STE WILLIAMS

5 DNS security risks that keep you up at night

Despite the fact that users continue to cling to predictable and insecure passwords, the worst of them all is no longer the most popular.

Security firm SplashData reports that in 2013, “password” slipped from the top spot as the most popular log-in code. Taking over the dubious distinction of most popular (and perhaps least secure) passphrase was the numerical string “123456”.

After “password”, “12345678” was the third most popular login. Rounding out the top five passwords were “qwerty” and “abc123”.

The top five will be enough to make any security administrator cringe, but the list should hardly come as a surprise. Despite countless warnings and advisories to move away from the predictable number sequences, such simple passwords have been pervasive for decades.

SplashData researchers also noted that the prevalence of simple passwords continues despite efforts by application vendors and service providers to mandate more secure passwords. Even when tasked with picking more sophisticated passcode combinations, users are opting for the simplest possible codes.

“Another interesting aspect of this year’s list is that more short numerical passwords showed up even though websites are starting to enforce stronger password policies,” said SplashData CEO Morgan Slain.

“For example, new to this year’s list are simple and easily guessable passwords like ‘1234’ at number 16, ‘12345’ at number 20, and ‘000000’ at number 25.”

Other notable entries on the list were “iloveyou” as the ninth most popular bad password and “admin” as number 12; “monkey”, interestingly enough, slipped all the way from the sixth spot last year down to number 17 overall.

Users also seem to harbor delusions of grandeur, as “princess” was the 22nd most popular password. Wordplay appeared at number 24 – “trustno1” – which was obviously not as clever as users thought it was.

The rankings, which were pulled from public dumps of pilfered passwords, added an Adobe feel this year. SplashData said that that company’s massive 2.9 million–user password dump helped get terms such as ‘adobe123’ and ‘photoshop’ into the top 25.

Avoiding the use of easily-guessed passwords is simple enough if users employ a bit of creativity and standard best practices, such as using hard-to-guess mnemonic device and mixing letters and numbers (non-sequential, obviously) in their passwords.®

The Benefits and Significance of Private Platform as a Service

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/20/password_no_longer_the_worst_password_still_a_terrible_password/

5 DNS security risks that keep you up at night

An IT contractor has been arrested over the theft of credit card and personal details of 20 million South Koreans.

Investigators allege an IT worker at the Korea Credit Bureau copied names, social security numbers and credit card details of millions onto a USB stick before flogging them to a marketing firm. He has been charged with stealing and selling data from customers of three credit card firms while working as a consultant.

The huge breach was apparently only possible because the sensitive data wasn’t encrypted, according to an official at the country’s Financial Services Commission. The siphoning off of data is reckoned to have occurred between May and December last year.

The as-yet-unnamed contractor – along with managers at the marketing firms who allegedly bought the purloined data – have all been arrested, the BBC reports.

The Korea Credit Bureau’s role as a national credit reference agency gave it access to databases maintained by South Korea’s three largest credit card firms: KB Kookmin Card, Lotte Card and NH Nonghyup Card.

Chiefs of the three firms publicly apologised for the leaks before offering to resign, owing up to responsibility over the whole sorry mess in a classy move we doubt many Western execs in the same situation would follow.

Sohn Kyoung-ik, head of NongHyup’s card business, has already exited stage left while the boards of the other two firms are still considering their responses, the Wall Street Journal reports.

A blog post by security veteran Graham Cluley includes images of South Korean bank bosses publicly apologising for the data breach, taken during a press conference in Seoul.

The offers of resignations came in the midst of local reports that Korean regulators would “stern punitive measures against financial institutions” in the leak was ultimately blamed on poor controls or management negligence.

The Financial Services Commission, Korea’s national financial regulator, has formed a task force the manage the incident, minimise any harm, and push for improved security to guard against the possibility of similar incidents in future. The FSC published a statement saying the problem has been contained.

“The stolen data does not include credit cards’ password or CVC code therefore it is very unlikely that the leaked information might be misused for financial fraud,” it said. “Prosecutors also judged that there was no further leakage of the stolen data as they arrested those who had stolen the information and first distributed [it]. There has been no case yet reported as direct damage of the incident.”

Since the data theft, about half a million customers have applied for replacement credit cards issued, CNN reports.

Credit card firms will be obliged to cover any customers who suffer a financial loss as a result of the breach, local financial regulators insist.

