Monday, December 31, 2012

Protecting Your Personal Info Online

Try Spokeo to find out how much your information is available online!

If you want a good litmus test for how much of your personal information is available on the Internet, try Spokeo.com. The site even compiles personal information on children. Spooky.

Thankfully, you can easily opt out of Spokeo. This won't remove all of your information from the Internet, obviously. But it will make it less simple for someone to find your information all in one place. Hayley Kaplan put together a great step-by-step process on her "What is Privacy?" blog to make it even easier.

This is one example of a great way your company or organization can contribute to the greater privacy good. If you have tips or tricks on how to opt-out of your own or another entity's data-collection processes, publish them and make them easy for your customer or client community to find and follow.

Sunday, December 30, 2012

More Privacy Changes from Facebook

Mark Zuckerberg's Sister Complains Of Facebook Privacy Breach

In November, Facebook made changes, including several improvements, to its privacy policies. At the same time, those changes allowed everyone who has a Facebook account to become searchable. Whereas users were once able to block certain people from finding them on the social network, that functionality has now been removed.

This has implications for victims of stalkers, violent ex's, or really anyone others are trying to track down. By finding a person in a search, there are ways to then get more information about them through unsecured or unblocked information posted on their Facebook friends' timelines.

The recent changes had some unintended consequences that ultimately resulted in a private photo of no-other-than Mark Zuckerberg going viral.

This is a good example of how you should expect ANYTHING you post online could be seen by the world, even if you think you have privacy settings set correctly.

You can still block certain users from seeing some of your content. However, you will be findable as a Facebook user. Be aware of this, particularly if you have certain people interested in locating you, learning of your connections, your whereabouts or your appearance.

Friday, December 28, 2012

Careful with your Instagrams

Did Instagram ever find itself in hot water just before the holidays!

When the popular photo sharing social network updated its policies on sharing users' images, the backlash was immediate

For any Tips readers using Instagram (which is now owned by Facebook), please be aware of the upcoming changes, taking effect January 16.

You will not be able to opt-out. Be sure to read the new Terms of Use; if you don't like them, you may want to delete all your Instagram accounts and content before Jan 16.

In response to the severe negative reaction, Instagram has apologized, saying the misunderstanding is due to what it calls "confusing" language in the Terms of Use statement.

They have promised to revise it and said "it is not our intention to sell your photos." Yet it remains unclear exactly how much access will be given to user content... and to whom.

Stay tuned, as I will be watching the new Terms of Use language closely and will plan to report on it here in the Tips message.

Wednesday, December 19, 2012

What Is Future of Information Security?

Hackers will and always be ahead of us!

It has become extremely hard for fraudster to make money from stealing credit cards, internet banking details, personal information etc due to increase in security measures by majority of the banks.

Now they are hacking, encrypting data and requesting for ransom money before they release the data. They're doing their calculations right, they are requesting the ransom amount which is way less to what it would cost company to recover/decrypt. The senior management finding this approach much easier to recover.

THIS IS THE FUTURE OF INFORMATION SECURITY!

I have been saying this for ages that bad guys will and always be ahead of us. They motive is to make money, for years and years financial crime was the easiest way for them to make money. Due to increase security technologies deployed by banks such as two-factor authentications, chip readers, proactive fraud detections systems etc, it is extremely difficult for fraudsters to make money.

The wider phenomenon of data ransoming is overwhelmingly that of Trojans infecting individual PCs in order to encrypt consumers’ private data, but the latest Australian attack could be an example of a separate trend to target and attack specific types of business.

I believe we will continue to loose the battle with the bad guys because we are not proactive in information security. We always wait for bad guys to setup a trend so we can follow :)

We will take few years to protect their latest tactics and by that time they will already come up with a new way to make money. 

Here are my suggestions:

  • We have to change our strategy, we need to be more proactive!
  • We need to consider security in each and everything!
  • We need to ensure disaster recovery and business continuity is considered in every business!
  • We should stop relying on technologies!
  • We need to understand process and people are more important then technology
  • We need to find innovative ways of protecting our data tailored to business needs


Monday, December 17, 2012

Hackers Encrypt Medical Centre's Entire Database

Attackers demand $4,000 (AUD) to release data

An Australian medical centre is reported to be considering paying a ransom demand of $4,000 AUD after blackmailers broke into the organisation’s servers and encrypted its entire patient database.

According to ABC News, Miami Family Medical Centre on the country’s Gold Coast had called in a third-party contractor to try and restore the data from backups but it remained unclear whether this would prove sufficient to return the database to its previous state. 

"We're trying to work out how to pay the hackers or find someone to decrypt the information," said centre co-owner David Wood. The centre was continuing to receive patients but Wood admitted this was proving "very, very, very difficult" without patient records.

"What medication you're on can be retrieved from the pharmacists [and] pathology results can be gotten back from pathology," he told ABC News.
According to Wood, the attackers had accessed the database directly rather than using a remote Trojan. 

We've got all the antivirus stuff in place - there's no sign of a virus. They literally got in, hijacked the server and then ran their encryption software," he said. "It's people who know how to break in past firewalls and hack passwords to get onto the server." No data had been compromised, Wood claimed.

The attack is not the first to affect medical centres in the country. Barely three months ago, dozens of business were reportedly hit by ransom malware and hijacking, including at least one other small medical businesses.

Not coincidentally, earlier this month US backup firm NovaStor reported an suspiciously similar attack on an unnamed US medical practice around Halloween that encrypted critical data including x-rays.

The business was able to beat the blackmailers thanks to NovaStor’s backup system which is probably the only reason the world got to hear about this near-disaster. That is the obvious Achilles heel of ransom industry – cloud or offline backup.

