STE WILLIAMS

China Blames Massive Internet Blackout On Hackers

Chinese officials Wednesday blamed a country-wide Internet outage on a hack attack. But security and networking experts suspect that the country’s Internet infrastructure was compromised when Chinese government censors inadvertently blocked every website in the world.

What’s Chinese for schadenfreude?

The official story from China didn’t involve stifling freedom of expression. Instead, government officials blamed a domain name system (DNS) malfunction Tuesday for leaving the country’s nearly 600 million Internet users without access to websites for 45 minutes. “We have tracked and analyzed the DNS and found that at least two of the 13 root name servers around the world were affected,” said Dong Fang, an Internet engineer at Chinese security product vendor Qihoo 360, according to the Xinhua News Agency, which is the Chinese government’s official press agency.

Article source: http://www.darkreading.com/attacks-breaches/china-blames-massive-internet-blackout-o/240165552

Socially Engineered Behavior To Blame For Most Security Breaches

Tampa Bay, FL, January 2014

Security Awareness Training firm KnowBe4, LLC, has released an analysis of 372 companies that clearly shows the impact and effectiveness of Security Awareness Training on employees. The study was done over a 12 month period and follows behavior patterns of 291,000 end points, showing a reduction in risky behavior by over 12X. Using an initial baseline of 15.9% for the “phish-prone” (employees prone to click on dangerous phishing links), training methods used by KnowBe4 reduced this to a 1.28% average.

“It is well known amongst IT managers that the weakest link in security is the end user and we sought out a way to effectively address this,” says Stu Sjouwerman (pronounced “shower-man”), KnowBe4 founder and CEO. “Nearly 40% of these companies are financial entities who typically are more aware and have tighter restrictions and yet were able to see a huge improvement, showing the program works extremely well.”

Studies recently released and posted on the Sophos blog by forensics and risk management firm Stroz Friedberg, Osterman Research and SecureData Research clearly show risky behavior is still a major concern and growing.

KnowBe4, LLC, and security expert (“The World’s Most Wanted Hacker”) Kevin Mitnick released a new version of the Kevin Mitnick Security Awareness Training 2014™ that includes additional templates and customization options. This brand-new, high-quality 30-40 minute web-based interactive training uses case studies, live demonstration videos and short tests. The training specializes in making sure employees understand the mechanisms of spam, phishing, spear-phishing, malware and social engineering and also includes a new, condensed 15-minute version for executives which specifically focuses on Advanced Persistent Threats in nine languages.

As phishing and social engineering tactics become increasingly sophisticated and difficult to detect, “The threat posed by malware should not be underestimated, particularly considering that employees have consistently proven to be the weak link in companies’ Internet security efforts,” noted Mitnick. “In most cases, their involvement is unintentional – they unknowingly allow access to corporate networks simply because they don’t know what to watch out for. That’s why our security awareness training is designed to ensure they understand the mechanisms of spam, phishing, spear-phishing, malware and social engineering, and are able to apply this knowledge on the job. This allows organizations to create a ‘human firewall’ that actively works to prevent network security breaches.”

Regularly-scheduled phishing security tests with customizable emails help keep employees on their toes. Those users who fall for the simulated phishing attacks can receive instant remedial training. An admin console provides before-and-after reports with instant graphs detailing the effectiveness of the training.

To help organizations determine their risk, companies can request a free phishing security test to determine the percentage of employees who are Phish-prone™, or susceptible to phishing attacks. To learn more about KnowBe4’s Kevin Mitnick Security Awareness Training and to access additional cybercrime prevention resources, visit http://www.knowbe4.com.

About Kevin Mitnick

Kevin Mitnick is an internationally recognized computer security expert with extensive experience in exposing the vulnerabilities of complex operating systems and telecommunications devices. He gained notoriety as a highly skilled hacker who penetrated some of the most resilient computer systems ever developed. Today, Mitnick is renowned as an information security consultant and speaker, and has authored three books, including The New York Times best seller Ghost in the Wires. His latest endeavor is a collaboration with KnowBe4, LLC.

