iTWire - Security (Technology news, trends, reviews, jobs) http://www.itwire.com Sun, 01 Mar 2015 17:40:43 +1100

Which pieces of software have the most (known) vulnerabilities? http://www.itwire.com/business-it-news/security/67113-which-pieces-of-software-have-the-most-known-vulnerabilities?

GFI Software product manager Cristian Florian has analysed the 2014 data from the US National Vulnerability Database and made some interesting observations.

The number of vulnerabilities added each year to the US National Vulnerability Database has been rising fairly steadily since 2011, reaching 7,038 in 2014 (see graph above).

"24% of these vulnerabilities are rated as high severity. The percentage is lower than in 2013, but the actual number of high security vulnerabilities has increased compared to last year," observed GFI Software product manager Cristian Florian.

And as various observers have noted over the years, applications rather than operating systems are where most of the action is.

Florian calculated that 83% of reported vulnerabilities were in applications, with just 13% in operating systems. The other 4%? Hardware devices.

The top five applications - or should that be the bottom five? - come as no surprise. Listing total vulnerabilities followed by those rated high severity: Internet Explorer (242, 220 of them high), Chrome (124, 86), Firefox (117, 57), Java (104, 50) and Flash Player (76, 65).

Florian noted "web browsers continue to have the most security vulnerabilities because they are a popular gateway to access a server and to spread malware on the clients. Adobe free products and Java are the main challengers."

We don't think Florian means that the popularity of these products magically makes them have more vulnerabilities, only that it leads security researchers (of the black, white or grey hatted persuasion) to scrutinise them more closely.

Florian's analysis of operating system vulnerabilities has been questioned by some, as it separates the currently supported versions of Windows but lumps all OS X and iOS versions together.

Florian OS chart

But if you look at Microsoft's security bulletins, you typically find that a given vulnerability affects several supported versions of Windows at once, unless it lies in a component introduced in Windows 8. Summing the per-version Windows figures therefore counts the same bug several times, so don't add them up and claim there were more vulnerabilities in Windows than in OS X.
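The bucketing and the double-counting caveat above can be made concrete. The following is an added example, not GFI's or NVD's own tooling: it classifies each record by the "part" field of its CPE 2.3 names (a = application, o = operating system, h = hardware) and counts a record at most once per bucket and once per product, however many Windows versions it lists. The records are constructed for illustration (the SAMPLE ids, scores and products are made up, not real NVD entries), and the flat `id`/`cvss`/`cpes` layout is an assumption about how a feed was pre-processed, not NVD's schema.

```powershell
# Added example: classify vulnerability records by CPE part and count each
# record once per bucket. Sample data below is constructed, not real NVD data.

$records = @'
[
  { "id": "SAMPLE-0001", "cvss": 9.3,
    "cpes": [ "cpe:2.3:a:microsoft:internet_explorer:11:*:*:*:*:*:*:*" ] },
  { "id": "SAMPLE-0002", "cvss": 7.2,
    "cpes": [ "cpe:2.3:o:microsoft:windows_7:*:*:*:*:*:*:*:*",
              "cpe:2.3:o:microsoft:windows_8:*:*:*:*:*:*:*:*",
              "cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:*:*" ] },
  { "id": "SAMPLE-0003", "cvss": 4.3,
    "cpes": [ "cpe:2.3:a:google:chrome:40.0:*:*:*:*:*:*:*" ] },
  { "id": "SAMPLE-0004", "cvss": 10.0,
    "cpes": [ "cpe:2.3:h:examplevendor:router:*:*:*:*:*:*:*:*",
              "cpe:2.3:o:examplevendor:router_firmware:1.0:*:*:*:*:*:*:*" ] }
]
'@ | ConvertFrom-Json

function Get-CpePart {
    # The third colon-separated field of a CPE 2.3 name is the part: a, o or h.
    param([string]$Cpe)
    $fields = $Cpe -split ':'
    if ($fields.Count -lt 3 -or $fields[0] -ne 'cpe' -or $fields[1] -ne '2.3') {
        throw "Not a CPE 2.3 name: $Cpe"
    }
    return $fields[2]
}

$partLabel  = @{ a = 'application'; o = 'operating system'; h = 'hardware' }
$counts     = @{ application = 0; 'operating system' = 0; hardware = 0 }
$highCount  = 0
$perProduct = @{}

foreach ($rec in $records) {
    # NVD's CVSS v2 "High" band is 7.0 and above.
    if ($rec.cvss -ge 7.0) { $highCount++ }

    # Distinct parts touched by this record: a bug listed against three
    # Windows versions still contributes exactly one 'operating system'.
    $parts = $rec.cpes | ForEach-Object { Get-CpePart $_ } | Sort-Object -Unique
    foreach ($p in $parts) { $counts[$partLabel[$p]]++ }

    # Per-product tally (vendor:product), again one count per record.
    $products = $rec.cpes | ForEach-Object { ($_ -split ':')[3,4] -join ':' } | Sort-Object -Unique
    foreach ($prod in $products) {
        if (-not $perProduct.ContainsKey($prod)) { $perProduct[$prod] = 0 }
        $perProduct[$prod]++
    }
}

$total = $records.Count
"{0} records, {1} rated high ({2:P0})" -f $total, $highCount, ($highCount / $total)
$counts.GetEnumerator() | Sort-Object Name | ForEach-Object {
    "{0,-17} {1,3}" -f $_.Name, $_.Value
}
"Per product (one count per record):"
$perProduct.GetEnumerator() | Sort-Object Value -Descending | ForEach-Object {
    "{0,-35} {1,3}" -f $_.Name, $_.Value
}
```

On the constructed data this reports 4 records, 3 of them high, with 2 application, 2 operating-system and 1 hardware classifications: SAMPLE-0002 adds one to the operating-system bucket despite naming three Windows products, and SAMPLE-0004 lands in both the hardware and operating-system buckets because its CPE names carry both parts. Replace the here-string with a parsed NVD feed and the same per-record rule keeps the OS comparison honest.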

Florian's advice seems inarguable: "To keep systems secure, it is critical that they are fully patched."

And because of the attention they get, IT admins should prioritise patching operating systems, web browsers, Java and Adobe's free products (including but not limited to Flash Player and Reader).

"At the end of the day, however, an IT admin’s attention should be on ALL products in his network and not limited to those at the top of the vulnerability list; neither should the assumption be made that those further down the list are safer. Every software product can be exploited at some point. Patching is the answer and that is the key message," Florian concluded.

swithers@blackandwrite.com.au (Stephen Withers) Security Thu, 26 Feb 2015 17:51:22 +1100
VIDEO: ESET’s new set of next-gen business security products goes live http://www.itwire.com/business-it-news/security/67099-video-eset’s-new-set-of-next-gen-business-security-products-goes-live

ESET has completely re-engineered its range of business security products, boasting increased usability, performance, administrative flexibility and proactive protection.

Following months of in-depth worldwide business user research, ESET analysed the findings and, after intensive design, engineering, development and testing, used them to develop its all-new range of business security products.

ESET’s IT security products boast maximum proactive protection for businesses, with low impact on company infrastructure, as well as offering a wealth of new features, such as Botnet Protection, Exploit Blocker, Anti-Phishing and Anti-Theft.

A video from ESET is embedded below. 

Richard Marko, CEO of ESET, said: “Building world-class security products is not new to us - we’ve been doing it for more than twenty years.

“But with the digital revolution having changed the operational landscape so fundamentally, we wanted to go back to basics and really understand what our customers need to grow their businesses today and in the foreseeable future.

“The key is to balance usability with performance and agility. The results speak for themselves - I think we have certainly earned our gold star.”

A central component of ESET’s new IT security products is the new ESET Remote Administrator.

It is a platform-independent, remote management console, and has been ‘rebuilt to enhance usability, improve security and lower the overall cost of implementation and management. It offers a built-in task management system to minimise downtime, while allowing actions to be performed automatically based on dynamic group membership.’

ESET says its new user interface simplifies the tasks of monitoring, configuring and controlling network activity to ensure the organisation is forewarned and protected against unwanted and malicious actions.


Ignacio Sbampato, Chief Sales and Marketing Officer at ESET said: “As businesses continue to evolve their inter-connectivity, they've become a more attractive target for the bad stuff out there, such as targeted attacks and advanced persistent threats.

“Security vendors must offer their customers better solutions that don't hog an organisation’s resources when fighting off threats. That’s why we are offering the market unparalleled value in our new products and services.

“We’ve invested heavily in creating a truly spectacular range of security solutions for businesses. Our goal is to exceed our customers’ expectations, offering them first-class security that is unbelievably efficient and effective to install, configure and run.”

ESET first introduced its next-generation security products to the North America region in December 2014.

The company reports that the first feedback from its customers has been overwhelmingly positive, and that some customer suggestions have already been incorporated into the product as improvements.


Information on all the new products is available from ESET; the range includes:

  • ESET Remote Administrator
  • ESET Endpoint Security for Windows
  • ESET Endpoint Security for OS X
  • ESET Endpoint Security for Android
  • ESET Endpoint Antivirus for Windows
  • ESET Endpoint Antivirus for OS X
  • ESET File Security for Microsoft Windows Server
alex@itwire.com.au (Alex Zaharov-Reutt) Security Thu, 26 Feb 2015 02:49:42 +1100
ID-based protection for big data a first, says Centrify http://www.itwire.com/business-it-news/security/67061-id-based-protection-for-big-data-a-first-says-centrify

Global Unified Identity Management software vendor Centrify has released what it says is the industry’s first privileged identity management solution for Apache Hadoop-based big data infrastructures, coinciding with an announcement of new partnerships with big data vendors Cloudera, Hortonworks and MapR Technologies.

Centrify Chief Product Officer Bill Mann said that with the release of Centrify Server Suite 2015, organisations can now leverage their existing Active Directory infrastructure to control access, manage privilege, address auditing requirements, and secure machine-to-machine communication with and across their Hadoop clusters, nodes and services.

Mann cited industry data from Allied Market Research showing that the global Hadoop market, powered by the rise in demand for big data analytics, is forecast to grow from $2 billion in 2013 to a staggering $50.2 billion by 2020.

He also cited a report by analyst firm Gartner stating that, with the advent of major compliance mandates and “ongoing concerns about application and data security, it is apparent that sensitive data in Hadoop must be protected as well as sensitive data in traditional databases”.

Gartner also said: “With the advent of Hadoop 2.0 — and the expanded, real-time applications — the likelihood of sharing data among many users and applications rather than isolating each application, as was often the case in the first generation, increases security exposures. Monitoring and auditing: One aspect of ensuring that information isn't leaking, that changes to cluster are authorised, and that transformations and queries can be traced back to the originating, accountable users of applications and data”.

Mann said Centrify has built new features and compatibility enhancements into Centrify Server Suite 2015 in the areas of Kerberos network authentication, service account management, and Active Directory and Hadoop interoperability, to address the concerns raised by Gartner and to extend the security capabilities provided by the Hadoop platform vendors with privilege management for Hadoop environments.

According to Mann, this approach also simplifies and streamlines Hadoop deployments by allowing organisations to utilise existing identity management skillsets. “In addition, to ensure compatibility as well as vendor collaboration when it comes to technical support, Centrify has built comprehensive integration guides and received product certifications from each of the major Hadoop providers,” Mann said.

“Over the past year or so we have had dozens of our enterprise customers begin to embark on their big data journey, and in doing so they saw immediate significant value in their Centrify identity management solution being applied to their new Hadoop deployments.

“These customers encouraged us to optimise our solution for Hadoop, which we gladly did, and by collaborating with them and the major Hadoop vendors, over the past year we have built in important Hadoop-specific enhancements which has culminated in the shipment of Centrify Server Suite 2015.”

The Centrify Server Suite is licensed on a per-server basis, with Australian pricing starting at $400 per server. Hadoop customers can request a free evaluation of Centrify Server Suite from Centrify.

peter.dinham@itwire.com (Peter Dinham) Security Sun, 22 Feb 2015 18:12:08 +1100
Lenovo apologises for Superfish, never installed it on biz or enterprise products http://www.itwire.com/business-it-news/security/67055-lenovo-apologises-for-superfish-never-installed-it-on-biz-or-enterprise-products

Lenovo has moved swiftly to douse the Superfish scandal. Superfish is a third-party program that was pre-installed only on consumer notebooks shipped between September 2014 and February 2015.

Earlier today, iTWire covered the breaking news that some Lenovo consumer-class notebooks shipped between September 2014 and February 2015 had the Superfish adware pre-loaded, and the ‘man-in-the-middle’ SSL vulnerability and adware concerns this raised among consumers and security researchers.

I also included some cheeky questions for Lenovo's famous product engineer, Ashton Kutcher, in that previous article.

Lenovo has issued a statement noting that it has ‘acted swiftly and decisively once these concerns began to be raised’ and apologises ‘for causing any concern to any users for any reason - and we are always trying to learn from experience and improve what we do and how we do it’.

It’s an appropriate apology from 'those who do' to 'those who do' with Lenovo.

Lenovo does state it thought the Superfish software ‘would enhance the shopping experience’ but has clearly been chastened by the unfortunate decision to include Superfish. The company says it is ‘eager to be held accountable for our products, your experience and the results of this new effort’.

The effort Lenovo is talking about is a plan it will announce by the end of February. Lenovo says this plan will help lead it ‘and our industry forward with deeper knowledge, more understanding and an even greater focus on issues surrounding adware, pre-installs and security’.

Lenovo also says it will ’talk with partners, industry experts and our users’ and will get ‘their feedback’ as it spends ‘the next few weeks digging on this issue, learning what we can do better.’

It’s nice to see some genuine contrition.

On a related topic, iTWire colleague Ray Shaw has an article entitled ‘Perhaps it is time to pay for privacy’. The article isn’t about Lenovo and doesn’t mention Lenovo but what Ray writes applies just as much in Lenovo’s situation as it does in all the scenarios Ray discusses.


It also shines a light on the wider practice of PC makers pre-loading software to generate revenue that offsets ever-lower computer prices, although Lenovo told Reuters that “the relationship with Superfish is not financially significant."

Apple, by contrast, pre-loads only its own software on Macs, so it can ensure each machine has all the software you need to get started out of the box, and nothing you don’t need.

This is in stark contrast to PC makers who put ‘shovelware’ on their computers, from 'angsty' Internet security trials with a month or two of life that beg you to pay for the full year-long version, through to Wild Tangent games that themselves have the whiff of adware, through to various other things you simply don’t need.

PC makers would be better off providing an icon on the screen showing users what they can download from that company’s servers or its partners should they want additional software.

That said, we’d all be better off with ‘Microsoft Signature’-class Windows machines which don’t have third-party software installed at all for the purest experience.

This is despite Microsoft Signature branded machines costing more, because PC makers had to forego whatever revenue they would have received from third-party software vendors.

Lenovo wants to make it clear that its business range of devices, its ThinkPad notebooks, its desktops, smartphones and all of its server and storage enterprise products have never had Superfish installed onto them.

However, as I noted in my earlier article, there must surely be plenty of business users who have purchased Lenovo’s cheaper consumer range of products to use in BYOD and business environments.

So… let’s hope that out of this negative comes not only a positive for Lenovo, but a positive for consumers and a positive for PC makers who must decide that shovel ware on their computers is just not a good policy and not good for end-users.

Lenovo has published more information on Superfish, as well as complete uninstallation instructions (including how to remove the security certificate).

Lenovo says that Superfish may have appeared on the following models:

  • G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
  • U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
  • Y Series: Y430P, Y40-70, Y50-70
  • Z Series: Z40-75, Z50-75, Z40-70, Z50-70
  • S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
  • Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
  • MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
  • YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
  • E Series: E10-30

You can also go to Filippo Valsorda’s page to independently check whether your Lenovo system (or any other computer) has Superfish installed or not.

alex@itwire.com.au (Alex Zaharov-Reutt) Security Fri, 20 Feb 2015 18:21:53 +1100
Superfishy: How to remove Lenovo’s Superfish adware NOW http://www.itwire.com/business-it-news/security/67052-superfishy-how-to-remove-lenovo’s-superfish-adware-now

Did Lenovo Product Engineer Ashton Kutcher know that the Chinese company he works for has included the notorious SSL-compromising Superfish software on its consumer PCs?

Instructions on how to remove the Superfish adware from your Lenovo computer (or any computer affected by Superfish) are listed below. Lenovo says the adware was pre-loaded on consumer PCs late last year and that it stopped pre-loading it in January 2015, but who knows how many business users have purchased cheaper Lenovo consumer computers.

It's also hard to trust a company that puts up with any adware on its PCs - what else are they doing that we don't know about? What other PC companies are doing the same thing? Will PC companies ever give up the revenue stream from all the crapware they install?

But first: Lenovo Product Engineer, Ashton Kutcher, likes to ask, and to be asked, questions of great importance that require serious thought.

The kind of questions that could lead to dents being made in the universe.

Well, Lenovo has certainly made a dent in the universe today, after security blogger Marc W Rogers uncovered the startling and shocking news that ‘Lenovo installed adware on customer laptops and compromises ALL SSL’, as Rogers reported at his personal blog.

Rogers quotes Superfish’s features:

  • Hijacks legitimate connections.
  • Monitors user activity.
  • Collects personal information and uploads it to its servers
  • Injects advertising in legitimate pages.
  • Displays popups with advertising software
  • Uses man-in-the-middle attack techniques to crack open secure connections.
  • Presents users with its own fake certificate instead of the legitimate site’s certificate.

Now, it has to be said that Lenovo claims the following at its page with ‘Removal Instructions for VisualDiscovery Superfish application’: 

“Visual Discovery / Superfish was previously included on some consumer notebook products shipped in a short window between October and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively:”


Lenovo then states:

  • Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
  • Lenovo stopped preloading the software in January.
  • We will not preload this software in the future.

Marc Rogers also points to Filippo Valsorda’s ‘Badfish’ page, which helps Lenovo users determine whether they have Superfish installed, and to Valsorda’s Superfish removal guide, which shows how to ‘remove the [SSL] certificate from Windows’.

Rogers points to Lenovo’s initial response in its forums and slams it as “typical of companies caught with their hand in the cookie jar, they try to play it down while at the same time saying they have disabled it until it can be ‘fixed’.”

So, now you know how to get rid of Superfish from your computer.
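Both Lenovo's uninstallation instructions and Valsorda's removal guide make the same point: uninstalling the program is not enough, the root certificate it planted in the Windows trust store must go too, or any holder of its private key can still impersonate every HTTPS site to that machine. The following is an added example, not Lenovo's or Valsorda's tool, of how an administrator would find and remove such a root from an elevated PowerShell prompt. It assumes the offending root can be recognised by "Superfish" appearing in its subject or issuer name (the pattern is a parameter, so it serves any other injected root); it deliberately hard-codes no thumbprint.

```powershell
# Added example: find (and optionally remove) an injected root CA from the
# Windows trust stores that Internet Explorer, Chrome and other SChannel
# clients consult. Run elevated; LocalMachine\Root needs administrator rights.
# The default pattern is an assumption about the certificate's subject name.

param(
    [string]$SubjectPattern = '*Superfish*',
    [switch]$Remove
)

function Find-SuspectRoot {
    param([string]$Pattern)
    # Both stores matter: a root trusted in either one is trusted for the user.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like $Pattern -or $_.Issuer -like $Pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    Path       = $_.PSPath
                }
            }
    }
}

$hits = @(Find-SuspectRoot -Pattern $SubjectPattern)

if ($hits.Count -eq 0) {
    "No root certificate matching '$SubjectPattern' in the Windows trust stores."
} else {
    $hits | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize
    if ($Remove) {
        foreach ($hit in $hits) {
            # Deleting by provider path removes exactly the matched certificate.
            Remove-Item -LiteralPath $hit.Path -Confirm:$false
            "Removed $($hit.Thumbprint) from $($hit.Store)"
        }
    } else {
        "Re-run with -Remove to delete these certificates."
    }
}

# The certificate is only half the problem: the interception software itself
# (VisualDiscovery) must be uninstalled as well, and browsers that keep their
# own trust store (Firefox) must be checked separately from the Windows stores.
```

Run it once without `-Remove` to see what matches, then again with `-Remove`. Because the match is by name, a second run should report no hits; if a hit reappears after a reboot, the interception software is still installed and re-adding its root, which is why the program has to be removed before the certificate is cleaned up.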

Further background is available from the home page of the company that makes Superfish and from Wikipedia’s page on Superfish.

But let us ask Ashton Kutcher a couple of interesting questions: with your reputation tied deeply into Lenovo, what are you doing to ensure that Lenovo makes a dent in the universe to uphold each user's privacy, security and online safety?

Ashton, will you use your millions to buy a company like Malwarebytes and sell Lenovo a copy of this GOOD software, rather than seeing Lenovo go down the dark path of the adware business?

Lenovo's 'hustle' is one kind no-one needs. Now that Lenovo has suffered from this scandal, what is the best piece of advice Ashton can give Lenovo so it never gets in this position again?

For more information on my cheeky questions to Ashton Kutcher and Lenovo, see my story on Ashton's otherwise excellent talk at Lenovo's recent Tech My Way conference in Australia, where he talked sex with Mila Kunis and explained the types of questions he thinks are worth asking - plus plenty more including a video of all the proceedings on the day. 

alex@itwire.com.au (Alex Zaharov-Reutt) Security Fri, 20 Feb 2015 12:12:57 +1100
UMA aims to put users back in control of their data http://www.itwire.com/business-it-news/security/67048-uma-aims-to-put-users-back-in-control-of-their-data

An emerging standard called UMA promises to make it easier to control who can access your data.

As vice president of innovation and emerging technology at identity relationship management vendor ForgeRock, Eve Maler (pictured) is well aware of the importance of identity management.

"Identity is at the centre of everything," she told iTWire. "Without identity you can't authorise, personalise or transact."

While some previous attempts at identity management have focussed largely on people using web browsers, the environment is changing.

Not only is browser traffic becoming a smaller share of the online world, given mobile users' preference for apps over web pages and the nascent Internet of Things, but she also notes a "new savviness" among users when it comes to granting permission for data access, pointing out that the available controls are poor: you either opt in, or you opt out.

Unlike some people in the IT industry, Maler appears to have a genuine interest in privacy.

As part of her responsibility for directing ForgeRock's involvement in relevant industry standards, she leads the User Managed Access (UMA) and Health Relationship Trust (HEART) standards efforts.

The idea of UMA - which is just coming to fruition, she told iTWire - is to provide an API-based mechanism for "selective sharing" so users can allow or revoke access to their data as they wish, much as they can with Google Docs.

Even though open-source code from the OpenUMA community project has yet to be published (the public review period for the UMA V1.0 candidate specifications closes today), UMA "is getting a lot of interest" in various areas including healthcare, Maler said.

It's one thing for the user to say that certain individuals or classes of individuals may access particular pieces of data, but that can only be effective if the person seeking access can prove who they are.

Attribute-based access control - e.g., permitting access by any registered medical practitioner or some other licensed professional - is hard to do unless there is agreement about the attributes, but role-based identity providers already operate in many countries.

And UMA isn't just about people. There are some "really interesting Internet of Things implementations" that may be revealed around April this year, she said.

ForgeRock is involved because it realises that almost all consumer-facing companies have multiple apps and multiple logins, resulting in a poor user experience and poor security - though this is not simply a single-sign-on issue, Maler stressed.

Globally, customers of ForgeRock's identity and access products include Toyota Europe (for connected cars), US insurance company GEICO, and AOL.

Closer to home, the list includes Perpetual (investment services), NSW Department of Education, Vodafone NZ, Spark New Zealand (formerly Telecom New Zealand), and NZ Department of Internal Affairs.

swithers@blackandwrite.com.au (Stephen Withers) Security Fri, 20 Feb 2015 10:08:57 +1100
Intel Security: social engineering hacking the human OS http://www.itwire.com/business-it-news/security/67042-intel-security-social-engineering-hacking-the-human-os

Intel Security, Intel’s McAfee arm, isn’t the first to write about hacking the human OS, and it won’t be the last; its latest report sets out the ‘latest persuasion techniques’ in use.

Days after Kaspersky Lab unveiled details of a billion dollar cyber heist against mostly Russian and other global banks, as reported by iTWire, Intel Security’s latest report has arrived with an endorsement by the European Cybercrime Centre at Europol.

It ’reveals the latest persuasion techniques leveraged by cybercriminals to manipulate employees to do things they normally wouldn’t, usually resulting in the loss of money or valuable data.’

Kaspersky’s report unveiled how bank computers and networks were breached by targeted phishing attacks, which Intel Security says ‘demonstrates the inherent weakness in the ‘human firewall’ and the need to educate employees about the top persuasion techniques in use in the digital world.’

To pause for a moment and insert my own thoughts, perhaps we would call this ‘the weakest link’.

Raj Samani, the EMEA CTO at Intel Security, and an advisor at Europol’s European Cybercrime Centre said: “The most common theme we see when investigating data breaches today, is the use of social engineering to coerce the user into an action which facilitates malware infection.”

Paul Gillen, Head of Operations at the European Cybercrime Centre at Europol agreed, stating: “Cybercriminals today do not necessarily require substantial technical knowledge to achieve their objectives.

“Some well-known malicious tools are delivered using spear-phishing emails and rely on psychological manipulation to infect victims’ computers.

“The targeted victims are persuaded to open allegedly legitimate and alluring email attachments or to click on a link in the body of the email that appeared to come from trusted sources.”


Intel Security’s report, Hacking the Human OS, reveals cybercriminals are deploying the same ‘selling’ and ‘scamming’ techniques used in the real world, to extract valuable data from employees.

The 20 page report can be downloaded in full here (PDF link), while an executive summary has also been made available and can be downloaded here (PDF link).

Other highlights include:

  • Two-thirds of the world’s email is now spam aiming to extort information and money
  • A sharp increase of malicious phishing emails has resulted in more than 30 million suspect URLs recorded by McAfee Labs
  • 80% of all workers are unable to detect the most common and frequently used phishing scams
  • As the global cost of cybercrime reaches an estimated $445bn, Intel Security encourages businesses to address and educate employees on the “Six Levers of Influence” now used in the digital world by hackers

Intel says its report ‘reveals the extent and severity of social engineering with McAfee Labs identifying a dramatic increase in the use of malicious URLs with more than 30 million suspect URLs identified towards the end of 2014.’

The increase is attributed to the use of new short URLs, which often hide malicious websites, and a sharp increase in phishing URLs.

These URLs are often ‘spoofed’ to hide the true destination of the link and are frequently used by cybercriminals in phishing emails to trick employees. With 18% of users targeted by a phishing email falling victim and clicking on a malicious link, the increased use of these tactics is cause for concern.

McAfee’s team of 500 researchers points to the fact that two-thirds of all global email is now spam that aims to extort information and money from the recipient. This provides more incentive for consumers and employees to be on guard for the most prolific phishing and scams techniques currently in use.

Intel’s Raj Samani added: “Today, cybercriminals have become expert at exploiting the subconscious of a trusted employee, often using many of the ‘selling’ tactics we see in everyday life. Businesses must adapt and employ the right mix of controls for ‘People, Process and Technology’ to mitigate their risk.”

The company says the importance of security training and policy management ‘has never been more apparent’, yet it points to a recent study by Enterprise Management Associates which found that only 56% of all workers had gone through any form of security or policy awareness training.

Intel Security’s ‘Hacking the Human OS’ report reveals some of the basic persuasion techniques currently in use by cybercriminals, which all businesses and employees should be aware of:

The Six Levers of Influence To Watch for in the Digital World

  • Reciprocation: When people are provided with something, they tend to feel obligated and subsequently repay the favour
  • Scarcity: People tend to comply when they believe something is in short supply e.g. a ‘spoof’ email claiming to be from your bank asking the user to comply with a request or else have their account disabled within 24 hours
  • Consistency: Once targets have promised to do something, they usually stick to their promises because people do not wish to appear untrustworthy or unreliable. For example, a hacker posing as a company’s IT team could have an employee agree to abide by all security processes, and then ask him / her to perform a suspicious task supposedly in line with security requirements
  • Liking: Targets are more likely to comply when the social engineer is someone they like. A hacker could use charm via the phone or online to ‘win over’ an unsuspecting victim
  • Authority: People tend to comply when a request comes from a figure of authority. This could be a targeted email to the finance team that might appear to come from the CEO or President
  • Social Validation: People tend to comply when others are doing the same thing. For example, a phishing email might look as if it’s sent to a group of employees, which makes an employee believe that it must be okay if other colleagues also received the request


alex@itwire.com.au (Alex Zaharov-Reutt) Security Thu, 19 Feb 2015 22:50:45 +1100
VIDEO: ThreatMetrix’s 6 cybercrime predictions for 2015 http://www.itwire.com/business-it-news/security/67039-video-threatmetrix’s-6-cybercrime-predictions-for-2015

From before TrustDefender through to ThreatMetrix today, Andreas Baumhof has been at the cutting edge of cyber security, and his annual cybercrime predictions are definitely worth perusing.

I remember meeting Andreas Baumhof through Ted Egan in Australia back in late 2005, when they both had the idea to secure computers and identities in a whole new way.

Andreas was the cyber brain behind the idea, and Ted Egan provided the business brain, with both working their butts off to nurture the idea and create TrustDefender, which they turned into a reality over several years to the point that it merged with ThreatMetrix.

At the time, Ted Egan was the tireless CEO of TrustDefender for most of its life, drumming up business, finding investors, travelling internationally to security conferences and doing business deals with some of the leading cyber security experts from the US and the UK to keep TrustDefender funded.

Meanwhile, Andreas worked incredibly hard to take the TrustDefender software suite to new heights in understanding the intelligence behind key threats and providing proactive protection, for consumers but even more so for business, the finance sector, government and enterprises.

Just months before the ThreatMetrix acquisition, which Ted had worked hard to help bring to life, he stepped aside, allowing Andreas to become TrustDefender CEO, while still working behind the scenes to ensure a successful merger and transition for both companies.

Two of the founders of ThreatMetrix were Alisdair Faulkner and David Jones, also from Australia, who took ThreatMetrix to the US in 2009 and found their ideal CEO in Reed Taussig, who had, and still has, a solid track record of running, developing and publicly listing top tech companies.

Fascinatingly, both TrustDefender and ThreatMetrix were actually founded in Australia in 2005, coincidentally about a city block apart, with the founders knowing each other at the time but not knowing that one day their companies would merge; at first they even thought of each other as competitors.

It turns out that 1 + 1 = 4, meaning they are much greater together than the sum of their parts, with both companies being incredible examples of Australian success stories that now, via the US-based ThreatMetrix, are world leaders in the customer digital identity, fraud prevention and security space.

Today, Andreas Baumhof is the Chief Technical Officer and Senior VP of Engineering at ThreatMetrix, while Ted Egan is the VP of the booming Asia Pacific region, with both part of the vibrant ThreatMetrix team that is securing the world and challenging the security status quo.

In December last year, I interviewed ThreatMetrix President and CEO, Reed Taussig, on building trust on the Internet, preventing fraud, protecting digital assets without impacting the user experience, maximising revenue and more, which you can see here.

But Baumhof has also been busy, and has published on his LinkedIn page his series of 6 cybercrime predictions for 2015.

Baumhof says that, following a year of high-profile data breaches and last year’s stunning and unprecedented Sony hack, consumers and businesses will face increased cybersecurity risks in 2015.

So, he identified several trends in the industry, including the good, the bad and the ugly.

What do businesses need to do to avoid falling victim to data breaches and other attacks?

What needs to be done to educate consumers about growing cybercrime threats?

Baumhof says they need to be aware of several predictions for 2015:

1. Data breaches will be larger and more sophisticated than ever before

The breadth and depth of the data breaches seen by the world in 2014 was shocking — spanning major banks, e-commerce giants, healthcare giants, casinos and others — exposing hundreds of millions of usernames, passwords and credit card details.

The coming year will be no different, and businesses and consumers need to be prepared for continued changes in the cybercrime landscape.


2. Mobile will represent more than half of transactions during the 2015 holiday season

During this year's Cyber Week, from Thanksgiving Day through Cyber Monday, mobile accounted for 39 percent of all transactions.

Baumhof says that by 2016, he and ThreatMetrix predict this number will surpass 50%.

Additionally, as retailers make the looming switch to Europay-Mastercard-Visa (EMV) payment systems by the October 2015 deadline, those systems also accept mobile payment methods such as Apple Pay, which will further contribute to increased mobile payments. Consumers are far more comfortable shopping on mobile devices than they were even a year ago, often overlooking security risks, and mobile usage will continue to grow.

3. Information sharing will continue to rise

While cybercrime threats will evolve in sophistication during the coming year, information sharing about those threats within and across industries will grow to combat those cybercriminals.

For example, the retail industry is already paving the way for growth in information sharing with the Retail Cyber Intelligence Sharing Centre, but there is still room for improvement.

Ultimately, Baumhof notes, these alliances protect consumers by effectively differentiating between authentic and suspicious transactions without adding friction to the customer experience.

4. Cybercriminals will identify new opportunities to compromise personal information

In 2014, there were many high-profile data breaches that were deemed unprecedented.

Hundreds of millions of user accounts have been compromised, including The Home Depot breach and the Russian cybercrime ring exposing 1.2 billion passwords. Most recently, the Sony hack showed that cybercriminals are shifting their focus to cyber sabotage.

For 2014, Baumhof predicted the "password apocalypse", which he wrote about for BizJournals, and the number of major data breaches over the past year targeting user login information shows that prediction came true.

There are endless opportunities for hackers to steal personal information, says Baumhof, and that's not going to stop in the coming year — it's going to get worse.

5. The Internet of Things will continue to be a security nightmare

One of the first major hacks of the Internet of Things came in early 2014.

It can be near impossible to know when one of the many connected devices used day-to-day is compromised — from smart phones to washing machines to refrigerators — and as more devices are added to the Internet of Things in the next year, protecting these devices will become even more difficult.

Baumhof presciently asks: If we can't even protect our most critical assets, how can we be expected to protect a smart fridge?

6. Health systems will become a major target for cybercriminals

In 2014, U.S. healthcare spending hit $3.8 trillion.

Unfortunately, almost one-third of that is lost to fraud. As more money is dedicated to the health care market, cybercriminals will follow the trail to cash in on it.

Throughout 2015, insurance, healthcare and pharmacies will be new focuses for fraudsters.

As healthcare information shifts to electronic records under the Health Insurance Portability and Accountability Act (HIPAA), fraudsters will find ways through its security holes to commit health care fraud and steal personal information.

Baumhof notes that we’ve seen from the recent Anthem attack the impact one data breach can have on the country.

Last year saw some of the most threatening cyber attacks of all time and in 2015, fraudsters will develop even more advanced strategies to target businesses across industries.

Therefore, businesses and consumers must keep online security top-of-mind and implement preventative measures to protect against cybercrime.

alex@itwire.com.au (Alex Zaharov-Reutt) Security Thu, 19 Feb 2015 19:29:26 +1100
Billion dollar bank cyber heist 'biggest ever' (http://www.itwire.com/business-it-news/security/66978-billion-dollar-bank-cyber-heist-biggest-ever)

Criminal hackers have stolen as much as US$1 billion from mainly Russian banks, says security company Kaspersky Labs, in the biggest cyber crime in history.

The attacks have been made directly against banks over the past two years by an international gang Kaspersky has dubbed ‘Carbanak’.

The gang, which appears to be based in the Ukrainian capital of Kiev, wrote phishing emails to targeted bank employees, tricking them into opening malware files which enabled access to the banks’ computer networks, from where they were able to monitor administrators’ computers.

They then copied the behaviour of various employees, transferring millions of dollars into their own accounts in transactions that were indistinguishable from legitimate behaviour.

Reuters reports that in some cases, Carbanak was able to inflate account balances before pocketing the extra funds through a fraudulent transaction. Because the legitimate funds were still there, the account holder would not suspect a problem. The money was then retrieved at ATMs.


Over a hundred banks and other financial institutions in 30 countries, mostly in Russia, have been affected. No-one has yet been arrested. Kaspersky Labs said it is working with Interpol, Europol and police forces in a number of countries in an attempt to identify gang members. Investigations are underway in Russia, Ukraine, China and the Netherlands.

"These attacks again underline the fact that criminals will exploit any vulnerability in any system," said Sanjay Virman of Interpol’s Digital Crime Centre. "It also highlights the fact that no sector can consider itself immune to attack and must constantly address their security procedures."

Kaspersky Labs will publish a report on the Carbanak crimes today. In an advance copy obtained by The New York Times, it says the thefts were limited to US$10 million per transaction, and were often much smaller so as not to attract undue attention.

None of the affected banks has acknowledged the thefts, as they do not want to draw attention to problems with their electronic security systems. US President Barack Obama said at a cybersecurity event at Stanford University last week that the US Congress should pass a law making such disclosure mandatory.

graeme.philipson@itwire.com (Graeme Philipson) Security Mon, 16 Feb 2015 04:50:18 +1100
From identity theft to Catfishing: the risks of seeking love online (http://www.itwire.com/business-it-news/security/66973-from-identity-theft-to-catfishing-the-risks-of-seeking-love-online)

The increasing proliferation and popularity of online dating sites has caught the attention of scammers, with users of the services running the risk of becoming victims of identity theft, phishing, webcam blackmail and a dating scam with the unlikely name of catfishing.

In a newly published report coinciding with Valentine’s Day, security company Norton by Symantec has warned that users of online dating sites need to be careful with what identifiable information they use on their dating profile.

“As with anything you post online, it’s out there for everyone to see, and while there are a plethora of legitimate daters on these sites, you still don’t know what kinds of individuals you are dealing with,” says Norton in its newly published security report.

“You can run the risk of becoming a victim of stalking, harassment, catfishing, identity theft, webcam blackmail and even phishing scams. In order to help mitigate these risks, be very careful with what information you provide on your profile,” Norton advises.

And, it seems, online dating is big business these days, with Norton citing figures from dating service eHarmony, which measured interest in dating from 2012 to 2014 and found that average yearly interest around Valentine’s Day increased by 113%.

Norton says the big boost in Valentine’s Day activity suggests online dating is becoming more entrenched in Australian culture.

Norton describes Catfishing as a “different kind of scam in and of itself” – in short, it’s a scam involving an online dating service user assuming the identity of someone else.

According to Norton, the tactic of catfishing is used by online predators to try to trick people into an online romantic relationship: “Catfishers will always make up excuses as to why they can’t meet you, talk on the phone or meet up on webcam. If the user’s profile seems too good to be true, it probably is. Do a reverse online image search of their photos, and if they appear in other places, under other names, you may have caught yourself a catfish”.

Norton also has some advice as to the do’s and don’ts for online daters when creating a profile. It also lists the ways you can spot an online dating scam:

Profile Do’s and Don’ts:

• Create a username that you have not used on any other accounts. Your username can be searched, and anything tied to that username can come up easily.

• The same applies for the photos you post on your profile. A user can do a reverse image search and easily locate other websites where that photo is posted. So, in this case, it’s ok to go selfie crazy!

• Set up a free email account to use with your dating account that has a unique name. Most sites offer their own in-site messaging that protects the anonymity of their members; however, people will often move their conversations to email or telephone as they get friendlier online.

• When the time comes for a phone call, set up a free Google Voice account, which will generate a separate phone number and forward it to your mobile. That way you can protect your phone number until you feel comfortable enough to give it to your potential match.

• When choosing an online dating site, be sure to choose a reputable, well-known website. Research the sites you’re interested in. Some sites allow you to either delete or disable your account. Since users sometimes return to online dating, the site retains your information. Make sure you check the site’s privacy policy and verify how data with these accounts are handled. Some dating sites make profiles public by default, which means that they can be indexed by search engines.

• Check the privacy policy to see how the service will handle your data. One popular online dating site recently got into some hot water by secretly experimenting with, and manipulating, their members’ data.

• Join a paid site. Since members have to pay to communicate with each other, this means that there will be more legitimate daters and fewer scammers. Some of the paid sites also conduct criminal background screenings.

How to spot online dating scams:

• An individual may contact you with a sob story about being stranded in a foreign country, or a sudden family emergency. If they ask you for money, you should report them to the service you are using and then block them.

• To help verify the identity of the person that you’re talking to, ask for a recent photo. If they protest or make excuses as to why they can’t provide a photo, it is best to err on the side of caution.

• If you’ve been chatting up a potential sweetheart for a while, and they continually put off meeting in real life, this could be a red flag.

• Don’t visit links sent to you by people you haven’t talked to for very long. Scammers will pose as a member and try to get their target to click on links, usually leading to porn or webcam sites, and sometimes even to malicious sites that download malware onto your computer.

• If someone requests a webcam chat, be especially careful about your behavior. The criminal can record the webcam session and use it to blackmail you. If the conversation you’re having starts to take an uncomfortable turn, it’s okay to disconnect the chat.

• Scammers create fake profiles that are run by programs called bots. Their objective is to get you to click on a link that will lead to either porn or malware, or to scam you out of credit card information. It’s actually quite easy to spot a bot, as they have a set of predetermined “canned” responses. If you notice that the conversation you’re having seems a bit off, or the person isn’t answering your questions directly, chances are it’s a bot.

peter.dinham@itwire.com (Peter Dinham) Security Fri, 13 Feb 2015 14:33:34 +1100