Monthly Archives: January 2016

Oracle is planning to kill an attacker’s favorite: the Java browser plug-in

The browser plug-in will be retired in Java 9, but older versions will likely linger on for years.

Oracle will retire the Java browser plug-in, frequently the target of Web-based exploits, about a year from now. Remnants, however, will likely linger long after that.

“Oracle plans to deprecate the Java browser plugin in JDK 9,” the Java Platform Group said in a blog post. “This technology will be removed from the Oracle JDK and JRE in a future Java SE release.”

The Java Development Kit (JDK) 9, the reference implementation for the next version of Java SE, is expected to reach general availability in March 2017. By then, however, most modern browsers will no longer accept the Java browser plug-in anyway.

Mozilla announced in October that it plans to remove support for plug-ins in Firefox by the end of 2016. Chrome disabled support in September for plug-ins that, like Java and Silverlight, use the old Netscape Plugin Application Programming Interface (NPAPI) standard. Microsoft’s Edge browser doesn’t support plug-ins either.

With Internet Explorer and Safari the only browsers set to still accept traditional NPAPI plug-ins after 2016, Oracle is pretty much forced into this decision, even though Chrome does support a new plug-in technology called PPAPI (Pepper Plug-in API).

“Oracle does not plan to provide additional browser-specific plugins as such plugins would require application developers to write browser-specific applets for each browser they wish to support,” the company said in a white paper that outlines migration options for developers. “Moreover, without a cross-browser API, Oracle would only be able to offer a subset of the required functionality, different from one browser to the next, impacting both application developers and users.”

The main alternative proposed by the company is to switch from Java Applets to Java Web Start applications. This type of application can be launched from the Web without the need for a browser plug-in.

From a security perspective though, Java Web Start applications can be used as an attack vector for exploiting vulnerabilities in the Java runtime, just like Applets.

Even after the Java plug-in is retired, it’s likely that many computers will continue to have it installed for years to come. This is especially true in business environments where custom built Web-based Java applications are common and cannot be easily replaced or rewritten.

Even now, for application compatibility reasons, there’s a large number of computers in business environments that continue to use Java 6 or Java 7, versions that no longer receive public security updates.

Via: csoonline

Identity theft victim? This site helps you reclaim your life

A revamped government website will offer consumers personalized, step-by-step guidance to reclaim their identities and untangle compromised accounts.

The Federal Trade Commission unveiled a revamped online hub where victims of identity theft can file complaints and receive a personalized recovery plan to regain control of their personal and financial information and accounts.

At IdentityTheft.gov, consumers can navigate through a series of questions about how their information was compromised (e.g. data breach, lost wallet, etc.) that will then produce a list of steps to take to mitigate the damage from the identity theft.

“The idea is that at a single location, a single site, consumers will be able to not only register a complaint with us at the FTC but then also to understand and see what steps they need to take in order to start the process of recovering their identity,” FTC Chairwoman Edith Ramirez explained on a conference call with reporters.

The site, which also offers a feature to chat with FTC staffers, follows an executive order President Obama issued in the fall of 2014 calling on government agencies to take steps to shore up the financial transactions they process in an effort to safeguard citizens’ personal information.

Combatting identity theft, which has been on a dramatic rise, has become a major priority at the FTC, according to Ramirez. The Justice Department reported 17.6 million cases of identity theft in 2014. Last year, the FTC received more than 490,000 complaints about stolen identities, up 47 percent from 2014 and only a tiny fraction of the actual number of cases that occurred owing to widespread underreporting.

“These numbers are striking in and of themselves, but beyond the numbers identity theft can be a difficult and challenging personal experience,” Ramirez says, noting that it can often take several months or even years to recover from identity theft.

She attributes much of the rise to the free flow of data around the Internet, with entire companies and business models built around harvesting consumer information. Add to that condition the steady march of data breaches, when a single hack or stolen laptop can put the identities of tens of millions of consumers at risk.

“We’re all going more online we’re all using mobile technology, so I think the more that consumer data just becomes the currency in today’s world I think it’s going to expose people and people’s information to breaches and expose them to potential for identity theft,” Ramirez says. “I do think that data security is one of the biggest challenges that we face as a society as data and the ubiquity of data transfer becomes even more commonplace.”