South Korea has an unfortunate track record in data security breaches. For example, two hackers were arrested for illegally obtaining the personal details of 8.7 million KT mobile customers before allegedly selling them on to telemarketing firms back in 2012.

A year earlier, hackers broke into the popular websites Nate and Cyworld, and stole information from about 35 million social networking users. ®

The Benefits and Significance of Private Platform as a Service

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/22/sk_data_breach_apology/

SEATTLE, Jan. 22, 2014 /PRNewswire/ — The Online Trust Alliance (OTA), the non-profit with the mission to enhance online trust, user empowerment and innovation, today recommended a series of best practices to help prevent online data breaches and other exploits, in collaboration with high-profile brands including American Greetings Interactive, AVG, Microsoft, Publishers Clearing House, Symantec and TRUSTe. These recommendations, released today in OTA’s 2014 Data Protection Breach Readiness Guide, were accompanied by several eye-opening statistics.

Leveraging preliminary year-end data from the Open Security Foundation and the Privacy Rights Clearinghouse, the OTA estimated in its guide that over 740 million records were exposed in 2013, making it the worst year in terms of data breaches recorded to date. And yet, after analyzing approximately 500 breaches over the past year, the OTA determined that 89% of all breach incidents were avoidable had basic security controls and best practices been enforced.

“Businesses and organizations have a responsibility to protect consumer privacy and prevent data breaches from aggressive cyberthieves,” said Washington State Attorney General Bob Ferguson. “Consumers deserve to know who they can trust.

The Online Trust Alliance arms organizations with critical information to reduce cyber risk and protect consumers.”

The annual guide is being published in advance of Data Privacy Day, Jan. 28, which the OTA commemorates by holding town hall forums and workshops led by cybersecurity and privacy luminaries in New York, San Francisco and Seattle.

These events come on the heels of several high-profile data breaches victimizing Target Corporation, Neiman Marcus and Adobe–a disturbing trend that undermines online trust and underscores the need to implement best practices.

“Data breaches are nothing new and have been around for quite some time; however, what we are seeing is a significant increase in incidents that not only harm consumers, but businesses as well, leading to a breakdown in consumer trust,” said Tim Rohrbaugh, VP of Information Security for Intersections Inc.

and OTA Board Member. “Having a rigid, black and white approach to security controls and monitoring and being unprepared for an incident will cost businesses more in the end. These town halls are a great venue for business leaders in all sectors to come together and share best practices in improving security controls, customer data management, and data breach incident reporting.”

According to the guide, best practices can only be achieved when companies are no longer complacent with meeting minimum compliance standards for data protection. Rather, they must meet the far loftier data privacy expectations of their own customers, by adopting a comprehensive data stewardship strategy that safeguards data across its entire lifecycle, from collection to deletion. Such efforts go hand in hand with developing an effective Data Incident Plan (DIP), a playbook that can be deployed on a moment’s notice, delineating what steps must be taken when a breach happens. Businesses must be able to quickly assess the nature and scope of an incident, contain it, mitigate the damage and notify all interested parties, including law enforcement and affected customers.

“Consumers and businesses are both victims of rapidly escalating hacking attacks, and as stewards of consumer data it’s incumbent on businesses to adopt best practices to help protect consumers from harm,” said Craig Spiezle, executive director and president of the Online Trust Alliance. “Those companies that fail to do so need to be held accountable, by consumers, regulators and stockholders.

Indeed, the ramifications of a data breach can be far-reaching and long-term, creating a sort of “business shock,” explains the guide. Consequences include a damaged brand, decreased sales, loss of third-party partnerships and contractual penalties imposed by customers, partners or service providers.

Ultimately, the guide urges all businesses to accept two fundamental premises:

One, the consumer data they are collecting invariably contains some form of personally identifiable information. And two, at some point they will inevitably experience data loss. When that happens, it’s best to be prepared.

OTA’s 2014 Data Protection Breach Readiness Guide is available at:

https://Otalliance.org/Breach.html. A public webinar recapping the guide is being hosted on Feb. 12 from 9 a.m. to 10 a.m. PST. To register, visit http://bit.ly/1eFddns. Additional quotes from OTA supporters regarding Data Privacy Day and the guide are available at http://bit.ly/1mB3HaA.

Privacy Day Workshops

OTA’s 2014 Data Privacy Day workshops in New York (Jan. 28), San Francisco (Jan.