Any business or individual mirror data to a separate system that can’t itself be hacked should be able to defend itself against ransom attacks. The wider phenomenon of data ransoming is overwhelmingly that of Trojans infecting individual PCs in order to encrypt consumers’ private data, but the latest Australian attack could be an example of a separate trend to target and attack specific types of business.

The criminals appear to favour targeting smaller businesses likely to be heavy with valuable data but lack the resources to back it up as comprehensively as might a larger organisation. The culprits for the Miami Family Medical Centre are believed to be Russian, which fits with Trend Micro report from 2012 that suggested the core of the ransom industry could be a single gang.

A Symantec report analysed the boom in such attacks during the last year, suggesting that in the consumer space as many as three percent of victims probably paid up. That statistic was making the tactic hugely profitable, the company said.

Friday, December 14, 2012

NIST Glossary of Infosec Terms

Looking for a gift for your boss who doesn't quite understand information security lingo?

The National Institute of Standards and Technology has one you can give, and it's free. NIST has issued a draft of Interagency Report 7298 Revision 2: NIST Glossary of Key Information Security Terms.

As we are continuously refreshing our publication suite, terms included in the glossary come from our more recent publications. The NIST publications referenced are the most recent versions of those publications. It is our intention to keep the glossary current by providing updates online.

New definitions will be added to the glossary as required, and updated versions will be posted on the Computer Security Resource Center website.

The glossary includes most of the terms found in NIST publications. It also contains nearly all of the terms and definitions from CNSSI-4009, an information assurance glossary issued by the Defense Department's Committee on National Security Systems, a forum that helps set the US federal government's information assurance policy.

NIST is seeking comments and suggestions on the revised glossary, and they should be sent by Jan. 15 to secglossary@nist.gov.

Monday, December 10, 2012

What Security Issues Are Associated With Mobile Devices and App Development?

5 Mobile Security Trends and Actions to Consider

Governments are aggressively going mobile with new devices, app development projects and system integration efforts. Whether buying proven off-the-shelf products or developing mission-critical apps from scratch, there’s little doubt that the future interface for delivering customer service will be tablets and smartphones.

Estimates suggest that at least 50 percent of users will access the Web via mobile devices by the end of 2013. Meanwhile, many governments that implemented cloud-first policies over the past few years are developing new “mobile-first” edicts to match.

Indeed, tech experts described customer data landscape to business leaders with a triangular diagram containing three interacting puzzle pieces: cloud computing, mobile devices and security.

Some of these new apps are being acquired for public-sector workers to use on government-owned devices to improve efficiency. Other apps are citizen-centric, and they must be usable on the many new devices and operating systems now available and those coming soon.

So what security issues are associated with mobile devices and app development? Here are five mobile security trends and some actions to consider as you become more mobile:

More Mobile Data Than Ever

For years, sensitive enterprise data has leaked via USB drives and lost or stolen laptops, but the number of smartphones, tablets and other mobile devices has exploded.

Actions: Establish policies that encrypt mobile data on devices or keep all sensitive data off mobile devices. If accessing sensitive information is required, consider data loss prevention products and keeping all personally identifiable information on protected enterprise servers and off the endpoint devices.

More Mobile Malware

The bad guys are following the crowds, who are buying smartphones and tablets with more power than PCs of a decade ago. The DroidDream and Gemini malware attacks were launched in early 2012, and some call this the “Year of Mobile Malware.” Mobile botnets are also growing.

Actions: Mobile device management services can protect devices by locking down permissions and offering anti-malware software and tools. Training end users is also essential via formal awareness programs that explain how to think before clicking.

Growing Use of BYOD to Work

Some security experts see the BYOD trend as “bring your own disaster.” Nevertheless, one top industry expert predicted that 80 percent of global enterprises will adopt this approach by 2016.

Actions: Meet with business customers about mobile device preferences. Consider piloting BYOD in areas with nonsensitive data. Develop policies for the use of personal devices under different scenarios, even if some business areas opt out.

Authentication Complexity Growing

Despite the push for single sign-on, many enterprises still struggle with more credentials for more apps and devices. Users are tiring of more complex passwords, and the use of biometrics is growing.

Actions: Streamline credentials with federated identity management across government systems, mobile apps and legacy programs. Consider using federal health IT dollars as anchor tenants. Apply government policies to personal devices, if they store business data — after getting employee buy-in.

Mobile Platform Support Is Complex

Whether you’re writing apps for Apple’s iOS, Google’s Android, BlackBerry’s BES or Microsoft’s Windows 8, secure coding is hard work. One technology CEO said, “You’d be hard pressed to find application developers who actively try to mitigate against cross-site scripting attacks, SQL injection attacks and cross-site request forgery attacks.”

Actions: HTML5 is growing as an industry standard across mobile platforms — consider adopting it. Train staff in secure coding. And before deploying a code, test it for holes.

Final Thoughts

Government executives must consider having vendor partners manage specific services or assist with mobile activities. IT consumerization makes this a difficult area to keep up with. 

Please refer to National Institute of Standards and Technology issued draft guidance on mobile security for further details.

Sunday, December 9, 2012

Why Information Sharing is Key to Security?

In order to fight an attack, you have to know the attacker

Booz Allen Hamilton issued a list of the top 10 cyberthreat trends for financial services in 2013. Among the top trends: 

  • Information sharing will be more critical, as legislation could push industry standards to improve threat intelligence information sharing.
  • Vendor and third-party risks will pose security challenges for financial institutions of all sizes.
  • Boards of directors must create and embrace a culture that encourages information sharing across the industry.
  • Hacktivists and extremist groups will increasingly target institutions to disrupt services and destruct data.
  • Cyber-benchmarking will be used to show how banks stack up, from a security standpoint, to their competition.

