IT Support and Hardware for Clinics
32.0K views | +5 today
Follow
IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice
Your new post is loading...
Your new post is loading...
Scoop.it!

Adobe patches Flash zero-day found in Hacking Team data breach

Adobe patches Flash zero-day found in Hacking Team data breach | IT Support and Hardware for Clinics | Scoop.it

The massive Hacking Team data breach led to the release of 400GB worth of data including a zero-day vulnerability for Adobe Flash. Adobe has released an out-of-band patch for the flaw just two days after it was discovered.


The vulnerability was described by the Hacking Team in a readme file in the data dump as "the most beautiful Flash bug for the last four years". Accompanying the readme in the data was a proof-of-concept exploit of the flaw.


Adobe categorized the vulnerability (CVE-2015-5119) as critical and said it affects Flash Player versions 18.0.0.194 and earlier on Windows and Mac, and versions 11.2.202.468 and earlier on Linux. Successful exploitation of the flaw could allow remote code execution.


Security researcher Kafeine found that the vulnerability has already been added to the Angler, Fiddler, Nuclear and Neutrino exploit kits. Because of this, admins are recommended to apply the patch as soon as possible.


Also found in the Hacking Team data was another Adobe Flash zero-day (CVE-2015-0349), which was patched in April, and a zero-day affecting the Windows kernel. The inclusion of these zero-days has caused experts to question if these exploits are being used by Hacking Team clients, including law enforcement and governments.


"As many governments move to try and control malware and offensive security tools, some have been caught with their own hands in the cookie jar, leading many to wonder how and why governments and agencies listed as Hacking Team clients are using these tools and if they are doing so lawfully," said Ken Westin, security analyst for Tripwire. "Given the depth and amount of data compromised in this breach, it will reveal a great deal about the market for offensive tools designed for espionage with a great deal of fallout and embarrassment for some organizations."


Hacking Team spokesman Eric Rabe confirmed the breach and said that while law enforcement is investigating, the company suggests its clients suspend the use of its surveillance tools until it can be determined what exactly has been exposed.


In a new statement, Rabe warned that its software could be used by anyone because "sufficient code was released to permit anyone to deploy the software against any target of their choice.


"Before the attack, HackingTeam could control who had access to the technology that was sold exclusively to governments and government agencies," Rabe wrote. "Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so. We believe this is an extremely dangerous situation."

more...
No comment yet.
Scoop.it!

LastPass Sounds Breach Alert

LastPass Sounds Breach Alert | IT Support and Hardware for Clinics | Scoop.it

Warning to all LastPass users: Change your master password for the service now and ensure you're using multi-factor authentication. There has been a data breach that might allow attackers to crack master passwords and password reminders.


"Our team discovered and blocked suspicious activity on our network," reads a security notice from Joe Siegrist, the CEO of online password management service LastPass, which allows people to store multiple passwords inside a single, cloud-based password vault.


Siegrist says the intrusion was discovered June 12. "In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."


This is not the first time that LastPass has reported that passwords or data might have been hacked. In 2011, the firm reported finding a "traffic anomaly from one of our databases" that could have resulted in data exfiltration. In response, the firm said it took a number of steps to tighten security, including registering domains that might be used by phishing attackers, as well as removing non-core services from the LastPass network.


In the wake of this newly announced breach, Siegrist says that the company is "confident that our encryption measures are sufficient to protect the vast majority of users," noting that the site's techniques for creating users' authentication hashes - in essence, how their authentication credentials get protected - would make it very difficult for an attacker to crack those hashes "with any significant speed." But because that is a possibility, the company says it has now "locked down" all accounts, meaning that any attempt to access an account from a new device or IP address will require the user to first verify their identity via email, unless they're already using multi-factor authentication.


"We will also be prompting all users to change their master passwords," Siegrist says. "You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites." He adds that because encrypted user data wasn't stolen, users do not need to change the passwords for any sites stored inside their LastPass password vault.


LastPass also offers multi-factor authentication - including Google Authenticator, Yubikey and the Duo Security Authenticator - to safeguard accounts. And in the wake of the breach, multiple information security experts recommend that all LastPass users ensure that they are using this feature.

Rethink Password Reset Questions

"Should I panic because LastPass was hacked?" asks Robert David Graham, head of information security research firm Errata Security. "If you chose a long, non-dictionary password, nobody can crack it," he says, thanks to the way LastPass creates its hashing algorithms. "Conversely, if you haven't, then yes, you need to change it."


Some security experts, meanwhile, say that the biggest risk now facing LastPass users will bephishing attacks, especially because users' email addresses have been compromised. "LastPass is advising users to change the master password. While this is a good idea, it should not be the top priority," says Martin Vigo, a product security engineer for salesforce.com who's due to present the talk "Breaking Vaults: Stealing LastPass protected secrets" at the July Shakacon conference in Hawaii. "You should pay more attention to the password hint you set up and be on the lookout for any possible phishing email in the next weeks pretending to be LastPass."


Vigo says many users undercut their security by using password reminders - he recommends never using them, if possible - or else creating weak ones. "While the password reminder cannot be the password itself, it can contain it. This means that password reminders such as 'My password is correct horse battery staple' are possible," he says. "Other more common passwords reminders such as 'My dogs name' can help attackers guess your master password. Remember that they have your email, which leads to your Twitter, Facebook, etc., where possibly that information can be found."

Password Vaults: Pros and Cons

The LastPass breach begs the question of whether people should ever use password managers, a.k.a. password vaults. "If a crook gets hold of your master password, then that's like getting the crown jewels - because now the crook has access to all your accounts at once," says Paul Ducklin, a senior security adviser for anti-virus firm Sophos, in a blog post. As a result, some security experts decry their use, on the grounds that the password manager master password creates a potential single point of failure.


But many security experts, including Bruce Schneier, have long advocated using such tools, saying that it is much more likely that users will get hacked if they reuse passwords, or select weak ones, than have their encrypted password database stolen and cracked.

F-Secure security adviser Sean Sullivan, for example, has said he "can't imagine life" without using one, because such tools can ensure that a user only uses strong passwords, and never repeats them across sites. But Sullivan also takes certain precautions, such as never entering the master password for his password manager when he's using an untrusted system - such as the shared family PC at home - in case a keylogger might be in operation.

Cloud Versus PC-Based

Users can also choose between PC-based, cloud-based or hybrid password managers. Some encryption experts, such as Johns Hopkins cryptographer Matthew Green, have voiced concerns about the security of cloud-based password management services.

more...
No comment yet.
Scoop.it!

President Obama calls for stronger American cybersecurity

President Obama calls for stronger American cybersecurity | IT Support and Hardware for Clinics | Scoop.it

Citing a series of embarrassinghigh profile incursions against US computer networks in recent months, President Obama called for "much more aggressive" efforts to shore up the government's vulnerable cyber-infrastructure. "This problem is not going to go away," the President told reporters at a G7 press conference in Germany. "It is going to accelerate. And that means that we have to be as nimble, as aggressive and as well-resourced as those who are trying to break into these systems." As such, he urged Congress to pass its pending cybersecurity legislation, such as the Cybersecurity Information Sharing Act of 2015.

more...
No comment yet.
Scoop.it!

New Rombertik malware destroys master boot record if analysis function detected

New Rombertik malware destroys master boot record if analysis function detected | IT Support and Hardware for Clinics | Scoop.it

While detection scanning malware is nothing new, Cisco researchers have identified a new malwaresample that takes its detection evasion features one step further than the average malware.


Instead of simply self-destructing when analysis tools are detected, Rombertik attempts to destroy the device's master boot record (MBR), researchers wrote in a blog post


This malware spreads through spam and phishing messages sent to possible victims.


In one example, attackers attempted to convince a user to download an attached document in an email. If downloaded and unzipped, a file that looks like a document thumbnail comes up. Although it mimics a PDF icon, it is actually a .SCR screensaver executable file containing the malware.


At this point Rombertik will first run anti-analysis checks to determine whether it is running within a sandbox. If it isn't, it will then decrypt and install itself, which then allows it to launch a second copy of itself and to overwrite the second copy with the malware's core functionality. Then, again, it will check to make sure it isn't being analyzed in memory. If it is, the attack takes an even more malicious turn with the malware attempting to destroy the Master Boot Record and restart the computer to make it inoperable.


To make actual analysis even more difficult, in the unpacked Rombertik sample used by Cisco more than 97 percent of the packed file dedicated to useless files, including 75 images and more than 8,000 functions that are never used.


Plus, instead of evading sandbox detection by sleeping for a certain amount of time and forcing the sandbox to time out, Rombertik writes a byte of random data to memory more than 900 million times. If an analysis tool attempted to document all these write instructions, the log would be more than 100 gigabytes.


All this occurs before the malware actually gets down to its true purpose of capturing a victim's plain-text data sent over a browser. Rombertik injects itself into the user's preferred browser's process and hooks API functions that handle plain text data. The attackers can then see usernames and passwords from almost any website a user visits.

“This is the perfect example where layered defense makes a lot of sense,” said Craig Williams, technical leader, Cisco Talos, in an interview with SCMagazine.com.


Although the malware may beat one detection system it's unlikely to detect or avoid them all, he said, making layered defense an important method to mitigate the risk. However, he noted, it's possible more exploit kits will begin adopting Rombertik's evasion tactics, making defense even more difficult.


Via Danen Raas, Paulo Félix
more...
No comment yet.
Scoop.it!

How DNS is Exploited

How DNS is Exploited | IT Support and Hardware for Clinics | Scoop.it

The Internet is a global engine of commerce today, but it was never designed with such grandiose applications in mind. In the underlying architecture of the Internet, hostility was never a design criterion, and this has been extensively exploited by criminals, who capitalize on the Domain Name System infrastructure - the map of the Internet - which is indispensable for the Internet as we know it to function.

"Right now the Internet is being used to transfer hundreds of billions of dollars per year from the productive part of the world's economy toward the unproductive part because it is such a gaping hole," says Internet pioneer and DNS thought leader Dr. Paul Vixie, CEO of Farsight Security, a provider of real-time passive DNS solutions that provide contextual intelligence to threat and reputation feeds.

The Internet was built without any thought of authentication, admission control or security, and so almost any application or website can be abused by a creative criminal, he says. But the DNS is proving essential to both the good guys and the bad guys - almost a unifying field theory.

"Everything you need to do on the Internet requires DNS - regardless of intent," says Vixie, who is also the principal author of version 8 of BIND, the most widely used DNS software on the Internet. "I think this makes DNS an interesting place to look for criminals and signs that criminals must leave," he says.

In part one of an exclusive two-part interview with Information Security Media Group (transcript below), Vixie talks about DNS and the impact it has on the Internet's security landscape. He shares insights on:

Part two of this interview will feature Vixie's views on the evolution of the Internet as an ecosystem that has evolved to make crime easier.