About Stu Sjouwerman

Stu Sjouwerman is the Founder and CEO of KnowBe4, LLC. An IT Security expert with 30+ years in the industry, Sjouwerman (pronounced shower-man) was the co-founder of Inc. 500 company Sunbelt Software, an award-winning anti-malware software developer that was acquired in 2010 by GFI Software, a portfolio company of Insight Partners. Realizing that the end-user is the weak link in IT security and this being seriously neglected, Stu decided to partner with famous former hacker Kevin Mitnick and help IT pros to tackle cybercrime tactics utilizing New School Security Awareness Training combined with regular simulated phishing attacks. Sjouwerman is the author of four IT books, with his latest being Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.

Company Overview: KnowBe4, LLC provides Kevin Mitnick Security Awareness Training to small and medium-sized enterprises, and recently introduced the brand new KnowBe4 Compliance Manager, SaaS that helps IT administrators and Compliance Officers to automate their audit- and compliance workflows, dramatically cutting down audit costs and improving organizational compliance. KnowBe4 services well over 400 customers in a variety of industries, including highly-regulated fields such as banking, finance, healthcare, insurance and high-tech. KnowBe4 expanded with a YoY growth of 427% 2012 – 2013.

Article source: http://www.darkreading.com/management/socially-engineered-behavior-to-blame-fo/240165591

Financial Data Leads The Malicious Spam Hit List For Third Year In A Row

ABINGDON, England, January 23, 2014 /PRNewswire/ —

The proportion of spam in email traffic continues to fall – in the last three years the share of unsolicited messages has fallen by 10.7 percentage points. It appears that advertisers increasingly prefer the various types of legitimate online advertising that are now available and which generate higher response rates at lower costs than spam can offer.

The criminalisation of spam

In some spam categories commercial advertising is being gradually displaced by criminal mailings, such as spam messages advertising illegal goods or pornography. A typical example is the Travel and Tourism category, which used to account for 5-10% of all spam traffic. These days, commercial adverts like this are rare, but the experts see numerous malicious emails actively exploiting the subject of travel and leisure.

Fake antivirus vendor messages

It is common for IT security experts to recommend that users regularly update their antivirus solutions, and that is something that cybercriminals tried to take advantage of in 2013. In emails that appear to be sent by well-known antivirus vendors such as Kaspersky Lab, McAfee, ESET, Symantec etc., they urged users to update their systems immediately using an attached file. The attachment turned out to contain a Trojan from the infamous ZeuS/Zbot family that is designed to steal sensitive user data, particularly financial information.

Darya Gudkova, Head of Content Analysis at Kaspersky Lab, commented: “For the third year in a row the most prevalent malware spread by email were programs that attempted to steal confidential data, usually logins and passwords for Internet banking systems. At the same time, however, phishing attacks are shifting from bank accounts to social networking and email. This can be partly explained by the fact that today’s email accounts often give access to a lot of content, including email, social networking, instant messaging, cloud storages and sometimes even a credit card.”

‘Gray’ mailings: bypassing the spam filters

In a bid to reach even greater numbers of users, but wary of spam filters that block unwanted messages, advertisers are resorting to trickery. Part of a mass mailing is sent to subscribers who have agreed to receive adverts, and part is sent to addresses taken from huge databases these companies have purchased – to people who never gave their consent to receive such messages. If the mailings are blocked by spam filters, the advertisers contact the security vendor and try to prove their mailings are legitimate by showing the websites where users sign up and can unsubscribe at any time. This poses a new challenge for the anti-spam industry and is leading to the development of new technologies based on sender reputations.

Where’s the spam coming from?

Asia accounted for 55.5% of the world’s spam in 2013 (an increase of 5.3 percentage points compared to 2012), followed by North America with 19% (+3.2 points). Eastern Europe’s share almost doubled compared to the previous year, placing the region third with 13.3%. Western Europe remains in fourth place despite a decrease of 2.4 percentage points, while Latin America, in fifth place, saw its share drop threefold compared to 2012.

For more information about spam in 2013, please go to securelist.com (http://www.securelist.com/en/analysis/204792322/Kaspersky_Security_Bulletin_Spam_evolution_2013).

Additional reading:

Spam in December 2013 (http://www.securelist.com/en/analysis/204792323/Spam_in_December_2013)

About Kaspersky Lab

Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 16-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers.

Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at http://www.kaspersky.com.

* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2012. The rating was published in the IDC report “Worldwide Endpoint Security 2013-2017 Forecast and 2012 Vendor Shares” (IDC #242618, August 2013). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2012.

Article source: http://www.darkreading.com/vulnerability/financial-data-leads-the-malicious-spam/240165592

Cyber-Defense Specialist Gets Backing Of Major Smartphone Manufacturer And Launches New Approach To Mobile Security Threats

SAN FRANCISCO – January 23rd, 2014 – Zimperium, creators of the world’s first mobile intrusion prevention system™ (IPS) powered by artificial intelligence (AI), is today announcing the launch of two new products to protect organizations from advanced persistent threats (APT) on mobile. The launch addresses a huge void in mobile security: more employees are bringing their personal devices to work, but there is no security solution to detect, notify, and protect against advanced cyber-attacks deployed through mobile devices.

Existing Security Solutions Are Not Adequate

Governments and enterprises are extremely vulnerable to cyber-attacks from devices such as smartphones and tablets, suggests a whitepaper published by Zimperium.

Top network and computer security vendors are not experts in mobile security. These providers can protect against network threats, but don’t know how to protect mobile devices from cyber-attacks that can later compromise the entire corporate network. Meanwhile, current mobile security offerings are extremely limited in their scope of protection. These providers only offer protection against predefined types of threats. This protection is narrow, slow to adapt, and does not safeguard against simple tricks or cyber-attacks.

New Solution Sets New Standards

Zimperium is launching zIPS and zCONSOLE, offering organizations the first comprehensive mobile security solution. zIPS is the world’s first mobile IPS™ that uses AI to detect advanced cyber-attacks. Leveraging algorithms and machine learning, zIPS monitors how a device behaves and is capable of recognizing unusual usage patterns and safeguarding the device.

zCONSOLE is an easily integrated, cloud-based, mobile unified threat management (UTM) platform that enables IT managers to monitor zIPS devices entering and leaving the network. Each device becomes a powerful sensor that IT managers can monitor using zCONSOLE to detect network attacks.

“Hackers are looking to exploit any weakness in your company’s defenses to steal proprietary information – and mobile devices are one of the weakest links,” says Kevin Mitnick, legendary security researcher. “zIPS is the first mobile intrusion prevention system that stops hackers in their tracks, before they can damage your business.”

Co-founded and led by Zuk Avraham, a former military and Samsung Electronics security researcher, and Elia Yehuda, an experienced hands-on security researcher, Zimperium is supported by Raymond Liao of Samsung, the world’s most famous hacker Kevin Mitnick, and early-investors in Sourcefire: Mark Fernandes, Managing Director of Sierra Ventures, and Stephen Northcutt, former President of SANS Technology Institute.

“With zIPS, corporations will now have the opportunity to use BYOD as an advantage to their security. zIPS is the first security solution that can combat modern cyber-attacks on mobile. There is already evidence of attacks that are happening to infiltrate organizations, which only zIPS can prevent,” says Zuk Avraham, Zimperium founder and CEO.

Today’s launch of zIPS and zCONSOLE sets a new standard for mobile security. At just a fraction of the cost of top security solutions, CIOs and IT managers can expect the following groundbreaking features from zIPS:

  • zIPS runs completely in user-mode – and can be deployed as a standard Android app
  • zIPS is the first mobile IPS™
  • zIPS is using a new technique called “non-intrusive packet monitoring” that protects a user’s privacy
  • zIPS is the only available solution that is capable of detecting malware running outside of its own sandbox – as seen in self-modifying apps
  • zIPS prevents advanced network attacks when a device is connected to public, uncontrolled networks
  • zIPS does not rely on signatures to detect threats
  • zIPS uses machine learning to detect IPv4, IPv6 and unknown attacks (0days)

zIPS is currently available for Android only; an iOS beta will be unveiled soon.

Download zIPS for Android: https://www.zimperium.com/mobile-ips

To learn more about Zimperium, visit www.zimperium.com.