The remaining five trends highlight the need for stronger identity and access controls, more focus on risk-protection processes and people, the need for predictive threat intelligence, and why reliance on the cloud and mobile is critical.

Underlying those 10 trends is the need for banking institutions to understand who's behind attacks waged against them, says Bill Wansley, a financial fraud and risk consultant for Booz Allen Hamilton.

Wansley's three-pronged approach to fighting cyberthreats:
Identify the attackers' capabilities, know their intent and appreciate the opportunities they have to do harm.
A distributed-denial-of-service attack, for instance, may not cause long-term damage to your infrastructure or compromise consumer privacy, but it definitely can do some damage to your reputation, depending on the intent of the attack and the actors behind it.

Hacktivists attack to damage reputation; criminals attack to commit fraud. Until you understand the actors, you can't adequately prepare for the threat. That's Wansley's key point, and it makes perfect sense. But I believe that the most critical step is information sharing.

The more we share about attacks - vulnerabilities and vectors - the more we will learn about how the attacks are waged, what they're after and who's behind them. Besides, that need for more information sharing supports, we need to understand the actors without that we can't adequately prepare for the threat.

Refer here to download the report.

Friday, December 7, 2012

10 Key Considerations for Mobile Security

Simple steps to consider for Enterprise Mobile Security

With the expansion of mobile device usage in enterprises as a communication method for corporate and personal information, mobile devices have become an additional source of risk to the enterprise.

To assist the business in managing the risk, several security controls should be considered when deploying mobile devices. They include, but are not limited to:  

1) Strong authentication

2) Data loss prevention (DLP) and data protection controls: Data protection controls include data-at-rest encryption and secure-channel communication.

3) Life-cycle management for enterprise apps: This refers to the ability to inventory, report and control apps on a mobile device, which includes provisioning, updating and deleting enterprise apps.

4) Malware protection

5) Device compliance and antitheft methods: This refers to the ability to perform compliance inspections on the device according to corporate policy and implement loss/antitheft capabilities.

6) Privacy controls: Privacy controls include restricting available device information and real-time auditing of apps to assist with data leakage events.

7) SMS archiving

8) Selective wipe capabilities: Selective wipe refers to the ability to remove specific apps/files from the device without affecting an employee’s personal data and environment (i.e., bring your own device).

9) URL filtering 

Over-the-air (OTA) device management: OTA is a requirement for mobile management and includes device life-cycle management (i.e., discovery, registration, update, deletion, decommissioning).

Wednesday, December 5, 2012

NIST Issues Credential Revocation Guide

Revocation Model for Federated Identities

Organizations can't easily revoke authentication credentials when they employ more than one identify provider. With multiple identity providers and unique requirements for organizations to federate them, no one approach exists to manage them.

To address this dilemma, the National Institute of Standards and Technology has issued NIST Interagency Report 7817: A Credential Reliability and Revocation Model for Federated Identities.

IR 7817 describes and classifies different types of identity providers serving federations. For each classification, the document identifies perceived improvements when the credentials are used in authentication services and recommends countermeasures to eliminate some identified gaps.

With the countermeasures as the basis, the document suggests a Universal Credential Reliability and Revocation Services model that strives to improve authentication services for federations.

Here's how NIST explains the challenge:

Identity providers establish and manage their user community's digital identities. Users employ these identities, in the form of digital credentials, to authenticate service providers. The digital identity technology deployed by an identity provider for its users varies and often dictates a specific authentication solution in order for the service provider to authenticate the user.

A federated community accommodates two or more identity providers along with the specific authentication solution. With the diverse set of identity providers and the unique business requirements for organizations to federate, there is no uniform approach in the federation process. Similarly, there is no uniform method to revoke credentials or their associated attributes.

In the absence of a uniform method, IR 7817 investigates credential and attribute revocation with a particular focus on identifying missing requirements for revocation. As a by-product of the analysis and recommendations, the report suggests a model for credential reliability and revocation services that serves to address some of the missing requirements.

Wednesday, November 28, 2012

Chinese Capabilities for computer Network Operations and Cyber Espionage

Chinese Cyber Threat in the Open

When people are discussing nation-state cyber threats against the U.S. in public, they often do so in whispers, assuming that all information is classified. However, it may come as a surprise to many the amount of information that currently exists in the public domain.

One example of this can be found in a compelling report compiled this year for the U.S.-China Economic and Security Review Commission, called “Occupying the Information High Ground: Chinese Capabilities for computer Network Operations and Cyber Espionage,” the paper covers such provocative topics as the Chinese strategic view of cyber warfare, how they’re organized, distinctions between state sponsored and criminal activity, to name just a few.

This paper makes several interesting observations (which will be explored in later posts). Some of them include:

  • Effects of early Chinese Computer Network Attack preparation may not be observable until after conflict erupts.
  • The U.S. lacks comprehensive policy on response to large scale network attack if there is not definitive attribution.
  • Beijing may use cyber policy and legal frameworks to create delays in US command decision making and response in the event of conflict.

While this paper pulls information from a number of sources, it is also possible to gain some insight into potential targets – at least from an industrial espionage standpoint – just by looking at what the Chinese government openly states it will do.

A good place to delve even more deeply into this topic is China’s own “12th 5-Year Plan.” This is the guiding document for the country’s economic plan and they stick pretty close to it. A good analysis of the plan as it pertains to energy can be found here.

Based on the volume of news and other analysis, it can be assumed that industrial espionage is culturally rampant in China. If that’s the case, it also seems inevitable that someone over there will be targeting (the typically more mature) U.S. assets and operations to enhance their own industrial capabilities.