Vixie, CEO of Farsight Security, previously served as president, chairman and founder of the Internet Systems Consortium. He has served on the ARIN board of trustees since 2005, where he served as chairman in 2008 and 2009, and is a founding member of the ICANN Root Server System Advisory Committee and the ICANN Security and Stability Advisory Committee. He has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He wrote Cron (for BSD and Linux), and is considered the primary author and technical architect of BIND 4.9 and BIND 8. He has authored or co-authored about a dozen Request for Comments, a publication of the principal technical development and standards-setting body for the Internet, the Internet Engineering Task Force - mostly on DNS and related topics. He was named to the Internet Hall of Fame in 2014.

Varun Haran: How are criminals exploiting DNS infrastructure to perpetrate crime today?

Dr. Paul Vixie: One main area where DNS is facilitating crime is denial-of-service attacks, where the purpose may be economic or ideological to prevent the victim from being able to use the Internet. This is achieved by filling their Internet connection with unsolicited traffic so that they cannot use their connection for good traffic.

Now, unfortunately, the Internet was designed by scientists and engineers to work in a completely friendly environment. Hostility was never one of the design criteria for the Internet. What that means is it is trivial to send packets forging someone else's address as the source. Which means that if you direct the packets forged with a victim's address towards a powerful server, a lot of response traffic will go to your victim. And because the victim did not solicit it, they cannot turn it off. This is a very popular attack, and anytime that you hear that Google or Spamhaus has been hit with a 400 Gbit/s DDoS attack, it is the exact same method being employed - IP source forgery.

This is not only something the Internet was designed without, it is something that the current Internet economy is resisting fixing, because in order to fix this problem, an ISP has to turn on some new features in their Internet routing equipment. Those features need to be tested, there needs to be documentation, there has to be monitoring, so there is a small cost - there may even be a performance cost in the routing equipment if you turn on this feature.

The cost is trivial, but not zero. The benefit that the operator will see, in exchange for that investment will be measurably zero, because what they are doing is protecting the rest of the Internet against their customers. So if an ISP does this, it is only for the greater good and it is very difficult to get an ISP - who has investors, shareholders, board of directors, management chain etc. - to act for the greater good at their own expense. It simply does not make good business sense to fix this problem.
Internet Vulnerabilities

Haran: The Internet wasn't designed for all the purposes it's being put to today. What are some of the security issues that the current nature of the Internet, in terms of infrastructure and architecture, gives rise to?

Vixie: I gave you one example, which is the lack of source address validation. But there are other admission control problems also. For example, there are control packets that you can transmit that can potentially interrupt other people's conversations. Various TCP and ICMP packets can be transmitted toward parts of the network that will respond by denying other people the ability to communicate for a few seconds.

This comes from when the Internet was just a collection of universities and government contractors. Everybody on the Internet for the first 10 years had a contract with the U.S. government. None of them had any incentive to transmit damaging traffic. The nature of the Internet took that into account. It was a very fragile network, which was intended only for mature computer science professionals to interact.

So, if we turn our attention now to spam, the email system has no admission control. Anyone can send an email to anyone. That was, in fact, an important design criteria to avoid central clearinghouses and make email an end-to-end activity. But what that means is that spammers are also endpoints and have the same right to transmit email to anyone. There is no differentiation, there is no privilege required.

Add to that the fact that, just like IP packets can have their sources forged, even email sources can be forged. And unless you are a technology expert or have a high-end email firewall appliance, you won't be able to tell the difference. This works at scale. Right now, the Internet is being used to transfer hundreds of billions of dollars per year from the productive part of the world's economy toward the unproductive part because it is such a gaping hole. The Internet is the backbone of global commerce today, and yet it was built without any thought of authentication, admission control or security, and so almost any application or website can be abused by a creative criminal.
The Internet's Map

Haran: You have said that DNS is like a unified field theory between the good guys and the bad guys. Can you elaborate? How indispensable is DNS to the structure of the Internet?

Vixie: If the Internet were a territory, the DNS would be its map. We who have grown up in a world that is completely mapped, completely discovered, find it impossible to conceptualize the idea of a territory without a map. Without DNS, the Internet would be a trackless wild, where things would exist but you wouldn't know how to get there or the cost of admission. So I mean it when I say that all Internet communication begins with a DNS transaction - at least in order for the initiator to discover the responder and to find out where to send the packets that will represent their conversation.

But there may be other things as well, such as looking up a key, so that they can build a secure conversation by sharing key-in information or for looking up directory servers for authentication and authorization. Pretty much everything you need to do on the Internet is going to be a TCP/IP session. And every TCP/IP session is going to begin with one or more DNS transactions. This is true regardless of your intent. You intent might be to create wealth, to innovate, to make the world a better place, or it could be that your intent is criminal and you want to lie, cheat, take, force, defraud and you have purposes which would be seen as evil in the eyes of your fellow man. Your intent does not matter - you are not going to be able to do anything on the Internet without DNS. And it is that that I think makes DNS such an interesting place to look for criminals and signs that criminals must leave.
DNS Response Rate Limiting

Haran: You are a strong advocate of DNS Response Rate Limiting, which is something that you have worked on yourself. What can you tell me about DNS RRL?

Vixie: In DNS, there are many different kinds of DNS agents. Some only ask questions and receive answers and some only provide answers. It is that second type that concerns rate limiting, because a server in the DNS - the so-called authority server, which is where DNS content comes from - must be very powerfully built, having a lot of capability. Otherwise, if someone sends you a DDoS, they will make your content unreachable because your network pipe would be full of attack traffic.

It is common to buy an extra-large connection to your authority servers and to buy not just one authority server, but maybe a dozen and put them behind load balancers, with redundant power and so forth, because you want to make sure that no matter what happens, you can address queries and your content is reachable.

The difficulty that this presents to the rest of us is that in DNS, a response is larger than a request and that means that you are a potential amplifier. And if you are hearing a question that was forged - the IP address used by the attacker is forged to become the IP address of their intended victim - then you as a very powerful content server would be willing to help that attacker DDoS that victim simply because you are a powerful content server, and you have to be powerful for reasons of your own.

So when we designed response rate limiting, it was to allow those servers to differentiate between attack flows and non-attack flows so that they would be not as usable as an amplifier of third-party attacks. The tricky part is that you have to be very careful not to drop legitimate queries. So there is a little bit of mathematical trickery involved in the DNS RRL system that helps to make sure that you can stop most DDoS attacks without causing collateral damage.

more...
No comment yet.
Scoop.it!

Will Executive Order Impact Cybercrime?

Will Executive Order Impact Cybercrime? | IT Support and Hardware for Clinics | Scoop.it

President Obama on April 1 issued an executive order that allows the U.S. government to block or seize the assets of suspected "malicious cyber actors." But some legal and security experts already are questioning whether the order is legally defensible or will have any meaningful impact on either cybercrime or online espionage.


"There are so many problems with this," attorney Mark Rasch, a former U.S. Department of Justice official who created its computer crime unit, tells Information Security Media Group, citing, for example, the government's ability to presume someone is guilty, without first having to prove it. "In general, sanctions are a political tool for putting pressure on recalcitrant governments to change their ways, [but] these sanctions are a legal tool to impose punishment without trial on persons we believe to be criminals and hackers."


The Obama administration, however, says that the executive order - officially titled "Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities" is necessary to give the U.S. government much-needed new legal tools in its fight against cybercrime and online espionage. The executive order represents the first time that the White House has authorized broad sanctions to be imposed specifically for cyber-attacks, and regardless of the location of whoever is behind the attacks.


"Our primary focus will be on cyberthreats from overseas, Obama writes on news website Medium. "In many cases, diplomatic and law enforcement tools will still be our most effective response. But targeted sanctions, used judiciously, will give us a new and powerful way to go after the worst of the worst."


The executive order authorizes the Secretary of the Treasury - in consultation with the Attorney General and the Secretary of State - to impose such sanctions "on individuals or entities that engage in malicious cyber-enabled activities that create a significant threat to the national security, foreign policy or economic health or financial stability of the United States," Obama says in an April 1 statement distributed by the White House.


While the executive order doesn't define "significant," it says sanctions can be imposed for a variety of reasons, for example, in response to attacks that target critical infrastructure, which disrupt networks - via distributed denial-of-service attacks, for instance - as well as for targeting or stealing trade secrets or personally identifiable information, and for computer crime in general.

Intent: To Fill Gaps

White House Cybersecurity Coordinator Michael Daniel says the executive order is meant to expand the "spectrum of tools" that the government can use to combat cyber-attacks, by supplementing current diplomatic, law enforcement, military, economic and intelligence capabilities.


"It is designed to fill in a gap that we have identified where individuals carrying out significant malicious cyber-attacks are located in places that it's difficult for our diplomatic and law enforcement tools to reach - whether because they're behind the borders of a country that has weak cybersecurity laws, or the government is complicit in or turning a blind eye to the activity that is happening, and we don't have good law enforcement relationships or other kinds of relationships," he said on an April 1 a press call. "So what we're doing is putting in place a tool that will enable us to impose costs on those actors."


John Smith, the Treasury Department's acting director of the Office of Foreign Assets Control, or OFAC, which administers and enforces U.S. economic sanctions programs, said on the press call that the executive order elevates cyber-attacks to the realm of such activities as counterterrorism, narcotics trafficking and transnational crime, which the United States targets, regardless of where they're based. Smith says the administration is hoping that by designating cybercrime and online espionage in this manner, more countries will be spurred to put a stop to related activities inside their borders, or which touches their financial system.

Sony Hack Inspired Order

The Washington Post reports that the executive order has been under development for the past two years. But Daniel says the need for the executive order was highlighted after the president called for a "proportional response" to the hack attack against Sony Pictures. "That process informed us as we were finishing up this executive order and highlighted the need for us to have this capability and to have this tool."


The move follows another executive order, signed by the president in January, that imposed sanctions on 10 individuals and three entities associated with the North Korean government, after the FBI attributed the November 2014 hack and wiper malware attack against Sony Pictures Entertainment to "North Korea actors." But numerous information security experts have continued to question that attribution.

Questioning the Rationale

And some legal and security experts are now questioning the rationale behind the new executive order. "It's really built out of frustration, because the international legal process does not deal effective with cybercrime," says Rasch, the former DOJ official. "So there's the urge to take the law into your own hands. Resist that urge."


Rasch adds that another problem with the executive order is that it's not aimed just at state sponsors - or nation-state-backed attackers - but anyone who the U.S. believes has broken the law. Furthermore, it allows the government to impose punishments, such as seizing U.S. citizens' assets, without any due process, or having to first prove the government's case.


The administration says that anyone who wants to contest sanctions that get imposed using this executive order can do so with OFAC, or by filing a lawsuit against the federal government.

Cybercrime Impact?

But will the executive order lead to any meaningful reduction in cybercrime or online espionage? "I'm somewhat skeptical, to say the least," Sean Sullivan, a security adviser for Helsinki, Finland-based anti-virus firm F-Secure, tells ISMG. "There's a great deal of Russian-speaker-based 'espionage as a service' that would be very difficult to do much about. And China seems even more of a challenge. But then again, maybe there are some officials who do actually have American assets to go after - New York real estate, for example."


