Monday 9 December 2013

Spammers Spoil Holiday Cheer

Will the season of scams never end? You get junk mail year-round but it seems like during the winter holiday spell your inbox gets flooded more than usual. AppRiver security analysts revealed one of spammers' most recent tricks: fake Amazon orders.
Especially for those of us who want to avoid the floods of crowds at stores, Amazon and other online services offer the perfect way to buy presents. Recently the popular online retailer has been pushing its customers to do a 30-day free trial of its Amazon Prime service. Prime's benefits include free two-day shipping on all purchases and access to the Kindle Owners' Lending Library, which allows users to borrow up to one select popular book per month for free with no due date.
Free shipping is a beautiful thing for avid online shoppers, especially during the gift-giving season. It's also a great way for crooks to trick many unsuspecting users into downloading malware onto their computers.
Scammers are sending out boatloads of fake Amazon.com "Order Details" notifications. In the email, these cyber criminals tell users to open an attachment that contains order details and invoice. Opening this malicious attachment enables malware to infect all running processes on the infected machine, steal all auto-complete passwords from Mozilla Firefox, and attempt to download more malware from its server.
Luckily, a lot of these attachments are broken. Possibly made in a hurry, some of the files aren't formed properly, so the average recipient can't view the attachment, and others are just corrupted.
Just because the spammers failed to make all these fake Amazon attachments work doesn't mean you can take it easy. Don't open suspicious-looking emails, and keep track of what you order online so you know if you're expecting a confirmation email. To protect yourself against existing and future malware attacks, install antivirus software on your device; one of our favorites is Editors' Choice Norton Antivirus (2014). Be a smart shopper this holiday season; spammers are waiting for your guard to go down.

Ad Network Hacks and Info-Sucking Flashlights

When we talk about ad networks, it's important to remember that they are not inherently evil. Without them, free and $0.99 apps might not exist at all, and there would be decidedly less excitement about developing for mobile platforms. After all, everyone needs to make money.
The trouble is that users don't always have control over how much of their information is sent to ad networks, or whether those networks use proper security techniques to keep their information secure. We'll look at both of those problems today.
Brightest Flashlight Free
Flashlight apps are the ones people used to point to when making tired arguments about how mobile devices were just a passing fad. It turns out the real sin of flashlight apps wasn't that they were useless (they are), but that they sucked your information out of your phone.
But consent was at the center of the FTC's case against the developers of Brightest Flashlight Free. While the app gave users the ability to accept or reject a EULA which included transmitting location data, the FTC pointed out that it didn't matter. Even before users could make their choice, the app was already collecting and transmitting user data to third parties. Developers Goldenshores Technologies are now in danger of receiving a hefty $16,000 fine.
When Lookout started their crusade against adware earlier this year, the idea of user consent was key. The trouble is that most of the time, apps don't give users any indication that their data is being harvested. Some security applications, like Lookout, now include app reputation services and can provide alerts about apps that request an inordinate amount of access. Ultimately, though, it's up to the users to decide if they're willing to part with their information in exchange for apps.
Applovin Exploit
In late November, Bitdefender demonstrated another reason to be wary of ad networks when they demonstrated how to pull user information from an ad-serving framework called Applovin. While it was just a proof-of-concept, the security company showed how your data can be intercepted when ad networks don't use proper security techniques.
Bitdefender told SecurityWatch that their experiment hinged on the fact that Applovin (aka Vulna) did not encrypt its data while in transit, nor did it require authentication to access the data. Bitdefender used a man-in-the-middle attack to intercept the data, and noted that their attack could have been stopped if Applovin had used HTTPS.
"We cannot say if the Google Play application review process will prevent the creation of other SDKs or individual apps that present such functionality in the future," Catalin Cosoi, Chief Security Strategist for Bitdefender told SecurityWatch. "Google should definitely give some attention to the issue, as otherwise a malicious programmer might publish a perfectly legitimate app with such a backdoor function and turn it into a data-stealing Trojan later."
Thankfully, the latest version of Applovin does not include these vulnerabilities, which appear to be presented only in versions 2.0.74 through 5.0.3. Unfortunately, users will have a hard time knowing if developers are making use of Applovin, not to mention what version is involved. Bitdefender notes that their Clueful app should detect the vulnerability.

Phantom menace? A guide to APTs – and why most of us have little to fear from these ‘cyberweapons’

“If you work for a government or large institution I’m pretty sure you are being targeted by an APT right now,” says ESET malware researcher Oliver Bilodeau. “But if you work for a restaurant, you shouldn’t worry.”
APTs – or Advanced Persistent Threats – are the most menacing cyber attack there is, some say. Orchestrated by teams of hundreds of experts, they penetrate systems so deeply that they can remain for years, stealing secrets by the terabyte.
Most people, though, have not even heard of them, admits Bilodeau. “Normal people are not a target – unless you are working for governments or big corporations you won’t be,” he says.
Naturally, APTs are so stealthy as to be almost invisible – which means that actually capturing one “in the wild”, is a little like a zoologist finding Bigfoot alive. Oliver Bilodeau’s team did – and were rather surprised by the “cyberweapon” they found, as reported here.
Their hi-tech, undetectable nature has led to extensive debate over whether APTs are an entirely different beast from ‘normal’ malware and intrusions, or whether the phrase is just a sales tool. Some We Live Security articles cover the issues here.
Mandiant’s analysis of a Chinese APT – carried out by a professional group believed to employ thousands, found that their attacks had penetrated corporate networks, and remained undetected for more than four years – and at one point stole 6.5 terabytes of data from a single organization.
In 2010, America’s Computer Emergency Response Team warned that not only were APTs numerous, they were “sophisticated” and “difficult to defend against.”
RSA, who fell victim to an attack thought to be an example of an APT, likened the attack in a blog post to “stealth fighters” and suggested that a new era of cyber attacks had begun – requiring new defenses.
But when Bilodeau analyzed his find, he found that the sample – while clearly targeted at governments, wasn’t quite as futuristic as he expected.
“Our detector sent sample programs to our lab,” Bilodeau says. “When virus lab colleagues looked at them they found suspicious origin and behavior. We noticed that the prevalence was very low and also found interesting reference to government entities in the program itself. That’s when we decided to spend more time analyzing it.”
There was just one problem – the “nuclear bomb” of cyber attacks turned out to be less explosive than one might have expected.
Much of the attack was “low cost, low complexity”, Bilodeau explains in a blog post on We Live Security, and in detail in a white paper. Bilodeau says that companies may feel tempted to use the term to cover their own failings.
“So, before issuing your press-release about getting popped by an APT group, at least make sure that you are not simply overly exposed to simplistic B-list attacks,” he wrote.
“Most of us in the industry think it’s an overblown marketing term (to be polite) but at this point I think we are pretty much stuck with the term. I would have preferred “targeted attacks” since the threats are not usually that advanced.”
Ordinary PC users also have little to fear, he says: “End-users shouldn’t be concerned because these are highly targeted in nature.”
Governments and large organizations – especially those dealing in hi-tech and military research – are the targets. APTs differ from ‘normal’ malware largely in their choice of target – and their use of human researchers to filter information, Bilodeau says.
“They have a specific goal. If their goal is reconnaissance and data exfiltration like the ones I’ve analyzed then they differ by the fact that they are very generic, revealing very little information about who is doing the attack and what they are after.”
“Once a machine is compromised then a human gets involved and performs the reconnaissance and document stealing. This makes our job harder because we need to get infected and simulate that our computer is an interesting target.”
“That the malware used in some targeted attacks is not sophisticated,” says Bilodeau. “In fact, it’s much simpler in obfuscation than the conventional malware I have analyzed so far. Also that as long as it works (ie: they compromise their targets) these actors won’t put more effort into building better malware.”
The malware targeted Vietnamese and Taiwanese government systems – and used “one of the oldest tricks in the world,” Bilodeau says. It was delivered in phishing emails, disguised as a Word document.
“Very simple mitigations would have prevented infection,” Bilodeau says, “Doing security updates, not allowing executable attachments and a little bit of end-user security awareness training. That’s it.”
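Both the fake Amazon “Order Details” attachments described earlier on this page and the phishing emails above rely on the same trick: an executable dressed up as a document. A mail gateway can enforce Bilodeau’s “not allowing executable attachments” mitigation by looking at the bytes of an attachment rather than trusting its file name. The following is an added example, not code from AppRiver, ESET or any product named on this page; the magic numbers are real format signatures, while the attachment samples, the file names and the verdict labels are constructed here for illustration.

```python
import io
import os
import zipfile

# Real file-format signatures (first bytes of the file).
PE_MAGIC = b"MZ"                                     # Windows executable (DOS/PE header)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"     # legacy .doc/.xls (Compound File)
ZIP_MAGIC = b"PK\x03\x04"                            # .docx/.xlsx are ZIP containers
PDF_MAGIC = b"%PDF"

# Extensions a gateway should never let through as attachments (policy choice).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}


def sniff_type(data: bytes) -> str:
    """Classify an attachment by content, ignoring whatever the file name claims."""
    if data.startswith(PE_MAGIC):
        return "executable"
    if data.startswith(OLE2_MAGIC):
        return "ole2-document"
    if data.startswith(PDF_MAGIC):
        return "pdf-document"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            # Looks like a ZIP but the container is malformed (the "broken" attachments
            # the article mentions land here).
            return "corrupt"
        if "[Content_Types].xml" in names:
            return "ooxml-document"          # .docx/.xlsx carry this part
        if any(os.path.splitext(n)[1].lower() in EXECUTABLE_EXTENSIONS for n in names):
            return "zip-with-executable"
        return "zip-archive"
    return "unknown"


def classify_attachment(filename: str, data: bytes):
    """Return (verdict, reason) where verdict is 'allow', 'quarantine' or 'block'."""
    ext = os.path.splitext(filename)[1].lower()   # last suffix: "invoice.doc.exe" -> ".exe"
    kind = sniff_type(data)
    if ext in EXECUTABLE_EXTENSIONS:
        return "block", f"executable extension {ext}"
    if kind in ("executable", "zip-with-executable"):
        return "block", f"content is {kind} despite name {filename}"
    if kind == "corrupt":
        return "quarantine", "container is malformed"
    if ext in DOCUMENT_EXTENSIONS and kind in ("ole2-document", "ooxml-document", "pdf-document"):
        return "allow", f"{kind} matches {ext}"
    return "quarantine", f"cannot confirm {ext} from content ({kind})"


def make_zip(parts: dict) -> bytes:
    """Build a small ZIP in memory (used only to construct sample attachments)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample attachments, not real malware.
SAMPLE_DOCX = make_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"})
SAMPLE_ZIP_WITH_EXE = make_zip({"Order_Details.exe": "MZ-not-a-real-program"})
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60
TRUNCATED_ZIP = b"PK\x03\x04" + b"\x00" * 16

if __name__ == "__main__":
    inbox = [
        ("Order_Details.docx", SAMPLE_DOCX),          # genuine Word document
        ("Order_Details.docx", FAKE_EXE),             # executable renamed to .docx
        ("invoice.doc.exe", SAMPLE_DOCX),             # double extension
        ("Order_Details.zip", SAMPLE_ZIP_WITH_EXE),   # archive wrapping an executable
        ("Order_Details.docx", TRUNCATED_ZIP),        # corrupted attachment
    ]
    for name, blob in inbox:
        verdict, why = classify_attachment(name, blob)
        print(f"{verdict:10} {name:22} {why}")
```

The content check and the extension check are deliberately independent: a renamed executable fails the first, a double-extension file fails the second, and anything the gateway cannot positively identify as the document type it claims to be is held for review rather than delivered.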
The threat of APTs, though, is specific to governments, large corporations and military groups, Bilodeau says. Home PC users have little to fear.
“It is malicious actors that have time and money to spend to compromise you,” says Bilodeau. “They will write custom malware, exploits and run infrastructure in the goal of compromising a particular entity. They don’t want to compromise *any* computer – they do targeted attacks.”

Microsoft uses “telepathy” to warn users off weak passwords

Microsoft has unveiled a rather unlikely weapon in the war against users who choose weak passwords – telepathy.
The telepathic power, of course, comes from computing, not magic, and illustrates very clearly which passwords are easy for a computer to “guess”: the tool, Telepathwords, guesses the next letter as you type a password.
Naturally, going for classic “bad” passwords will lead to Telepathwords guessing every single letter right, The Next Web reports. “For example, if you think a clever password would be p@$$w0rd, think again – the tool guesses it right instantly,” the site reports. “If your password is zxserisljeerouiaer2345, on the other hand, its telepathic propensity flounders.”
The tool uses a database of real passwords chosen by users, such as those published after site breaches, together with artificial intelligence software. Users are advised to change passwords immediately if Telepathwords can “guess” them, according to NeoWin’s report.
“To guess the next character you’ll type, we send the characters you have already typed to query our prediction engine,” Microsoft says. “The prediction engine uses a database of common passwords and phrases that are too large for us to send to your computer”.
The tool looks for characters that are commonly used next to one another in passwords, as well as phrases used in web searches, Microsoft says.
The tool was created by researcher Stuart Schechter and shows, he says, that adhering to rules put in place to ensure “strong” passwords – such as a requirement for numbers or special characters – often leads to weak ones.
“A surprising number of passwords that follow these rules are easily guessed by malicious hackers: “P@$$w0rd1,” for example, or “Qwerty123!”. If you specify one of these passwords, most login systems won’t raise any objections,” he writes.
Schechter is a specialist in how human behavior affects security, and created the tool using publicly available data, with a view to examining what effect “rules” had on password choice. He describes the process of choosing a password as being like a “brainteaser” to the user, “Create a sequence of eight or more characters that includes at least one uppercase letter, one lowercase letter, a digit, and a symbol, that doesn’t contain any words in English, and that is memorable enough that you can recall it.”
Schechter says that such rules have “potentially serious implications” not just for users, but for entire organizations. He hopes his tool will help educate users in which passwords are genuinely secure, adhere to rules, and are easy to type.
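The core idea Microsoft describes above, predicting the next character from the characters already typed using a corpus of common passwords, can be shown with a small character n-gram model. What follows is an added example written for this page; it is not Telepathwords or any Microsoft code. The password list is a constructed stand-in for a breach-derived corpus, the three-character context length and the leetspeak entries are assumptions, and the complexity rule is the “brainteaser” Schechter quotes. The example also checks rule compliance, so it shows the passage’s point directly: a password can satisfy every rule and still be guessed character by character.

```python
from collections import Counter, defaultdict

# Constructed stand-in for a breach-derived password list. A real engine would use
# millions of leaked passwords plus common phrases; this is enough to show the idea.
COMMON_PASSWORDS = [
    "password", "password1", "p@ssw0rd", "p@$$w0rd", "p@$$w0rd1",
    "qwerty", "qwerty123", "qwerty123!", "123456", "123456789",
    "letmein", "iloveyou", "abc123", "welcome1",
]

MAX_CONTEXT = 3   # assumption: predict from at most the last three characters
START = "^"       # sentinel so that "first character" has its own statistics


def build_model(corpus, max_context=MAX_CONTEXT):
    """Count which character follows each context of length 0..max_context.

    Matching is case-insensitive: a capitalised common password is still common.
    """
    model = defaultdict(Counter)
    for pw in corpus:
        pw = START + pw.lower()
        for i in range(1, len(pw)):
            for k in range(0, max_context + 1):
                if k > i:
                    break
                model[pw[i - k:i]][pw[i]] += 1
    return model


def predict_next(model, typed, max_context=MAX_CONTEXT):
    """Guess the next character from what has been typed so far (longest context first)."""
    typed = START + typed.lower()
    for k in range(min(max_context, len(typed)), -1, -1):
        ctx = typed[len(typed) - k:]
        if ctx in model:
            return model[ctx].most_common(1)[0][0]
    return None


def guessed_positions(model, candidate):
    """For each character, was it predicted from the prefix typed before it?"""
    return [predict_next(model, candidate[:i]) == ch.lower()
            for i, ch in enumerate(candidate)]


def unguessed_count(model, candidate):
    """Characters the engine failed to predict: the password's real surprise content."""
    return sum(1 for hit in guessed_positions(model, candidate) if not hit)


def rule_compliant(pw):
    """The 'brainteaser' policy: 8+ chars, upper, lower, digit and symbol."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


MODEL = build_model(COMMON_PASSWORDS)

if __name__ == "__main__":
    for pw in ["P@$$w0rd1", "Qwerty123!", "zxserisljeerouiaer2345"]:
        hits = guessed_positions(MODEL, pw)
        shown = "".join(ch if hit else "_" for ch, hit in zip(pw, hits))
        print(f"{pw:24} rules ok: {rule_compliant(pw)!s:5} "
              f"guessed: {shown:24} unguessed: {unguessed_count(MODEL, pw)}")
```

A sensible policy built on this is the one the articles recommend: reject or warn on a password whose unguessed count is low regardless of which rules it satisfies, since that count, not the presence of a symbol or a digit, is what an attacker with the same corpus has to work through.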
The security of passwords chosen by users has been under discussion recently, after a breach of Adobe’s systems led to 38 million passwords being published online. Two million of these were “123456”.
Half a million craftier customers chose “123456789”, according to a report by The Register, quoting researcher Jeremi Gosney, a self-styled “password security expert” who found the passwords in a dump online.
Adobe initially said that three million accounts were affected, but has since raised that figure to 38 million, with another 150 million at risk.
The Register called the list of passwords “pathetic”, saying that it made their staff, “wonder if criminals should have bothered breaking in to steal them: with 1.9 million users relying on “123456” there’s a better than one in one hundred chance of unlocking an Adobe account with blind luck.”
ESET Senior Research Fellow David Harley says that in cases where a large site has been breached, even users with “strong” passwords are at risk – and should think carefully about other sites where they may have used the same password: “Where your login credentials have been revealed, it’s obviously a good idea to change your password, and in fact the compromised site may force you to do so. However, an attacker is likely to assume that you use the same credentials on other sites, and he may try them on other sites of interest to him. (Of course, they may not be sites of interest to you.) So it’s a good idea (if an irksome task) to change your password on other sites that do use the same credentials.”

Will car-hacking be the “next global cybercrime”? Senator’s letter inspires debate

As wireless technologies and electronic controls are increasingly built into cars, vehicles could become vulnerable to hackers – either stealing information, or injecting malware, a U.S. Senator warned in a letter to 20 major auto manufacturers.
The letter has reignited the debate over the cybersecurity of cars, as vehicles become more heavily computerised.
Senator Edward J Markey, Democrat, Massachusetts, pointed out in his publicly available letter that average cars now have up to 50 electronic control units, often controlled by a car “network”.
The open letter has ignited a spate of commentary, with Market Oracle describing the crime as “cyberjacking”, and pointing out that the average family car contains 100 million lines of computer code, and that software can account for up to 40% of the vehicle, according to researchers at the University of Wisconsin-Madison.
Hacks against cars have been demonstrated before – but thus far, have relied on attackers having physical access to the vehicles. At the DefCon conference this year, two researchers showed how they could seize control of two car models from Toyota and Ford by plugging a laptop into a port usually used for diagnostics.
So far, though, attacks where vehicles are “taken over” wirelessly have not been widely demonstrated.
“At the moment there are people who are in the know, there are nay-sayers who don’t believe it’s important, and there are others saying it’s common knowledge but right now there’s not much data out there,” said Charlie Miller, one of the ‘car hackers’ at Defcon. “We would love for everyone to start having a discussion about this, and for manufacturers to listen and improve the security of cars.”
“As vehicles become more integrated with wireless technology, there are more avenues through which a hacker could introduce malicious code, and more avenues through which a driver’s basic right to privacy could be compromised,” Senator Markey wrote. “These threats demonstrate the need for robust vehicle security policies to ensure the safety and privacy of our nation’s drivers.
Markey argues that car companies should use third parties to test for wireless vulnerabilities, and should assess risks related to technologies purchased from other manufacturers.
A report by CNBC earlier this year described some of these threats in detail, describing car-hacking as “the new global cybercrime.”
ESET’s Cameron Camp discusses the prospect of car malware, car-hacking and AV software in an earlier blog post here. Camp discusses the practicalities of various attacks – and says, “The thought of automotive-based ransomware is very scary indeed – whether or not it could disable your car or simply purport to, it’s still unnerving.”

Apple, Google, Microsoft and other tech giants team up to fight NSA spying tactics

Eight of the world's largest technology companies have signed a joint letter to the US president and congress, demanding reform on the methods used by government agencies to gather user data.
The open letter, published on the Reform Government Surveillance website, has been signed by Apple, Facebook, Google, Microsoft, LinkedIn, Yahoo, AOL and Twitter. The letter states that "the balance in many countries has tipped too far in favor of the state and away from the rights of the individual – rights that are enshrined in our Constitution. This undermines the freedoms we all cherish. It's time for a change."
Reflecting previous rhetoric from all the companies, including joint letters and petitions, the demands made of the US government also match up with the USA Freedom Act, a bill currently being put to the House of Representatives.
The letter also asks for governments to put in place "sensible limitations" on how they make requests for user information. "Governments should limit surveillance to specific, known users for lawful purposes, and should not undertake bulk data collection of internet communications," it adds.
It calls for greater transparency over how data requests are recorded, with the firms once again asking to be able to publish the number and extent of user data requests they receive. Currently, requests made under the US Foreign Intelligence Surveillance Act (FISA) cannot be published by law.
The website also contains statements from various technology executives. Microsoft's general counsel Brad Smith said: "People won't use technology they don't trust. Governments have put this trust at risk, and governments need to help restore it."
Google chief executive Larry Page, meanwhile, said his firm had made significant investment in securing its users' data, which was now being "undermined by the apparent wholesale collection of data, in secret and without independent oversight, by many governments around the world. It's time for reform and we urge the US government to lead the way."
Revelations stemming from documents leaked by former NSA contractor Edward Snowden caused a crisis of confidence in the tech industry, when it was revealed that the the government had tapped supposedly secure data via firms including Google and Yahoo.
Google has since begun encrypting all of the data stored in its cloud services, while Twitter has begun to use "forward secrecy" measures in order to better protect user data.

Toronto airport launches self-serve passport kiosks

If you’re headed down to some warm, snow-less place in the U.S. for the holidays, and you’re passing through Toronto, you may want to take note – you can now use your passport at a kiosk, cutting down your wait time in the customs line up.
About 40 kiosks have been set up in Terminal 1 and Terminal 3 at Toronto’s Pearson International Airport, allowing U.S. and Canadian passport holders to skip the line for customs declarations.
Branded as “automated passport control” kiosks, a traveler can insert his or her passport into one of these machines, use the touchscreen to answer declaration questions, have a photo taken, pick up a printed slip, and then go up to a customs official and show him or her the completed slip. This gives passport holders the chance to make declarations a self-service process.
While the passport kiosks have been up and running since earlier this spring the Greater Toronto Airports Authority (GTAA) officially rolled them out last week, making an announcement alongside U.S. Customs and Border Protection. Travelers have already been taking advantage of the kiosks in airports in Vancouver and Montreal.
By bringing in these kiosks, the goal is to make “Toronto Pearson into an even stronger North American gateway and a truly global airline hub,” the GTAA said in a statement, adding IBM Corp. helped develop the machines.
“Toronto Pearson is committed to the continuous development of our airport facility and our passenger experience,” said Howard Eng, president and CEO of the GTAA, in a statement.
“Our vision is to encourage growth while offering excellent customer service and APC will help us achieve this objective.”
In 2012, 35 million people passed through Pearson, making it the second largest airport in North America based on international passenger traffic.
And according to the GTAA’s numbers, these new kiosks will help about 5 million U.S. and Canadian passport holders move through the airport a little faster – something that will definitely help travelers over the holidays.

Stealing credit card numbers from Apple point of sales terminals? Easier than you might think

With consumers forming snaking, long lines in stores before the holidays, businesses are adding more and more mobile terminals so their customers can buy directly from salespeople on the floor.
This may speed up the lines – but it may also mean more chances for hackers to steal credit card numbers, says Mike Park, a managing consultant for SpiderLabs at Trustwave Holdings Inc.

What he’s found is that retailers’ mobile point of sales (POS) terminals may be convenient, but they’re also badly set up, with many of them processing unencrypted transactions. Park regularly performs mobile penetration tests for clients in the retail industry, and he soon showed some of them that he was able to grab the credit card numbers of hundreds of customers in about 20 minutes.

“Their main job is being a retailer. They’re not an IT shop, and what they want to do is solve the problem is that we’ve got two cashes, and 10 people on the floor, and we’ve got a huge lineup at the cash. They say, how do we get people in and out of the store faster and make more money, so hey, let’s have a mobile POS,” Park says.
Right now, many of these retailers are using iPads and other Apple devices as their mobile POS terminals because they’re trendy, and also because they seem to feel Apple’s ecosystem is more secure.
But with one of his clients, Park took a mobile POS device, hooked the function that was supposed to encrypt credit cards, since that’s where credit card numbers come in while they’re unencrypted. Then he stole the credit card data and allowed the encrypt function to run. That makes it very difficult for a user to know there’s any difference to his or her transaction.
And while this isn’t something a script kiddie could do, Park says, it’s definitely a possibility for a hacker who knows how to reverse engineer Apple iOS.
“The attack that we envisioned was when an attacker gets physical access to one of these devices by stealing it, or by coercing or convincing an insider to swap a device out for a short period of time,” he says. “[For a] jailbreak, you’re looking at 10 to 15 minutes tops to get all the software you want on there, and then hide the fact that it’s jailbroken, which is very easy to do. And then you’d install your custom malware.”
The problem is two-fold, Park says. It usually starts with poor decisions and assumptions. For example, some large retailers will buy POS devices out of the box, but they don’t bother to ensure they’re encrypting transactions or that the devices themselves are kept secure.
The other piece of the problem is that developers working for these retailers might be familiar with coding for business applications, but aren’t as knowledgeable about securing customized software on mobile devices.
And while regulators at the PCI Security Standards Council have given directions on how businesses should process mobile payments, they haven’t set up any specific rules on how businesses should set up mobile POS device applications, according to Trustwave compliance experts.
“You’ve got a situation where large retailers want to get the stuff out fast, they turn around and ask their developers to develop it, but then they make some poor choices and assumptions in the beginning, during the design and architecture phase, that sort of cascade down into poor choices and design later,” Park says, recalling seeing one client who didn’t bother to encrypt transactions at the head, even though the card reader they bought was fully capable of doing so.
“So it’s a little bit of management, a little bit of coding … And with mobile and iOS, it’s a relatively new technology. Developers and users think it’s magic.”
These poor choices can be costly later on. After all, if there is a breach, neither the customers nor the banks are responsible – that falls on the business that processed the transaction.

Still, it’s not just retailers who need to be concerned – a lot of small to mid-sized businesses (SMBs), like restaurants, are also starting to bring mobile POS terminals into their environments.
Ironically enough, however, smaller businesses tend to have fewer problems than bigger ones, Park says, because they tend to get a full mobile POS solution from a vendor that has done its own testing and uses its own software. Bigger companies are the ones who need to customize their software to fit into the rest of their environments.
However, if these devices use a PIN pad, or rely on chip and pin, they’re most likely fairly safe, Park says. He’s most wary of iOS-based POS devices that allow users to punch in their credit card information through the user interface, rather than through a PIN pad.
The best advice is to be vigilant, Park says. SMBs looking to install mobile POS terminals need to ensure the company providing them with the terminal does a lot of testing – and that everything stays encrypted.

HHS Panics About Security Glitches, Offers Sole-Source Contract to Tech Firm

Concerns have increased over the security of personal information collected by the Department of Health and Human Services (HHS) as the volume of personal data has multiplied dramatically with the implementation of Obamacare. Security experts have testified before Congress about flaws they have uncovered at Healthcare.gov, and various press reports have related other potential problems with the website or with information flowing to the Federal Services Data Hub that could be exploited by hackers and identity thieves. An HHS document dated December 5 describing a more than 500 percent increase in the monitoring of cyber threat indicators since April 2013 may only increase those concerns.
The document states that the agency's Computer Security Incidents Response Center (CSIRC) has experienced more than a five-fold increase in the number of "indicators" monitored by the center in just the last eight months alone. To cope with the potential threats from this vast increase in data, HHS intends to negotiate a sole-source contract to Cyber Squared, an Arlington, Virginia, cyber security firm after allowing less than four days (including a weekend) for responses from other interested firms, and even explicitly states that HHS is not soliciting competitive quotations. HHS describes the apparently urgent need for upgraded threat monitoring as follows:

In the past eight months the number of indicators monitored by the CSIRC has grown well over 500 percent. With the inclusion of the federal Healthcare Threat Operations Center (HTOC) information sharing data from HHS CSO, VA-Network Security Operations Center (VA-NSOC), and the Space and Naval Warfare NSOC for Medical Health Systems (SPAWAR NSOC (MHS)), the ability to analyze and correlate this much data requires the use of Threat Connect to be effective and efficient in combating cyber threats. This capability will allow for the joint collection and tracking of internally and externally derived indicators more efficiently as well as facilitate the analysis and correlation of a threat.
Some of the terminology used in this document raises questions about the scope of the monitoring. For instance, although the document references the "Healthcare Threat Operations Center (HTOC)", the federal government's 2013 Information Sharing Services annual report to Congress makes no mention of the HTOC among the five Federal Cybersecurity Centers, nor is there any other reference to a "Healthcare Threat Operations Center" on the HHS website or any other government website. References to each of the other potential data sources can be found on various government websites and documents.
The notice regarding ThreatConnect was posted by HHS at 3:42 PM on Thursday, December 5, and stated that responses would be needed by 8:00 a.m., Monday, December 9. The documentation accompanying the notice does not explicitly mention the Affordable Care Act or Healthcare.gov, but emails sent Thursday to the listed contracting officer and the HHS press office requesting clarification have not been returned.

Cyber crime the greatest global threat to business today – EY survey

With information security functions not fully meeting the needs in 83pc of organisations, 93pc of companies globally are maintaining or increasing their investment in cyber security to combat the ever growing threat of attack, according to a recent survey released by EY.
‘Under cyber attack. EY’s Global Information Security Survey 2013’ tracks the level of awareness and action by companies in response to cyber threats and canvases the opinion of over 1,900 senior executives across 64 countries.

The respondents included a number of Irish organisations across major industry sectors such as financial services, utilities and technology.

"The ever increasing reliance of business on IT, rising complexity in supply chains, rapid changes in technology and an aggressive cyber threat environment mean that this issue is going to get worse before it gets better. It is no longer a question of if, but when, a company will be the target of cyber-attacks,” said Ivan O’Brien, director at EY Advisory Services.

Austerity measures brought on by the global economic crisis have increased the risk of security breaches that benefit cyber criminals, such as those involving bank accounts or payment card data.

Despite half of the respondents planning to increase their budget by 5pc or more in the next 12 months, 65pc cite insufficient budgets as their No 1 challenge in order to operate at the level business expects.

This challenge exists against a backdrop where 65pc of Irish organisations cite an increase in external security threats and 35pc of Irish organisations cite an increase in internal vulnerabilities in the past year.

Hugh Callaghan, director, EY EMEIA financial services advisory added: “Ireland is rightly making a big economic play in the hi-tech and software sectors, but in order for this to be sustainable it has to be built on solid foundations of strong cyber security.”

Telus customers want to keep data within Canadian borders

What role does Telus Corp., one of the major telecommunications providers in the country, play in contributing towards our cybersecurity defences?
The answer to that question is in the video below, by Daniel Tobok, managing director of Telus Security Solutions. Tobok and other IT security experts from across Canada – both in the public and private sector – attended Technicity Nov. 23 to discuss the big picture view of protecting our digital assets in the 21st century.
In addition, Tobok discussed current customer concerns heard on a daily basis by Telus. Data sovereignty is just one of those issues, as more Canadian organizations are looking to keep data within the Canadian jurisdiction. “The moment it leaves our borders, we lose control, it’s as simple as that,” Tobok says.

Major tech brands form coalition in response to PRISM leaks

In the wake of government surveillance programs leaked by National Security Agency (NSA) contractor Edward Snowden, major tech industry firms are forming a coalition and calling on governments worldwide – starting with the U.S. – to reform cyber-listening programs to respect personal privacy, according to an open letter released this morning.
Signed by AOL, Apple Inc., Facebook Inc., Google Inc., Microsoft Corp., LinkedIn Inc., Twitter Inc., and Yahoo Inc., the letter is addressed to the President of the United States and members of Congress. The letter says it’s time for change after the extent of the NSA’s PRISM program was made clear this summer, scooping up metadata from the public Internet and creating individual profiles based on that information. The tech firms promise to do their part by using encryption to prevent unauthorized surveillance and also to push back on government requests for information.
“We urge the US to take the lead and make reforms that ensure that government surveillance efforts are clearly restricted by law, proportionate to the risks, transparent and subject to independent oversight,” states the letter.
The tech coalition has also launched a new website, www.reformgovernmentsurveillance.com, outlining five principles they’d like to see governments commit to in their surveillance programs:
  1. Limiting governments’ authority to collect users’ information
  2. Oversight and accountability
  3. Transparency about government demands
  4. Respecting the free flow of information
  5. Avoiding conflicts among governments
The firms involved in forming the coalition have been caught up in the story following the release of Snowden’s documents by The Guardian newspaper. The brands represent the most-visited destinations on the web and provide the type of services that would be ideal for the NSA to glean information from – email, social networking, web search, ecommerce, etc.
As reported by The Guardian, Google, Yahoo, and Microsoft were among companies that received financial compensation for Prism-related activities. This was after an October 2011 ruling found some NSA operations in violation of the U.S. constitution’s fourth amendment. Documents name Google and Yahoo as “Prism providers” that are being transitioned to new certifications to comply with a court ruling. Tech firms have repeatedly denied providing any back-door access to their servers since Prism revelations became public in June.
How involved the Canadian wings of these tech companies will be in the new coalition isn’t clear. ITBusiness.ca is seeking comment from several of the member companies’ Canadian offices. So far, LinkedIn has responded saying the U.S. government is the only focus of its effort right now. It provided this written statement attributed to Erika Rottenberg, general counsel, LinkedIn:
“These principles embody LinkedIn’s fundamental commitment to transparency and ensuring appropriate government practices that are respectful of our members’ expectations.”

8 cyber-security threats to prepare for in 2014

Just like those running legitimate businesses, hackers and cyber-criminals alike will be making New Year’s resolutions to improve their efficiency and hone their techniques to get a bigger impact for their efforts, according to cyber-security experts.
Expect 2014 to be a year where we see less malware overall, but more potent and effectively crafted malware that targets individuals with pinpoint accuracy. Cyber-criminals will continue to glean personal information from social networks, be willing to hold your data ransom for a price or destroy it, and be rushing to exploit unpatched and outdated software flooding the business market, Websense Inc. says in its 2014 Security Predictions Report. Other security experts agree with the likely threats that businesses should be ready for in the year ahead.
Businesses have to progress past the early 2000s security mantra of creating a hardened perimeter, counting on limited access to ensure a secure environment, says Nick Galletto, a partner with Deloitte Enterprise Risk Services. Hackers are learning to be patient, pick their moments, and steal the credentials of employees to access those secured environments.
“You may have very strong passwords, but if people are willing to give those up, it’s not very good protection,” he says.
1. The overall volume of malware will decrease
While at first glance the fact that Websense is seeing a big decrease in malware volume through its ThreatSeeker Intelligence Cloud looks like a good thing, it’s actually being intentionally done by cyber-criminals. Hackers have figured out that high-volumes of malware run a higher risk of detection and are instead using lower volume, more targeted attacks to evade defenses at businesses.
Think of it as trading a shotgun for a sniper rifle, says Jeff Debrosse, Websense director of security research. The bad guys are going from a widespread blast to crosshairs targeting. “If someone is shooting randomly, they’re spending a lot on bullets. In this case they’re making each one count.”
Galletto says organizations must track the latest method of attacks, as well as the latest malware code being used to succeed at attacks. More than half of the types of breaches seen today by Deloitte are spear phishing exercises, using tactics like a well-crafted e-mail message to fool someone into giving away a password or becoming infected. “People are the weakest link and the easiest to target,” he says.
2. There will be a major data destruction attack
It is common for hackers to try and get data out from behind an organization’s firewall that has some value – perhaps financial credentials or proprietary IP – and sell it on the black market. But now hackers are also finding ways to profit simply by destroying data. A method using ransomware sees data encrypted by a hacker so its owner can no longer access it. A password will unlock the data, but a ransom must be paid to the hacker to get that code. If the fee isn’t paid, the data is deleted.
“Once someone is exposed to an attack like this, remediation is very difficult,” Debrosse says. “Typically they either pay or they lose their data.”
3. Hackers will target cloud data
With more organizations storing data in the cloud, with providers like Amazon EC2, for example, hackers will turn their attention to cloud providers as a way to get at data. Hackers simply follow the trail of where critical data is being stored, and in some cases they may find that cloud providers are easier to exploit than the enterprises using them.
Make sure your cloud provider includes good security practices as part of its agreement with your company, Debrosse advises. “It’s not across the board that every company that hosts your data is also going to provide you with encryption mechanisms.”
But organizations must also be diligent to make sure their own environments aren’t breached, Galletto says. Practice proactive threat management combined with an incident response plan on how to deal with a network breach once it occurs.
“It’s not if, it’s when something will happen,” he warns.
4. The race is on in the exploit kit market
Hacking is such a commonplace activity now that some cyber-criminals try to make money by packaging together known exploits that exist in software and selling them off in kits to other hackers. That way a hacker that’s looking to get a piece of malware onto a system can just use this pre-cooked solution instead of finding their own exploits to target. A typical kit will contain hundreds or thousands of different exploits that can be targeted.
Blackhole is arguably the most successful exploit kit in history. But this year its author, known as Paunch, was arrested in Russia and the kit was shut down. Now hackers are in a race to replace it as the dominant exploit kit on the market. Neutrino and Redkit are just a couple of alternatives that could fill the void.
“We’re keeping a very keen eye on this to see who becomes the larger player in this space,” Debrosse says.
5. Unpatched Java software will pose a major risk
Anyone who has Java installed is familiar with how often it asks to be updated. It’s especially a problem for those working under an organization’s IT structure that only pushes out patches on a regimented schedule. But it’s not the only piece of aging software that could potentially be targeted by hackers as a vulnerability.
“You still occasionally see Windows NT servers. That exists today,” Galletto says. Windows XP will also see its end of support date come up April 8, 2014, meaning many existing business users will be open to any security flaws discovered and unpatched. “Many organizations don’t have it on their product refresh lifecycle for next year,” he says.
Organizations may shudder at the costs of updating all that software, Debrosse says, but consider the costs of the risk being taken by not updating it.
6. Hackers will turn to professional social networks
LinkedIn and other professional networks may become popular to use by hackers who create fake accounts with the intent of getting closer to corporate executives, Websense says. It’s a piece of cake to create a profile and fill it out with keyword-laden, fake information and start connecting with other users.
“It’s interesting to see how successful those efforts are because people can be very quickly and easily manipulated,” Debrosse says. Some successful methods seen in the field involve posing as a recruiter that is offering high compensation jobs.
It’s a good reason that companies should start monitoring social feeds for discussions about their company, Galletto says. It could reveal that employees are giving up too much information, or communicating with sketchy accounts.
“Social engineering will probably continue to be one of the more aggressively pursued attacks,” he says.
7. You are the weakest link? You’re hacked.
If hackers can’t penetrate the security defenses of a well-prepared company, they will look at who that company does business with and try to break into the network chain there. Outside consultants, contractors, vendors, and anyone who shares information with large corporations or government may be a potential pathway into a secured network.
“Some small contractors could be a one person team,” Debrosse says. “Infiltrating that network gives you a stepping stone into a larger one.”
To guard against attacks coming through a third party, Galletto says a company must monitor who it is communicating with and whether those sources are legitimate. This is a practice that should be embedded in ongoing risk assessments.
8. Mistakes made in ‘offensive security’
Perhaps not many have actively tried this yet, but more companies are considering a model of offensive security, Websense says. If an attack source is identified, then efforts are made to attack that source and bring it down to cease the attack. Governments in particular have threatened retaliatory strikes against anyone targeting them.
The risk lies in a case of mistaken identity. Often hackers are clever about covering their tracks and routing attacks through other points on the grid. If a company were to take down a router that another firm relies upon, it could be breaking the law.

How NSA hacked Google, Yahoo's data centres

SAN FRANCISCO: The recent revelation that the National Security Agency was able to eavesdrop on the communications of Google and Yahoo users without breaking into the companies' data centres sounded like something from a Robert Ludlum spy thriller. How on earth, the companies asked, did the NSA get their data without their knowing about it? The most likely answer is a modern spin on a century-old eavesdropping tradition. People knowledgeable about Google and Yahoo's infrastructure say they believe that government spies bypassed the big internet companies and hit them at a weak spot -- the fiber-optic cables that connect data centres around the world that are owned by companies like Verizon Communications, BT Group, Vodafone Group and Level 3 Communications. In particular, fingers have been pointed at Level 3, the world's largest so-called internet backbone provider, whose cables are used by Google and Yahoo.
The internet companies' data centres are locked down with full-time security and state-of-the-art surveillance, including heat sensors and iris scanners. But between the data centres -- on Level 3's fiber-optic cables that connected those massive computer farms -- information was unencrypted and an easier target for government intercept efforts, according to three people with knowledge of Google and Yahoo's systems, who spoke on condition of anonymity.
It is impossible to say for certain how the NSA managed to get Google and Yahoo's data without their knowledge. But both companies, in response to concerns over those vulnerabilities, recently said they had begun encrypting data that runs on the cables between their data centres. Microsoft is considering a similar move.
"Everyone was so focused on the NSA secretly getting access to the front door that there was an assumption they weren't going behind the companies' backs and tapping data through the back door too," said Kevin Werbach, an associate professor at the Wharton School.
Data transmission lines have a long history of being tapped.
As far back as the days of the telegraph, spy agencies have located their operations in proximity to communications companies. Indeed, before the advent of the internet, the NSA and its predecessors for decades operated listening posts next to the long-distance lines of phone companies to monitor international voice traffic.
Beginning in the 1960s, a spy operation code-named Echelon targeted the Soviet Union and its allies' voice, fax and data traffic.
In the 1990s, the emergence of the internet both complicated the task of the intelligence agencies and presented powerful new spying opportunities based on the ability to process vast amounts of computer data.
In 2002, John M Poindexter, who had been national security adviser under President Ronald Reagan, proposed the Total Information Awareness plan, an effort to scan the world's electronic information -- including phone calls, emails and financial and travel records. That effort was scrapped in 2003 after a public outcry over potential privacy violations.
The technologies Poindexter proposed were similar to what became reality years later in NSA surveillance programmes like Prism and Bullrun.
The internet effectively mingled domestic and international communications, erasing the bright line that had been erected to protect against domestic surveillance. Although the internet is designed to be a highly decentralized system, in practice a small group of backbone providers carry almost all of the network's data.
The consequences of the centralization and its value for surveillance were revealed in 2006 by Mark Klein, an AT&T technician who described an NSA listening post inside a room at an AT&T switching facility.
The agency was capturing a copy of all the data passing over the telecommunications links and then filtering it in AT&T facilities.
Documents taken by Edward J Snowden and reported by The Washington Post indicate that, seven years after Klein first described the NSA's surveillance technologies, they have been refined and modernized.
"From Echelon to Total Information Awareness to Prism, all these programmes have gone under different names but in essence do the same thing," said Chip Pitts, a law lecturer at Stanford University School of Law.
Based in the Denver suburbs, Level 3 is not a household name like Verizon or AT&T, but in terms of its ability to carry traffic, it is bigger than the other two carriers combined. Its networking equipment is found in 200 data centres in the United States, more than 100 centres in Europe and 14 in Latin America.
Level 3 did not directly respond to an inquiry about whether it had given the NSA, or the agency's foreign intelligence partners, access to Google and Yahoo's data. In a statement, Level 3 said: "It is our policy and our practice to comply with laws in every country where we operate and to provide government agencies access to customer data only when we are compelled to do so by the laws in the country where the data is located."
Also, in a financial filing, Level 3 noted that, "We are party to an agreement with the US Departments of Homeland Security, Justice and Defense addressing the US government's national security and law enforcement concerns. This agreement imposes significant requirements on us related to information storage and management; traffic management; physical, logical and network security arrangements; personnel screening and training; and other matters."
Security experts say that regardless of whether Level 3's participation is voluntary, recent NSA disclosures make clear that even when internet giants like Google and Yahoo do not hand over data, the NSA and its intelligence partners can simply gather their data downstream.
That much was true last summer when US authorities began tracking Snowden's movements after he left Hawaii for Hong Kong with thousands of classified documents. In May, authorities contacted Ladar Levison, who ran Lavabit, Snowden's email provider, to install a tap on Snowden's email account. When Levison did not move quickly enough to facilitate the tap on Lavabit's network, the FBI did so without him.
Levison said it was unclear how that tap was installed, whether through Level 3, which sold bandwidth to Lavabit, or at the Dallas facility where his servers and networking equipment are stored. When Levison asked the facility's manager about the tap, he was told the manager could not speak with him. A spokesman for TierPoint, which owns the Dallas facility, did not return a call seeking a comment.
Pitts said that while working as the chief legal officer at Nokia in the 1990s, he successfully fended off an effort by intelligence agencies to get backdoor access into Nokia's computer networking equipment.
Nearly 20 years later, Verizon has said that it and other carriers are forced to comply with government requests in every country in which they operate and are limited in what they can say about their arrangements.
"At the end of the day, if the Justice Department shows up at your door, you have to comply," Lowell C McAdam, Verizon's chief executive, said in an interview in September. "We have gag orders on what we can say and can't defend ourselves, but we were told they do this with every carrier."