In reading through the KPMG paper above it becomes apparent that Hydro Electric utilities may be targets for cyber espionage:

  • 3 out of 7 strategic investment areas in the 5 year plan relate to energy: clean energy, energy conservation, and clean energy cars
  • Hydroelectric is an area targeted for high growth
  • China’s big 5 power looking at overseas investments…including renewable energy

While there is no actual technical data (logs, reports) supporting the fact that Hydro is being targeted for cyber attacks, and the KPMG paper focuses primarily on business perspectives as opposed to cyber, it is these “open source” business perspectives that guide us toward identifying which cyber assets and information might be potential upcoming targets.

Friday, November 23, 2012

How to Audit Business Continuity

It's Not About the Process; It's About the Plan

Although business continuity is in many ways relatively straightforward, it is not really a technical or scientific discipline compared with security or quality. Auditors need fixed points of reference for comparisons. Standards (in various guises) provide them with a route map to follow. This allows them to check the process, but not really the effectiveness, of the program.

For example, it is easy to check the number of employees who have been through a business continuity management induction, but much more difficult to determine if this has had any impact upon corporate resilience. This factor has often caused full-time BC practitioners to claim that they alone can properly audit a BC plan or program.

There might be some justification for this. An auditor, for instance, could successfully audit a hospital for its compliance against pre-agreed hygiene standards, but would not be credible at determining a surgeon's technical competence at performing a difficult operation. However, few BC practitioners have the formal audit skills that colleagues in internal audit possess.

Many consultants try to gain these skills by undertaking various audit training courses, but often find the concentration on process and compliance frustrating. To be successful in auditing a business continuity program, both professional knowledge of BCM and appropriate audit skills are required.

The goal of a BCM program is to protect the organization, to ensure adequate levels of resilience exist to withstand the consequences of disruptions and to ensure that there is company-wide BCM awareness and operational consistency.  

To continue with the medical analogy, there is little value in a surgeon claiming an operation was a technical success if the patient died of poor aftercare. Similarly, there is little point in an organization gaining BCM certification from compliance authority if it goes out of business as soon as a serious problem occurs.

Resilience, not process consistency, is the ultimate measure of success. So given these warnings and caveats, what must an auditor do to add value to a BCM program?

First, he or she must understand the business fully. There are some good places to start, such as the company's annual report, to understand missions and values; the external auditors report to highlight weaknesses or exposures; as well as risk registers, previous business impact analyses and other available management reports.

It is rarely useful to start with the business continuity plan itself. The second stage is to familiarize oneself with the BCM process that is in place. 

  • Does it follow any recognized standard (internal or external)?
  • How well has it documented? Do people know about it and their role in it?
  • Conducting selective interviews with senior management and other interested parties can help judge how serious they are in supporting BCM.

Remember: A significant budget for commercial IT recovery capability does not in itself demonstrate management commitment to an embedded business continuity culture. Having acquired this level of contextual understanding, auditors can start to ask questions and review the applicability of the responses. 

Many of the questions are basic, but often throw up uncomfortable issues. Typical areas to cover include:

  • Do you have plans for all critical systems, processes and functions, and how do you know which are the most critical?
  • Are the plans accurate, complete and up-to-date? Is the documentation easy to follow in an emergency?
  • Have roles and responsibilities been defined?
  • Are the response strategies devised appropriate to the potential level of disruption?
  • Are the plans tested? If so, how, when and by whom?
  • Are the test results evaluated, lessons learned and plans enhanced?
  • Are the initial response structures well-known and fully tested?
  • Are appropriate communications with external parties defined and tested?
  • If pre-defined alternate locations are designated, do staff know how to access them?
  • Are all critical resources backed up and recoverable?
  • Are personnel trained in their post-incident roles?

The most important thing for the auditor to reflect on is not the documentation, but the resilience capability that can be demonstrated. A poor audit is one in which the auditor treats it as a document review. It is not enough to have a well written plan unless that plan is part of a tried-and-tested process.

Monday, November 19, 2012

10 Supply Chain Risk Management Best Practices

NIST Interagency Report Aims to Mitigate Vulnerabilities

The National Institute of Standards and Technology has issued a new report to help organizations mitigate supply chain risks. NIST says the 10 supply chain risk management practices can be applied simultaneously to an information system or the elements of an information system.

The practices are:

1) Uniquely identify supply chain elements, processes and actors. Knowing who and what is in an enterprise's supply chain is critical to gain visibility into what is happening within it, as well as monitoring and identifying high-risk events and activities. Without reasonable visibility and traceability into the supply chain, it is impossible to understand and therefore manage risk and to reduce the likelihood of an adverse event.

2) Limit access and exposure within the supply chain. Elements that traverse the supply chain are subject to access by a variety of actors. It is critical to limit such access to only as much as necessary for those actors to perform their roles and to monitor that access for supply chain impact.

3) Establish and maintain the provenance of elements, processes, tools and data. All system elements originate somewhere and may be changed throughout their existence. The record of element origin along with the history of, the changes to and the record of who made those changes is called "provenance."

Acquirers, integrators and suppliers should maintain the provenance of elements under their control to understand where the elements have been, the change history and who might have had an opportunity to change them.

4) Share information within strict limits. Acquirers, integrators and suppliers need to share data and information. Content to be shared among acquirers, integrators and suppliers may include information about the use of elements, users, acquirer, integrator or supplier organizations as well as information regarding issues that have been identified or raised regarding specific elements. Information should be protected according to mutually agreed-upon practices. 

5) Perform supply chain risk management awareness and training. A strong supply chain risk mitigation strategy cannot be put in place without significant attention given to training personnel on supply chain policy, procedures and applicable management, operational and technical controls and practices. NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, provides guidelines for establishing and maintaining a comprehensive awareness and training program.

