Facing potentially costly and disruptive measures from Google’s proposed plan to deprecate and remove trust in its certificates, Symantec posted a counter-proposal that it claims will balance the needs of all affected parties. In January, security researcher Andrew Ayer discovered about 100 improperly issued certificates traced to the Symantec certificate authority. In March, the Google Chrome team announced that an investigation into the Symantec certificate authority business revealed a “series of failures” and proposed a plan that included reducing the validity period for any new Symantec certificates to nine months, revalidating and replacing all Symantec-issued certificates, and removing the Extended Validation status of Symantec-issued certificates for at least one year. Symantec, however, pushed back and argued that Google had singled out Symantec and suggested the search giant was trying to create “uncertainty and doubt” about Symantec’s certificates. But the pressure on Symantec mounted when Mozilla joined the fray and highlighted its own concerns with the Symantec certificate authority. The antivirus company eventually proposed its own solutions to the issues raised by Google and Mozilla. Symantec’s proposal “addresses the concerns raised by Google about our CA business without imposing undue business disruption on our customers and Chrome users that we believe would result if Google implements its proposal,” said Roxane Divol, executive vice president and general manager for Symantec Website Security, in a statement provided to SearchSecurity. “Even though our past mis-issuance events have not, to our knowledge, resulted in customer harm, we consider compliance with industry standards a critical responsibility of our CA business,” Symantec announced in its blog post detailing the plan for the Symantec certificate authority.
“We believe our multi-faceted proposal addresses the concerns regarding the trustworthiness of Symantec’s past and future SSL/TLS certificate issuances.” The Symantec certificate authority proposal aims to increase transparency through more frequent and expanded audits, publication of a quarterly letter updating the community on progress Symantec CA is making, and working together with the CA/Browser Forum to develop or update guidelines for handling customer requests that conflict with CA/Browser Forum baseline requirements. Symantec also proposed to offer optional shorter validity certificates; domain revalidation for certificates with validity period longer than nine months; “further increasing our investment in the Security and Risk function of our CA operations, with a focus on our security and compliance controls and risk assessments;” update its Root Program to reflect appropriate use-cases for different types of certificates; and use Symantec’s Global Intelligence Network “to identify encrypted websites that have an increased threat risk based on our rating categorization and take appropriate action to mitigate risk for our certificates associated with such sites.” Symantec noted in its blog post that it sought feedback from its customers, who include “many of the largest financial services, critical infrastructure, retail and healthcare organizations in the world, as well as many government agencies.” Symantec certificate authority practices have come under increased scrutiny since 2015 when Google discovered that Symantec had issued test certificates for domains it did not own — including Google domains. As a result, Google required Symantec certificates be entered into Certificate Transparency logs as well as additional third-party audits for Symantec certificate authorities. 
Rejected option for Symantec certificate authority?

Ryan Sleevi, software engineer and tech lead for Chrome’s networking security team at Google, provided some additional context to the Symantec certificate authority proposal on the Mozilla developer security policy forum.
Sleevi wrote that “the Chrome team met with Symantec’s leadership to personally discuss and explain the issues and concerns raised, despite having been in communication with Symantec over these issues for months. As the number of issues that Symantec has had was so great, we were unable to provide our perspective of the many failures and the concerns that they signaled, and thus, a second meeting was scheduled.” In his post, Sleevi shared information about the discussions held over the previous two weeks between Symantec and Google — including offering Symantec an “easy out” option to stay in the certificate authority business by effectively turning over Symantec certificate authority operations to one or more existing CAs. Some browser community members expressed concern over the possibility that the Symantec certificate authority might avoid serious consequences for its pattern of past actions. “I am quite disappointed by Symantec’s proposed remediation plan. Intentional or not, [this] response seems to indicate they don’t really understand the potential consequences of many of their past actions,” wrote Tyrel M. McQueen, associate professor of chemistry at Johns Hopkins University, who commented on the proposal from Symantec on the Mozilla developer security policy forum in his capacity as a private citizen. While noting Symantec’s proposal was “no doubt appealing to Symantec and its customers,” McQueen wrote that it does “not address the significant relying party risks introduced by [Symantec’s] past actions, including allowing various third parties carte blanche to issue certs chaining to publicly trusted roots without meaningful oversight.” McQueen pointed out that no one, including Symantec, “has a full view of all the past actions (e.g. cross-signs, creation of unconstrained CAs, etc.)
under their existing roots; and the scope of issues here are more serious than other cases that have led to full dis-trust under Mozilla’s program.” Richard Wang, former CEO of WoSign, the Chinese certificate authority that was dropped from Mozilla’s list of trusted certificate issuers last year, joined the policy list conversation to support Symantec’s proposal. He wrote “it is disastrous for [a] CA and its customers to replace the certificate[s] that exceed[s] your imagination,” and added that WoSign is still working on cleaning up the certificate mess nearly six months later. “Due to the quantity of Symantec customers is more than WoSign and most companies are bigger than WoSign’s customers, I am sure that the interoperability and compatibility failures could bring big problem to Symantec, to Symantec customers and the Browser users,” Wang wrote, adding “I think Symantec’s proposal is good and will benefit its customers that it will not make the world mess.” The post Symantec certificate authority offers counter-proposal to Google appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/symantec-certificate-authority-offers-counter-proposal-to-google/
The U.S. National Security Agency will no longer sift through emails, texts and other internet communications that mention targets of surveillance. The change, which the NSA announced on Friday, stops a controversial tactic that critics said violated U.S. citizens’ privacy rights. The practice involved flagging communications where a foreign surveillance target was mentioned, even if that target wasn’t involved in the conversation. Friday’s announcement means the NSA will stop collecting this data. “Instead, this surveillance will now be limited to only those communications that are directly ‘to’ or ‘from’ a foreign intelligence target,” the NSA said in a statement. As part of that change, the NSA will delete most of the internet communications that were collected using this surveillance tactic. The agency said it decided to stop some of the activities because of technological constraints, U.S. citizens’ privacy interests, and difficulties with implementation. The NSA said it made the change after reporting several incidents in which it inadvertently collected citizens’ communications while using this tactic. The Foreign Intelligence Surveillance Court, which oversees the agency’s spying powers, has issued an order approving the agency’s narrower approach to data collection, the NSA said. Privacy advocates applauded the move. “This change ends a practice that could result in Americans’ communications being collected without a warrant merely for mentioning a foreign target,” said U.S. Senator Ron Wyden of Oregon in a statement. He plans to introduce legislation banning this kind of data collection. Former NSA contractor Edward Snowden tweeted: “This is likely the most substantive of the post-2013 NSA reforms, if the principle is applied to all other programs.” The NSA change specifically involves its upstream surveillance collection, and not the agency’s PRISM program, which allegedly spies on U.S. citizens. 
The post NSA ends surveillance tactic that pulled in citizens' emails, texts appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/nsa-ends-surveillance-tactic-that-pulled-in-citizens-emails-texts/

WikiLeaks released details of what it said is a Central Intelligence Agency document tracking program called Scribbles, part of the agency’s toolkit for keeping tabs on documents leaked to whistleblowers and journalists. Scribbles allegedly embeds a web beacon-style tag into watermarks located in Microsoft Word documents that can report document analytics back to the CIA. WikiLeaks released information Friday about Scribbles as part of its ongoing Vault 7 Dark Matter release that began last month. Also released is what WikiLeaks said is Scribbles’ source code. A user manual describing Scribbles said the tool can be used to generate batch copies of identical or unique files, each with distinctive watermarks that include a web beacon-like tag. A web beacon (or web bug) is a transparent graphic image that can be used to report back whether a document has been opened and the IP address of the computer that requested the image file. According to WikiLeaks, Scribbles works exclusively with Microsoft Office documents. The tool, according to the user guide, has been “successfully tested” to work with Microsoft Office 2013 (on Windows 8.1 x64) and Office 97-2016 running on Windows 98 and above. WikiLeaks’ copy of the CIA’s Scribbles user manual says the tool will not work on encrypted or password-protected documents. The CIA also warns that if a document with a Scribbles watermark is opened in an alternative document viewing program, such as OpenOffice or LibreOffice, the watermarks and URLs may be revealed to the user.
According to the alleged CIA documentation, the tool is for “pre-generating watermarks and inserting those watermarks into documents that are apparently being stolen by FIO (Foreign Intelligence Officers) actors.” A CIA spokesperson declined to comment on this latest WikiLeaks release and instead reiterated a statement made to Threatpost on March 8 regarding the initial Vault 7 dump by WikiLeaks.
Microsoft did not return requests for comment for this story. According to security expert Udi Yavo, CTO and co-founder of enSilo, Scribbles is taking advantage of a feature in Microsoft Office that allows users to embed remote objects, such as images, in documents. “Similar tracking mechanisms are used by document protection security companies in order to track them,” Yavo said. He said Scribbles and similar tools such as web beacons are used by organizations to answer questions like: Did the document leak? Where was it opened? Who was the owner of the document that was opened? When was it opened? Similar digital rights management products are sold commercially by firms like IntraLinks, which sells a tool called DocTrack, a file tracking service that gathers document analytics. Inserting web beacons into Word documents was also a technique described by the Privacy Foundation at the University of Denver Sturm College of Law in 2000. With the release of Office 2016, Microsoft introduced Data Loss Protection, a tool to prevent data leakage and manage file permissions. The tool offered admins the ability to track some document usage. WikiLeaks contends Scribbles is intended for use against “insiders, whistleblowers, journalists or others.” “Regarding privacy concerns, I don’t see here a major concern, since we are dealing with internal classified documents – they should be protected from data leakage,” said Omer Schneider, CEO of CyberX. However, Schneider and Yavo point out that the remote-object feature in Office documents has been leveraged in several attacks based on Office documents. “Sandworm leveraged this feature, as did the latest major Office vulnerability (CVE-2017-0199) that with HTA files,” Schneider said. The post WikiLeaks Reveals CIA Tool ‘Scribbles’ For Document Tracking appeared first on Gigacycle Computer Recycling News.
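The beacon mechanism the Scribbles article describes relies on an Office document carrying a reference to a remote object (an image) that Word fetches when the file is opened. A defender can spot such references without opening the document, because a .docx is a ZIP package whose external references are all declared in `_rels/*.rels` parts with `TargetMode="External"`. The scanner below is an added example, not code from the article or from any WikiLeaks release; the sample document it builds is constructed in memory, and the beacon host `beacon.invalid` is a placeholder.

```python
"""Scan a .docx for remote image/object references of the kind a document
tracking beacon needs. Added example: the .docx built here is constructed
test data, not a real document, and the URL is a placeholder."""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ODOC = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
IMAGE_REL = ODOC + "image"
OLE_REL = ODOC + "oleObject"


def external_references(docx_bytes):
    """Return (rels part, relationship type, target) for every relationship
    in the package that is marked TargetMode="External"."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts declare external targets
            root = ET.fromstring(zf.read(name))
            for rel in root.findall("{%s}Relationship" % RELS_NS):
                if rel.get("TargetMode", "Internal") == "External":
                    found.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return found


def beacon_suspects(docx_bytes):
    """Narrow the external references to those Word fetches automatically on
    open: remote images and OLE objects over http(s). External hyperlinks are
    also declared this way but only fire when a user clicks them, so they are
    left out. Header/footer parts are where a watermark normally lives."""
    return [
        (part, target)
        for part, rtype, target in external_references(docx_bytes)
        if rtype in (IMAGE_REL, OLE_REL)
        and target.lower().startswith(("http://", "https://"))
    ]


def build_sample_docx(beacon_url=None):
    """Constructed minimal .docx: a body, one header, one ordinary hyperlink
    and, if beacon_url is given, a remote image relationship in the header's
    rels part. The XML bodies are placeholders; the scanner reads only rels."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels",
                    '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%sofficeDocument" '
                    'Target="word/document.xml"/></Relationships>' % (RELS_NS, ODOC))
        zf.writestr("word/document.xml", "<w:document xmlns:w='urn:placeholder'/>")
        zf.writestr("word/_rels/document.xml.rels",
                    '<Relationships xmlns="%s">'
                    '<Relationship Id="rId1" Type="%sheader" Target="header1.xml"/>'
                    '<Relationship Id="rId2" Type="%shyperlink" Target="https://example.com/" '
                    'TargetMode="External"/></Relationships>' % (RELS_NS, ODOC, ODOC))
        zf.writestr("word/header1.xml", "<w:hdr xmlns:w='urn:placeholder'/>")
        header_rels = ""
        if beacon_url:
            header_rels = ('<Relationship Id="rId1" Type="%s" Target="%s" '
                           'TargetMode="External"/>' % (IMAGE_REL, beacon_url))
        zf.writestr("word/_rels/header1.xml.rels",
                    '<Relationships xmlns="%s">%s</Relationships>' % (RELS_NS, header_rels))
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_docx()
    tracked = build_sample_docx("https://beacon.invalid/watermark.png")
    print("clean document:", beacon_suspects(clean))
    print("tracked document:", beacon_suspects(tracked))
```

The same check applies to .xlsx and .pptx packages, which use the identical relationship format; a real Word beacon additionally references the relationship id from a drawing element in the header part, which this scanner does not need to parse.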
from https://news.gigacycle.co.uk/wikileaks-reveals-cia-tool-scribbles-for-document-tracking/

The recent wave of new mesh router systems has brought with it changes besides the obvious increase in Wi-Fi range. For example, these mesh routers are more likely to insist on WPA2-AES encryption, as many have dropped support for the less secure WEP and WPA options. Not all of them, but many. Here I take a look at another insecure router technology, WPS (Wi-Fi Protected Setup), and how these new mesh routers deal with it. WPS is an alternate way of gaining access to a Wi-Fi network that does away with having to know the SSID (network name) and password. Much of what you read about WPS is incomplete, as it supports at least four different modes of operation. One of these modes, known as PIN authentication, lets a Wi-Fi device get on a network by providing the PIN code of the router. Any router supporting WPS has a PIN code on the label; all you need do is turn the device over to see it. Often, the WPS PIN code cannot be changed. WPS got a big public black eye at the end of 2011, when it came out that the PIN authentication method was designed in such a way that it was vulnerable to brute force guessing. I explain the details on my RouterSecurity.org site, but the end result was that a router supporting WPS could be breached with a maximum of 11,000 PIN code guesses. The real scandal is what happened in the subsequent five years: nothing. WPS is still required for a router to be certified by the Wi-Fi Alliance. But, finally, the latest crop of mesh routers are doing something about this. I looked at seven of them and found that five do not support WPS at all. One supports WPS, but not the PIN code method, and the last one is so poorly documented that it’s not clear exactly which modes of WPS operation are supported.

GOOD NEWS

The five mesh routers that do not support WPS are Eero, Google Wifi, Ubiquiti AmpliFi, Plume and Luma.
An Eero tech support article, Frequently asked security questions, says “eero doesn’t support WEP, WPA, or WPS, as these protocols are known to be insecure.” A Google tech support article, Google Wifi security features, says “WPS, a mechanism that lets a device join a wireless network without entering a password, is also not supported for security reasons.” A Plume tech support article, Does Plume support WPS?, says “Plume does not not support WPS as it was discovered to be a less secure procedure for establishing a WiFi network.” A Luma blog posting by Yasin Jabbar, What is Wi-Fi Protected Setup (WPS)?, points out the security issue with WPS, then concludes with “Our Luma WiFi routers natively don’t support WPS.” I could not find anything from Ubiquiti about WPS, but I have used and tested one of their AmpliFi routers and found no indication of WPS support.

BAD NEWS

Most reviewers agree that the Netgear Orbi system offers the best Wi-Fi for consumers. Rather than dropping WPS entirely, Netgear supports the push button mode of WPS authentication. A Netgear Knowledge Base article, Does my Orbi WiFi System support Wi-Fi Protected Setup (WPS)?, says that “You can use the Sync button on your Orbi router and satellite to connect devices that support WPS.” Page 23 of the Orbi WiFi System User Manual (PDF) also gives the impression that WPS support is limited to the push button method of WPS, although this is not explicitly stated. Even assuming that WPS support is limited to button pushing, it does mean that anyone who can physically touch an Orbi device can get on its network. The manual says nothing about whether WPS can be disabled, so we have to assume it cannot. Finally, we come to Linksys and their Velop mesh system. The Velop User Guide (PDF) makes a bad first impression; not only is it undated, there is no reference to a firmware release number either. The Netgear manual that I referred to above clearly shows that it was updated in March 2017.
My experience has been that manuals without a date or release number are issued and abandoned. That is, the manual will probably not be updated to reflect changes in the firmware going forward. Page 17 of the Velop User Guide describes how to “Connect a Device with WPS” and says “Wi-Fi Protected Setup allows you to easily connect wireless devices to your Wi-Fi without manually entering security settings.” Easy has always been the mortal enemy of secure. The screen shot of the mobile app on page 17 shows it saying “WPS is a secure way for basic users to connect devices without complicated authentication details.” No one thinks WPS is secure. From the screen shot, it looks as if WPS can be disabled, but the manual does not go into this at all. Most importantly, it is not at all clear which types of WPS are supported by the Velop system. My favorite router, the Pepwave Surf SOHO, does not support WPS. That’s partly why it made such a good first impression back in 2013.

The post How seven mesh routers deal with WPS appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/how-seven-mesh-routers-deal-with-wps/

Despite nearing the 100-day mark, the Donald Trump administration has yet to deliver its promised cybersecurity executive order. Before being sworn in, President Trump said he would have a team and a plan for cybersecurity within 90 days of taking office. “Whether it is our government, organizations, associations or businesses, we need to aggressively combat and stop cyberattacks,” he said in a public statement after a meeting with the leaders of the intelligence community on Jan. 6. “I will appoint a team to give me a plan within 90 days of taking office.” Trump also declared via Twitter on Jan. 13 that his administration would produce a cybersecurity report on nation-state hacking against the U.S. government within 90 days, but no such report was released.
Last week, the 90-day mark for the cybersecurity executive order came and went, and the Trump administration has yet to issue a new order.
However, the White House cybersecurity coordinator, Robert Joyce, said the administration is “close and nearby” to issuing the cybersecurity executive order. Speaking at Georgetown University’s International Conference on Cyber Engagement on April 24, Joyce said Trump’s son-in-law Jared Kushner is working with White House officials Chris Liddell and Reed Cordish to develop strategies for both cybersecurity and modernizing federal IT systems. Joyce indicated that the efforts outlined in the cybersecurity executive order and those covered in the modernization initiative will tie in with each other, saying that “innovation and cybersecurity are intertwined”. A draft copy of Trump’s cybersecurity executive order leaked in February and appeared to be similar to an executive order enacted by former President Barack Obama. Both called for cybersecurity assessments to identify areas of improvement or where new legislation might be needed. Federal IT modernization was also included in the draft copy of the Trump executive order, but Joyce indicated they would likely be in separate orders now. In response to when the new cybersecurity executive order might be rolled out, Joyce was vague and suggested the White House was waiting for the right time in the press cycles. “We want to make sure that the cybersecurity EO emerges with the time and attention it needs,” Joyce said. “And at the same time is sequenced with other things the administration is rolling out so we don’t distract from other important messages that are out there.” In other news:
The post Still waiting for a cybersecurity executive order from Trump appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/still-waiting-for-a-cybersecurity-executive-order-from-trump/

Mike Mimoso and Chris Brook recap this year’s SOURCE Boston Conference and discuss the week in news, including the long term implications of the NSA’s DoublePulsar exploit, and the HipChat breach. Download: Threatpost_News_Wrap_April_28_2017.mp3

The post Threatpost News Wrap, April 28, 2017 appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/threatpost-news-wrap-april-28-2017/

As self-driving cars become more advanced with a greater number of onboard computers, sensors, cameras and WiFi, the amount of data is expected to balloon, providing automakers, insurers and others with rich information to harvest. A single autonomous car could generate as much as 100GB of data every second, said Barclays analyst Brian Johnson, in a note published Wednesday. If extrapolated out to the entire U.S. fleet of vehicles — 260 million in number — autonomous cars and trucks could potentially produce about 5,800 exabytes, Johnson stated. In other words, on a daily basis, there would be enough raw data to fill 1.4 million Amazon AWS “Snowmobile” mobile data center tractor-trailer trucks with 100 petabytes of storage each, for a convoy reaching 11,000 miles long. “Even with data compression of 10,000x, that would still be a one-mile long convoy,” Johnson stated.

(Image: An Uber autonomous test vehicle on the streets of Pittsburgh.)

Big data will be “at the core of change and disruption” in the auto business, and managing massive amounts of data will require new solutions in storage and analysis, the report said. Security will also be a key area of concern for autonomous car makers. A modern car has 50 to 150 electronic control units (ECUs) – or tiny computers — with as much as 100 million lines of code.
And for every 1,000 lines there are as many as 15 bugs that are potential doors for would-be hackers, analysts say. In today’s vehicles, ECUs are linked by an internal controller area network, infotainment systems and an increasing array of cameras and radars for advanced driver assistance systems that are already creating vast amounts of data that is typically used by automakers, but then discarded. “Going forward, any or all of this data can be uploaded to the cloud — either in real time via 4G and beyond, someday through home WiFi uploads, or sporadically through service center uploads (as with the original Tesla Roadster),” the report stated. Cars will produce data related to in-vehicle, environmental, and driver/passenger information. In-vehicle data will consist of historical data, such as vehicle fluid levels, speed and acceleration, GPS positioning and, in the event of an accident, a snapshot of data prior to the crash as well as alerts for first responders.

(Image: Otto’s self-driving semi-trailer truck hauling Budweiser down I-25 in Colorado.)

Driver/passenger data will include information about the use of infotainment systems, HVAC and seat preferences, and even driving styles (i.e., whether the car is used in a “sporty” fashion versus economic driving). “All of this could be recorded, uploaded and used to tailor in-car experiences,” the report stated. Environmental data will include information from LiDAR scanners, cameras and other sensors. “The car can become a roving data gathering vacuum,” Johnson said in the report. “Think of millions of Google StreetView vehicles capable of refreshing live views of every street everywhere several times a day.
Not only can this data be added as layers on top of traditional HD-maps in near-real time, it can also be potentially mined for a variety of insights.” For example, video data could be used to determine how full a store parking lot is at any given time of day and what prices are advertised in a store window, according to Johnson. “Moreover, installed cameras can displace the aftermarket dash-cam video market and record pre-crash images,” Johnson wrote. Companies most likely to capitalize on vehicle big data are automakers that are building from scratch, such as Tesla, which offers a “clean sheet in-car architecture with a solid base of data,” and third-party parts suppliers, such as Delphi, which is expected to provide analytics engines for legacy and newly manufactured cars and trucks, Barclays said. Mobileye, a maker of vehicle vision chip technology (called EyeQ), also has a strong lead in the mapping and camera sensing market, the report claimed.

Mobileye and Delphi plan to start production in 2019 on their “Central Sensing Localization and Planning” platform for self-driving cars in urban and highway driving conditions. Intel recently acquired Mobileye for $15.3 billion to help advance an alliance between the two companies and BMW, which plans to ship self-driving cars by 2021. Last year, Intel CEO Brian Krzanich emphasized how critical the automotive market has become to the company, and said the industry must be prepared for the deluge of data that will require an “unprecedented” level of “computing, intelligence and connectivity.” Krzanich said there’s a need for the auto industry to be prepared for that data deluge that could amount to 4TB of data being generated from a single car each day. Intel’s investment arm, Intel Capital, also plans to spend $250 million of additional new capital over the next two years for the development of autonomous driving technology.
Intel has partnered with self-driving technology makers, such as vehicle camera company Mobileye, and carmakers such as BMW, to produce fully-autonomous vehicles by 2021.

(Image: The BMW i3 autonomous car co-developed by BMW, Intel and Mobileye.)

While the oft-cited use case for automotive big data is in support of location-based marketing, Barclays believes the mountain of data will be mined for vehicle-related services, such as usage-based insurance plans and predicting required maintenance. The highest-value use case, however, would be to support level 4 and 5 fully autonomous driving through digital maps and sensor data videos, which would provide training data for autonomous algorithms. “Indeed, within mapping, Auto Big Data could support crowd-sourced live video covering every mile of road in the world,” Johnson wrote. “While currently it is not feasible to stream constant video to the cloud, in the future it would be feasible as bandwidth and storage costs drop exponentially.” The Society of Automotive Engineers International, a U.S.-based industry standards organization, has established six autonomous driving categories where Level 0 represents no automation and Level 5 is a fully autonomous vehicle that controls all aspects of driving previously performed by humans. The exabytes of data expected to come will reside mainly in the cloud, where data analytics and cloud storage platforms will be required to create and store usable information. Those who capitalize on the Auto big data will be able to compress the data and extract key data “events,” Johnson stated. “Even in a world beyond 5G, the amount of raw data is impractical to process, so… the node and edge analytics engines in the car could become more important than the motors in vehicles,” Johnson wrote.
By 2020, 75% of the world’s cars will be connected to the internet via embedded Wi-Fi, and the growth of internet-connected vehicles will bring in around $2.94 billion in revenue, according to a report by Topology, a division of TrendForce market research. In addition, autonomous or fully self-driving vehicles will enter mass production by 2020 because more major auto makers in recent years have committed to those vehicles’ R&D, according to Topology. Automakers are already investing heavily in artificial intelligence technology to control self-driving cars. For example, Ford plans to spend $1 billion over the next five years on A.I. in support of the development of autonomous vehicle technology. “A common saying in Silicon Valley… is that ‘data is the new oil’ — and enthusiasm for businesses that generate and analyze data is common across the technology space,” Johnson wrote. “Unlike oil, ultimately a finite and diminishing resource, data and uses of data expand exponentially.”

The post Your car will eventually live-stream video of your driving to the cloud appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/your-car-will-eventually-live-stream-video-of-your-driving-to-the-cloud/

Google and Facebook have confirmed that they fell victim to an alleged $100m (£77m) scam. In March, it was reported that a Lithuanian man had been charged over an email phishing attack against “two US-based internet companies” who were not named at the time. They had allegedly been tricked into wiring more than $100m to the alleged scammer’s bank accounts. On 27 April, Fortune reported that the two victims were Facebook and Google. The man accused of being behind the scam, Evaldas Rimasauskas, 48, allegedly posed as an Asia-based manufacturer and deceived the companies from at least 2013 until 2015.
“Fraudulent phishing emails were sent to employees and agents of the victim companies, which regularly conducted multimillion-dollar transactions with [the Asian] company,” the US Department of Justice (DOJ) said in March. These emails purported to be from employees of the Asia-based firm, the DOJ alleged, and were sent from email accounts designed to look like they had come from the company, but in fact had not. The DOJ also accused Mr Rimasauskas of forging invoices, contracts and letters “that falsely appeared to have been executed and signed by executives and agents of the victim companies”. “We detected this fraud against our vendor management team and promptly alerted the authorities,” a spokeswoman for Google said in a statement. “We recouped the funds and we’re pleased this matter is resolved.” However, the firm did not reveal how much money it had transferred and recouped. Nor did Facebook – but a spokeswoman said: “Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation.”

Big firms targeted

“Sometimes staff [at large firms] think that they are defended, that security isn’t part of their job,” said James Maude at cyber-security firm Avecto, commenting on the phishing threat facing big companies. “But people are part of the best security you can have – that’s why you have to train them.” He also told the BBC that Avecto’s clients have recounted phishing attempts that used senior staff’s hacked email accounts to convince employees that a request to wire out money was genuine. The sophistication of phishing scams has increased lately, according to a recent Europol report. “CEO fraud” – in which executives are impersonated by the scammer – was a particular worry. “The request is usually time-sensitive and often coincides with the close of business hours to make verification of the request difficult,” the report explained.
“Such attacks often take advantage of publicly reported events such as mergers, where there may be some degree of internal flux and uncertainty.” In order to avoid succumbing to such fraud, firms are advised to carefully verify new payment requests before authorising them.

The post Google And Facebook Duped Out Of $100 Million In Phishing Scam appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/google-and-facebook-duped-out-of-100-million-in-phishing-scam/

Ransomware dominated malware-related data breaches investigated by Verizon last year, appearing in 71 percent of cases, according to the annual Verizon Data Breach Investigations Report (DBIR) released Thursday. Compared to last year’s DBIR report, ransomware attacks are up 50 percent. Still, Verizon suspects the true number of ransomware attacks and victims is likely underreported. The DBIR, an analysis of more than 40,000 incidents (including 1,935 breaches) investigated by Verizon, shows that cybercriminals targeted manufacturing, the public sector and education the most, but Verizon senior network engineer Dave Hylender said the healthcare industry was hit the hardest with ransomware. “Organized criminal groups continue to utilize ransomware to extort money from their victims, and since a data disclosure in these incidents is often not confirmed, they are not reflected in statistical data,” Verizon wrote. Last year, ransomware attacks against healthcare organizations dominated headlines, such as a Locky ransomware attack against the hospital chain MedStar and Samsam ransomware attacks that crippled two California hospitals. Last year also saw the emergence of new types of ransomware and ransomware business models, with the DBIR citing Petya and Mischa specifically. “Ransomware has evolved over the past year,” Hylender said.
“We are seeing new strains with new attributes.” Instead of immediately infecting and encrypting data, criminals are now taking their time to infiltrate systems and targeting high-value data with ransomware, he said. “Ransomware gangs are using unforeseen and unusual command lines and are using new packaging techniques for their malware so they can evade detection,” Hylender said. Last year there was no shortage of unique ransomware, from strains that used fileless attack techniques to campaigns that coupled elaborate phishing attacks with complex malicious Word macros.
State-affiliated actors were responsible for a quarter of recorded phishing attacks, up from nine percent last year. “Targeted phishing campaigns continue to be the tip of the spear for espionage-related breaches,” Verizon wrote. The sectors hit hardest by cyberespionage were manufacturing (representing 38 percent of attacks investigated by Verizon), public (34 percent), professional (9 percent) and education (7 percent), according to the DBIR.

The interesting change in the DBIR is the rise of academia as a target of these attacks, Hylender said. Colleges are centers of innovation and are building technologies that would certainly be targeted by state-affiliated groups, he said. “Criminals are realizing that intellectual property and trade secrets are being held by institutions of higher learning. And, state actors are realizing it’s easier to break into a university system and steal the R&D there than break into a government system or a well-developed and well-protected manufacturer’s system,” Hylender said.

In the report, Verizon offers several words of advice for businesses. One, don’t go out of your way to give hackers a reason to attack you. “Stay off the radar of any potential hacker,” Verizon said. It also suggests keeping an ear to the ground when it comes to understanding the type of defenses needed, based on reliable threat intelligence. And then there is the obvious: secure your environment. “Implement a timely and effective patch management program; conduct regular penetration-testing activities,” it suggests. Verizon also recommends implementing two-factor authentication and offering security awareness training for staff. “People are still not using two-factor authentication and hackers are still using brute-force password attacks. There are all sorts of things we tell people to do to be more secure. Nevertheless, people continue to practice poor security hygiene. Will things change next year?
Why would criminals morph and change their tactics if what they are doing today is easy, successful and making them a great deal of money.”

The post Ransomware, Cyberespionage Dominate Verizon DBIR appeared first on Gigacycle Computer Recycling News.
from https://news.gigacycle.co.uk/ransomware-cyberespionage-dominate-verizon-dbir/

BOSTON—Collaboration is important when it comes to fighting ransomware, but the lack of communication around the issue remains a serious impediment, law enforcement says. “If we don’t know about it and no one keeps track of it, then no one cares,” Frank McLaughlin, a detective with the Boston Police Department’s cybersecurity division, said during a SOURCE Boston panel Thursday morning.

Collaboration was a big theme throughout the panel, on which McLaughlin was joined by officials from Kaspersky Lab and McAfee. “It’s incumbent on everyone in the information security industry to communicate how businesses are affected [by ransomware],” McLaughlin said. “We don’t get better as police officers without help from the community.” McLaughlin said he’s spent the last 20 years dealing with violent crime but recently shifted gears and now helps carry out cyber investigations for the BPD. He acknowledged the BPD doesn’t see a whole lot of ransomware – those cases are mostly reported to the FBI – but he’s learning about it.

The FBI began encouraging ransomware victims to report infections last fall. While McLaughlin couldn’t speak for the FBI, he said the BPD only receives a few calls periodically about ransomware. “We get a couple of calls here and there but people mostly don’t want to report it to the police because if they fill out a police report it becomes public record,” McLaughlin said. That stigma – that the public feels the police can’t help them – is tough to overcome, said Paul Roberts, the panel’s moderator and editor-in-chief of The Security Ledger. “These things are washing up in local precincts and people don’t know what to do.
It’s like any other endemic problem,” Roberts said. That’s ultimately a win for attackers, Michael Canavan, head of sales at Kaspersky Lab, added. “The lack of reporting is increasing the success of attackers,” Canavan said. “They know if corporations or individuals are less likely to report it, there’s less of a barrier for entry. There’s a responsibility to report. It helps feed information databases for people like Frank and helps drive up the cost of attacks for attackers.”

The call to action to share more data seemingly comes as ransomware is more popular than ever. Ryan Naraine, the head of Kaspersky Lab’s North America Global Research and Analysis Team, said early on in the panel that the trend has grown exponentially. “It’s a foolproof business model,” Naraine said. “It generates a level of anxiety and desperation; people will pay.” The fact that attackers are incorporating ransomware into targeted attacks is alarming as well, Naraine said. “Attackers are using scary APT techniques and tactics to infect organizations, stay there, then sometimes demand one Bitcoin, $1500 per machine to unlock them,” Naraine said. “Attackers are deliberately keeping their prices low – they’re not demanding billions of dollars.”

McLaughlin, who’s taking a Master’s degree class pertaining to computer security, said he’s fortunate to be taking the class with members of the FBI and has time to discuss with them how they can better parse information that comes in. He said he understands that having more data on ransomware attacks and encouraging victims to report such attacks are some of the first steps toward combating them.
“With the volume of calls we get on a daily basis, it won’t get looked at,” McLaughlin said, “but if we can find a way to collect that information and work with the FBI we could say ‘Hey, those IP addresses came from the same part of the world, maybe this issue isn’t 15 different attackers, it’s 5.’”

Education around the topic should be a focus too, the detective said, suggesting that the threat of ransomware should perhaps be treated like a warning riders see on the subway or on the highway. “If we had a PSA, even a billboard geared toward physical safety with a clear and concise message and link, it could help,” McLaughlin said. “From a policing standpoint I can’t protect you from getting robbed every day, I can’t protect you from getting shot but there are things that fall on us as individuals, we should have a duty and an obligation to do an awareness campaign or something.”

The post Lack of Communication Achilles’ Heel for Ransomware Fighters appeared first on Gigacycle Computer Recycling News.
from https://news.gigacycle.co.uk/lack-of-communication-achilles-heel-for-ransomware-fighters/