30) and Seattle (Feb. 4) are designed to provide businesses with prescriptive advice about how to navigate complex security and data privacy issues, while enhancing brand trust and product innovation. Speakers include privacy experts from the FBI, Federal Trade Commission, Secret Service and the Attorney General’s Offices of New York, California and Washington State. The events are in collaboration with the Better Business Bureau, Identity Theft Council and the local chapters of InfraGard, and are supported by underwriting from leading organizations including comScore, Intersections, PwC, Sailthru and TRUSTe. To attend a workshop, visit https://otalliance.org/dpd.html.

About The Online Trust Alliance (OTA)

The Online Trust Alliance (OTA) is a non-profit with the mission to enhance online trust and user empowerment, while promoting innovation and the vitality of the Internet. OTA’s goal is to help educate businesses, policy makers and stakeholders while developing and advancing best practices and tools to enhance the protection of users’ security, privacy and identity. OTA supports collaborative public-private partnerships, benchmark reporting, meaningful self-regulation and data stewardship. Its members include federal law enforcement agencies, and the world’s leading e-commerce, online banking, online security and social media companies. For more information, visit:

https://otalliance.org.

Article source: http://www.darkreading.com/attacks-breaches/online-trust-alliance-finds-data-breache/240165530

San Jose, Calif. – January 22, 2014 – ThreatMetrixtrade, the fastest-growing provider of integrated cybercrime prevention solutions, continues its alignment with Data Privacy Day by announcing several strategies for businesses to change the economics of data breaches and identity theft through global trust intelligence.

The Identity Theft Resource Center recorded more than 600 data breaches in 2013, a 30% increase over the number of breaches in 2012. Target and Neiman Marcus are just two examples of companies that experienced significant breaches recently and more are expected to occur in 2014. Personally identifiable information exposed in past breaches includes credit card numbers, password hints, names, email addresses and other sensitive information.

To make matters worse, in the aftermath of data breaches, the solutions companies put in place to protect consumer identities are far from ideal. Businesses in the past have either implemented intrusive two-factor authentication solutions or offered customers credit monitoring.

“The current way in which companies prevent misuse of stolen identities is broken,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “Many businesses that offer credit monitoring, two-factor authentication and other means of protecting personal information following a data breach end up causing additional damage to the customer relationship due to added charges, intrusive features or requesting more personal data. Instead we need solutions that make stolen identities worthless in the hands of cybercriminals.”

While two-factor authentication solutions such as SMS one-time passwords can provide an extra layer of protection, the reality is that they are expensive, can lead to abandonment and only protect the fraction of users that choose to adopt.

As an alternative to two-factor authentication, some businesses offer free trials of credit monitoring services, which expire and can require payment through automatic renewal. Instead of putting consumers at ease, these services can potentially cause backlash if customers perceive companies are profiting from their misfortune. In any case, credit monitoring does not prevent identities from being abused to hack accounts or commit payment fraud.

High profile breaches are a prime example of why businesses across industries – including retailers, financial institutions and others – should not rely on traditional identity verification services to screen users.

“Legacy identity verification solutions are largely a solution for a bygone era because they can prove that an identity exists, but not ownership of that identity,” said Faulkner. “The cat is out of the bag – cybercriminals and consumers are well aware that traditional verification and authentication solutions are no longer effective – and businesses need better strategies in place for customer identity protection.”

Instead of applying bandage-like solutions, ThreatMetrix recommends changing the economics of data breaches and identity theft by transparently rendering stolen data invaluable with global trust intelligence comprising of:

Anonymized Shared Intelligence – A collective problem requires a collaborative solution. Leveraging trusted identity networks that use strict anonymization practices to share intelligence improves security without compromising privacy. Anonymized networks used in this way enable trust to be federated across applications and companies to reduce challenge rates.

Behavior-Based Identity Proofing – Simple reputation systems cause authentic customers to be treated unfairly when their identities or accounts are abused. Analyzing patterns of usage including locations, identities, devices and associations over time provides ‘spoof-proof’ identity screening without false positives – incorrectly labeling legitimate customers as fraudulent.

Passive Two-factor Authentication – Use cookieless device identification technologies in combination with rich contextual information such as account usage, location profiles and business risk to reduce unwanted and intrusive step-up authentications.