James A. Lewis, a cyberpolicy expert at the Center for Strategic and International Studies, believes that the new program could have an impact, for example to combat Chinese-promulgated economic espionage. "You have to create a process to change the behavior of people who do cyber-economic espionage," he tells The Washington Post. "Some of that is to create a way to say it's not penalty free. This is an effective penalty. So it moves them in the right direction."

But Rasch thinks it's unlikely that the executive order would fulfill the stated White House purpose of deterring future cybercrime, espionage and large-scale attacks. "The rogues are not going to be deterred by this," he says. "The state sponsors are not going to be deterred by this."


more...
No comment yet.
Scoop.it!

Brave New World: The Future of Cyberspace & Cybersecurity

Brave New World: The Future of Cyberspace & Cybersecurity | IT Support and Hardware for Clinics | Scoop.it

“Since this is a challenge that we can only meet together, I’m announcing that next month we’ll convene a White House summit on cybersecurity and consumer protection. It’s a White House summit where we’re not going to do it at the White House; we’re going to go to Stanford University. And it’s going to bring everybody together — industry, tech companies, law enforcement, consumer and privacy advocates, law professors who are specialists in the field, as well as students — to make sure that we work through these issues in a public, transparent fashion.” – President Barack Obama, Jan. 13, 2015.

The future of cyberspace and cybersecurity has been debated by many theorists and academicians have rendered opinions and studies on the topic. Cyberspace and cybersecurity issues have retaken the center stage of national and homeland security discourse after having taken a sideline to the natural reaction against al-Qaida’s 9/11 attack on the homeland. Despite the renewed sense of purpose and the recognized need to mitigate the ills found in cyberspace, the issue of cybersecurity and the way ahead remain as unclear and obscure since these same theorists and academicians were predicting an “electronic Pearl Harbor” in the 1990s and the events leading up to the hype posed by the Y2K bug.

The Obama administration’s renewed sense of purpose in dealing with cybersecurity issues by calling for the Summit on Cybersecurity and Consumer Protection at Stanford University promises to reinvigorate the discussion on a vital topic of national security. That said, this initiative also sounds oddly familiar to similar initiatives from past administrations voicing similar concerns.

In Brave New World, Aldous Huxley portrayed a dystopian future where mankind was largely driven by the need for pleasure as a means to distract them from the weightier issues of their everyday lives. Huxley also stated one universal truism in that, “Most human beings have an almost infinite capacity for taking things for granted.”

In terms of cybersecurity, what have we taken for granted? The renewed focus on cyberspace and security issues, while laudable in the sense that it can promise a debate on issues that must be addressed, will ultimately fail if it does not fundamentally address the question: What are we taking for granted in terms of our understanding of cyberspace and cybersecurity? In other words, are we framing the current debate on flawed conceptions of the issue in general? Are our assumptions flawed? Without considering some of these questions, we risk missing the true and weightier questions that we need to address on an issue that is constantly changing in terms of its impact on humanity.

The question before us is a simple one, but harder in terms of envisioning or defining. As Anthony Codevilla and Paul Seabury clearly stated in their book War: Ends and Means: “Strategy is a fancy word for a road map for getting from here to there, from the situation at hand to the situation one wishes to attain.” While this does not mean that we need to quickly create another national strategy on cybersecurity or cyberspace with glossy photos and sweeping language that promises a utopian future, it does mean that we need to fundamentally address the more difficult question first, “What do we ultimately need to attain in terms of cybersecurity?”

In this sense, President Obama’s speech on the future of cyber issues is appropriately framed in that this really is a challenge that we can only meet together. Envisioning the future in a world that will become increasingly dominated by technology and the Digital Age also addresses the type of future that we want to create for subsequent generations. In short, what future are we giving our children and our grandchildren? While blatantly sophomoric, as a parent and grandparent, it also happens to be true.

By envisioning our future, we are forced to recognize where we are. The continued reports on data breaches, identity theft, insufficient cybersecurity protections for health care records, controversies over data retention by the U.S. government and private industry, terrorist recruitment via social media, and the implications of active targeting by foreign entities on U.S. intellectual property are just a few of the many concerns that define the cyberspace issue in the present age.

To date, we have embarked on a journey with no destination. We have not chartered the course to take us to where we want to go. As such, while we must bring national security specialists, policy-makers, private industry, academicians and civil liberty advocates together, we also need to recognize that these issues are the result of failed initiatives and incremental approaches to the overall topic of cyberspace and cybersecurity in general. If this incremental approach to cybersecurity remains unchecked, our generation will be the first to face the brave new world of cyberspace defined by the nefarious drivers that are presently framing the topic. As the noted philosopher, John Stuart Mill appropriately stated, “When we engage in a pursuit, a clear and precise conception of what we are pursuing would seem to be the first thing we need, instead of the last we are to look forward to.”

While the answers to this basic truism can take on a highly technical tone in terms of the development of cybersecurity standards, technologies and processes, the true nature of the answer centers on the ideals and cultural norms that we wish to preserve while advancing into the future that will be defined by technology. How do we preserve privacy in the Digital Age? What type of culture do we wish to establish for ourselves—innocent until proven guilty or questionable until we can verify who you are? What is the role of the government in terms of ensuring security and where does the responsibility for the private sector begin in terms of its obligation to protect its intellectual property?

The answers to these questions represent but a fraction of the answers that are necessary to define our future. The answers to these questions, however, are the ones that begin to define the parameters for how we get from here to there. The sooner we engage in this dialogue, the better off we will be in defining that future for subsequent generations.




Via Paulo Félix
more...
No comment yet.
Scoop.it!

US Senate committee advances cyber-surveillance bill

US Senate committee advances cyber-surveillance bill | IT Support and Hardware for Clinics | Scoop.it

The Senate intelligence committee advanced a priority bill for the National Security Agency on Thursday afternoon, approving long-stalled cybersecurity legislation that civil libertarians consider the latest pathway for surveillance abuse.

The vote on the Cybersecurity Information Sharing Act, 14 to 1, occurred in a secret session inside the Hart Senate office building. Democrat Ron Wyden was the dissenter, calling the measure “a surveillance bill by another name”.

Senator Richard Burr, the committee chairman, said the bill would create avenues for private-to-private, private-to-government and government-to-private information sharing.

The bill’s bipartisan advocates consider it a prophylactic measure against catastrophic data theft, particularly in light of recent large-scale hacking of Sony, Target, Home Depot and other companies.

Private companies could share customer data “in a voluntary capacity” with the government, Burr said, “so that we bring the full strength of the federal government to identifying and recommending what anybody else in the United States should adopt”.

“The sharing has to be voluntary, not coercive, and it’s got to be protected,” said Senator Dianne Feinstein, the committee’s vice-chair, adding that the information would pass through the Department of Homeland Security – and “transferred in real time to other departments where it’s applicable”.

Feinstein said the bill’s provisions would “only be used for counterterrorism purposes and certain immediate crimes”.

Several iterations of the cybersecurity bill have failed in recent years, including a post-Edward Snowden effort that the committee, then under Democratic leadership, approved last year. President Obama, renewing the push earlier this year, has called for a bill to enhance information sharing between businesses particularly banks and others in the financial sector and the federal government surrounding indications of malicious network intrusions.

Advertisement

Both the administration and Congress intend the legislation to join a panoply of recent moves to bolster cybersecurity, including February’s announced creation of a consolidated center within the intelligence agencies for analysis of internet-borne threats.

“This bill will not eliminate [breaches] happening,” Burr said. “This bill will hopefully minimize the impact of a penetration because of the real-time response.”

Feinstein said that companies, “reluctant to share with the government because they are subject to suit” would be protected from lawsuits “for cybersecurity purposes” under the bill.

But the bill faces strong opposition inside and outside Congress. Beyond expanding government’s reach into private data outside warrant requirements, it mandates real-time access to that data for intelligence agencies and the military.

‘Significantly undermine privacy and civil liberties’

Privacy advocates consider the bill to provide a new avenue for the NSA to access consumer and financial data, once laundered through the Department of Homeland Security (DHS), the initial public repository for the desired private-sector information. Campaigners consider the emphasis placed by the bill’s backers on DHS’s role to be a misleading way of downplaying NSA access to win congressional support.

A coalition of nearly 50 technologists, privacy groups and campaigners wrote to the committee earlier this month urging rejection of a bill that would “significantly undermine privacy and civil liberties” and potentially permit corporations to “hack back” at perceived network intrusions.

The bill “does not effectively require private entities to strip out information that identifies a specific person prior to sharing cyber-threat indicators with the government, a fundamental and important privacy protection,” the 2 March letter reads. Its changes to federal law “would permit companies to retaliate against a perceived threat in a manner that may cause significant harm, and undermine cybersecurity”, particularly given the misattributions of responsibility frequently seen in hacking cases.

Companies can only take “defensive measures” and not “countermeasures against another company”, Feinstein said.

Burr said that language in the bill would require companies to “remove all personal information before that data is transferred to the federal government”, and that the Department of Homeland Security would scrub any data not cleaned by companies. “We’ve tried to minimize in that any personal, identifying data that could be captured,” he said.

But Burr admitted the bill would still allow companies to share directly with the NSA, and could potentially receive liability protections if information is shared “not electronically”. “Our preference is the electronic transfer through the DHS portal,” he said.

While the NSA has labored to convince the public to move on from international condemnation of its digital dragnets – though Congress has passed no legislation to curtail them – acrimony within the tech sector at the surveillance giant persists.

At a Washington forum last month, Yahoo’s chief security officer confronted the NSA’s chief, Admiral Mike Rogers, over a recent push by US security agencies to undermine encryption for government benefit, a revival of the so-called “Crypto Wars” of the 1990s.

Alex Stamos of Yahoo challenged Rogers to explain why his company should not do the same thing on behalf of US adversaries or competitors to facilitate their spying on the United States. Rogers, in what was seen as a heated exchange, resisted the comparison.

Against that backdrop of suspicion, it is uncertain if the new cybersecurity bill can garner the votes in the broader Senate and House that its predecessors could not. The digital-rights group Access on Thursday was already seeking to mobilize its membership to call legislators in objection to the bill.

Wyden declined to comment to reporters, saying as he left the meeting: “You guys know I like talking about this stuff but I can’t say anything.”

He later articulated his dissent in a statement: “The most effective way to protect cybersecurity is by ensuring network owners take responsibility for security. Strong cybersecurity legislation should make clear that government agencies cannot order US hardware and software companies to build weaker products, as senior FBI officials have proposed.”



Via Paulo Félix
more...
No comment yet.
Scoop.it!

Should we hack the hackers? - The Guardian

Should we hack the hackers? - The Guardian | IT Support and Hardware for Clinics | Scoop.it

If we’re losing the war against cybercrime, then should we take off the gloves and strike back electronically against hackers?

As banks reel from another major hacking revelation, a former US director of intelligence has joined some of them in advocating for online counterstrikes against cybercriminals.