6) Use defensive design for systems, elements and processes. The use of design concepts is a common approach to delivering robustness in security, quality, safety, diversity and many other disciplines that can aid in achieving supply chain risk management. Design techniques apply to supply chain elements, element processes, information, systems and organizational processes throughout the system.

Element processes include creation, testing, manufacturing, delivery and sustainment of the element throughout its life. Organizational and business processes include issuing requirements for acquiring, supplying and using supply chain elements.

7) Perform continuous integrator review. Continuous integrator review is an essential practice used to determine that defensive measures have been deployed. Its purpose is to validate compliance with requirements, establish that the system behaves in a predictable manner under stress and detect and classify weaknesses and vulnerabilities of elements, processes, systems and any associated metadata.

8) Strengthen delivery mechanisms. Delivery, including inventory management, is an essential function within the supply chain, which has a great potential for being compromised. In today's environment, delivery can be physical such as hardware or logical such as software modules and patches. 

9) Assure sustainment activities and processes. The sustainment process begins when a system becomes operational and ends when it enters the disposal process. This includes system maintenance, upgrade, patching, parts replacement and other activities that keep the system operational. Any change to the system or process can introduce opportunities for subversion throughout the supply chain.

10) Manage disposal and final disposition activities throughout the system or element life cycle. Elements, information and data can be disposed of at any time across the system and element life cycle. For example, disposal can occur during research and development, design, prototyping or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys and partial reuse of components.

NIST says the recommendations in the interagency report are for information systems categorized at the FIPS 199 high-impact level. But NIST says agencies and other agencies can choose to apply the recommended practices to specific systems with a lower impact level, based on the tailoring guidance provided in the draft of NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations.

Refer here to download the report.

Sunday, November 18, 2012

Beware of 12 SCAMS during Christmas

Study investigated behaviours of Americans but it's still relevant to Australians

A Harris Interactive study, conducted online among over 2,300 U.S. adults, investigates the online habits and behaviors of Americans, including those who indicate that they will engage with the Internet and mobile devices while shopping this holiday season.

While Americans have become accustomed to shopping online, and will do so in droves, they are also using their mobile phones for more of their everyday activities.

As 70% of those surveyed plan to shop online this holiday season, a surprising 1 in 4 (24%) of them plan to use their mobile devices, and while aware of the risks, they are willing to give away their personal information if they can get something they value in return.

In fact, despite the fact that 87% of smartphone or tablet owners surveyed are at least somewhat concerned that their personal information could be stolen while using an app on a smartphone or tablet, nearly nine in ten of them are willing to provide some level of personal information in order to receive an offer that is of value to them.

Among those Americans planning on using smartphones and/or tablets to purchase gifts this holiday season, over half (54%) are specifically planning to use apps for shopping and/or banking during the holiday season; as such, mobile devices have proven irresistible to cybercriminals, and now they are targeting mobile users through malicious applications.

With roughly three in ten (28%) American smartphone and/or tablet owners admitting they do not pay attention at all to app permissions and 36% paying attention but specifying they do not always do so, Cyber-Scrooge criminals are ready to pounce.

‘Tis the season for consumers to spend more time online - shopping for gifts. 88% of those Americans who plan on shopping online during the 2012 holiday season plan on using a personal computer to do so, and 34% will use a tablet (21%) and/or smartphone (19%).

But with nearly half (48%) of Americans planning to shop online on Cyber Monday for sales (45% using a computer, 10% using a mobile device), here are the “12 Scams of Christmas,” the dozen most dangerous online scams to watch out for this holiday season, revealed by McAfee.

1. Social media scams - Cybercriminals know social media networks are a good place to catch you off guard because we’re all “friends,” right? Scammers use channels, like Facebook and Twitter, just like email and websites to scam consumers during the holidays.

Be careful when clicking or liking posts, while taking advantage of raffle contests, and fan page deals that you get from your “friends” that advertise the hottest Holiday gifts, installing apps to receive discounts, and your friends’ accounts being hacked and sending out fake alerts. Twitter ads and special discounts utilize blind, shortened links, many of which could easily be malicious.

2. Malicious mobile apps - As smartphone users we are app crazy, downloading over 25 billion apps1 for Android devices alone! But as the popularity of applications has grown, so have the chances that you could download a malicious application designed to steal your information or even send out premium-rate text messages without your knowledge.

3. Travel scams - Before you book your flight or hotel to head home to see your loved ones for the holidays, keep in mind that the scammers are looking to hook you with too-good-to-be-true deals. Phony travel webpages, sometimes using your preferred company, with beautiful pictures and rock-bottom prices are used to get you to hand over your financial details.

4. Holiday spam/phishing - Soon many of these spam emails will take on holiday themes. Cheap Rolex watches and pharmaceuticals may be advertised as the “perfect gift” for that special someone.

5. iPhone 5, iPad Mini and other hot holiday gift scams - The kind of excitement and buzz surrounding Apple’s new iPhone 5 or iPad Mini is just what cybercrooks dream of when they plot their scams. They will mention must-have holiday gifts in dangerous links, phony contests (example: “Free iPad”) and phishing emails as a way to grab computer users’ attention to get you to reveal personal information or click on a dangerous link that could download malware onto your machine.

6. Skype message scare - People around the world will use Skype to connect with loved ones this holiday season, but they should be aware of a new Skype message scam that attempts to infect their machine, and even hold their files for ransom.

7. Bogus gift cards - Cybercriminals can't help but want to get in on the action by offering bogus gift cards online. Be wary of buying gift cards from third parties; just imagine how embarrassing it would be to find out that the gift card you gave your mother-in-law was fraudulent!

