is resilient enough to respond to such an attack without catastrophic disruption.

“A cyberattack on the scale that we’re talking about could be compared to a natural disaster, maybe,” he said, “and we’ve shown that we are fairly resilient when facing hurricanes, floods, earthquakes and more.”

He said a crash of the financial system would be worse. “This would undermine the trust we have in walking to an ATM and withdrawing cash, even paying for provisions if we were in an actual disaster.”

Kantor said he believes most utilities take security seriously. But he acknowledged that, “given the size and scope of the electric utility industry – there are more than 3,300 electric utilities in the contiguous US distributed over three million square miles – there are many areas of vulnerability, both physical and remotely.

“Infiltrating the critical communications infrastructure is the easiest and most anonymous way to cause major disruption. We’re now facing a world where hackers are getting smarter and hacker communities exist where knowledge and advancements in DDoS code is shared.”

So, lowering the threat of a DDoS against utilities or other CI may require an improvement in IoT security. And some experts say the market won’t do it – that it will take a push from government.

Schneier, in his recent post, said there is, “a market failure at work” when it comes to IoT security, because neither the sellers nor the buyers of devices really care about it.

“It’s a form of invisible pollution,” he wrote, “and, like pollution, the only solution is to regulate,” with things like minimum security standards and/or making it easier to sue manufacturers if their products are used in DDoS attacks.

“The details would need to be carefully scoped, but either of these options would raise the cost of insecurity and give companies incentives to spend money making their devices secure,” he wrote.

That may be under way soon. U.S. reps. Frank Pallone Jr. (D-NJ) and Jan Schakowsky (D-IL) wrote a letter dated Nov. 3 to Federal Trade Commission Chairwoman Edith Ramirez “urging” the agency to, “use all the tools at its disposal to ensure that manufacturers of IoT devices implement strong security measures to best protect consumers from cyberattacks.”

via:  csoonline

In the fight against encryption, Apple has positioned itself as a staunch defender of its user privacy by refusing the federal officials to provide encryption backdoors into its products, as well as implementing better encryption for its products.

 
However, a new report from a security firm suggests Apple’s online syncing service iCloud secretly stores logs of its users’ private information for as long as four months — even when iCloud backup is switched off.

 
Russian digital forensics firm Elcomsoft discovered that Apple’s mobile devices automatically send its users’ call history to the company’s servers if iCloud is enabled, and stored that data for up to four months.

 
And it turns out that there is no way for iCloud users to stop this phone call syncing service unless they completely disable the cloud synchronization feature.

Elcomsoft, which sells software to extract data from Apple’s iCloud backups and works with police and intelligence agencies, says the company should tell its customers exactly what personal data it is backing up—and should give users an easy option to turn it off.

Why does this Matter?

If you own an iPhone or iPad, your device automatically collects and transmits private information — including call history, phone numbers, dates, the length of calls, missed calls, FaceTime calls — to iCloud if it is enabled.

 
Not just this, your iPhone also send information collected from other third-party applications that use VoIP service, including WhatsApp, Skype, Viber, and Facebook Messenger.

“We discovered that yet another piece of data is stored in the cloud for no apparent reason,” Elcomsoft’s Oleg Afonin writes. “Using an iPhone and have an active iCloud account? Your calls will sync with iCloud whether you want it or not.”

Apple stores this information for as long as 4 months, and while the company encrypts everything, Privacy buffs note that Apple could become an easy target for law enforcement seeking access to user data.

The security firm also raised doubts over possible government surveillance that could be performed.

What’s more? Elcomsoft says that the logs are uploaded from any iPhone which has iCloud Drive enabled and that this effectively allows spying on you “without you even knowing.”

“Syncing call logs happens almost in real time, though sometimes only in a few hours,” says Elcomsoft CEO Vladimir Katalov. “But all you need to have is just iCloud Drive enabled, and there is no way to turn that syncing off, apart from just disabling iCloud Drive completely. In that case, many applications will stop working or lose iCloud-related features completely.”

Apple: No Need to Worry

However, Apple says there is no reason to worry.

 
Yes, the company says there is nothing wrong with its feature, as it is simply part of its iCloud service that allows its users to access their calls from any of their devices that use an Apple ID.

 
Moreover, Apple guarantees that all of its customers’ data is encrypted and two-factor authentication provides an extra layer of security for blocking any hacking attempts from hackers or law enforcement.

 
Here’s what the company said in the statement:

“We offer call history syncing as a convenience to our customers so that they can return calls from any of their devices. Apple is deeply committed to safeguarding our customers’ data. That is why we give our customers the ability to keep their data private. Device data is encrypted with a user’s passcode, and access to iCloud data including backups requires the user’s Apple ID and password. Apple recommends all customers select strong passwords and use two-factor authentication.”

So, as long as you keep your Apple ID to yourself and use a strong password, you do not need to freak out over this report of your call logs being “secretly” sent to Apple.

Disable iCloud Drive to Prevent Apple from Logging Your calls

The solution? At the time, the only way to prevent Apple from logging your call history is to simply disable iCloud Drive altogether.

 
Besides this, you can also manually delete every call entry from your iPhone or iPad, and this will automatically remove the data from iCloud on the next backup.

 
Apple is not the only company that syncs its users’ call logs to the cloud. Android smartphones also sync its users’ call logs to the cloud as part of backups. Windows 10 mobile devices also sync call logs by default with other Windows 10 devices that use the same Microsoft account.

via:  thehackernews