STE WILLIAMS

Science dictates that for every action there’s a reaction.

That’s one of the main points of a new SonicWall study, which reports a 93% decline in point-of-sale (PoS) malware creation since 2014, but counters that news with a reality-check that ransomware grew by a rate of 167 times year-over-year.

The study, conducted by the SonicWall Global Response Intelligent Defense (GRID) Threat Network, found that ransomware was the payload of choice for malicious email campaigns and exploit kits. Ransomware attack attempts went from 4 million in 2015 to a staggering 638 million last year.

“It’s pretty clear that the move to chip-and-PIN credit cards decreased PoS malware over the past couple of years,” says Dmitriy Ayrapetov, executive director of product development at SonicWall. “This is a dramatic drop compared to 2014, which was the high point of PoS malware, the time that top retailers like Target, Home Depot, and Staples were hit with massive data breaches.”

Ayrapetov adds that cybercriminals go where the money is, and during the last year, ransomware has become a very profitable business.

“With ransomware, attackers can hit both small and large businesses,” Ayrapetov says. “And it’s a lot less risky, since the attackers get paid in bitcoins and don’t have to use a credit card. Also, the emergence of ransomware-as-a-service has reduced the barrier to entry, [so] anybody can purchase ransomware-as-a-service now.”

The SonicWall study also found that SSL/TLS traffic grew by 38% last year, partly due to the growth in cloud application adoption. But yet again, the increase in SSL/TLS traffic has created another flaw: an uninspected backdoor into the network that cybercriminals can potentially exploit.

“Companies now need to look inside the network and inspect and protect encrypted traffic,” says Mike Spanbauer, vice president of security, test advisory at NSS Networks, which had an early briefing on the SonicWall report. “It’s really not terribly difficult to make money spreading ransomware. You can now get service agreements. It’s really scary how accomplished a business model they have.”

Other findings of the SonicWall study:

On the plus side: Dominant exploit kits, Angler, Nuclear, and Nutrino disappeared in mid-2016; unique malware samples fell to 60 million in 2016 compared with 64 million in 2015, a 6.25% decrease, while total attack attempts dropped to 7.87 billion in 2016, down from 8.19 billion in 2015.

On the minus side: IoT devices were compromised on a massive scale, leading to numerous DDoS attacks, most notably, the attack on DNS provider Dyn last fall; Android devices saw increased security protections, but remained vulnerable to overlay attacks.

The SonicWare GRID Threat Network is based on more than 1 million sensors placed in more than 200 countries and territories. The GRID Threat Network monitors traffic 24x7x365, developing its analysis on more than 100,000 malware samples collected daily. 

Related Content:

• 3 Takeaways From The HEI Hotels And Oracle MICROS Breaches
• Researchers Show How To Steal Payment Card Data From PIN Pads
• 6 Free Ransomware Decryption Tools
• What To Watch For With Ransomware: 2017 Edition

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Article source: http://www.darkreading.com/attacks-breaches/point-of-sale-malware-declined-93--since-2014/d/d-id/1328069?_mc=RSS_DR_EDT

Vyacheslav Khaimov of Brooklyn has pleaded guilty to charges for his role in a massive banking scam that has been operating in several countries since 2015 and cost victims over $1 million in losses, reports On The Wire. Khaimov allegedly made more than $230,000 via the scheme.

According to the FBI, several criminals based in different locations carried out the fraud using malware to illegally access bank accounts and transfer the stolen cash into their accounts via “money mules.”

A police complaint described money mules as “…unsuspecting individuals who believe they are working for a legitimate ‘work from home’ business. As part of their ’employment,’ the mules are instructed, typically via email, to open a bank account and receive the funds that have been removed from victims’ bank accounts.” This money is then allegedly moved into the criminals’ account.

FBI says many of the unsuspecting money mules used by the gang as a front were recruited via email or phone by someone called Samuel Gold who no one had ever seen.

Investigation is continuing.