8. Holiday SMiShing - “SMiSishing” is phishing via text message. Just like with email phishing, the scammer tries to lure you into revealing information or performing an action you normally wouldn’t do by pretending to be a legitimate organization.

9. Phony e-tailers - Phony e-commerce sites, that appear real, try to lure you into typing in your credit card number and other personal details, often by promoting great deals. But, after obtaining your money and information, you never receive the merchandise, and your personal information is put at risk.

10. Fake charities - This is one of the biggest scams of every holiday season. As we open up our hearts and wallets, the bad guys hope to get in on the giving by sending spam emails advertising fake charities. 

11. Dangerous e-cards - E-Cards are a popular way to send a quick “thank you” or holiday greeting, but some are malicious and may contain spyware or viruses that download onto your computer once you click on the link to view the greeting.

12. Phony classifieds - Online classified sites may be a great place to look for holiday gifts and part-time jobs, but beware of phony offers that ask for too much personal information or ask you to wire funds via Western Union, since these are most likely scams.

Using multiple devices provides the bad guys with more ways to access your valuable “Digital Assets,” such as personal information and files, especially if the devices are under-protected. One of the best ways for consumers to protect themselves is to learn about the criminals’ tricks, so they can avoid them.

Beyond that they should have the latest updates of the applications on their devices in order to enjoy a safe online buying or other experience. We don’t want consumers to be haunted by the scams of holidays past, present and future – they can’t afford to leave the door open to cyber-grinches during the busy holiday season.”

Friday, November 16, 2012

Securing Mobile Devices Using COBIT 5 for Information Security

ISACA published (Members Only) guidelines for Securing Mobile Devices 

Securing Mobile Devices Using COBIT 5 for Information Security should be read in the context of the existing publications COBIT 5 for Information Security, Business Model for Information Security (BMIS) and COBIT 5 itself. This publication is intended for several audiences who use mobile devices directly or indirectly.

These include end users, IT administrators, information security managers, service providers for mobile devices and IT auditors. The main purpose of applying COBIT 5 to mobile device security is to establish a uniform management framework and to give guidance on planning, implementing and maintaining comprehensive security for mobile devices in the context of enterprises.

The secondary purpose is to provide guidance on how to embed security for mobile devices in a corporate governance, risk management and compliance (GRC) strategy, using COBIT 5 as the overarching framework for GRC.

Refer here to download. (Members Only)

Wednesday, November 14, 2012

SCADA Safety In Numbers: Report highlighting SCADA insecurities

40% of SCADA systems connected to the Internet are vulnerable and can be hacked by less savvy cyber-criminals

A new report that attempts to quantify the risks to Industrial Control Systems (ICS) contends that more software flaws are being detected in the sensitive systems since the 2010 discovery of Stuxnet, but the report may be based on some faulty assumptions, according to one ICS expert.

The report, SCADA Safety In Numbers, (.pdf) was produced by Russian vulnerability management vendor Positive Technologies Security. The analysis is based on data collected from an array of vulnerability databases and exploit packs. It found that more than 40% of SCADA systems connected to the Internet are vulnerable and can be hacked by less savvy cyber-criminals.

The study also found that 64 vulnerabilities were discovered and reported in industrial-control system products by the end of 2011. And nearly 100 coding errors were reported already this year. The authors contend that for each of the bugs disclosed over the last two years, they “searched for generally available methods of exploiting the [vulnerabilities] and provided an expert evaluation of the related risks.”

“The fact that this paper attempts to identify and classify vulnerabilities based on risk level is inappropriate,” said Langill, who is also known throughout the industry by his handle SCADAhacker.

Just because a device in an ICS system is potentially vulnerable and accessible via the Internet does not necessarily mean it poses any risk to the end-user, Langill said. An end-user may have followed recommended practices and placed a device in special “zones” that offer “hidden” security controls to protect against compromise, he said.

A claim in the report that 39% of the ICS systems in North America are vulnerable to compromise is suspect and based on faulty analysis, Langill said. In order for an attacker to capitalize on a specific vulnerability, they would also have to be able to overcome all of the existing layers of security that are in place, Langill said, turning a seemingly simple exploit of a vulnerability with a high CVSS score into a very sophisticated attack that would be difficult to execute and realistically classified with a very low "effective" CVSS score.

“It is important not to confuse a ‘component’ vulnerability with a ‘system’ vulnerability," Langill said. "It is possible, and not uncommon, for vulnerable components to be installed within an ICS network that is equipped to provide a barrier against various threats. Therefore, the system compensates for these known and unknown vulnerabilities by creating isolation within the ICS architecture."

Langill said many of the vulnerable components listed in the report are from companies that do not represent any significant market share, potentially skewing the results against the actual number of vulnerable systems. He also noted that most ICS architectures contain far more embedded devices than they do Windows-based hosts, yet nearly all disclosed vulnerabilities in the report are designed to specifically target a Windows environment.

In my humble opinion, despite the weaknesses identified in the Positive Technologies report, there is still value in the research in regards to drawing more attention to the problem of sensitive ICS systems that are exposed by way of the Internet

Pls refer here to download the report.

Monday, November 12, 2012

Incident Response: Gathering the Facts

Not Knowing Numbers Behind Event Makes Risk Assessment Hard

To know how best to respond to IT and communications failures, organizations first must collect information on such incidents. 

The European Network and Information Security Agency, as reflected in its report that focused on mobile- and land-based networks, is collecting information about incidents so European member nations can improve their response to such events.

