Tuesday, 7 April 2015

Huffington Post: Don't Be the Weakest Link in Your Company's Cyber Security Plan

The other night, after falling asleep and waking up the next morning, I realized I didn't lock the front door to my home. I have locks on the doors, the windows, an alarm system, hurricane shatterproof windows, and two small dogs with a high-pitch bark that could wake the dead; but all that protection won't do me any good if I forget to lock the front door.

I work for a company that has about 20,000 employees. I own a company that has 18. No matter how big or small your company is we all have something to protect. No matter how many layers of security we have in place, people continue to be the weakest link in their company's Cyber security plan.

Let's go back to the front door analogy for a moment. Even though I have all those layers of security to protect my home, if I don't lock the front door then it's all meaningless and I increase my risk to my family -- what I'm trying to protect. The same holds true for us in business every day, only the front door isn't always physical; it is digital too. Our computers, smartphones and tablets lead directly to our company's front door, providing access to anyone who can get in.

Here's a better way of looking at it.

The company we work for stores our personal information -- social security numbers, first names, last names, phone numbers, and addresses. We should have a strong interest to protect that information because if we don't it could mean the loss or theft of our identities. What about our company's confidential information? We want to protect that too because if we don't, it could mean regulatory compliance fines and reputational damage which could seriously impact our company's bottom line. Some people may lose their jobs if our company can't afford to pay us.

Now, I know what you're thinking, "Isn't that why we have a Cyber security team?" Yes, but remember our "front door" analogy? We are at the front door every day, that digital front door. When we power up our computers in the morning and open our e-mail, sometimes there's a link or an attachment just waiting to be clicked or opened, and that link or attachment, whether we realize it or not, is laden with malicious software (a virus or backdoor) that will leave the front door open to our business. So even though we have a security team in place to protect us, if we click that malicious link or attachment, their hard work and the money they invested to keep the company safe may not prevent the bad guys from getting in.

So, are you that person? Are you the one who will leave the digital front door to your company unlocked today? Are you the weakest link in your company's cyber security plan? No matter how many firewalls and layers of computer protection your company invests in, if we don't remember to slow down and check the locks on our doors, we could put ourselves and our company at great risk. We all have a role to play to help keep our companies safe.

Be careful what you click. Don't be enticed by tempting messages to watch a funny video or see a nude celebrity. And try to be aware of new social, political, and environmental issues since many hackers use those types of events to entice you into opening that front door. Slow down. Read carefully. Who is the sender? Were you expecting this message or phone call (yes, be on the lookout for suspicious phone calls too)? If you are unsure then stop what you are doing and ask a security-minded professional what they think. If you develop these kinds of behaviors then you won't be the weakest link in your company's cyber security plan. You will have kept the digital front door locked, and your personal and company information safe and secure.

A Herald-State College of Florida public forum on cyber security, identity theft

Last week President Obama put a bright spotlight on devilish issues that jeopardize all Americans: cyber security and identity theft.
Data breaches are all too commonplace today, with personal information and industrial secrets a gold mine for hackers operating for either profit or country.
The global threat is so pervasive and steady, nobody is immune. Last year, FBI Director James Comey told CBS' "60 Minutes" this: "There are two kinds of big companies in the United States. There are those who've been hacked ... and those who don't know they've been hacked ..."
While he was talking specifically about the Chinese, hackers around the world are at work.
Which is why Obama issued an executive order Wednesday empowering the Treasury Department to freeze the financial assets of Internet attackers who threaten our national and economic security.
That includes the theft of trade secrets and personal information, declaring a national emergency on these online threats.
The issue is particularly hot now with income tax season coming to a close, and some filers finding their identities compromised as thieves steal their returns.
To put this into focus, the Herald and State College of Florida Manatee-Sarasota are holding our next Community Conversation on this issue -- on April 29.
This public forum offers you the opportunity to engage experts in information technology and security and learn about Internet vulnerability and risk awareness.
Presented by the Herald and SCF in partnership with Manatee Educational Television, we invite the public to not only attend, but to send us your questions and concerns about this vital issue ahead of the forum. We'll address as many of your questions as possible during the forum.
In order to keep the conversation moving along, there will not be an open mike for public comments and questions during the forum.
Please submit those in advance of the event to cwille@bradenton.com or send regular mail to Editorial Page Editor Chris Wille, 1111 Third Ave. W., Bradenton 34205. And please include your name.
The free forum will be held from 6-7:30 p.m. April 29 at SCF's Howard Studio Theater, located on the college's Bradenton campus in Building 11 West, off 60th Avenue West between 26th and 34th streets, accessed from Parking Lot I. Details can be found at www.scf.edu/maps.
The forum will be broadcast by METV at later dates.
The pervasive and insidious problem of data breaches is best illustrated by these figures:
• 80 million customers of the country's second largest health insurance company, Anthem, had their birthdays, Social Security numbers and employment information taken by cyber attackers, the firm announced in February.
• In December 2013 Target discovered individual contact information on 110 million customer accounts -- credit and debit details -- had been stolen.
• In September 2014, Home Depot reported credit card information of about 56 million shoppers was compromised.
State College of Florida is revamping its associate in science degree in Network Systems Technology this coming fall. That will include a Cybersecurity and Digital Forensics specialization, patterned after the National Security Administration's Center of Academic Excellence guidelines.
As the college notes, demand for cybersecurity professionals has grown 12 times faster than non-IT jobs, and 3.5 times faster than the demand for other IT jobs in recent years.