Tax ID theft scams on the rise

Ramirez says that the largest and fastest-growing single type of identity theft involves tax scams, noting that the FTC has designated this week Tax Identity Theft Awareness Week. Consumers commonly learn about those scams when they go to file their taxes and are informed by the IRS that a return has already been submitted in their name, she says.

The FTC, which routinely urges companies to be mindful of consumers’ data, to minimize data collection and secure the information that they do gather, says it is incorporating those approaches in its new website. Ramirez says that the site was built from the start with security in mind, and the commission will not ask users reporting an identity theft incident to provide sensitive information such as a Social Security or driver’s license number.

The site does provide prefilled forms and draft letters that victims of identity theft can file with relevant law enforcement companies, credit bureaus, debt collectors and other firms they need to contact to untangle their accounts.

Eventually, the commission is hoping to achieve a direct interface with the credit bureaus to further streamline the process of reporting identity theft and minimizing the damage. As the site stands at launch, Ramirez pledges that it will dramatically simplify the response to a stolen identity by providing victims with the itemized list of the steps they need to take after an incident and sharing information with the commission’s law-enforcement partners.

Via: csoonline

Using the NIST Cybersecurity Framework to Combat Ransomware Attempts

We left 2015 talking about exponential increases in ransomware attempts on a quarter over quarter basis. No surprise that we begin 2016 talking ransomware and its many variants, as this threat vector has been a financial bonanza for cyber criminals and cyber attackers having extorted tens of millions of dollars over the past 18 months from victims.

Though originally founded upon a version of ransomware called CyptoLocker 3.0, other variants have surfaced and have been nearly as successful – a spin-off called CryptoWall generated over $300 million for one criminal gang.

What is ransomware? In general, it is a scam by which a very clever attacker sends you a very crafty socially engineered spearphishing email (with information gained from your social media accounts) that when the attachment is opened scrambles your computer files until you pay the attacker a “ransom,” which is very likely a relatively small amount of untraceable bitcoin.

It is somewhat ironic that not unlike various known computer operating systems, ransomware has now become available in different versions. CyptoLocker 3.0 has now given way to CryptoLocker 4.0, which has “added features.” “Ransomware as a Service” is also available on the DarkWeb for Sale, as are ransomware “joint ventures” for a price. Ugh!

Now I am not the best technical savvy cyber person in the universe, and I don’t have the secret decryption key to help those affected/infected by ransomware in every case. I am a cyber corporate governance person trying to help large and small corporations, private equity, and hedge funds deal with an increasing complex cyber threat and cyber regulatory environment.

Rather, I try and use common sense processes and procedures to help provide our clients with information about current threat actors and threat vectors, so that they (1) can stay safe, and (2) if they have a cyber problem be able to deal with it proactively to protect their businesses, clients and customers.

One of the solutions to the ongoing problem of ransomware is using the NIST cybersecurity framework proactively. What do I mean by that?

The NIST Cybersecurity Framework (“the Framework”) came out in February 2014 as a common sense method for allowing critical infrastructure to proactively assess their current cybersecurity posture and through continuous monitoring improve their posture accordingly.

The Framework’s elegant simplicity is what makes it such a great defense against ransomware. Three of its core elements are right on point:

1. IDENTIFY YOUR MOST CRITICAL ASSETS, WHERE THEY RESIDE, AND HOW YOU VALUE THEM

Do you know how many organizations don’t know where all their stuff is? When I mean “stuff,” I mean critical, super important stuff, like customer information, critical intellectual property, investment-related information, merger and acquisition-related information, critical manufacturing plans, and other personally identifiable or miscellaneous information (e.g. maybe data regarding their core sales drivers).

Once that task is complete, companies then need to map that data to a location, i.e. is it stored locally in the network server room, or is it in a cloud environment? You have to start somewhere with information management governance. Finding out where your stuff is a good start.

