STE WILLIAMS

8 in 10 small UK firms hacked last year

Infosec 2013 Over 80 per cent of small businesses in the UK suffered a computer security breach last year, according to new government research. And the proportion of large firms that reported attacks has reached a whopping 93 per cent.

The Department for Business, Innovation and Skills’ 2013 hacking survey found that 87 per cent of small businesses across all sectors had experienced a breach in the last year. This is up more than 10 percentage points on the previous year’s figures. The department is hoping its “Innovation Vouchers” incentive scheme will allow these businesses to protect their assets from the costly attacks.


The department’s Technology Strategy Board is extending its Innovation Vouchers scheme to allow SMEs to bid for up to £5,000 from a £500,000 pot to improve their cyber security using external expertise. BIS is also publishing guidance to help small businesses give cybersecurity a higher profile in their businesses.

The average attack caused a Blighty SMB between £35,000 and £65,000 worth of damage – while large firms’ breaches set them back by an average of £450,000 to £850,000, although several individual breaches cost more than £1m.

Minister for Universities and Science David Willetts said: “Keeping electronic information safe and secure is vital to a business’s bottom line. Companies are more at risk than ever of having their cyber security compromised, in particular small businesses, and no sector is immune from attack. But there are simple steps that can be taken to prevent the majority of incidents.

“The package of support we are announcing today will help small businesses protect valuable assets like financial information, websites, equipment, software and intellectual property, driving growth and keeping UK businesses ahead in the global race.”

The survey, out Tuesday, also revealed that 93 per cent of large organisations (those which employ more than 250 workers) had reported breaches in the past year. The median number of breaches suffered was 113 for a large organisation (up from 71 a year ago) and 17 for a small business (up from 11 a year ago).

Both figures suggest that companies which report hacker attacks are doing so more often. Over three in four (78 per cent) large organisations that responded said they’d been attacked by an unauthorised outsider (up from 73 per cent a year ago) and 63 per cent of small businesses said the same (up from 41 per cent a year ago).

Twelve per cent of respondents said the worst security breaches were partly caused by senior management giving insufficient priority to security.

According to the survey, 36 per cent of the “worst security breaches” were caused by inadvertent human error.

Andrew Miller, PwC information security director, said: “Spending on cyber control as a percentage of an organisation’s IT budget is up this year from an average of 8 per cent to 10 per cent, but the number of breaches and their impact is also up as well so it is clear that there is work to be done in measuring the effectiveness of the security spend.”

Mike Cherry, national policy chairman of the Federation of Small Businesses, welcomed the government’s push to improve security at UK SMEs.

“Cybersecurity is an increasing risk for small and micro businesses and more and more, a barrier to growth. The FSB is very pleased to see the government announce a package of measures including specific guidance for small firms, helping them take steps towards more effective cybersecurity.”

According to Government Communications Headquarters, four in five (80 per cent or more) of currently successful attacks can be prevented by simple best practice, such as ensuring staff do not open suspicious-looking emails or ensuring sensitive data is encrypted.

The 2013 Information Security Breaches Survey (ISBS) was funded by BIS and carried out by PwC in conjunction with the Infosecurity Europe trade show. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/23/breach_survey/

US Air Force beats off competition in NSA hacking fight

A four-day hacking competition run by the National Security Agency (NSA) to find the top military system designers and administrators has awarded the 13th annual Cyber Defense Exercise (CDX) prize to a team from the US Air Force Academy.

“CDX offers an unparalleled opportunity for some of the nation’s top students to showcase their cyber skills to NSA’s leading practitioners,” said Neal Ziring, technical director of the NSA’s Information Assurance Directorate in a statement.

“America increasingly needs professionals with highly technical cyber skills to help the country remain safe and adapt with greater agility. We need the best and brightest to help us defeat our adversaries’ new ideas.”

Teams from the US Military Academy, US Naval Academy, US Air Force Academy, US Coast Guard Academy, Naval Postgraduate School, the Royal Military College of Canada, and the US Merchant Marine Academy designed and built their own virtual networks, which were then bombarded with malware and system attacks for 84 hours straight by “red team” attackers.

Image: US Air Force computer hackers (caption: Those magnificent men on their hacking machine)

The CDX contest isn’t just about learning to defend networks. The other purpose is to give the 60 computer experts who make up the NSA’s Red Team some opportunity to practise their hacking skills against a motivated set of network operators. Attackers and defenders worked round the clock in the competition to bring down hardware and software, or to keep it up.

The teams of students had to defend their networks (housed in a closed system at Lockheed Martin’s Maryland facility) against publicly available vulnerability attacks but – more importantly – had to log all activity and explain their actions to a panel of examiners. For the second year running, the fly-boys (and girls) were awarded the top prize – the Air Force’s fourth win in 13 years.

Martin Carlisle, who led the 28-member team, said that the skills his team demonstrated will become increasingly important in the years ahead. “Our nation is under attack. We need to train up a new generation of leaders,” he told Reuters.

The win is hard news for the Army’s US Military Academy. The Green Machine’s hacking grunts clinched the first ever CDX trophy in 2001 and were on a five-contest winning streak until last year. Their attempts were beaten back this time, but the competition next year is expected to be fierce. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/23/us_airforce_hacking_competition/

Firewall tech pioneer Gil Shwed: Former teen sysadmin on today’s infosec biz

Feature Twenty years after the technology behind FireWall-1 was first developed, the teenage coding prodigy who founded Check Point says that “IT security is [still] very hot”.

Shwed, 44, is the co-founder, chief exec and chairman of Check Point, whose FireWall-1 software, according to the firm, is installed at every Fortune 100 company. Check Point claims FireWall-1 has never been breached.


At the tender age of 10, Shwed began taking weekly computer classes in his home town of Jerusalem and soon began showing up to the computer room every day, so he could learn on his own. By the age of 12, he had secured a summer job coding for a language-translation software company.

Shwed never went to university. While still at school at age 14, Shwed says he started an almost full-time job as a system administrator at Hebrew University in Jerusalem. From the age of 16, the university put him in charge of its computer systems for around two years until he began his national service in the army at age 18.

During his army service in the Israel Defense Forces, Shwed reportedly joined the IDF’s Intelligence Corps (Unit 8200) where he put together military computer networks enabling certain users to access confidential materials blocked to other less privileged and trusted users. Shwed kept the idea in mind when he completed his military service in 1990.

After the army, Shwed joined the Israeli startup company Optrotech as a software developer, where he met Marius Nacht.

Shwed, Nacht and another friend, Shlomo Kramer, who had served with Shwed in the IDF, saw the potential of technology to filter and control traffic to separate computers on business networks from the wider internet. The idea behind what became FireWall-1 was first developed in April 2003. The three friends started Check Point Software a few months later, in July 1993.

The trio realised that businesses that connected themselves to the internet would need safeguards, creating a market for the port control protocol and blocking capabilities that were the main feature of early firewalls. The stateful inspection* technology Shwed developed and patented is still in use in modern firewalls, albeit in a highly revamped form.

It’s hard to imagine now, but at the time few people knew what the internet was – much less that it posed a network security risk that needed guarding. The World Wide Web was a brand new concept, and browser software had not yet been invented.

Shwed, Kramer and Nacht – all in their early twenties at the time – worked in a relative’s apartment, programming for 12-14 hours a day, and emerged with a product after a year’s hard graft.

The team gave FireWall-1 its first public debut at the 1994 NetWorld Interop show in Las Vegas. The trio reportedly shared a booth with another company, and brought no promotional items, just their product, FireWall-1. Despite their apparent lack of marketing savvy, FireWall-1 ended up winning the best-in-show award, helping to propel Check Point into the limelight.

In 1994 Check Point signed an OEM agreement with Sun Microsystems. It followed this up with a deal with HP a year later. The firm went public a year after that, in 1996.

Check Point’s range of software products includes firewalls, UTM appliances, endpoint security (partly through the ZoneAlarm acquisition), virtualisation security, and various products that integrate network management and security.

Shwed has been at the helm throughout. The 44-year-old comes across as essentially a geek, albeit one with a shrewd business mind, who is proud of the company and the people it employs.

Shwed is a member of the board of trustees of Tel Aviv University and the chairman of the board of trustees of the Youth University of Tel Aviv University. He is also a member of the board of directors of Yeholot Association, which works to reduce dropout rates in high schools. Shwed is more than rich enough to retire or throw himself full time into charity work like Bill Gates but that would mean relinquishing his role at the company, which he obviously relishes. During the keynote for Check Point’s European user conference, he spoke of the possibility of remaining at the helm for another 10 or even 20 years.

“I like it, so why should I do something else? The chances of founding another firm that’s as interesting and successful aren’t high,” Shwed said, adding that everyone at the company was working to keep Check Point independent.

Shwed added that the attitude adopted by security vendors and experts has changed over the years from “don’t do that it’s dangerous” to an attitude more in tune with understanding business requirements, such as implementing secure links to branch offices and home workers using VPN (virtual private network) technology. Firewall technology has moved away from the perimeter and into the data centre, he said.

The Check Point boss reckons that IT security remains an exciting sector for budding entrepreneurs and technologists. “IT security is very hot,” Shwed said during a press conference at the recent Check Point Experience user conference in Barcelona, Spain. “It gets a lot of attention in the media.

“That said, information security is much more competitive; it’s hard to develop something completely new. There are so many segments and sub segments, so you [have to] educate security distributors and the channel.

“But when I first started out I had to persuade people there was a market for the internet, so at least there’s not that problem.” ®

Bootnote

*A stateful firewall is programmed to keep tabs on the state of network connections (such as TCP streams or UDP communications) which move across it – a feature that made the technology more sophisticated than a simple packet filter.

The technology is designed to distinguish legitimate packets belonging to the different types of connections it tracks from rogue or hacker-generated traffic. Only packets matching a known active connection will be allowed to pass through the firewall; others will be rejected or blocked.

This compares with stateless inspection, which is pure packet filtering. Stateless means there is no memory of previous packets, which makes the firewall vulnerable to spoofing attacks as it has no way of knowing if any given packet is part of an existing connection, is a new connection, or is just a rogue packet.
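The difference the bootnote describes can be shown in a few dozen lines. The following is an added illustration, not Check Point code or anything from the article: a hypothetical minimal packet model, a stateless filter that can only trust the ACK flag on the packet itself, and a connection-tracking filter that admits inbound packets only when they reverse a flow the inside network opened. The addresses, ports and the `10.0.0.` inside prefix are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Hypothetical minimal packet model for this example; a real firewall
# works on parsed IP/TCP/UDP headers instead.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    syn: bool = False   # TCP SYN flag: a new connection attempt
    ack: bool = False   # TCP ACK flag: claims to belong to an existing connection

INSIDE = "10.0.0."      # constructed prefix of the protected network

def is_outbound(pkt: Packet) -> bool:
    return pkt.src.startswith(INSIDE)

def stateless_allow(pkt: Packet) -> bool:
    """Pure packet filter. It has no memory of earlier packets, so the only
    way to let replies back in is to trust the ACK flag on the packet
    itself: any inbound packet that sets ACK is accepted, spoofed or not."""
    if is_outbound(pkt):
        return True
    return pkt.ack

FlowKey = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)

class StatefulFirewall:
    """Connection-tracking filter: remembers flows the inside network
    opened and admits inbound packets only when they match one of them.
    (A production implementation also ages entries out and follows the
    TCP state machine; that is omitted here.)"""

    def __init__(self) -> None:
        self.flows: Set[FlowKey] = set()

    @staticmethod
    def _forward(pkt: Packet) -> FlowKey:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse(pkt: Packet) -> FlowKey:
        # The reply to a flow swaps source and destination.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def allow(self, pkt: Packet) -> bool:
        if is_outbound(pkt):
            # A TCP flow is opened by a SYN; UDP has no handshake, so any
            # outbound datagram opens a pseudo-flow for its replies.
            if pkt.proto == "udp" or pkt.syn:
                self.flows.add(self._forward(pkt))
            return True
        # Inbound: admit only if it reverses a flow the inside opened.
        return self._reverse(pkt) in self.flows

def demo() -> Dict[str, Tuple[bool, bool]]:
    """Constructed traffic: a genuine outbound connection, its reply, and a
    spoofed inbound packet dressed up as a reply with ACK set.
    Returns (stateless verdict, stateful verdict) per packet."""
    fw = StatefulFirewall()
    real_out = Packet("10.0.0.5", 40000, "198.51.100.7", 443, "tcp", syn=True)
    real_in = Packet("198.51.100.7", 443, "10.0.0.5", 40000, "tcp", syn=True, ack=True)
    spoofed = Packet("203.0.113.9", 443, "10.0.0.5", 40000, "tcp", ack=True)
    return {
        "outbound": (stateless_allow(real_out), fw.allow(real_out)),
        "genuine_reply": (stateless_allow(real_in), fw.allow(real_in)),
        "spoofed_reply": (stateless_allow(spoofed), fw.allow(spoofed)),
    }

if __name__ == "__main__":
    for name, (stateless, stateful) in demo().items():
        print(f"{name:14s} stateless={stateless!s:5s} stateful={stateful}")
```

The spoofed packet is the point of the bootnote: it carries a plausible destination port and the ACK flag, so the stateless filter passes it, while the stateful filter rejects it because no inside host ever opened a flow to 203.0.113.9.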

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/23/check_point_profile/

Java still vulnerable despite recent patches

Just days after the latest fix, another Java vulnerability has emerged.

Described in this Full Disclosure post, the Reflection API flaw affects all versions of Java SE 7 and, according to researcher Adam Gowdiak, “can be used to achieve a complete Java security sandbox bypass on a target system”.


As always, the victim would need to fail the Java user IQ test – not only still having it installed, but clicking “yes” to allow a malicious app to execute.

Gowdiak writes that his company, Security Explorations, has sent the vulnerability report along with proof-of-concept code to Oracle.

The vulnerability, he writes, is present in JRE Plugin software, the JDK, and the Server JRE.

The company says that since it has been reporting Reflection API issues to Oracle since April 2012, “it looks like Oracle was primarily focussed on hunting down potentially dangerous Reflection API calls in the “allowed” classes space.”

Last week, Oracle issued a patch covering 42 security flaws of which 19 held a top severity rating. The patches included an attempt to alert users when they were about to do something silly, such as allowing an in-browser Java app to actually do anything.

The Register has requested comment from Oracle on the latest vulnerability. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/23/java_reflection_api_an_insecure_mess/

BadNews, fandroids: MILLIONS of Google Play downloads riddled with malware

At least two million Google Play downloads gave Android users an unwanted freebie in the form of BadNews, a piece of malware which masqueraded as a legitimate advertising network.

The malware was integrated into 32 different apps in the Google Store, according to mobile security specialist Lookout. Those apps have been downloaded more than two million times, exposing users to embedded advertising – but the ads then push users towards fake app updates – which in turn send out premium-rate SMS messages via the well-known AlphaSMS malware.


BadNews, as the malware has been dubbed by Lookout, slipped by Google’s automated detection by posing as a legit advertising network. Such networks fund free apps by supplying standard-sized advertisements, and so BadNews, like a real ad network, shows ads for other applications by the same authors.

After phoning home to the authors’ command-and-control servers, BadNews displays “essential” updates for the popular Russian social network Vkontakte’s app, as well as Skype’s app. Both of these “updates” lead directly to known infected files.

Those infections are APK files so the user still has to agree to the installation, which will be blocked by Lookout (or your other security software of choice). One could argue that that’s hardly worse than the entirely legitimate embedding of links to premium-rate numbers, which don’t even trigger a warning dialogue box, but BadNews does demonstrate how malware authors are gaming the system.

That system starts with Google Bouncer – Google’s automatic app taste test, which is supposed to weed out malware before it gets listed. However, five minutes of automated testing won’t spot this kind of scam, so Android depends on the wisdom of the masses.

Lookout said:

It is not clear whether some or all of these apps were launched with the explicit intent of hosting BadNews or whether legitimate developers were duped into installing a malicious advertising network. However, based on our analysis of the backend code behind a number of these purported ad networks there is little doubt that BadNews is a fraudulent monetization SDK.

Malware apps are quickly identified by the first user who gets burnt. The user (hopefully) shares the experience and prevents further infection of unwitting users, which is why BadNews is such a significant development. Once installed the new malware simply polls a command server every four hours, sending back the user’s phone number and IMEI, which means the malware’s authors can rack up some positive feedback on Google Play before triggering the infection once the software is widely installed.

For users that just means being more wary of peer reviews, and remembering not to install anything which looks dodgy. Users who doubt their ability to judge apps’ potential dodginess should probably install some security software too, or switch to a platform less targeted by malware authors. ®
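The four-hourly poll to a command server described above is timer-driven traffic, and near-constant gaps between connections are something a defender can look for in egress logs even before any payload is triggered. The following is an added example, not Lookout’s code or anything from the article: it reads a constructed log of outbound connections in a hypothetical `timestamp app destination` format and flags app/destination pairs whose inter-connection intervals have a very low coefficient of variation. The package name and hostnames are made up for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Constructed outbound-connection log (hypothetical format:
# "<ISO timestamp> <app package> <destination host>"). One pair beacons
# every four hours with a few seconds of jitter; the other is ad hoc.
SAMPLE_LOG = """\
2013-04-22T00:02:11 com.example.wallpapers ads.example-net.test
2013-04-22T00:13:40 com.example.wallpapers cdn.example.test
2013-04-22T04:02:09 com.example.wallpapers ads.example-net.test
2013-04-22T08:02:12 com.example.wallpapers ads.example-net.test
2013-04-22T09:47:30 com.example.wallpapers cdn.example.test
2013-04-22T12:02:10 com.example.wallpapers ads.example-net.test
2013-04-22T16:02:13 com.example.wallpapers ads.example-net.test
2013-04-22T20:02:08 com.example.wallpapers ads.example-net.test
2013-04-22T15:30:00 com.example.wallpapers cdn.example.test
"""

Key = Tuple[str, str]   # (app, destination)

def parse_log(log: str) -> Dict[Key, List[datetime]]:
    """Group connection timestamps by (app, destination)."""
    events: Dict[Key, List[datetime]] = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, app, host = line.split()
        events[(app, host)].append(datetime.fromisoformat(ts))
    return events

def beacon_score(times: List[datetime], min_events: int = 4) -> Optional[Tuple[float, float]]:
    """Return (mean interval in seconds, coefficient of variation) for a
    series of timestamps, or None if there are too few to judge.
    A low CV means the gaps are nearly identical, i.e. timer-driven."""
    if len(times) < min_events:
        return None
    ordered = sorted(times)           # log lines need not be in order
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mu = mean(gaps)
    if mu <= 0:
        return None
    return mu, pstdev(gaps) / mu

def find_beacons(log: str, max_cv: float = 0.1, min_events: int = 4) -> Dict[Key, Tuple[float, float]]:
    """Flag (app, destination) pairs whose connection intervals are regular
    enough (CV at or below max_cv) to look like a scheduled poll."""
    hits: Dict[Key, Tuple[float, float]] = {}
    for key, times in parse_log(log).items():
        score = beacon_score(times, min_events)
        if score is not None and score[1] <= max_cv:
            hits[key] = score
    return hits

if __name__ == "__main__":
    for (app, host), (interval, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{app} -> {host}: every {interval / 3600:.2f} h, CV={cv:.4f}")
```

The threshold is deliberately loose; real beaconing code often adds random jitter, so in practice the check is combined with other signals (the destination’s reputation, what the app claims to need the network for, and whether the polled host ever serves a payload). Connections to the content host are not flagged here both because there are too few of them and because their spacing is irregular.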

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/22/android_malware_badnews/

Microsoft: Worried about web privacy? Tell us everything…

Microsoft has launched a drive to stop people splurging their personal information all over the internet – by asking them to splurge their personal information all over the internet.

As well as a series of telly commercials, Microsoft has put together a special questionnaire designed to discover whether visitors are “carefree surfers, digital veterans or somewhere in-between”.


Visitors to the new privacy microsite are asked to share details of which social networks they use, what sort of information they share publicly and how much care they take to cover their tracks online. This data is then harvested by Edelman, the company commissioned to carry out the survey, along with details of the IP address of whoever fills in the survey.

Although the website expressly states that it “does not request or collect any personal information”, this claim appears to be contradicted by the later statement:

This survey collects information about your response such as the Internet Protocol (IP) address through which you access the Internet and the date and time you access the survey. This information is used to help improve the survey, analyze trends, and administer the survey.

Microsoft’s research indicates that 85% of Americans are concerned about their privacy online, indicating a clear need for privacy-invading questionnaires to help clear the problem up.

In a blog post, Ryan Gavin, Windows general manager, wrote: “Very few of us believe that sharing some personal data online is a bad thing. It’s part of our everyday routines to fill out profiles, login to sites, and oftentimes provide personal information like our credit card or phone numbers in order to take advantage of all the web has to offer. In fact, the more personal and relevant the web gets, the better it can get.

“Yet, at some point, we all draw a line where we are uncomfortable sharing more. And when we think we’re being tracked, particularly by those we may not have a direct relationship with, our tolerance drops,” Gavin said, apparently with a straight face.

“And while tracking isn’t bad per se, we typically reach our information-sharing breaking point with very personal data, like items related to our kids or our health.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/22/microsoft_privacy_questionairre/

Blogger, activist pals answer Anons’ CISPA website blackout call

Almost 400 websites around the world have shut down services as part of a protest against new US cybersecurity laws.

The blackout was organised by hacktivist collective Anonymous in protest against the Cyber Intelligence Sharing and Protection Act (CISPA) – in a similar way to the Stop Online Piracy Act (SOPA) blackout last year, when web giant Google and Wikipedia went dark to highlight the campaign.


So far, none of the names involved in the CISPA shutdown have been as big as those involved in the SOPA protests. The blogs and websites involved are mostly linked to the hacktivist/activist community, according to a list published here.

More than 827,000 people have signed an online petition against the new laws, which are seen as allowing the government to pry into netizens’ online lives using the flimsiest of justifications. The Act also allows the government to share “cyber threat intelligence” with private-sector entities.

The petition blurb says:

Right now, the US Congress is sneaking in a new law that gives them big brother spy powers over the entire web — and they’re hoping the world won’t notice. We helped stop their Net attack last time, let’s do it again.

Over 100 Members of Congress are backing a bill (CISPA) that would give private companies and the US government the right to spy on any of us at any time for as long as they want without a warrant. This is the third time the US Congress has tried to attack our Internet freedom. But we helped beat SOPA, and PIPA — and now we can beat this new Big Brother law.

Although activists have shut down their websites, Anonymous was keen that they continue tweeting using the hashtag #CISPABlackout. Anons provided supporters with simple HTML code allowing them to quickly black out their own sites.

Opponents of CISPA fear it will allow private companies to share information with the government, including emails and private messages, giving police an unparalleled ability to snoop on American citizens.

Twitter user Dylan Wolters summed up the mood with the following nugget:

The Electronic Frontier Foundation have launched an online service allowing angry CISPA opponents to write to their senator.

Its FAQ on CISPA says:

The bill purports to allow companies and the federal government to share information to prevent or defend against network and other Internet attacks. However, the bill grants broad new powers, allowing companies to identify and obtain “threat information” by looking at your private information.

It is written so broadly that it allows companies to hand over large swathes of personal information to the government with no judicial oversight—effectively creating a “cybersecurity” loophole in all existing privacy laws.

The CISPA law was passed in the Republican-controlled House of Representatives last week, with 288 votes in favour and 127 votes against, but now has to pass through the Democrat-held Senate to make it into law.

An amendment to the law which would ban employers asking their minions to hand over Facebook or Twitter passwords has already been blocked. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/22/anonymous_cispa_shutdown/

Japanese Feds urge ISPs to support Tor ban plan

Japan’s technology-illiterate police have put themselves in the firing line once again after recommending what amounts to a blanket ban on the use of the Tor anonymiser network in the country.

The FBI-like National Police Agency is set to request ISPs to voluntarily block communications if the customer is found to have “abused” the service online, according to The Mainichi.


Given that there’s no way of actually checking what Tor is being used for in a particular instance, as it anonymises traffic, the implication is that if someone is using it they must be up to no good.

The recommendations were made at the end of last week by an NPA panel set up to work out how best to tackle cyber crimes using Tor.

The panel claimed it has been used in the past to commit internet fraud, help paedophiles groom kids online and, tellingly, enabled leaks from Tokyo’s Metropolitan Police Department.

Most recently it was used in a high profile case in Japan which exposed the NPA’s lack of cyber savvy.

A hacker known as Demon Killer disguised his IP address using the system, and took control of other PCs with the iesys.exe virus to post bomb threats on popular message boards.

In a massive loss of face for the NPA, the Feds arrested four suspects who turned out to be victims of iesys.exe – which was used to send the offending emails from their computers – and even managed to extract false confessions.

One suspect was held for weeks before Demon Killer posted another message while he was still in custody.

The hacker then led the NPA a merry dance, luring them to an island near Tokyo where they captured a cat carrying a memory stick in its collar containing the source code for the virus. Thirty-year-old IT worker Yusuke Katayama was finally arrested soon after once the cops studied CCTV footage from the area.

It might not be particularly popular among Japanese law enforcers, but Tor has a more laudable reputation elsewhere, having been used to good effect by pro-democracy activists in the Middle East during the Arab Spring.

It remains to be seen what kind of backlash from the ISP community and Japanese netizens the new police recommendations lead to. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/22/tor_japan_police_ban/