Read here for details.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: http://www.darkreading.com/attacks-breaches/brooklyn-man-pleads-guilty-in-banking-scam-involving-money-mules/d/d-id/1328074?_mc=RSS_DR_EDT

Five Taiwan brokerages have received email threats from a group calling itself the Armada Collective asking for around $9,731 in Bitcoin to avoid a distributed denial-of-service (DDoS) attack on their websites, Reuters reports. Cybersecurity firm FireEye believes this is part of a string of such DDoS attacks first seen in Europe in January.

Rick Wang of Taiwan’s security regulator Financial Supervisory Commission said the country’s securities firms have been told to step up safety measures adding, “We have never seen this on such a scale – five companies hit at one time with the same threat.” 

None of the targeted firms have paid the ransom. One of the five came under DDoS attack, and while another firm was also hit, but there was no confirmation that the attacks were related to the threats.

Authorities are probing source of the emails.

Read full story on Reuters. 

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: http://www.darkreading.com/taiwan-brokerage-firms-receive-ddos-threats-demanding-ransom/d/d-id/1328073?_mc=RSS_DR_EDT

As the app frenzy that captivated consumers now blazes through the business world, it’s creating an unfortunate by-product: disconcerting security blunders and disasters.

After realizing apps boost businesses by simplifying life for employees, partners, and customers, organizations are feverishly “appifying” their operations: order management, payments, inventory control — you name it. But in their rush, many companies aren’t rigorously assessing the security of these Web and mobile apps, despite their multiple links to critical back-end systems and data.

The Road to Hell Is Paved with Insecure Apps
With the app era’s benefits also comes a tremendous potential for danger, if vulnerabilities exist in those interconnection points. Bad actors are looking to exploit these security gaps and sneak in through the app door.

Compared with other attack patterns, Web app attacks have become the most likely to trigger a data breach, according to Verizon’s 2016 Data Breach Investigation Report. This means Web apps aren’t just exposed, but “disproportionately vulnerable” compared to other attack vectors, according to Verizon. Furthermore, Ponemon Institutefound that data breach costs to organizations jumped almost 30% since 2013 to $4 million on average per incident in 2016.

Let’s shift now from the big picture and zoom in on two app security failures of which I have firsthand knowledge.

A Bank Winds Up with Egg on Its Face
When I was at a previous job, a large bank called me in to help after a faulty app turned a seemingly simple project into a nightmare. Seeking more shareholder participation in proxy voting, the bank decided to make the process more convenient with a mobile app. The bank accepted a low bid from a fledgling contractor and didn’t specify security requirements, except to give the app a sign-in gate. Incorrectly assuming the app had been built with native authentication, the bank distributed it to investors, without reviewing its code or development process.

What the bank didn’t know was that the contractor had used a flawed authentication library available online, which stealthily transferred contacts on users’ phones to a third-party server in China. The bank found out only after scammers flooded its shareholders with phishing attacks.

What’s Inside My Sushi Roll? Phish?
App fiascos aren’t limited to large organizations. When small companies ignore security, consequences can be disproportionately large.

I recently received an email resembling a FedEx notification, but the tracking number format looked strange. Upon further inspection, I found that the “track package” and “unsubscribe” links pointed to a Singapore sushi roll shop’s WordPress website with an open “file upload” function. A hacker, likely armed with a simple script, found the Web app’s vulnerability — the site builder’s mistake — uploaded malicious code, and crafted the phishing attack. I didn’t fall for this one, but others likely did. Study after study reveals disturbingly high success rates for phishing scams.

The RSA Q2 2016 Threat Report, released in September, found the following:

• 1 million+ unique phishing attacks were identified in the prior 12 months — one every 30 seconds.
• In the second quarter of 2016, phishing attacks jumped 308% year-on-year.
• The total cost to global organizations from phishing was $9.1 billion.

See, Assess, and Remediate
Before the cloud and mobility revolutions, applications had simpler, linear architectures, which made securing them easier. Today, apps are intertwined with other apps, Web services, and legacy back-end systems via APIs and custom integrations. They also expose many more functions to many more people via the Internet. This makes them a conveniently accessible target for hackers. The result: it’s much more complicated to find security gaps and weak links.

Consider these three areas where you can take concrete steps to build a safer enterprise and a culture of clean code.

