How a Hacker can Attack a Mobile Application
Cyber Warnings E-Magazine – July 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
CYBER WARNINGS
CONTENTS
Welcome to Blackhat 2014!
How a Hacker can Attack a Mobile Application
The Many Faces of Insider Threats
1 Heartbleed vulnerability, 600 products, 100 vendors
As Cyber Threats Increase, Good Hygiene Can Help
Customer Concerns about Mobile Payment Security
Context-Based Authentication for the Enterprise
Protecting Files, Government Style
Cognitive Biometrics: The Final Frontier of Authentication
Dynamic Cryptography and Why it Matters?
Why is password creation so hard? (Part 3)
Secure your code with analysis and scanning
Email Threats: A thing of the past?
Dodging disaster: Cybersecurity and business continuity
Consumers Need to Know About Corporate Data Breaches in a Timely Fashion
Improve Your Computer’s Security in 5 Simple Steps
Combat Advanced Cyberattacks with Shared Security Intelligence
Phishing Attacks aren’t a Passing Threat
Why Security Incidents are different — and more dangerous — than IT Incidents
The cinch of Hacking: Social Engineering
Enterprise Security and the Machine Data Tsunami
Top 5 breaches in the financial sector
Is It Time to Outsource Your Security Education?

Published monthly by Cyber Defense Magazine and distributed electronically via opt-in Email, HTML, PDF and Online Flipbook formats.

PRESIDENT
Stevin Victor
stevinv@cyberdefensemagazine.com

EDITOR
PierLuigi Paganini, CEH
Pierluigi.paganini@cyberdefensemagazine.com

ADVERTISING
Jessica Quinn
jessicaq@cyberdefensemagazine.com

KEY WRITERS AND CONTRIBUTORS
Pierluigi Paganini
Patrick Kehoe
Tom Cross
Bob Dix
John Dancu
Reed Taussig
Paul Brubaker
Oren Kedem
Milica Djekic
Josephine Rosenburgh
Art Dahnert
Fred Touchette
Stephen Cobb
Tom Feige
Mike James
V Bala
Joe Ferrara
Ivo Wiens
Hitansh Kataria
Joan Pepin
Dan Virgillito
and many more…

Interested in writing for us: writers@cyberdefensemagazine.com

CONTACT US:
Toll Free: +1-800-518-5248
Fax: +1-702-703-5505
SKYPE: cyber.defense
Magazine: http://www.cyberdefensemagazine.com

Cyber Defense Magazine
Copyright (C) 2014, Cyber Defense Magazine, a division of STEVEN G. SAMUELS LLC
848 N. Rainbow Blvd. #4496, Las Vegas, NV 89107. EIN: 454-188465, DUNS# 078358935.
All rights reserved worldwide. sales@cyberdefensemagazine.com

Executive Producer:
Gary S. Miliefsky, CISSP®
Welcome to Blackhat 2014!
As the summer starts to come to a close, Black Hat returns to Las Vegas for its 17th year running to bring together some of the brightest, most innovative minds in the IT Security universe. More than 150 of the industry's top solution providers and start-ups will display their latest technologies, services and tools that help the information technology world we know thrive. The six-day conference will include four days of IT security training followed by two days of IT security briefings. Join Cyber Defense Magazine as we take a trip to Las Vegas to educate ourselves in the essential skills and knowledge to defend ourselves against today's threats.
With over 1 billion smartphones being shipped in 2014, hackers have a playground set for deploying their tools for cybercrime, fraud and spying. The number of automated and free tools for hacking has risen significantly, further increasing the chances of such incidents. Read on in this edition about commonly used exploits and loopholes in the mobile device ecosystem.
Other areas that deserve much focus are enterprise security and insider threats. Disgruntled or negligent employees can cause much harm to an organization's data, including its trade secrets. In this age, where corporate espionage is rampant, security systems should be hardened to shut down all classes of insider threats.
Heartbleed continues to be present in the news because more than 590 different products from 100 different vendors have so far been recorded as vulnerable. Device manufacturers and vendors are sifting through code to identify OpenSSL versions and are also working on patches.
We hope you enjoy this month's edition of Cyber Warnings e-Magazine as we cover these and other exciting topics, as well as a trip report by our Executive Producer from the Black Hat USA conference.
To our faithful readers, Enjoy
Pierluigi Paganini, Editor-in-Chief, Pierluigi.Paganini@cyberdefensemagazine.com
P.S. Congrats Dave Schippers (USA) – this month's contest winner!
How a Hacker can Attack a Mobile Application
by Patrick Kehoe, Chief Marketing Officer, Arxan Technologies
We live in a mobile, personal world: IDC and TechCrunch estimate that roughly 1.9 billion mobile phones will be shipped in 2014, nearly 1 billion of them smartphones. Businesses that adapt most efficiently to today's "App Economy" are the most successful at deepening customer engagement and driving new revenue in this ever-changing world. But where business opportunities abound, opportunities for "blackhats" to conduct illicit and malicious activity abound as well.
Application hacking is becoming easier and faster than ever before. Let's explore why:
• It's Fast: Recent research found that in 84% of cases, the initial compromise took hours or less to complete.
• It's Relatively Easy: There are automated tools readily available in the market to support hacking, and many of them are available for free!
• Mobile Apps are "Low-Hanging Fruit": In contrast to centralized web environments, mobile apps live "in the wild", on a distributed, fragmented and unregulated mobile device ecosystem. Unprotected binary code in mobile applications can be directly accessed, examined, modified and exploited by attackers, especially by specialists from the new "black market economy" who realize greater efficiencies and scale in app hacking.
Hackers are increasingly aiming at binary code targets to launch attacks on high-value mobile applications across all platforms. For those who may not be familiar: binary code is the compiled code the device executes to run an application; it is what you download when you install a mobile application from an app store such as Google Play. Well-equipped hackers seek to exploit two categories of binary-based vulnerabilities to compromise apps:
Exploitable Binary-based Vulnerabilities
Code Modification or Code Injection: This is the first category of binary-based vulnerability exploits, whereby hackers make unauthorized modifications to an application's binaries or insert malicious code into them. Code modification or code injection threat scenarios include:
• A hacker or hostile user modifying the binary to change its behavior (for example, disabling security controls, or bypassing business rules, licensing restrictions, purchasing requirements or ad displays in the app) and potentially distributing it as a patch, crack or even as a new application.
• A hacker injecting malicious code into the binary, then either repackaging the application and publishing it as a new (supposedly legitimate) app distributed under the guise of a patch or a crack, or surreptitiously (re)installing it on an unsuspecting user's device.
• A rogue application performing a drive-by attack at run time (for example, via Objective-C method swizzling or function/API hooking) to compromise the target application in order to lift credentials, expose personal and/or corporate data, redirect traffic, etc.
Reverse Engineering or Code Analysis: This is the second category of exploitable binary vulnerabilities, whereby application binaries are analyzed statically and dynamically. Using intelligence gathered from code analysis tools and activities, the binaries can be reverse-engineered, and valuable code (including source recovered by decompilation), sensitive data or proprietary IP can be lifted out of the application and re-used or re-packaged. Reverse engineering or code analysis threat scenarios include:
• A hacker analyzing or reverse-engineering the binary and identifying or exposing sensitive information (keys, credentials, data) or vulnerabilities/flaws for broader exploitation
• A hacker lifting or exposing proprietary intellectual property out of the application binary to develop counterfeit applications
• A hacker reusing and "copy-catting" an application and submitting it to an app store under his/her own branding, as a nearly identical copy of the legitimate application
A summary of binary exploits is provided in the graphic (Ways That Apps Are Being Hacked Via Binary Exploits).
With so much of your organizational productivity riding on the reliable execution of your apps, and such a small barrier for hackers to overcome superficial protection schemes, Application Hardening and Run-Time Protection are mission-critical security capabilities, required to proactively defend against, detect and react to attempted application compromises.
Hardening and Run-Time Protection can be achieved with no impact to source code, via an
automated insertion of “guards” into the binary code. When implemented properly, layers of
guards are deployed so that both the application and the guards are protected, and there’s
no single point of failure.
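The code-modification scenario above (patching out a licence check) and the layered-guard defence can be shown in miniature. The following is an added Python illustration, not code from the article or from Arxan: each "guard" hashes another function's bytecode and constant pool (the part of a function a binary patch changes), the two guards check each other so that patching one is caught by the other, and a simulated crack replaces the licence check with an always-true stub. The licence key, function names and the choice of what each guard covers are constructed for the example.

```python
import hashlib
import hmac

# Added illustration of integrity "guards" (not Arxan's code). A real deployment hashes
# machine code inside the shipped binary; here a guard hashes a Python function's
# bytecode and constants, which is exactly what a patch to its logic would alter.


def license_valid(key: str) -> bool:
    """Business rule an attacker wants to patch out of a cracked build."""
    return key == "ABCD-1234"  # constructed sample licence key, not a real one


def premium_feature(key: str) -> str:
    """Unprotected call path: trusts license_valid() blindly."""
    if not license_valid(key):
        return "denied"
    return "premium content"


def code_digest(func) -> str:
    """SHA-256 over the function's bytecode and constant pool."""
    code = func.__code__
    h = hashlib.sha256()
    h.update(code.co_code)
    h.update(repr(code.co_consts).encode())
    return h.hexdigest()


# Baseline digests captured once at "build time" (here: module import).
BASELINE = {}


def seal(*funcs) -> None:
    for f in funcs:
        BASELINE[f.__name__] = code_digest(f)


def intact(func) -> bool:
    """Constant-time comparison of the live digest against the sealed baseline."""
    return hmac.compare_digest(code_digest(func), BASELINE[func.__name__])


def guard_a() -> bool:
    """Checks the business logic, the hash routine and guard_b."""
    for f in (license_valid, premium_feature, code_digest, guard_b):
        if not intact(f):
            return False
    return True


def guard_b() -> bool:
    """Checks the business logic, the checker and guard_a, so neither guard stands alone."""
    for f in (license_valid, intact, code_digest, guard_a):
        if not intact(f):
            return False
    return True


seal(license_valid, premium_feature, code_digest, intact, guard_a, guard_b)


def protected_feature(key: str) -> str:
    """Run-time protection: refuse to run if any guard detects tampering."""
    if not (guard_a() and guard_b()):
        return "tamper detected"
    return premium_feature(key)


def simulate_crack():
    """Attacker's edit: swap license_valid for an always-true stub, as a binary patch would.
    Returns the original code object so a caller can restore it."""
    original = license_valid.__code__
    license_valid.__code__ = (lambda key: True).__code__
    return original
```

Run stand-alone, `protected_feature("wrong")` returns "denied" on an intact build and "tamper detected" once `simulate_crack()` has patched `license_valid`, while the unguarded `premium_feature` happily serves the cracked build. The checker is itself a target: both guards hash `intact` and `code_digest`, but an attacker who replaces `intact` with a stub that always returns True defeats every check that routes through it, which is why production guard networks inline and diversify the comparison logic and pair it with the debugger and hook detection listed below rather than relying on one shared routine.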
Arxan enables developers and security engineers to protect applications with such guards.
Arxan's unique patented guarding technology:
• Defends applications against compromise via a range of techniques including Code Obfuscation, Pre-Damage, Encryption, String Encryption, Symbol Stripping and Renaming
• Detects attacks through Jailbreak or Root Detection, Resource Verification, Checksum, Debugger Detection, Swizzling/Hook Detection, and other means
• Reacts to ward off attacks with Self-Repair, Custom Responses, and Alerts
Arxan’s approach is unique and scalable, requiring no changes to source-code and making it
easy to integrate into existing applications. Arxan also works with all major computing
platforms, with the ability to standardize on application security process and tools. This
reduces the need to leverage multiple security providers and integrate application protection
solutions.
Recent history shows that despite our best efforts, the "plumbing" of servers, networks and end-points that run our apps can easily be breached, so it is high time to focus on the application layer!
About the Author
Patrick Kehoe is the Chief Marketing Officer of Arxan Technologies. He
and the team at Arxan are in the business of understanding application
security vulnerabilities and deploying approaches to protect applications - building on over 10 years of research and intellectual capital on this
topic. Patrick brings over twenty years of experience working with
software, hardware, and service providers in the High Tech industry. He
holds a degree in Computer Science from Vanderbilt University and an MBA from the Darden Graduate School of Business at the University of Virginia. In his spare time, he enjoys triathlons and traveling with his family. Patrick can be
reached at (301) 968-4290 and at the Arxan website http://www.arxan.com
The Many Faces of Insider Threats
By Tom Cross, Director of Security Research, Lancope, Inc.
The WikiLeaks disclosures and other news events have caused the insider threat to recently
become a more prominent topic. According to a survey conducted by Lancope, concerns
over the insider threat are rising, with 40 percent of respondents citing it as a top risk to their
organization. It is important to understand that there are several types of insider threat, and
that each type requires a different approach from a cybersecurity standpoint.
Who Is the Insider Threat?
At Lancope, we view the insider threat as three distinct categories of threat actor:
Negligent Insiders - Insiders who accidentally expose data – such as an employee who
forgets their laptop on an airplane
Malicious Insiders - Insiders who intentionally steal data or destroy systems – such as a
disgruntled employee who deletes some records on his last day of work
Compromised Insiders - Insiders whose access credentials or computers have been
compromised by an outside attacker
When people talk about the insider threat, they are often referring to negligent insiders who
accidentally harm systems or leak data due to carelessness. However, the other categories
of insider threat also represent significant challenges for organizations. It is important to
understand what impact each category of insider threat has for your organization so that you
can implement the right responses. A program focused on one of these types of threats
won’t necessarily protect the organization against the others.
What steps can you take to protect your organization against each type of insider threat?
Negligent Insiders
Negligent insiders don’t mean to do anything wrong – they are just employees who have
access to sensitive data and inadvertently lose control of it. A large number of security
incidents and “data breaches” fit this description.
Various measures can be used to deter negligent activity and “keep honest people honest.”
Access controls can prevent people from obtaining sensitive data that they do not need in
order to do their jobs. Encryption of data at rest can also help prevent data loss by negligent
insiders in the event that they lose their laptops or other equipment. User education also
matters here. Anything you can do to get employees to be more conscientious with company
data can have a positive impact, for example providing dummy datasets to developers so that they don't work with real PII on development systems. You want the path of least resistance for people to get their jobs done to also be a path that protects sensitive data.
Malicious Insiders
Malicious insiders are employees who intentionally set out to harm the organization either by
stealing data or damaging systems. In most cases, malicious insiders were once happy
employees – cases of malicious attacks on computer systems by employees often result
from a breakdown in the relationship between the employee and the company, which can
happen for a variety of different reasons.
Research by the CERT Insider Threat Center at Carnegie Mellon University surrounding
hundreds of real-world cases of attack by malicious insiders has shown that most incidents
fit into one of three categories:
IT Sabotage - Someone destroys data or systems on the network
Fraud - Someone is stealing confidential data from the network for financial gain
Theft of Intellectual Property - Someone is stealing intellectual property for competitive
advantage or business gain
The motivations that turn insiders against their organizations are diverse, and can include:
Job/Career Dissatisfaction
When someone is extremely dissatisfied with their current work or career situation, they may
attempt to harm their employer by destroying or stealing data.
Monetary Gain
When exposed to valuable data that could make them money on the black market, some
employees will be unable to resist the temptation to steal and sell it.
Espionage
Both nations and corporations have been known to plant insiders within organizations for the
sole purpose of stealing trade secrets and intellectual property for espionage.
Activism
Activists are associated with a particular ideological movement, and can use the theft and
exposure of confidential data to bring attention to their cause.
Good access controls can help prevent damage done by malicious insiders. Checks and
balances are also extremely important in this arena, especially as it pertains to financial
data. It is critical to have multiple people keeping an eye on sensitive transactions so that no
one person can single-handedly circumvent company policy.
Cases of insider malice are often identified and investigated through the use of logs. It is important to collect logs from endpoint systems and network devices. Different kinds of logs might be relevant to different kinds of incidents. For example, a case of financial fraud might
be detected by examining database logs from a credit card processing system, whereas a
case of data theft might be noticed through monitoring of network traffic. Proactively
monitoring network and system transactions can serve as a deterrent in discouraging
malicious insiders from sabotaging or stealing data, since they know that their activities
might be discovered.
Compromised Insiders
A compromised insider is really an outsider – it is someone who has access to your network
as an authorized user, but they aren’t who they are supposed to be. Compromised insiders
are a much more challenging type of insider threat to combat since the real attacker is on the
outside, with a much lower risk of being identified. Typically, no amount of deterrence will
discourage them from carrying out their attack. Furthermore, traditional security solutions
that focus on catching malware and exploits cannot identify unauthorized use of legitimate
accounts. In this case, closely monitoring network activity is really the only way to uncover
and shut down this type of threat.
Leveraging Network and Security Monitoring
Monitoring activity through various logs is really the key to successfully identifying and
shutting down all of these classes of insider threat. By leveraging network activity logs from various technologies such as firewalls, IPS systems, SIEMs, packet capture and NetFlow, organizations can more easily detect and disrupt insider attack attempts. All of these
technologies have their strengths and weaknesses in terms of expense, level of network
visibility provided, and privacy concerns, but should all be evaluated as part of an effective
insider security strategy.
By collecting and analyzing metadata from throughout the entire network, NetFlow in
particular provides a wide breadth of visibility at a reasonable cost and without the privacy
concerns associated with full packet capture. NetFlow can be leveraged for both real-time
threat detection, as well as to create a network audit trail of previous transactions for use in
forensic investigations. Some NetFlow-based monitoring solutions such as Lancope’s
StealthWatch System also enable the integration of identity data so that organizations can
see exactly who is responsible for causing specific issues.
Being aware of the various insider threat profiles can help organizations use network logs to
zero in on certain behaviors on their network that could be indicative of an attack, such as
unusually large file transfers or attempts to access restricted areas. For example, excessive
amounts of traffic from one user’s computer to the printer could signify an attempted theft of
intellectual property. Or, if a user is frequently communicating with an unfamiliar IP address
in another country, it could indicate that the user’s computer is compromised.
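As an added example (not Lancope's code or StealthWatch logic), the following Python runs the three behaviours named above over a handful of constructed flow records: heavy traffic to a printer port, repeated connections from one host to an external address that is not on a site allowlist (standing in for "an unfamiliar IP address in another country", since the example carries no geolocation data), and activity outside business hours. The networks, thresholds, allowlist and flow lines are all assumptions made for the example; the external addresses come from the RFC 5737 documentation ranges.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample flow records: timestamp,src,dst,dst_port,bytes (not real traffic).
# 203.0.113.7 and 198.51.100.10 are documentation addresses standing in for external hosts.
SAMPLE_FLOWS = """\
2014-07-08T09:15:00,10.1.1.20,10.1.1.50,445,1200000
2014-07-08T09:20:00,10.1.1.21,10.1.2.9,9100,2500000
2014-07-08T09:25:00,10.1.1.22,10.1.2.9,9100,300000000
2014-07-08T10:00:00,10.1.1.23,203.0.113.7,443,4000
2014-07-08T10:05:00,10.1.1.23,203.0.113.7,443,4100
2014-07-08T10:10:00,10.1.1.23,203.0.113.7,443,3900
2014-07-08T10:15:00,10.1.1.23,203.0.113.7,443,4200
2014-07-08T10:20:00,10.1.1.23,203.0.113.7,443,4000
2014-07-08T11:00:00,10.1.1.24,198.51.100.10,443,200000
2014-07-08T02:30:00,10.1.1.25,10.1.1.50,445,500000
"""

# Assumed site-specific policy for the example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
KNOWN_EXTERNAL = {ipaddress.ip_address("198.51.100.10")}  # e.g. a sanctioned SaaS endpoint
PRINTER_PORT = 9100                # raw (JetDirect) printing
PRINT_BYTES_LIMIT = 100_000_000    # 100 MB to printers per host in the window
BEACON_MIN_FLOWS = 5               # repeated contact with one unlisted external peer
BUSINESS_HOURS = range(7, 20)      # 07:00 to 19:59 local time


def parse_flows(text: str) -> list:
    """Parse the CSV-style records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def detect(flows: list) -> list:
    """Return (rule, source host, detail) alerts for the three insider patterns."""
    print_bytes = Counter()     # src -> bytes sent to printer port
    external_peers = Counter()  # (src, dst) -> flows to an unlisted external host
    off_hours = set()           # hosts active outside business hours
    for f in flows:
        if f["dport"] == PRINTER_PORT:
            print_bytes[f["src"]] += f["bytes"]
        if not is_internal(f["dst"]) and f["dst"] not in KNOWN_EXTERNAL:
            external_peers[(f["src"], f["dst"])] += 1
        if f["ts"].hour not in BUSINESS_HOURS:
            off_hours.add(f["src"])

    alerts = []
    for src, total in sorted(print_bytes.items()):
        if total > PRINT_BYTES_LIMIT:
            alerts.append(("excessive-printing", str(src), total))
    for (src, dst), n in sorted(external_peers.items()):
        if n >= BEACON_MIN_FLOWS:
            alerts.append(("unfamiliar-external-peer", str(src), str(dst)))
    for src in sorted(off_hours):
        alerts.append(("off-hours-activity", str(src), None))
    return alerts
```

On the sample, `detect(parse_flows(SAMPLE_FLOWS))` raises one alert per rule: the 300 MB print job from 10.1.1.22, five contacts from 10.1.1.23 to the unlisted 203.0.113.7, and the 02:30 activity from 10.1.1.25; the allowlisted 198.51.100.10 and the small print job from 10.1.1.21 are left alone. Each alert names a source host, which is where the identity integration the article mentions plugs in: the host-to-user mapping turns "10.1.1.22 printed 300 MB" into a name HR and Legal can act on.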
It Takes More Than Technology
It is also important to recognize that technology alone cannot prevent insider threats. It has
to be a cross-organizational effort that also involves HR, Management and Legal. For
example, if HR alerts IT about a disgruntled employee, their network activity can be
monitored so that anomalous behaviors such as logging on at unusual hours of the day can
be swiftly investigated. And without the involvement of other groups within the company,
malicious behaviors discovered by IT cannot be properly addressed.
In a recent survey conducted by The Ponemon Institute, 54 percent of respondents said that
they did not have a multi-disciplinary insider threat program in their organization. An
additional 17 percent of respondents said that they did have a defined insider threat
program, but that the participants were limited to just the IT department. While it has begun
to garner some attention recently, the insider threat definitely requires more of a focus
moving forward.
In order to be truly effective, insider threat management programs need to involve a broad
understanding of the various types of attackers and motivations attached to insider threats,
as well as include the right mix of tools and individuals necessary to effectively detect and
thwart attack attempts.
About the author
Tom Cross is Director of Security Research at Lancope. He has over a
decade of experience as a security researcher and thought leader. He is
credited with discovering a number of critical security vulnerabilities in
enterprise-class software, and frequently speaks on security issues at
conferences around the world.
1 Heartbleed vulnerability, 600 products, 100 vendors
2 months later, and they are still patching!
by Kasper Lindgaard, Director of Research and Security, Secunia
590 different products from 100 different vendors have so far been recorded as having been made vulnerable by the Heartbleed vulnerability, which was publicly disclosed on April 7th after an untidy disclosure process, a process which sent the IT community reeling and triggered much more commotion than the vulnerability's actual criticality warranted.
When the news about Heartbleed broke, software vendors around the world scrambled to
identify which of their products and services were affected by the vulnerability.
The sense of urgency stemmed from two facts: 1) Heartbleed was exploited immediately after disclosure (and may have been exploited before), and 2) the disclosure process had caused rumors and information about Heartbleed to swirl around various online forums for a week prior to the public disclosure. Additionally, some of the big providers had a head start and were able to patch their servers prior to disclosure: confirmed are Facebook, Akamai, CloudFlare and of course Google, whose researcher Neel Mehta originally discovered Heartbleed.
This semi-publicity effectively meant that all hackers great and small would have had ample
opportunity to develop and use exploits, targeting any product relying on a vulnerable
version of OpenSSL – and thereby any organization using one of those products within their
IT infrastructure, as well as private users using one of these products.
The underlying drama was that, because of the nature of Heartbleed, you couldn't actually tell if you had been hacked. You were essentially fighting flimsy ghosts that could quickly turn into corporeal monsters.
The vendors: Identification and fixing
For the software vendors, time was of the essence – development teams, product teams and
internal IT teams everywhere went through code to identify which products had which
versions of OpenSSL installed.
Once identified, the vulnerable programs needed to be patched, the impact applicable to
their set-up analyzed and then customers had to be informed of the issue(s) and of the fix,
which could include a reset of passwords.
In the ensuing weeks, the internet abounded with stories about servers and routers being
vulnerable and how the risk of erroneous updates was making matters worse. Experts were
advising businesses and end-users on what actions to take to protect themselves, and
everybody’s pulse was kept up, which from a security awareness perspective is a positive
effect that hopefully has some residual effect.
Their customers: Assessing and protecting
Once the vendors had mapped the consequences and developed patches for those of their
products that were affected by Heartbleed, their customers were able to act: IT security and
operations teams in organizations everywhere were hard at work assessing risk and putting
together a prioritized patch strategy for dealing with all eventualities, while of course focusing
on protecting the most business critical data first.
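The identification step the vendors went through, and the prioritised patch list their customers then had to build, can be partly automated from product version banners. The following is an added Python helper, not Secunia's tooling or advisory data: it classifies an OpenSSL version string against the affected range (1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g and 1.0.2-beta2; the 0.9.8 and 1.0.0 branches never contained the TLS heartbeat code) and orders an inventory for patching. The product names and banners are constructed samples.

```python
import re
import ssl

# Added triage helper (not Secunia's). Facts encoded: Heartbleed (CVE-2014-0160) affects
# OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g (7 Apr 2014) and 1.0.2-beta2 fixed
# it; the 0.9.8 and 1.0.0 branches never had the heartbeat extension.
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|pre\d+))?", re.IGNORECASE
)


def parse_openssl_version(banner: str):
    """Return (major, minor, fix, letter, prerelease) or None when no OpenSSL version is present."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, pre = m.groups()
    return int(major), int(minor), int(fix), (letter or "").lower(), (pre or "").lower()


def heartbleed_status(banner: str) -> str:
    """Classify a version banner as vulnerable, patched, not-affected or unknown.

    Banner-only triage: a distribution that backports the fix keeps the upstream
    version string, so 'vulnerable' means 'verify against the vendor advisory'.
    """
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"
    major, minor, fix, letter, pre = v
    if (major, minor, fix) == (1, 0, 1):
        return "vulnerable" if letter <= "f" else "patched"   # 1.0.1 .. 1.0.1f
    if (major, minor, fix) == (1, 0, 2):
        return "vulnerable" if pre == "beta1" else "patched"  # only 1.0.2-beta1
    return "not-affected"


def triage_inventory(inventory: list) -> list:
    """Order (product, banner) pairs for patching: vulnerable first, then unknown, then the rest."""
    priority = {"vulnerable": 0, "unknown": 1, "patched": 2, "not-affected": 3}
    rows = [(product, banner, heartbleed_status(banner)) for product, banner in inventory]
    return sorted(rows, key=lambda r: (priority[r[2]], r[0]))


def local_python_status() -> str:
    """Apply the same check to the OpenSSL this interpreter links against."""
    return heartbleed_status(ssl.OPENSSL_VERSION)
```

The caveat a practitioner needs is in the docstring: the banner alone overstates exposure. Red Hat and Debian shipped fixed packages that still report 1.0.1e, so a "vulnerable" row means "confirm against the vendor advisory or package changelog", and an "unknown" row (an appliance that exposes no version string) has to be inventoried by hand. That verification, product by product, is exactly the mapping work the article describes the large vendors still doing months later.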
For many organizations - vendors and customers alike – dealing with Heartbleed was a test
of their policy for handling security incidents. For some, it was a grim lesson in why such a
policy is a basic necessity of modern day business life. It would also be reasonable to
assume that the vast majority of organizations have revisited their security policies in the
aftermath of Heartbleed and given some additional thought to how they protect their data.
What is an acceptable time to patch?
Many vendors, especially the smaller ones with only a few affected products and services in
their portfolio, reacted quickly to Heartbleed. But for the big vendors like Cisco, IBM and HP,
with huge portfolios, mapping and fixing was – and still is – a huge task. Some are still, two
and a half months later, issuing patches for vulnerable products.
Two and a half months is a long time for a vendor to take to fix a vulnerability that was being exploited just after disclosure. It also raises the question: if a vendor has, say, 50 products, what is an acceptable time to take to issue patches?
On June 5th, the question of time-to-patch became even more pertinent: OpenSSL released
a new set of patches, which fixed 5 vulnerabilities, including one within the handling of DTLS
fragments, which can be exploited (but has not been, at this stage) to cause a buffer
overflow and potentially execute arbitrary code on servers running a vulnerable version of
OpenSSL.
While the original vulnerability, disclosed on April 7th, was only rated "Moderately Critical" by Secunia Research, because it only enables information retrieval and not code execution, with this new series of vulnerabilities the stakes were raised for everyone to get their house in order.
In Secunia’s annual Vulnerability Review we see how patches are released within the first 24
hours of disclosure for 79% of all publically known vulnerabilities.
All in all, that answers the question about patch time: two and a half months is too long!
Coordination!
So what lessons does Heartbleed teach us? First and foremost that communication,
coordination and patience are key ingredients to successful disclosure:
There is a reason why we in the security industry must insist on a proper process for
vulnerability coordination and disclosure. We know that premature disclosure increases the
risk of exploits being made, because a patch will not be available, and this puts users at risk.
Successful disclosure involves a lot of people – security researchers, coordinators,
developers and vendors. Their efforts need to be timed and aligned, and that requires a lot
of communication - and patience!
And it is not just the researchers that need a disclosure policy: Companies must also have a
policy for handling security incidents and how to fix and coordinate them.
More information about Heartbleed: secunia.com/heartbleed
Secunia Advisories on Heartbleed
About The Author
Kasper Lindgaard is the Director of Research and Security
of Secunia.
He originally joined Secunia as Security Specialist in
February 2011, and became Head of Research in September
2012.
Kasper Lindgaard is in charge of developing and managing
Secunia’s Research Team, and is responsible for the quality and reliability of Secunia
Research, including the Secunia Advisories. Secunia’s Research Team is respected
throughout the security industry as provider of verified vulnerability intelligence of the highest
caliber.
Kasper Lindgaard works closely with software vendors and the security community to ensure
that Secunia Research is able to deliver the timely and accurate vulnerability intelligence that
is the core of Secunia’s business.
As a Secunia spokesperson, Kasper Lindgaard offers insights into vulnerability intelligence
and trends in the security community.
Prior to joining Secunia, Kasper Lindgaard worked with development and code auditing.
Kasper Lindgaard can be reached online via email and at our company website
http://www.secunia.com/
As Cyber Threats Increase, Good Hygiene Can Help
By Bob Dix
With data breach stories constantly showing up in the news and on the television, it’s a great
time to think long and hard about what each of us can do to improve cybersecurity.
None of us can do everything, but ALL OF US can do something. In fact, Juniper Networks has released an infographic that highlights the threats facing critical infrastructure and how individuals can use the NIST Cybersecurity Framework as a toolbox to identify proven best practices to better protect themselves.
An often-overlooked area of cybersecurity is hygiene. Cybersecurity has had top-billing with
media and policy makers for so long now that many people have begun blindly nodding their
heads in agreement without fully understanding the topic. When attacks do occur, or vulnerabilities are exposed, they express outrage and alarm, but cannot wrap their heads
around what really occurred or why, and—perhaps most importantly—how to respond, or
better, what might have prevented the event in the first place.
This should not be the case. A cohesive, comprehensive and sustained national awareness
campaign will help the public understand how to more effectively protect themselves,
thereby alleviating many immediate threats. The United States has had success creating a
number of national education and awareness campaigns that have provoked change in
people’s behaviors. Forest fire prevention and H1N1 protection awareness succeeded
because the public was briefed on the topics, including the threat, and a widespread
campaign was organized. A comprehensive campaign to improve the cyber health of
American citizens and businesses should be a top priority. Areas of public awareness must
include:
• Never opening email links or attachments unless the sender is known and trusted
• Periodically changing passwords
• Installing and regularly updating proper anti-virus and anti-spyware software
• Regularly installing operating system software updates
• Enabling firewall security
As the U.S. GAO[1] has noted, threats from external sources are up 782 percent from 2006
to 2012. Declines in threats are not on the horizon. Therefore, the imperative lies on each
of us to help inform and protect the information systems critical to our everyday lives.
Basic issues, such as those noted above and more, produce roughly 80 percent of
exploitable vulnerabilities that contribute to cyber-events. More than ever, now is the time for
government and its industry partners to help the public better understand the nature of
cybersecurity and what steps they can take to improve and ensure their safety.
• Start by raising more awareness in K-12 school communities
• Provide tips and expertise to small businesses (through social media, pamphlets?)
• Use traditional and non-traditional communications channels to drive local decision
makers to update cybersecurity information and make resources available
Operationalizing the effort
These actions and activities have been discussed at length and may seem simple enough;
many people may even consider them common sense. Yet threats, vulnerabilities and their
fallout remain a serious challenge. How can we activate this type of campaign?
• Engage a consortium of leaders from government, industry, academia and nonprofits, as
well as the wide array of associations such as the National Governor’s Association,
National Association of State CIO’s, National League of Cities, National Association of
Counties, U. S. Chamber of Commerce, National Retail Federation and others, building on
current efforts such as the National Cyber Security Alliance and the DHS Stop, Think, &
Connect campaign.
• Leverage the government agencies with regular contact with citizens, like the Small
Business Administration, Internal Revenue Service, U.S. Postal Service, Federal Trade
Commission and others, to distribute materials offering insights or pointing to a website
where citizens can get information about how to protect themselves.
• Make similar efforts with state, local, tribal and territorial constituents.
Our elected officials can and should lead by example. Each of them should include links and
information on their constituent home pages pointing to information about basic cyber
security hygiene and how to better protect themselves from an infection in cyberspace.
Better conveying cybersecurity’s impact on the daily lives of Americans and making it
relatable is crucial to broadening awareness. Building a common sense approach to
cybersecurity will help empower individuals and demonstrate how to positively contribute to
the health of our cyber-ecosystem.
This approach will not solve all of the cybersecurity risk management challenge. However,
addressing the 80 percent hygiene challenge will make a significant positive impact on
raising our overall security profile and disrupting the efforts of the bad guys. None of us can
do everything, but all of us can do something.
Let’s get going.
[1] http://www.gao.gov/highrisk/protecting_the_federal_government_information_systems/why_did_study#t=1
About the author
Bob Dix is the Vice President of Government Affairs and Critical
Infrastructure Protection for Juniper Networks. Dix has enjoyed a
distinguished career in both the public and private sector, and is widely
recognized across industry and government as a subject matter expert and
a leading policy expert in furthering government/industry partnerships to
protect U.S. critical infrastructure.
Customer Concerns about Mobile Payment Security
As we continue to delve deeper into the Digital Age, new products and services are
introduced that strive to push the envelope further. Social media, online banking and
electronic health profiles are just a few of the advancements that have had an impact on the
way people are managing their lifestyles online.
While more and more consumers maneuver their lives in this customer-not-present
environment, ensuring information privacy and shielding customers’ identities from misuse
becomes a defining factor in what makes a business successful. According to IDology’s
2013 Fraud Report, 66% of surveyed organizations experienced suspected fraud attempts in
the last 12 months. 36% of respondents noted that these fraud attempts had increased.
Because of this, protecting customers’ identities has become a #1 priority for organizations
as identity theft and fraud continue to rise.
Fairly recently, organizations have begun offering their product and/or service on mobile
devices – for example, there has been a more widespread implementation of mobile
payment services. However, the mobile environment brings a whole new set of challenges in
relation to security. On the one hand, mobile payments users spend nearly twice as much
through digital channels overall than people not buying on mobile devices. However,
concerns over security, privacy and convenience keep 80% of consumers from changing
their payment behavior and using mobile payments.
With people becoming more comfortable sharing personal and financial information online
and on their mobile device, it is more important than ever for both consumers and
businesses to work together on security and the protection of consumers’ identities through
innovative technology solutions that enable robust identity verification and fraud prevention.
Vulnerability of Information
Fraudsters continue to search for and find new ways to gain access to personal data.
Emails, social media profiles and banking sites are vulnerable to a cyber attack and raise
concerns among consumers. Fraudsters can also simply purchase a legitimate identity from
the black market.
If a financial account is accessed by a criminal it can lead to negative effects that extend far
beyond one website. Users may recycle passwords for multiple accounts online and one
security breach can result in a domino effect that leaves a trail of headaches in its wake.
When it comes to mobile phones, the risk seems to amplify. NQ Mobile, smartphone security
software provider, reported 65,000 new malware threats released worldwide in 2012 – up
from 24,000 in 2011 – and that number is only rising. Fraudsters have been able to take
advantage of security holes within mobile apps as well as the lack of technology
standardization to steal legitimate customer information from mobile devices and use it to
defraud businesses of all shapes and sizes.
Mobile Payments and Restricted Access
One of the major security concerns related to mobile payments is that apps are often left in
the “on” position by consumers. This means that even when an app is not open and active,
consumers choose to automatically log in with usernames and passwords to be able to
quickly access information and make payments.
Problems instantly arise when a phone is lost, stolen or misplaced because the finder has
the ability to begin purchasing items without restriction.
Also, fraudsters have been able to exploit phony Wi-Fi networks and other methods that
monitor consumers’ online activity in order to steal valuable personal information. However,
with the proper security checks in place, businesses that accept mobile payments from
customers can ensure that the customer is who they say they are and that their identity is
protected from misuse.
Methods to Eliminate Concerns
While companies may focus on fraud prevention for customer-not-present transactions over
the Internet, it is also necessary to have a system in place to stop fraudulent activity when it
comes to mobile payments.
End-to-end identity verification platforms that go a step further and incorporate a robust fraud
prevention solution give companies the tools they need to ensure the customer is legitimate
while securely processing more customer transactions without unnecessary friction no
matter how they pay for their goods/services.
As identity theft becomes more and more pervasive, pure identity verification is no longer
enough. It becomes crucial for businesses to gain more insight into what attributes make up
a customer identity – so they can quickly pinpoint suspicious behavior and manage risk in
real time. In particular, it is very important to be able to dynamically flag various indicators of
fraud, such as identity-, activity-, location- and device-based fraud, and then quickly and
easily make decisions on how transactions will proceed.
Whether someone is ordering from his or her phone, online or through a call center, security
measures can be put in place to authenticate customers before a purchase is made.
Educating customers about the security features of phones, such as passcodes, and
requiring proof of identity adds protection to the process in a day and age where consumers
are concerned about the safety of private information.
About IDology, Inc.
IDology, Inc. provides real-time technology solutions that verify an individual’s identity and
age for anyone conducting business in a consumer-not-present environment to help drive
revenue, decrease costs, prevent fraud and meet compliance regulations. Founded in 2003,
IDology offers a solution-driven approach to identity verification and fraud prevention that
ultimately helps increase customer acquisition and improve customer experience. IDology
has developed an innovative and on-demand technology platform that allows customers to
control the entire proofing process and provides the flexibility to make configuration changes
that are deployed automatically – without having to rely on internal IT resources or IDology’s
customer service – so customers can stay ahead of the fraud landscape while maintaining
compliance. For more information, visit http://www.IDology.com or call 866-520-1234.
About the author
John Dancu has served as President and CEO of IDology since 2005
and is recognized for his leading edge innovations in both the identity
and fraud spaces. John has a widespread track record in advising
customers, including many Fortune 500 companies, and pioneering
industry collaboration initiatives. With John’s leadership, IDology has
evolved into a recognized leader across multiple industries including
mobile payments, financial services, government and e-commerce for
innovation and has become a leading voice coordinating the fight
against fraud.
John’s reputation as an innovator has been driven by continual advancements to identity
verification and fraud detection methodologies, so much so that corporations and government
agencies seek out his advice on current trends. The fraud landscape is continually evolving
and through IDology solutions, John has helped businesses reduce losses, improve
processes and collaborate across industries with solutions that attack identity, location and
activity-based fraud.
Context-Based Authentication for the Enterprise
By Reed Taussig, CEO, ThreatMetrix
Today’s enterprise employees use their own devices on the job more than ever before,
leading to a consumerization of enterprise IT. As the workforce connects onsite and remotely
to critical enterprise applications using personal devices, sophisticated security measures
are needed now more than ever before. Bring-your-own-device (BYOD) is now a business
reality, leaving corporate IT with little visibility or control over the devices that employees and
contractors use to access both critical and non-critical applications.
In this fast-changing IT environment, traditional access security controls – such as password
verification and cumbersome two-factor authentication – are becoming increasingly obsolete.
Today’s employees accessing mission-critical applications look like consumers on business
websites and must be treated as such. Enterprise security practitioners must find new
approaches for securing access to corporate data to address this major source of risk
exposure.
To overcome archaic security measures and efficiently secure today’s workforce, enterprises
must implement a comprehensive security solution that includes context-based
authentication, which establishes trust for each account login based on fully anonymous user
identity, device usage, geo-location, behavior and other factors without compromising
consumer identity or workforce efficiency.
In fact, Gartner estimates that by the end of 2016, more than 30 percent of enterprises will
rely on contextual authentication for remote workforce access. [Source: Gartner Magic
Quadrant for User Authentication, 2013]
Enterprise Challenges with BYOD
Remote workforce logins are open to the same types of misuse and abuse as consumer-based
applications, with potentially far greater business risk. A cybercriminal or internal threat
logging into an employee’s account using stolen credentials can do far greater damage to a
company than a customer using a stolen credit card.
Enterprise security professionals must walk a fine line when it comes to securing workforce
access to applications. Cost-effectively mitigating the risks of data breaches must be a top
priority – no company wants to end up in the news headlines because of a data breach.
Conversely, security must be balanced with the user experience so as not to create friction
or negatively impact workforce efficiency.
Time-consuming authentication techniques will erode overall productivity. Worse, the more
inconvenient the security system, the more motivated the workforce will be to find ways
around it.
Key Components of Context-Based Authentication
As an alternative to traditional workforce authentication models, context-based authentication
offers a comprehensive solution that includes the following:
Remote workforce access protects sensitive data from illegitimate access by ensuring that
it is legitimately remote employees, contractors and partners who are accessing your internal
applications rather than potential cybercriminals.
Frictionless two-factor authentication offers real-time, passive assessment of user logins
and enables businesses to streamline access for known and trusted combinations of
accounts and devices – reducing effort and inconvenience for the workforce by not requiring
additional one-time passwords for each login.
Single sign-on systems enable enterprises to deliver secure, frictionless access to their
business applications for all authentic users. Context-based authentication secures single
sign-on systems through a combination of device analytics, identity analytics and behavioral
analytics to evaluate the entire login’s context and determine whether or not to establish trust
for the login.
Using this process, businesses can detect anomalies and keep cybercriminals out while
streamlining legitimate workforce connections. It can also detect anomalous behavior that
might indicate an insider threat, such as unauthorized password sharing.
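The decision the paragraphs above describe can be sketched as a small risk engine that combines device, location and behavioural signals and only demands a one-time password when the login context is unusual. The Python below is an added example written for this page; it is not ThreatMetrix code. The device fingerprints, coordinates, the 900 km/h travel limit, the one-hour concurrency window and the score thresholds are all constructed assumptions.

```python
"""Context-based login trust scoring: an added illustration, not ThreatMetrix's
product logic.  Device ids, coordinates and thresholds are constructed."""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Set, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: roughly airliner speed
CONCURRENCY_WINDOW_S = 3600       # assumption: one hour
NEARBY_KM = 50.0                  # assumption: ignore geo-IP jitter below this


@dataclass
class LoginAttempt:
    account: str
    device_id: str   # hypothetical stable device fingerprint
    lat: float
    lon: float
    ts: float        # Unix seconds


@dataclass
class AccountContext:
    """What the enterprise already knows about an account."""
    trusted_devices: Set[str]
    last_login: Optional[LoginAttempt] = None
    # device fingerprint -> time it was last seen active on this account
    recent_devices: Dict[str, float] = field(default_factory=dict)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def score_login(attempt: LoginAttempt, ctx: AccountContext) -> Tuple[int, List[str]]:
    """Combine device, location and behaviour signals into one risk score."""
    score, reasons = 0, []

    # Device analytics: is this account/device pair already trusted?
    if attempt.device_id not in ctx.trusted_devices:
        score += 40
        reasons.append("unknown device")

    # Location analytics: impossible travel since the previous login.
    if ctx.last_login is not None:
        dist = haversine_km(ctx.last_login.lat, ctx.last_login.lon,
                            attempt.lat, attempt.lon)
        hours = (attempt.ts - ctx.last_login.ts) / 3600.0
        if dist > NEARBY_KM and (hours <= 0 or dist / hours > MAX_PLAUSIBLE_SPEED_KMH):
            score += 50
            reasons.append("impossible travel")

    # Behavioural analytics: several other devices active on the same account
    # inside the window is a classic sign of credential sharing.
    others = {d for d, seen in ctx.recent_devices.items()
              if d != attempt.device_id and attempt.ts - seen < CONCURRENCY_WINDOW_S}
    if len(others) >= 2:
        score += 30
        reasons.append("concurrent use from multiple devices")

    return score, reasons


def decide(score: int) -> str:
    """Map the risk score to an access decision."""
    if score >= 70:
        return "deny"
    if score >= 30:
        return "step_up"   # require a one-time password for this login only
    return "allow"


def evaluate(attempt: LoginAttempt, ctx: AccountContext) -> Tuple[str, List[str]]:
    """Convenience wrapper returning the decision and the reasons behind it."""
    score, reasons = score_login(attempt, ctx)
    return decide(score), reasons
```

A trusted device logging in from the usual city passes silently, a new device is sent through a step-up challenge, and a new device appearing on another continent an hour after the last login is refused; two other devices active on the same account within the window raises the password-sharing flag mentioned above. Keeping the reasons alongside the decision is what makes the outcome reviewable by a security analyst later.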
Benefiting from a Shared Global Network
Context-based authentication is most effective when paired with a global trust intelligence
network. For businesses looking to reduce the threat of data breaches and other risks from
unauthorized application access, combining context-based authentication with a global trust
intelligence network is the most flexible and cost-effective way to increase security while
reducing the cost and friction for workforce access.
Cybercriminals targeting enterprises today are rapidly growing in size and sophistication.
Until a few years ago most data breach attempts came from targeted phishing emails and
opportunistic, individual hackers. Today’s online threat environment consists of well-organized and well-financed cyber-terrorist rings and crowd-sourced malware and botnets.
The only viable defense against these global forces is a global network.
By sharing information across business boundaries through context-based authentication
and a global trust intelligence network, enterprises and businesses across industries can
have the most accurate contextual information of users and devices accessing mission-critical applications.
About the author
Reed Taussig has more than 30 years of experience in the computer
hardware and software fields. Prior to ThreatMetrix™, Mr. Taussig was
president and CEO of Vormetric, Inc., a leader in data privacy and
protection. Under his leadership, Vormetric established itself as a leading
provider of encryption solutions for the Payment Card Industry Data
Security Standards industry.
Mr. Taussig also served as president and CEO of Callidus Software (NASDAQ: CALD), the
leading provider of enterprise incentive compensation management application systems. As
founding CEO and the fifth employee, Mr. Taussig led the growth of company to more than
$70 million in revenues and over 350 employees.
Prior to Callidus Mr. Taussig was the president and CEO of inquiry.com, a pioneer in the
B2B Internet space as well as senior vice president of operations for Gupta Technologies,
the leader for PC client server software development tools and databases. Mr. Taussig holds
a bachelor of arts degree in economics from the University of Arizona.
Protecting Files, Government Style
Enable Safe, Secure Content Sharing for Government Agencies
by Paul Brubaker, director of government solutions, AirWatch® by VMware®
Mobility is changing the way we do business around the world. With an increased adoption
of smart devices for personal and work use, almost every industry has been rapidly
embracing the digital frontier. One major shift since the adoption of mobility in the enterprise
is the rapid increase in content sharing. Employees are now creating, editing and sharing
content directly from their devices, enabling productivity and communication on an
unprecedented scale. Documents can be maintained on the fly from a smartphone or tablet
and sent to a recipient with a few taps of the finger.
Government organizations are also exploring new ways to share documents securely.
Mobile devices are enabling government agencies to increase collaboration away from the
office and reduce the need for employees to stay in touch face-to-face to pass along
confidential information.
However, mobility brings new challenges to the security landscape, especially with the
incredibly sensitive data government agencies must share to do their jobs. So how can
governments create, edit and share information confidently without risking exposure to
unauthorized sources?
Simple passcodes and device locks are standard fare for keeping information protected on
mobile devices. But government agencies need even more protection. With national security
at risk, governments can use three effective strategies to ramp up their protection to prevent
sensitive data leakage.
Use encryption for end-to-end containerization of data
Encryption is one of the most important components of government mobility security.
Encryption protects information by encoding it in a way that only authorized persons can see
it. This can be used to protect the contents of documents, email attachments and more.
Devices and applications can be configured to encrypt information automatically until an
authorized user verifies their identity.
With government-level containerization solutions available on the market today, encryption
should be standard fare to store, edit and share content, whether it’s on a device, in-transit
to another device or being edited.
Content containerization also offers the benefit of protecting information automatically.
Information is encrypted and decrypted as it is needed, enabling employees to make
changes to documents and save them without going through an extra step. This ensures
encryption is always functioning, whether employees realize it or not.
Verify employee identity with multi-factor authentication
As with most businesses, the importance of knowing who is trying to access information
cannot be understated. This is why many companies use name badges, unique computer
logins and even license plate number tracking for parking spaces. But most employees say
the same thing about passwords on their mobile devices: it’s just too difficult to remember a
complex password and too cumbersome to input it multiple times a day (imagine having to
enter a 12-digit passcode on an iPhone just to make a phone call).
Instead of relying solely on employee passwords for security, agencies can use multi-factor
authentication to increase protection. In conjunction with passwords, employees can be
verified by directory services, such as AD/LDAP. By integrating security with directory
services, IT ensures that users must know the device passcode in addition to being a
recognized user in the corporate directory. Another form of validation is the use of tokens.
These are one-time-use codes used to verify employee identity for a single active session.
For example, many webmail providers use two-factor authentication where users must enter
their regular password along with a unique code sent to their mobile device. Because tokens
can be used only once, would-be attackers cannot gain access by knowing just the tokens.
The added benefit is that these codes can require the user to have an additional device
independent of their computer, such as their cell phone, on which to receive the token,
adding another element of identity verification.
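The single-use property the paragraph relies on is easy to get wrong in practice (codes that are accepted twice, or that never expire). The Python below is an added example for this page, not AirWatch or VMware code; it shows an issue-and-verify store that keeps only a hash of each code, enforces a time-to-live, consumes the code on first success and limits wrong guesses. The 300-second lifetime, the three-attempt limit and the FakeClock helper are constructed for the illustration, and delivery of the code to the user's second device is outside the snippet.

```python
"""Single-use second-factor codes with expiry: an added illustration of the
one-time token described above, not AirWatch code.  The caller ships the
returned code to the user's other device out of band."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple


class OneTimeTokenStore:
    """Issues numeric one-time codes and accepts each of them at most once.

    Only a SHA-256 digest of the code is kept, so a leaked store does not
    reveal live codes, and comparisons use hmac.compare_digest so that a
    wrong guess takes the same time as a near-miss.
    """

    def __init__(self, ttl_seconds: int = 300, max_attempts: int = 3,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds              # assumption: 5-minute lifetime
        self._max_attempts = max_attempts    # assumption: 3 guesses per code
        self._clock = clock
        # user -> (digest of code, expiry time, attempts left)
        self._pending: Dict[str, Tuple[str, float, int]] = {}

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, user: str) -> str:
        """Create a fresh 6-digit code for user, replacing any unused one."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = (self._digest(code),
                               self._clock() + self._ttl,
                               self._max_attempts)
        return code

    def verify(self, user: str, candidate: str) -> bool:
        """Return True exactly once, for the correct and unexpired code."""
        entry = self._pending.get(user)
        if entry is None:
            return False             # nothing outstanding, or already consumed
        digest, expiry, attempts_left = entry
        if self._clock() > expiry:
            del self._pending[user]  # expired codes are never accepted
            return False
        if hmac.compare_digest(digest, self._digest(candidate)):
            del self._pending[user]  # consumed: replaying the same code fails
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[user]  # guesses exhausted: a new code is required
        else:
            self._pending[user] = (digest, expiry, attempts_left)
        return False


class FakeClock:
    """Controllable clock so expiry can be exercised deterministically."""

    def __init__(self, now: float = 1_700_000_000.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds
```

The verify path deletes the entry on success, on expiry and when the guess budget runs out, so the only way to get a True result is to present the right code within its lifetime, and only once; a code captured after use is worthless, which is the property the paragraph above depends on.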
Set advanced device restrictions to limit functionality
Encryption and multi-factor authentication can keep unauthorized users out of protected
document stores. However, once a user is inside, what is keeping them from forwarding the
information to a personal email account or sending documents to the office printer? Although
employees can be authenticated, this does not prevent them from making mistakes or
jeopardizing security on their own, whether accidentally or intentionally.
A proven way to prevent data leakage of sensitive content is by using device and application
restrictions. Common restrictions include limiting access to the camera, preventing
screenshots within certain applications and stopping connections to unsecure Wi-Fi
networks. With respect to content, government agencies can prevent copying/pasting,
sharing, email forwarding and printing while employees are within the content application.
These features can even be assigned to different users based on their AD/LDAP
permissions, enabling certain users to print or share files while disabling these features for
others. Customizing the experience for different users establishes levels of trust to protect
information from leakage while promoting/encouraging employee productivity throughout the
workday.
Despite these efforts, content can still be leaked if employees aren’t aware of how to
proactively secure information. Establishing safe device usage habits, smart password
policies and most importantly, meaningful reasons to follow the rules ensure that employees
act with care when using sensitive information. Encryption, multi-factor authentication and
device restrictions, in conjunction with conscious security measures, will keep government
documents safe and in the right hands.
About The Author
Paul Brubaker, Director of Federal Government Solutions, AirWatch®
by VMware®
Paul Brubaker is the director of federal government solutions at
AirWatch by VMware, the leading enterprise mobility management
(EMM) provider. In this role, Brubaker oversees all federal government
activities, including sales, marketing, events and strategy.
Brubaker, a two-time presidential appointee, has held a number of leadership positions in
government and the private sector. Most recently, he served as director at the United States
Department of Defense, where he was responsible for planning and performance
management activities for the Office of the Secretary of Defense. A former GAO evaluator,
he served as the Republican staff director of the Senate Subcommittee on Oversight of
Government Management where he led the passage of the Clinger-Cohen Act for then-Sen.
William S. Cohen (R-ME). Brubaker was the deputy CIO of the Defense Department under
President Bill Clinton and in 2007, he was confirmed by the U.S. Senate to become the
research and technology administrator at the Transportation Department under President
Bush.
In the private sector, Brubaker served as CEO, president, CMO and at the executive level of
several successful small and mid-sized technology-focused companies, including Silver
Lining, Synteractive and Procentrix. Additionally, he was the general manager for the North
American Public Sector Internet Business Solutions Group (IBSG) at Cisco Systems,
developing innovative applications and creating market expansion opportunities across the
enterprise.
He received the Department of Transportation Secretary’s Gold Medal in 2009 and the
Department of Defense Medal for Distinguished Public Service in 2001. He was also
recognized with numerous awards for his contributions to public service and his collaborative
work with the public sector and private industry.
Brubaker earned a bachelor’s degree in political science from Youngstown State University
and a master’s degree in public administration from Kent State University.
Paul Brubaker can be reached at PaulBrubaker@air-watch.com and at our company website
http://www.air-watch.com
Cognitive Biometrics: The Final Frontier of Authentication
Reducing fraud, eliminating friction and enabling more functionality are just a few of the
benefits awaiting companies that make the switch
By Oren Kedem, VP Product Management, BioCatch
Most companies that enable users to perform Web transactions (e.g. banks and eCommerce
sites) have implemented security controls to address online and mobile fraud. These
controls fall into two main categories: transaction-focused intelligence, which looks for
anomalous actions, and device-focused intelligence, which looks for a new device, unusual IP
geo-location, or signs that the device is infected with financial malware.
With a growing number of reports of major hacks into companies like Bank of America,
LinkedIn, Groupon, and Target, these authentication methods continue to be thrust into the
spotlight as unreliable for catching all fraud.
Passwords, the most popular form of authentication, are easy to steal, with 90% of user-generated passwords in existence subject to malicious activity.
Other types of authentication mechanisms are equally ineffective, as more than 20% of
genuine users fail. Security questions are often so “secure” that the real user doesn’t know
(or remember) the answer. Questions can be subjective with multiple possible correct
answers, and some answers change over time. SMS one-time-code verification requires the
end user to have a cellphone on them.
The simple truth is that “traditional” authentication is taking a toll on banks, eCommerce sites
and companies protecting data. Each time an online banking user fails to authenticate, for
example, it can cost a bank upwards of $10 to resolve the issue over the phone or at the
local branch, without even factoring-in the customer frustration that negatively impacts their
willingness to continue doing business with the bank.
As the technology continues to advance, cognitive biometrics is a solution that provides an
effective alternative to standard authentication measures. It requires no user enrollment or
involvement, while running “behind the scenes” comparing a user’s active behavioral
parameters with those exhibited in previous sessions.
It records the general behavioral patterns of an online user while they interact with a website
or mobile application. This includes hundreds of metrics, such as the speed with which
somebody types and clicks, how the device is held, how the cursor is moved, etc.
Cognitive biometrics offers an additional security measure with invisible challenges that are
inserted to test how a user responds to them. These test alterations are so slight that users
do not consciously register them. For example, the system will add a slight sideways motion
to the mouse movement when the user moves towards the "Submit" button. The user
spontaneously reacts, adjusting his/her movement and offsetting the alteration.
Each user has a slightly different way in which he/she subconsciously responds to this
challenge. Invisible challenges measure multiple response attributes, including the pressure
applied to the smartphone, which hand is used, response time, correction path, correction
patterns, and speed and trajectory of the mouse or finger movements.
In addition to authentication, cognitive biometrics is also used to detect behavior consistent
with known threats and fraudsters. The concept is the same. First, the known threat behavior
is profiled. Then, each user session is compared against a list of known criminal behaviors,
such as Automated Scripts, Malware/Bot/Man-in-the-Browser attacks and Remote Access
Attacks (RATs).
Since cognitive biometrics doesn’t depend on user responses like traditional authentication
measures, each person has a distinct biometric signature which cannot be matched by
anyone else or by an automated process, and it is nearly impossible to duplicate. While no
individual cognitive response can identify a user alone, when combined they create a
unique user profile.
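As an added example for this page (not BioCatch's product code), the Python below shows the two uses described above: building a per-user profile from prior sessions and scoring a new session against it by average z-score, plus a simple check for the machine-regular event timing that automated scripts leave behind. The metric names, the sample session values, the 2.5 deviation threshold and the 5% coefficient-of-variation limit are constructed assumptions.

```python
"""Behavioural session scoring: an added illustration of the cognitive
biometrics approach described above, not BioCatch's product.  Metric names,
sample values and thresholds are constructed for the example."""
from statistics import mean, pstdev
from typing import Dict, Sequence, Tuple

# Constructed per-session features: keystroke timing, pointer dynamics and
# how the user corrected an invisible sideways nudge on the way to "Submit".
METRICS = ("key_flight_ms", "pointer_speed_px_s",
           "nudge_correction_ms", "nudge_overshoot_px")
MIN_STD = 1e-6  # guards the z-score when a metric never varied in training

Session = Dict[str, float]
Profile = Dict[str, Tuple[float, float]]


def build_profile(history: Sequence[Session]) -> Profile:
    """Mean and spread of each metric over a user's previous sessions."""
    profile: Profile = {}
    for m in METRICS:
        values = [s[m] for s in history]
        profile[m] = (mean(values), max(pstdev(values), MIN_STD))
    return profile


def session_deviation(profile: Profile, session: Session) -> float:
    """Average absolute z-score of the session against the profile.

    No single metric decides anything; the score aggregates all of them,
    which is what lets ordinary day-to-day variation pass while a different
    person (or a script) stands out on most metrics at once."""
    zs = [abs(session[m] - mu) / sd for m, (mu, sd) in profile.items()]
    return sum(zs) / len(zs)


def classify(profile: Profile, session: Session, threshold: float = 2.5) -> str:
    """'match' when the session behaves like the account's owner."""
    return "match" if session_deviation(profile, session) < threshold else "anomalous"


def looks_automated(event_intervals_ms: Sequence[float], cv_limit: float = 0.05) -> bool:
    """Scripts and bots emit events with machine-regular timing; humans do not.

    Flags a session when the coefficient of variation (std / mean) of the
    gaps between input events is tiny.  cv_limit is a constructed threshold."""
    mu = mean(event_intervals_ms)
    if mu <= 0:
        return True
    return pstdev(event_intervals_ms) / mu < cv_limit


# Constructed training history for one user (four earlier sessions).
HISTORY = [
    {"key_flight_ms": 180, "pointer_speed_px_s": 900, "nudge_correction_ms": 140, "nudge_overshoot_px": 12},
    {"key_flight_ms": 170, "pointer_speed_px_s": 950, "nudge_correction_ms": 150, "nudge_overshoot_px": 10},
    {"key_flight_ms": 190, "pointer_speed_px_s": 880, "nudge_correction_ms": 135, "nudge_overshoot_px": 14},
    {"key_flight_ms": 175, "pointer_speed_px_s": 920, "nudge_correction_ms": 145, "nudge_overshoot_px": 11},
]
```

Because the profile is rebuilt from observed sessions, nothing has to be enrolled explicitly, which matches the "no user enrollment" point above; in production the profile would be updated incrementally as matching sessions accumulate, and a session flagged anomalous would feed a step-up challenge or a fraud review rather than a hard block on its own.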
Beyond improving end-user experience and the obvious monetary savings, using this type of
authentication can help banks achieve a much greater goal – expand business and drive
revenue. To maintain a competitive edge, banks and eCommerce sites need to continually
introduce new products and services, in particular, in their Web and mobile applications.
However, adding new service and functionality (e.g. mobile wallets, peer-to-peer payments)
to the online channels exposes the organization to new risks that cannot be mitigated with
existing security controls without significant impact on user experience. By layering
cognitive biometric analysis on top of existing security controls, organizations can generate
more business without accepting more risk.
As the inefficiencies of traditional authentication methods continue to be highlighted with
major breaches and continued friction for end-users, costing businesses millions of dollars a
year, we are seeing a significant shift towards cognitive biometrics which better protects
companies online and offers a more user-friendly experience for customers.
About the Author
Oren Kedem is the VP of Product Management at BioCatch. He brings over 15 years of
experience in product management in the areas of Web Fraud Detection and Enterprise
Security. Prior to joining BioCatch, Oren served as Director of Product Marketing at Trusteer
(now part of IBM) and led the Anti-fraud eCommerce solution at RSA (now part of EMC). He
also served in various product marketing and management positions at BMC covering the
Identity and Access Management and Systems Management solutions. Oren can be
reached online at oren.kedem@biocatch.com and at our company website
www.biocatch.com.
Dynamic Cryptography and Why it Matters?
Milica Djekic, an Online Marketing Coordinator at Dejan SEO and the Editor-in-Chief at
Australian Science Magazine
As we all know, we live in a very dynamic and constantly changing world, where new
information and ideas come and go at a really fast pace. Indeed, we should notice
that data protection and critical information security play a crucial role in maintaining our
everyday lives. For that reason, invoking the technique of dynamic encryption could be
strategically important in this digital era. In this article we attempt to answer the
following question: why does the concept of dynamic encryption matter? Well,
let's begin.
Introduction
With the widespread use of different network services and applications, security becomes a
major concern. From a security perspective, data integrity and confidentiality are vital
problems for information systems. Confidentiality is concerned with resources being
accessed only by authorized users, while integrity refers to protection against unauthorized
modification. Integrity and confidentiality are often related to authentication, authorization
and cryptography. In fact, authentication relies on strong cryptographic systems in order to
secure itself. In other words, cryptography plays a crucial part in any security system.
There are two basic techniques in cryptography: symmetric and asymmetric cryptography. In
symmetric cryptography, the encryption and decryption keys are the same. In contrast,
cryptography whose encryption key differs from its decryption key is called asymmetric
cryptography. Each of them has its pluses and minuses. Because of its characteristics,
asymmetric cryptography is more secure than symmetric in key distribution and exchange.
However, symmetric cryptography is significantly faster than asymmetric cryptography.
In security systems, based on their respective advantages, symmetric and asymmetric cryptography
are often combined to protect information systems. By capturing communication
messages, an adversary might be able to detect patterns in the encrypted messages to
crack the ciphers. The compromise of one session key exposes all communication data in
the session. Furthermore, key exchange protocols rely on permanent asymmetric keys. The
more those asymmetric keys are reused to create sessions, the more vulnerable the cryptographic
system becomes to cryptanalysis attacks. When these keys are compromised, the whole
security system becomes vulnerable to adversaries.
Dynamic Cryptography
Imagine a typical hacker's attack on some valuable communication lines or an information
system. Suppose that a cryptanalyst or an attacker is trying to identify a function transferred
through a certain communication channel by using a table of corresponding pairs of
input and output. For special functions, for example linear functions, this problem may
be solved efficiently. On the other hand, that cannot be the case for general functions,
because there we deal with much more complex mathematical functions and operations.
It is clear that no finite number of experiments will suffice for the cryptanalyst to tell the
given functions apart, as the arbitrary number may have been set to any value.
That is why we must invoke the following theorem:
Theorem: There cannot exist an algorithm that can identify a general computational
process based upon its input/output relation.
We conclude that if we use a cipher that includes a general computational process, and
keep all construction parameters of that process secret, the cryptanalyst will face a problem
which he will be unable to solve. We must, however, carefully consider the
inconvenience that would occur if the system itself falls into the hands of the enemy. We see
specifically that simply using an optimal encryption algorithm that is kept secret will not be a
solution.
For these reasons, we invoke the concept of a specific universal machine. The specific
universal machine that we will make use of here must have a few specific properties. It
should be designed to accept any binary string as valid input, i.e. no input string shall be
rejected as having wrong syntax. This requirement is equivalent to devising the set of operations
of the universal machine such that an operation will be selected in response to
any possible input information stream. This modification is of no difficulty, and can be
implemented without restricting the set of possible computations.
The input stream must further be kept secret, as knowledge of it would essentially be
equivalent to knowing the key of the system. This choice will not pose any difficulties, as the
universal machine may use any binary string as input. We see that the secret input stream
and the internal memory of the universal machine may easily be protected during encryption
or decryption, and can be erased afterwards.
Why Does Dynamic Encryption Matter?
The modern world is a very dynamic place. We are going digital, and information is
becoming a normal part of our lives. Everything changes very fast and sometimes it's quite
challenging to follow all those changes. If our world is going dynamic, the logical question
should be as follows: "Do we need protection that will go dynamic as well?" The answer
is simple – yes.
What do we use to secure our so valuable information? Encryption, indeed. So, what we
need at this stage is a dynamic form of encryption. It is well known that modern
encryption systems are based on very strong mathematics and can be implemented in both
hardware and software. What is typical for many dynamic cryptographic systems is that
they are based not only on logical circuits, but include memory elements as well. Digital
logic classifies such systems as sequential. The characteristic of sequential circuits is
that they move from one logical state to another. Basically, they make a cycle. Imagine how
this could be useful in terms of binary information permutation. For example, a logical part
of the circuit does the information transformation and a memory element is responsible for
the information permutation.
It is obvious that, in such a case, we get a constantly changing and quite smart
system that can offer us dynamic protection. In programming, this can be realized
using an adaptive algorithm. That is all we will say here about dynamic
cryptography.
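An added example (not from the article) of what the memory-plus-transformation idea looks like in software, and of how it limits the session-key compromise described in the introduction: a symmetric key ratchet whose chain key is the memory element and an HMAC-based derivation is the transformation, so every message is sealed under a fresh key and the state that produced earlier keys is gone. Assumptions made for the example: the HMAC-counter-mode keystream standing in for a real AEAD, the derivation labels, and the constructed root key and messages.

```python
import hmac
import hashlib
from typing import Dict, List, Optional, Set, Tuple

TAG_LEN = 32     # HMAC-SHA256 tag
NONCE_LEN = 8    # message index, sent in clear in front of the ciphertext

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way transformation step: HMAC-SHA256 keyed with the current state."""
    return hmac.new(key, label, hashlib.sha256).digest()

class SymmetricRatchet:
    """Sequential key schedule: the chain key is the memory element, kdf() the logic.
    Each call yields a fresh message key and overwrites the chain key, so a later
    compromise of the state cannot be rolled back to earlier message keys."""
    def __init__(self, chain_key: bytes, start_index: int = 0):
        self.chain_key = chain_key
        self.index = start_index

    def next_message_key(self) -> Tuple[int, bytes]:
        idx = self.index
        message_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")  # advance state; old state is gone
        self.index += 1
        return idx, message_key

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: a toy stand-in for an AEAD such as AES-GCM (assumption for this
    example, chosen because the standard library has no AES)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]

def seal(message_key: bytes, idx: int, plaintext: bytes) -> bytes:
    nonce = idx.to_bytes(NONCE_LEN, "big")
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(message_key, nonce, len(plaintext))))
    tag = hmac.new(message_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(message_key: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None when the tag does not verify under this key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(message_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(message_key, nonce, len(ct))))

def encrypt_session(root_key: bytes, plaintexts: List[bytes]) -> List[bytes]:
    ratchet = SymmetricRatchet(root_key)
    blobs = []
    for pt in plaintexts:
        idx, mk = ratchet.next_message_key()
        blobs.append(seal(mk, idx, pt))
    return blobs

def decrypt_session(root_key: bytes, blobs: List[bytes]) -> List[Optional[bytes]]:
    ratchet = SymmetricRatchet(root_key)
    return [open_sealed(ratchet.next_message_key()[1], blob) for blob in blobs]

def chain_key_at(root_key: bytes, step: int) -> bytes:
    """State an endpoint holds after `step` messages: what a memory dump at that moment exposes."""
    ratchet = SymmetricRatchet(root_key)
    for _ in range(step):
        ratchet.next_message_key()
    return ratchet.chain_key

def exposed_after_leak(leaked_chain_key: bytes, leaked_step: int, blobs: List[bytes]) -> Set[int]:
    """Message indices readable with the chain key captured at `leaked_step`. Earlier messages
    stay sealed (forward secrecy); later ones are exposed until the parties re-key with a
    fresh asymmetric exchange, which a symmetric-only ratchet does not provide by itself."""
    ratchet = SymmetricRatchet(leaked_chain_key, leaked_step)
    keys: Dict[int, bytes] = {}
    for _ in range(len(blobs)):
        idx, mk = ratchet.next_message_key()
        keys[idx] = mk
    exposed = set()
    for blob in blobs:
        idx = int.from_bytes(blob[:NONCE_LEN], "big")
        if idx in keys and open_sealed(keys[idx], blob) is not None:
            exposed.add(idx)
    return exposed

if __name__ == "__main__":
    root = bytes(range(32))   # constructed demo root key, not a real secret
    blobs = encrypt_session(root, [b"transfer 10", b"to account A", b"confirm", b"logout"])
    print(decrypt_session(root, blobs))
    print(exposed_after_leak(chain_key_at(root, 2), 2, blobs))   # {2, 3}
```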
Conclusion
At the end, we could simply ask the following question: "Is the future of our digital reality so
dynamic, indeed, or do we need to concentrate on somewhat brighter solutions?" Well, since
our environment is so dynamic and constantly changing, it appears we should try to adapt to
those changes somehow. At the moment, dynamic encryption seems a quite good
choice. But what we would most like to mention here is that special attention should
be paid to solutions that can assure perfect secrecy. Why is that important? Well, as is
known, the key-based options are not that reliable, because there are always ways for a
cryptanalyst to obtain information about the cryptosystem's key and easily break into such a
communication. There are dozens of very attractive cryptographic software packages available on
the web, and they are all normally key-based. From our perspective, these are quite
risky and concerning problems. So, that's how we should think in the future… Yes. We are
dynamic and we need dynamic protection! But is that all?
About The Author
Milica Djekic is a graduate of Control Engineering and the current Editor-in-Chief of
Australian Science Magazine, where she writes about her explorations in the world of
cryptography, online security, and wireless systems. Currently based in Serbia, she works
as an Online Marketing Coordinator for Dejan SEO.
Why is password creation so hard? (Part 3)
by Josephine Rosenburgh
If you're trying to create a 256-bit encryption algorithm you need to ensure that there is
absolutely no chance of anyone ever cracking it, not just a small chance or a very small
chance. No chance. You cannot afford to make a single mistake anywhere in the design,
which is why you need it at the correct efficiency.
Do you want the world's top cryptographers to run out of ideas in the middle of a 256-bit
encryption algorithm? They're expecting you to use their algorithms. Therefore, you have
every right to question them.
The great problem is an algorithm which is too inefficiently slow or too inefficiently fast. It is
no good being nearly good enough. I do not think it is safe to run out of ideas when
you're in the middle of creating a 256-bit encryption algorithm. That's 10^77 permutations
which you're trying to protect.
(And one day there will be that computer that will be powerful enough to crack Eternity 2.
Even if you cannot program it there are plenty of mathematicians at Cambridge University, or
any other university, who can.)
I think the world owes a big debt of gratitude to the Twofish people. They were the only
team who correctly assessed how efficient an algorithm is supposed to be, given that there
are no clues in the universe. They correctly realized they would have to create those clues
literally out of thin air, which is just what I did. You create, or request, the clues yourself rather
than expect the universe to do it all for you.
The Twofish team mentioned that it is easy to create an algorithm which is secure but totally
ignores the amount of time taken. It is also easy to create an algorithm which is very quick
but isn't secure at all. The hard part is getting both of them together.
The Twofish team did try to crack Rijndael (which is set at 14 rounds of encryption). They
knew what it lacked but still could not crack it in the time they had. Others have attempted
too without success but that doesn't mean anything. No one can predict if or when it will
successfully occur.
I will say that an algorithm can only be secure if every one of the 2^256 combinations is fully
protected. What if 999 of those are exposed? Those 999 are always hidden to the
cryptographer(s) that created it. Its creators may not see them but someone else easily
could.
With 2^256 combinations every single one is being tested all the time, not just part of the
time but all of the time. A competent algorithm creator can see all of them and they should all
flow beautifully exactly as the inventor intended. (I will take the word "cryptographer" as
meaning someone who studies algorithms whereas an algorithm creator is someone who
creates them.)
When I formed my infinite algorithm and my password encryption algorithm I was constantly
doing calculations. I had to know exactly how efficient something was.
For Rijndael to reach Twofish's level of security the Twofish team calculated that 24 rounds
would be needed, which makes it less efficient than Twofish.
When you pick an algorithm do you choose one from someone who is in the top 10 of the
world's best or someone only in the top 20 to 30? Certain people did take Twofish to be the
correct algorithm.
The Twofish team still felt uneasy about Rijndael (set at 14 rounds) and recommended 18
rounds to increase its level of security. This advice was ignored.
If you don't know how efficient an algorithm is supposed to be then you will not know how
efficient your algorithm is and, therefore, you will not know how secure it is. You will think it's
more secure than what it actually is. As a result your algorithm could have too few
calculations and, BANGGGGGg, your algorithm could be blown wide open and you wouldn't
even know it. If, however, there had been too many calculations then that would just be by
pure, pure, pure luck.
Fourteen teams failed, one succeeded.
If you're programming a computer to perform a super, super, super, super complex algorithm
then you really, really need to make sure that you know exactly what is going on at all times.
You cannot afford any mistakes.
Here's how it works: the better the algorithm creator the better they will be at understanding
where they went wrong and, obviously, the worse the algorithm creator the worse they will
be at understanding where they went wrong. I constantly recognised where I went wrong
and I'm sure the Twofish team will have done the same. The best algorithm creators will
make mistakes but will correct them very quickly so that they make the correct progress. It
won't happen as often for other algorithm creators and that's exactly what you will have seen
in the AES contest.
If you're staring a giant 256-bit encryption algorithm in the face how many of those
permutations would you expect to be protected? 2^254? 2^248 perhaps? Or maybe maybe
maybe 2^230?
Which of the 15 algorithms would you have picked? The one with the most technical-sounding
name perhaps? Have you ever heard of the Teknotranic 256-bit encryption
algorithm before? Or maybe you could opt for the Compucell-Ramdac?
It could have been that all 15 teams failed to produce a correct 256-bit encryption algorithm,
in which case we would never have known.
That is as much as I can say on the subject (since I don't specialize in those types of
algorithms).
So there must be connections between standard cryptographers (algorithm creators) and
specialist cryptographers (algorithm creators) and either one could succeed or fail.
NIST can pick whatever algorithms they want. That's their choice. I'm not here to change
their mind. I just compared algorithm efficiencies so that others will learn something from it.
The algorithms are all available for everyone to use. You pick whatever one you think is best
for you. Besides, we can all have our own opinions about the five that made it to stage 2.
When NIST set up the challenge they asked for an algorithm that no five people on the
planet were capable of meeting. They assumed it was going to be very easy.
What is encryption? What actually is it? I will use an analogy. Imagine you have been buried
in the desert. You have a limited amount of time to escape. To escape you have to guess
the number of sand particles in the desert. The total number is not random but is derived
from an algorithm. You have to guess, exactly, what the algorithm is before your time runs
out. The algorithm is a very, very efficient one. It is unbelievably efficient.
And you're wondering why 14 teams failed?
When an encryption algorithm is introduced it is always being tested, every day. It is tested
by nature, the universe, which is why it has to be perfectly secure and correctly efficient.
If the algorithm isn't correctly efficient and there aren't enough steps then it's just a numbers
game as to when it will break. Does it matter whether it is 23, 33, 43 or 53 years' time? What
if a dam has a very slight crack? The water is testing the dam every day. How can you say
when it will break? It doesn't matter when. The water appears not to be moving but it can
only be that way if the dam was perfect in the first place. You have to be solving all of the
problems at a faster rate than nature is putting them there. Once the dam has been built
then it is too late to do anything about it.
Only the best algorithm creators will know exactly where the correct efficiency levels are.
There are cryptographers who spend all day testing the weaknesses of algorithms.
Why is it so hard to create an encryption algorithm? Because it is so deceptive and no one
knows what such a thing would ever be. You are being asked to create something when you
don't even know what the end result is supposed to be. It is constantly like that throughout
the whole process and yet you are always led to think the opposite. It is virtually
impossible for an algorithm creator to know when they have reached the final formula
successfully. What in the universe will tell that algorithm creator when they have got there?
There is literally nothing. It is the worst jigsaw puzzle in the universe and no one even
knows of its existence.
The people who created Twofish wouldn't be able to answer the question and I'm sure that
none of them would ever say that encryption is easy. Can you guess what other encryption
algorithms I have yet to create? I can't even do that. I would never say it was easy.
And now you know why password creation (and password encryption) is so so so hard.
I also want to say something to computer programmers who incorporate encryption
algorithms within their software. I know exactly what you were thinking: "I'll just use whatever
algorithm NIST chose. They must know more than me. They're the experts."
Obviously, you have absolutely no idea about the creation of advanced encryption systems.
It is clear to everyone that you didn't even bother reading any of the reports about the
algorithms or you did but you still couldn't understand anything written in them.
Have you ever thought about joining NIST?
Perhaps you could make a change to your choice of algorithm and kindly offer your clients a
free upgrade to the new version of your software? Who knows what someone will be able to
do in 20 or 50 years' time?
"What about software which creates, encrypts and saves all your passwords?"
Do you need a password to use such software? Why should you know how to create all of
your own passwords? Some word processors encrypt your files but only if you provide a
password. Trying to get away from using passwords is impossible. Encryption always
involves passwords somewhere. And what if someone loses their laptop or tablet?
What is such software doing? It is treating passwords like known data (which it is not) and
encrypting it.
Will the people who create such software provide a password encryption system for
everyone to use? Are they going to show the world's best cryptographers and
mathematicians how to encrypt all their passwords? Whilst they're programming their
computers are they using the very algorithms that were seen submitted for AES? Surely, the
people who submitted AES algorithms are all perfectly capable of programming their own
computers with their own algorithms to encrypt all of their own passwords?
We all know that computers are far faster than people at performing numerical calculations. I
have now highlighted Twofish as being the most efficient of all the algorithms. Can you
guess what I'm going to ask next?
How does Twofish compare with my infinite encryption algorithm?
Which is more efficient? That's what the average football supporter is asking.
My efficient infinite algorithm is going to have to be more efficient for an average human to
use than Twofish is for a computer to use. Did I do everything absolutely correctly?
Twofish has 2^256 permutations. Mine has infinitely many. Which is more efficient?
And guess what? My password encryption algorithm is going to have to be more efficient
than my infinite encryption algorithm. That's how difficult it is to do.
What does this mean? My password encryption algorithm is going to have to be the most
efficient encryption algorithm in the world as it will have to comfortably protect all of your
passwords.
The password encryption algorithm has to be perfect in every way, with absolutely no flaws
in encryption. An infinite encryption algorithm, however, does not have to be so perfect but it
has to be reasonably close enough so that it is easy to find the password encryption
algorithm as a result of finding the efficient infinite algorithm. Of course, there are an infinite
number of efficient infinite algorithms but which ones are close enough to being perfect? I
could have found a reasonably efficient one which wasn't quite efficient enough. However, to
get there a totally flawless efficient infinite algorithm is required.
And cryptographers have never even heard of a password encryption algorithm until now.
You have seen flowers before. So what? Everyone has seen flowers before.
It was harder for me to write this article than it was to find the password encryption algorithm.
So here we have it: on my left are the world's leading cryptographers. On my right are the
world's leading mathematicians and physicists. I quickly turned and faced the right direction
to walk to the one correct door which led to the world's most succinct, efficient encryption
algorithm. Opening it and looking in was like seeing a golden new world.
I saw several flowers out of an infinite number hidden in the unlit background. The only
flowers in there come from an infinite number of permutations and they are all designed by
supreme cryptographers.
Whatever is designing these flowers is far better at cryptography than I am. Whichever
direction you look at you will see amazing flowers.
The next amazing algorithm will be even harder to find.
Expect people without basic maths skills to purchase the book and complain that the author
is a liar.
I now know that my mathematics skills are better than those who cannot do basic maths. (As
a matter of fact, try and avoid telling those with below average intelligence about this article.)
There is one more calculation that I should show you. If I don't then someone else probably
will so I might as well show it.
What is the consequence of finding these two special super-efficient algorithms? I've said
countless times that my infinite algorithm is super, super efficient. What does that mean in
the real world? How big is 10^77 or 10^38? Let me give you some kind of a physical
perspective.
I now want to talk about cruise ships. What on Earth do cruise ships have to do with
cryptography, you ask? Good question. Let me continue. The world's largest cruise ship is
the "Oasis of the Seas" (along with the "Allure of the Seas"). Its (gross tonnage) volume is
225,000 tons. Its weight (displacement) is 100,000 tons.
Suppose that someone wishes to steal all those 100 billion (10^11) booklets. They can't run
very quickly so everyone in Germany has agreed that all of the booklets will be thrown into a
container.
After completion everyone is now standing around waiting for something to happen.
Minus the weight of the container, the approximate weight of the whole thing is 2 million
tons. This is equivalent to 20 "Oasis of the Seas" ships.
Never mind UFOs landing in your street. You have now read this article.
I will finish with one last message. I remember one man (who works for a very, very famous
software company) complaining about the number of passwords he had to use. The answer is
simple: use a search engine. Type in "password tips".
I tried it and got 2,500,000 results. My advice to him: stick to your current method rather than
view all of the results.
Which result came top? The one from his employer.
About The Author
From California, this young author spends most of her time working in a computer store. An
avid fanatic of sudoku and crosswords, reading several articles on cryptography led her to
the inspiration she needed for her first ebook.
Married to her husband, John, a sales rep, she also spends her spare time writing and
dancing. Prior to the launch of her first ebook she was unsuccessful in her attempts to get
another book into print and still continues to pursue this objective.
Josephine's book can be found at https://www.smashwords.com/books/view/429052. She
can be reached online at https://twitter.com/jrosenburgh
Secure your code with analysis and scanning
by Art Dahnert, Security Product Manager, Klocwork, a Rogue Wave Company
More and more development teams are standardizing on static code analysis and open
source scanning to reduce their risk of encountering security breaches in the field. These
tools find the vulnerabilities for you, so you don’t have to spend time, money, and skill sets
worrying about them. It boils down to three things: knowing where your risks are, checking in
more secure code, and reducing the probability of attack.
What does static code analysis do?
Static code analysis (SCA) is the automated identification of programmatic, semantic, and
security errors in code. There are simple analysis tools out there, no more than glorified
compilers, but more sophisticated tools take into account all the control and data flow
interactions within the application and check for compliance against common industry
standards.
Consider a function that dereferences a pointer set by another function. Manual unit testing
of either function in isolation may not reveal that the pointer being dereferenced could be
NULL. Static code analysis, on the other hand, would find the problem. Going further,
consider the same situation but with the two functions developed by two different teams.
The chances of the NULL pointer dereference reaching the customer become higher if the
test coverage isn't there.
It’s not surprising, then, that Capers Jones of Namcook Analytics found that, without tools
and processes like static code analysis, developers are less than 50 percent efficient at
finding bugs in their own software.
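As an added illustration of the cross-function case just described (example code, not Klocwork's analyzer): a toy interprocedural null-dereference checker over a constructed mini-IR. It first computes, to a fixpoint, which functions may return NULL, including ones that merely pass a callee's NULL through, and then flags every dereference that trusts such a result without a check, which is exactly the pattern that per-function unit tests miss. The IR, the sample program and the team split are assumptions made for the example.

```python
from typing import Dict, List, Set, Tuple

# Mini intermediate representation of a C-like program (constructed for this example).
# Each function body is one straight-line list of statements:
#   ("call", dest, callee)   dest = callee()
#   ("check", var)           if (var == NULL) bail out  -> var is non-NULL afterwards
#   ("deref", var)           *var or var->field
#   ("return", var)          return var
#   ("return_null",)         return NULL on some path
Stmt = Tuple[str, ...]
Program = Dict[str, List[Stmt]]
Finding = Tuple[int, str, str]   # (statement index, variable, callee that may have produced NULL)


def _walk(body: List[Stmt], nullable_callees: Set[str]) -> Tuple[List[Finding], bool]:
    """One pass over a function: unchecked dereferences of possibly-NULL values, plus whether
    the function itself can return NULL given the current callee summaries."""
    maybe_null: Dict[str, str] = {}   # variable -> callee whose NULL result it may hold
    findings: List[Finding] = []
    returns_null = False
    for i, stmt in enumerate(body):
        op = stmt[0]
        if op == "call":
            _, dest, callee = stmt
            if callee in nullable_callees:
                maybe_null[dest] = callee
            else:
                maybe_null.pop(dest, None)
        elif op == "check":
            maybe_null.pop(stmt[1], None)
        elif op == "deref" and stmt[1] in maybe_null:
            findings.append((i, stmt[1], maybe_null[stmt[1]]))
        elif op == "return_null":
            returns_null = True
        elif op == "return" and stmt[1] in maybe_null:
            returns_null = True      # a callee's NULL is passed straight through
    return findings, returns_null


def analyze(program: Program) -> Tuple[Set[str], Dict[str, List[Finding]]]:
    """Interprocedural analysis: grow the may-return-NULL summary set until it stops changing,
    then report every dereference that relies on such a result without a check."""
    nullable: Set[str] = set()
    while True:
        grown = {name for name, body in program.items() if _walk(body, nullable)[1]}
        if grown <= nullable:
            break
        nullable |= grown
    findings: Dict[str, List[Finding]] = {}
    for name, body in program.items():
        found, _ = _walk(body, nullable)
        if found:
            findings[name] = found
    return nullable, findings


# Constructed sample: team A owns the lookup layer, team B owns request handling.
PROGRAM: Program = {
    "db_find":             [("return_null",)],                                   # not found -> NULL
    "lookup_user":         [("call", "u", "db_find"), ("return", "u")],
    "get_user":            [("call", "u", "lookup_user"), ("return", "u")],      # team A wrapper
    "load_config":         [("return", "static_cfg")],                            # never NULL
    "handle_request":      [("call", "user", "get_user"), ("deref", "user")],    # team B: bug
    "handle_request_safe": [("call", "user", "get_user"), ("check", "user"), ("deref", "user")],
    "render":              [("call", "cfg", "load_config"), ("deref", "cfg")],   # fine
}

if __name__ == "__main__":
    summaries, findings = analyze(PROGRAM)
    print("may return NULL:", sorted(summaries))
    for fn, items in findings.items():
        for i, var, src in items:
            print(f"{fn}: statement {i} dereferences '{var}', which may be NULL from {src}()")
```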
What does open source scanning do?
Developers have nearly limitless options when it comes to finding and downloading open
source code and they often include this code in any number of ways and amounts.
Understanding and tracking open source use isn’t usually a priority for developers when their
primary focus is on delivering features.
Scanning tools offer an automated and repeatable method for understanding the scope and
depth of open source use within a company. Not only do they free up time to focus on other
development efforts, they also remove any element of human error. Given that open source
packages can contain other open source packages and that even just a few lines of reused
code can contain risks, scanning tools are the only reliable choice to know exactly what’s
going on within your code base. Sophisticated open source scanning also comes with open
source support, to help you understand the software packages better.
How do these tools reduce security risks?
Static analysis helps developers deal with well-known but hard to understand security
vulnerabilities. Take a buffer overflow as an example: when a buffer of insufficient or
untrusted size is used to copy into memory, the application is potentially vulnerable. Buffer
overflows cover so many different forms of exploits (such as the well-known Heartbleed flaw)
that they are almost impossible to quantify. The issue isn't necessarily that developers don't
understand what a buffer overflow is; rather, it's the size and complexity of the code base that
makes it extremely difficult to find. SCA, on the other hand, uses a detailed model of the
code base to identify and explain these issues in a way that helps developers fix them early
in the development process.
The power of SCA isn't limited to finding code vulnerabilities; it's also an effective method for
determining how compliant your code is with common security standards, like CWE or
OWASP.
Open source software is used by over 50 percent of enterprise organizations today (from the
2014 Future of Open Source survey) yet it’s not surprising that most of them don’t know the
extent of where and how open source is used. If open source isn’t tested to the same
technical and performance requirements as the rest of your software, including security
vulnerabilities, any product or service that includes it is potentially compromised (this issue is
now number 9 on OWASP’s list of Top 10 Application Security Concerns). Open source
scanning and support does two things:
- It gives you a comprehensive picture of where open source is used throughout the
organization, giving you the information you need to plan and execute security testing.
- It provides up-to-date reports on known security vulnerabilities, patch levels, and versions.
Armed with the knowledge provided by open source scanning, your team is better positioned
to combat security threats.
The perfect combination
Static code analysis finds flaws before check-in and open source scanning finds flaws for
code that you’re bringing in from the outside. Put the two together and you’ll not only have a
complete picture of the potential weaknesses in your code, you’ll also be able to fix flaws
earlier and faster than if you tried to do it manually.
About The Author
Art Dahnert is the Security Product Manager of Klocwork, a Rogue
Wave Company. He is a distinguished software security engineer
with over 17 years of security experience within the development
process. Before joining Klocwork, Art performed numerous
application security assessments while working at Trustwave Spider
Labs, Symantec, Overwatch, Schlumberger, and BMC Software.
Email Threats: A thing of the past?
By Fred Touchette, AppRiver
There is no doubt cyber criminals continue to use personal and rented botnets to pump the
Internet full of unwanted advertisements for fake or knock-off products, but the effectiveness
of that approach as a money-making device is dwindling. Now, in the cyber underbelly, email has turned
from mischievous to outright malicious: campaigns that once used trickery to fool recipients into
spending money now simply take it.
Delivery Methods
Today’s cyber criminals employ many email methods to steal money. And since so many
people maintain and rely on email accounts, what better place for cyber criminals to target?
Email-borne attacks come in the form of phishing, spear-phishing, Trojans, malicious
attachments, and hidden scripts. Attack techniques are ever-evolving and adapt with
technology in an effort to stay ahead of security professionals. This constant game of “cat
and mouse” has driven malware authors to become very good at what they do, and has
resulted in some very sophisticated code.
In the beginning, cyber criminals wishing to lure victims to a malicious site would first
manually set up the site and then attract enough people to that site before it was shut down.
Later, cybercriminals sent Trojan horse viruses that pretended to be something of interest to
the receiving party. It was often the attacker’s job to write the malicious code, send out
emails, and maintain compromised sites. While the Trojan approach still lives on, the need
for one person to maintain the prerequisite skill set and personal resources is no longer
necessary thanks to underground outsourcing. Today, just about anyone with the desire and
wherewithal can assemble an entire cybercrime team and be ready to go within days.
Threat Variants
We have seen millions of variants of email-borne malware, including “Melissa” from 1999.
Melissa was named after the author’s love affair with, you guessed it, a woman named
Melissa. Purporting to be a Microsoft Word document, Melissa was actually a worm that
spread so quickly it caused a massive shutdown, the largest the world had ever seen up
until that point.
Fast forward a few years and a massive surge of email-delivered viruses ran rampant with
help from Blaster Worm, Sasser, Slammer, and an even more destructive and hardy strain
named Storm Worm, which had a team of people maintaining its code and its subsequent
botnet. Storm Worm’s code was so strong that it became one of the most prevalent threats
from 2007 to 2010.
In recent years, SpyEye, Zeus and mega botnet Cutwail have also wreaked serious havoc.
The point is that the landscape is constantly changing in order to meet the needs of the
attackers as well as respond to the obstacles the security pros put in their way.
Introducing the Malware Kit
A decade ago, personal gratification may have been realized when spammers successfully
executed a mass email attack. But today’s objective is much more sinister and involves
money: your money.
Unfortunately, today’s cyber attackers need little training to initiate malicious threats. Once
upon a time, technical knowledge was required to create and run malware operations. But
today, malware toolkits (‘kits’) are easy to find and use on underground forums.
Malware authors make malware kits in order to make money. Kits are sold to individuals
who have the desire to commit cybercrime, but lack the ability to do so.
Most malware kits are affordable, sometimes hitting the black market for a few thousand
dollars each and then dropping to a couple hundred dollars once the newness of a
particular brand fades. Some kits even come with the added benefit of a support feature that
grants the purchaser access to the kit author so that any questions related to the kit and its
proper function can be answered in a timely manner. What’s more, some authors offer
upgraded versions so that the payloads attached to email campaigns can remain undetected
by even the most current anti-virus solution, guaranteed.
Kits are often made with novice users in mind. One simply needs to input data (such as a
victim’s email address), compose a generic email body, and give the kit a destination to report
back to. After that, the user clicks “Go” and the kit does the rest: it exploits vulnerabilities in
other websites to host its malicious code and to store the newly obtained stolen private
personal information.
Enter the Breach
Targeted user threats like the ones discussed above have become almost passé to cyber
criminals who are anxious for a quick score of private personal information in one fell swoop.
It appears that some of the most sought-after targets today are those that house millions of
pieces of stored data in one place. Such targets include large department stores, e-commerce
warehouses or any large entity that has credit card, password and/or other data
stored on servers that potentially lack proper storage security procedures.
The general public is quickly learning the importance of data security. Still, many
organizations fail to take heed and find themselves in the middle of a media blitz when
consumers discover that their data has been handled in less than savory manners. Such
data breaches cost much more in disaster recovery than they would have if proper security
protocols had been in place from the start.
Vigilance is Key
It may be true that spam is on the decline, but email and the Internet itself have not become
less dangerous because of it.
Due to demand and enhanced security, cyber criminals are getting more creative with
advanced techniques and are unleashing greater threats. That’s why education and
awareness of cyber dangers are needed. After all, the complacent individual will often find
themselves the next victim.
About the Author
Fred Touchette, CCNA, GSEC, GREM, GPEN, Security+, is a Senior
Security Analyst at AppRiver. Touchette is primarily responsible for
evaluating security controls and identifying potential risks. He provides
advice, research support, project management services, and information
security expertise to assist in designing security solutions for new and
existing applications.
Dodging disaster: Cybersecurity and business continuity
By Stephen Cobb, senior security researcher at ESET
You know your company runs on data, and you’ve installed firewalls and antivirus to protect
your systems, but could your business keep going if the power went out? Or your Internet
connection went down for a day? Or your office was inaccessible due to flooding or if some
other disruptive incident occurred? For many organizations the honest answer is: That would
depend on the exact nature of the “incident” and how long it lasted.
Some companies do go out of business when they are hit with a disaster for which they have
not adequately prepared, which is unfortunate because the path to preparedness is well-documented.
Any company of any size can improve its chances of coming through a
disruptive event in one piece—with its brand intact and its revenue undiminished—by
following some tried and trusted strategies collectively known as Business Continuity
Management (BCM).
What is business continuity? Business continuity is the ability of an organization to continue
to deliver its product and services at acceptable predefined levels after disruptive incidents
have occurred.
Identify and rank the threats
• List potentially disruptive incidents that are most likely to threaten your business. For
example, in San Diego, where ESET is based, there is a relatively high level of
earthquake and wildfire awareness. But what about a data breach or IT outage?
What if a toxic chemical spill puts your premises off limits for several days?
• A good technique at this stage is to include people from all departments in a
brainstorming session. The goal is a list of scenarios ranked by probability of
occurrence and potential for negative impact.
Perform a business impact analysis
You need to figure out which parts of your business are most critical to its survival.
• Begin by detailing the functions, processes, personnel, places and systems that are
critical to the functioning of your organization. The BCM project leader can do this by
interviewing employees in each department and laying the results out in a table that
lists functions and key person(s) and alternate person(s).
• You then determine the number of Survival Days for each function. How long can
your business endure without that function causing serious impact?
• Next you rank the impact of that function not being available. For example, disaster
recovery expert Michael Miora suggests using a scale of 1 to 4, where 1 = critical
operational impact or fiscal loss, and 4 = no short term impacts.
• If you then multiply Impact x Survival Days you can see which functions are most
critical. Top of the table will be functions with major impact and just one survival day.
Create the response and recovery plan
This is where you catalog key data about the assets involved in performing critical functions,
including IT systems, personnel, facilities, suppliers, and customers.
• Catalog equipment serial numbers, licensing agreements, leases, warranties, contact
details.
• You will need to determine “who to call” for each category of incident and create a
calling tree so the right calls get made, in the right order.
• You also need a “who can say what” list to control interaction with the media during
an incident.
• Any arrangements you have in place for transitioning to temporary locations and IT
facilities should be documented.
• Don’t forget to document an “all-hands” notification process and a customer advisory
procedure.
• The steps to recover key operations should be laid out in a sequence that accounts
for functional inter-dependencies.
• When the plan is ready, make sure you train managers and their reports on the
details relevant to each department and the importance of the plan to surviving an
incident.
Test the plan and refine the analysis
• Test your plan at least once a year, with exercises, walk-throughs or simulations.
• If a task seems too daunting to undertake on a company-wide basis, consider
beginning with a few departments, or one office if you have several.
• Apply learnings more broadly to your company as you progress through the test.
• Avoid thinking bad things won’t happen, because they do. But being prepared with a
plan is a step in the right direction.
About The Author
Stephen Cobb is a senior security researcher at ESET. Cobb has been
researching information assurance and data privacy for more than 20 years,
advising government agencies and some of the world's largest companies
on information security strategy. Cobb also co-founded two successful IT
security firms that were acquired by publicly-traded companies and is the
author of several books and hundreds of articles on information assurance.
He has been a Certified Information Systems Security Professional since
1996 and is based in San Diego as part of the ESET global research team. Cobb can be
reached on Twitter @zcobb. For more information about business continuity management,
please visit www.eset.com/bcm.
Consumers Need to Know About Corporate Data Breaches in a
Timely Fashion
Breach notification laws & regulations are necessary
By Tom Feige, CEO of idRADAR
Consumers everywhere strongly expect their personal data will be valued and protected no
matter where the merchant is located. Unfortunately, this is not often the case given the
recent rash of so-called “mega” breaches that are besieging our area, the country and the
world, like the eBay breach just a few weeks ago. Consistent laws and regulations on data
security need to be formulated and followed nationwide.
idRADAR’s own research indicates that nearly 80 percent of people who have had personal
data exposed ignore the threat, while those companies that have been breached often mask
the data theft by making announcements only in the two states which require immediate public
awareness. Without a national breach notification law, millions of Americans don’t know of
their risk of exposed personal information, nor can they appropriately protect themselves.
Corporate data breaches and personal identity thefts are now global phenomena that are
imperiling the financial integrity of our entire society and culture. Believe you’re safe? Think
again. No one is 100 percent safe from the best efforts of the best hackers representing
some of the world’s worst criminal organizations.
The truth is many of the leading corporations, retailers and government organizations are
only now beginning to understand the depth of these threats and the unwavering
commitment of these perpetrators to attain wealth achieved through the theft of your most
intimate personal information and financial records.
Another complication involves the crazy quilt of data breach notification procedures that lack
definitive federal standards and constitute a mishmash of varying state laws and US
territorial regulations. In addition to making it tough for consumers to learn their data has
been compromised, this landscape also presents a massive challenge to companies and
organizations as they attempt to understand their legal obligations.
This creates complication and delays even for those organizations with the greatest intent to
alert customers immediately after identifying threats and their potential damaging effects.
Then again, there are the actions of retailers such as Michaels Stores that make the case for
stiffer and mandated regulatory practices when breaches occur. Michaels announced it
might have a problem on January 25, 2014 but did not confirm the details until April 17,
2014—a 12-week delay.
In fact, the company only announced an investigation was in the works after news of the
problem leaked to the media. In all, three million payment cards were compromised—some
of them a full year ago.
In comparison, Target Corp. took four days to go from first suspicions to initial disclosure. In
the days immediately following its pre-Christmas announcement, Target stumbled and
struggled with everything from overwhelmed hotlines for incoming calls and glitches in its
credit monitoring sign up to its testimony before Congress.
While most corporations would choose the Michaels route of carefully crafting a response
plan down to the smallest detail to ensure smooth implementation, the truth is customers are
rarely served by such tactics. Even when law enforcement investigators ask a merchant to
hold off on public disclosure, they are not usually anticipating several months of delays.
For customers, such lengthy timeframes can create complex damages especially if the
payments were made with debit cards. Take the case of the Raley’s grocery chain breach
disclosed last June. Even when the banks promised to absorb the fraudulent charges,
shoppers suffered in other ways. One idRADAR customer spelled out how his life was
turned upside down when the hackers emptied his bank account.
“I was given a refund by the bank but only after two weeks, and being late on bills and
running out of money to put gas in my car, and then another week before I even had another
debit card to use. Shameful, the way they make it sound like it is no big deal!” wrote the
individual.
Customers who have the foresight to put comprehensive identity monitoring services in
place before a breach—daily checks of three credit bureau files, criminal court records, the
dark web a.k.a. Internet Black Market and other public records checks—are then in a far
better position to detect the theft of credit card numbers before their sale to criminals, protect
bank accounts and identify safeguards well in advance of companies like Michaels publicly
owning up to the problem.
Yet few individuals have this level of complete protection. For the average Michaels Stores,
Target or Raley’s shopper, speed in disclosure is essential for limiting damages.
Realistically, a two-week window should be ample for hacked companies to line up strong
responses provided their risk management plans and strategies are in place long before the
breach. Asking customers to wait any longer pushes the boundaries of reason. Delays are
even less acceptable when Social Security numbers have been compromised.
Not all companies will comply with such a timeline (some will still try to avoid any sort of
breach news dissemination), but the federal enforcement agency could levy fines for longer
delays that are judged to be unreasonable.
While all the details may not be clear in 14 days, a federal law should also require that
companies disclose the exact types of data lost and the total number of victims.
Recent reports in The Washington Post put the data breach at Harbor Freight Tools at close
to 200 million compromised cards, which if accurate could make it even larger than the
Target or Adobe Systems breaches. However, Harbor Freight has steadfastly refused to
disclose numbers.
How and when breaches are detected can no longer be governed by our current puzzle of
state laws. The strength or weakness of a state statute should not determine how much
residents in that state learn about the loss of their own personal data. It’s time to steadfastly
remove the blinders so that America can see this problem, its full size and impact, and
not just the slices that are revealed piecemeal state by state. Perhaps if the country realizes
the true magnitude of the problem, we can finally shift the focus from breach reaction to
where it should have been all along—proactive breach prevention.
About the author
Tom Feige co-founded Denver-based idRADAR (www.idradar.com) to
provide security solutions for individuals and corporations that protect and
monitor identity data, credit information, Internet use, and digital
communications. For more information please call 888-949-4245.
Improve Your Computer’s Security in 5 Simple Steps
Whether you have a laptop, a netbook or a high-end PC it is incredibly likely that you do more
than just check your emails on it. With the recent development of online technologies to include
shopping online and even online banking, it is incredibly important that you ensure the safety
and security of your computer. Plus if you have a business PC, and store any client files in your
documents it is important to ensure that these are secure. A breach of client privacy is a huge
issue within any business.
Because of the anonymity provided for hackers online it has become more dangerous to share
information online and even offline on your PC. This is why it is important to make sure you
have the right security measures in place to stop any potential hackers or data-thieves in their
tracks. There are a number of precautions you can take to reduce the risk of becoming a victim
of hacking; however, as with any security measure, these are not fail-safe methods, so it is
important to continue to update your security in accordance with your privacy needs and budget.
1. Password Protection and Changing Passwords
Password protection is essential for any level of security. Whether you have a PC or a tablet,
even if you only use it while at home, it is important to at least use a password on the login
screen. Although it doesn’t provide a huge level of protection it is still one extra barrier for
potential thieves to cross. All online accounts you create require a username and
password, and it is strongly recommended that you use several different passwords as
opposed to a single password for every account.
If you have trouble remembering passwords, don’t write them down in a document on the
computer! This is a rookie mistake. Try writing it on a piece of paper to keep in your wallet or in
your diary, but don’t make it obvious that it is a password! People often keep nonsensical notes
in their diaries and wallets and you should recognise it when you see it.
Setting up password policies within a business is also essential if you are handling sensitive
client information. Password policies often have a set of requirements that the password needs
to fulfil before it is accepted as the user password. For example some requirements may be that
a password is a minimum of 8 characters and it contains one numeric figure and a capital letter.
You can also make sure that passwords are changed every 30 days or every month to reduce
the chances of a password being used for nefarious means. It may seem annoying but it is a
good security measure.
There have even been some companies who state that a password cannot be the same as 24
previous passwords. Imagine having to think up 24 passwords that meet the requirements! But
it greatly improves security.
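The policy described above (a minimum of 8 characters with one digit and one capital letter, a change every 30 days, and no reuse of the last 24 passwords) can be enforced in code. The following Python example is added here and is not from the article; it keeps the password history as salted PBKDF2 hashes rather than plaintext, which is what makes a 24-deep history safe to store, and compares against it in constant time. The function names and the 100,000 iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Policy values taken from the article: minimum 8 characters, at least one digit
# and one capital letter, rotation every 30 days, no reuse of the last 24 passwords.
MIN_LENGTH = 8
MAX_AGE_DAYS = 30
HISTORY_DEPTH = 24
PBKDF2_ROUNDS = 100_000  # assumption for this example


def check_complexity(password):
    """Return a list of policy violations (an empty list means the password is acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", password):
        problems.append("no numeric character")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 digest; history entries are stored this way, never in plaintext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history):
    """True if the candidate matches any stored (salt, digest) pair within the policy depth."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def validate_change(new_password, history):
    """Complexity violations first, then the reuse check; empty list means the change is allowed."""
    problems = check_complexity(new_password)
    if in_history(new_password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def record_password(password, history):
    """Append a new hashed entry and trim the history to the policy depth."""
    history.append(hash_password(password))
    del history[:-HISTORY_DEPTH]
    return history


def password_expired(last_changed, today):
    """Both arguments are ISO dates (YYYY-MM-DD); True once the 30-day window has passed."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    history = []
    record_password("Winter2013", history)   # constructed sample passwords
    record_password("Spring2014", history)
    for candidate in ("summer2014", "Spring2014", "Summer2014"):
        print(candidate, "->", validate_change(candidate, history) or "accepted")
    print("expired:", password_expired("2014-06-01", "2014-07-15"))
```

Storing only the hash of each previous password means a stolen history file does not hand an attacker 24 of a user's past choices, which is the caveat most home-grown "no reuse" checks miss.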
2. Consider an Alternative Browser
If you happen to be less than savvy about IT and the internet in general, the chances are that
the browser you’re using is Internet Explorer. It is generally recommended to change to Firefox
or Google Chrome as these browsers have applications and features that you can add to the
browser to increase security while browsing online.
Changing your browser is not the end of the world! There will be a few noticeable differences
but both Firefox and Chrome are incredibly easy to use once you’ve gotten used to them and
applications such as Adblocker and Pop up Blocker are incredibly useful as they help to filter out
some of the Spam you come across when browsing normally.
Adblocker works wonders as most websites will run adverts in the background or on the side of
the main website to generate revenue. In most cases these adverts are harmless if you don’t
click on them. However there is the occasional advert that will ‘pop up’ or start playing
automatically and these can be both dangerous and annoying. Adblocker helps to disable these
adverts so that you simply don’t see them.
3. Use ONE Guaranteed Antivirus Program
“I can’t choose one Antivirus program? Isn’t it better if I just install them all?” While in theory this
may work a treat, in reality the antivirus programs actually cancel each other out. Many
programs are trained to detect other antivirus programs and to see them as threats, as some
malware is coded to look like an antivirus program (the perfect disguise).
If you install two or more antivirus programs, they will spend so much time trying to
fight and contain each other that your computer is left more vulnerable
than it was before.
Read reviews, look at statistics and do your research before choosing an Antivirus program.
Surprisingly some of the best programs out there are actually free, so make sure you’re not
getting ripped off before choosing!
4. Data Backup
In the case of a complete system shut down where there is no way to recover data lost, having
a backup disk or memory stick with all your files duplicated onto it can be an incredibly useful
thing to have. It is essential to regularly back up your system in the case of a PC wipe as then
you can quickly restore your PC back into working order with minimal effort and without having
to spend hundreds of pounds on an IT technician who would normally have to find and restore
all the files.
Make sure to keep your backup in a safe place and try to back up your files once every few
months, or more often if you feel the need to. It could save you a lot in the long run!
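A backup is only useful if it can actually be restored, so it pays to record a checksum for every file at backup time and check the copy against it later. The following Python script is an added example, not code from the article: it copies a folder into a timestamped backup location, writes a SHA-256 manifest beside it, and verifies the backup against that manifest so that a corrupted or missing file on the backup medium is noticed before the day you need the restore. The folder names, the sample files and the timestamp are constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def make_backup(source, dest_root, stamp=None):
    """Copy the source tree into a timestamped folder and write a manifest next to it."""
    stamp = stamp or datetime.now().strftime("%Y%m%d-%H%M%S")
    target = os.path.join(dest_root, f"backup-{stamp}")
    shutil.copytree(source, target)
    with open(os.path.join(dest_root, f"backup-{stamp}.sha256"), "w") as f:
        for rel, digest in sorted(build_manifest(target).items()):
            f.write(f"{digest}  {rel}\n")
    return target


def verify_backup(target, manifest_path):
    """Recompute digests and return the files that are missing or changed (empty list = good)."""
    problems = []
    with open(manifest_path) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            full = os.path.join(target, rel)
            if not os.path.exists(full):
                problems.append(f"missing: {rel}")
            elif sha256_file(full) != digest:
                problems.append(f"changed: {rel}")
    return problems


def demo_round_trip():
    """Constructed end-to-end run in a temporary directory: back up, verify, damage, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "documents")
        os.makedirs(os.path.join(src, "clients"))
        with open(os.path.join(src, "clients", "acme.txt"), "w") as f:
            f.write("constructed client record\n")
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("constructed notes\n")
        dest = os.path.join(tmp, "backups")
        os.makedirs(dest)
        target = make_backup(src, dest, stamp="20140701-120000")
        manifest = os.path.join(dest, "backup-20140701-120000.sha256")
        clean = verify_backup(target, manifest)
        # Simulate bit rot and a lost file on the backup medium.
        with open(os.path.join(target, "notes.txt"), "a") as f:
            f.write("corruption\n")
        os.remove(os.path.join(target, "clients", "acme.txt"))
        damaged = verify_backup(target, manifest)
        return clean, damaged


if __name__ == "__main__":
    before, after = demo_round_trip()
    print("fresh backup problems:", before)
    print("after damage:", after)
```

Keep the manifest with the backup (or, better, a second copy elsewhere): the verification step is what turns "I have a backup disk" into "I have a backup I know will restore".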
5. Stay Cautious and Stay Smart!
A major part of increasing computer security is learning to be e-streetwise. Don’t click on
suspicious looking links, don’t open any emails whereby you don’t know or don’t recognise the
sender and try to only visit registered and trustworthy websites. If you are using a shared
computer, never leave yourself logged into any accounts and always close all sessions on the
browser you are currently using after logging out.
Think of a PC as your wallet and personal ID. Keep them close to your person and in a safe
place when you’re not using them. By using these five techniques you can significantly reduce
the chances of your personal details (or those of your clients, if you happen to run a business)
coming under attack. Remember to stay vigilant and to regularly update both your passwords
and your antivirus program and keep backing up those files!
About the author
Mike James is a tech geek and gaming addict based in Sussex, UK. He
takes an interest in new MMORPGs and often writes about this and new tech
findings for Technology Means Business, an IT support provider with offices
in Hampshire, Essex and Kent.
Combat Advanced Cyberattacks with Shared Security
Intelligence
By V Bala, Marketing Manager, ManageEngine
In this information age, even the mightiest of enterprises and governments across the globe are
worried about cyberattacks. Not a single day passes by without a story about a hack or a
compromise or an identity theft involving data related to a large number of users. Cybersecurity
is increasingly becoming complex, and cyberattacks have truly emerged as a global crisis.
An analysis of some of the recent high profile breaches reveals that the threat landscape is
rapidly evolving into a more dangerous ground with highly targeted attacks and advanced
persistent threats (APTs) leading the way.
Traditionally, enterprises have depended primarily on perimeter security software and traffic
analysis solutions, which help only in combating traditional attack vectors. But hackers today are
becoming highly creative, and traditional defenses are not effective against advanced threats.
Combating modern cyberattacks demands a multi-pronged strategy incorporating a complex set
of activities. These include deploying security devices, enforcing security policies, controlling
access to resources, monitoring events, analyzing logs, detecting vulnerabilities, managing
patches, tracking changes, meeting compliance regulations, monitoring traffic and more.
But even all these measures are proving insufficient to effectively tackle the sophisticated APTs
and targeted attacks. Organizations are required to turn toward advanced analytics, which
involves analyzing all the data that enters the network, all the time. Though the market is
flooded with various types of IT security analytics solutions, the harsh reality is that no single
solution could offer effective protection against all emerging threats.
Despite having a sound security arsenal, organizations encounter embarrassing breaches as
cybercriminals often stay ahead of all defenses. Organizations are required to not just analyze
internal data but also to gain threat intelligence from external sources to obtain real-time
visibility. The battle against evolving cybercrimes calls for close coordination and collaboration
among security solution vendors, industry groups, government agencies, and security analysts.
The need for sharing security data and intelligence is pressing and clear.
Already, a good number of public and private collaborative communities and information sharing
groups are playing a pioneering role in creating and disseminating threat intelligence.
Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), Anti-Phishing Working
Group (APWG), Emerging Threats, Malware Domain List, SANS ISC, and Spam and Open
Relay Blocking System (SORBS) are some of the popular communities. Other communities like
Information Sharing and Analysis Centers (ISACs) specialize in verticals, such as IT, financial,
healthcare or banking, and they offer highly focused feeds relevant to specific verticals.
However, the vendors in the information security space, especially those in the log management
and SIEM domains, are not liberal in exposing their data to third-party applications and threat
intelligence tools. Of course, the SIEM solutions have been offering provisions to import data
from varied sources, including threat intelligence solutions. But such integrations are fraught
with many limitations. In the absence of proper correlation and data processing, feeding
terabytes of data to the SIEM solution will not offer the required protection.
Even when the SIEM solution proves to be powerful, with the capability of analyzing and
correlating big data from internal and external sources, most organizations cannot afford huge
investment in big data analytics.
SIEM and log management solutions like ManageEngine’s EventLog Analyzer shatter all these
limitations when they open up their database for integration with any third-party application. The
solution’s API can let security administrators feed reams of normalized log data into any third-party
application, including crowd-sourced threat intelligence solutions, vulnerability assessment
platforms, business intelligence tools or even custom applications for advanced security
intelligence and threat protection.
The solution’s rich database can serve as the centralized warehouse of security-sensitive data,
and a Thrift IDL-based API enables administrators to pull the required data.
Security administrators can leverage this integration to bolster their security framework in such
use cases as:
Advanced threat mitigation – The normalized data from the SIEM software could be fed into
crowd-sourced advanced threat intelligence services, sandbox solutions or sophisticated
vulnerability assessment platforms. These tools can associate the SIEM solution’s security data
with the information they already possess and help mitigate emerging attacks, botnets, zero-day
threats, phishing attacks, malware attacks and APTs.
Location-based threat analysis – Integration with geolocation services could help enterprises
gain geographic context to any event. This, in turn, helps pinpoint the country of origin and
physical location of an application involved in an event. If the origin matches the countries
commonly associated with APTs, suspicious traffic could be isolated for deeper analysis.
Customized security views – Security managers could even create their own web applications
and dashboards by extracting the data critical to their needs.
Application performance tuning – Normalized data from the SIEM software could be fed into
modern business intelligence tools, which could help organizations understand the evolving
threat landscape, assess risks, and prepare mitigation strategies and an emergency response
plan in the event of attack. The data could also help drill down to overall application
performance issues and assess product usability and quality.
The SIEM solution collects, normalizes, analyzes, correlates and stores voluminous logs from
heterogeneous sources. Now, the API can provide actionable intelligence and help security
admins trace, thwart and combat evolving threats.
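To make the first two use cases above concrete (matching normalized SIEM events against an external threat feed, and adding geographic context so traffic to watched regions can be set aside for deeper analysis), here is an added Python example. It is not code from the article, from ManageEngine or from EventLog Analyzer, and it does not use the product's Thrift API: the event field names, the indicator feed, the geolocation table and the country labels are all constructed for the example and stand in for what an export and a community feed would supply.

```python
import ipaddress
from collections import Counter

# Constructed normalized events in the shape a SIEM export might take.
# Field names are assumptions for this example, not the product's real schema.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    {"time": "2014-07-01T08:12:03Z", "src_ip": "10.0.0.15", "dst_ip": "203.0.113.7",
     "dst_host": "updates.example.org", "action": "allow", "bytes_out": 1_200},
    {"time": "2014-07-01T08:12:45Z", "src_ip": "10.0.0.15", "dst_ip": "198.51.100.23",
     "dst_host": "cdn.malware.example", "action": "allow", "bytes_out": 48_000},
    {"time": "2014-07-01T08:13:10Z", "src_ip": "10.0.0.22", "dst_ip": "192.0.2.77",
     "dst_host": "login.bank.example", "action": "allow", "bytes_out": 3_400},
    {"time": "2014-07-01T08:14:02Z", "src_ip": "10.0.0.31", "dst_ip": "203.0.113.7",
     "dst_host": "updates.example.org", "action": "allow", "bytes_out": 900},
    {"time": "2014-07-01T08:15:30Z", "src_ip": "10.0.0.40", "dst_ip": "192.0.2.10",
     "dst_host": "files.example.net", "action": "allow", "bytes_out": 2_100},
]

# Constructed threat-intelligence feed, the kind of indicators the communities named
# above publish. Network indicators are CIDR ranges; domain indicators match subdomains too.
THREAT_FEED = {
    "networks": {"198.51.100.0/24": "botnet C2 range", "192.0.2.77/32": "phishing host"},
    "domains": {"malware.example": "malware distribution"},
}

# Constructed geolocation table keyed by CIDR, with placeholder country labels.
GEO_TABLE = {"203.0.113.0/24": "Country-A", "198.51.100.0/24": "Country-B",
             "192.0.2.0/24": "Country-C"}
# Assumption: regions the analyst has chosen to set aside for deeper analysis.
WATCHED_COUNTRIES = {"Country-B", "Country-C"}


def match_network(ip, table):
    """Return (cidr, label) for the most specific matching range in table, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, label in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return (str(best[0]), best[1]) if best else None


def match_domain(host, domains):
    """Match a host name against domain indicators, walking up to each parent domain."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate, domains[candidate]
    return None


def enrich(event, feed=THREAT_FEED, geo=GEO_TABLE, watched=WATCHED_COUNTRIES):
    """Attach intel hits and geographic context to one normalized event."""
    hits = []
    net_hit = match_network(event["dst_ip"], feed["networks"])
    if net_hit:
        hits.append(f"ip:{net_hit[0]} ({net_hit[1]})")
    dom_hit = match_domain(event["dst_host"], feed["domains"])
    if dom_hit:
        hits.append(f"domain:{dom_hit[0]} ({dom_hit[1]})")
    geo_hit = match_network(event["dst_ip"], geo)
    country = geo_hit[1] if geo_hit else "unknown"
    return {**event, "intel": hits, "country": country, "flag_geo": country in watched}


def triage(events):
    """Return the enriched events that need attention and a count of why they were flagged."""
    flagged = []
    reasons = Counter()
    for ev in events:
        e = enrich(ev)
        if e["intel"] or e["flag_geo"]:
            flagged.append(e)
            for hit in e["intel"]:
                reasons[hit.split(":")[0]] += 1
            if e["flag_geo"] and not e["intel"]:
                reasons["geo-only"] += 1
    return flagged, reasons


if __name__ == "__main__":
    flagged, reasons = triage(SAMPLE_EVENTS)
    for e in flagged:
        print(e["time"], e["src_ip"], "->", e["dst_host"], e["country"], e["intel"])
    print(dict(reasons))
```

The geo-only bucket is kept separate from indicator hits on purpose: a destination country alone is weak evidence and belongs in an analyst's review queue, while a feed match on the destination address or domain is something a detection rule can act on directly.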
It is high time information security solution vendors came together and worked toward shared
intelligence. By opening up the normalized log database to third-party applications,
ManageEngine has taken the first modest step in that direction.
About the author
V Bala is marketing manager with ManageEngine, a division of Zoho Corp.
During the past 13 years with Zoho, he has performed a variety of technical,
marketing and product management roles. He is now focusing on marketing
ManageEngine's IT security solutions, including Privileged Identity and Access
Management, Network Configuration Management, and Vulnerability
Management. He completed his studies in Mechanical Engineering before
pursuing a PG certificate in Marketing from Indian Institute of Management,
Calcutta. Bala has published many white papers and articles on IT security, compliance and
automation in leading IT magazines. He can be reached at vbala@manageengine.com and via
LinkedIn and Twitter.
Phishing Attacks aren’t a Passing Threat
In 2013 there were nearly 450,000 phishing attacks and record estimated losses of over USD $5.9 billion.
Phishing remains an ominous threat to consumers and businesses around the world.
The costs of phishing
According to the Ponemon Institute, US companies have the second most costly data breaches
at $188 per record (Germany comes in first at $199/record), with a total cost per US company at
$5.4 million. These costs were calculated using both direct and indirect expenses incurred by
the organization. Direct expenses include engaging forensic experts, outsourcing hotline
support and providing free credit monitoring subscriptions and discounts for future products and
services. Indirect costs include in-house investigations and communication, as well as the
extrapolated value of customer loss resulting from turnover or diminished acquisition rates.
The risk of data breaches, and the financial damage associated with them, is significant for
companies of all sizes. While smaller organizations may believe that they are not a target, they
are actually at risk precisely because they do not prioritize defending themselves appropriately
from attack. 57% of small businesses suffered staff-related security breaches in the last year (up
from 45% a year ago).
While 57% may seem like a high number, the same study found that 84% of large organizations
had staff-related breaches.
What is the best way to combat phishing attacks?
According to Deloitte, over 70% of companies surveyed in a recent study rated lack of
employee security awareness as an average or high vulnerability. There’s a good reason for
this rating. Security technology, the first approach to protecting a corporate IT infrastructure, is
not effective in protecting against social engineering or phishing attacks. It takes a human to
identify that “something doesn’t seem quite right about this”, avoid the attack and report it. Of
course, employees can only do this if they have the right knowledge to spot an attack in progress
and practice safe behaviors that avoid opening themselves or their employer to attacks.
Sadly, even with the striking statistics listed above on the percentage of companies that have
had staff-related breaches, 42% of organizations don’t provide any ongoing security awareness
training to their staff.
According to a PWC survey, organizations with a security awareness program in place were
50% less likely to have staff-related security breaches.
Enabling the Phishers
What many people don’t realize is that consumers are giving cybercriminals everything they
need to launch very successful and sophisticated attacks. Uneducated consumer use of social
networking sites is feeding the phishing problem. Here are some examples of risky behaviors
that enable phishers to create increasingly effective attacks.
First and foremost, everyone is oversharing information. This gives new meaning to the phrase
“TMI” (too much information). We share too much information on social networking sites,
everything from our birthday and anniversary to our kids’ names, our friends’ names, our
employer and our co-workers and their names. All of this information can be used to create very
targeted and believable phishing attacks.
In addition to the oversharing there are other risky behaviors in social media.
39% of users don’t log out after each session
25% share their passwords
31% connect with people they don’t know
As a result, 15% of social media users have had their profile hacked and impersonated. On the
surface, 15% of social media users being compromised doesn’t seem like many. But consider
that right now there are 1.4 billion people on Facebook alone. That equates to 210 million people
who have had their profile hacked and impersonated, and who have given phishers great
information for forming targeted attacks on a large percentage of the population.
Here are some of the more sophisticated attacks that phishers have been using successfully.
Recent Sophisticated Attacks
Recent phishing attacks are not the “easy-to-spot Nigerian Prince” attacks. These attacks are
well disguised and require an educated computer user to identify them. What both of the
following phishing attacks have in common is that they use common tools, Google Docs and
text messages, to catch “victims” by surprise.
A Google Docs phishing attack used an email with the subject line “Documents” and content
urging the recipient to open a document via an embedded URL. The link looked fairly legitimate
because it pointed to a Google page hosted on Google servers. Unfortunately the login form,
shown here, was a fake Google login and enabled the criminals to collect the Google credentials
of every person who attempted to log in to access the document.
Another recent attack utilized another common communication tactic, a text message from your
mobile phone provider. The bait of the message was an account credit or a discount on the
recipient’s next bill. Following the link in the text message took the victim to a mobile landing
page and then a data entry page that requested the last four digits of their social security
number, their User ID and their Password.
Here’s the tricky part about this attack. Users could only visit the fraudulent web page via mobile
phone. Going to the same page from a PC caused a 404 error. This made it harder to detect the
fraudulent site and take it down.
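One way a takedown or URL-scanning team can catch this trick is to fetch a reported link with several User-Agent strings and compare the answers: a page that serves a login form to phones but a 404 to a desktop browser is hiding from the usual desktop-based checks. This is an added example, not code from the article; the User-Agent strings, the placeholder URL and the two simulated sites are constructed for the demonstration.

```python
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed User-Agent strings (assumed; any current desktop/mobile UA works).
USER_AGENTS: Dict[str, str] = {
    "desktop": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/35.0 Safari/537.36",
    "android": "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 Mobile Safari/537.36",
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 Mobile/11D201 Safari/9537.53",
}

# A fetcher maps (url, user_agent) to (http_status, body_text).
Fetcher = Callable[[str, str], Tuple[int, str]]

# Crude marker for a credential-harvesting page: any password input field.
PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.IGNORECASE)


@dataclass
class CloakingReport:
    url: str
    statuses: Dict[str, int]          # user-agent label -> HTTP status
    cloaked: bool                     # served to some user-agents but not others
    credential_form_on: List[str]     # user-agent labels that received a password form


def check_cloaking(url: str, fetch: Fetcher,
                   user_agents: Dict[str, str] = USER_AGENTS) -> CloakingReport:
    """Fetch `url` once per user-agent and compare the outcomes.

    A page that answers 2xx to mobile browsers but non-2xx (the article's 404)
    to a desktop browser is the cloaking pattern described above; a scanner
    that only crawls with a desktop user-agent would never see the login form.
    """
    statuses: Dict[str, int] = {}
    credential_form_on: List[str] = []
    for label, ua in user_agents.items():
        status, body = fetch(url, ua)
        statuses[label] = status
        if 200 <= status < 300 and PASSWORD_FIELD.search(body):
            credential_form_on.append(label)
    served = {label for label, s in statuses.items() if 200 <= s < 300}
    hidden = set(statuses) - served
    cloaked = bool(served) and bool(hidden)
    return CloakingReport(url, statuses, cloaked, credential_form_on)


def http_fetch(url: str, user_agent: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Real fetcher for an analysis host: returns the status code even on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", errors="replace")


def simulated_cloaked_site(url: str, user_agent: str) -> Tuple[int, str]:
    """Constructed stand-in for the carrier-discount page: 404 unless the
    visitor looks like a phone, then a fake account-credit login form."""
    if not any(token in user_agent for token in ("Android", "iPhone", "Mobile")):
        return 404, "<html><body><h1>Not Found</h1></body></html>"
    return 200, (
        "<html><body><h2>Claim your account credit</h2>"
        "<form method='post'><input name='userid'>"
        "<input type='password' name='pw'>"
        "<input name='ssn4' maxlength='4'></form></body></html>"
    )


def simulated_plain_site(url: str, user_agent: str) -> Tuple[int, str]:
    """Constructed control: the same answer for every visitor and no login form."""
    return 200, "<html><body><p>Bill summary</p></body></html>"


if __name__ == "__main__":
    # Placeholder URL; swap in http_fetch and a reported link on an analysis host.
    for site in (simulated_cloaked_site, simulated_plain_site):
        print(check_cloaking("http://example.invalid/credit", site))
```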
In both of these cases the “victims” should not have responded to communications they were
not expecting to receive. Fake login pages can be especially dangerous because sharing
credentials can make it easy for cyber criminals to access these accounts and potentially other
accounts if users don’t vary their passwords from web app to web app. These are risky
behaviors that can be changed with the right educational approach.
How should you teach your employees to avoid phishing attacks?
In order for security education programs to be effective they need to be continuous, because the
threats are continuous and ever changing, as evidenced by the examples earlier in this article.
Research and industry results have shown that the current method of once-a-year classroom
and video training is not effective in the battle against cyber-attack. To be most effective, cyber
security awareness and training must be ongoing to maximize learning and lengthen retention of
the learned topics. The methodology outlined below should be approached as an evolving
program that strives towards continuous improvement. A continuous cycle of assessment,
education and evaluation has been proven to reduce vulnerability, and it ensures that users
retain the training content delivered.
There are 3 simple steps to effectively educate your users to recognize and avoid phishing
attacks.
Step 1 – Assess knowledge and motivate learning and behavior change through mock attacks
Mock attacks enable organizations to assess organizational vulnerability to attack and motivate
employees to complete training. Because trainees who fall for mock attacks are humbled and
aware of their risky behaviors they are more likely to complete training. Training completion
rates following mock attacks can be over 90%.
Step 2 – Assign in-depth training for topics of greatest weakness
This in-depth training doesn’t have to be long to be effective. In fact, brief training (10 minutes or
less) that enables trainees to practice what they’re learning during the training session
lengthens their retention of learned concepts.
Step 3 – Analyze Results
Review detailed reports about who fell for attacks and completed training to determine which
simulated phishing attack to send next and in what topics users need more training.
This anti-phishing training cycle can be completed every other month to maintain trainee
vigilance in their defense against real attacks.
A Phishing Education Success Story
The employees at a Fortune 50 company were over 80% less susceptible to phishing-attacks
after combining education modules and mock phishing attacks.
The Company sent a “your package has been delivered” phishing email. Those that fell for the
attack were automatically assigned to complete interactive training modules that taught end
users how to spot traps in emails and how to identify fraudulent URLs. Then the Company sent
another phishing email to the same group of employees.
Almost 35% of the recipients fell for the first mock phishing attack but less than 6% fell for the
second phishing attack, which shows an 84% decrease in susceptibility in less than 60 days.
Summary
Phishing attacks aren’t going away any time soon. The mindset that eventually someone will
find a technology that prevents these attacks is too passive for the increasingly sophisticated
threats at hand. Information security officers have a responsibility to their organizations and to
the general public to effectively teach people how to recognize and avoid these attacks both at
work and at home. The right approach to change user behavior is not difficult to implement.
About the author
Joe Ferrara is CEO of Wombat Security Technologies, a provider of information
security awareness and training software to help organizations teach their
employees secure behavior. Joe Ferrara has recently been named as “CEO of
the Year” by the CEO Awards and is an EY Entrepreneur Of The Year™ 2014
Award finalist in Western Pennsylvania and West Virginia.
Why Security Incidents are different — and more dangerous — than IT Incidents
by Ivo Wiens, Seccuris Inc.
Imagine that, for some odd reason, you decide to build a house in an area that gets slammed by
tornados on a regular basis. The smart thing to do is design and build your home to withstand
the onslaught of a tornado’s force. That way, you, your family, and your valuable belongings are
protected. You’ll also devise an emergency response plan, like an underground shelter, just in
case the tornado manages to find a weakness in the structure around you.
Now imagine your house is your organization’s network system, and the land that surrounds it is
the internet. That land is fraught with tornados in the guise of malware, viruses, hackers,
criminals, and other formidable threats trying to penetrate your structure. Like a house in
tornado alley, it makes sense to fortify your network so it shields your valuable data and
information from unknown dangers, right? You’d also have an emergency response plan just in
case something pierces your defenses. Right?
Yet, there are still organizations that don’t do either.
According to The Online Trust Alliance (OTA), data breaches spiked to record levels in 2013.
The OTA states that over 740 million online records were exposed. Most of those breaches
were avoidable, but many organizations, including major retailers, didn't have the right security
controls in place. Offense is always the best defense. Developing and implementing an
integrated security program is the most effective way to avoid security incidents. But even the
most comprehensive security isn’t 100%. Incidents may still occur. And if they do, you must
have a security response team and plan ready to react at a moment’s notice.
Your team must be able to recognize a security incident, evaluate the associated risks, and
determine the most effective approach before, during, and after an attack. One of the key
factors of recognizing a security incident is being able to differentiate between it and other IT
incidents. While the two may share common problems, their potential levels of threats and
consequences are vastly different. Knowing the difference can protect your organization and
customers from a loss of critical information, stolen revenue, and even legal actions.
Basically, an IT incident is usually a technical issue that, in many cases, can be handled within a
short period. On the other hand, security incidents risk a higher likelihood of long-lasting
collateral damage. Your e-commerce site crashing is an example of an IT incident, while a
security incident would be a hacker breaching your network and stealing credit card numbers.
Your e-commerce site going down can disrupt your business, but it will rarely have long-term
consequences. But losing credit card data can result in potentially disastrous financial
ramifications and legal actions that affect not only your company and reputation, but also your
customers.
The following are other factors to help you determine how security incidents are different — and
potentially more dangerous — than IT incidents.
Threat Agents:
Security incidents always have a threat agent. Threats can be non-target specific like viruses,
worms, and Trojans, or even acts of nature. They can also be intentional attacks from hackers,
terrorists, or insiders; international and domestic criminals; other corporations or foreign
governments seeking to steal competitive company, product or financial information; and
unauthorized acts by employees that may expose or threaten critical data. Basically it’s anything
and everything that affects the state of your entire organization’s security. These events should
be treated as if they are being performed by an enemy, even if that enemy is just lines of code.
Containment:
When an IT Incident occurs, immediate response can be important, but not always essential.
With a security incident, instant reaction is critical in order to shut down the attack and contain
further potential loss and damage. Also, unlike most IT staffs, security incidents don’t work on
an eight-hour schedule. They can happen at any time, and the longer it takes you to react, the
more damage your company may suffer. So you need a response team and plan ready to go 24
hours a day.
Impact Not Readily Known:
When you suffer an IT problem, like a computer crashing or losing an internet connection, you
know right away. But with so much information contained in a complex IT infrastructure,
detecting whether a security incident has occurred can sometimes be challenging. With copious
amounts of processing power and memory, malware can exist in a system for the duration of its
lifespan without a user noticing any impact at all — until it’s too late. You could continue to lose
data that won’t be missed until an internal audit weeks later, or even worse, when your own
customers notify you that someone has stolen private information they trusted you to protect.
Communication:
An IT incident response will normally involve the IT staff and the department or departments the
issue affects. A problem occurs, someone contacts IT, a staff member repairs it, and life is back
to normal. But since it may threaten multiple departments, including IT, or even the entire
company, a security incident must involve communications with key stakeholders, management,
and affected parties throughout your organization. How quickly and effectively people share
information determines how swiftly they can take the appropriate course of action to neutralize
the threat and curtail widespread harm.
What is the most effective way to detect security incidents? Technology, people and processes.
Design and implement a system that will warn you the moment an incident occurs. Build a team
of IT and security people who understand your technology and systems, but also the criticality of
your business. The right approach to security incident response enables you to position your
organization a step ahead of any incident. Aligning with this methodology and enabling the
appropriate team and procedures demonstrates due care and a comprehensive framework for
dealing with and recovering from incidents.
You must have a security incident handling methodology, even if you have to go outside your
company to do it. If you’re one of the many organizations that lacks the staff or budget to
develop an in-house security response team, consider seeking the help of a Managed Security
Services Provider. By outsourcing your incident handling and other security needs, it not only
allows your IT staff to concentrate on other activities, it also helps you avoid the cost and time of
hiring and training security personnel. But most of all, it provides an effective and efficient
means of dealing with the situation in a manner that reduces the potential far-reaching impact to
your organization.
About the Author
Ivo Wiens (CISSP, SCF, VCP) has several years in IT Information Security
with a focus on security service delivery. Ivo’s knowledge, experience and
business-driven approach to the information security and operational
assurance fields allows him to understand and address the issues facing
both security analysts and executives today. Currently, Ivo is the Manager of
Security Engineering for Seccuris, a leading security consulting, risk
management, and managed security services firm. Contact him through LinkedIn at
http://linkd.in/1mWWV0i or at the Seccuris website: www.seccuris.com.
The cinch of Hacking: Social Engineering
By Hitansh Kataria, Co-Founder & CEO, H2K Cyber Experts and CreativeTabs
Cybercrime, like every other kind of crime, appears in a variety of forms: Cross Site Scripting,
Cookie Stealing, Session Hijacking and many more. Social Engineering, however, remains the
easiest and most prominent way of hacking. From the 1980’s until today, Social Engineering
attacks have been the most frequent and the most worthwhile for attackers, simply because
there is no patch for human stupidity.
In the terminology of information security, Social Engineering is a technique for manipulating
people into revealing their confidential data to the hacker. A hacker gains the victim’s trust and
collects confidential information such as bank account and credit card details. The Internet is
fertile ground for social engineers looking to harvest passwords. It is a blend of science,
psychology and art. Hackers often adopt this method to get into someone’s network because it is
easier to exploit the natural inclination to trust. Among all cyber attacks, Social Engineering has
the highest success rate and is also listed as one of the most crucial and perilous attacks,
because, as many security professionals assert, the weakest link in the security chain is the
human.
According to a survey conducted in 2003, 90% of the employees of an IT company gave away
their passwords in exchange for cheap pens or chocolates. Bank accounts and social networking
accounts are often compromised by Social Engineering alone. As the cyber security landscape
evolves constantly, social engineering techniques continue to give hackers ample opportunity to
steal information. With the growing number of internet users, and notably of social networking
users on Facebook, Twitter, LinkedIn and the like, social engineering is sure to become an even
more favoured attack among hackers. For this obvious reason, internet frauds are daily news.
In practice, hackers use various techniques to deploy a social engineering attack against a
victim, and victims take the bait and usually reveal their confidential data to the attacker.
The following methods are broadly used for this attack:
1. Phishing Attack
This approach is generally used to obtain passwords for online banking and social networking
sites. Commonly, the attacker sends a fake mail to the victim asking for verification and
providing a so-called authentic web link (URL). The mail is made to look so authentic that the
victim believes it comes from the real source, and the link redirects the victim to a web page
that has been developed as a replica of the real website. When the victim logs in to it, the
hacker obtains the username and password without the victim ever knowing that he or she has
been hacked.
According to the latest report in 2014, 27 websites in Hong Kong were reported to be bogus
and to have phishing scripts implanted on them. That is why, whenever we log in to our online
banking account, we are greeted by a webpage warning “Beware of Phishing”: 72% of bank
accounts are compromised through Phishing or Social Engineering.
2. Vishing Attack
The term combines the words “Voice” and “Phishing”. In this attack the hacker gains access to
the victim’s data through a telephone conversation, pretending to be calling on behalf of a
trustworthy person; because of human biases the victim relies on the caller and shares all the
confidential data with the hacker. This attack needs only two things: confidence and a
soft-spoken personality.
Mostly, hackers spoof their caller id to match an authentic caller id, using VoIP or IVR, so that
the call appears to come from a legitimate source and their work becomes a bit easier.
The most prominent case was in New Delhi, India, where a person called 57 people in the local
area who held accounts at the same bank branch, obtained their net-banking passwords by
posing as a caller from the bank’s side, and got away with approx. 49 crore rupees.
3. SmiShing
This term was coined from the combination of SMS and Phishing. The attacker spoofs an SMS
sender’s id and sends a message to the victim in order to obtain passwords, ATM PINs and
more. Usually attackers send a message such as “Your Net Banking account has been used
from an unknown location and Rs. 1,00,000/- has been transacted, for details call
#2222221118888*** (any number) immediately.”
These attacks are actually a bit rare, but they have the highest success rate: 9 out of 10 SMS
phishing attacks are successful. In 2012, Walmart also issued a Fraud Alert after someone used
the bait of $1000 gifts.
4. Baiting Attack
This attack has a high success rate for one reason: human greed. A baiting attack is when a
hacker uses some physical media, dangling something that the target wants, to entice them.
Generally, we all have a nature such that if something looks alluring to us we just need to have
it, and that is exactly where the attacker strikes.
Usually, attackers bind their malware, viruses or trojans to some important-looking files, or
implant them on USB drives or CDs, and as soon as the victim inserts the media into a PC the
malware installs itself in the background without the victim’s knowledge. The victim is hacked
without even realizing it, and all the data on the PC, such as the data on the hard disk, the
browsing history and saved passwords, is compromised by the attacker within minutes.
5. On-Line Attack
This attack involves spamming emails to thousands of people with malicious code inside an
attachment. When the user opens the mail, the attachment is executed and installed on the
victim’s PC without their knowledge and reports back to the attacker regularly. These
attachments can be keyloggers, viruses, malware, worms, etc. Sometimes the attacker instead
sends a registration form inviting the victim to create an account; since most users have
common or identical passwords for almost every account, the attacker then tries the same
password to gain access elsewhere.
If there are cyber criminals who attack and make the web unsecure, then on the other side
there are cyber security experts working as an army to secure everything. Ethical hackers work
day and night to cope with cyber crime, but against Social Engineering they too are helpless,
because this attack does not breach any technical security; it exploits the human mind and
takes advantage of human nature.
In order to cope with this most dangerous attack, Social Engineering, we need to learn what
the countermeasures for it are.
Countermeasures for Social Engineering Attacks
I. Everyone should know the basics of social engineering and should be aware of its
consequences.
II. Every company should hold training sessions by Cyber Security Experts on the aftermath of
social engineering.
III. Employees should properly authenticate the other party before handing over any
confidential data.
IV. In case of any doubt, employees should be trained and prepared to politely refuse to share
data.
V. Proper security protocols, policies and procedures should be in place in every company.
VI. Individuals should never reply to mails, SMSs or phone calls that ask for personal
information or bank passwords; instead, always contact your branch head in this regard.
VII. Always be aware of URLs or web links while working on the internet; make sure a page is
not a phishing page.
VIII. Never access your confidential data at a cyber cafe or on a public network; there can be
data sniffers or keyloggers.
IX. Install and always maintain anti-virus, anti-malware and anti-spyware software and firewalls.
X. Never use the same password for different accounts. Always choose a different password for
each account, and make it a combination of letters (uppercase as well as lowercase), numerals
and special characters.
XI. And most importantly, never let yourself be fooled by anyone; you never know who they
are, otherwise you are at risk...
Always remember to be smart and secure, and keep up with the latest information and security
issues if you want to work safely on the Internet; otherwise you never know when you could be
hacked the next moment and lose everything within seconds.
About the Author
Hitansh Kataria is the Co-Founder & CEO of H2K Cyber Experts and CreativeTabs. Both
companies deal with IT solutions and Cyber Security Auditing. Producing a number of products
as well as securing the web is the major concern for us. Hitansh is responsible for the
company’s vision and product security. He has gained a reputation as a prominent speaker on
various verticals of Cyber Security and Entrepreneurship. He has also been engaged by many
companies as a Cyber Security Consultant.
Contact him at ceo@h2kcyberexperts.com or www.hitanshkataria.com
Enterprise Security and the Machine Data Tsunami
The changing landscape of security data in an age of decentralized computing
by Joan Pepin, VP of Security and CISO, Sumo Logic
As the proliferation of devices and hardware continues, machine data volumes are now a
tsunami. A few years ago, the cost of maintaining PCI (Payment Card Industry) compliance was
counted around $200,000. As the mass quantities of data to be monitored as part of maintaining
this and other compliance standards grow, enterprises are not only facing fines for letting
compliance lapse, but the real risk of a malicious threat is rising in this era of the “mega-breach.”
Recently Ponemon Institute pegged the average cost to a company as a result of a security
breach at $3.5 million. The estimated annual cost of cybercrime as reported by the Center for
Strategic and International Studies has hit over $400 billion. Put those two numbers together
and that equates to a lot of high-priced security breaches. Let’s try to add some context around
this problem.
The source of machine data is much more complex than it was 10 years ago. BYOD, cloud
computing, and de-centralized IT infrastructures are increasing the source and quantity of
devices and data traversing the network. But with more devices accessing the network, the
storage and analysis of this Big Data is growing even more critical for enterprises to understand
and evaluate their security posture. Cisco predicts that the Internet of Things-related devices will
balloon to between 15 and 25 billion by 2015. More devices equals more machine data. And the
effect is non-linear. More devices, running more applications, each interacting with more
services (cloud storage, cloud authentication, and cloud-based exception tracking are often all
used by a single application) equals an exponential increase in interfaces. Industry analyst firm
IDC quantifies what we can expect: the volume of machine data will grow 15 times by 2020. For
an enterprise looking for the needle in the haystack – the alert or warning that a malicious threat
might be in play – this is a significant obstacle as neither IT budgets nor staffing will match this
rate of growth.
Consider how an enterprise that shifted from on-premise to cloud-based services and software
might view their compliance landscape. When most, if not all, software and systems resided
on-premise, the IT organization could specifically monitor the performance of their onsite
infrastructure – hardware, software, networks and storage. Once some of this storage and
compute capacity is transitioned to the cloud, an organization must negotiate SLAs (service
level agreements) with the cloud provider to ensure data is available when it’s needed and all
security protocols promised to their customers remain in place. Multiply that process across
dozens of software and solution providers that also leverage the cloud, and you can see how
the picture gets complicated quickly.
As the quantity and severity of security breaches continue, maintaining compliance is a key first
step in ensuring that customer and business-critical data is properly managed. As lives become
increasingly digitized – though it’s difficult to imagine them more than they are now – the stakes
grow even higher. From medical health records to identity and credit information, the risk of
negative impact to customers should data fall into the wrong hands is real. Cyber crime has
become a large business, and cyber criminals have become better and better at monetizing the
data they exfiltrate. Javelin Strategy & Research has found that the likelihood that a victim of a
security breach will also become the victim of fraud has grown from a one in nine chance in
2010 to a one in three chance as of 2013. So although meeting HIPAA, PCI or other compliance
standards and SLAs is critical to keeping your organization out of risk for fines, merely
maintaining compliance will not protect you from all malicious threats.
Exceeding compliance standards and building confidence, both internally and externally, in your
security posture requires consistent, proactive monitoring of your end-to-end IT infrastructure.
With the availability of mass quantities of machine data comes responsibility for organizations to
actually utilize it. But it won’t be your IT or security organization alone that can handle it. CISOs
must remain vigilant, identifying the consistent patterns of threats and adjusting their team and
skillsets available to ensure that they are prepared and able to address the issues your
company faces. The increasing use of machine-learning to analyze and distill petabytes of data
into actionable alerts and insights will assist in the process, but no amount of data can replace a
security team’s holistic understanding of the enterprise infrastructure. If the rising tide of
cybercrime continues, we might see organizations become more transparent and share
information about consistent threats and challenges with each other. Until then, CISOs must
realize that with fundamental changes to the network come fundamental changes to the way
they must address compliance and enterprise-wide security. In a world increasingly driven by
data, the enterprises that successfully integrate and evolve analytics, processes and strategy
will be in the best position to maintain a strong security posture.
About The Author
Joan Pepin is VP of Security and CISO at Sumo Logic, the next generation machine data
intelligence company. Joan has more than 15 years' experience in information security in a
variety of industries, including healthcare, manufacturing, defense, ISPs and MSSPs. Her
experience spans the technical, operational and management levels of security, allowing her to bring
highly technical research expertise to her role in security management, marketing and strategy.
A recognized expert in security policy and lifecycle management, Joan is the inventor of
SecureWorks’ Anomaly Detection Engine and Event Linking technologies. Joan can be reached
online at joan@sumologic.com and at our company website http://www.sumologic.com/.
Top 5 breaches in the financial sector
WHAT WE CAN LEARN FROM THE TOP TARGET OF CYBER ATTACKS
by Dan Virgillito, Director of Media & Communications, Massive
Let’s not pussyfoot around it: security breaches are a serious issue.
Just ask any bank that has been a victim of a data breach. In addition to customer churn,
negative headlines, and regulatory penalties associated with data breaches, the financial loss
can add up quickly.
Despite attackers focusing on other industries, the financial sector continues to be a top target
for sophisticated attacks, caused by malicious insiders, hacks, card scams, and loss of portable
devices containing sensitive data.
The recent state of data breaches illustrates the pinch felt by banks, hedge funds, insurers and
credit unions from the recent growth in cybercriminal activity. The US CBA (Consumer Bankers
Association) revealed that the cost of replacing credit cards after the data breach at Target was
over $200 million. That figure combines the CBA's $172 million estimate with an additional $30.6 million
quoted by the CUNA (Credit Union National Association).
Smaller financial institutions are feeling the effects even more. According to the ICBA (Independent
Bankers of America), which represents local banks and smaller financial institutions, its
members have had to shell out $40 million to replace 4 million cards since the recent retail breaches,
including those at Neiman Marcus and Target.
Apart from outside breaches affecting the financial sector, the Insider Threat study reports that
malicious insiders are also a cause of data breaches at financial services organizations. The
report also cited cloud computing technology as a big concern, with several financial
organizations encountering malicious insiders as their use of the cloud increases.
The details of these data breaches are downright ingenious, but the financial sector has more to
worry about. Here are the top 5 security breaches in the sector, and what we can learn from
them:
1. DDOS attacks
In 2012, an increasing number of financial institutions had to face sophisticated DDoS attacks
from politically motivated groups. These attacks grew in sophistication and caused slow
response times on banking websites, preventing customers from accessing their accounts and
adversely affecting back-office operations. DDoS continues to spell danger, for the banking
industry and the world in general.
Key lesson: The traditional DDoS protection, including firewalls and internal intrusion detection,
proved to be ineffective in repelling the attacks. When systems got socked with abnormal HTTP
traffic, firewalls may have fought to a point but turned into bottlenecks. Enormous amounts of
bad DNS killed the game. External cyber monitoring platforms offer a better chance of
success against such attacks.
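The "abnormal HTTP traffic" the lesson refers to is usually visible in the web server's own access log long before a firewall saturates. The following is an added example, not code from the article or from any product it mentions: it parses constructed common-log-format lines (hypothetical traffic on documentation-reserved addresses) and applies a sliding-window per-source rate check of the kind a monitoring platform would run, so that a single address issuing far more requests than any normal client is reported with its peak rate.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Access-log line in the common log format used by most web servers.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"),
            "status": int(m.group("status"))}


def flag_floods(lines, window_seconds=10, per_source_limit=30):
    """Sliding-window rate check per source address.

    Returns {ip: peak_requests_in_window} for every source whose request
    count inside any `window_seconds` window exceeded `per_source_limit`.
    Events are processed in timestamp order, so the log need not be sorted.
    """
    events = sorted((e for e in map(parse_line, lines) if e),
                    key=lambda e: e["ts"])
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peaks = {}
    for e in events:
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop timestamps that aged out
            q.popleft()
        if len(q) > per_source_limit:
            peaks[e["ip"]] = max(peaks.get(e["ip"], 0), len(q))
    return peaks


def _fmt(ip, t, path):
    """Render one constructed log line (hypothetical traffic, not real data)."""
    return (f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S")} +0000] '
            f'"GET {path} HTTP/1.1" 200 512')


def build_sample_log():
    """Constructed sample: three ordinary clients plus one flooding source."""
    base = datetime(2014, 7, 10, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Background traffic: one request every 2 seconds per client for 60 s.
    for i in range(30):
        t = base + timedelta(seconds=2 * i)
        lines.append(_fmt("198.51.100.3", t, "/accounts"))
        lines.append(_fmt("198.51.100.8", t, "/balance"))
        lines.append(_fmt("192.0.2.22", t, "/login"))
    # Flood: 120 requests from a single address within about 6 seconds.
    for i in range(120):
        t = base + timedelta(seconds=20, milliseconds=50 * i)
        lines.append(_fmt("203.0.113.7", t, "/login"))
    lines.append("this line is not a valid log record")  # exercises the parser guard
    return lines


if __name__ == "__main__":
    for ip, peak in flag_floods(build_sample_log()).items():
        print(f"flood suspected from {ip}: {peak} requests in a 10 s window")
```

The window length and per-source limit are assumptions chosen for the constructed sample; in practice they are tuned against the site's own traffic baseline, and a distributed attack spread across many addresses needs an aggregate-rate check alongside the per-source one.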
2. Spear phishing
BAE Systems director of product Paul Henninger revealed how a spear phishing technique
was used to steal sensitive data from an unnamed hedge fund in the US. Speaking to CNBC, he
explained that there was a slight lag between the issuance and execution of the trade, which
may have provided a competitive advantage in trading to another firm. The unnamed victim lost
millions of dollars.
Key lesson: the loophole here was the lack of employee training against spear phishing attacks.
Financial institutions should make employees wary of unsolicited emails and messages on
social networks. Internal security teams can only do so much to locate threats, so financial
firms should provide adequate employee training against these kinds of cyber threats.
3. Insider threats
A prime example of this attack is the Bank of America employee who leaked customer data to an
identity theft group. The hackers obtained Social Security Numbers, driver's license numbers,
bank account numbers, addresses, phone numbers, and customer names; the financial loss
exceeded $10 million. The group of thieves used the information to modify customer
account information while hiding fake accounts they were creating under the names of victims.
Key lesson: Bank of America didn't have technology in place to detect the losses over a long
period of time, or processes to identify malicious insiders. Financial institutions should look at
concerning behaviors to prevent insider threats. Warning signs could include resignation and
termination of staff members, as malicious insiders strike shortly before departing from the firm.
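One concrete way to act on that warning sign is to correlate HR departure notices with the data-access audit trail, so that an employee in their notice period whose daily record access jumps well above their own history is surfaced for review. The example below is added here and is not code from the article or from any bank it describes; the departure dates, audit records and user names are constructed, and the notice window, lookback and ratio are assumed parameters.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample input (hypothetical, not real HR data):
# employee -> last working day as notified by HR.
DEPARTURES = {"jdoe": date(2014, 7, 18), "bwong": date(2014, 7, 20)}


def build_access_log():
    """Constructed audit records: (user, day, customer_records_viewed)."""
    log = []
    start = date(2014, 6, 1)
    for i in range(40):                      # 1 Jun .. 10 Jul, steady habits
        day = start + timedelta(days=i)
        log.append(("jdoe", day, 40))
        log.append(("bwong", day, 25))
        log.append(("asmith", day, 60))
    for i in range(1, 8):                    # 4 Jul .. 10 Jul: jdoe's volume jumps
        log.append(("jdoe", date(2014, 7, 3) + timedelta(days=i), 400))
    return log


def daily_totals(access_log):
    """Aggregate records viewed per user per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, day, n in access_log:
        totals[user][day] += n
    return totals


def flag_departing_insiders(access_log, departures, asof,
                            notice_days=14, lookback_days=7, factor=3.0):
    """Flag users inside their notice period whose recent daily data access
    exceeds their own historical baseline by `factor`.

    Returns {user: {"baseline", "recent", "ratio", "days_to_departure"}}.
    """
    totals = daily_totals(access_log)
    cutoff = asof - timedelta(days=lookback_days)
    alerts = {}
    for user, last_day in departures.items():
        days_left = (last_day - asof).days
        if not 0 <= days_left <= notice_days:
            continue                          # not (yet) in the notice window
        per_day = totals.get(user, {})
        history = [n for d, n in per_day.items() if d <= cutoff]
        recent = [n for d, n in per_day.items() if cutoff < d <= asof]
        if not history or not recent:
            continue                          # no baseline to compare against
        baseline = sum(history) / len(history)
        recent_mean = sum(recent) / len(recent)
        ratio = recent_mean / baseline if baseline else float("inf")
        if ratio >= factor:
            alerts[user] = {"baseline": baseline, "recent": recent_mean,
                            "ratio": ratio, "days_to_departure": days_left}
    return alerts


def run_sample(asof=date(2014, 7, 10), departures=DEPARTURES):
    """Run the rule over the constructed sample as of a given day."""
    return flag_departing_insiders(build_access_log(), departures, asof)


if __name__ == "__main__":
    for user, a in run_sample().items():
        print(f"{user}: {a['recent']:.0f}/day vs baseline {a['baseline']:.0f}/day "
              f"({a['ratio']:.1f}x), leaves in {a['days_to_departure']} days")
```

Note what the rule deliberately does not do: a colleague with the same spike who has given no notice (asmith in the sample) is not flagged by this rule, and a departing employee whose habits are unchanged (bwong) is not flagged either; the departure notice raises priority, it is not evidence on its own.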
4. Cyber eavesdropping
Not all data breaches involve massive quantities of customer information stored by financial institutions.
Notably, hackers used a web monitoring tool to eavesdrop on Directors Desk, a Nasdaq
platform for facilitating communications for 10,000 company directors and executives. By
eavesdropping, attackers may have gained access to inside information, which could have been
sold on the black market.
Key lesson: Nasdaq's security was criticized for running outdated security software and
improperly configured firewalls. They could have been better off with cyber security solutions
that allow them to trace the root source of attacks – malicious monitoring in this case.
5. Identity theft
Citibank and JP Morgan Chase disclosed that a New York resident had obtained the personal information of
their customers back in 2011, according to privacyrights.org. The woman used the information to
steal $30,000 from Citibank and $300,000 from Chase. Forged driver's licenses were used to
make fraudulent withdrawals.
Key lesson: The security systems in place failed to protect customer data, and there was no
forensic analysis after the identity theft. Banks should be backed by an incident response team that
is able to use the widely utilized forensic tools for preservation and collection of digital evidence
for analysis and future theft prevention. Forensic analysis helps to establish what information
led to the compromise and how the breach occurred, as well as how to repair the damage.
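Preservation is the step that makes later analysis defensible: every collected file is hashed at collection time, the hashes are recorded in a manifest with the collector and timestamp, and any later examination re-hashes the files against that manifest. The following is an added example of that routine, not code from the article or from any forensic product; the two evidence files, their contents and the collector name are constructed, and the tampering in `demo()` is simulated to show the verifier catching it.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, collector):
    """Record hash, size and collection time for each evidence file."""
    return {
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": {
            os.path.basename(p): {"sha256": sha256_file(p), "size": os.path.getsize(p)}
            for p in paths
        },
    }


def verify_manifest(manifest, directory):
    """Re-hash every listed file; report ok / modified / missing per file."""
    results = {}
    for name, meta in manifest["files"].items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "missing"
        elif sha256_file(path) == meta["sha256"]:
            results[name] = "ok"
        else:
            results[name] = "modified"
    return results


def demo():
    """Constructed walk-through: collect two files, then alter one and re-verify.

    Returns (verification_before, verification_after).
    """
    with tempfile.TemporaryDirectory() as d:
        a = os.path.join(d, "web_access.log")
        b = os.path.join(d, "teller_export.csv")
        with open(a, "w") as f:            # constructed evidence content
            f.write('203.0.113.7 - - [10/Jul/2014:10:00:01 +0000] "GET /login HTTP/1.1" 200 512\n')
        with open(b, "w") as f:
            f.write("account,withdrawal\n0000001,30000\n")
        manifest = build_manifest([a, b], collector="analyst-1 (constructed)")
        manifest_path = os.path.join(d, "manifest.json")
        with open(manifest_path, "w") as f:   # the manifest travels with the evidence
            json.dump(manifest, f, indent=2)
        with open(manifest_path) as f:
            loaded = json.load(f)
        before = verify_manifest(loaded, d)
        with open(b, "a") as f:            # simulate a later, unrecorded alteration
            f.write("0000002,1\n")
        after = verify_manifest(loaded, d)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("at collection:", before)
    print("after alteration:", after)
```

In a real collection the manifest itself is stored separately from the working copies (and ideally signed), so that the chain of custody does not depend on the same disk that holds the evidence.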
It’s a long, hard slog for financial institutions when it comes to mitigating and preventing cyber
threats, but the lessons point the route towards better security practices.
About The Author
Dan Virgillito is a freelance content strategist and the Director of Media &
Communications at Massive, a cyber intelligence firm specialising in early
threat prevention.
Is It Time to Outsource Your Security Education?
It has happened again. Although Jean has led half-day training sessions and sent repeated
emails about how her colleagues can better protect themselves and their company from cyber
attacks, another employee just clicked on a link in an email and launched a phishing attack.
What's wrong with Jean's approach to security training? After all, as her company's chief
information security officer (CISO), she's already doing her part to educate employees about
their vulnerability to attacks such as phishing and malware. But is she providing the right content
with the right message to the right employees in the right format? Probably not, and that's where
many internal security training initiatives fall short.
She has the right idea: Companies must have security training programs that teach their
employees to protect themselves from all types of threats, both cyber and physical. Jean's
problem, however, is that the imperative for training at her company is greater than her
resources, and because of that, she's treating security education as a one-size-fits-all process.
The solution: Outsource the training program to a third-party security education partner to take
advantage of industry expertise, on-target and cutting-edge training tools, and methodologies
that measure and deliver results.
Many companies like to keep security education in-house, to maintain control over training. After
all, businesses struggle to understand how outsourcing companies could possibly be a better fit
than an internal team that knows the company and its employees inside and out. Yet oftentimes
programs developed in-house don't engage employees in a manner that changes their
dangerous behavior. A different approach is needed.
Outsourcing Benefits are Huge
The global risk of cyber attacks is a real and growing threat, and could carry a whopping price
tag in the future, according to a report from McKinsey and Co. The cost—the material effect of
slowing the pace of technology and innovation due to a lack of cyber resiliency—could be as
high as $3 trillion by 2020.
These figures prove that companies need security education—and quickly. For most
businesses, outsourcing security education makes a lot of sense. Here's why:
Expertise is Key
In an outsourced security training program, content is developed by security experts who are
trained educators. On the other hand, internal teams may make mistakes, such as
inadvertently using examples of real-life attacks on the company, potentially embarrassing the
impacted employees. Your IT team may be up to date on the latest issues, but not always able
to relate this information back to employees in a way they can easily comprehend—and retain—
with the end goal always being a change in behavior.
External Resources are Used
Your staff's valuable time is freed from developing and maintaining comprehensive training
materials. New types of security threats emerge every day. While your IT and security teams
are likely aware of many threats, do they have time to constantly review and update training
materials to make sure they are protected against new types of attacks?
Outsourcing is an opportunity cost—that is, what else could your IT and security teams be
doing if this responsibility was assigned to another source? Outsourced programs address
existing threats as well as those that are emerging, such as clicking on a link in a text message
on a smartphone.
Content and Context are Both Considered
Security training done in-house is usually conducted in a classroom setting using a series of
PowerPoint slides or videos. As you may remember from personal experience with the platform,
while inexpensive, PowerPoint might not be the best way to engage users or change behavior.
For starters, the trainer has no idea if every employee is giving the presentation their full
attention and only knows if the training is failing when another attack against the company
occurs. Because it's a classroom setting that involves their peers, employees may be afraid to
ask questions or contribute to the discussion.
Informative mass emails and PDFs are also relatively inexpensive and easy-to-produce, but
again fail to engage the user or change behavior. They are too easy to ignore and there's no
way to know if the employee did anything except open the email.
When training is outsourced to a trusted provider, it is not a one-off event but rather a series of
interrelated exercises and lessons that can be completed at an employee's desktop.
Awareness is tested frequently and follow-up sessions can be scheduled with employees who
do not seem to be grasping training concepts.
When you outsource training, sessions are short, interactive and engaging. Employees are
not pulled away from their desk for hour-long, half-day or even full-day sessions. Security
training is best-addressed in short bursts for maximum retention and, ultimately, behavioral
change.
Results are Measurable
Even the best internal programs stumble in one key area: measurement. If you can't accurately
measure and analyze results, you have no way of knowing:
• How the company is improving overall in its security awareness
• How individuals are changing their behaviors
• Which employees are still the weakest link from a security perspective and need to be enrolled in follow-up training programs.
• Where the company is still most vulnerable in terms of type of attack (email, bad URLs, smartphones, physical security, etc.)
Reporting capabilities from an outsourced partner provide both aggregate and individual data to
gauge effectiveness, guide follow-up training programs and show improved results over time.
Each day you put off implementing a security education program is a day when your company is
vulnerable to all types of cyber attacks. Training programs available from a trusted partner can
be rolled out companywide immediately, so as new threats become known, training is
available.
Effective Training is Outsourced Training
To be effective, security training needs to be more than a simple PowerPoint that warns people
of the dangers facing them or an email blast with the same message that goes unopened. A
comprehensive security education program includes:
• Broad assessments, which provide baseline information about employee knowledge on several cyber security threat vectors and help the security officer prioritize the training rollout.
• Mock attacks, which allow companies to assess employees' initial susceptibility to schemes such as phishing and malware, and provide motivation for employees to complete training. Mock attacks can lead to training completion rates as high as 90 percent.
• Short, interactive training modules that cover a variety of cyber threats, designed to show employees what the threats are, how to best avoid different types of attacks, and an opportunity to practice what they've been taught. This can help to ensure the right employee behavior when they are faced with real attacks.
• Awareness materials such as posters, screen savers and digital sign boards that remind users about the importance of staying alert and that reinforce methods used in training.
Whether you decide to keep things internal or partner with a security training expert, it's time to
act. Managers need to find or create a program they can roll out immediately, rather than leave
employees uninformed while potential attackers home in on security weaknesses in your
infrastructure.
About the author
Joe Ferrara is CEO of Wombat Security Technologies, a provider of information
security awareness and training software to help organizations teach their
employees secure behavior. Joe Ferrara has recently been named as “CEO of
the Year” by the CEO Awards and is an EY Entrepreneur Of The Year™ 2014
Award finalist in Western Pennsylvania and West Virginia.
Top 3 Myths About Antivirus Software
by AntivirusTruth.org
NSA Spying Concerns? Learn Counterveillance
Free Online Course Replay at www.snoopwall.com/free
"NSA Spying Concerns? Learn Counterveillance" is a 60-minute recorded online instructor-led
course for beginners who will learn how easily we are all being spied upon - not just by the NSA
but by cyber criminals, malicious insiders and even online predators who watch our children;
then you will learn the basics in the art of Counterveillance and how you can use new tools and
techniques to defend against this next generation threat of data theft and data leakage.
The course has been developed for IT and IT security professionals including Network
Administrators, Data Security Analysts, System and Network Security Administrators, Network
Security Engineers and Security Professionals.
After you take the class, you'll have newfound knowledge and understanding of:
1. How you are being Spied upon.
2. Why Counterveillance is so important.
3. What You can do to protect private information.
Course Overview:
How long has the NSA been spying on you?
What tools and techniques have they been using?
Who else has been spying on you?
What tools and techniques have they been using?
What is Counterveillance?
Why is Counterveillance the most important missing piece of your security posture?
How hard is Counterveillance?
What are the best tools and techniques for Counterveillance?
Your enrollment includes:
1. A certificate for one free personal usage copy of the Preview Release of SnoopWall for
Android
2. A worksheet listing the best open and commercial tools for Counterveillance
3. Email access to the industry leading Counterveillance expert, Gary S. Miliefsky, our educator.
4. A certificate of achievement for passing the Concise-Courses Counterveillance 101 course.
Visit this course online, sponsored by Concise-Courses.com and SnoopWall.com at
http://www.snoopwall.com/free
Top Twenty INFOSEC Open Sources
Our Editor Picks His Favorite Open Sources You Can Put to Work Today
There are so many projects at sourceforge it’s hard to keep up with them. However, that’s not
where we are going to find our growing list of the top twenty infosec open sources. Some of
them have been around for a long time and continue to evolve, others are fairly new. These are
the Editor's favorites that you can use at work and some at home to increase your security
posture, reduce your risk and harden your systems. While there are many great free tools out
there, these are open sources which means they comply with a GPL license of some sort that
you should read and feel comfortable with before deploying. For example, typically, if you
improve the code in any of these open sources, you are required to share your tweaks with the
entire community – nothing proprietary here.
Here they are:
1. TrueCrypt.org – The Best Open Encryption Suite Available
2. OpenSSL.org – The Industry Standard for Web Encryption
3. OpenVAS.org – The Most Advanced Open Source Vulnerability Scanner
4. NMAP.org – The World’s Most Powerful Network Fingerprint Engine
5. WireShark.org – The World’s Foremost Network Protocol Analyser
6. Metasploit.org – The Best Suite for Penetration Testing and Exploitation
7. OpenCA.org – The Leading Open Source Certificate and PKI Management
8. Stunnel.org – The First Open Source SSL VPN Tunneling Project
9. NetFilter.org – The First Open Source Firewall Based Upon IPTables
10. ClamAV – The Industry Standard Open Source Antivirus Scanner
11. PFSense.org – The Very Powerful Open Source Firewall and Router
12. OSSIM – Open Source Security Information Event Management (SIEM)
13. OpenSwan.org – The Open Source IPSEC VPN for Linux
14. DansGuardian.org – The Award Winning Open Source Content Filter
15. OSSTMM.org – Open Source Security Test Methodology
16. CVE.MITRE.org – The World’s Most Open Vulnerability Definitions
17. OVAL.MITRE.org – The World’s Standard for Host-based Vulnerabilities
18. WiKiD Community Edition – The Best Open Two Factor Authentication
19. Suricata – Next Generation Open Source IDS/IPS Technology
20. CryptoCat – The Open Source Encrypted Instant Messaging Platform
Please do enjoy and share your comments with us – if you know of others you think should
make our list of the Top Twenty Open Sources for Information Security, do let us know at
marketing@cyberdefensemagazine.com.
(Source: CDM)
National Information Security Group Offers FREE Techtips
Have a tough INFOSEC question? Ask for an answer and ye shall receive
Here’s a wonderful non-profit organization. You can join for free, start your own local chapter and so much more.
The best service of NAISG is their free Techtips. It works like this: you join the Techtips mailing list.
Then of course you’ll start to see a stream of emails with questions and ideas about any area of INFOSEC. Let’s say you just bought an application layer firewall and can’t figure out a best-practices model for ‘firewall log storage’. You could ask thousands of INFOSEC experts in a single email by posting your question to the Techtips newsgroup.
Next thing you know, a discussion ensues and you’ll have more than one great answer. It’s NAISG.org’s best kept secret.
So use it by going here:
http://www.naisg.org/techtips.asp
SOURCES: CDM and NAISG.ORG
SIDENOTE: Don’t forget to tell your friends to
register for Cyber Defense Magazine at:
http://register.cyberdefensemagazine.com
where they (like you) will be entered into a monthly drawing
for the Award winning Lavasoft Ad-Aware Pro, Emsisoft Anti-malware and
our new favorite system ‘cleaner’ from East-Tec called Eraser 2013.
Job Opportunities
Send us your list and we’ll post it in the magazine for free, subject to editorial approval
and layout. Email us at marketing@cyberdefensemagazine.com
Free Monthly Cyber Warnings Via Email
Enjoy our monthly electronic editions of our Magazines for FREE.
This magazine is by and for ethical information security professionals with a twist on innovative
consumer products and privacy issues on top of best practices for IT security and Regulatory
Compliance.
Our mission is to share cutting edge knowledge, real world stories and independent lab reviews on the best ideas, products and services in the information technology industry. Our monthly Cyber Warnings e-Magazines will also keep you up to speed on what’s happening in the cyber crime and cyber warfare arena, plus we’ll inform you as next generation and innovative technology vendors have news worthy of sharing with you – so enjoy.
You get all of this for FREE, always, for our electronic editions.
Click here to signup today and within moments, you’ll receive your first email from us with an archive of our newsletters along with this month’s newsletter.
By signing up, you’ll always be in the loop with CDM.
Cyber Warnings E-Magazine July 2014
Sample Sponsors:
To learn more about us, visit us online at http://www.cyberdefensemagazine.com/
Don’t Miss Out on a Great Advertising Opportunity.
Join the INFOSEC INNOVATORS MARKETPLACE:
First-come-first-serve pre-paid placement
One Year Commitment starting at only $199
Five Year Commitment starting at only $499
http://www.cyberdefensemagazine.com/infosec-innovators-marketplace
Now Includes:
Your Graphic or Logo
Page-over Popup with More Information
Hyperlink to your website
BEST HIGH TRAFFIC OPPORTUNITY FOR INFOSEC INNOVATORS
Email: marketing@cyberdefensemagazine.com for more information.
Cyber Warnings Newsflash for July 2014
Highlights of CYBER CRIME and CYBER WARFARE Global News Clippings
Get ready to read on and click the titles below to read the
full stories – this has been one of the busiest months in
Cyber Crime and Cyber Warfare that we’ve tracked so far.
Even though these titles are in BLACK, they are active
hyperlinks to the stories, so find those of interest to you
and read on through your favorite web browser…
POS Vendor Warns of Restaurant Breach - BankInfoSecurity
07/01/2014 09:22 (Bankinfosecurity)
...remote access credentials were somehow compromised, possibly through a phishing attack. Since learning of the
breach, which LogMeIn discovered,
Cybercrooks are Zeroing in on "Candy Stores" - Affluent Consumers and Their Advisors
07/01/2014 09:05 (Morningstar)
NSA Director: Snowden Leaks 'Manageable'
07/01/2014 08:42 (The Takeaway)
...is falling." Sanger joins to discuss the new director's views on Snowden, the phone-data surveillance
program, cyber security, and much more.
Prepare yourself for high-stakes cyber ransom
07/01/2014 06:09 (Security - InfoWorld)
...cloud | Find out how to block the viruses, worms, and other malware that threaten your business, with hands-on advice
from InfoWorld's expert...
Energy sector faces attacks from hackers in Russia
07/01/2014 03:11 (CNBC)
...Moscow working hours. A report released Monday by Symantec, a computer security company based in Mountain View,
Calif., detailed similar conclusions...
Female Cyber Sleuths Hack Into Silicon Valley’s Boys Club
07/01/2014 00:40 (Bloomberg)
said Rad, who speaks regularly at security events and has worked for top cyber-security firms. Now I meet many more
women doing the same. Over...
NCA charges 17-year-old London man for role in massive Spamhaus DDoS attack
06/30/2014 15:39 (SC Magazine)
...16-year-old attacker was taken into custody secretly by the National Cyber Crime Unit, but reports on the arrest did not
start coming out until...
Google Glass privacy – hack lets attackers ‘see through victim’s eyes’
06/30/2014 13:29 (We Live Security)
...headset but works so quickly that researchers at Deloitte's computer security division and Dutch security company
Masc told newspaper Volkskrant,
Could NSA gain more access to private information under new cyber bill?
06/30/2014 09:26 (BizBeat - Washington Business Journal)
Could NSA gain more access to private information under new cyber bill? The National Security Agency could gain access
to even more private data...
New malware program targets banking data
06/30/2014 08:57 (Computerworld)
...information is much harder to detect by users than those involving phishing or rogue form fields injected into pages, the
Trend Micro researchers...
No perfect way to protect data, NSA chief says
06/30/2014 06:36 (PilotOnline.com)
...contractor, can't be stolen again. But the Defense Department, of which the security agency and Cyber Command are a
part, made the same vow in 2010, after...
Bug in WordPress plugin allows unauthorized file upload
07/02/2014 07:29 (Help Net Security)
...website." The bug can be exploited to use vulnerable websites for phishing lures, sending spam, host malware, infecting
other customers (on a...
The 5 Biggest Cybersecurity Myths, Debunked
07/02/2014 06:47 (Wired)
...still fictionalized dangers on the cyber side. Myth #4: The Best (Cyber) Defense Is a Good (Cyber) Offense Senior
Pentagon leaders talk about how...
US privacy board says NSA Internet spying program is effective but worrying
07/02/2014 06:27 (Bangor Daily News)
...collection program has been an effective tool to enhance the country's security but some elements of the cyber-spying
raises privacy concerns,
Hackers Find Open Back Door to Power Grid With Renewables: Tech
07/02/2014 05:23 (Washington Post - Bloomberg)
...distribution system opens additional portals through which hackers can attack the grid, according
to computer security experts advising governments...
Legitimate No-IP users still affected by Microsoft's domain takeover
07/02/2014 05:13 (Help Net Security)
...by dynamic DNS service No-IP on Monday, it disrupted malware networks used by cybercriminals to infect victims with
NJrat and NJw0rm backdoors,
Hackers hit more businesses through remote access accounts
07/02/2014 03:48 (Computerworld)
LogMeIn username and password, but surmised it might have been via a phishing attack. Prior to the intrusion, ISS used a
common password to access...
Hacked Companies Face SEC Scrutiny Over Disclosure
07/02/2014 00:20 (Bloomberg)
...shares. In guidance issued three years ago, the SEC said a cyber-attack could be material if it causes a company to
significantly increase what...
Data Breaches: Not Learning from History
07/01/2014 18:19 (Isssource.com)
...to security. It is great that recent breaches have increased cyber security awareness and internal dialogue, said Dwayne
Melancon, chief technology...
Big data security analytics mantra: Collect and analyze everything
07/01/2014 08:18 (Network World)
...security professionals to identify the most important type of data for use in malware detection and analysis (note: I am an
employee of ESG).
New Apple patent will let iPhone 'feel safe' based on location and unlock itself
07/07/2014 08:36 (Tech Times)
...its patent application. "It can be desirable to have decreased security requirements when the mobile device is at a
secure location. Conversely,
Students Who Push Tech Boundaries Should Be Encouraged, Not Punished
07/07/2014 06:50 (Wired)
...and subject to serious prosecution under existing federal and state level computer crime laws. Armed with
the Computer Fraud and Abuse Act (CFAA)
MiniDuke hackers attack governments, hunt drug dealers
07/07/2014 03:55 (Tech Times)
MiniDuke hackers attack governments, hunt drug dealers With cyber criminals looming large, security in the World Wide
Web is becoming a growing...
Computer forensics key in hot car child death case
07/07/2014 03:30 (Wusa9)
Computer forensics key in hot car child death case COBB COUNTY, Ga. Attention has shifted to the mother of a 22-month-old child who died after...
Australian teen accepts police caution to avoid hacking charge
07/07/2014 01:40 (Network World)
...that period. Rogers' case illustrates the fine line that computer security researchers tread when hunting for software
vulnerabilities on public...
Encrypted instant messaging project seeks to obscure metadata
07/06/2014 21:35 (ComputerWorld)
...aims to allow people to have online chats but leave little digital forensic evidence Security researchers have a working
prototype of an instant...
North Korea has doubled number of elite cyber warriors and established overseas bases for
hacking
07/06/2014 04:15 (The Raw Story)
...established overseas bases for hacking attacks, a report said Sunday. The North's cyber war unit now has 5,900
personnel, compared with 3,000 two...
NSA dragnet ensnares mostly ordinary users
07/06/2014 00:09 (The Boston Globe)
...legally targeted foreigners in the communications intercepted by the National Security Agency from US digital networks,
according to a four-month...
The Ex-Google Hacker Taking on the World’s Spy Agencies
07/08/2014 06:51 (Wired)
...as Morgan Mayhem spent his nights and weekends hunting down the malware used to spy on vulnerable targets like
human rights activists and political...
Cyber spying, maritime disputes loom large in U.S.-China talks
07/08/2014 06:33 (Yahoo! News)
...the School of International Studies at Peking University who has advised the government on diplomatic issues. "I don't
foresee many tangible...
Studies show a car’s computer system vulnerable to hacking Special
07/08/2014 04:07 (Digital Journal)
Banks Dreading Computer Hacks Call for Cyber War Council
07/08/2014 00:21 (Bloomberg)
Banks Dreading Computer Hacks Call for Cyber War Council Wall Street's biggest trade group has proposed a
government-industry cyber war council...
Chinese Attackers Targeting U.S. Think Tanks, Researchers Say
07/07/2014 18:30 (Dark Reading)
...national security policy research organizations, CrowdStrike says The Chinese cyber attack group Deep Panda late last
month compromised "several"
Advanced attack group Deep Panda uses PowerShell to breach think tanks
07/07/2014 17:46 (SC Magazine)
Less skilled or funded attackers have made use of PowerShell to spread malware to unsuspecting victims. Last month, a
new variant of ransomware...
Senate should demand electric grid reliability and security
07/07/2014 16:00 (The Hill - Blogs)
...Northeast Blackout. In November 2013, FERC approved an NERC-drafted cyber security standard. In its ruling, FERC
called out deficiencies in the...
Google Glass Lets You Figure Out Passwords From User Keystrokes
07/07/2014 15:40 (ValueWalk)
...looking over your shoulder. It was announced today that computer forensics experts at the University of Massachusetts
in Lowell have discovered...
Payment Card Data Isn't The Only Lucrative Loot In A Data Breach
07/07/2014 14:29 (Forbes.com)
...extortion. For example, the primary function of the Zeus malware family is to steal bank credentials. Criminals
surreptitiously install the malware...
Data Breach Bulletin: Brazilian Banks Lose $3.75 Billion Because Of Boleto Malware
07/07/2014 12:46 (Forbes.com)
...May 2014. The investigation is still ongoing through third-party computer forensics experts, but the school has
determined that names, birth...
Android bug lets apps make rogue phone calls
07/07/2014 08:25 (Network World)
...Key) several times. The new vulnerability might be exploited by malware for some time to come, especially since the
patching rate of Android...
Senate intelligence committee approves cyber security bill
07/09/2014 08:47 (1070 WINA)
Senate intelligence committee approves cyber security bill (Reuters) The U.S. Senate Intelligence Committee approved a
bill on Tuesday to encourage...
Controversial Cybersecurity Bill Known As CISA Advances Out Of Senate Committee
07/09/2014 06:55 (Forbes.com)
...establishment of a portal managed by the Department of Homeland Security through which electronic cyber information
will enter the government and...
Anonymous Norway claim massive cyber-attack on Norwegian banks
07/09/2014 06:39 (Digital Journal)
How the Target Breach Has Affected Small Business Data Security
07/09/2014 04:10 (Network World)
...puzzle." Hackers used credentials from Target's HVAC company to upload malware into the security and payments
system. Target's malware detection...
China, U.S. say committed to managing differences
07/09/2014 01:28 (Yahoo! News)
would definitely be a disaster," he told the opening ceremony at a government guesthouse in the west of the city. "We
should mutually respect and...
US nabs alleged Russian hacker – and Kremlin cries foul
07/08/2014 20:42 (Yahoo! News)
...in the face, say psychologists. Why hedge funds are under attack by cyber-criminals Ukraine election narrowly avoided
'wanton destruction' from...
E-ZPass Warns Of Phishing Scam E-Mails About Unpaid Tolls
07/08/2014 19:43 (CBS New York)
E-ZPass Warns Of Phishing Scam E-Mails About Unpaid Tolls NEW YORK (CBSNewYork) The Port Authority of New York
and New Jersey is cautioning the...
Nude pics, other data, recovered from 'wiped' Android phones purchased on eBay
07/08/2014 16:36 (SC Magazine)
No business data or company information was recovered, Jaromír Hořejší, malware analyst with AVAST,
told SCMagazine.com in a Tuesday email correspondence.
Facebook Helps Cripple Greek Botnet
07/08/2014 16:25 (Dark Reading)
...this one, which hails from Greece, working with Greece's Cyber Crime Division. Disrupting a botnet's infrastructure is
typically a temporary...
Security Firm Says Chinese Hackers Targeting U.S. Experts on Iraq
07/08/2014 15:28 (Nextgov)
...Hackers Targeting U.S. Experts on Iraq A private cyber security firm has discovered evidence that a suspected Chinese
government hacker group...
Air Force base finalist for agency relocation
07/08/2014 15:16 (AdVantage News)
...facility. Scott is the ideal location for NGA, Enyart said. Scott's cyber-security work combined with the NGA's natural fit
with our military make the...
Rogers: Cybersecurity is the 'ultimate team sport'
07/08/2014 14:58 (Federal Times)
...importance to us as a nation: this idea of how do we maintain security in a cyber arena in a world where cyber continues
to grow in importance...
Electronic Frontier Foundation Sues NSA, Director of National Intelligence
07/08/2014 14:22 (Dark Reading)
...Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization,
identity management,
Gameover Zeus Trojan Returns
07/11/2014 09:06 (GovInfoSecurity)
...give up because of the Gameover Zeus takedown," says independent computer security analyst Graham Cluley. "With
their criminal income disrupted,
DSC Cyber Camp impresses teens
07/11/2014 06:10 (Hometown News)
...computer security techniques, involving digital forensics, browser security, malware handling and virtualization. The
consortium's goal is to...
Norway's massive cyber-attack the work of one lone teenager
07/11/2014 05:32 (Digital Journal)
CryptoLocker is temporarily disabled, users still at risk
07/11/2014 05:06 (Help Net Security)
Adobe Reader or Flash should be deployed as soon as they become available. The use of an anti-malware solution would
also be highly recommended.
Shipping companies' computers compromised by malware-infected Chinese scanners
07/11/2014 05:00 (Network World)
...go into critical systems. [DOJ throws down the gauntlet with cyber crime charges against Chinese military] While steps
can be taken to reduce...
Exploring the BYOD security dynamic
07/11/2014 03:41 (Help Net Security)
...devices. Over 60% of employers indicated they seek employee input on mobile device security policies, but over 60%
also said employee preference has...
Germany demands the expulsion of top U.S. intelligence official
07/11/2014 00:00 (Pittsburgh Post-Gazette)
...since last summer, when it was reported that the National Security Agency had been monitoring
the digital communications of millions of Germans.
No likely data breach from reported Chinese hacking: US
07/10/2014 21:35 (Yahoo! News)
...US government workers was not compromised in a recently reported cyber attack, officials said Thursday amid fresh
allegations that Chinese hackers...
Study: Most Critical Infrastructure Firms Have Been Breached
07/10/2014 17:15 (Dark Reading)
...companies have been hit by security breaches in the last year, but cyber security programs are still a low priority. A new
Ponemon Institute study...
Hacking Gets Physical: Utilities At Risk For Cyber Attacks
07/10/2014 15:22 (Forbes.com)
...in the real world. The most well-known example of a cyber attack on a physical infrastructure is the Stuxnet malware,
which was allegedly built...
Global action targeting Shylock malware
07/14/2014 07:03 (Help Net Security)
Global action targeting Shylock malware On 8 and 9 July 2014, an alliance of law enforcement and industry undertook
measures against the Internet...
US signs off US$1m for electric grid security study
07/14/2014 06:48 (Metering.com)
and make the electric sector more efficient overall. Threat of grid cyber attack The study will look at ways to make the grid
more resilient...
Cyberwar council plan offered
07/14/2014 03:00 (The Journal Gazette)
...the electric grid, which is also vulnerable to physical and cyber attack. The systemic consequences could well be
devastating for the economy...
How to promote data security in the workplace? A roundtable report
07/14/2014 02:31 (The Guardian)
...acknowledge that they are vulnerable to attack. According to Charlie McMurdie, senior cyber crime adviser at PwC and
former head of the e-crime unit at...
FBI cyber expert is ex-discount furniture salesman
07/14/2014 00:50 (Yahoo! News)
...replacing all the cards he stole. "This was all just really organized crime with a computer," Mularski said. "It's traditional
sleuthing but...
To be secure, AWS users must mind their keys and cues
07/13/2014 11:00 (GigaOM)
...and can see them logging into accounts, Prendergast said. If that phishing victim has admin rights, then well, yikes. Read
the best practices...
Chinese man accused of nicking data on C-17 U.S. military cargo plane
07/13/2014 00:13 (Nextgov)
...appreciate that the government brought its concerns about a potential compromise of our protected computer systems to
our attention, Boeing officials...
Scott Air Force Base poised for military cybersecurity boom
07/12/2014 12:16 (Belleville News Democrat)
...just don't understand," said Charles Tendell, the CEO of Azorian Cyber Security, of Colorado Springs, Colo. The nature
of this war came to light...
The Gameover Trojan program is back, with some modifications
07/11/2014 08:05 (Network World)
...by law enforcement agencies at the beginning of June. The Gameover Zeus malware is designed to steal log-in
credentials, as well as personal...
Meet ‘Project Zero,’ Google’s Secret Team of Bug-Hunting Hackers
07/15/2014 06:31 (Wired)
...that's meant to limit an application's access to the rest of the computer. On certain attack surfaces, we're optimistic we
can fix the bugs faster...
Say goodbye to desktop phones
07/15/2014 03:00 (Network World)
...to AirWave. Aruba's ClearPass handles network access control, security, guest access and other authentication services.
For mobile device management,
CyberCamp reaches out to girls
07/15/2014 00:40 (Denton Record Chronicle (AP))
...cybersecurity, and throughout the week they will work in computer simulations of networks with security breaches and
weaknesses that they must...
Air Force will cut 3,500 over five years
07/14/2014 18:36 (Quad-Cities Online)
Air Force will cut 3,500 over five years NORFOLK, Va. (AP) The Air Force said Monday it will eliminate nearly 3,500
positions over the next five...
Snowden and NSA: A Boon to the Privacy Business
07/14/2014 17:45 (Yahoo! News)
...of the market, Michela Menting, ABI Research's senior analyst in cyber security, said in a statement. Companies have
been quickly rolling out...
Cryptolocker neutralized, says Justice Department
07/14/2014 17:05 (SC Magazine)
...existence, can no longer communicate with the infrastructure used to control the malware, according to a Friday release.
As a result, Cryptolocker is...
Washington Post: Cyber security
07/14/2014 14:58 (The Salt Lake Tribune)
Washington Post: Cyber security The internet security company Symantec revealed recently that a group of hackers
known as Dragonfly infiltrated...
Capitol Hill joins business leaders in cybersecurity progress
07/14/2014 14:00 (The Hill - Blogs)
...consumers all over the world, and if they or any corporation were to suffer a cyber-attack, the repercussions would be far-reaching, as we've seen in...
WANTED - Special Agents: CID launches online application portal
07/14/2014 13:50 (Fort Lee Traveller)
...master's degree in Forensic Science or a master's degree in Digital Forensics from George Mason University. A unique
aspect of these programs for CID...
New banking malware 'Kronos' advertised on underground forums
07/14/2014 11:50 (Network World)
...said. It remains to be seen how popular Kronos will be within the cyber crime community, he said. The premium price
suggests that Kronos is aimed...
Agencies reset after missing the mark on cybersecurity goals
07/14/2014 10:52 (FederalNewsRadio.com)
...information officers to focus on priorities of continuous monitoring, phishing and malware, and authorization processes for
2015, according to...
ATM Cash-Out Strikes Red Cross Accounts
07/16/2014 08:44 (GovInfoSecurity)
...victims. After the hackers penetrated the payment processor's computer network and compromised the Red Cross
prepaid card accounts, they allegedly...
Why The World Needs Google Project Zero To Be More Than A 'Marketing Ploy'
07/16/2014 06:38 (Forbes.com)
...campaign from Google corporation, nothing new under the sun from a cyber security perspective . What Google did not
understand is that killing a...
65 challenges that cloud computing poses to forensics investigators
07/16/2014 03:29 (Help Net Security)
...cloud computing environments. Even if they seize a tablet or laptop computer at a crime scene, digital crime fighters
could come up empty handed...
‘Smart’ technology could make utilities more vulnerable to hackers
07/16/2014 02:31 (The Raw Story)
...IT security company, said. Fortunately for residents, Lindner's cyber attack on its energy utility, Stadtwerke Ettlingen, was
simulated. But...
Why password managers are not as secure as you think
07/16/2014 01:27 (Computerworld Malaysia)
...user's credentials with a bogus account, while others made users of some of the password managers vulnerable
to phishing attacks. Antone Gonsalves
Feds: We beat down Cryptolocker malware, but creator remains at large
07/15/2014 19:28 (Tech Times)
Feds: We beat down Cryptolocker malware, but creator remains at large The Department of Justice reports that the
Cryptolocker ransomware virus...
Massive Malware Campaign Steals Everybody's Passwords
07/15/2014 12:58 (Yahoo! News)
NightHunter's preferred method of infecting target computers appears to be via phishing emails, Navaraj says. These
emails are sent to personnel in the...
U.S. malware share rising, Amazon service No.1 in hosting it
07/15/2014 12:11 (Network World)
U.S. malware share rising, Amazon service No.1 in hosting it Solutionary's Top 10 list also includes Google and Akamai. In
its quarterly report...
Fake Flash Player steals credit card information
07/18/2014 09:47 (Help Net Security)
...targeting Android users, warn antivirus experts from Dr. Web. The malware is currently targeting Russian users, but it can
easily be modified to...
Are endpoints the most vulnerable part of the network?
07/18/2014 03:43 (Help Net Security)
...protections in place even though 74% consider endpoints to be most vulnerable to a cyber-attack, and 76% say the
number of endpoints is rising. Only...
Russian espionage malware adapted for ransomware scams
07/17/2014 16:57 (SC Magazine)
...that researchers saw the malware being spread via drive-by download and phishing schemes. The firm has yet to link the
malware to a specific...
Civil service reform: Start with IT/cyber
07/17/2014 16:56 (Federal Times)
...to NSA, it leaves their Central Maryland neighbors, DISA and the Defense Cyber Crimes Center, on the outside looking
in. That's problematic.
Government-Grade Stealth Malware In Hands Of Criminals
07/17/2014 16:52 (Dark Reading)
...Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization,
identity management,
Edward Snowden urges professionals to encrypt client communications
07/17/2014 10:00 (The Guardian)
...revealing interview with the Guardian in Moscow. The former National Security Agency and CIA computer specialist,
wanted by the US under the...
NIST Review Report: NSA Has 'Undeniable Incentive' to Defeat Security of NIST Standards; NIST
'Negligent' in Security of Cryptographic Standard
07/17/2014 08:57 (Technology News)
...software and technology products, in order to protect our privacy and cyber security. NIST's Visiting Committee on
Advanced Technology (VCAT)
Botnets gain 18 infected systems per second
07/17/2014 08:03 (Help Net Security)
...holistic look at the entire cyber underground ecosystem and all facilitators of a computer intrusion," he shared. "Just last
month, the FBI Cyber...
Google bug-hunting Project Zero could face software developer troubles
07/17/2014 04:29 (Network World)
...bugs. But if the initiative is handled right, it could help. [Phishing attack uses data URI to target Google accounts] "What
they may do is shine...
Ground commanders with cyber skills
07/16/2014 17:38 (Army Times)
...opposition throws a wide range of threats at the brigade, including phishing scams that install network-crashing malware.
The red team's goal...
Artist mails NSA ‘uncrackable’ mixtape
07/16/2014 14:23 (We Live Security)
...to highlight the fact that while government organizations can compromise computer systems and devices, the actual
cryptography connecting those...
No money, no problem: Building a security awareness program on a shoestring budget
07/16/2014 12:35 (Computerworld)
...cost of the awareness program. So for example, as every successful phishing attack has a cost associated with it, if you
are reducing phishing...
Can New York’s BitLicense Prevent Another Mt. Gox Catastrophe?
07/21/2014 09:35 (BayPay Members Blogs)
...outlines: Each Licensee shall establish and maintain an effective cyber security program to ensure the availability and
functionality of the...
Significant Deficiencies Found in Treasury’s Computer Security
07/21/2014 09:13 (Nextgov)
Significant Deficiencies Found in Treasury's Computer Security Weaknesses in Treasury Department computer systems
that track federal debt are...
Funny Facebook video scam leaves unamusing Trojan
07/21/2014 07:29 (Help Net Security)
...wake on users' computers, according to research by Bitdefender. The malware, believed to originate from Albania, can
access a large amount of...
Wanted: hackers to help the EFF make Wi-Fi routers more secure
07/21/2014 07:03 (The Guardian)
...firewall is switched on as this will prevent users visiting any untrusted, dangerous websites. How to protect yourself
from phishing Tom Brewster
News: The dangers of social media
07/20/2014 21:18 (DVIDS)
...want their information (made public), said Cureton, the cyber security chief for Marine Corps Installations Pacific-Marine
Corps Base Camp Butler.
Identifying cyber-criminals is No. 1 challenge, high-profile lawyer says
07/19/2014 21:00 (Tribune-Review (AP))
27, of Odessa, Ukraine, who is charged with providing the computer servers for a crime ring that stole 160 million credit
card numbers from retailers...
German NSA Inquiry Chief Proposes Ultimate Cybersecurity Move... Use A Typewriter
07/19/2014 07:04 (Forbes.com)
...Germany. In what could be considered one of the more surprising cyber security admissions of recent times, Patrick
Sensburg said on German television...
Overcoming the Cloud Forensic Challenge
07/22/2014 08:18 (GovInfoSecurity)
...face in the cloud is detecting a malicious act. A typical computer attack occurs through sequences of incremental steps
where each step in an...
Modern electric grid fighting cyber vulnerabilities
07/22/2014 08:00 (Pittsburgh - Post-Gazette)
...the grid vulnerable. Utility companies are spending millions annually in cyber security costs, and the trend will continue
with investments in...
We must end cyber warfare: RSA's Arthur Coviello
07/22/2014 02:43 (Computer World Australia)
...offensive," he told delegates. "The Chinese complain about the National Security Agency [NSA's] digital intelligence
gathering. The US complains about...
Your iPhone May Be Rigged to Spy on You
07/21/2014 18:39 (Yahoo! News)
...device connects to a PC or a Mac via USB, the mobile device and the computer exchange security certificates that
establish a trusted relationship...
Researcher: Cryptolocker Not Dead Yet
07/21/2014 17:21 (GovInfoSecurity)
...May 30 disruption it launched against the Gameover Zeus Trojan malware and Cryptolocker ransomware campaigns
continued to be successful. "The...
Security researcher: iOS security has been intentionally compromised by Apple
07/21/2014 16:33 (Yahoo! News)
...obvious reasons), he says. In addition to revealing that invisible malware installation is possible in iOS 7, Zdziarski
revealed a way of at...
DHS 'dos and don'ts' on cybersecurity
07/21/2014 16:00 (The Hill - Blogs)
DHS 'dos and don'ts' on cybersecurity Is a cyber-attack on America's electric grid imminent?
Malware Analysis | Part 1
07/21/2014 11:53 (Linux)
...remote systems' memory using dc3dd which was developed by Jesse Kornblum at the DoD Cyber Crime Center. Dc3dd
is similar to dd but allows us to...
9/11 Commission's New Cyberthreat Focus
07/23/2014 09:21 (Blogs - HealthcareInfoSecurity)
...10th anniversary report, cautions Americans and the U.S. government to treat cyberthreats more seriously than they did
terrorist threats in the...
Hackers steal data from 1,000 StubHub accounts
07/23/2014 09:20 (CNBC)
...at other websites and retailers or from key-loggers or other malware on the customers' computers. Bank hackers go
phishing The company detected...
iOS 'backdoor' entry is real, says Jonathan Zdziarski. Not for NSA, says Apple
07/23/2014 07:55 (Tech Times)
...connected to a computer via USB. The iOS device and the computer swap security certificates with each other to
establish a secure relationship,
Dianne Feinstein: Cybersecurity Information Sharing Act Will Help Protect Us
07/23/2014 07:34 (Technology News)
issued the following op-ed: Every week, millions of computer networks come under attack by hackers, cyber criminals and
hostile foreign nations.
Preparing for cyber warfare
07/23/2014 05:36 (The Wickenburg Sun)
the question is being raised is America prepped to handle a contemporary cyber war? While there may be no definitive
answer to that question...
Facebook scams now lead to exploit kits
07/23/2014 04:36 (Help Net Security)
...the following links or they may be shared automatically if the victim's computer has been compromised," the researchers
noted. If a scam such...
Online fingerprinting: The next privacy battle
07/23/2014 04:31 (GlobeAdvisor.com)
The psychology of phishing
07/23/2014 03:19 (Help Net Security)
...three years there has been a dramatic increase in the volume of targeted spear-phishing and long-lining fake emails,
which are so sophisticated...
Hackers inside Chinese military steal U.S. corporate trade secrets
07/23/2014 00:17 (Computerworld Malaysia)
...release. After much preparation, the attackers launched very specially tailored spear phishing email attacks. CSOs,
CISOs, and IT and security...
Hacking experts build device to protect cars from cyber attacks
07/22/2014 21:18 (Yahoo! News)
...identify and mitigate potential cybersecurity risks over the past few years. Cyber security is a global concern and it is a
growing threat for...
DHS cyber executive to retire
07/22/2014 11:26 (FederalNewsRadio.com)
...the private sector. In 2013, DHS launched the Enhanced Cybersecurity Services initiative to increase classified
information sharing. DHS recently...
Wounded special-ops veterans take on new enemy: child porn
07/25/2014 07:02 (News.Gnom.es)
...which has Zepeda setting his sights on a new enemy, and using computer forensics in the battle against child
pornography. From my first case,
Hackers only need to get it right once, we need to get it right every time
07/25/2014 03:31 (SC Magazine)
...of the law. This certainly holds true in the world of cyber security, where the criminals are faceless and motivated by large
financial rewards.
New type of ransomware bucks established trends
07/25/2014 03:25 (Help Net Security)
...recently spotted a new ransomware family they detect as "Onion." The malware itself is called CTB-Locker, and analysis
of its code revealed that,
Hackers exploiting Internet Explorer to expose security flaws on a huge scale
07/24/2014 21:00 (The Guardian)
...the techniques, told the Guardian. That way they will only attack a computer they know is vulnerable and avoid alerting
security companies to...
Cyber Command tests gov't collaboration in wake of attacks
07/24/2014 17:46 (SC Magazine)
...U.S. Cyber Command (USCYBERCOM) recently oversaw a two-week exercise in attack readiness called Cyber Guard
14-1. The U.S. Cyber Command (USCYBERCOM)
Hackers steal user data from the European Central Bank website, ask for money
07/24/2014 05:50 (Network World)
The affected individuals could be at a higher risk of fraud and phishing attacks following this security breach, said Jon
French, a security...
Global Survey: NSA, Retail Breaches Influenced Corporate Security Strategies the Most
07/28/2014 09:39 (Fort Mill Times)
Many organizations face daily perimeter-oriented attacks, such as phishing, designed to give attackers a foothold to steal
the privileged credentials...
'Masquerading': New Wire Fraud Scheme - BankInfoSecurity
07/28/2014 09:05 (Bankinfosecurity)
...bank's commercial customers, not the bank itself. And they differ from spear-phishing attacks in that they don't just target
specific employees,
The Top 5 Most Brutal Cyber Attacks Of 2014 So Far
07/28/2014 08:33 (Forbes.com)
and the extent of the damage done, still unclear. The state government said that it is notifying 1.3 million people including
current and former...
Collateral damage of Snowden leaks being felt in cyber, public trust
07/28/2014 00:49 (FederalNewsRadio.com)
Collateral damage of Snowden leaks being felt in cyber, public trust The National Security Agency's top lawyer said the
disclosures from former...
A new cyber exercise: Test your security team's incident response capabilities
07/27/2014 09:10 (Lohrmann On Cybersecurity - Government Technology)
A new cyber exercise: Test your security team's incident response capabilities The Michigan's Cyber Civilian Corps, state
and local government...
NSA director: Cyber attacks need international norms
07/27/2014 06:09 (Aspen Daily News Online)
...NSA has seen dozens of terrorists use published information to change their cyber attack tactics, Ledgett said. When
people say there are no...
Toddler dad case hinges on digital sleuthing
07/25/2014 20:35 (AJC.com)
showing the stakes of getting it right or wrong. And only on myajc.com, delve into the world of digital forensics by clicking
here. By Ariel Hart
New backdoor 'Baccamun' spreads through ActiveX exploit
07/25/2014 15:45 (SC Magazine)
...newly discovered backdoor program, called Baccamun, are spreading the malware via an ActiveX exploit, researchers
revealed. Attackers using a...
Canadian spy agency says Chinese hacked into NRC computers, network shut down
07/29/2014 09:29 (The Guardian)
Banks as Cybercrime Fighters? - BankInfoSecurity
07/29/2014 09:20 (Bankinfosecurity)
...comment about reports that SIFMA is pushing for the formation of a cyber war council, which would bring together a
committee of financial industry...
Android 'Fake ID' flaw could leave millions open to attack
07/29/2014 08:00 (The Guardian)
...them run malicious code on the device and infect the Android phone with malware. They could do the same using the
signature of the Android Near...
Personal Privacy Is Only One of the Costs of NSA Surveillance
07/29/2014 06:46 (Wired)
...Obama administration's stated goal of securing the internet and critical infrastructure and undermine global trust in the
internet and the safety...
NRC Hack Attack Forces It To Shut Down Computers; Could Take A Year To Recover
07/29/2014 04:40 (Huffington Post Canada)
AV engines are riddled with exploitable bugs
07/29/2014 04:02 (Help Net Security)
...could lead to man-in-the-middle attacks that deliver malware instead of updates. "Exploiting AV engines is not different to
exploiting other...
Georgia Tech launches early warning system for cyberthreats
07/29/2014 03:43 (Network World)
...called BlackForest, which will complement the institute's malware and spear-phishing intelligence systems. [Georgia
Tech warns of emerging threats...
Mystery 'Onion/Critroni' ransom Trojan evolves to use more sophisticated encryption
07/29/2014 03:24 (Computerworld Malaysia)
...with the program that kicked off the peak of the ransom malware age now largely neutered thanks to police intervention
the criminals have already...
Chinese hackers steal Israel’s Iron Dome missile data
07/29/2014 02:05 (The Guardian)
...occurred between 10 October 2011 and 13 August 2012, according to security firm Cyber Engineering Services (CES),
talking to independent security...
The CIA Fears the Internet of Things
07/28/2014 14:16 (Nextgov)
...Agency's directorate of science and technology, said today's concerns about cyber war don't address the looming geo-security threats posed by the...
CyberPatriot Having Big Impact on STEM Education and Career Choices, Data Shows
07/30/2014 09:26 (KAIT ABC-8)
...or comments about this page please contact pressreleases@worldnow.com.
SOURCE Air Force Association ARLINGTON, Va., July 30, 2014 /PRNewswire-USNewswire/
UAB students help fight hackers in new 'Facebook suite'
07/30/2014 08:37 (MyFoxAL.com)
...next big computer hack. UAB has actually had a reputation for its cyber security expertise for a number of years. One of
the bigger examples...
This Is Why Ex-NSA Chief Keith Alexander Can Charge $1 Million A Month For Cyber-Security
07/30/2014 00:16 (Yahoo! News)
...Ex-NSA Chief Keith Alexander Can Charge $1 Million A Month For Cyber-Security Former U.S. Cyber Command and
National Security Agency head Gen.
Report: Hackers stole data from Israeli defense firms
07/29/2014 17:37 (SC Magazine)
...(UAVs) and ballistic rockets. Columbia, Md.-based security firm Cyber Engineering Services shared the details of the
breach with Krebs, telling...
Scan Shows Possible Heartbleed Fix Failures
07/29/2014 17:07 (Dark Reading)
...failing to revoke the old cert, an attacker could use it in phishing attacks, according to the July 2014 status report by
Venafi. "Heartbleed...
Keylogger Malware in Hotel Business Centers
07/29/2014 16:53 (US-CERT)
Keylogger Malware in Hotel Business Centers Overview The United States Secret Service (USSS) has investigated
incidents where malicious actors...
IG scolds NOAA on security deficiencies, recommends fixes
07/29/2014 16:23 (SC Magazine)
...implementation of mobile device protections boosted the probability of malware infection, primarily because unauthorized
devices had been connected...
Homeland Security wants corporate board of directors more involved in cyber-security
07/29/2014 16:06 (Computer World Australia)
Homeland Security wants corporate board of directors more involved in cyber-security Setting corporate cybersecurity policy and taking actions...
House passes DHS cyber bills
07/29/2014 15:39 (Federal Times)
...procedures to DHS in order to gain liability protections in the event of an attack. RELATED For cyber-defense,
automation alone is not enough DHS eyes...
Canada blames China for cyber intrusion at National Research Council
07/29/2014 11:43 (ComputerWorld)
...carried out by highly sophisticated state-sponsored hackers, the government of Canada said The IT infrastructure of the
National Research Council...
Copyright (C) 2014, Cyber Defense Magazine, a division of STEVEN G. SAMUELS
LLC. 848 N. Rainbow Blvd. #4496, Las Vegas, NV 89107. EIN: 454-18-8465, DUNS#
078358935. All rights reserved worldwide. marketing@cyberdefensemagazine.com
Cyber Warnings Published by Cyber Defense Magazine, a division of STEVEN G.
SAMUELS LLC. Cyber Defense Magazine, CDM, Cyber Warnings, Cyber Defense Test
Labs and CDTL are Registered Trademarks of STEVEN G. SAMUELS LLC. All rights
reserved worldwide. Copyright © 2014, Cyber Defense Magazine. All rights reserved.
No part of this newsletter may be used or reproduced by any means, graphic,
electronic, or mechanical, including photocopying, recording, taping or by any
information storage retrieval system without the written permission of the publisher
except in the case of brief quotations embodied in critical articles and reviews. Because
of the dynamic nature of the Internet, any Web addresses or links contained in this
newsletter may have changed since publication and may no longer be valid. The views
expressed in this work are solely those of the author and do not necessarily reflect the
views of the publisher, and the publisher hereby disclaims any responsibility for them.
Cyber Defense Magazine
848 N. Rainbow Blvd. #4496, Las Vegas, NV 89107.
EIN: 454-18-8465, DUNS# 078358935.
All rights reserved worldwide.
marketing@cyberdefensemagazine.com
www.cyberdefensemagazine.com
Cyber Defense Magazine - Cyber Warnings rev. date: 07/30/2014