2. PROTECT WHICH MATTERS MOST

Ok then, your business is that of a regulated investment advisor. Your business sells the most delicious French toast ever made (using a recipe thought up by your wife), and it’s made and distributed through a plant in New Jersey that is run by both your IT network and by various industrial control devices or SCADA systems contained throughout your factory. The factory is your lifeblood.

If it isn’t running, you can’t make the French toast, and trucks can’t deliver it to food stores around the NY tristate area. And if it can’t get to food stores, your business is toast. So clearly you have three separate sources of critical information (“your crown jewels”) that need protecting – your basic IT network, your industrial control systems in your plant, and your client lists of the various food stores where you sell your French toast.

How are you protecting this data? Really think about the question in detail:

  • Do you have next generation firewalls to catch bad code before it enters your network and ICS devices and encrypts your files?
  • Do you patch your AV software as required to stay fully up to date on variants of ransomware? How quickly to patch “critical updates?” ASAP or whenever?
  • Do you conduct quarterly anti-spearphishing training for your employees so they don’t feel compelled to “click on every link”?
  • Do you have a DMARC or other email hardware/filter that will catch or sandbox suspicious socially-engineered or spoofed email before it encrypts your files?
  • Have you recently tested or “red-teamed” your ICS or SCADA systems to see if they can be (1) hacked, or (2) need to be patched, or (3) are otherwise subject to encryption coded commands that will shut your factory down

3. TEST YOUR RECOVERY AND BACK-UP SYSTEMS CONSTANTLY – AND SEGMENT YOUR BACK UP FROM YOUR NETWORK

So your employee clicks on a link from the King of Arabia looking for his King’s Ransom, and your business gets “ransomwared” instead. The Recovery element of the NIST recommends the following: have processes and procedures in place to have your files backed up on a regular basis, stored off-site, tested periodically, and ready to employ on little to no notice if your files get encrypted, and you need to restore your network from the last available moment before the ransomware went live.

In enterprise risk management language, this is called “business continuity planning” or resiliency. In reality, this is called common sense. Understand that you will be hacked. And be ready to react at a moment’s notice.

There are so many variants of ransomware to which neither the NIST framework nor this article can do adequate justice. But using the Framework as a basis to re-evaluate your ransomware defenses is a perfect solution to a moving-target problem that calls not just for one solution or many solutions.

As we start 2016, and as the Framework approaches its second birthday, we are again urging client’s to use its core precepts to re-evaluate their defenses against all threat vectors. There is ghostware, stealthware, and other silent vectors to strike. Use the Framework as your “Seal Team Six” to fight back.

Via: tripwire

Over 40% of UK Security Breaches in 2015 Involved Ransomware

Ransomware attacks have surged significantly in the past several years, targeting an increasing number of organizations as cybercriminals seek an easy way to monetize their efforts.

According to a new survey conducted by IT security firm Foursys, 42 percent of security breaches in the UK last year were attributed to ransomware.

The survey polled more than 400 UK-based organizations, ranging from small SMEs to large corporations with more than 1,000 employees.

The results revealed that 15 percent of organizations responded to a security breach in 2015.

In 10 percent of the cases, respondents said the breach led to “significant disruption to systems,” while 11 percent said the incident caused loss of data.

“With so many victims paying out, it is no wonder that ransomware is becoming more and more attractive to cyber criminals,” said James Miller, managing director as Foursys.

“Once files are encrypted, you’d better hope your backups are secure and up-to-date, or pay the fine and keep your fingers crossed that the files will be decrypted,” he added.

A separate report by Cisco, says the overall explosion of ransomware activity can be tied to two main advantages for cybercriminals:

“It is a low-maintenance operation for threat actors, and it offers a quick path to monetization because the users pay adversaries directly in cryptocurrency,” read Cisco’s 2016 Annual Security Report. 

Foursys notes that the only real defense from ransomware attacks is prevention, and urges organizations to implement the following practices:

  • Ensure all security patches are up-to-date
  • Run the latest version of security software to prevent unauthorized access
  • Execute penetration tests to discover unknown vulnerabilities; and
  • Ensure all staff, including senior management, is kept abreast of the latest threats and their impact on business continuity.

