iTWire - Security (feed retrieved Sun, 29 Mar 2015 01:11:14 +1100)

Telstra vows to encrypt metadata and store it in Australia

One of the many criticisms of the Government’s new data retention regimen is that it will create vast amounts of data that will attract hackers. Telstra says it has the answer.

Barely a day after the Government has seen its new data retention laws become reality, Telstra has made something of a virtue of necessity by announcing that it will store all the required metadata on shore in Australia.

It further says that it will encrypt the data, explicitly stating that it is doing so to deter hackers.

“Previously, we have highlighted the increased security risk associated with retaining more customer metadata we don’t currently need in the delivery of our services to our customers,” says Telstra chief information security officer Mike Burgess. “If some of this is stored and made accessible, then we are creating what has been called a ‘honey pot’ for hackers and criminals to target.”

As is increasingly the case with Telstra statements, Burgess made the announcement in a blog on Friday. “With the legislation having passed through the Parliament, we wanted to assure all our customers that we take data security very seriously and we will be protecting any data collected as part of this new regime.”


Burgess highlighted that there are still two years before the data retention scheme needs to be fully implemented. “We will be using this time to make sure we have the right protections in place.

“We are still developing our implementation plans but we have already decided to store our customer metadata encrypted at facilities located here in Australia. While geography alone is not a good measure of security, storing the data in Australia should help allay the concerns of some customers.”

He said any security strategies Telstra implements will build on existing measures, including intrusion detection systems and active network monitoring. “We understand that customer metadata has enormous value not just to our customers and law enforcement agencies but also to a range of malicious actors who may seek to gain access to our systems.

“Our commitment to you is to work diligently every day to protect our networks and your data. Cyber security is everyone’s responsibility, so we recommend all our customers install up-to-date security software, make sure they update their operating systems and applications as soon as a new update is released, have robust and varied passwords, and be aware of phishing emails and other scams that contain malicious attachments or links.”

(Graeme Philipson) Security, Fri, 27 Mar 2015 14:20:49 +1100
BYOD – Bring your own disaster

A new report by Flexera Software and IDC should have system administrators trembling.

When an Environmental Protection Agency (EPA) employee was playing the Kim Kardashian Hollywood game app on her mobile work phone, it tweeted out to the EPA’s 52,000 Twitter followers ‘I’m now a C-List celebrity in Kim Kardashian: Hollywood. Come join me….’

Threats to data and security are hidden in innocuous apps. One flashlight app illegally transmits a user’s precise location and data to advertisers, and common banking apps are capable of capturing device logs, accessing contact lists, reading SMS messages or even installing packages on the phone.

Welcome to the world of Bring your Own Device where apps can infect the enterprise.


The report (free login required) finds that most organisations are not taking action to block risky app behaviours and don’t realise the significant risk from BYOD policies. This infographic covers most points.

  • Enterprises are broadly adopting BYOD policies: 48 percent of enterprises have already or are in the process of implementing BYOD policies, and another 23 percent plan on doing so within two years
  • Data security is a pervasive challenge: 71 percent of enterprises said data security counts among their biggest challenges when implementing BYOD policies
  • Blocking risky apps is a priority: 47 percent of respondents say they’re instituting policies that block risky app behaviours to mitigate mobile app security risks. Another 22 percent plan on doing so within two years
  • Enterprises are failing to identify risky app behaviours: Despite concerns about security and blocking risky apps, most organisations – 61 percent – have not even identified which app behaviours they deem risky (e.g. the ability to access social media apps like Twitter, apps that report user data back to the app producer, etc.)
  • Enterprises are also failing to identify apps deemed risky: A majority of organisations – 55 percent – have not identified specific mobile apps that exhibit risky behaviours that would violate their BYOD policies
  • BYOD policies are not reducing enterprises’ security risks: Only 16 percent of respondents report that their BYOD policies are resulting in lower enterprise application risk

Note that Flexera Software helps application producers and enterprises increase application usage and the value they derive from their software.  Its software licensing, compliance and installation solutions are essential to ensure continuous licensing compliance, optimised software investments and to future-proof businesses against the risks and costs of constantly changing technology.

(Ray Shaw) Security, Wed, 25 Mar 2015 16:31:24 +1100
Vawtrak banking Trojan spreading worldwide

AVG Technologies has warned that Vawtrak gains access to bank accounts visited by the victim and uses the infamous Pony module for stealing a wide range of login credentials.

Vawtrak is spreading rapidly by drive-by download – from spam linked to compromised sites, dedicated malware downloaders and exploit kits.

It uses steganography to hide update files inside favicons so that downloading them does not look suspicious. Each favicon is only a few kilobytes in size, but that is enough to carry a digitally signed update file hidden inside.


It has a large number of functions it can perform on a victim’s machine. These include:

  • Disabling AV protection
  • Communicating with remote command and control servers
  • Hooking into standard API functions
  • Stealing multiple types of passwords used by the user online or stored on the local machine
  • Injecting custom code into web pages displayed to the user (mostly related to online banking)
  • Surveilling the user (key logging, taking screenshots, capturing video)
  • Creating remote access to the user’s machine (VNC, SOCKS)
  • Automatic updating

Of particular interest from a security standpoint is that, by using a Tor2web proxy, it can reach update servers hosted as Tor hidden services without installing specialist software such as the Tor Browser.

Naturally AVG LinkScanner and Online Shield provide protection.

(Ray Shaw) Security, Wed, 25 Mar 2015 16:02:44 +1100
Vulnerable apps – waiting to be exploited

Despite Google Play and Apple’s iTunes trying to guard mobile users from malicious apps, the process is still flawed, according to antivirus vendor AVG.

AVG’s CTO Yuval Ben-Itzhak says we have learned from the PC days, where decentralised distribution and an open platform made it so easy to spread malware and viruses. “But controlled distribution via app stores does not mean there are no vulnerable apps out there. Hackers are clever; they have found ways to get around stringent app store controls by exploiting existing vulnerable non-malicious apps, either via a different app, by inspecting data in transit, or even via the web while you browse from your mobile.”


Here is how.

Almost all mobile apps transmit and receive data between the device and remote servers. This allows apps to update, send statistics, check licences, monitor analytics, and so on. There are two ways this leaves apps vulnerable:

  1. No encryption – if data leaving your device is unencrypted, hackers can ‘look inside’ it and get your passwords, credit card number or any other personal details you may not want to share. This is most common on public Wi-Fi hotspots like those found in airports, malls or coffee shops.
  2. Certificate validation – when an app sends data to a remote server, it is important that it is the correct server and not one owned by a hacker. The server’s digital certificate lets the app validate the server’s identity, but only if the app actually checks it. Without that validation, data can be at risk.

Most mobile apps store data locally on the device, usually a log file that records activity within the app, the strings typed into it, cached data/reports, and more. There are two ways these files can leave apps vulnerable:

  1. No encryption – storing data on the device can greatly improve app performance and user experience. However, leaving private data unencrypted on the device can be dangerous. A separate app installed on the device can potentially have permission to access such files, ‘look inside’ and retrieve personal data.
  2. Files left after uninstall – when we uninstall apps from our devices, many of us expect that all related files (with our private data in them) are also removed. However, this is not always the case. Apps often have permission to create files in various locations on our devices, and these can be left behind when the app is removed. Such fragments can later be accessed by other apps to retrieve data.

It is common for app developers to release their products to market very quickly. As time is short, developers reuse components (SDKs) from third parties to support needed functionality.

The issue with these SDK toolkits is that they are not always secure. Here are a few examples:

  1. Android WebView – many mobile apps display web content. In order to download and render such content on a mobile device, most Android developers use the WebView component. However, this component was identified as vulnerable to remote attacks – CVE-2012-6636.
  2. Dropbox Android SDK – when mobile apps want to integrate their functionality with cloud storage (photo apps, wallets, vaults etc.), they integrate SDKs from cloud storage providers. The Dropbox Android SDK was found to be vulnerable – CVE-2014-8889. This vulnerability may enable theft of sensitive information from apps that use the vulnerable Dropbox SDK, both locally by malware and remotely using drive-by exploitation techniques.
  3. Configuration and development errors – as long as humans continue to code software, vulnerabilities will exist. The increasing complexity of operating systems, databases, app logic and platforms, compounded by short development windows makes it very difficult for developers to catch every error in their code. Unfortunately, this leaves large volumes of untested code that are potentially vulnerable.

If that does not give seven reasons to be concerned, then identity theft is really the next step.

AVG’s Yuval Ben-Itzhak has some interesting comments on app vulnerability.

“Most developers are trained to deliver functionality, not security. Most mobile apps require relatively small development teams. With the ever-increasing functionality required and short time to market, the time to spend on finding vulnerabilities is getting much shorter.”

“Developers have abandoned thousands of apps due to low monetization. These abandoned apps linger in the app store, are no longer supported and any vulnerabilities remain indefinitely.” The solution is for app stores to stop worrying about the quantum of apps and start worrying about good apps.

“Developers are not entirely responsible for eradicating vulnerable apps. Official mobile stores employ automatic security scanners to identify malicious apps. These can often be very difficult to detect and it requires lots of resources and attention.”

OWASP – the open software security community – has identified 10 main threats in 2015.

(Ray Shaw) Security, Fri, 20 Mar 2015 09:15:03 +1100
KPMG buys First Point Global to expand cyber security business

Professional services firm KPMG Australia has acquired Asia Pacific cyber security technology solutions business, First Point Global.

The deal, terms of which were not disclosed, is part of a global strategy by KPMG to expand its cyber capabilities, and marks the fourth cyber acquisition by the KPMG international network in the past five months.

First Point Global founding partners John Havers and Jan Zeilinga, and a team of 30 professionals, will join KPMG’s Cyber Security leadership team.  The combined team, to be known as KPMG First Point Global, will offer clients a full spectrum of cyber services spanning consulting, systems implementation and ongoing support.

“Cyber security is one of the greatest risks facing business today. The critical challenge of protecting information systems and assets, and the reputational and regulatory implications of failing to do so continue to raise the stakes on cyber security and governance,” KPMG’s Global Head of Cyber Security Malcolm Marshall said.

“Investors and regulators are increasingly challenging boards to step up their oversight of cyber security and calling for greater transparency around major breaches and their impact on the business.

“First Point Global brings a particular strength in placing customer identity management at the heart of our clients’ customer strategies, building revenue as well as managing risk. This, and the other capabilities they bring, are being combined with our own strengths and those of the other acquisitions to make KPMG the clear choice in identity and access management globally.”  

KPMG Australia CEO Gary Wingrove said the acquisition of First Point Global deepens the firm’s cyber capability in Australia, and is a “very smart fit for growing client needs and our firm.”

“KPMG is already well positioned with a strong team focused on cyber risk, protection and cyber crime investigations. Now we can offer a much deeper capability by creating one of the leading cyber security consulting groups in Australia.”

According to John Havers, CEO of First Point Global, digital identity and access management have risen in visibility within the corporate hierarchy, “from the backroom to the boardroom”.

“Ten years ago, we were having discussions with technologists about authentication and authorisation. Our discipline then became important for audit, risk and finance to address growing compliance requirements. Today, digital identity and its management underpins customer-facing services which are strategic for the growth and survival of businesses, and C-level executives and boards care about that.”

Globally, KPMG has identified cyber security as one of six strategic growth initiatives for focused investment, and in the past five months has invested substantially internationally in strengthening its cyber capabilities.

Global acquisitions by KPMG have included Qubera, a leading identity and access management consultancy operating in the USA, UK and India; P3 Consulting, a Frankfurt-based security boutique consultancy; and most recently Finnish cyber security business Trusteq Oy.

(Peter Dinham) Security, Thu, 19 Mar 2015 14:09:50 +1100
Neglect the insider threat at your peril

It is too easy to give our full attention to the threat from without. However, the threat from within is more significant, and growing.

A recent survey of 500 IT decision makers and 4,000 employees around the world by Clearswift found that 88% of businesses had experienced an IT or security incident in the previous 12 months.

Worse, 73% of those incidents were attributable to employees, ex-employees, contractors and partners (compared with 58% in the previous 12 months).

Businesses are clearly facing a growing threat from insiders. Guy Bunker, CTO at Clearswift, offered: "Many businesses are still struggling to accept that one of their biggest security risks could come from people they employ in their organisation." These are people who open malware-laden emails, who visit data-sucking websites or who share their access credentials with others.

Due to the 'squeaky wheel' or the 'raised nail' philosophy of most corporate agendas, events such as Snowden or Sony Pictures have strengthened focus on outside threats. With this in mind, just 28% of the survey respondents thought that their boards of directors treated internal breaches with the same degree of importance as external ones.

In fact, 14% suggested that until a significant internal breach occurred, little more than lip service would be paid to this threat source.

Of course the majority of internally triggered breaches are not malicious ("we have more to fear from the bumbling of fools than the machinations of the wicked" as the saying goes), but that does not lessen their impact.

Clearswift specifically identifies limited awareness and understanding of threats, along with a general contempt for following company protocol as major drivers for internal breaches.

It all comes back to basic security hygiene.

  • Limit each employee's access to the resources needed for their role
  • Test outbound as well as inbound data streams
  • Trust employees, but verify their behaviour (to paraphrase Ronald Reagan)
  • Take away all computers and issue paper, pencils and an abacus to each employee
(David Heath) Security, Wed, 18 Mar 2015 23:36:54 +1100
Security frameworks 'too complicated' says Telstra executive

Security frameworks are "way too complicated," Telstra chief information security officer Mike Burgess told a media and analyst briefing at the Cisco Live conference today.

Furthermore, it is possible to follow a security framework carefully and still be hacked, he said.

Not only are frameworks too complicated, there are too many of them. Australian Cyber Security Research Institute CEO Gary Blair referred to "a surplus of frameworks" that are too complex for most organisations.

Cisco senior vice president and chief security trust officer John Stewart said another problem with formal frameworks is that they tend to be out of date by the time they are promulgated.

The industry struggles to provide consistent security across businesses, as everyone has their own 'best practices,' he observed.

So Stewart recommends starting with a few questions that make a meaningful difference, and then scaling up.

What's really needed, according to Stewart, is an automated, data-driven approach to security.

It isn't that humans will not be involved. Cisco security business group vice president and CTO Bret Hartman said there is a need to balance the roles of people and automation in security systems, but warned that people are "very often the weaker component" due to insufficient knowledge or the inability to react sufficiently quickly.

"The human factors issue is incredibly difficult to cope with," added Stewart.

(Stephen Withers) Security, Wed, 18 Mar 2015 17:13:44 +1100
Atmail hoses spam with Spamhaus from $0.60/user/year

Atmail has partnered with email security experts Spamhaus to offer spam protection services at an affordable price.

Australian email provider Atmail, which powers 45 million inboxes worldwide, has joined forces with global spam monitoring and blocking service Spamhaus.

Spamhaus, founded back in 1988, filters malicious emails before they reach the server. Since then, Spamhaus has not only won awards but also works with ‘Law Enforcement to identify and pursue spammers worldwide, protecting over 2 billion mailboxes globally.’

Atmail notes that 196.3 billion emails are sent globally per day, of which a whopping 64% are spam.

For the environmentally conscious, this is said to contribute ‘20,100,100 tons of carbon dioxide per year’ - which really does go to show just how much hot air is in all of that spam.

More fun email and spam facts can be seen in Atmail’s infographic embedded below.

Atmail’s email solutions power the inboxes of global and Australian ISPs such as Optus, iiNet and TPG.

Spamhaus will be added to Atmail as ‘an added feature’ at a price starting from 60c per user per year, and will deliver ‘the ability to reject more than 90 per cent of spam emails even before they enter the email server.’

Atmail says this new offering aims to:

  • Free up highly valuable infrastructure bandwidth and resources
  • Protect the reputation of atmail customers’ organisation by eliminating spam being forwarded through email accounts hosted by the company
  • Lower operational costs for the thousands of customers using atmail
  • Improve email system performance

Daniel Viney, the Product Manager at atmail said: “Spamhaus is an excellent spam monitoring and blocking provider.

“We are very pleased to partner with Spamhaus and offer their full ‘Anti-Spam Datafeed Service’ as an option within our product stack. The company is run by expert investigators, forensic specialists and network engineers located around the world, whose mission is to track the Internet's spam operations and sources, and protect users worldwide.

"Spamhaus infrastructure has the data and technology to help atmail deliver an even better service to our thousands of customers, and the package is available now through”


Simon Forster of Spamhaus Technologies said: "Spamhaus is looking forward to partnering with atmail to make email communications safer for their clients. Preventing spam and malware from getting into users’ mailboxes also helps to make the Internet a safer place for all.”

The atmail anti-spam package starts at $0.60/user/year, and includes:

  • SBL (Spamhaus Block List) - Contains IP addresses that are controlled by known spammers
  • XBL (Exploits Block List) - Contains IP addresses of virus-compromised computers that are sending spam
  • PBL (Policy Block List) - Contains IP addresses that should not be delivering unauthenticated SMTP email
  • DBL (Domain Block List) - Contains a list of domains used in spam which link to fraud, phishing and malware sites
  • Custom configuration to increase the effectiveness of SpamAssassin
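As an added illustration of how a mail server actually consults the lists above (this is example code written for this page, not Atmail's or Spamhaus's own software), the block below builds the DNSBL query names for the SBL/XBL/PBL combined zone and the DBL, maps the answers back to list names, and applies the one policy nuance the PBL description implies: a PBL hit only bars unauthenticated senders. It assumes the Zen zone name and the 127.0.0.x / 127.0.1.x return codes from Spamhaus's published documentation, and it injects a constructed resolver table so it runs offline.

```python
"""Consult the Spamhaus lists named in the article (SBL, XBL, PBL via the Zen
combined zone; DBL for domains) the way a mail server does: by DNS lookup.

Assumptions (not from the article): zen.spamhaus.org merges SBL, XBL and PBL
and answers with the 127.0.0.x codes in ZEN_CODES, as documented by Spamhaus;
dbl.spamhaus.org answers 127.0.1.x for listed domains. DNS resolution is
injected so the example runs offline against a constructed answer table.
"""
import ipaddress
from typing import Callable, Dict, List

ZEN_ZONE = "zen.spamhaus.org"
DBL_ZONE = "dbl.spamhaus.org"

# Zen return code -> list name (assumption: Spamhaus's documented codes).
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",   # Spamhaus Block List: spammer-controlled space
    "127.0.0.3": "SBL",   # SBL CSS sub-list
    "127.0.0.4": "XBL",   # Exploits Block List: compromised hosts
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL",  # Policy Block List: should not send unauthenticated SMTP
    "127.0.0.11": "PBL",
}

Resolver = Callable[[str], List[str]]  # query name -> A-record answers as strings


def zen_query_name(ip: str) -> str:
    """Reverse the IPv4 octets and append the Zen zone:
    192.0.2.10 -> 10.2.0.192.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{ZEN_ZONE}"


def dbl_query_name(domain: str) -> str:
    """Domains are queried as-is (no reversal) under the DBL zone."""
    return f"{domain.strip('.').lower()}.{DBL_ZONE}"


def check_ip(ip: str, resolve: Resolver) -> List[str]:
    """Return the sorted names of the Spamhaus lists an IP appears on.
    An empty answer (NXDOMAIN) means the address is not listed."""
    hits = set()
    for answer in resolve(zen_query_name(ip)):
        if answer.startswith("127.255."):
            # Spamhaus signals query problems (open resolver, over quota) in this
            # range; a defender must never read that as a listing.
            raise RuntimeError(f"Spamhaus query error code {answer}")
        name = ZEN_CODES.get(answer)
        if name:
            hits.add(name)
    return sorted(hits)


def check_domain(domain: str, resolve: Resolver) -> bool:
    """True when the DBL returns any 127.0.1.x code for the domain."""
    return any(a.startswith("127.0.1.") for a in resolve(dbl_query_name(domain)))


def smtp_decision(ip: str, authenticated: bool, resolve: Resolver) -> str:
    """Connection-time policy: SBL/XBL hits are rejected outright; the PBL only
    bars unauthenticated senders, so an authenticated submission still passes."""
    hits = check_ip(ip, resolve)
    if "SBL" in hits or "XBL" in hits:
        return "reject"
    if "PBL" in hits and not authenticated:
        return "reject"
    return "accept"


def constructed_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Offline stand-in for DNS: answers from the constructed table, or an
    empty list (NXDOMAIN) for anything not in it."""
    return lambda qname: table.get(qname, [])


# Constructed sample answers using documentation-range addresses; not real listings.
SAMPLE_TABLE: Dict[str, List[str]] = {
    zen_query_name("192.0.2.10"): ["127.0.0.2"],                # SBL
    zen_query_name("192.0.2.20"): ["127.0.0.4", "127.0.0.11"],  # XBL + PBL
    zen_query_name("192.0.2.30"): ["127.0.0.10"],               # PBL only
    dbl_query_name("example.invalid"): ["127.0.1.2"],           # DBL-listed domain
}
sample_resolver = constructed_resolver(SAMPLE_TABLE)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.99"):
        print(ip, check_ip(ip, sample_resolver), smtp_decision(ip, False, sample_resolver))
    print("example.invalid listed:", check_domain("example.invalid", sample_resolver))
```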

More information on Atmail's Spamhaus offering is available here at Atmail's site. 

(Alex Zaharov-Reutt) Security, Wed, 18 Mar 2015 09:22:22 +1100
Android fragmentation is killing enterprise use

Android Lollipop 5.x was released ‘for general availability’ in November 2014. Why are only 1.4% of Android devices running it?

iOS is doing OK with about 72% running iOS 8.x but there is still that pesky 25% running iOS 7.x and 3% earlier than that. This is mainly due to it running slower on older hardware that will ‘expire’ soon. Apple’s usually taciturn CEO Tim Cook called Android “a toxic hellstew of vulnerabilities and securities …”

The majority of Windows Phone users are on 8.x and with its free offer to upgrade to Windows 10 Mobile (probably 2016) and the fact that Microsoft provides updates (similar to Apple) fragmentation in this OS should be a non-issue.

The problem with fragmentation – 98.4% in Android’s case – is that there are over a billion devices running at least five earlier versions that are all vulnerable to malware, data theft, and other major security vulnerabilities. Google does not update these – the manufacturer has to. Google’s recent response: “We will not fix issues in Jelly Bean 4.3.1 and prior.” What that means is that unless you have a recent KitKat 4.4 device or Lollipop you are screwed – the only way to get a little more secure is to buy a new device.


One major corporate user has banned Android devices on its network. “We simply cannot cope with managing the plethora of Android devices and apps on our network. We are happy to support iOS 8.x and Windows Phone 8.x – and apps from their stores but that is it!” This company uses a Symantec mobile management suite to control personally owned devices as well as access to company data and email.

The comment on iTunes and Windows Store is interesting – both test all apps before listing and changes are monitored and retested. Google Play has found and removed malware from apps on its store but the issue is that there are thousands of alternative Android app stores that do not take the responsibility.

This article is not about scaremongering – the vast majority of reported vulnerabilities in Android thankfully do not seem to take hold. But the fact is that Android is the only mobile OS that has an active botnet with millions of users unaware they are infected.

What can you do?

The average consumer with an Android device must run an antivirus/anti-malware product – there are several in the Google Play store – AVG, AVAST and Norton to name a few. If they connect to corporate email only, the chance of infecting the corporate network is low. The issue escalates, however, when they use remote access programs to reach server data or use terminal emulation.

Google could use the carrot and stick approach with device makers – either they update the OS or they don’t get it! But as Android is merely a thinly disguised vector for delivering advertising revenue to Google it probably won’t do that either.

In the interim, Google is trying to take parts of Android out and spin them into APIs and apps it can update and control. And it is not the major manufacturers who are at fault – you can be reasonably sure Samsung, LG, Sony and HTC will provide some updates.

Personally I think Android is a fine OS – its update mechanisms suck because of the customisations done by manufacturers and others who would rather sell new products than waste time – sell and forget.

The answer for enterprise (business at least) seems to be to support iOS and Windows Phone 8.1 – Windows 10 will be no issue.

(Ray Shaw) Security, Tue, 17 Mar 2015 17:06:34 +1100
Will Barbie share your daughter's secrets?

Mattel is about to release Hello Barbie - an internet-connected voice-interacting version of the popular doll.  What could possibly go wrong?

We've experienced the faux rage of the Siri and Samsung TV voice recognition systems.  In the case of Samsung, it was pretty-much a beat-up, while there was probably more to the issue with Siri.

But remember, before using Siri, you agreed to this: "By using Siri or Dictation, you agree and consent to Apple's and its subsidiaries' and agents' transmission, collection, maintenance, processing, and use of this information, including your voice input and User Data, to provide and improve Siri, Dictation, and dictation functionality in other Apple products and services."

…and you should probably take it with a rather large grain of salt, but we also have this from a couple of weeks ago:  "Guys, I'm telling you, if you've said it to your phone, it's been recorded…and there's a damn good chance a 3rd party is going to hear it," user Fallenmyst wrote on Reddit. "I heard everything from kiddos asking innocent things like 'Siri, do you like me?' to some guy asking Galaxy to lick his <xxxxx>.  I wish I was kidding."

Which brings us to Barbie.


In introducing the doll at the recent 2015 New York Toy Fair, Mattel's spokesperson said, "Welcome to New York, Barbie." With that, Barbie recorded the statement and sent it back over the Internet to a bunch of back-end servers which, using voice-recognition technology, quickly crafted a conversational response: "I love New York! Don't you? Tell me, what's your favourite part about the city? The food, fashion or the sights?"

Never mind that all three choices are far too grown-up for the typical 8-year-old owner, it seems more concerning that whatever the child says is recorded and transmitted to places unknown.

We are told that there will be a 'push-to-talk' button (on prototype models, it is on the belt buckle) and that without the button depressed, Barbie will be totally deaf, but the possibilities for abuse are surely endless.

Like all such systems, the manufacturers claim that 'live' sound will only be used to improve the speech-to-text capabilities, but that of course means two things - that humans are listening, and that a repository exists.

Presumably, there will be some requirement for parents to create an account on Mattel's servers; obviously they will also have to connect it to their home WiFi.  But what of other WiFis?  What if a group of girls want a talking Barbie slumber party?

"If I had a young child, I would be very concerned that my child's intimate conversations with her doll were being recorded and analysed," Angela Campbell, faculty adviser at Georgetown University's Center on Privacy and Technology, said in a statement.  "In Mattel's demo, Barbie asks many questions that would elicit a great deal of information about a child, her interests, and her family. This information could be of great value to advertisers and be used to market unfairly to children."

...and what of child abuse?  What if the young owner speaks of such things?  In most states of Australia, there is mandatory reporting.

ToyTalk's chief executive Oren Jacob (ToyTalk is the San Francisco-based startup that created the doll's technology) stressed that the audio files it captures will only be used to improve the product, such as, for example, by helping the company build better speech recognition models for children.  "The data is never used for anything to do with marketing or publicity or any of that stuff. Not at all," Jacob said.

One assumes he's never heard the term 'function creep.'


"Kids using 'Hello Barbie' aren't only talking to a doll, they are talking directly to a toy conglomerate whose only interest in them is financial," said Susan Linn, executive director of the Campaign for a Commercial-Free Childhood (CCFC), in a statement. "It's creepy -- and creates a host of dangers for children and families."

Perhaps even more concerning is the comment from ToyTalk, indicating that parents may optionally receive daily or weekly emails with access details to listen to their child's conversations. Linn found this to be 'troubling.' This writer would call it exceedingly creepy.

Just chalk this one up to a company that has no qualms about pushing the privacy envelope with their much-loved doll.  Readers might like to cast their minds back to the November 2010 fiasco where experts heavily criticised Mattel for a hidden video camera in Barbie's necklace and a play-back screen on her back (along with upload abilities, of course).

(David Heath) Security, Mon, 16 Mar 2015 22:02:55 +1100