STE WILLIAMS

Teen privacy “eviscerated” by planned Facebook changes

A coalition of US groups that advocate for teenagers is crying foul over proposed changes to Facebook policy that would rubber-stamp the use of teenagers’ names, images and personal information to endorse products in advertisements.

The coalition, which includes over 20 public health, media, youth, and consumer advocacy groups, sent a letter to the Federal Trade Commission (FTC) on 17 September asking that the government take a closer look at how the proposed changes will expose teenagers to the same “problematic data collection and sophisticated ad-targeted practices that adults currently face.”

The changes to Facebook’s Statement of Rights and Responsibilities will give the site permission to use, for commercial purposes, the name, profile picture, actions, and other information of all of its nearly 1.2 billion user base, including teens.

The group also objects to new language, directed at 13-17 year-old users, that says that if you’re a teenager, and you’re on the site, Facebook assumes it has consent from your parent or legal guardians to use your information.

The proposed language:

If you are under the age of eighteen (18), or under any other applicable age of majority, you represent that at least one of your parents or legal guardians has also agreed to the terms of this section (and the use of your name, profile picture, content, and information) on your behalf.

Joy Spencer, who runs the Center for Digital Democracy’s digital marketing and youth project, said parents, for one, should be worried about the proposed privacy policy changes:

These new changes should raise alarms among parents and any groups concerned about the welfare of teens using Facebook. By giving itself permission to use the name, profile picture and other content of teens as it sees fit for commercial purposes, Facebook will bring to bear the full weight of a very powerful marketing apparatus to teen social networks.

The coalition for teens is just the latest to join in the hue and cry over the proposed privacy policy changes.

On 4 September, the top six privacy organisations in the US – the Electronic Privacy Information Center, Center for Digital Democracy, Consumer Watchdog, Patient Privacy Rights, U.S. PIRG, and the Privacy Rights Clearinghouse – sent a joint letter to politicians and regulators asking that some of Facebook’s proposed changes be blocked.

Facebook had issued the proposed changes as part of an agreement that was made in settlement of a class-action lawsuit.

However, the changes would actually weaken the privacy policy’s wording, this earlier letter claims, and would violate a 2011 privacy settlement with the FTC.

Furthermore, the amended language regarding teens “eviscerates” limits on commercial exploitation of the images and names of young Facebook users, the letter states.

It reads:

The amended language involving teens – far from getting affirmative express consent from a responsible adult – attempts to “deem” that teenagers “represent” that a parent, who has been given no notice, have consented to give up teens’ private information. This is contrary to the Order and FTC’s recognition that teens are a sensitive group, owed extra privacy protections.

Facebook was supposed to update its policy two weeks ago but has delayed the decision following the six consumer watchdog groups’ petition of the FTC to block the changes.

In an emailed statement to the LA Times, Facebook said that it put on the brakes in order to get this thing right:

We want to get this right and are taking the time to review feedback, respond to any concerns, and clarify the explanations of our practices. We routinely discuss policy updates with the FTC and are confident that our policies are fully compliant with our agreement.

In my opinion, Facebook won’t get it right until it embraces the radical notion of opt-in as opposed to making users continually jump through hoops to opt out of having their personal information used in ever new ways.

As far as deemed consent goes, it’s ludicrous to presume that teens on Facebook are a) there with their parents’ blessing and b) that that presumed blessing somehow includes letting their child’s likeness be plastered onto every money-generating shill that Facebook advertisers can cook up.

The proposed changes predate last week’s truly awful incident, when a Facebook advertiser got hold of two images of a gang-rape and suicide victim and used them in dating ads.

That dating company has since gone offline, its Facebook account has been shuttered, and Facebook has apologized.

The proposed changes go beyond teens’ images, of course, to encompass all their personal data, including their posted activities. Do we really think that the online history of children should be fair game for Facebook, when even adults leave often breathtakingly embarrassing, not to mention career-threatening, trails?

As far as images in particular go, perhaps the case I mention is only tangentially related to the proposed privacy policy changes. Maybe it just comes to mind because it tastelessly featured images of a teen who met a horrific fate.

Maybe it comes to mind because the images of children, to my mind, should be considered too precious to play games with, or perhaps even to generate profits from.

Image of girl on phone courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/9rtRVzNnFi4/

LinkedIn denies hacking into users’ email

No, LinkedIn most certainly does not sink its marketing fangs into users’ private email accounts and suck out their contact lists – well, at least, not without users’ permission – the company said over the weekend.

Blake Lawit, Senior Director of Litigation for LinkedIn, on Saturday responded to a class action lawsuit brought last week by four users who claimed that the professional networking site accesses their email accounts – “hacks into,” to use the diction of the lawsuit – without permission.

Lawit’s statement denies the plaintiffs’ accusations:

We do not access your email account without your permission. Claims that we “hack” or “break into” members’ accounts are false.
We never deceive you by “pretending to be you” in order to access your email account.
We never send messages or invitations to join LinkedIn on your behalf to anyone unless you have given us permission to do so.

On Tuesday, four LinkedIn users in the US filed the complaint, which alleges that the company “hacks into” users’ email accounts, downloads their address books, and then repeatedly spams out marketing email, ostensibly from the users themselves, to their contacts.

The suit charges LinkedIn with fuzzily worded requests and notifications when it comes to just what, exactly, “growing” a user’s network entails.

On the screen labelled “Grow your network on LinkedIn”, presented when a new user signs up for the free service, LinkedIn works its marketing sneakiness, the suit says, getting into a user’s email account without a password and then snapping up contacts and the email address for anybody with whom he or she has ever swapped email:

LinkedIn is able to download these addresses without requesting the password for the external email accounts or obtaining consent.

If a LinkedIn user has logged out of all their email applications, LinkedIn requests the username and password of an external email account to ostensibly verify the identity of the user.

However, LinkedIn then takes the password and login information provided and, without notice or consent, LinkedIn attempts to access the user’s external email account to download email addresses from the user’s external email account.

If LinkedIn is able to break into the user’s external email account using this information, LinkedIn downloads the email addresses of each and every person emailed by that user.

The suit mentions “hundreds” of user complaints about the practice on LinkedIn’s own site.

It’s not difficult to see why users might well be appalled, given some of the situations they describe on the site’s help center thread on the topic.

One user, Cynthia Hubbard, describes LinkedIn invitations getting sent out “at [her] alleged behest” to a coworker with whom she “had a great deal of trouble”, to five individuals from opposing in-house counsel and corporate defendants in a lawsuit she was involved in, and to a worker’s compensation client she referred to another law firm and whom she would never personally invite to her contact list, among others.

One reader commented on my coverage last week that he or she had read an account on another posting of this story, about a psychologist whose professional email messages to patients had triggered invitations to connect that were actionable malpractice breaches for which he could face disciplinary action.

In his statement, Lawit says that LinkedIn most certainly gives users the choice to share email contacts and that the company “will continue to do everything we can to make our communications about how to do this as clear as possible.”

From what I can suss out, LinkedIn does tell users what it’s up to, but the language is hidden away and is a far cry from “as clear as possible.”

Users have been decrying LinkedIn’s practices for months, at the very least, without any satisfaction.

It’s easy, in a case like this, to blame users for not reading the fine print. That logic holds that free services are only free from a financial standpoint, but you pay, one way or the other, to keep them alive, including letting a service like LinkedIn vacuum up your contacts for marketing purposes.

There’s merit to that argument.

Then again, there’s no excuse for tucking your marketing practices away where they’re not obvious to users.

The hallmark of clear communication is that you don’t wind up with pages full of comments from outraged, surprised users. And that is exactly what LinkedIn is dealing with now, with the added problem that all that user surprise and outrage has festered and is now boiling up into the legal realm.

Image of email access and checking email courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/yazTwAETd2o/

SSCC 117 – Apple all over the news, lots of patches, browser trust and Facebook privacy [PODCAST]

News, opinion, advice and research: here’s our latest two-weekly quarter-hour security podcast, featuring Chet and Duck (Chester Wisniewski and Paul Ducklin) with their informative and entertaining take on the latest security news.

By the way, you can keep up with all our podcasts via RSS or iTunes, and catch up on previous Chet Chats by browsing our podcast archive.

Listen to this episode

Play now:

(24 September 2013, duration 14’57”, size 9.0MB)

Download for later:

Sophos Security Chet Chat #117 (MP3)


Don’t forget: for a regular Chet Chat fix, follow us via RSS or on iTunes.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_dcmopXt2WI/

BT Launches Virtual Chief Security Officer Service In The U.S. For End-To-End Enterprise Security

IRVING, Texas, Sept. 23, 2013 /PRNewswire/ — BT today announced the launch of virtual Chief Security Officer (vCSO), a new managed service that provides the full development, management and operation of an enterprise information security team. vCSO is designed to help security executives address the growing challenge of managing a world-class security function.

Information security is no longer a supporting role within IT organizations.

Security threats and risks are at an all-time high, with more cyberattacks each day and the growth of mobility, social media, cloud computing and big data in enterprises adding additional complexity to the enterprise.

With vCSO from BT Advise Assure, an organization can take advantage of a full service that covers all the duties of a Chief Security Officer (CSO) at a much lower cost, enabling them to better balance security demands with strategic business needs.

“With the pace of change in business and technology advances today, it’s never been harder to protect your business. However, for most businesses, IT resources are already constrained and there may be no budget to hire a dedicated security professional,” said Bas Burger, president of US Canada at BT Global Services.

“While many companies are looking at how to build this role into their future organizations, BT has already been thinking about how to solve this problem.

With our vCSO service, companies can get the expert, board-level resources they need to drive security, compliance and governance programs without a costly staffing investment.”

The vCSO service is a flexible delivery model that can be tailored to fit the unique needs of each company. The service is available both on a project basis for specific security initiatives, including emergency scenarios, and on an ongoing retainer for longer-term support. At the start of each vCSO engagement, BT will conduct a full review of the company’s security systems to identify the current infrastructure and areas for improvement. Specific areas where a vCSO can help include:

— Development, implementation and updates of global security policies, standards, guidelines and procedures.

— Reviewing current IT risk assessment processes and conducting Rapid Risk Assessments (RRA) to determine vulnerabilities in the business.

— Designing an information security program roadmap to support specific business requirements.

— Managing and directing the team of security professionals and vendors that maintain the IT infrastructure, including network connectivity, Internet presence, applications and servers, clients, networked devices, wireless, telephony, e-business, IDS, anti-virus, authentication, authorization and firewalls.

— Leading internal management teams across different business functions, internal security councils and governance forums.

— Acting as a consultant and liaison to other IT groups on security matters.

The vCSO service makes it possible for companies to put BT’s 25 years of experience managing information security programs to work for their business.

vCSO brings world-class security expertise and industry professionals from BT Advise Assure into a company’s organization, making sure its IT investments are in line with its business goals, regulatory challenges and overall business strategies.

For more information, please visit:

http://www.globalservices.bt.com/us/en/products/assure_cyber_quick_start .

About BT

BT is one of the world’s leading providers of communications services and solutions, serving customers in more than 170 countries. Its principal activities include the provision of networked IT services globally; local, national and international telecommunications services to its customers for use at home, at work and on the move; broadband and internet products and services and converged fixed/mobile products and services. BT consists principally of four lines of business: BT Global Services, BT Retail, BT Wholesale and Openreach.

Article source: http://www.darkreading.com/management/bt-launches-virtual-chief-security-offic/240161660

Lancope Appoints Tim (TK) Keanini As CTO

ATLANTA, September 23, 2013 – Lancope, Inc., a leader in network visibility and security intelligence, announces the appointment of Tim (TK) Keanini as chief technology officer (CTO). Keanini brings nearly 25 years of network and security experience to his new role, including positions at Cisco and nCircle. He will lead the evolution and positioning of Lancope’s technology architecture toward software-defined networking (SDN), along with other key product roadmap initiatives such as providing security in the private and public cloud.

“TK possesses an incredible amount of industry expertise and has a burning passion to help us further define the evolving market requirements to keep our products and services state of the art,” said Mike Potts, president and CEO of Lancope. “Between his time spent with Cisco, his impactful tenure as CTO of nCircle, and significant contributions to various security standards and patents, TK has always stayed on the cutting edge of security. We are honored to have him on board as we continue to improve today’s position of cyber security one customer at a time.”

Most recently, Keanini served as CTO of nCircle Network Security (recently acquired by Tripwire). During his 12 years at nCircle, he drove product innovation that defined the vulnerability management and configuration compliance market, establishing one of the industry’s leading vulnerability research organizations. He also created a formal intellectual property program that helped spark innovation and protect the company’s long-term product strategy.

Before joining nCircle, Keanini served as Vice President of Network Services for Morgan Stanley Online, building and securing a highly available online trading system that had no reported outages or security incidents while in production. While at Morgan Stanley, he also planned, built and managed multiple data centers from the ground up. Previously, Keanini was a systems engineer at Cisco, advising top financial institutions on the design and architecture of their data networking infrastructure.

“Throughout my career, I have remained heavily involved in the latest security developments and innovations from around the world,” said Keanini. “Lancope brings a very unique perspective and technology to the industry, enabling organizations to leverage their existing infrastructure and assets to more thoroughly protect their networks. I look forward to helping Lancope’s talented and driven team bring the benefits of its behavioral-based monitoring solution to many more organizations across the globe.”

Keanini is a Certified Information Systems Security Professional (CISSP), and has served as a leader in the development of various security standards including CVE, CPE, CCE and CVSS to name a few. Keanini is also a highly visible security expert on social media, growing top tier press coverage for nCircle by 32% in 2012. He is frequently invited to speak at industry conferences held by organizations including RSA, SANS and BSides.

For further details on Lancope’s leadership team, go to: http://www.lancope.com/company-overview/management/.

About Lancope

Lancope, Inc. is a leading provider of network visibility and security intelligence to defend enterprises against today’s top threats. By collecting and analyzing NetFlow, IPFIX and other types of flow data, Lancope’s StealthWatch System helps organizations quickly detect a wide range of attacks from APTs and DDoS to zero-day malware and insider threats. Through pervasive insight across distributed networks, including mobile, identity and application awareness, Lancope accelerates incident response, improves forensic investigations and reduces enterprise risk. Lancope’s security capabilities are continuously enhanced with threat intelligence from the StealthWatch Labs research team. For more information, visit www.lancope.com.

Article source: http://www.darkreading.com/management/lancope-appoints-tim-tk-keanini-as-cto/240161681

Website Security Company Sucuri Inc. Acquires Unmask Parasites Security Service

MENIFEE, Calif., Sept. 20, 2013 /PRNewswire-iReach/ — Sucuri Inc., a company that offers a complete suite of website security solutions, announces that the company has acquired Unmask Parasites, an online website security service that helps detect hidden content inserted by hackers into benign web pages. Sucuri will also retain the services of Denis Sinegubko, founder of Unmask Parasites, as a member of the company’s research team.

(Photo: http://photos.prnewswire.com/prnh/20130920/MN83573)

Sucuri Co-Founder, Dre Armeda, stated, “This acquisition fits into our vision and commitment to offer the best website security services and products available today and in the future. We’re also very excited to have Denis joining our research efforts. Denis is a very experienced malware researcher and will be a great addition to our growing team.”

As seen on NBC News, CNN, ABC News, The New York Times and many more, Sucuri offers a complete and innovative solution for fighting web-based malware. If a site is hacked, affected by spam, pharma hacks, blacklisted or infected with malware, Sucuri provides solutions to get it back on track quickly.

The company’s core security offerings include website monitoring, alerting and malware removal. Sucuri monitors for malware, blacklisting and website changes, and if a monitor is triggered, clients are alerted by email, text message, direct message on Twitter, or private RSS feed. Once alerted, processes are put into effect to remove any website infections, SPAM, defacements, and blacklisting. Additional add-on preventative and backup services are also available.

According to an article on the site, “At Sucuri, we have been monitoring and engaging in web-based malware since 2004, evolving with the changes year by year. Our service is built around the passion and commitment we have to making a difference in the way the world fights web-based malware. We take pride in every site we work on, and work diligently to update our definitions and algorithms to stay ahead of the problem.”

The company recently launched a website application firewall and intrusion protection service with virtual hardening and patching called CloudProxy.

Additionally, Sucuri’s SiteCheck is a free website scanner that checks sites for spam, malware, blacklisting and many other security issues. Sucuri’s security solutions quickly address malware issues related to Google, WordPress and a host of the most popular sites that the majority of internet users use for work or leisure on a regular basis.

About Sucuri Inc.:

Sucuri Inc. is the leading provider of website protection, malware detection and removal solutions – delivered as a service. Sucuri’s website scanning engine is used by more than a million websites worldwide every month. In simple terms, Sucuri finds and reports website security issues, and cleans up the mess. For more information, visit http://sucuri.net.

“Sucuri,” “Sucuri SiteCheck,” and the Sucuri logo are trademarks of Sucuri Inc. and may be registered in certain jurisdictions. All other company and product names are trademarks or registered trademarks of their respective owners.

Article source: http://www.darkreading.com/applications/website-security-company-sucuri-inc-acqu/240161682

Huawei Announces An Integrated Data Integrity Solution In Collaboration With Emulex And Oracle

SHENZHEN, China, Sept. 23, 2013 /PRNewswire/ — Huawei, a leading global information and communications technology (ICT) solutions provider, today announced an end-to-end (E2E) data integrity solution, developed in conjunction with Emulex and Oracle. This solution can help customers prevent silent data corruption in mission-critical services, delivering crucial data protection.

In data access, data goes through various components, transfer channels, and software processing. Errors during this process may cause silent data corruption. Silent data corruption is often overlooked, but it can have great and adverse impact on the services such as databases that require absolute data integrity. Silent data corruption can lead to service disruptions or unrecoverable data loss.

The data integrity solution announced today by Huawei, in collaboration with Emulex, and Oracle enhances the current technology where hosts and storage systems protect data integrity independently. This is done by implementing E2E data integrity protection across applications, hosts, storage systems, and disks. As a result, this solution can help prevent silent data corruption in mission-critical services and eliminate potential downtime, which may cost organizations millions of dollars in revenue.

Huawei Global Certification Test Center (GCTC) has qualified this solution, including: Oracle Database, Oracle Linux with the Unbreakable Enterprise Kernel, Emulex Gen5 FC HBA, and HUAWEI OceanStor Enterprise Storage System, and confirmed that these components are compatible with industry specifications such as the SCSI Protection Information Model (T10 PI) and Data Integrity Extensions (DIX). HUAWEI OceanStor Enterprise Storage System supports standard T10 PI, which can detect and resolve silent data corruption. It also provides a PI interface to the host and supports use together with DIX. With this, Huawei becomes one of the early enterprise storage vendors to offer an E2E data integrity protection solution.
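To make the mechanism behind the press release concrete, here is an added example (not Huawei, Emulex or Oracle code) of how a T10 PI tuple lets a storage path catch silent corruption. Each 512-byte block carries an 8-byte protection field: a 16-bit guard tag (CRC-16/T10-DIF over the data), a 16-bit application tag and a 32-bit reference tag holding the low 32 bits of the logical block address. The sector contents, LBAs and the bit flip are constructed for the demonstration.

```python
"""Toy model of T10 Protection Information (PI) guard and reference tags.

Constructed example, not vendor code: it shows why an end-to-end guard
tag catches corruption that a host-only or storage-only check would miss.
"""
import struct

T10_DIF_POLY = 0x8BB7   # CRC-16/T10-DIF polynomial (init 0, no reflection, no xorout)
SECTOR = 512            # data bytes per block
PI_LEN = 8              # guard(2) + app tag(2) + ref tag(4)


def crc16_t10dif(data: bytes, crc: int = 0) -> int:
    """Bitwise CRC-16/T10-DIF; the guard tag stored with every block."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ T10_DIF_POLY) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def protect(block: bytes, lba: int, app_tag: int = 0) -> bytes:
    """Append the PI tuple the application/HBA would generate on write (Type 1: ref tag = LBA)."""
    if len(block) != SECTOR:
        raise ValueError("block must be exactly one sector")
    guard = crc16_t10dif(block)
    pi = struct.pack(">HHI", guard, app_tag, lba & 0xFFFFFFFF)
    return block + pi


def verify(protected: bytes, expected_lba: int) -> list[str]:
    """Re-check the PI tuple at any hop; returns a list of errors (empty means intact)."""
    block, pi = protected[:SECTOR], protected[SECTOR:SECTOR + PI_LEN]
    guard, _app_tag, ref_tag = struct.unpack(">HHI", pi)
    errors = []
    if crc16_t10dif(block) != guard:
        errors.append("guard tag mismatch: data bytes changed in flight")
    if ref_tag != (expected_lba & 0xFFFFFFFF):
        errors.append(f"reference tag mismatch: block belongs to LBA {ref_tag}, not {expected_lba}")
    return errors


def demo() -> tuple[list[str], list[str]]:
    """Two classic silent-corruption cases: a flipped bit and a misdirected write."""
    payload = (b"ORACLE-ROW-" * 64)[:SECTOR]      # constructed sector contents
    prot = protect(payload, lba=1234)
    assert verify(prot, 1234) == []              # clean path: nothing to report

    flipped = bytearray(prot)
    flipped[100] ^= 0x01                         # one bit flips somewhere on the path
    bit_flip_errors = verify(bytes(flipped), 1234)

    misdirected_errors = verify(prot, 1235)      # intact data, but landed at the wrong LBA
    return bit_flip_errors, misdirected_errors


if __name__ == "__main__":
    for errs in demo():
        print(errs)
```

Because the guard tag is generated where the data is produced and checked again at the HBA and on the array, any hop that alters the bytes is exposed; the reference tag additionally catches writes that land on the wrong block, which a plain data checksum would not.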

“Emulex is pleased to be working closely with Huawei and Oracle to provide exclusive Fiber Channel HBA support within this solution,” said Jimmy Yam, vice president of sales, APAC, Emulex. “This solution enables IT managers the ability to protect data and resources while elevating the reliability and operations of their database environments. Emulex Gen 5 Fiber Channel HBAs provide the industry’s highest level of data integrity with full line-rate performance and no systems overhead with our vEngine(TM) CPU offload technology making SANs faster, and operate better.”

“As a leading contributor to the Linux kernel, Oracle developed and introduced the data integrity feature that is now part of the mainline Linux and included with Oracle Linux. We are pleased to see that technology come to fruition with an end-to-end data integrity solution, as part of our collaboration with Huawei and Emulex. This solution can benefit our mutual customers who rely on the integrity of their data to run their business,” said Wim Coekaerts, Senior Vice President Linux and Virtualization Engineering, Oracle.

Fan Ruiqi, President of Huawei IT Storage Product Line, said, “Huawei is honored to have cooperated with Emulex and Oracle to announce an E2E data integrity solution compatible with T10 PI and DIX. This solution perfectly demonstrates Huawei storage products’ philosophy of being secure and trusted to the storage industry. Huawei storage product line keeps being customer-centric with the endowed mission of protecting customers’ data security. From the innovative RAID 2.0+, 9-magnitude earthquake resistance certification, to the 32:1 centralized disaster recovery solution, Huawei has been dedicated to providing customers with secure and trusted data storage services and will continue to spare no efforts on this road.”

About Huawei

Huawei is a leading global information and communications technology (ICT) solutions provider. Through our dedication to customer-centric innovation and strong partnerships, we have established end-to-end advantages in telecom networks, devices and cloud computing. We are committed to creating maximum value for telecom operators, enterprises and consumers by providing competitive solutions and services. Our products and solutions have been deployed in over 140 countries, serving more than one third of the world’s population. For more information, visit Huawei online: www.huawei.com

Follow us on Twitter: www.twitter.com/huaweipress and YouTube: http://www.youtube.com/user/HuaweiPress

About Oracle PartnerNetwork

Oracle PartnerNetwork (OPN) Specialized is the latest version of Oracle’s partner program that provides partners with tools to better develop, sell and implement Oracle solutions. OPN Specialized offers resources to train and support specialized knowledge of Oracle products and solutions and has evolved to recognize Oracle’s growing product portfolio, partner base and business opportunity. Key to the latest enhancements to OPN is the ability for partners to differentiate through Specializations. Specializations are achieved through competency development, business results, expertise and proven success. To find out more visit http://www.oracle.com/partners

Article source: http://www.darkreading.com/applications/huawei-announces-an-integrated-data-inte/240161698

Penetration Testing For Beginners

As experienced networking professionals with beginner security skills seek to dip their toes in the waters of penetration testing, step one is to look at their network infrastructure through the eyes of an attacker.


“Put people in attackers’ shoes and they’ll learn to defend their networks better,” says Steve Pinkham, a security consultant for Maven Security Consulting and the guy behind the Web Security Dojo project. “Plus, let’s be honest, it’s fun to break things, especially when you usually build and maintain things all day.”

Breaking things will definitely be on the agenda when Pinkham and his colleague David Rhoades hit the ground in New York for Interop. The pair plan to lead a workshop for beginners, titled Hands-On Introduction to Common Hacking Tools, that will push attendees to think like attackers while getting hands on experience with the types of tools that both white hat and black hat hackers use to compromise enterprise systems. The class, says Pinkham, will walk through basic attack tests while using the penetration testing execution standard as a platform.

[Do you see the perimeter half empty or half full? See Is The Perimeter Really Dead?.]

Students will be exposed to how penetration testers use tools like Kali Linux, OpenVulnerability Assessment System (OpenVAS), Nmap, Metasploit and Maltego to help them get a better picture of how to assess a network for security.

“You need to deeply understand your network and how everything interacts,” says Pinkham. “What happens typically is that everybody lives inside their silo inside the corporate world and there’s not often someone who does a good job of integrating everything to find bigger picture flaws. There’s always some old box that’s totally forgotten. That’s a lot of what we in the security industry do. I draw a big map and figure out how different parts of that map interact.”

Whether they’re students in his workshop at Interop or those who seek to learn more about penetration and security testing elsewhere, Pinkham emphasizes the importance of hands-on learning when starting out.

“Really, the only way people seem to get it is to either do it themselves or have someone else demonstrate how it happens,” Pinkham says. “You want to give people free tools online and a real-world target. They’re going to pop a shell on it, extract data from it and do all these things to break it themselves.”

He also believes beginners should understand that if they know where to look for free tools, a lot of the heavy lifting is done for them through automation. In particular, networking veterans like those at Interop should seek to get more from Nmap than they may even know is possible.

“Nmap is so good, every other tool takes its data and goes from there,” he says. “So you run your Nmap scan and then you can import it into Metasploit, you can import it into OpenVAS and all of these other tools and get further integration.”

Not only that, Pinkham says, but Nmap is becoming a very good vulnerability assessment tool in and of itself.

“It has tons of scripts built in and there’s more coming out every day that look for a lot of the low hanging fruit,” he says. “When you have new advisories come out, there’s often an Nmap plug-in that will be out in a few days and you can look through your network and see if you have any of those just using that tool.”
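Pinkham’s point that “every other tool takes its data and goes from there” rests on Nmap’s XML output (`-oX`), which is what Metasploit and OpenVAS import. The following is an added example, not code from the article or from Pinkham, of the defender-side half of that workflow: turning a scan into an inventory and checking it against your own policy. The XML document is hand-constructed in Nmap’s output layout, the addresses and hostnames are invented, and the policy rules (cleartext services, hosts with no DNS name) are assumptions chosen to illustrate finding the “old box that’s totally forgotten”.

```python
"""Build a host/service inventory from Nmap XML and check it against a simple policy.

Constructed example: the XML below is hand-written in Nmap's -oX layout, and
the policy rules are assumptions for illustration, not part of Nmap.
"""
import xml.etree.ElementTree as ET

# Constructed scan of a small range: one web host, one forgotten box, one host down.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29">
  <host><status state="up"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <hostnames><hostname name="web1.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="6.2"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2.22"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.0.51a"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="10.0.0.6" addrtype="ipv4"/></host>
</nmaprun>
"""

# Assumed policy: services that carry credentials in the clear should not be exposed.
CLEARTEXT_SERVICES = {"telnet", "ftp", "rlogin"}


def parse_inventory(xml_text: str) -> dict:
    """Map each live IPv4 host to its PTR name and its open services.

    Each service is (port, protocol, name, product, version); product/version
    are None when -sV could not identify them.
    """
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                      # skip hosts that did not respond
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        hostname = host.find("hostnames/hostname")
        services = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                  # closed/filtered ports are not exposure
            svc = port.find("service")
            services.append((
                int(port.get("portid")),
                port.get("protocol"),
                svc.get("name") if svc is not None else None,
                svc.get("product") if svc is not None else None,
                svc.get("version") if svc is not None else None,
            ))
        inventory[addr.get("addr")] = {
            "hostname": hostname.get("name") if hostname is not None else None,
            "services": sorted(services),
        }
    return inventory


def policy_findings(inventory: dict) -> list[tuple[str, str]]:
    """Flag exposed cleartext services and live hosts with no DNS name (likely unmanaged)."""
    findings = []
    for ip, info in sorted(inventory.items()):
        if info["hostname"] is None:
            findings.append((ip, "live host with no PTR record: check whether it is inventoried"))
        for port, proto, name, _product, _version in info["services"]:
            if name in CLEARTEXT_SERVICES:
                findings.append((ip, f"cleartext service {name} open on {proto}/{port}"))
    return findings


if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_NMAP_XML)
    for ip, info in inv.items():
        print(ip, info["hostname"], [s[:3] for s in info["services"]])
    for ip, msg in policy_findings(inv):
        print(f"[finding] {ip}: {msg}")
```

The same parser can be fed a real `-oX` file instead of the embedded string; the useful part is the second step, where the inventory is compared with what the organisation believes it runs, which is exactly the “bigger picture” integration Pinkham describes.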


Article source: http://www.darkreading.com/vulnerability/penetration-testing-for-beginners/240161699

Destructive Attacks On Oil And Gas Industry A Wake-Up Call

First installment in a series on cyberthreats to the oil and gas industry

Some 30,000 hard drives were scrapped and replaced with new ones last year on Saudi Aramco’s internal corporate network after a massive cyberattack destroyed data on the oil and natural gas company’s Windows machines. While the attack didn’t directly affect Saudi Aramco’s oil production and exploration systems, it raised the stakes for the increasingly targeted oil and gas industry and also raised concerns of possible market fallout from attacks.

The oil and gas industry today is in the bull’s eye of nation-states, hacktivists, and even cybercriminals, and like other energy sectors, its industrial control systems are about a decade behind the security curve of the traditional IT environment. While Saudi Aramco said the attack was isolated to its corporate network and didn’t directly affect its hydrocarbon exploration and production systems–which run on isolated networks–the reality is that a successful cyberattack could have ripple effects and ultimately result in real-world economic consequences in the oil and gas markets, security and oil and gas industry experts say. It could either directly or indirectly disrupt production, competition, and ultimately, prices at the pump, they say.

If Stuxnet was the tipping point for ICS/SCADA attacks, the data-destruction attacks on Saudi Aramco and on Qatar’s RasGas gas company last year represent a major shift from cyberspying on oil and gas companies to more widespread destruction of their operations.

“I wonder if that’s their Estonia moment,” says Richard Bejtlich, CSO at incident response provider Mandiant, who says his company has been getting more inquiries from Middle East organizations lately. “We’re moving beyond the stage of ‘this is a problem and how do we fix it.’”

A recent Council on Foreign Relations report warns that future cyberattacks on the oil and gas industry could threaten the competitiveness of the U.S. oil and gas industry, pointing to the Saudi Aramco, Qatar RasGas, and cyberespionage attacks on Chevron and other U.S. oil companies, as warning shots.

“Some damage was done in each of these cases, but the costs of future breaches could be much higher, whether to corporate assets, public infrastructure and safety, or the broader economy through energy prices. Successful cyberattacks threaten the competitiveness of the U.S. oil and gas industry, one of the nation’s most technically advanced and economically important sectors,” the report said. “While intrusions previously focused on the theft of intellectual property and business strategies, the malware attack on Saudi Aramco reflects a worrying qualitative change toward attacks with the potential for causing physical disruptions to the oil and gas supply chain.”

But a widespread energy catastrophe would be difficult to execute electronically. Plant systems indeed are not as well-fortified electronically as IT systems in many cases, but they also are not as homogenous, which actually makes them more difficult to penetrate on a larger scale. “There are adversaries trying to get to those systems,” says Patrick Miller, president and CEO of EnergySec. “But it’s not like you get into one Windows [machine there] to get into [others]. It’s difficult to cause widespread catastrophic damage. You can do pockets, like Stuxnet [did].”

That doesn’t mean, however, that a high-profile targeted attack couldn’t still incur some economic damage. “Any market has an element of confidence built into it. If you erode confidence in the supply or any of its elements,” it could affect the market, he says.

“A long and slow [attack] could cause quality issues with some of these … it doesn’t necessarily take a frontal assault to [hit] the bottom line. This is an ecosystem,” he says.

Could gas prices be affected? “That’s not even a stretch–yes,” Miller says.

But physical attacks against the energy sector are the biggest worries today, Miller says. “There’s a greater opportunity for cyberattack than there was four or five years ago. The physical attack threat is constant,” he says. “The ability to cause long-term catastrophic damage is far greater from a physical perspective.”

Eyal Aronoff, co-founder of the Fuel Freedom Foundation, says cyberattacks on the oil and gas industry are no longer just “a nuisance.” The biggest threat, he says, is domestic terrorism, typically politically or economically motivated.

Aronoff maintains that the U.S. market is probably safest from economic injury because it’s so decentralized, while centralized, government-run oil and gas providers in other nations are sitting ducks. “The U.S. is the most protected, because there are hundreds of large companies–billions of dollars in companies–in this space … they are all large enough to overcome any difficulties of a shutdown,” he says. “However, companies like Pemex [in Mexico], centralized government companies, are at great risk because of their centralized nature.”

The combination of a physical and digital attack on a government-owned oil company could have long-lasting effects on the oil markets, such as temporary shortages and a price hit, he says. “That could be devastating and could last for a very long time … it would definitely affect prices at the pump and might create temporary shortages.”

An engineer for a U.S. oil and gas company who requested anonymity says the chances of a cyberattack affecting petroleum production and gas prices in the U.S. are “pretty slim.”

“We should prepare and mitigate for it, but the [chances] are still slim,” he says. “It would have to be a really big facility” hit that would result in driving up gasoline prices, he says. “And even big plants are somewhat divided into individual units,” which decentralizes the target, he says.

The U.S. has fairly diversified production, he says, with pipelines “moving around,” so the supply issue wouldn’t be as much of a risk. It would more likely result in bad PR and embarrassment for the breached company, he says, which could have a ripple effect on the stock market, for instance.

“There is more flexibility in supply,” he says. But there are exceptions: “There are a couple of facilities of offshore crude [oil] that if taken down would cause major problems,” he says.

A lesser-understood and more insidious threat is the manipulation of the oil trading market by nefarious actors, the Fuel Freedom Foundation’s Aronoff says. “Jacking up the price of gas can cause a recession in the U.S.,” he says.

There have been some anomalies in the oil market that have raised concerns that organized cybercrime may be attempting to manipulate the market for profit, notes EnergySec’s Miller. “There have been some minor situations where just oddities have happened and the market has reacted … My Spidey sense is that the blips we’re seeing are those parties seeing how the market would react to certain situations.”

Miller says the end game could be bankrupting a company, or “devaluing” one. “You might see the transfer of wealth across international borders. If you wanted to buy a company, you would de-value them” surreptitiously and then buy them, he says.

[Old-school but painful data-destroying malware attacks in the Middle East a red flag to revisit incident response, recovery. See The Data-Annihilation Attack Is Back.]

Meanwhile, there’s the Iran factor. The reported U.S. involvement in Stuxnet and its destruction of the Natanz nuclear facility’s centrifuges could come back to haunt it, experts worry. Cyberespionage against oil and gas firms by the Chinese could be just the calm before the storm: “Say what you will about the Chinese and their cyber-activity, but they are very polite in at least they only steal data. I’m a little worried if Iran turns around and says ‘it’s payback time,’” says Nick Levay, CSO at Bit9. “It’s pretty easy to break into organizations.”

Levay says while some energy firms are working hard to close security holes in their infrastructures, there are others who aren’t there yet. And that leaves the door open for a determined adversary to do some damage, he says.


Article source: http://www.darkreading.com/attacks-breaches/destructive-attacks-on-oil-and-gas-indus/240161700

Lack Of Security Expertise? App-Analysis Services Could Help

For companies developing their own in-house applications or Web services, vulnerabilities need to be found and fixed before deploying code, or firms risk a breach.

In 2012, for example, poor input validation for databases put SQL injection on top of the short list of vulnerability-related attacks, with the three largest breaches compromising nearly 20 million records, according to the State of Software Security Report released annually by application-security firm Veracode. While the tools are available to solve the problems, developers are still focused on features over security.

Part of the problem is the lack of necessary security expertise. Without a focus on security, developers are hard-pressed to find and close the vulnerabilities in their code, says Brian Mizelle, vice president of operations at Cigital, a vulnerability software and service provider.

“What we are finding in the market is that vulnerabilities are piling up, and no one is able to bring that queue down,” Mizelle says. “This is all about fixing them, verifying them, and getting the cycle going again, so companies are not piling on vulnerability after vulnerability, with the same ones showing up every time they test their code.”

A number of companies are trying to solve the problem by offering automated static-code checking and dynamic vulnerability scanning as cloud services. Last week, code-security firm Cigital, for example, released details of two security services that allow companies to check their code for security flaws using either static or dynamic analysis. Veracode and Cenzic are two other firms that have offered similar services. The services range from a simple automated scan of a Web application to additional consulting services to explain the results and help developers close the security holes.

“You have to worry about, not just testing, but fixing,” says Chris Wysopal, chief technology officer for Veracode. “It is very difficult to find skilled application security people. That’s one reason why going to a service provider scales better.”

[A network scanner that can survey the Internet in less than an hour will make it easier for research groups to expose vulnerabilities on the Internet. See Fast Scanning To Fuel ‘Golden Age’ Of Global Flaw Finding.]

When looking for an application assessment service, companies should consider what vulnerabilities the service can detect. The OWASP Top-10 list of Web application vulnerabilities and the SANS Top 25 Most Dangerous Software Errors are good starting points, but companies should look for deeper scans as well. In addition, the service should recommend strategies for fixing the problems and methods of avoiding the issues in the future, says Bala Venkat, chief marketing officer for Cenzic, a software security firm.

“You really need to have a metric showing the level of security or the level of vulnerability that the application has,” he says. “You can track that and tell them why they have that score and how they go about addressing those vulnerabilities.”

Companies also need to ask how far the software-analysis service can scale, and whether the turnaround time on tests fits their software development lifecycle, Venkat says. In addition, firms should ask the service provider how it minimizes false positives.

Finally, the service’s ability to give clients the benefit of its security expertise is key. Most services have a number of levels: a basic cloud service, which includes an automated application scan, and more involved services, which include meetings with the developers to explain the vulnerabilities and teach them how to avoid such mistakes in the future.

“The offering has to be based on the risk profile of the customer,” says Cigital’s Mizelle. “You don’t want to be overpaying for something that you are not going to use.”


Article source: http://www.darkreading.com/services/lack-of-security-expertise-app-analysis/240161665