“ThreatMetrix uses anonymized device, identity and transaction data to determine whether or not customers are who they claim to be without needing to know their name,” said Faulkner.

To effectively protect customers, businesses should leverage a global data repository that can process transactions in real time and verify their authenticity against anonymized user profiles and past behavior. The ThreatMetrixtrade Global Trust Intelligence Network (The Network) is the most comprehensive global repository of identity and fraud data and protects hundreds of millions of users and revenues each day from cybercrime. Its real-time analytics evaluate logins, payments, new account registrations and remote access attempts to differentiate between good and bad actors.

Data Privacy Day takes place on January 28 and is sponsored by the National Cyber Security Alliance. ThreatMetrix, a Data Privacy Day Champion, will continue its commitment to Data Privacy Day by publishing additional news on protecting consumer identities throughout the month of January.

About ThreatMetrix

ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 160 million active user accounts, 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Article source: http://www.darkreading.com/end-user/threatmetrix-shares-strategies-for-imple/240165576

AUSTIN, January 22, 2014 – HID Global, a worldwide leader in secure identity solutions, today announced it has acquired IdenTrust, Inc. (IdenTrust), a leading provider of solutions for globally interoperable digital identities that can authenticate, encrypt, and create electronic signatures for every type of transaction or activity where proof of identity is essential. The acquisition significantly expands HID Global’s ability to provide some of the most secure identity solutions to governments, corporations, and financial institutions around the world.

IdenTrust is the largest supplier of digital identities for the Department of Defense’s External Certification Authority (ECA) program and the General Services Administration’s Access Certificates for Electronic Services (ACES) program, and it provides identity management solutions for over twenty of the world’s largest financial institutions. In the United Kingdom, IdenTrust digital certificates secure more than six billion payment transactions annually, with an aggregate value exceeding $7 trillion.

“The acquisition of IdenTrust complements the previous acquisition of ActivIdentity and considerably strengthens our HID Global value proposition around secure authentication, providing us with a Trust Framework for issuing, authenticating and using digital identities based on open standards,” said Denis Hbert, President and CEO of HID Global.

“This acquisition, long in the making due to regulatory requirements, is very positive for IdenTrust, its customers, other shareholders and employees,” said Karen J. Wendel, President and CEO of IdenTrust. “HID Global provides IdenTrust with a strong, financially-stable owner with a highly complementary product portfolio, while IdenTrust offers HID Global enhanced access to the banking, corporate, and government identity markets. The combined solution offering is unmatched in the industry.”

Headquartered in San Francisco, IdenTrust has its operations center in Salt Lake City, Utah, as well as sales offices in Washington D.C. and London, England.

Stay Connected with HID Global

Visit our Media Center, read our Industry Blog, subscribe to our RSS Feed and follow us on Facebook, LinkedIn and Twitter.

About HID Global

HID Global is the trusted source for innovative products, services, solutions, and know-how related to the creation, use, and management of secure identities for millions of customers around the world. The company’s served markets include physical and logical access control, including strong authentication and credential management; card printing and personalization; visitor management systems; highly secure government and citizen ID; and identification RFID technologies used in animal ID and industry and logistics applications. The company’s primary brands include ActivID, EasyLobby, FARGO, Codebench, LaserCard and HID. Headquartered in Austin, Texas, HID Global has over 2,100 employees worldwide and operates international offices that support more than 100 countries. HID Global is an ASSA ABLOY Group brand. For more information, visit www.hidglobal.com.

About IdenTrust, Inc.

IdenTrusttrade (identrust.com) is a leader in trusted identity solutions recognized by financial institutions, government agencies and businesses around the world. The only bank-developed identity authentication system, IdenTrust provides a legally and technologically interoperable environment for authenticating and using identities in more than 175 countries. IdenTrust enables end-users to have a single identity that can be used with any bank, any application, and across any network. IdenTrust identities are globally interoperable under uniform private contracts.

Article source: http://www.darkreading.com/privacy/hid-global-acquires-identrust-to-expand/240165531

TDoS (telephony denial of service) attacks are targeting essential public services such as hospitals, swamping their switchboards so legitimate calls can’t get through.

In the spring of 2013, the US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a warning about such attacks, which were then zeroing in on emergency call centers.

The emergency call center assaults, which tied up systems and prevented legitimate calls from getting through, were sent by extortionists initially claiming to represent a payday loan collections company.

When the target failed to cough up the demanded money, the attackers launched a TDoS.

