STE WILLIAMS

I want NSA chief’s head on a plate for Merkelgate, storms Senator McCain


John McCain, the US senator who lost to Barack Obama in the 2008 presidential elections, wants General Keith Alexander, head of the NSA and US Cyber Command, to resign over revelations that US spies bugged the telephone of Germany’s head of state Angela Merkel.

In a strongly worded interview with Der Spiegel McCain blamed “the head of the NSA, the president of the United States, the Congressional Intelligence Committees, all of these contractors we pay that were responsible for performing the background checks. They should resign or be fired.”


Gen Alexander is due to retire in the spring.

McCain admitted there had always been a certain amount of eavesdropping on friends, but the Merkel spying should not have happened. He said he thought the NSA had bugged the German chancellor’s phone for at least a decade because it could, and in the wake of the September 11 attacks in 2001 the agency had determined that all potential sources of information should be tapped.

What was needed, he said, was an independent commission to look at the state of play and define new operating parameters for the agency. He also called on Obama to apologize properly to Merkel, rather than merely commenting that the US “is not monitoring and will not monitor” her phone calls.

The NSA is supposed to be overseen by Congress and the judiciary, but McCain said there had “not been sufficient congressional oversight” of the intelligence agency, and questioned whether too many people in the organization had access to too much classified information, citing the cases of whistleblowers Chelsea Manning and Edward Snowden.

In the case of Snowden, McCain opined that the fugitive leaker would most likely never return to the US, but if he did he should be prosecuted for breaking his oath to not release information that would harm the US. That said, he expects Snowden to stay under the protection of Russia’s President Putin.

“President Vladimir Putin will grant him asylum indefinitely. The Russians know if they send him back that that’s a lesson to other people who might defect,” said McCain.

“I’m sure that Mr Snowden has told them everything that he possibly knows. If you believe that Mr Snowden didn’t give the Russians information that he has, then you believe that pigs can fly.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/11/nsa_boss_should_resign_over_merkelgate_senator_mccain/

Trend Micro’s Latest Threat Report Highlights Concerns For Q4 And Holiday Shopping Season

DALLAS, Nov. 11, 2013 /PRNewswire/ — As the holiday season approaches, Trend Micro’s (TYO: 4704; TSE: 4704) Q3 2013 Security Roundup Report is raising concern about the ongoing proliferation of Apple iOS phishing sites, as well as a sizable uptick in online banking malware. These findings suggest consumers should be alert and cautious during the holiday shopping season to protect personal and financial data from being compromised.

“As consumers gravitate to the convenience of online banking, criminals are developing tools at an exceedingly rapid pace to exploit a general lack of awareness,” said JD Sherry, vice president of technology and solutions, Trend Micro. “In addition, Apple has been traditionally perceived as a safe-haven against threats, but our findings reveal that personal information can be jeopardized as phishing scams that target the platform continue to gain momentum. This evidence suggests a potential perfect storm looming in the holiday season as busy commercial and consumer users leverage mobile platforms.”

After a spike in Q2 (5,800 in May), Apple-related phishing sites have remained steady throughout Q3, with 4,100 detected in June, 1,900 in August and 2,500 in September. This raises concern of potential new targets in Q4, with analysts estimating Apple to sell 31 million iPhones and 15 million iPads in the fourth quarter alone.

Trend Micro researchers also identified more than 200,000 malware infections targeting online banking in Q3. Three countries stood out as the most targeted, with the U.S. accounting for almost one-quarter (23 percent) of online banking malware infections worldwide, followed by Brazil with 16 percent and Japan with 12 percent. Europe’s top countries, Germany and France, had only three percent each, which may stem from the region’s high degree of multi-factor authentication requirements for online banking transactions. Along with these increases, the level of sophisticated obfuscation techniques used by threat actors has also risen: within the online banking Trojan called KINS, we found anti-debugging and anti-analysis routines.

For the complete report, please visit:

http://about-threats.trendmicro.com/us/security-roundup/2013/3Q/the-invisible-web-unmasked/.

A detailed blog post can be reviewed at:

http://blog.trendmicro.com/trendlabs-security-intelligence/3q-security-roundup-the-invisible-web-1-million-mobile-malware-highlight-quarter.

About Trend Micro

Trend Micro Incorporated, a global leader in security software, rated number one in server security (IDC, 2013), strives to make the world safe for exchanging digital information. Built on 25 years of experience, our solutions for consumers, businesses and governments provide layered data security to protect information on mobile devices, endpoints, gateways, servers and the cloud. Trend Micro enables the smart protection of information, with innovative security technology that is simple to deploy and manage, and fits an evolving ecosystem.

All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro™ Smart Protection Network™ infrastructure, and are supported by over 1,200 threat experts around the globe. For more information, visit TrendMicro.com.

Article source: http://www.darkreading.com/vulnerability/trend-micros-latest-threat-report-highli/240163763

Trustwave Acquires Application Security Inc.

CHICAGO – November 11, 2013 – Trustwave today announced the acquisition of data security provider Application Security, Inc. The company’s automated database security scanning technologies strengthen Trustwave’s ability to help organizations protect high-value data, reduce security risks and achieve compliance with mandates and regulations.

Application Security, Inc. pioneered the research and development of security software for relational databases and big data stores–helping businesses and government agencies uncover critical configuration mistakes, access control issues, missing patches, or any toxic combination of settings that could lead to denial-of-service attacks, unauthorized data modification and data breaches.

Trustwave will continue to develop, support and offer both Application Security, Inc. products, DbProtect and AppDetectivePRO, and will integrate and use those products throughout the Trustwave portfolio of information security, compliance management and threat intelligence offerings. The acquisition gives Trustwave the ability to:

Secure data in more places–Application Security, Inc. deepens Trustwave’s data and advanced threat protection capabilities, augmenting Trustwave’s existing managed security services and extending protection of data and management of threats across endpoints, networks, applications and databases.

Improve compliance management–Application Security, Inc. enriches Trustwave compliance auditing and management services by streamlining and automating the process of testing and monitoring databases so that businesses can improve the way they address the requirements of regulations and mandates including PCI DSS, HIPAA and SOX.

Mitigate more data-centric vulnerabilities–Application Security, Inc. enhances Trustwave’s penetration testing and vulnerability management services, with additional database scanning and testing capabilities that offer customers more comprehensive vulnerability scanning, logging and monitoring across their networks, applications and databases.

“Attacks from cybercriminals, malicious insiders and other threats have increased the spotlight on the security of high-value data and the importance of protecting it no matter where it lives or where it’s going,” said Trustwave Chairman and Chief Executive Officer Robert J. McCullen. “Disparate products and manual tools and processes just can’t keep up with the pace of today’s threats. By joining forces with Application Security, Trustwave can help customers strengthen security across their environment–from the network, applications, Web, and down to the data itself–so they can more effectively fight cybercrime, protect data and reduce security risks.”

Founded in 2002, Application Security, Inc. was, until the completion of the acquisition, a privately-held company headquartered in New York. The acquisition has closed, and financial terms were not disclosed.

About Trustwave

Trustwave is a leading provider of compliance, Web, application, network and data security solutions delivered through the cloud, managed security services, software and appliances. For organizations faced with today’s challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its TrustKeeper portal and other proprietary security solutions. With more than two million businesses enrolled in TrustKeeper, Trustwave has helped organizations, ranging from Fortune 500 businesses and large financial institutions to small and medium-sized businesses, manage compliance and secure their network infrastructures, data communications and critical information assets. Trustwave is headquartered in Chicago with offices worldwide. For more information, visit https://www.trustwave.com.

Article source: http://www.darkreading.com/applications/trustwave-acquires-application-security/240163791

Data Center Servers Exposed

You definitely don’t want to show up on one of HD Moore’s Internet scans. But some 35,000 — and counting — servers have been found exposed on the Internet by the renowned researcher and his team in their ongoing global scanning project aimed at detecting networked devices in danger of attack. In the latest twist, popular server firmware exposed on the Net also contains multiple zero-day bugs that leave corporate servers open to outside attackers.

Rapid7 late last week disclosed several previously unknown security bugs in Supermicro’s Intelligent Platform Management Interface (IPMI) protocol implementation in its Baseboard Management Controller (BMC) firmware that, in effect, give attackers near-physical access to the affected servers. BMC firmware and its corresponding IPMI interface are basically remote management tools for the servers. The flaws were found in firmware version SMT_X9_226 of Supermicro’s product, and Supermicro recently updated the firmware with version SMT_X9_315, which Rapid7 found only addresses some of the zero-days as well as some other flaws.

Among the flaws Rapid7 found were static encryption keys, hard-coded credentials, and buffer overflows. Moore, who is chief research officer for Rapid7 and creator of Metasploit, says his team has not been able to confirm that Supermicro’s firmware update fixes the static encryption key and hard-coded credentials issue.

Supermicro had not yet responded to a press inquiry as of this posting.

Moore had previously revealed major holes in embedded devices, home routers, corporate videoconferencing systems, and other equipment on the public Internet that is open to abuse by bad guys. He and fellow researcher Dan Farmer in July announced they had discovered around 300,000 servers online at serious risk of hacker takeover via bugs in IPMI and BMC. An attacker could steal data from attached storage devices, tinker with operating system settings, install a backdoor, sniff credentials sent via the server, wipe the hard drives, or launch a denial-of-service attack on the servers, according to the researchers.


The Supermicro bugs are the latest example of how data centers can also be unknowingly exposed on the public Net. And the rub: Even if Supermicro fixes all of the bugs, that doesn’t mean its customers will apply the patches.

“The problem is that nobody updates them, so it doesn’t matter if the vendor patches it or not. The most we can do is awareness,” says Tod Beardsley, Metasploit engineering manager for Rapid7. Metasploit now offers scanning modules for its framework that organizations can use to determine whether their servers are at risk, he says.

“Exploiting [these bugs] is going to give you control over the BMC, which is then a short walk to the server itself,” he says. “You can enable a KVM and have a remote mouse as if you are standing in the data center … then you can steal all the data.”

Robert Graham, CEO of Errata, which has been conducting Internet scan research of its own, says Moore’s IPMI research is the most critical to enterprises because it shows how corporate servers and data centers are exposed.

Even though many of the flaws that are found in Moore’s, Errata Security’s, and others’ scans go ignored by many users and vendors, it’s still necessary because the bad guys are doing the very same scans, Graham contends. “IPMI is dangerous, and that has been known for a long time [by hackers],” he says.

Exposing the vulnerable devices ultimately pressures vendors to do something to improve security, he says. Graham says “making a stink” about these problems prevents vendors from holding their users hostage. “When they say [to researchers], ‘Please don’t disclose this vulnerability because it affects my users’ … it means, ‘I’m holding my users hostage,’” Graham says.

So what can enterprises do to protect their servers from getting hacked via IPMI or BMC bugs?

Johannes Ullrich, head of SANS Storm Center, says protecting the IPMI interface is a tricky balance. “There is little one can do to protect an IPMI interface if the interface is needed to remotely administer the system, in particular, given the backdoor fixed passwords. The best you can do is limit access to the IPMI interface via a firewall, and maybe by changing default ports if this is an option,” Ullrich said in a SANS ISC diary post. “Once exposed, an attacker will have the same access to the system as a user with physical system access. Remember that turning off a system may leave IPMI enabled unless you disconnect power or network connectivity.”

Running the IPMI traffic over a separate management network or VLAN is also an option, Errata’s Graham says.

“No matter how many updates you get, assume you’ve still got a problem. [IPMI] should always be managed [as if in a] hostile [environment],” he says.

Beardsley says security pros should talk with their IT and network staff who run their data centers. “Ask them nicely to make sure this stuff is not exposed on the WAN,” he says.
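The advice above comes down to two checks a defender can automate: is anything outside the management network actually reaching a BMC’s IPMI or web/KVM ports, and does the firewall in front of the BMC allow only the management ranges? The script below is an added example written for this page, not code from Rapid7, SANS ISC or Dark Reading; the firewall-log format, the addresses, the BMC inventory and the management ranges are all constructed, and the TCP ports attributed to the BMC web UI and KVM are assumptions.

```python
"""Spot IPMI/BMC management traffic reaching a BMC from outside the management
network, and emit allowlist firewall rules for it.  Added example, not code from
Rapid7, SANS ISC or Dark Reading; the log format, addresses, BMC list and
management ranges below are constructed."""
import ipaddress
import re

# IPMI-over-LAN (RMCP/RMCP+) listens on UDP 623; the BMC's own web UI and
# KVM-over-IP are assumed here to sit on TCP 80/443 and a VNC-style port 5900.
IPMI_UDP_PORTS = {623}
BMC_TCP_PORTS = {80, 443, 5900}

# Constructed firewall-log shape:
#   <timestamp> ACCEPT|DROP proto=<udp|tcp> src=<ip>:<port> dst=<ip>:<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+proto=(?P<proto>udp|tcp)\s+"
    r"src=(?P<src>[0-9.]+):(?P<sport>\d+)\s+dst=(?P<dst>[0-9.]+):(?P<dport>\d+)$"
)

SAMPLE_LOG = """\
2013-11-11T10:00:01 ACCEPT proto=udp src=10.10.0.5:50000 dst=10.10.0.200:623
2013-11-11T10:00:02 ACCEPT proto=udp src=203.0.113.77:41000 dst=10.10.0.200:623
2013-11-11T10:00:03 DROP proto=udp src=198.51.100.9:41001 dst=10.10.0.200:623
2013-11-11T10:00:04 ACCEPT proto=tcp src=203.0.113.77:41002 dst=10.10.0.200:443
2013-11-11T10:00:05 ACCEPT proto=tcp src=203.0.113.77:41003 dst=10.10.0.50:443
2013-11-11T10:00:06 malformed line that the parser must skip
"""
BMC_ADDRS = ["10.10.0.200"]      # constructed BMC inventory
MGMT_CIDRS = ["10.10.0.0/24"]    # constructed management network


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_bmc_service(proto, port):
    """True when the protocol/port pair is one of the BMC management services."""
    return (proto == "udp" and port in IPMI_UDP_PORTS) or \
           (proto == "tcp" and port in BMC_TCP_PORTS)


def find_exposed_ipmi(lines, bmc_addrs, mgmt_cidrs):
    """Return (ts, src, dst, proto, dport) for every accepted flow to a BMC
    management service whose source lies outside the management ranges."""
    bmcs = {ipaddress.ip_address(a) for a in bmc_addrs}
    mgmt = [ipaddress.ip_network(c) for c in mgmt_cidrs]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue  # unparseable lines and blocked flows are not exposure
        if ipaddress.ip_address(rec["dst"]) not in bmcs:
            continue
        if not is_bmc_service(rec["proto"], rec["dport"]):
            continue
        src = ipaddress.ip_address(rec["src"])
        if not any(src in net for net in mgmt):
            findings.append((rec["ts"], rec["src"], rec["dst"], rec["proto"], rec["dport"]))
    return findings


def suggest_rules(bmc_addr, mgmt_cidrs):
    """Illustrative iptables FORWARD rules for a firewall in front of the BMC:
    allow the management ranges to the BMC's services, then drop everything
    else addressed to the BMC."""
    rules = []
    for cidr in mgmt_cidrs:
        for port in sorted(IPMI_UDP_PORTS):
            rules.append(f"iptables -A FORWARD -p udp -s {cidr} -d {bmc_addr} --dport {port} -j ACCEPT")
        for port in sorted(BMC_TCP_PORTS):
            rules.append(f"iptables -A FORWARD -p tcp -s {cidr} -d {bmc_addr} --dport {port} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -d {bmc_addr} -j DROP")
    return rules


if __name__ == "__main__":
    for hit in find_exposed_ipmi(SAMPLE_LOG.splitlines(), BMC_ADDRS, MGMT_CIDRS):
        print("EXPOSED:", *hit)
    print("\n".join(suggest_rules(BMC_ADDRS[0], MGMT_CIDRS)))
```

Run against the constructed log, the script reports the two accepted flows from 203.0.113.77 (UDP 623 and TCP 443) and ignores the dropped probe, the non-BMC destination and the malformed line. The generated rules only make sense on a firewall that actually sits between the BMC and everything else; as Ullrich notes, the BMC keeps answering while the host is powered off, so the filtering has to live on the network rather than on the server.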

Rapid7’s full report on the Supermicro bugs is here.


Article source: http://www.darkreading.com/vulnerability/data-center-servers-exposed/240163802

Tech Insight: Viral Arms Race Brings New, Better Evasion

Sophisticated threats and APT have become such a focal point of the security industry that we hardly hear about the most common threat facing enterprises — malware in the form of viruses, botnets, and worms. If you listen to the marketing coming from security vendors, you might get the impression that these are issues of the past because everyone is scared of targeted attacks. No one but antivirus vendors is talking about how, every day, thousands of new infections occur across corporate desktops.

The truth is that talking about defending against everyday, run-of-the-mill malware isn’t sexy and doesn’t sell products. Sticking your head in the sand only exacerbates the problem, however, because these threats are not going away and the malware authors are getting better. The authors keep making malware stealthier and finding new ways to profit on old attacks while we’re doing our best at defending our networks, yet being told by antivirus vendors that they’ve got it covered.

Cryptolocker has been the most recent eye-opener that non-targeted malware is still a real problem for many companies. These same companies, which thought they had their corporate data protected by keeping their antivirus products up-to-date, are getting hosed by a single user opening the wrong e-mail attachment. In the case of Cryptolocker, office documents and other file types on the local hard drive and connected network shares are encrypted using public key cryptography. Unless the ransom is paid using Bitcoin or Money, only the malware author can decrypt the files.

The use of public key crypto is only one of the interesting advances in recent iterations of malware like Zeus, Andromeda, Vertexnet, and Cidox. Unlike Robert Tappan Morris, who created the Morris Worm 25 years ago, today’s malware authors aren’t running a failed informal research project. Instead, they are out to make money, and to do that they must write resilient, stealthy software. Most of the newly observed techniques are focused on more effective persistence mechanisms, on evading analysis by security researchers, and on evading detection by malware sandboxes like Anubis and Cuckoo.

The more basic features are simply clever tricks to help malicious PDFs evade detection so they’re more likely to end up in a user’s inbox, where the user will open them and infect their computer. HTTP Host header spoofing has helped malicious traffic look legitimate when the HTTP requests are actually part of the Cidox command and control framework.
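Host header spoofing works because most egress controls look at the hostname in the request rather than the address the request actually goes to. The defender’s check is the reverse comparison: does the destination IP belong to the name in the Host header? The script below is an added example written for this page, not code from Dark Reading, McAfee or any vendor; the proxy-log format, hostnames, addresses and the stand-in resolver table are constructed.

```python
"""Flag HTTP requests whose Host header does not belong to the server the
request was actually sent to, the mismatch that Host-header spoofing by
command-and-control traffic leaves behind.  Added example, not code from
Dark Reading or any vendor; the proxy-log format, hostnames, addresses and
the resolver table are constructed."""
import ipaddress
import re

# Constructed proxy-log shape:
#   <timestamp> <client_ip> -> <dst_ip>:<dst_port> Host=<host> <METHOD> <path>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>[0-9.]+)\s+->\s+(?P<dst>[0-9.]+):(?P<port>\d+)\s+"
    r"Host=(?P<host>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)$"
)

# Constructed stand-in for forward DNS.  A real deployment would query the
# resolver the clients themselves use and cache answers for their TTL.
RESOLVER = {
    "www.example.com": {"93.184.216.34"},
    "cdn.example.net": {"198.51.100.10", "198.51.100.11"},
}

SAMPLE_LOG = """\
2013-11-11T09:00:00 10.0.0.12 -> 93.184.216.34:80 Host=www.example.com GET /index.html
2013-11-11T09:00:01 10.0.0.12 -> 198.51.100.11:80 Host=cdn.example.net GET /lib.js
2013-11-11T09:00:02 10.0.0.31 -> 203.0.113.66:80 Host=www.example.com POST /gate.php
2013-11-11T09:00:03 10.0.0.31 -> 203.0.113.66:80 Host=203.0.113.66 GET /
2013-11-11T09:00:04 10.0.0.44 -> 203.0.113.9:80 Host=updates.example.org GET /check
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def normalise_host(host):
    """Lower-case the Host value and drop an optional :port (names and IPv4 only)."""
    return host.lower().rsplit(":", 1)[0]


def host_matches_destination(host, dst_ip, resolver=RESOLVER):
    """Return 'ok', 'mismatch' or 'unresolved' for one request."""
    bare = normalise_host(host)
    try:
        literal = ipaddress.ip_address(bare)
    except ValueError:
        literal = None
    if literal is not None:
        # A literal IP in Host is acceptable only if it is the destination itself.
        return "ok" if literal == ipaddress.ip_address(dst_ip) else "mismatch"
    addrs = resolver.get(bare)
    if addrs is None:
        return "unresolved"   # worth a look, but not proof of spoofing
    return "ok" if dst_ip in addrs else "mismatch"


def find_host_mismatches(lines, resolver=RESOLVER):
    """Return (ts, client, dst, host, verdict) for every request that is not 'ok'."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = host_matches_destination(rec["host"], rec["dst"], resolver)
        if verdict != "ok":
            findings.append((rec["ts"], rec["client"], rec["dst"], rec["host"], verdict))
    return findings


if __name__ == "__main__":
    for hit in find_host_mismatches(SAMPLE_LOG.splitlines()):
        print(*hit)
```

On the constructed log the POST to 203.0.113.66 carrying a Host of www.example.com is reported as a mismatch, the request to an unknown name is reported as unresolved, and the two legitimate requests pass. Treat mismatches as alerts to review rather than as a blocking rule: names behind CDNs or round-robin DNS legitimately resolve to many addresses, which is why the resolver table holds sets of addresses, and a stale cache will produce false positives of its own.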

But the advances don’t stop there. McAfee has identified several different pieces of malware that have added new polymorphic capabilities that do more than just modify their binaries a few times a day or each time they’re run. The changes include modification of known data and executable procedures, such as the opcodes for the prologue and epilogue sequences, to evade signature-based detection.

According to a recent report from malware analysis appliance vendor FireEye, more malware samples are including abilities to defeat the file-based sandboxes used to analyze and detect malware. In addition to the typical virtual-machine detection, where malware changes its behavior when it finds itself running in a virtual machine, new variants are monitoring for human interaction before executing their full malicious payload. Two methods outlined in the FireEye paper include watching for user clicks and displaying dialog boxes that require a user to click. Once the malware is satisfied that a normal user is executing it, it proceeds to carry out its true purpose.

As we’ve seen with the average malware infection, protection measures shouldn’t stop at just keeping antivirus up-to-date and ensuring backups are working. Defensive capabilities must be layered so that even if one system gets compromised, it does not impact every other system. Going back to traditional security tenets like implementing network segmentation and the principle of least privilege can have a significant impact in limiting the damage that an infected machine can do.

The Twenty Critical Security Controls for Effective Cyber Defense published by the SANS Institute is an excellent framework for building the necessary defenses to protect against malware attacks. In addition to malware protections and data recovery capabilities, the Twenty Critical Controls promotes controlled use of administrative privileges, boundary defense, secure network design, secure endpoint configuration, and much more.

One area not covered in detail by the Twenty Critical Controls, but certainly appropriate when discussing the method of propagation for many of today’s malware attacks, is user awareness. It is a touchy subject because many security pundits state that any attempt to educate and train users on security is a lost cause. They say the money is best spent elsewhere, but how can that be when desktops and laptops are getting infected even when antivirus, Internet security gateways, and other controls are in place?

User awareness efforts don’t need to be expensive and time consuming in order to be effective. One of the most useful methods is to reinforce common-sense computer use, such as not opening attachments from people you weren’t expecting to receive attachments from. The more believable phishing messages sent by the Cutwail botnet, for instance, look like legitimate flight and hotel notifications yet contain a malicious attachment.


Article source: http://www.darkreading.com/vulnerability/tech-insight-viral-arms-race-brings-new/240163803

Facebook post of photo showing hand on breast gets school coach fired

A US school basketball coach who posted a photo onto Facebook that showed her fiancé’s hand on her breast has been fired, but her varsity football coach fiancé was let off the hook with only a reprimand.

According to The Independent, the photo was taken during a summer vacation.

The image shows the former coach, Laraine Cook, in a bikini in front of a lake with her fiancé, Tom Harrison.


Mr. Harrison is an American varsity football coach at the same school, Pocatello High School, in Idaho School District 25.

He kept his job, receiving only a reprimand.

If you’re like me, the first thing that will have popped into your head was that there must be an arcane law regarding punishment accruing to the person whose body part is held in Facebook photos, vs. the person doing the holding (i.e. holder is exempt, whereas holdee is fired).

Therefore, those who seek retribution need only go hold somebody’s something and then proceed to circulate a photo of said holding.

But this is, in fact, neither accurate nor relevant. Apparently, neither are the 10 state championships Harrison won for the school since 1982, nor his induction into the Idaho High School Football Hall of Fame in 2000.

Rather, Cook said that officials told the couple she was getting fired because she was the one who posted the photo on Facebook.

Ms. Cook, for her part, told Local 8 News that she’d like to return to coaching and teaching and doesn’t feel that the photo was worth losing a job over:

I don’t feel that photo was something to have me terminated on. I don’t feel that it’s an immoral photo, and that’s what the termination is based on.

I would love to be able to coach those girls again. I love teaching. I love coaching. I love working with the kids.

I don’t do it because the money is great. I do it because I really enjoy it.

School district spokesperson Shelley Allen told news outlets that authorities are not moved by the fact that some parents, rather than being appalled by breasts, hands and/or photos of them together, have asked for the coach to be reinstated:

Parents expressed their concerns and asked the administration to reinstate Coach Cook.

After discussion between superintendent [Mary] Vagner, secondary director Bob Devine, human resources director Doug Howell and Pocatello High School administration, it was decided that the decision would remain.

According to the Idaho State Journal, Vagner has refused to comment on the case, citing personnel privacy.

She did, however, tell the journal to check out the Code of Ethics of the Idaho Teaching Profession.

Under that code’s section on “Commitment to the Profession,” there is a statement that teachers “shall not engage in conduct which is offensive to the ordinary dignity, decency, and morality of others.”

In fact, as the journal noted, the assistant general counsel for the National Education Association, Michael Simpson, has warned teachers about the dangers of social media.

He wrote:

Many teachers believe they have the absolute First Amendment right to post anything they want on social networking sites, including party pix and diatribes about the boss. After all, they’re on their own time and using their own resources. Sadly, the courts say otherwise. Thanks to Facebook and MySpace, what used to be private is now very public.

Simpson gives a slew of examples of teachers being punished for social media postings. As of 2010, he said, there had been only three court cases involving teachers who claimed that their First Amendment rights were violated by being punished because of their postings on social networking sites.

The results weren’t good, he wrote:

The teachers lost every case.

Until they acquire tenure, Simpson says, most beginning teachers can be fired for any reason at all, including no reason whatsoever, given that they’re not entitled to know why or to have a due process hearing.

The only things that nontenured teachers can’t be let go for is discrimination or in retaliation for free-speech activities.

What are free-speech activities? Simpson says the category is “fairly limited”, covering only speech when teachers speak out as citizens on “matters of public concern” and when their speech doesn’t disrupt the school.

Ms. Cook, I’m sorry you lost your job. I agree with your supporters: I thought the photo was pretty tame.

But your termination should stand as a lesson to all young people who enter the field of education, or even to kids who have a vague notion of perhaps going down that noble road at some point in the future: namely, anything we post online can come back to haunt us.

Said posts can easily wind up in front of the wrong eyes, and the chances for that happening are higher when teachers encourage students to look them up on social media.

Even if we think that our own postings aren’t objectionable, this story is proof that there will always be others out there who disagree – and sometimes, those people are our employers.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/bsN-HCL33oM/

Who is to blame for hacker-phobia?

If, like a good netizen, you keep a close eye on security issues like malware, cybercrime and hacking, you have most likely seen your news feeds awash with noise over the last few weeks, as the News International phone hacking saga reaches a headline-grabbing trial stage.

Of course, as far as hacking goes, there’s not much to see here; the so-called “phone hacking” involved required little more than googling the default PIN for various phone service providers, to get access to the voicemail of the rich and famous.

But what impact might this repeated use of the term “hacking” be having on our sense of privacy and security?

Real phone hacking

A phone hacking story from South Korea almost got lost in last week’s news flood, but in this case there seems to have been at least a little real technical naughtiness going on.

A man, named only as Choi, was sentenced in a Seoul high court to 18 months’ jail time for snooping on a woman’s phone, according to the Korea Times.

His initial sentence, imposed by the Seoul District Court, was for 10 months suspended for 2 years, but the higher court overruled this and insisted on actual jail time.

Choi was hired by the woman’s suspicious husband, who paid 900,000 Won (£520, $840) for his services.

He was apparently able to implant a “bugging program” on the woman’s phone by simply sending her a text message luring her to follow a booby-trapped link, although few details on the exact nature of the bugging are available.

Once the phone was compromised, Choi recorded 180 of the woman’s phone calls, and passed on transcripts to her husband.

In passing the 18-month sentence, the court ruling explained its decision as reflecting the damage the man’s actions may have caused to the sense of cyber security felt by the general public:

The court decided to sternly punish the defendant for creating privacy concerns among the public

The issue of public perception is important here, as in many cases security is only as good as people think it is.

Sense of insecurity

Your e-retail website may be running on the most secure platform, with elite ninja admins ensuring maximum safety and compliance with the strictest standards at all times, but none of that matters if the shopping public think it’s too risky to enter their card details. Without public trust, you’re just not going to get any business.

If the mass public starts to think all online transactions are too risky, or all smartphones are too likely to leak private information all over the place, they will stop using these things, with potentially serious effects for the workings of the world.

The good things about the web – suppressed political causes uniting on Twitter, scientific problems crunched by volunteer botnets of pooled processing power, unending streams of amusing cat videos – will be lost to us thanks to the erosion of trust in the internet and the machines that make it up.

Part of the perception problem is the use of the term “hacking”, a multi-purpose word denoting both general computer fiddling for the joy of it, and general computer intrusion with malicious or criminal overtones.

Thanks to the influence of Hollywood, the image conjured up by the word “hacker” in most minds, including it seems police and judges as well as the average Jolene in the street, is of an invincible, unstoppable and almost always evil genius who can do anything they want with our computers and information.

News of the hacking world

At the moment it seems as though two major news items, the NSA/Snowden leaks and the phone hacking scandal, have teamed up to hit the news-reading public with a double whammy of privacy worries.

From one side we’re being told that super-elite government geeks can break in anywhere and spy on anything, while from the other we hear that seedy private eyes hired by journalists can break into our phone lines and listen to whatever they want too.

While security experts will be able to read between the lines and figure out that no, the NSA hasn’t really got a backdoor into all forms of encryption and no, those journos couldn’t really listen to anything other than voicemails left on unprotected phones, the general public is being peppered with an ever more worrying view of the digital world.

The facts may be distorted and misrepresented, but the message is clear: you have no privacy, and not much security either.

Perhaps it’s an exaggeration to suggest that people will really stop using smartphones or online shopping sites, but every dent in the armour of trust makes using these things a little less of a pleasure and a little more like a risky chore.

Blame game

So who is to blame for the perceived state of cyber insecurity?

People like Mr Choi should clearly be punished for actions which jeopardise people’s sense of security and privacy. Exploiting vulnerabilities and implanting malware are criminal acts, and stealing our privacy can have just as much impact on our happiness as stealing our cash.

Some of the fault must also lie with the people building the systems and software we use, of course.

Default hard-wired passwords are always a bad idea, and there seems to be a major lack of awareness that these systems even exist, let alone the need to change passwords on them. If a smartphone can be compromised by simply following a URL in an SMS, then there’s clearly a security hole or two to be patched up there too.

There is also good reason to criticise the government agencies and private companies which seem to have insatiable appetites for our personal data, and often seem happy to use suspect means to acquire it.

But part of the blame must go to the media who spread unnecessary FUD about the dangers of technology and the wild wild web. This is something I’m sure I too have been guilty of in the past, despite efforts to remain skeptical and helpful.

Some of it must also, I’m afraid, rest on the shoulders of the mass public which is doing all this perceiving. If people are happy to see technology as a magical black box which they can have no understanding or control of, they cannot possibly expect to keep their privacy intact.

You yourself, of course, are a Naked Security reader and are thus making an effort to keep up with the world of cyber security, but the vast majority of people are blissfully ignorant of the workings of their phones and computers, and how they should be acting to keep their identity and information safe.

They are thus easily taken in by media hype and scary stories. And they need our help.

What can be done

Our cars are safer and more secure than they once were. This is in part thanks to improvements in technology such as airbags and crumple zones, but we have a significant influence too.

We wear our seat belts, we drive with due care and attention, we lock the doors when we park up. This is not something we learn just from playing around with a car, it is socially conditioned and almost instinctive.

With the internet we have no such instincts yet. Perhaps in a few generations’ time it will be natural to choose good passwords, to update and patch our software, and to avoid entering sensitive info on untrusted sites or insecure connections, but for now people have to make the effort to learn these habits.

So we should always try to find out all we can about the tools and systems we use, the risks they may pose and how to minimise the dangers. We should strive to learn, and once we have some understanding, we should spread it out to those around us.

Once the public perception of cyber security shifts from something outside our control that is stolen from us by hackers, Google or the NSA, to something that we should take responsibility for ourselves, something we should make efforts to control and protect, the world will feel, and indeed be, a safer place.


Image of hackers, magnifying glass and smartphone and username and password courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NI9PbpFWMPs/

Blighty’s banks prep for repeated kicks to cyber-‘nads in Operation Waking Shark II

Email delivery: Hate phishing emails? You’ll love DMARC

Financial firms and banks across London will be hit with a cyber war game scenario tomorrow to test how well they could hold up under a major IT attack.

Sources whispered to Reuters that the cyber stress test already known to be taking place sometime this month would actually hit the finance sector on 12 November.


“Waking Shark II” will hit companies with a series of announcements and scenarios to mimic how a massive cyber attack might play out on stock exchanges and social media. Regulators, government officials and other financial firms’ staff will coordinate the “attack” from a single room, the people familiar with the matter said.

Hundreds of bank workers will then fight the simulated attacks from their offices. Scenarios are likely to include how banks can ensure the availability of cash at ATMs, how they could deal with a liquidity squeeze in the wholesale market and how well they can communicate and coordinate with each other.

The exercise comes two years after the first Operation Waking Shark, which was run by the Financial Services Authority. News of the latest cyber war game first came last month, courtesy of the Daily Telegraph.

Professor David Stupples, head of the centre for cybersecurity sciences at City University, London, said the exercise ought to involve tests against physical security, whose importance was illustrated by recent attacks where cybercrooks placed hardware keyloggers on the systems of high street banks.

“There’s a great concentration on hackers disrupting access to computers but they aren’t testing physical security,” Professor Stupples told El Reg. “DDoS is old hat and never going to cause that much of a problem. By contrast, losing customer details through smart malware has an enormous damage potential.”

The tests are being devised and run by computer operations people, and greater imagination is needed to introduce scenarios such as the potential involvement of disenchanted employees, according to Professor Stupples.

“They are stress testing systems against known threats,” he said, adding that elements of the unpredictable ought to be included to properly test the robustness of banking systems against a greater range of attack scenarios.

Barry Shteiman, director of security strategy at datacentre security firm Imperva, was much more positive about the planned focus of the stress test exercise.

“I commend the Bank of England, the Treasury and Financial Conduct Authority for this great idea. In the past few years, we’ve seen some focused and proactive security programs in the UK.

“Notable are some of the contained DDoS mitigation campaigns that test bank readiness and business continuity planning exercises where employees work remotely and the data centre moves to DR (disaster recovery mode) to ensure that the business still functions under disaster conditions.

“Having a committee planning security controls, cyber attack response steps, and a high-level protection plan is an important initiative. This means that the different financial cyber security heads in the UK can join forces to strategically plan how to mitigate potential cyber threats,” he added. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/11/uk_cyber_stress_test/

GCHQ hijacked LinkedIn profiles to hack Belgian telecoms network – report


British spies intercepted LinkedIn profile pages and injected malware into them to ultimately infiltrate the networks of mobile operators and other telcos in Belgium.

That’s according to the latest round of documents leaked by master squealer Edward Snowden.


German weekly Der Spiegel reported that when some engineers working at Belgacom – which is partly state-owned – accessed LinkedIn, the UK’s eavesdropping nerve-centre GCHQ detected the web requests and served up malware-infected pages to its victims before the social-networking website could respond.

It’s claimed GCHQ was able to do this by attaching equipment to key components of the world’s internet backbone, granting the intelligence agency the ability to intercept and meddle with the net’s traffic.

Apparently, the compromised profiles looked no different to the legit web pages. It’s claimed Blighty spies had slipped a small software nasty into the spoofed pages using tech dubbed “Quantum Insert”. When the targets pulled up what they thought was their LinkedIn pages, the hidden malicious code attempted to exploit vulnerabilities in their systems, turning the machines into surveillance tools for GCHQ.
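The race described above leaves a fingerprint a network defender can look for. Because the attacker injects a forged reply but cannot stop the real server from answering, the client ends up receiving two TCP segments that cover the same sequence range with different bytes, whereas an ordinary retransmission repeats the same bytes. The detector below is an added example, not code from the Register article or from any GCHQ material, and it assumes the defender has a capture of the server-to-client half of the flow; the addresses, HTTP payloads and hostname in it are constructed.

```python
"""Flag man-on-the-side injection (Quantum Insert style) in captured TCP flows.

Heuristic: within one server->client flow, two segments whose sequence
ranges overlap must carry identical bytes in the overlap. A genuine
retransmission does; a forged reply racing the real one does not.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One server-to-client TCP segment carrying application data."""
    src: str        # "ip:port" of the sender (server side)
    dst: str        # "ip:port" of the receiver (client)
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def _overlap_differs(a: Segment, b: Segment) -> bool:
    """True if a and b cover a common byte range with different content."""
    start = max(a.seq, b.seq)
    end = min(a.seq + len(a.payload), b.seq + len(b.payload))
    if start >= end:
        return False  # no shared range: ordinary in-order data
    return (a.payload[start - a.seq:end - a.seq]
            != b.payload[start - b.seq:end - b.seq])


def detect_insert(segments):
    """Return one finding per flow whose overlapping segments disagree.

    A finding is (src, dst, seq, earlier_payload, later_payload).
    Exact retransmissions (same range, same bytes) are not reported.
    """
    history = {}      # (src, dst) -> segments seen so far in that flow
    flagged = set()   # flows already reported, to avoid duplicate alerts
    findings = []
    for seg in segments:
        flow = (seg.src, seg.dst)
        if flow not in flagged:
            for earlier in history.get(flow, []):
                if _overlap_differs(earlier, seg):
                    findings.append((seg.src, seg.dst,
                                     max(earlier.seq, seg.seq),
                                     earlier.payload, seg.payload))
                    flagged.add(flow)
                    break
        history.setdefault(flow, []).append(seg)
    return findings


# Constructed sample data (documentation-range addresses, invented pages).
SERVER = "203.0.113.10:80"
CLIENT = "198.51.100.7:51234"

GENUINE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
           b"<html>profile</html>")
FORGED = (b"HTTP/1.1 302 Found\r\n"
          b"Location: http://injector.example.invalid/x\r\n\r\n")

# The forged reply wins the race and arrives first; the real server's
# answer lands a moment later with the same sequence number.
INJECTED_FLOW = [
    Segment(SERVER, CLIENT, 1, FORGED),
    Segment(SERVER, CLIENT, 1, GENUINE),
    Segment(SERVER, CLIENT, 1 + len(GENUINE), b"<!-- rest of page -->"),
]

# Plain loss recovery: the same 20 bytes are sent twice, then the rest.
RETRANSMIT_FLOW = [
    Segment(SERVER, CLIENT, 1, GENUINE[:20]),
    Segment(SERVER, CLIENT, 1, GENUINE[:20]),
    Segment(SERVER, CLIENT, 21, GENUINE[20:]),
]

if __name__ == "__main__":
    for name, flow in (("injected", INJECTED_FLOW),
                       ("retransmit", RETRANSMIT_FLOW)):
        for src, dst, seq, first, second in detect_insert(flow):
            print(f"{name}: {src} -> {dst} seq={seq}\n"
                  f"  first : {first[:32]!r}\n  second: {second[:32]!r}")
```

In practice the comparison runs on both sides of a client's traffic rather than on a single list, and a segment that is a strict prefix of an earlier one still passes, since only the shared bytes are compared. The heuristic says nothing about which of the two replies is forged; it only tells the analyst that the flow deserves a look.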

Blabbermouth Snowden, who had worked as an IT contractor for the US National Security Agency before blowing the lid on the work of spies on both sides of the Atlantic, is holed up in Russia where he holds temporary asylum status.

A document marked as “top secret” by GCHQ that was leaked by Snowden suggests that Britain’s spies had done their homework about the engineers they wanted to target in Belgium. They apparently pinpointed IT experts working in network maintenance and security.

Spooks then narrowed the field to engineers who had accounts on LinkedIn and/or used Slashdot.org. Once they had identified their targets, they slipped them bogus profiles that then allowed the spies to sneak into Belgacom’s internal network. It has been reported that they also penetrated the telco’s subsidiary biz BICS, which runs a GRX router system.

Der Spiegel reported in September that GCHQ had infiltrated Belgacom as part of “Operation Socialist”, whose mission was to gain access to the company’s core GRX routers in order to run man-in-the-middle attacks against targets roaming with smartphones.

Billing outfits – Switzerland-based Comfone and Mach – were also on the list of companies for GCHQ to spy on using the Quantum Insert method, the German newspaper said.

LinkedIn, according to one of the documents leaked by Snowden, was a particularly good candidate for Quantum Insert, with the claim in 2012 that spooks using the network had a “success rate per shot [that was] looking to be greater than 50 per cent.”

But the company insisted that it had not aided British operatives to spy on Belgium’s biggest telecoms network.

“LinkedIn would not authorise such activity for any purpose,” it said. The firm added that it had not been told about the “alleged activity.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/11/gchq_used_fake_linkedin_profiles_to_access_belgian_telco/

Codenomicon Releases DEFENSICS 11.1 With ISASecure Compliance Package And Industrial Load Tester

Codenomicon, a world leader in software to find and fix security vulnerabilities in industrial control systems, today introduced the latest version of the market-leading DEFENSICS testing platform. Codenomicon DEFENSICS 11.1 provides testing and reporting with capabilities that conform to ISASecure’s Embedded Device Security Assurance (EDSA) Communications Robustness Testing (CRT) requirements. The ISA Security Compliance Institute (ISCI), which administers the ISASecure compliance certification, is in the final stages of approving Codenomicon DEFENSICS 11.1 as a Recognized Test Platform for the CRT portion of ISASecure’s EDSA cyber security certification. Codenomicon DEFENSICS provides complete coverage for the rigors of ISASecure EDSA testing. As part of the ISASecure testing package, Codenomicon is releasing a new DEFENSICS Industrial Control Systems (ICS) load tester. The Codenomicon DEFENSICS ICS Load Tester is now available to all Codenomicon customers at no additional charge.

For more information, contact:

(In U.S.A.) Mike Ahmadi, CISSP, Global Director, Medical Security, Codenomicon Ltd.

mike[at]codenomicon.com

(In Finland) Antti Kiiveri, Head of Marketing, Codenomicon Oy

kiiveri[at]codenomicon.com

About Codenomicon

Codenomicon’s market-leading DEFENSICS software finds known and previously-unknown security vulnerabilities in software, firmware, and hardware. Codenomicon’s customers include the US FDA, AT&T, Verizon, Comcast, Roche, Cisco, and Microsoft. Industry regulators, manufacturers, supply chain component companies, software and firmware developers, and end-user enterprises rely on Codenomicon’s solutions to discover zero-day vulnerabilities and Common Vulnerabilities and Exposures (CVE) that cause Denial of Service (DoS) and data leakage, which are the unknown vulnerabilities Advanced Persistent Threats (APTs) use to break into systems. For more information, go to www.codenomicon.com or contact [email protected]

Article source: http://www.darkreading.com/privacy/codenomicon-releases-defensics-111-with/240163762