IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

Will Sony Settle Cyber-Attack Lawsuit?


Did Sony underspend on information security, thus contributing to the success of the devastating hack attack against it, which came to light in November 2014? And can a business be held legally accountable by employees for their employer's information security shortcomings?


Those questions are central to a lawsuit filed by Michael Corona and eight other former Sony employees in the wake of what plaintiffs rightly dub a data breach "epic nightmare, much better suited to a cinematic thriller than to real life." Their suit accuses Sony of having failed to put an effective information security program in place, despite having previously suffered repeated, serious attacks.




"Sony failed to secure its computer systems, servers and databases, despite weaknesses that it has known about for years," the lawsuit alleges, citing in part a September 2014 audit by PricewaterhouseCoopers, which found that Sony's information security and monitoring practices fell below "prudent industry standards."


The lawsuit further alleges that nearly 100 terabytes of data was stolen, including 47,000 Social Security numbers and personally identifiable information for at least 15,000 current and former employees, some of whom had not worked for the studio since 1955. As a result, breach victims "face ongoing future vulnerability to identity theft, medical theft, tax fraud, and financial theft," the lawsuit plaintiffs allege. "In fact, plaintiffs' PII has already been traded on black market websites and used by identity thieves."

Lawsuit Ruling

Sony asked a court to dismiss the suit, and U.S. District Judge R. Gary Klausner this week did dismiss some parts, including allegations of breach of contract and that Sony failed to notify breach victims in a timely manner.


But in a setback for Sony, the judge ruled that other parts of the lawsuit can proceed, although he has yet to rule on the merits of these claims, including plaintiffs' allegation that Sony "made a business decision to accept the risk of losses associated with being hacked." The federal judge also agreed with the former employees' allegation that "to receive compensation and employment benefits, they were required to provide their PII to Sony." While many data breach lawsuits get dismissed on the grounds that the breach did not cause any economic harm to people whose information was stolen, Klausner said that by requiring employees' PII, Sony created a "special relationship that provides an exception to the economic loss doctrine."


Michael Sobol, an attorney for the plaintiffs, told the BBC, "We are pleased that the court has properly recognized the harm to Sony's employees."


A spokeswoman for Sony Pictures Entertainment did not immediately respond to a request for comment on the ruling.


In the wake of the 2014 attack, at least nine other lawsuits were filed against Sony by individual former employees. Like the Corona suit, all of these lawsuits seek class-action status, meaning they would include all current and former employees who were affected by the cyber-attack.

Wiper Malware Attack

To recap: Sony suffered a devastating wiper malware attack in November 2014, ostensibly designed to punish the company for releasing "The Interview," a satiric film starring James Franco and Seth Rogen that featured the fictional death of North Korean leader Kim Jong-un.


But before the attackers unleashed their wiper malware and began erasing Sony hard drives and bricking laptops, they penetrated Sony's network and stole tens of terabytes of data, including copies of unreleased movies and the script for the upcoming James Bond film "Spectre," as well as numerous private email exchanges, all of which the attackers began leaking.


Sony, in a December 2014 breach notification filed with California state authorities, reported that the breach appeared to compromise current and former employees' names, addresses, Social Security numbers, driver's licenses and passport numbers, corporate credit card information, usernames and passwords, and salaries. Sony also warned that individuals' "HIPAA-protected health information" may have been exposed, including medical diagnoses, dates of birth, health plan identification numbers, and personal and health-related information.


As noted in Corona's lawsuit, large amounts of this information were leaked to the Internet by attackers and likely remain in circulation.

Lawsuit Resolution: Unclear

What will happen next in the Sony class-action lawsuit saga, of course, is not clear. But based on past breach-related lawsuits, it's likely that unless the lawsuit gets dismissed, Sony will ultimately settle, rather than risk a jury trial and ruling that might give breach victims more rights.


If Sony did make a business decision to underspend on security, it was a costly move. In February, Sony said in an earnings report that it expected to spend $35 million in cleanup costs through the end of its fiscal year in March, largely related to restoring the company's "financial and IT systems." But as the multiple lawsuits highlight, Sony faces continuing legal costs, as well as the risk that it will eventually have to pay damages or settlements.


But any such settlement likely would not happen soon. Indeed, Sony only settled a lawsuit filed in the wake of its April 2011 breach - a year in which the company fell victim to more than a dozen breaches - in June 2014. That breach exposed personal information for 77 million users of the Sony PlayStation Network and Qriocity services.


By that timeline, the lawsuits stemming from the 2014 Sony cyber-attack may not be resolved until at least 2017.


President Obama calls for stronger American cybersecurity


Citing a series of embarrassing, high-profile incursions against US computer networks in recent months, President Obama called for "much more aggressive" efforts to shore up the government's vulnerable cyber-infrastructure. "This problem is not going to go away," the President told reporters at a G7 press conference in Germany. "It is going to accelerate. And that means that we have to be as nimble, as aggressive and as well-resourced as those who are trying to break into these systems." As such, he urged Congress to pass its pending cybersecurity legislation, such as the Cybersecurity Information Sharing Act of 2015.


House Expected To Pass Cybersecurity Bill, Indemnifying Companies That Share Breach Data


The House is expected to pass a bill Wednesday that is intended to compel private companies to give investigators access to their computer records and networks in the event of a data breach. The bill has been in the making for years, and comes after a series of embarrassing, high-profile hacks at companies such as Sony and Anthem health insurance.


The vote, which coincides with that for a similar Senate bill, is an assertive response from the federal government after major intrusions have resulted in a delayed movie release, lost credit card information, stolen medical records and a shaken faith in corporate America’s ability to protect itself online. Yet debate over the House bill has raised concerns from privacy and transparency advocates, including initial resistance from President Barack Obama and prominent congressional Democrats.


The House bill provides hacked companies with legal liability protection if they share sensitive information with the government. Privacy advocates demanded, and obtained, assurances under this provision that require data to undergo two rounds of scrubbing -- the removal of personal information -- when they're turned over to a government agency. The data will not be sent to the National Security Agency or the Department of Defense first, though it could ultimately end up there.

The privacy changes were enough to win over prominent Democrats, with Obama expected to sign a modified version of the House and Senate bills. Yet the White House still expressed reservations in a statement Tuesday, suggesting that the liability protections that are meant to protect companies from penalties that come with unauthorized use of customer data go too far.


“Appropriate liability protections should incentivize good cybersecurity practices and should not grant immunity to a private company for failing to act on information it receives about the security of its networks,” the White House said. Overly broad liability protections might “remove incentives for companies to protect their customers’ personal information and may weaken cybersecurity writ large,” the statement went on.



How DNS is Exploited


The Internet is a global engine of commerce today, but it was never designed with such grandiose applications in mind. In the underlying architecture of the Internet, hostility was never a design criterion, and this has been extensively exploited by criminals, who capitalize on the Domain Name System infrastructure - the map of the Internet - which is indispensable for the Internet as we know it to function.

"Right now the Internet is being used to transfer hundreds of billions of dollars per year from the productive part of the world's economy toward the unproductive part because it is such a gaping hole," says Internet pioneer and DNS thought leader Dr. Paul Vixie, CEO of Farsight Security, a provider of real-time passive DNS solutions that provide contextual intelligence to threat and reputation feeds.

The Internet was built without any thought of authentication, admission control or security, and so almost any application or website can be abused by a creative criminal, he says. But the DNS is proving essential to both the good guys and the bad guys - almost a unifying field theory.

"Everything you need to do on the Internet requires DNS - regardless of intent," says Vixie, who is also the principal author of version 8 of BIND, the most widely used DNS software on the Internet. "I think this makes DNS an interesting place to look for criminals and signs that criminals must leave," he says.

In part one of an exclusive two-part interview with Information Security Media Group (transcript below), Vixie talks about DNS and the impact it has on the Internet's security landscape. He shares insights on:

Part two of this interview will feature Vixie's views on the evolution of the Internet as an ecosystem that has evolved to make crime easier.

Vixie, CEO of Farsight Security, previously served as president, chairman and founder of the Internet Systems Consortium. He has served on the ARIN board of trustees since 2005, where he served as chairman in 2008 and 2009, and is a founding member of the ICANN Root Server System Advisory Committee and the ICANN Security and Stability Advisory Committee. He has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He wrote Cron (for BSD and Linux), and is considered the primary author and technical architect of BIND 4.9 and BIND 8. He has authored or co-authored about a dozen Request for Comments, a publication of the principal technical development and standards-setting body for the Internet, the Internet Engineering Task Force - mostly on DNS and related topics. He was named to the Internet Hall of Fame in 2014.

Varun Haran: How are criminals exploiting DNS infrastructure to perpetrate crime today?

Dr. Paul Vixie: One main area where DNS is facilitating crime is denial-of-service attacks, where the purpose may be economic or ideological to prevent the victim from being able to use the Internet. This is achieved by filling their Internet connection with unsolicited traffic so that they cannot use their connection for good traffic.

Now, unfortunately, the Internet was designed by scientists and engineers to work in a completely friendly environment. Hostility was never one of the design criteria for the Internet. What that means is it is trivial to send packets forging someone else's address as the source. Which means that if you direct the packets forged with a victim's address towards a powerful server, a lot of response traffic will go to your victim. And because the victim did not solicit it, they cannot turn it off. This is a very popular attack, and anytime that you hear that Google or Spamhaus has been hit with a 400 Gbit/s DDoS attack, it is the exact same method being employed - IP source forgery.

This is not only something the Internet was designed without, it is something that the current Internet economy is resisting fixing, because in order to fix this problem, an ISP has to turn on some new features in their Internet routing equipment. Those features need to be tested, there needs to be documentation, there has to be monitoring, so there is a small cost - there may even be a performance cost in the routing equipment if you turn on this feature.

The cost is trivial, but not zero. The benefit that the operator will see in exchange for that investment will be measurably zero, because what they are doing is protecting the rest of the Internet against their customers. So if an ISP does this, it is only for the greater good and it is very difficult to get an ISP - who has investors, shareholders, board of directors, management chain etc. - to act for the greater good at their own expense. It simply does not make good business sense to fix this problem.

Internet Vulnerabilities

Haran: The Internet wasn't designed for all the purposes it's being put to today. What are some of the security issues that the current nature of the Internet, in terms of infrastructure and architecture, gives rise to?

Vixie: I gave you one example, which is the lack of source address validation. But there are other admission control problems also. For example, there are control packets that you can transmit that can potentially interrupt other people's conversations. Various TCP and ICMP packets can be transmitted toward parts of the network that will respond by denying other people the ability to communicate for a few seconds.

This comes from when the Internet was just a collection of universities and government contractors. Everybody on the Internet for the first 10 years had a contract with the U.S. government. None of them had any incentive to transmit damaging traffic. The nature of the Internet took that into account. It was a very fragile network, which was intended only for mature computer science professionals to interact.

So, if we turn our attention now to spam, the email system has no admission control. Anyone can send an email to anyone. That was, in fact, an important design criterion to avoid central clearinghouses and make email an end-to-end activity. But what that means is that spammers are also endpoints and have the same right to transmit email to anyone. There is no differentiation, there is no privilege required.

Add to that the fact that, just like IP packets can have their sources forged, even email sources can be forged. And unless you are a technology expert or have a high-end email firewall appliance, you won't be able to tell the difference. This works at scale. Right now, the Internet is being used to transfer hundreds of billions of dollars per year from the productive part of the world's economy toward the unproductive part because it is such a gaping hole. The Internet is the backbone of global commerce today, and yet it was built without any thought of authentication, admission control or security, and so almost any application or website can be abused by a creative criminal.

The Internet's Map

Haran: You have said that DNS is like a unified field theory between the good guys and the bad guys. Can you elaborate? How indispensable is DNS to the structure of the Internet?

Vixie: If the Internet were a territory, the DNS would be its map. We who have grown up in a world that is completely mapped, completely discovered, find it impossible to conceptualize the idea of a territory without a map. Without DNS, the Internet would be a trackless wild, where things would exist but you wouldn't know how to get there or the cost of admission. So I mean it when I say that all Internet communication begins with a DNS transaction - at least in order for the initiator to discover the responder and to find out where to send the packets that will represent their conversation.

But there may be other things as well, such as looking up a key, so that they can build a secure conversation by sharing key-in information or for looking up directory servers for authentication and authorization. Pretty much everything you need to do on the Internet is going to be a TCP/IP session. And every TCP/IP session is going to begin with one or more DNS transactions. This is true regardless of your intent. Your intent might be to create wealth, to innovate, to make the world a better place, or it could be that your intent is criminal and you want to lie, cheat, take, force, defraud and you have purposes which would be seen as evil in the eyes of your fellow man. Your intent does not matter - you are not going to be able to do anything on the Internet without DNS. And it is that that I think makes DNS such an interesting place to look for criminals and signs that criminals must leave.

DNS Response Rate Limiting

Haran: You are a strong advocate of DNS Response Rate Limiting, which is something that you have worked on yourself. What can you tell me about DNS RRL?

Vixie: In DNS, there are many different kinds of DNS agents. Some only ask questions and receive answers and some only provide answers. It is that second type that concerns rate limiting, because a server in the DNS - the so-called authority server, which is where DNS content comes from - must be very powerfully built, having a lot of capability. Otherwise, if someone sends you a DDoS, they will make your content unreachable because your network pipe would be full of attack traffic.

It is common to buy an extra-large connection to your authority servers and to buy not just one authority server, but maybe a dozen and put them behind load balancers, with redundant power and so forth, because you want to make sure that no matter what happens, you can address queries and your content is reachable.

The difficulty that this presents to the rest of us is that in DNS, a response is larger than a request and that means that you are a potential amplifier. And if you are hearing a question that was forged - the IP address used by the attacker is forged to become the IP address of their intended victim - then you as a very powerful content server would be willing to help that attacker DDoS that victim simply because you are a powerful content server, and you have to be powerful for reasons of your own.

So when we designed response rate limiting, it was to allow those servers to differentiate between attack flows and non-attack flows so that they would be not as usable as an amplifier of third-party attacks. The tricky part is that you have to be very careful not to drop legitimate queries. So there is a little bit of mathematical trickery involved in the DNS RRL system that helps to make sure that you can stop most DDoS attacks without causing collateral damage.
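The rate-limiting idea described in the interview, as an added sketch that is not part of the interview and not BIND's implementation: an authority server keeps a credit balance per (client network, query name, response kind), and once the balance is spent it drops most responses but lets every Nth go out truncated so that a genuine client can retry over TCP, which a forged source cannot complete. The class name, the simplified credit arithmetic and the sample traffic are assumptions; the three settings are modelled on the `responses-per-second`, `window` and `slip` rate-limit options found in BIND.

```python
import ipaddress
from collections import Counter


class ResponseRateLimiter:
    """Simplified response rate limiter for an authoritative DNS server."""

    def __init__(self, responses_per_second=5, window=15, slip=2, prefix_len=24):
        self.rate = responses_per_second
        # A flooded key may run up at most `window` seconds of debt.
        self.floor = -responses_per_second * window
        self.slip = slip              # every Nth limited response is truncated
        self.prefix_len = prefix_len  # clients are grouped by network, not by host
        self.state = {}               # key -> [balance, last_seen, limited_count]

    def _key(self, src_ip, qname, kind):
        net = ipaddress.ip_network(f"{src_ip}/{self.prefix_len}", strict=False)
        return (net, qname.lower().rstrip("."), kind)

    def decide(self, src_ip, qname, kind, now):
        """Return 'send', 'slip' (truncated reply, TC=1) or 'drop'."""
        entry = self.state.setdefault(self._key(src_ip, qname, kind),
                                      [self.rate, now, 0])
        balance, last, limited = entry
        # Earn credit for the time elapsed, never more than one second's worth.
        balance = min(self.rate, balance + (now - last) * self.rate)
        # Spend one credit on this response, never below the debt floor.
        balance = max(self.floor, balance - 1)
        if balance >= 0:
            entry[:] = [balance, now, 0]
            return "send"
        limited += 1
        entry[:] = [balance, now, limited]
        if self.slip and limited % self.slip == 0:
            # Small truncated answer: no amplification, but a real client
            # behind this address learns to retry over TCP.
            return "slip"
        return "drop"


def replay(limiter, events):
    """Run (src_ip, qname, kind, timestamp) events and count the decisions."""
    return Counter(limiter.decide(*event) for event in events)


# Constructed sample traffic (documentation address ranges).
# 100 identical queries in one second, all claiming to come from the victim:
FLOOD = [("203.0.113.7", "example.com", "answer", 0)] * 100
# An unrelated resolver asking once per second for ten seconds:
LEGIT = [("198.51.100.10", "example.com", "answer", t) for t in range(10)]

if __name__ == "__main__":
    rrl = ResponseRateLimiter()
    print("flood:", dict(replay(rrl, FLOOD)))
    print("legit:", dict(replay(rrl, LEGIT)))
```

Of the 100 forged queries only five full-size answers reach the victim; the unrelated resolver is never limited because its network has its own balance.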


Hackers have found a way to get into nearly every computer


Hacking even the most secure data is easier than previously thought. This was evidenced by two researchers at the CanSecWest security conference in Vancouver last week.

The two computer security experts, Xeno Kovah and Corey Kallenberg, exhibited a proof-of-concept, showing how to hack into BIOS chips, which are microchips containing the firmware of a computer’s motherboard.

"The BIOS boots a computer and helps load the operating system," Wired explained. "By infecting this core software, which operates below antivirus and other security products and therefore is not usually scanned by them, spies can plant malware that remains live and undetected even if the computer’s operating system were wiped and re-installed."

The attacks can be levied either through remote exploitation — such as phishing emails — or through “physical interdiction of a system,” Wired reports. The researchers discovered what they called "incursion vulnerabilities," giving them access to the BIOS. Once the BIOS is compromised, they can grant themselves the highest of system privileges. Then, they are able to gain all sorts of control over the system. This includes the ability to steal passwords as well as surveil other data. 

Kovah told Business Insider that of the 10,000 enterprise-grade machines they analyzed, 80% of them had at least one BIOS vulnerability.

Most alarming is that any and all data is up for grabs once the BIOS is compromised. This means encrypted data is accessible — even if the computer user is using privacy-oriented security software.

For example, the researchers said that the Tails system — a widely used OS known for its immense security — could be hijacked. Edward Snowden and Glenn Greenwald use Tails to share data. Kovah and Kallenberg say that their malware could subvert Tails, making it possible to gain access to any of its data.

The ramifications for computer security are huge. For one, it was previously thought that only the most well-equipped hacking guns, like deep-pocketed governments, were able to compromise BIOS chips. This was most recently evidenced by findings from the Kaspersky Lab, which discovered a series of attacks targeting computers' firmware from what appears to be the NSA.

Now, given that Kovah and Kallenberg were able to hack these chips without a billion dollar government budget, things have changed. Already vendors are working on patches to deal with the vulnerability, but there's no way to know what sort of damage has already been done.

While the vectors for attack are numerous, Kovah and Kallenberg hope their findings bring awareness to how critical firmware security truly is. At the very least, they hope this forces companies to patch their systems. As Kovah explained, even when new patches are issued, "we keep finding new vulnerabilities."



Why Cyber Security Is All About The Right Hires


The United Kingdom has estimated the global cyber security industry to be worth around US$200 billion per annum, and has created a strategy to place UK industry at the forefront of the global cyber security supply base, helping countries to combat cybercrime, cyber terrorism and state-sponsored espionage.

Likewise, the United States government is facilitating trade missions to emerging markets for companies that provide cyber security, critical infrastructure protection, and emergency management technology equipment and services with the goal of increasing US exports of these products and services.

Meanwhile, Australia is going through yet another iteration of a domestic cyber security review. Australia can’t afford to wait any longer to both enhance domestic capability and grasp international leadership.

The recent Australian debate about the government’s proposed data retention scheme has seen heavy focus on the security aspects of collecting, retaining and where authorised, distributing such data.

But much of this debate masks the broader issue facing the information security industry.

Failing to keep up

The constant evolution of the online environment presents cyber threats which are constantly evolving with increasing volume, intensity and complexity.

While organisations of all shapes and sizes are considering spending more money on cyber security, the supply side of information security professionals is not keeping up with the current, let alone future demand. High schools are not encouraging enough students (particularly girls) to get interested in the traditional STEM (science, technology, engineering and maths) subjects. The higher education and vocational sectors are likewise not creating enough coursework and research options to appeal to aspiring students who are faced with ever more study options.

One example of the types of programs needed to address the shortage is the Australian Government’s annual Cyber Security Challenge which is designed to attract talented people to become the next generation of information security professionals. The 2014 Challenge saw 55 teams from 22 Australian higher education institutions take part. At 200 students, this is but a drop in the ocean given what is required.

Even for those who graduate in this field, there is a lack of formal mentoring programs (again particularly for girls), and those which are available are often fragmented and insufficiently resourced. The information security industry is wide and varied, catering for all interests and many skill sets. It is not just for technical experts but also for professionals from other disciplines such as management, accounting, legal, etc, who could make mid-career moves adding to the diversity of thinking within the industry.

More and more organisations are adopting technology to create productivity gains, improve service delivery and drive untapped market opportunities. Their success, or otherwise, will hinge on a large pool of talented information security professionals.

We need to attract more people into cyber security roles. Universities need to produce graduates who understand the relationship between the organisation they work for, its people, its IT assets and the kinds of adversaries and threats they are facing. The vocational education sector needs to train technically adept people in real-world situations where a hands-on approach will enable them to better combat cyber attacks in their future employment roles.

Industry associations should focus on their sector — analysing the emerging information security trends and issues, and the governance surrounding information security strategy — to determine their own unique skills gap.

The government should develop a code of best practice for women in information security in collaboration with industry leaders, promoting internal and external mentoring services.


Via Paulo Félix

Should we hack the hackers? - The Guardian


If we’re losing the war against cybercrime, then should we take off the gloves and strike back electronically against hackers?

As banks reel from another major hacking revelation, a former US director of intelligence has joined some of them in advocating for online counterstrikes against cybercriminals.

In February, security firm Kaspersky detailed a direct hack against 100 banks, in a co-ordinated heist worth up to $1bn. This follows growing sentiment among banks, expressed privately, that they should be allowed to hack back against the cybercriminals penetrating their networks.

At February’s Davos forum, senior banking officials reportedly lobbied for permission to track down hackers’ computers and disable them. They are frustrated by sustained hacking campaigns from attackers in other countries, intent on disrupting their web sites and stealing their data.

Dennis Blair, former director of national intelligence in the Obama administration, has now spoken out in favour of electronic countermeasures, known in cybersecurity circles as hacking back, or strikeback.

Blair co-authored a 2013 report from the US Commission on the Theft of American Intellectual Property. It considered explicitly authorising strikeback operations but stopped short of endorsing this measure at the time.

Instead, the report suggested exploring non-destructive alternatives, such as electronically tagging stolen data for later detection. It also called for a rethinking of the laws that forbid hacking, even in self-defence.

Western law enforcers don’t have jurisdiction in the countries where cybercriminals operate. Ideally, they would pass information about hackers onto their counterparts there, said Blair, but in many cases local police are un-cooperative. It’s time to up the ante, he suggested.

“I am more leaning towards some controlled experiments in officially conducting aggressive cyber-tracking of where attacks come from, discovering their origin, and then taking electronic action against them,” he told the Guardian.

Legal problems

There’s just one problem with strikeback operations, said Mark Rasch, a former federal cybercrime prosecutor and the head of Maryland-based Rasch Technology and Cyber-law: it’s against the law. “You have to start with the general assumption that hacking back is most likely illegal,” he said.

Long-standing laws on both sides of the Atlantic clearly forbid unauthorised tampering with a computer, even if someone is using that computer to attack you. In the UK, the Computer Misuse Act sets those rules. In the US, the Computer Fraud and Abuse Act does the same.

Even without this legislation, the law generally frowns upon what Rasch calls “self help”. Judges dislike vigilante justice.

The stakes are getting higher, though. Since the report’s release, corporate America has seen several devastating cyber-attacks. JP Morgan suffered a breach affecting 76 million households. Home Depot and Target were also hacked, and most recently, Sony Entertainment was embarrassed by the theft of internal documents.

“I’ve been seeing the way that technology is developing. I think it’s worth some limited legislation to post penalties back to hackers,” Mr Blair said, adding that companies should work with law enforcement rather than taking matters into their own hands.

“Law enforcement authorities can go back down the same route that [the hackers] use to attack, and cause physical damage to their equipment,” he added.



Via Paulo Félix

New Approach to DDOS Protection


Attacks are larger, adversaries more diverse, and damage is broader. These are characteristics of today's distributed-denial-of-service attacks, and organizations need a new approach to protection, says Verisign's Ramakant Pandrangi.

Pandrangi, VP of Technology at Verisign, has studied DDoS attacks, and he's concerned about recent trends.

"Large volumetric DDoS attacks are becoming more common," Pandrangi says. "And as that happens, on-premise solutions will not be able to handle these types of attacks."


What's needed, then, is an entirely new approach to protecting against DDoS. Pandrangi advocates what he calls an open/hybrid approach that relies on on-premise solutions to mitigate attacks locally, while leveraging cloud-based services when attacks are likely to overwhelm the defenses. At the core of this new approach is an open platform that allows multiple vendors to act in concert on the customer's behalf.

"This [approach], we believe, will allow businesses to have a wide range of options without the limitations of having vendor lock-in," he says.



OpenDNS trials system that quickly detects computer crime

A security system undergoing testing by a San Francisco-based company aims to speed up the detection of websites and domains used for cybercrime.

The technology is being developed by OpenDNS, which specializes in performing DNS (Domain Name System) lookups. The DNS translates domain names such as idg.com into an IP address that can be called into a browser.

OpenDNS offers a secure DNS service for ISPs and organizations that blocks requests from Web browsers to sites that may be associated with cybercrime or spoof a company such as PayPal.

The company, which was founded in 2005, has grown so much that its systems respond to some 71 billion DNS requests per day. That’s just 2 percent of global DNS traffic but is enough of a sample to pick up on many cybercrime campaigns.

The new system, called Natural Language Processing rank (NLPRank), looks at a range of metrics around a particular domain name or website to figure out if it’s suspicious.

It scores a domain name to figure out if it’s likely fraudulent by comparing it to a corpus of suspicious names or phrases. For example, g00gle.com—with zeros substituting for the letter “o”—would raise a red flag.

Many cybercriminal groups have surprisingly predictable patterns when registering domain names for their campaigns, a type of malicious vernacular that OpenDNS is indexing. Bogus domain names use company names, or phrases like “Java update,” “billinginfo” or “security-info” to try to appear legitimate.

But there’s a chance that NLPRank could trigger a false positive, flagging a variation of a domain that is legitimate, said Andrew Hay, director of security research at OpenDNS.

To prevent false positives, the system also checks to see if a particular domain is running on the same network, known as its ASN (autonomous system number), that the company or organization usually uses. NLPRank also looks at the HTML composition of a new domain. If it differs from that of the real organization, it can be a sign of fraud.
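The scoring and false-positive check described above can be sketched as follows. This is an added example, not OpenDNS code: the brand list, the ASN values (taken from the documentation range), the weights and the threshold are all assumptions, and the HTML comparison is left out.

```python
import re
from dataclasses import dataclass, field

# Constructed sample data: brands mapped to the ASNs they "usually" use.
# The ASNs are from the documentation range (RFC 5398), not real networks.
BRAND_ASNS = {"google": {64496}, "paypal": {64497}}

# Phrases the article lists as common in bogus registrations, hyphens dropped.
SUSPICIOUS_PHRASES = ("javaupdate", "billinginfo", "securityinfo")

# Digit-for-letter swaps, such as the zeros in g00gle.com.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

THRESHOLD = 50  # assumed cut-off on a 0-100 scale


@dataclass
class Verdict:
    domain: str
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self):
        return self.score >= THRESHOLD


def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(domain, observed_asn):
    """Score one newly seen domain; a higher score means more likely fraudulent."""
    verdict = Verdict(domain)
    labels = domain.lower().rstrip(".").split(".")
    # Simplification: treat everything left of the final label as the name.
    name = ".".join(labels[:-1]) if len(labels) > 1 else labels[0]
    tokens = [t for t in re.split(r"[.-]", name) if t]
    matched_brands = set()

    for token in tokens:
        folded = token.translate(LOOKALIKES)
        for brand in BRAND_ASNS:
            if token == brand:
                matched_brands.add(brand)
                if len(tokens) > 1:
                    verdict.score += 40
                    verdict.reasons.append(f"'{brand}' combined with other words")
            elif folded == brand:
                matched_brands.add(brand)
                verdict.score += 60
                verdict.reasons.append(f"character substitution for '{brand}'")
            elif len(brand) >= 5 and edit_distance(folded, brand) == 1:
                matched_brands.add(brand)
                verdict.score += 50
                verdict.reasons.append(f"one edit away from '{brand}'")

    squashed = "".join(tokens).translate(LOOKALIKES)
    for phrase in SUSPICIOUS_PHRASES:
        if phrase in squashed:
            verdict.score += 30
            verdict.reasons.append(f"contains phrase '{phrase}'")

    # False-positive control: a brand-like name served from the network the
    # brand usually uses is treated as legitimate.
    if any(observed_asn in BRAND_ASNS[b] for b in matched_brands):
        verdict.score = 0
        verdict.reasons.append("hosted on the brand's usual ASN; suppressed")

    verdict.score = min(verdict.score, 100)
    return verdict


if __name__ == "__main__":
    # Constructed observations: (domain, ASN it resolved into).
    for d, asn in [("g00gle.com", 64511), ("mail.google.com", 64496),
                   ("paypal-billinginfo.example", 64511)]:
        v = score_domain(d, asn)
        print(d, v.score, v.suspicious, v.reasons)
```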

NLPRank is still being refined to make sure the false positive rate is as low as possible. But there have been encouraging signs that the system has already spotted malware campaigns seen by other security companies, Hay said.

Earlier this month, Kaspersky Lab released a report on a gang that stole upwards of US$1 billion from banks in 25 countries. The group infiltrated banks by gaining the login credentials to key systems through emails containing malicious code, which were opened by employees.

Hay said Kaspersky approached OpenDNS before the report was published to see if it had information on domains associated with the attacks. NLPRank was already blocking some of the suspicious domains, even though OpenDNS didn’t know more details about the attacks.

“We caught these things well back,” Hay said.

In some cases, NLPRank could allow a domain to be blocked even before one is actively used. After cybercriminals register a domain, they’ll often visit it once to make sure it’s accessible. It may then go dormant for a few days before it is incorporated in a campaign, Hay said.

If a fraudster is connected to an ISP that uses OpenDNS’s service, just a single DNS query for that new domain would allow OpenDNS to analyze and potentially block it before it is used for crime.

“As soon as we see that little bump on the wire, we can block it and monitor to see what’s going on,” Hay said. “It’s almost an early warning system for fraudulent activity.”




Cybercrime Affects More Than 431 Million Adult Victims Globally

Cybercrime affects more than 431 million adult victims around the world. Since the internet has become such an integral part of governments, businesses, and the lives of millions of people, cyberspace has become an ideal place, allowing criminals to remain anonymous while they prey on victims.

The most common forms of cybercrime are offences related to identity, such as malware, hacking, and phishing. Criminals use these methods of cybercrime to steal money and credit card information. Additionally, cybercriminals use the internet for crimes related to child pornography, abuse material, and intellectual and copyright property.

As technology advances, criminals are finding it much easier to perform a cybercrime; advanced techniques and skills to perpetrate threats are no longer required. For instance, software that allows criminals to override passwords and locate access points of computers is easily purchased online. Unfortunately, the ability to find cyber criminals is becoming more difficult.


Cybercrime is a rapidly growing business, exceeding $3 trillion a year. Victims and perpetrators are located anywhere in the world. The effects of cybercrime are seen across societies, stressing the need for a pressing and strong international response.

However, many countries do not have the capacity or regulations to combat cybercrime. A global effort is required to make available firmer regulations and improved protection because cyber criminals hide within legal loopholes in countries with less stringent regulation.

Criminals perpetrate a cybercrime by taking advantage of a country’s weak security measures. Additionally, the lack of cooperation between developing and developed countries can also result in safe havens for individuals and groups who carry out a cybercrime.

The United Nations is actively involved in fighting cybercrime. The organization set up the United Nations Office on Drugs and Crime (UNODC) following the 12th Crime Congress to study cybercrime. The UNODC is a global leader in the fight against illicit drugs and international crime.

Cybercrime affects one million victims every single day. More than 431 million people are affected by cybercrime; that’s 14 adult victims every second.

In addition, there are up to 80 million automated hacking attacks every day. The most common and fastest growing forms of consumer fraud on the Internet are identity-related offences, especially through the misuse of credit card information.

Learning online protection methods is one of the simplest means of defense from becoming victim to a cybercrime. When purchasing products online, always be aware of the trustworthiness of the websites.

Avoid using public computers for anything that requires a credit card payment. By all means, be sure online purchases and banking are facilitated with a fully legitimate and safe business.

Computers should have up-to-date security software; choose strong passwords, and do not open suspicious emails or special offers that ask for personal information, which are often in the form of sales, contests, or fake banks.

Internet-related crime, like any other crime, should be reported to appropriate law enforcement investigative authorities at the local, state, federal, or international levels, depending on the scope of the crime.


Via Paulo Félix

Darkleaks: An online black market for selling secrets

Whistleblowers and those individuals that are simply out to make a buck out of any confidential and valuable information, can now offer it for sale on Darkleaks, a decentralized, anonymous black market on the Internet.

The Darkleaks project is built on top of the Bitcoin blockchain, and can be used by downloading this software package (source code is open).

The process of releasing and buying the released information works like this (as explained by Zozan Cudi, a member of the Kurdish People's Defense Units):

"When the leaker selects a document, it is broken up into segments. Each of the segments is hashed, and a Bitcoin address is generated using the hash as the secret key. From this public key, a new key is generated to encrypt the segments. The encrypted segments are released for public download with the list of Bitcoin addresses.

To prove the authenticity of the document, the system uses a trustless provably fair mechanism. When announcing the leak, the leaker chooses a date and number of the chunks to be released. Based on the Bitcoin block hash at that time, some provably fair random numbers are chosen to select segments to be unlocked. This allows the community to verify the veracity of the file and decide whether they want to pay for the remaining encrypted segments.

The buyers then send Bitcoins to these addresses. When the leaker decides to claim the Bitcoins from the private key, due to how Bitcoin is designed he must release the public key which allows the buyers to decrypt the document."


The marketplace is supposed to offer anonymity for both the leaker and the buyer - the two don't interact, and there is no central operator who might somehow discover their identities.

The people behind it say that this marketplace can be used to stop corruption and challenge power, but of course it can also be used by sellers and buyers with a more sinister agenda, as there is no limit to what information can be sold - Hollywood movies, government secrets, military intelligence, stolen databases, celebrity sex pictures, and so on...


Via Paulo Félix

Visual hacking exposed

While most security professionals focus on thwarting data breaches from cyber attacks, a new study exposes visual hacking, a low-tech method used to capture sensitive, confidential and private information for unauthorized use, as an under-addressed corporate risk.


A visual hacking experiment conducted by the Ponemon Institute on behalf of the Visual Privacy Advisory Council and 3M Company, found that in nearly nine out of ten attempts (88 percent), a white hat hacker was able to visually hack sensitive company information, such as employee access and login credentials, that could potentially put a company at risk for a much larger data breach.

During the study, a computer security expert specializing in penetration testing entered the offices of eight U.S.-based companies under the guise of a temporary or part-time worker. He attempted to visually retrieve sensitive or confidential information using three methods: walking through the office scouting for information in full view on desks, screens and other indiscrete locations; taking a stack of business documents labeled as confidential; and finally, using his smartphone to take a picture of confidential information displayed on a computer screen. All three of these tasks were completed in full view of other office workers.

The study revealed the following:

Visual hacking happens quickly: Companies can be visually hacked in a matter of minutes, with 45 percent occurring in less than 15 minutes and 63 percent of visual hacks occurring in less than a half hour.

Visual hacking generally goes unnoticed: In 70 percent of incidences, a visual hacker was not stopped by employees – even when using a cell phone to take a picture of data displayed on a screen. In situations when a visual hacker was stopped by an employee, the hacker was still able to obtain an average of 2.8 pieces of company information (compared to 4.3 when not stopped).

Multiple pieces of sensitive information were able to be visually hacked. During the study, an average of five pieces of information were visually hacked per trial, including employee contact lists (63 percent), customer information (42 percent) and corporate financials (37 percent), employee access & login information/credentials (37 percent) and information about employees (37 percent) during any given hack.

Unprotected devices pose the greatest opportunity for sensitive information to be visually hacked. 53 percent of information deemed sensitive (access or login credentials, confidential or classified documents, financial, accounting or budget information or attorney-client privileged documents) was gleaned by the visual hacker from the computer screen, greater than vacant desks (29 percent), printer bins (9 percent), copiers (6 percent) and fax machines (3 percent) combined.

Open floor plans pose a greater threat to visual privacy. In experimental trials completed in companies with an open-office layout, an average of 4.4 information types were visually hacked, while those conducted in a traditional office layout saw 3.0 information types visually hacked.

Unregulated functional areas were the most likely to experience a visual hack. On average, customer service roles consistently saw the highest number of visual hacks at 6.0, with communications at 5.6 and sales force management 5.2. Regulated functional areas like accounting & finance saw lower averages at 1.9, and legal at 1.0 experienced the least.

Visual hacking controls work. Companies that had relatively low visual hacking rates had more controls in place to protect against the threat than those without, such as mandatory training and awareness, clean desk policies, a document shredding process, a suspicious reporting process, and the use of privacy filters. For instance, in those companies that employed the use of privacy filters, 50 percent of trials saw three or fewer information types visually hacked, while 43 percent of companies that did not use privacy filters saw four or more information types visually hacked.

“Visual privacy is a security issue that is often invisible to senior management, which is why it often goes unaddressed,” says Mari Frank, attorney/mediator and privacy consultant/expert at Mari J. Frank, Esq. and Associates and member of the Visual Privacy Advisory Council. “This study helps to emphasize the importance of implementing a visual privacy policy, educating employees and contractors about how to be responsible with sensitive data they are handling, as well as equipping high-risk employees with the proper tools, such as privacy filters, to protect information as it is displayed.”


Via Paulo Félix

Prepare for faster, safer web browsing: The next-gen HTTP/2 protocol is done

The future of the web is almost ready for prime time.

Work on HTTP/2 by the Internet Engineering Task Force HTTP Working Group is finished, according to group chair Mark Nottingham, who made the announcement on his personal blog. HTTP/2 now has to go through the final editing process before it is published and becomes an official web standard.

The announcement comes a little more than a week after Google announced that it was discontinuing SPDY in favor of HTTP/2 inside Chrome. SPDY won’t fully disappear from Chrome until early 2016, while HTTP/2 support will roll out to Google’s browser in the coming weeks.

Why this matters: Since HTTP is part of the very foundation of the web, any changes that come to the protocol are a big deal. HTTP/2 promises to make response times faster for web clients (browsers) and reduce the load on servers. But it will take time for the new standard to roll out across the web and for all the kinks to get sorted out. As Nottingham explained in a blog post from 2014, “HTTP/2 isn’t magic Web performance pixie dust; you can’t drop it in and expect your page load times to decrease by 50%.”  Once server admins get the hang of HTTP/2, however, it should boost web performance.

HTTP/2 features

The biggest change with HTTP/2 is a new feature called multiplexing that, together with header compression, allows multiple server requests to be sent at the same time. HTTP/2 also uses fewer connections between server and client, and allows servers to push content straight to a browser.

That last bit is important since it can also improve load times. With “server push” a website could, for example, send a CSS stylesheet to the browser before it requests it—a logical move since the browser needs the CSS data to know how to lay out the page.

One thing that won’t be coming to HTTP/2, however, is mandatory SSL/TLS (HTTPS) encryption. That was the original plan back in late 2013, but it has since been scrapped. HTTP/2 will still make TLS encryption easier to implement, according to Nottingham, because the new protocol is designed to reduce the speed hits that sites usually take using HTTPS right now. But it won’t be a mandatory part of the new standard.

That said, TLS may still be sort of mandatory for sites that want to use HTTP/2. According to Nottingham, developers for Chrome and Firefox have said that the two popular browsers will only use HTTP/2 over TLS. That means site developers that don’t add TLS to an HTTP/2-enabled site won’t be able to use the new standard with two of the most popular browsers out there.

While the bulk of the work on HTTP/2 is done, the IETF HTTP WG isn’t going anywhere. In fact, it’s already looking ahead to the possibility of an HTTP/3, as well as improving current HTTP specs with other features like HTTP message signing for improved server-to-browser authentication.




LastPass Sounds Breach Alert

Warning to all LastPass users: Change your master password for the service now and ensure you're using multi-factor authentication. There has been a data breach that might allow attackers to crack master passwords and password reminders.


"Our team discovered and blocked suspicious activity on our network," reads a security notice from Joe Siegrist, the CEO of online password management service LastPass, which allows people to store multiple passwords inside a single, cloud-based password vault.


Siegrist says the intrusion was discovered June 12. "In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."


This is not the first time that LastPass has reported that passwords or data might have been hacked. In 2011, the firm reported finding a "traffic anomaly from one of our databases" that could have resulted in data exfiltration. In response, the firm said it took a number of steps to tighten security, including registering domains that might be used by phishing attackers, as well as removing non-core services from the LastPass network.


In the wake of this newly announced breach, Siegrist says that the company is "confident that our encryption measures are sufficient to protect the vast majority of users," noting that the site's techniques for creating users' authentication hashes - in essence, how their authentication credentials get protected - would make it very difficult for an attacker to crack those hashes "with any significant speed." But because that is a possibility, the company says it has now "locked down" all accounts, meaning that any attempt to access an account from a new device or IP address will require the user to first verify their identity via email, unless they're already using multi-factor authentication.


"We will also be prompting all users to change their master passwords," Siegrist says. "You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites." He adds that because encrypted user data wasn't stolen, users do not need to change the passwords for any sites stored inside their LastPass password vault.


LastPass also offers multi-factor authentication - including Google Authenticator, Yubikey and the Duo Security Authenticator - to safeguard accounts. And in the wake of the breach, multiple information security experts recommend that all LastPass users ensure that they are using this feature.

Rethink Password Reset Questions

"Should I panic because LastPass was hacked?" asks Robert David Graham, head of information security research firm Errata Security. "If you chose a long, non-dictionary password, nobody can crack it," he says, thanks to the way LastPass creates its hashing algorithms. "Conversely, if you haven't, then yes, you need to change it."


Some security experts, meanwhile, say that the biggest risk now facing LastPass users will be phishing attacks, especially because users' email addresses have been compromised. "LastPass is advising users to change the master password. While this is a good idea, it should not be the top priority," says Martin Vigo, a product security engineer for salesforce.com who's due to present the talk "Breaking Vaults: Stealing LastPass protected secrets" at the July Shakacon conference in Hawaii. "You should pay more attention to the password hint you set up and be on the lookout for any possible phishing email in the next weeks pretending to be LastPass."


Vigo says many users undercut their security by using password reminders - he recommends never using them, if possible - or else creating weak ones. "While the password reminder cannot be the password itself, it can contain it. This means that password reminders such as 'My password is correct horse battery staple' are possible," he says. "Other more common password reminders such as 'My dogs name' can help attackers guess your master password. Remember that they have your email, which leads to your Twitter, Facebook, etc., where possibly that information can be found."

Password Vaults: Pros and Cons

The LastPass breach begs the question of whether people should ever use password managers, a.k.a. password vaults. "If a crook gets hold of your master password, then that's like getting the crown jewels - because now the crook has access to all your accounts at once," says Paul Ducklin, a senior security adviser for anti-virus firm Sophos, in a blog post. As a result, some security experts decry their use, on the grounds that the password manager master password creates a potential single point of failure.


But many security experts, including Bruce Schneier, have long advocated using such tools, saying that it is much more likely that users will get hacked if they reuse passwords, or select weak ones, than have their encrypted password database stolen and cracked.

F-Secure security adviser Sean Sullivan, for example, has said he "can't imagine life" without using one, because such tools can ensure that a user only uses strong passwords, and never repeats them across sites. But Sullivan also takes certain precautions, such as never entering the master password for his password manager when he's using an untrusted system - such as the shared family PC at home - in case a keylogger might be in operation.

Cloud Versus PC-Based

Users can also choose between PC-based, cloud-based or hybrid password managers. Some encryption experts, such as Johns Hopkins cryptographer Matthew Green, have voiced concerns about the security of cloud-based password management services.


House OKs 2nd Cyberthreat Info-Sharing Bill

A second cyberthreat information sharing bill passed the House of Representatives on April 23. That measure, the National Cybersecurity Protection Advancement Act, now will be combined with the House Intelligence Committee's Protecting Cyber Networks Act, which passed on April 22, before it's sent to the Senate.

The National Cybersecurity Protection Act, which was approved by a 355-63 vote, provides businesses with liability protections if they share cyberthreat information with the federal government and other businesses. The bill designates the National Cybersecurity and Communications Integration Center as the portal for government and business to share data.

"Ultimately, this legislation will arm those who protect our networks with valuable cyber-threat indicators that they can use to fortify defenses against future attacks," said one of the bill's sponsors, Rep. John Ratcliffe, chairman of a House Homeland Security Committee subcommittee, which has cybersecurity oversight.

Supporters of cyberthreat information sharing legislation, including President Obama, say such a measure is needed because many businesses will not share information with the government unless they're protected from civil and criminal lawsuits resulting from the sharing of data. Both bills, and one approved by the Senate Intelligence Committee, would provide those liability safeguards.

The House-passed bills' supporters contend their measures protect citizens' privacy and liberties by requiring businesses to strip personally identifiable information from information to be shared. Language added to the National Cybersecurity Protection Advancement Act specifically says the shared data is to be used for cyberdefense only and cannot be used for intelligence or law enforcement purposes. Still, consumer advocacy groups contend the bill does not go far enough to prevent sharing of data for purposes other than cyberdefense.

The White House, in Statements of Administration Policies, has given both House-passed bills a lukewarm endorsement, but it made suggestions on changes it seeks, especially the narrowing of the liability protections the measures offer.

In the Senate, Majority Leader Mike McConnell said its version of cyberthreat information sharing legislation should come up for a vote shortly, but did not provide a specific date. If the Senate passes its own cyberthreat information sharing legislation, conferees from both chambers, weighing recommendations from the White House, will draft new language in hopes of winning the support of a majority of House and Senate lawmakers as well as the president.



House Panel Passes Cyberthreat Info Sharing Bill

After beating back amendments by Democratic members to limit liability protections for businesses, the House Homeland Security Committee on April 14 unanimously approved cyberthreat information sharing legislation on a voice vote.


The bill, sponsored by Committee Chairman Mike McCaul, R-Texas, now goes to the full House, where differences with another cyberthreat information sharing measure approved by the House Intelligence Committee last month will be worked out. House leaders indicated that the full House could vote on cyberthreat information sharing legislation as early as next week.


In the Senate, a version of its cyberthreat information sharing bill could come up for a vote shortly. Senate Majority Leader Mitch McConnell included the Cybersecurity Information Sharing Act passed last month by the Senate Intelligence Committee as among several bipartisan bills that the Senate is "working hard to advance."


The National Cybersecurity Protection Advancement Act of 2015, approved by the House Homeland Security Committee, provides many of the privacy and civil liberties protections sought by President Obama that were absent in earlier versions of cyberthreat information sharing legislation that passed the House and the White House had threatened to veto in the two previous congresses.

Limits Placed on Shared Data

The House committee approved one amendment that explicitly states that shared cyberthreat information processed through the National Cybersecurity and Communications Integration Center - known as NCCIC, the Department of Homeland Security portal - could not be used for law enforcement or intelligence purposes. Civil liberties groups have raised concerns that some cyberthreat information sharing bills could allow the use of collected cyberthreat data to spy on Americans, violating their privacy and liberties.


The legislation would require private companies to remove personally identifiable information unrelated to the cybersecurity risk before sharing information with the NCCIC or other private entities. It would also require the NCCIC to conduct a second scrub and destroy any personal information that is unrelated to the cybersecurity risk before further sharing with other government agencies or private organizations.


The aim of the cyberthreat information sharing legislation is to encourage businesses and other private organizations to voluntarily share threat data with the government and other businesses to mitigate damaging cyber-attacks. But some businesses are reluctant to share the information unless they are protected from legal actions, which led to the various provisions to offer liability protections.

Liability Provisions Remain Intact

The Democratic minority on the House Homeland Security Committee, along with the Obama administration, contend that the liability protections offered to businesses in the committee's bill were too broad, providing legal protections when not warranted. An amendment offered by Rep. Cedric Richmond, D-La., would have removed liability protection for businesses that received threat data but failed to act on it. "If you abide by the provisions of this act," Richmond said, "then you're exempt from liability. It's just that simple. Instead of adding all these other concepts to the liability language, if we take the time to pass a bill and you abide by it, you have liability exemption. If you don't, then you don't have exemption."


But the bill's cosponsor, Republican Rep. John Ratcliffe of Texas, said the broader liability protections in the bill are aimed to get the greatest number of businesses to participate in cyberthreat information sharing. "Stakeholders are concerned about putting their customers or consumers at risk, and their information at risk; they're concerned about exposing their own sensitive business information by sharing," Ratcliffe said. "And, they're also concerned about possibly violating federal privacy laws. Having strong liability protection is going to be absolutely critical and vital to the success of this bill, and the phraseology in this bill is absolutely critical and essential to that point."

The bill originally provided liability protection for businesses that conducted their network security awareness in "good faith," but the committee voted to excise those words from the measure because, as McCaul noted, the term is too ambiguous and could lead to confusion in enforcing the measure should it become law.

Awaiting Word from White House

The White House has not said whether it would support or veto any of the cyberthreat information sharing bills winding their way through Congress. Statements of Administration Policy, such as the ones containing the earlier veto threats, usually are issued shortly before one of the chambers is set to vote on the legislation.

After the committee vote, the Financial Services Roundtable called for swift floor action on the legislation. "Congressional action to better protect consumers from cyber-attacks is long overdue," said Tim Pawlenty, CEO of the Roundtable, a financial services industry advocacy group. "We applaud the House for addressing gaps in our nation's cybersecurity laws and urge both chambers of Congress to quickly put a bill on the president's desk."



Will Executive Order Impact Cybercrime?


President Obama on April 1 issued an executive order that allows the U.S. government to block or seize the assets of suspected "malicious cyber actors." But some legal and security experts already are questioning whether the order is legally defensible or will have any meaningful impact on either cybercrime or online espionage.


"There are so many problems with this," attorney Mark Rasch, a former U.S. Department of Justice official who created its computer crime unit, tells Information Security Media Group, citing, for example, the government's ability to presume someone is guilty, without first having to prove it. "In general, sanctions are a political tool for putting pressure on recalcitrant governments to change their ways, [but] these sanctions are a legal tool to impose punishment without trial on persons we believe to be criminals and hackers."


The Obama administration, however, says that the executive order - officially titled "Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities" - is necessary to give the U.S. government much-needed new legal tools in its fight against cybercrime and online espionage. The executive order represents the first time that the White House has authorized broad sanctions to be imposed specifically for cyber-attacks, and regardless of the location of whoever is behind the attacks.


"Our primary focus will be on cyberthreats from overseas," Obama writes on news website Medium. "In many cases, diplomatic and law enforcement tools will still be our most effective response. But targeted sanctions, used judiciously, will give us a new and powerful way to go after the worst of the worst."


The executive order authorizes the Secretary of the Treasury - in consultation with the Attorney General and the Secretary of State - to impose such sanctions "on individuals or entities that engage in malicious cyber-enabled activities that create a significant threat to the national security, foreign policy or economic health or financial stability of the United States," Obama says in an April 1 statement distributed by the White House.


While the executive order doesn't define "significant," it says sanctions can be imposed for a variety of reasons, for example, in response to attacks that target critical infrastructure, which disrupt networks - via distributed denial-of-service attacks, for instance - as well as for targeting or stealing trade secrets or personally identifiable information, and for computer crime in general.

Intent: To Fill Gaps

White House Cybersecurity Coordinator Michael Daniel says the executive order is meant to expand the "spectrum of tools" that the government can use to combat cyber-attacks, by supplementing current diplomatic, law enforcement, military, economic and intelligence capabilities.


"It is designed to fill in a gap that we have identified where individuals carrying out significant malicious cyber-attacks are located in places that it's difficult for our diplomatic and law enforcement tools to reach - whether because they're behind the borders of a country that has weak cybersecurity laws, or the government is complicit in or turning a blind eye to the activity that is happening, and we don't have good law enforcement relationships or other kinds of relationships," he said on an April 1 press call. "So what we're doing is putting in place a tool that will enable us to impose costs on those actors."


John Smith, the Treasury Department's acting director of the Office of Foreign Assets Control, or OFAC, which administers and enforces U.S. economic sanctions programs, said on the press call that the executive order elevates cyber-attacks to the realm of such activities as counterterrorism, narcotics trafficking and transnational crime, which the United States targets, regardless of where they're based. Smith says the administration is hoping that by designating cybercrime and online espionage in this manner, more countries will be spurred to put a stop to related activities inside their borders, or which touch their financial system.

Sony Hack Inspired Order

The Washington Post reports that the executive order has been under development for the past two years. But Daniel says the need for the executive order was highlighted after the president called for a "proportional response" to the hack attack against Sony Pictures. "That process informed us as we were finishing up this executive order and highlighted the need for us to have this capability and to have this tool."


The move follows another executive order, signed by the president in January, that imposed sanctions on 10 individuals and three entities associated with the North Korean government, after the FBI attributed the November 2014 hack and wiper malware attack against Sony Pictures Entertainment to "North Korea actors." But numerous information security experts have continued to question that attribution.

Questioning the Rationale

And some legal and security experts are now questioning the rationale behind the new executive order. "It's really built out of frustration, because the international legal process does not deal effectively with cybercrime," says Rasch, the former DOJ official. "So there's the urge to take the law into your own hands. Resist that urge."


Rasch adds that another problem with the executive order is that it's not aimed just at state sponsors - or nation-state-backed attackers - but anyone who the U.S. believes has broken the law. Furthermore, it allows the government to impose punishments, such as seizing U.S. citizens' assets, without any due process, or having to first prove the government's case.


The administration says that anyone who wants to contest sanctions that get imposed using this executive order can do so with OFAC, or by filing a lawsuit against the federal government.

Cybercrime Impact?

But will the executive order lead to any meaningful reduction in cybercrime or online espionage? "I'm somewhat skeptical, to say the least," Sean Sullivan, a security adviser for Helsinki, Finland-based anti-virus firm F-Secure, tells ISMG. "There's a great deal of Russian-speaker-based 'espionage as a service' that would be very difficult to do much about. And China seems even more of a challenge. But then again, maybe there are some officials who do actually have American assets to go after - New York real estate, for example."


James A. Lewis, a cyberpolicy expert at the Center for Strategic and International Studies, believes that the new program could have an impact, for example to combat Chinese-promulgated economic espionage. "You have to create a process to change the behavior of people who do cyber-economic espionage," he tells The Washington Post. "Some of that is to create a way to say it's not penalty free. This is an effective penalty. So it moves them in the right direction."

But Rasch thinks it's unlikely that the executive order would fulfill the stated White House purpose of deterring future cybercrime, espionage and large-scale attacks. "The rogues are not going to be deterred by this," he says. "The state sponsors are not going to be deterred by this."



Brave New World: The Future of Cyberspace & Cybersecurity


“Since this is a challenge that we can only meet together, I’m announcing that next month we’ll convene a White House summit on cybersecurity and consumer protection. It’s a White House summit where we’re not going to do it at the White House; we’re going to go to Stanford University. And it’s going to bring everybody together — industry, tech companies, law enforcement, consumer and privacy advocates, law professors who are specialists in the field, as well as students — to make sure that we work through these issues in a public, transparent fashion.” – President Barack Obama, Jan. 13, 2015.

The future of cyberspace and cybersecurity has been debated by many theorists, and academicians have rendered opinions and studies on the topic. Cyberspace and cybersecurity issues have retaken the center stage of national and homeland security discourse after having taken a sideline to the natural reaction against al-Qaida’s 9/11 attack on the homeland. Despite the renewed sense of purpose and the recognized need to mitigate the ills found in cyberspace, the issue of cybersecurity and the way ahead remain as unclear and obscure as when these same theorists and academicians were predicting an “electronic Pearl Harbor” in the 1990s and during the events leading up to the hype posed by the Y2K bug.

The Obama administration’s renewed sense of purpose in dealing with cybersecurity issues by calling for the Summit on Cybersecurity and Consumer Protection at Stanford University promises to reinvigorate the discussion on a vital topic of national security. That said, this initiative also sounds oddly familiar to similar initiatives from past administrations voicing similar concerns.

In Brave New World, Aldous Huxley portrayed a dystopian future where mankind was largely driven by the need for pleasure as a means to distract them from the weightier issues of their everyday lives. Huxley also stated one universal truism in that, “Most human beings have an almost infinite capacity for taking things for granted.”

In terms of cybersecurity, what have we taken for granted? The renewed focus on cyberspace and security issues, while laudable in the sense that it can promise a debate on issues that must be addressed, will ultimately fail if it does not fundamentally address the question: What are we taking for granted in terms of our understanding of cyberspace and cybersecurity? In other words, are we framing the current debate on flawed conceptions of the issue in general? Are our assumptions flawed? Without considering some of these questions, we risk missing the true and weightier questions that we need to address on an issue that is constantly changing in terms of its impact on humanity.

The question before us is a simple one, but harder in terms of envisioning or defining. As Anthony Codevilla and Paul Seabury clearly stated in their book War: Ends and Means: “Strategy is a fancy word for a road map for getting from here to there, from the situation at hand to the situation one wishes to attain.” While this does not mean that we need to quickly create another national strategy on cybersecurity or cyberspace with glossy photos and sweeping language that promises a utopian future, it does mean that we need to fundamentally address the more difficult question first, “What do we ultimately need to attain in terms of cybersecurity?”

In this sense, President Obama’s speech on the future of cyber issues is appropriately framed in that this really is a challenge that we can only meet together. Envisioning the future in a world that will become increasingly dominated by technology and the Digital Age also addresses the type of future that we want to create for subsequent generations. In short, what future are we giving our children and our grandchildren? While blatantly sophomoric, as a parent and grandparent, it also happens to be true.

By envisioning our future, we are forced to recognize where we are. The continued reports on data breaches, identity theft, insufficient cybersecurity protections for health care records, controversies over data retention by the U.S. government and private industry, terrorist recruitment via social media, and the implications of active targeting by foreign entities on U.S. intellectual property are just a few of the many concerns that define the cyberspace issue in the present age.

To date, we have embarked on a journey with no destination. We have not charted the course to take us to where we want to go. As such, while we must bring national security specialists, policy-makers, private industry, academicians and civil liberty advocates together, we also need to recognize that these issues are the result of failed initiatives and incremental approaches to the overall topic of cyberspace and cybersecurity in general. If this incremental approach to cybersecurity remains unchecked, our generation will be the first to face the brave new world of cyberspace defined by the nefarious drivers that are presently framing the topic. As the noted philosopher John Stuart Mill appropriately stated, “When we engage in a pursuit, a clear and precise conception of what we are pursuing would seem to be the first thing we need, instead of the last we are to look forward to.”

While the answers to this basic truism can take on a highly technical tone in terms of the development of cybersecurity standards, technologies and processes, the true nature of the answer centers on the ideals and cultural norms that we wish to preserve while advancing into the future that will be defined by technology. How do we preserve privacy in the Digital Age? What type of culture do we wish to establish for ourselves—innocent until proven guilty or questionable until we can verify who you are? What is the role of the government in terms of ensuring security and where does the responsibility for the private sector begin in terms of its obligation to protect its intellectual property?

The answers to these questions represent but a fraction of the answers that are necessary to define our future. The answers to these questions, however, are the ones that begin to define the parameters for how we get from here to there. The sooner we engage in this dialogue, the better off we will be in defining that future for subsequent generations.




Via Paulo Félix

Online trust is at the breaking point


IT security professionals around the globe believe the system of trust established by cryptographic keys and digital certificates, as well as the security of trillions of dollars of the world's economy, is at the breaking point.

For the first time, half of the more than 2,300 IT security professionals surveyed by The Ponemon Institute now believe the technology behind the trust their business requires to operate is in jeopardy. 100% of organizations surveyed had responded to multiple attacks on keys and certificates over the last two years.


Research reveals that over the next two years, the risk facing every Global 5000 enterprise from attacks on keys and certificates is at least $53 million USD, an increase of 51 percent from 2013. For four years running, 100 percent of the companies surveyed said they had responded to multiple attacks on keys and certificates, and vulnerabilities have taken their toll.

"The overwhelming theme in this year's report is that online trust is at the breaking point. And it's no surprise. Leading researchers from FireEye, Intel, Kaspersky, and Mandiant, and many others consistently identify the misuse of keys and certificates as an important part of APT and cybercriminal operations," said Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi. "Whether they realize it or not, every business relies upon cryptographic keys and digital certificates to operate. Without the trust established by keys and certificates, we'd be back to the Internet 'stone age' – not knowing if a website, device, or mobile application can be trusted."

As risk increases, so does the number of keys and certificates: Over the last two years, the number of keys and certificates deployed on infrastructure such as web servers, network appliances, and cloud services grew more than 34 percent to almost 24,000 per enterprise. The use of more keys and certificates makes them a better target for attack. Stolen certificates sell for almost $1000 on underground marketplaces, and doubled in price in just one year. Researchers from Intel believe hacker interest is growing quickly.

Organizations are more uncertain than ever about how and where they use keys and certificates: Now 54 percent of organizations admit to not knowing where all keys and certificates are located and how they're being used. This leads to the logical conclusion: how can any enterprise know what's trusted or not?

Security pros worry about a Cryptoapocalypse-like event: A scenario where the standard algorithms of trust like RSA and SHA are compromised and exploited overnight is reported as the most alarming threat. Instantly transactions, payments, mobile applications, and a growing number of Internet of Things could not be trusted. Coined by researchers at Black Hat 2013, a Cryptoapocalypse would dwarf Heartbleed in scope, complexity, and time to remediate.

The misuse of enterprise mobile certificates is a lurking concern: The misuse of enterprise mobility certificates used for applications like WiFi, VPN, and MDM/EMM is a growing concern for security professionals. Misuse of enterprise mobility certificates was a close second to a Cryptoapocalypse-like event as the most alarming threat. Incidents involving enterprise mobility certificates were assessed to have the largest total impact, over $126 million, and the second largest risk. With a quickly expanding array of mobile devices and applications in enterprises, it's no wonder why security pros are so concerned.

"With the rising tide of attacks on keys and certificates, it's important that enterprises really understand the grave financial consequences. We couldn't run the world's digital economy without the system of trust they create," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. "This research is incredibly timely for IT security professionals everywhere – they need a wake up call like this to realize they can no longer place blind trust in keys and certificates that are increasingly being misused by cybercriminals."


Via Paulo Félix

'Freak' Flaw Also Affects Windows


Microsoft is warning that all Windows operating systems are at risk from the vulnerability known as Freak, for "Factoring RSA-EXPORT Keys." The flaw exists in SSL, which is used to secure online communications, and could be abused by an attacker to force crypto suites to downgrade from using a "strong" RSA cipher to a weaker, "export-grade" RSA cipher.

A new Microsoft security advisory (KB3046015) warns that Secure Channel, or Schannel, which encrypts traffic and transactions on most Windows platforms, is at risk from the Freak flaw.


"Microsoft is aware of a security feature bypass vulnerability in Secure Channel that affects all supported releases of Microsoft Windows," the alert says. "Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system."

As yet, there's no patch available for vulnerable Windows systems, although information security experts say they expect Microsoft to release related fixes quickly. In the interim, Microsoft has detailed a temporary workaround that can be used for most Windows systems. "You can disable the RSA key exchange ciphers in Windows Vista and later systems by modifying the SSL Cipher Suite order in the Group Policy Object Editor," it says. But it warns: "Windows will fail to connect to systems that do not support any of the ciphers listed in the workaround."

To date, however, there's no fix or workaround available for Windows Server 2003. "The cipher management architecture on Windows Server 2003 does not allow for the enabling or disabling of individual ciphers," Microsoft says.

Risks to Apple, Android, Cloud

After quietly warning security vendors, government agencies and other organizations in recent weeks, security researchers first sounded a public alert about the Freak vulnerability on March 3. They've warned that the vulnerability exists in versions of OpenSSL prior to 1.0.1k, all Android devices that ship with the standard browser, as well as in Apple SSL/TLS clients, which are used by both Mac OS X clients and iOS mobile devices, among other operating systems. The vulnerability has been designated as CVE-2015-0204.

The Freak flaw could be exploited to downgrade a browser or other client's Internet connection from a relatively secure cipher, to an outdated - and weak - "export cipher," which attackers could then crack, allowing them to intercept communications or inject attack code into browsers. "What Freak allows you to do is, if you can break the RSA export-strength key, then you can provide a 'valid' certificate for a man-in-the-middle attack," says Gavin Millard, technical director for Europe, the Middle East, and Africa at Tenable Network Security. Tenable, which sells the widely used Nessus vulnerability scanner, has released a Nessus plug-in that will scan for Windows clients and servers that are vulnerable to Freak.

No Attacks Seen

But to date, there have been no signs that the Freak flaw has ever been exploited in the wild - against Windows servers and systems, or any other device. "The reality is, it's still really difficult to do - to break a key, it would still take a few hours or $100 of Amazon EC2 time," Millard says, referring to Amazon's Elastic Compute Cloud, which offers on-demand processing power. "There are so many other ways to break into a site. Hackers are smart; they don't use a sledgehammer to crack a walnut."

Still, related vulnerabilities remain widespread. The Freak Attack website, which is run by researchers at the University of Michigan, has been tracking the extent of the Freak vulnerability. The site reports that as of March 6, 9.5 percent of the websites on the Alexa index of the 1 million most popular top-level domains remained vulnerable to Freak, although that was a decrease from 12.2 percent of all such sites when the Freak vulnerability was first publicized on March 3. But 37 percent of all HTTPS servers with browser-trusted certificates remained vulnerable to Freak, as did 26 percent of all HTTPS servers, and neither of those statistics had declined since Freak was first publicized, the researchers say.

As of March 6, the Freak Attack website reported that the following client software remained vulnerable to the Freak flaw:

  • Internet Explorer
  • Chrome on Mac OS (patch available now)
  • Chrome on Android
  • Safari on Mac OS (patch due week of March 9)
  • Safari on iOS (patch due week of March 9)
  • Stock Android Browser
  • BlackBerry Browser
  • Opera on Mac OS
  • Opera on Linux

Cloud security firm Skyhigh Networks reported that as of March 4, 766 cloud providers also remained unpatched against the vulnerability, thus leaving their users at risk. "These services include some of the leading backup, HR, security, collaboration, CRM, ERP, cloud storage, and backup services," Sekhar Sarukkai, vice president of engineering at Skyhigh, says in a March 5 blog post. Across the company's 350 customers, meanwhile, he reports that 99 percent use at least one cloud provider that's vulnerable to the Freak flaw, while the average company uses 122 vulnerable services.

Don't Freak: How to Mitigate

The Freak Attack site says that to mitigate the vulnerability, anyone running a server "should immediately disable support for TLS export cipher suites," and that anyone who uses a browser should ensure that they have the latest version installed, and keep checking for new upgrades, since all major browsers should soon see a fix.

Finally, Freak Attack recommends that all systems administrators and developers ensure that their TLS libraries are fully updated. "Both OpenSSL and Microsoft Schannel are known to be vulnerable," it says. "Note that these libraries are used internally by many other programs." The site offers a number of tools that can be used to test for related flaws.
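An added example, not from the article or the Freak Attack site's tools, of checking that a server really has export suites disabled: it classifies the first TLS record a server returns to a test ClientHello that offered only export suites. The function names are hypothetical, the sample replies are constructed bytes, and sending the test ClientHello is left to whatever TLS testing tool is in use.

```python
import struct

# Export-grade cipher suites defined in RFC 2246 (TLS 1.0), keyed by suite ID.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
# The RSA key-exchange subset: the "export-grade RSA" that Freak downgrades to.
RSA_EXPORT_IDS = {0x0003, 0x0006, 0x0008}

CONTENT_ALERT = 21           # TLS record content type: alert
CONTENT_HANDSHAKE = 22       # TLS record content type: handshake
HANDSHAKE_SERVER_HELLO = 2   # handshake message type: ServerHello


class TLSParseError(ValueError):
    """Raised when the reply is not a well-formed alert or ServerHello record."""


def parse_server_reply(data: bytes) -> dict:
    """Parse the first TLS record of a server reply (alert or ServerHello)."""
    if len(data) < 5:
        raise TLSParseError("truncated record header")
    content_type, _version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise TLSParseError("truncated record body")
    if content_type == CONTENT_ALERT:
        if length < 2:
            raise TLSParseError("truncated alert")
        return {"kind": "alert", "level": body[0], "description": body[1]}
    if content_type != CONTENT_HANDSHAKE:
        raise TLSParseError("unexpected content type %d" % content_type)
    if len(body) < 4 or body[0] != HANDSHAKE_SERVER_HELLO:
        raise TLSParseError("first handshake message is not a ServerHello")
    msg_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + msg_len]
    if len(hello) != msg_len:
        raise TLSParseError("ServerHello split across records")
    # Layout: server_version(2) random(32) session_id_len(1) session_id
    #         cipher_suite(2) compression_method(1) [extensions]
    if len(hello) < 35:
        raise TLSParseError("ServerHello too short")
    offset = 35 + hello[34]
    if len(hello) < offset + 3:
        raise TLSParseError("ServerHello truncated before cipher suite")
    suite = int.from_bytes(hello[offset:offset + 2], "big")
    return {"kind": "server_hello", "suite": suite}


def assess_export_probe(reply: bytes) -> str:
    """Verdict on a reply to a ClientHello that offered only export suites."""
    parsed = parse_server_reply(reply)
    if parsed["kind"] == "alert":
        return "refused"                  # server declined every export suite
    if parsed["suite"] in RSA_EXPORT_IDS:
        return "rsa-export-accepted"      # the suite family Freak relies on
    if parsed["suite"] in EXPORT_SUITES:
        return "export-accepted"          # other export-grade suite still on
    return "non-export-selected"          # server chose a suite not on the list


def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Build a constructed TLS 1.0 ServerHello record (sample data only)."""
    hello = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
             + suite.to_bytes(2, "big") + b"\x00")
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed alert record: level fatal (2), description handshake_failure (40).
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"

if __name__ == "__main__":
    samples = {
        "server A": build_server_hello(0x0003),
        "server B": build_server_hello(0x0014, b"\xaa" * 32),
        "server C": SAMPLE_ALERT,
    }
    for name, reply in samples.items():
        print(name, assess_export_probe(reply))
```

A "refused" verdict is the state the Freak Attack recommendation aims for; either "accepted" verdict means export suites are still enabled on the server.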

This is not the first time that the Microsoft Schannel has been at risk from a newly discovered vulnerability. In particular, a zero-day vulnerability in Schannel was discovered in November 2014. Before that, Schannel was at risk from the so-called POODLE flaw - first publicly revealed Oct. 14 - in SSL, and which was later found in TLS. The flaw could be exploited to intercept and read encrypted Internet communications, steal session cookies and impersonate users.



Despite High-Profile Data Breaches, Fraud is Down

Home Depot, Staples, Neiman Marcus — 2014 was a blockbuster year for high-profile data breaches, with at least $16 billion stolen from a reported 12.7 million fraud victims.

But those numbers are actually an improvement, according to a new study by Javelin Strategy & Research. Last year, the amount of money lost to fraud dropped 11 percent, down from $18 billion in 2013. And in 2012, the amount was even higher, at $21 billion.

The number of victims is down too, dipping 3 percent in 2014.

Though hacks appear to be growing in size and targeting larger retailers, financial institutions have also gotten better at performing triage after such an attack occurs.

“The combined efforts of industry, consumers, and monitoring and protection systems that are catching fraud more quickly helped reduce the incidence of fraud and the amount stolen over the past year,” said Al Pascual, director of fraud and security at Javelin, a consulting firm that analyzes consumer transactions. “When detected, fraud is being resolved quicker than ever before.”

After 110 million credit card numbers were stolen in the December 2013 Target breach, for example, banks went on the offensive, spending more than $200 million to replace consumer credit and debit cards.

In 2014, 1 in 4 consumers received data breach notifications, but a smaller proportion of those people became fraud victims than in 2013. Last year, fraud incidents among notified breach victims dropped 17 percentage points to 13.7 percent, the lowest rate since Javelin began conducting its annual study in 2004.

The report hypothesized that the huge number of data breaches in 2014 may have spurred banks and retailers to take such attacks more seriously, driving down the incidents of fraud. Improvements in technology that can help detect fraud also contributed to the decline, the report said.

Pascual warned that despite dropping reports of fraud, consumers should still be wary of identity theft.

“We have seen declines in the past, but they have reversed as fraudsters try new approaches or when new technologies make it easier for fraudsters to get consumer information,” he said.

For instance, while new-account fraud (in which a fraudster uses stolen information to open an account in a victim’s name) reached record lows in 2014 according to the Javelin report, this year such incidents have increased due to security weaknesses in Apple’s new mobile payments system, Apple Pay.

In the Javelin report, 13 percent of victims of new-account fraud did not detect the identity theft for more than a year.

Though 2014’s number of victims was down, 2013 had the second-highest number of identity theft victims since Javelin began its annual study.

In the end, said Pascual, more breaches will result in more victims of identity theft. In 2014, two-thirds of identity fraud victims had previously received a data breach notification that year.

“This is a long, drawn-out battle against identity thieves,” he said. “While there have been some victories this year, there have also been some discouraging setbacks. It really reinforces why we need the combined efforts of industry, consumers, and monitoring and protection systems working together to continue the downward trend.”


Via Paulo Félix

How the NSA’s Firmware Hacking Works and Why It’s So Unsettling

How the NSA’s Firmware Hacking Works and Why It’s So Unsettling | IT Support and Hardware for Clinics | Scoop.it
One of the most shocking parts of the recently discovered spying network Equation Group is its mysterious module designed to reprogram or reflash a computer hard drive’s firmware with malicious code. The Kaspersky researchers who uncovered this said its ability to subvert hard drive firmware—the guts of any computer—“surpasses anything else” they had ever seen.The hacking tool, believed to be a product of the NSA, is significant because subverting the firmware gives the attackers God-like control of the system in a way that is stealthy and persistent even through software updates. The module, named “nls_933w.dll”, is the first of its kind found in the wild and is used with both the EquationDrug and GrayFish spy platforms Kaspersky uncovered.It also has another capability: to create invisible storage space on the hard drive to hide data stolen from the system so the attackers can retrieve it later. This lets spies like the Equation Group bypass disk encryption by secreting documents they want to seize in areas that don’t get encrypted.Kaspersky has so far uncovered 500 victims of the Equation Group, but only five of these had the firmware-flashing module on their systems. The flasher module is likely reserved for significant systems that present special surveillance challenges. Costin Raiu, director of Kaspersky’s Global Research and Analysis Team, believes these are high-value computers that are not connected to the internet and are protected with disk encryption.Here’s what we know about the firmware-flashing module.How It WorksHard drive disks have a controller, essentially a mini-computer, that includes a memory chip or flash ROM where the firmware code for operating the hard drive resides.When a machine is infected with EquationDrug or GrayFish, the firmware flasher module gets deposited onto the system and reaches out to a command server to obtain payload code that it then flashes to the firmware, replacing the existing firmware with a malicious one. 
The researchers uncovered two versions of the flasher module: one that appears to have been compiled in 2010 and is used with EquatinoDrug and one with a 2013 compilation date that is used with GrayFish.The Trojanized firmware lets attackers stay on the system even through software updates. If a victim, thinking his or her computer is infected, wipes the computer’s operating system and reinstalls it to eliminate any malicious code, the malicious firmware code remains untouched. It can then reach out to the command server to restore all of the other malicious components that got wiped from the system.Even if the firmware itself is updated with a new vendor release, the malicious firmware code may still persist because some firmware updates replace only parts of the firmware, meaning the malicious portions may not get overwritten with the update. The only solution for victims is to trash their hard drive and start over with a new one.The attack works because firmware was never designed with security in mind. Hard disk makers don’t cryptographically sign the firmware they install on drives the way software vendors do. Nor do hard drive disk designs have authentication built in to check for signed firmware. This makes it possible for someone to change the firmware. And firmware is the perfect place to conceal malware because antivirus scanners don’t examine it. There’s also no easy way for users to read the firmware and manually check if it’s been altered.The firmware flasher module can reprogram the firmware of more than a dozen different hard drive brands, including IBM, Seagate, Western Digital, and Toshiba.“You know how much effort it takes to land just one firmware for a hard drive? You need to know specifications, the CPU, the architecture of the firmware, how it works,” Raiu says. 
The Kaspersky researchers have called it “an astonishing technical accomplishment and is testament to the group’s abilities.”

Once the firmware is replaced with the Trojanized version, the flasher module creates an API that can communicate with other malicious modules on the system and also access hidden sectors of the disk where the attackers want to conceal data they intend to steal. They hide this data in the so-called service area of the hard drive disk where the hard disk stores data needed for its internal operation.

Hidden Storage Is the Holy Grail

The revelation that the firmware hack helps store data the attackers want to steal didn’t get much play when the story broke last week, but it’s the most significant part of the hack. It also raises a number of questions about how exactly the attackers are pulling this off. Without an actual copy of the firmware payload that gets flashed to infected systems, there’s still a lot that’s unknown about the attack, but some of it can be surmised.

The ROM chip that contains the firmware includes a small amount of storage that goes unused. If the ROM chip is 2 megabytes, the firmware might take up just 1.5 megabytes, leaving half a megabyte of unused space that can be employed for hiding data the attackers want to steal.

This is particularly useful if the computer has disk encryption enabled. Because the EquationDrug and GrayFish malware run in Windows, they can grab a copy of documents while they’re unencrypted and save them to this hidden area on the machine that doesn’t get encrypted.
There isn’t much space on the chip for a lot of data or documents, however, so the attackers can also just store something equally as valuable to bypass encryption.

“Taking into account the fact that their GrayFish implant is active from the very boot of the system, they have the ability to capture the encryption password and save it into this hidden area,” Raiu says.

Authorities could later grab the computer, perhaps through border interdiction or something the NSA calls “customs opportunities,” and extract the password from this hidden area to unlock the encrypted disk.

Raiu thinks the intended targets of such a scheme are limited to machines that are not connected to the internet and have encrypted hard drives. One of the five machines they found hit with the firmware flasher module had no internet connection and was used for special secure communications.

“[The owners] only use it in some very specific cases where there is no other way around it,” Raiu says. “Think about Bin Laden who lived in the desert in an isolated compound—doesn’t have internet and no electronic footprint. So if you want information from his computer how do you get it? You get documents into the hidden area and you wait, and then after one or two years you come back and steal it. The benefits [of using this] are very specific.”

Raiu thinks, however, that the attackers have a grander scheme in mind. “In the future probably they want to take it to the next level where they just copy all the documents [into the hidden area] instead of the password. [Then] at some point, when they have an opportunity to have physical access to the system, they can then access that hidden area and get the unencrypted docs.”

They wouldn’t need the password if they could copy an entire directory from the operating system to the hidden sector for accessing later. But the flash chip where the firmware resides is too small for large amounts of data. So the attackers would need a bigger hidden space for storage.
Luckily for them, it exists. There are large sectors in the service area of the hard drive disk that are also unused and could be commandeered to store a large cache of documents, even ones that might have been deleted from other parts of the computer. This service area, also called the reserved area or system area, stores the firmware and other data needed to operate drives, but it also contains large portions of unused space.

An interesting paper (.pdf) published in February 2013 by Ariel Berkman, a data recovery specialist at the Israeli firm Recover, noted “not only that these areas can’t be sanitized (via standard tools), they cannot be accessed via anti-virus software [or] computer forensics tools.”

Berkman points out that one particular model of Western Digital drives has 141 MB reserved for the service area, but only uses 12 MB of this, leaving the rest free for stealth storage.

Writing or copying data to the service area requires special commands that are specific to each vendor and are not publicly documented, so an attacker would need to uncover what these are. But once they do, “[b]y sending Vendor Specific Commands (VSCs) directly to the hard-drive, one can manipulate these [service] areas to read and write data that are otherwise inaccessible,” Berkman writes. It is also possible, though not trivial, to write a program to automatically copy documents to this area. Berkman himself wrote a proof-of-concept program to read and write a file of up to 94 MB to the service area, but the program was a bit unstable and he noted that it could cause some data loss or cause the hard drive to fail.

One problem with hiding large amounts of data like this, however, is that its presence might be detected by examining the size of the used space in the service area. If there should be 129 MB of unused space in this sector but there’s only 80 MB, it’s a dead giveaway that something is there that shouldn’t be.
But a leaked NSA document that was written in 2006 but was published by Der Spiegel last month suggests the spy agency might have resolved this particular problem.
Via Paulo Félix

President Signs Executive Order for Unity in Cybersecurity


Executive Order to Promote Cyberthreat Info Sharing

Key Takeaway: President Obama, last Friday, signed an executive order to promote more information sharing about cyberthreats – both within the private sector and between the government and private sector.

Why it Matters: This is the latest in a series of steps taken by the Obama administration to focus on cybersecurity, going back to February 2013. When viewed alongside congressional efforts, there appears to be consensus on a number of items – including the need to bolster information sharing organizations and develop information sharing protocols.

Last week, President Obama signed an executive order (EO) promoting private sector cybersecurity information sharing during the first White House summit on Cybersecurity and Consumer Protection at Stanford University.  According to the EO, “The purpose of this order is to encourage the voluntary formation of such organizations, to establish mechanisms to continually improve the capabilities and functions of these organizations, and to better allow these organizations to partner with the Federal Government on a voluntary basis.”

The main provisions of the EO direct the Department of Homeland Security to encourage the development and formation of private-sector or non-profit sector Information Sharing and Analysis Organizations (ISAOs) and task the National Cybersecurity and Communications Integration Center (NCCIC) with coordinating ISAOs.  A second provision of the EO tasks the Secretary of Homeland Security with entering into an agreement with a nongovernmental organization to serve as the ISAO Standards Organization which “shall identify a common set of voluntary standards or guidelines for the creation and functioning of ISAOs under this order.”  The Standards Organization is tasked to develop:

  • Standards to further robust information sharing related to cybersecurity risks and incidents with ISAOs and among ISAOs and to foster development and adoption of automated mechanisms for information sharing;
  • Baseline standards that ISAOs should possess and be able to demonstrate;
  • The standards will also touch on contractual agreements, business processes, operating procedures, technical means, and privacy protections, such as minimization, for ISAO operation and ISAO member participation.



Yes, You Can Afford a Hacker

Want to break into your partner’s email? Got a few hundred bucks lying around? You can afford your very own hacker.

If you’re looking to break into someone’s email account or snag a few compromising photos stored in the cloud, where would you go? Craigslist, of course.

“I am looking for someone who can get into a database to retrieve a few photos. Someone who is a genius at computers,” read a recent post. And it doesn’t stop there.

You can post “How do I get the password for my ex-girlfriend’s hotmail account?” or just “Need a computer hacker for a job!” on an online forum and just wait for people to respond, says Tyler Reguly, manager of security research at Tripwire. Then you just sit back and wait for the replies to roll in and strike a deal.

It’s that easy to hire a hacker.

Cybercrime used to be limited to the shadowy corners of the Internet and secret black market forums, but now these transactions are taking place on websites that millions of people use every day. Googling “hacker for hire” returns more than 1.6 million results. And for the slightly more tech-savvy, new marketplaces such as hackerslist.com, hackerforhire.org, and neighborhoodhacker.com provide a safe meeting place for hackers and those seeking their services. You can even leave Yelp-style feedback on forums like hackerforhirereview.com.

“It’s frightening that people have no qualms asking” for hacking in the same way they would ask someone to shovel snow from their driveway, Reguly says.

Black market websites have long offered a wide array of services for would-be cybercriminals—customized malware, carder forums selling stolen payment card details and cloned credit cards, exploit kits and other toolkits to craft campaigns, denial-of-service attack tools, and botnet rentals—at fairly affordable prices. Most of the sites accept the cryptocurrency Bitcoin, to keep transactions anonymous. Some sites welcome new users and others have strict membership requirements, but in general, these forums and stores are public, transparent, and easy to find, says Daniel Ingevaldson, CTO of Easy Solutions, a fraud detection company.

“It’s really hard to get in trouble for doing this, so there is no reason to hide,” Ingevaldson says. “It will take you only a few minutes to find it, even if you don’t know what you are doing.”

Hacking used to be thought of as a financial crime, but today’s hackers-for-hire will take personal jobs. Instead of offering botnets with hundreds or thousands of compromised machines or stolen payment card information, these sites target a much broader market. Offerings include breaking into email and social media accounts or hacking into online databases and services, says Grayson Milbourne, the security intelligence director at Webroot. Some sites may offer escrow accounts, letting customers transfer funds in and paying the hacker only after the service is complete. Prices vary, but usually range between $100 and $3,000, making these services “within reach of most,” he says.

That Craigslist ad for retrieving some photos off the database offered $500 for the gig.

If you’re willing to tread these muddy waters, finding a hacker is easy and just a simple Google search away.

That society doesn’t seem to care about this kind of hacking is “disconcerting,” Reguly says, noting that many people don’t view stealing digital assets as a real crime. The disconnect between the physical and digital worlds remains very strong, even as people’s offline and online lives merge.

The same person who would be upset when thieves steal credit card numbers would not consider breaking into email or Facebook accounts as serious, he said.

And some customers feel they deserve what they’re paying for or that they’re righting some wrong. A PhD student angry that his research paper has been posted without his permission on other sites might hire someone to make sure people can't search or link to those pirated copies. A mother might want someone to break into her son’s Facebook account and install something on his phone that would let her intercept both incoming and outgoing phone calls, text messages, and pictures.

Even though it’s relatively affordable, hiring a hacker for personal use is a risky business, Milbourne says.

Is there honor among thieves? There is no way to make sure the hacker will stop where you’ve told him or her to once they’ve done the job. That mom may receive her son’s Facebook password, but she can never be sure the hacker won’t use the information to steal her son’s identity, or to trick him into downloading a banking Trojan on the family computer to steal her bank account information.

The legal issues surrounding these transactions are murky.

The activities being posted online are criminal, but who is supposed to prosecute them? Hacking is a global service—the providers can be based anywhere in the world and out of U.S. jurisdiction. The customer looking for the services doesn’t need to know, and probably doesn’t even care, where the service is coming from. And the sellers know the odds of law enforcement coming after them are very low.

“Getting arrested is out of their realm of experience for what can possibly happen,” Ingevaldson said. “None of their friends have been arrested.”

Hacker-for-hire sites may or may not be breaking the law—no one has tested those limits yet. And mainstream sites such as Craigslist act as just a marketplace connecting buyers and sellers and so far have claimed they are not responsible for any resulting illegal activities.

“It should be simple … hacking into someone’s email is a crime, so discussing that with someone and paying them to do it should, therefore, be conspiracy to commit a crime,” Reguly says.

The recent proposals from the White House to amend the Racketeer Influenced and Corrupt Organizations Act—originally designed to prosecute the Mafia and gangs—to include hacking may change things. If RICO can be applied to cybercrime, just being in the same chatroom or forum as a hacker may make the person an accomplice.


“At this point, our lives are digital, the bits and bytes traversing the wires are as much a part of us as the clothes we choose to wear and the cards we carry in our wallets,” Reguly says. This means people have to protect their digital assets just as they take care of themselves in the physical world. “To make a mockery of that with sites like this is a great example of the decay of society.”


Via Roger Smith, Paulo Félix

Ramping Up Automobile Cybersecurity


In late 2014, signs emerged that the automobile industry was taking the first steps toward addressing cybersecurity and privacy risks.


For instance, General Motors hired its first chief product cybersecurity officer, and the automobile industry set up an automobile Information Sharing and Analysis Center to collect and share information about cyber-related threats and vulnerabilities in motor vehicle electronics.


Heading into 2015, efforts to mitigate cybersecurity and privacy risks affecting automobiles continue to gain traction. Recently, Senator Edward Markey, D-Mass., issued a report detailing various automobile security and privacy vulnerabilities. Then, on Feb. 11, Markey confirmed that he, along with Senator Richard Blumenthal, D-Conn., will introduce legislation that would direct the National Highway Traffic Safety Administration and the Federal Trade Commission to establish federal standards for improving the security of vehicles and protecting drivers' privacy.

"We need the electronic equivalent of seat belts and airbags to keep drivers and their information safe in the 21st century," Markey says.

The senators' efforts come after auto manufacturer BMW recently addressed a potential security gap affecting data transmissions to and from the company's connected vehicles via the mobile phone network.

But while early steps are being taken by the industry to get on top of the risks, progress around securing automobiles may not come as quickly as some would hope. "Sure, proof of concept exploits are there - and they are real - but there is not even a semblance of exploitation by the criminals in the wild," says Anton Chuvakin, research vice president for security and risk management at Gartner.

"We do have a chance to prepare for this now by starting early with car and other device security," he says. "However, the history of information security teaches us that we probably won't. Today the threat is mostly 'not' real, but all signs point that it will become real."

Key Risks

Chris Valasek, director of vehicle security research at IOActive, a computer security services firm, has researched cyber vulnerabilities in automobiles through funding from the Cyber Fast Track initiative from the Defense Advanced Research Projects Agency, or DARPA.

Based on his research, Valasek says hackers could gain access to a vehicle's systems and potentially take private information, such as GPS coordinates or the driver's username and password for various in-car applications. Also, cybercriminals potentially could obtain control of computers within the car that operate certain features, such as cruise control, Valasek says.

"[Through our research], we showed that if you're on the car's computer network, you could send messages to completely stop the car and immobilize it," he says. "If an attacker found a way to break in remotely - through Bluetooth, cellular or an application - and was able to be on the right portion of the car's network, they could stop the car, disengage brakes or steer the steering wheel."

Down the road, automakers also need to worry about the potential cyberthreats concerning so-called "autonomous" or driverless vehicles now in development, says Stephen Wu, an attorney at the Silicon Valley Law Group, who has been researching the legal concerns regarding autonomous driving. "If cars crash because of information security vulnerabilities, it could lead to liability for the manufacturers," he says. "They need not only be concerned about safety, but also the governance of information security, privacy and the management of information that's being generated and communicated by cars."

Security Gaps Remain

The recent report from Senator Markey is based on a survey of 16 major automobile manufacturers about how vehicles may be vulnerable to hackers and how driver information is collected and protected.

Among the findings:

  • Nearly 100 percent of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions;
  • Most automobile manufacturers were unaware of or unable to report on past hacking incidents;
  • Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across the different manufacturers;
  • Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real time, and most said they rely on technologies that cannot be used for this purpose at all.

Valasek at IOActive says the biggest takeaway from the report is how most of the manufacturers couldn't answer many questions. "This means that not only are they behind on their security efforts, but probably don't have a good idea of the attack landscape or where to start," he says.

Legislation

The new legislation proposed by Markey would include three key requirements:

  • All wireless access points in cars must be protected against hacking attacks and evaluated using penetration testing;
  • All collected information must be appropriately secured and encrypted to prevent unwanted access; and
  • The manufacturer or third-party feature provider must be able to detect, report and respond to real-time hacking events.

To address privacy issues, Markey is seeking a transparency requirement that drivers be made explicitly aware of data collection, transmission and use. He also wants consumers to have the ability to choose whether data is collected, without having to disable navigation. And he's seeking prohibition of the use of personal driving information for advertising or marketing purposes.

"In essence, the proposed legislation codifies what have been best practices in privacy and security for years," says Scot Ganow, a privacy and security attorney at the law firm Faruki Ireland and Cox PLL.

But that doesn't mean the proposed law won't face challenges similar to those that have arisen in previous failed attempts to adopt federal data breach legislation, Ganow says. "As with all laws seeking to regulate commerce and, in particular, the flow of information, the struggle will exist over balancing appropriate regulation while not choking innovation and corporate independence."

Proactive Approach

As the security and privacy landscape around automobiles continues to take shape, manufacturers can start taking the necessary steps to get ahead of the challenge before it becomes a real problem.

Right now, hacking a vehicle is still very hard and very expensive, Valasek says. "That's not to say that won't change in the future. But you want to start implementing security measures before there is an actual problem."

Valasek argues that manufacturers "will have to accept that security is required as part of the process and not an after-thought. Only then can we truly talk about mitigating risks."

In addition, automakers should hire more cybersecurity experts and attempt to integrate security into the automotive software development lifecycle, says Ben Johnson, chief security strategist at Bit9 + Carbon Black, an endpoint security firm. "Immediately, I would be hiring penetration-testers and security consultants to do as much assessment and analysis of the existing systems as possible," he says.

It may also be in the best interest of the automobile industry - and consumers - if manufacturers adopt a model similar to PCI-DSS, the independently developed standards in the payments card industry, says Andreas Mai, director for smart connected vehicles at Cisco. "If an independent body devised a list of security features and controls that a vehicle and its computer systems should have, and the body audited vehicles for adherence, even if it was voluntary, like Consumer Reports, it would at least provide consumers with the notion someone has looked at security and provide a baseline level of confidence," he says.


Secunoid's curator insight, February 19, 2015 1:52 PM

The next frontier to keep an eye out for from a security perspective: automobiles.

Sandesh's curator insight, March 23, 2015 9:55 AM

They have introduced the cybersecurity which is attached with audio player