More recently, according to an article published on Monday from the New York Times, scammers are posing as debt collectors seeking repayment on loans purportedly taken out by individuals or employees at places such as hospitals.

When they meet resistance, the scammers are again threatening to bring down phone lines, and then they flood the lines with repeated calls sent automatically over the internet, knocking businesses’ and government agencies’ phones offline for legitimate callers.

Besides one hospital, other essential public services such as a sheriff’s office in the US state of Texas and a Coast Guard cutter have been attacked, the NYT reports.

The DHS said in October that there have been over 200 such attacks identified against public sector groups.

The NYT describes a TDoS that happened two years ago to a Texas hospital’s intensive care unit. The CIO for the hospital chain, who requested anonymity so as to protect the hospitals, told the newspaper that the unit’s phone lines were knocked out of commission for about 6 hours because of the TDoS onslaught of robocalls.

Another TDoS was unleashed on the phone lines of several emergency dispatch centers in Tarrant County, Texas, last year.

That attack and others launched against emergency dispatch call centers skipped over 911 lines, but emergency hotlines aren’t always spared in TDoS attacks.

Case in point: UK police in April 2012 arrested two teenage boys following a series of prank calls and TDoS attacks launched against the Anti-Terrorist Hotline.

As the NYT notes, like most internet-enabled fraud, these schemes are tough to track and investigate. The calls, relying on automatic dialing software and internet phone services, enable huge volumes of calls to be placed at very low cost, hidden in layers of anonymity, from anywhere in the world.

Some victims pay the demanded money.

Ralph A. Gagliardi, agent in charge with the Colorado Bureau of Investigation’s identity theft and mortgage fraud units, told the NYT that he traced payments from the victim in one such attack in Colorado to Nigeria via an intermediary in Florida.

Succumbing to extortion is not what law enforcement advise, of course.

At the time of the emergency call centre attacks, the DHS and FBI have offered these recommendations for targeted organisations:

• Don’t pay the blackmail.
• Report all attacks to the FBI by logging onto the website www.ic3.gov. Use the keyword “TDoS” in your report title. If applicable, identify your organisation as a public safety answering point (PSAP) or Public Safety organization.
• List as many details as possible, including:
  • Calls logs from the “collection” call and TDoS
  • Time, date, originating phone number and traffic characteristics
  • Call-back number to the “collections” company or requesting organization
  • Method of payment and account number where the “collection” company requests the debt to be paid
  • Any information that you can obtain about the caller, or his/her organization
• Contact your telephone service provider; they may be able to assist by blocking portions of the attack.

There are also telephone security technologies out there. That is, in fact, what the hospital chain CIO turned to. He told the NYT that the solution he plugged in has been effective.

If you have more tips about protecting your business, or yourself, against telephony scams, vishing (i.e., phishing for people’s private information over the phone) or your own stories of dealing with robocalls, please share them in the comments section below.

Follow @LisaVaas

Follow @NakedSecurity

Image of phones courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/h03GxiCI9Kc/

Tags: Apple, chet chat, data breach, ftc, iTunes, kcb, korea, mac malware, mobile app, OS X, sophos security chet chat, South Korea, sscc, Starbucks

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/N-07OfN1F3M/

Organized and politically motivated cyberattackers are changing their methods, finding new, less direct methods of launching targeted attacks on enterprises and government agencies, according to a report issued today.

The report, issued today by threat intelligence company CrowdStrike, offers a detailed look at the motivations, methods, and practices of five organized cyberattack groups — including the Syrian Electronic Army as well as groups in China, Iran, and Russia — during 2013.

The methods of these politically motivated groups are changing, according to the report. While targeted attacks historically have begun with phishing attacks directly on members of the targeted organization, more sophisticated groups are now using more indirect methods — attacking third parties and collecting information from targeted users by infecting their favorite websites.

Using specific examples from recent attacks, the CrowdStrike report illustrates recent shifts in attacker strategy, such as the trend toward making targeted attacks by infiltrating a trusted third party. The report outlines details of exploits by the SEA — a group that CrowdStrike calls Deadeye Jackal — in which critical user data was extracted through the breach of third-party communications platforms and applications, such as Truecaller, TangoME, and Viber Media.

“Expect to see adversaries targeting third-party vendors [in 2014] in an attempt to compromise the ultimate target,” the report states. “Third-party vendors often have less-robust security than their larger customers, and their networks offer an avenue through which those customers can be compromised.”

