Friday, September 04, 2015
The fact that you may not have heard of what Verizon refers to as ‘the detection deficit’ in the Data Breach Investigations Report is by the by. For the record, it’s the difference between how long it takes the bad guys to compromise a target network and how long it takes you to detect that there is a threat. What matters here is that they are on the right side of that deficit, as far as network compromise times are concerned, and you are falling ever further behind. Frankly, as far as detecting threats goes, you need all the help you can get. That help comes in many different forms including, as you might expect to read here considering the business that MAXfocus is in, from a managed security perspective. What you might not expect to hear is that another way to help close the ‘hacker gap’ is by employing free network security tools. Yeah, you read that right: even in the world of security there is sometimes such a thing as a free lunch. So here are some ingredients, in no particular order, that cost nothing but form the basis of a pretty balanced and healthy defensive security diet…
Thursday, September 03, 2015
According to a newly published report on mobile malware from researchers at G Data, "well over 26" smartphones have been discovered shipping complete with pre-installed malware in the device firmware. Earlier this year the same company revealed the presence of adware on Android devices, along with 'potentially unwanted programs' or PUPs. Now it says that monitoring applications – aka spyware – collecting data without the smartphone owner realising, along with other malware, are also becoming a problem on certain Chinese handsets. The shipping of mobile devices with pre-installed malware is nothing new, certainly not to me. Some eight years ago I won an award for my investigation and subsequent breaking of a news story involving TomTom GO 910 satnav units that came with a bunch of Trojans right out of the box. Back then, although it was never actually confirmed, it appeared that the malware was most likely introduced, ironically enough, through the quality assurance process: random units taken off the production line and plugged into an infected computer for testing. This was what you might call an accidental infection.
Wednesday, September 02, 2015
My late father always told me that in order to be successful I should play to my strengths. He was talking about life skills, but his words stuck with me when it came to business as well. Nearly 25 years ago when a career change was being forced upon me, I reflected upon what I was good at and it turned out that my skills were: writing, conversation and hacking. So I put these things to good use and became a security consultant and journalist. Given that the 'focus on what you know' advice is pretty much business 101 stuff, why is it then that so many organisations find it so hard to outsource their security needs?
Tuesday, September 01, 2015
The global Breach Level Index, to be published next week by Gemalto, reveals that state-sponsored cyber attacks accounted for just 2 per cent of data breach incidents during the first six months of 2015. However, the number of records compromised as a result of those attacks amounted to 42 per cent of the total. Further, while none of the top-ten breaches from the first half of 2014 were thought to be state sponsored, three in 2015 were. These included the top two breaches, at Anthem Insurance and the US Office of Personnel Management. “State-sponsored attacks were the second highest source of data records loss, with 102.4 million, behind malicious outsiders responsible for 112 million,” says Jason Hart, chief technology officer for data protection at Gemalto. “Perhaps the biggest danger for any business, no matter which sector it operates in, is thinking its data isn’t sensitive enough to be of any interest.” The days of such attacks being targeted purely at government organisations also seem to be over. According to threat forensics specialist FireEye, during the first six months of 2015 there have been considerably more state-sponsored cyber attacks on the private sector (87 per cent) than on the public sector (13 per cent). The common link between all such attacks is the sensitive nature of the data targeted.
Thursday, August 27, 2015
According to the 'Distributed Denial of Service Trends Report - 2nd Quarter 2015' published by VeriSign today, during the period April 1 to June 30 there was increased activity from the DDoS For Bitcoin (DD4BC) attack group. This came not only in the form of ransom threats – the ransom being demanded in Bitcoin, hence the name – but also in threats that were not paid off turning into actual attacks. Most DD4BC attacks have traditionally been, and largely remain, within the one to five Gbps size range. The report says that the second most targeted industry sector for all DDoS attacks was finance and payments, which made up some 22 percent of those mitigated by VeriSign, and this was largely driven by the DD4BC attack group. The VeriSign conclusions appear to tie in with those from other recent Internet threat reports such as Akamai's 'State of the Internet - Q2 2015', which concurs that many DDoS attacks were fuelled by actors such as DD4BC and those copying their ransom tactics and attack methodologies. Akamai reckons that the group "expanded its extortion and DDoS campaigns during April and May" and it has found itself protecting "a growing number of customers" from DD4BC attacks as a result. Akamai says that several customers have received ransom demands threatening DDoS attacks of between 400-500 Gbps if the money was not paid, although it hadn't seen anything larger than 50 Gbps in reality up until the time the report was published. It would seem that DD4BC does not have quite the resources to pull off the size of attack that it threatens, considering that VeriSign has also not seen anything approaching three figures from it as yet, so is DD4BC actually just a bunch of (albeit fairly successful) chancers?
Friday, August 21, 2015
In a blog posting on Wednesday, a Webroot threat research analyst revealed how the use of ad-blocking software by Mac users could not only be leaving them with a false sense of security but actually putting them at risk. Devin Byrd explained how Mac users are often told that their chosen platform is safe from threats and malware, and a 'vast majority' still believe this despite plenty of proof to the contrary. "The magic myth of Mac immunity has long been disproven and really exploited in the past years with such concepts as Thunderstrike and root privilege exploits," Byrd says, adding "most of the malware that we come across for Mac has been adware." Although I wouldn't necessarily label adware as malware myself, I appreciate that it does try to get you to spend money, can point you towards malicious software downloads and is almost always unwanted by the person whose machine has it installed. It is therefore understandable that for many the answer to adware is a large dose of ad-blocking software, and Adblock Plus is amongst the most popular. I will put my hands up and admit I have been a happy user for many years myself, although on a Microsoft rather than Mac platform. Byrd, however, warns that adware companies know only too well that software is being used to block their wares, and have figured out a way of getting around the roadblocks.
Distributed Denial of Service (DDoS) attacks are the plat du jour for cyber-criminals looking to deflect attention and resources from a breach elsewhere within the target enterprise, as well as for hacktivists taking sites down with political or just plain malicious motivation. According to the Q2 2015 State of the Internet report from Akamai, the number of DDoS attacks has grown by 132 per cent compared to the same time last year. Not only is that a record high, or low depending upon which side of the security fence you are positioned, the number of 'almost indefensible' mega-attacks, those peaking in excess of 1,000Gbps/50Mpps, was also on the up. Anything that can help the bad guys to make a DDoS attack easier, bigger and more destructive is never good news; enter stage left, the villain of the piece in the shape of the Distributed Reflective DoS (DRDoS) attack. Although DRDoS attacks are not exactly new, new methods to launch them are always high on the agenda both of those out to cause problems and of those out to prevent them. So when we heard that a new DRDoS attack using BitTorrent was being demonstrated, SCMagazineUK.com decided to investigate further.
Friday, August 14, 2015
Some would argue that our cities are already pretty smart. Glasgow has street lighting that brightens automatically as pedestrians or cyclists approach. Bristol is installing machine-to-machine sensors to supply superfast networks with data about energy use, air quality and traffic flow. Songdo in South Korea even has a waste disposal system that does away with garbage trucks and sucks your rubbish out of the kitchen via an underground tunnel network directly to the waste processing center. So what actually defines a smart city? According to the British Standards Institution (BSI) the answer is “an effective integration of physical, digital and human systems in the built environment to deliver a sustainable, prosperous and inclusive future for its citizens.” Unfortunately, explains Dr Gordon Fletcher, co-director of the Centre for Digital Business at Salford Business School, there are an awful lot of alternative definitions out there: “A straightforward summary is that [smart cities] all fall onto a continuum, from a light version which interconnects residences individually with various city systems (typically councils), through to a completely integrated system of residents, visitors and the various private and public organizational systems.” What is on the ground now looks less futuristic than we might imagine. But if we were to let that imagination fly, what might we expect in terms of the positives of a truly smart city?
Researchers at cloud application security vendor Elastica have published details of a Cross-Site Scripting (XSS) vulnerability within a Salesforce subdomain, providing the potential for attackers to use a trusted Salesforce application as a platform for end-user credential gathering attacks. Disclosed to Salesforce in early July, the vulnerability was finally patched on Monday, just two days before Elastica went public with the disclosure. Admittedly, XSS vulnerabilities are not the most exciting of attack vectors, but that doesn't mean they are not dangerous. Nor does it mean that organisations shouldn't know better when it comes to detecting them. Heck, the Salesforce developer pages themselves even have a section dedicated to preventing XSS attacks which states "Most applications that display dynamic Web pages without properly validating the data are likely to be vulnerable. Attacks against the website are especially easy if input from one user is intended to be displayed to another user. Some obvious possibilities include bulletin board or user comment-style websites, news, or email archives." Oh the irony. XSS is becoming both more frequent and more dangerous as an attack vector year on year. Frequent because XSS vulnerabilities are pretty easy to spot (oh the irony again) and dangerous because they are also easy to exploit, with outcomes similar to SQL injection attacks, for example. The bad guys would rather take the easiest route on offer, and for many that appears to be XSS right now.
Thursday, August 13, 2015
Fingerprint scanning on smartphones came under the spotlight at the Black Hat conference this year, with researchers highlighting vulnerabilities on certain Android devices, which places a question mark over the real security value of such biometric measures. FireEye researchers discovered that HTC smartphones were storing data from fingerprint scans, necessary to enable biometric security on the devices, as unencrypted .bmp image files where any attacker could easily find them. The researchers point out, for example, that the HTC One Max X device stored the fingerprint as /data/dbgraw.bmp with a 0666 permission setting, which equates to 'world readable', so any unprivileged process or app could read it at will. If that were not bad enough, every time the fingerprint sensor was used to unlock the handset or access a protected app, that bitmap file was refreshed. As a consequence, an attacker would be able to collect every swipe the user made, so the chances of getting a good image that could be used for nefarious purposes were very high indeed. HTC says it was just the HTC One Max that was vulnerable, and that vulnerability has now been fixed. However, the FireEye researchers insist that the fingerprint sensors used by vendors including HTC and Samsung are vulnerable courtesy of the sensor itself being exposed to attackers. "Although the ARM architecture enables isolating critical peripherals from being accessed outside the TrustZone," they wrote, "most vendors fail to utilise this feature to protect fingerprint sensors." Specific handsets said to be at risk included the HTC One Max and Samsung Galaxy S5, and both HTC and Samsung along with other as yet unidentified vendors are said to have rolled out fixes for this issue as well.
However, with support for fingerprint scanners being incorporated into Android, and services such as Android Pay and Apple Pay utilising fingerprints to secure payments, the biometric sensors along with the data they collect are sure to come under increasing scrutiny from cyber-criminals. So, the question is: are fingerprints up to scratch in the world of mobile security?
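The core defect in the HTC case above is a sensitive file left with mode 0666. As an added illustration (not code from FireEye, HTC or the original post), here is a small audit that walks a directory standing in for the handset's data partition, reports any file readable by "other", and strips the group/other bits from it; the directory, the fake dbgraw.bmp and the private.key file are constructed samples.

```python
import os
import stat
import tempfile

def is_world_readable(path):
    # True when the "other" read bit is set, as it is for a 0666 file
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def find_world_readable(root):
    # Walk the tree and return (path, octal mode) for every world-readable file
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_world_readable(path):
                mode = stat.S_IMODE(os.stat(path).st_mode)
                findings.append((path, oct(mode)))
    return findings

def harden(path):
    # Remove all group and other permissions, keeping the owner's bits;
    # 0666 becomes 0600. Returns the resulting mode as an octal string.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_IRWXG | stat.S_IRWXO))
    return oct(stat.S_IMODE(os.stat(path).st_mode))

def make_sample_tree():
    # Constructed sample standing in for /data on the handset (hypothetical layout)
    root = tempfile.mkdtemp(prefix="fp_audit_")
    bad = os.path.join(root, "dbgraw.bmp")
    with open(bad, "wb") as fh:
        fh.write(b"BM" + b"\x00" * 16)  # placeholder bitmap header, not a real scan
    os.chmod(bad, 0o666)  # the world-readable setting described in the post
    good = os.path.join(root, "private.key")
    with open(good, "wb") as fh:
        fh.write(b"not-a-real-key")
    os.chmod(good, 0o600)
    return root

if __name__ == "__main__":
    sample_root = make_sample_tree()
    for path, mode in find_world_readable(sample_root):
        print(f"world-readable: {path} ({mode}) -> hardened to {harden(path)}")
```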