STE WILLIAMS

CISO Shares Strategies For Surviving The Inevitability Of Attacks

INTEROP — New York City — Chief information security officer Jay Leek says the reality that you can’t stop every cyberattack means security teams must double down on smarter detection of threats and attacks, rather than the traditional approach of mainly trying to prevent them.


Leek, who is the CISO at financial services and asset management firm Blackstone, says the more you know about your attackers and their M.O., the better chance you have of thwarting any real damage. That entails three shifts in mindset and strategy that security pros need to make, he says, to handle threats and attacks today: better visibility into threats and attacks, better intelligence about them, and a planned response rather than merely reacting to the latest threat, vulnerability, or incident.

“The reality is that bad guys have much more time on their hands than we do,” says Leek, who gave a presentation from the CISO’s perspective here at Interop yesterday. “If you’re focused on prevention and not much on detection, you are flying blind sometimes because you don’t necessarily know where you’re headed.”

Blackstone is adopting what John Pironti, president of IP Architects, says is a prime example of a risk-based model for security — one where security pros serve as advisers to the business on the real risks facing their firms, rather than as the naysayers they sometimes appear to the business side.

“Security is the output” of what the business’ risk profile defines, Pironti says.

Meanwhile, Leek estimates that most organizations spend about 70 percent of their capital, resources, and processes on prevention, but that model is no longer viable in today’s threat landscape. “Our programs, generally speaking, largely reflect the vendor landscape” of mainly prevention-based tools, he says. “Why is this? Because it’s sexier to sell prevention,” he says.

Security teams need to change up their strategy, he says.

1. Better visibility into attacks.
That means investing more in watching what’s happening not just on the network, but in the applications as well, Leek says. “You also need visibility into what’s happening at the host,” he says.

Leek has done this by working with other groups outside of the security team: He has been reaching out to Blackstone’s application developers and network teams to assist, he says. “It’s not just within the security organization. It’s amazing how much your application developers and network guys see.”

Leek says this cross-team collaboration can pay off quickly: A network alert from the IT team’s SolarWinds product flagged a 2-megabit-per-second connection from Shanghai to Bangkok, he says. “Why the hell did that happen?” he says. “Having this kind of visibility and collaboration” can thwart damage from attacks, he says.
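The SolarWinds alert above is the kind of check a security team can get from the network team’s existing flow data. The following is an added example, not Blackstone’s or SolarWinds’ code: it flags sustained, high-rate flows between sites that have no expected direct traffic. The site list, thresholds and flow records are constructed for illustration.

```python
"""Inter-site flow anomaly check: flag sustained, high-rate flows between
locations that have no business reason to talk to each other.

Added example; not Blackstone's or SolarWinds' code. Site list, thresholds
and flow records are all constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_site: str   # site that originated the connection (assumed IP-to-site inventory)
    dst_site: str
    src_ip: str
    dst_ip: str
    dst_port: int
    mbps: float     # sustained average rate over the sampling window
    seconds: int    # how long the flow has persisted


# Assumed business topology: only these site pairs are expected to exchange
# bulk traffic directly. Order does not matter.
EXPECTED_PAIRS = {
    frozenset({"NewYork", "London"}),
    frozenset({"NewYork", "HongKong"}),
    frozenset({"London", "HongKong"}),
}

# Thresholds chosen to ignore keep-alives and short probes; tune per environment.
MIN_MBPS = 1.0
MIN_SECONDS = 300


def unexpected_flows(flows, expected=EXPECTED_PAIRS,
                     min_mbps=MIN_MBPS, min_seconds=MIN_SECONDS):
    """Return (flow, reason) pairs for flows worth a human look.

    A flow is reported when it is sustained and fast AND its site pair is
    not on the expected list. Intra-site traffic is never reported here.
    """
    findings = []
    for f in flows:
        if f.src_site == f.dst_site:
            continue
        if f.mbps < min_mbps or f.seconds < min_seconds:
            continue  # too small or too brief to be a bulk transfer
        if frozenset({f.src_site, f.dst_site}) in expected:
            continue
        reason = (f"{f.mbps:.1f} Mbps for {f.seconds}s between {f.src_site} "
                  f"and {f.dst_site}, a pair with no expected direct traffic")
        findings.append((f, reason))
    return findings


# Constructed sample: a routine NY-London transfer, a brief Shanghai-Bangkok
# probe below threshold, the sustained 2 Mbps Shanghai-Bangkok flow, and
# an intra-site RDP session that is ignored by design.
SAMPLE_FLOWS = [
    Flow("NewYork", "London", "10.1.0.5", "10.2.0.9", 445, 5.2, 1800),
    Flow("Shanghai", "Bangkok", "10.7.0.20", "10.9.0.3", 443, 0.05, 30),
    Flow("Shanghai", "Bangkok", "10.7.0.20", "10.9.0.3", 443, 2.0, 900),
    Flow("London", "London", "10.2.0.9", "10.2.0.44", 3389, 3.0, 600),
]

if __name__ == "__main__":
    for flow, why in unexpected_flows(SAMPLE_FLOWS):
        print(f"[REVIEW] {flow.src_ip} -> {flow.dst_ip}:{flow.dst_port}: {why}")
```

The rate and duration floors are what keep this from paging on every DNS lookup between offices; the site-pair allow-list is the part that encodes business knowledge the network team has and the security team usually does not.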

“You can train application people to watch” for threats as well, he says. “I don’t have enough people, and I can’t find ones to hire, so I’m trying to figure out how to scale my organization outside the traditional security team,” he says.

2. Get more in-depth threat and attack intelligence.
Leek says security teams need to gather more useful intelligence. “It’s very important that we understand what’s happening in our own environment and in the world around us,” he says.

At the heart of this more drilled-down approach to threats and attacks is the goal of identifying the type of attacker targeting your organization, he says. “It’s very important to understand who the adversary is because this changes the way we respond,” Leek says. “You respond differently if you know it’s a targeted attack,” for example, and not a random one.

If you spot an attack group known for targeting your industry, then that likely means it’s going after your intellectual property, according to Leek, so you can lock down accordingly. “Attribution is key,” he says.

If you know who’s targeting you, you can respond more intelligently and efficiently, he says. If it’s just a random cybercrime attack aimed at stealing financial credentials or other information, you can take the infected machine offline and reimage it. “But if the targeted user is an executive [in the company] and the attack is cyberespionage, maybe you don’t want to take that machine offline or reimage it right away” so you can track the attacker’s movements and glean more intel, he says.

That’s how better intelligence can shape your response, he says.

Blackstone also now patches only for actively exploited vulnerabilities rather than each and every vulnerability out there, Leek says. With some 5,000 new bugs disclosed per year, there’s no way to keep up, he says. “You’re just chasing a number, and you never get to zero,” he says.

[Companies need to focus not just on fixing known vulnerabilities but on closing potential attack vectors. See Securing More Vulnerabilities By Patching Less.]

“It used to be a knee-jerk that ‘this is high risk.’ Now we know there’s exploit code [out there] and the adversary is using it,” and we patch for it, Leek says.

3. Shift from react to respond.
“Response is planned,” Blackstone’s Leek says.

A member of his team recently wrote an application that automates the integration of alerts for response and forensics, Leek says. It takes an alert generated by, say, the firm’s FireEye system and reports where that suspicious traffic got through and which indicators of compromise it includes.
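What such an alert-to-response tool does can be shown in a few dozen lines. The following is an added example, not Blackstone’s tool and not FireEye’s alert schema: it pulls the indicators out of a malware-callback alert, then matches them against firewall and proxy logs to name the egress devices that allowed the victim host to reach those indicators. The alert JSON, its field names and the log lines are all constructed for illustration.

```python
"""Enrich a malware alert with its indicators and the egress points that let
the traffic through, so a responder starts from a finished picture.

Added example; not Blackstone's tool and not FireEye's schema. The alert JSON
and the firewall/proxy log lines are constructed for illustration.
"""
import csv
import io
import json
import re
from ipaddress import ip_address

# Constructed alert. Field names are assumptions, not a vendor format.
ALERT_JSON = """{
  "id": "alert-1001",
  "type": "malware-callback",
  "src": {"ip": "10.20.30.40", "host": "WKS-EXEC-07"},
  "dst": {"ip": "203.0.113.55", "port": 443},
  "detail": "Callback to hxxp://update-check.example[.]net/gate.php; dropper sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
}"""

# Constructed egress log: timestamp,device,src,dst,dst_port,action
EGRESS_LOG = """2013-10-02T14:01:07Z,fw-nyc-edge1,10.20.30.40,203.0.113.55,443,ALLOW
2013-10-02T14:01:09Z,proxy-nyc-1,10.20.30.40,update-check.example.net,80,ALLOW
2013-10-02T14:02:11Z,fw-nyc-edge1,10.20.30.41,198.51.100.9,443,DENY
2013-10-02T14:03:40Z,fw-nyc-edge2,10.20.30.40,203.0.113.55,443,DENY"""

_SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def refang(text):
    """Undo the usual defanging so indicators compare equal to log fields."""
    return text.replace("hxxp", "http").replace("[.]", ".")


def extract_iocs(alert):
    """Pull hashes, IPs and URL hostnames out of an alert's free text and fields."""
    text = refang(alert.get("detail", ""))
    iocs = {"sha256": set(), "ip": set(), "host": set()}
    iocs["sha256"].update(h.lower() for h in _SHA256.findall(text))
    for cand in _IPV4.findall(text):
        try:
            ip_address(cand)
            iocs["ip"].add(cand)
        except ValueError:
            pass  # e.g. 999.1.1.1 matches the regex but is not an address
    iocs["host"].update(h.lower() for h in _URL_HOST.findall(text))
    iocs["ip"].add(alert["dst"]["ip"])  # the callback destination is always an indicator
    return iocs


def find_egress(alert, iocs, log_text):
    """Which devices ALLOWED the victim host to reach any indicator?"""
    victim = alert["src"]["ip"]
    targets = iocs["ip"] | iocs["host"]
    hits = []
    for ts, device, src, dst, port, action in csv.reader(io.StringIO(log_text)):
        if src == victim and dst.lower() in targets and action == "ALLOW":
            hits.append({"time": ts, "device": device, "dst": dst, "port": int(port)})
    return hits


def build_report(alert_json=ALERT_JSON, log_text=EGRESS_LOG):
    """One structured record a responder can act on without re-reading the alert."""
    alert = json.loads(alert_json)
    iocs = extract_iocs(alert)
    egress = find_egress(alert, iocs, log_text)
    return {
        "alert_id": alert["id"],
        "victim": alert["src"]["host"],
        "iocs": {k: sorted(v) for k, v in iocs.items()},
        "egress": egress,
        # Block rules go to exactly the devices that let the traffic through.
        "block_on": sorted({h["device"] for h in egress}),
    }


if __name__ == "__main__":
    print(json.dumps(build_report(), indent=2))
```

The DENY rows are kept in the sample on purpose: a device that already blocked the callback needs no new rule, and listing it as an egress point would send the responder to the wrong box.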

“This is an example of allowing us to automate a lot of processes we have put in place,” Leek says. “We’re planning for [attacks] to happen. We know it’s going to happen.”


Article source: http://www.darkreading.com/attacks-breaches/ciso-shares-strategies-for-surviving-the/240162184

Attacks On Volatile Memory Can Be Detected, Researchers Say

Elusive attacks on a computer’s volatile memory can be detected through a detailed analysis of processor behavior, according to new research.

Researchers at security vendor Triumfant have found that in-memory attacks introduce a delay in system calls that is typically beyond the normal variance of processing time. The ability to detect such attacks, which have generally eluded most security tools because they leave no data on disk, could enable enterprises to interrupt them before they do any damage, Triumfant says.

“There’s a temporal dimension to in-memory attacks that is detectable,” says John Prisco, CEO of Triumfant. “We’re seeing delays in system calls that are two or three times the norm, and it’s possible to isolate those processes and shut them down.”

In-memory attacks, recently dubbed advanced volatile threats (AVTs), let an attacker manipulate a computer’s random access memory (RAM) or other volatile state to redirect the computer’s behavior. AVTs allow attackers to steal data or insert malware, but because nothing is ever written to persistent storage, they can be difficult to detect.

Industry experts suspect that in-memory attacks are on the increase because they evade the prevalent defenses that rely on attack signatures and malware behavior analysis. Oded Horovitz, CEO and founder of security firm PrivateCore, last month presented his company’s findings on server in-memory attacks and recommended tools for encrypting such data.

“Hacking hasn’t changed,” said Daniel Clemens, owner of Packetninjas, in a recent Dark Reading report on low-level memory threats. “We still have code, we still have data. Exploiting memory corruption vulnerabilities is effectively flipping data to code for creative execution.”

So far, however, there is little industry data to back up experts’ suspicions about in-memory threats because most security analysis tools focus on stored data. Triumfant hopes its new research will help identify in-memory attacks and provide trend data over time.

“So far, we’ve only tested it in our own environment, but we’ve been able to see a clear pattern,” Prisco says. “System calls that take 20 or 25 milliseconds consistently go up to 50 milliseconds or more when there’s an in-memory attack. When you have processing delays like that — delays that are two or three deltas beyond the norm — then you know that something is not right.”

Triumfant is also working on a way to identify the memory objects responsible for the delays and remove them before they can execute, Prisco says.
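The timing signal Prisco describes is a baseline-and-deviation check. The following is an added example, not Triumfant’s code: it builds a mean and standard deviation from clean system-call latency samples, then reports only sustained runs above a sigma threshold, so a single slow page fault does not trip it. The latency values are constructed; in practice they would come from a tracer (strace -T, perf) and be kept per syscall and per host.

```python
"""Flag sustained system-call latency well above a per-host baseline.

Added example illustrating the timing signal Triumfant describes; it is not
Triumfant's code. Latency values are constructed; real samples would come
from a tracer such as strace -T or perf, keyed per syscall and per host.
"""
from statistics import mean, pstdev


def baseline(samples):
    """Mean and population std-dev of clean samples (no attack in the window)."""
    return mean(samples), pstdev(samples)


def latency_runs(samples, base_mean, base_sd, sigma=3.0, min_run=5):
    """Return (start, end, ratio) for each run of at least min_run consecutive
    samples above base_mean + sigma*base_sd. ratio is the run's mean latency
    divided by the baseline mean (the '2x or 3x' Prisco mentions).

    Requiring a run, not a single sample, keeps one slow page fault or
    scheduler hiccup from raising an alert.
    """
    threshold = base_mean + sigma * base_sd
    runs, start = [], None
    for i, value in enumerate(samples + [None]):  # sentinel closes a trailing run
        if value is not None and value > threshold:
            if start is None:
                start = i
            continue
        if start is not None:
            if i - start >= min_run:
                run_mean = mean(samples[start:i])
                runs.append((start, i - 1, round(run_mean / base_mean, 2)))
            start = None
    return runs


# Constructed trace (ms): a 20-25 ms baseline, then eight samples near 50 ms,
# then a lone 61 ms spike that must NOT trigger on its own.
CLEAN = [20, 22, 25, 21, 24, 23, 22, 20, 25, 24] * 4
TRACE = CLEAN + [50, 52, 49, 55, 51, 50, 53, 48] + [23, 22, 61, 21, 22]

if __name__ == "__main__":
    m, sd = baseline(CLEAN)
    for start, end, ratio in latency_runs(TRACE, m, sd):
        print(f"sustained slowdown, samples {start}-{end}: {ratio}x baseline")
```

Two knobs matter in deployment: the baseline must be learned from a window known to be clean (a hooked syscall contaminates its own baseline if you learn continuously), and min_run should be set from how many calls the monitored process makes per second, so that a real hook is caught within seconds but I/O stalls are not.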

“These in-memory attacks are going to become more attractive to the bad guys as conventional malware detection tools get better,” Prisco predicts. “It’s a way to execute the same attacks without being detected.”


Article source: http://www.darkreading.com/attacks-breaches/attacks-on-volatile-memory-can-be-detect/240162195

Creepy T-shirts designed to baffle Facebook facial-recognition software

Facebook loves your face.

It loves your face so much, it bought the Israeli start-up face.com for its facial-recognition technology in 2012.

It loves your face so so much, it uses this facial recognition – based off photos you’re already tagged in and soon your profile picture – to make it easier for your friends to tag you in photos.

Yes, Facebook definitely has, as Wired’s Kyle VanHemert put it, a mission “to secure its status as the world authority in who knows who – a constant, lumbering quest to improve its advertiser-serving ‘social graph’.”

How do you fight back? VanHemert suggested raising a stink with Facebook over the proposed policy changes, changing your profile picture to that of your dog, or – this option just in – buying a T-shirt printed with creepily distorted faces of celebrity impersonators, designed to give Facebook’s facial recognition technology a migraine.

[Image: Obama T-shirt, courtesy of Real Face]

The garments – dubbed the “REALFACE Glamoflage” T-shirts – were designed by Simone C. Niquille as part of her* master’s thesis in graphic design at the Sandberg Institute in Amsterdam.

The shirts are custom-printed and sell for around $65.

The prints feature distorted faces of celebrity impersonators – Barack Obama, Michael Jackson and others – with the aim of creating an easy way to befuddle Facebook’s pattern recognition algorithms, Niquille told Wired:

I was interested in the T-shirt as a mundane commodity… I was interested in creating a tool for privacy protection that wouldn’t require much time to think in the morning, an accessory that would seamlessly fit in your existing everyday. No adaption period needed.

The project was inspired in part by the “ugly T-shirt” envisioned by William Gibson, VanHemert writes.

Gibson’s imagined T-shirt hides the wearer from CCTV surveillance, which in turn is similar to a type of camouflage used by ships in World War I – dazzle camouflage – in which the ships were covered in conflicting geometric patterns meant to scramble their speed, range, size and heading.

The shirts’ strategy is the same, Niquille told Wired: they won’t hide you, but they will mess up whomever’s watching you:

They won’t keep your face from being recognized, but they will offer distraction.

[Image: Michael Jackson T-shirt, courtesy of Real Face]

How well they work also depends on how tightly they’re worn, she says: the tighter the fit, the better facial recognition will be able to recognize the faces in the fabric when analyzing photos of the wearer.

Niquille’s thesis, titled FaceValue, is about what the designer calls “the (human) face’s value in a time of rapidly mutating standards and techno norms” – presumably, that includes biometrics, privacy and pattern recognition.

I say “presumably” because her writing tends to the poetic rather than the strictly expository.

An example:

FaceValue is what you and I will have left after CCTV gets hooked to the Facebook databank and parents look younger than their children. FaceValue is what will make a Britney lookalike earn more than Spears herself. FaceValue is what will remain after contemplating the appropriate nose for the day. FaceValue is what you’ll consider while putting in a new chimplant order at RapidAesthet3d the morning after. FaceValue is what stares back at you and me, relentlessly reflected in the surrounding screens as they fade to black.

In fact, the shirts are only one part of her thesis, which also encompasses two other projects: FaceBay, an online marketplace to buy and sell visages, and FaceValue: Accessories, which examines ways in which technology could enhance or augment a user’s physical face – from contact lenses that emitted an image-obfuscating reflection triggered by a camera’s flash to the Chin+, a 3D-printed prosthetic that offered a more prominent jaw, optimized for FaceTime or Skype video calls, as Wired describes it.

Is this a good way to fend off facial recognition?



*Wired’s article uses both male and female genders to refer to the artist, and as of the time this article posted, I hadn’t been able to determine which is correct, so I went with “she”.

T-shirt images courtesy of Real Face.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/O6LuAOnSw7M/

Feds cuff ‘Dread Pirate Roberts’, stomp internet drug bazaar Silk Road


The notorious online drug market Silk Road has been shut down by the FBI, its suspected operator arrested and charged with narcotics trafficking conspiracy, computer hacking conspiracy, and money laundering conspiracy, and $3.6m worth of the bitcoin crypto-currency has been confiscated by federal agents.

The site’s alleged founder and main operator, Ross William Ulbricht, aka “Dread Pirate Roberts” (DPR), was arrested in a public library in San Francisco on Tuesday. Silk Road’s Tor-based drug bazaar was shut down on Wednesday, and users visiting the site were met with an FBI takedown notice.


Ulbricht made a number of operational security mistakes that linked his identity with various online personas associated with Silk Road, according to the FBI criminal complaint. However, the filing gives no detail about how the FBI gained access to the Tor server on which the site was hosted, an omission sure to disturb members of the security community at a time when new information is coming to light about the advanced capabilities of America’s spy agency, the NSA.

“Silk Road has emerged as the most sophisticated and extensive criminal marketplace on the Internet today,” FBI agent Christopher Tarbell wrote in the FBI’s criminal complaint. “From in or about January 2011, up to and including in or about September 2013, ROSS WILLIAM ULBRICHT, a/k/a “Dread Pirate Roberts,” a/k/a “DPR,” a/k/a “Silk Road,” the defendant, owned and operated an underground website known as “Silk Road,” that provided a platform for drug dealers around the world to sell a wide variety of controlled substances via the Internet.”

[Image: Silk Road shut for business]

Silk Road ran as a hidden service on the Tor anonymity network and only accepted payment in the pseudonymous Bitcoin cryptocurrency. The FBI gained access to a Tor server on which the site was hosted and took a snapshot of it in July 2013.

The price of Bitcoin crashed on Wednesday morning after news of the shutdown broke, adding grist to the characterization by Benjamin Lawsky, superintendent of the New York Department of Financial Services, of the currency as “a virtual Wild West for narcotraffickers and other criminals”.

[Image: The Bitcoin exchange rate slumped after the site was taken down]

The FBI says in its statement that it had “located in a certain foreign country the server used to host the Silk Road’s website,” and had gained access to it via a “mutual legal assistance request”.

This calls into question many of the widely-held beliefs about the security and anonymity of the Tor service.

There is also evidence that Ulbricht may have implicated himself and, through lax security practices, betrayed the details of the Tor servers.

One slip-up was a posting on the programmer Q&A site Stack Overflow under the name Ross Ulbricht that asked “How can I connect to a Tor hidden service using curl in php?”, before the account name was changed to “Frosty”. An FBI subpoena turned up the original account name.

Another screw up came with postings on two forums under the user name “Altoids” in early 2011 advertising the Silk Road, before posting several months later under the “Altoids” username on a Bitcoin forum asking for “IT pro in the bitcoin community” to help out on a “venture-backed company,” then advising them to contact the email address rossulbricht at gmail dot com.

The FBI also obtained data from Google on this Gmail account which closely associated access with separate logins to the Silk Road from similar locations in San Francisco.

Ulbricht had also arranged to have some nine fake identity documents sent to him for the purpose of procuring new servers. The documents were intercepted by US Customs and Border Protection officials in early July 2013, and led them to pay a visit to Ulbricht in San Francisco on July 26.

Ulbricht’s alleged online alias ‘Dread Pirate Roberts’ had made numerous postings on Silk Road seeking identity documents from users. This is a rookie mistake that breaks the late rapper the Notorious B.I.G.’s advice to dealers and lowlifes: “don’t get high off your own supply”.

A further point of compromise was that Ulbricht’s real-life Google+ profile had shared videos from the obscure economics thinktank the Ludwig von Mises Institute; the same videos were linked to in the signature of the Dread Pirate Roberts account on Silk Road.

According to the complaint, Ulbricht employed several administrators on the Silk Road paying them $1,000 to $2,000 a week. They called him “boss” and “captain” the FBI said.

Bitcoin murder contract

The complaint states that Silk Road made scads and scads of cash, generating some $1.2bn in Bitcoin transactions, of which $80m was siphoned off by Dread Pirate Roberts during the course of its life. But it was not without problems, the FBI claims.

The complaint accuses Ulbricht’s alleged online alias Dread Pirate Roberts of paying a third-party to murder another user of the site, who was trying to extort him.

The Dread Pirate Roberts was contacted in March 2013 by a Silk Road user “FriendlyChemist” claiming to have the details of thousands of the buyers and sellers on the anonymous illegal drug and services marketplace.

“FriendlyChemist” attempted to extort some $500,000 from him in exchange for the information, and eventually stated he needed the money because they owed money to a group of suppliers that used the Silk Road handle “redandwhite”.

Dread Pirate Roberts allegedly got in touch with redandwhite and, when FriendlyChemist continued attempting to extort him, asked if they could have the user killed. Dread Pirate Roberts then supplied them with information on FriendlyChemist, including the person’s whereabouts (British Columbia, Canada), the FBI states.

“I would like to put a bounty on his head if it’s not too much trouble for you. What would be an adequate amount to motivate you to find him? Necessities like this do happen from time to time for a person in my position,” Dread Pirate Roberts wrote to redandwhite, who suggested a cost of between $150,000 and $300,000. They settled on a price of $150,000, which was transferred in bitcoins.

Though redandwhite claimed to have offed the person in question, and at the request of Dread Pirate Roberts sent a photo of the body, the FBI says the Canadian Police are not aware of any homicide associated with this case. Nor do they have information on anyone with the details of the aforementioned “FriendlyChemist”.

The shutdown of Silk Road follows the vanishing of Tor-hosted file-sharing service Freedom Hosting in early August, and the similarly unexpected and unexplained shutdown of rival Tor-hosted drug mart Atlantis in September.

“Regrettably it has come time for Atlantis to close its doors. Due to security reasons outside of our control we have no choice but to cease operation of the Atlantis Market marketplace. Believe us when we say we wouldn’t be doing this if it weren’t 100% necessary. Due to the urgency we are allowing all users to withdraw all their coins for one week before the site, and forum, are shut down permanently,” Atlantis wrote at the time.

Perhaps they knew something the Dread Pirate Roberts didn’t? ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/02/silk_road_shutdown/

Yes, NSA ‘experimented’ with slurping US mobes’ locations


Analysis The US National Security Agency has recently admitted to experimenting with bulk collection of mobile phone locations, but denied it ever actually used the information.

This is unlike its European contemporaries, which apparently devolved the task of collecting mobile phone data to the network operators years ago.


The NSA project was an unsuccessful pilot, according to the Director of National Intelligence, James R Clapper. He told the Senate Judiciary Committee about the experiment on Wednesday, but denied there was any ongoing analysis of the data the NSA covertly slurped, as the New York Times explains.

But in Europe, network operators are obliged to keep the very same data, just in case law enforcement fancies a look at it.

Back in 2009, a German politician requested access to his location data from T-Mobile. Following various legal challenges the operator eventually complied and the newspaper Die Zeit put it together into an animated map which shows just what the European authorities can do, if they’re minded to.

The difference – and it’s an important one – is the presence of judicial oversight. An agency wanting access to European phone records, which are kept for at least a year, has to apply through the nominated Single Point of Contact (SPOC) which is actually a significant, if whispered, department within every police force and network operator, ready to supply thousands of requests for data every week.

Requests have to be proportional to the crime being investigated and are generally restricted to “was this phone in this location at this time” but can vary. A suspicious death connected to the owner of a particular phone may warrant the authorities slurping its location data for the last 24 hours, while an abducted child might warrant an urgent check for current information.

One of the key deterrents against agents of the state engaging in fishing expeditions is the price charged by mobile operators for access to the data they hold. Naturally, speedy access to data and access to large swathes of it tends to attract higher fees.

Exactly how much they charge, they won’t say. Operators are only supposed to cover their costs. The fact that a budget is needed for every enquiry helps prevent the more obvious checking up on lovers, and the like which the NSA has admitted occurs in its network.

Most of us trust the police, and most Americans (just about) trust their government, but we might not trust the individuals who comprise these bodies. Perusing the Facebook page of an old partner is almost irresistible. Imagine how much more seductive it would be if one could overhear their phone calls too. Such a system needs robust oversight to prevent humans succumbing to their natural tendencies.

The problem here isn’t that the NSA was tracking phones, or that it requested data from internet companies; the problem was that it did so in the shadows.

Here in Europe we’re doing much the same thing, on a bigger scale and with more success. It’s hard to count foiled terrorist plots, but the same rules solve numerous crimes every day. Most of us don’t want to hide our location from the police or the secret services – but we might want to hide from the humans who make up those forces. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/03/nsa_admits_tracking_us_cellphones/

Secure Mentem Releases National Cyber Security Awareness Month Support Package

Annapolis, MD (PRWEB) October 02, 2013

In support of National Cyber Security Awareness Month (NCSAM), sponsored by the Department of Homeland Security, Secure Mentem, Inc. today launched a new offering, its National Cyber Security Awareness Month Support Package. This support package provides a review of an organization’s current security awareness efforts and then provides the right materials and strategy required to roll out supporting cyber security awareness materials effectively. These materials include: daily tips, posters, newsletters, videos and other content. Secure Mentem also provides detailed instructions on how to hold events, such as bringing in speakers and showing movies, as well as creating interactive experiences such as creating mock cubicles and holding contests.

National Cyber Security Awareness Month (NCSAM) is one of the most successful initiatives for promoting security awareness, which has become a top concern for many organizations. While many organizations already have awareness programs in place, Secure Mentem’s NCSAM Support Package provides a turnkey program for those that do not.

“National Cyber Security Awareness Month is a great time to take advantage of our nationwide effort to promote a strong culture of security education and awareness, however it has to be done effectively, in a way that will be impactful and memorable,” said Ira Winkler, President of Secure Mentem. “Our new NCSA package is easy to implement and gives enterprises the tools they need to improve their security posture by educating employees.”

Added Winkler, “As we’ve seen with many data breaches, all it takes is one phishing attack and one vulnerable employee to hand over the keys to the kingdom to the bad guys. Secure Mentem is dedicated to improving cyber security training and awareness not only during NCSA month but also as a year-round effort for all organizations.”

Changing Employee Behaviors, Not Just Checking the Box

“It is traditionally difficult for security teams to obtain support for their efforts. National Cyber Security Awareness Month provides the motivation for organizations to support their security teams,” said Jay Leek, Chief Information Security Officer at Blackstone. “Secure Mentem’s NCSAM Support Package provides an inexpensive and efficient way for organizations to take advantage of the support, and then maintain and grow that support.”

Secure Mentem continues to innovate in the security awareness field by constantly addressing real-world problems with highly effective awareness programs.

About Secure Mentem

Secure Mentem, Inc. focuses on the human aspects of information security. Founded by world-renowned experts in the human aspects of security, Secure Mentem integrates their ongoing research efforts into delivering world-class awareness, social engineering, and related security solutions. Secure Mentem is dedicated to changing employee security behaviors by addressing all aspects of human security concerns, and provides both custom services and its flagship on-demand Security Awareness as a Service solution. Our services and solutions are tailored to organizational cultures and business needs.

Article source: http://www.darkreading.com/end-user/secure-mentem-releases-national-cyber-se/240162172

Identifying And Discouraging Determined Attackers

[The following is excerpted from “Identifying and Discouraging Determined Attackers,” a new report posted this week on Dark Reading’s Advanced Threats Tech Center.]

George S. Patton said, “Nobody ever defended anything successfully — there is only attack and attack and attack some more.” So, is it possible to strike back at your attackers? And more importantly, is it the sensible thing to do?

“Strike back,” “active defense” and “hack back” are terms being used to describe an active response to continuous attacks and breaches. The nature of these responses — and whether they should incorporate an offensive component — is a gray area. These measures can range from reconfiguring defenses ahead of a predicted attack to sending threatening emails, filing lawsuits, operating cyber espionage campaigns and launching cyber attacks of your own.

No matter what the response, you have to first determine where attacks are originating from, who is behind them and what they are looking to achieve. However, the nature of cybercrime makes 100% accurate attribution virtually impossible. Knowing exactly who or what to “deter” is very difficult in cyberspace, as attackers use proxy servers and compromised computers to disguise the origins of their attacks.

Does fighting back make good business sense? Any form of threat deterrence should be evaluated just like any other business activity: You must weigh the costs involved against the damage and losses the organization is incurring from the attacks. Many organizations won’t have the in-house skills needed to carry out this kind of intelligence, so outside experts will often need to be hired.

What are the longer-term benefits and risks? While disrupting an adversary’s operations may give a temporary sense of satisfaction, there’s no evidence as yet that it provides long-term protection for Internet-connected systems.

Indeed, accurately evaluating the possible benefits of threat deterrence is hampered by the lack of hard evidence that using aggressive tactics actually does stop hackers. Those who have implemented strike-back capabilities are unlikely to share their experiences, particularly if they are using potentially illegal methods. Also, the effectiveness of a particular approach will depend very much on the type of adversary faced, and any strike back may provoke further, more destructive attacks. Situations where retaliation and force are used have a tendency to escalate hostilities.

Sending emails warning of prosecution is unlikely to be effective, while sending malicious attachments is fraught with legal problems. There have been reports of physical violence being used, with one company claiming that its representatives visited perpetrators with baseball bats. This form of deterrence, even if it does occur, isn’t really practical if the perpetrators are based, say, a 12-hour flight away. And an enterprise isn’t really in a position to send heavies to visit the local Chinese Embassy.

A denial-of-service attack could occupy an attacker’s human and physical resources, putting it on the defensive. Most organizations are short on IT resources already, though, even without taking on this kind of questionable activity. Strike back doesn’t scale, either, as it would be exhausting to respond to each and every attack, while concentrating solely on one suspected adversary will leave network defenses undermanned to deal with attacks from elsewhere. Taking out a command-and-control server would hamper an attacker’s ability to deliver and manage attacks, but C&C servers are usually compromised machines belonging to legitimate users and businesses.

Some enterprises believe that hacking back is an option as long as nobody finds out. The Commission on the Theft of American Intellectual Property even believes that if the damage from malicious hacking continues at current levels, the government should consider allowing American companies to counterattack. A survey of 181 delegates at Black Hat 2012 found that more than a third had already engaged in some form of retaliation against hackers. Concerns about cyber vigilantism haven’t deterred financiers from investing in active defense firms, either; is a hacker really going to sue for unauthorized access?

Although cybercriminals can effectively hide behind the very laws they flout, legislation allowing companies to effectively build private cyber armies is unlikely. This means there is a real risk that certain types of counterattack cross the line between defending oneself and being a vigilante. Computer hacking is broadly defined as intentionally accessing a computer without authorization or exceeding authorized access, and laws covering computer crimes have been enacted in countries around the world.

Lack of attribution could easily lead to the equivalent of collateral damage — an attack could take down important systems and cause more chaos and damage than any hacker.

To find out more about your options for active defense — and what can be done legally to discourage determined attackers — download the free report.


Article source: http://www.darkreading.com/attacks-breaches/identifying-and-discouraging-determined/240162182

Zero Access, vulnerability disclosure and the evils of RTF

Day one of the Virus Bulletin 2013 Conference is over and it would appear that a good time was had by all.

The conference kicked off with a keynote speech by ESET North America CEO Andrew Lee.

Lee explored the ethical complications he believes the anti-virus industry faces as nation states begin to have a more vested interest in “state malware” remaining undetected.

Considering I heard a lot of support and complaints, it is fair to say that it must be an interesting topic. Interesting enough to argue over anyhow.

After Lee’s talk, SophosLabs UK researcher James Wyke was up with his talk, “Back channels and bitcoins: ZeroAccess’ secret C&C communications”, where he dove into the latest developments he has uncovered about the Zero Access botnet.

Wyke explored areas beyond his previous research on Zero Access, demonstrating the network traffic obfuscation, the bot herder’s quick response to research papers, and a novel revenue-generating model.

I had the opportunity to interview James after his talk. At just shy of 8 minutes, I think it is worth giving it a listen.

Listen to this episode: Sophos Security Chet Chat #118.33 (MP3, 2 October 2013, duration 7’49”, size 7.5MB)

Tom Cross from Lancope and Holly Stewart from Microsoft presented some thought provoking data on vulnerability disclosure in their talk “Can alerting the public about exploitation do more harm than good?”.

They explored the different approaches to vulnerability disclosure and compared how effective they are at protecting the public when you first consider how widespread attacks are before the wider criminal world knows about them. Thought provoking indeed.

While some consider RTF documents to be simple text files, malware researchers have known better for quite some time.

Paul Baccas, a former colleague of ours, presented his research on targeted document attacks titled “Between an RTF and OLE2 place: an analysis of CVE-2012-0158 samples”.

Baccas explained how the complexity and non-uniform implementation of even seemingly simple file types like RTF are being abused by attackers performing targeted phishing attacks.

While conferences like Virus Bulletin are focused on ground-breaking research and an opportunity for experts to collaborate on detection strategies, they are also about relationship building.

In a desperate attempt at defending our honour, Vanja Svajcer of SophosLabs Croatia and Gabor Szappanos of SophosLabs Hungary took on the team from GData. We won’t discuss the results, but will leave it at “a fun time was had by all”.


Tomorrow I will bring you all the latest from Berlin, including another mini Chet Chat. Stay tuned!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WHLADGOM4jI/

8 tips for safer online banking

Piggy bank. Image courtesy of Shutterstock.

Online banking is nice and convenient. But it does come with certain risks. Just as you hear of people being robbed at ATMs, or having their cards cloned, so online accounts are also a point of vulnerability.

Follow these 8 tips and you can minimise the risks to your finances and bank safely online:

1. Choose an account with two factor authentication

Try to get a bank account that offers some form of two factor authentication for online banking.

These days many, but not all, banks offer a small device that can be used to generate a unique code each time you log in. This code is only valid for a very short period of time and is required in addition to your login credentials in order to gain access to your online account.

2. Create a strong password

If your bank requires a user-generated password in order to access online accounts make sure you choose one that is strong. The best way to achieve this is by making it long and a mix of upper and lower case letters, numbers, and special characters.

Always avoid using any common words or phrases and never create a password that contains your name, initials, or your date of birth. If your bank allows it, change your password every few months.

When setting up online banking, if your bank asks you to provide answers to some standard security questions remember that the answer you give doesn’t have to be the real one.

So you don’t have to answer “Thumper” to the name of your first pet – make it something else, as if it was a password. Use a password manager if you are concerned about how to remember everything!

3. Secure your computer and keep it up-to-date

Security software is essential these days, regardless of what you use your computer for.

As a minimum, make sure you have a firewall turned on and are running antivirus software. This will ensure you are protected from Trojans, keyloggers and other forms of malware that could be used to gain access to your financial data.

You’ll also want to keep your operating system and other software up-to-date to ensure that there are no security holes present.

4. Avoid clicking through emails

No financial institution worth their salt will send you an email asking you to provide any of your login details.

If you receive an email that appears to be from your bank that asks for such details then treat it with suspicion as it may well be a phishing attempt to trick you into handing your credentials over.

Phishing. Image courtesy of Shutterstock.

Likewise, be aware of links in emails that appear to be from your bank – this is a trick often employed by the bad guys to get you onto a website that looks like your bank. When you log in to ‘your account’ they will steal your username and password and, ultimately, your cash.

It is always safer to access your online bank account by typing the address into your browser directly.

Also, be aware of unsolicited phone calls that purport to be from your bank. While your financial institution may require you to answer a security question, they should never ask for passwords or PIN numbers (they may ask for certain letters or numbers from them, but never the whole thing).

If in doubt, do not be afraid to hang up and then call your bank back via a telephone number that you have independently confirmed as being valid.

5. Access your accounts from a secure location

It’s always best practice to connect to your bank using computers and networks you know and trust.

But if you need to access your bank online from remote locations you might want to set up a VPN (Virtual Private Network) so that you can establish an encrypted connection to your home or work network and access your bank from there.

Look for a small padlock icon somewhere on your browser and check the address bar – the URL of the site you are on should begin with ‘https’. Both act as confirmation that you are accessing your account over an encrypted connection.

6. Always log out when you are done

It is good practice to always log out of your online banking session when you have finished your business. This will lessen the chances of falling prey to session hijacking and cross-site scripting exploits.

You may also want to set up the extra precaution of private browsing on your computer or smart phone, and set your browser to clear its cache at the end of each session.

7. Set up account notifications (if available)

Some banks offer a facility for customers to set up text or email notifications to alert them to certain activities on their account. For example, if a withdrawal matches or exceeds a specified amount or the account balance dips below a certain point then a message will be sent.

Such alerts could give quick notice of suspicious activity on your account.

8. Monitor your accounts regularly

Gold coins. Image courtesy of Shutterstock.

It should go without saying that monitoring your bank statement each month is good practice, as any unauthorised transactions will be sure to appear there.

But why wait a whole month to discover a discrepancy? With online banking you have access 24/7 so take advantage of that and check your account on a regular basis. Look at every transaction since you last logged in and, if you spot any anomalies, contact your bank immediately.

The above tips should go a long way to ensuring that you enjoy the advantages offered by online banking without experiencing any of the pitfalls.

If you have any more advice to add to this, please do so in the comments below.

Safe banking to you all!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jj21BDdiCdk/

Creepy T-shirts designed to baffle Facebook facial-recognition software

Facebook logo.

Facebook loves your face.

It loves your face so much, it bought the Israeli start-up face.com for its facial-recognition technology in 2012.

It loves your face so so much, it uses this facial recognition – based off photos you’re already tagged in and soon your profile picture – to make it easier for your friends to tag you in photos.

Yes, Facebook definitely has, as Wired’s Kyle VanHemert put it, a mission “to secure its status as the world authority in who knows who – a constant, lumbering quest to improve its advertiser-serving ‘social graph’.”

How do you fight back? VanHemert suggested raising a stink with Facebook over the proposed policy changes, changing your profile picture to that of your dog, or – this option just in – buying a T-shirt printed with creepily distorted faces of celebrity impersonators, designed to give Facebook’s facial recognition technology a migraine.

Obama T-shirt. Image courtesy of Real Face.

The garments – dubbed the “REALFACE Glamoflage” T-shirts – were designed by Simone C. Niquille as part of her* master’s thesis in graphic design at the Sandberg Institute in Amsterdam.

The shirts are custom-printed and sell for around $65.

The prints feature distorted faces of celebrity impersonators – Barack Obama, Michael Jackson and others – with the aim of creating an easy way to befuddle Facebook’s pattern recognition algorithms, Niquille told Wired:

I was interested in the T-shirt as a mundane commodity… I was interested in creating a tool for privacy protection that wouldn’t require much time to think in the morning, an accessory that would seamlessly fit in your existing everyday. No adaption period needed.

The project was inspired in part by the “ugly T-shirt” envisioned by William Gibson, VanHemert writes.

Gibson’s imagined T-shirt hides the wearer from CCTV surveillance, which in turn is similar to a type of camouflage used by ships in World War I – dazzle camouflage – in which the ships were covered in conflicting geometric patterns meant to scramble their speed, range, size and heading.

The shirts’ strategy is the same, Niquille told Wired: they won’t hide you, but they will mess up whomever’s watching you:

They won’t keep your face from being recognized, but they will offer distraction.

Michael Jackson. Image courtesy of Real Face.

How well they work also depends on how tightly they’re worn, she says: the tighter the fit, the better facial recognition will be able to recognize the faces in the fabric when analyzing photos of the wearer.

Niquille’s thesis, titled FaceValue, is about what the designer calls “the (human) face’s value in a time of rapidly mutating standards and techno norms” – presumably, that includes biometrics, privacy and pattern recognition.

I say “presumably” because her writing tends to the prosaic rather than strictly expository.

An example:

FaceValue is what you and I will have left after CCTV gets hooked to the Facebook databank and parents look younger than their children. FaceValue is what will make a Britney lookalike earn more than Spears herself. FaceValue is what will remain after contemplating the appropriate nose for the day. FaceValue is what you’ll consider while putting in a new chimplant order at RapidAesthet3d the morning after. FaceValue is what stares back at you and me, relentlessly reflected in the surrounding screens as they fade to black.

In fact, the shirts are only one part of her thesis, which also encompasses two other projects: FaceBay, an online marketplace to buy and sell visages, and FaceValue: Accessories, which examines ways in which technology could enhance or augment a user’s physical face – from contact lenses that emitted an image-obfuscating reflection triggered by a camera’s flash to the Chin+, a 3D-printed prosthetic that offered a more prominent jaw, optimized for FaceTime or Skype video calls, as Wired describes it.

Is this a good way to fend off facial recognition?

Will you be ordering a T-shirt? Let us know in the comments section below.

Oh, and if you’re on Facebook and want to hang out with people who use their faces to eyeball Facebook’s every last move, join Naked Security’s Facebook page.

*Wired’s article uses both male and female genders to refer to the artist, and as of the time this article posted, I hadn’t been able to determine which is correct, so I went with “she”.

T-shirt images courtesy of Real Face.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Gt3SdJX7ruY/