STE WILLIAMS

Outsider Attacks Give Nightmares To CIOs, CEOs, CISOs


Cyberattacks via mobile devices, physical security and malware top the list of threats that US companies are not ready to handle, according to a recent Bitdefender study.

Outsider attacks, data vulnerability and insider sabotage are the main threats companies aren’t ready to handle, according to a Bitdefender survey of 250 IT decision makers at US companies with more than 1,000 PCs.

CIOs know that cybercriminals can spend large amounts of time inside organizations without being detected; Advanced Persistent Threats (APTs) are often defined as threats designed to evade detection.

Accessing any type of data, whether stored in the private or public cloud, needs to be done via multiple authentication mechanisms, Bitdefender’s security specialists recommend. This should involve more than just usernames and passwords. For access to critical data, two-factor or biometric data offers additional control and authorization of qualified and accepted personnel. This is especially significant in organizations where access to critical and sensitive data is restricted, and only then under strict security protocols and advanced authentication mechanisms.

Image Source: Bitdefender

Insider sabotage is the third threat IT decision makers can’t yet handle
“To limit the risks of insider sabotage and user errors, companies must establish strong policies and protocols, and restrict the ways employees use equipment and infrastructure or privileges inside the company network,” recommends Bogdan Botezatu, Bitdefender’s senior e-threat specialist. “The IT department must create policies for proper usage of the equipment, and ensure they are implemented.”

In the past two years, companies witnessed a rise in security incidents and breaches, with a significant increase in documented APT type of attacks targeting top corporations or government entities (such as APT-28). This type of attack intends to exfiltrate sensitive data over a long period, or silently cripple industrial processes. In this context, concerns for security are rising to the top, with decisions taken at board level in most companies.

IT decision makers, CISOs and CEOs are all concerned about security, not only because of the cost of a breach (unavailable resources and/or money lost), but also because their company’s reputation is at risk when customer data is lost or exposed to criminals. The more media coverage a security breach receives, the greater the complexity of the malware causing it. On top of this, migrating corporate information from traditional data centers to a cloud infrastructure has significantly increased companies’ attackable surface, bringing new threats and more worries regarding the safety of the data.

The demand for hybrid cloud, a mix of public cloud services and privately owned data centers, is estimated to be growing at a compound rate of 27% a year, outpacing overall IT market growth, according to researcher Markets and Markets. The company said it expects the hybrid cloud market to reach $85 billion in 2019, up from $25 billion in 2014. (Read the full white paper here.)

This survey was conducted in October 2016 by iSense Solutions for Bitdefender on 250 IT security purchase professionals (CIOs/CEOs/CISOs – 26 percent, IT managers/directors – 56 percent, IT system administrators – 10 percent, IT support specialists – 5 percent, and others), from enterprises with 1,000+ PCs based in the United States of America.

Razvan, a security specialist at Bitdefender, is passionate about supporting SMEs in building communities and exchanging knowledge on entrepreneurship. A former business journalist, he enjoys taking innovative approaches to hot topics and believes that the massive amount of …

Article source: http://www.darkreading.com/partner-perspectives/outsider-attacks-give-nightmares-to-cios-ceos-cisos/a/d-id/1328019?_mc=RSS_DR_EDT

Ransomware Attack On CCTV Cameras In Washington DC Ahead Of Trump Inauguration

Around 70% of public surveillance cameras were found non-functional due to attack by two ransomware variants.

Washington DC police were the victims of a cyberattack just before the Donald Trump inauguration when 123 of its 187 network video recorders were found to have fallen prey to two ransomware strains, reports Graham Cluley. However, there was no major adverse impact, and the software on the affected recorders was removed and reinstalled.

The police were alerted on January 12 after they found that the network video recorders at four of their camera sites, with around four CCTV cameras connected to each recorder, were not functioning, says Graham Cluley, quoting The Washington Post. As a result, public surveillance footage between January 12 and 15 was not recorded by 70% of the cameras.

The department’s Chief Technology Officer Archana Vemulapalli said the system was designed so that the camera network was isolated, which prevented the ransomware from spreading to other networks.

Read more here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/ransomware-attack-on-cctv-cameras-in-washington-dc-ahead-of-trump-inauguration/d/d-id/1328016?_mc=RSS_DR_EDT

Report Says Death Of The Password Greatly Exaggerated

Passwords are far from dead – thanks to the Internet of Things, the traditional authentication mechanism will explode in the next decade.

By 2020, the exchange of data between systems will require more than 300 billion human and machine passwords to authenticate, according to a new report out today that concludes that the growth of internet of things (IoT) devices and online accounts will drive this password explosion.

In spite of some hopeful technologists’ predictions of a password-free future, the report’s authors posit that this won’t come to fruition anytime soon if at all. And in the meantime, they believe the password situation will continue to mushroom. 

“Passwords are not dead, in fact, the footprint of passwords will significantly grow over the next four years,” says Joseph Carson, a cybersecurity expert with Thycotic, which with Cybersecurity Ventures co-authored the report.

Carson points to failed predictions such as one from IBM back in 2011 that there would be no more passwords by 2016 as completely off the mark when it comes to maintaining authentication over systems today. “Some companies have supplemented with multifactor authentication such as biometrics; however, they’ve never replaced passwords,” he says. 

As Carson explains, biometrics were once lauded as the ultimate password replacement, but the more analysis that is done, the more clear it becomes that these authenticators are not a good out-and-out replacement for shared secrets.

“Biometrics will never, ever replace passwords. The main challenge is that passwords can be changed; they can be rotated, managed, and protected,” Carson says. “But if a biometric authenticator is ever compromised, you can’t ever replace it.”

Given that and the fact that passwords are on track to continue to accumulate, it is crucial for enterprises to take stock of their password threat exposure. Just in the Fortune 500 alone, the report predicts that employees will be juggling a total of 5.4 billion password-protected accounts by 2020, with about 1.35 million privileged accounts. 

As users increasingly deal with dozens of accounts at a time, it can be easy for them to look for shortcuts in how they manage and maintain their password portfolio. Carson warns that good password hygiene is essential and that users need to be mindful of risks that they may not have considered. For example, the “social factor” of single-sign-on systems through social media accounts is putting out a tremendous volume of additional passwords that are vulnerable to theft but opaque to the user.

As Carson explains, many people mistakenly believe that when they use a social account to sign in somewhere else, this is just a one-time use password being generated. 

“However, it is actually creating a continuous connection between that vendor and your profile, and that account continues,” he says. “Those passwords are unmanaged, unchanged, and not clearly transparent to the human who owns them. That’s something that definitely needs to be addressed.”


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/endpoint/report-says-death-of-the-password-greatly-exaggerated/d/d-id/1328022?_mc=RSS_DR_EDT

Do I have to hand over bank and social media details at the US border?

US border agents are asking travelers to hand over their phones and access to their online accounts – be it Facebook, bank accounts, text messages and/or photos – according to a Houston immigration lawyer.

The lawyer, Mana Yegani, is a member of the American Immigration Lawyers Association (AILA). She sent out this tweet on Saturday:

Yegani told me that she’s getting her information from travelers who’ve said that border patrol agents have been asking for people’s phones and interrogating them about their Facebook posts and political views.

This isn’t necessarily new. The association confirmed to The Independent that it’s been getting anecdotal reports of people’s social media accounts being targeted, but that border agents have been doing so for several years, despite doubts over whether it’s constitutional.

One of the anecdotes about people whose phones were searched over the weekend concerns a traveler using a student visa. Border patrol wanted to see his bank balance, Yegani said, to make sure he had the type of money that they’d expect a bona fide student would need to live here.

This all went down within hours of President Donald Trump’s ban on immigration from seven predominantly Muslim countries, which abruptly began on Friday and sent protesters to flood airports across the US over the weekend.

Scouring of phones and online accounts isn’t happening to every traveler, Yegani said. It’s being done on a “case-by-case basis” and ad hoc, as if the agents haven’t received guidance and don’t have a checklist dictating which accounts to check and what to check for.

She hasn’t received any reports of travelers resisting, but that’s not surprising, Yegani said.

[Foreigners traveling on a visa] are at the weakest level. A person like that is not a US citizen. They’re on a valid visa, but they’re at the mercy [of the agents] who decide whether they should be detained or admitted into the country.

It’s not clear whether this is related to the plan to collect travelers’ social media details that was concocted by the Department of Homeland Security’s (DHS) Customs and Border Protection (CBP) agency in June and quietly enacted in December, in spite of scathing criticism from tech giants and advocates for human and civil rights.

Critics attacked the proposed program, saying that the social media account collection program would “invade individual privacy and imperil freedom of expression” while achieving nothing.

The CBP’s program requesting social media account details was supposed to be opt-in, as opposed to mandatory, but as critics pointed out, not many travelers would likely know that they had the right to refuse such a request. Nor would they be likely to have the confidence to deny anything to US officials who hold their fate in their hands.

Presumably, we’re hearing of social media account interrogation at the border not because it’s new or necessarily has anything to do with the CBP’s program, but more likely that it’s being ramped up in accordance with Trump’s ban.

US laws around cell phone privacy are fluid. In general, courts have ruled that suspects can be compelled to unlock their phones with biometrics such as fingerprints without violating Fifth Amendment protection against self-incrimination, but that suspects can’t be compelled to give up their passcodes, since a passcode is something we know that can be used against us.

Travelers’ rights vary depending on what type of visa they hold, and Yegani is advising travelers to speak to an attorney before they travel to establish what those rights are.

She had this to say about possible retaliation for refusing to hand over your phone when a border patrol agent requests it:

We’re not telling people to stand up and protest. Just to know they have certain rights. It changes your confidence level. If they tell you to sign a piece of paper, you can say, “I’d like to speak to a lawyer.” Or to your congressperson.

That doesn’t mean you’ll get to do that. But at least you can ask, she said.

On Sunday night, the American Civil Liberties Union (ACLU) put out a call for specific accounts of those affected by the travel ban. ACLU National Political Director Faiz Shakir directed those affected to write to the ACLU at this email address.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Vrxda1APNfc/

‘I’m not a robot’ verification test beaten by … a robot

It is not time to panic. This is not the end of internet verification checks to make sure we’re humans. This is not the final triumph of bots over bods.

This is just the tale of one robotic arm using a capacitive stylus to move a mouse on a stylus in that quivery, human-like manner that hopefully/sometimes assures online sites that we’re human.

The video was uploaded by YouTuber Matt Unsworth – about whom we know precious little besides the fact that he has access to googly eyes to put on top of his robot arm – last Tuesday.

The robot, clutching the stylus in its claw, ticks off the “I’m not a robot” button after some painfully slow scritching. Then, it opens its claw wide and lets loose the stylus in a perfect mic drop.

…A la our recently departed POTUS No. 44:

It well may be controlled by a human behind the scenes. If that human has plans to trick sites into falling for nefarious robots who really are robots even if they’re faking quivery human movement, he’s going to have to pick up the pace.

After all, CAPTCHAs – Completely Automated Procedures for Telling Computers and Humans Apart – are designed to make it costly and complicated for crooks to write programs that can rapidly do things like register for hundreds of free email accounts. Not slowly, painfully register for hundreds of free email accounts at a pace of a snail frozen in February molasses.

We got the quivery click test a few years ago, when Google simplified its prove-you’re-a-human reCAPTCHA test. To prove we’re not automated bots, it gave us a single, hopefully quivery “I’m not a robot” click to replace the previous deciphering of blobby melted characters and mathematical problems that made our brains hurt.

Google called the new version Invisible reCAPTCHA.

Announced in December, the free service is designed to protect sites and apps from spam and abuse without any need for users to click in a quivery human fashion, select all the kitten pictures on their mobile devices or jump through whatever other hoops developers set up to prove we’re real.

So basically, googly-eyed robot arm can gloat about having beaten the “I’m not a robot test,” and sure, pixellated sunglasses can drop down onto its googly eyes because it thinks it’s all that, but c’mon, it beat Captcha technology that’s on the brink of being outmoded.

Deal with THAT, googly-eyed robot arm!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/y2zEHJG45jw/

We see you, ransomware flingers, testing out your baddest stuff on… Germany?

A security firm has floated the theory that malware authors are using German firms as a testing ground for their wares prior to wider distribution.

Four in five (81 per cent) of ransomware detected in corporate environments occurred in North America. Germany is the second-most impacted country by ransomware, leading Malwarebytes to theorise that malware authors could be using companies in Germany as a testbed for their wares.

Anti-malware firm Malwarebytes said ransomware distribution last year more than trebled, increasing 267 per cent between January 2016 and November 2016 alone.

In the fourth quarter of 2016 alone, anti-malware firm Malwarebytes said it had catalogued nearly 400 variants of ransomware. Ransomware detections accounted for 12.3 per cent of all enterprise threats, but only 1.8 per cent of consumer threats.

Ad fraud malware, led by Kovter malware, exceeded ransomware detections at times, with two-thirds of all infections logged by Malwarebytes cropping up in the US.

Elsewhere, Asia and Europe saw sporadic spikes in botnet activity. For example, the Kelihos botnet grew 785 per cent in July and 960 per cent in October, while IRCBot grew 667 per cent in August and Qbot grew 261 per cent in November.

Malwarebytes’ global state of malware report can be found here (pdf).

Ransomware is a type of malware that encrypts files on infected PCs before demanding extortionate payments in return for the encryption keys needed to unlock compromised data. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/31/ransomware_sitrep_report/

You’re taking the p… Linux encryption app Cryptkeeper has universal password: ‘p’

Linux encryption app Cryptkeeper has a bug that causes it to use a single-letter universal decryption password: ‘p’.

The flawed version is in Debian 9 (Stretch), currently in testing, but not in Debian 8 (Jessie). The bug appears to be a result of a bad interaction with the encfs encrypted filesystem’s command line interface: Cryptkeeper invokes encfs and attempts to enter paranoia mode with a simulated ‘p’ keypress – instead, it sets passwords for folders to just that letter.

Cryptkeeper’s developer appears to have abandoned the project. Luckily, it’s not used by that many people – although it makes the bug no less tragically hilarious. It essentially executes this code to pass parameters to encfs:

write (fd[1], "p\n", 2);                      /* meant as the 'p' (paranoia mode) menu choice plus newline */
write (fd[1], password, strlen (password));   /* the real password */
write (fd[1], "\n", 1);                       /* terminating newline; none of the return values are checked */

However, encfs is executed with the -S switch which means it’s supposed to read the password from stdin without a prompt. Previously, encfs was bugged and didn’t quite do this. A bugfix corrected its operation to match its documentation – which made it incompatible with Cryptkeeper’s assumptions.

So that’s why Cryptkeeper sets all its directory passwords to ‘p’: encfs was updated and that broke Cryptkeeper’s interface.

Debian developer Simon McVittie has recommended the app be punted out of the Linux distro entirely.

“It looks as though cryptkeeper makes assumptions about encfs’ command-line interface that are no longer valid,” McVittie says in a bug report thread.

Cryptkeeper … Type ‘p’ for pwned.

“I also notice that cryptkeeper does not check what write() and close() return during its interactions with encfs, which seems very likely to lead to undesired results.

“I have recommended that the release team remove this package from stretch: it currently gives a false sense of security that is worse than not encrypting at all.” ®
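The failure mode described above, reconstructed as an added example that is not Cryptkeeper’s or encfs’s code: one reader expects a menu line (‘p’) before the password, the other, like encfs with -S, takes the first line on stdin as the password, and both are fed the same three writes Cryptkeeper issues. It also includes the write_all wrapper that McVittie’s remark about unchecked write() return values calls for. The function names, the two parsing modes and the sample password are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Copy the line at *p (up to but excluding '\n') into out.
 * Returns a pointer just past the consumed line, or NULL if out is too small. */
static const char *take_line(const char *p, char *out, size_t outsz)
{
    size_t n = 0;
    while (*p != '\0' && *p != '\n') {
        if (n + 1 >= outsz)
            return NULL;
        out[n++] = *p++;
    }
    out[n] = '\0';
    if (*p == '\n')
        p++;
    return p;
}

/* Hypothetical "old encfs" reader (what Cryptkeeper assumed): a menu line
 * comes first ('p' selects paranoia mode), then the password line. */
int password_interactive(const char *input, char *out, size_t outsz)
{
    char menu[8];
    const char *p = take_line(input, menu, sizeof menu);
    if (p == NULL || strcmp(menu, "p") != 0)
        return -1;                         /* unexpected menu choice */
    return take_line(p, out, outsz) ? 0 : -1;
}

/* Hypothetical "-S" reader: no prompt, the first stdin line IS the password. */
int password_from_stdin(const char *input, char *out, size_t outsz)
{
    return take_line(input, out, outsz) ? 0 : -1;
}

/* write(2) may write fewer bytes than requested or fail outright;
 * loop until everything is written and report failure instead of ignoring it. */
int write_all(int fd, const void *buf, size_t n)
{
    const char *p = buf;
    while (n > 0) {
        ssize_t w = write(fd, p, n);
        if (w < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        p += w;
        n -= (size_t)w;
    }
    return 0;
}

/* Push the article's three writes through a real pipe and return what an
 * -S style reader on the other end takes as the password. 0 on success. */
int feed_through_pipe(const char *password, char *seen, size_t seensz)
{
    int fd[2];
    char buf[256];
    ssize_t r;
    if (pipe(fd) != 0)
        return -1;
    if (write_all(fd[1], "p\n", 2) != 0 ||
        write_all(fd[1], password, strlen(password)) != 0 ||
        write_all(fd[1], "\n", 1) != 0) {
        close(fd[0]);
        close(fd[1]);
        return -1;
    }
    close(fd[1]);
    r = read(fd[0], buf, sizeof buf - 1);   /* all bytes are already buffered */
    close(fd[0]);
    if (r < 0)
        return -1;
    buf[r] = '\0';
    return password_from_stdin(buf, seen, seensz);
}

int main(void)
{
    char pw[64];
    const char *bytes = "p\nhunter2\n";     /* constructed sample input */
    password_interactive(bytes, pw, sizeof pw);
    printf("menu-then-password reader sees: %s\n", pw);
    password_from_stdin(bytes, pw, sizeof pw);
    printf("-S style reader sees:           %s\n", pw);
    feed_through_pipe("hunter2", pw, sizeof pw);
    printf("through a real pipe:            %s\n", pw);
    return 0;
}
```

The same bytes yield the intended password under the first reader and the single letter ‘p’ under the second, which is exactly the mismatch the encfs fix exposed; a caller that checks what write_all returns at least learns when the child never received the password at all.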

Sponsored:
Customer Identity and Access Management

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/31/cryptkeeper_cooked/

Infosec industry to drive machine learning spend surge says analyst

The information security industry’s rush to adopt machine learning will help businesses burn US$96 billion on big data, intelligence, and analytics by 2021, says research house ABI.

The report by lead number cruncher Dimitrios Pavlakis claims User and Entity Behavior Analytics (UEBA) and “deep learning algorithm designs” will be widely adopted by security companies as they collectively put big data to work detecting threats.

The former machine learning technology, UEBA, is correlation on steroids, capable of detecting anomalies that can indicate if staff logins have been compromised and are being tested across the enterprise network.

It can learn the activities and services most typical of a user and generate alerts when something anomalous occurs, such as login attempts to odd network shares. Vendors are buying up across the space, including Splunk’s purchase of Caspida and ArcSight selling Securonix.

Antivirus vendors, Pavlakis says, are contributing too. Cylance, for example, is pitching its fuzzy anti-malware capabilities as something that sits in the much-claimed but difficult-to-achieve artificial intelligence space.

Additionally, “… the cyber security industry is investing heavily in machine learning in hopes of providing a more dynamic deterrent,” Pavlakis says.

“This will drive machine learning solutions to soon emerge as the new norm beyond Security Information and Event Management, and ultimately displace a large portion of traditional antivirus, heuristics, and signature-based systems within the next five years.”

Pavlakis says signature-based antivirus will be “absorbed completely” into machine learning technology and agrees with wider analyst predictions that SIEM logging will be cleaved off and woven into UEBA.

Vendors including Gurucul; Niara; Splunk; StatusToday; Trudera, and Vectra Networks are wannabe UEBA innovator leaders in a market that counts Deep Instinct and Spark Cognition as entrants bearing feature-agnostic models, deep learning, and natural language processing, he says. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/31/infosec_ai_push/

Apple kills activation lock check, possible dirty stolen device hack

Apple has closed its iCloud activation lock check in a possible move to neuter a bypass method that allowed stolen devices to be reactivated at the expense of legitimate devices.

Cupertino’s shuttered iCloud activation lock feature allowed users to check if a second-hand device was registered and locked to a previous owner, a security measure that renders devices unusable unless the owner’s username and password are entered.

The closure could be in response to a reckless activation lock workaround method reported by MacRumors that allowed users to modify hardware chips for stolen activation-restricted Apple devices.

The hack pinches a legitimate serial number from Apple users and applies it to the modified chip, allowing the activation process to continue.

It is not clear if the tampering method is behind Apple’s closure of the activation lock feature, but user reports have surfaced recently that legitimate iPhones and iPads have been inexplicably activation locked to other users’ accounts.


Buyers wishing to check the activation lock status of second-hand Apple devices can still do so provided they have physical access to the units.

Apple has been asked for comment. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/31/apple_kills_activation_lock_check/

OpenSSL pushes trio of DoS-busting patches

OpenSSL has released patches for a trio of denial-of-service bugs.

The first (CVE-2017-3731), turned up by Google’s Robert Święcki, only affects SSL/TLS servers running on 32-bit hosts. Depending on the cipher the host is using, a truncated packet crashes the system by triggering an out-of-bounds read.

It’s version-specific: under OpenSSL 1.1.0 the relevant cipher is CHACHA20/POLY1305 and it’s fixed in 1.1.0d. In OpenSSL 1.0.2, RC4-MD5 (which should have been disabled) is the target, and it’s fixed in version 1.0.2k.

In the second (CVE-2017-3730), clients can be crashed if a malicious server supplies bad Diffie-Hellman parameters in DHE/ECDHE (ephemeral) mode. The client is tricked into trying to dereference a NULL pointer. This only affects OpenSSL 1.1.0 and is fixed in 1.1.0d.

The OpenSSL advisory adds: “Note that this issue was fixed prior to it being recognised as a security concern. This means the git commit with the fix does not contain the CVE identifier. The relevant fix commit can be identified by commit hash efbe126e3.”

There’s a carry propagating bug in the x86_64 Montgomery squaring procedure (CVE-2017-3732). This is also fixed in OpenSSL 1.1.0d and 1.0.2k, and the advisory notes it would be difficult to exploit.

“The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers”, the advisory says.

The advisory is here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/31/openssl_patches/