Without the data and an analysis of the information, officials in government and industry can't determine the best way to respond. Report author states:
"We could go to any country and ask a politician if they know how many incidents there were in the banking sector and what their social impact was. They don't know the answer. And that is difficult to make policy and even to assess the risks of cybersecurity incidents without knowing the numbers behind it."
Among the major findings of the report:

  • Hardware/software failure and third-party failure were the root causes for most outages;
  • Incidents primarily caused by natural phenomena such as storms and floods lasted, on average, for 45 hours;
  • A strong dependency exists on power supply of mobile and fixed communication services, noting that battery capacity of 3G base stations is limited to a few hours, and this means that lasting power cuts cause communication outages.
Please refer here to download the report.

Friday, November 9, 2012

What to Do About DDoS Attacks

Security Tips for the Banks

The distributed-denial-of-service attacks that have hit 10 U.S. banks in recent weeks highlight the need for new approaches to preventing and responding to online outages.

Attackers have broadened their toolkits, and DDoS is a not just a blunt instrument anymore. Banking institutions should: 
  • Use appropriate technology, including cloud-based Web servers, which can handle overflow, when high volumes of Web traffic strike;
  • Assess ongoing DDoS risks, such as through tests that mimic real-world attacks; Implement online outage mitigation and response strategies before attacks hit; 
  • Train staff to recognize the signs of a DDoS attack.
In layman's term, during a DDoS attack, a website is flooded with "junk" traffic - a saturation of requests that overwhelm the site's servers, preventing them from being able to respond to legitimate traffic. In essence, DDoS attacks take websites down because the servers can't handle the traffic.

Most banks have failed to address this vulnerability to high volumes of traffic. Starting in mid-September, DDoS attacks have resulted in online outages at 10 major U.S. banks.

The hacktivist group Izz ad-Din al-Qassam Cyber Fighters has taken credit for the hits, saying the attacks are motivated by outrage related to a YouTube movie trailer deemed offensive to Muslims. But security experts say DDoS attacks are often used as tools of distraction to mask fraud in the background.


To reduce their risk of DDoS takedown, banks need to address three key areas: 
  1. Layered user authentication at login, which consumes bandwidth;
  2. Reliance on Internet service providers not equipped to handle extreme bandwidth demands; and
  3. The internal management of Web servers, which limits banks' ability to hand off traffic overflow when volumes are excessive.
Fraud should always be an institution's top concern, meaning addressing DDoS threats should be a priority. "DDoS protections have quickly become a new industry best practice. But DDoS attacks pose unique challenges for banks and credit unions.

The additional layers of security institutions already implement, such as enhanced user authentication, transaction verification and device identification, demand more bandwidth. So when a bank is hit by a DDoS attack, bandwidth is strained more than it would be at a non-banking e-commerce site.

Thursday, November 8, 2012

How to crack/reset your Windows account?

Have you lost or forgotten your Windows password?

It's one of the security best practice to enable password on your Windows user account to ensure you have adequate protection from malicious access to your personal files. 

It is a common practice to forget your computer password if you're not using it for a while or perhaps just returned from holidays. Unfortunately, currently Windows operating systems doesn't have an option to reset your password like we commonly see in web applications such as Facebook, Hotmail etc.

In the majority of the cases, I have seen users have to format and reinstall the Windows to access their computer again but unfortunately they have to sacrifice  loss of their personal data if they haven't backed-up.

So what to do? How to crack/reset the password of the Windows operating system?

I recently come across this nice password resetter tool "Password Resetter", which cracks windows password in minutes without affecting your personal data.

As stated on their website that it can recover 99,9% of passwords from nearly any Windows installation in a matter of seconds! You do not need to remember old passwords in order to crack your Windows password.

Password Resetter recovers the lost Windows administrator or user password from any Windows Operation System. It supports Windows Vista, XP, NT, 2000 and the newest Windows 7.

How to use Password Resetter?

1) Download a copy of Password Resetter.

2) Burn the image on CD/DVD. The package comes with the detailed tutorial.

3) Once the bootable CD/DVD is ready, boot the system with this CD/DVD. Select the user account and then click on reset button.



Another cool feature?

It supports USB, which means you can crack/reset your Windows password with USB drives in case you do not have CD/DVD.  

This is not a freeware, you will need to purchase this software for around $35 for personal use.

Wednesday, November 7, 2012

BeAware of Facebook Scams

Scammers are targeting Facebook users

There is a new phishing scheme targeting Facebook users. Falsely notifying the user of a blocked account via email, the scam attempts to get victims clicking - leading them straight to a malicious website that will steal their information. 

See below for example this current social engineering attempt.



If you get an email like this, simple delete and never click anything! Optionally, before deleting you can forward the email to the Facebook security team so they can fight against such scams.

Tuesday, November 6, 2012

How To Protect From ATM Traps

Avoid Getting Ripped Off at the ATM

Crooks around the globe are using new (and improving) technology to steal your information right at the ATM - and right under your nose. With a variety of devices - from tiny surveillance cameras to look-alike keypads to card readers - these criminals are able to get at your account number, your PIN and really any other kind of details they'd like (even what you look like or the kind of car you drive).

Because these criminals are no dummies, they often target ATMs off the beaten path, in places rarely checked by the network operator or without much traffic or people around. If you must use an ATM in a desolate location, be aware of anything that looks hinky. That scratched up card reader or loose keypad may just be evidence of a planted skimming device. Abandon the machine and try to find another.


ATM Traps


Quite a few financial institutions have built mobile apps designed to help you locate ATMs. Consider downloading one (from the financial institution itself!) if you need to find ATMs in out-of-the-way locations.

Monday, November 5, 2012

No Minimum Age Limit for Identity Theft

Never Too Young to be Scammed

Young children have become increasingly at risk for identity theft. In fact, ID theft among victims age five and younger has doubled - just since 2011. According to the 2012 Child Identity Theft report from AllClear ID, children are 35 times more likely to be victims of identity theft than adults.