About Zimperium

Zimperium is a privately owned mobile security start-up based in San Francisco, with an R&D center in Tel Aviv. Its flagship solutions protect mobile devices from cybersecurity threats. The company was founded in 2011 by CEO Zuk Avraham, a highly regarded security expert, and Elia Yehuda, an experienced hands-on researcher. Zimperium’s mission is to secure organizations from daily cyber threats in an increasingly mobile world.

Article source: http://www.darkreading.com/mobile/cyber-defense-specialist-gets-backing-of/240165598

Google Dismisses Chrome Browser Microphone Snooping Exploit

Google has shot down a researcher’s claims that an exploit he posted online showing how an attacker could snoop on phone calls or other conversations on a user’s machine constitutes a security flaw, maintaining that Chrome’s speech-recognition feature complies with the W3C’s specification.

Researcher Tal Ater, who stumbled across the issues when working on his JavaScript Speech Recognition library called annyang, says he reported the exploit to Google’s security team on September 13, and six days later, Google engineers had suggested fixes for it. “On September 24, a patch which fixes the exploit was ready, and three days later my find was nominated for Chromium’s Reward Panel (where prizes can go as high as $30,000.) Google’s engineers, who’ve proven themselves to be just as talented as I imagined, were able to identify the problem and fix it in less than 2 weeks from my initial report,” Ater wrote in a blog post this week exposing the exploit.

But Google never issued a patch. Ater says Chrome remains vulnerable and leaves users open to snooping attacks via malicious websites abusing the speech recognition/microphone feature. Meanwhile, Google maintains that the feature complies with the W3C specification for browsers and is safe.

“The security of our users is a top priority, and this feature was designed with security and privacy in mind. We’ve re-investigated and this is not eligible for a reward, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C specification,” a Google spokesperson said.

The exploit requires that the user enable microphone use on a website, and most sites ask for permission for microphone activation. According to Ater, though, that can be abused.

“When you click the button to start or stop the speech recognition on the site, what you won’t notice is that the site may have also opened another hidden popunder window. This window can wait until the main site is closed, and then start listening in without asking for permission. This can be done in a window that you never saw, never interacted with, and probably didn’t even know was there,” he said in his post. “To make matters worse, even if you do notice that window (which can be disguised as a common banner), Chrome does not show any visual indication that Speech Recognition is turned on in such windows – only in regular Chrome tabs.”

But a microphone indicator does show up in Chrome or in the URL bar of a pop-up window, and the latest version of Chrome does not allow a hidden pop-up window, according to one security source who asked not to be identified.

Ater told Dark Reading that while Chrome does comply with new changes to the W3C’s Web Speech API Spec, that specification is still not officially on the standards track. “However, the word ‘spec’ is quite misleading here, as it is currently not a W3C standard, nor is it on track to become one. Only late in 2014 is it scheduled to become a W3C recommendation,” Ater said in an email interview.

“Thankfully, Google and Apple are not waiting for things to standardize before implementing it, and are continuously pushing the Web forward, experimenting with new technologies in their browsers, and helping shape the spec itself,” he says. “But when you’re so ahead of the bleeding edge, you can’t fall back on the spec, and it is your responsibility to your users to make sure any security issues which are found in your software are handled promptly.”

He says the bugs he found on their own may be relatively minor, but that doesn’t mean they couldn’t result in an attack. “But often the severity of a security breach is more than the sum of its parts. Its severity should be measured by the amount of damage a creative hacker can inflict with it, which is what I aimed to show in the video I sent Google,” he says.

Ater says the changes that allow Speech Recognition in background tabs and windows are a step in the right direction for users, but only if the spec also addresses the security implications. And earlier this week, he joined the group that published the Web Speech API Specification, and hopes to “contribute a small part to fix this,” he says.

Privacy Sensitivity

Ater’s argument appears to be more about the W3C specification than Chrome, says Chris Wysopal, CTO of Veracode. “His beef is with the standard spec, that it’s not making it clear enough to users that they are granting permission for this website to use the microphone forever,” Wysopal says. “There probably will be all kinds of tricky ways websites can hide that and have a window open so you might not notice what’s going on.”

