Food Supplier Passes Squid Off as Octopus

According to a lawsuit (main article behind paywall), "a Miami-based food vendor and its supplier have been misrepresenting their squid as octopus in an effort to boost profits."


from Schneier on Security http://ift.tt/2u80uZm

3-Ingredient Happy Hour: Mango Rum Mimosa

Happy weekend, and welcome back to 3-Ingredient Happy Hour, the weekly drink column featuring super simple yet delicious libations. This week I’m feeling a Bellini-inspired beverage that’s just a bit more tropical, a bit more booze-y, and a bit more rum-y.

Though I’m a big fan of peach puree, I’m also a fan of exerting as little effort as possible, and have found that pre-made smoothies—such as Odwalla and the like—actually make pretty delicious cocktail mixers while requiring no blending or straining.


In addition to a bit of mango smoothie, this tall glass of refreshment also features rum (because it’s summer), and sparkling wine (because it’s delicious). To make it, you will need:

  • 1.5 ounces bottled mango smoothie, such as Odwalla
  • 1 ounce white rum
  • Prosecco (or other sparkling wine) to top

Chill all of your ingredients, as well as a champagne flute. Add the rum and smoothie to flute and stir. Top with the bubbly wine of your choice and sip your way to a better mood.


from Lifehacker http://ift.tt/2svcsdv

News in brief: Germany to levy €50m fines on social media; Facebook drone success; hacker offers Petya help


Your daily round-up of some of the other stories in the news

Berlin passes social media fine laws

German lawmakers have voted in favour of a proposal to levy huge fines on social media providers if they don’t take down “obviously illegal” content in a timely fashion.

Under the new “Netzwerkdurchsetzungsgesetz” law, which comes into effect after Germany’s federal elections which are due in September, Facebook, Twitter, YouTube and other sites with more than 2m users in Germany, will have to take down hate speech or otherwise illegal posts within 24 hours or face a fine of €50m.

Critics have warned that the new law could restrict freedom of speech, and have also raised concerns that the social media platforms will have to act as censors. They’ve also pointed out that issues of jurisdiction apply: what happens, for example, if a user outside Germany posts something that’s visible in Germany that breaks Germany’s strict laws but doesn’t infringe the statutes of other countries?

Justice minister Heiko Maas said that experience had shown that without action from lawmakers, “the large platform operators would not fulfil their obligations”.

Facebook drone success

Facebook has completed a second successful test of a solar-powered drone, called Aquila, which soared over Arizona for an hour and 46 minutes in May. The success of the flight will have come as a relief to Facebook, as the first test last summer ended in a crash and an investigation by the NTSB, the US air safety investigatory board.

Facebook is planning to use its drone fleet to provide internet access to areas of the world that don’t have a reliable network, with the drones constantly in flight and running on solar power.

In a blog post, Facebook said that this flight “was all about data”, measuring things like drag to refine the drone’s aerodynamics and gathering data to predict energy use and “thus optimize for battery and solar array size”.

Petya author offers help with new outbreak

This week has been dominated by news of the Petya (or not-Petya) ransomware outbreak as IT departments around the globe raced to prevent the ransomware crippling their businesses and to contain the damage at organisations that were hit.

Then on Wednesday, about 24 hours after the outbreak surfaced in Ukraine, someone claiming to be the author of the original Petya ransomware, which seems to have been adapted for this week’s attack, popped up online offering to help people who’d been hit.

Janus Cybercrime Solutions, the cybercrime group that claimed to be the author of Petya, tweeted: “we’re back havin a look in “notpetya” maybe it’s crackable with our privkey”.

Janus had been selling the original Petya to other hackers – as ransomware-as-a-service – and said on Wednesday that they were examining the code from the current outbreak, and added that they were not behind this week’s attack.




from Naked Security http://ift.tt/2u7m00e

Happy 50th birthday, hole-in-the-wall cash machines!

Lift a pint to John Shepherd-Barron, as we celebrate the 50th anniversary of the ATM (Automated Teller Machine) he devised, or did he? It matters not: ATM #1 was installed by Barclays Bank on June 27 1967, the user punched in a PIN and, lo and behold, the machine paid out £10. There are now well over 3,000,000 ATMs installed across the globe, all able to provide a bit more than ten quid.

And not to disappoint, the criminals (and white hat researchers) have been creating means to get the cash out of the machine, illicitly. We take a look at some of the more interesting, famous and infamous methodologies which have evolved over the 50 years of the ATM.

Hoist and Heist

The first ATM thefts were accomplished by members of the “Hoist and Heist” club of thieves. This methodology of stealing the entire machine and then cracking it open at their leisure remains viable today. Just a few days ago a cashpoint ATM was stolen from the Lloyds bank in Suffolk, East Anglia – it was ripped out of the wall using a JCB telehandler.

Jackpot!

Who can forget when the late Barnaby Jack lit up the stage at the 2010 Black Hat conference showing how to “Jackpot” ATMs. The fits of laughter from the audience were evident as the ATM spewed cash out on to the stage.

Years later, we see jackpotting still in vogue, with ATMs across Europe spitting out cash, as evidenced by the late 2016 simultaneous jackpotting attack which took place in more than ten countries.

And then, Russian and eastern European crooks demonstrated the move toward cardless manipulation of ATMs in Thailand and Taiwan. The thieves in Thailand hit 21 machines, and made off with $350,000, while the thieves in Taiwan hit an undisclosed number of ATMs, collecting approximately $2m.

While many criminals remain at large, law enforcement does have some wins. In May 2017 Europol had success with the arrest of 27 people across a number of countries in connection with black box attacks on ATMs.

Steal your credentials

We associate credential theft with the more modern epoch of skullduggery, yet, according to the Smithsonian, it was simply a matter of months after ATMs first appeared in our walls that “proto-hackers in Sweden exploited [the inability to authenticate the user was the owner] to great advantage in 1968 when they used a stolen ATM token to withdraw huge amounts of money from different machines”.

Fill those debit cards and empty those ATMs

As if to define “organized crime”, in late 2012 and early 2013 we saw the draining of $45m from ATMs as teams of runners hit thousands of ATMs in a matter of hours in two separate attacks.

On December 21 2012, the criminals demonstrated they were no slouches when it comes to hacking skills. They infiltrated a credit-card processing company in India handling pre-paid credit cards. Once in, they then raised the withdrawal limits on five prepaid MasterCard debit accounts, and by using the prepaid cards, distributed to runners in 20 countries, the money flowed. The global take on that day was $5m.

A couple of months later, the same modus operandi was used, this time when a credit-card processing company in the United States was infiltrated. First, they raised the withdrawal limits on 12 cards issued by the Bank of Muscat in Oman. Then, at 3pm on February 19 2013, teams of runners hit the streets across the world: in a matter of hours, 36,000 transactions netted the criminals $40m.

Were lessons learned? Apparently not, as in late 2016 the Yakuza in Japan using phony cards hit thousands of ATMs at once and drained approximately $16m in two hours.

Pupil power

Then in 2014 we saw two Canadian schoolboys who had studied an ATM operations manual visit a Bank of Montreal ATM, where, using the instructions they had found in the manual, they gave themselves admin rights and took over the ATM. Surprised that the technique had worked, they promptly went in to a branch and alerted the bank.

ATM, let me diagnose you

London police arrested three individuals in late 2014, who figured out that if you put the ATM in diagnostic mode, you could induce it to share the money within as part of a test. The three hit 50 ATMs over the course of a May Day holiday weekend, and collected $2.58m.


Whither ATMs?

Are ATMs here to stay? We think so, at least for the time being – as will the continued attention to cracking ATMs by criminals, whether remotely or literally.

The Accenture-ATMIA 2016 ATM Benchmarking Study reckons that the “ATM will retain its importance for banks and consumers alike in the foreseeable future”.

Banks and ATMs now offer services other than simply dispensing cash, including paying bills and cardless withdrawal among them. And with the increased number of ways in which crooks can get access to ATMs, the level of investment by operators in defensive measures can also be expected to increase. The following diagram, from the study, shows the level of adoption of the various defensive measures, with humans – security guards at ATM lobbies – being the least adopted practice and adding alarms to ATMs the most popular.

[Figure: ATM Defenses – ATMIA ATM Benchmarking study 2016]

The study concludes that the criminals are well resourced, and that the challenge of protecting ATMs remains a struggle against the “ever more sophisticated attacks to which the channel [ATM] is subject”. We agree.



from Naked Security http://ift.tt/2suAZzk

Eternal Blues: A free EternalBlue vulnerability scanner

It is to be hoped that after the WannaCry and NotPetya outbreaks, companies will finally make sure to install – on all their systems – the Windows update that patches SMB vulnerabilities leveraged by the EternalBlue and EternalRomance exploits.


These exploits are currently available to practically any hacker who might want to use them, and protecting systems against them should be a must for every organization.

But while bigger ones might have an IT department that will make sure to locate these systems and fix the problem, small organizations and mom-and-pop style businesses might not know where to start.

Are you vulnerable?

Here is where Eternal Blues, a free, one-click, easy-to-use EternalBlue vulnerability scanner can come in handy.

Developed as a private project by Elad Erez, Director of Innovation at Imperva, Eternal Blues will only tell users whether one of their computers is vulnerable – they will have to apply the needed security update themselves. The tool does NOT exploit the vulnerability, so it can’t be used for mounting attacks.

“The motivation [for creating this tool] came right away after latest WannaCry massive propagation through SMBv1. It shocked me how many systems were exposed to this,” Erez told Help Net Security.

After the NotPetya attack, during which attackers only needed to compromise one vulnerable endpoint to disrupt the entire network, it was clear to him that this tool had a lot of value, so he made it available for download.

The tool is mainly aimed at those who don’t have a security/IT team and/or don’t know how to check if they are exposed to the next attack leveraging those exploits.

But he also thinks that system administrators might find it useful. “I bet there will always be a few endpoints that are not monitored by IT, leaving them exposed to this vulnerability,” he noted.

In fact, he says that he has tested the tool on real networks, and that it found a few vulnerable computers on most of them. Still, he notes that this is a “no-guarantees-use-at-your-own-risk tool.”


from Help Net Security http://ift.tt/2u6uG73

Facebook moderators can inspect private messages of users suspected of terror links

Pressured by European governments, Facebook, Twitter and Google are trying to tackle the extremist propaganda and recruitment on their social networks and sites.


It’s an endeavour for which the companies have no good, pre-existing, overarching plan – the relative newness of social media and its use for propaganda means they have to come up with innovative ideas on how to clamp down on the most extreme cases of it. They are effectively winging it – trying out new approaches, and attempting to react quickly to the changes implemented by the perpetrators.

They have called in former government agents and other expert advisors to create those plans, but on a day-to-day basis, it’s up to artificial intelligence to flag suspicious posts, and human moderators to get to the bottom of each flagged post or message.

Human operators have the final say on whether content needs to be removed, and on whether a threat that has been made is credible and law enforcement needs to be notified.

They have special clearance to investigate user accounts suspected to belong to users having links to terrorist groups and, according to The Guardian, this clearance means that they are authorized to rifle through flagged profiles (including private messages) to see who these individuals are talking to and about what, and to check where they have been traveling.

“The team’s highest priority is to identify ‘traveling fighters’ for Isis and Al-Qaida,” The Guardian reports. “Someone would be categorized as such if their profile has content that’s sympathetic to extremism and if they had, for example, visited Raqqa in Syria before traveling back to Europe. When a traveling fighter is identified – which according to one insider takes place at least once a day – the account is escalated to an internal Facebook team that decides whether to pass information to law enforcement.”

While, at first glance, this seems like the most logical thing to do, there are many things about it that can trouble privacy and human rights advocates.

For example, Facebook’s efforts are guided, for better or for worse, by US State Department’s list of identified terrorist groups.

Secondly, Facebook has still not explained how they make sure that the human moderators and, in general, its entire Community Operations team, are not overstepping their mandated boundaries and are not making mistakes that could have grave consequences for some users.


from Help Net Security http://ift.tt/2stDTnG

‘Risk’ shines uncompromising spotlight on Julian Assange


Risk is an unsparing portrait documenting the life of Wikileaks founder, Julian Assange. Like Citizenfour, director Laura Poitras’ Oscar-winning documentary about whistleblower Edward Snowden, Risk is a similarly intimate portrayal of Assange. Filming in secretive spaces behind the scenes, we get to witness the workings of international activists seeking to expose secrets, and in doing so we gain insight into the paranoia – and also arrogance – that defines both Assange’s and Wikileaks’ work.

Poitras first approached Wikileaks in 2010, after they published the Apache helicopter video documenting US soldiers gunning down Iraqi civilians and two Reuters journalists, which was leaked by former soldier Chelsea Manning.

Poitras began filming in 2011 after the Arab Spring had begun, and the US government had launched a multi-agency investigation into Assange and Wikileaks. Back then, they were the champions of hacktivists and freedom-of-the-press advocates, and the fact that governments seemed to be threatened by them made the group even more appealing to those who believe all censorship is bad.

It’s clear that in 2011, when Wikileaks’ prominence was at its height, there was a certain smugness and conceit. We see Assange getting his associate, Sarah Harrison, to phone Hillary Clinton to inform her that passwords had been leaked and that he needed to speak directly with her. Harrison is told by a member of Clinton’s staff that Assange doesn’t have a high enough security level to talk to Clinton, and Assange is clearly irritated. It’s breathtaking (and hilarious) to see such self-importance and egotism, and highlights the swagger with which Assange runs Wikileaks.

However, there are many moments in the film where even the most security-conscious person might sympathise. One particular scene with Jacob Appelbaum from the Tor project (who worked with Wikileaks), where he publicly attacks the CEOs of the Egyptian telecoms companies for blocking Twitter during the Arab Spring uprising and severely limiting the freedom of the general public, gets the viewer on side and positions Wikileaks as information freedom fighters. In this context, it’s hard to oppose security leaks and hacks when you can see how repressive restrictions online, and in telecoms, have a troubling impact on democracy.

But democracy comes with responsibility, and Risk explores the possibility that Assange had a role in Donald Trump’s victory in the US presidential election last year. American intelligence officials have accused Assange of publishing material stolen from computers of Democratic groups by Russian operatives, and said that this tipped the 2016 election in Trump’s favour; for this, they have declared Wikileaks a “hostile intelligence service”.

Poitras has said she accepts that “it was a Russian hack and that they used a cutout or an intermediary to submit it”. She admits that she believes Assange had a role to play. “Julian says his source is not a state actor. Those two things are not mutually exclusive.”

Risk is a revealing portrait of Assange, and not a particularly complimentary one. When he’s not sounding arrogant he comes across as sexist and frequently misogynist; his views on women paint him in an ugly light.

Though Wikileaks is viewed through a mostly positive lens, which will certainly please information activists and freedom-of-the-press advocates, its association with Assange is tainted; it seems clear that Wikileaks’ principles and progressive digital activism have become weakened with Assange continuing to lead the organisation and that it can no longer claim to be non-partisan.

Poitras seems to conclude that Wikileaks itself is fundamentally important in speaking truth to power, but that to be truly independent, and for Wikileaks’ release of information to be trusted, Assange needs to disassociate himself from it. But as is clear from Risk, and from Assange himself, that is unlikely ever to happen.




from Naked Security http://ift.tt/2ttgkjm

Good Article About Google's Project Zero


Fortune magazine just published a good article about Google's Project Zero, which finds and publishes exploits in other companies' software products.

I have mixed feelings about it. The project does great work, and the Internet has benefited enormously from these efforts. But as long as it is embedded inside Google, it has to deal with accusations that it targets Google competitors.

Posted on June 30, 2017 at 6:05 AM


from Schneier on Security http://ift.tt/2ttcuq6

CIA contractors fired for stealing from hacked IoT snack machines


FreedomPay: it’s the kind of vending machine technology that makes paying for snacks “faster, simpler, safer, and smarter”, the company says.

Handy for, say, CIA agents who feel a hankering for a lunch of peanuts and Pepsi.

Here’s how it works, and here’s how a bunch of contractors working for the US Central Intelligence Agency (CIA) got themselves some free goodies… And got caught red-handed… And got fired.

The story was initially reported by BuzzFeed reporters who filed a Freedom of Information Act lawsuit in 2015. That enabled them to get their hands on a report from the Office of Inspector General (OIG) Investigations Staff.

According to that report, a FreedomPay network cable hooked the CIA’s vending machines to the CIA’s Agency Internet Network. From there, the machines could communicate with the FreedomPay controlling server.

The way it’s supposed to work is that you’d slide a funded FreedomPay card to buy your stuff. No pesky coins that somebody might stick a piece of chewed gum to and fish right back out; no masking tape stuck to the back of a bill that could then be dragged out. So smart! So cashless!

Safe, too, right? FreedomPay says it uses “PCI Validated P2PE and tokenization” to fill the security gaps left exposed from credit card transactions, “protecting data in transit and at rest in the merchant’s environment”.

Sounds good. But what happens, you well might ask, if somebody simply reaches down and yanks on that cable?

…as did the contractors, who then used an unfunded FreedomPay card to steal their candy?

So IoT!

According to the declassified report, the thefts started in the autumn of 2012, but the pilfering accelerated and continued through March 2013. That’s when the CIA reported the thefts and the OIG launched an investigation.

The OIG advised the CIA to install surveillance cameras near the most theft-plagued vending machines. (The irony of advising the CIA on how to conduct surveillance is duly noted.) Multiple perps were captured on video, all of them “readily identifiable as Agency contract personnel”.

They admitted their misdeeds, handed in their badges, were marched to the exit, and subsequently fired by their contractor companies. The loss of vending machine sales is estimated to have been $3,314.40.

The OIG referred the matter to the US Attorney’s office for the Eastern District of Virginia for prosecution, but the Department of Justice decided not to press charges.

One has to wonder about the tendency to overlook what should be obvious security mishaps with IoT gadgets, as in, all the Internet of Things stuff.

…As in, the urge to internet-enable everything under the sun without properly securing said things, thereby introducing risks to gadgets that range from the absurd – internet-enabled kettles? Really? – to the life-threatening, in the case of medical devices.

We can’t lay the blame for the security glitch on FreedomPay. That would be like blaming the IoT kettle for running out of water and burning down the house, right?

And it’s not like the CIA needs our help with security or surveillance, I’m sure, Operation Sticky Fingers notwithstanding. But for the rest of us who have to deal with IoT things and their oft-shaky security, this story is a good reminder to be aware that gadgets that rely on internet connectivity to ensure security can be pwned when you snip that connectivity.

Need more help with securing the IoT? Of course you do – we all do!

Here are some security tips, dispensed free of charge, no masking tape required!



from Naked Security http://ift.tt/2t8aku2

The role of web filtering in a modern security architecture

In its most basic and simplest form, filtering access to content on the web can be achieved by rather blunt instruments such as DNS black-holes. And, in the early 2000s, this was more than enough.


Over time, though, the web became more popular and useful, both for users and attackers, and web filtering providers needed to up their game again: simple URL filtering was used to allow access to example.com/news and block access to example.com/badstuff. Again, for a time, that was enough.

“But web filtering is an arms race, and the evolution of the anonymous proxy was in full swing. The only remaining tool in the web filter provider’s arsenal was full dynamic content analysis, which can be achieved in multiple distinct and (sometimes) opposing ways,” recounts Craig Fearnsides, Operations Technical Authority at Smoothwall, a UK-based developer of firewall and web content filtering software.

“One method (which pure firewall vendors employ) is Layer 7 signature analysis, looking for patterns on the wire and blocking packets. URL and domain pattern matching is next – allowing news.*.com but blocking ads.*.com. Finally, there are regular expression-based methods which allow for content to be scored and categorised according to a customer’s requirements. This involves associating positive/negative scores to phrases, as well as more nuanced categorisation, e.g. essex vs sex vs sextuple.”

Having no web filtering is no longer an option

“Web filtering has had a somewhat dogged history and has been vastly misunderstood for many years,” Fearnsides tells me.

But, thankfully, the IT/network security community now generally understands and accepts that access to the web is an essential part of most of their fellow employees’ working day, and that something needs to be in place that will keep the corporate environment safe without preventing people from doing their jobs.

“This is where transparent (filtering without requiring explicit proxy settings) and traditional web filtering can help massively, giving already busy IT/network administrators the tools to keep a business moving, without bogging them down in low-level implementation details,” he noted.

Real-time web filtering challenges

The greatest challenge for a web filtering vendor is always going to be speed, followed closely by comprehension, he says.

“There are many shortcuts that can be used to increase throughput of dynamic filtering solutions (this is usually along the lines of limiting escalation of computational effort), but they often lead to poor categorization or false positives. The only real way to improve speed of throughput is by optimising each of the distinct layers of categorisation over many iterations,” he pointed out.

“One method involves using machine learning to understand what content has been previously identified as one or multiple categories (based on a subset of existing basic lists). We then point the tool at a heap of requests/responses to have it seek out subtle differences that would be nearly impossible for a single person. This machine learning process produces vastly improved patterns for use by a dumb regular expression engine, increasing throughput and effectiveness at the same time.”

He says that false positives are inevitable, but can be mitigated by allowing customers to prioritize one or multiple categorization results over another.

For example, the solution can be made to block adult content BEFORE allowing audio/video content. This would have the appropriate effect of allowing access to audio and video content, while still preventing access to adult content sites that may be (appropriately) categorised as audio/video content sites.
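The phrase scoring and ordered-category policy described above, as an added Python illustration (not Smoothwall’s code): word-boundary matching is what keeps “essex” and “sextuple” from scoring as “sex”, and the order of the policy decides whether a page that is both adult and audio/video is blocked or allowed. The phrase lists, weights, thresholds and sample page texts are all constructed for the example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Category:
    """A content category scored from weighted phrases found in a page."""
    name: str
    phrases: dict            # phrase -> score; negative scores offset innocent contexts
    threshold: int           # total score at which the page is tagged with this category
    pattern: re.Pattern = field(init=False, repr=False)

    def __post_init__(self):
        # Longest phrase first so "sex education" wins over the bare word "sex";
        # \b on both sides is what stops "essex" and "sextuple" from matching "sex".
        alts = sorted(self.phrases, key=len, reverse=True)
        self.pattern = re.compile(
            r"\b(?:" + "|".join(re.escape(p) for p in alts) + r")\b", re.IGNORECASE
        )

    def score(self, text: str) -> int:
        return sum(self.phrases[m.group(0).lower()] for m in self.pattern.finditer(text))


def naive_substring_score(text: str, phrases: dict) -> int:
    """The throughput shortcut that causes false positives: plain substring counting."""
    lowered = text.lower()
    return sum(lowered.count(p) * w for p, w in phrases.items())


def decide(text: str, categories: dict, policy: list):
    """Walk the ordered policy; the first rule whose category clears its threshold wins.

    Returns (action, category_name, scores). Uncategorised pages fall through to allow.
    """
    scores = {name: cat.score(text) for name, cat in categories.items()}
    for name, action in policy:
        if scores[name] >= categories[name].threshold:
            return action, name, scores
    return "allow", None, scores


# Constructed phrase lists and weights; a real product's lists are far larger.
CATEGORIES = {
    "adult": Category("adult", {"porn": 10, "xxx": 8, "sex": 4,
                                "sex education": -4, "sexual health": -4}, threshold=8),
    "audio_video": Category("audio_video", {"video": 3, "stream": 3,
                                            "watch": 2, "playlist": 2}, threshold=5),
}

# Policy order is the customer's priority: block adult BEFORE allowing audio/video ...
BLOCK_ADULT_FIRST = [("adult", "block"), ("audio_video", "allow")]
# ... versus the ordering that lets an adult video site through as "audio/video".
ALLOW_AV_FIRST = [("audio_video", "allow"), ("adult", "block")]

# Constructed sample page texts.
SAMPLES = {
    "council": "Essex County Council: watch the video of the sextuple road works hearing",
    "adult_video": "Free XXX porn video stream, watch now",
    "nhs": "NHS sex education video playlist on sexual health",
}


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        action, cat, scores = decide(text, CATEGORIES, BLOCK_ADULT_FIRST)
        naive = naive_substring_score(text, CATEGORIES["adult"].phrases)
        print(f"{label:12s} {action:5s} {cat!s:12s} scores={scores} naive_adult={naive}")
```

Note that the council page scores 8 for "adult" under naive substring counting (two hits on "sex" inside "Essex" and "sextuple") and would be blocked, while the boundary-aware scorer gives it 0.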


from Help Net Security http://ift.tt/2trmctJ

Do we live in a riskier world? C-suite and senior level experts weigh in

72 percent of global business leaders say they’re operating in a riskier world, spurred by increasingly regulated industries, advanced technology and rapid digitalization, according to BDO USA.


Businesses feel more confident in the macroeconomic environment, which may reflect improvements in governance, risk management and business continuity planning. The macro risk trends executives expect to have the most impact in the next 10 years include regulatory risk (19 percent), technological changes (16 percent) and increasing competition (13 percent).

“Executives are adjusting to a faster rate of change and more complex changes in their businesses,” said Vicky Gregorcyk, leader of BDO’s Risk Advisory Services practice. “Threats that were once blips on the horizon are now front and center. To manage them, risk management professionals will need to balance the pace at which they adapt business models to seize new opportunities with their implementation and oversight of risk management practices.”

Turbulence in the environment and geo-political sphere

The past year’s rise in populist sentiment and political agendas across the globe, the election of President Trump and the Brexit vote are leaving waves in their wake. Three-fourths of American respondents said the unpredictable geopolitical and economic environments would impact their business this year. Almost 8 in 10 (78 percent) of European respondents said the same.

Similar turbulence is rocking the natural world. While last year was relatively benign in terms of the number of major catastrophes, natural and man-made disasters caused total economic losses to the tune of $158 billion, according to Swiss Re sigma.

Disruptive technologies

82 percent of global business leaders say they are not ready to tackle the challenge of technology changes and development. 88 percent of CEOs say innovation and the ability to embrace technological change are the two areas for which their businesses are most unprepared.

While new technologies serve up a buffet of opportunity for companies to improve their products, build efficiencies and drive profitability, arguably the biggest challenge to implementing new technologies is managing cybersecurity risk. According to IBM Security, there was a staggering 6,000 percent rise in ransomware attacks in 2016.

To see the implications across national borders and industry lines, look no further than June’s WannaCry attack, which comprised 75,000 ransomware attacks in 153 countries and an estimated 3,300 infections in the U.S. And the fallout can be severe: IBM and Ponemon estimate a data breach costs companies $4 million on average.


Governance woes

Nine years on from the height of the global financial crisis, business leaders remain concerned about their ability to adapt to compliance pressures. With regulators addressing a variety of issues related to the conduct of financial services firms, 85 percent of leaders in the financial services sector identified regulatory risk as the biggest risk for which their firms are unprepared.

The theme of business resilience continues, and with new corporate governance codes raising the bar on risk management, there is growing recognition that responsibility for risk management ultimately comes from the top.

“The risks we’ve identified require a multifaceted and agile approach with a unique sensitivity to the numerous players involved in each discussion,” said Nigel Burbidge, Partner and Global Chair for Risk and Advisory Services at BDO LLP. “By starting the discussion, we come a step closer to finding the right road ahead, working together to become more resilient to risk and securing success for our future.”

The 2017 BDO Global Risk Landscape Report asked 500 C-suite leaders, board and audit committee members in all major industries in 55 countries, including the U.S. and across Europe, the Middle East, Africa, Asia and the Americas, what they see as the biggest risks facing their businesses now and into the future.


from Help Net Security http://ift.tt/2t7tVub

New infosec products of the week​: June 30, 2017

Protection against the impacts of malware, ransomware and DNS data exfiltration

Akamai introduced Enterprise Threat Protector, a solution designed specifically to address the “intelligence gap” in DNS infrastructure. Using threat data gathered through Akamai’s Cloud Security Intelligence capabilities, Enterprise Threat Protector layers critical intelligence onto a company’s recursive DNS requests, preventing users from accessing malicious domains. The value of the solution comes from its ability to better determine the “intent” of a DNS request from the enterprise.


Indegy extends ICS security from PLCs to cover global OT networks with unified protection

Indegy has enhanced the Indegy Cyber Security Platform to meet requirements for protecting multi-site ICS environments. The new version centralizes the management and configuration of threat monitoring and anomaly detection capabilities across multiple facilities. This enables global organizations to protect ICS by maintaining unified visibility into all activity across Operational Technology networks spread over the country or world.


Application-based interactive firewall Little Snitch 4 released

Little Snitch warns the user when an installed application tries to connect to the Internet, preventing personal and confidential information from being sent without explicit consent of the user. Little Snitch monitors and filters the Mac computer’s network traffic on application level and offers detailed, rule-based filter options. Connection attempts which are not yet covered by a user-defined rule can be allowed or denied interactively by the user.


Security platform that protects citizen identity and private information

NXP Semiconductors unveiled its 3rd generation SmartMX platform to provide security and privacy protection for citizen IDs, ePassports, payment and access management applications. The platform is optimized to create future-proof secure microprocessors required for secure identity and payment applications where protection of personal identifiable information and other private data are paramount.


Comodo releases free Endpoint Detection and Response (EDR) solution

Comodo released a free endpoint detection and response (EDR) solution. cWatch EDR is part of the Comodo Security Solutions’ Advanced Endpoint Protection. It complements the Endpoint Protection Platform, which is designed to prevent malware infection. EDR is designed to detect and respond to malware.



from Help Net Security http://ift.tt/2s81cEm

The Women of Bletchley Park

Really good article about the women who worked at Bletchley Park during World War II, breaking German Enigma-encrypted messages.


from Schneier on Security http://ift.tt/2tqwQAk

News in brief: PCs’ PCs still running XP; bug-hunters cashing in; airport security stepped up


Your daily round-up of some of the other stories in the news

Thousands of PCs’ PCs running on XP

More than half of the computers in London’s Metropolitan Police force are still running on Windows XP, according to London’s mayor Sadiq Khan. That admission comes a year after the force had pledged to upgrade them to supported versions of Windows.

The mayor told Steve O’Connell of the London Assembly in a written response that a total of 18,293 of the force’s 32,751 desktops are on XP.

O’Connell said on Tuesday: “The Met is working towards upgrading its software, but in its current state it’s like a fish swimming in a pool of sharks.”

There’s increased concern about the number of PCs running out of date versions of Windows in the light of the WannaCry ransomware attack, which focused attention on the number of devices running the unsupported version of Microsoft’s operating system in the NHS and elsewhere.

Microsoft has since released patches for XP and Windows Server 2003, which is also no longer officially supported, to protect against the EternalBlue exploit used by WannaCry and this week’s Petya outbreak.

Bug-hunters cashing in

Bug-hunters have been doing well out of bug bounty programmes, according to a report from HackerOne, with companies paying out nearly $1m to some researchers who report vulnerabilities.

The HackerOne report looks at bounty programmes run by companies from Airbnb and Uber to Intel, Lufthansa and the US Department of Defense, and – perhaps unsurprisingly – found that the tech sector pays the biggest bounties, of up to $900,000 a time.

Yet while the use of bounty programmes has been growing, there are still many organisations that don’t use them, found the report, which surveyed 800 companies: 94% of the Forbes Global 2000 list don’t have a bounty programme in place, with just 8% of the airlines on that list having a scheme and only one eaterie: Starbucks.

So if you’re a bug-hunter, it’s worth having a look at which companies offer bounties: you’ll be helping them harden their defences and you could make a bit of extra cash in the bargain.

Kelly steps up airport security

Yes, the laptop ban again. Though the good news is that the laptop ban itself isn’t being extended, although travellers to the US do face tighter security restrictions.

Homeland security secretary John Kelly said that passengers will face increased scrutiny at their departure airports as a way to address what officials say is an increased threat without having to extend the existing laptop ban. That increased scrutiny will include further screening of devices, more thorough vetting of passengers and other steps designed to stop what Kelly called “insider attacks”.

The ban on tablets and laptops remains for the eight countries and 10 airports covered by the existing rule. Kelly was deliberately vague about what the additional steps would be, and added that “we cannot play whack-a-mole with each new threat”.

The new rules apply to anyone arriving in the US from 280 airports in 105 countries, and will affect some 325,000 passengers every day, and are due to take effect within three weeks.

Catch up with all of today’s stories on Naked Security



from Naked Security http://ift.tt/2u3n6tJ

Hacking nuclear submarines – how likely is the nightmare scenario?


Last July, the UK’s parliament voted overwhelmingly to renew Trident, its submarine-based nuclear weapons system. Almost a year later, experts argue that it’s vulnerable to cyberattack. Should we be worried?

The British American Security Information Council (Basic), a London-based thinktank, issued a report called Hacking UK Trident: A Growing Threat. It says that despite claims to the contrary, the system is vulnerable.

Trident, which Britain started using in the early 1990s, is the replacement for the Polaris missile system that had been operating since the 1960s. Four Vanguard submarines each carry eight Trident ballistic missiles, each of which in turn houses independently targetable warheads (the subs can carry up to 16 missiles if needed). The UK keeps one sub out at a time while the others are docked for maintenance work or handling exercises.

When the submarine is cruising, it keeps quiet. The whole idea is that the enemy doesn’t know where it is, so that it can fire missiles even after a first strike. That makes it part of the deterrent system that keeps nuclear war both too close for comfort and inconceivable at the same time. The idea is that either side could launch an attack at a moment’s notice, but neither would because both have vowed to retaliate. No one wins.

That makes Trident one big, floating dead man’s switch, costing between £31bn and £179bn, depending on what you factor in and who you listen to. If no one can agree on how much the thing actually costs, can they get any more clarity on how secure it is?

Trident has one big security advantage: when a submarine is at sea, it’s very difficult to talk to. Communications are all one way, from the mainland, via low-frequency radio or satellite. There are no internet connections, in what’s commonly known as an air gap (shouldn’t that be a water gap?)

The UK government has always maintained that this isolated design makes the missiles secure and protects them from hackers. BASIC is far from convinced, calling this view “patently false and complacent”.

Its report explores the system’s vulnerabilities methodically, and says that there are ways in to Trident that could lead to a variety of outcomes: stopping missiles firing, exploding them early, or even destroying the vessel by hitting its reactor.

Let’s start with the outlandish stuff first. In the future, surveillance nano-drones could infiltrate the vessel, the report says. People could use subdermal skin implants and “advanced nano and bionic technologies” to compromise its systems. It worries about nano-surveillance drones that could somehow hack a sub from the outside. That’s all conjecture, though.

The report says that cutting-edge technology quickly outpaces large military projects like this, creating future disparities between cyber attackers and submarine defenders. Perhaps, but it’s certainly not realistic now, and the establishment may develop countermeasures if and when such things develop.

Windows for Warships

So let’s talk about present-day threats. The report raises more realistic security issues that could get attackers through the air gap and affect things happening aboard the vessel. The subs get software patches and other fixes when in port, it says. Wouldn’t it be possible to install malware on its systems that could be triggered by an event such as a missile launch, or even set to execute at a certain time?

It points to the oft-cited story that the subs run Windows XP. Well they do, after a fashion, although it’s a customised version still under special support contract. It’s difficult to know just how customised, although it’s worth pointing out that the government rolled the thing out in 18 days, and that it’s also used across other naval systems. How susceptible could it be to malware? We can’t say.

Could someone install zero-day malware on the subs, or tinker with other control systems in port? Or perhaps they could get to one of the crew? This isn’t inconceivable. Tech is difficult enough to secure, but people and processes are far messier, in all sorts of ways.

Let’s not forget security concerns raised by nuclear whistleblower William McNeilly, who alleged severe laxity in the navy’s procedures. These holes could easily let someone into a base or on a sub, said the former engineering technician submariner, who claims that security is so lax he was able to scan the Trident instruction manual page by page on his phone while on the vessel. He says in his account:

The fact is it would’ve been even easier for me to cause a nuclear catastrophe than to gather that information.

So a rogue actor on board could be a possibility.

The other entirely conceivable attack is on the supply chain. Many contractors and subcontractors work on components for Trident. Attackers could infiltrate their systems and insert malware or other key attacks, it warns.

We’ve seen attempts at this before, some unsuccessful (because Sophos intercepted them) and some successful. One of the most successful defence contractor hacks saw nation state actors pilfer plans for the Lockheed Martin F-35 Lightning II. If you can pull something like that off, you’d probably have a go at compromising a deterrent system, wouldn’t you?

If you did compromise the “Windows for Warships” system, you’d be able to knacker critical ship control functions. You could also go after the programmable logic controllers and attack the ship’s reactor, rendering it inoperable or worse. We know that intelligence types are good at hitting PLCs, don’t we?

But no, you couldn’t launch a thermonuclear device by hitting CTRL-ALT-DELETE. Windows for Warships doesn’t control the actual firing of the missiles – they have their own software and would be fired using a mechanical switch, and only after two on-board officers agreed.

The report does worry about direct tampering with the warheads, though. McNeilly claims to have scurried around inside a missile, right next to them.

Alternatively, attackers could wreak havoc simply by whispering in the crew’s ear, the report frets. Here’s how that might work.

The crew follows orders when firing a missile but ultimately has autonomy. The US ballistic system uses a Permissive Action Link (PAL) which means that the chiefs of staff have to send their nuclear launch site a code before the missile can be fired.

Accounts differ over whether the code was set to all-zeroes for more than a decade. When configured properly, though, this avoids a megalomaniac with a short temper firing the missiles in a hissy fit, by keeping the president in charge (oh, wait).

The UK subs don’t use a PAL. They still get told what to do by the prime minister of the day, but don’t need a code to do it. They can fire missiles autonomously if they think the country has fallen, relying on a handwritten “letter of last resort” that presumably gives them permission.

The report worries that an attacker could hack the very low frequency radio that sends data to the subs at 300 baud. They could use it to manipulate malware aboard the vessel, or simply mislead and confuse the crew into firing (or not firing) a nuke, they say.
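The risk the report describes here is a one-way, very low bandwidth channel on which an attacker injects or replays traffic to mislead the receiver. The standard mitigation for that class of problem is message authentication with replay protection, which is what the added example below demonstrates. This is illustrative code written for this page; it is not Trident's protocol, makes no claim about what the Royal Navy actually uses, and the key, frame layout and messages are constructed for the example. Because the link is one-way, the receiver cannot challenge the sender, so freshness comes from a monotonically increasing sequence number that the receiver tracks.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for the example only; a real system provisions keys out of band.
SHARED_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

TAG_LEN = 16  # HMAC-SHA256 truncated to 128 bits; 16 bytes is ~0.5 s at 300 baud


def build_frame(seq, payload, key=SHARED_KEY):
    """Shore side: frame = 4-byte big-endian sequence number || payload || tag.
    The tag covers the sequence number so it cannot be re-attached to a different count."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    """Receiving side of a one-way link: verify the tag, then enforce strictly
    increasing sequence numbers so a captured frame cannot be played back later."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_seq = -1

    def accept(self, frame):
        """Return (payload, status); payload is None unless status is 'ok'."""
        if len(frame) < 4 + TAG_LEN:
            return None, "too short"
        header, payload, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison: the verifier must not leak how many tag bytes matched.
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"
        seq = struct.unpack(">I", header)[0]
        if seq <= self.last_seq:
            return None, "replay"
        self.last_seq = seq
        return payload, "ok"


def demo():
    """Walk through the four cases a receiver must handle; returns the status list."""
    rx = Receiver()
    genuine = build_frame(1, b"ROUTINE TRAFFIC")
    statuses = [rx.accept(genuine)[1]]                 # authentic, fresh -> ok
    tampered = bytearray(genuine)
    tampered[6] ^= 0x01                                # flip one payload bit in transit
    statuses.append(rx.accept(bytes(tampered))[1])     # -> bad tag
    statuses.append(rx.accept(genuine)[1])             # same frame again -> replay
    forged = build_frame(2, b"FORGED", key=b"\x00" * 32)  # attacker lacks the key
    statuses.append(rx.accept(forged)[1])              # -> bad tag
    statuses.append(rx.accept(build_frame(2, b"NEXT"))[1])  # next genuine frame -> ok
    return statuses


if __name__ == "__main__":
    print(demo())
```

Two design points matter on a channel this slow: the tag is truncated rather than omitted, because 16 bytes costs only about half a second at 300 baud and an unauthenticated frame is exactly what the report worries about; and the sequence counter must persist across receiver restarts, otherwise a restart reopens the replay window.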

We are in danger, but only a bit

What does all this mean? The report floats several scary fictional scenarios, which make great bedtime reading, but it’s worth putting it all in context, and avoiding extremes on either side.

On the one extreme, you have the doomsday dramatists. Newspaper straplines suggesting that “a country can be brought to its knees with the click of a mouse” aren’t helpful.

On the other extreme, you have the denialists. The UK government claims that Trident is safe because it is air-gapped, but safety is never absolute. Whenever anyone calls something “safe” from hacking, a red flag should go up.

The report says:

The vulnerability to cyberattacks is real. It can be reduced by significant, vigilant and continuous cyber protection, but cannot be eliminated.

But this is basic cybersecurity theory. The real question is, does Trident’s level of risk fit its purpose?

The isolated nature of the ships elevates security by an order of magnitude, and claims of air-gap hacking are speculative and futuristic. Talk of underwater drones and nano-hacking make great science fiction but don’t seem to present any clear and present danger.

If someone were going to get inside Trident, they’d probably take the path of least resistance, whether that’s through the supply chain or through the people and systems interacting with the subs when they’re in port.

So you’re really looking for security flaws at their touchpoints with the rest of the military ecosystem. There are plenty of those, both direct and indirect. Look closely enough and you’ll probably find some nasty holes. McNeilly says that he already did.

What’s more interesting for us is the human element. We’ve seen many instances where we narrowly avoided Armageddon because of simple mistakes.

In 1983, the world almost went to war because the Russians thought a NATO exercise was going to turn into a real nuclear attack, and went on hair trigger alert. In that same year, a satellite malfunction sent false signals of a massive incoming nuclear strike to a Soviet technician, who thankfully ignored them.

In 1961 an ailing US plane actually bombed North Carolina with a nuke that nearly went off. During the Cuban missile crisis, a bear on an airforce base set off an alarm that had ground crews scurrying for takeoff.

There are many more such stories. If the world does end in a bang, it might not be because a smart state actor got control of the switch. It’s more likely that we’ll be fried because someone else was asleep at it. Sleep well.



from Naked Security http://ift.tt/2t5h4sw

Facial recognition: it’s much more widespread than you might think


Governments, retailers and social networks are driving multiple-use scenarios toward ubiquitous facial recognition capability, a technology that’s moved out of the realm of fiction and Hollywood (George Orwell’s novels, or Mission Impossible, Bourne Ultimatum, Minority Report or Matrix Reloaded) into the realm of everyday acceptance.

There are the applications and tools that “suggest” the identity of a given person, ranging from who is the actor on the screen, to the much more problematic and frankly creepy ability to collect information on the stranger across the aisle from me on the subway using an app on my smartphone.

No country is having more success in adoption of facial recognition technologies than China – which isn’t too surprising given the years of authoritarian introspection into the lives of the Chinese citizen.

Do China’s residents really find the facial recognition capabilities useful? Absolutely, as there is little pushback given the different perspective on privacy which exists in China. MIT’s April/May 2017 Technology Review highlighted the myriad ways facial recognition is being used in China.

  • Making sure that the driver behind the wheel of the vehicle-for-hire you are about to get into is legitimate;
  • Picking up your rail tickets by showing your face;
  • Visiting tourist attractions without need for a ticket, with your face authenticating you instead;
  • Walking into a retailer where you are greeted by name.

And who can forget the success enjoyed by the Chinese app, Baby Come Home, built to connect missing children with their parents? The technology, created with Microsoft, reunited a father with his child, who had been missing for four years.

Lest we think China is the only country embracing the technology successfully, there are many others, too – and more than a few whose implementation is not sitting well with people.

Fancy football (soccer)? The Champions League Finals in the UK earlier in June 2017 let a contract to have faces scanned at the stadium and central rail station – a scenario for real-time review of unknown individuals and identification of them against a database of known individuals, presumably bad guys.

The US NIST, in collaboration with the Department of Homeland Security, conducted a multi-year project called, Face in Video Evaluation (FIVE). The purpose of the project was to determine if algorithms could “correctly identify or ignore persons appearing in video sequences”. The identified scenarios included high-volume screening within crowded venues, forensic screening (crime scene), crime video review (such as bank video of a robbery), video-conferencing, and individuals appearing in video footage (television).

Fly much? Airports around the globe have been using facial recognition for a number of years (Brazil, UAE, and US), but only recently have we seen airlines rolling out use scenarios. Both Jet Blue and Delta are experimenting with facial recognition: Jet Blue as part of the boarding process; and Delta for passengers to self-check their luggage.

Then there is the Norwegian digital signage company, ProntoTV, which surreptitiously collected data on visitors to its client’s locales. The software, using artificial intelligence, provided data on the individuals within “scan range”.

What is acceptable in China may not be the case in the US, as the FBI learned. In May 2016, the FBI was reminded of the 2008 E-Government Act that requires government agencies to publish a “privacy impact assessment” as they rolled out their Next Generation Identification-Interstate Photo System (NGI-IPS).

The FBI and its facial analytic teams attracted censure from the US Government Accounting Office, which took the FBI to task for failure to test the technology appropriately, levying six recommendations on the FBI. Those included completing the privacy impact assessment, improving transparency, conducting audits on the use of the NGI-IPS capability by law enforcement, carrying out tests on accuracy of the NGI-IPS technologies, conducting an annual review of the NGI-IPS, and determining if each system used by the FBI is sufficiently accurate.

The FBI disagreed with some, agreed with most, and then went on its way, only to be called out by the House of Representatives in March 2017, for many of the same issues highlighted by the GAO.

Social networks and search engines have shown us the results of their algorithms in various ways. Facebook users can tag individuals in photographs – and with each tag another piece of the facial recognition jigsaw is provided to Facebook. The result: Facebook can now suggest individuals for tagging to you when you share photos.

Is Facebook alone? No. Snapchat created a positive bump for privacy advocates last year when it filed a patent for an “apparatus and method for automated privacy protection in distributed images” – in other words, automatically assigning privacy settings to an image that matches that of a Snapchat user.

Is facial recognition good enough?

It’s getting there.

In March 2017, NIST published the results of its Face Recognition of Non-Cooperative Subjects project. The perhaps unsurprising findings: facial recognition is hard to do, and none of the technologies “attained peak performance”. It went on to note that candidate alerts by systems and humans contain errors and the “overall rates of the hybrid machine-human system must be understood and planned for”.

In other words, false positives and misses will occur. To increase the accuracy of the hybrid machine-human system, perhaps the solution lies with employing those with “superior facial recognition skills”. These are “super-recognisers”, or people with superior ability to remember faces, who, according to a study by Bournemouth University, comprise 2% of the population. Perhaps human intelligence might yet trump AI when it comes to faces after all.



from Naked Security http://ift.tt/2s5gfyv

NotPetya attacker can’t provide decryption keys, researchers warn

While defenders and security researchers are sifting artefacts that could help prevent new NotPetya ransomware attacks and perhaps point to the identity of the attacker, the victims are trying to recover their systems.


Judging by the Bitcoin wallet to which ransom payments are to be made, some 45 organizations have attempted to go that route. As I’m writing this, the wallet holds nearly 4 Bitcoin (around $10,200).

But it’s very doubtful that those that chose to pay the ransom actually managed to get their files back.

For one, the only way to get in contact with the attacker is through an email address opened with German email service provider Posteo, and the provider suspended the account almost immediately.

Secondly, even if the email address was still working, it’s highly likely that the attacker is not interested in helping the victims.

Decryption is not possible

Kaspersky Lab researchers Anton Ivanov and Orkhan Mamedov say that after an analysis of the encryption routine of the malware, they found that the attacker can’t decrypt victims’ disks, even if a payment is made.

The installation key (ID) that the victims need to provide in order to get the decryption key back is a useless, randomly generated string, they noted.

“This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware,” they added.

Matthieu Suiche, CEO of cybersecurity firm Comae, is of the same opinion.

“This variant of Petya is a disguised wiper,” he says. “[The] 24 sector blocks following the first sector block are being purposely overwritten, they are not read or saved anywhere. Whereas the original 2016 Petya version correctly reads each sector block and reversibly encodes them.”

He believes that the ransomware disguise was an attempt by the attacker to control the media narrative of the attack, and initially pass it as the work of cybercriminals, not nation-state attackers.



from Help Net Security http://ift.tt/2s5tuPT

Websites Grabbing User-Form Data Before It's Submitted


Websites are sending information prematurely:

...we discovered NaviStone's code on sites run by Acurian, Quicken Loans, a continuing education center, a clothing store for plus-sized women, and a host of other retailers. Using Javascript, those sites were transmitting information from people as soon as they typed or auto-filled it into an online form. That way, the company would have it even if those people immediately changed their minds and closed the page.

This is important because it goes against what people expect:

In yesterday's report on Acurian Health, University of Washington law professor Ryan Calo told Gizmodo that giving users a "send" or "submit" button, but then sending the entered information regardless of whether the button is pressed or not, clearly violates a user's expectation of what will happen. Calo said it could violate a federal law against unfair and deceptive practices, as well as laws against deceptive trade practices in California and Massachusetts. A complaint on those grounds, Calo said, "would not be laughed out of court."

This kind of thing is going to happen more and more, in all sorts of areas of our lives. The Internet of Things is the Internet of sensors, and the Internet of surveillance. We've long passed the point where ordinary people have any technical understanding of the different ways networked computers violate their privacy. Government needs to step in and regulate businesses down to reasonable practices. Which means government needs to prioritize security over their own surveillance needs.

Posted on June 29, 2017 at 6:51 AM


from Schneier on Security http://ift.tt/2tpm1P2

Azure AD Connect vulnerability allows attackers to reset admin passwords

A vulnerability in Azure AD Connect could be exploited by attackers to reset passwords and gain unauthorized access to on-premises AD privileged user accounts, Microsoft warned on Tuesday.


What are Azure AD and Azure AD Connect?

Microsoft Azure AD (Active Directory) is often used by enterprises to provide employees and business partners single sign-on access to cloud SaaS Applications (e.g. Office365, DropBox, etc.). It can also be integrated with an organization’s existing Windows Server Active Directory, so that they can use existing on-premises identity solutions to manage access to cloud based SaaS applications.

Azure AD Connect is a tool used by enterprise sysadmins to connect on-premises identity infrastructure to Microsoft Azure AD.

About the Azure AD Connect vulnerability

The privilege elevation bug can be exploited if the Azure AD Connect Password writeback, which provides a convenient cloud-based way for users to reset their on-premises passwords wherever they are, is misconfigured during enablement.

The hole has been plugged by Microsoft, and sysadmins just need to upgrade to the newest Azure AD Connect version: 1.1.553.0.

“The latest version of Azure AD Connect addresses this issue by blocking Password writeback request for on-premises AD privileged accounts unless the requesting Azure AD Administrator is the owner of the on-premises AD account,” Microsoft explained, and advises admins to upgrade to this version even if their organization isn’t currently affected by the flaw.

Those who, for whatever reason, can’t do so immediately, can implement one or more of several risk mitigation steps offered by Microsoft in the security advisory accompanying the release.

The document also contains instructions for admins to verify if their organization is affected.
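The fix Microsoft describes is an authorization rule: a writeback request that targets a privileged on-premises account is honoured only when the requesting Azure AD administrator owns that account. The added Python below models that rule next to the permissive behaviour it replaces, so the difference can be tested on constructed data. It is not Azure AD Connect code and does not claim to reproduce its internals; the directory, the `privileged` flag (standing in for however an organisation marks protected accounts) and the `owner_upn` link are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class OnPremAccount:
    sam: str                       # on-premises sAMAccountName
    privileged: bool               # constructed marker for a protected account
    owner_upn: Optional[str] = None  # Azure AD admin that this on-prem account belongs to


@dataclass(frozen=True)
class WritebackRequest:
    requester_upn: str             # cloud identity asking for the reset
    requester_is_azure_admin: bool
    target_sam: str                # on-premises account whose password would be written


# Constructed on-premises directory for the example.
DIRECTORY: Dict[str, OnPremAccount] = {
    "jsmith": OnPremAccount("jsmith", privileged=False),
    "da-alice": OnPremAccount("da-alice", privileged=True,
                              owner_upn="alice@contoso.example"),
    "svc-backup": OnPremAccount("svc-backup", privileged=True),
}

Decision = Tuple[str, str]  # ("allow" | "deny", reason)


def evaluate_permissive(req: WritebackRequest, directory=DIRECTORY) -> Decision:
    """The behaviour the advisory describes as the problem: any Azure AD admin may
    write a password back to any synced on-prem account, privileged or not."""
    if req.target_sam not in directory:
        return "deny", "unknown target"
    if req.requester_is_azure_admin or req.requester_upn == directory[req.target_sam].owner_upn:
        return "allow", "requester is an Azure AD admin or owns the account"
    return "deny", "requester not permitted"


def evaluate_hardened(req: WritebackRequest, directory=DIRECTORY) -> Decision:
    """Rule from the fix: privileged on-prem targets are blocked unless the requesting
    Azure AD administrator is the owner of that on-prem account."""
    target = directory.get(req.target_sam)
    if target is None:
        return "deny", "unknown target"
    if not target.privileged:
        if req.requester_is_azure_admin or req.requester_upn == target.owner_upn:
            return "allow", "non-privileged target"
        return "deny", "requester not permitted"
    if req.requester_is_azure_admin and target.owner_upn == req.requester_upn:
        return "allow", "privileged target owned by requesting admin"
    return "deny", "privileged target not owned by requester"


def audit(directory=DIRECTORY):
    """Defender's check: list privileged accounts with no owner; under the hardened
    rule nobody can write back to these, which is the intended safe default."""
    return sorted(sam for sam, acct in directory.items()
                  if acct.privileged and acct.owner_upn is None)


if __name__ == "__main__":
    helpdesk = WritebackRequest("helpdesk@contoso.example", True, "da-alice")
    print("permissive:", evaluate_permissive(helpdesk))
    print("hardened:  ", evaluate_hardened(helpdesk))
    print("unowned privileged accounts:", audit())
```

The `audit` helper is the check a practitioner would want while the upgrade is pending: every privileged on-premises account that is reachable by writeback and not tied to a single cloud administrator is exactly the exposure the advisory is about.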


from Help Net Security http://ift.tt/2tpg6cN

Who was to blame for what looked like a DDoS attack on the AA? That would be … the AA


From lost keys to dead batteries, UK car insurance giant the AA says it’s “here for everyone”. Except, that is, when it stalls its servers with a self-inflicted distributed denial of service (DDoS) attack.

As The Register reports, on Monday, the AA accidentally sent out a “password update” email to customers.

You can imagine the response: password update? What password update? Do I have to update my password?

Concerned motorists want to know! So they all floored it over to the site to change their passwords.

…creating a traffic jam, overwhelming the AA’s servers and running them clear off the road. The Register said that Brits were “furious” when they couldn’t access their profiles, fearing that their accounts had been hijacked, with hackers having gone in and changed their passwords.

The AA didn’t help matters much with its first Twitter communique, which sounded for all the world like a massive phishing attack was under way:

No, nobody changed anybody’s passwords. That email wasn’t supposed to go out, the business said next:

Customers were flummoxed. The site was turning them away, yet the business said it didn’t change passwords – so what’s the deal?

No, really, nobody changed your password, the AA said. Just give us a minute, we’re working on this!

…And while we’re at it, one commenter said, what’s going on with that database leak?!

That was likely in reference to a tweet, also on Monday, about 13GB of exposed database backups. The tweet came from Troy Hunt, security researcher and exposed-database wrangler extraordinaire:

So OK, a randomly sent, DDoS-spawning, not-a-phishing-attack email, followed by news about an exposed customer database that AA didn’t inform customers about?

No, no, no, the much-explaining AA said, that exposed database was trivial, nothing to worry about, and has been taken care of!

So…. just a stray email? Not a phishing attack? Sent by who, exactly? The Register suggested maybe an inexperienced staffer pressing the wrong button or something like that, rather than hostile hacker action… maybe?!

Well, it wouldn’t be surprising, if it were in fact a rookie mistake. And honestly, if it were the fault of a fat-fingered newbie, it wasn’t all that bad, as mistakes go.

True, there were frustrated customers galore, judging by the Twitter sputtering. But hey, any day that doesn’t end in blowing up a company’s live production database, getting fired, and then facing legal action after only one measly day on the job – and yes that’s a true story! – well, comparatively, this one is small potatoes!



from Naked Security http://ift.tt/2spEOpa

The path to protecting health data: 10 steps to get started

The information in your medical records can be more valuable than your credit card numbers to a cybercriminal.

Experts estimate healthcare data is 50 times more valuable to hackers than stolen credit card information. With access to names, home addresses, birth dates, policy numbers, diagnosis codes and billing information, cybercriminals can do real damage. They can create fake IDs to buy drugs, buy and resell expensive medical equipment, file false insurance claims in your name and much more.

While consumers/patients have some responsibility for using and securing high strength passwords, the healthcare industry also bears a burden to help ensure that patient information is protected.

The burden of protecting data falls largely on the healthcare industry. This is actually where the breakdown is happening. In August 2016 alone, the Office of Civil Rights reported more than 8.7 million electronic health records (EHRs) were exposed to hackers or stolen.

The path to protecting information starts with leadership, funding, reorganization, board buy-in and corporate culture. Hospitals and healthcare systems need prevention and treatment technologies, threat detection like email scanning, behavior analytics and remediation strategies.

Technology alone won’t solve the growing risk of a cybersecurity breach. Doctors, nurses, technicians, lab workers, office staff and more must all play their part to keep patient data protected.

New technology, more devices, social media

Doctors live in the same world as we do. They text to make dinner plans, video chat with relatives in other states and snap-and-post a picture of anything memorable. The line between the world and hospitals is blurring, especially as more Millennial doctors appear on the scene. Doctors want, even expect, new tools and technology.

The number of medical devices in U.S. hospitals grew 62% from 1995 to 2010. In 2010, it was common to see 10-15 devices by a patient’s bed. That number is likely higher today. By 2014, at least 20% of medical devices connected back to a patient’s EHR. Many of those devices were, and still are, using outdated technology systems, making them vulnerable to attacks.

Along with more medical devices, there are also more mobile devices. Those pose a security concern too. Doctors may carry a personal phone and tablet in addition to their secured work devices. And chances are, they favor their personal device.

What if the doctor accesses the patient’s data on a personal tablet? An attacker then has an immediate opening. Personal and work apps often coexist on the same device, and the compromise of a personal app can lead to access to sensitive patient data. Such apps can deliver malware into the hospital’s patient database, or simply sniff for unencrypted data or passwords.

Many patients want to be able to text their doctors and doctors’ offices. Proper security and authentication must come first. And these are just some of the many ways we’re now open to attacks that did not exist a decade ago.

Protecting health data: Start a security overhaul

Many hospitals will need to make serious changes to defend against possible cyberattacks.

Here are 10 steps to get started:

1. Find areas of vulnerability. Work with a third party to conduct an in-depth audit. Identify any areas of potential weakness.

2. Set up the right alarms and tools. Start using network and security tools that will quickly find issues and alert in the event of an attack. Look for products and services that control data flow with minimal disruptions.

3. Secure all devices. Make sure every party’s devices are protected. Phones, computers, connected medical devices and the like should all be covered by the security plan.

4. Disconnect or protect old technology. Use encryption and authentication tools and protocols. Isolate medical devices that run an outdated OS or outdated security technology.

5. Analyze actions. Is a doctor who was at the hospital today apparently trying to access data from another country tonight? It may not be the doctor. User-behavior analytics tools can help stop cybercrimes.

6. Look at inbound and outbound traffic. Global analytics models help find threats directed toward, or even coming from, your hospital.

7. Test, test, test. Regularly check all systems for vulnerabilities.

8. Help employees be vigilant. Educate employees regularly and frequently.

9. Manage vendors and associates. Make sure their systems and communication tools are up to your standards. They can be a weak point, and you may be liable.

10. Prepare for the worst. Have a thorough breach response plan ready to go if needed.
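The detection described in step 5 (a clinician seen at the hospital during the day and then accessing records from another country the same night) can be expressed as a simple impossible-travel check over access audit logs. The following is an added example, not code from the original article; the log format, user names and the 8-hour threshold are constructed assumptions.

```python
"""Impossible-travel check over EHR access audit logs.
Added example with constructed data; not part of the original article."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (hypothetical format): ISO timestamp, user,
# country of the client IP, and the action performed on the EHR.
SAMPLE_LOG = """\
2017-06-27T09:12:00Z user=dr.ahmed src_country=US action=ehr_read
2017-06-27T13:40:00Z user=dr.ahmed src_country=US action=ehr_read
2017-06-27T17:55:00Z user=dr.ahmed src_country=RU action=ehr_read
2017-06-27T10:00:00Z user=nurse.lee src_country=US action=ehr_read
2017-06-28T08:30:00Z user=nurse.lee src_country=US action=ehr_update
2017-06-26T18:00:00Z user=dr.patel src_country=US action=ehr_read
2017-06-27T19:30:00Z user=dr.patel src_country=GB action=ehr_read
"""

# Assumed minimum plausible gap between sessions from two different
# countries. A shorter gap is raised for review, not auto-blocked: country
# geolocation is coarse and VPNs or roaming can produce legitimate hits.
MIN_TRAVEL_GAP = timedelta(hours=8)


def parse_line(line):
    """Turn one 'key=value' audit line into a dict with a datetime 'ts'."""
    ts_text, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_impossible_travel(log_text, min_gap=MIN_TRAVEL_GAP):
    """Return (user, country_a, country_b, gap_hours) for every pair of
    consecutive events by the same user that come from different countries
    closer together in time than min_gap. Events are sorted per user, so the
    order of lines in the log does not matter."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for prev, cur in zip(events, events[1:]):
            if prev["src_country"] == cur["src_country"]:
                continue  # same country: no travel to explain
            gap = cur["ts"] - prev["ts"]
            if gap < min_gap:
                alerts.append((user, prev["src_country"], cur["src_country"],
                               round(gap.total_seconds() / 3600, 2)))
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOG):
        print("REVIEW: %s seen in %s then %s only %.2f h later" % alert)
```

On the sample data only dr.ahmed is flagged (US at 13:40, RU at 17:55); dr.patel’s US-to-GB change a day apart is left alone because the gap is plausible.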

Threats are constantly evolving. Tomorrow’s new technologies and trends will bring new vulnerabilities. Hospitals must be vigilant against cyberattacks.


from Help Net Security http://ift.tt/2toM3Cc

DHS to enforce extra security checks instead of airplane carry-on laptop ban

Travelers from all over the world who plan to fly into the US will be subjected to more rigorous security checks before being allowed to board the plane, the Department of Homeland Security has decided. Still, they will be allowed to take their laptops in the passenger cabin.


The introduction of the new security measures was preceded by a ban on all electronic devices (except phones and medical devices) in carry-ons for US-bound travelers from ten airports in United Arab Emirates, Saudi Arabia, Turkey, Egypt, Jordan, Kuwait, Morocco, and Qatar.

Enhanced USA air travel security measures

“The enhanced security measures include but are not limited to: enhancing overall passenger screening; conducting heightened screening of personal electronic devices; increasing security protocols around aircraft and in passenger areas; and deploying advanced technology, expanding canine screening, and establishing additional preclearance locations,” the DHS explained.

These enhanced security measures will be imposed on travelers on all commercial flights departing from some 280 airports in 105 countries, and will affect 180 airlines and, on average, 325,000 passengers each day.

When will the changes be implemented?

Some of these enhancements will be implemented immediately, and others in the coming weeks and months, but the DHS is clear that it expects airlines to adopt these requirements within certain timeframes, lest they be hit with additional security restrictions (e.g. a ban on large personal electronic devices on aircraft) or denied permission to land their planes at US airports.

The agency noted that these enhanced security measures are just the beginning, and will evolve as threats evolve.

“The enhanced security measures are both seen and unseen but all passengers flying to the United States may experience additional screening of their person and property. We recommend that passengers flying to the United States prepare for a more extensive screening process,” they concluded.

Airlines and fliers might not be content with these new rules, but for many of the latter – especially business travelers – this beats a carry-on laptop ban for sure.


from Help Net Security http://ift.tt/2sTRpVi

The next frontier of cyber governance: Achieving resilience in the wake of NotPetya

Earlier this week, several European nations experienced a widespread ransomware attack. Major international giants such as Merck, WPP, Rosneft and AP Moller-Maersk, alongside financial institutions, banks, energy companies and more, were affected, with users locked out of their computers. The focus of the attack was Europe, but it was also discovered that DLA Piper, a massive U.S.-headquartered law firm, was hit by this new strain of ransomware.

First reports attributed the attack to the WannaCry-like Petya ransomware, but Kaspersky Lab later discovered that the cause was a previously unknown NotPetya strain that had hit users across Ukraine, Russia, France, Germany, Italy, Poland, the UK and the U.S. It’s clear the WannaCry attack in May was just the beginning, as this week’s attack marks yet another crime scene with substantial evidence that global economies are at massive risk.

Reliance on connected devices and computers, coupled with the lack of government-mandated and incentivized cyber defense for both public and private sectors, poses an intimidating threat to the world’s economy.

It’s imperative to impress upon organizations the vital need for a more organized, transparent and incentivized cyber defense system to halt the outbreak of devastating cyber attacks across the globe. Understanding that need is step one, but making actionable solutions a reality is the next frontier.

Here’s how organizations can get ahead of existential threats and lead the charge in the next frontier of cyber governance:

Create a cyber-conscious culture

It should be clear by now that cybersecurity is no longer just an IT issue. We aren’t facing a breakdown in technology; what we are seeing is a failure to put the right people, processes and policies in place to minimize internal vulnerabilities to cyber attacks. Most perimeter defense and network disruption detection technologies do their job effectively, but that does not protect organizations from vulnerabilities associated with human error and lack of adequate training. Effective cybersecurity must involve the entire organization and be ingrained in the culture in all corners of it. Engaging and training the greater workforce, not just the IT department, is critical in supporting CISOs and mitigating cyber risk.

Implement mandates and incentives

The U.S. is on the right path to achieving national cyber resiliency with the launch of the Cybersecurity of Federal Networks Executive Order (EO), deferring to the NIST Cybersecurity Framework gold standard, and the New York Department of Financial Services cybersecurity regulations. These mandates are a step in the right direction, and even the lesser-known SAFETY Act from the Department of Homeland Security is another decree of liability protection, offering designations to technology vendors deemed “anti-terrorism.” Companies suffering from a cyberterrorism attack would be protected if utilizing a SAFETY Act designated technology. The European Union has also implemented the NIS Directive, which is the first piece of EU-wide legislation on cybersecurity.

Federal governments must do better at incentivizing these mandates and protections, all while balancing a general aversion to regulation in some industries, like utilities and energy. Organizations should also mandate and incentivize their own internal training programs to raise awareness of common internal risk factors, ensuring successful risk mitigation from the top down.

Be accountable

Accountability standards must be upheld should organizations, or the individuals within them, fail to comply with national requirements for cyber defense and mitigation. Those standards, as outlined in the EO and NIS Directive, have launched the U.S. and EU’s first push into mandatory compliance for federal agencies, versus the purely voluntary or recommended cybersecurity best practices shared by government entities in the past.

If the mandates’ compliance requirements are upheld or maintained, agency heads and organizational leaders will be held liable for future attacks, both legally and financially. This means it is their fiduciary duty to ensure everyone in the organization is equipped to identify, assess and mitigate risks. There is less structure around accountability in the commercial arena, where CISOs are often wrongfully blamed for any successful breach when, in fact, every department and employee should be held to a level of accountability in protecting the enterprise from the inside out.

Streamline protection of the whole, not just the parts

While regulations like the EO and NIS Directive are steps in the right direction, they do pose some consistency and reporting challenges to the nation’s overall cybersecurity posture. Individual agencies are responsible for their own measurement, reporting and mitigation plans, but it’s a heavy burden when looking at it in the full-portfolio context of a nation’s cyber defense maturity.

Nations need to find a balance between public and private sector cybersecurity regulation, where a consistent and unified defense program can be referenced, implemented, measured and maintained across agencies, enterprises and individuals. A vulnerability in any part of the cybersecurity chain poses risk to the entire portfolio.

As attacks continue to strike on a global scale, it is likely that government leaders will begin moving toward nation-wide regulatory standards to protect the portfolio as a single unit. Organizations that begin implementing standardized cybersecurity systems under frameworks like NIST or ISO will be a step ahead of this charge, not to mention better prepared to proactively defend against evolving cyber threats, rather than waiting for another devastating attack to foray into our public and private sectors.


from Help Net Security http://ift.tt/2s4hxtT

Top cloud challenges: Security, compliance, and cost control

A new Fugue survey, fielded to over 300 IT operations professionals, executives, and developers, found that most respondents believe that the cloud is not living up to expectations because of compliance and security concerns, unexpected downstream costs, and the glut of cloud management tools available in the market.


Top cloud challenges

Only 1 in 5 surveyed felt they are getting “the most” out of the cloud, while 80 percent feel they are failing to do so. Thirty-nine percent said security/compliance is slowing them down, 36 percent said CXOs fail to understand the complexity of the cloud, 26 percent said IT leadership doesn’t understand the complexity of the cloud, and 20 percent said developers don’t understand the complexity of the cloud. Another 22 percent pointed to a lack of cohesion between the cloud and data center teams.

When asked about what challenges they are working to overcome in their cloud organizations this year, IT professionals pointed first to controlling costs (48 percent), then to ensuring infrastructure security and compliance (44 percent), managing increasing cloud complexity (42 percent), and meeting business agility demands (36 percent).

Stitched-together cloud tooling yields complexity

Meanwhile, survey respondents indicated that their businesses are employing an unwieldy number of disparate tools in order to get the cloud to deliver on their business expectations: 38 percent are using 3-5 tools; 31 percent are using 6-10; 16 percent are using 11-15; and 7 percent are using more than 15.

As a result, 69 percent say they are spending as much or more on stitched-together cloud tooling and services as they spend on the cloud itself, and 42 percent say the cloud is not saving them money over the data center.

“The promises of the cloud are tremendous, but they are hard-won,” said Josh Stella, CEO at Fugue. “You hear you’ll get rid of data centers, save money, and move faster; cloud’s essentially an infinite resource. But what happens is that IT departments lose control of it—they can’t keep track of everything that’s running, and there are security and compliance complications. If you’re Netflix, you have enough money to throw at the problem, but most companies trying to manage the cloud end up in a DIY headache of patch-ups and tools that were born in the data center and adapted for use in the cloud.”

While many companies have resorted to building in-house tooling, 83 percent of respondents said this creates problems of its own. Prime among them:

  • In-house tooling requires specialists and time to maintain them – 50 percent
  • Adopting newly available cloud services is made difficult – 41 percent
  • In-house tooling involves a lot of egos and politics – 31 percent
  • Adopting new architectures is made difficult – 21 percent.


Cloud needs a makeover

IT professionals are almost unanimous (96 percent) in their agreement that the cloud could use a makeover. When asked why, 85 percent pointed to usability struggles:

  • Needs to be simplified and easier to use – 33 percent
  • Needs to be easier to keep secure – 29 percent
  • Needs to be easier to control costs – 13 percent
  • Needs to be easier to control – 10 percent.

Another 7 percent complained about the overall expense, and 5 percent complained about reliability.

Fully 87 percent of IT professionals say they have experienced a cloud downtime event, in response to which their companies have added multi-cloud capabilities (47 percent), created more resilient application architectures (41 percent), and added multi-region capabilities (38 percent).

Another 24 percent prefer to simply pass the blame, and 19 percent have resorted to “prayer.”


from Help Net Security http://ift.tt/2tngIjv

Wednesday, June 28, 2017

Open Security Controller: Security service orchestration for multi-cloud environments

The Linux Foundation launched the Open Security Controller project, an open source project focused on centralizing security services orchestration for multi-cloud environments.


Open Security Controller orchestrates the deployment of virtual network security policies, applies the correct policy to the appropriate workload, and it brokers services among cloud management platforms—resulting in seamless integration of multi-vendor virtual security controls. Because the project is open, organizations may choose the security and SDN vendors that best meet their needs.

“Software-defined networks are becoming a standard for businesses, and open source networking projects are a key element in helping the transition, and pushing for a more automated network,” said Arpit Joshipura, General Manager of Networking and Orchestration at The Linux Foundation. “Equally important to automation in the open source community is ensuring security. The Open Security Controller project touches both of these areas. We are excited to have this project join The Linux Foundation, and look forward to the collaboration this project will engender regarding network security now and in the future.”

Open Security Controller project technology is licensed under Apache 2.

Industry support for the Open Security Controller project

“Security orchestration is important to cloud solutions, we are looking forward to working together with The Linux Foundation and industry partners to further enhance security,” said Evan Xiao, President, Strategy & Business Development Department, at Huawei Products & Solutions.

“At Intel we are committed to security, from the hardware root of trust through the compute stack, the network infrastructure and to cloud and emerging workloads,” said Rick Echevarria, Vice President, Software and Services Group and General Manager, Platforms Security Division at Intel. “Our contribution of the Open Security Controller to the Linux Foundation will help accelerate the adoption of software-defined security, as demonstrated by the participation of the other founding members who are among leaders in the delivery of security solutions.”


from Help Net Security http://ift.tt/2u0wgYd