Wednesday, January 30, 2013

ENISA Identifies Top Cyberthreats

What are the emerging threats and vulnerabilities, and how should organizations globally respond to them?

ENISA, the European Union cyber-agency, is out with its first-ever Threat Landscape report.

Drive-by exploits, worms/Trojans and code-injection attacks are the three top cyberthreats to organizations, according to the new Threat Landscape report published by the European Network and Information Security Agency.

The ENISA Threat Landscape provides an overview of threats, together with current and emerging trends. One of the key objectives of this report is to give the information security community a comprehensive look at risks.

It is based on publicly available data and provides an independent view on observed threats, threat agents and threat trends. Over 140 recent reports from security industry, networks of excellence, standardisation bodies and other independent institutes have been analysed. 

Among the top 10 threats identified by the report:

  • Drive-by exploits (malicious code injected into web pages to exploit web browser vulnerabilities);
  • Worms/Trojans;
  • Code injection attacks;
  • Exploit kits (pre-packaged software to automate cybercrime);
  • Botnets (hijacked computers used in attacks such as DDoS).

Among technology trends, mobile gets the most attention because that's the platform where users, data and adversaries increasingly converge.

Please refer here to download the report.

Monday, January 28, 2013

US FFIEC: Proposed Guidance on Social Media

Regulators Address Emerging Social Media Risks to Banking Institutions

The US Federal Financial Institutions Examination Council has issued proposed risk management guidance for the use of social media.

"Social Media: Consumer Compliance Risk Management Guidance," was posted on the Federal Register Jan. 23. It provides an overview of the impact social media sites have on compliance with consumer protection and other applicable laws, especially when interactions between institutions and consumers take place on social media sites such as Facebook and Twitter.

Employees could be using social media from different devices or from home at night. If their accounts are taken over, then a criminal could be posting on that site, giving advice to steer customers to do something they shouldn't, or posting a link that leads them to a malicious site.

There certainly are a lot of risks banks need to think about when they start to use social media. The proposed guidance is really about risk assessment. It is intended to help financial institutions understand the potential consumer compliance, legal, reputation and operational risks associated with the use of social media, along with the regulators' expectations for managing those risks.

Although the guidance does not impose additional obligations on financial institutions, the FFIEC expects financial institutions to take steps to manage potential risks associated with social media, as they would with any new process or product channel.

The FFIEC will accept comments on the proposed guidance through March 25. It will publish a final version once it reviews comments received.

Saturday, January 26, 2013

Documentary: A Gift for the Hackers

Privacy is becoming antiquated

Increasingly, devices like printers and scanners are being connected directly to the Internet. It's all very convenient, but is it safe?

Your mobile, your printer, your hard drive, everything is connected… but it’s like a Swiss cheese. Medical files, financial information, and trade secrets, they’re all there for the taking. It’s shocking, it should not be allowed. It’s a design flaw.

Is this vulnerability in tens of thousands of devices compromising your security and your privacy? Computer security has become a big concern for companies and individuals.

As a result it has also become a big business. The world's number one producer of computers and printers, Hewlett-Packard (HP), has an annual turnover of 127 billion dollars.

Wednesday, January 23, 2013

Security audit finds Developer OUTSOURCED his JOB to China

Pro-active Log Review Might Be A Good Idea

A security audit of a US critical infrastructure company last year revealed that its star developer had outsourced his own job to a Chinese subcontractor and was spending all his work time playing around on the internet.

The firm's telecommunications supplier Verizon was called in after the company set up a basic VPN system with two-factor authentication so staff could work at home. The VPN traffic logs showed a regular series of logins to the company's main server from Shenyang, China, using the credentials of the firm's top programmer, "Bob".

"The company's IT personnel were sure that the issue had to do with some kind of zero day malware that was able to initiate VPN connections from Bob's desktop workstation via external proxy and then route that VPN traffic to China, only to be routed back to their concentrator," said Verizon. "Yes, it is a bit of a convoluted theory, and like most convoluted theories, an incorrect one."

After getting permission to study Bob's computer habits, Verizon investigators found that he had hired a software consultancy in Shenyang to do his programming work for him, and had FedExed them his two-factor authentication token so they could log into his account. He was paying them a fifth of his six-figure salary to do the work and spent the rest of his time on other activities.
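The check that Verizon's log review amounted to, as an added example that is not part of the Register story or Verizon's own tooling: correlate each VPN session's source country with the same user's on-site workstation logons and flag the combinations that cannot both be true. The log formats, the GeoIP prefix table and the home-country setting are assumptions, and every log line below is constructed.

```python
"""Correlate VPN sessions with on-site workstation logons for the same user.

Added example; not Verizon's tooling or anything from the Register story. The
log lines are constructed, and the GeoIP table is a hypothetical stand-in for
a real geolocation lookup. A VPN session from outside the home country that
overlaps an interactive logon at the user's office workstation is the pattern
that would have exposed "Bob" on day one.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

HOME_COUNTRY = "US"

# Hypothetical GeoIP lookup keyed by address prefix (documentation ranges only).
GEO = {"203.0.113.": "CN", "198.51.100.": "US", "192.0.2.": "US"}

# Constructed VPN concentrator log: timestamp user source-ip event
VPN_LOG = """\
2012-05-14T09:02:11 bob 203.0.113.45 session-start
2012-05-14T17:58:40 bob 203.0.113.45 session-end
2012-05-14T20:15:02 alice 198.51.100.7 session-start
2012-05-14T23:01:55 alice 198.51.100.7 session-end
2012-05-15T09:05:33 bob 203.0.113.45 session-start
2012-05-15T18:03:10 bob 203.0.113.45 session-end
"""

# Constructed workstation logon/logoff records: timestamp user host event
WORKSTATION_LOG = """\
2012-05-14T08:57:30 bob WKS-BOB logon
2012-05-14T17:02:00 bob WKS-BOB logoff
2012-05-15T09:01:12 bob WKS-BOB logon
2012-05-15T17:00:44 bob WKS-BOB logoff
"""


@dataclass(frozen=True)
class Interval:
    user: str
    start: datetime
    end: datetime
    where: str  # country code for VPN sessions, hostname for workstation logons


def country_of(ip: str) -> str:
    """Resolve an IP to a country via the hypothetical prefix table."""
    for prefix, cc in GEO.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def pair_events(lines: str, start_kw: str, end_kw: str, label) -> list:
    """Pair start/end events per (user, object) into closed intervals.

    A start with no matching end is kept open (end = datetime.max) so that a
    session still running at analysis time is not silently dropped.
    """
    open_sessions, intervals = {}, []
    for line in lines.splitlines():
        ts, user, obj, event = line.split()
        when, key = datetime.fromisoformat(ts), (user, obj)
        if event == start_kw:
            open_sessions[key] = when
        elif event == end_kw and key in open_sessions:
            intervals.append(Interval(user, open_sessions.pop(key), when, label(obj)))
    for (user, obj), start in open_sessions.items():
        intervals.append(Interval(user, start, datetime.max, label(obj)))
    return intervals


def overlaps(a: Interval, b: Interval) -> bool:
    return a.start < b.end and b.start < a.end


def find_impossible_sessions(vpn_log: str, wks_log: str, home: str = HOME_COUNTRY) -> list:
    """Return (user, vpn_country, date, workstation) for every foreign VPN
    session that overlaps an interactive logon at the same user's workstation."""
    vpn = pair_events(vpn_log, "session-start", "session-end", country_of)
    wks = pair_events(wks_log, "logon", "logoff", lambda host: host)
    findings = []
    for v in vpn:
        if v.where == home:
            continue  # remote work from the home country is expected
        for w in wks:
            if w.user == v.user and overlaps(v, w):
                findings.append((v.user, v.where, v.start.date().isoformat(), w.where))
    return sorted(findings)


def foreign_session_counts(vpn_log: str, home: str = HOME_COUNTRY) -> Counter:
    """Count VPN sessions per (user, country) outside the home country; a steady
    weekday series from one foreign city is the pattern the story describes."""
    return Counter((v.user, v.where)
                   for v in pair_events(vpn_log, "session-start", "session-end", country_of)
                   if v.where != home)


if __name__ == "__main__":
    for user, cc, day, host in find_impossible_sessions(VPN_LOG, WORKSTATION_LOG):
        print(f"{day}: {user} on VPN from {cc} while logged on at {host}")
    print(dict(foreign_session_counts(VPN_LOG)))
```

The overlap test is deliberately the weak one (any shared minute counts); a real deployment would also want a travel-time check between consecutive logins and a badge-reader feed, but the point stands that the concentrator log alone was enough here.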

The analysis of his workstation found hundreds of PDF invoices from the Chinese contractors and determined that Bob's typical work day consisted of: 

9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos 

11:30 a.m. – Take lunch

1:00 p.m. – Ebay time

2:00-ish p.m – Facebook updates, LinkedIn 

4:30 p.m. – End-of-day update e-mail to management 

5:00 p.m. – Go home

The scheme worked very well for Bob. In his performance assessments by the firm's human resources department, he was the firm's top coder for many quarters and was considered expert in C, C++, Perl, Java, Ruby, PHP, and Python.

Further investigation found that the enterprising Bob had actually taken jobs with other firms and had outsourced that work too, netting him hundreds of thousands of dollars in profit as well as lots of time to hang around on internet message boards and check for a new Detective Mittens video.

Bob is no longer employed by the firm.

Source: The Register

Refer here to read further details.

Thursday, January 10, 2013

The dangers of USB drives

What makes USB drives so great at carrying malware?

Stuxnet, which was discovered in June 2010 and has since spread to millions of machines around the world, is the most sophisticated computer attack we've ever seen.

Though its true purpose is unknown (teams of experts across the globe are poring through the code in an effort to divine its intentions), the deviousness of its design has prompted many researchers to call it a "cyber-weapon," one perhaps created by the United States or Israel to disrupt Iran's nuclear program.

What's most interesting about Stuxnet isn't how smart its authors were; it's how dumb they guessed we all would be. How did the worm's creators expect to get it inside some of the most secure installations in the world? After all, sensitive machines often operate behind an "air gap": their networks are physically separated from the Internet and other dangerous networks where viruses can roam freely.

Getting anything inside one of these zones requires the complicity of an employee. That's exactly what Stuxnet got, because its authors designed the worm to piggyback on the perfect delivery system—the ubiquitous, innocent-looking USB flash drive, the planet's most efficient vector of viruses, worms, and other malware.

What makes USB drives so great at carrying malware?

They're the mosquitoes of the digital world: small, portable, and everywhere, so common as to be nearly invisible.

Funny story: At a conference in Australia last year, IBM handed out thumb drives that turned out to be infected by malware. It was a computer-security conference.

We know we shouldn't click on e-mail attachments from strangers, and we know we should be wary of typing our passwords into shady sites online. But the USB disk has somehow evaded our suspicion; few of us look at them and recoil at the dangers that could be lying within.

Indeed, USB sticks evoke exactly the opposite emotion—if you saw a stray one on the street or lying around your office, wouldn't you pick it up and put it in your computer to try to identify the rightful owner? If a company wants to ratchet up security, it's not as simple as banning all thumb drives.

To be extra careful, you'd have to ban iPods, cameras, and every other USB-based doohickey—all of those devices are capable of carrying Stuxnet-like viruses, too.

The only hope is education: Don't trade USB sticks, don't stick an unknown one into your machine, and don't pick one up off the street and plug it in your machine just to see what's inside.
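One way to act on this without trying to ban every USB product by name, as an added example that is not from the article above: watch the kernel log for devices that bind the mass-storage driver, whatever they call themselves, and flag any whose vendor/product/serial is not on an issued-device allowlist. The syslog lines are constructed in the Linux kernel's usb/usb-storage message format, and the allowlist and device identifiers are hypothetical.

```python
"""Flag USB mass-storage attachments in a Linux kernel log against an allowlist.

Added example, not from the article quoted above. The syslog lines are
constructed (in the kernel's real 'usb' / 'usb-storage' message format); the
allowlist and the vendor/product IDs are hypothetical. The check keys on the
storage interface binding rather than the product string, so a camera or
music player that presents a disk is caught the same way as a thumb drive,
while a keyboard on the same hub is not.
"""
import re
from dataclasses import dataclass

# Hypothetical allowlist of (idVendor, idProduct, serial) for issued drives.
ALLOWED_STORAGE = {("1234", "5678", "ISSUED-000123")}

# Constructed kernel log for one workstation over a day.
KERNEL_LOG = """\
May 14 09:12:01 wks kernel: usb 1-1.2: new high-speed USB device number 5 using xhci_hcd
May 14 09:12:01 wks kernel: usb 1-1.2: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
May 14 09:12:01 wks kernel: usb 1-1.2: Product: USB Flash Drive
May 14 09:12:01 wks kernel: usb 1-1.2: SerialNumber: ISSUED-000123
May 14 09:12:01 wks kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
May 14 10:40:17 wks kernel: usb 1-1.3: New USB device found, idVendor=abcd, idProduct=0001, bcdDevice=64.00
May 14 10:40:17 wks kernel: usb 1-1.3: Product: USB Keyboard
May 14 13:05:44 wks kernel: usb 1-1.4: New USB device found, idVendor=aaaa, idProduct=0002, bcdDevice= 1.00
May 14 13:05:44 wks kernel: usb 1-1.4: Product: Digital Camera
May 14 13:05:44 wks kernel: usb 1-1.4: SerialNumber: 000012345678
May 14 13:05:44 wks kernel: usb-storage 1-1.4:1.0: USB Mass Storage device detected
May 14 15:22:09 wks kernel: usb 1-1.2: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
May 14 15:22:09 wks kernel: usb 1-1.2: Product: USB Flash Drive
May 14 15:22:09 wks kernel: usb 1-1.2: SerialNumber: NOT-ISSUED-777
May 14 15:22:09 wks kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
"""

NEW_DEV = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
PRODUCT = re.compile(r"usb (\S+): Product: (.+)$")
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")
STORAGE = re.compile(r"usb-storage (\S+):\d+\.\d+: USB Mass Storage device detected")


@dataclass
class UsbDevice:
    port: str
    vendor: str
    product_id: str
    when: str
    product: str = "?"
    serial: str = ""
    storage: bool = False


def parse_usb_events(log: str) -> list:
    """Rebuild one record per device enumeration from the interleaved lines.

    The port (e.g. 1-1.2) ties the follow-up Product/SerialNumber/usb-storage
    lines back to the enumeration they belong to; a new enumeration on the
    same port starts a fresh record.
    """
    by_port, devices = {}, []
    for line in log.splitlines():
        when = line[:15]  # syslog timestamp prefix
        if m := NEW_DEV.search(line):
            dev = UsbDevice(m[1], m[2], m[3], when)
            by_port[m[1]] = dev
            devices.append(dev)
        elif (m := PRODUCT.search(line)) and m[1] in by_port:
            by_port[m[1]].product = m[2]
        elif (m := SERIAL.search(line)) and m[1] in by_port:
            by_port[m[1]].serial = m[2]
        elif (m := STORAGE.search(line)) and m[1] in by_port:
            by_port[m[1]].storage = True
    return devices


def unapproved_storage(log: str, allow=ALLOWED_STORAGE) -> list:
    """Return (time, port, vendor:product, product name, serial) for every
    device that bound usb-storage and is not on the allowlist."""
    return [(d.when, d.port, f"{d.vendor}:{d.product_id}", d.product, d.serial)
            for d in parse_usb_events(log)
            if d.storage and (d.vendor, d.product_id, d.serial) not in allow]


if __name__ == "__main__":
    for when, port, ids, name, serial in unapproved_storage(KERNEL_LOG):
        print(f"{when} {port}: unapproved storage {ids} '{name}' serial={serial}")
```

Matching on serial as well as vendor/product matters: the second flash drive is the same model as the issued one and would pass a product-only allowlist. Logging after the fact is the detective half; the preventive half is a udev rule or endpoint policy that refuses to bind the driver for devices off the list.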

But I don't know if we're ever going to win that battle. It's human nature. If I were a normal person and I didn't work in this bubble of security? If I found a USB drive, the first thing I would want to do is plug it in, too.

Saturday, January 5, 2013

Term Of The Month: "Geotagging"

Commonly used in social media applications such as Twitter and Facebook.

Geotagging, in general, means geographical identification has been added to media you have created, such as geotagged photographs, videos, websites, SMS messages, QR codes or RSS feeds, to name a few.

Look at a recent Facebook post you made. Was your location included with it?

That is one type of geotagging.

Simply by posting a photo of a meal you have just been served or the great trick your kid performed on the playground, you are potentially broadcasting your whereabouts.

This can be very dangerous if you think someone is stalking you, so consider disabling your smartphone's and/or mobile device's GPS embedding feature.
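What a geotagged photograph actually carries, as an added example that is not from the original post: the code below builds a minimal EXIF (TIFF) block with a GPS sub-IFD the way a camera writes one and parses the coordinates back out, which is all a social network, or anyone who downloads the file, needs to do. The coordinates are constructed; in a JPEG the same bytes sit inside the APP1 segment after the "Exif\0\0" marker.

```python
"""Read the GPS coordinates a camera embeds in an EXIF (TIFF) block.

Added example, not from the original post. It constructs a minimal EXIF/TIFF
blob (IFD0 -> GPSInfo sub-IFD holding GPSLatitudeRef, GPSLatitude,
GPSLongitudeRef and GPSLongitude) and parses it back into signed decimal
degrees. The sample coordinates are constructed. In a JPEG the same bytes sit
inside the APP1 segment after the "Exif\0\0" marker.
"""
import struct

TAG_GPSINFO = 0x8825            # IFD0 entry pointing at the GPS sub-IFD
TAG_LAT_REF, TAG_LAT = 0x0001, 0x0002
TAG_LON_REF, TAG_LON = 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def build_exif_with_gps(lat_dms, lat_ref, lon_dms, lon_ref) -> bytes:
    """Little-endian TIFF: header, IFD0 (one entry), GPS IFD (four entries), data.

    lat_dms / lon_dms are three (numerator, denominator) rationals for degrees,
    minutes and seconds, which is how EXIF stores them.
    """
    header = b"II" + struct.pack("<HI", 42, 8)
    gps_off = 8 + 2 + 12 + 4                 # IFD0 occupies 18 bytes
    data_off = gps_off + 2 + 4 * 12 + 4      # GPS IFD occupies 54 bytes
    ifd0 = (struct.pack("<H", 1)
            + struct.pack("<HHII", TAG_GPSINFO, TYPE_LONG, 1, gps_off)
            + struct.pack("<I", 0))

    def ascii_entry(tag, text):
        # Values of 4 bytes or fewer are stored inline in the entry's value field.
        return struct.pack("<HHI4s", tag, TYPE_ASCII, 2, (text.encode() + b"\0").ljust(4, b"\0"))

    gps = (struct.pack("<H", 4)
           + ascii_entry(TAG_LAT_REF, lat_ref)
           + struct.pack("<HHII", TAG_LAT, TYPE_RATIONAL, 3, data_off)
           + ascii_entry(TAG_LON_REF, lon_ref)
           + struct.pack("<HHII", TAG_LON, TYPE_RATIONAL, 3, data_off + 24)
           + struct.pack("<I", 0))
    data = b"".join(struct.pack("<II", n, d) for n, d in lat_dms + lon_dms)
    return header + ifd0 + gps + data


def _read_ifd(buf: bytes, off: int, e: str) -> dict:
    """Return {tag: (type, count, value_or_offset, offset_of_value_field)}."""
    (n,) = struct.unpack_from(e + "H", buf, off)
    entries = {}
    for i in range(n):
        pos = off + 2 + 12 * i
        tag, typ, count, val = struct.unpack_from(e + "HHII", buf, pos)
        entries[tag] = (typ, count, val, pos + 8)
    return entries


def _ascii(buf: bytes, entry) -> str:
    typ, count, val, inline = entry
    start = inline if count <= 4 else val    # short strings live inside the entry
    return buf[start:start + count].rstrip(b"\0").decode("ascii")


def _dms(buf: bytes, e: str, entry) -> float:
    typ, count, val, _ = entry               # rationals are 8 bytes, never inline
    deg, minutes, seconds = [n / d for n, d in struct.iter_unpack(e + "II", buf[val:val + 8 * count])]
    return deg + minutes / 60 + seconds / 3600


def extract_gps(exif: bytes):
    """Return (lat, lon) in signed decimal degrees, or None if there is no GPS IFD."""
    if exif[:2] == b"II":
        e = "<"
    elif exif[:2] == b"MM":
        e = ">"
    else:
        raise ValueError("not a TIFF header")
    magic, ifd0_off = struct.unpack_from(e + "HI", exif, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    ifd0 = _read_ifd(exif, ifd0_off, e)
    if TAG_GPSINFO not in ifd0:
        return None
    gps = _read_ifd(exif, ifd0[TAG_GPSINFO][2], e)
    lat = _dms(exif, e, gps[TAG_LAT]) * (-1 if _ascii(exif, gps[TAG_LAT_REF]) == "S" else 1)
    lon = _dms(exif, e, gps[TAG_LON]) * (-1 if _ascii(exif, gps[TAG_LON_REF]) == "W" else 1)
    return round(lat, 6), round(lon, 6)


# Constructed sample: 48 deg 51' 29.60" N, 2 deg 17' 40.20" E
SAMPLE = build_exif_with_gps([(48, 1), (51, 1), (2960, 100)], "N",
                             [(2, 1), (17, 1), (4020, 100)], "E")

if __name__ == "__main__":
    print(extract_gps(SAMPLE))
```

Seconds are stored to a hundredth, so the embedded position is good to roughly a third of a metre; that is the precision of "where you were standing" that a photo posted straight from the phone gives away unless the camera app's location tagging is off or the tags are stripped before upload.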

Thursday, January 3, 2013

How to Catch a Phish?

Helpful hint on spotting a phishing-scam email before it's too late!

The "From" field in the message header is the quickest first check.

Most malicious e-mails claim to come from a legitimate company, but the address in the "From" field does not match the one in the signature, and often the Reply-To address or the domains of the embedded links do not match it either. If you are unsure of the sender's legitimacy, free tools on the Internet can verify an e-mail address quickly.

Be aware, however, that the "From" header is set by the sender and can be forged outright, and some phishing artists are very adept at masking their identities, so a "From" address that looks right is not proof of anything on its own.
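The mismatch checks described above, as an added example that is not part of the original post: the script parses a constructed phishing message and compares the "From" domain with the Reply-To and Return-Path domains, with the hosts of the links in the body, and with the address in the signature. Both sample messages and all domain names are constructed.

```python
"""Check an e-mail's From header against the signals phishers forget to align.

Added example, not from the original post. Both messages are constructed.
The 'From' address alone is trivially forged, so the check also compares it
with Reply-To and Return-Path, with the hosts of links in the body, and with
any address written into the signature: a display name that names one
company while the addresses and links point elsewhere is the mismatch the
post describes.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

SAMPLE_MAIL = """\
Return-Path: <bounce@mail.examplebank-secure.example>
From: "Example Bank Security" <alerts@examplebank-secure.example>
Reply-To: support@examplebank-verify.example
To: customer@example.org
Subject: Urgent: verify your account
Content-Type: text/plain; charset=utf-8

Dear customer,

Your account has been limited. Please confirm your details at
http://examplebank.com.verify-login.example/secure

Regards,
Example Bank Customer Care
support@examplebank.com
"""

CLEAN_MAIL = """\
Return-Path: <bounce@examplebank.com>
From: "Example Bank" <alerts@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/plain; charset=utf-8

Your statement is available at https://www.examplebank.com/alerts

Example Bank Customer Care
support@examplebank.com
"""

URL_RE = re.compile(r"https?://([^\s/]+)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def registered_domain(host: str) -> str:
    """Last-two-labels approximation (no public-suffix list); enough to tell
    examplebank.com from examplebank.com.verify-login.example."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def domain_of_address(addr: str) -> str:
    """Registered domain of the address part of a From/Reply-To style header."""
    _, email_addr = parseaddr(str(addr))
    return registered_domain(email_addr.rsplit("@", 1)[-1]) if "@" in email_addr else ""


def phishing_indicators(raw: str) -> list:
    """Return (kind, detail) tuples for every mismatch against the From domain.

    kinds: 'reply-to', 'return-path', 'link', 'signature'. An empty list means
    the headers, links and signature all agree, not that the mail is safe.
    """
    msg = message_from_string(raw, policy=policy.default)
    from_dom = domain_of_address(msg.get("From", ""))
    findings = []
    for hdr in ("Reply-To", "Return-Path"):
        val = msg.get(hdr)
        if val is not None:
            dom = domain_of_address(val)
            if dom != from_dom:
                findings.append((hdr.lower(), dom))
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    for host in URL_RE.findall(body):
        if registered_domain(host) != from_dom:
            findings.append(("link", host))
    for addr in EMAIL_RE.findall(body):
        if domain_of_address(addr) != from_dom:
            findings.append(("signature", addr))
    return findings


if __name__ == "__main__":
    for kind, detail in phishing_indicators(SAMPLE_MAIL):
        print(f"{kind}: {detail}")
```

The link check is the one that catches the classic trick in the sample: the host begins with the bank's real name but its registered domain is verify-login.example. A Return-Path on a different subdomain of the sender's own domain is normal bulk-mail practice, so the comparison is on registered domains rather than full hosts.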