In the post-NSA revelations world of heightened privacy concerns, Ater’s exploit is yet another example of concerns about how much access users are granting to their machines as well as mobile apps. “This is just one of many problems we have with the idea that we’re entering the realm of more privacy where we’re granting devices access to pictures, cameras, phones, and GPS locations,” Wysopal says. “Users are not really quite aware of how the website or app connecting back to the service is using this information. Is it collected all the time?

“I think this is the tip of the iceberg with the problem we are going to start to see more and more,” Wysopal says. “We don’t have a good paradigm for the user to understand” this, he says.

Article source: http://www.darkreading.com/vulnerability/google-dismisses-chrome-browser-micropho/240165617

Thieves skim card data from US gas stations via Bluetooth-enabled devices

Thirteen people have been indicted for installing Bluetooth-enabled, banking-data-gobbling skimmers at gas stations in the Southern US, Manhattan District Attorney Cyrus R. Vance, Jr. said in a statement released on Tuesday.

The defendants allegedly forged bank cards using the banking details from victims in the southern states; used the cards to deposit, withdraw and thereby launder $2.1 million (£1.27 million) through ATMs and banks in New York City; and withdrew part of the stolen money on the West Coast.

All in all, the countrywide crime spree involved more than 70 different bank accounts.

The four lead defendants are accused of installing card skimming devices to copy the credit and ATM card numbers and PINs used by customers at Raceway and RaceTrac gas stations throughout Texas, Georgia, and South Carolina.

The devices were impossible for gasoline-buying customers to detect, given that the skimmers were installed internally, the DA said.

It’s a heck of a lot easier to detect thieves’ attempts to get at your credit card when they’ve done something like clumsily glue a card catcher onto the front of an ATM, of course, and then made it even more obvious by hanging around the machine waiting for a victim to give up on getting her card back, as happened to Jamillah Knowles, who wrote about her catch of a card catcher for Naked Security in June.

External ATM skimmers are usually made of molded plastic and have to be attached onto the cash machine hardware. The color and texture could well not match, the fit likely won’t be exact, and the skimmer could be slightly loose.

In fact, when Australian detectives warned about skimmers during the holiday season back in 2012, the advice we passed on was to grab whatever device you’re putting your card into and give it a good wiggle.

That, obviously, is no help here, given the internally installed skimmers used, but I pass it on because it’s good advice in other skimmer scenarios.

At any rate, having Bluetooth-enabled devices made it easy for thieves to get at the stolen data without having to physically remove the skimming devices.

Not that wireless-enabled credit card skimmers are new, mind you. Security journalist Brian Krebs has cataloged all sorts of skimmers, including some that even send information to fraudsters’ phones via text message.

So convenient!

With their Bluetooth-enabled card skimmers, the defendants in this case allegedly spent a year and two days – between 26 March 2012 and 28 March 2013 – using the forged cards at ATMs in Manhattan, siphoning funds out of their victims’ accounts in increments under $10,000.

Keeping the withdrawals under $10,000 avoided cash transaction reporting requirements.

They then allegedly deposited the stolen money into their own bank accounts in New York.

Others in the crime ring are alleged to have promptly withdrawn the money at banks in California or Nevada.

The four lead defendants are Garegin Spartalyan, 40; Aram Martirosian, 34; Hayk Dzhandzhapanyan, 40; and Davit Kudugulyan, 42.

Originally arrested and charged on 21 March, 2013, the four lead defendants are now facing a 426-count indictment with felony charges of money laundering, criminal possession of stolen property, grand larceny, criminal possession of a forgery device, and criminal possession of forged instruments.

The earlier arrests sparked an investigation that eventually led the police to nine other defendants.

Those nine – Azat Aramyan, 25; Norayr Aramyan, 25; Argine Ananyan, 34; Rosa Unusyan, 24; Sona Minasyan, 51; Armen Abroyan, 36; Hasmik Miribian, 64; Artur Pogosyan, 31; and Rose Vardui Pndlyan, 47 – have been charged with two felony counts of money laundering, either in the second or third degree.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/CV9FTAisX7k/

Bitcoin wallets: How to protect your digital currency

First there was online banking. Then PayPal. Now, there’s Bitcoin. It’s a brave new world, but with Bitcoin exchange rates so high those coins are too precious to lose.

