Monday, September 30, 2013

Beta Bot: A New Trend in Cyber-Attacks

Beta Bot Malware Blocks Users Anti-Virus Programs

A new warning about malware designed to target payment platforms highlights why anti-virus software is increasingly ineffective at preventing account compromises. And while this new Trojan is not yet targeting online-banking accounts, financial institutions should be aware of the threat. The malware is another example of how fraudsters are increasingly getting around standard modes of authentication, such as usernames and passwords.

The Internet Crime Complaint Center and the Federal Bureau of Investigation recently issued an advisory about Beta Bot, the new malware that targets e-commerce sites, online payment platforms and even social networking sites to compromise log-in credentials and financial information.

When Beta Bot infects a system, an illegitimate but official-looking Microsoft Windows message box named "User Account Control" pops up, asking the user to approve modifications to the computer's settings. "If the user complies with the request, the hackers are able to exfiltrate data from the computer," the advisory states. "Beta Bot is also spread via USB thumb drives or online via Skype, where it redirects the user to compromised websites."

Beta Bot defeats malware detection programs because it blocks access to security websites and disables anti-virus programs, according to IC3. "This is a good demonstration of how fraudsters' methods are evolving constantly. They are coming up with sophisticated methods that appear so convincing, even people who typically would not fall for their schemes may do so."

Beta Bot's attacks also resemble the ransomware attacks that coupled the banking Trojan known as Citadel with the drive-by virus known as Reveton, which seized consumers' computers and demanded ransom, purporting to be from the FBI.

IC3 and the FBI warn that if consumers see what appears to be an alert from Microsoft but have not requested computer setting modifications from the company, they have likely been targeted for a Beta Bot attack. If infected, running a full system scan with up-to-date anti-virus software is recommended. And if access to security sites has been blocked, then downloading anti-virus updates or a new anti-virus program is advised.

Monday, September 23, 2013

How To Reduce Application Security Risk?

Survey shows serious misalignment between IT Executives & Engineers

Ponemon Institute independently surveyed 642 IT professionals in both executive and engineering positions. The majority of the respondents were at a supervisory level or higher. Over half of the respondents are employed by organizations of more than 5,000 employees.

Based on the responses, the primary finding is that a much higher percentage of executive-level respondents believe their organizations are following security procedures through the lifecycle of application development than do the engineers who are closest to executing the security processes.

This is a serious and potentially dangerous misalignment. Another troubling conclusion is that most organizations are only taking minimal steps to address application security throughout their development process.

The most effective way to reduce application security risk is to implement a formal, repeatable development process that includes secure coding standards to enable the early detection and remediation of vulnerabilities.

Mature organizations tend to have highly effective application security programs that include the three pillars of a secure SDLC:

  • Application Security Standards
  • Regular Security Assessments for measurement
  • Training for each role in the SDLC

The mature organizations share common characteristics by:

  • Writing and adopting security architecture and development standards.
  • Training their development teams on application security topics based on role, platform, and technology used.
  • Conducting regular assessments on their applications and processes to make sure the implementation of standards is effective.
  • Ensuring that their executives, technicians and staff understand the importance of application security as part of the organizations’ overall risk management strategy and collaborate on ensuring the practices described above are in place.

Saturday, September 21, 2013

iPhone 5S: A Biometrics Turning Point?

Future: Mobile Devices Will Boost Interest in Advanced Authentication

Apple's decision to include a fingerprint scanner in its new iPhone 5S is an important step toward bringing biometrics-based authentication into the mainstream. But there's still a long way to go before biometrics supplant usernames and passwords at the enterprise level.

Owners of the new phone can use a fingerprint to physically unlock their devices instead of using a numeric passcode. Apple will also let users confirm purchases from the iTunes store by swiping a finger on the sensor.

Apple has not yet revealed whether it will allow third-party developers to take advantage of the new TouchID fingerprint technology to build biometrics-based authentication into their apps. While TouchID is an important milestone toward getting users comfortable with using biometrics as an authentication credential, the technology has to expand beyond the Apple universe before it can truly be considered a game-changer or a significant security breakthrough.

Biometric authentication is not new to the mobile space. Some laptop vendors, including Lenovo, have included fingerprint readers in their devices for several years. Plus, a number of smart phones and tablets already incorporate biometrics to authenticate users. And security vendor McAfee recently introduced an online file storage service that relies on voice recognition to authenticate users. But all of these vendors use closed, proprietary models, which has made it difficult for biometrics to gain traction in the marketplace.

Market penetration for PCs and laptops with fingerprint sensors is about 20 percent, according to the FIDO Alliance, an industry group focused on open standards for authentication. Even if a majority of iPhone users opt for the iPhone 5S, overall smart phone market penetration for fingerprint scanners will remain low, considering that research firm IDC estimates Apple has about 17 percent smart phone market share.

The iPhone's popularity and its reputation as a trendsetter could help more consumers feel comfortable with the idea of using fingerprint scanners on a regular basis. And once they are used to the idea of fingerprint scanners, other types of biometrics won't be far behind. TouchID is the "first example of the potential for large-scale mass-market mobile biometric authentication."