Via: tripwire

NIST announces the Release of Special Publication 800-57 Part 1 Revision 4, Recommendation for Key Management, Part 1: General

NIST announces the Release of Special Publication 800-57 Part 1 Revision 4, Recommendation for Key Management, Part 1: General is now available.

Link to the full announcement of this document’s release can be found on the NIST CSRC News/Announcements page:
http://csrc.nist.gov/news_events/#jan28-2

Link to Special Publication 800-57 Part 1 Revision 4 document (PDF format) from the NIST Library website:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf

Link to Special Publication 800-57 part 1 Revision 4 located on the CSRC Special Publications page:
http://csrc.nist.gov/publications/PubsSPs.html#800-57pt1r4

Via: csrc.nist

Fast-Food Chain Wendy’s Investigating Potential Credit Card Breach

The nationwide fast-food chain Wendy’s is reportedly investigating claims of a potential credit card breach at some of its restaurant locations.

According to independent security journalist Brian Krebs, multiple sources in the banking industry found a pattern of fraud on payment cards that had all been recently used at various Wendy’s locations.

The restaurant chain acknowledged the claims after Krebs questioned the company in regards to the suspicious fraud pattern.

Wendy’s spokesperson Bob Bertini said the company began receiving reports earlier this month from its payment industry contacts about a possible data breach.

He added that a security firm has been hired to investigate further.

“Reports indicate that fraudulent charges may have occurred elsewhere after the cards were legitimately used at some of our restaurants,” Bertini told KrebsOnSecurity.

“We’ve hired a cybersecurity firm and launched a comprehensive and active investigation that’s underway to try to determine the facts,” said Bertini.

Bertini noted it may be too soon to determine whether the incident has been fully contained, how long it may have persisted or the number of locations affected.

“We began investigating immediately, and the period of time we’re looking at the incidents is late last year,” said Bertini.

“We know it’s [affecting] some restaurants but it’s not appropriate just yet to speculate on anything in terms of scope,” he added.

Krebs said he received reports of the possible breach from financial institutions based in the Midwest, as well as the east coast.

The Dublin, Ohio-based fast-food chain operates more than 6,500 franchise and company restaurants across the U.S. and in 29 other countries worldwide.

Via: tripwire

University of Virginia Breached by Phishing Attack

1,400 university employees’ W-2 tax forms were accessed.

The University of Virginia (UVA) recently began notifying more than 1,400 of its Academic Division employees that their data was exposed as a result of a successful phishing attack.

The FBI alerted the university to the breach, which happened between November 2014 and February 2015.

“Suspects overseas involved in this incident are in custody,” UVA said in a statement.

The attackers accessed part of the university’s human resources system, exposing the W-2 tax forms for approximately 1,400 employees from 2013 and 2014, and the direct deposit banking information of 40 employees. In total, UVA employs over 20,000 people.

All those affected are being offered one free year of credit monitoring and identity protection services. Employees with questions are advised to contact (855) 907-3155.

“The incident is the result of a ‘phishing’ email scam by which the perpetrators sent emails asking recipients to click on a link and provide user names and passwords,” the university noted.

UVA, like many organizations, is a frequent target of phishing attacks — a recent security alert lists over two dozen examples of phishing emails currently targeting UVA users.

Following the breach, the university says it received several employee reports of tax fraud last spring. “The incidents were investigated and the information available to officials at that time did not indicate the fraud occurred as a result of any data exposure,” UVA stated. “However, this latest investigation by the FBI does suggest that some of the previously reported instances of tax fraud may be a result of the actions of these perpetrators.”

IDT911 chairman and founder Adam Levin stated that phishing attacks will inevitably escalate in 2016. “While we don’t have intimate knowledge of the specific security protocols at UVA, it is clear that even if their IT and Information Security departments did everything right, one or more employees who click on a malicious link can be unwitting co-conspirators in the compromise of a database holding the personal information of countless individuals,” he said.

“This is why it is imperative that organizations need to practice the three Ms: minimize the risk of exposure, continuously monitor systems, and have a breach response program in place that can help manage the damage,” Levin added.

