STE WILLIAMS

Fixating On The Edges

As security folks, we’re trained to look for holes. To identify threat vectors that could result in successful attacks and/or data loss. We need to go through the mental exercises (and sometimes real-life pen tests) to feel good that we’re doing our best to meet our charter and protect our information. But at times this mindset can lead even experienced folks down dark alleys and result in getting wrapped up in what I’ll call “edge cases.” You know, fixating on our inability to stop 5% of the attacks, while losing sight of the 95% of attacks you are far more likely to see.

I wish this epiphany was my idea, but per usual it’s because I spend a bunch of time talking to really smart folks kind enough to share their wisdom and perspectives to benefit the rest of us. As I was facilitating a meeting of 20+ CISOs earlier this week, one of the attendees made the point that we (as a business) get so wrapped up on blocking “all” the attacks that we lose sight that it’s not possible to block all the attacks. We want to give a thumbs down to something because there are very random and difficult ways to exploit it.

We’ve seen this over and over again, a point I made in my last column that some folks have a vested interest in dousing the flames of a new and hot innovative technology. Security research correctly focuses on whether something can be broken and how, not necessarily how scalable or practical an attack.

To illustrate my point, let’s revisit the attack the CCC published which showed how to beat TouchID with a 3D mold of a fingerprint captured from the device. From the article: “Essentially, CCC researchers demonstrated that an attacker with physical access to the phone could take a picture or scan the fingerprints of the device’s owner and use that to create a mold of the fingerprint to launch an attack.”

Good thing you got that MakerBot and have a stack of photo-sensitive PCB material lying around, right? Let’s be realistic about the value of that device. Are there launch codes on it? Does it possess the combination to the ten ton lock guarding Fort Knox? The map to the Holy Grail? There would have to be something similarly valuable to warrant producing a 3D mold to gain access to a phone.

It’s like I tell my kids after they get a bunch of money for their birthday: “Just because you have the money, doesn’t mean you should spend all of the money.” Same goes for security. Just because an attack is possible, it doesn’t mean it’s probable. And we, as an industry, get wrapped up in newfangled ways to defend against the improbable.

Ultimately security, like everything else, involves making a bet. You are betting your job that you’ve got the right people, processes and technologies in place to protect your critical devices and information. To be clear, that’s a bad bet — but it’s the only bet you have. To maximize your likelihood of success and minimize the need to start a job search, you need to play the odds. That means you may have to consciously decide to leave the edge cases unprotected, while making sure you can stop the most probable attacks.

Of course, it’s more art than science to figure out which of those attacks are most probable. But that’s another story for another day. Just keep in mind: if the attack you read about in this here fine publication requires a MakerBot, or a can of dry ice, or an oscilloscope, or a soldering iron, and physical access to the device, then you can address that risk once you have mitigated all of the likely attacks you’ll face. Which is basically the day before never.

Mike Rothman is President of Securosis and author of The Pragmatic CSO

Article source: http://www.darkreading.com/vulnerability/fixating-on-the-edges/240161884

Apple releases iOS 7.0.2

Apple has shown an open pair of ears and a lively pair of heels in dealing with two lockscreen bugs that it introduced with iOS 7.

Well done, Cupertino!

(To all hardcore Apple fans reading this: that’s not irony. I really mean it.)

The fruity company has just released iOS 7.0.2, fixing the following:

Apple isn’t saying too much about the first hole, letting on neither how it came about nor what needed fixing.

But the company has been reasonably frank in revealing what caused the second vulnerability:

A NULL dereference existed in the lock screen which would cause it to restart if the emergency call button was tapped repeatedly. While the lock screen was restarting, the call dialer could not get the lock screen state and assumed the device was unlocked, and so allowed non-emergency numbers to be dialed. This issue was addressed by avoiding the NULL dereference.

There are three interesting issues buried in here, and it’s probably worth glancing at all of them.

NULL dereferences

Firstly, translating into English, a NULL dereference, also known as a null pointer error, is caused by mismanagement of memory.

When you ask the operating system to reserve a block of memory for your program to use, it typically hands you back the actual memory address you’ve been given, as a numerical value.

If you use the wrong address things will usually break; the operating system may or may not notice, and may or may not be able to do something about it.

It’s a common sort of bug to get the address wrong by a small amount – that’s a buffer overflow, where you overshoot or undershoot, possibly only by a single byte.

It’s also a common sort of bug to access some utterly improbable memory address, by completely messing up the pointer variable where the address is stored.

→ A stored address is known as a pointer, because it points at a memory location. That is about as close to “literary” as programming terminology gets.

And it’s also surprisingly common to try to access memory location zero, because in any operating system that takes security seriously, program variables that haven’t yet been initialised automatically have the value zero.

That’s a consistent way of making sure that uninitialised variables don’t contain data left over in memory from before.

A memory address, or pointer, that has the value zero is a NULL pointer, and any attempt to use it is a NULL dereference.

Most operating systems, therefore, deliberately ensure that memory address zero is off limits to all programs, and always trigger an error if anyone tries to access it.

This handily and automatically catches all null pointer errors, as happened here.

Of course, it’s almost impossible to determine what the programmer intended – who knows what memory location was supposed to be used instead?

So the operating system has little choice but to terminate any program that dereferences a null pointer.

Race conditions

Secondly, the interaction between the restarting lockscreen and the call dialling software is what’s known as a race condition.

There’s a point at which the call dialler checks the state of the lockscreen.

If the restarting lockscreen wins the race, and fires up before the dialler gets there, everything works fine; if the dialler wins the race, the lockscreen can’t tell the dialler what it needs to know.

Race conditions can be very hard to debug because they often occur only under unusual or contrived circumstances, as happened here.

(In this case, you can argue that Apple should make other software wait while the lockscreen is restarting, because of the key security function it performs.)

Failing open

Thirdly, the fact that the dialler assumes the best if it can’t query the lock screen status is a fail open situation.

Fail open can be desirable and correct, even if some aspects of security are reduced: that’s why electrically-operated security doors are typically held locked shut by the presence of power, so a power failure will release the lock and ensure the doors can be opened to let you escape.

(In this case, you can argue that Apple should code things to fail closed: if the lockscreen software doesn’t know or can’t tell you whether the phone is locked or unlocked, treat it as locked, for security’s sake.)
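As an added illustration of the three issues above (not Apple’s code, and not from the article), the following C model simulates a lock screen that hands out no state record while it is restarting, and three versions of a dialler that query it. The names lockscreen_query, dialler_allows_unchecked, dialler_allows_fail_open and dialler_allows_fail_closed are hypothetical; the “race” is modelled by a flag that stands in for the timing window during which the lock screen is restarting, rather than by real threads. The unchecked dialler shows the NULL dereference, the fail-open one shows the behaviour the advisory describes, and the fail-closed one shows the treatment the article argues for, with emergency calls still allowed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical lock-screen state record (constructed for this example). */
typedef struct {
    bool locked;
} lockscreen_state_t;

/* Simulated lock screen. While it is "restarting" it has no state record to
 * hand out, so the query returns NULL. Toggling the flag stands in for the
 * timing window in which the dialler can win the race. */
static lockscreen_state_t g_state = { .locked = true };
static bool g_restarting = false;

void lockscreen_set_restarting(bool restarting) { g_restarting = restarting; }
void lockscreen_set_locked(bool locked) { g_state.locked = locked; }

static const lockscreen_state_t *lockscreen_query(void) {
    return g_restarting ? NULL : &g_state;
}

/* Naive dialler: dereferences the state pointer without checking it. If the
 * dialler wins the race and calls this mid-restart, s is NULL and the read of
 * s->locked is the NULL dereference; the OS terminates the process. */
bool dialler_allows_unchecked(bool is_emergency) {
    if (is_emergency) return true;          /* emergency calls bypass the lock */
    const lockscreen_state_t *s = lockscreen_query();
    return !s->locked;                      /* crashes when s == NULL */
}

/* Fail-open dialler: survives the NULL, but treats "could not ask" as
 * "unlocked", so a non-emergency number goes through while the lock screen
 * is restarting. This is the behaviour the advisory describes. */
bool dialler_allows_fail_open(bool is_emergency) {
    if (is_emergency) return true;
    const lockscreen_state_t *s = lockscreen_query();
    if (s == NULL) return true;             /* unknown state assumed unlocked */
    return !s->locked;
}

/* Fail-closed dialler: unknown state is treated as locked. Emergency calls
 * still go through, so the safety property is kept while the security
 * property no longer depends on winning the race. */
bool dialler_allows_fail_closed(bool is_emergency) {
    if (is_emergency) return true;
    const lockscreen_state_t *s = lockscreen_query();
    if (s == NULL) return false;            /* unknown state treated as locked */
    return !s->locked;
}

int main(void) {
    /* Normal operation: phone locked, lock screen running. */
    printf("locked, running:    open=%d closed=%d\n",
           dialler_allows_fail_open(false), dialler_allows_fail_closed(false));

    /* The race window: lock screen restarting, dialler asks first.
     * dialler_allows_unchecked is deliberately not called here. */
    lockscreen_set_restarting(true);
    printf("locked, restarting: open=%d closed=%d emergency=%d\n",
           dialler_allows_fail_open(false), dialler_allows_fail_closed(false),
           dialler_allows_fail_closed(true));
    lockscreen_set_restarting(false);
    return 0;
}
```

The point of keeping the emergency-call check first in every variant is that failing closed does not have to mean failing unsafe: the one call that must always work is decided before the lock state is consulted at all.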

What to do?

You don’t need to know anything that I just told you about pointers, races and failure modes.

Just apply this patch.

Don’t listen to what the hardcore Apple fans might have said, in commenting on our earlier articles, about these not really being bugs “because all you have to do is not lose your phone.”

A locked phone should be locked.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Cbag5CQPHxQ/

Schoolboy arrested over Spamhaus DDoS, world’s biggest cyber attack

In March 2013, a distributed denial of service (DDoS) attack of unprecedented ferocity was launched against the servers of Spamhaus, an international non-profit dedicated to battling spam.

A DDoS is an attack wherein the servers of a targeted online service are slowed to a crawl with loads of pointless email or file uploads that clog up their processing ability.

The March Spamhaus attack peaked at 300 gigabits per second, Spamhaus CEO Steve Linford told the BBC at the time – the largest ever recorded, with enough force to cause worldwide disruption of the internet.

In April, one suspect was arrested in Spain.

Now, it’s come to light, another suspect was also secretly arrested in April – this one being a London schoolboy.

The 16-year-old was arrested as part of an international dragnet against a suspected organised crime gang, reports the London Evening Standard.

Detectives from the National Cyber Crime Unit detained the unnamed teenager at his home in southwest London.

The newspaper quotes a briefing document on the British investigation, codenamed Operation Rashlike, about the arrest:

The suspect was found with his computer systems open and logged on to various virtual systems and forums. The subject has a significant amount of money flowing through his bank account. Financial investigators are in the process of restraining monies.

Officers seized his computers and mobile devices.

The boy’s arrest, by detectives from the National Cyber Crime Unit, followed an international police operation against those suspected of carrying out the massive cyber attack, which slowed down the internet worldwide.

The briefing document says that the DDoS affected services that included the London Internet Exchange.

The boy has been released on bail until later this year, the London Evening Standard reports.

The arrest follows close on the heels of two other London-based arrests resulting from international cyber-policing:

  • Last week’s arrest of eight men in connection with a £1.3 million ($2.08 million) bank heist carried out with a remote-control device they had the brass to plug into a Barclays branch computer, and
  • The arrest of 12 men in connection with a scheme to boobytrap computers at Santander, one of the UK’s largest banks, by rigging the same type of remote-control device found in Barclays – devices that enable remote bank robbery.

Truly, the UK isn’t fooling around when it comes to cybercrime – a fact it’s making clear with the robust work of the National Cyber Crime Unit, which itself will soon be rolled into the even more cybercrime-comprehensive arms of the National Crime Agency.

The National Crime Agency, due to launch 7 October, is going to comprise a number of distinct divisions: Organised Crime, Border Policing, Economic Crime, and the Child Exploitation and Online Protection Centre, on top of also housing the National Cyber Crime Unit.

If the recent arrests are any indication, it would seem that the UK’s on the right track with cyber crime.

May cyber crooks, both the seasoned and the schoolboys, take heed.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_4W0jJ8zsKY/

Sky-high error in Apple Maps leads drivers onto airport runway

Well, OK, yes, there were signs saying they shouldn’t be driving along the taxiway.

Then there was the motion-activated gate. That was a little officious, but whatever. They drove through.

There were more signs, and lights, and true, painted markings, and there was, actually, something that suggested that airplanes might share that road and that maybe drivers should not be there at all.

They didn’t turn back, though.

“Don’t worry” they said. “We’re good!”

After all, they were using Apple Maps. What could possibly go wrong?

“They must have been persistent,” assistant manager Angie Spear at the Fairbanks International Airport, in the US state of Alaska, told the BBC in the best understatement ever when describing not one, mind you, but two motorists who in the past three weeks have driven not only along the taxiway and through the motion-detection gateway and way, way past all the signs telling them not to be there but also right across one of the runways – as in, the place where airplanes might squash you and your car like a metal/flesh panini.

According to the Alaska Dispatch, the drivers who followed the directions on their iPhones not only reached airport property, but also crossed the runway and drove right over to the airport ramp side of the passenger terminal.

The drivers were both out-of-towners who apparently trusted their Apple Maps more than signposts telling them to get the heck off the roads they were on.

The mapping application wasn’t telling drivers specifically to drive onto the runway, but it sure made it seem like that was the logical place to go, according to the Alaska Dispatch:

The turn-by-turn directions were specific, using the access route that general aviation pilots use to the East Ramp, which is on the other side of the runway from the main airport terminal.

The map directions concluded by telling drivers to go to Taxiway Bravo, shown as “Taxiway B” on the satellite image in the app. The directions did not tell drivers to cross the main runway used regularly by 737s and other aircraft.

But once drivers reached the taxiway, it was only natural for them to look up and see the terminal on the other side of the runway. So that’s where they drove.

Apple has reportedly issued a temporary fix, so that users searching for directions are told they’re “not available.” The earlier taxiway route no longer shows up.

The airport told the Alaska Dispatch that it had complained to Apple three weeks ago via the local attorney general’s office.

Melissa Osborn, chief of operations at the airport, said the airport was trying to avoid potential future paninis:

We asked them to disable the map for Fairbanks until they could correct it, thinking it would be better to have nothing show up than to take the chance that one more person would do this.

A “lot of legal speak” ensued, Spear told the Alaska Dispatch, but the issue wasn’t fixed until Wednesday, when Apple took directions to the airport off the map, unless users type in the exact street address for the terminal.

In the meantime barricades had been erected to block access to the final stretch of the taxiway.

Sadly, this is par for the course for Apple’s woebegone Maps.

The Maps app has been on iOS (then called iPhone OS) since the first generation of iPhones debuted in 2007. Up until the version released on 19 September 2012, however, Apple Maps was actually powered by Google Maps.

You know, Google Maps? The location app that takes drivers along a different, longer route to the airport’s car park? Without telling them to drive where they might get flattened? That one.

Since it debuted, Apple Maps has been the Rodney Dangerfield of maps apps: it gets no respect, but for very good reasons.

A selection from a vast collection of incidents:

  • Relocated landmarks, buildings in the middle of rivers, missing train stations, and relocated towns, according to Macworld.
  • The wrong location listed for the Apple Store in Sydney, Australia, as The Register reported.
  • Marking an entire city as a hospital, misclassifying a nursery as an airport, and identifying the nearest gas station to be as far as 76 miles away from the user’s location, as Gizmodo reported.

It’s all fun and games (mostly Hide and Seek) until somebody gets hurt.

Typically, Naked Security writes about information security, but in this most recent case of Apple Maps and the airport runway incidents, it’s a case of disinformation leading to serious, tangible, real-world security issues.

I don’t mean to be a Google fangirl, but Apple, you’ve been wandering in the wilderness since you divorced Google Maps.

Oh, and this should probably go without saying, but smartphone users, please, look up once in a while.

The scenery can be quite salubrious, particularly when it comes to signs telling you that your smartphone may have led you astray.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/2vtpl2hLL_k/

How to avoid being one of the "73%" of WordPress sites vulnerable to attack

A recent investigation has concluded that 73% of the 40,000 most popular websites that use WordPress software are vulnerable to attack.

The research, carried out by vulnerability researchers EnableSecurity and reported by WordPress security outfit WP WhiteSecurity, was conducted between Sept 12 and Sept 15 shortly after the release of the WordPress 3.6.1 Maintenance and Security Release.

WordPress is the most popular blogging and Content Management System (CMS) in the world and, according to WordPress founder Matt Mullenweg, it powers one in five of all the world’s websites.

As with any research of this kind we should apply a big pinch of salt.

In fact in this case we don’t need to supply our own salt because the research actually comes self-salted thanks to this hilarious rider at the bottom of the article:

The tools used for this research are still being developed therefore some statistics might not be accurate.

You have been warned.

So if the numbers might be wrong why am I bothering to reproduce them here? Because (in my opinion) they are probably true (well true-ish) and even if they aren’t they still highlight an important security issue which isn’t diminished one iota by their sketchiness.

As long as we go into this with our eyes open we’ll be fine.

The research did no more than set out to discover what versions of the popular CMS are in use by the top 1 million websites.

This singular focus is with good reason: the first rule of WordPress security is always run the latest version of WordPress.

If you aren’t running the very latest version of WordPress then the chances are you are running a version with multiple known vulnerabilities – bugs that criminals can use to gain a foothold on your system.

EnableSecurity’s scan of Alexa’s Top 1,000,000 discovered that 41,106 websites were running WordPress, a little over 4%.

They then determined that of those websites at least 30,823 were running versions of WordPress that have known vulnerabilities. From this they concluded that

73.2% of the most popular WordPress installations are vulnerable to vulnerabilities which can be detected using free automated tools.

Add your salt now.

Even if we take it as read that 73% of the sites are running vulnerable versions of WordPress we still can’t conclude that 73% are in fact vulnerable. There are common security strategies that the researchers didn’t test for, not least using a Web Application Firewall (WAF) that can put up a protective shield in front of vulnerable websites.

By the way, the first rule of WordPress security, always run the latest version of WordPress, holds true even for sites running behind a WAF. They are not mutually exclusive and should be considered as separate parts of a strategy of defence in depth.

In addition to skipping over reasons why the 73% might be a little on the high side the study also leaps acrobatically past a totally different set of reasons why it might be a bit on the low side.

The limited scope of the research meant that it didn’t account for other forms of automated attacks against WordPress installs such as targeting weak passwords or flaws in popular plugins.

As diaphanous as the study’s precision might be, the broad thrust is correct and it contains a useful message; users of WordPress need to be diligent about security because they are using software that is popular enough to be of interest to criminals who conduct large-scale automated attacks.

10 ways to keep your WordPress site secure

If you are running a website that uses WordPress here are 10 suggestions to help you avoid ending up in the 70% (or whatever large number it is) of vulnerable sites.

  • Always run the very latest version of WordPress
  • Always run the very latest versions of your plugins and themes
  • Be conservative in your selection of plugins and themes
  • Delete the admin user and remove unused plugins, themes and users
  • Make sure every user has their own strong password
  • Enable two factor authentication for all your users
  • Force both logins and admin access to use HTTPS
  • Generate complex secret keys for your wp-config.php file
  • Consider hosting with a dedicated WordPress hosting company
  • Put a Web Application Firewall in front of your website

For more on the subject of patching WordPress have a listen to Sophos Security Chet Chat 117, the latest 15 minute installment in our regular podcast series.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/d6vJvkRHM0k/

Rise Of The ‘Hit-And-Run’ APT

Yet another cyberespionage gang out of Asia has been discovered working on a for-hire basis as advanced persistent threat (APT)-type attackers shift gears toward a more focused, stealthy, “smash-and-grab” strategy using contracted hackers.


The newly discovered “Icefog” attack campaign, unmasked by Kaspersky Lab this week, features hit-and-run attacks on targeted Windows machines, where the attackers steal what they’re after and then get out. The attack also appears to be “beta testing” a Mac OS X backdoor, according to the researchers, who say it operates out of China, South Korea, and Japan.

Such a for-hire, commando-type operation at first glance may seem to contradict the “p” in APT — “persistent” — but researchers say the in-and-out attack is a better way to remain undetected and successfully complete their mission. “Getting in and out of networks quickly is generally going to be more covert than staying in long-term. Staying in longer does provide an attacker with the opportunity to exfiltrate the data more slowly,” says Roel Schouwenberg, senior researcher, in an email interview. “I think a lot of people have been using the term APT and cyberespionage interchangeably. This group is as persistent as it needs to be to get the job done.”

Moving in and out of the target’s network quickly suggests the attackers have been instructed to grab specific information, he says. “We do think this actor functions as a cybermercenary group,” Schouwenberg says.

The attackers plant a backdoor that’s directly and manually controlled by the attackers. It doesn’t automatically pilfer information and credentials like most traditional cyberespionage attacks do; instead, the attackers interact “live” with the infected machines. And additional backdoors and malware are placed on the victim’s machines for siphoning the data, as well as moving laterally within the victim’s network, Kaspersky Lab found.

Icefog’s unmasking follows that of a Chinese APT group called Hidden Lynx, which also operates on a for-hire basis, hacking specific targets for clients who commission them. Symantec, which published a whitepaper on the group and its attack methods earlier this month, found that the Hidden Lynx gang was behind water-holing attacks that targeted U.S. financial services firms, and also broke into Bit9’s server to gain access to its file-signing infrastructure in order to sign malware. It’s also connected to the infamous Operation Aurora attacks on Google, Adobe, Intel, and others.

Cyberespionage actors are performing more reconnaissance these days from inside-out as well as outside-in, says Tom Kellermann, vice president of cybersecurity at Trend Micro. Trend Micro lately has seen more “smash-and-grab” attacks by cyberspies, he says.

“It looks more like a commando-style op [now],” Kellermann says. “But keep in mind that, realistically, every time they do leave, they are leaving behind a remote access Trojan or a backdoor in some host” in order to maintain a foothold, he says. In some cases, they leave the backdoors on backup servers because those machines are rarely updated or changed, says Kellermann, whose company published a report this week on APTs.

Icefog, meanwhile, has been in operation since 2011. It has targeted mainly defense contractors in South Korea, Taiwan, and Japan, including government institutions, maritime and shipbuilding organizations, telecommunications providers, satellite operators, high-tech firms, and mass media. Kaspersky Lab says it’s likely the gang — which is still actively attacking victims — also targets interests in the U.S. and Europe.

The researchers sinkholed 13 of Icefog’s 70 or so domains to study the attack, and saw more than 4,000 infected IP addresses and several hundred victims. Among the defense contractors that appear to be in the bull’s eye of the campaign are Lig Nex1 and Selectron Industrial Company; shipbuilding firms DSME Tech and Hanjin Heavy Industries; telecom operator Korea Telecom; and media outlets Fuji TV and the Japan-China Economic Association. Kaspersky Lab says the attacks were not necessarily successful against those targets, however.

They spotted “a few dozen” Windows machines that were infected, along with more than 350 Mac OS X machines. The attackers were mostly stealing sensitive documents, email account credentials, and passwords to internal and external resources of the victims.

Unlike traditional APT attacks that linger for months or years, the Icefog attack lasts for a few days or weeks: Once the attackers get the information they were after, they leave — a more focused APT model that Kaspersky expects to become more popular.

“This is another cyberespionage attack featuring a Mac/OSX component. Businesses need to be thinking more about protecting their non-Windows machines,” Kaspersky’s Schouwenberg says.

[Cyberattacks could have real-world economic consequences in the oil and gas markets, even at the pump. See Destructive Attacks On Oil And Gas Industry A Wake-Up Call .]

Destructive APTs
Kellermann says APTs — which mostly are associated with stealing, not destroying information — could begin adopting a more destructive approach in the near future. “As we become better at incident response, we are going to see more manifestations of destructive payloads against you for turning off a CC,” for example, he says. “It’s not just political events that will be the harbinger of destructiveness … they will use this to punish organizations and to obfuscate what they’re doing on the network.

“They’ve done incredible levels of recon and know our networks better than we do, and know our critical failures.”

There has already been at least one high-profile case of this: The recent Dark Seoul DDoS and data destruction attacks on major South Korean banks, media outlets, and other entities were part of a four-year effort to steal information about South Korean military and government operations. The so-called Operation Troy also targeted U.S. Forces Korea, Republic of Korea, the Korean Department of Defense, and the U.S. Department of Defense, and the DDoS and data destruction attacks were merely serving as a smokescreen for the theft of military secrets about South Korea and the U.S., researchers from McAfee discovered.

Advanced threats, such as nation-state APTs, will be the topic of an Interop talk next week by Bit9 CTO Harry Sverdlove, who will present 14 lessons learned from actual advanced attacks.

The full Kaspersky Lab report on Icefog is available here (PDF) for download.


Article source: http://www.darkreading.com/attacks-breaches/rise-of-the-hit-and-run-apt/240161870

Report: 8 Out of 10 Users Infected With A Trojan

Trojans are king: They now account for more than three-quarters of all new malware created and 80 percent of all malware infections, according to new data published this week.

Some 77 percent of all new malware is a Trojan, while worms make up 11.3 percent, and viruses, 10.3 percent, of new malware, PandaLabs found in its second quarter 2013 threat report. The story is much the same for malware infections, with 79.7 percent due to Trojans, 6.7 percent due to viruses, and 6.1 percent due to worms.

“Cybercriminals use Trojans as a key tool to infect users, continually introducing changes to avoid detection, and, in many cases, automating the process of changing the Trojan,” says Luis Corrons, technical director of PandaLabs. “They use scripts and special tools in order to change the binaries run on victims’ computers to evade the signature-based detection used by antivirus firms.”

Overall, the volume of new malware samples rose in Q2 — 12 percent more than the same period in 2013, and 17 percent more than the first half of the year.

China is home to the most infected machines, with 52.4 percent of infections, followed by Turkey, with 43.6 percent, and Peru, 42.1 percent. Europe has the lowest infection rates overall: The U.K. is No. 1 there, with 24.5 percent.

Speaking of China, it got a bit of a reprieve from the spotlight as the main cyberespionage actor in Q2 after controversial NSA spying programs came to light, according to PandaLabs. “China continues to occupy many of the headlines regarding cyberespionage, although in this quarter, the USA has been in the eye of the storm after revelations about the PRISM program that the NSA used to obtain data from users of platforms such as Facebook, YouTube or Skype,” Corrons says.

The full PandaLabs report is available here (PDF) for download.


Article source: http://www.darkreading.com/vulnerability/report-8-out-of-10-users-infected-with-a/240161853

Cloud Security Corporation Corporate Update

NEWPORT BEACH, Calif., Sept. 26, 2013 /PRNewswire/ — Cloud Security Corporation, (OTCBB: CLDS) a leading cloud security company, provided the following update. The Company has consolidated its business operations under the name Cloud Security Corporation and recently changed its website to www.cloudsecuritycorporation.com. Company management is focused on continuing to develop cutting edge cybersecurity technology, raising additional operational capital and exploring prospective acquisitions.

“We’re very pleased by recent developments across the board in Cloud Security Corporation,” stated Safa Movassaghi, Chief Executive Officer, of Cloud Security. “We are currently in advanced negotiations with investors and continue to pursue acquisition targets in the technology sector. ”

About Cloud Security Corporation

Cloud Security Corporation is an innovative cloud computing company that creates security, technology, and products. The Company develops products in the remote-access computing sector including enhanced security connections. Cloud Security Corporation has developed patent-protected remote access security devices such as MyComputerKey(TM). The Company also develops online application security products and is expanding into other verticals.

For more information, visit:

www.cloudsecuritycorporation.com

Article source: http://www.darkreading.com/cloud-security-corporation-corporate-upd/240161894

Threat-Intel Sharing Services Emerge, But Challenges Remain

Six years ago, when Mike Hamilton, the chief information security officer for the City of Seattle, wanted to collaborate with other local municipalities, the federal government and critical-infrastructure providers to exchange threat information, no platform existed through which to share threat intelligence.

Instead, the City of Seattle, along with the U.S. Department of Homeland Security and the University of Washington, created a system based on a security information and event management (SIEM) system. Dubbed the Public Regional Information Security Event Management (PRISEM) system, not to be confused with the National Security Agency’s controversial PRISM project, the platform allows the City of Seattle’s information security team to collect threat information from federal agencies and security firms, develop indicators of compromise, and look for malicious activity across the networks of PRISEM members.

Using the system, analysts “can search all the monitored jurisdictions for the indicators of compromise in a number of ways, and we can notify them when we see them talking to bad places,” Hamilton says. “As a whole, we are able to get in front of threats a lot faster than if everyone was operating independently.”

The City of Seattle’s system is one of the few successful collaborations between organizations to share information on online threats, attacks and compromises. Fear of liability, a lack of trust between business rivals and still-developing standards have slowed the adoption of collaborative threat-intelligence platforms. In addition, the threat intelligence gained from such systems has often not been actionable, but a firehose of data through which an analyst was required to sift.

Yet, that may be changing. Last week, Hewlett Packard refreshed its security offerings, among them a threat-intelligence sharing environment known as Threat Central. Customers who subscribe to the system will be able to upload threat data from their HP ArcSight devices or any database compliant with the Structured Threat Information Expression (STIX) standard created by government contractor MITRE.

Working together is the only way to defend against the widespread attacks that companies, government agencies and educational institutions are seeing today, says Ted Ross, director of field intelligence for HP Security Research.

“The adversary figured this out a long time ago,” he says. “And if we don’t collaborate effectively as a community, then we will be attacked in ways that people are not expecting.”

HP’s Threat Central is only the latest threat-intelligence collaboration platform to arrive. A wide variety of other platforms have been created by large companies, small startups and even academic research groups.

Georgia Tech, for example, has created a system for malware analysis and threat-data sharing called Apiary, which can quickly analyze malware and return information to the more than 100 organizations working with the university on the beta project. Malware-analysis-as-service firm ThreatGRID has its own system for analyzing binaries and creating indicators of compromise from the files. The service, which processes up to 500,000 suspect files every day, allows teams to collaborate and share their findings with teams from other companies.

The Open Threat Exchange, a community-driven project managed by unified-security provider AlienVault, allows anyone using the Open-Source Security Information Manager (OSSIM) or AlienVault’s own product to upload threat data, investigate threats and download indicators of compromise.

Threat Connect, a threat analysis and collaboration environment created by security services firm Cyber Squared, pulls data from a number of sources to allow security analysts to more quickly triage and analyze threats.

“Threat intelligence is a really complicated area, so everyone has a different approach to providing a customer a solution for threat intelligence,” says Adam Vincent, CEO of Cyber Squared. “Collaboration is definitely a main part of that, but each company has a different perspective on the problem.”

Yet, all the firms face two common problems. When a threat information-sharing platform is small, the participants know each other and are more likely to share. But as platforms grow, distrust sets in: fewer companies share and more just consume information, says Dean De Beer, chief technology officer of ThreatGRID.

“The majority of companies are consumers,” he says. “You have people who are giving up a lot of data, and they will get tired of not getting much back.”

In those cases, the companies who run the services have to step up and add at least a baseline value to the service to keep the most productive customers coming back, De Beer says.

[Companies participating in threat-intelligence programs have suffered from too much information, and they struggle to deal with information that is neither actionable nor relevant. See Dolloping Out Threat Intelligence.]

While the disparity in the benefit that each customer gets is one problem, another issue is the lack of trust. Both the City of Seattle and another threat-information sharing system run by the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) have been successful because their constituents are not competitors. In the business world, that is a harder sell.

For that reason, Cyber Squared, HP, and Georgia Tech allow every member to share or restrict any information and do it anonymously.

“A big part of the challenge is getting commercial entities to cooperate,” says Lars Harvey, president of Internet Identity, which released a study on the challenges facing threat-intelligence sharing this week. “We have to figure out a way to get larger and broader exchanges going on.”

The industry also has to change the perception that it is taking information, creating a product or service, and not giving enough back, says Barmak Meftah, CEO of AlienVault. The security-management provider made its platform free to make customers more confident in its motives.

“The Achilles’ heel of the industry is that it is very vendor driven, and each vendor has a myopic view of these attacks,” he says. Intrusion detection vendors look for signatures, vulnerability management providers look for weak points in the network, and next-generation firewalls look for signs of malware on the network. “The concept of threat capture has been very myopic and very closed and captive.”

Yet, companies have to solve these problems and find ways to work together better, says Seattle’s CISO Hamilton. The attackers are benefiting from exchanging information on attack strategies, vulnerabilities and better ways of monetizing compromises. Defenders have to do it too, he says.

“From a 30,000-foot level, this is the way that the world needs to work,” Hamilton says. “The one-stop shop for sending all your threat information to a vendor, looking to boil that ocean—that doesn’t scale. But done regionally like we are doing it—that can scale.”


Article source: http://www.darkreading.com/threat-intelligence/threat-intel-sharing-services-emerge-but/240161881

Nexgate Releases First-Ever Global Social Spam List; Publishes Report On Social Spam

SAN FRANCISCO, September 24, 2013 – Nexgate, an innovator in social media brand protection and compliance, today announced the availability of a first-of-its-kind Global Social Media Spam List to root out spam across branded social media accounts, as well as the release of its new 2013 State of Social Spam research report (available at http://nx.gt/SocialSpamReport) from Nexgate’s team of data scientists, detailing social media spam techniques and trends taken from analysis of more than 60 million unique social posts and comments, including 25 million social media user accounts.

Social media spam is a fast-growing attack and exploit vector for cybercriminals. Traditional security defenses, like email and Web filtering, are designed to detect spam and malicious content entering the corporate network; however, social media and its spam live outside the corporate network and on the accounts of the brand itself, thus rendering anti-malware and anti-spam technologies from the leading providers useless.

Investment in social media advertising alone is expected to reach nearly $7 billion in 2013, as marketers scramble to engage customers, partners and prospects on Facebook, Twitter, YouTube, and the other leading social networks. As the money flows to social media, the bad guys quickly follow with Facebook spam alone generating an estimated $200 million.

According to new research just released in Nexgate’s State of Social Media Spam Report, 1 in 21 social messages contain risky content, and 15% of all social media spam contains a URL to a potentially dangerous source. Brands investing in social media face a fourfold threat from this growth in spam, including diversion/dilution of their ROI by hosting spammers’ ads, exploitation of their target audience by spammers, and damage to brand trust.

Nexgate’s new Global Social Media Spam List is the first and only such list created to stop spam on branded social media pages across social networks. Available immediately as part of its enterprise social media brand protection and compliance service, the list is compiled from spam and spammers detected across more than 25 million individual social media user accounts, 10,000 branded accounts, and analysis of more than 60 million pieces of social content. Spammers are added to the list based on detection techniques using Nexgate’s patent-pending social content and application classification technology. This technology set includes the ability to scan the content, the applications being used to publish the content, and the profile that is publishing on social media accounts, in order to identify and automatically remove spam from brand-owned pages based on the classification of spam content, spam apps, and spammer profiles. It also includes coverage for malware, inappropriate content, confidential data, regulated data, and more. Nexgate’s new Global Social Media Spam List is enabled by default for Nexgate customers. Spammers on the list are automatically blocked from posting content to any social media account protected by Nexgate.

Additional findings in the just released Nexgate State of Social Media Spam Report include:

Since the start of 2013, social media spam has increased 355%

1 in 21 social media messages across Facebook, YouTube, Google+, and Twitter contain risky content, such as adult language, hate speech, private or regulated data, or spam

1 in 200 social media messages contain spam, including lures to adult content and malware

Spammy apps, like-jacking, social bots, and fake accounts are among the most widely used methods of distributing social media spam

5% of social apps are classified as spammy

15% of all spam contains a URL

Spammers often spam at least 23 different social media accounts

“There’s no question social media spam is on the rise and is a real challenge to enterprise brands,” said Alan Webber, Principal at Asymmetric Insights. “As evidenced in Nexgate’s 2013 State of Social Media Spam report, spam volumes increase at a faster rate than content on branded pages. Thus, efficiently addressing this problem is critical to the overall success of social media personnel and brand managers who wish to effectively engage with their customers and prospects.”

“The dramatic rise in social spam is a significant burden to big brands, and is caustic to the ROI of social media marketing programs,” said Devin Redmond, Co-founder and CEO, Nexgate. “Teams that ignore spam are effectively sponsoring it and deteriorating their programs’ effectiveness and overall brand trust. The teams that are fighting it are typically struggling because most tools aren’t designed for the sophisticated nature of the problem, and thus they’re left to manually remove spam content via their internal team’s resources or expensive outsourcing partners. Given this and the rise in spam volumes, it’s no wonder moderation costs have more than doubled. Just like spam in email, dealing with social media spam requires advanced technology to root out the bad stuff. Nexgate’s robust capabilities mean that enterprise social media teams can automatically and cost-effectively protect their brand and their audience in a more scalable way.”

More Information:

Global Social Media Spam List

State of Social Media Spam Report

Nexgate Enterprise Suite

For more information on Nexgate, its new Global Social Media Spam List, or to download the new 2013 State of Social Media Spam Research Report, visit nexgate.com.

About Nexgate

Nexgate provides cloud-based brand protection and compliance for enterprise social media accounts. Its patent-pending technology seamlessly integrates with the leading social media platforms and applications to find and audit brand affiliated accounts, control connected applications, detect and remediate compliance risks, archive communications, and detect fraud and account hacking.

Nexgate is based in San Francisco, California, and is used by some of the world’s largest financial services, pharmaceutical, Internet security, manufacturing, media, and retail organizations to discover, audit and protect their social infrastructure.

Article source: http://www.darkreading.com/applications/nexgate-releases-first-ever-global-socia/240161832