In February, security firm Kaspersky detailed a direct hack against 100 banks, in a co-ordinated heist worth up to $1bn. This follows growing sentiment among banks, expressed privately, that they should be allowed to hack back against the cybercriminals penetrating their networks.

At February’s Davos forum, senior banking officials reportedly lobbied for permission to track down hackers’ computers and disable them. They are frustrated by sustained hacking campaigns from attackers in other countries, intent on disrupting their web sites and stealing their data.

Dennis Blair, former director of national intelligence in the Obama administration, has now spoken out in favour of electronic countermeasures, known in cybersecurity circles as hacking back, or strikeback.

Blair co-authored a 2013 report from the US Commission on the Theft of American Intellectual Property. It considered explicitly authorising strikeback operations but stopped short of endorsing this measure at the time.

Instead, the report suggested exploring non-destructive alternatives, such as electronically tagging stolen data for later detection. It also called for a rethinking of the laws that forbid hacking, even in self-defence.

Western law enforcers don’t have jurisdiction in the countries where cybercriminals operate. Ideally, they would pass information about hackers onto their counterparts there, said Blair, but in many cases local police are un-cooperative. It’s time to up the ante, he suggested.

“I am more leaning towards some controlled experiments in officially conducting aggressive cyber-tracking of where attacks come from, discovering their origin, and then taking electronic action against them,” he told the Guardian.

Legal problems

There’s just one problem with strikeback operations, said Mark Rasch, a former federal cybercrime prosecutor and the head of Maryland-based Rasch Technology and Cyber-law: it’s against the law. “You have to start with the general assumption that hacking back is most likely illegal,” he said.

Long-standing laws on both sides of the Atlantic clearly forbid unauthorised tampering with a computer, even if someone is using that computer to attack you. In the UK, the Computer Misuse Act sets those rules. In the US, the Computer Fraud and Abuse Act does the same.

Even without this legislation, the law generally frowns upon what Rasch calls “self help”. Judges dislike vigilante justice.

The stakes are getting higher, though. Since the report’s release, corporate America has seen several devastating cyber-attacks. JP Morgan suffered a breach affecting 76 million households. Home Depot and Target were also hacked, and most recently, Sony Entertainment was embarrassed by the theft of internal documents.

“I’ve been seeing the way that technology is developing. I think it’s worth some limited legislation to post penalties back to hackers,” Mr Blair said, adding that companies should work with law enforcement rather than taking matters into their own hands.

“Law enforcement authorities can go back down the same route that [the hackers] use to attack, and cause physical damage to their equipment,” he added.



Via Paulo Félix
more...
No comment yet.
Scoop.it!

Despite High-Profile Data Breaches, Fraud is Down

Despite High-Profile Data Breaches, Fraud is Down | IT Support and Hardware for Clinics | Scoop.it

Home Depot, Staples, Neiman Marcus — 2014 was a blockbuster year for the high-profile data breaches, with at least $16 billion stolen from a reported 12.7 million fraud victims.

But those numbers are actually an improvement, according to a new study by Javelin Strategy & Research. Last year, the amount of money lost to fraud dropped 11 percent, down from $18 billion in 2013. And in 2012, the amount was even higher, at $21 billion.

The number of victims is down too, dipping 3 percent in 2014.

Though hacks appear to be growing in size and targeting larger retailers, financial institutions have also gotten better at performing triage after such an attack occurs.

“The combined efforts of industry, consumers, and monitoring and protection systems that are catching fraud more quickly helped reduce the incidence of fraud and the amount stolen over the past year,” said Al Pascual, director of fraud and security at Javelin, a consulting firm that analyzes consumer transactions. “When detected, fraud is being resolved quicker than ever before.”

After 110 million credit card numbers were stolen in the December 2013 Target breach, for example, banks went on the offensive, spending more than $200 million to replace consumer credit and debit cards.

In 2014, 1 in 4 consumers received data breach notifications, but a smaller proportion of those people became fraud victims than in 2013. Last year, fraud incidents among notified breach victims dropped 17 percentage points to 13.7 percent, the lowest rate since Javelin began conducting its annual study in 2004.

The report hypothesized that the huge number of data breaches in 2014 may have spurred banks and retailers to take such attacks more seriously, driving down the incidents of fraud. Improvements in technology that can help detect fraud also contributed to the decline, the report said.

Pascual warned that despite dropping reports of fraud, consumers should still be wary of identity theft.

“We have seen declines in the past, but they have reversed as fraudsters try new approaches or when new technologies make it easier for fraudsters to get consumer information,” he said.

For instance, while new-account fraud (in which a fraudster uses stolen information to open an account in a victim’s name) reached record lows in 2014 according to the Javelin report, this year such incidents have increased due to security weaknesses in Apple’s new mobile payments system, Apple Pay.

In the Javelin report, 13 percent of victims of new-account fraud did not detect the identity theft for more than a year.

Though 2014’s number of victims was down, 2013 had the second-highest number of identity theft victims since Javelin began its annual study.

In the end, said Pascual, more breaches will result in more victims of identity theft. In 2014, two-thirds of identity fraud victims had previously received a data breach notification that year.

“This is a long, drawn-out battle against identity thieves,” he said. “While there have been some victories this year, there have also been some discouraging setbacks. It really reinforces why we need the combined efforts of industry, consumers, and monitoring and protection systems working together to continue the downward trend.”


Via Paulo Félix
more...
No comment yet.
Scoop.it!

Google has delayed its Android encryption plans because they're crippling people's phones

Google has delayed its Android encryption plans because they're crippling people's phones | IT Support and Hardware for Clinics | Scoop.it

Google is delaying plans to encrypt all new Android phones by default, Ars Technica reports, because the technical demands of encryption are crippling people's devices.

Encryption slowed down some phones by 50% or more, speed tests show. 

In September 2014, Google — along with Apple — said that it planned to encrypt all new devices sold with its mobile OS by default. This means that unless a customer opted out, it would be impossible for anyone to gain access to their device without the passcode, including law enforcement (or Google itself).

This hardened stance on encryption from tech companies came after repeated revelations about the NSA, GCHQ and other government spy agencies snooping on ordinary citizens' data.

Default encryption has infuriated authorities. One US cop said that the iPhone would become "the phone of choice for the paedophile" because law enforcement wouldn't be able to access its contents. UK Prime Minister David Cameron has floated the idea of banning strong encryption altogether — though the proposal has been slammed by critics as technically unworkable.

Apple rolled out default-on encryption in iOS 8 back in September. Google's Android Lollipop system was first released in November — but because the phone manufacturers, rather than Google itself, are responsible for pushing out the update, it can take months for a new version of the OS to reach the majority of consumers.

But as Ars Technica reports, Lollipop smartphones are now finally coming to the market, and many do not have default-on encryption. So what's the reason? The devices couldn't actually handle it.

Speed tests show that even Google's flagship phone, the Google Nexus 6, suffers serious slowdown when encryption is turned on. A "random write" test measuring writing data to memory showed that the Nexus 6 performed more than twice as fast with encryption switched off — 2.85MB per second as compared with 1.41 per second with it on. The difference was even more striking in a "sequential read" test to measure memory reading speeds. An unecrypted device achieved 131.65MB/s; the encrypted version managed just 25.36MB/s. That's a third of even the Nexus 5, the previous model, which came in at 76.29MB/s.

As such, Google is now rowing back on its encryption stance. Its guidelines now say that full-disk encryption is "very strongly recommended" on devices, rather than the necessary requirement promised. Users can still encrypt their devices (even if it slows them down), but it won't happen by default.

Google says it still intends to force it in "future versions of Android".


more...
No comment yet.
Scoop.it!

Cybercrime Affects More Than 431 Million Adult Victims Globally

Cybercrime Affects More Than 431 Million Adult Victims Globally | IT Support and Hardware for Clinics | Scoop.it

Cybercrime affects more than 431 million adult victims around the world. Since the internet has become such an integral part of governments, businesses, and the lives of millions of people, cyberspace has become an ideal place, allowing criminals to remain anonymous while they prey on victims.

The most common forms of cybercrime are offences related to identity, such as malware, hacking, and phishing. Criminals use these methods of cybercrime to steal money and credit card information. Additionally, cybercriminals use the internet for crimes related to child pornography, abuse material, and intellectual and copyright property.

As technology advances, criminals are finding it much easier to perform a cybercrime; advanced techniques and skills to perpetrate threats are no longer required. For instance, software that allows criminals to override passwords and locate access points of computers are easily purchased online. Unfortunately, the ability to find cyber criminals is becoming more difficult.


Cybercrime is a rapidly growing business, exceeding $3 trillion a year. Victims and perpetrators are located anywhere in the world. The effects of cybercrime are seen across societies, stressing the need for a pressing and strong international response.

However, many countries do not have the capacity or regulations to combat cybercrime. A global effort is required to make available firmer regulations and improved protection because cyber criminals hide within legal loopholes in countries with less stringent regulation.

Criminals perpetrate a cybercrime by taking advantage of a country’s weak security measures. Additionally, the lack of cooperation between developing and developed countries can also result in safe havens for individuals and groups who carry out a cybercrime.

The United Nations is actively involved in fighting cybercrime. The organization set up the United Nations Office on Drugs and Crime (UNODC) following the 12th Crime Congress to study cybercrime. The UNODC is a global leader in the fight against illicit drugs and international crime.

Cybercrime affects one million victims every single day. More than 431 million people are affected by cybercrime, that’s 14 adult victims every second.

In addition, there are up to 80 million automated hacking attacks every day. The most common and fastest growing forms of consumer fraud on the Internet are identity-related offences, especially through the misuse of credit card information.

Learning online protection methods is one of the simplest means of defense from becoming victim to a cybercrime. When purchasing products online, always be aware of the trustworthiness of the websites.

Avoid using public computers for anything that requires a credit card payment. By all means, be sure online purchases and banking are facilitated with a fully legitimate and safe business.

Computers should have up-to-date security software; choose strong passwords, and do not open suspicious emails or special offers that ask for personal information, which are often in the form of sales, contests, or fake banks.

Internet-related crime, like any other crime, should be reported to appropriate law enforcement investigative authorities at the local, state, federal, or international levels, depending on the scope of the crime.


Via Paulo Félix
more...
purushothamwebsoftex's curator insight, February 24, 2015 3:05 AM

Websoftex Software extending its services in Website Designing, Web Development, MLM Software,HR Payroll Software, TDS Software, Micro Finance Software, RD FD Software, ERP Software, Chit Fund Software. With the help of our experienced software team and insights of clients MLM Software is continuously updated to latest technologies and demands. Websoftex pays special attention to its Research & Development.

Scoop.it!

Visual hacking exposed

Visual hacking exposed | IT Support and Hardware for Clinics | Scoop.it

While most security professionals focus on thwarting data breaches from cyber attacks, a new study exposes visual hacking, a low-tech method used to capture sensitive, confidential and private information for unauthorized use, as an under-addressed corporate risk.