The impact of identity theft on a child's life can be devastating, affecting the ability to get a loan, scholarship, apartment, credit card or job. For specific ways to protect your child's identity, read the Federal Trade Commission (FTC) fact sheet, "Safeguard Your Child's Future."

It contains instructions for checking your child's credit report, placing an initial fraud alert, requesting a credit freeze, and filing a report with the FTC.

Friday, November 2, 2012

NIST Drafts Guidance on Securing Smart Phones & Tablets

3 Key Facets of Mobile Device Security

Securing mobile devices - whether employee or enterprise owned - has become vital for many organizations and government agencies as the devices increasingly take the place of PCs and laptops.

The National Institute of Standards and Technology has issued a draft of guidance that defines the fundamental security components and capabilities needed to help mitigate risks involved in using the latest generation of mobile devices.

Andrew Regenschied, one of the co-authors of Special Publication 800-164 (Draft): Guidelines on Hardware-Rooted Security in Mobile Devices, says many mobile devices lack a firm foundation from which to build security and trust. 
These guidelines are intended to help designers of next-generation mobile phones and tablets improve security through the use of highly trustworthy components, called roots of trust, that perform vital security functions.
On laptop and desktop systems, Regenschied explains, roots of trust are implemented in a tamper-proof separate security computer chip. But the power and space constraints in mobile devices have led manufacturers to pursue other approaches, such as leveraging security features built into the processors these products use. NIST says the guidelines focus on three security capabilities to address known mobile device security challenges: device integrity, isolation and protected storage.

According to NIST, a tablet or phone supporting device integrity can provide information about its configuration and operating status that can be verified by the organization whose information is being accessed. Isolation capabilities can keep personal and organization data components and processes separate. That way, NIST says, personal applications should not be able to interfere with the organization's secure operations on the device. Protected storage keeps data safe using cryptography and restricting access to information.

To achieve the security capabilities, the guidelines recommend that each mobile device implement three security components that can be employed by the device's operating system and applications:

  • Roots of trust, which combine hardware, firmware and software components to provide critical security functions with a very high degree of assurance that they will behave correctly;
  • An application programming interface that allows operating systems and applications to use the security functions provided by the roots of trust; and
  • A policy enforcement engine to enable the processing, maintenance and policy management of the mobile device. NIST is seeking comments on the draft guidance.

Those with suggestions should submit them to 800-164comments@nist.gov by Dec. 14.

Tuesday, October 30, 2012

Symantec: Internet Security Threat Report 2012

Comprehensive report from Symantec, worth reading!

Spam, phishing and malware data is captured through a variety of sources, including the Symantec Probe Network, a system of more than 5 million decoy accounts and more. Over 8 billion email messages and more than 1.4 billion web requests are processed each day across 15 data centres.

Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors, and over 50 million consumers.

Download: Symantec Internet Security Threat Report (registration may be required).

Tuesday, October 23, 2012

FBI Warns of Mobile Malware Risks

Android Devices Hit by Two New Trojans

The Federal Bureau of Investigation has issued a consumer alert warning of malware attacks against mobile devices that run the Android operating system. Trojans pose serious risks for any personal and sensitive information stored on compromised Android devices, the FBI warns.

But experts say any mobile device is potentially at risk because the real problem is malicious applications - which in an open environment are impossible to control. And anywhere malicious apps are around, so is the potential for financial fraud.

Two Trojans

The alert from the Internet Crime Complaint Center, a unit of the FBI, addresses two new Android Trojans known as Loozfon and FinFisher.

Recent attacks showed Loozfon has the ability to steal a mobile user's phone number as well as contact details. In one type of Loozfon attack, unsuspecting consumers were lured in by advertisements promoting fraudulent work-at-home opportunities.

The alert does not specify how those ads were promoted - through e-mail, SMS/text or both. But the FBI warns that links within the ads lead to websites designed to push Loozfon to users' device.

FinFisher, on the other hand, is spyware that targets Android smart phones, hijacking specific components that enable hackers to remotely control and monitor a compromised device, regardless of its location. The spyware is transmitted to a smart phone by clicking infected web links or by opening SMS messages sent directly to the mobile user, usually falsely appearing to provide links to system updates, the FBI states.

Bad Rap for Android?

The Android operating system is not the cause of the problem. It's the openness of the app marketplace that allows malware to run rampant, not the Android OS itself. This is one of the first consumer-focused, security-oriented lists for mobile I've seen. That's a good thing, but it also is a pretty definite signal that security is becoming a problem.

Until the mobile industry can figure out a way to better control or vet readily available apps, mobile malware concerns will mount. I'm not saying there should only be one store, but there does need to be some sort of reputational measure, akin to what SSL [secure socket layer] site certificates can help provide.

Saturday, October 20, 2012

Social Media: Addressing Risk

A Refresher on the Risks, Mitigation Strategies

The biggest social media concern for risk managers is the potential reputational impact to the organization. Reputational risk comes in two areas, one is from the company's own social media activities, which tend to be a little less regulated and controlled at the corporate level than other communications going through traditional public relations and advertising channels. 

The other area of reputational harm comes from public discussion about the organization via social media, whether it's true or not true. It could be a rumor. It could be a fact. But it can spread like wildfire. 

To mitigate the risks, an organization first and foremost needs to develop a social media policy. [The company] has to be able to control what's coming out of the company via social media for the official channels. In the policy, it's important to designate who can talk about the company and what they're talking about. 

Also, guidelines should be established to provide employees with reminders about how their statements can reflect on the company and to be cautious of their own activities using platforms like Facebook, Twitter and LinkedIn.

Organizations also need to monitor social media to be aware of public attitudes towards the company and what's being said. And have a plan in place to respond if there's an incident that results in a negative issue being communicated via social media.