Monday, December 31, 2012

Protecting Your Personal Info Online

Try Spokeo to find out how much your information is available online!

If you want a good litmus test for how much of your personal information is available on the Internet, try Spokeo.com. The site even compiles personal information on children. Spooky.

Thankfully, you can easily opt out of Spokeo. This won't remove all of your information from the Internet, obviously. But it will make it less simple for someone to find your information all in one place. Hayley Kaplan put together a great step-by-step process on her "What is Privacy?" blog to make it even easier.

This is one example of a great way your company or organization can contribute to the greater privacy good. If you have tips or tricks on how to opt-out of your own or another entity's data-collection processes, publish them and make them easy for your customer or client community to find and follow.

Sunday, December 30, 2012

More Privacy Changes from Facebook

Mark Zuckerberg's Sister Complains Of Facebook Privacy Breach

In November, Facebook made changes, including several improvements, to its privacy policies. At the same time, those changes allowed everyone who has a Facebook account to become searchable. Whereas users were once able to block certain people from finding them on the social network, that functionality has now been removed.

This has implications for victims of stalkers, violent ex's, or really anyone others are trying to track down. By finding a person in a search, there are ways to then get more information about them through unsecured or unblocked information posted on their Facebook friends' timelines.

The recent changes had some unintended consequences that ultimately resulted in a private photo of no-other-than Mark Zuckerberg going viral.

This is a good example of how you should expect ANYTHING you post online could be seen by the world, even if you think you have privacy settings set correctly.

You can still block certain users from seeing some of your content. However, you will be findable as a Facebook user. Be aware of this, particularly if you have certain people interested in locating you, learning of your connections, your whereabouts or your appearance.

Friday, December 28, 2012

Careful with your Instagrams

Did Instagram ever find itself in hot water just before the holidays!

When the popular photo sharing social network updated its policies on sharing users' images, the backlash was immediate

For any Tips readers using Instagram (which is now owned by Facebook), please be aware of the upcoming changes, taking effect January 16.

You will not be able to opt-out. Be sure to read the new Terms of Use; if you don't like them, you may want to delete all your Instagram accounts and content before Jan 16.

In response to the severe negative reaction, Instagram has apologized, saying the misunderstanding is due to what it calls "confusing" language in the Terms of Use statement.

They have promised to revise it and said "it is not our intention to sell your photos." Yet it remains unclear exactly how much access will be given to user content... and to whom.

Stay tuned, as I will be watching the new Terms of Use language closely and will plan to report on it here in the Tips message.

Wednesday, December 19, 2012

What Is Future of Information Security?

Hackers will and always be ahead of us!

It has become extremely hard for fraudster to make money from stealing credit cards, internet banking details, personal information etc due to increase in security measures by majority of the banks.

Now they are hacking, encrypting data and requesting for ransom money before they release the data. They're doing their calculations right, they are requesting the ransom amount which is way less to what it would cost company to recover/decrypt. The senior management finding this approach much easier to recover.

THIS IS THE FUTURE OF INFORMATION SECURITY!

I have been saying this for ages that bad guys will and always be ahead of us. They motive is to make money, for years and years financial crime was the easiest way for them to make money. Due to increase security technologies deployed by banks such as two-factor authentications, chip readers, proactive fraud detections systems etc, it is extremely difficult for fraudsters to make money.

The wider phenomenon of data ransoming is overwhelmingly that of Trojans infecting individual PCs in order to encrypt consumers’ private data, but the latest Australian attack could be an example of a separate trend to target and attack specific types of business.

I believe we will continue to loose the battle with the bad guys because we are not proactive in information security. We always wait for bad guys to setup a trend so we can follow :)

We will take few years to protect their latest tactics and by that time they will already come up with a new way to make money. 

Here are my suggestions:

  • We have to change our strategy, we need to be more proactive!
  • We need to consider security in each and everything!
  • We need to ensure disaster recovery and business continuity is considered in every business!
  • We should stop relying on technologies!
  • We need to understand process and people are more important then technology
  • We need to find innovative ways of protecting our data tailored to business needs


Monday, December 17, 2012

Hackers Encrypt Medical Centre's Entire Database

Attackers demand $4,000 (AUD) to release data

An Australian medical centre is reported to be considering paying a ransom demand of $4,000 AUD after blackmailers broke into the organisation’s servers and encrypted its entire patient database.

According to ABC News, Miami Family Medical Centre on the country’s Gold Coast had called in a third-party contractor to try and restore the data from backups but it remained unclear whether this would prove sufficient to return the database to its previous state. 

"We're trying to work out how to pay the hackers or find someone to decrypt the information," said centre co-owner David Wood. The centre was continuing to receive patients but Wood admitted this was proving "very, very, very difficult" without patient records.

"What medication you're on can be retrieved from the pharmacists [and] pathology results can be gotten back from pathology," he told ABC News.
According to Wood, the attackers had accessed the database directly rather than using a remote Trojan. 

We've got all the antivirus stuff in place - there's no sign of a virus. They literally got in, hijacked the server and then ran their encryption software," he said. "It's people who know how to break in past firewalls and hack passwords to get onto the server." No data had been compromised, Wood claimed.

