STE WILLIAMS

S2 Ep14: Samsung fingerprint fail, mystery black boxes and invisible Android apps – Naked Security Podcast

This week host Anna Brading is joined by Sophos experts Mark Stockley and – for his last appearance – Matt Boddy.

This week we discuss a screen protector that bypasses fingerprint readers on Samsung’s flagship smartphones, icon-hiding Android adware and a mystery black box.

Listen below, or wherever you get your podcasts – just search for Naked Security.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jXRm-gfsGy0/

Google warns devs as it tightens Chrome cookie security: Stuff will break if you’re not clued up

Google is asking developers to get ready for more secure cookie settings to be implemented in Chrome 80 that is planned for release in February 2020.

The announced changes relate to the SameSite cookie attribute. First specified in July 2016, the SameSite attribute is set by the developer when the cookie is planted, and can be either “strict”, “lax”, “none” or omitted.

These settings (provided the browser supports them) control what happens when the browser requests content from a site other than the one you are visiting, such as when an ad is displayed. If it is set to strict, no cookies are sent to the third-party site. If it is set to lax, no cookies are sent unless you click a link that takes you to that site, in which case they are sent. If it is set to none, cookies set by the third-party site are always sent.

The SameSite attribute protects users from cross-site request forgery, where you are logged into site A and a script on site B impersonates you by sending a request to site A. If site A receives your session cookie, that request would appear to come from you.


The major browsers, including Chrome, have supported this attribute for years, but Google has been gradually tightening security. Now it is moving to the next stage and implementing two changes:

  • Cookies with no SameSite attribute specified will be treated as “lax” rather than “none”. Many developers do not bother to set this attribute so this will block a ton of cookies that are currently sent.
  • Even cookies set to SameSite=None will not be sent across sites unless they are also tagged with the Secure attribute, requiring an encrypted connection.

Google is flagging up this issue for developers because the change in behaviour could break some features, such as single sign-on for business applications, if developers do not implement the required attributes. The change also impacts frameworks that set cookies. Enterprise administrators will be able to disable the new behaviour if necessary.
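To make the two changes concrete, here is an added illustration (not Chrome's code and not from The Register's article) of how a browser decides whether to attach a cookie to a request under the SameSite rules described above, run once with the old defaults and once with the Chrome 80 defaults. The Set-Cookie headers and the request descriptions are constructed samples; the model deliberately ignores Path, Domain and expiry handling.

```javascript
// Added illustration (not Chrome's code): a minimal model of the SameSite decision
// a browser makes before attaching a cookie to a request. Cookie headers and request
// descriptions below are constructed for the example.

// Parse a Set-Cookie header into its name, value and the two attributes that matter here.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: nameValue.slice(0, eq),
    value: nameValue.slice(eq + 1),
    sameSite: null, // null means the attribute was omitted
    secure: false,
  };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    const k = key.trim().toLowerCase();
    if (k === 'secure') cookie.secure = true;
    else if (k === 'samesite') cookie.sameSite = val.trim().toLowerCase();
  }
  return cookie;
}

// First Chrome 80 change: an omitted (or unrecognised) SameSite value used to behave
// like "none"; from Chrome 80 it is treated as "lax".
function effectiveMode(cookie, chrome80Rules) {
  const mode = cookie.sameSite;
  if (mode === 'strict' || mode === 'lax' || mode === 'none') return mode;
  return chrome80Rules ? 'lax' : 'none';
}

// Second Chrome 80 change: SameSite=None is only honoured together with Secure.
// A None cookie without Secure is rejected when the site tries to set it.
function isAccepted(cookie, chrome80Rules) {
  if (chrome80Rules && effectiveMode(cookie, chrome80Rules) === 'none' && !cookie.secure) {
    return false;
  }
  return true;
}

// request: { crossSite, topLevelNavigation, method, https }
function shouldSend(cookie, request, chrome80Rules) {
  if (cookie.secure && !request.https) return false; // Secure cookies need an encrypted connection
  if (!request.crossSite) return true;               // same-site requests: SameSite does not apply
  switch (effectiveMode(cookie, chrome80Rules)) {
    case 'strict': return false;                     // never sent cross-site
    case 'lax':    return request.topLevelNavigation && request.method === 'GET'; // link clicks only
    case 'none':   return true;                      // always sent cross-site
  }
  return false;
}

// Names of the cookies a browser would attach to `request`, given the site's Set-Cookie headers.
function cookiesSentFor(setCookieHeaders, request, chrome80Rules) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => isAccepted(c, chrome80Rules))
    .filter((c) => shouldSend(c, request, chrome80Rules))
    .map((c) => c.name);
}

// Constructed sample: four cookies as "site A" might set them.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly',          // SameSite omitted, the common case
  'tracker=t-1; SameSite=None',                // wants cross-site use but lacks Secure
  'ads=ad-9; SameSite=None; Secure',           // cross-site use, correctly tagged
  'csrf_strict=s-7; SameSite=Strict; Secure',  // only ever sent from site A's own context
];

// Constructed requests: a forged POST from site B to site A (the CSRF case in the
// article), a user clicking a link on site B that navigates to site A, and a
// same-site form submission on site A itself.
const FORGED_POST_FROM_B = { crossSite: true, topLevelNavigation: false, method: 'POST', https: true };
const LINK_CLICK_FROM_B  = { crossSite: true, topLevelNavigation: true,  method: 'GET',  https: true };
const SAME_SITE_POST     = { crossSite: false, topLevelNavigation: false, method: 'POST', https: true };

console.log('old defaults, forged POST :', cookiesSentFor(SAMPLE_HEADERS, FORGED_POST_FROM_B, false));
console.log('Chrome 80,    forged POST :', cookiesSentFor(SAMPLE_HEADERS, FORGED_POST_FROM_B, true));
console.log('Chrome 80,    link click  :', cookiesSentFor(SAMPLE_HEADERS, LINK_CLICK_FROM_B, true));
console.log('Chrome 80,    same-site   :', cookiesSentFor(SAMPLE_HEADERS, SAME_SITE_POST, true));
```

Under the old defaults the forged POST carries the `session` cookie, so site A cannot tell it from a real request; under the Chrome 80 rules the same request arrives with only the `ads` cookie, which is the cross-site request forgery protection the article describes. The `tracker` cookie disappears entirely because it asked for `SameSite=None` without `Secure`, and the `session` cookie is still sent on a plain link click, which is why the `lax` default breaks far fewer sites than `strict` would while still stopping forged form posts.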

Although this is a welcome (perhaps overdue) change, it is not great for tracking protection, since advertisers that want to set tracking cookies can simply ensure that they set the required attributes. Users can of course enable “Block third-party cookies” in the browser, but this is off by default in most browsers since it breaks functionality. Firefox, for example, warns that blocking all third-party cookies “may cause websites to break”.

Firefox offers specific blocking of tracking cookies, and warns against blocking all third-party cookies

Mozilla has taken a more proactive line on the matter of tracking cookies by using a list of services that set tracking cookies and blocking third-party cookies from those sites only. This is now on by default in Firefox, but to use it in Chrome you need an extension.

You can block all third-party cookies in Chrome, but it is a crude solution

Google takes a different view, arguing: “Blunt approaches to cookie blocking have been tried, and in response we have seen some user-tracking efforts move underground, employing harder-to-detect methods that subvert cookie controls. These methods, known as ‘fingerprinting,’ rely on various techniques to examine what makes a given user’s browser unique.”

Fingerprinting grabs what information it can about the user’s browser and machine to track identity without relying on cookies. Google is promising to “more aggressively restrict fingerprinting across the web”, but this is non-trivial and implementation will be imperfect. Google is also concerned about what it calls the “web ecosystem”, no doubt including its own income from advertising and investment in personalisation, which means it is not a neutral party in respect of this issue.

Google does note that, once we reach the point where all cross-site cookies have these attributes set, “browsers could offer users fine-grained controls to manage cookies that are only accessed by a single site separately from cookies accessed across multiple sites.” This is still challenging, though, since not all cross-site cookies are harmful.

Google’s efforts to tighten web standards are welcome in that as the maker of the dominant web browser, it has the clout to ensure that changes are implemented. That said, it lacks incentive to make its web browser the best in terms of privacy, which means rivals like Mozilla Firefox are likely to stay ahead in this area.®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/24/google_chrome_tightens_cookie_security/

Antivirus hid more than 9,000 ‘cybercrime’ reports from UK cops, says watchdog

Just one of Britain’s 43 police forces treats online crime as a priority – while the Action Fraud organisation managed to withhold 9,000 so-called cyber-crime reports from cops thanks to badly configured antivirus on its reporting portal, according to a government watchdog.

Software intended to screen reports about online threats sent to Action Fraud by members of the public was incorrectly triggered when members of the public, er, tried to report cyber threats against them.

A police database called Know Fraud, operated by the National Fraud Intelligence Bureau (NFIB), was incorrectly holding some detailed reports in quarantine after an “updating” of the system in October 2018.

“In some cases the automated system mistakenly identified reports as containing malicious coding,” said the poker-faced watchdog, Her Majesty’s Inspectorate of Constabularies and Fire and Rescue Services (HMICFRS). (This used to be called plain old HMIC until someone tacked on the fire brigade part.)

Around 9,000 reports were languishing in quarantine in April though as soon as HMICFRS began sniffing around, City of London Police – owners and operators of the NFIB – began work on the backlog, which they’d whittled down to 6,500 by July. The Press Association reported (via The Guardian newspaper) that supplier IBM would be carrying out a “review” of “security protocols”.

Meanwhile, though the report’s authors tried to strike a positive note in their summary and foreword, the detail gave the game away. More than a quarter of police forces “told us that cyber-dependent crime, and cybercrime more generally, were not a specific strategic priority,” said HMICFRS.

Businesses reporting cybercrimes against them “were less likely to be considered vulnerable” by police workers, even though the NFIB stated a few months ago that businesses were at a “high risk of becoming victims” of cybercrime – prompting police to treat them “differently from other victims” and even delaying their response, particularly for SMEs.

Although all UK police forces now have cybercrime units, it appears from the HMICFRS report that there is something of an internal police power struggle over which police units should receive, classify and allocate online crime reports for investigation – as well as deciding who gets to investigate, potentially landing the lucky cops with a lucrative outcome and positive PR. While Action Fraud (the preferred initial point of contact) is increasingly seen by the general public as an ineffectual front that does little to tackle crime, HMICFRS said it had “found several examples of forces not committing to the regionally managed, locally delivered model agreed by chief constables”.

Further, said HMICFRS, “the level of influence of the regional co-ordinator varied across the regions”, also noting that the quality of investigations varied across the country – and endorsing the idea that “investigations by the regional and national teams were, in our view, of considerably better quality overall than those done by local forces”.

The report can be read in full on the HMICFRS website. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/24/hmicfrs_report_cyber_crime/

Messing Around with IRS Scammers

Next time you just might want to answer the phone.

Source: Trilogy Media

What security-related videos have made you laugh? Let us know! Send them to [email protected].

Beyond the Edge content is curated by Dark Reading editors and created by external sources, credited for their work.

Article source: https://www.darkreading.com/edge/theedge/messing-around-with-irs-scammers/b/d-id/1336164?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Why Organizations Must Quantify Cyber-Risk in Business Terms

The rising costs of breaches and regulatory fines are driving demand for better measurement and articulation of business impacts.

There’s no doubt that cyber incidents are a top concern for business leaders today. Decision-makers around the world view data fraud, data theft, and cyberattacks as among the top five biggest risks they face, according to the World Economic Forum’s “Global Risks Report.” That’s because cyberattacks can have a huge impact on a business — look at the estimated $300 million in costs after the NotPetya malware shut down operations at Maersk and that Verizon paid $350 million less for Yahoo after it suffered two cyberattacks. The average cost of cybercrime to an organization has risen to $13 million, according to a recent Accenture report. For businesses of all sizes and industries, cyber-risk is business risk.

Security leaders who are struggling to get the resources and support they need to protect their environment against cyberattacks often have an uphill battle when it comes to making their case to the CEO and the board. That’s because they aren’t able to translate cyber-risk into language the business executives can relate to or even quantify the risk. The CFO and heads of every other business unit speak the language of business, but not the security teams. Security leaders need to quantify cyber-risk in business terms; they need to make clear what the impact could be on the organization’s value creation — business operations, reputation, and loss exposure in terms of dollars — all of which affect the future of the organization.

This problem is widespread. According to a recent study conducted by Ponemon and Tenable, more than 90% of respondents report experiencing at least one damaging cyberattack over the past two years, and 60% have had two or more. However, less than half of respondents say they measure the costs of cyber-risks, and only 41% attempt to actually quantify the damage. This lack of confidence in the accuracy of their measures means that security leaders aren’t sharing critical information with their boards about the business costs of cyber-risk. Indeed, some security leaders report that news headlines and perceived risks, rather than quantifiable ones, are driving some top-down decisions.

Risk Quantification Best Practices
Security leaders can learn from other industries about how to quantify risk in business terms, like financial services, which has been out in front when it comes to managing risk. People don’t let banks manage their life savings if they don’t understand the risks and guard against losses. Financial services and cybersecurity aren’t that dissimilar. Both feature increasingly complex systems and could suffer catastrophic damage in the event of failures that can cascade out into entire industries and geographies.

Cyber-risk varies depending on the type of organization affected and the potential harm. Two examples of cyberattacks that pose significant risk have targeted industries that are critical to the functioning of civil society. In 2015 and 2016, Ukraine’s power grid was disrupted by nation-state attacks. Just recently, US officials revealed a much less serious cyberattack in March that briefly affected a grid control center and small power generation sites in California, Utah, and Wyoming. Meanwhile, persistent ransomware attacks over the past few years have forced untold numbers of hospitals and cities in the US and elsewhere to pay cybercriminals in order to get their computers back online. In those examples, the loss of basic utility services and potential harm to human life are key factors in the risk equation. For most businesses, however, the cyber-risk is primarily reputational and financial as a result of: loss of business due to downtime; loss of customers; theft of intellectual property or data; legal, labor, and cleanup costs; and fines due to lack of compliance with regulations.

Reliable, Accurate Metrics
What do top executives and boards need to know to make informed business decisions that affect the organization’s security programs? They must discover where in their environment they have exposures using quantifiable metrics, including what data and assets are vulnerable, as well as the location of prior security incidents and how they happened. That information helps them prioritize technology purchases and deployments based on risk. Decision-makers also need to know how security teams are reducing their cyber exposure over time, as well as how they compare with their peers. Security teams must correlate vulnerability data with other risk indicators, such as threat intelligence and asset criticality, in order to automatically score, trend, and benchmark an organization’s cyber-risk.

There are a number of forces pushing organizations toward more effective cyber-risk management. The growing number of serious and costly cyberattacks has prompted boards and CEOs to take a more proactive role in understanding cyber threats and exposure. The rising costs of cyberattacks and data breaches and regulatory fines are driving demand for better measurement and articulation of business impacts. Many organizations have not adopted security metrics that reflect the role that cybersecurity plays as a core business enabler for organizations — but they need to. 

Robert Huber is Chief Security Officer at Tenable. He has more than 20 years of information security experience across financial, defense and critical infrastructure sectors. At Tenable, Robert oversees the company’s global security teams, working cross-functionally to reduce …

Article source: https://www.darkreading.com/risk/why-organizations-must-quantify-cyber-risk-in-business-terms/a/d-id/1336163?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Mobile Users Targeted With Malware, Tracked by Advertisers

Cybercriminals continue to seed app stores with malicious apps, advanced attackers successfully compromise mobile devices, and advertisers continue to track users, new reports show.

The ubiquity of mobile devices continues to attract attackers as malicious apps have surged 20% across third-party app stores, advertisers and tracking firms account for nine of 10 API calls for top mobile applications, and nation-state actors increasingly target mobile devices, according to a trio of reports released this week.

In one measure of the threat, the number of malicious apps blacklisted by RiskIQ increased 20% over the previous quarter and accounted for 2.1% of all apps tracked by RiskIQ – up from 1.95%, the company stated in its quarterly mobile threat report released on Oct. 24.

In a separate report, security-solutions provider BlackBerry Cylance found that a collection of nation-state actors — including China, Iran, and North Korea — have honed their ability to develop and deploy Android and iOS malware over more than a decade. The strong security of mobile platforms has pushed gray-market prices for “zero-click exploits” — attacks that can infect a device without any user interaction — up to $1 million for Android and $2.5 million for iOS devices, but the platforms still are not immune to attack, says Brian Robison, chief security evangelist at BlackBerry Cylance.

“This preconceived notion that app-store apps are actually safe is a fallacy,” he says. “The motivation behind the app stores has very little to do with security, and much more with protecting the app store’s profit margins as well as protecting the ways developers make money.”

Because so much user activity is conducted on mobile devices, they have naturally become a focus for third parties. While cybercriminals continue to strive to convince users to download and install malicious mobile apps, developers’ reliance on third-party advertising frameworks and other software development kits means that a host of companies have a detailed view into what consumers are doing on their devices.  

In a study of the ten most popular apps in the shopping and food-and-drink categories, The Media Trust, a security and privacy firm, found that 9 out of every 10 times an application reached out to the Internet, the software was contacting a third-party provider. On average, 13 third parties were privy to information during the installation of the software, while 23 vendors tracked purchases. About 70% of the cookies dropped by third parties were advertisers or ad-server networks. Another 18% of the cookies belonged to firms that tracked user behavior.

Often, even the app developers do not know all the third-party activity going on behind the scenes, The Media Trust said.

“App publishers should work with experts on monitoring their apps for unauthorized actors and activities,” the company stated in the report. “These third parties collect user information in real-time, ranging from data users enter to screenshots. Policing these third and nth parties’ activities is both time- and resource-intensive because of the digital supply chain’s lack of transparency, dynamism, and complexity.”

Advanced-threat groups, primarily nation-state actors, have also targeted mobile applications. Driven by two main goals, economic and political espionage and surveillance of dissidents and perceived threats, nation-state actors are targeting mobile devices because of their ubiquity. The assumption that the mobile ecosystem can protect mobile users from such a class of attackers is spurious, says Blackberry Cylance’s Robison.

“Definitely the attackers are getting far more sophisticated,” he says. “The mobile devices are getting far more complex, and it is easier to hide code in different areas and trick users to install the attacker’s code.”

Some Good News

Not all news is bad for mobile security. While advanced attackers have been able to circumvent the security of devices, the app stores are getting better at finding malicious applications, and much of the increase in malicious applications is due to a few app stores where “you’re almost guaranteed to download a malicious app if you choose to patronize it,” according to RiskIQ’s report.

Google for years has focused on cleaning up bad actors on its Play store, and as a result, users have less chance of encountering malicious applications on the store, according to security firm RiskIQ. The number of blacklisted apps in Google’s Play store decreased by 59%, the company’s report stated.

“I doubt that the problem will ever fully be resolved just due to the nature and complexity of the Android ecosystem,” says Jordan Herman, a threat researcher at RiskIQ. “However, we’ve seen steady declines in both the actual numbers of malicious apps in their store and in the percentage of newly blacklisted apps versus the total newly added apps. It seems that their efforts are paying off.”

For the average person who is not a dissident and who does not shop third-party app stores, the most significant threat is the surveilling and profiling conducted by third-party advertising firms. Consumers should focus on reviewing the privacy practices and statements of third-party firms and look out for apps that require too many permissions, he says.

“Regardless of what store an app comes from, check the permissions the app is asking for,” says Herman. “If the permissions are unnecessary for the app’s purpose, or the permissions seem numerous, closer scrutiny of the app is not a bad thing.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/mobile/mobile-users-targeted-with-malware-tracked-by-advertisers/d/d-id/1336166?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Eight-Hour DDoS Attack Struck AWS Customers

Google Cloud Platform suffered issues around the same time as Amazon Web Services but claims they were not caused by DDoS.

A significant distributed denial-of-service (DDoS) attack lasting approximately eight hours affected Amazon Web Services yesterday, knocking its S3 service and other services offline between 10:30 a.m. and 6:30 p.m. PDT.

The attack struck AWS’s Route 53 DNS Web service, which led to outages for other services that require public DNS resolution: Elastic Load Balancing, Relational Database Service, and Elastic Compute Cloud. AWS alerted customers while the attack was ongoing to inform them of “intermittent errors with resolution of some AWS DNS names.” Starting at 5:16 p.m., a small number of specific DNS names experienced a higher error rate. The issues have been resolved.

Amazon says its Shield Advanced DDoS mitigation tool helped in managing the attack; however, some users were unable to connect because it categorized legitimate customer queries as malicious.

Around the same time as the AWS attack, Google Cloud Platform also experienced a range of problems. It’s believed the incidents are separate; GCP claims its issue was unrelated to DDoS.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/cloud/eight-hour-ddos-attack-struck-aws-customers/d/d-id/1336165?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

It’s Time to Improve Website Identity Indicators, Not Remove Them

Why Google and Mozilla are wrong about the benefits of Extended Validation certificates that aim to prevent fraud and protect user privacy.

We’re seeing much effort toward protecting consumer privacy worldwide — in Congress, with the GDPR, and other initiatives. But how can we protect web privacy without establishing the identity of the websites users visit? Extended Validation (EV) certificates are a highly effective way to provide this information and protect consumers.

However, Google and Mozilla have announced that they are eliminating interface indicators showing that a site has been authenticated with an EV certificate, arguing that the EV user interface does not protect users as intended. We believe this is a mistake and encourage them to come up with innovative ways to use EV data rather than hide it. Here are four reasons why.

Reason 1: EV has helped protect web identity and privacy for a decade.
For years, websites that want to show users their confirmed identity have gone through the EV process when buying SSL/TLS certificates from public certificate authorities (CAs). Similar to banking rules, EV certificates include encrypted, in-depth information about the business and the owner. Financial sites, online retailers, hospitals, and other businesses use them to protect their customers and their brands from phishers. The most common alternative to EV certificates is Domain Validation (DV) certificates, which contain no identity or contact information.

For the past decade, browsers have distinguished websites that use EV certificates with a distinctive indicator. This indicator conveys very useful information, as the incidence of phishing sites using EV is nearly zero. Once Google and Mozilla remove the EV indicator from their Chrome and Firefox browsers, users will only see a site’s URL, just as they do for DV sites. We believe this change is based on flawed analyses.

Reason 2: Phishing on DV sites is skyrocketing, and users are safer with EV.
Until recently, almost all phishing and malware was on unencrypted http sites that displayed a neutral UI. Users were trained to “look for the lock symbol” for security. But when Google and Mozilla incentivized websites to move to encryption through their “Not Secure” warnings, phishers’ motivation to include free, anonymous DV certificates increased. Predictably, virtually all phishing has now moved to DV-encrypted websites that display the lock symbol.

Browser companies contend that EV marks are unnecessary because end users don’t understand them. However, not all users are alike, and it would be more accurate to say “Not all users understand them.” For those who do understand, these browsers have taken away the opportunity to know when a site comes from a company with a known, verified identity.

Reason 3: EV indicators offer intuitive, proactive security.
Without the EV identity browser indicator, users are back to looking at the URL and trying to puzzle out if it’s legitimate or not. Or, if they’re lucky enough that the browser identifies a phishing site as such, they may receive a warning. URLs are notoriously difficult to parse, with many phishing techniques building upon the ability to create a confusing URL. Take the example of 2018’s massive British Airways breach, which compromised 380,000 customers’ personally identifiable information and payment data and was enabled by the use of the deceptive URL baways.com.

Some say the EV UI should go away because users don’t understand the specific organization information that’s displayed. We believe this is a reason to improve the indicator — not remove it.

An improved EV indicator would have the potential to offer proactive security, protecting users before they share data. Browser phishing filters are reactive, meaning some users will of necessity get hurt before the filters can find them. And to evade the filter, a banned phisher can simply shut down the offending site and then anonymously run the same scam from a new domain.

Some industry watchers object that if user trust in EV sites increases, then phishers will simply get EV certificates. That’s possible, but once a phisher with an EV certificate uses it for a scam, the issuer will surely revoke the certificate and add the organization’s name and domains to its flag list — blocking their ability to get another EV certificate from that CA forever. Therefore, sustainable, high-volume phishing schemes become unsustainable using EV certificates.

Reason 4: The industry needs an evolving EV standard.
Member companies of the CA Security Council were among those that put together the original EV specification, envisioning a standard that would continue to evolve and improve. To combat phishing and raise identity standards for websites, we believe browser companies should work together to develop common security indicators and work with CAs to help train and educate users on security best practices. 

As phishing attacks continue to increase and evolve, our identity and security standards — and user education — must as well. EV certificates represent a great opportunity for innovation and collaboration that will benefit web users and the whole industry.

Senior Fellow Tim Callan contributes to Sectigo’s standards and practices, industry relations, product roadmap, and go-to-market strategy. A founding member of the CA/Browser Forum, Tim has more than 20 years of experience as a product and strategic marketing leader for …

Article source: https://www.darkreading.com/risk/its-time-to-improve-website-identity-indicators-not-remove-them/a/d-id/1336141?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Apple Boots 17 Trojan-Laden Apps From Mobile Store

Malware was designed to carry out click-fraud, Wandera says.

Apple has removed 17 mobile apps from its App Store after a security vendor reported them as infected with malware.

But an unknown number of people who downloaded the free apps continue to be at risk of having their devices being used to quietly carry out ad-fraud related tasks such as continuously clicking on links or opening Web pages without any action on their part.

In a report Thursday, Wandera described the 17 malicious apps it found as containing clicker Trojan malware designed to generate revenues for their developer by fraudulently inflating traffic on pay-per-click websites. An attacker can also use such malware to drain the budgets of rival websites by artificially inflating the amount they owe to an ad network, Wandera said.

The apps were found receiving instructions from a known command-and-control server. Commands from the C2 server included those that could silently load websites, deliver targeted advertising, remotely reconfigure infected devices, and sign up users for expensive services without their knowledge.

The list of infected free apps, which Wandera has published on its website, included productivity, travel, platform utility, restaurant finder, and video-editing apps from India-based AppAspect Technologies. The developer currently appears to have at least 51 apps on Apple’s App Store, of which 35 are free.

Michael Covington, vice president of product at Wandera, says the company only tested the free apps. So it is unclear if AppAspect’s paid products are similarly infected.

Apple, unlike Google, does not provide any information on download numbers for apps on App Store. As a result, it’s hard to determine with any certainty how many people might have downloaded the infected AppAspect software, Covington says. But based on how the India-based developer’s Android versions of the same apps have performed, it is safe to assume that a significant number of iOS users have been impacted, he notes.

Wandera discovered nine AppAspect apps for Android on Google’s Play Store that are counterparts of the iOS versions. Those apps have nearly 1.1 million installs in total. “Because the developer seems to have spent more time developing on the Apple App Store — with 51 apps on the App Store versus 28 on Google Play — we assume their iOS apps reach even more users,” Covington says.

None of the 28 Android apps that AppAspect currently has on Google’s Play Store appear to be infected. However, some of the apps were previously reported as malicious and removed; the developer appears to have uploaded them to Play again without the malware, Wandera said.

Bypassing Security Controls

Both Apple and Google have implemented substantial measures over the years to quickly identify and remove rogue apps from their mobile app stores, and their respective stores remain by far the safest places for users to download iOS and Android apps. But the sheer volume of apps being uploaded to these stores and the ingenuity of some developers mean that malicious apps still get through regularly.

In Apple’s case, the company’s app review process is designed more to ensure that iOS apps meet usability and performance standards, Covington says.

Apple also verifies that developers’ API calls do what the developer says they do, and often rejects developers that violate the company’s rules for how an app should run.

“We believe these [AppAspect] apps bypassed the Apple vetting process because the Trojan developer didn’t put any ‘bad’ code directly into the app,” Covington notes. “Instead, the [apps were] configured to obtain commands and additional payloads directly from the C&C server, which is outside of Apple’s review purview.”
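The evasion Covington describes (nothing malicious in the shipped binary, with commands and payloads fetched from the C2 server at runtime) means store review will not catch these apps, and detection shifts to the network: a device that polls a command server on a fixed cadence and then opens ad pages nobody tapped. The script below is an added example, not Wandera’s tooling or anything from its report. It runs two checks over a few constructed mobile-gateway log lines: a beaconing check (inter-request gaps to one host that are almost constant) and a click-burst check (several ad-network hits within seconds). The log format, device IDs, hostnames (`c2.example.net`, `ads.example.org`) and thresholds are all assumptions made for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of mobile-gateway proxy logs in an assumed format:
# "<ISO timestamp> <device id> <host> <path>". Hosts and IDs are made up.
SAMPLE_LOG = """\
2019-10-24T10:00:00 ios-a1 c2.example.net /cmd
2019-10-24T10:00:00 ios-a1 photos.example.com /feed
2019-10-24T10:01:00 ios-a1 c2.example.net /cmd
2019-10-24T10:01:03 ios-a1 ads.example.org /click?id=1
2019-10-24T10:01:08 ios-a1 ads.example.org /click?id=2
2019-10-24T10:01:13 ios-a1 ads.example.org /click?id=3
2019-10-24T10:02:00 ios-a1 c2.example.net /cmd
2019-10-24T10:03:00 ios-a1 c2.example.net /cmd
2019-10-24T10:04:00 ios-a1 c2.example.net /cmd
2019-10-24T10:00:12 ios-b2 news.example.com /
2019-10-24T10:07:45 ios-b2 news.example.com /article/1
2019-10-24T10:21:03 ios-b2 photos.example.com /feed
2019-10-24T10:40:30 ios-b2 news.example.com /article/7
"""


def parse_log(text):
    """Yield (timestamp, device, host, path) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, host, path = line.split()
        yield datetime.fromisoformat(ts), device, host, path


def beaconing_hosts(records, min_hits=4, max_cv=0.2):
    """Return {(device, host): mean_gap_seconds} for pairs contacted at a
    near-constant cadence. A coefficient of variation (stdev / mean) of the
    inter-request gaps at or below max_cv is treated as machine-driven polling,
    which is what an app fetching commands from a C2 server looks like."""
    by_pair = defaultdict(list)
    for ts, device, host, _ in records:
        by_pair[(device, host)].append(ts)
    found = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_cv:
            found[pair] = mean
    return found


def click_bursts(records, ad_hosts, window_s=30, min_clicks=3):
    """Return the set of devices that hit an ad host min_clicks times within
    window_s seconds: the 'continuously clicking on links' behaviour of a
    clicker Trojan, far faster than a person taps ads."""
    by_device = defaultdict(list)
    for ts, device, host, _ in records:
        if host in ad_hosts:
            by_device[device].append(ts)
    flagged = set()
    for device, times in by_device.items():
        times.sort()
        for i in range(len(times) - min_clicks + 1):
            if (times[i + min_clicks - 1] - times[i]).total_seconds() <= window_s:
                flagged.add(device)
                break
    return flagged


def analyse(text, ad_hosts=frozenset({"ads.example.org"})):
    """Run both checks over a log text and return the findings."""
    records = list(parse_log(text))
    return {
        "beacons": beaconing_hosts(records),
        "click_bursts": click_bursts(records, ad_hosts),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for (device, host), gap in result["beacons"].items():
        print(f"{device}: polls {host} every ~{gap:.0f}s (beaconing)")
    for device in sorted(result["click_bursts"]):
        print(f"{device}: burst of ad clicks with no user activity")
```

On the sample, `ios-a1` is flagged on both counts (a 60-second poll of `c2.example.net` and three ad clicks in ten seconds) while `ios-b2`, whose browsing gaps are irregular, is not. Real implants usually add jitter to their polling interval, so in practice the `max_cv` threshold has to be looser than it is here, and a known-C2 blocklist such as the one Wandera matched against is the stronger signal when one is available.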


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/mobile/apple-boots-17-trojan-laden-apps-from-mobile-store/d/d-id/1336168?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Stalker app maker Retina-X settles FTC charges

Spyware maker Retina-X Studios has settled charges brought by the Federal Trade Commission (FTC) alleging that it failed to keep its products from being used as illegal stalking apps.

Retina-X, maker of the spyware tools PhoneSheriff, TeenShield, SniperSpy and Mobile Spy, threw in the towel on all that snooping in March 2018, putting the kibosh on the products as a result of two hacks: the first in April 2017 and the second in February 2018.

Those tools were used to track targets’ call logs (including deleted ones), text messages, photos, GPS locations, and browser histories, as well as to eavesdrop on victims, wherever they might be.

The hacker who claimed responsibility for the breaches said at the time that he got access to all that, but he didn’t post any of it online. He did, however, claim to have wiped some of the servers he’d been allegedly rooting around in.

As we said after news of the second attack surfaced, even if you find spyware repugnant, it’s still illegal to hack the companies that make it, for good reason. The hacker wasn’t helping anybody, let alone surveillance victims. By telling others how he did it, putting out blueprints and encouraging them to do the same, he and other spyware-focused hackers put the victims at that much greater risk of having their personal data accessed, meaning they’re twice victimized. Besides, who’s to say that a hacker who claims not to have posted material isn’t lying?

At any rate, back to the FTC complaint: the FTC claimed that Retina-X wasn’t making sure that spyware purchasers were using it for legitimate purposes. In fact, to install the tools, spyware purchasers often had to weaken security protections on a targeted phone – i.e., to jailbreak or root the phone.

Once the spy had installed the app on their target’s phone, they could then remove the icon showing that it was there. Thus, the target wouldn’t know they were being monitored.

Even for legitimate users – i.e., those who are keeping track of activity on phones they own that are used by their children or by employees who are aware that they’re being monitored – the company failed to keep their data confidential and safe, the FTC charged.

The FTC said that the apps violated the Children’s Online Privacy Protection Act (COPPA), which requires operators to protect the confidentiality, security, and integrity of personal information collected from children under the age of 13. The FTC also says that Retina-X violated the FTC Act’s prohibitions against unfair and deceptive practices.

The FTC said Retina-X failed to secure the data collected from devices by the spyware. It outsourced most product development and maintenance to third parties, and “failed to implement reasonable information security policies and procedures, conduct security testing on its mobile apps, and conduct adequate oversight of its service providers,” the Commission said. The lack of due diligence led to the two attacks, in which the hacker accessed the company’s cloud storage account and erased entire databases.

From its complaint:

The hacker accessed data collected through the PhoneSheriff and TeenShield apps, including login usernames, encrypted login passwords, text messages, GPS locations, contacts and photos. The company and [company owner James N. Johns Jr.] did not learn about the first intrusion until April 2017 when they were contacted by a journalist, who was tipped off by the hacker.

The FTC settlement requires Retina-X to make sure its monitoring apps are used only for legitimate purposes. At this point, the company’s website says that it’s not currently taking orders for the tools in question.

If and when it returns to selling spyware, Retina-X has to require purchasers to state that they’ll only use the app to monitor a child or an employee, or another adult who’s provided written consent. No fiddling with the icon, either: the apps have to include an icon with the name of the app on the mobile device, and it can only be removed by a parent or legal guardian who’s installed the app on a minor child’s phone.

Retina-X is also required to destroy data collected from its monitoring services to date. And going forward, the company is required to set up an adequate security program, including third-party assessments of that program every two years.

On Tuesday, the FTC said in a statement that this is the first time it’s gone after a “stalking app.” Andrew Smith, director of the FTC’s Bureau of Consumer Protection:

Although there may be legitimate reasons to track a phone, these apps were designed to run surreptitiously in the background and are uniquely suited to illegal and dangerous uses. Under these circumstances, we will seek to hold app developers accountable for designing and marketing a dangerous product.

Who knows? Maybe it won’t be the last.

After all, the Retina-X hacks were followed by an attack on mobile stalking app maker TheTruthSpy in August 2018.

Its tools also required jailbreaking, and the attack against it likewise let a hacker slurp sensitive material, giving them login credentials that gave them access to pictures, audio recordings, location information and text messages from the spying victims’ phones.

If we hear of the FTC going after TheTruthSpy or any other maker of stalking apps, we’ll let you know.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/LN5zrcziLXw/