Similarly, many organized cybergroups have changed their methods for tricking users into downloading malware, CrowdStrike says. While many attackers traditionally have sought to infect the user through by sending a fake email — sometimes called a phishing attack — some organized groups are now using strategic Web compromises (SWC), the company reports.

SWCs — sometimes called “watering holes” — are legitimate websites that have been infected by an attacker in order to steal the personal data of those who frequent the site. For example, an attacker looking to collect data on political officials might infect the site of a conference or event that is attended by those officials.

“Where these groups used a lot of spearphishing in the past, we have seen many more SWCs in the last year,” says Dmitri Alperovitch, co-founder and CTO of CrowdStrike. SWCs are harder to detect and remediate than phishing attacks, and it’s harder to identify who launched them, he notes.

SWCs played key roles in recent attacks by organized Chinese hacker groups on the U.S. Department of Labor and the Council on Foreign Relations, the CrowdStrike report says.

Organized attackers often find that an indirect route to a target is easier than a direct attack, according to CrowdStrike. A China-based group that CrowdStrike has dubbed Emissary Panda is focusing much of its attention on compromising the systems of foreign embassies, rather than going after government systems in their home country. Similarly, a China-based group that CrowdStrike calls Numbered Panda has been conducting spearphishing attacks under the guise of the G20 Summit, an event that attracts top government officials from most of the world’s top industrialized nations.

“Targeted intrusion operators like to leverage major events in their operations,” the report states. In 2014, organized groups will likely build phishing attacks and SWCs around events such as the Winter Olympics, the World Cup, the G20 Summit, and upcoming national elections in Egypt, Iraq, Tunisia, and Turkey, CrowdStrike warns.

One group that targeted national elections in 2013 was an organized cel in Iran that CrowdStrike calls Magic Kitten. The group attempted to affect the outcome of Iran’s elections through a series of attacks targeting political dissidents and those supporting Iranian political opposition, according to the report. The group’s preferred attack vector is spearphishing, accompanied by malicious Word documents and image files, which enabled the attackers to retrieve information about victims’ computers, do keylogging, file execution, voice recording, and file exfiltration.

CrowdStrike, which is currently monitoring more than 50 groups of cyberattackers in countries all over the world, predicts that such politically motivated groups will continue to evolve their tactics to avoid detection and take advantage of vulnerabilities in new technologies, such as the emerging generic top-level domains (gTLDs) that are scheduled to go into operation this year.

“These gTLDs will be used by adversaries to support more effective phishing attacks,” the report says. “CrowdStrike also expects new vulnerabilities to be discovered and exploited in network-facing software with regard to handling gTLD hostnames.”

“One of the things we tried to do with this report is to look forward at potential future attacks, rather than just looking back at the year,” Alperovitch says. “With good threat intelligence, every organization should be able to do predictive analytics based on its history and the history of security events. If you know what your attacker did last year, you can get a sense for what he might do this year.”

Have a comment on this story? Please click “Add a Comment” below. If you’d like to contact Dark Reading’s editors directly, send us a message.

Article source: http://www.darkreading.com/attacks-breaches/politically-motivated-cyberattackers-ado/240165539

The new year already is bringing a string of startups to the security scene backed by executives from high-profile companies: Shape Security yesterday emerged with its new website security technology, while video security firm EagleEye launched its cloud-based security service for video and security camera surveillance.

Shape Security, which has been in stealth mode for two years and is led by former management from Google, Cisco, Mozilla, and VMware, pulled back the covers on its approach to defeating website attacks by botnets and malware. Shuman Ghosemajumder, Shape’s vice president of product and former Google click fraud czar, says the startup is giving attackers a taste of their own medicine and using real-time polymorphism at the Web user interface to thwart botnets and malware so they can’t take advantage of the Web source code interface anymore.

“Rather than trying to detect all these attacks and catalog the ways attacks have operated in the past — bad IPs, strange behaviors — we wanted to do something fundamentally to the application” to deter attackers, Ghosemajumder says. Shape’s technology mixes up the static appearance of HTML scripts at the interface so attackers can’t use them for credential-stuffing, application-layer DDoS, and man-in-the-browser attacks, he says.

“The website never looks the same way twice” to the attacker, so he can’t create scripts to abuse it, he says. “By renaming the HTML scripts … to something else … and constantly changing on every single page load.”