The attack is not the first to affect medical centres in the country. Barely three months ago, dozens of business were reportedly hit by ransom malware and hijacking, including at least one other small medical businesses.

Not coincidentally, earlier this month US backup firm NovaStor reported an suspiciously similar attack on an unnamed US medical practice around Halloween that encrypted critical data including x-rays.

The business was able to beat the blackmailers thanks to NovaStor’s backup system which is probably the only reason the world got to hear about this near-disaster. That is the obvious Achilles heel of ransom industry – cloud or offline backup.

Any business or individual mirror data to a separate system that can’t itself be hacked should be able to defend itself against ransom attacks. The wider phenomenon of data ransoming is overwhelmingly that of Trojans infecting individual PCs in order to encrypt consumers’ private data, but the latest Australian attack could be an example of a separate trend to target and attack specific types of business.

The criminals appear to favour targeting smaller businesses likely to be heavy with valuable data but lack the resources to back it up as comprehensively as might a larger organisation. The culprits for the Miami Family Medical Centre are believed to be Russian, which fits with Trend Micro report from 2012 that suggested the core of the ransom industry could be a single gang.

A Symantec report analysed the boom in such attacks during the last year, suggesting that in the consumer space as many as three percent of victims probably paid up. That statistic was making the tactic hugely profitable, the company said.

Friday, December 14, 2012

NIST Glossary of Infosec Terms

Looking for a gift for your boss who doesn't quite understand information security lingo?

The National Institute of Standards and Technology has one you can give, and it's free. NIST has issued a draft of Interagency Report 7298 Revision 2: NIST Glossary of Key Information Security Terms.

As we are continuously refreshing our publication suite, terms included in the glossary come from our more recent publications. The NIST publications referenced are the most recent versions of those publications. It is our intention to keep the glossary current by providing updates online.

New definitions will be added to the glossary as required, and updated versions will be posted on the Computer Security Resource Center website.

The glossary includes most of the terms found in NIST publications. It also contains nearly all of the terms and definitions from CNSSI-4009, an information assurance glossary issued by the Defense Department's Committee on National Security Systems, a forum that helps set the US federal government's information assurance policy.

NIST is seeking comments and suggestions on the revised glossary, and they should be sent by Jan. 15 to secglossary@nist.gov.

Monday, December 10, 2012

What Security Issues Are Associated With Mobile Devices and App Development?

5 Mobile Security Trends and Actions to Consider

Governments are aggressively going mobile with new devices, app development projects and system integration efforts. Whether buying proven off-the-shelf products or developing mission-critical apps from scratch, there’s little doubt that the future interface for delivering customer service will be tablets and smartphones.

Estimates suggest that at least 50 percent of users will access the Web via mobile devices by the end of 2013. Meanwhile, many governments that implemented cloud-first policies over the past few years are developing new “mobile-first” edicts to match.

Indeed, tech experts described customer data landscape to business leaders with a triangular diagram containing three interacting puzzle pieces: cloud computing, mobile devices and security.

Some of these new apps are being acquired for public-sector workers to use on government-owned devices to improve efficiency. Other apps are citizen-centric, and they must be usable on the many new devices and operating systems now available and those coming soon.

So what security issues are associated with mobile devices and app development? Here are five mobile security trends and some actions to consider as you become more mobile:

More Mobile Data Than Ever

For years, sensitive enterprise data has leaked via USB drives and lost or stolen laptops, but the number of smartphones, tablets and other mobile devices has exploded.

Actions: Establish policies that encrypt mobile data on devices or keep all sensitive data off mobile devices. If accessing sensitive information is required, consider data loss prevention products and keeping all personally identifiable information on protected enterprise servers and off the endpoint devices.

More Mobile Malware

The bad guys are following the crowds, who are buying smartphones and tablets with more power than PCs of a decade ago. The DroidDream and Gemini malware attacks were launched in early 2012, and some call this the “Year of Mobile Malware.” Mobile botnets are also growing.

Actions: Mobile device management services can protect devices by locking down permissions and offering anti-malware software and tools. Training end users is also essential via formal awareness programs that explain how to think before clicking.

Growing Use of BYOD to Work

Some security experts see the BYOD trend as “bring your own disaster.” Nevertheless, one top industry expert predicted that 80 percent of global enterprises will adopt this approach by 2016.

Actions: Meet with business customers about mobile device preferences. Consider piloting BYOD in areas with nonsensitive data. Develop policies for the use of personal devices under different scenarios, even if some business areas opt out.

Authentication Complexity Growing

Despite the push for single sign-on, many enterprises still struggle with more credentials for more apps and devices. Users are tiring of more complex passwords, and the use of biometrics is growing.

Actions: Streamline credentials with federated identity management across government systems, mobile apps and legacy programs. Consider using federal health IT dollars as anchor tenants. Apply government policies to personal devices, if they store business data — after getting employee buy-in.

Mobile Platform Support Is Complex

Whether you’re writing apps for Apple’s iOS, Google’s Android, BlackBerry’s BES or Microsoft’s Windows 8, secure coding is hard work. One technology CEO said, “You’d be hard pressed to find application developers who actively try to mitigate against cross-site scripting attacks, SQL injection attacks and cross-site request forgery attacks.”