That’s where a Bitcoin wallet comes in. A wallet is a program, app or service that holds coins, keeps them safe and makes it simple to back up, spend or accept them.

With Bitcoin, a wallet doesn’t just offer security. It offers bookkeeping, portability and simple ways to give and receive cash.

What is a Bitcoin wallet?

It’s rather like an online bank account, but even simpler to use.

Each Bitcoin is a unique solution to a mathematical problem, consisting of a short string of text which represents a figure. Let’s say you give someone a coin or fractional coin – the text string changes as it enters their wallet, and once a global network validates the transaction, your original coin is invalidated and the new coin becomes yours.

[Bitcoin wallet screenshot] To someone who is sending money, your wallet is just an address. All they need to know is where to send your coins. The QR code on the right of this image is another way to represent the address on the left. When you make a face-to-face transaction, the sender simply snaps the QR code rather than exchanging emails.

Since coins are just characters, you could store them in a text file. But that wouldn’t be smart.

They could be viewed by anyone with access to your device and without the benefits of a wallet, they would be hard to spend.

NB. It’s a good idea to make sure you are really clued up on the world of Bitcoins if you are holding significant sums. The reason the real world has banks is that we recognise it’s quite risky, as an amateur, to try to secure your house enough to hold your life savings. Securing your own computer is hard but in the Bitcoin world you don’t have a bank as a buffer to rely on.

Types of wallets

  • Local – Installed on your own device
  • Online – Provided with your account at a store or Bitcoin exchange

Installing your wallet on a smartphone or PC allows you to send and receive Bitcoins as easily as exchanging emails – you only need the address of another wallet. But if you want to buy Bitcoins with local currency, or ‘cash out’, you need to do that via an online currency exchange, which will include an online wallet with the subscription.

Either way, security is enhanced by having both local and online wallets and learning to move money between them.

Local wallet

A wallet installed on your portable device makes for quick transactions, but phones can get lost and laptops can be hacked.

It’s a good idea to transfer any incoming coins promptly to an offline device, an encrypted cloud service, or into cash.

There is a difference between transferring coins and backing up your wallet – always do both! With an app tied to your NAS (network-attached storage) or online service, backup is a no-brainer.

Online wallet

Online wallets hold subscribers’ money at their servers, and accounts are backed up and instantly available from anywhere in the world.

However, online Bitcoin exchanges are still immature and many have suffered outages or breaches. In a study of 40 exchanges, 18 of them had failed, leaving clients penniless!

Choosing a Bitcoin exchange

Bitcoin exchanges collect sensitive personal data, even demanding access to bank accounts and credit reports. Carefully scrutinize their reputation, focusing on these things:

  • Highly regarded with few complaints
  • Infrequent downtime or delayed transactions
  • Do they (a) offer a private key under subscriber control, or (b) keep the funds exposed to the internet small compared to their offline reserves?

Note that (a) and (b) are mutually exclusive. That is, if you control the keys, the contents of an online wallet will be exposed to the internet. Neither method presents a big risk if you sweep assets into your offline wallet or encrypted cloud storage after each transaction.

7 Bitcoin wallet security tips

  1. Never store your wallet identifier with your password.
  2. Initiate major transactions (including cash exchange) from your own PC – not one that is shared – or from one that boots as a dedicated virtual machine.
  3. Use your phone wallet for small transactions when traveling. Just as with a real wallet, carry only the cash required for anticipated transactions. By their very nature mobile devices are continuously exposed to outside threats.
  4. If you must engage in a large transaction away from home, use your phone to access an online wallet. It can be unsafe to access an online wallet from a PC that you do not own.
  5. Limit internet-connected wallets to the minimum reserve that you absolutely must leave online for ready access.
  6. Back up your wallet after every transaction to encrypted storage or an offline device, and then sweep to another wallet. (Do this even for transactions with your primary wallet – it adds a layer of protection by recreating the coin and shifting it to a wallet that is not shared with the buyer or seller.)
  7. There is a difference between user authentication and encryption. It is not sufficient that your backup device or service requires a login – it must be encrypted too. If you use a cloud backup service, find out whether they encrypt end-to-end. In this way, your data cannot be viewed by the backup service itself, by anyone in between, or by others sharing your WiFi or mobile data service, so your cash is sealed from the moment it leaves your device until you restore the data at some point in the future.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/E1bqLHOR4a8/

Spies spy: CrowdStrike report says cyberspooks are EVERYWHERE

CrowdStrike has confirmed that governments across the world are spying on everyone online with a new report on cyber-espionage.