Tuesday, September 17, 2013

Scam Of The Week: Ransomware Uses Child Porn Threat

Cybercriminals have cooked up a new way to blackmail people!

Getting caught viewing child porn is a huge deal and instantly makes you an outcast in most western countries. Cybercriminals have cooked up a new way to blackmail people out of their money, both inside and outside the office.

The ransomware family is called Revoyem (aka Dirty Decrypt) and uses the worst possible strategy to get people to pay up. It starts at a porn site that you have landed on, either on purpose or by accident. Then you are redirected by a malicious ad to an actual child porn themed page with very disturbing images. But while you are there, your PC gets infected with the Styx malware dropper which downloads ransomware and your computer gets locked.

The lock screen again shows disturbing images and now accuses you of watching child porn and what the penalties are. However, here comes your friendly ransomware to the rescue. Just pay the fine and you will not be prosecuted. They tell you to use either MoneyPak or PaysafeCard.

The attack is seen in the U.S., Canada and several Western European countries, is translated for each territory and uses the correct government law enforcement agency as a threat. This looks very much like an Eastern European Cybermafia operation.

WHAT TO DO: In an office environment, call the helpdesk and they will treat this as malware and remove it. At home, call the police and file a complaint. It is likely the police already know about it.

Also take the PC to an expert and get the malware removed. And stay away from unsafe areas on the Internet like gambling and porn sites! Here is how the lock screen looks:

Sunday, September 15, 2013

BYOD, Corporate-Owned or Hybrid Environments?

BYOD: Problem in the reality is smaller than it seems!

Companies nowadays wrestle with the decision of whether to give employees the freedom to use personal mobile devices to access corporate data, or issue secure, mobile devices.

The main issue with the BYOD concept is balancing corporate control against user privacy, and at the end of the day this concept can cost the company more than buying corporate-owned mobile devices. You also have to deal with different OS versions, installed applications, rooted devices, etc. There are some great MDM products out there, but none of them can cope with the full diversity of the mobile device world.

BYOD, Corporate-Owned or Hybrid Environments? That depends on the “type” of business you do, but the best way to start is to limit access to resources from mobile devices to those who really need it. That way you will find out, at the end of the day, that the problem is in reality smaller than it seems at the moment.

An interesting article about the cost, efficiency, productivity, risk and security implications of BYOD, Corporate-Owned and Hybrid Environments can be found at the following link.

Friday, September 13, 2013

How To Develop Security Awareness?

Six Steps To Successful Security Awareness Training

If you schedule an event to teach people about Internet security and make attendance optional, only about 5% of your entire office population will show up. And guess what: those 5% are probably the people who need it least.

Here are the six elements of a successful Internet Security Awareness Training Program:

  • Formulate, and make easily available a written Security Policy.
  • Each employee needs to read the document and sign it as an acknowledgment they understand the policy and will apply it.
  • Give all employees a mandatory (online) Security Awareness Course, with a clearly stated deadline. It is highly recommended to explain to them in some detail why this is necessary.
  • Make this Security Awareness Course part of the onboarding process of each new employee.
  • Keep all employees on their toes with security top of mind, by continued testing. Sending a simulated phishing attack once a week is extremely effective to keep them alert.
  • Never publicly identify an employee who fails a simulated attack; let their supervisor or HR take this up privately. Give a quarterly prize to the three employees with the lowest ‘fail-rate’.
  • If you use posters, stickers and/or screensavers, change the pictures or messages monthly. After a few weeks people simply don’t ‘see’ them anymore. It’s more effective to send them regular ‘Security Hints & Tips’ via email.

Wednesday, September 11, 2013

Five Generations Of Cybercrime

Now that cybercrime is in its fifth generation, prevent a security nightmare from happening on your watch

It helps to understand more about the history of hacking when you need to defend yourself against cybercriminals. Early hacking started when guys like Kevin Mitnick became ‘digital delinquents’ and broke into the phone company networks.

That was to a large degree to see how far they could get with social engineering, and it got them way further than expected. Actual financial damage to hundreds of thousands of businesses started only in the nineties, but has moved at rocket speed these last 20 years.

Generation ONE

Those were the teenagers in dark, damp cellars writing viruses to gain notoriety, and to show the world they were able to do it. Relatively harmless, no more than a pain in the neck to a large extent. We call them sneaker-net viruses as it usually took a person to walk over from one PC to another with a floppy disk to transfer the virus.

Generation TWO

These early-day ‘sneaker-net’ viruses were followed by a much more malicious type of super-fast spreading worms (we are talking a few minutes) like Sasser and NetSky that started to cause multi-million dollar losses. These were still more or less created to gain notoriety, with teenagers showing off their “elite skills”.

Generation THREE

Here the motive moved from recognition to remuneration. These guys were in it for easy money. This is where botnets came in: thousands of infected PCs owned and controlled by the cybercriminal, who used the botnet to send spam, attack websites, commit identity theft and carry out other nefarious activities. The malware used was more advanced than the code of the ‘pioneers’ but was still easy to find and easy to disinfect.