Actions: HTML5 is growing as an industry standard across mobile platforms — consider adopting it. Train staff in secure coding. And before deploying a code, test it for holes.

Final Thoughts

Government executives must consider having vendor partners manage specific services or assist with mobile activities. IT consumerization makes this a difficult area to keep up with. 

Please refer to National Institute of Standards and Technology issued draft guidance on mobile security for further details.

Sunday, December 9, 2012

Why Information Sharing is Key to Security?

In order to fight an attack, you have to know the attacker

Booz Allen Hamilton issued a list of the top 10 cyberthreat trends for financial services in 2013. Among the top trends: 

  • Information sharing will be more critical, as legislation could push industry standards to improve threat intelligence information sharing.
  • Vendor and third-party risks will pose security challenges for financial institutions of all sizes.
  • Boards of directors must create and embrace a culture that encourages information sharing across the industry.
  • Hacktivists and extremist groups will increasingly target institutions to disrupt services and destruct data.
  • Cyber-benchmarking will be used to show how banks stack up, from a security standpoint, to their competition.

The remaining five trends highlight the need for stronger identity and access controls, more focus on risk-protection processes and people, the need for predictive threat intelligence, and why reliance on the cloud and mobile is critical.

Underlying those 10 trends is the need for banking institutions to understand who's behind attacks waged against them, says Bill Wansley, a financial fraud and risk consultant for Booz Allen Hamilton.

Wansley's three-pronged approach to fighting cyberthreats:
Identify the attackers' capabilities, know their intent and appreciate the opportunities they have to do harm.
A distributed-denial-of-service attack, for instance, may not cause long-term damage to your infrastructure or compromise consumer privacy, but it definitely can do some damage to your reputation, depending on the intent of the attack and the actors behind it.

Hacktivists attack to damage reputation; criminals attack to commit fraud. Until you understand the actors, you can't adequately prepare for the threat. That's Wansley's key point, and it makes perfect sense. But I believe that the most critical step is information sharing.

The more we share about attacks - vulnerabilities and vectors - the more we will learn about how the attacks are waged, what they're after and who's behind them. Besides, that need for more information sharing supports, we need to understand the actors without that we can't adequately prepare for the threat.

Refer here to download the report.

Friday, December 7, 2012

10 Key Considerations for Mobile Security

Simple steps to consider for Enterprise Mobile Security

With the expansion of mobile device usage in enterprises as a communication method for corporate and personal information, mobile devices have become an additional source of risk to the enterprise.

To assist the business in managing the risk, several security controls should be considered when deploying mobile devices. They include, but are not limited to:  

1) Strong authentication

2) Data loss prevention (DLP) and data protection controls: Data protection controls include data-at-rest encryption and secure-channel communication.

3) Life-cycle management for enterprise apps: This refers to the ability to inventory, report and control apps on a mobile device, which includes provisioning, updating and deleting enterprise apps.

4) Malware protection

5) Device compliance and antitheft methods: This refers to the ability to perform compliance inspections on the device according to corporate policy and implement loss/antitheft capabilities.

6) Privacy controls: Privacy controls include restricting available device information and real-time auditing of apps to assist with data leakage events.

7) SMS archiving

8) Selective wipe capabilities: Selective wipe refers to the ability to remove specific apps/files from the device without affecting an employee’s personal data and environment (i.e., bring your own device).

9) URL filtering 

Over-the-air (OTA) device management: OTA is a requirement for mobile management and includes device life-cycle management (i.e., discovery, registration, update, deletion, decommissioning).

Wednesday, December 5, 2012

NIST Issues Credential Revocation Guide

Revocation Model for Federated Identities

Organizations can't easily revoke authentication credentials when they employ more than one identify provider. With multiple identity providers and unique requirements for organizations to federate them, no one approach exists to manage them.

To address this dilemma, the National Institute of Standards and Technology has issued NIST Interagency Report 7817: A Credential Reliability and Revocation Model for Federated Identities.

IR 7817 describes and classifies different types of identity providers serving federations. For each classification, the document identifies perceived improvements when the credentials are used in authentication services and recommends countermeasures to eliminate some identified gaps.

With the countermeasures as the basis, the document suggests a Universal Credential Reliability and Revocation Services model that strives to improve authentication services for federations.

Here's how NIST explains the challenge:

Identity providers establish and manage their user community's digital identities. Users employ these identities, in the form of digital credentials, to authenticate service providers. The digital identity technology deployed by an identity provider for its users varies and often dictates a specific authentication solution in order for the service provider to authenticate the user.

A federated community accommodates two or more identity providers along with the specific authentication solution. With the diverse set of identity providers and the unique business requirements for organizations to federate, there is no uniform approach in the federation process. Similarly, there is no uniform method to revoke credentials or their associated attributes.

In the absence of a uniform method, IR 7817 investigates credential and attribute revocation with a particular focus on identifying missing requirements for revocation. As a by-product of the analysis and recommendations, the report suggests a model for credential reliability and revocation services that serves to address some of the missing requirements.