A year-long study by the security intelligence firm has identified more than 50 groups of cyber threat actors, blaming groups in China, Iran, Russia, North Korea, and Syria for high profile attacks.


Among the groups profiled in the report is a Russian group (dubbed Energetic Bear) that collects intelligence on the energy industry.

CrowdStrike reckons that the groups it is tracking make up the majority of the sophisticated threats attacking enterprises across the globe. Groups can be distinguished by the differences in their tactics, techniques, and procedures, such as the tools and infrastructure they use for attacks, their level of sophistication and the working hours hackers put in to running attacks.

All this doesn’t point to a “smoking gun” as such but does provide more than enough circumstantial evidence for CrowdStrike researchers to have a high degree of confidence in the theories they put together.

Other cyberespionage crews of note include Magic Kitten, an established group of cyber attackers based in Iran who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting the Iranian political opposition in the run-up to the country’s May elections last year.

A lot of the information points to cyber-espionage activity being economically driven but it can also be a spillover from political disputes, according to CrowdStrike. Cybercrooks and hacktivists, such as the Syrian Electronic Army with loose ties to government, also play a part in the threat landscape.

Attacks by cyber-espionage players are rarely destructive – with some notable exceptions that may become a pattern, in the case of the sabre-rattling North Koreans. The North Korean state’s winter training cycle may result in increased cyber-activity from the rogue Communist country. This could include destructive attacks against South Korea along the lines of the Windows-wiping malware that hit banks and media organisations.

CrowdStrike also reckons that net infrastructure hosted outside the country, but abused by the Norks in cyberespionage attacks, is also being used for cybercrime.

CrowdStrike’s report is notable for lacking incidents attributable to the NSA’s elite TAO hacking crew. Disclosures from NSA whistleblower Edward Snowden revealed that TAO was responsible for installing “50,000 malware sleeper cells” in computer networks worldwide.

GCHQ, outed by Snowden for APT-style attacks against Belgacom, is also absent. “We haven’t seen any customers victimised by anything that ties back to those countries [USA and UK],” Adam Meyers, VP of intelligence at CrowdStrike, told El Reg.

Popular tactics of Russian and Chinese attackers include watering hole-style attacks, which reach their targets by infecting the websites most frequently visited by workers at a targeted organisation. Attacks of this type were successfully used last year against the Council on Foreign Relations, the U.S. Department of Labor and several foreign embassies, CrowdStrike reports.

“Compromising and weaponising a legitimate website has significant advantages over spear phishing, which historically has been the most common method of launching a targeted attack,” CrowdStrike’s Meyers explained. “A strategic web compromise does not require social engineering a victim, which can expose an adversary to detection. We believe this tactic will be used with increasing frequency among the adversaries that we are tracking.”

Meyers told El Reg that the methods and tactics of cyberspies are starting to be applied by cybercriminals, citing the high profile breach against supermarket chain Target as an example.

“The Target attackers got in elsewhere before moving across the network to hit cash registers with a malicious update,” Meyers explained. “This is straight out of the cyber-espionage actors’ playbook.”

“Cyber criminals are often ahead of cyberspies in the sophistication of their malware but behind in their tradecraft,” Meyers added.

CrowdStrike’s Global Threats Report: 2013 Year In Review document (summary available here; registration required for the full download) – which focuses on adversaries rather than the malicious code they use – is designed to allow security professionals to differentiate between targeted and commodity attacks, saving time and focusing attention on the most serious threats to their business.

An infographic here summarises how the web has become an arena of conflict for spies worldwide.

“One of the advantages of focusing on adversaries, rather than malicious code, is that humans have detectable habits and often make mistakes,” Meyers added. “We believe that the data we have collected here is not only a good summary of what happened in 2013, but a harbinger of the attacks to come in 2014. This is the type of information that enterprises can use to develop better, more effective defenses.”