Generation FOUR

Here is where cybercrime goes professional. The malware starts to hide itself, and the criminals get better organized. They are mostly based in Eastern European countries and use more mature coders, which results in much higher quality malware, reflected in the first rootkit flavors showing up. They go for larger targets where more money can be stolen. This is also the time when traditional mafias muscle into the game, and rackets like the extortion of online bookmakers start to show their ugly face.

Generation FIVE

The main event that created the fifth and current generation is that an active underground economy has formed, where stolen goods and illegal services are bought and sold in a ‘professional’ manner, if there is such a thing as honor among thieves. Cybercrime now specializes in different markets (you can call them criminal segments), that taken all together form the full criminal supply-chain. Note that because of this, cybercrime develops at a much faster rate. All the tools are for sale now, and relatively inexperienced criminals can get to work quickly. Some examples of this specialization are:

  • Cybercriminals have their own social networks with escrow services
  • Malware can now be licensed and gets tech support
  • You can now rent botnets by the hour, for your own crime spree
  • Pay-for-play malware infection services that quickly create botnets
  • A lively market for zero-day exploits (unknown vulnerabilities)

The problem with this is that it increases malware quality, speeds up the criminal ‘supply chain’ and at the same time spreads the risk among these thieves, making it harder to catch the culprits. We are in this for the long haul, and we need to step up our game, just like the miscreants have done over the last 10 years!

Saturday, September 7, 2013

5 Quick Lessons on Privacy

Privacy Matters - How Easily Could Someone Hack Into Your Life?

Being diligent about your personal privacy is a learned behavior. Often the best way to practice is to take a closer look at the every-day activities in which you and your friends, colleagues and family members take part. 

Below are some quick-hit resources that serve as good reminders of the privacy threats we are exposed to each day.

Thursday, September 5, 2013

Successful Digital Strategy: Bridge the gap between CIO and CMO

CIO & CMO don't trust each other; IT doesn't provide fast turnaround!

Business is largely about competition and, even within organizations, a healthy dose of rivalry between colleagues can be a good thing. However, a survey just conducted by Accenture Interactive (see The CMO-CIO Disconnect) points to a downright unhealthy relationship in many C-Suites which can do nothing but damage to firms. 

At a time when many executives say that improving digital reach will be a significant differentiator for their companies, research shows that two of the most important digital leaders — the Chief Marketing Officer (CMO) and the Chief Information Officer (CIO) — do not trust each other, understand each other, or collaborate with each other.

That is very bad news for their businesses and, not incidentally, for their own careers. When IT and marketing departments work at cross-purposes, the results are inefficiencies and mishaps and it is customers who suffer. Potential buyers simply don't have the time or energy to do business with a company that makes things harder for them.

To begin to mend the CMO-CIO relationship, it's important to understand the source of each side's frustrations. CMOs' answers to survey questions make it clear that they view IT as an "execution and delivery" provider, instead of as a strategic partner. CMOs do not believe they are getting fast enough turnaround on projects and adequate quality from the IT departments. Because many CMOs do not believe they are getting the service they want from their IT departments, many bypass the IT department and work with outside vendors. Forty-five percent of marketing executives say they would prefer to enable marketing employees to operate data and content without IT intervention.

For their part, IT executives believe marketers make promises they can't keep and do not provide them with adequate information on business requirements. The CIOs believe the marketing teams often do not understand — or appreciate — data integration or IT standards. Nearly half (49 percent) of CIOs say marketing pulls in technologies without consideration for IT standards. Forty-seven percent say the marketing team lacks understanding of data integration.

CEOs and others in the C-suite should not turn a blind eye to this tension, hoping for it to resolve itself. It is crucial for companies to instill more collaboration and understanding across the functions.

Here are five suggestions for supporting a CMO-CIO relationship that will ultimately benefit customer experience and drive sales:

Identify the CMO as the "Chief Experience Officer."
This is more than simply a change in nomenclature. It is a constant reminder to the CMO that the job doesn't end with branding and advertising. The CMO must design and drive a customer experience that is consistently first-rate, at every touch point within the company — a goal that lays more emphasis on the role of IT and the need to reach a deeper understanding.

Signal that IT is the strategic partner to marketing
The CIO cannot be viewed as only the chief technology platform provider; the role must be elevated to a strategic member of the C-suite.

Get the two leaders working from the same playbook
Already, CIOs and CMOs spend more than 30 percent of their respective budgets on technology. It is time for them to agree on key business levers for marketing and IT integration, such as access to customer data and speed to market along with security, privacy, and standardization.

Change the skill mixes
Make sure the marketing department becomes more tech savvy and the IT department better understands marketing. Again, coming together around the consumer and customers will help to break down internal silos and align agendas. Upgrading their skills will help both departments make better decisions about technology and understand its impact on business outcomes.

Develop trust by trusting
It is time for leaders in organizations to extend their trust to — and accept it from — business units beyond their own.