According to a recent Cloudmark survey of 300 IT decision makers in the U.S. and U.K., more than 84 percent of organizations have been breached by a spear phishing attack. Survey respondents estimated the financial impact of spear phishing to their organization to be more than $1.6 million in the past year alone.

Via: esecurityplanet

Centene Begins Notifying 950,000 Members of Possible Data Breach

Centene Corporation has begun the process of notifying 950,000 members who may have been affected by a possible data breach.

On Monday, the multi-line healthcare enterprise announced that it was launching a search for six hard drives that are currently unaccounted for among its information technology assets:

“Centene takes the privacy and security of our members’ information seriously,” Michael F. Neidorff, Chairman, President and CEO of the company, said in a press release. “While we don’t believe this information has been used inappropriately, out of abundance of caution and in transparency, we are disclosing an ongoing search for the hard drives. The drives were a part of a data project using laboratory results to improve the health outcomes of our members.”

The missing hard drives are thought to contain the personal health information of approximately 950,000 individuals who received laboratory services from Centene between 2009 and 2015, including members’ names, addresses, dates of birth, social security numbers, member IDs numbers, and other health information.

While there is no evidence that the hard drives contained individuals’ financial or payment data, stolen personal health information nonetheless enables computer criminals to conduct phishing attacks whereby they might seek to gain access to members’ accounts, notes Phil Muncaster of Infosecurity Magazine. Additionally, malicious actors could leverage the stolen information to blackmail affected members.

At this time, there is no evidence that the data was encrypted.

“Consistent with our policies around communication and transparency, we are beginning the process of notifying all affected individuals and all appropriate regulatory agencies as we continue to search and investigate,” Neidorff went on to comment.

Centene will also offer customers free credit and healthcare monitoring while it works to revamp its IT asset management strategy.

The nature of this incident differs significantly from previous breaches. For example, Anthem suffered a breach last year when external attackers exploited a vulnerability in order to gain access to a company database, thereby compromising the information of 80 million customers.

Even so, Centene is not the only company to have misplaced IT assets. Back in 2007, two password-protected CDs owned by Her Majesty’s Revenue and Customs (HMRC) were lost in the mail. This incident compromised the information of 25 million UK children and parents.

Via: tripwire

Microsoft jettisons support for legacy software

Microsoft has ended support for older versions of Internet Explorer, sending a clear message: It’s time for enterprises to adopt the latest version of all its products.

If you weren’t paying attention last week, let me bring you up to date. As of January 12, 2016, only the most current version of Internet Explorer will receive technical support and security updates from Microsoft. Internet Explorer 11 is the most current version, so you might want to check which version is being used in your enterprise.

The move to drop support for older versions of Internet Explorer should come as no surprise to anyone. It should be obvious by now that Microsoft’s strategy is to move enterprises beyond any legacy versions of its software. Microsoft is moving forward and if you don’t follow, you will be left behind.

Change

Dropping support for older versions of IE is just the latest move in what has become a well-established strategic pattern. Whether it is Windows, Office, Azure, or Internet Explorer, Microsoft wants all business enterprises to be using the latest versions of its software. Of course, that has always been the case—but there is a twist now.

In the past, Microsoft was willing to make allowances for enterprises that wished to stick with older tried-and-true versions of its software. However, Microsoft has made it quite clear that it will not be doing that anymore. If your enterprise wants to keep using Windows XP and Office XP, it will have to do so on its own. Essentially, Microsoft is washing its hands of all responsibility.

The change in strategy makes total sense, at least from Microsoft’s perspective. Trying to maintain three, four, and sometimes five versions of its software has taken a toll on Microsoft’s ability to innovate and adjust to changing industry standards, trends, and business needs. Microsoft is eliminating the weight of legacy support to streamline its business.

Kicking and screaming

The day support was cut off for older versions of IE, I saw several complaints from enterprises running specific applications designed to work exclusively with IE9. First of all, I never understood why enterprises tied themselves to one specific third-party application for which they have no control. But beyond that, why are those enterprises still using Internet Explorer 9 at all? For that matter, why are those enterprises running a critical application tied to any specific browser?

