STE WILLIAMS

Lessons From 5 Advanced Attacks Of 2013

Distributed denial-of-service attacks targeted application and business-logic weaknesses to take down systems; fraudsters used encryption to scramble victims’ data until they paid a ransom; and attackers increasingly targeted providers as a weak link in the chain of digital security protecting businesses.

In 2013, there were no major revolutions in the way that attackers compromised, cut off, or just plain inconvenienced their victims’ systems, but their techniques and tactics evolved. From more pernicious encryption in ransomware to massive DDoS attacks fueled by reflection, attackers showed that they still had options available in their bag of tricks.

“As the criminals have become more savvy and more technically knowledgeable and understand the victims’ environments better, they are able to see opportunities that they might otherwise overlook,” says Jeff Williams, director of security strategy for the counter threat unit at Dell SecureWorks, a managed security provider.

Based on interviews with experts, here are five advanced attacks from 2013 and the lessons for businesses from those events.

1. Cryptolocker and the evolution of ransomware
While many attackers create botnets to steal data or use victims’ machines as launching points for further attacks, a specialized group of attackers has used strong-arm tactics to extort money from victims. In the past, most of these attacks, referred to as ransomware, have been bluffs, but Cryptolocker, which started spreading in late summer, uses asymmetric encryption to lock important files.

The group behind Cryptolocker has likely infected between 200,000 and 250,000 computers in its first hundred days, according to researchers at Dell SecureWorks. Based on the number of payments made using Bitcoin, the company conservatively estimated that 0.4 percent of victims paid the attackers, but the real figure is likely many times the minimum take of $240,000, the company stated in an analysis.

[As regional troubles spill over to the digital world, companies should reinforce their defenses and demand their suppliers do the same, experts say. See World’s Trouble Spots Escalating Into Cyberthreats For Businesses.]

“What sets it apart is not just the size and the professional ability of the people behind it, but that, unlike most ransomware, which is a bluff, this one actually destroys your files, and if you don’t pay them, you lose the data,” says Keith Jarvis, senior security researcher with Dell SecureWorks.

Companies should expect ransomware to adopt the asymmetric-key encryption strategy employed by the Cryptolocker gang.

2. New York Times “hack” and supplier insecurity
The August attack on The New York Times and other media outlets by the Syrian Electronic Army highlighted the vulnerability posed by service providers and technology suppliers.

Rather than directly breach The New York Times’ systems, the attackers instead fooled the company’s domain registrar into transferring ownership of nytimes.com and other media firms’ domains to the SEA. The attack demonstrated the importance of working with any suppliers that could be a “critical cog” in a company’s security strategy, says Carl Herberger, vice president of security solutions for Radware, a network security firm.

“You need to have real-time, critical knowledge from your service providers to determine whether they are being attacked and whether you are the intended victim of that attack,” says Herberger.

3. Bit9 and attacks on security providers
In February, security firm Bit9 revealed that its systems had been breached to gain access to a digital code-signing certificate. By using such a certificate, attackers can create malware that would be considered “trusted” by Bit9’s systems.

The attack, along with the breach of security company RSA, underscores that the firms whose job is to protect other companies are not immune to attack themselves. In addition, companies need to have additional layers of security and not rely on any one security vendor, says Vikram Thakur, a researcher with Symantec’s security response group.

“The onus resides with the security firm to prevent successful attacks from happening, but when they fail, a victim should have a plan to bolster their defense,” Thakur says.

4. DDoS attacks get bigger, more subtle
A number of denial-of-service attacks got digital ink this year. In March, anti-spam group Spamhaus suffered a massive denial-of-service attack after it unilaterally blocked a number of online providers connected, in some cases tenuously, to spam. The Izz ad-Din al-Qassam Cyberfighters continued their attacks on U.S. financial institutions, causing scattered outages during the year.

As part of those attacks and other digital floods, attackers put a greater emphasis on techniques designed to overwhelm applications. Such application-layer attacks doubled in frequency in the third quarter of 2013 compared with the same quarter a year before, according to denial-of-service mitigation firm Prolexic. Reflection attacks, in which attackers use incorrectly configured servers to amplify their traffic, grew 265 percent in the same period, according to the firm.

The attack against Spamhaus, which reportedly topped a collective 300 Gbps, used reflection attacks via open DNS resolvers to generate the massive flood of traffic.

“This technique is still an available option for attackers,” says Radware’s Herberger. “Because there are 28 million vulnerable resolvers, and every resolver needs to be fixed, this problem is not going away any time soon.”
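One thing an operator of a resolver can do about the open-resolver problem described above is watch the query log for the abuse signature: a burst of queries for large-response record types that all appear to come from one address, which on an open resolver is the spoofed victim rather than a real client. The following detector is an added example, not code from the article or from Radware or Prolexic; the log lines are constructed in the shape of a BIND-style query log, and the log format, the record-type set, the threshold and the "served network" prefix are all assumptions for illustration.

```python
"""Flag DNS clients that look like reflection/amplification sources.

Added example; parses a few constructed query-log lines. The log format,
thresholds and addresses are assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed sample log lines (timestamp, client ip#port, name, class, type, flags).
SAMPLE_LOG = """\
26-Dec-2013 10:00:01.001 client 203.0.113.7#5353: query: example.net IN ANY +E
26-Dec-2013 10:00:01.002 client 203.0.113.7#5353: query: example.net IN ANY +E
26-Dec-2013 10:00:01.003 client 203.0.113.7#5353: query: example.net IN ANY +E
26-Dec-2013 10:00:01.004 client 203.0.113.7#5353: query: example.net IN ANY +E
26-Dec-2013 10:00:01.005 client 203.0.113.7#5353: query: example.net IN ANY +E
26-Dec-2013 10:00:02.100 client 192.0.2.10#40112: query: www.example.org IN A +
26-Dec-2013 10:00:02.300 client 192.0.2.11#40113: query: mail.example.org IN MX +
26-Dec-2013 10:00:02.900 client 198.51.100.4#33000: query: example.net IN TXT +E
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)$"
)

# Record types whose answers are many times larger than the query and so are
# favoured for amplification; the set is an illustrative assumption.
AMPLIFYING_TYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def parse_line(line):
    """Return a dict of fields for one query-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_reflection_sources(log_text, threshold=5):
    """Return {client_ip: count} for clients that sent at least `threshold`
    queries for amplifying record types within the supplied log text."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["qtype"] in AMPLIFYING_TYPES:
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def is_external(ip, local_prefixes=("192.0.2.",)):
    """True if the client is outside the networks this resolver is meant to serve
    (the prefix list is a constructed assumption)."""
    return not ip.startswith(local_prefixes)


def audit(log_text):
    """Flagged sources that are also outside the served networks are the ones
    an open resolver is being abused for; a closed resolver should never see them."""
    flagged = find_reflection_sources(log_text)
    return sorted(ip for ip in flagged if is_external(ip))


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

The fix the quote calls for is closing the resolver to outside clients; this check only tells you whether yours is still being used as one, so it belongs on every recursive resolver until that is done.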

5. South Korea and destructive attacks
Companies in both the Middle East and South Korea suffered destructive attacks designed to wipe data from computers. In 2012, Saudi Aramco and other companies in the Middle East were targeted with a malicious attack that erased data from machines, causing them to become unrecoverable.

This year, South Korean firms were attacked in a similar manner in a multi-vector attack whose finale was the deletion of master boot records on infected computers. While such attacks have happened in the past, they seem to be more frequent, says Dell SecureWorks’ Williams.

“The impact of these attacks has been pretty impressive: 30,000 machines needed to be rebuilt in the Saudi Aramco case,” he says.


Article source: http://www.darkreading.com/advanced-threats/lessons-from-5-advanced-attacks-of-2013/240165028

Survey: U.S. Citizens More Worried About ID Theft Than Privacy

Despite recent controversy over surveillance by the NSA, U.S. voters are still much more worried about identity theft than online tracking of their activities, a new study says.

According to a poll of 1,000 U.S. voters conducted by Benenson Strategy Group on behalf of the Computer Communications Industry Association (CCIA), the vast majority of users are more worried about security than privacy.

“Overall, 75% are worried about their personal information being stolen by hackers and 54% are worried about their browsing history being tracked for targeted advertising,” the study says.

“However, when voters are forced to choose which one is more important to them, their focus is almost unanimously (87%) directed on the need to protect their personal information from those who would use the info to harm them,” the study continues. “Even those worried about tracking (the 54%) are more worried about hacking by an overwhelming majority (84% to 8%).”

Most voters are aware of online risks, according to the poll. Fifty-five percent say they or someone they know has experienced an email account breach, and 62% report receiving a suspicious email from someone who likely had experienced an account hack. Half of the voters polled say they or someone they know has experienced a breach of their financial accounts online.

Most voters are also taking steps to protect themselves, according to the study. Seventy-three percent have chosen not to allow a service to remember their credit card information, 65% have set their browser to disable cookies, and 53% have blocked an app from accessing their location information.

Some 68% of respondents have adjusted the privacy settings for their online accounts, the CCIA study says. More than three quarters (76%) of survey respondents indicated they have used a different password for each service they use, and 57% have signed up for a two-step sign-in process. Eighty-three percent have required a password to unlock their devices at some point.


Article source: http://www.darkreading.com/end-user/survey-us-citizens-more-worried-about-id/240165029

Database Risks Increase As Patch Frequency Decreases

The recent report released by the Inspector General of the Department of Energy about a massive breach at the agency earlier this year detailed a number of important breakdowns in security that led to the breach. Perhaps one of the biggest lessons to be learned from the report, though, was how important the patching process is to the risk posture of sensitive databases.

According to Gregory H. Friedman, the author of the report, one of the biggest failures that led to the breach was that the management information system (MIS) breached by attackers was running on woefully out-of-date software.

“Critical security vulnerabilities in certain software supporting the MIS application had not been patched or otherwise hardened for a number of years,” Friedman reported.

In the same vein, Friedman reported that there was no sense of urgency in replacing end-of-life applications that supported critical MIS databases.

“Specifically, core support for the version of the compromised application upon which MIS was built ended in July 2012, and the department failed to purchase the extended support that would have provided limited coverage through July 2014,” Friedman said.

[Are you using your human sensors? See Using The Human Perimeter To Detect Outside Attacks.]

Patch management has long been a thorn in the side of database administrators, who would just as soon not deal with the performance quirks that come with security updates.

“Database patches tend to introduce not only security fixes, but behavioral changes as well, which cannot be separated out of the cumulative patch,” says Barry Shteiman, director of security strategy for Imperva. “For this reason, many DBAs or system admins decide to not patch, or only patch on a yearly maintenance basis, and even then, I have a strong feeling that only patches that are considered ‘critical’ are installed.”

But patches within the database aren’t the only ones that greatly affect the security of these sensitive data stores. Applications can be equally important.

“If an application uses a database back-end — as they always do — and that application is vulnerable to attacks, SQL injection for example, then the database that it has rights to read and write from becomes vulnerable to the same attack,” Shteiman says. “It is a chain reaction.”
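The “chain reaction” Shteiman describes is easiest to see side by side: the same lookup written once by concatenating user input into SQL and once with a bound parameter, run against the same rows. This is an added example, not code from the article or from Imperva; it uses an in-memory SQLite database with a constructed `customers` table, and the function names and schema are assumptions.

```python
"""Vulnerable-vs-parameterized database lookup (added example).

Uses an in-memory SQLite database with constructed rows; schema and
function names are assumptions for illustration.
"""
import sqlite3


def make_db():
    """Create an in-memory database with a constructed customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [
            ("alice@example.com", "1111"),
            ("bob@example.com", "2222"),
            ("carol@example.com", "3333"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    """The application concatenates user input into the SQL text. Whatever
    rights the application's database account has, the input now has too."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Same query with a bound parameter: the input is data, never SQL, so the
    database account's rights are exercised only for the row that matches."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups with a normal address and with a value that is not an
    address at all; return how many rows each path hands back."""
    conn = make_db()
    benign = "alice@example.com"
    # Constructed hostile input: the vulnerable path treats it as SQL and the
    # whole table comes back; the safe path simply finds no such e-mail.
    hostile = "' OR '1'='1"
    return {
        "vulnerable_benign": len(lookup_vulnerable(conn, benign)),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),
        "safe_benign": len(lookup_safe(conn, benign)),
        "safe_hostile": len(lookup_safe(conn, hostile)),
    }


if __name__ == "__main__":
    print(demo())
```

The database patch level never enters into it: both functions run against the same engine, and only the application code decides whether the account’s read rights cover one row or every row.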

Unfortunately, the basic blocking and tackling of patch and vulnerability management continues to lag at many organizations, particularly those within the public sector. A study conducted earlier this year by CentraStage that examined anonymized hardware and software data of thousands of online servers — including those belonging to 6,000 different public sector agencies — found that 40 percent of the machines lacked up-to-date security practices.

According to Dave Rosenberg, CTO at DB Networks, organizations should recognize that the patch process will be imperfect no matter how conscientiously it is pursued.

“Patches are available only after significant problems occur and are detected in the field; after they are understood and addressed by beleaguered developers; knowledge of their availability and distribution to operations is unreliable and time-consuming; and they must be sequenced into production along with many other frequently conflicting priorities,” Rosenberg says, explaining that it is important to complement patch management with continuous monitoring and behavioral analysis to look for exploited vulnerabilities.


Article source: http://www.darkreading.com/database/database-risks-increase-as-patch-frequen/240164981

Joke no more: Comedy virty currency Dogecoin gets real in big Xmas heist


If you’ve heard of Dogecoin, maybe you thought it was a joke. A cryptocurrency based on what has been called the meme of the year for 2013, it certainly has all the earmarks of an internet prank. But some people are apparently taking Dogecoin seriously – seriously enough, at least, to steal millions of them from online wallets.

In a move worthy of Scrooge himself, the e-heist took place on Christmas Day. Hackers were reportedly able to compromise the systems of online wallet service Dogewallet and reconfigure the site so that all transactions were rerouted to their own address.


“We’re currently looking at logs and have found thousands of attempts to hack our systems,” a message posted to Dogewallet’s site on Wednesday explained. “Specifically, the attack originated from the hacker gaining access to our filesystem and modifying the send/receive page to send to a static address. We’re currently reviewing logs for information.”
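The failure Dogewallet describes, a page on the web server silently rewritten to pay out to one fixed address, is exactly what a file-integrity baseline is meant to catch. The following is an added example, not Dogewallet’s tooling or anything the article describes: it records a SHA-256 manifest of a web root at deploy time and later reports which files changed, appeared or vanished. The directory layout, file contents and placeholder address are constructed for the demonstration.

```python
"""File-integrity baseline for a web root (added example, not Dogewallet's).

Builds a manifest of SHA-256 digests and reports files that changed,
appeared or vanished. The sample directory below is constructed.
"""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file's path relative to `root` (forward slashes) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest
    return manifest


def diff_manifest(baseline, current):
    """Return (modified, added, removed) as sorted lists of relative paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def demo():
    """Constructed scenario: the send page is edited after the baseline was taken
    and an extra file is dropped alongside it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app"))
        send_page = os.path.join(root, "app", "send.php")
        with open(send_page, "w") as fh:
            fh.write("<?php $to = $_POST['to']; ?>\n")
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<html>wallet</html>\n")

        # Taken at deploy time; in practice stored and compared from off-host.
        baseline = build_manifest(root)

        # Later: destination replaced by a fixed value (placeholder, not a real
        # address) and a new file appears in the web root.
        with open(send_page, "w") as fh:
            fh.write("<?php $to = 'PLACEHOLDER_STATIC_ADDRESS'; ?>\n")
        with open(os.path.join(root, "app", "x.php"), "w") as fh:
            fh.write("<?php ?>\n")

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified, "added:", added, "removed:", removed)
```

The manifest is only as trustworthy as where it is kept: an attacker with write access to the filesystem can rewrite a manifest stored beside the pages, so the comparison should run from a host or pipeline the web server cannot reach.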

It’s not clear exactly how many Dogecoins fell prey to the incident, but the amount is said to be in excess of 30 million. The value of one Dogecoin is currently estimated at around $0.0006, making the amount stolen worth potentially $18,000 or more in real-world dollars.

In a Reddit post on the matter, Dogewallet’s founders say they are scrambling to reimburse users for as much of the lost currency as possible. As The Reg goes to press the big, red “Publish” button on this story, the latest update claims that at least “a few million” Dogecoins have been returned to users so far.

Not everyone in the Dogecoin community buys Dogewallet’s explanation, however. In a separate Reddit thread, some users have speculated that the incident may not have been a hack at all, but the result of a deliberate scam designed to bilk gullible users out of their Dogecoins.

Scam or not – and El Reg does not care to speculate on who may have been behind the theft – many Dogecoin fans have argued that most of these losses could have been prevented if Dogewallet users had learned from the example of earlier cryptocurrencies, such as the daddy of them all, Bitcoin.

As recently as November, an Australian man claimed he lost Bitcoin worth more than $1m from an online wallet that was managed by a service called inputs.io. That service has since been taken down, its homepage replaced with a less-than-reassuring apology.

Indeed, even Dogewallet’s operators weren’t so dreadfully cut up by Wednesday’s sad event that they didn’t take the opportunity to wag their fingers at some of the service’s users.

“Please use offline wallets as online wallets are meant for new users who aren’t using them as a storage of coins,” they wrote. “Offline wallets are more safe and secure than any online wallet due to possible attacks that can originate from anyone, anywhere.”

Anyone, anywhere indeed. Dogewallet has posted the address it believes was the beneficiary of the purloined Dogecoins, but whether that will help recover them is unclear.

As for the future of Dogewallet, it sounds like it doesn’t have one. The service is currently shut down and it doesn’t seem likely to return.

“We’re going to compensate all invested users and as much non-invested user balances as possible and discontinue the website,” the operators wrote on Reddit. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/26/dogecoin_christmas_heist/



Target’s Christmas Data Breach

A week after Target’s breach and probable compromise of 40 million credit and debit card details, there appears to be little new public information as to how the attack occurred and what remedies Target have taken to prevent it happening again. This is of course both worrying and par for the course unfortunately.

A number of press articles have focused upon the likelihood of PIN data also being accessed by the attackers. According to the New York Daily News, Target spokeswoman Molly Snyder stated “We continue to have no reason to believe that PIN data, whether encrypted or unencrypted, was compromised.” The fact that PIN data has even come up in the discussions worries me for two reasons: either Target finds it necessary to store PIN data along with debit card details in some system or other, or the compromise vector was via the Point-of-Sale (PoS) system directly.

If Target has been storing PIN data for third-party debit cards, then that is deeply worrying to me. I can’t think of a legitimate reason why any corporation would want to retain this data – unless they have a process for managing delayed or deferred payments (e.g. reducing the amount they pay to merchant bankers for processing cards at non-peak times). Regardless, there’s no way that kind of data should be retained for more than a few hours – and I hate the idea of it happening at all as it exposes customer data to unnecessary threats. Having worked with many other retail organizations around the world, I’ve never encountered any legitimate organization willfully storing PIN data.

So, if that’s been removed from the table, the only other place PIN data could exist (ideally in a transitory and encrypted state) should be at the PoS system. Attacking the PoS system offers a number of challenges. For one, while the PoS register may be networked for inventory tracking and price lookups, the actual card swipe components generally operate autonomously and are secured at the hardware level. This typically means that the attackers must physically compromise or replace the hardware. Unfortunately, this attack vector occurs more frequently than people willingly admit. For example, last year 63 Barnes and Noble stores were hacked this way, resulting in the chain removing the customer PIN pads.

Alternatively, the PoS system may route all PIN pad operations through a back office system in order to better handle store cards, gift cards, and other partial payment options. This means that the customer PIN pad simply proxies the data from the PoS to a centralized system. I’d hope that the transaction details (including the PIN) are encrypted, but you never know. Regardless, this store-centralized payment processing system would be an extremely valuable target for attackers. Such a system may make economic sense for a retailer, but it raises their risk profile considerably.

While Target keeps the details of their breach close to their collective chest, there is very little information on which to form an opinion about negligence or attacker sophistication. That hasn’t stopped people from lining up with their hands out for compensation: apparently three class-action lawsuits have already been filed in the wake of the breach, seeking more than $5 million in damages.

I’m not opposed to the use of fines as a means of correcting errant business practices, but my first reaction to hearing about class-action suits is “opportunistic money-grabbers”. I’d rather support a system that forces breached organizations to increase the security of their customers’ data than a system that forces the attacked organization to simply take out insurance policies and argue over minimum levels of legal compliance. Earlier this month I wrote about an alternative means of upping the information security stature of an organization through the divvying up of data breach fines, in which larger fines are imposed but a high proportion of those funds are directed back at the organization for investing in new defenses.

U.S. Senator Robert Menendez (a member of the Senate banking committee) is investigating whether the Federal Trade Commission (FTC) has the authority to impose a fine for data breaches such as this one affecting Target. If the FTC does not, he intends to propose legislation that would grant it that power. I’d be an advocate for that, subject to a proportion of that fine going back to directly securing the organization.

It is unfortunate that data breaches are on the rise. However, I see it as a reflection of criminals perpetually targeting where the money is, and the increasing gap between professional hackers and corporate compliance teams. This isn’t the first time Target have been the victim of a data breach, it won’t be the last, and I’d feel comfortable saying that it isn’t the only one happening right now… merely the latest to be detected.

— Gunter Ollmann, CTO IOActive Inc.

Article source: http://www.darkreading.com/attacks-breaches/targets-christmas-data-breach/240165020

Study: Mobile Devices Escalating Endpoint Security Risks

Maintaining endpoint security is tougher than ever, security professionals say, thanks largely to the huge influx of mobile devices.

According to the annual State of the Endpoint study, conducted by the Ponemon Institute and sponsored by Lumension, 71 percent of security professionals believe that endpoint security threats have become more difficult to stop or mitigate over the past two years.

More than 75 percent said mobile devices pose the biggest threat in 2014, up from just 9 percent in 2010, according to Ponemon. Some 68 percent say their mobile devices have been targeted by malware in the past 12 months, yet 46 percent of respondents say they do not manage employee-owned mobile devices.

“We’ve seen the threat landscape fundamentally change over the last five years,” said Larry Ponemon, head of the Ponemon Institute. “Trending data shows increasing concern, year over year, over the explosion of mobile devices on the network. It’s now IT’s greatest risk. And unfortunately, 46 percent of our respondents report no efforts are in place to secure them.”

Advanced persistent threats (APTs) are also increasingly concerning for survey respondents. This year, 39 percent report APTs as one of their most concerning risks, up 55 percent from 2009. While 40 percent report they were a victim of a targeted attack in the past year, another 25 percent say they aren’t sure if they have been, which suggests that many organizations don’t have security mechanisms in place to detect such an attack, the study says. For those that have experienced such an attack, spear-phishing emails sent to employees were identified as the No. 1 attack entry point.

Respondents also report that the volume of malware continues to be an escalating problem. The survey found that 41 percent say they experience more than 50 malware attacks a month, up 15 percent from those that reported that amount three years ago. And malware attacks are costly, with 50 percent saying their operating expenses are increasing and 67 percent saying malware attacks significantly contributed to that rising expense.

Despite rising costs, IT budgets have not increased for the majority of survey respondents. While 65 percent say they prioritize endpoint security, just 29 percent say their budgets have increased in the past 24 months.

The Ponemon Institute and Lumension will hold a webcast on Jan. 8 to discuss the study results.


Article source: http://www.darkreading.com/mobile/study-mobile-devices-escalating-endpoint/240165011

Naked Security talks about Festive Season Security on BBC Radio 5 Live’s “Outriders” show…

Outriders is a BBC Radio 5 Live programme that describes itself as “exploring the frontiers of the web.”

It’s hosted by Jamillah Knowles, and it goes to air early on Tuesday mornings, so this week’s episode came out on Christmas Eve.

With the festive season in mind, Jamillah interviewed Naked Security’s Paul Ducklin about security and safety online, including:

  • Should friends let friends run Windows XP?
  • Is gifting someone a computer enough on its own, or should you go the extra mile and help the recipient set it up properly?
  • What extra steps do you need to take if you’re giving your children tablets so they can go online unsupervised?
  • If you buy yourself a new computer this Christmas, what precautions should you keep in mind when you get rid of your old one?

You can download the programme as an MP3 from the BBC’s podcast repository, check out this and all previous Outriders shows on the BBC Podcasts website, or “tune in” and listen directly from the BBC’s site now:


(BBC Radio 5 Live: Outriders 24 Dec 2013)

Duck is on for the first ten minutes of the show.

Just remember: computer security is a smart choice for your whole digital lifestyle, not just for Christmas.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wxoBptwmQkU/

On tech support duty for family at Christmas? Get our free Threatsaurus…

Are you on tech support duty for your nearest and dearest over Christmas and New Year?

Are you busily trying to explain data leakage, drive-by downloads, exploits, keylogging, phishing, ransomware, rootkits, spyware and why that 5GB Mavericks download isn’t just for show…

…when really you’d rather be snowboarding (or at the beach, depending on your latitude)?

Let the Sophos Threatsaurus and our handy online Threat Index help you teach your friends and family how to stay secure.


From APTs to Zombies, from Anti-Virus to Web Firewalls, and with a fascinating history of viruses and malware from 1949 (really!) to the present day, the Threatsaurus tells you what you need to know.

There’s no jargon, no sales blurb, no hyperbole and no sense of impending doom like you get from some guides to online safety.

The Threatsaurus explains the facts about threats to your computers and to your data in simple, easy-to-follow language.

It’s a free download – no registration, no password, no email address.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/z2wUaLwcGTg/