A visual hacking experiment conducted by the Ponemon Institute on behalf of the Visual Privacy Advisory Council and 3M Company, found that in nearly nine out of ten attempts (88 percent), a white hat hacker was able to visually hack sensitive company information, such as employee access and login credentials, that could potentially put a company at risk for a much larger data breach.

During the study, a computer security expert specializing in penetration testing, entered the offices of eight U.S.-based companies under the guise of a temporary or part-time worker. He attempted to visually retrieve sensitive or confidential information using three methods: walking through the office scouting for information in full-view on desks, screens and other indiscrete locations, taking a stack of business documents labeled as confidential and finally, using his smartphone to take a picture of confidential information displayed on a computer screen. All three of these tasks were completed in full-view of other office workers.

The study revealed the following:

Visual hacking happens quickly: Companies can be visually hacked in a matter of minutes, with 45 percent occurring in less than 15 minutes and 63 percent of visual hacks occurring in less than a half hour.

Visual hacking generally goes unnoticed: In 70 percent of incidences, a visual hacker was not stopped by employees – even when using a cell phone to take a picture of data displayed on a screen. In situations when a visual hacker was stopped by an employee, the hacker was still able to obtain an average of 2.8 pieces of company information (compared to 4.3 when not stopped).

Multiple pieces of sensitive information were able to be visually hacked. During the study, an average of five pieces of information were visually hacked per trial, including employee contact lists (63 percent), customer information (42 percent) and corporate financials (37 percent), employee access & login information/credentials (37 percent) and information about employees (37 percent) during any given hack.

Unprotected devices pose the greatest opportunity for sensitive information to be visually hacked. 53 percent of information deemed sensitive (access or login credentials, confidential or classified documents, financial, accounting or budget information or attorney-client privileged documents) was gleaned by the visual hacker from the computer screen, greater than vacant desks (29 percent), printer bins (9 percent), copiers (6 percent) and fax machines (3 percent) combined.

Open floor plans pose a greater threat to visual privacy. In experimental trials completed in companies with an open-office layout, an average of 4.4 information types were visually hacked, while those conducted in a traditional office layout saw 3.0 information types visually hacked.

Unregulated functional areas were the most likely to experience a visual hack. On average, customer service roles consistently saw the highest number of visual hacks at 6.0, with communications at 5.6 and sales force management 5.2. Regulated functional areas like accounting & finance saw lower averages at 1.9, and legal at 1.0 experienced the least.

Visual hacking controls work. Companies that had relatively low visual hacking rates had more controls in place, such as mandatory training and awareness, clean desk policies document shredding process, suspicious reporting process, and employed the use of privacy filters, to protect against the threat than those without. For instance, in those companies that employed the use of privacy filters, 50 percent of trials saw three or less information types visually hacked while 43 percent of companies that did not use privacy filters saw four or more information types visually hacked.

“Visual privacy is a security issue that is often invisible to senior management, which is why it often goes unaddressed,” says Mari Frank, attorney/mediator and privacy consultant/expert at Mari J. Frank, Esq. and Associates and member of the Visual Privacy Advisory Council. “This study helps to emphasize the importance of implementing a visual privacy policy, educating employees and contractors about how to be responsible with sensitive data they are handling, as well as equipping high-risk employees with the proper tools, such as privacy filters, to protect information as it is displayed.”


Via Paulo Félix
more...
No comment yet.
Scoop.it!

FBI Alert: $18 Million in Ransomware Losses

FBI Alert: $18 Million in Ransomware Losses | IT Support and Hardware for Clinics | Scoop.it

In the past year, U.S. businesses and consumers have experienced more than $18 million in losses stemming from a single strain of ransomware called CryptoWall, according to the Internet Crime Complaint Center.


In total, IC3 - a collaboration between the FBI and the National White Collar Crime Center - says it received 992 CryptoWall-related complaints from April 2014 to June 2015. And it says the reported losses relate not just to ransom payments potentially made by victims, but additional costs that can include "network mitigation, network countermeasures, loss of productivity, legal fees, IT services and/or the purchase of credit monitoring services for employees or customers."

The quantity of ransomware attacks continues to escalate, security experts say, because it offers criminals the potential for high rewards with little risk (see Crime: Why So Much Is Cyber-Enabled). Indeed, ransomware attacks can be launched en masse by remote attackers and are relatively cheap and easy to perpetrate. Even the process of collecting payments from victims - often payable in bitcoins - and providing decryption keys can be automated.

"In most cases, once the victim pays a ransom fee, he or she regains access to the files that were encrypted," IC3 reports. "Most criminals involved in ransomware schemes demand payment in Bitcoin. Criminals prefer Bitcoin because it's easy to use, fast, publicly available, decentralized and provides a sense of heightened security/anonymity."

Because ransomware can rely so heavily on social engineering - tricking - victims into executing related malware or falling for ransom scams, many security experts have urged businesses to continually educate their employees and customers about ways to spot such attacks and defend themselves.

Click-Fraud Attack Spike


Earlier this month, security firm Symantec warned that it had seen a spike in attacks that began with the year-old Poweliks Trojan, which was designed to perpetrate click fraud, and which also downloaded CryptoWall onto an infected system. Click fraud refers to infecting systems with malware that is used to make "bogus requests" for online advertising, without the malware revealing its presence to the user of the infected system.

Using a single piece of malware - or "dropper" - to infect a system and then download and install many other types of malware onto the same system is not a new attack technique.

For example, authorities have accused the gang behind Gameover Zeus of first using that Trojan to harvest bank credentials, and then infecting systems with Cryptolocker ransomware. The U.S. Department of Justice believes that the Gameover Zeus gang is responsible for more than $100 million in losses via the banking Trojan, and netted $27 million in ransom payments in just the first two months they began using Cryptolocker.

Attacks Get Modular


But attackers have been retooling their malware to make it easier to rapidly infect PCs with multiple types of malware. Security firm Trend Micro warned in 2013 that the aging Asprox botnet, which was first discovered in 2007, had re-emerged "with a new and improved modular framework," and been rebranded as Kuluoz malware, which was a dropper designed to download additional malware onto infected PCs.

By December 2014, the Level 42 threat-intelligence research group at security vendor Palo Alto Networks reported seeing a spike in Asprox-related attack activity. "This malware sends copies of itself over email quickly and to users all around the world and then attempts to download additional malware," it said. The researchers noted that of the 4,000 organizations that it was monitoring, the malware had been tied to "approximately 80 percent of all attack sessions" seen in October and had attempted to infect nearly half of all those organizations.

Also in December, the Association of National Advertisers warned that U.S. businesses were losing about $6.3 billion annually to click fraud. The same month, a study conducted for the ANA by the security firm White Ops found that botnets were responsible for "viewing" 11 percent of all online advertisement, and 23 percent of all online video advertisements.

Asprox Botnet Serves CryptoWall


But click-fraud malware attacks are increasingly blended with other types of malware as attackers attempt to monetize infected PCs as much - and as rapidly - as possible.

In a recent series of attacks, Asprox malware - now typically distributed via phishing attacks - "phoned home" to the Asprox command-and-control server after it infected a PC, and received back the Zemot dropper malware, according to a new report released by the security firm Damballa. The dropper then downloaded the Rovnix rootkit, as well as Rerdom, which is a click-fraud installer.

Damballa says that it has also seen Zemot get installed via crimeware toolkit exploits, which can exploit systems using known vulnerabilities, for example if attackers compromise otherwise legitimate websites and use them to launch drive-by attacks.

Inside enterprises, "click fraud is generally viewed as a low-priority risk," Damballa says. "In reality, click fraud is often a precursor to something more sinister. A device infected with click-fraud [malware] may leave the enterprise susceptible to dangerous downstream infections."

Indeed, Damballa reports that tests of Asprox-infected machines found that over the course of two hours, a single PC was infected with three different types of click-fraud malware, as well as the CryptoWall ransomware. Even after CryptoWall encrypted much of the infected PC's hard drive, furthermore, the click-fraud malware continued to operate, so long as the machine remained Internet-connected.

more...
No comment yet.
Scoop.it!

Microsoft just made a huge privacy move to make Bing more competitive with Google and Yahoo

Microsoft just made a huge privacy move to make Bing more competitive with Google and Yahoo | IT Support and Hardware for Clinics | Scoop.it

Microsoft’s search engine Bing has announced that it will encrypt all of its search traffic by default this summer. Bing had already offered optional encryption, but soon it will be a default for everyone.

This levels up Bing to match the security standards of the other big search giants like Google and Yahoo, and the added encryption also makes Bing a worthy search engine competitor. Google first made all search encrypted by default in 2013. Yahoo did so in 2014. 


Like Google, however, Bing will still report referrer data to marketers, although Bing will not let the marketers know what the search term was. This means that if a Bing user clicks on an ad after searching for something, the advertiser will know that Bing is what brought that customer to the website but they will not know what the precise term was that was typed into the search bar. 


While this encryption move may seem like a tiny piece of news, it indicates a new shift toward better privacy standards. With Microsoft joining the ranks of Google and Yahoo in terms of security standards, this marks the first time the top three search engines provide privacy by default, making it much more difficult for external snoopers to know what people are searching for.


It also makes it possible for Bing to further gain a search engine edge. Though Google still is king, Microsoft has been working to give itself an edge on mobile — Siri uses Bing search by default, for example.

But the main question for Microsoft is still whether its move towards an encrypted Bing search engine will be noticed by the average user, and whether it will convince any Google or Yahoo fans to make the switch.

more...
No comment yet.
Scoop.it!

Over 4 billion people still have no Internet connection

Over 4 billion people still have no Internet connection | IT Support and Hardware for Clinics | Scoop.it

The number of people using the Internet is growing at a steady rate, but 4.2 billion out of 7.4 billion will still be offline by the end of the year.

Overall, 35.3 percent of people in developing countries will use the Internet, compared to 82.2 percent in developed countries, according to data from the ITU (International Telecommunication Union). People who live in the so-called least developed countries will the worst off by far: In those nations only 9.5 percent will be connected by the end of December.


This digital divide has resulted in projects such as the Facebook-led Internet.org. Earlier this month, Facebook sought to address some of the criticism directed at the project, including charges that it is a so-called walled garden, putting a limit on the types of services that are available.


Mobile broadband is seen as the way to get a larger part of the world’s population connected. There are several reasons for this. It’s much easier to cover rural areas with mobile networks than it is with fixed broadband. Smartphones are also becoming more affordable.

But there are still barriers for getting more people online, especially in rural areas in poor countries.


The cost of maintaining and powering cell towers in remote, off-grid locations, combined with lower revenue expected from thinly spread, low income populations, are key hurdles, according to the GSM Association. Other barriers include taxes, illiteracy and a lack of content in local languages, according to the organization.


At the end of 2015, 29 percent of people living in rural areas around the world will be covered by 3G. Sixty-nine percent of the global population will be covered by a 3G network. That’s up from 45 percent four years ago.


The three countries with the fastest broadband speeds in the world are South Korea, France and Ireland, and at the bottom of the list are Senegal, Pakistan and Zambia, according to the ITU.

more...
No comment yet.
Scoop.it!

