STE WILLIAMS

Protect Electronic Devices With Secure Authenticator’s Strong Symmetric-Key Cryptography

SAN JOSE, Calif., Sept. 23, 2013 /PRNewswire/ — Designers can better protect their IP using the DeepCover Secure Authenticator (DS28C22) from Maxim Integrated Products, Inc. (NASDAQ: MXIM). The DS28C22 is a highly secure cryptographic solution for a host controller to authenticate peripherals or embedded designs, and it offers encrypted communication as an added benefit.

DeepCover embedded security solutions protect sensitive data with multiple layers of advanced physical security and provide highly secure storage of the authentication secret keys. Using the FIPS 180 based SHA-256 authentication algorithm, the DS28C22 combines crypto-strong, bidirectional, secure challenge-and-response authentication with small message encryption. Through bidirectional authentication, the host and the peripheral authenticate one another, protecting the IP in the peripheral from a non-authentic host trying to modify operation of the peripheral. The DS28C22 enables unprecedented security for many applications, including peripherals/disposables, sensors, network equipment, IP licensing, and industrial applications like programmable logic controllers (PLCs).

Key Advantages

— Robust security protects IP from being compromised by counterfeiters or hackers: A bidirectional security model enables two-way authentication and encryption between a host system and slave-embedded DS28C22. Strong die-level protection securely stores the authentication key.

— Simple and total programmability: Includes 3K bits of user memory with four user-programmable modes of protection; SHA-256 option enables customers to securely control end-product features through data settings.

— Added security with factory preprogramming: Maxim’s optional DS28C22 preprogramming service prevents supply chain vendors from compromising a solution; ensures no exposure of cryptographic keys.

— Fast and secure crypto processing: DS28C22 includes a dedicated hardware-accelerated engine for SHA computations.
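The bidirectional challenge-and-response model described above, as an added example that is not code from Maxim or from the DS28C22 datasheet. The chip's actual message layout, ROM ID format and MAC inputs are not on this page, so the construction here (HMAC-SHA256 over a direction tag, the device ID and a fresh random challenge, with length-prefixed fields) is an assumption chosen to show the shape of the exchange and the two things it has to defend against: a clone that lacks the key, and a clone that replays a response it sniffed from a genuine part.

```python
"""Bidirectional SHA-256 challenge-response between a host and a peripheral.

Added example, not code from Maxim or the DS28C22 datasheet: the chip's real
message layout, ROM ID format and MAC inputs are not given on this page, so
the construction below (HMAC-SHA256 over a direction tag, the device ID and
the challenge, with length-prefixed fields) is an assumption.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so (b"ab", b"c") and
    (b"a", b"bc") never hash the same input."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class Peripheral:
    """The authenticated accessory. A real DS28C22 keeps the key in protected
    storage; here it is just a field. key=None models a clone with no key."""

    def __init__(self, rom_id: bytes, key: Optional[bytes]):
        self.rom_id = rom_id          # public, unique device identifier (assumed)
        self._key = key
        self._challenge = b""

    def respond(self, host_challenge: bytes) -> Tuple[bytes, bytes]:
        """Step 2: prove key knowledge for the host's challenge and issue our
        own challenge so the host has to prove itself as well."""
        self._challenge = secrets.token_bytes(32)
        if self._key is None:
            return secrets.token_bytes(32), self._challenge   # a clone can only guess
        # The b"periph" tag stops a host-direction MAC being reflected back.
        return mac(self._key, b"periph", self.rom_id, host_challenge), self._challenge

    def verify_host(self, host_proof: bytes) -> bool:
        """Step 4: a genuine peripheral refuses to serve an unauthenticated host."""
        if self._key is None:
            return False
        expected = mac(self._key, b"host", self.rom_id, self._challenge)
        return hmac.compare_digest(expected, host_proof)   # constant-time compare


class ReplayClone(Peripheral):
    """Counterfeit that replays a response sniffed from a genuine device."""

    def __init__(self, rom_id: bytes, captured_proof: bytes):
        super().__init__(rom_id, None)
        self._captured = captured_proof

    def respond(self, host_challenge: bytes) -> Tuple[bytes, bytes]:
        self._challenge = secrets.token_bytes(32)
        return self._captured, self._challenge


class Host:
    """The controller that decides whether to trust the peripheral."""

    def __init__(self, key: bytes):
        self._key = key

    def authenticate(self, dev: Peripheral) -> bool:
        """Run both directions; True only if both parties prove the key."""
        c_h = secrets.token_bytes(32)                 # step 1: fresh, unpredictable
        proof, c_p = dev.respond(c_h)                 # step 2
        expected = mac(self._key, b"periph", dev.rom_id, c_h)
        if not hmac.compare_digest(expected, proof):
            return False                              # clone, wrong key, or replay
        host_proof = mac(self._key, b"host", dev.rom_id, c_p)   # step 3
        return dev.verify_host(host_proof)            # step 4


# Constructed demo key and ROM ID (not real provisioning data).
DEMO_KEY = hashlib.sha256(b"demo-shared-secret").digest()
DEMO_ROM_ID = bytes.fromhex("0102030405060708")


if __name__ == "__main__":
    genuine = Peripheral(DEMO_ROM_ID, DEMO_KEY)
    print("genuine:", Host(DEMO_KEY).authenticate(genuine))
    print("keyless clone:", Host(DEMO_KEY).authenticate(Peripheral(DEMO_ROM_ID, None)))
    captured, _ = genuine.respond(secrets.token_bytes(32))
    print("replay clone:", Host(DEMO_KEY).authenticate(ReplayClone(DEMO_ROM_ID, captured)))
```

Two details matter more than the hash: the challenge must be fresh and unpredictable on every run, otherwise a recorded response works forever, and the two directions must be domain-separated (the tags here), otherwise a rogue host can bounce the peripheral's own MAC back at it. Neither protects the shared key itself, which is why the press release spends so many words on die-level storage.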

Industry Commentary

— “We have 20 years of R&D experience thwarting invasive attacks,” said Scott Jones, Executive Director at Maxim Integrated. “By using multiple layers of security and SHA-256, we give designers real peace of mind that their data is safe.”

— “Device manufacturers must secure their equipment to allow access only to authorized users. Symmetric cryptography is now commonly used to ensure system security, but keeping that symmetric cryptographic key secure is the most critical component of the implementation,” said Colin Barnden, Principal Analyst at Semicast Research.

Availability and Pricing

— Available in an 8-pin TDFN package.

— Specified over the -40C to +85C temperature range.

— Pricing starts at $0.90 (1000-up, FOB USA).

More products related to industrial control and automation applications are available, as well as hi-res images of the DS28C22 end application and DS28C22 block diagram.

DeepCover is a registered trademark of Maxim Integrated Products, Inc.

About Maxim Integrated

At Maxim Integrated, our designs make the world more integrated. And with analog integration, the possibilities are endless. In Fiscal 2013, we reported revenues of $2.4 billion.

Article source: http://www.darkreading.com/authentication/protect-electronic-devices-with-secure-a/240162824

HITRUST Releases Draft Privacy Controls For The HITRUST CSF

Frisco, TX – October 17, 2013 – The Health Information Trust Alliance (HITRUST) is announcing today the release of the draft privacy controls to be added to the HITRUST CSF, resulting in the only fully integrated privacy and security framework for the U.S. healthcare industry. By incorporating privacy requirements into the CSF, organizations will now need only one framework to manage their privacy and information security compliance requirements.

With the expectation that more reliance will continue to be placed on electronic health records (EHRs) and on interoperable health information exchanges (HIEs) to improve patient care, minimize errors, reduce disparities, control costs and support public health initiatives, HITRUST believes the healthcare industry must be equipped to protect patient privacy while supporting the flow of health data in a way that benefits individuals and society.

Developed by the HITRUST Privacy Working Group and available now for public comment, the privacy controls were incorporated into the CSF to ensure better alignment between a healthcare organization’s security and privacy programs and provide an integrated approach for protecting health information. The draft privacy controls were created to establish a foundation for a uniform and practical approach to implementing a privacy program, taking into account both the risk and implementation factors that organizations should consider as they work to adequately protect patient, family member and workforce privacy.

“From the beginning, HITRUST has been committed to ensuring the CSF remains relevant and current to the needs of the healthcare industry and organizations utilizing it; privacy was always a component of the initial vision,” said Daniel Nutkis, chief executive officer, HITRUST. “Seven years ago when we began development of the CSF, we made a decision to focus on development and adoption of the security controls, recognizing this as the area where organizations needed greater assistance. Now, with broad adoption achieved, we can complete the vision for an integrated framework.”

By incorporating privacy controls, the benefits of adopting the CSF become even greater by providing organizations with a more comprehensive and flexible framework for managing their security programs and reducing the burden of compliance with all the requirements that apply to healthcare organizations. The newly integrated framework will incorporate both privacy and security controls, but organizations will be able to choose if they wish to obtain certification against the privacy requirements, security or both, allowing them to pursue the approach and pace best suited to their needs.

“Given the multitude of federal and state regulations with privacy and security requirements, having a fully integrated privacy and security framework provides both privacy and security professionals advantages over disparate approaches,” said Kimberly Gray, chief privacy officer, global, IMS Health. “By identifying the controls and requirements that support both disciplines, organizations are able to more effectively manage their information protection programs.”

After conducting a review of various privacy frameworks and regulations, the HITRUST Privacy Working Group focused its efforts on the HIPAA Privacy Rule and the privacy controls contained in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 revision 4 (r4) Appendix J, as well as other privacy best practices recommended by organizations and experts in the healthcare industry. Based on this assessment, the group recommended the inclusion of specific privacy control categories, objectives, specifications and requirements by implementation level.

The draft privacy controls contain 125 specific changes affecting 35 controls in the CSF, with some of the most significant changes impacting confidentiality, notice, consent and disclosure requirements. The privacy controls will be incorporated into the 2014 HITRUST CSF, and ultimately the MyCSF tool to enable organizations to be able to perform privacy assessments, compliance reporting and remediation.

The draft privacy controls are available for review at HITRUSTCentral.net. Those wishing to provide comments on the draft controls must do so by November 15, 2013.

About HITRUST

The Health Information Trust Alliance (HITRUST) was born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the CSF, a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit HITRUSTAlliance.net.

Article source: http://www.darkreading.com/privacy/hitrust-releases-draft-privacy-controls/240162847

CryptoLocker ransomware – see how it works, learn about prevention, cleanup and recovery

This article explains how the CryptoLocker ransomware works, including a short video showing it in action.

The article tells you about prevention, cleanup, and recovery.

It also explains how to improve your security against this sort of threat in future.

CRYPTOLOCKER – WHAT IS IT?

CryptoLocker, detected by Sophos as Troj/Ransom-ACP, is a malicious program known as ransomware.

Some ransomware just freezes your computer and asks you to pay a fee. (These threats can usually be unlocked without paying up, using a decent anti-virus program as a recovery tool.)

CryptoLocker is different: your computer and software keep on working, but your personal files, such as documents, spreadsheets and images, are encrypted.

The criminals retain the only copy of the decryption key on their server – it is not saved on your computer, so you cannot unlock your files without their assistance.

They then give you a short time (e.g. 72 hours, or three days) to pay them for the key.

The decryption key is unique to your computer, so you can’t just take someone else’s key to unscramble your files.

The fee is $300 or EUR300, paid by MoneyPak; or BTC2 (two Bitcoins, currently about $280).

To understand how CryptoLocker goes about its dirty work, please see our step-by-step description.

→ Our detailed article is suitable for non-technical readers. It covers: how the malware “calls home” to the crooks, how the encryption is done, which file types get scrambled, and what you see when the demand appears. You may want to keep the article open in another tab or window to refer to while you read this page.

WHAT DOES CRYPTOLOCKER LOOK LIKE?

CryptoLocker reveals itself only after it has scrambled your files, which it does only if it is online and has already identified you and your computer to the encryption server run by the criminals.

We therefore recommend that you don’t try the malware out yourself, even if you have a sample and a computer you don’t care about, because you can’t easily test it without letting your computer converse with the crooks.

However, we know you would love to see what it does and how it works, so here is a video made by our friend and colleague Mark Rickus, of Sophos Support.

We recommend this video because Mark has pitched it perfectly: he doesn’t rush; he doesn’t talk down to you; he lets the facts speak for themselves; and he brings an air of calm authority with just a touch of wry humour to what is a rather serious subject:


HOW DO I DETECT AND REMOVE IT?

You can use the free Sophos Virus Removal Tool (VRT).

This program isn’t a replacement for your existing security software, because it doesn’t provide active protection (also known as on-access or real-time scanning), but that means it can co-exist with any active software you already have installed.

The Virus Removal Tool will load, update itself, and scan memory, in case you have malware that is already active.

Once it has checked for running malware, and got rid of it, then it scans your hard disk.

If it finds any malicious files, you can click a button to clean them up.

If CryptoLocker is running and has already popped up its payment demand page, you can still remove it and clean up, but the Virus Removal Tool cannot decrypt your scrambled files: without the key their contents are unrecoverable. Once you have restored from backup you can delete them, although keeping a copy of the encrypted files costs little and is your only option should a key ever become available.

Even if you don’t have CryptoLocker, it is well worth scanning your computer for malware.

The criminals are known to be using existing malware infections as “backdoors” to copy CryptoLocker onto victims’ computers.

We assume their reasoning is that if you have existing, older malware that you haven’t spotted yet, you probably won’t spot CryptoLocker either, and you probably won’t have backups, which means they’re more likely to be able to squeeze you for money later on.
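The removal tool tells you whether the malware is present, not which files it got to. As an added example (not part of the original article and not one of Sophos’ tools), here is a small triage script that scans a directory listing for files that look scrambled. It assumes the malware encrypts in place and leaves the original file name and extension behind, and it uses two generic checks: a known file type whose header has been overwritten, and a plain-text type whose bytes are near-random. The sample share contents are constructed, and the “ciphertext” is deterministic pseudo-random data rather than real CryptoLocker output.

```python
"""Triage which files on a drive or share look as if they were scrambled by
file-encrypting ransomware.

Added example, not from the Naked Security article or from Sophos' tools. It
assumes the malware encrypts files in place, leaving the original name and
extension behind, and uses two generic checks: a known file type whose header
has been overwritten, and a plain-text type whose bytes are near-random.
"""
import hashlib
import math
from collections import Counter
from typing import Dict

# Magic bytes expected at the start of common document types. Office 2007+
# and image formats are compressed, so their entropy is legitimately high;
# for them the header, not the entropy, is the tell.
MAGIC = {
    "pdf": b"%PDF",
    "docx": b"PK\x03\x04",
    "xlsx": b"PK\x03\x04",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}
ENTROPY_THRESHOLD = 7.2   # bits/byte; English text is ~4-5, ciphertext ~8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte over the whole buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes) -> str:
    """Return 'ok', 'header-mismatch' or 'high-entropy' for one file."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    magic = MAGIC.get(ext)
    if magic is not None:
        return "ok" if data.startswith(magic) else "header-mismatch"
    # No known header (txt, csv, ...): fall back to the entropy test.
    return "high-entropy" if shannon_entropy(data) > ENTROPY_THRESHOLD else "ok"


def triage(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map name -> verdict for every file that is not 'ok'."""
    verdicts = {}
    for name, data in files.items():
        verdict = classify(name, data)
        if verdict != "ok":
            verdicts[name] = verdict
    return verdicts


def fake_ciphertext(seed: bytes, length: int = 4096) -> bytes:
    """Deterministic pseudo-random bytes standing in for an encrypted file
    (SHA-256 in counter mode). Constructed sample, not CryptoLocker output."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


# Constructed contents of a small share: three intact files, three scrambled.
SAMPLE_FILES = {
    "notes.txt": b"Quarterly notes: revenue up, costs flat, hiring paused.\n" * 60,
    "report.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 30,
    "photo.jpg": b"\xff\xd8\xff\xe0" + fake_ciphertext(b"jpeg-payload"),  # intact, compressed
    "budget.xlsx": fake_ciphertext(b"encrypted-xlsx"),   # zip header gone
    "letter.docx": fake_ciphertext(b"encrypted-docx"),
    "passwords.txt": fake_ciphertext(b"encrypted-txt"),  # near-random "text"
}


if __name__ == "__main__":
    for name, verdict in sorted(triage(SAMPLE_FILES).items()):
        print(f"{name:15} {verdict}")
```

The header check comes first on purpose: a JPEG or a .docx (which is a zip container) is near-random after its first few bytes, so an entropy-only scanner would flag every photo and Office document on the share. Run over a real mapped drive, the verdict list doubles as the restore list for the backups discussed below.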

CAN CRYPTOLOCKER SPREAD ON MY NETWORK?

Fortunately, CryptoLocker is not a virus (self-replicating malware), so it doesn’t spread across your network by itself.

But it can affect your network, because it searches extensively for files to encrypt.

Remember that malware generally runs with the same permissions and powers as any program you choose to launch deliberately.

So, any file, on any drive letter or network share, that you can locate and access with a program such as Windows Explorer can be located and accessed by CryptoLocker.

That includes USB drives, network file shares, and even cloud storage folders that are made to appear as drive letters by special software drivers.

A Naked Security reader just commented that from a single infected computer, he was “faced with 14,786 encrypted files over local and mapped network drives.”

So, if you haven’t reviewed the security settings on your network shares lately, this would be a good time to do so.

If you don’t need write access, make files and folders read only.

SHOULD I PAY UP?

We’ll follow the police’s advice here, and recommend that you do not pay up.

This sort of extortion – Demanding Money with Menaces, as a court would call it – is a serious crime.

Even though CryptoLocker uses payment methods (MoneyPak, Bitcoin) that keep you and the crooks at arm’s length, you are dealing with outright criminals here.

Of course, since we don’t have 14,786 encrypted files, like the reader we mentioned above, we acknowledge that it may be easier for us to say, “Don’t pay” than it is for you to give up on your data.

Obviously, we can’t advise you on how likely it is that you will get your data back if you do decide to pay.

IS IT THE WORST VIRUS EVER?

We don’t think so, although that is cold comfort to those who have lost data this time round.

Losing files completely is a terrible blow, but you can lose data in lots of other ways: a dropped hard disk, a stolen laptop or just plain old electronic failure.

The silver lining with CryptoLocker is that the criminals don’t actually take your data – they just leave it locked up where it was before, and offer to sell you the key.

In many ways, malware that isn’t so obvious and aggressive, but which steals your files, or monitors your keyboard while you login to your bank, or takes snapshots of your screen while you’re filling out your tax return, can be much worse.

In those cases, the crooks end up with their own duplicate copies of your data, passwords and digital identity.

If you have a recent backup, you can recover from CryptoLocker with almost no consequences except the time lost restoring your files.

Identity theft, however, can be a lot harder to recover from – not least because you have to realise that it’s even happened before you can react.

Even if all you have on your computer is zombie malware of the sort that crooks use to send spam, doing nothing about it hurts everyone around you, and imposes a collective cost on all of us.

That’s why we are urging you to DO THESE 3 security steps, and TRY THESE 4 free tools, even if you haven’t been hit by CryptoLocker.

HOW DO I ENSURE THERE’S NO “NEXT TIME?”

Here are five “top tips” for keeping safe against malware in general, and cyberblackmailers in particular:

  • Keep regular backups of your important files. If you can, store your backups offline, for example in a safe-deposit box, where they can’t be affected in the event of an attack on your active files. Your backups will be rendered useless if they are scrambled by CryptoLocker along with the primary copies of the files.
  • Use an anti-virus, and keep it up to date. As far as we can see, many of the current victims of CryptoLocker were already infected with malware that they could have removed some time ago, thus preventing not only the CryptoLocker attack, but also any of the damage done by that earlier malware.
  • Keep your operating system and software up to date with patches. This lessens the chance of malware sneaking onto your computer unnoticed through security holes. The CryptoLocker authors didn’t need to use fancy intrusion techniques in their malware because they used other malware, that had already broken in, to open the door for them.
  • Review the access control settings on any network shares you have, whether at home or at work. Don’t grant yourself or anyone else write access to files that you only need to read. Don’t grant yourself any access at all to files that you don’t need to see – that stops malware seeing and stealing them, too.
  • Don’t give administrative privileges to your user accounts. Privileged accounts can “reach out” much further and more destructively both on your own hard disk and across the network. Malware that runs as administrator can do much more damage, and be much harder to get rid of, than malware running as a regular user.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/h_ZMcvEG6u4/

Security education cuts both ways – why marketers need retraining too

This week’s theme for National Cyber Security Awareness Month is education, so there’s been a focus on teaching people how to be more secure.

Both end users and IT professionals can benefit from knowing more about combating the threats they face, but there are other people who have something to learn: the marketers whose attempts at putting across their messages stray over the line into spamming, and the communications people whose irresponsible use of email risks undoing the good work of educators in training us to spot scams and cons.

Social engineering, phishing and spamming

Phishing and social engineering are at the heart of a lot of cybercrime.  We regularly hear of smart new phishing campaigns, like the recent fake Microsoft update phish, or an institution that’s had data leaked thanks to its staff falling for phishing emails – one of the latest being Saint Louis University (why is it always universities?) which allowed someone access to health data on 3,000 individuals.

These are criminal activities of course, and occasionally lead to prosecution and imprisonment for those behind the campaigns, as in the recent case of a UK resident locked up for five years for his part in a bank phishing campaign which netted £750,000.

We have spam and web filters to help protect people from their attacks, and there are email standards designed to help filters recognise when emails are from a legitimate source.

For the most part we rely on teaching people how not to fall for the scams. We pick out common tell-tale signs, such as spoofed email details or disguised links, and show people how to spot them. We urge them to act with caution and try to avoid being rushed into poor decisions.

But after years of hammering these points home, as scientific studies keep showing, we’re still not good at spotting scams. The phishing methods still work, and as new technologies appear, so do different avenues of attack.

Recent stats from the Australian Communications and Media Authority (ACMA) show another rise in SMS spam, and they’ve had to fine a nightclub for texting 50,000 people without proper opt-out info.

The ACMA also went after an online retailer, which was hit with a record fine for spamming its customer lists. That’s a fair bit of activity for just one country, in just the past week or so.

Legitimate spamming?

You may notice something different about these last two cases though: these are legitimate businesses trying to market their products.

But they’ve gone about it in a way which contravenes spam laws, which in itself implies they’ve gone well beyond what most people would consider intrusive – spam laws tend to be designed not to get in the way of marketing activity too much.

If we are constantly bombarded with mass mails from everyone we’ve ever dealt with, and anyone they feel like sharing their address lists with, we come to normalise all this spam. This makes it harder for us, with our limited attention spans and rushed-off-our-feet modern lifestyles, to remain alert to cleverly crafted tricks and scams.

Banks and other institutions handling our sensitive data also fail to heed good advice, and send out mails warning us of problems with our accounts while providing helpful links to take us to the login page.

We’re trying to teach people to be wary of such emails and always use a known-good bookmark or type in an address manually rather than following a link, so when the very thing we warn against turns out to be legitimate and genuine, it only serves to dim the value of the educational effort.

Another group with similar problems are application developers whose apps demand more rights than strictly necessary. We’re trying to teach people not to blindly approve requests for access to their network connection, their contact lists, or their location. When apps are always asking for access to these things, how are users supposed to tell the legit ones from the scams and cons?

Finally, of course, there are social network providers who rely on hoovering up as much personal information as they can to sell on to advertisers. While these may be something of a lost cause, perhaps one day they’ll learn that overly-complex privacy settings and aggressively harvesting people’s information isn’t going to win them any friends.

Lessons to be learned

So if you’re one of these people, please heed the educational message too.

OK so you’ve got things to sell, you’ve got messages you need to get eyes on, but please think about what you’re doing.

  • If you’ve got a marketing message you want to show someone, make it clear that’s what you’re doing. Make sure you only mail people who’re OK with that, and make sure you provide means for them to tell you if they change their mind.
  • Don’t try and lure people to your website with promises of wonders and delights, then try and scrape as much personal information out of them as you can.
  • If you’re a bank and need to get an urgent message to your customers, maybe email is a good technique, but make sure your customers have agreed to be emailed ahead of time. And try not to make your emails look like every fake phishing scam in the book.
  • Make it clear that people should always be wary and distrustful of emails. Make them type in an address or use a bookmark. Don’t give them a link however much easier you think you’re making things for them.
  • If you’re building an app and need to have it supported by ads, that’s fine, just make sure they’re not intrusive, or demand device or data access that you don’t really need. If you need access to features or information, make that clear at every opportunity, and explain why.

If people with legitimate messages stick to legitimate techniques, don’t try to trick or scam people and never ask for more than they really need, then it’s going to be easy to spot when someone is asking for something we shouldn’t give them.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wspkA-q2zbU/

How to risk your job in 7 security mistakes

Work is hard sometimes. You’re trying to get to your first meeting of the day, coax some life out of the printer, mop up your coffee spillage, look casual when the girl from accounts walks by, fire off an email to your boss explaining how you came to leave 30,000 confidential patient records on a train to Bexleyheath…

Oops.

Yes, it’s tricky sometimes to get your job done while sticking to all those pesky rules around confidentiality and data protection.

Being escorted out of the building for security negligence is not something you recover from very easily, so don’t try any of these at work:

1. Fall asleep on your keyboard

Urban myth, or genuine faux pas? This German bank clerk nodded off at his keyboard and turned a €64.20 transaction into an unlikely €22,222,222.22 (about $30m). Logging out regularly – perhaps before you pass out – could have avoided this blunder.

2. Post details of your top-secret Naval locations on Facebook

If you’re a naval officer, carrying out your patriotic duties onboard your country’s only aircraft carrier, don’t post details of your secret operations on Facebook. Instead, why not just make sure you get a nice selfie of you and a dolphin. Aww.

3. Give your government files their own train seat – then leave them there

A day-dreaming US Secret Service contractor volunteered to drop off classified tapes at the vault, and then left them on the Metro. It would be comical if it wasn’t so dangerous. Encrypt your data, have a data removal policy, and don’t give your Top Secret files to the intern.

4. Throw confidential papers into a public rubbish tip

In this alarming case of illegal records dumping, the names, social security numbers, and medical diagnoses for 67,000 patients were found by a reporter, rather than someone even less scrupulous. Get a records destruction policy in place for both physical and digital files.

5. Stick your password on the wall behind a famous Royal

Don’t display system logins on huge pieces of paper, stuck to the wall, especially when someone’s got a camera and Prince William works in your office. Here’s some advice on creating complex, but not complicated, secure passwords.

6. Give your password to the Syrian Electronic Army

Employees were left red-faced at Viber and The Onion after they fell for phishing emails sent by the Syrian Electronic Army. Sadly, humans are always going to be the weak link in phishing scams, so keep educating your colleagues, and put on your suspicious hat before clicking links.

7. Snoop around your colleagues’ emails

This Harvard University dean wasn’t sacked, but she pointedly ‘stepped down’ after her good intentions – preserving the privacy of students involved in a cheating scandal – led to misguided execution – she compromised the privacy and trust of her colleagues by allowing a secret search of 16 deans’ email accounts.

If you’re still not sure what security rules you should stick to so you can stay on the right side of employment, ask your friendly IT guy and follow these basics:

  • Ensure all your computers, phones and various devices have full, up-to-date malware protection.
  • Don’t click links in emails you weren’t expecting. Poor grammar is one tell-tale sign of a scam, but well-written phishing emails exist too, so an email that reads fluently is not automatically safe.
  • Don’t take files – physical or digital – out of your office unless you’ve cleared it with someone in charge. And make sure they’re encrypted. And then don’t lose them.
  • Be careful with social media – check your privacy settings regularly (Facebook keeps changing the darn things) and don’t post anything you wouldn’t want your mother or your boss to see.

And as it’s National Cyber Security Awareness Month, check out more of our handy security advice.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/41_AK82p8DY/

Encouraging the next generation of cyber security experts

This week’s theme in National Cyber Security Awareness Month is all about encouraging new talent to join the industry. Both Sophos and I are huge believers in the importance of encouraging the next generation of talent in information security.

Over the past couple of years we’ve seen numerous reports which highlight the need for more skilled information security professionals.

Not only do we not have enough people, but we are also not making sure we tap enough into the very talented individuals already out there.

Why does this problem exist and why do we care?

Technology is becoming more and more embedded into our everyday lives. We are carrying around mobiles, sharing information constantly and integrating systems into our power, utilities and healthcare.

As we do this the risk of ever-more severe attacks becomes even greater.

Technology is a growing supporting pillar of our financial markets and critical infrastructure so we need the right talent to keep us all safe.

The rapid proliferation of platforms, devices and applications means we not only need more skilled individuals, but entirely new categories of expertise.

Building that takes time, and if we fail to act soon the skills deficit could have an even greater impact on our society. And without positive application there’s a risk that those with such skills may end up breaking the law to satisfy their need for challenge.

Why are we in this situation?

As part of initiatives like the Cyber Security Challenge, which aims to identify talented individuals of any age or background and get them into the industry, I talk to quite a few very talented young adults who have as much capability as some already in the industry.

When I ask them why they hadn’t considered a career in cyber security before, they often reply “I didn’t think I was good enough” or “I didn’t realise it would be an interesting job”.

One of the biggest problems is that cyber security isn’t advertised as a career path to children, and often computer science classes are significantly behind the expertise of the children entering the classroom.

What can we do?

We need better mechanisms to recognise talented individuals, whether they developed their skills through academic or less conventional self-taught methods.

Gamification is the perfect strategy, making security challenges both interesting and fun to play.

Over the past few years it has become cool to be a geek (well, I would argue it was always cool) so we should capitalise on this and advertise it as a viable career path for those who are interested in computers.

Initiatives like the drone-hacking competition we hosted recently at Sophos really help to encourage interest and develop skills.

Lastly, many security roles within business demand several years’ experience, but that limits the pool. We need to create more internships to allow people to gain experience after they have proved themselves in challenges like the one above.

Security is a key role for our society moving forward and is a rewarding and really interesting profession. If you know someone who is interested in computers, encourage them to find a challenge near you and consider a career in security.

I’d love to hear more about the initiatives you have in your countries to develop cyber security talent or ideas you have to encourage more people to consider the profession, so leave a note in the comments or tweet me at the address below.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Wq6yE_hzjzo/

Got a mobile phone? Then you’ve got a Trojan problem too


Something wonderful has happened: phones have got smart, but the bad news is they may open the door to those you don’t want to let in.

Time was when getting software to run properly on your mobile phone was such a challenge that it was nigh on impossible for bad guys to write malware that worked.


Most phones used proprietary platforms and there was little or no access to source code. Apps ran in the nice little sandbox of Java. Or, more typically, failed to run.

Now the increasing sophistication of mobiles has opened the door for bad guys to get a grip.

Your secrets are out

A Trojan on your laptop gives someone access to all your data, and maybe even through your corporate virtual private network to all your company’s secrets.

The same is true of your mobile except that the attack gets personal. As well as opening a route to your work data, a Trojan has access to all your friends, relatives and other contacts.

Why did you call that headhunter three times last week? Who is that woman you keep calling? Then there are all your text messages, telling it where you are and when. Off sick and on the golf course?

Worse, a Trojan has a billing relationship with your mobile. Your laptop can’t send premium-rate reverse-billed SMSs but your phone can.

The value of all the data on your device means it is no longer just a phone. This is what propels companies to provide mobile device management (MDM): the ability to control what is on your mobile, to push new work tools to it and to wipe it if it is lost or stolen.

The same technology can be turned against you – as Android developer LSDroid found with its Cerberus anti-theft software.

This is archetypal MDM software designed to help you find a lost or stolen Android phone. It gives you remote control through a website which will tell you if the SIM card has been changed and sound an alarm, even if the phone is in silent mode.

What matters here is the security which controls who has access. Cerberus derived this from random numbers and the phone's IMEI (International Mobile Equipment Identity). That wasn't enough: a blogger called Paul built an exploit that broke the scheme in a couple of hours. The problem was quickly fixed, but it showed that what you think is protecting your data might be doing the opposite. The practitioner's lesson is that an IMEI is an identifier, not a secret: it is printed on the box, known to the carrier and readable by any app granted the phone-state permission, so it adds nothing to an authentication check.

The price of popularity

Android, being the type of phone chosen by the majority of users, is the one most under threat. Security expert Jon Sawyer from Applied Cyber Security compares this to the days when people claimed Macs were more secure than Windows.

“It was only because so many more people were targeting Windows that it looked less secure,” he says.

Sawyer has found a number of vulnerabilities in phones, among which perhaps the most spectacular was an LG vulnerability that could be made to look like a service update and so did not request permissions. This in turn could modify any file, opening up the phone to any kind of modification including rooting.

As a “white hat”, he contacted LG and waited six months until the flaw was fixed before publishing, but he bemoans the lack of feedback from the security teams at the handset manufacturers.

He also singles out BlackBerry for hostility to security researchers. According to Sawyer, vulnerabilities in Android are rarely the fault of the operating system but often what the individual manufacturers have done at system level.

Google’s Android security team is good, he says, although he would recommend upgrading to version 4.3 or later.

James Lyne of Sophos echoes this view. He says that however good Google’s security people are, Android is probably the weakest of the mainstream smartphone platforms.

Runners up

He contends that BlackBerry is the most secure, both in its BB7 and BB10 incarnations – although for security you have to sacrifice the openness of the BB10 system and then you have to wonder what is the point of going to BB10 in the first place.

Lyne would put Apple and Microsoft in joint second place, but from very different perspectives. Apple checks apps before they go into the store and then is very quick to pull any malevolent ones that get through. Lyne cautions, however, that the “trust me” approach could come back and bite Apple.

“The lack of transparency means there is trust where it isn’t deserved,” he says.

He paints a scenario of malware that might jailbreak as it goes, spreading from iPhone to iPhone and putting the devices outside of Apple’s control.

Today’s mobile malware is very 1990s

That hasn’t happened but Lyne still prefers the PC model of security. He says that today’s mobile malware is very 1990s so all you need to do to prevent it is a simple reputation look-up.

But he warns that “mobile opens up old wounds that previously we’d closed on PCs” – smarter polymorphs and the like. Lyne says of all the operating systems Windows Phone is the best architected to cope with the threats we have not seen yet.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/18/feature_mobile_security_malware/

Fiendish CryptoLocker ransomware: Whatever you do, don’t PAY


A fiendishly nasty strain of Windows malware that uses strong public-key encryption to lock up user files before demanding a ransom is doing the rounds.

CryptoLocker, which first surfaced early last month, leaves users in danger of losing important files forever unless they pay up. Typically the crooks relieve them of around $300 (£185).


The malware initially spreads through botnets or as an infected attachment of phishing messages. For example, CryptoLocker appeared in attachments to supposed customer complaint emails sent to firms last month, as an advisory note from security firm Emsisoft explains in greater depth.

More recently CryptoLocker has been spreading as a secondary infection through the infamous ZeuS botnet. Once running, CryptoLocker encrypts users' files using asymmetric (public-key) encryption: the public key can only lock the data, and only the matching private key, which the victim never receives, can unlock it.

The malware encrypts a wide variety of file types on compromised Windows PCs before displaying a ransom message demanding payment by a fixed deadline, typically three or four days from the date of infection. Payment is demanded through anonymous prepaid cash services such as MoneyPak, Ukash and cashU, or in Bitcoin.

Jonathan, a Reg reader who runs a remote IT support business, described the ransomware as the most destructive virus he’d come across in more than 10 years in the business.

“One of my clients has been infected with a new ransomware virus called CryptoLocker,” he told El Reg. “This is the most destructive virus that I have seen in 13 years because it encrypts .doc, .xls, .jpg, and .dwg files, even via network shares.”

“The virus appears to be spread in the UK via emails purporting to come from Companies House. There is no known decryption as yet, other than paying the $300 ransom,” he added.

Decryption is difficult, if not impossible, unless a victim has access to the private key stored on the cybercriminals’ server. Victims are told they need to hand over $300 to cybercrooks to obtain access to the private key within three or four days. Failure to act means the files are locked up in a vault that is fiendishly difficult to break into, perhaps meaning the scrambled files will be lost forever.

CryptoLocker is similar in some ways to other forms of ransomware, such as the Reveton police Trojan, but it is far more sophisticated in its construction and aggressive in its demands.

The necessary decryption key is never left lying around on host machines. CryptoLocker phones home to a command-and-control server to obtain a public RSA key before it begins the task of silently encrypting files on the compromised machine. The matching private key is kept on that same server and is never sent to the victim, which is why searching the infected disk for a key recovers nothing.

Malware that encrypts your data and tries to sell it back to you is not new. As net security firm Sophos points out, CryptoLocker chiefly differs in that it uses industry-standard cryptography, correctly, for malign purposes.

“SophosLabs has received a large number of scrambled documents via the Sophos sample submission system,” Sophos explains in a blog post.

“These have come from people who are keenly hoping that there’s a flaw in the CryptoLocker encryption, and that we can help them get their files back,” adds the firm. “But as far as we can see, there’s no backdoor or shortcut: what the public key has scrambled, only the private key can unscramble.”
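The key-handling model described above, as an added illustration that is not CryptoLocker's code and not taken from Sophos: the victim side holds only a public RSA key, wraps a fresh per-file key with it, and the private key that undoes the wrapping stays on the attacker's server. The article does not describe CryptoLocker's file format or symmetric cipher, so the HMAC-SHA256 keystream, the blob layout and the toy 512-bit modulus (chosen only so the example runs in well under a second) are assumptions made here.

```python
"""Added illustration of the key-handling model the article describes:
the victim side holds only a public RSA key (fetched from the C2 server);
the matching private key stays on the attacker's server. Not CryptoLocker's
code: the file format, the HMAC-SHA256 keystream and the toy 512-bit
modulus are assumptions made here for a self-contained, fast example."""
import hashlib
import hmac
import os
import random

_RNG = random.SystemRandom()
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = _RNG.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit, make odd
        if _is_probable_prime(cand):
            return cand


def _modinv(a: int, m: int) -> int:
    """Extended Euclid; the caller guarantees gcd(a, m) == 1."""
    r0, r1, t0, t1 = m, a, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, t0, t1 = r1, r0 - q * r1, t1, t0 - q * t1
    return t0 % m


def rsa_keygen(bits: int = 512):
    """Attacker side. Returns ((e, n), (d, n)); only (e, n) is ever sent to victims.
    512 bits is far too small for real use; it is chosen so the example runs quickly."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (e, p * q), (_modinv(e, phi), p * q)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (constructed for this example;
    a real implementation would use AES). XOR is its own inverse, so this both
    encrypts and decrypts."""
    out = bytearray()
    for i, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def encrypt_file(public_key, plaintext: bytes) -> dict:
    """Victim side: a fresh random file key is wrapped with the public key.
    Nothing on this machine can undo the wrapping; that needs d, which never arrived."""
    e, n = public_key
    file_key = os.urandom(32)
    nonce = os.urandom(16)
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)  # textbook RSA; real code uses OAEP
    return {"wrapped_key": wrapped, "nonce": nonce,
            "body": _keystream_xor(file_key, nonce, plaintext)}


def decrypt_file(private_key, blob: dict) -> bytes:
    """Attacker side (or a victim who paid): unwrap the file key with d, strip the keystream."""
    d, n = private_key
    n_bytes = (n.bit_length() + 7) // 8
    file_key = pow(blob["wrapped_key"], d, n).to_bytes(n_bytes, "big")[-32:]
    return _keystream_xor(file_key, blob["nonce"], blob["body"])


def roundtrip_demo(sample: bytes) -> dict:
    """The facts a responder cares about: the right private key recovers the file;
    a different key pair (all a defender could ever generate) yields garbage."""
    pub, priv = rsa_keygen()
    blob = encrypt_file(pub, sample)
    _, other_priv = rsa_keygen()
    return {
        "ciphertext_differs": blob["body"] != sample,
        "recovered_with_private_key": decrypt_file(priv, blob) == sample,
        "recovered_with_other_key": decrypt_file(other_priv, blob) == sample,
    }


if __name__ == "__main__":
    # Constructed sample document; any bytes would do.
    print(roundtrip_demo(b"Constructed sample .doc contents: quarterly figures..."))
```

The point the block makes is structural rather than about the toy parameters: `encrypt_file` never touches `d`, so forensic examination of the victim machine, memory included, yields a wrapped key and a public exponent and nothing else; recovering `d` from `(e, n)` means factoring `n`, which is exactly the "no backdoor or shortcut" Sophos describes. The 512-bit modulus here is breakable with modest effort; the real scheme used a modulus far beyond that.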

A video from SophosLabs showing the malware in action can be found below. Victims receive little or no indication of a problem while the malware encrypts files in the background.

There may be some hope of recovering previous versions of encrypted files, but it is far better to avoid infection in the first place.

“In some cases, it may be possible to recover previous versions of the encrypted files using System Restore or other recovery software used to obtain “shadow copies” of files,” according to an advisory by anti-virus firm Malwarebytes.

More detailed advice on how some files might be recovered from infected machines can be found on borked PC advice website Bleeping Computer.

Another write-up of the threat can be found in a blog post by Trend Micro here.

Malwarebytes, Sophos (more info here) and other firms have added detection for strains of CryptoLocker to their antivirus products as well as blocking sites associated with the malware: factors that ought to provide some defence against infections taking hold.

However, antivirus technology can’t help in recovering encrypted files post-infection.

The appearance of CryptoLocker reinforces the need to back up personal data files regularly, and local backups alone may not be enough. CryptoLocker may attack backups located on a network drive mapped to an infected PC, so a backup that sits writable on such a share is just another set of files to scramble. A belt-and-braces approach with offline or off-site copies, and cloud backups that keep previous versions rather than merely mirroring the live folder, is the sensible option.

Security experts agree that regular data backups are the best safeguard against potential calamity in the face of the threat.

Fabio Assolini, a senior security researcher at Kaspersky Lab, wrote in a Twitter update: “It’s not possible to recover the files encrypted by CryptoLocker. It’s not a good idea to pay the ransom, backup is your friend.”

Christopher Boyd, a senior threat researcher at ThreatTrack Security, concurred that recovery from backups is the best option: “There are only two real options (neither of which are particularly great).

“You can remove the virus but lose your files (unless you have them backed up), or pay the bad guys with a credit card to get the unlock code (assuming there even is one) to recover the locked data, then – one would assume – attempt to get the money back. Due to the potential complexity of the infection, email exchanges or even remote support may not be an ideal way to try to fix the problem.”

A detailed discussion of the malware that took place around the time it first surfaced, in early September, can be found on a forum dedicated to kernel developers here.

CryptoLocker discussion video


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/18/cryptolocker_ransmware/

10 Pitfalls Of IT Risk Assessment

As IT organizations seek to make better risk-based decisions about security practices, perhaps the number one component for success is the IT risk assessment. However, even when organizations actually conduct a risk assessment, they frequently fall prey to mistakes that can greatly devalue the exercise. Here are some of the most common blunders to avoid.

1. Forgetting To Assess Third Party Risk
Most IT risk experts agree that most enterprises today simply don’t work to gauge the level of IT risk posed by vendor and other partner infrastructure that touches their most sensitive data.

“One area that many companies are not doing enough on is managing their relationships with third-party vendors they use,” says Brad Johnson, vice president of consultancy SystemExperts. “Often, once the lawyers have finally signed off on an agreement, both parties tend to have a very hands-off approach with each other and forget the details of making sure things are staying on course.”

When organizations fail to really do their due diligence — both before and after a contract is signed — they’re bound to miss critical details that will drastically change how the real risk exposure looks.

“For example, a client company may not be aware that a vendor is storing their regulated data in a public cloud,” says Natalie Kmit, senior information security advisor for security consultancy Sage Data Security.

2. Making Assessments Too Quantitative
True, analytics and numbers are really important for evaluating risk and how it could materially impact the bottom line. But organizations need to understand that the numbers game doesn’t have to be perfect to be effective, especially when it comes to estimating breach impact.

“Ranges of impact to make it easier to get on with the discussion and focus on how you’ll mitigate risk, rather than spending a lot of cycles debating about whether the impact is $20 million or $21 million,” says Dwayne Melancon, CTO of Tripwire. ” Once you figure out whether the impact of a realized risk is catastrophic, painful, inconvenient, annoying, or not a big deal, you can have a good conversation about how much you want to spend to mitigate the most serious risks.”

Melancon says that going overboard with analytics in general can bog down the assessment process, and that organizations should be wary of spending so long on tasks such as classifying risk that the assessment cycle stretches to the point of ineffectiveness.

Besides, says Manny Landron, senior manager of security and compliance at Citrix ShareFile’s SaaS Division, there are also qualitative risk factors that organizations need to find a way to incorporate into the assessment.

“Quantitative assignments should be well defined and the cost-benefit assessment should have a qualitative counterpart at each turn,” he says. “Having too narrow a focus, using strictly quantitative measurements, not having a framework to work against and not having sufficient periodically scheduled risk assessments, are all mistakes risk executives should aim to avoid.”

3. Letting Assessment Suffer From Myopic Scope
It’s the rule rather than the exception that most large organizations overlook key assets and indicators in their risk assessments, says Jody Brazil of firewall management firm FireMon.

“Among the most frequent issues are those related to identifying vulnerabilities as ‘risks’ without any greater qualification such as exposure to available access or exploitation,” he says. “There’s also the labeling of individual threats as ‘risk,’ and the failure to properly assign values to specific assets-most often exemplified by treating all hosts or underlying systems as equal.”

Mike Lloyd, CTO of RedSeal Networks, agrees, saying that most organizations simply don’t keep good enough track of the infrastructure assets they own to assess them properly.

“Most organizations have lost track of the assets they own,” he says. “Performing a risk assessment on the asset inventory system can be like the drunk looking for his keys under the lamp post, even though he dropped them in the alley, because the light is better under the lamp post.”

What’s more, even with complete data sets they’re frequently assessed in separate silos, making it difficult to understand interdependencies.

“Sometimes, an assessment focuses on a very specific application, but fails to embrace the entire infrastructure,” says Gregory Blair, senior director of operations for FPX, a company that develops price-quoting software. “For example, the assessment might look only at an application focused on securing a database and misses the general computing controls that are used in a specific industry – things like encryption, firewall, authentication, and authorization.”

4. Assessing Without Context
IT risk assessments are all about context, whether it is systems context as mentioned above or business context. Organizations that fail to put vulnerabilities and threats in context of the information assets and their importance to the business can’t truly develop a good risk assessment or a way to apply it back to IT practices.

“When assessing risks, many times CISOs lack the context to the business. In other words, they need to ask ‘What’s being assessed and how does it affect the business?’” says Amad Fida, CEO of big data risk analysis firm Brinqa. “Results that are analyzed without business context provide a ‘technology’ view but not a ‘business + technology’ view.”


5. Failing To Fold IT Risk Assessment Into Enterprise Assessments
Similarly, businesses want to understand how IT risks interplay with all the other risks set in front of other business units. More often than not, organizations treat IT risks as their own category without considering their broader impact.

“More risk-aware organizations recognize that IT is an integral part of their business success and work to make sure IT is engaged in the business risk conversation,” Johnson of SystemExperts says. “A number of organizations I work with have cross-functional teams that look at risk holistically to better understand dependencies, and these teams make recommendations about which risks the company should focus on from a business perspective.”


Article source: http://www.darkreading.com/risk/10-pitfalls-of-it-risk-assessment/240162808

Teens can now post publicly on Facebook. Should it be allowed? [POLL]

On Wednesday, Facebook knocked over a privacy policy that kept underage users from posting publicly.

Users between the ages of 13 and 17 had up until now been allowed to share only with friends or friends of friends.

Now, the world is their oyster. They may share information with the general public.

Or, as privacy watchdogs see it, teens are now succulent morsels for marketers to slurp up.

The default setting until now has been to limit posts to friends of friends – kind of a door half-open thing. With Wednesday’s announcement, Facebook has closed the door a bit more on that, with the default for new teen users now set to limit posts to friends.

However, Facebook’s policy changes also now give them the option of opening the door all the way – allowing them to share posts with the general, teeming world of the internet, in all its glory, goodness, depravity and sheer, capitalist drive to sell more potato chips or sports drinks or what have you to those with not-yet-developed neural anatomy.

In a blog post, Facebook said the changes will give teens more control over what information they share with the public.

Teens will also be able to turn on “Follow” so that their public posts can be seen in people’s News Feeds. As always, Facebook said, followers can only see posts for which they are in the audience.

How will this privacy change affect teens? Privacy watchdogs don’t like it one little bit.

As it is, privacy groups were already up in arms before this change.

In September, they sent a letter to the US Federal Trade Commission (FTC), asking that the government take a closer look at Facebook’s proposed privacy changes and how those changes will negatively impact teens.

Of particular concern is a change to Facebook policy that would rubber-stamp the use of teenagers’ names, images and personal information to endorse products in advertisements.

One of the privacy watchdogs petitioning the FTC, the Center for Digital Democracy (CDD), said in a blog posting on Wednesday that letting teens post publicly is yet another blow to privacy safeguards.

In fact, Facebook’s claims that the change will bolster teens’ privacy is bogus, the CDD charges:

Facebook is being dishonest with parents and teens. To parents and teens, Facebook is claiming they are giving them more options to protect their privacy. But in reality, they are making a teen’s information more accessible, now that they have the option to post publicly. Today’s announcement actually removes a safeguard that teens currently have, that they only can expose (share) their posts with friends of friends. Under Facebook’s new plan, a teen can share their information with anyone on Facebook or the Internet.

Beyond that, the CDD says, allowing teens to post publicly pretty much boils down to a win for companies that will be able to more easily hawk things such as junk food at teens:

[The privacy policy] change … potentially [gives] teens the same exposure that adults have on its platform. As marketers stealthily mine social media data, they will capture a teen’s public posts. That data will help create more robust data profiles of teens to be used for targeting. If a teen posts publicly—about a brand or not—it’s all available for marketers. Junk food and other companies have now been given a better opportunity by Facebook to target teens.

Besides more efficiently turning teens into marketing targets, Facebook’s latest announcement is, in my opinion, a declaration that Facebook lives on a different planet than the rest of us.

On this planet, teens (or their friends) apparently don’t accidentally post things publicly, such as a party invitation that leads to 600 gatecrashers trashing the home of parents away on vacation.

In its announcement, Facebook buttered up the teen demographic, saying this age group is “among the savviest people using social media,” and saying that “whether it comes to civic engagement, activism, or their thoughts on a new movie, they want to be heard.”

Maybe they do. Maybe they do.

But do they really want to be heard on Facebook?

I heard they’re hanging out at Tumblr, so maybe that’s wishful thinking on Facebook’s part.

What do you think? If you’re a parent, are you fine with the idea of your teen publicly posting?

Or does it haunt you with the specter of having your kid a) ruthlessly marketed at and/or b) posting truly embarrassing, potentially career-crushing Facebook updates?

Facebook says it takes teens’ safety “very seriously.”

That’s why it’s offering extra reminders before teens will be allowed to share publicly.

When teens choose “Public” in a posting’s audience selector, they’ll see a reminder that the post can be seen by anyone, not just people they know, with an option to change the post’s privacy.

If teens choose to continue posting publicly, they’ll be given one more reminder.

Parents, is that enough of a safeguard, to your mind?

Please share your thoughts in the comments section below.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/HThNNJ_flBo/