STE WILLIAMS

Tor traffic torrent: It ain’t the Syrians, it’s the BOTS


The recent spike in traffic on the Tor anonymizing relay network is probably due to botnet activity rather than any recent political developments, research by Tor Project members has concluded.

The overall number of clients accessing the Tor network on a daily basis has more than doubled since around mid-August, but so far researchers have been at a loss to find any reason for the increase.


Partly this is due to the design of the Tor network itself. Preserving users’ anonymity is the whole point of the project, so the network doesn’t keep logs of IP addresses or other identifying information that could help pin down where the extra traffic is coming from.

Members of the “Tor Talk” mailing list have posted numerous theories, ranging from increased activism in Syria, to public reaction to recent revelations about US surveillance operations, to an attempt by an unknown force to DDoS the Tor network itself. But according to Tor Project member Roger Dingledine, who has been investigating the matter for the past week or so, none of these is likely to be correct.

“The fact is, with a growth curve like this one, there’s basically no way that there’s a new human behind each of these new Tor clients,” Dingledine wrote in a blog post on Thursday.

Instead, Dingledine believes Tor client software was installed on millions of computers surreptitiously, “pretty much overnight,” probably hidden inside some other, as-yet-undetermined software package.

“Since no large software or operating system vendors have come forward to tell us they just bundled Tor with all their users, that leaves me with one conclusion: somebody out there infected millions of computers and as part of their plan they installed Tor clients on them,” he wrote.

The most likely explanation is that someone is trying to set up a botnet that uses the Tor network to conceal the source of its packets. The problem, Dingledine observes, is that Tor wasn’t really designed with that kind of traffic in mind.

“My first observation is ‘holy cow, the network is still working’,” he wrote. “I guess all that work we’ve been doing on scalability was a good idea.”

There is still more work to be done, however, and the increase in traffic has caused measurable strain on the network. What steps the Tor Project will take to make the network more resilient to botnets and other anomalous traffic spikes are still open to debate. For now, Dingledine encourages all Tor users to upgrade to Tor 0.2.4, which introduces a new connection-handshaking method that uses fewer CPU resources.

“In parallel, it would be great if botnet researchers would identify the particular characteristics of the botnet and start looking at ways to shut it down (or at least get it off of Tor),” Dingledine says.

“And finally, I still maintain that if you have a multi-million node botnet, it’s silly to try to hide it behind the 4000-relay Tor network … Another facet of solving this problem long-term is helping them to understand that Tor isn’t a great answer for their problem.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/05/tor_traffic_spike_botnet/

Botnet Behind Mysterious Spike In Tor Traffic

A massive spike of millions of new Tor clients during the past few weeks appears to be the handiwork of a botnet, not a post-Edward Snowden anonymity bump or the Syrian civil war fallout that some had suspected.

Researchers from Dutch security firm Fox-IT today said they have traced the Tor traffic to a botnet that dates back as far as 2009, known as SBC, using the “Mevade.A” or “Sefnit” malware families. SBC traditionally has used mainly HTTP for its command-and-control communications (C&C), but began using Tor for C&C around the time of the Tor spike.

“The botnet appears to be massive in size as well as very widespread. Even prior to the switch to Tor, it consisted of tens of thousands of confirmed infections within a limited amount of networks,” blogged Fox-IT’s Yonathan Klijnsma.


Fox-IT says the botnet’s mission is unclear, but it comes from a Russian-speaking region and is likely involved in financial cybercrime operations.

The Tor Project today also confirmed a botnet is likely behind the millions of new Tor clients — and the numbers keep rising. “Where do these new users come from? My current best answer is a botnet,” Roger Dingledine, project leader, director, and researcher for The Tor Project, said in a blog post today.

That shoots down theories that the growth came from activists in Syria, Russia, or the U.S., or more journalists using the anonymous browsing service in the wake of NSA domestic spying programs leaked to the press by Snowden. Dingledine also dismissed the theory that the jump was due to large-scale adoption of the so-called Pirate Browser, a Tor-based bundled anti-censorship browser from Pirate Bay: “… we’ve talked to the Pirate Browser people and the downloads they’ve seen can’t account for this growth,” he says.

“The fact is, with a growth curve like this one, there’s basically no way that there’s a new human behind each of these new Tor clients. These Tor clients got bundled into some new software which got installed onto millions of computers pretty much overnight. Since no large software or operating system vendors have come forward to tell us they just bundled Tor with all their users, that leaves me with one conclusion: somebody out there infected millions of computers and as part of their plan they installed Tor clients on them,” Dingledine says.

Tor’s Dingledine says the botnet appears to be running the C&C as a hidden service, and the new clients aren’t shooting out traffic to websites or other locations. That appears to eliminate DDoS attacks, for instance.

Why enlist Tor for botnet C&C?

Gunter Ollmann, CTO at IOActive, says this isn’t the first time Tor has been exploited for botnets, but it’s mostly been for smaller ones. “There have been a handful of botnets that have made use of Tor or onion routing for various parts of their network. They haven’t been very big botnets,” Ollmann says.

Tor provides a way to obfuscate C&C traffic, he says. “It can hide the final destination of their command-and-control servers. It’s a way of helping to obfuscate or delay any takedowns for their command-and-control servers,” he says.

It’s also a way to drop bigger files onto victim machines, he says. “Many of the botnets you’ll see using Tor or peer-to-peer networks will use those channels as a way for shipping bigger files to install on computers,” especially in pay-per-install schemes, he says.

The Tor Project is asking for help from researchers to take down the botnet. Dingledine says he sees the botnet as more of an experiment at this point.

“I still maintain that if you have a multimillion node botnet, it’s silly to try to hide it behind the 4000-relay Tor network. These people should be using their botnet as a peer-to-peer anonymity system for itself. So I interpret this incident as continued exploration by botnet developers to try to figure out what resources, services, and topologies integrate well for protecting botnet communications,” he says. “Another facet of solving this problem long-term is helping them to understand that Tor isn’t a great answer for their problem.”

The extra traffic incurred by the botnet hasn’t caused any major problems yet, but Dingledine also laid out several options for Tor to sustain the traffic of the millions of new bot clients, which appear to be running the current version of the client, he says. Among the possible actions Tor could take: encourage users to upgrade to the new Tor 0.2.4 version that has stronger security and lower processing overhead, temporarily disable some of the Tor client’s performance features, or reduce the network load.


Article source: http://www.darkreading.com/attacks-breaches/botnet-behind-mysterious-spike-in-tor-tr/240160884

Tripwire Survey: 64% Of IT Profs Don’t Communicate Security Risks

PORTLAND, OREGON — September 5, 2013 — Tripwire, Inc., a leading global provider of risk-based security and compliance management solutions, today released results from an extensive study focused on the state of risk-based security management with the Ponemon Institute. The study examined the disconnect between an organization’s commitment to risk-based security management and its ability to develop the collaboration, communication styles and culture necessary for effective security programs across the organization.

The study respondents included 749 U.S. and 571 U.K. professionals in the following areas: IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management.

“Risk-based security is an extremely complex problem where predictability and outcomes are constantly changing,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “This means that even the most secure and sophisticated organizations experience risk because there are too many variables in play. Effective communication and collaboration across the organization are crucial in mitigating this risk.”

Key findings from the survey include:

64% said they don’t communicate security risk with senior executives or only communicate when a serious security risk is revealed.

47% said that collaboration between security risk management and business is poor, nonexistent or adversarial. 51% rated their communication of relevant security risks to executives as “not effective.”

When asked why communicating relevant security risks to executives was not effective:

68% of the respondents said communications are too siloed

61% said communication occurs at too low a level

61% said the information is too technical to be understood by non-technical management

59% said negative facts are filtered before being disclosed to senior executives and the CEO

“Risk provides the common language that enables a broader business conversation about cybersecurity risks, particularly when dealing with non-technical executives,” noted Dwayne Melancon, chief technology officer for Tripwire. “However, it’s clear from this report that most organizations are missing the majority of opportunities to integrate security risks into day-to-day business decisions. Changing this paradigm will require security professionals to develop new communication skills so they can talk about security risks in terms that are clearly relevant to the top-level business goals.”

For more information about this study please visit: http://www.tripwire.com/ponemon/2013/#collaboration

About the Ponemon Institute

The Ponemon Institute is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors, and verifies the privacy and data protection practices of organizations in a variety of industries.

About Tripwire

Tripwire is a leading global provider of risk-based security and compliance management solutions, enabling enterprises, government agencies and service providers to effectively connect security to their business. Tripwire provides the broadest set of foundational security controls including security configuration management, vulnerability management, file integrity monitoring, log and event management. Tripwire solutions deliver unprecedented visibility, business context and security business intelligence allowing extended enterprises to protect sensitive data from breaches, vulnerabilities, and threats. Learn more at www.tripwire.com or follow us @TripwireInc on Twitter.

Article source: http://www.darkreading.com/management/tripwire-survey-64-of-it-profs-dont-comm/240160886

Security Experts: Expect U.S. Cyber Offensive Efforts To Grow

That the U.S. is stocking its cyber arsenal should come as little surprise, but recent revelations from documents leaked by fugitive Edward Snowden revealed just how much.

Today, reports by the New York Times and The Guardian revealed that the National Security Agency (NSA) and its U.K. equivalent, Government Communications Headquarters (GCHQ), have engaged in a long-running and wide-ranging effort to defeat the encryption widely used on the Web, including SSL, VPN technologies, and new protections used on 4G smartphones.

The disclosure follows the release of a mountain of information contained in documents leaked recently to The Washington Post, which provides a peek at just how much the United States has embraced offensive cyber activity – something security experts say is likely to continue as other countries build cyber arsenals of their own.

“The best way I can explain why is to paraphrase a maxim echoed throughout history which is ‘The best defense is a good offense,'” says Leo Versola, vice president of technology at security solution provider AhnLab. “Defense has always been much harder to successfully implement than offense for obvious reasons. However, I don’t think this will necessarily change the way we [the U.S.] approach other countries suspected of conducting similar operations.”

“Warfare,” says Versola, “is shifting from a physical to a virtual battlefield and the rules of engagement are evolving.”

According to documents obtained by the Washington Post, U.S. intelligence services carried out 231 offensive cyber-operations in 2011. In addition, under a $652 million project code-named GENIE, U.S. specialists have broken into foreign computer networks and placed malware dubbed “implants” on tens of thousands of machines every year.

By the end of 2013, GENIE is expected to control at least 85,000 implants in machines across the globe – roughly four times the number available in 2008, according to the U.S. intelligence budget. Many of the NSA implants are designed by the agency, but $25.1 million was set aside this year to make covert purchase of software vulnerabilities as well.

“Offensive cyber operations will continue to play a key part of the government’s strategy in the future; it only makes sense from a tactical and strategic perspective,” says Rob Kraus, director of research with Solutionary’s Security Engineering Research Team (SERT), adding that “disarming a country through the use of cyber warfare can be very powerful and can be very effective without ever requiring boots on the ground.”

Perhaps the most famous reputed example of America’s offensive capabilities is the Stuxnet malware designed to target Iran as part of an intelligence effort code-named ‘Olympic Games.’ The operation has still not been officially acknowledged by the government despite the New York Times unmasking it in 2012. Snowden has also credited the United States and Israel with creating Stuxnet.

The expansion of these activities is tricky, given the lack of precedent and clear public lines of responsibility for the execution of direct cyber-warfare, says Philip Lieberman, president of Lieberman Software.

“Many existing branches of the military have undertaken an expansion of their missions into cyber-warfare, but details of actual operations are sparse,” he adds. “The USA vs. China intelligence and cyber-warfare scenarios have been complex and opaque, with both sides accusing the other, with both having difficulty in attribution of actions to either side. Welcome to the world of the other side being friend and enemy simultaneously.”

The use of cyber-weapons by the U.S. however comes with a major drawback – the prospect of another country returning the favor, says Kraus.

“One thing to consider is that we are one of the best connected countries in the world, which also provides our adversaries with a larger base of targets to choose from and cause harm to the US,” he says. “So it is not all about offense, but defense must be considered. This is why it is important for the U.S. to continue spending on protecting critical infrastructure.”


Article source: http://www.darkreading.com/privacy/security-experts-expect-us-cyber-offensi/240160914

Consumer Groups To FTC: Block Facebook’s New Privacy Changes

Facebook has privacy advocates up in arms again–this time in the wake of new proposed changes to its data use policy.

A coalition made up of Consumer Watchdog, the Electronic Privacy Information Center (EPIC), the Center for Digital Democracy, Patient Privacy Rights, U.S. PIRG, and Privacy Rights Clearing House has asked the Federal Trade Commission to enforce a previous consent order with Facebook. The privacy advocates say Facebook’s newly proposed Statement of Rights and Responsibilities and Data Use Policy violate Facebook’s 2011 settlement with the FTC.

“The changes will allow Facebook to routinely use the images and names of Facebook users for commercial advertising without consent. The changes violate Facebook’s current policies and the 2011 Facebook settlement with the FTC. The Commission must act to enforce its Order,” the coalition said in a letter to the FTC.

“Facebook has long played fast and loose with users’ data and relied on complex privacy settings to confuse its users, but these proposed changes go well beyond that,” said John M. Simpson, privacy director for Consumer Watchdog. “Facebook’s overreach violates the FTC Consent Order that was put in place after the last major privacy violation; if the Commission is to retain any of its credibility, it must act immediately to enforce that order.”

The proposed changes by Facebook are especially detrimental to Facebook members who are minors, the group says.

Facebook’s new proposed policy says: “If you are under the age of eighteen (18), or under any other applicable age of majority, you represent that at least one of your parents or legal guardians has also agreed to the terms of this section (and the use of your name, profile picture, content, and information) on your behalf.”

That leaves the images and names of minors on Facebook vulnerable, according to the privacy advocates.

Under the Proposed Data Use Policy, Facebook says it now can use any information it receives about members to serve more relevant advertising. “Facebook also makes the remarkable claim under the proposed new policies that ‘User names and User IDs are the same thing.’ This reflects a profound misunderstanding of privacy protection – names are often ambiguous, User IDs are unique identifiers, and it is the misuse of User IDs that has contributed to many of the privacy problems on Facebook,” the privacy group wrote in its letter to the FTC (PDF).

“We urge you to act. The right of a person to control the use of their image for commercial purposes is the cornerstone of modern privacy law,” the coalition said. “Consumer privacy groups have worked diligently to preserve this right and to protect the interests of Facebook users. Now it is up to the FTC based on the Order that is already in place.”


Article source: http://www.darkreading.com/privacy/consumer-groups-to-ftc-block-facebooks/240160899

Google coding glitch locks Apple iOS users out of on-line accounts

Google has once again found itself all over the IT news for a spot of bother with its security software.

The good news is that the problem isn’t quite as dramatic as the recent code verification bugs in Android, because it doesn’t open any security holes.

In fact, it doesn’t affect Android users at all.

It’s a fault, apparently, or was until the app was withdrawn, in the Google Authenticator software in the Apple Store.

The bad news is that if you were affected, you’d have found quite the opposite of security holes: you’d have been locked out of your own accounts.

To explain, the Google Authenticator app is a software-based Two Factor Authentication (2FA) token.

More precisely, it’s a One Time Password (OTP) generator, commonly used to implement the second factor in a 2FA login process.

To protect an account with the Authenticator, you prime the app with a random secret key generated by the server hosting your account; this secret key is saved on the server side, too.

The secret key may be provided as a barcode you simply scan in, or as a character code you type in by hand.

Later on, when you want to log in, for example from your laptop, you type in your username and regular password in the regular way, and then read off the relevant one-time password displayed by the Authenticator app.

This completes the 2FA process, with your username and regular password being the first factor, and the OTP the second.

To make the OTP unique for every login, either a counter (which is bumped up by one every time you try to login) or the current time (to the nearest 30 seconds) is mixed together with the secret key, and hashed to create the OTP.

→ Google Authenticator has some features specific to Google accounts, but can be used with many third party sites as well. It is based on open standards called HOTP (HMAC-Based One-Time Password Algorithm, RFC4226) and TOTP (Time-based One-time Password Algorithm, RFC6238).
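The HOTP and TOTP construction the aside refers to, as an added example that is not the Authenticator’s own code: the shared secret is HMACed with an 8-byte counter (HOTP) or with the number of 30-second steps since the epoch (TOTP), the result is dynamically truncated, and the low six decimal digits become the OTP. The secret and the expected codes are the published RFC 4226/6238 test vectors; the base32 helper and the server-side verifier with a one-step drift window are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct

# The 20-byte ASCII secret used by the RFC 4226 / RFC 6238 test vectors
# (constructed here for the demo; a real account gets a random secret).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC the 8-byte big-endian counter with the shared
    secret, dynamically truncate to 31 bits, keep the low `digits` digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the counter replaced by the number of
    `step`-second intervals elapsed since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, algo)


def secret_from_base32(key: str) -> bytes:
    """Decode a human-typed key of the kind Authenticator accepts: base32,
    with spaces and case ignored and padding optional (assumed helper)."""
    cleaned = key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check (assumed policy): accept the code for the current
    step and up to `window` steps of clock drift either side, comparing in
    constant time so the comparison itself leaks nothing about the code."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Two devices primed with the same key produce the same codes, which is
    # why a backup of the starting key is enough to recover from a lost phone.
    typed = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
    assert secret_from_base32(typed) == RFC_TEST_SECRET
    for counter in range(4):
        print(counter, hotp(RFC_TEST_SECRET, counter))
    print("TOTP at t=59:", totp(RFC_TEST_SECRET, 59))
```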

The big deal in this, of course, is that both you and the server need to have and to hold the secret keys, from this day forward, for better for worse, for richer for poorer, in sickness and in health…

…because if either of you forgets the secret key that goes with an account, you won’t be able to come up with matching OTPs next time you try to log in, and that will be that.

As the Authenticator app itself warns you when you try to delete an account on its list:

Removing this account will remove your ability to generate codes, however, it will not turn off 2-factor authentication.

Before removing: turn off 2-factor authentication for this account, or ensure you have an alternate mechanism for generating codes.

Sadly, removing all your accounts is exactly what happened during a recent upgrade to the iOS version of the Authenticator.

As I said, at least it wasn’t a security hole, though that’s probably cold comfort to anyone who ended up locked out of their own accounts.

And remember that a bug of this sort, no matter how regrettable, is not the most likely way you’ll lose access to accounts that you’ve protected with Google Authenticator.

You’d be just as stuck if you went on an overseas trip and left your mobile device behind by mistake, or if someone stole it, or if you accidentally dropped it over the side of a Harbour Ferry.

So, to reduce the risk of a Denial of Service against yourself, no matter how much you trust the Google Authenticator software:

  • Keep backup copies of the barcodes or starting keys for any account you add to the Google Authenticator. (NB. Don’t store the backups on the laptop you’re protecting with 2FA in the first place! Encrypt them and store them offline, and preferably offsite.)
  • Consider using alternative OTP software, instead or as well as the Authenticator, that makes it easier to take a secure local backup of the secret keys for your accounts after they’ve been activated.
  • Generate account recovery codes for services on which you will be activating 2FA, and keep them in a safe place.

Backup is still important, even in the modern Cloud Era!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/KUbESaxAeDM/

New online banking Trojan empties users’ wallets, videos privates


Bank account-raiding Trojan Hesperbot has infected computers in UK, Turkey, the Czech Republic and Portugal, The Register has learned.

Net security firm Eset said the software nasty is distributed via rather convincing-looking emails, which are dressed up as legit package tracking documents from postal companies or correspondence from an internet provider and other outfits.


These messages try to trick marks into downloading and running a malicious Windows executable, cunningly named with a .pdf.exe file extension.

Once installed, Hesperbot can silently snoop on passwords by logging a user’s keystrokes, take screenshots, record from a video camera if one is connected, intercept network traffic, and pipe all this snaffled data to the crooks’ command server. The Trojan can also set up a hidden VNC service, allowing miscreants to remotely log in and take control of the computer.

Armed with this information, crooks can try to log into victims’ online bank accounts to siphon off their cash.

And on top of that, marks are persuaded to install software on their Symbian, Blackberry or Android phone, which is the mobile malware component of Hesperbot.

It’s estimated hundreds of people have fallen for the scam in Turkey, and dozens in each of the Czech Republic, Portugal and the United Kingdom.

“Analysis of the threat revealed that we were dealing with a banking trojan, with similar functionality and identical goals to the infamous Zeus and SpyEye, but significant implementation differences indicated that this is a new malware family, not a variant of a previously known trojan,” said Robert Lipovsky, ESET malware researcher who leads the team analysing the malware.

More details can be found in a report here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/05/hesperbot_online_banking_trojan/

New, Advanced Banking Trojan Discovered In The Wild

A new, advanced banking Trojan is infecting users in Turkey, the Czech Republic, Portugal, and the United Kingdom, according to researchers at ESET.

In a blog posted on Wednesday, the researchers warned of a Trojan called Win32/Spy.Hesperbot, which does keystroke logging and sets up a remote proxy on the end user’s machine. Hesperbot also does some advanced tricks, such as creating a hidden virtual network computing (VNC) server on the end user’s machine, ESET says.

The Trojan uses a very credible-looking, phishing-like campaign that appears to come from trustworthy organizations to lure its victims, ESET says. “The aim of the attackers is to obtain login credentials giving access to the victim’s bank account and to get them to install a mobile component of the malware on their Symbian, Blackberry or Android phone,” the blog says.

So far, the Trojan hasn’t spread too far. ESET estimates that it has infected several hundred users’ computers in Turkey, and even fewer in the Czech Republic, Portugal, and the United Kingdom. It tries to trick users into loading the malware by sending emails that appear to be tracking information from the local postal service, the blog states.

“In the course of our research, we also stumbled upon an additional component used by Win32/Spy.Hesperbot,” the blog says. “This malware, detected by ESET as Win32/Spy.Agent.OEC, harvests e-mail addresses from the infected system and sends them to a remote server. It is possible that these collected addresses were also targeted by the malware-spreading campaigns.”

The attack is new and may not yet be recognized by all antivirus systems.


Article source: http://www.darkreading.com/end-user/new-advanced-banking-trojan-discovered-i/240160826

World’s Trouble Spots Escalating Into Cyberthreats For Businesses

In the past, companies could avoid the world’s trouble spots, pulling out of war-torn countries and unstable regions to avoid conflict. Yet, as the world’s citizens become more savvy online, local unrest is quickly transforming into global threats that companies cannot easily evade.

The Syrian Electronic Army’s recent attacks against media firms’ domain-name infrastructure are only the latest example of the escalation of local conflicts to the global digital stage. Over the last year, distributed denial-of-service attacks by the Iranian cyber militia known as the Izz ad-Din al-Qassam Cyber Fighters have cost U.S. and European banks millions of dollars. And attacks by hackers aligned with North Korea’s interests have hit both South Korean and U.S. servers.

“The threat landscape has expanded in ways that are almost unimaginable,” says Jeffrey Carr, a cyber threat consultant and founder of Taia Global. “You can’t really anticipate all the different threat actors out there that might be interested in your website, your IP [intellectual property], or your reputation.”

So far, the impact of such digital attacks has been mild, if embarrassing. While security researchers and providers have warned that vulnerable critical infrastructure could be targeted by attackers with catastrophic results, attacks by purported hacktivist groups and patriotic hackers have been limited to denial-of-service attacks, defacements, and propaganda. Most groups seem deterred by the potential repercussions of a serious cyberattack, says Dmitri Alperovitch, co-founder and chief technology officer of CrowdStrike, a startup focused on advanced threats.

“All these actors are cautious actors, because they don’t want to incur too much of a reaction,” he says. “That is likely to continue unless there is actually a conflict in which the regime decides that a greater level of retaliation is needed.”

The ongoing civil war in Syria and the possible punitive bombing of strategic government sites by the U.S. and Western nations has increased tensions, however. So far, Western nations have refused to intercede in the Syrian conflict, which has claimed more than 100,000 lives in the last two years and produced more than 2 million displaced refugees, according to tallies kept by the United Nations and the Syrian Observatory for Human Rights. Yet, with the U.S. and European nations building a case showing that the Syrian government used chemical warfare against rebels, the conflict looks ready to escalate.

The digital side of the conflict could escalate as well. The Syrian Electronic Army has reportedly claimed it would strike back at the United States, if the nation struck at potential chemical weapons storage sites or took other punitive actions.

“We should not be shocked that other countries are using their capabilities to gain whatever advantage they can in the economic sphere or the geopolitical sphere, and that means that the private sector in this country is absolutely a target of these attacks because they are a key part of our infrastructure,” he says.

Knowing that attacks come from Syrian hacktivists or government-sponsored hackers can help companies tune their defenses and implement additional protections around critical data, says Alperovitch. Companies should develop a greater ability to defend their own networks, starting with a good legal framework for what is allowed, he says.

“You are going to have to enable the private sector to allow them to do more in defense of their private networks,” he says. “With these lower-level attacks, we won’t see a response from the U.S. government.”


For the government, the issue is complicated by the fact that attributing attacks to actual actors is difficult. Bouncing communications between multiple computers to hide the source of the controller’s system is technically easy, says Raj Samani, chief technology officer for McAfee’s Europe, Middle East and Africa group.

For that reason, companies should never assume that hacktivists are who they say they are, he says. The barriers to becoming a hacktivist are low: anyone with some knowledge, a few free online tools and a flair for dramatic Pastebin posts can create their own hacktivism group or pretend to be one, he says.

“Hitting the mark on attribution is very difficult in the cyber world,” Samani says. “If I attack your PC today, I can come from any computer in the world, and for you to really go after me, you have to go through a very painstaking and laborious process.”

For that reason, companies should learn what they can by investigating the details of an attack, but not lose sight of the general mission to reduce their attack surface and harden their systems, says Taia Global’s Carr.

“You will never know everyone out there; you will never be able to plan for every contingency,” he says. “So while it is good to know and keep up with who the threat actors are, you cannot anticipate unknown threats.”

Finally, companies need to not just lock down their own systems, but ensure that their suppliers are doing the same. The recent domain takeover that made The New York Times inaccessible for hours, and in some cases days, happened because the news organization’s supplier of DNS services, MelbourneIT, had a third-party reseller whose credentials were compromised.

“In many cases, it is not a question about security but of transparency,” says McAfee’s Samani. “Do you have transparency about all of the risks in your supply chain? And in most cases, the answer is no.”
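The supply-chain point above, and the earlier note that domain protection needs registry locks as well as two-factor authentication, come down to a check a domain owner can actually run: whether the locks on the domain are set by the registrar (which a compromised registrar or reseller account can clear) or at the registry (which the registrar account alone cannot clear). The following is an added example, not code from the Dark Reading article or from any of the companies quoted in it. It classifies the EPP status codes on a domain, as returned either in an RDAP domain object's `status` array (RFC 8056 spells them as lower-case spaced strings such as "server transfer prohibited") or on legacy WHOIS "Domain Status:" lines (camelCase codes such as clientTransferProhibited). The function and variable names and the sample RDAP and WHOIS records are constructed for this example and describe no real domain.

```python
import re

# EPP status codes as they appear in an RDAP domain object's "status" array
# (RFC 8056 maps e.g. clientTransferProhibited to "client transfer prohibited").
# client* locks are set and cleared through the registrar (or a reseller holding
# registrar credentials); server* locks are set at the registry and are what a
# "registry lock" service turns on, so they survive a registrar-side compromise.
REGISTRAR_LOCKS = frozenset({
    "client transfer prohibited",
    "client update prohibited",
    "client delete prohibited",
})
REGISTRY_LOCKS = frozenset({
    "server transfer prohibited",
    "server update prohibited",
    "server delete prohibited",
})

_CAMEL_BOUNDARY = re.compile(r"(?<=[a-z])(?=[A-Z])")


def normalize_status(token: str) -> str:
    """Map an EPP camelCase code or an RDAP status string to the RDAP spaced form."""
    spaced = _CAMEL_BOUNDARY.sub(" ", token.strip())
    return re.sub(r"\s+", " ", spaced).lower()


def assess_statuses(domain: str, statuses) -> dict:
    """Split a domain's lock statuses into registrar-level and registry-level locks
    and report which registry-level locks are missing."""
    present = {normalize_status(s) for s in statuses}
    missing = sorted(REGISTRY_LOCKS - present)
    return {
        "domain": domain.lower(),
        "registrar_locks": sorted(REGISTRAR_LOCKS & present),
        "registry_locks": sorted(REGISTRY_LOCKS & present),
        "missing_registry_locks": missing,
        "registry_locked": not missing,
    }


def assess_rdap(rdap: dict) -> dict:
    """Assess an already-parsed RDAP domain object (the JSON an RDAP server returns)."""
    return assess_statuses(rdap.get("ldhName", ""), rdap.get("status", []))


_WHOIS_DOMAIN = re.compile(r"^\s*Domain Name:\s*(\S+)", re.I | re.M)
_WHOIS_STATUS = re.compile(r"^\s*Domain Status:\s*(\w+)", re.I | re.M)


def assess_whois(text: str) -> dict:
    """Assess legacy WHOIS text, where each lock is a separate 'Domain Status:' line."""
    m = _WHOIS_DOMAIN.search(text)
    domain = m.group(1) if m else ""
    return assess_statuses(domain, _WHOIS_STATUS.findall(text))


# Constructed sample records for this example; they are not real registry data.
SAMPLE_RDAP_REGISTRAR_ONLY = {
    "objectClassName": "domain",
    "ldhName": "EXAMPLE-NEWS.COM",
    "status": ["client transfer prohibited", "active"],
}
SAMPLE_RDAP_REGISTRY_LOCKED = {
    "objectClassName": "domain",
    "ldhName": "example-bank.com",
    "status": [
        "client transfer prohibited", "client update prohibited",
        "client delete prohibited", "server transfer prohibited",
        "server update prohibited", "server delete prohibited",
    ],
}
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-NEWS.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.EXAMPLE-NEWS.COM
"""

if __name__ == "__main__":
    for result in (assess_rdap(SAMPLE_RDAP_REGISTRAR_ONLY),
                   assess_rdap(SAMPLE_RDAP_REGISTRY_LOCKED),
                   assess_whois(SAMPLE_WHOIS)):
        if result["registry_locked"]:
            verdict = "registry locked"
        else:
            verdict = "NOT registry locked; missing " + ", ".join(result["missing_registry_locks"])
        print(f"{result['domain']}: {verdict}")
```

A domain that shows only client-side locks is in the position the article describes: anyone who obtains registrar or reseller credentials can clear those locks and repoint the name servers. The registry-set server-side locks require an out-of-band step with the registry to change, which is the control the bracketed note above calls a registry lock. Feed the function the live RDAP output for your own domains and treat any entry in `missing_registry_locks` as a finding.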


Article source: http://www.darkreading.com/advanced-threats/worlds-trouble-spots-escalating-into-cyb/240160851

BlackBerry Joins FIDO Alliance And Board; Seeks Secure, Universal Authentication For Mobile Platform And Device Users

WATERLOO, ON and PALO ALTO, CA – The FIDO (Fast IDentity Online) Alliance, an industry consortium revolutionizing online authentication with the first standards-based specifications, today announced that BlackBerry (NASDAQ: BBRY; TSX: BB) has joined the Alliance and been appointed to the Board of Directors.

FIDO members commit to share technology and collaborate to deliver open specifications for universal strong authentication that enables FIDO-compliant authentication methods to be interoperable, more secure and private, and easier to use. BlackBerry is among the first mobile platform and mobile device suppliers to engage with the FIDO Alliance to equip customers with easy-to-use strong authentication, allowing them to move from site to site securely without having to enter identifying information multiple times. As a FIDO Alliance Relying Party (RP), BlackBerry will be able to better serve its millions of customers on BlackBerry.com, and people who use BBM™, BlackBerry Protect and other BlackBerry services around the world, as well as developers submitting apps on the BlackBerry World™ storefront.

“We welcome BlackBerry to the FIDO Alliance board as one of the world’s leading mobile platforms and mobile device providers. BlackBerry’s addition to the FIDO Alliance moves the mobile industry closer to universal strong authentication using the open FIDO specifications that embrace all use cases,” said Michael Barrett, FIDO Alliance president. “We also prize BlackBerry among the Internet’s leading relying parties, with the potential to allow millions of users to utilize open strong authentication.”

From initial design and manufacturing to developing tamper resistant hardware and software for securing data at rest or in transit, security has been the central element of the BlackBerry value proposition since its inception. BlackBerry provides all the components to offer secure Enterprise Mobility Management (EMM) for BlackBerry, iOS and Android™ devices. BlackBerry also demonstrates the same dedication to perfecting and standardizing security protocols.

“BlackBerry is deeply committed to remaining the Gold Standard in mobile security while providing a model for others to adopt and follow,” said Brian McBride, Technical Director for Identity at BlackBerry. “Offering safe, reliable access for our customers across the globe is inherent to everything BlackBerry does as an organization. We are both excited and proud to join the FIDO Alliance to help extend mobile security best practices and standards to the global community as the alliance strives to achieve universal secure authentication.”

The FIDO protocol will support a full range of authentication technologies, including biometrics such as fingerprint scanners, voice and facial recognition, as well as existing solutions and communications standards, such as Trusted Platform Modules (TPM), USB Security Tokens, Near Field Communication (NFC), One Time Passwords (OTP), embedded Secure Elements (eSE), and many other existing and future technology options. The open protocol is designed to be extensible and to accommodate future innovation, as well as protect existing investments. The FIDO protocol allows the interaction of technologies within a single infrastructure, enabling security options to be tailored to the distinct needs of each user and organization.

Organizations that want to influence the development of the FIDO specifications and ensure that the open standards address their use cases and requirements should join the FIDO Alliance now. FIDO Alliance members will define the market requirements, contribute to the FIDO specifications and be part of the ecosystem that will address the broad range of use cases and technologies. The FIDO Alliance invites all companies and organizations to join the Alliance and become active members.

About BlackBerry

A global leader in wireless innovation, BlackBerry revolutionized the mobile industry when it was introduced in 1999. Today, BlackBerry aims to inspire the success of our millions of customers around the world by continuously pushing the boundaries of mobile experiences. Founded in 1984 and based in Waterloo, Ontario, BlackBerry operates offices in North America, Europe, Asia Pacific and Latin America. BlackBerry is listed on the NASDAQ Stock Market (NASDAQ: BBRY) and the Toronto Stock Exchange (TSX: BB). For more information, visit www.blackberry.com.

About The FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The Alliance plans to change the nature of authentication by developing standards-based specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to easily and securely authenticate users of online services.

Article source: http://www.darkreading.com/mobile/blackberry-joins-fido-alliance-and-board/240160856