How to avoid getting hacked due to vulnerable WordPress plugins

How to avoid getting hacked due to vulnerable WordPress plugins | IT Support and Hardware for Clinics | Scoop.it

I’m a huge WordPress fan because it’s a very powerful, effective, and amazingly extensible platform which is why it’s used by 60.4% of [websites with identifiable content management systems which amounts to] 23.7% of all websites. But there’s a risk with any platform that’s extensible trough the use of third party software (called “plugins” in WordPress): That risk is from software vulnerabilities.


Part of the reason for these vulnerabilities is that WordPress is fairly complex so interactions with plugins can produce unwanted and occasionally dangerous security issues. The other major reason is that the coding practices of third parties can be inadequate so dumb vulnerabilities such as buffer overflows and SQL injections can be part and parcel of some “must have” feature added by a plugin. For a summary of current Wordpress vulnerabilities check out the WPScan Vulnerability Database, a “black box WordPress vulnerability scanner.”

If you’re running a WordPress site and given the number of potentially show-stopping problems that exist, get fixed, and are replaced with new problems that are just as bad then you need to be on top of what plugins you’re using and what problems they might have. Rather than scanning through loads of vulnerability notices and checking each plugin’s Web site for news there’s not only WPScan, there’s also a free plugin that check the plugins you use for known issues. It’s called Plugin Vulnerabilities and published by WhiteFirDesign.


The publishers also offer another free plugin, Automatic Plugin Updates that, as its name implies, will update your plugins automatically as new versions become available (you can also set up an “ignore” list to exclude specific plugins from automatic updates).

When you activate Plugin Vulnerabilities, all of your other plugins are examined and checked against WhiteFirDesign’s database of vulnerabilities. They’re also rechecked whenever a plugin in manually updated or an update executed by the Automatic Plugin Updates or by any other method.


WhiteFirDesign’s vulnerability stats were, as of April 6:

  • 257 vulnerabilities included
  • 61 included vulnerabilities are in the most recent version of plugins (57 of these plugins have been removed from the Plugin Directory)
  • 24 vulnerabilities have been fixed in part due to our work on this plugin
  • 5 included vulnerabilities in security plugins
  • Top vulnerability types:
    • cross-site request forgery (CSRF)/cross-site scripting (XSS): 52 vulnerabilities
    • reflected cross-site scripting (XSS): 45 vulnerabilities
    • arbitrary file upload: 45 vulnerabilities
    • arbitrary file viewing: 23 vulnerabilities
    • SQL injection: 16 vulnerabilities



This plugin is, in short, something you shouldn’t do without if you’re running WordPress. It could make the difference between smooth, uninterrupted operations and spending lots of time rebuilding your WordPress site after being hacked.

The Plugin Vulnerabilities and Automatic Plugin Updates plugins both get a Gearhead rating of 5 out of 5.


more...
No comment yet.
Scoop.it!

Ransomware: The Right Response

Ransomware: The Right Response | IT Support and Hardware for Clinics | Scoop.it

So-called ransomware attacks are on the rise, namely because targeted businesses are increasingly willing to negotiate with - and even pay - their extortionists.


Ransomware has been getting a lot of media attention of late. On April 1, security firm Trend Micro reported that since the beginning of the year, numerous variants of crypto-ransomware have been discovered in the wild, striking consumers and businesses throughout the world.

 Criminals rarely hold up their end of the bargain, so negotiating with anyone who is demanding a ransom is just a bad idea. 


Just weeks earlier, security firms FireEye and Bitdefender issued warnings about new ransomware trends that were making these attacks more difficult to thwart and detect.


Now experts are calling attention to one of the reasons why ransomware attacks are becoming more common - because organizations say they'd rather not deal with the fallout that trails a breach or cyber-attack that goes public. Instead of getting law enforcement involved, they'd rather try their hands at making deals with their attackers first.


But paying ransom is short-sighted and is never a good idea. Why? Because cybercriminals rarely keep their end of the bargain. Organizations that negotiate with hackers often end up with lost data after paying a hefty ransom.


Lance James, who heads up cyber-intelligence at consultancy Deloitte & Touche, says most businesses that pay ransoms never have their data restored or their encrypted files decrypted.


During his presentation at Information Security Media Group's Fraud Summit in Atlanta, James discussed ransomware cases he has investigated. He noted that in most of those cases, businesses paid the ransom and then the attackers disappeared, never fulfilling their end of the negotiating bargain.


Of course, organizations should prepare for these types of attacks by taking steps now to ensure they have data and drive backups, and that they have strong multifactor authentication requirements for access to servers, in the event an employee's credentials are hijacked during one of these attacks.


But businesses also need to spend more time educating their staff about how ransomware attacks work, why these attacks are waged, and why reporting these attacks to law enforcement, rather than trying to handle them internally, is so critical.

The Attack Strategy

Ransomware attacks are waged in two parts. First, a PC or mobile device is infected with malware that locks the corporate user out or encrypts files so that the user can longer access them. Then a ransom is demanded through an automated message that appears on the device's screen. The user is told he or she has a limited amount of time to pay the ransom before the device will be wiped clean or the files will be erased.


The tools for these attacks are easy to buy and technical support for waging the attacks is inexpensive.


Law enforcement agencies, such as the Federal Bureau of Investigation, have advised consumers and businesses to immediately report ransomware schemes when they occur.


But security researchers say that, despite of those warnings, many businesses are opting to either pay the ransom or are engaging in direct negotiations with their attackers instead of getting the authorities involved.

Willingness to Negotiate

A new study from cyber-intelligence firm ThreatTrack Security finds that 40 percent of security professionals believe their organizations have been targeted by a ransomware attack. Of those that believe they've been targeted, 55 percent say that when under attack, they are willing to negotiate a ransom in exchange for the release of corporate data or files.


ThreatTrack's research also finds that one in three security pros would recommend to upper management that their companies negotiate a ransom to see if they could avoid public disclosure of a breach involving stolen data or files that have been encrypted as part of the attack.


In fact, 66 percent of those surveyed by ThreatTrack say they fear negative reactions from customers and/or employees whose data was compromised in a breach if those customers or employees were to learn that their organizations chose not to negotiate with cybercriminals for the return of data.


ThreatTrack's survey includes responses from 250 U.S. security professionals at companies with 500 to 2,500 employees.

Beware of a Quick Fix

When it comes to ransomware attacks waged against corporations, many victimized organizations see paying the criminals what they want as the easiest way to make the problem go away.


But criminals rarely hold up their end of the bargain, so negotiating with anyone who is demanding a ransom is just a bad idea.

Obviously, more education, from the CEO down to the employee, is needed. But we also need a shift in the corporate culture, with an emphasis on looking beyond a "quick fix" for avoiding breach publicity.

Information sharing with peers can play a critical role as well. The more we talk about these attacks and share the techniques used, the more we can learn about how to defend our networks and shield our employees from falling victim to the phishing schemes that are often used to infect systems in the first place.


Security vendors need to step up their efforts here, too. Rather than just supplying intrusion detection, they also need to provide some good-old-fashioned education.

more...
Ivan Garcia-Hidalgo's curator insight, April 8, 2015 1:33 PM

Ransomware: The Right Response #InfoSec #cybersecurity

Scoop.it!

Hackers have found a way to get into nearly every computer

Hackers have found a way to get into nearly every computer | IT Support and Hardware for Clinics | Scoop.it

Hacking even the most secure data is easier than previously thought. This was evidenced by two researchers at the CanSecWest security conference in Vancouver last week.

The two computer security experts, Xeno Kovah and Corey Kallenberg, exhibited a proof-of-concept, showing how to hack into BIOS chips, which are microchips containing the firmware of a computer’s motherboard.

"The BIOS boots a computer and helps load the operating system," Wired explained. "By infecting this core software, which operates below antivirus and other security products and therefore is not usually scanned by them, spies can plant malware that remains live and undetected even if the computer’s operating system were wiped and re-installed. "

The attacks can be levied either through remote exploitation — such as phishing emails — or through “physical interdiction of a system,” Wired reports. The researchers discovered what they called "incursion vulnerabilities," giving them access to the BIOS. Once the BIOS is compromised, they can grant themselves the highest of system privileges. Then, they are able to gain all sorts of control over the system. This includes the ability to steal passwords as well as surveil other data. 

Kovah told Business Insider that of the 10,000 enterprise-grade machines they analyzed, 80% of them had at least one BIOS vulnerability.

Most alarming is that any and all data is up for grabs once the BIOS is compromised. This means encrypted data is accessible — even if the computer user is using privacy-oriented security software.

For example, the researchers said that the Tails system — a widely used OS known for its immense security — could be hijacked. Edward Snowden and Glenn Greenwald use Tails to share data. Kovah and Kallenberg say that their malware could subvert Tails making it possible to gain access to any of its data. 

The ramifications for computer security are huge. For one, it was previous thought that only the most well-equipped hacking guns, like deep-pocketed governments, were able to compromise BIOS chips. This was most recently evidenced by findings from the Kaspersky Lab, which discovered a series of attacks targeting computers' firmware from what appears to be the NSA.

Now, given that Kovah and Kallenberg were able to hack these chips without a billion dollar government budget, things have changed. Already vendors are working on patches to deal with the vulnerability, but there's no way to know what sort of damage has already been done.

While the vectors for attack are numerous, Kovah and Kallenberg hope their findings bring awareness to how critical firmware security truly is. At the very least, they hope this forces companies to patch their systems. As Kovah explained, even when new patches are issued, "we keep finding new vulnerabilities."


more...
No comment yet.
Scoop.it!

Why Cyber Security Is All About The Right Hires

Why Cyber Security Is All About The Right Hires | IT Support and Hardware for Clinics | Scoop.it

The United Kingdom has estimated the global cyber security industry to be worth around US$200 billion per annum, and has created a strategy to place UK industry at the forefront of the global cyber security supply base, helping countries to combat cybercrime, cyber terrorism and state-sponsored espionage.

Likewise, the United States government is facilitating trade missions to emerging markets for companies that provide cyber security, critical infrastructure protection, and emergency management technology equipment and services with the goal of increasing US exports of these products and services.

Meanwhile, Australia is going through yet another iteration of a domestic cyber security review. Australia can’t afford to wait any longer to both enhance domestic capability and grasp international leadership.

The recent Australian debate about the government’s proposed data retention scheme has seen heavy focus on the security aspects of collecting, retaining and where authorised, distributing such data.

But much of this debate masks the broader issue facing the information security industry.

Failing to keep up

The constant evolution of the online environment presents cyber threats which are constantly evolving with increasing volume, intensity and complexity.

While organisations of all shapes and sizes are considering spending more money on cyber security, the supply side of information security professionals is not keeping up with the current, let alone future demand. High schools are not encouraging enough students (particularly girls) to get interested in the traditional STEM (science, technology, engineering and maths) subjects. The higher education and vocational sectors are likewise not creating enough coursework and research options to appeal to aspiring students who are faced with evermore study options.