CrowdStrike predicts that 2014 will bring increased targeting of vulnerabilities in Windows XP, which will reach end-of-life from Microsoft this April; greater use of black markets for buying and selling custom-made malware; and increased targeting of attacks around major events, such as the Winter Olympics in Sochi, the US withdrawal from Afghanistan, the World Cup in Brazil, the 2014 G20 Summit, and major national elections.

Windows XP will reach end-of-life on 8 April 2014, meaning that Microsoft will no longer release security patches for Windows XP after that date. Vulnerability researchers are likely sitting on backlogs of unreported Windows XP vulnerabilities with plans to publicly release or privately sell the vulnerabilities’ details after this date. As such, CrowdStrike expects to see a rise in XP-targeted exploits and a resulting rise in XP infections by the middle of this year. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/23/crowdstrike_cyberespionage_unveiled/

Network Solutions apologises for ‘You just paid us $1850’ email

Domain Name registrar Network Solutions has blamed a backlash over extra fees for secured domains on a “badly worded e-mail”.

Customers of Network Solutions recently received an e-mail saying that to combat domain hijacks, “Starting 9:00 AM EST on 2/4/2014, all of your domains will be protected via our WebLock Program”. This would only allow pre-registered Certified Users to make any changes to a domain name’s configuration settings.


Network Solutions would check all requests for changes via an outbound call to the pre-registered telephone number, with the recipient to use a unique nine-digit PIN to confirm their intentions; and all Certified Users would be notified of the request to make a change, along with which user made the request.

All of which is well and good, but it was this line in the e-mail, spotted by Tweeter Brent Simmons, that enraged customers:

To help recapture the costs of maintaining this extra level of security for your account, your credit card will be billed $1,850 for the first year of service on the date your program goes live. After that you will be billed $1,350 on every subsequent year from that date.

The e-mail was sent to 49 customers.

According to Domain Name Wire, Web.com (owner of Network Solutions) has backed down from what looked like an enforced price premium, with COO Jason Teichman saying the program will be opt-in, and that all customers targeted by the program will get a call from the company.

The program will only be put to the top 30,000 or so customers – the largest 1 per cent of Network Solutions’ book – and the charge will cover an entire customer account, regardless of how many domains are registered by that customer.

The program, in other words, focuses on big-name brands and major resellers, for whom $1850 is back-of-the-sofa stuff and the service sounds like a good idea. As does asking them politely to pay up, Network Solutions now realises. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/23/network_solutions_backs_down_says_security_fee_is_optin/

US card scammers pull $2m petrol heist

US attorneys have charged thirteen people in connection with a massive fraud operation which netted some $2m in stolen funds.

The Manhattan District Attorney’s office says that four defendants masterminded a plot to install card skimming devices at gas pumps throughout the southern US and then use a network of money mules to withdraw and transfer funds from the stolen cards in a money laundering operation.


According to District Attorney Cyrus Vance, the four defendants installed the skimmers inside pumps at Raceway and Racetrac chain gas stations in Texas, South Carolina and Georgia. The skimmers, which were rigged with Bluetooth connectivity and invisible from outside the pump, could then be remotely accessed by the group.

With the stolen card data and PINs in hand, the four were then said to have printed forged bank cards, withdrawn cash from ATMs in amounts of less than $10,000 and redeposited the funds in a series of bank accounts around Manhattan.

Using a collection of nine money mules located in California and Nevada, the funds were once again withdrawn in a series of small transactions designed to avoid police detection, then redistributed. In total, authorities believe that the operation used 70 different accounts controlled by various members of the group as part of the laundering attempt.

“Cybercriminals and identity thieves are not limited to any geographic region, working throughout the world behind computers,” Vance said.

“In this case, the defendants are charged with stealing personal identifying information from victims in southern states, using forged bank cards on the East Coast, and withdrawing stolen proceeds on the West Coast.”

The attorney’s office said that the four ringleaders in the operation will each face a catalog of 408 felony counts ranging from money laundering and grand larceny to possession of forged devices and forgery instruments.

Meanwhile, the nine people who acted as money mules in the operation will each be hit with two felony counts of third-degree money laundering. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/23/us_card_scammers_pull_2m_petrol_heist/