Saturday 12 December 2015

Merry Riskmas


People of all ages look forward to Christmas holidays. Children think of the gifts they will receive from Santa, and those of us who are older savor the thought of spending the holidays in joyous company with friends and family. Christmas is considered by most, including myself, as the most wonderful time of year.

Cyber criminals feel the same way about the holidays. They exploit online shoppers’ longing for a good sale by slamming them with phishing scams laden with "special offers" and try to turn our beautiful Christmas to Riskmas.

We have talked about this subject in the past but constant repetition carries conviction.

The holiday season is retailers’ busiest time of year, with an estimated 20% of the year’s shopping taking place between November and December in the UK and over half of online retailers expecting to achieve 20% growth. During this time, retailers arguably face a more difficult problem with IT than other industries for many reasons. The holiday retail "freeze" is underway, which means that any security upgrades or technology additions for retailers are put on hold until after the busy holiday shopping season. For the next few weeks, only critical security patches will get installed. The concept of a holiday IT freeze is outdated in today’s world, and while many retailers implement such a "freeze", there should be exceptions when it comes to areas that support the business. Security should certainly be one of those exceptions.

The main challenge and priority is service availability to the customers, whether it is for online or in-store purchases. At executive level, service availability translates to transactions, which in turn relates to revenue growth. However, executives often neglect the wider collateral damage that can be caused by a data breach, not only in terms of brand damage but also in the resultant fall of consumer confidence and any remediation activities required (legal and operational) to mitigate those losses.

In December 2009, a hacker then operating under the alias "igigi" succeeded in stealing the account credentials of all 32.6 million users after successfully penetrating RockYou, a company which develops games and advertisements for social media sites. All of the information had been stored in clear text, meaning that neither account holders' usernames nor passwords had been encrypted. The company's databases were infiltrated through an SQL injection vulnerability, one of the most common security vulnerabilities in web applications today.

Following the breach, the security firm Imperva analyzed the stolen information, portions of which were published online by the hacker. The study revealed that 40% of account holders had used a password consisting only of lowercase letters, 30% had chosen a password less than six characters in length, and nearly 1 in 100 had set their password to "123456".

Nevertheless, companies are not the sole targets of holiday breaches. The amount of unwanted traffic increases significantly before Christmas, and people need to be wary of viruses and other malware. Christmas, like other holidays, is a time of opportunity for junk mailers and information phishers. An ill-advised click can ruin your holiday, when an electronic Christmas card from a friend or business partner installs malware on your computer. People are in holiday spirits and behave more casually in the online environment. For example, Christmas greetings sent by email can be disguised so that they look like they have been sent by someone you know. When the unsuspecting recipient opens a picture or link contained in the message, a virus is released.

Back in 2010, just two days before Christmas, attackers sent out an email that spoofed “seasons greetings” from The White House to a number of government employees and contractors. The text of the email was published on Brian Krebs’ website. It read:
“As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings. Be sure that we’re profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission.”
The card then prompted users to click on a link, which downloaded a variant of ZeuS malware.

A control server allegedly based in Belarus manually sent out the email to a small number of recipients, which made the attack undetectable by security traps and sensors. Ultimately, more than 2GB of government documents were stolen in the attack. However, no classified documents were compromised.

In December 2013, Symantec reported a spike in the number of NTP amplification attacks. NTP stands for Network Time Protocol. It was originally developed by a professor at the University of Delaware as a means of syncing the clocks of multiple computers.

According to Symantec’s blog post on the topic, NTP attacks are similar to DNS amplification attacks in that they use a small packet to request the delivery of a large amount of data to a specific IP address. In this case, the attackers used the monlist command, a query found in older versions of NTP that sends requesters a list of the last 600 hosts who connected to the server, as part of a series of DDoS attacks against certain targets, including a number of gaming sites in late December. The evolution of NTP amplification attacks in part reflects the Internet’s development thus far.
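The monlist exchange described above, as an added example that is not part of the original post: a small Python classifier that recognises private-mode (mode 7) monlist queries and replies and totals the reply bytes delivered to each destination, which is how a defender spots the spoofed victim of an amplification attack. The packet layout follows ntpd's private-mode format as I understand it (monlist request codes 20 and 42 are assumed from ntp_request.h); all packets and addresses are constructed, not captured.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

MODE_PRIVATE = 7                  # ntpd "private" mode used by ntpdc-style queries
REQ_MON_GETLIST = 20              # monlist request codes (assumed from ntp_request.h)
REQ_MON_GETLIST_1 = 42
MONLIST_CODES = {REQ_MON_GETLIST, REQ_MON_GETLIST_1}


@dataclass
class NtpInfo:
    version: int
    mode: int
    is_response: bool = False
    request_code: Optional[int] = None
    item_count: int = 0


def parse_ntp(payload: bytes) -> NtpInfo:
    """Decode just the fields needed to recognise a monlist exchange.
    Byte 0 is R|M|VN(3)|Mode(3); for mode 7, byte 2 is the implementation,
    byte 3 the request code and bytes 4-5 carry err(4)|nitems(12)."""
    if len(payload) < 4:
        raise ValueError("too short for an NTP packet")
    first = payload[0]
    info = NtpInfo(version=(first >> 3) & 0x7, mode=first & 0x7)
    if info.mode == MODE_PRIVATE and len(payload) >= 8:
        info.is_response = bool(first & 0x80)          # R bit is set on replies
        info.request_code = payload[3]
        info.item_count = ((payload[4] & 0x0F) << 8) | payload[5]
    return info


def is_monlist_request(payload: bytes) -> bool:
    info = parse_ntp(payload)
    return (info.mode == MODE_PRIVATE and not info.is_response
            and info.request_code in MONLIST_CODES)


def is_monlist_response(payload: bytes) -> bool:
    info = parse_ntp(payload)
    return (info.mode == MODE_PRIVATE and info.is_response
            and info.request_code in MONLIST_CODES)


def amplification_factor(request: bytes, response: bytes) -> float:
    """Bytes delivered to the (spoofed) source per byte the sender spent."""
    return len(response) / len(request)


def monlist_reply_bytes(packets: Iterable[Tuple[str, str, bytes]]) -> Dict[str, int]:
    """Total monlist reply bytes per destination. A host that receives many
    replies it never asked for is the spoofed target of an amplification
    attack; ordinary mode 3/4 time-sync traffic is ignored."""
    totals: Dict[str, int] = {}
    for _src, dst, payload in packets:
        if is_monlist_response(payload):
            totals[dst] = totals.get(dst, 0) + len(payload)
    return totals


# Constructed samples (not captured traffic): an 8-byte monlist query and a
# reply carrying six 72-byte monitor entries; 0x17 / 0x97 encode version 2,
# mode 7, with the response bit set on the reply.
SAMPLE_QUERY = bytes([0x17, 0x00, 0x03, REQ_MON_GETLIST_1, 0x00, 0x00, 0x00, 0x00])
SAMPLE_REPLY = bytes([0x97, 0x00, 0x03, REQ_MON_GETLIST_1, 0x00, 0x06, 0x00, 0x48]) + bytes(6 * 72)
CLIENT_QUERY = bytes([0x1B]) + bytes(47)   # normal v3 client request, mode 3
SERVER_REPLY = bytes([0x1C]) + bytes(47)   # normal v3 server reply, mode 4

# Constructed traffic: 203.0.113.9 never really asked for anything; the query
# carried its spoofed address, so the NTP server's replies land on it.
SAMPLE_TRAFFIC = [
    ("203.0.113.9", "198.51.100.5", SAMPLE_QUERY),
    ("198.51.100.5", "203.0.113.9", SAMPLE_REPLY),
    ("198.51.100.5", "203.0.113.9", SAMPLE_REPLY),
    ("192.0.2.7", "198.51.100.5", CLIENT_QUERY),
    ("198.51.100.5", "192.0.2.7", SERVER_REPLY),
]

if __name__ == "__main__":
    print("per-packet amplification:", amplification_factor(SAMPLE_QUERY, SAMPLE_REPLY))
    print("monlist reply bytes by destination:", monlist_reply_bytes(SAMPLE_TRAFFIC))
```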

To sum up, here are some additional tips you can use to avoid becoming a victim of cyber fraud: 
  • Enable 2-factor authentication in all your accounts. You can find a list of services that support this here.
  • Do not respond to unsolicited (spam) e-mail.
  • Do not click on links contained within an unsolicited e-mail. Ask yourself: "Why am I being asked to click here?" If you’re not sure, don’t click!
  • Be cautious of e-mail claiming to contain pictures in attached files; the files may contain viruses. Only open attachments from known senders. Scan the attachments for viruses if possible. Ask yourself: "Does this look authentic?"
  • Avoid filling out forms contained in e-mail messages that ask for personal information.
  • Always compare the link in the e-mail to the link you are actually directed to and determine if they match and will lead you to a legitimate site.
  • Log on directly to the official website for the business identified in the e-mail instead of "linking" to it from an unsolicited e-mail. If the e-mail appears to be from your bank, credit card issuer, or other company you deal with frequently, your statements or official correspondence from the business will provide the proper contact information.
  • Contact the actual business that supposedly sent the e-mail to verify that the e-mail is genuine.
  • If you are requested to act quickly or there is an emergency that requires your attention, it may be a scam. Fraudsters create a sense of urgency to get you to act quickly.
  • Remember if it looks too good to be true, it probably is not.
For organisations: 
  • Ensure your staff are educated ahead of the Christmas period. Phishing presents as much danger to businesses as it does individuals.
  • Get a penetration test now before the Christmas period to test the security of your networks and systems.
Have A Very Merry Christmas and Stay Safe Online!

Friday 11 December 2015

Hard Dollar, Hard Times in IT Spending


The global IT market will suffer this year from the consequences of a "hard" dollar and the weakening of demand in the world's emerging economies. Worldwide IT spending is expected to reach $2.69 trillion in 2015, down 3.5% from a year earlier, with every branch of the world economy, without exception, reducing its investment in Information Technology.

The decline of the international IT market is associated primarily with the rise of the dollar, particularly against the euro, the yen and the ruble, and the price increases it brought to IT products, as well as with the weak performance of markets such as Russia, Brazil and China.

According to Gartner's estimates, exchange rates will affect IT investment in every sector of economic activity, limiting spending in 2015. For banks, spending this year will be 2.4% lower; in Communications and Media the decline will be around 3.6%; in Education spending is expected to fall by 2.5%; and the travel spending of public organizations will be reduced by 5% in 2015. The same data show IT spending in the health sector falling by 2.7%, in insurance by 2.8%, in construction by 4.5%, in retail trade by 1.5% and in transport by 3.1%.

Despite the downturn, however, retail, banking and insurance, and the health sector are expected to lead with the highest IT spending this year.

Retail
Technologies that help retailers better understand consumer needs and strengthen customer engagement with a brand, through a multi-channel shopping experience, are high-priority items on retailers' IT agenda. For in-store purchases, the challenges identified lie particularly in the various electronic payment systems, but also in investment in card acceptance machines (POS).

Banks
Although IT investment by banks and insurance companies will fall by 2.5% in the current year, Gartner estimates that banks will double their IT budgets by 2019 in an effort to retain their customers, improve the customer service experience and reduce operating costs. Cyber security remains a focus area for retail banking, and an emerging area of interest is intelligent machine technology, including artificial intelligence, robotics and process automation.

Health sector
IT spending in health and care is expected to fall during the current year, with the rate of decline for 2015 estimated at 2.7%. The largest IT market in the health sector is the US, which accounts for 40% of the sector's total IT spending in the current year. The greatest movement in the sector is expected in Europe, Asia and South Africa.

Sunday 20 September 2015

From Information Security to Digital Competitiveness


Information is the lifeblood of almost all businesses today. At the same time, not a week goes by without news of another big hack or security breach. The pressure on the security function is immense, and security professionals need a fine balance of skills to bring together risk, compliance, operations and technology in any large organization. Sadly, they rarely find time to grow their relationships and standing in the corporation. 

The role of CISO is difficult yet crucial. Not all organizations appoint an executive CISO; many have a security director report into the CIO or else into risk and compliance functions. A dedicated CISO role is crucial, both politically and culturally, for it sends a strong message about the priorities and commitments of the business.

The role of CISO is relatively new and by no means is it a universal position. Managers attain the title CISO by following any number of career paths, typically starting in an IT environment, then acquiring specialist security certifications and/or on-the-job experience. Information security is managed in many different ways from one business to another. Some firms see it as a part of security generally; it is common among banks, for example, for the safekeeping of cash, branches, staff and IT to all come under the one executive. Other organizations have information security report into legal or risk functions, as they can see it as a corporate governance matter. And some prefer operations or IT to take responsibility for information security, especially if technology in the sector is volatile or complex. Regardless of reporting line, an effective CISO must have influence inside IT and inside the business units. 

Whether a CISO comes with technical qualifications or has learned on the job, the classical CISO job description covers a basket of activities spanning network security, access management (for customers, staff and/or partners), standards compliance (particularly in regulated industries like banking, government and healthcare), policy development and implementation, internal IT audit, and sometimes privacy. The CISO’s position generally involves a lot of tech and a lot of compliance. 

Organizations tend to use the security department in a purely defensive capacity. However, in the digital age, the information an organization collects internally and externally is a valuable data source. Security Officers archive, protect, and maintain the quality of an organization's information, putting them in a unique position to implement strategic, information-driven business initiatives.

The security department must evolve from “the department of no” to a business unit that utilizes a company’s information to create a strategic advantage and value to internal and external customers alike.

In a market characterized by rapidly changing technology and increasing global competitive forces, it's no secret that companies can no longer afford to rely on the feature-set of their products or services alone. After all, today's innovation is rapidly becoming tomorrow's industry standard, so organisations must ensure they create value from the information they have and forge intimate connections with their customers, colleagues, suppliers and partners in order to stay ahead of their competition. The need for joined-up thinking in business cannot therefore be underestimated. This is not just about improving the flow of information within a business; rather it needs to be about unlocking consistent value and meaning from that information and extending collaboration across an organisation's entire ecosystem in order to put the customer at the center of the business and achieve real customer intimacy.

As the global economy starts to show signs of recovery, businesses can afford to look beyond short term survival and start planning for the anticipated upturn. The long-term value that collaboration brings to an organisation more than outweighs its perceived cost - it will help forge stronger relationships and happier workers as well as translate into more efficient operations company-wide. Clear visibility of business-critical information, improved insight into business performance and customer value are the cornerstones of successful, profitable business in any sector. Making these changes today will not only improve competitiveness and provide the operational clarity required to maximize corporate performance, but will also prepare the organisation to exploit future economic growth.

Digital disruption is not a new phenomenon. But the opportunities and risks it presents shift over time. Competitive advantage flows to the businesses that see and act on those shifts first. We are entering the third, and most consequential, wave of digital disruption. It has profound implications not only for strategy but also for the structures of companies and industries. Business leaders need a new map to guide them.

In the first wave of the commercial Internet, the dot-com era, falling transaction costs altered the traditional trade-off between richness and reach: rich information could suddenly be communicated broadly and cheaply, forever changing how products are made and sold. Strategists had to make hard choices about which pieces of their businesses to protect and which to abandon, and they learned that they could repurpose some assets to attack previously unrelated businesses. Incumbent value chains could be “deconstructed” by competitors focused on narrow slivers of added value. Traditional notions of who competes against whom were upended—Microsoft gave away Encarta on CDs to promote sales of PCs and incidentally destroyed the business model of the venerable Encyclopædia Britannica.

In the second wave, Web 2.0, the important strategic insight was that economies of mass evaporated for many activities. Small became beautiful. It was the era of the "long tail" and of collaborative production on a massive scale. Minuscule enterprises and self-organizing communities of autonomous individuals surprised us by performing certain tasks better and more cheaply than large corporations. Hence Linux, hence Wikipedia. Because these communities could grow and collaborate without geographic constraint, major work was done at significantly lower cost and often zero price.

Smart strategists adopted and adapted to these new business architectures. IBM embraced Open Source to challenge Microsoft's position in server software; Apple and Google curated communities of app developers so that they could compete in mobile; SAP recruited thousands of app developers from among its users; Facebook transformed marketing by turning a billion “friends” into advertisers, merchandisers, and customers.

Now we are on the cusp of the third wave: hyper-scaling. Big — really big — is becoming beautiful. At the extreme — where competitive mass is beyond the reach of the individual business unit or company — hyper-scaling demands a bold, new architecture for businesses.

It is fashionable (and correct) to assert that business leaders need to worry about disruption. But disruption takes very specific forms, and these forms are shifting. The disruptive impact of deconstruction—like that of low-cost technologies—is now widely understood, but the challenge of the very small, less so. And the challenge of the very large, hardly at all. Put them together and you pass from the familiar world of value chains to the world of platforms, ecosystems, and stacks. The role of CISO is mission critical in a world of digital disruption.



Monday 31 August 2015

Our First Birthday


It's been a year since the first post appeared on the ISL blog! On September 1st, we celebrate our birthday and, in order to thank all our loyal followers, we have set up a small giveaway as the least we can do to thank you for all your support. The whole process is powered by Rafflecopter and all you have to do is follow us on Twitter, tweet about our birthday, or visit our Facebook page. Each of these actions will give you one chance to win one of the prizes.

  1. One (1) winner will receive a 12-month Heimdal Pro premium subscription (approximate retail value or "ARV": €34)
  2. One (1) winner will receive a quertyCard (approximate retail value or "ARV": €4.99)
The giveaway will last for the entire September, so the winners will be announced in the first couple of days of October.

You can enter the giveaway through our special Giveaway page.

Friday 28 August 2015

Tell Me Who You Are, and I Will Tell You Your Lock Pattern


You are predictable, your passwords are predictable, and so are your PINs. This simple fact is often exploited by hackers, as well as the agencies watching you. But what about your Android lock patterns? Can who you are reveal what patterns you create?

Pattern unlock is one of the entry protection mechanisms in the Android system for unlocking the screen. It was introduced by Google in 2008. By connecting 4–9 dots in a 3 x 3 grid, the user can set up an unlock pattern which is equivalent to a password or a PIN. As an alternative to the traditional password/PIN, the visual pattern has gained popularity because of its potential advantages in memorability and convenience of input. However, the limited pattern space and existing attacks such as shoulder surfing or the smudge attack make this mechanism weak in security.

A recent study by Marte Loge, as part of her MSc thesis, presents the results from a set of 3400 users and their selected lock patterns.
"Humans are predictable, we're seeing the same aspects used when creating a pattern locks [as are used in] pin codes and alphanumeric passwords."
Lock patterns on Android can contain a minimum of four nodes and a maximum of nine, giving 389,112 possible combinations. As with passwords, the number of possible combinations grows exponentially with the length, at least up to a point.

Loge asked subjects to create three Android lock patterns (ALPs): one for an imaginary shopping app, a second for an imaginary banking app, and the last to unlock a smartphone. Sadly, the minimum four-node pattern was the most widely created one by both male and female subjects, followed by five-node ALPs. For reasons Loge still can't explain, eight-node patterns were the least popular, attracting significantly fewer subjects than nine-node choices, even though both offered the same number of possible combinations.

The minimal use of eight-node patterns, by both males and females, was a surprise. Both sexes were two to four times more likely to choose a nine-node pattern rather than one with eight nodes, even though both provided precisely the same number of possible combinations. Another unexpected finding, left-handed users tended to pick the same starting places as their right-handed counterparts.

Males were much more likely than females to choose long and complex patterns, with young males scoring the highest. The slide below illustrates the overall breakdown between men's and women's choices.

Loge said the number of nodes isn't the only thing that determines how susceptible an ALP is to guessing attacks. The specific sequence of nodes is also key in how complex a pattern is. Assigning the nine nodes the same digits found on a standard phone interface, the combination 1, 2, 3, 6 will receive a lower complexity score than the combination 2, 1, 3, 6, since the latter pattern changes direction.

A team of researchers formalized this scoring system in a 2014 paper titled Dissecting pattern unlock: The effect of pattern strength meter on pattern selection. They analyzed the characteristics of all valid patterns and proposed a way to quantitatively evaluate their strengths. They also designed two types of pattern strength meters as visual indicators of pattern strength.
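The three claims above, that there are 389,112 valid patterns, that eight- and nine-node patterns offer exactly the same number of combinations, and that 2, 1, 3, 6 is more complex than 1, 2, 3, 6 because it changes direction, can all be checked with the following added example (my own code, not from Loge's thesis or the 2014 paper). It enumerates every pattern under the standard Android drawing rule (a move may not jump over an undrawn node that lies directly between two nodes) and scores a pattern by stroke length and direction changes; that score is a simplified metric of my own, not the paper's strength meter.

```python
import math
from functools import lru_cache
from typing import Dict, List, Sequence, Tuple

# Nodes are numbered like a phone keypad, as in the post:
#   1 2 3
#   4 5 6
#   7 8 9
MIN_NODES, MAX_NODES = 4, 9


def _pos(node: int) -> Tuple[int, int]:
    return (node - 1) // 3, (node - 1) % 3


def _skipped_node(a: int, b: int):
    """Node lying exactly between a and b on a straight line, or None.
    Android refuses the move a -> b unless that node is already drawn."""
    (ra, ca), (rb, cb) = _pos(a), _pos(b)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None          # no grid node at the midpoint (e.g. knight moves)
    return ((ra + rb) // 2) * 3 + (ca + cb) // 2 + 1


def is_valid(pattern: Sequence[int]) -> bool:
    """True if Android would accept this node sequence as a lock pattern."""
    if not MIN_NODES <= len(pattern) <= MAX_NODES:
        return False
    if len(set(pattern)) != len(pattern) or not all(1 <= n <= 9 for n in pattern):
        return False
    for i in range(1, len(pattern)):
        mid = _skipped_node(pattern[i - 1], pattern[i])
        if mid is not None and mid not in pattern[:i]:
            return False
    return True


@lru_cache(maxsize=None)
def all_patterns() -> Tuple[Tuple[int, ...], ...]:
    """Every valid pattern, found by depth-first extension of partial paths."""
    found: List[Tuple[int, ...]] = []

    def extend(path: List[int]) -> None:
        if len(path) >= MIN_NODES:
            found.append(tuple(path))
        if len(path) == MAX_NODES:
            return
        for nxt in range(1, 10):
            if nxt in path:
                continue
            mid = _skipped_node(path[-1], nxt)
            if mid is not None and mid not in path:
                continue
            path.append(nxt)
            extend(path)
            path.pop()

    for start in range(1, 10):
        extend([start])
    return tuple(found)


def count_by_length() -> Dict[int, int]:
    """How many valid patterns exist for each node count."""
    counts = {n: 0 for n in range(MIN_NODES, MAX_NODES + 1)}
    for p in all_patterns():
        counts[len(p)] += 1
    return counts


def total_patterns() -> int:
    return len(all_patterns())


def physical_length(pattern: Sequence[int]) -> float:
    """Sum of Euclidean distances between consecutive nodes, in grid units."""
    return sum(math.dist(_pos(a), _pos(b)) for a, b in zip(pattern, pattern[1:]))


def direction_changes(pattern: Sequence[int]) -> int:
    """Number of times the stroke changes heading."""
    headings = []
    for a, b in zip(pattern, pattern[1:]):
        (ra, ca), (rb, cb) = _pos(a), _pos(b)
        dr, dc = rb - ra, cb - ca
        g = math.gcd(abs(dr), abs(dc))
        headings.append((dr // g, dc // g))
    return sum(1 for h1, h2 in zip(headings, headings[1:]) if h1 != h2)


def complexity_score(pattern: Sequence[int]) -> float:
    """Simplified score (my own): longer strokes and more turns score higher."""
    return physical_length(pattern) * math.log2(len(pattern) + direction_changes(pattern))


if __name__ == "__main__":
    print(count_by_length(), "total:", total_patterns())
    for p in ((1, 2, 3, 6), (2, 1, 3, 6)):
        print(p, "turns:", direction_changes(p), "score: %.2f" % complexity_score(p))
```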

Data breaches over the years have repeatedly shown some of the most common passwords are "1234567", "password", and "letmein". Loge said many ALPs suffer a similar form of weakness. More than 10% of the ones she collected were fashioned after an alphabetic letter, which often corresponded to the first initial of the subject or of a spouse, child, or other person close to the subject. The discovery is significant, because it means attackers may have a one-in-ten chance of guessing an ALP with no more than about 100 guesses. The number of guesses could be reduced further if the attacker knows the names of the target or of people close to the target.

Loge had several suggestions for ways to make lock patterns more secure. The first, naturally, is to choose one with more nodes and a higher complexity score. Another is to incorporate crossovers, since it makes it harder for an attacker looking over the target's shoulder to trace the precise sequence. Better yet, she suggested people open the Security category in their Android settings and turn off the "make pattern visible" option. This will prevent the drawing of lines that connect each pattern node, making shoulder surfing even more difficult.

Full disk encryption won't save you if your lock pattern is L - as in "loser"

Sunday 2 August 2015

Patch Management for Home Users


For system administrators, patch management is a routine activity. But for most home users, patch management is uncharted waters. When to patch products and how often patches need to be applied are questions that most home users never think about. Knowing what to patch and when can make a difference in the security of your home computer or network.

First things first, let's clarify some terms. The following definitions come from a post by Allen Householder on the CERT blog.

Zero Day Exploit (a.k.a 0-day)

There are many definitions of zero-day exploit available. These definitions are not merely diverse wordings that map onto the same concepts; they refer to distinct (albeit related) concepts.

"A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known. There are zero days between the time the vulnerability is discovered and the first attack." — SearchSecurity

By the way, nothing in this definition talks about patch availability. We'll come back to that in a moment.

"A zero day exploit attack occurs on the same day a weakness is discovered in software. At that point, it's exploited before a fix becomes available from its creator." — Kaspersky

Stating it explicitly: if the following events occur (a) a vulnerability is announced by a vendor, (b) a patch is provided along with the announcement, and (c) it is exploited on the same day (whatever you decide that means, just be consistent), definition 1 says it's a zero-day exploit while definition 2 says it isn't.

"An attack on a software flaw that occurs before the software's developers have had time to develop a patch for the flaw is often known as a zero-day exploit. The term "zero-day" denotes that developers have had zero days to fix the vulnerability. It can also refer to attacks that occur on the same day (day zero) a vulnerability is disclosed. In fact, some zero-day exploits are the first indication that the associated vulnerability exists at all." — Tom's Guide

Here we find that the definition hinges on the existence of a patch. A strict interpretation of this definition would permit someone to apply the zero-day exploit label even if the vulnerability is known to the vendor and the public long before the first attack. The vulnerability may have been known to the vendor for months, and a patch may be in development but not yet exist. Thus definition 3 directly conflicts with both definitions 1 and 2 above. Definition 1 says nothing of patches. Definition 2 talks about patch availability, not existence.

"Zero-day attacks...software or hardware vulnerabilities that have been exploited by an attacker where there is no prior knowledge of the flaw in the general information security community, and, therefore, no vendor fix or software patch available for it." — FireEye

Granted, this definition is for a zero-day attack, but since it mentions exploitation, I think we are justified to include it here. FireEye adds hardware to our growing list of definitions. Further, they discriminate based on the state of knowledge of the general information security community, with the implication that if that community is unaware of the vulnerability, there must not be a patch available. From context, this general information security community appears to be larger than the affected vendor(s) yet smaller than the public. So while it shares some degree of overlap with the other definitions discussed above, it remains distinct in its referents.

There is no generally accepted formal definition for "0Day (also known as zero-day) vulnerability." The term has been used to refer to flaws in software that no one knows about except the attacker. Sometimes the term is used to mean a vulnerability for which no patch is yet available.

Shortly after, the Italian firm Hacking Team was hacked, and at least two zero-day exploits the firm possessed were released to the public, along with about 400GB of company emails and other data.

Hacking Team has long been a source of controversy because the company sells surveillance tools to law enforcement and intelligence agencies around the world—among them repressive regimes that use the tools to spy on human rights activists and political dissidents.

But the hack of last week highlights another serious issue around Hacking Team and companies like it that stockpile or store zero-day exploits, including software vendors who run bug bounty programs: they can be rich targets for hackers who might want to steal the zero-days to use them for nefarious purposes or sell them. This places an added onus on companies to protect their repositories to prevent the zero-days from getting into the hands of unintended parties.

Automating Patch Management

Enable auto-update for your software. Apply patches whenever a program asks (needs) to be updated. Although such updates are not always issued for security reasons, a security patch may ship along with them. Microsoft Windows offers automatic Windows updates, and in its newest release, Windows 10, installing them is no longer optional. So updating Windows is easier than ever when users choose this option.

Problems with Patches

The main risk with patching software is breaking other programs. This is usually only the case with updates to larger programs that other programs depend on, such as operating systems, anti-virus software, etc. Applications that no other software relies on are usually immune from this. During automated patch management this may happen without you realizing it. The problem can be combated with manual patching, but knowing when and what to patch may be a hassle for home users.

When to Patch?

The short answer is: as soon as a stable patch or fix is released by the vendor. It is good practice to check for patches to your software products about once per month. If you use your computer on a daily basis, or the computer stays online constantly, as with high-speed connections, you may need to opt for a stricter patch schedule, such as weekly or bi-weekly. Of course, using automated patch management software can eliminate the need for such time-consuming tasks.

As mentioned, automating patch management can save much time and energy. Check with your software vendor for information on when patches are usually available. And also check if the program offers automatic updates to its software. This mundane task can be handled with little user intervention and may be possible to run at times when the computer is idle or late at night when it is not in use and doesn't restrict your browsing bandwidth.

Act proactively in order to minimize exposure to known vulnerabilities and zero day attacks.



Information Security League, through our partnership with Heimdal Security, offers you a 70% discount to the Heimdal Pro. Just use infosecleague34 as voucher code in their site when you order the product.

Wednesday 29 July 2015

Stagefright: The Latest Android Phobia


Zimperium zLabs discovered what they believe to be the worst Android vulnerabilities found to date. They are nicknamed 'Stagefright' after the affected component, a media library that processes several popular media formats. Since media processing is often time-sensitive, the library is implemented in native code (C++), which is more prone to memory corruption than memory-safe languages like Java.

These issues in the Stagefright code critically expose 95% of Android devices, an estimated 950 million devices. Attackers need only your mobile number; with it they can remotely execute code via a specially crafted media file delivered by MMS.

Android devices since version 2.2 are vulnerable. Devices running Android versions prior to Jelly Bean (roughly 11% of devices) are at the worst risk due to inadequate exploit mitigations.

The Stagefright vulnerability was assigned the following CVEs:
  • CVE-2015-1538
  • CVE-2015-1539
  • CVE-2015-3824
  • CVE-2015-3826
  • CVE-2015-3827
  • CVE-2015-3828
  • CVE-2015-3829
Fixes for these issues require an OTA firmware update for all affected devices. The bug was reported by Zimperium zLabs in April, in order to give Google enough time to fix the problem and send patches out to its partners. The security company says that Google has done so, but that most manufacturers, working at the traditionally slow pace of Android phone partners, have not yet pushed the fixes to users. Devices older than 18 months are unlikely to receive an update at all.

Risk mitigation

Consider changing the settings on your Android apps that use MMS, like Messaging and Hangouts. Deselect “automatically retrieve MMS messages.” In the meantime, consider using alternate messaging services.

Beyond that, keep your phone number private. The researchers plan to present more details at the Black Hat conference next month.

Image credit: Stagefright, Zimperium blog

Τετάρτη 1 Ιουλίου 2015

Cyber Safety Tips for Summer Vacation


Haven't taken your summer vacation yet? You should make sure that you enjoy your vacation to the fullest by avoiding the stress of dealing with identity theft.

Last Day in the Office
When you will be away from work for an extended period, make sure your computer, external drives and other copies of sensitive information are behind a locked door, in a locked cabinet, or under close supervision from others. Before traveling with your computer, make sure you have a current backup of your files.

Be Cautious of Public WiFi Networks
When you connect to email, social networking sites or online stores via public WiFi, make sure you are using a secure connection (https://), so that traffic is encrypted and no one else can read the information. Always check with the hotel first to connect to their network properly and to confirm the correct SSID (bad guys might try to set up sneaky networks like “Hotel_Free_Wireless”). Consider turning off the features on your computer or mobile devices that connect to WiFi networks automatically.

Save the (Public) Social Media Vacation Posts Until You Get Back Home
It may be tempting to post details of where and when you'll be traveling, but don't. By revealing such specifics, you are providing information that could be used by criminals to target your home while you're gone. Before you post your travel plans or vacation photos on Facebook or Twitter, stop and think: ‘who will be able to see this?’. Another common scam involves compromising email accounts to contact your friends or family with requests for help, claiming that you were robbed while on vacation and need money. Sending private posts and photos during your vacation to family and friends is ok, but if you post them publicly, you increase the risk of someone using that information for malicious activities. Also, make sure your children understand what, and when, they should post regarding your vacation plans.

Mobile Devices
If you are traveling with a laptop computer or USB drives, don't get separated from your computer bag. When getting out of a taxi, bus or train, be sure you have all of your items with you. Back up any important data before traveling, and make sure your smartphones and tablets are locked with a security code/PIN to protect them if stolen. Most devices allow you to activate a GPS tracking option to locate the device if it is stolen. If your device goes missing, report it immediately to the police and your service carrier. If the thief might have access to your banking, email and other accounts, change your passwords immediately.

Monitor Account Activity
Prior to your trip, write down important contact numbers such as credit card, banking and your cell phone customer service so you can quickly report any lost or stolen items. When you return from your trip, use a secure network to check your online bank account for any unauthorized purchases while you were gone.

Have a great and safe summer!

Τρίτη 5 Μαΐου 2015

Financial Malware: Past and Present


Malware is not only increasingly diversified and capable, but also easier to create. Through 2015, this widespread threat will continue to grow unabated. An effective cyber criminal effort could just as well be built on an overwhelming number of simple pieces of malware as on a monolithic, state-level attack. There are two primary mitigation vectors that can be used against such powerful financial malware - backend protection and specialized endpoint protection.

Malicious software (aka malware) affects us all. Modern malware ranges from keyloggers to ransomware to spyware to botnets. Arguably the most advanced are financial trojans, which are capable of emptying bank accounts in seconds. The Zeus toolkit has stolen hundreds of millions of dollars globally in recent years, and is one of the most effective financial trojan platforms. This platform has been used to launch other powerful financial malware such as KINS and Citadel, which have stolen millions of dollars from banks in 2013 alone.

The two main mitigation vectors against this blitz of advanced malware are backend protection and specialized endpoint protection. Backend protection involves the bank implementing multiple controls which are unseen by the average bank customer. They may involve building powerful antifraud risk engines on big data, implementing dual custody for wire and ACH transactions, and limiting customer transfer limits. They are generally very slow rollouts and resource intensive.
Endpoint protection involves placing software on the customer endpoint, typically PC and Mac devices. Effective endpoint protection against financial malware is not commonly found in consumer antivirus suites. Modern financial malware uses techniques such as packing and polymorphic encryption to completely bypass detection by well-known antivirus suites. Zeus has historically been so effective at avoiding antivirus detection that other cybercriminals have adopted it: since its source code leaked in 2011, Zeus has been used to send spam and steal Facebook credentials in addition to stealing bank credentials. The average antivirus detection rate for Zeus is still only 40.1%, with many of those detected being early Zeus versions.

Zeus, ZeuS, or Zbot is Trojan horse malware that runs on versions of Microsoft Windows. While it is capable of being used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. Gameover Zeus was first developed in September 2011, and runs on infected devices, where it is used to intercept online banking transactions, defrauding customers and banks. Zeus controllers can fine-tune the copy of Zeus they are using to steal only the information they are interested in; typically login credentials for online social networks, e-mail accounts, online banking or other online financial services.

Citadel
Citadel is a relatively recent incarnation of Zeus, first appearing in February 2012. The owners of Citadel are actively building on the leaked Zeus source code (2.0.8.9) and adding new functionality. 2013 was a banner year for cyber criminals. Their tools have greatly evolved, and new advanced malware suites are now available. Hesperbot, Shylock, Beta Bot, KINS and Carberp are also now being used against banks, and this trend shows no sign of abatement.

According to Symantec, the number of detections of financial malware dropped off significantly in 2014. The total number of common financial Trojans detected decreased by 53%, while financial phishing emails fell by 74%. The U.S. had the most detections, with the UK and Germany rounding out the top three.

While some malware families such as Trojan.Shylock nearly disappeared, others such as the new spin-off threat Infostealer.Dyranges stepped into the void, blogged Symantec security researcher Candid Wueest.
"In the U.S., there is a larger number of potential organizations to target, many of whom conduct banking online and have more wealth across the board, making the U.S. a good target for the attacker in terms of revenue per infection."
In July 2014, an operation led by the UK National Crime Agency (NCA) and European Cybercrime Centre (EC3) at Europol resulted in the seizure of command and control servers and domains used by Trojan.Shylock. Shylock has been observed being distributed by at least five different exploit kits, including Nuclear and Blackhole. After the takedown, the number of Shylock infections fell by more than half, according to Symantec. 

Over the past couple of months, the FS-ISAC SOC has been tracking malicious activity associated with the Neverquest banking trojan. Neverquest is a new variant of the Vawtrak banking trojan that primarily targets online banking customers in the US and Asia-Pacific countries. It is primarily a credential-stealing Trojan that targets the login credentials for specific websites. Like other credential-stealing malware, Neverquest leverages a “trigger list” of URLs and keywords to identify when an infected user logs into a secure banking site or other targeted secure website. Recent configurations show a shift to include social networking sites, gaming sites, and online retailers in the target list. Other optional functionality reportedly includes a VNC module to provide remote control of an infected computer, and a webinject module to collect additional information from victims. Recent related campaigns use the Chanitor malware downloader for initial infection and to download the Neverquest malware to the victim’s computer. Chanitor primarily leverages malicious macros in Microsoft Word documents, which are typically delivered via phishing emails, although they could also be hosted on malicious or compromised websites.
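Since the Chanitor campaigns described above arrive as Word documents with embedded macros, a mail gateway or SOC triage script can flag such attachments by content rather than by file extension. The following is an added example, not code from FS-ISAC or the original post; the sample documents are constructed inline with Python's standard library, and the classification relies only on well-known container formats (OOXML ZIP parts and the OLE2 magic bytes).

```python
"""Triage Word attachments for embedded VBA macros (added example, constructed samples).

Modern Office files (.docx/.docm) are ZIP containers; a macro-enabled
document ships its VBA project as word/vbaProject.bin.  Legacy .doc files
are OLE2 compound files (magic D0 CF 11 E0 A1 B1 1A E1) and need an OLE
parser such as oletools for a definitive answer, so they are flagged for
deeper inspection rather than cleared.  Extensions are not trusted: a
.docm renamed to .docx still carries its macros.
"""
import io
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
VBA_PART = "word/vbaProject.bin"


def classify_word_attachment(data: bytes) -> str:
    """Return 'macro', 'clean', 'legacy-ole' or 'not-office' for raw attachment bytes."""
    if data.startswith(OLE2_MAGIC):
        # Binary .doc/.xls: macros live in OLE streams, out of scope here.
        return "legacy-ole"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "not-office"
    if "[Content_Types].xml" not in names:
        # A ZIP without the OOXML content-types part is not an Office document.
        return "not-office"
    # Match case-insensitively and by suffix: the VBA part is occasionally
    # relocated or renamed inside the package.
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        return "macro"
    return "clean"


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container for testing (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr(VBA_PART, b"\x00constructed-vba-blob")
    return buf.getvalue()


def triage(attachments: dict) -> dict:
    """Classify a mapping of filename -> bytes; filenames are reported, never trusted."""
    return {name: classify_word_attachment(blob) for name, blob in attachments.items()}


if __name__ == "__main__":
    # Constructed phishing-style attachment set; note the macro document
    # disguised with a .docx extension.
    samples = {
        "invoice.docx": build_sample_docx(with_macro=True),
        "agenda.docx": build_sample_docx(with_macro=False),
        "old_report.doc": OLE2_MAGIC + b"\x00" * 64,
        "readme.txt": b"plain text, not an Office file",
    }
    for name, verdict in triage(samples).items():
        print(f"{name}: {verdict}")
```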

Are traditional antivirus suites effective against financial malware? I would say no. Most common desktop antivirus suites have a hard time detecting modern financial malware and protecting endpoints from it. New financial malware is highly targeted, and antivirus vendors do not see copies in the wild until the malware has gone mainstream, by which time cybercriminals will have moved on to newer malware, having successfully raided countless bank accounts. While it is true that some malware attacks utilize "zero-day" vulnerabilities (vulnerabilities that have only just been discovered, also referred to as 'unknown vulnerabilities'), these attacks are a tiny minority. The reason is that zero-day, unknown vulnerabilities are hard to discover and are thus expensive and relatively few in number. Rather than being reactive to threats and relying on aging solutions such as blacklist-based malware detection, an effective security architecture should incorporate practices such as proactive network monitoring with deep discovery, as well as tools that protect endpoints and cloud assets.

Πέμπτη 9 Απριλίου 2015

Does IT Security Fail?


RSA, the security division of EMC, with the contribution of Northeastern University, recently published a report on the reasons why the IT security sector fails to effectively address modern cyber attacks. The report highlights the challenges faced by the industry and elaborates on the best practices an organization can build on to achieve in security what it has managed to achieve so far elsewhere. It also includes practical advice for IT security professionals that can help improve the strategy and tactics with which they face modern threats.

The main messages of the report:

Attacks on an organization's IT infrastructure are multiplying, and so is the economic damage that accompanies them.

The economic impact of these attacks is significant and continues to grow.

According to The Global State of Information Security® Survey 2015, the number of detected attacks worldwide increased by 48%, to 42.8 million, which is equivalent to 117,339 attacks per day. Since 2009, attack incidents have been growing at 66% annually. The economic losses due to detected attacks worldwide rose to US$2.7 million, about 34% higher than in 2013.

The report notes that the lack of awareness of risk is one of the most vulnerable points in terms of IT security in the US.

The amounts invested in cyber-attack prevention technologies (prevention-based security) are disproportionately high in relation to spending on solutions that can detect and adequately respond to these attacks. Moreover, the situation is aggravated by a "skills shortage". It is important to note that IT security should be based on adequate preparation. One needs a thorough understanding of the business processes and entire operation of an organization, as well as the ability to collect and analyze all information related to the security of the IT infrastructure. Organizations that do not have adequate staff or experience to deal with such situations should consider whether they need to strengthen the internal IT security team or buy specialized cloud-based services to protect their infrastructure more fully.

Recommendations for better preparation against threats

The focus should now be not on which attacks were detected or how successfully would-be intruders were kept out, but on which ones got through, where protection may be inadequate, and which attacks may have gone unnoticed.

Preparation - Vigilance and sustained attention should be an inherent feature of any plan to protect an organization's IT infrastructure. Access control systems cannot by themselves defend effectively against modern attackers, who launch attacks at high speed and keep drawing on new weapons to exploit any weakness in protective systems.
Setting priorities - Not every IT system and every piece of information has the same value. Each organization should define what is critical for a particular function (mission-critical) and what is critical for the activity as a whole (business-critical): which attack would prevent the future development of the company, and which would set it back many years or put it out of the market.
Customization - Those professionally engaged in IT security should first understand the nature of the changes that have occurred in infrastructure - cloud, mobility, BYOD etc. - and then methodically prepare a defensive plan and the corresponding tactics to neutralize new and sophisticated threats.
Light everywhere - There should be no 'dark' spots in the IT infrastructure where intruders could hide or escape notice. Using the tools offered by modern technology, together with examining the behavior of each user and each device connected to the network infrastructure, helps an organization equip itself better.
Flexibility - A business cannot operate under a system of strict policing. Staff should be given freedom and flexibility, with, to some extent, respect for private activity and a sense of trust. Education and communication with staff should be continuous, so that users understand and are ready to react properly to attacks that arrive through social networks (social engineering).

Πέμπτη 2 Απριλίου 2015

The Future of Cyber Crime


Over the past years we have witnessed the illegal uses of the Internet completely change in form, shape, and objectives. Today's hackers are often members of organized crime who hack computers for profit or even for political power. Motivated by radical new goals and armed with exceptional programming skills, they pose a major challenge to cybercrime researchers and law enforcement investigators alike. The field of cybercrime is a multidisciplinary area that includes law, computer science, finance, telecommunications, and data analysis.

Online security companies have made their predictions for 2015, from the malware that will be trying to weasel its way onto our computers and smartphones to the prospect of cyberwar involving state-sponsored hackers. WebSense suggests, “Cybercriminals upping their game are perfecting their campaign abilities previously associated only with advanced, targeted attacks. These advanced tactics designed to evade most modern email security solutions are quickly becoming the new norm as more sophisticated email threats increase...”

A parallel trend cited by several information security companies is the prospect of attacks on bigger companies in the private and public sector, with cybercriminals having specific goals in mind. Executives at some of the world’s largest banks are pressing government officials to pursue cyber criminals more aggressively or to let the industry off the leash to fight them directly. The topic has shot up the agenda at the World Economic Forum in Davos this year, partly because of a series of high-profile incidents in the past 12 months, including the theft from JPMorgan Chase of data belonging to 75 million US households. Cybercriminals go after bigger targets rather than home users because this generates more profit for them. We will see more data breach incidents, with banks, financial institutions, and customer data holders remaining attractive targets.

One of the most common forms of malware in 2014 was “ransomware” – cybercriminals trying to extort money from victims either by locking their devices and demanding a fee to release them, or by accusing them of various unpleasant crimes. Ransomware will be a key strategy for malware developers and it will be a more relevant threat in coming years. During 2014, we have seen big companies hit by ransomware (like Yahoo, Match and AOL). In December 2014, in a panel discussion called “Cybercrime 2020: The Future of Online Crime and Investigations” it was said that "...ransomware is the future of consumer cybercrime".

As more of our devices talk to one another – the “Internet of Things” – there may be a range of new cybersecurity headaches to think about,  from domestic appliances to home security and climate control. It has to be said that some reporting on IoT hacking has exaggerated the scale of the problem. While it probably won’t be a massive problem next year, it is an emerging space for cyber crime.

As 2014 ended with the now-infamous hack of Sony Pictures – with intense debate about whether North Korea was involved – security firms see 2015 bringing a greater prospect of cyberattacks on behalf of nation states, even if the states don’t run them themselves. Cyber warfare is very attractive to small nations. Developing government-built malware is cheaper than any conventional weapon and far more accessible to any nation-state. Cyber warfare represents for every government an efficient alternative to conventional weapons. The boundaries between cybercriminal gangs and governments may also blur. “Criminal groups will increasingly adopt nation-state tactics,” predicts Kaspersky.

One suggested solution is cyber security awareness and advice – where the public and businesses can go to get the information they need to protect themselves, how to implement basic controls to protect their data and privacy, and finally who to trust online and who to avoid.

Τετάρτη 25 Μαρτίου 2015

Setup an Information Security Awareness Program


Protecting corporate data should be part of any organization-wide information security awareness program. The security awareness program should be delivered in a way that fits the overall culture of the organization and has the most impact on personnel. Security awareness should be conducted as an ongoing program, so that training and knowledge are not just delivered as an annual activity but used to maintain a high level of security awareness on a daily basis. Ensuring staff are aware of the importance of data security is key to the success of a security awareness program and will assist in meeting various standards’ requirements.

The first step in the development of a formal security awareness program is assembling a security awareness team. This team is responsible for the development, delivery, and maintenance of the security awareness program. The size and membership of the security awareness team will depend on the specific needs of each organization and its culture.

Security awareness may be delivered in many ways, including formal training, computer-based training, e-mails, memos, notices, bulletins, posters, etc. It is important to target cyber security awareness notifications to the appropriate audience to ensure the information is read and understood. By disseminating security awareness training via multiple communication channels, the organization ensures that employees are exposed to the same information multiple times in different ways. By targeting the material and communication channel to relevant personnel, the security awareness team can improve adoption of the security awareness program. One key to an effective security awareness program is in targeting the delivery of relevant material to the appropriate audience in a timely and efficient manner.

Role-based security awareness provides organizations a reference for training personnel at the appropriate levels based on their job functions. Establishing a minimum awareness level for all personnel (management and employees) can be the base of the security awareness program. The first task when scoping a role-based security awareness program is to group individuals according to their job functions within the organization. Having a team in place will help ensure the success of the security awareness program through assignment of responsibility for the program. A solid awareness program will help all personnel to recognize threats, see security as beneficial enough to make it a habit at work and at home, and feel comfortable reporting potential security issues.

Management leadership and support for the security awareness program is crucial to its successful adoption by staff. Managers are encouraged to:

  • Encourage personnel to actively participate and uphold the security awareness principles.
  • Model the appropriate security awareness approach to reinforce the learning obtained from the program.
  • Include security awareness metrics into management and staff performance reviews.

As stated above, it is recommended that training content be determined based on the role and the organization’s culture. The security awareness team may wish to coordinate with the appropriate business units to classify each role in order to determine the level of security awareness training required for those specific job duties. This is vital in developing content, to avoid “over-training” or “under-training” an employee. In addition to general security awareness training, it is recommended that personnel be exposed to general concepts of data security, according to their role in the organization, to promote proper data handling throughout the organization.

Training materials should be available to all areas of the organization, for example via the corporate intranet. Choosing which materials to use in a security awareness training program is highly dependent on the organization. Each organization should consider its culture when selecting the materials to use for the security awareness training. The following are examples of reference materials that may help in the development of a Security Awareness Program:

  • National Institute of Standards and Technology (NIST) Special Publication 800-50, Building an Information Technology Security Awareness and Training Program, www.nist.gov
  • International Standards Organization (ISO) 27002:2013, Information technology -- Security techniques -- Code of practice for information security controls, www.iso.org
  • International Standards Organization (ISO) 27001:2013, Information technology — Security techniques — Information security management systems, www.iso.org
  • COBIT 5 Appendix F.2, Detailed Guidance: Services, Infrastructure and Applications Enabler, Security Awareness, www.isaca.org/cobit
Additionally, due to the increased focus on cyber security awareness, many government agencies and industry bodies provide training materials to the public at no cost.

To ensure all personnel are engaged stakeholders in the security awareness program, the roles and responsibilities of all staff to protect corporate data should be outlined during all security awareness training, in accordance with organizational policy.
Because data is at risk both in electronic form and in non-electronic (paper) form, it is recommended that the different ways to safeguard information for different media be covered at a basic level for all personnel. For instance, considerations for protecting data in electronic format may include secure storage, transmission and disposal. Considerations for paper-based formats may also include secure storage and disposal as well as a “clear desk” policy. Without an understanding of how different media types need to be protected, personnel may inadvertently handle data in an insecure manner.
Another important consideration for inclusion in general security training is awareness of social engineering attacks. One way an attacker may use social engineering is to acquire a user’s credentials and work their way through the organization from a low-security area to a high security area. Tailoring this awareness to reflect the types of attacks that the organization may encounter provides the most effective results. Users should be aware of the common methods by which fraudsters, hackers or other malicious individuals might try to obtain credentials, payment card data, and other sensitive data, to minimize the risk of personnel unintentionally disseminating sensitive information to outsiders. Training in organizational policies and procedures that specify proper data handling, including sharing and transmission of sensitive data, is also recommended.
Feedback on training content and comprehension are key to ensuring personnel understand the content and the organization’s security policies.
In addition to content for all personnel, management training should include more detailed information regarding the consequences of a breach to management stakeholders. Management should understand not only the monetary penalties of failing to safeguard assets, but also the lasting harm to the organization due to reputational (brand) damage.
As previously discussed, management will need to understand security requirements enough to discuss and reinforce them, and encourage personnel to follow the requirements. It is recommended that management security awareness training include specific content relevant to the area of responsibility, particularly areas with access to sensitive data.
Management that is security-aware better understands the risk factors to the organization’s information. This knowledge helps them make well-informed decisions related to business operations. Managers who are security-aware can also assist with development of data security policies, secure procedures, and security awareness training.

Metrics can be an effective tool to measure the success of a security awareness program, and can also provide valuable information to keep the security awareness program up-to-date and effective. The particular metrics used to measure the success of a security awareness program will vary for each organization based on considerations such as size, industry, and type of training.

Σάββατο 14 Μαρτίου 2015

Ides of March


So, you have studied hard and succeeded in your CISA exams. You passed a strict selection process and got the certification. You abide by the code of professional ethics. And now what?
Sometimes people forget, quite quickly... Being an auditor does not mean that you have ascended to some semi-divine rank where you see mortal mistakes as a sin that needs to be crushed. Users are sinful, but so are the auditors. Please bear in mind that you were once among the users; do not forget that. Perhaps a poem for wannabe "CISARS" will change your mind; read it just before your next audit.

Historical background: Artemidoros tried - without success - to warn Julius Caesar on March 15 - Ides of March - about the assassination conspiracy led by Brutus.


Ides of March, The Canon

Be fearful of exalted rank, o soul.
And if you are unable to subdue
your aspirations — doubtingly pursue them
and with precautions. And the more you rise,
the more examining, the warier be.

And when you are arrived at the supreme
height of your glory — a Caesar, as it were:
when you are become a man so widely famed:
then specially be wary — at such time
as you come out into the thoroughfares,
a noted ruler with great following:
if peradventure, from the multitude,
some friendly person, an Artemidorus,
bringing a paper, should press near to you
and rap out sharp “Read this without delay;
herein are weighty matters touching you”,
fail not to tarry; fail not to postpone
all talk or business; fail not to turn off
the different hangers-on who bow and scrape,
(you will attend to them in time); let even
the Senate wait; — leave all, and learn at once
the grave things written by Artemidorus.

--Poems by C. P. Cavafy. Translated, from the Greek, by J. C. Cavafy. Ikaros, 2003

Δευτέρα 2 Μαρτίου 2015

UI Interference Attack


The method relies on exploiting shared memory, meaning the memory that almost all programs use to store the nuts and bolts of their work and that enables different processes running on the operating system to share data between them.
In this case, it is the shared memory of the graphical user interface (GUI) framework that can be used to determine every UI state change, and it can be accessed without special permissions.
Knowing this state change, the attacker can tell when sensitive data are being photographed, typed or otherwise used, and can then transmit them to a receiving application. Of course, this method requires injecting a spy application into the targeted OS, and the researchers claim the attack works on almost all current OSes. Such a GUI confidentiality breach is indeed possible, with serious security consequences.

So let’s look into the Android exploit that has already been published. The fundamental reason for such a confidentiality breach lies in the Android GUI framework design, where every UI state change can be unexpectedly observed through publicly accessible side channels. Specifically, the major enabling factor is a newly discovered shared memory side channel, which can be used to detect window events in the target application. This side channel exists because shared memory is commonly adopted by window managers to efficiently receive window changes or updates from running applications.

A window manager is system software that interacts with applications to draw the final pixels from all application windows into the frame buffer, which is then displayed on screen. After evolving for decades, the most recent design is called a compositing window manager, which is used in virtually all modern OSes. Unlike its predecessors, which allow individual applications to draw to the frame buffer directly, a compositing window manager requires applications to draw their window content to off-screen buffers first, and uses a dedicated window compositor process to combine them into a final image, which is then drawn to the frame buffer.

In Android, the UI state the attack infers is called an Activity. An Activity provides a user interface (UI) for the user and draws it to an off-screen buffer. Client refers to the application, and server refers to the window compositor.
Due to security concerns, by default apps cannot know which Activity is currently shown in the foreground unless they are its owner or the central Activity manager.
An Activity may display different content depending on the app state. For instance, a dictionary app may have a single “definition” Activity showing different texts for each word lookup. These distinct displays are called View States, denoting the state of the user experience.

Activity transition
In Android, multiple Activities typically work together and transition from one to another to support the functionality of an app as a whole. For example, during a typical transition the current foreground Activity pauses and a new one is created. Android maintains a Back Stack storing the current and past Activities. To prevent excessive memory usage, at any point in time only the top Activity has its window buffer allocated. Whenever an Activity transition occurs, the off-screen buffer for the new Activity window is allocated and the buffer for the existing Activity window is deallocated.
Activity transitions can occur in two ways: a new Activity is created (create transition), or an existing one resumes when the BACK key is pressed (resume transition), corresponding to push and pop actions on the Back Stack.
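The Back Stack rules above can be modelled in a few lines. The following is an added example, not code from this post or from the research it summarises; it is a toy Python model of the Back Stack and of the rule that only the top Activity owns an off-screen window buffer. The `events` list records the buffer allocations and deallocations in order, which is exactly what makes a transition observable: every create (push) and every resume (pop) produces a free/alloc pair, regardless of which kind it was. Activity names are constructed for the example.

```python
# Added example: toy model of Android's Back Stack and window-buffer ownership.
# Not the Android framework's code; names such as BackStackModel are made up.


class BackStackModel:
    def __init__(self):
        self.stack = []         # Activity names, bottom to top
        self.allocated = set()  # Activities currently holding a window buffer
        self.events = []        # ("free", name) / ("alloc", name), in order

    def top(self):
        return self.stack[-1] if self.stack else None

    def _switch(self, old, new):
        # Every transition deallocates the old top's buffer and allocates
        # the new top's buffer; nothing else ever holds one.
        if old is not None:
            self.allocated.discard(old)
            self.events.append(("free", old))
        self.allocated.add(new)
        self.events.append(("alloc", new))

    def create(self, name):
        """Create transition: push a new Activity onto the Back Stack."""
        old = self.top()
        self.stack.append(name)
        self._switch(old, name)

    def back(self):
        """Resume transition: BACK pops the top Activity and resumes the one beneath."""
        if len(self.stack) < 2:
            raise ValueError("BACK on the last Activity exits the app; not modelled")
        old = self.stack.pop()
        new = self.top()
        self._switch(old, new)
        return new

    def invariant_holds(self):
        """At any time exactly the top Activity (and only it) has a buffer."""
        expected = {self.top()} if self.stack else set()
        return self.allocated == expected

    def observable_trace(self):
        """What a shared-memory observer sees: buffer events without Activity names."""
        return [op for op, _ in self.events]


def run(transitions):
    """Replay a list of Activity names (create) and the token "BACK" (resume)."""
    model = BackStackModel()
    for step in transitions:
        if step == "BACK":
            model.back()
        else:
            model.create(step)
        assert model.invariant_holds()
    return model


if __name__ == "__main__":
    m = run(["MainActivity", "LoginActivity", "BACK"])
    print("stack:", m.stack)
    print("buffers:", sorted(m.allocated))
    print("events:", m.events)
    print("observable:", m.observable_trace())
```

Running the script shows that after `MainActivity` creates `LoginActivity` and the user presses BACK, the stack is back to `["MainActivity"]`, only `MainActivity` holds a buffer, and the observable trace is the same alternating alloc/free pattern for both the push and the pop.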

With these fundamentals in mind, we will try to explain this novel attack on our beloved smartphones, and perhaps on all the new OSes we use.

LoginActivity Attack Overview
The spy app uses Activity hijacking to determine when the state it is looking for comes into focus. Let’s take a typical login screen, such as the Facebook or PayPal login.
When the real LoginActivity is about to enter the foreground, the attack app simultaneously injects a pre-prepared phishing LoginActivity into the foreground, timed precisely so that there is no visual disruption. This enables the spy app to steal the login data while still logging the user in to the genuine application, so the hijack leaves no visible trace.

Camera Peeking Attack Overview
Due to privacy concerns, many apps keep photos shot with the camera only in memory and never make them publicly accessible, for example by writing them to external storage. This applies to many apps, such as banking apps (e.g. Chase), shopping apps (e.g. Amazon) and search apps (e.g. Google Goggles).
Such photos contain highly sensitive information such as the user’s life events, shopping interests, home address and signature (on a check). With Activity tracking, such sensitive and well-protected camera photos can be stolen by a background spy app, which targets the specific photo shot by the user instead of random shots of the environment.
This attack uses the OpenGL library that many new phones and tablets use, which offers a very high frame rate and does not require the sound to be turned off, because it does not trigger the shutter sound.
Even though Android disallows taking photographs in the background, it still queues camera usage requests while the camera is in use. So when the user photographs something important, the Activity tracker tells the spy app to take another photo just as the camera is released and the user returns to the application they were using.
The camera has a very short release time of about 500 ms, so the spy app can take another shot of the sensitive data milliseconds after the original, which makes it very likely that the user is still pointing at the document.

There will be information about defending ourselves against these attacks soon.


Image by Benjamin F. Clay CC BY-SA 3.0

Saturday 28 February 2015

Windows Server 2003 - The End Is Near


In July 2015 Microsoft will end Extended Support for Windows Server 2003. This means that standard, packaged support offerings will no longer be available and that Microsoft will stop issuing security patches for this product. Organizations that stay on the Windows Server 2003 platform beyond the termination date will therefore be exposed to significant risk, and they need to start planning a migration to Windows Server 2012 R2 as soon as possible. This also poses a significant opportunity for organizations to take a closer look at their entire IT infrastructure, given the significant evolution of all IT technology layers over the past 10 years.

While organizations can potentially negotiate custom support agreements with Microsoft to provide security patches beyond the cut-off date, this will inevitably raise support costs significantly. Microsoft will stop issuing security patches for Windows Server 2003 when Extended Support ends. This will mean that applications and services built on Windows Server 2003 will be out of support and also out of compliance unless they are migrated to a newer operating system platform.

The first step is to get an overview of all the applications that are running on Windows Server 2003. Once the assessment is underway, the applications need to be prioritized, and a plan devised for migration. This might take quite some time, especially in the development and testing phases. The critical issues are time, skills and budget, as developing and testing a new system architecture and application design is not a trivial task.

The biggest risk from staying on Windows Server 2003 is that Microsoft will no longer provide any security patches and updates to address vulnerabilities that are detected for operational systems. This is not a trivial fact, as Microsoft still issues double digit numbers of critical patches every year under the standard support model. Consequently, Windows Server 2003 installations will increasingly become a target for hackers as unpatched vulnerabilities pile up. Running on unsupported software will also mean that European organizations will be out of compliance with standard industry regulations around data protection or standards such as the PCI DSS. This in turn will restrict their ability to do business effectively.

Next, evaluate the technology options for a new IT architecture. Points to consider include new server hardware platforms, current server operating systems, a potential move from physical to virtualized environments such as Hyper-V, and the data protection and recovery products to ensure resilience and recoverability of the infrastructure.

Once you have made your technology choices, you need to design your new IT infrastructure and plan the system migration, including migrating from physical to virtualized environments. Prioritize those services that have to be moved, and develop a plan to mitigate risk for workloads that do not need to be migrated.

Plan the migration process and elaborate fall-back plans. Some data protection and recovery products can actually help with the migration from physical to virtual infrastructure and take risk out of the migration process by ensuring that you can fail back to an older version of the infrastructure, application and data if something goes wrong.

Do not forget to test your applications in the new environment to verify that everything works as it should. This step is tricky and might take longer than you expected.
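The assessment and prioritization steps above are easy to turn into a repeatable script. The following is an added example, not from this post or from Microsoft: a Python script that reads a constructed server inventory (the CSV, host names and applications are made up for the example), keeps only the Windows Server 2003 hosts, scores each by business criticality, internet exposure and cardholder data, and assigns migration waves so the most exposed systems leave the unsupported platform first. The scoring weights and wave thresholds are this example's own assumptions, not an industry standard.

```python
# Added example: triage a server inventory into Windows Server 2003 migration waves.
# The inventory below is constructed for the example; weights are assumptions.
import csv
import io
from datetime import date

# Microsoft's published end of Extended Support (the post says only "July 2015").
WS2003_EOL = date(2015, 7, 14)

# Constructed inventory, as it might be exported from a CMDB or AD query.
SAMPLE_INVENTORY = """hostname,os,application,criticality,internet_facing,pci_data
srv-web01,Windows Server 2003,Customer portal,high,yes,yes
srv-db02,Windows Server 2003 R2,Inventory database,high,no,no
srv-file03,Windows Server 2003,Departmental file share,low,no,no
srv-app04,Windows Server 2012 R2,HR application,medium,no,no
srv-ftp05,Windows Server 2003,Partner FTP,medium,yes,no
"""

CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}   # assumed weights
INTERNET_FACING_WEIGHT = 3   # reachable by anyone once patches stop
PCI_DATA_WEIGHT = 2          # unsupported OS breaks PCI DSS patching requirements


def parse_inventory(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def is_eol(host):
    """True for every Windows Server 2003 edition (including R2)."""
    return "windows server 2003" in host["os"].lower()


def risk_score(host):
    """Higher score means the host should be migrated earlier."""
    score = CRITICALITY_WEIGHT.get(host["criticality"].lower(), 1)
    if host["internet_facing"].lower() == "yes":
        score += INTERNET_FACING_WEIGHT
    if host["pci_data"].lower() == "yes":
        score += PCI_DATA_WEIGHT
    return score


def wave_for(score):
    """Wave 1 first; thresholds are this example's assumption."""
    return 1 if score >= 5 else (2 if score >= 3 else 3)


def migration_plan(hosts):
    """Return the EOL hosts ordered by risk, each with its score and wave."""
    eol_hosts = [h for h in hosts if is_eol(h)]
    ranked = sorted(eol_hosts, key=lambda h: (-risk_score(h), h["hostname"]))
    return [
        {
            "hostname": h["hostname"],
            "application": h["application"],
            "score": risk_score(h),
            "wave": wave_for(risk_score(h)),
        }
        for h in ranked
    ]


def days_unsupported(today):
    """How long a still-running WS2003 host has been without security patches."""
    return max(0, (today - WS2003_EOL).days)


if __name__ == "__main__":
    for entry in migration_plan(parse_inventory(SAMPLE_INVENTORY)):
        print(f"wave {entry['wave']}  score {entry['score']}  "
              f"{entry['hostname']:<12} {entry['application']}")
```

The customer portal (internet-facing, high criticality, cardholder data) lands in wave 1 together with the partner FTP server, the internal database follows in wave 2, and the low-value file share can wait for wave 3 or be retired; the 2012 R2 host is not listed at all. Replace `SAMPLE_INVENTORY` with a real CMDB export and adjust the weights to your own risk appetite.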

Leaving migrations too late can leave you exposed to substantial business risks, whereas acting now enables you to move through the migration process in due time. This is your opportunity to move to a modern, efficient, and high performance infrastructure that will position your organization well for the next decade.

Saturday 21 February 2015

Desert Falcons


Desert Falcons, a digital espionage network that targeted many organizations and high-profile individuals in the Middle East, was revealed at the Kaspersky Lab Security Analyst Summit in Mexico. Analysts consider this unit to be the first known Arab group of "digital mercenaries" that has developed and executed full-scale digital espionage operations against companies.

The list of victims includes military and governmental organizations, in particular officers responsible for tackling money laundering, as well as executives from the health and economy sectors, leading media, research and educational institutions, energy providers and utilities, activists and political leaders, private security companies and other individuals who hold considerable geopolitical information.

The group has been active for at least two years. Desert Falcons began to develop and consolidate the operation in 2011; however, the group’s key activity and its malware infections began in earnest in 2013. The peak of activity was recorded in early 2015.

The vast majority of targets are located in Egypt, Palestine, Israel and Jordan.

Although the Middle East was its original target area, Desert Falcons also operates beyond it. Overall, its members have been able to attack more than 3000 victims in more than 50 countries worldwide, stealing more than one million records.

The attackers use malicious tools they have developed themselves to launch attacks on Windows computers and Android devices. Kaspersky Lab specialists have many reasons to believe that the mother tongue of the Desert Falcons is Arabic.

While the attacks appear concentrated in countries such as Egypt, Palestine, Israel and Jordan, many victims were also found in Qatar, Saudi Arabia, the United Arab Emirates, Algeria, Lebanon, Norway, Turkey, Sweden, France, the United States, Russia and other countries.

The main method used by Desert Falcons to deliver the malicious payload was spear-phishing via e-mail, instant messaging and social-media chat messages. The phishing messages contained malicious files (or links leading to malware) which imitated legitimate documents or applications.

The Desert Falcons team uses various techniques to lure victims and trick them into running malicious files. One of the most typical techniques used by the group is the so-called «Right-to-Left Override». This technique takes advantage of a special Unicode character that reverses the display order of the characters that follow it in a file name, hiding the dangerous extension in the middle of the name and placing a false, harmless-looking extension near the end. Using this technique, malicious files (.exe, .scr) look like an innocuous document or PDF file, and even careful users with good technical knowledge can be tricked into "running" these files. For example, a file whose name ends in ".fdp.scr" will be displayed as ".rcs.pdf".
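The trick relies on the stored file name and the displayed file name being different, which is also what makes it detectable: the override character itself (U+202E) has no business in a legitimate file name, and the extension the OS acts on is always the text after the last dot of the stored name. The following is an added example for mail-gateway or endpoint triage, not code from this post or from Kaspersky Lab; the sample file names are constructed. The rendering function is a deliberate simplification of the Unicode bidirectional algorithm (it simply reverses the characters after the override), which is exact for the plain ASCII suffixes these lures use.

```python
# Added example: detect Right-to-Left Override (RLO) file-name spoofing and show
# the displayed name next to the extension the OS will really use.

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character the post describes

# Unicode bidi control characters; none belongs in a legitimate file name.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
)

EXECUTABLE_EXTS = frozenset(
    {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}
)

# Constructed sample names: two benign, two spoofed (RLO inserted before the
# reversed fake extension, exactly the pattern in the post's ".fdp.scr" example).
SAMPLE_NAMES = [
    "report.pdf",
    "invoice" + RLO + "fdp.scr",   # displays as invoicercs.pdf
    "setup.exe",
    "photo" + RLO + "gnp.exe",     # displays as photoexe.png
]


def displayed_name(name):
    """Approximate what a GUI shows: everything after the RLO appears reversed.
    Simplified bidi rendering, exact for ASCII suffixes."""
    if RLO not in name:
        return name
    prefix, _, suffix = name.partition(RLO)
    return prefix + suffix[::-1]


def true_extension(name):
    """Extension the OS uses: after the last dot of the stored name, controls stripped."""
    stored = "".join(c for c in name if c not in BIDI_CONTROLS)
    dot = stored.rfind(".")
    return stored[dot:].lower() if dot != -1 else ""


def analyse(name):
    """Return a triage record; 'suspicious' is the decision a gateway would act on."""
    controls = [f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS]
    shown = displayed_name(name)
    ext = true_extension(name)
    # Flag any bidi control, and any executable whose displayed name hides the extension.
    spoofed_ext = ext in EXECUTABLE_EXTS and not shown.lower().endswith(ext)
    return {
        "stored": name,
        "displayed": shown,
        "true_extension": ext,
        "bidi_controls": controls,
        "suspicious": bool(controls) or spoofed_ext,
    }


def scan(names):
    """Analyse a batch of attachment names and return only the suspicious records."""
    return [rec for rec in map(analyse, names) if rec["suspicious"]]


if __name__ == "__main__":
    for rec in scan(SAMPLE_NAMES):
        print(f"{rec['displayed']!r} is really {rec['true_extension']} "
              f"(controls: {', '.join(rec['bidi_controls'])})")
```

On the constructed list the script reports the two RLO names, shows that `invoicercs.pdf` is really a `.scr` file and `photoexe.png` really an `.exe`, and leaves `report.pdf` and the plainly named `setup.exe` alone (a visible executable is a policy question, not a spoof). The same check can be applied to names extracted from e-mail attachments, download logs or a file share listing.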

After successfully "infecting" a victim, the Desert Falcons team uses one of two different backdoors, either their main Trojan or the DHS Backdoor, which appears to have been developed from scratch and is under constant development. Kaspersky Lab experts managed to identify more than 100 samples of malware used in the attacks.

The malicious tools used have full backdoor functionality: they can take screenshots, log keystrokes, upload or download files, collect information about all files on the victim’s hard disk or connected USB devices, steal passwords stored in the system registry (Internet Explorer and Live Messenger) and make recordings. Kaspersky Lab experts were also able to detect traces of the activity of a malicious program that appears to be an Android backdoor, with call-interception and SMS-logging capabilities.

Wednesday 28 January 2015

ENISA Threat Landscape 2014


ENISA has published its third annual Threat Landscape report, ETL 2014, which consolidates and analyses the top cyber threats encountered in 2014 and their evolution. ENISA Threat Landscape 2014, an activity contributing towards the objectives formulated in the Cyber Security Strategy for the EU, stresses the importance of threat analysis and the identification of emerging trends in cyber security.

No previous threat landscape document published by ENISA has shown such a wide range of change as the one for 2014. We were able to see impressive changes in the top threats, increased complexity of attacks, successful internationally coordinated operations by law enforcement and security vendors, but also successful attacks on vital security functions of the internet.
Many of the changes in the top threats can be attributed to successful law enforcement operations and the mobilization of the cyber-security community:

  • The takedown of the GameOver Zeus botnet almost immediately stopped infection campaigns and Command and Control communication with infected machines.
  • Last year’s arrest of the developers of Blackhole showed its effect in 2014, when use of the exploit kit was massively reduced.
  • NTP-based reflection within DDoS attacks is declining as a result of a reduction in infected servers, which in turn was due to awareness-raising efforts within the security community.
  • SQL injection, one of the main tools used to compromise web sites, is on the decline due to a broader understanding of the issue in the web development community.
  • Taking Silk Road 2 and another 400 hidden services in the dark net offline created a shock in the TOR community, at both the attacker and TOR-user ends.
But there is also a dark side to the threat landscape of 2014:

  • SSL and TLS, the core security protocols of the internet, have been under massive stress after a number of incidents unveiled significant flaws in their implementations.
  • 2014 can be called the year of the data breach. The massive data breaches that have been identified demonstrate how effectively cyber threat agents abuse the security weaknesses of businesses and governments.
  • A vulnerability found in the BASH shell may have a long-term impact on a large number of components that use older versions, often implemented as embedded software.
  • Privacy violations, revealed through media reports on surveillance practices, have weakened users’ trust in the internet and e-services in general.
  • Increased sophistication and advances in targeted campaigns have demonstrated new qualities of attacks, increasing their efficiency and their evasion of security defences.
In the ETL 2014, details of these developments are consolidated by means of top cyber threats and emerging threat trends in various technological and application areas. References to over 400 relevant sources on threats will help decision makers, security experts and interested individuals navigate the threat landscape.