Focus Area #1: See
You need full, uninterrupted visibility into all your applications, whether they were purchased or developed internally. A comprehensive, continuously updated app inventory puts you in control to manage apps’ security. This means understanding development methods and frameworks employed, and knowing all the modular components within the apps. That way, when vulnerabilities affecting these components are disclosed, you’ll know instantly which among your apps are affected.

Visibility also means understanding the threats posed by the Web of third-party service and resource interconnections tapped by your apps. For example, the bank would have avoided embarrassment if it had bothered finding out the components the contractor had used in the app and understood their risks.

Focus Area #2: Assess
Assessment involves probing your apps with a broad, deep scope and getting many parties involved, including app dev, quality assurance (QA), and information security. To reduce coding errors and catch most other ones before code makes it to production, you should do the following:

• Train QA staffers in Web application assessment
• Teach developers secure coding techniques
• Invest in continuous integration environments to automate and accelerate code development and testing

Assessment is an area where the Singapore shop failed badly, as it couldn’t detect a glaring flaw in its website that hackers exploited for a phishing campaign.

Focus Area #3: Remediate
Organizations need to prioritize remediation granularly. They can’t just focus on “crown jewel” apps. Simple code reused in many apps poses threats if it contains vulnerabilities. Remediation also presents an opportunity to promote using secure components and make everyone on the team feel empowered to protect the organization. Finally, the remediation process highlights successes and failures, so you can take steps to continually improve.

The bank and shop can learn valuable lessons from their app blunders and remediation, and lead them to adopt new app security best practices, processes, and tools.

Promise, Not Peril
In the end, don’t lose sight that the goal is to create a safe, efficient environment where the promise of the app era is realized and the peril is diminished.

Related Content:

• Simplifying Application Security: 4 Steps
• Application Security Still Slows Developer Work
• A Temperature-Check On The State Of Application Security

Jason Kent is Vice President, Web Application Security Product Management at Qualys. Prior to that, he held technical security positions at Veracode, BlueCoat, Aruba, and Verizon. Through more than a decade of dedicated AppSec experience, he has established expertise in … View Full Bio

Article source: http://www.darkreading.com/application-security/the-promise-and-peril-of-the-app-era/a/d-id/1328061?_mc=RSS_DR_EDT

Both iOS and Android come with features that are designed to further secure enterprise applications over and above the security level of standard consumer apps. Both operating systems offer some way of segmenting enterprise data from user profile data, in effect, creating a secure container to install enterprise apps and store enterprise data. Furthermore, network transports can be secured on both platforms using technologies such as data encryption, app-specific VPN tunnels, and even some form of direct boot mode, where the device stops being a general purpose mobile device and instead becomes a dedicated device for accessing specific enterprise apps. These features are described in detail on the Android and iOS Web pages.

Both operating systems have also been found to contain pretty serious security vulnerabilities in the past. Both are vulnerable to malware attacks, although iOS less so than Android. And both are prone to exposure from potentially dangerous security vulnerabilities due to the installation of third-party apps.

Each OS also has its own share of documented security issues. For example, Android has/had problems with the Stagefright vulnerability, and Apple has struggled multiple times with loopholes that allowed apps to execute standard library code directly, bypassing security restrictions. Currently, these vulnerabilities have been patched with up-to-date versions of both operating systems, but this does not mean that similar vulnerabilities will not be found in the future. Here are lists of Android vulnerabilities and iOS vulnerabilities from CVE Details. As of January 2017, iOS has had a total of 984 vulnerabilities whereas Android has had a total of 746. 

Open Source Vs. Closed Source: Not A Big Deal
In theory, the open-source nature of the Google Android project does make it more vulnerable to security issues. In reality, this is not the case. The same open-source mindset that has led to rapid development and improvement of Android, also means that when new vulnerabilities are uncovered, they are fixed very rapidly. On the other hand, the closed-source development of iOS should make it more secure and, in many ways, it does. But it also means that security vulnerabilities are fixed in a hierarchical manner, often taking longer to push a fix to market than Android.