One example of the types of programs needed to address the shortage is the Australian Government’s annual Cyber Security Challenge which is designed to attract talented people to become the next generation of information security professionals. The 2014 Challenge saw 55 teams from 22 Australian higher education institutions take part. At 200 students, this is but a drop in the ocean given what is required.

Even for those who graduate in this field, there is a lack of formal mentoring programs (again particularly for girls), and those which are available are often fragmented and insufficiently resourced. The information security industry is wide and varied, catering for all interests and many skill sets. It is not just for technical experts but also for professionals from other disciplines such as management, accounting, legal, etc, who could make mid-career moves adding to the diversity of thinking within the industry.

More and more organisations are adopting technology to create productivity gains, improve service delivery and drive untapped market opportunities. Their success, or otherwise, will hinge on a large pool of talented information security professionals.

We need to attract more people into cyber security roles. Universities need to produce graduates who understand the relationship between the organisation they work for, its people, its IT assets and the kinds of adversaries and threats they are facing. The vocational education sector needs to train technically adept people in real-world situations where a hands-on approach will enable them to better combat cyber attacks in their future employment roles.

Industry associations should focus on their sector — analysing the emerging information security trends and issues, and the governance surrounding information security strategy — to determine their own unique skills gap.

The government should develop a code of best practice for women in information security in collaboration with industry leaders, promoting internal and external mentoring services.


Via Paulo Félix
more...
No comment yet.
Scoop.it!

This USB Drive Can Nuke A Computer

This USB Drive Can Nuke A Computer | IT Support and Hardware for Clinics | Scoop.it

Do not ever use a random USB flash drive. There are plenty of software exploits that can ruin your computer or life. And with this flash drive, it can physically destroy your computer by blasting a load of voltage to the USB controller with negative voltage. Think Wile E. Coyote and an ACME Human Cannon. BOOM!


The basic idea of the USB drive is quite simple. When we connect it up to the USB port, an inverting DC/DC converter runs and charges capacitors to -110V. When the voltage is reached, the DC/DC is switched off. At the same time, the filed transistor opens. It is used to apply the -110V to signal lines of the USB interface. When the voltage on capacitors increases to -7V, the transistor closes and the DC/DC starts. The loop runs till everything possible is broken down. Those familiar with the electronics have already guessed why we use negative voltage here. I‘ll explain to others that negative voltage is easier to commutate, as we need the N-channel field resistor, which, unlike the P-channel one, can have larger current for the same dimensions.

Put simply, the bits inside the USB drive draws and stores a ton of power. When a certain level is hit, it returns the power to the source, which is either a dedicated USB controller or the CPU itself. This is bad news bears. The amount of power returned overloads the circuits, rendering it useless. Since a lot of USB controllers are built directly into the main processor… bye bye computer.

Scary. Thankfully the creator hasn’t released the schematic for the drive.

There are enough USB exploits floating around to warrant caution. Some will unknowingly install malware or backdoor software, and now, there is at least one, that will actually destroy your computer. It’s straight out of Colin Farrell spy movie and a fantastic argument for Apple’s vision of the future.


Via Paulo Félix
more...
No comment yet.
Scoop.it!

'Freak' Flaw Also Affects Windows

'Freak' Flaw Also Affects Windows | IT Support and Hardware for Clinics | Scoop.it

Microsoft is warning that all Windows operating systems are at risk from the vulnerability known as Freak, for "Factoring RSA-EXPORT Keys." The flaw exists in SSL, which is used to secure online communications, and could be abused by an attacker to force crypto suites to downgrade from using a "strong" RSA cipher to a weaker, "export-grade" RSA cipher.

A new Microsoft security advisory (KB3046015) warns that Secure Channel, or Schannel, which encrypts traffic and transactions on most Windows platforms, is at risk from the Freak flaw.


"Microsoft is aware of a security feature bypass vulnerability in Secure Channel that affects all supported releases of Microsoft Windows," the alert says. "Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system."

As yet, there's no patch available for vulnerable Windows systems, although information security experts say they expect Microsoft to release related fixes quickly. In the interim, Microsoft has detailed a temporary workaround that can be used for most Windows systems. "You can disable the RSA key exchange ciphers in Windows Vista and later systems by modifying the SSL Cipher Suite order in the Group Policy Object Editor," it says. But it warns: "Windows will fail to connect to systems that do not support any of the ciphers listed in the workaround."

To date, however, there's no fix or workaround available for Windows Server 2003. "The cipher management architecture on Windows Server 2003 does not allow for the enabling or disabling of individual ciphers," Microsoft says.

Risks to Apple, Android, Cloud

After quietly warning security vendors, government agencies and other organizations in recent weeks, security researchers first sounded a public alert about the Freak vulnerability on March 3. They've warned that the vulnerability exists in versions of OpenSSL prior to 1.0.1k, all Android devices that ship with the standard browser, as well as in Apple SSL/TLS clients, which are used by both Mac OS X clients and iOS mobile devices, among other operating systems. The vulnerability has been designated as CVE-2015-0204.

The Freak flaw could be exploited to downgrade a browser or other client's Internet connection from a relatively secure cipher, to an outdated - and weak - "export cipher," which attackers could then crack, allowing them to intercept communications or inject attack code into browsers. "What Freak allows you to do is, if you can break the RSA export-strength key, then you can provide a 'valid' certificate for a man-in-the-middle attack," says Gavin Millard, technical director for Europe, the Middle East, and Africa at Tenable Network Security. Tenable, which sells the widely used Nessus vulnerability scanner, has released a Nessus plug-in that will scan for Windows clients and servers that are vulnerable to Freak.

No Attacks Seen

But to date, there have been no signs that the Freak flaw has ever been exploited in the wild - against Windows servers and systems, or any other device. "The reality is, it's still really difficult to do - to break a key, it would still take a few hours or $100 of Amazon EC2 time," Millard says, referring to Amazon's Elastic Compute Cloud, which offers on-demand processing power. "There are so many other ways to break into a site. Hackers are smart; they don't use a sledgehammer to crack a walnut."

Still, related vulnerabilities remain widespread. The Freak Attack website, which is run by researchers at the University of Michigan, has been tracking the extent of the Freak vulnerability. The site reports that as of March 6, 9.5 percent of the websites on the Alexa index of the 1 million most popular top-level domains remained vulnerable to Freak, although that was a decrease from 12.2 percent of all such sites when the Freak vulnerability was first publicized on March 3. But 37 percent of all HTTPS servers with browser-trusted certificates remained vulnerable to Freak, as did 26 percent of all HTTPS servers, and neither of those statistics had declined since Freak was first publicized, the researchers say.

As of March 6, the Freak Attack website reported that the following client software remained vulnerable to the Freak flaw:

  • Internet Explorer
  • Chrome on Mac OS (patch available now)
  • Chrome on Android
  • Safari on Mac OS (patch due week of March 9)
  • Safari on iOS (patch due week of March 9)
  • Stock Android Browser
  • BlackBerry Browser
  • Opera on Mac OS
  • Opera on Linux

Cloud security firm Skyhigh Networks reported that as of March 4, 766 cloud providers also remained unpatched against the vulnerability, thus leaving their users at risk. "These services include some of the leading backup, HR, security, collaboration, CRM, ERP, cloud storage, and backup services," Sekhar Sarukkai, vice president of engineering at Skyhigh, says in a March 5 blog post. Across the company's 350 customers, meanwhile, he reports that 99 percent use at least one cloud provider that's vulnerable to the Freak flaw, while the average company uses 122 vulnerable services.

Don't Freak: How to Mitigate

The Freak Attack site says that to mitigate the vulnerability, anyone running a server "should immediately disable support for TLS export cipher suites," and that anyone who uses a browser should ensure that they have the latest version installed, and keep checking for new upgrades, since all major browsers should soon see a fix.

Finally, Freak Attack recommends that all systems administrators and developers ensure that their TLS libraries are fully updated. "Both OpenSSL and Microsoft Schannel are known to be vulnerable," it says. "Note that these libraries are used internally by many other programs." The site offers a number of tools that can be used to test for related flaws.

This is not the first time that the Microsoft Schannel has been at risk from a newly discovered vulnerability. In particular, a zero-day vulnerability in Schannel was discovered in November 2014. Before that, Schannel was at risk from the so-called POODLE flaw - first publicly revealed Oct. 14 - in SSL, and which was later found in TLS. The flaw could be exploited to intercept and read encrypted Internet communications, steal session cookies and impersonate users.


more...
No comment yet.
Scoop.it!

OpenDNS trials system that quickly detects computer crime

OpenDNS trials system that quickly detects computer crime | IT Support and Hardware for Clinics | Scoop.it

A security system undergoing testing by a San-Francisco-based company aims to speed up the detection of websites and domains used for cybercrime.

The technology is being developed by OpenDNS, which specializes in performing DNS (Domain Name System) lookups. The DNS translates domain names such as idg.com into an IP address that can be called into a browser

OpenDNS offers a secure DNS service for ISPs and organizations that blocks requests from Web browsers to sites that may be associated with cybercrime or spoof a company such as PayPal.

The company, which was founded in 2005, has grown so much that its systems respond to some 71 billion DNS requests per day. That’s just 2 percent of global DNS traffic but is enough of a sample to pick up on many cybercrime campaigns.

The new system, called Natural Language Processing rank (NLPRank) looks at a range of metrics around a particular domain name or website to figure out if it’s suspicious.

It scores a domain name to figure out if it’s likely fraudulent by comparing it to a corpus of suspicious names or phrases. For example, g00gle.com—with zeros substituting for the letter “o”—would raise a red flag.

Many cybercriminal groups have surprisingly predictable patterns when registering domains names for their campaigns, a type of malicious vernacular that OpenDNS is indexing. Bogus domain names use company names, or phrases like “Java update,” “billinginfo” or “security-info” to try to appear legitimate.

But there’s a chance that NLPRank could trigger a false positive, flagging a variation of a domain that is legitimate, said Andrew Hay, director of security research at OpenDNS.

To prevent false positives, the system also checks to see if a particular domain is running on the same network, known as its ASN (autonomous system number), that the company or organization usually uses. NLPRank also looks at the HTML composition of a new domain. If it differs from that of the real organization, it can be a sign of fraud.

NLPRank is still being refined to make sure the false positive rate is as low as possible. But there have been encouraging signs that the system has already spotted malware campaigns seen by other security companies, Hay said.

Earlier this month, Kaspersky Lab released a report on a gang that stole upwards of US$1 billion from banks in 25 countries. The group infiltrated banks by gaining the login credentials to key systems through emails containing malicious code, which were opened by employees.

Hay said Kaspersky approached OpenDNS before the report was published to see if it had information on domains associated with the attacks. NLPRank was already blocking some of the suspicious domains, even though OpenDNS didn’t know more details about the attacks.

“We caught these things well back,” Hay said.

In some cases, NLPRank could allow a domain to be blocked even before one is actively used. After cybercriminals register a domain, they’ll often visit it once to make sure it’s accessible. It may then go dormant for a few days before it is incorporated in a campaign, Hay said.