In the end, the reason your enterprise is refusing to join the rest of us in the 21st century is really not important. So you can kick and scream, throw a tantrum on the discussion forums, and whine about evil intentions, but it is not going to change anything. Microsoft has made it clear—it doesn’t care about legacy support anymore.

Bottom line

I have made this argument in the past, but I think it is worth repeating. Running outdated and unsupported software in an enterprise, especially when you have been specifically warned not to, and extra especially when an alternative is available, is irresponsible, dangerous, and frankly, stupid.

When your Windows XP systems get hacked and all your customer information is stolen, and Scott Pelly and 60 Minutes shows up at your door to ask, “What were you thinking?” don’t blame it on Microsoft because it is going to be all your fault.

Via: techrepublic

90% of mobile health and finance apps vulnerable to critical security risks

A new report from Arxan found that many popular enterprise applications lack protection from critical security vulnerabilities. Here are the details.

In analyzing 126 of the most popular mobile health and finance apps, app security company Arxan found that 90% of them had one thing in common—major security vulnerabilities. What’s even more concerning is that many consumers in the space don’t realize that this many of the apps are unsafe.

The data comes from Arxan’s fifth annual State of Application Security Report, wherein the company found a great disparity between the perceived security of mobile apps in the space and the reality of their level of security.

Security expert John Pironti said he wasn’t surprised by the results, and that these are some of the same trends and behaviors that emerged in the late 1990s and the dot-com boom.

“The expectation was that this new innovation was driving tremendous benefit and value and that the vendors producing solutions are smart and building in security properly,” Pironti said.

Arxan surveyed 1,083 individuals in the US, UK, Germany and Japan. Of the respondents, 268 were IT executives and 815 were consumers. The 126 apps that were tested came from the US, UK, Germany, and Japan as well.

In surveying these folks, 87% of executives and 83% of consumers said that they felt their mobile apps were “adequately secure.” Additionally, 82% of executives and 57% of consumers said that they believe “everything is being done” to protect their apps. When asked if they thought their app was likely to be hacked in the next six months or so, 46% of executives and 48% of consumers said yes.

However, those responses didn’t quite line up with what was found when the apps were examined.

Of the apps examined, a staggering 90% were vulnerable to at least two of the OWASP Security Project’s top 10 mobile risks. For those interested, here’s the top 10 list from 2014:

  • M1: Weak Server Side Controls
  • M2: Insecure Data Storage
  • M3: Insufficient Transport Layer Protection
  • M4: Unintended Data Leakage
  • M5: Poor Authorization and Authentication
  • M6: Broken Cryptography
  • M7: Client Side Injection
  • M8: Security Decisions Via Untrusted Inputs
  • M9: Improper Session Handling
  • M10: Lack of Binary Protections

If we break it down by the genre of app, it doesn’t look much better.

Of the health apps approved by the FDA, 84% were vulnerable to at least two of these risks, and 80% of apps approved by the NHS were as well. Also, 98% of the apps did not have binary code protection, meaning they could potentially be reverse-engineered, and 84% had poor transport layer protection.

In the financial sector, Arxan found that 84% of cyber attacks are happening at the application layer. Of the financial apps tested for this report, 92% were vulnerable to at least two of the top ten mobile application risks mentioned earlier.

When asked if they would change apps over a known vulnerability, or if a competitive app was known to be more secure, 80% said that they would. However, as IBM pointed out in its recent research, half of all companies have zero budget set aside for mobile app security. An additional IBM-sponsored report found that, at any given time, there are nearly 12 million mobile devices infected with malicious code.

For executives, the report recommended setting high expectations for your security, strengthening your weakest links, and making security your competitive advantage. For users, though, the report recommended only downloading apps from authorized sources, avoid jailbreaking or rooting your device, and demand transparency of your app’s security.

One major way that end users and executives alike can pressure mobile application vendors to providing better security is by speaking with their wallets.

“They can require the organizations and developers that are offering applications to them to provide independent assessment results from unbiased and capable third parties that show that they are providing commercially reasonable security on a regular basis,” Pironti said. “If they do not then the end user should choose to spend with those that will.”

Via: techrepublic