STE WILLIAMS

Thinking about a Career Move in Cybersecurity?

The numbers show career opportunities for cyber defenders.

Anyone thinking about a career move might want to give the cybersecurity market a look — or a second look for those already in it. The statistics paint an encouraging employment picture.

Cybercrime damages are predicted to cost the world $6 trillion annually by 2021, according to the “Cybercrime Report” by the editors at Cybersecurity Ventures. That’s up from $3 trillion in 2015, which is fueling a burgeoning market, with cybersecurity spending expected to reach more than $1 trillion cumulatively from 2017 to 2021.

Unfilled Positions
In 2014 there were 1 million unfilled cybersecurity jobs globally, according to Cisco. By 2021 that number will grow to 3.5 million openings. The cybersecurity unemployment rate has plummeted to 0%, and it’s expected to remain there for the next several years. Near term, we expect the world to employ 6 million cybersecurity workers by 2019. There’s also a shortfall of cyber defenders at organizations of all sizes and types, ranging from Fortune 500 and Global 2000 corporations to small-to-midsize businesses to governments and schools globally.

Situation Worsening
The labor crunch has intensified over the past year, with more than 200 cybersecurity startups raising venture capital — much of that intended for new hires. VC funding shows no signs of slowing down in 2018 or in the foreseeable future.

There’s also a sound argument that every IT position should also be a cybersecurity position — and that all IT workers should have some level of responsibility for protecting and defending apps, data, devices, infrastructure, and people. If so, then the workforce shortage is even worse than the data suggests.

CISO Demand
Estimates from various sources suggest somewhere between 50% and 70% of large companies globally have a dedicated CISO (chief information security officer) today. The most recent “Annual Cybersecurity Jobs Report” (2017 edition) from Cybersecurity Ventures posits that 100% of large companies globally will have a CISO by 2021.

Given the scarcity of experienced people to fill these positions, there will be a lot of first-time CISOs heading up security for their employers over the next decade, an altogether different problem. But this does remove some barriers in the way of climbing the corporate security ladder.

Salary Outlook
Developing skill sets in specific technical domains is the best way to boost one’s salary. Threat intelligence, security software development, cloud, auditing, and big data analysis are some of the hot skills that may lead to a pay raise, according to (ISC)², a non-profit organization that provides education and certification for security professionals.

Or, switching into sales, going to work as a cybersecurity sales engineer could lead to a bump in pay by as much as 50%. Some sales engineers earn upward of $200,000 annually.

CISOs command the top pay, which is expected to average more than $240,000 annually in 2018, according to Robert Half Technology’s 2018 Salary Guide. The highest cybersecurity salaries are between $350,000 and $400,000 for CISOs in cities such as San Francisco and New York.

Lack of Interest
Expanding the pipeline of candidates is critical for any industry dealing with a workforce shortage. The cybersecurity labor crisis may be due in part to a lack of interest in the field. A 2017 survey by the University of Phoenix says it’s not a field that attracts job applicants. “Eighty percent of respondents said [they] have no interest in pursuing a career in cybersecurity,” said Dennis Bonilla, executive dean of the College of Information System and Technology at the University of Phoenix, in an interview with WNCN, a CBS local news station in North Carolina. According to a study by Raytheon, less than half of high school students have been approached by a parent, teacher, or guidance counselor about an education or career in cybersecurity.

Higher Education
A lack of interest in cybersecurity careers can’t be quantified by one or two surveys. Other data suggests there’s growing interest from students entering college, and IT workers thinking about cybersecurity as an upgrade to their current positions. There are more than 125 colleges and universities in the US alone offering a master’s degree in cybersecurity. Dozens of those programs offer online-only classes and degrees, so even students who can’t attend in person can get a degree.

The cybersecurity numbers add up to a lucrative field that desperately needs more people.


Steve Morgan is the founder and CEO at Cybersecurity Ventures and Editor-In-Chief of the Cybersecurity Market Report. The Cybersecurity Market Report is published quarterly and covers the business of cybersecurity, including global market sizing and industry forecasts from …

Article source: https://www.darkreading.com/operations/thinking-about-a-career-move-in-cybersecurity/a/d-id/1330944?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Lieberman Software Acquired by Bomgar

Deal combines privileged access management products, technologies.

Secure access vendor Bomgar has acquired identity management firm Lieberman Software in the latest in a string of cybersecurity consolidation moves over the past few weeks.

Bomgar, which sells secure and privileged access control software for endpoints, pointed to Lieberman’s products and technology as a move toward a stronger privileged access and identity management solution that combines both companies’ offerings.

“With our combined technologies, we will deliver a true defense-in-depth PAM [privileged access management] solution with a quick time to value, rapid deployments, and a winning user experience,” said Matt Dircks, CEO of Bomgar, in a statement. Financial details of the deal were not disclosed.

Read more about the acquisition here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/operations/identity-and-access-management/lieberman-software-acquired-by-bomgar/d/d-id/1330959?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘Ransomware’ Added to Oxford English Dictionary

The term is one of 1,100 new entries added to the Oxford English Dictionary this week.

Ransomware, n.: A type of malicious software designed to block access to applications or files on a computer system until a sum of money is paid.

This is how the Oxford English Dictionary (OED) defines ransomware, which is one of 1,100 new entries added this week, reports The Washington Times. OED updates its growing list of 829,000 words four times each year and works with experts to determine which terms make the cut.

The entry further explains common forms of ransomware are designed to encrypt users’ data and show a message threatening to permanently delete it, or publish it online, if the ransom isn’t paid in time. In early use, the term referred to a type of open-source software, which is available for free but requires payment for access to all features, functions, and updates.

Read the full dictionary entry here.


Article source: https://www.darkreading.com/endpoint/ransomware-added-to-oxford-english-dictionary/d/d-id/1330960?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Securing Cloud-Native Apps

A useful approach for securing cloud-native platforms can be adapted for securing apps running on top of the platform as well.

In 2016, Justin Smith wrote a great article about securing cloud-native platforms such as CloudFoundry and OpenShift. Smith describes what he calls the “Three R’s” — rotate, repair, and repave — and how they can improve security. The model is powerful, but Smith focuses on the platform itself. Those same techniques, with minor modifications, can be extended to securing the apps running on top of the platform.

Let’s dive into the three R’s, and see how they apply to the platform.

Rotate
The first R stands for rotate. A cloud-native platform relies on automation, so different parts of the system need to access and modify others. To do this, they use a mix of different tokens, ranging from username and password to UUIDs (universally unique IDs, a 128-bit number) to private keys and certificates. Over time, many systems and individuals have access to these tokens, inevitably resulting in tokens being leaked, giving attackers control over our systems.

The rotate principle means you should rotate your keys as often as possible. This way, leaked credentials will quickly become irrelevant, often before the attacker even gets to use them. Rotating credentials requires rethinking how you manage them, switching from a reliance on manual tracking to use of a central key management system, and the automation of the creation and consumption of access keys. (CloudFoundry recently launched CredHub for this purpose.)

This security principle applies to cloud-native apps pretty much as is. Whereas platforms rely on credentials for steps like SSH (Secure Shell) access and system provisioning, apps need them for accessing databases and third-party services and for interacting with the platform itself. Cloud apps typically store credentials in the platform’s configuration or environment variables, which makes the values available to the app. Such centralized credential storage makes it fairly easy to rotate keys — simply generate a new token, update the app’s configuration, and restart all running instances.

Rotating application credentials is a great way to improve app security in cloud-native apps. All it requires is a bit of automation. Note that this often requires having two valid credentials at any given time — one used by the current system and one being rolled out. Such pairs allow you to rotate credentials with no downtime, as old running instances will keep using the old keys until all are restarted.
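The two-valid-credentials rollout described above, as an added example that is not from the original article. It assumes a toy in-memory credential store standing in for a central key manager (such as CredHub, which the article mentions) and simulated app instances that, like real ones, read their credential once at start-up and keep it until restarted; it also shows the lock-out that the naive "replace immediately" approach causes.

```python
"""Zero-downtime credential rotation with an overlap window (added example)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class CredentialStore:
    """Toy central key manager: keeps up to two valid secrets per name,
    the current one and the previous one, so a rollout can overlap."""
    entries: dict = field(default_factory=dict)  # name -> {"current", "previous"}

    def create(self, name):
        """Create (or overwrite) a secret with no previous value kept."""
        token = secrets.token_urlsafe(32)
        self.entries[name] = {"current": token, "previous": None}
        return token

    def rotate(self, name):
        """Issue a new secret while keeping the old one valid."""
        entry = self.entries[name]
        entry["previous"], entry["current"] = entry["current"], secrets.token_urlsafe(32)
        return entry["current"]

    def retire_previous(self, name):
        """Close the overlap window once every consumer has restarted."""
        self.entries[name]["previous"] = None

    def is_valid(self, name, token):
        """Constant-time check against both the current and previous secret."""
        entry = self.entries.get(name)
        if entry is None:
            return False
        return any(t is not None and secrets.compare_digest(t, token)
                   for t in (entry["current"], entry["previous"]))


class Instance:
    """One running app instance; snapshots its DB credential at start,
    exactly like an environment variable read once by the process."""
    def __init__(self, config):
        self.token = config["DB_TOKEN"]

    def authenticate(self, store):
        return store.is_valid("db", self.token)


def rotate_with_overlap(store, config, instances):
    """Rotate the 'db' secret with a rolling restart and no lost access.
    Returns (old_token, new_token, failures), where failures counts every
    authentication that was rejected at any point during the roll."""
    old = config["DB_TOKEN"]
    new = store.rotate("db")        # old and new are both accepted from here on
    config["DB_TOKEN"] = new        # update the platform configuration
    failures = 0
    for i in range(len(instances)):
        instances[i] = Instance(config)   # restart one instance at a time
        failures += sum(not inst.authenticate(store) for inst in instances)
    store.retire_previous("db")     # everyone restarted: the old token dies
    return old, new, failures


def rotate_without_overlap(store, config, instances):
    """The naive approach: overwrite the secret immediately. Every instance
    still holding the old token is locked out until it is restarted."""
    new = store.create("db")        # no previous value is kept
    config["DB_TOKEN"] = new
    locked_out = sum(not inst.authenticate(store) for inst in instances)
    for i in range(len(instances)):
        instances[i] = Instance(config)
    return new, locked_out


if __name__ == "__main__":
    store = CredentialStore()
    config = {"DB_TOKEN": store.create("db")}
    fleet = [Instance(config) for _ in range(3)]
    print("overlap rotation failures:", rotate_with_overlap(store, config, fleet)[2])
    print("naive rotation lock-outs:", rotate_without_overlap(store, config, fleet)[1])
```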

Repair
The next R stands for repair, as in repairing known vulnerabilities in your systems. Known vulnerabilities account for the majority of successful exploits, and high-profile vulnerabilities such as Heartbleed and Shellshock demonstrate their severity well. Each of these is usually easy to fix, often by simply grabbing the fixed version, but doing so at scale is hard.

Using a cloud-native platform implies that you can automate the creation and deployment of your containers. This presents the opportunity to automate the tracking of known vulnerabilities in your operating system or its dependencies, trigger the creation of new containers and images, and streamline the rollout of those new systems to the cloud. Handling such automated repair well should be a key criterion when picking the platform to use. 

Repair applies to applications, as well. As demonstrated by the Equifax breach, a vulnerable application library (in that case, a remote command execution in the Java Struts2 library) can cause as much damage as an OS dependency, and it won’t be fixed by patching the underlying server. The steps are similar as well — automate tracking of newly disclosed vulnerabilities, repackage (in this case, rebuild) and roll out the new version.

The key distinction between app and platform lies in where this process takes place. Most developers are uncomfortable rolling out a library update without going through their automated testing, implying that this tracking should occur earlier in the dev process, integrated into your source control (e.g., GitHub, BitBucket, or GitLab), or as part of your continuous integration and continuous delivery/deployment (CI/CD).

Repave
The last-but-not-least R is repave. The original repave concept involves recreating servers frequently in case they’ve been compromised, removing the risk of a compromised server causing damage. Smith suggests switching from boasting about how long our servers can run to how quickly we can shut them down.

This concept doesn’t really apply to apps, as code always needs some server to run on (even if you’re using “serverless” computing). Frequent repaving of the underlying server would also help deal with servers compromised via an app-layer vulnerability. However, I suggest replacing this R with a new one: readjust.

Readjust/Divide and Conquer
Cloud-native applications take great advantage of microservices. In addition to being easier to maintain, they make our systems more flexible, as we use the same services in different constellations and execution paths, creating new business value with far less effort. Cloud-native platforms typically support locking down the permissions of each microservice individually, granting it only the permissions it needs to get the job done.

Unfortunately, maintaining granular permissions across many applications is hard, so developers reuse the same policies and credentials in multiple applications to lessen the load. This means each policy and service account needs to have the total permissions each microservice needs to operate — far more than what an individual policy would have allowed. To make things worse, it’s not clearly known which app needs each permission in the policy, so it’s hard to make them stricter over time.

To successfully mitigate the damage a compromised microservice can cause, make sure you regularly readjust the permissions to the minimum necessary for each. Doing so with cross-service policies will be hard, so I recommend requiring that each microservice maintains its own policy and credentials, making such constant adjustments feasible.
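The readjust step described in the last three paragraphs, as an added example that is not from the original article: it discovers which permissions each microservice actually exercises and shrinks a shared policy into one minimal policy per service. The policy model (`scope:action` strings), the access-log format (`timestamp service action resource`) and the three services are all constructed for this illustration.

```python
"""Readjusting a shared policy into per-service least privilege (added example)."""
from collections import defaultdict

# Constructed: one policy reused by every microservice, i.e. the union of
# everything any of them ever needed.
SHARED_POLICY = {
    "db:read", "db:write", "queue:publish", "queue:consume",
    "storage:delete", "secrets:read",
}

# Constructed access log: "timestamp service action resource".
ACCESS_LOG = """\
2018-01-29T10:00:01Z orders  db:read        orders-table
2018-01-29T10:00:02Z orders  queue:publish  order-events
2018-01-29T10:00:03Z billing queue:consume  order-events
2018-01-29T10:00:04Z billing db:write       invoices-table
2018-01-29T10:00:05Z billing email:send     invoice-mail
2018-01-29T10:00:06Z reports db:read        invoices-table
2018-01-29T10:00:07Z reports storage:delete old-reports
"""


def permissions_used(log_text):
    """Map each service to the set of permissions it was observed using."""
    used = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, service, action, _resource = line.split()
        used[service].add(action)
    return dict(used)


def readjust(shared_policy, used_by_service):
    """Per service: keep only observed permissions, and report what was
    dropped and what was used outside the policy (drift worth a look)."""
    result = {}
    for service, used in used_by_service.items():
        result[service] = {
            "policy": shared_policy & used,
            "removed": shared_policy - used,
            "unexpected": used - shared_policy,
        }
    return result


def blast_radius(shared_policy, minimal_policies):
    """Permissions a compromised service would hand over: before vs after."""
    return {svc: (len(shared_policy), len(p["policy"]))
            for svc, p in minimal_policies.items()}


if __name__ == "__main__":
    adjusted = readjust(SHARED_POLICY, permissions_used(ACCESS_LOG))
    for svc, detail in sorted(adjusted.items()):
        print(svc, "keeps", sorted(detail["policy"]),
              "drops", sorted(detail["removed"]),
              "unexpected", sorted(detail["unexpected"]))
    print(blast_radius(SHARED_POLICY, adjusted))
```

Run it against a longer observation window than the constructed log before trusting the result, since a permission used only by a monthly job will not show up in a week of logs.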

Switching to a cloud-native platform may be scary, as it shuffles your priorities. However, if this is done well, you can use the increase in automation and greater speed to your advantage and make both the platform and the apps running on it more secure.


Guy Podjarny is CEO Co-Founder at Snyk.io, focusing on securing the Node.js and npm world. Guy was previously CTO at Akamai, founded Blaze.io (acquired by Akamai), helped build the first Web app firewall and security code analyzer, and was in the Israeli army cyber units. …

Article source: https://www.darkreading.com/cloud/securing-cloud-native-apps-/a/d-id/1330951?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook bans cryptocurrency ads

What was the last cryptocoin straw that broke Facebook’s ad back?

… perhaps the exitscammer who left nothing but a bananagram on startup Prodeum’s website before clearing out with all $11 of investments?

We don’t know what flipped the switch, but Facebook on Tuesday inserted a new Clause 29 in the “Prohibited Content” section of its advertising policies that bans ads for cryptocurrency.

From hereon out, all cryptocurrency ads are verboten, including those notoriously dodgy initial coin offerings (ICOs) and binary options (financial contracts that give the buyer the right to buy or sell an asset for a specified price on or before a certain date).

Clause 29 now reads like so:

Ads must not promote financial products and services that are frequently associated with misleading or deceptive promotional practices, such as binary options, initial coin offerings, or cryptocurrency.

Facebook provided these examples:

  • “Start binary options trading now and receive a 10-risk free trades bonus!”
  • “Click here to learn more about our no-risk cryptocurrency that enables instant payments to anyone in the world.”
  • “New ICO! Buy tokens at a 15% discount NOW!”
  • “Use your retirement funds to buy Bitcoin!”

…use our retirement funds to buy Bitcoin? What a great idea!

Then we can all retire to live out our days in our cars… if, that is, we fall victim to one of the sundry ways there are to get taken for a crypto ride, such as if the value nosedives, or if the exchange gets hacked, or if digital wallets get frozen, or if exchanges claim to “lose” them a la Mt. Gox, or if we’re held at gunpoint by robbers who want our passphrases.

This is what Facebook product management director Rob Leathern had to say about keeping us all safe from cryptocurrency outfits that tend toward the slimy:

We want people to continue to discover and learn about new products and services through Facebook ads without fear of scams or deception. That said, there are many companies who are advertising binary options, ICOs and cryptocurrencies that are not currently operating in good faith.

Facebook knows it might not catch every scammy ad, but it will keep tweaking as it goes along to make it tougher for the shysters to fleece us, Leathern said:

This policy is intentionally broad while we work to better detect deceptive and misleading advertising practices, and enforcement will begin to ramp up across our platforms including Facebook, Audience Network and Instagram. We will revisit this policy and how we enforce it as our signals improve.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/JB8HR6rouug/

Facebook sued for not stopping killer who gave 4 minute notice

Facebook collects and analyzes information about users’ emotional states: whether we feel worthless, defeated, anxious, or like a failure. It also collects and analyzes our geographic locations, be it via GPS, cellular data, Bluetooth or Wi-Fi.

It has access to enough information about us that it can ascertain our intentions and activities, often at real-time speeds of less than a second. This information is behind what founder Mark Zuckerberg has said is the platform’s “ability to quickly reach people worldwide in an emergency,” and it’s why he’s confirmed Facebook’s “unique position to prevent harm” with services such as Safety Check.

So why couldn’t Facebook help to stop a killer who posted that he would murder a man in four minutes? And why is it that Facebook couldn’t tell police where the killer was, after he had fatally shot 74-year-old Robert Godwin Sr. on a Cleveland street last April?

… in spite of the killer having filmed a first-person view of the shooting and having uploaded it to his Facebook page, where, according to The Guardian, it remained for more than two hours and was copied, reposted and viewed millions of times?

Those are the questions Godwin’s family is asking in a lawsuit it filed against Facebook on 19 January. The family is charging the social network with negligence and wrongful death.

Godwin’s murderer was Steve Stephens, a 37-year-old job counselor for teens and young adults. Godwin, the father of ten, was out picking up cans in a plastic shopping bag, his daughter, Debbie Godwin, said. She described him as a gentle man.

Not because he needed the money, it was just something he did. That’s all he was doing. He wasn’t harming anyone. We called him the junk man. He’d pick up things off the street and fix them. He picked up bikes and he fixed them.

On 16 April 2017, minutes before he shot Godwin, Stephens posted this desperate, threatening message, saying he was at his “breaking point”:

FB my life for the pass year has really been f*ck up!!! [sic] I lost everything I ever had due to gambling at the Cleveland Jack casino and Erie Casino… I not going to go into details [sic] but I’m a my breaking point I’m really on some murder shit…FB you have 4 minutes to tell me why I shouldn be on death row!!!! I’m dead serious #teamdeathrow

After the shooting, Stephens fled the scene. Police found him days later in Pennsylvania. They tried to pull him over, but after a brief pursuit, Stephens shot and killed himself.

The lawsuit alleges that Facebook knowingly failed to report Stephens’ commission of a felony to law enforcement authorities and, because of that, Godwin was killed “within a reasonable vicinity of Mr. Stephens’ location at the time the Facebook defendants learned of his intention to commit murder.”

Other allegations from the lawsuit included that Facebook knew that Stephens had previously made violent threats; that it knew the killer owned firearms and had a violent predisposition; that he wasn’t willing to wait any longer for a response from Facebook before carrying out his threats; that Facebook did nothing, in spite of Stephens’ reiteration that he was going to commit random killings on the public, along with who he was and where he was located; that he had subsequently murdered Godwin on a public street, “just minutes from the location where he previously advised the Facebook Defendants of his criminal intentions”; and that still Facebook took no action, failing to alert the police, in spite of having “more than sufficient time to act and prevent Robert Godwin, Sr.’s death.”

This is not about free speech or posting violent content, the Godwins stressed in their suit. It’s about data mining that could have saved the life of Robert Godwin Sr. had Facebook used it for that instead of just for maximizing advertising revenue.

Besides Facebook, the suit also named ad-tracking company Atlas Solutions and social analytics firm CrowdTangle, the latter of which “collects information about Facebook users for the specific purpose of helping publishers and media companies surface stories that matter, measure their social performance and identify influencers.”

Within days of Godwin’s murder, Zuckerberg gave his condolences to the Godwin family and said that Facebook has “a lot more to do” to avoid such tragedies. In a blog post, Vice President of Global Operations Justin Osofsky said at the time that Facebook “prioritize[s] reports with serious safety implications for our community, and are working on making that review process go even faster.”

The lawsuit seeks an amount in excess of $25,000 for compensatory damages; punitive damages; the costs, expenses and attorney’s fees incurred by the plaintiff; and “any further relief” the court deems appropriate.

Facebook associate general counsel Natalie Naugle told The Guardian that the company has policies that prohibit direct threats of harm and that it gives users tools to “report content that violates our policies, and take swift action to remove violating content when it’s reported to us”.

We sympathize with the victim’s family, who suffered such a tragic and senseless loss.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/oeEmIxvGDKU/

All your base are belong to us: Strava exercise app maps military sites, reveals where spies jog

In November, exercise-tracking app Strava published a “heatmap” of user activity which it cheerily boasted comprised a billion activities, three trillion lat-long points, 13 trillion rasterized pixels and 10 TB of input data.

It took a while, but late last week someone wondered “how many Strava users are members of the military or national security groups, and are uploading their activity?” The answer is “plenty – and they’ve revealed where they work, where they live, when they were sent to a new outpost and where to ambush them when they least expect it.”

Ever since Nathan Ruser, an international security student at the Australian National University, observed that Strava’s data included the exercise routes of military and natsec personnel, locating military installations in Strava’s data has become a social media sensation.

For example, in Australia, it’s now possible to see where people exercise at the secretive deep desert Pine Gap sigint station:

Observers have also noted that Strava hasn’t revealed much more than was already already visible on Google Earth. For example, here’s Pine Gap again, this time from Google:

Pine Gap on Google Maps

Google’s got a much clearer image of Pine Gap

Strava’s explanation of how it made the Heatmap says it excluded data that users asked to be kept private. The service allows users to create multiple “privacy zones” with a radius of up to 1km. When users enter such zones, their digital tracks disappear in order to make it harder to figure out where they live or work.

Data revealing the location of sensitive facilities, or the habits of military personnel, would therefore have been excluded if users had employed Strava’s privacy settings.

However, as Ruser later tweeted, the location of bases isn’t the only concern: the ability to establish “pattern of life” information also makes the Heatmap a serious source of risk – mainly because people weren’t keeping their information private.

The Daily Beast’s Adam Rawnsley noticed the app can even reveal troop movements, if new Strava users pop up in an area around a military base:

It is also, by the way, possible to extract people’s names, profile pictures, and heart rates from Strava’s backend:

Beyond the military frenzy, however, El Reg agrees with observations that the heat map is sufficiently detailed to pose a risk to individuals. Infosec bod Brian Haugli noticed that the heatmap reaches all the way to your door:

Even if individuals had set up the area around their homes as privacy zones, which Haugli noted is not the default, the dataset still contains a level of personally identifying information that shouldn’t have been published by Strava, according to European privacy researcher Lukasz Olejnik.

Olejnik said at the least, someone should have conducted a privacy impact statement before pressing “publish” on the dataset.

He told The Register in an email: “This highlights the challenges of location data anonymisation, and how mass datasets reveal unexpected patterns. Organisations should carefully consider consequences on multiple levels prior to publishing private data.

“That said, making a privacy impact assessment of this kind of a project would be quite an adventure.”

Olejnik also tweeted that Europe’s General Data Protection Regulation (GDPR) considers location to be sensitive information, meaning publication should be handled with care. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/29/strava_heatmap_military_base_locations/

Who can save us? It’s 2018 and some email is still sent as cleartext

The Internet Engineering Task Force (IETF) has emitted another small advance in its program to protect as much of the Internet as it can, with a request that email systems finish encrypting all their connections.

In RFC 8314, Windrock’s Keith Moore and Oracle’s Chris Newman explain that some interactions between email clients and servers still aren’t encrypted.

Implementations of protocols like IMAP, POP, and SMTP have supported TLS for years, but often not “in a way that maximises end-user confidentiality”, an RFC penned by the pair said.

For example, there’s the enduring but imperfect STARTTLS: it eventually sets up an encrypted channel for passing messages, but only after it uses cleartext communications so the client and server can negotiate capabilities and configuration.

The RFC recommends this be deprecated. Instead, TLS should be negotiated immediately when a connection is initiated, on a separate port, for all protocols between the client and the message transfer agent (MTA). This is referred to as “implicit TLS” in the RFC.

That would apply to IMAP over port 993, POP (port 995), and SMTP Submission (port 465).

Those writing client software (Outlook, Mac Mail, Thunderbird and so on) need to deprecate other connection methods, the RFC says.

Likewise, mail service providers are told to wind up old insecure protocols: “MUAs and Mail Service Providers (MSPs) (a) discourage the use of cleartext protocols for mail access and mail submission and (b) deprecate the use of cleartext protocols for these purposes as soon as practicable”, the RFC says.

“Servers provided by MSPs other than POP, IMAP, and/or Message Submission SHOULD support TLS access and MUST support TLS access for those servers that support authentication via username and password”, it continues.

Port 25 remains in use in too many places, and the authors want that to end: MSPs should transition users at least to STARTTLS (or better, Implicit TLS) as soon as possible.

And, of course, systems and services need to deprecate old encryption and implement at least TLS 1.1 or later. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/01/ietf_attacks_cleartext_email/

What are “WannaMine” attacks, and how do I avoid them?

There’s a hot security news topic right now that combines the ETERNALBLUE exploit and cryptomining.

ETERNALBLUE is infamous for having been used in the WannaCry worm, so the combination of this method of breaking in, followed by a cryptomining payload, has been dubbed WannaMine.

WannaMine attacks aren’t new, but our Support team has recently had a surge in the number of enquiries from people asking for advice about the issue.

Support therefore asked us if we’d make a Facebook Live video about it…and here it is.

(We’ve also included a Questions and Answers section below, based on the video.)



QUESTIONS AND ANSWERS FROM THE VIDEO

Q. Is WannaMine like WannaCry? Is it ransomware that scrambles my disk?

A. The name “WannaMine” is a portmanteau word that refers to a malware family that uses the network spreading capabilities of WannaCry to deliver cryptomining malware rather than ransomware.

Q. What is cryptomining malware? Is it as dangerous as ransomware?

A. Cryptomining is when crooks secretly get your computer to do the calculations needed to generate cryptocurrency, such as Bitcoin, Monero or Ethereum; the crooks keep any cryptocoin proceeds for themselves.

To make money with cryptomining, you need a lot of electricity to deliver a lot of processing power on a lot of computers.

By illegally installing cryptominers inside your network, the crooks therefore steal your resources to do their work.

Q. Can cryptomining damage my computer?

A. We’ve seen stories of mobile phone batteries bulging due to overheating when the device was deliberately forced to do mining calculations for hours on end.

However, WannaMine doesn’t run on mobile phones – it attacks Windows computers.

Nevertheless, even if no permanent damage is done, you’ll probably find your laptop batteries draining much faster than usual, your fans running flat out, and your laptop being noticeably hotter than usual.

Also, if malware like WannaMine can penetrate your network, you are at serious risk of other malware at the same time, including ransomware.

We frequently see evidence of cryptomining left behind on computers that were zapped by ransomware, so don’t ignore WannaMine infections if they show up.

Q. If I don’t own any cryptocoins and I’m not part of the cryptocurrency scene, am I still at risk?

A. Yes.

WannaMine malware attacks aren’t trying to locate your digital cryptocurrency stash and steal it.

They want free use of your computer for cryptomining calculations of their own, whether you’re interested in cryptocurrency or not.

Q. Can security software prevent WannaMine attacks?

A. Yes.

Exploit prevention software (e.g. Sophos Intercept X) can block the ETERNALBLUE attack to prevent malware like this from entering your network in the first place.

Anti-virus and host intrusion prevention software (e.g. Sophos Endpoint Protection) can stop the malicious processes that allow the WannaMine attack to proceed, even if the exploit triggers at the start.

Network security software (e.g. Sophos XG Firewall) can block the network activity required for malware like WannaMine to work.

Q. What else can I do?

A. Patch promptly, and pick proper passwords.

WannaMine malware typically includes the same ETERNALBLUE exploit that was abused by WannaCry and allowed it to spread.

This exploit was patched last year in Microsoft update MS17-010, so a properly patched network wouldn’t be open to the exploit in the first place.

If the ETERNALBLUE hole is already closed, WannaMine can try to spread using password cracking tools to find weak passwords on your network.

It only takes one user with poor password hygiene to put your whole network at risk.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/sYVLcDnjZOc/

Windows Defender will strap pushy scareware to its ass-kicker machine

Microsoft will tighten the screws on scummy developers who use scare tactics to frighten people – particularly non-tech savvy folks – into paying for unnecessary software.

Think applications that offer to scan your Windows PC for free, and then – conveniently – claim your computer is under attack by viruses, or has serious defects, and that the only way to save your files is to fork out fifty bucks for a magic cleanup tool.

That kind of crap – the junkware you strip from relatives and friends’ desktops at the weekends – is soon going to be nuked on sight by Windows Defender.

An update this week on the website of Microsoft’s antivirus package states that Redmond will soon consider the aforementioned “coercive messaging” as grounds for automatically removing software as “unwanted programs.”

“Programs must not display alarming or coercive messages or misleading content to pressure you into paying for additional services or performing superfluous actions,” Microsoft explained.

This crackdown will hit apps that trick people into “performing other actions such as taking a survey, downloading a file, signing up for a newsletter, etc” in order to remedy bogus problems with their computers.

In short, vendors that use scare tactics to get you to install, pay for, and use their system utilities will now have to be very careful about how they advertise, lest Microsoft deem their products unwanted software and flag the applications for removal.

In particular, Microsoft says, the rules will be aimed at killing off the dubious claims made by filesystem and Registry “cleaner” apps that try to charge users for performing routine or unnecessary tasks.

“This update comes in addition to our other long-standing customer protection requirements designed to keep our customers from being deceived by programs that display misleading, exaggerated, or threatening messages about a system’s health,” explained Barak Shein of the Windows Defender Security Research team on Tuesday.

“This requirement aims to protect customers from programs that present aggregate ‘error’ results with no specific details, without providing customers with the ability to assess and validate the so-called errors.”

Microsoft said the new rules will go into effect on March 1, meaning the developers of any application in violation of the rules will have one month to clean up their act, or see their software deleted from desktops by the built-in Windows Defender antivirus and other Microsoft security products. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/31/microsoft_windows_defender_scareware/