If a fraudster is connected to an ISP that uses OpenDNS’s service, just a single DNS query for that new domain would allow OpenDNS to analyze and potentially block it before it is used for crime.

“As soon as we see that little bump on the wire, we can block it and monitor to see what’s going on,” Hay said. “It’s almost an early warning system for fraudulent activity.”



more...
No comment yet.
Scoop.it!

Lenovo Website Hijacked

Lenovo Website Hijacked | IT Support and Hardware for Clinics | Scoop.it

The website of Lenovo.com, the world's largest PC manufacturer, was hacked on Feb. 25 and visitors directed to an attacker-controlled page. The hacking group Lizard Squad, which has claimed credit for the attack via Twitter, also appears to have intercepted some Lenovo e-mails.

"Lenovo has been the victim of a cyber-attack," spokeswoman Wendy Fung told Information Security Media Group on Feb. 26. "One effect of this attack was to redirect traffic from the Lenovo website. We are also actively investigating other aspects. We are responding and have already restored certain functionality to our public-facing website.


"We regret any inconvenience that our users may have if they are not able to access parts of our site at this time," Fung added. "We are actively reviewing our network security and will take appropriate steps to bolster our site and to protect the integrity of our users' information and experience. We are also working proactively with third parties to address this attack and we will provide additional information as it becomes available."

Lenovo appeared to have restored complete access to its public website by the evening of Feb. 25.

The attack follows revelations that Lenovo, in recent months, had been preinstalling Superfish, which is adware that information security experts warn could be abused by attackers to intercept consumers' communications on many of its consumer devices.

In response to those reports, Lenovo has apologized and released utilities consumers can use to expunge Superfish from their systems. Working with McAfee, Microsoft and Trend Micro, the Superfish software has also been classified as malware and targeted for removal by their anti-virus engines, which Lenovo says will remotely wipe the adware from many systems.

Lizard Squad has recently claimed credit for a number of attacks, including the January disruption of the Malaysian Airline website, as well as the 2014 Christmas Day disruption of the Sony PlayStation and Microsoft Xbox Live networks.

Hacking Lenovo's DNS

The Lenovo.com website disruption began Feb. 25 at about 4 p.m. ET, with visitors to the site being redirected to another site that was labeled as being "the new and improved rebranded Lenovo website," accompanied by a slideshow of bored-looking teenagers looking at webcams, as the song "Breaking Free" - from the movie "High School Musical" - played in the background, technology publication The Verge first reported.

"We're breaking free! Soarin', flyin', there's not a star in heaven that we can't reach!" Lizard Squad tweeted at 4:19 p.m. ET via its @LizardCircle account, referencing the lyrics from the High "School Musical" song.

Security experts say Lizard Squad appears to have hijacked the Lenovo.com website by compromising its domain registrar, Web Commerce Communications Limited - better known as Webnic.cc. The attackers were then able to alter the Lenovo.com DNS settings, ultimately transferring them to servers run by the distributed denial-of-service attack defense service CloudFlare.

"To all asking: Lenovo was NOT a CF customer; their domain was hijacked & transferred to us," CloudFlare principal security research Marc Rogers tweeted on Feb. 25. "We are working with them to restore service."

The choice of CloudFlare was no doubt an ironic move, given that Lizard Squad says its attacks are meant to advertise its own DDoS service, Lizard Stresser.

Domain Registrar Offline

Following the attack, the Webnic.cc website has been unavailable and resolving to a "service temporarily unavailable" error message. Contacted on Feb. 26, a member of the Webnic.cc customer support team, based in Kuala Lumpur, Malaysia, declined to comment on the reported attack, and whether the website outage was intentional, for example if the registrar is attempting to conduct a digital forensics investigation and remediate affected systems following the apparent hack attack.

If Lizard Squad obtained access to internal Webnic.cc systems, then it could have transferred the Lenovo.com website to any address of its choosing. Bolstering that theory, Lizard Squad has published what it claims to be an authorization key - also known as an auth code or EFF key - that it stole from Webnic.cc. Such keys are used to authorize the transfer of domains between registrars.

Lenovo E-Mail Theft?

Lizard Squad has also published two e-mails that had apparently been sent to employees at Lenovo - with a Lenovo.com e-mail address - on Feb. 25, during the time when the hacking group appeared to have been in control of the Lenovo.com DNS settings. One e-mail cited The Verge report that the Lenovo.com website had been hacked as of 4 p.m. ET, and that Lizard Squad appeared to be responsible.

Another published e-mail referred to a Lenovo Yoga laptop that was "bricked" when a customer attempted to run Lenovo's update to remove the Superfish application and root certificate that it was preinstalling on many of its consumer devices (see Lenovo Drops Superfish Adware). "FYI - the process to remove the Superfish software from the Yoga 11 has resulted in a failed device. Can we get him a new one?" the internal e-mail reads.

Lenovo's Fung declined to comment on whether those e-mails were genuine. But Lizard Squad says via Twitter: "We'll comb the Lenovo dump for more interesting things later."

Follows Google Vietnam Hack

The Lenovo website hack follows Lizard Squad claiming credit for the recent disruption of Google.com.vn, or Google Vietnam, which was reportedly also registered with Webnic.cc. For several hours on Feb. 23, visitors to that Google website were reportedly redirected to a website that showed a man taking a "selfie" in the mirror with his iPhone, underneath the words "Hacked by Lizard Squad," The Wall Street Journal reports.

Google says that its systems were not breached by the attack, and said its domain name registrar was responsible. "For a short period today, some people had trouble connecting to google.com.vn, or were being directed to a different website," a Google spokesman told The Wall Street Journal. "We've been in contact with the organization responsible for managing this domain name and the issue should be resolved."


more...
No comment yet.
Scoop.it!

Yes, You Can Afford a Hacker

Yes, You Can Afford a Hacker | IT Support and Hardware for Clinics | Scoop.it
Want to break into your partner’s email? Got a few hundred bucks lying around? You can afford your very own hacker.

If you’re looking to break into someone’s email account or snag a few compromising photos stored in the cloud, where would you go? Craigslist, of course.

“I am looking for someone who can get into a database to retrieve a few photos. Someone who is a genius at computers,” read a recent post. And it doesn’t stop there.

You can post “How do I get the password for my ex-girlfriend’s hotmail account?” or just “Need a computer hacker for a job!” on an online forum and just wait for people to respond, says Tyler Reguly, manager of security research at Tripwire. Then you just sit back and wait for the replies to roll in and strike a deal.

It’s that easy to hire a hacker.

Cybercrime used to be limited to the shadowy corners of the Internet and secret black market forums, but now these transactions are taking place on websites that millions of people use every day. Googling “hacker for hire” returns more than 1.6 million results. And for the slightly more tech-savvy, new marketplaces such as hackerslist.com, hackerforhire.org, and neighborhoodhacker.com provide a safe meeting place for hackers and those seeking their services. You can even leave Yelp-style feedback on forums like hackerforhirereview.com.

“It’s frightening that people have no qualms asking” for hacking in the same way they would ask someone to shovel snow from their driveway, Reguly says.

Black market websites have long offered a wide array of services for would-be cybercriminals—customized malware, carder forums selling stolen payment card details and cloned credit cards, exploit kits and other toolkits to craft campaigns, denial-of-service attack tools, and botnet rentals—at fairly affordable prices. Most of the sites accept the cryptocurrency Bitcoin, to keep transactions anonymous. Some sites welcome new users and others have strict membership requirements, but in general, these forums and stores are public, transparent, and easy to find, says Daniel Ingevaldson, CTO of Easy Solutions, a fraud detection company.

“It’s really hard to get in trouble for doing this, so there is no reason to hide,” Ingevaldson says. “It will take you only a few minutes to find it, even if you don’t know what you are doing.”

Hacking used to be thought of as a financial crime, but today’s hackers-for-hire will take personal jobs. Instead of offering botnets with hundreds or thousands of compromised machines or stolen payment card information, these sites target a much broader market. Offerings include breaking into email and social media accounts or hacking into online databases and services, says Grayson Milbourne, the security intelligence director at Webroot. Some sites may offer escrow accounts, letting customers transfer funds in and paying the hacker only after the service is complete. Prices vary, but usually range between $100 and $3,000, making these services “within reach of most,” he says.

That Craigslist ad for retrieving some photos off the database offered $500 for the gig.

If you’re willing to tread these muddy waters, finding a hacker is easy and just a simple Google search away.

That society doesn’t seem to care about this kind of hacking is “disconcerting,” Reguly says, noting that many people don’t view stealing digital assets as a real crime. The disconnect between the physical and digital worlds remains very strong, even as people’s offline and online lives merge.

The same person who would be upset when thieves steal credit card numbers would not consider breaking into email or Facebook accounts as serious, he said.

And some customers feel they deserve what they’re paying for or that they’re righting some wrong. A PhD student angry that his research paper has been posted without his permission on other sites might hire someone to make sure people can't search or link to those pirated copies. A mother might want someone to break into her son’s Facebook account and install something on his phone that would let her intercept both incoming and outgoing phone calls, text messages, and pictures.

Even though it’s relatively affordable, hiring a hacker for personal use is a risky business, Milbourne says.

Is there honor among thieves? There is no way to make sure the hacker will stop where you’ve told him or her to once they’ve done the job. That mom may receive her son’s Facebook password, but she can never be sure the hacker won’t use the information to steal her son’s identity, or to trick him into downloading a banking Trojan on the family computer to steal her bank account information.

The legal issues surrounding these transactions are murky.

The activities being posted online are criminal, but who is supposed to prosecute them? Hacking is a global service—the providers can be based anywhere in the world and out of U.S. jurisdiction. The customer looking for the services doesn’t need to know, and probably doesn’t even care, where the service is coming from. And the sellers know the odds of law enforcement coming after them are very low.

“Getting arrested is out of their realm of experience for what can possibly happen,” Ingevaldson said. “None of their friends have been arrested.”

Hacker-for-hire sites may or may not be breaking the law—no one has tested those limits yet. And mainstream sites such as Craigslist act as just a marketplace connecting buyers and sellers and so far have claimed they are not responsible for any resulting illegal activities.

“It should be simple … hacking into someone’s email is a crime, so discussing that with someone and paying them to do it should, therefore, be conspiracy to commit a crime,” Reguly says.

The recent proposals from the White House to amend the Racketeering Influenced and Corrupt Organizations Act—originally designed to prosecute the Mafia and gangs—to include hacking may change things. If RICO can be applied to cybercrime, just being in the same chatroom or forum as a hacker may make the person an accomplice.

If you’re willing to tread these muddy waters, finding a hacker is easy and just a simple Google search away.

“At this point, our lives are digital, the bits and bytes traversing the wires are as much a part of us as the clothes we choose to wear and the cards we carry in our wallets,” Reguly says. This means people have to protect their digital assets just as they take care of themselves in the physical world. “To make a mockery of that with sites like this is a great example of the decay of society.”


Via Roger Smith, Paulo Félix
more...
No comment yet.