Ghosemajumder says the concept is a new security layer for websites that doesn’t change Web functionality. “It’s not about changing programming behavior. It’s not a vulnerability in an app that you can change by coding: It’s about solving an inherent vulnerability in the Web,” he says.

Shape’s new ShapeShifter appliance sits in front of the Web server and continuously changes up the attack surface of a website. “We are focused on stopping automated attacks [against a website user interface] … even SQL injection,” he says. “What we are aiming to do is make it so expensive for attackers to attack a website that’s protected by ShapeShifter that they will do the rational thing and not invest in a new process — [they will] take their scripts and go after softer targets.”

Robert Lentz, former chief information security officer at the Department of Defense and member of the board of directors of FireEye, says Shape’s technology addresses a security problem that has been tough to hack. “Shape is operating on a previously inaccessible layer of the security problem: the fact that everyone has a user interface, but user interfaces are inherently vulnerable to attacks from malware, bots, and scripts.”

Shape’s beta customers are in the financial, commerce, and health-care industries. “Our initial customers asked for a box to plug in,” Ghosemajumder says. The company also plans to offer a cloud-based version with a virtual image, he says.

Shape also has backing from Google executive chairman Eric Schmidt’s TomorrowVentures and former Symantec CEO Enrique Salem.

Dean Drako, founder and former CEO of Barracuda Networks, yesterday announced his new startup, Eagle Eye Security, which also has been operating in stealth for two years. Eagle Eye also rolled out its cloud-based security camera video management system, which encrypts video and event data. “Cameras are moving into the IP realm, and IT guys are taking them over [gradually],” Drako says. “We have a highly encrypted connection to our cloud servers, where the box phones home. No ports are broken, and no public IP addresses are on our box.”

Eagle Eye also encrypts the video to prevent tampering and unauthorized access, he says.

According to a survey the startup conducted, some 49 percent of IT professionals handle their organizations’ video security system, and half say it’s likely they will go to the cloud for some video storage within two years.

Have a comment on this story? Please click “Add Your Comment” below. If you’d like to contact Dark Reading’s editors directly, send us a message.

Article source: http://www.darkreading.com/vulnerability/security-startups-take-shape-out-of-stea/240165568

WASHINGTON, January 21, 2014 – The National Retail Federation today sent a letter to congressional leaders outlining the retail industry’s commitment to protecting sensitive consumer data in the wake of the recent international cyber attacks and thefts.

“The National Retail Federation and our 12,000 members are committed to combating this criminal threat to our industry and our customers, and we strongly recommend the adoption of meaningful steps to fight cyber theft and credit card fraud,” NRF President and CEO Matthew Shay wrote in the letter sent to Senate Majority Leader Harry Reid, D-Nev. and House Speaker John Boehner, R-Ohio.

The letter reiterated the retail industry’s long-held support for replacing current credit and debit cards with cards that would store data in an embedded computer micro-chip and require the use of a PIN rather than a signature. Current cards use easy-to-hack 1960s technology.

“For years, banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next-generation PIN and Chip card technology for customers in Europe and dozens of other markets,” Shay said.

NRF expressed its support for an immediate transition from magnetic-stripe cards to more-secure and advanced PIN and Chip cards to better protect consumer data from theft, hacking and skimming. PIN and Chip cards are widely used in more than 80 countries throughout Europe, Asia and Africa.

“The retail industry is eager to work with banks and card companies to fight cyber attacks and reduce fraud,” Shay said. “These efforts include installation of sophisticated new PIN-enabled point-of-sale-systems and readiness to adopt cards with more secure microchip technology, but the fact remains that retailers cannot do this alone.”

NRF is the world’s largest retail trade association, representing discount and department stores, home goods and specialty stores, Main Street merchants, grocers, wholesalers, chain restaurants and Internet retailers from the United States and more than 45 countries. Retail is the nation’s largest private sector employer, supporting one in four U.S. jobs – 42 million working Americans. Contributing $2.5 trillion to annual GDP, retail is a daily barometer for the nation’s economy. NRF’s This is Retail campaign highlights the industry’s opportunities for life-long careers, how retailers strengthen communities, and the critical role that retail plays in driving innovation. www.nrf.com

Article source: http://www.darkreading.com/end-user/national-retail-foundation-urges-transit/240165540