The widest security difference between iOS and Google Android is the way these operating systems are deployed and updated. Android suffers from the significantly adverse effects of fragmentation, which means that there are potentially dozens of versions of the operating system in use at any time, even within a single enterprise. Android-equipped devices ship with a specific version of Android. Whether these devices receive future updates to Android is not a foregone conclusion. Some do, many don’t. Those that don’t are left running an older version. This means that security vulnerabilities need to be patched across a wide range of OS versions and devices. In the chart below, you can see that, as of January 2017, the latest Android version 7.1 has only 0.62% coverage in the business category.

As far as iOS goes, the closed-source approach to development and the aggressive way that Apple tends to protect its proprietary technology can hinder data forensics experts in their efforts to diagnose security breaches. Apple is notoriously unhelpful when it comes to opening up parts of their OS to outsiders. And the locked nature of Apple devices adds to this problem. Apple controls the underlying device infrastructure and will not relinquish this control. For example, iOS blocks apps from reading phone number, device UDID etc. from the device. In Android, app developers can pragmatically query all the device information, including the phone number.

The same philosophy is channeled through to the app vetting process for the Apple App store. In comparison with Android apps, iOS apps go through a stringent and thorough process before the app is approved and available for the general userbase to download. Google doesn’t thoroughly test Android apps before they go live onto the Google Play Store. Consider this recent example: a simple Android photo app named Meitu requires authorization to access location, phone status and identity, and a host of sensitive cellular functionality that has absolutely nothing to do with photo editing.

So Which Is More Secure?
Quite frankly, the answer to this question can change day by day. If a major security vulnerability is discovered, such as the aforementioned Stagefright, then that OS becomes incredibly insecure until the vulnerability is fixed. But in a perfect world where no current vulnerabilities exist, then both are equally secure.

The choice boils down to this: If you are comfortable allowing a monolithic company drive the security of your enterprise mobile apps, then iOS might be the most secure for you. (Not to mention Apple’s thorough app vetting process that blocks most of the malicious apps before they even show up on the Apple App Store.) But if you would rather put your trust in a more rapid, open-source development lifecycle in the belief that this is the best way to ensure that vulnerabilities are fixed quickly, Google Android might be the better option. 

Related Content:

• Apple Finally Launches Bug Bounty Program
• Google Adds New Kernel-Level Protections For Android
• Black Hat USA 2016: Mobile Hacking

Satish Shetty is CEO and founder of Codeproof Technologies, an enterprise mobile security company. Shetty has more than 20 years of security and enterprise software development experience. A recognized leader in the mobile device management space, Shetty also has several … View Full Bio

Article source: http://www.darkreading.com/mobile/enterprise-android-vs-ios-which-is-more-secure/a/d-id/1328068?_mc=RSS_DR_EDT

Researchers at Ben-Gurion University of the Negev claim they have developed a technique based on sequences of gestures that identifies a smartphone thief in under 14 seconds.

“It can even be faster, a matter of seconds, depending on how many gestures there are,” says BGU researcher Liron Ben Kimon.

According to Ben Kimon, the researchers culled information from 20 users over a two-week period last fall to develop a model that shows unauthorized users can be identified in under 14 seconds with less than 35 screen actions. She says on average, a user touches a smartphone screen 35 times in 13.8 seconds.

The verification model extracts information from a smartphone’s sensors to identify frequency, pressure and speed of touch combined with the application used. The program also computes 30 seconds of recent history, such as which screens a user touched, the buttons he or she pressed, and how much electricity was used.

“A thief will almost certainly touch the screen more than 35 times to steal information because he is not familiar with an owner’s phone settings and apps,” Ben Kimon said in an announcement of the research today. “The phone can learn the typical touch and sequence pattern and lock out an unauthorized user to prevent data theft or someone you don’t want looking at your messages.”

Ben Kimon underscores that this is still in the research stages and no commercial applications have been formally discussed. Kimon says it would be possible for the system to send an alert to an organization’s incident response system.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Article source: http://www.darkreading.com/mobile/new-method-can-catch-smartphone-thieves-in-14-seconds-/d/d-id/1328075?_mc=RSS_DR_EDT