Thursday, 10 October 2013

Ponemon study shows costs of cybercrime still rising – each attack now costs $1 million

The costs of cybercrime have continued to rise for victims, for the fourth consecutive year, according to a survey conducted by the Ponemon Institute.
Each cyberattack now costs companies nearly $1 million to resolve, on average – and the annualized cost to a sample of U.S. organizations was $11.56 million.
The researchers suggest that cybercrime has become significantly more sophisticated during this period, according to TechWeekEurope.
In a statement, researchers said, “The sophistication of cyberattacks has grown exponentially in recent years, as adversaries both specialize and share intelligence in order to obtain sensitive data and disrupt critical enterprise functions.”
Since Ponemon conducted its first Cost of Cyber Crime study four years ago, the cost to companies has risen 78%. The Institute said that the time taken to resolve such cyberattacks has risen nearly 130%.
The report suggests that big data analytics is one tool companies could use to fight back against such sophisticated adversaries, according to Silicon Angle.
Cybercriminals are hitting frequently, too – 122 successful attacks per week, up from 102 attacks per week in 2012.
The figures are based on interviews with 1,000 security professionals around the world, in a survey sponsored by HP; the average time to resolve an incident was 32 days.
“The most costly cybercrimes are caused by denial-of-service, malicious-insider and web-based attacks, together accounting for more than 55 percent of all cybercrime costs per organization on an annual basis,” the researchers say.
“Information theft continues to represent the highest external costs, with business disruption a close second. (On an annual basis, information loss accounts for 43 percent of total external costs, down 2 percent from 2012. Business disruption or lost productivity accounts for 36 percent of external costs, an increase of 18 percent from 2012.)”
The Ponemon study took in 234 companies, with annual costs per company ranging from $1 million to $56 million.
ESET offers its own “road map” for smaller businesses to help deal with an increasingly challenging security environment.
ESET Senior Researcher Stephen Cobb says, “Criminal hacking is making headlines with depressing frequency these days, so the task of securing your business against cyber criminals can seem daunting, particularly if your business is of modest size, the kind of place that does not have a crack team of cyber security experts on staff.”

EU cyber agency warns of “outdated” systems in power plants – and suggests new safety measures

Cyber attacks against Industrial Control Systems pose a risk to power plants and other critical infrastructure, and action is needed to ensure nations stay safe, the EU’s cyber security agency ENISA said today.
ENISA suggested that collecting and analyzing evidence from such attacks is key to fighting them; its white paper points to a lack of scientific studies of such attacks, and to a “culture gap” between IT and operations staff.
“ICS are widely used to control industrial processes for manufacturing, production and distribution of products. Often commercial, outdated off-the-shelf software is used,” ENISA warns. “Security experts across the world continue to sound the alarm bells about the security of Industrial Control Systems (ICS). Industrial Control Systems look more and more like consumer PCs. They are used everywhere and involve a considerable amount of software, often outdated and unpatched.”
Power plants in the U.S. have been widely targeted with cyber attacks, including brute force attacks and sophisticated spear-phishing attacks, as We Live Security has reported.
A phishing expert from trainers PhishMe said last week that all attackers needed was one “lucky” spear-phishing email to “black out” energy companies.
ENISA recommended that operators analyze such attacks after the fact in order to speed up the response to future attacks against industrial systems.
The researchers recommend, “Complementing the existing skills base with ex-post analysis expertise and understanding overlaps between cyber and physical critical incident response teams. Facilitating the integration of cyber and physical response processes with a greater understanding of where digital evidence may be found and what the appropriate actions to preserve it would be.”
Executive Director of ENISA Professor Udo Helmbrecht said: “SCADA systems are often embedded in sectors that are part of a nation’s critical infrastructure, for example power distribution and transportation control, which makes them an increasingly attractive potential target for cyber attacks, ranging from disgruntled insiders and dissident groups, to foreign states.”
“Such systems should be operated in a manner which allows for the collection and analysis of digital evidence to identify what happened during a security breach.”
In ESET’s 2013 malware forecast, Senior Research Fellow David Harley predicted that attacks against ICS would increase.
Cybercriminals targeted U.S. energy companies with a wave of brute force cyber attacks earlier this year, according to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
A series of attacks were directed against companies operating gas compressor stations in the U.S. in February and March this year.
“While none of the brute force attempts were successful, these incidents highlight the need for constant vigilance on the part of industry,” ICS-CERT said in its newsletter.
“The ability to detect anomalous network activity and network intrusions early in an incident greatly increases the chance of a successful mitigation and resolution.”
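The ICS-CERT statement above stresses catching anomalous activity early, and the incidents it describes were brute force login attempts against remote access points. As an added example, not code from the page, from ICS-CERT or from any vendor, the Python below runs a sliding-window failed-login detector over a handful of constructed log lines. The log format, the usernames, the addresses (taken from the RFC 5737 documentation ranges), the five-failure threshold and the one-minute window are all assumptions for illustration; real remote-access gear logs differently and the numbers need tuning against a site's normal failure rate.

```python
"""Sliding-window failed-login detector over authentication log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): one source hammers several accounts
# within seconds; a second source fails twice, twenty minutes apart, then logs in.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2013-02-22T03:14:01 FAILED_LOGIN user=operator src=203.0.113.7
2013-02-22T03:14:03 FAILED_LOGIN user=admin src=203.0.113.7
2013-02-22T03:14:04 FAILED_LOGIN user=root src=203.0.113.7
2013-02-22T03:14:06 FAILED_LOGIN user=scada src=203.0.113.7
2013-02-22T03:14:09 FAILED_LOGIN user=guest src=203.0.113.7
2013-02-22T03:14:11 FAILED_LOGIN user=operator src=203.0.113.7
2013-02-22T03:20:00 FAILED_LOGIN user=jsmith src=198.51.100.22
2013-02-22T03:40:00 FAILED_LOGIN user=jsmith src=198.51.100.22
2013-02-22T03:40:05 LOGIN_OK user=jsmith src=198.51.100.22
"""

# Assumed log format: ISO timestamp, outcome, user=..., src=... (real gear differs).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>FAILED_LOGIN|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, event, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
    return ts, m["event"], m["user"], m["src"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag each source IP whose failed logins within `window` reach `threshold`.

    Returns one alert dict per offending source (first alert only, so a noisy
    source does not flood the queue).  `distinct_users` lets an analyst tell
    password spraying across accounts from one user mistyping a password.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures still inside window
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, event, user, src = rec
        if event != "FAILED_LOGIN":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {
                "src": src,
                "first_seen": q[0][0],
                "last_seen": ts,
                "failures": len(q),
                "distinct_users": len({u for _, u in q}),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

With the defaults only the first source is flagged, at its fifth failure, having tried five different accounts in eight seconds. The second source, two failures twenty minutes apart followed by a successful login, is not; widening the window would catch slow, distributed attempts of that shape, at the cost of more false positives from ordinary users.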
The organization says it has responded to more than 100 incidents targeting the energy sector between October 2012 and May 2013.
“The majority of these incidents involved attacker techniques such as watering hole attacks, SQL injection, and spear-phishing attacks. In all cases, ICS-CERT evaluates the information available to determine if successful compromise has occurred, the depth and breadth of the compromise, and the potential consequences to critical infrastructure networks.”
A Congressional survey of electrical utilities earlier this year found that companies faced up to 10,000 attacks per month. Out of 53 companies surveyed, more than a dozen described attacks on their systems as “daily” or “constant”. One company complained of being under a “constant state of ‘attack’ from malware and entities seeking to gain access to internal systems.”
In April, the Monitor report from the Department of Homeland Security’s ICS-CERT documented a spear-phishing attack that targeted an American electrical company.

Smartphone users want more protection – and don’t mind being fingerprinted, says Paypal

Smartphone users want more protection for the data on their cellphone – and are perfectly comfortable being fingerprinted if that’s the best option, according to a new survey commissioned by PayPal.
A survey of 1,000 Americans commissioned by PayPal and the National Cyber Security Alliance found that users were most comfortable with having antivirus or security software on their cellphones to protect their data – with 30% of polled users picking this option, according to The Next Web.
Biometrics – including the fingerprint reader on the iPhone 5S – were also popular with those polled, with 18.7% of users willing to protect their device this way.
The increasing need for security on mobile devices was also highlighted by other answers from the survey, with one in six of those surveyed saying that they made 25% of their purchases using a smartphone or mobile device, according to CNBC.
Around 70% of users believe that storing financial data on smartphones or mobile devices without additional protection is unsafe.
Reports this week suggested that Android devices may soon be offered a standardised fingerprint ID system, and leaks from within Samsung suggested that future Note and Galaxy devices could ship with the security hardware built in, according to Phones Review.
“Mobile devices present unique security advantages including location information and biometric authentication,” said Andy Steingruebl, Director of Ecosystem Security, PayPal. “According to our survey, more than half of mobile consumers are comfortable using biometrics to authenticate themselves on mobile devices. Many users do not realize that location information can help detect and prevent fraudulent transactions.”
“For example, if a transaction takes place in San Francisco and another one in Dallas a few minutes later, we can investigate for suspicious activity.”
Apple’s choice of biometric security for its new iPhone has sparked much discussion of biometrics as a way to improve security, as We Live Security has reported.
Stephen Cobb, Security Researcher with ESET, says that we may be on the verge of widespread deployment of biometrics. Cobb says, “Successful implementation of biometrics in a segment leading product could bode well for consumer acceptance.”
“I have been a fan of biometrics as an added authentication factor ever since I first researched multi-factor and 2FA systems 20 years ago, however, user adoption is very sensitive to performance; in other words the iPhone 5S could advance biometrics, or put a whole lot of people off biometrics.”
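Steingruebl’s San Francisco/Dallas example is a geo-velocity, or “impossible travel”, check: two events on one account whose separation in space cannot be covered in their separation in time. As an added illustration, not PayPal’s code (PayPal has not published its fraud logic), the Python below sorts each account’s transactions by time and flags consecutive pairs whose implied speed exceeds a ceiling. The coordinates, the 900 km/h ceiling (roughly airliner cruise speed), the 50 km floor that absorbs IP-geolocation noise, and the transaction records are all constructed assumptions.

```python
"""Geo-velocity ("impossible travel") check over per-account transactions."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


# Constructed transactions (not real data): (account, ISO timestamp, lat, lon, place).
# acct-1 reproduces the San Francisco -> Dallas "a few minutes later" case;
# acct-2 is a plausible same-day drive; acct-3 is two purchases at one location.
SAMPLE_TXNS = [
    ("acct-1", "2013-10-10T12:00:00", 37.7749, -122.4194, "San Francisco"),
    ("acct-1", "2013-10-10T12:05:00", 32.7767, -96.7970, "Dallas"),
    ("acct-2", "2013-10-10T09:00:00", 37.7749, -122.4194, "San Francisco"),
    ("acct-2", "2013-10-10T14:30:00", 34.0522, -118.2437, "Los Angeles"),
    ("acct-3", "2013-10-10T08:00:00", 40.7128, -74.0060, "New York"),
    ("acct-3", "2013-10-10T08:00:00", 40.7128, -74.0060, "New York"),
]


def impossible_travel(txns, max_speed_kmh=900.0, min_distance_km=50.0):
    """Flag consecutive transactions on one account that imply travel faster than
    `max_speed_kmh` (assumed ceiling, roughly airliner cruise speed).

    Pairs closer than `min_distance_km` are ignored to absorb IP-geolocation
    noise; a zero time gap over a real distance is treated as infinite speed.
    """
    by_account = {}
    for acct, ts, lat, lon, place in txns:
        by_account.setdefault(acct, []).append((datetime.fromisoformat(ts), lat, lon, place))

    alerts = []
    for acct, events in by_account.items():
        events.sort(key=lambda e: e[0])  # never trust arrival order
        for (t1, lat1, lon1, p1), (t2, lat2, lon2, p2) in zip(events, events[1:]):
            dist = haversine_km(lat1, lon1, lat2, lon2)
            if dist < min_distance_km:
                continue
            hours = (t2 - t1).total_seconds() / 3600.0
            speed = float("inf") if hours == 0 else dist / hours
            if speed > max_speed_kmh:
                alerts.append({
                    "account": acct,
                    "from": p1,
                    "to": p2,
                    "km": round(dist),
                    "minutes": round(hours * 60),
                    "speed_kmh": speed,
                })
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_TXNS):
        print(alert)
```

Only acct-1 is flagged: about 2,400 km in five minutes. As Steingruebl says, the hit is a reason to investigate, not to block outright; coarse IP geolocation, VPNs and a card used from a travelling laptop all produce legitimate long jumps, so the ceiling and floor are tuned against the false-positive rate and the signal is combined with others.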

Compromised Turkish Government Web site leads to malware

Our sensors just picked up an interesting Web site infection, this time affecting a Web server belonging to the Turkish government, where the cybercriminals behind the campaign have uploaded a malware-serving fake ‘DivX plug-in Required!’ Facebook-themed Web page. Once socially engineered users execute the malware variant, their PCs automatically join the botnet operated by the cybercriminals behind the campaign.

Sample screenshot of the fake DivX, Facebook-themed page uploaded on the compromised Web server:
Compromised URL: hxxp://
The malware’s download URL: hxxp:// –
Detection rate for the malicious variant:
MD5: adc9cafbd4e2aa91e4aa75e10a948213 – detected by 3 out of 48 antivirus scanners as Heuristic.LooksLike.Win32.Suspicious.J!89
The following malicious sub-domains are also known to have responded to the same IP (
We’re also aware of the following malicious MD5s that are known to have been downloaded from the same IP (
MD5: 4aacf36cafbd8db3558f523ddc8c90e5
MD5: 3dff37ee5d6e3a1bc6f37c58ac748821
MD5: 4ce289a8e3b4dd374221d2b56f921f6d
MD5: e3f8456d5188fd03f202bfe112d3353d
MD5: 9698be7d8551cb89a95ce285c84c46b1
MD5: be8c528a6bff6668093e9aabe0634197
MD5: 48bcc188a4d6a2c70ee495a7742b68b8
MD5: c0f3501b63935add01a6b4aa458a01b7
MD5: 10c32d95367bb9ab2928390ff8689a26
MD5: 39b59bda3c65989b9288f10789779e96
MD5: aa7dc576d1fe71f18374f9b4ae6869fa
MD5: 00bdd194328c2fe873260970da585d84
MD5: 3ad96ccf8e7c5089b80232529ffe8f62
MD5: 1f18b45b25dd50adf163d91481c851cf
MD5: 9577c1b005673e1406da41fb07e914bb
MD5: 19e31123c1ccc072c257347bba220f0e
MD5: b60ca81cec260d44025c2b0374364272
MD5: 0a960df88c2d27d0d4cc27544011fbb0
MD5: 7d14dcfd00f364c788ba51c6c2fc6bdd
Once executed, the original sample MD5: adc9cafbd4e2aa91e4aa75e10a948213 phones back to:
The following malicious subdomains are also known to have responded to the same IP (
We’re also aware of the following malicious MD5s that are known to have phoned back to the same IP (
MD5: 0e27df7a010338d554dba932b94cb11e
MD5: a6e52ca88a4cd80eb39989090d246631
MD5: ab0d8f81b65e5288dd6004f2f20280fd
MD5: e1bda5b01d1ad8c0f48177cd6398b15f
MD5: b2a381fbc544fe69250ad287b55f435b
MD5: 052ae7410594c5c0522afd89eccb85a7
MD5: ddfac94608f8b6c0acfadc7a36323fe6
MD5: 9325e2dddded560c2e7a214eb920f9ea
MD5: 56aaea2b443ea8c9cea248e64d645305
MD5: 4e0bff23a95e8d02800fecbac184cd5f
MD5: 704c5b12247826cf111b1a0fc3678766
MD5: c5fb893b401152e625565605d85a6b7d
MD5: 540f19ff5350e08eff2c5c4bada1f01f
MD5: 8db8c55983125113e472d7dd6a47bd43
MD5: 7c4d4e56f1a9ceb096df49da42cc00ed

Fake ‘You have missed emails’ GMail themed emails lead to pharmaceutical scams

Pharmaceutical scammers are currently mass mailing tens of thousands of fake emails impersonating Google’s GMail, in an attempt to trick Gmail users into clicking on the links found in the spamvertised emails. Once users click on them, they land on pages selling counterfeit pharmaceutical items, with the scammers behind the campaign attempting to capitalize on the ‘impulsive purchase’ type of social engineering tactic typical of this kind of campaign.

Sample screenshot of the spamvertised email:
Sample screenshot of the landing pharmaceutical scam page:
Landing URL: – – Email:
The following pharmaceutical scam domains also respond to the same IP:
The following pharmaceutical scam domains are also known to have responded to the same IP (
This isn’t the first, and definitely not the last time pharmaceutical scammers brand-jack reputable brands in order to trick users into clicking on the links found in the fake emails, as we’ve already seen them brand-jack Facebook’s Notification System, YouTube, as well as the non-existent Google Pharmacy. Thanks to the existence of affiliate networks for pharmaceutical items, we expect that users will continue falling victim to these pseudo-bargain deals, fueling the growth of the cybercrime economy.
Our advice? Never bargain with your health, spot the scam and report it.

MI5 chief defends spying on web traffic as vital for national security

The head of MI5, the UK’s domestic security service, has said the monitoring of internet traffic is vital for stopping terrorist threats.
Speaking on Tuesday evening, the director general of the Security Service, Andrew Parker, dismissed concerns that the UK has been engaging in blanket spying as “utter nonsense”, and said publishing information on spying techniques had provided terrorists with a “gift”.
His comments come in the wake of the PRISM and Tempora spying revelations that broke earlier this year. These revealed that both US and UK spying organisations, such as the Government Communications Headquarters (GCHQ), have been monitoring huge amounts of global internet traffic.
He said that the use of such techniques was vital to keep track of the latest terrorists as they use internet communications to plot terror attacks all the time.
“Technologies advance all the time. But MI5 will still need the ability to read or listen to terrorists' communications if we are to have any prospect of knowing their intentions and stopping them,” he said at the event hosted by the Royal United Services Institute (RUSI).
“The converse to this would be to accept that terrorists should have means of communication that they can be confident are beyond the sight of MI5 or GCHQ acting with proper legal warrant. Does anyone actually believe that?”
He went on to justify any snooping by claiming it was only ever done for the public good and focused on those suspected of terrorism, rather than blanket monitoring citizens at large.
“Let me be clear – we only apply intrusive tools and capabilities against terrorists and others threatening national security. The law requires that we only collect and access information that we really need to perform our functions,” he said.
“In some quarters there seems to be a vague notion that we monitor everyone and all their communications, browsing at will through people's private lives for anything that looks interesting. That is, of course, utter nonsense.”
He also hit out at the leaks of confidential documents that laid bare the extent of the spying programme. He said publishing the information had put national security at risk.
“It causes enormous damage to make public the reach and limits of GCHQ techniques. Such information hands the advantage to the terrorists. It is the gift they need to evade us and strike at will,” he said. “Unfashionable as it might seem, that is why we must keep secrets secret, and why not doing so causes such harm.”
Revelations around the spying programmes hit the headlines in June, after Edward Snowden leaked documents that revealed the existence and scope of the spying programmes.
This led to huge uproar among the tech and wider political landscape, and led to more revelations that the US had been spying on EU discussions and that many encryption technologies had been purposefully engineered to allow snoops easy access.

Microsoft releases fixes for Internet Explorer, Word and Excel vulnerabilities

Microsoft has released fixes for vulnerabilities in a number of key services, including Internet Explorer (IE), Word, Excel, the .Net framework and Windows Kernel-Mode Drivers, in its latest Patch Tuesday.
The vulnerabilities in IE, .Net framework and Windows Kernel-Mode Drivers, were listed as the most serious, categorised as critical. The IE vulnerabilities were disclosed by Microsoft last month after it released a broken patch for them, which was subsequently pulled.
The news was troubling as it meant hackers had been alerted to vulnerabilities before Microsoft had a chance to fully fix them, leaving businesses with a temporary "Fix It" workaround. Trustwave director of security research Ziv Mador said the lack of a true fix was dangerous as the vulnerabilities could be exploited by hackers to mount a remote code execution attack.
"This is the biggie that everyone has been worried about, that was first announced last month and for which Microsoft issued a Fix It," he said.
"The good thing is that if you already applied the Fix It, you do not need to undo the changes before applying this update. The issue with all 10 of these vulnerabilities has to do with how IE handles objects in memory; if items in memory get corrupted in a certain way an attacker could cause that corruption to execute arbitrary code."
The bulletin issued a similar advisory for the .Net framework and Windows Kernel-Mode Drivers vulnerabilities. Ross Barrett, Rapid7 senior manager of security engineering, warned that if left unpatched the vulnerabilities could theoretically be exploited by hackers for a variety of purposes.
"MS13-081 (vulnerabilities in Windows Kernel-Mode Drivers) addresses an exploit path (CVE-2013-3128), which would give an attacker kernel-level access on a system that attempts to render a page containing a malicious OpenType font," he said.
"Technically one of the CVEs in MS13-082 (vulnerabilities in .Net framework) addresses a variant of the same issue, which Microsoft found by auditing the reuse of that code. In this case the variant would only give user-level access to that attacker. At this time this issue is not known to be under active exploitation."
Barrett added that the vulnerability in the Windows Common Control Library was particularly interesting, as it could theoretically be targeted by a self-spreading worm attack.
"MS13-083 looks like a really fun one – a remote, server-side vulnerability offering remote code execution that is hittable through webpages. This is a genuine article; a real, honest to goodness, potentially ‘wormable' condition," he said.
"If the bad guys figure out a way to automate the exploitation of this, it could spread rapidly and the defence in depth measures of your organisation will be tested. However, this vulnerability was privately reported to Microsoft and is not known to be under active exploitation."
Important patches for vulnerabilities in Microsoft Word, Excel and Windows Common Control Library were also released. Microsoft noted that the impact of the Word and Excel flaws depends on the privileges of the logged-in user: a successful exploit runs with that user’s rights, so an account with administrative rights gives an attacker far more than a standard user account does.
"Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," read the bulletin.
Persuading businesses to install patches more regularly has been an ongoing problem facing the security community.
Most recently the dilemma was showcased by the fact numerous firms are still running the outdated Windows XP operating system. The news is troubling as in less than six months Microsoft will officially cease support for the OS, meaning new security vulnerabilities will no longer be patched.