Read more here: http://www.bradenton.com/2015/04/07/5731893_a-herald-state-college-of-florida.html?rh=1#storylink=cpy

The White House’s New Executive Order On Cyber Crime is (Unfortunately) No Joke

On the morning of April 1st, the White House issued a new executive order (EO) that asserts that malicious “cyber-enabled activities” are a national threat, declares a national emergency, and establishes sanctions and other consequences for individuals and entities. While computer and information security is certainly very important, this EO could dangerously backfire, and chill the very security research that is necessary to protect people from malicious attacks.
We wish we could say it was a very well-orchestrated April Fool’s joke, but it appears the White House was serious. The order is yet another example of bad responses to very real security concerns. It comes at the same time as Congress is considering the White House’s proposal for fundamentally flawed cybersecurity legislation.
That perhaps shouldn’t be surprising, since so far, D.C.’s approach to cybersecurity hasn’t encouraged better security through a better understanding of the threats we face (something security experts internationally have pointed out is necessary). Instead of encouraging critical security research into vulnerabilities, or creating a better way to disclose vulnerabilities, this order could actually discourage that research.
The most pernicious provision, Section 1(ii)(B), allows the Secretary of the Treasury, “in consultation with” the Attorney General and Secretary of State, to make a determination that a person or entity has “materially … provided … technological support for, or goods or services in support of any” of these malicious attacks.
While that may sound good on its face, the fact is that the order is dangerously overbroad. That’s because tools that can be used for malicious attacks are also vital for defense. For example, penetration testing is the process of attempting to gain access to computer systems, without credentials like a username. It’s a vital step in finding system vulnerabilities and fixing them before malicious attackers do. Security researchers often publish tools, and provide support for them, to help with this testing. Could the EO be used to issue sanctions against security researchers who make and distribute these tools? On its face, the answer is…maybe.
To be sure, President Obama has said that “this executive order [does not] target the legitimate cybersecurity research community or professionals who help companies improve their cybersecurity.” But assurances like this are not enough. Essentially, with these words, Obama asks us to trust the Executive, without substantial oversight, to be able to make decisions about the property and rights of people who may not have much recourse once that decision has been made, and who may well not get prior notice before the hammer comes down. Unfortunately, the Department of Justice has used anti-hacking laws far too aggressively to gain that trust.
As several security researchers who spoke up against similarly problematic terms in the Computer Fraud and Abuse Act recently pointed out in an amicus brief:
There are relatively few sources of pressure to fix design defects, whether they be in wiring, websites, or cars. The government is not set up to test every possible product or website for defects before its release, nor should it be; in addition, those defects in electronic systems that might be uncovered by the government (for instance, during an unrelated investigation) are often not released, due to internal policies. Findings by industry groups are often kept quiet, under the assumption that such defects will never come to light—just as in Grimshaw (the Ford Pinto case). The part of society that consistently serves the public interest by finding and publicizing defects that will harm consumers is the external consumer safety research community, whether those defects be in consumer products or consumer websites.
It’s clear that security researchers play an essential function. It was researchers (not the government) who discovered and conscientiously spread the news about Heartbleed, Shellshock, and POODLE, three major vulnerabilities discovered in 2014. Those researchers should not have to question whether or not they will be subject to sanctions.
To make matters worse, while most of the provisions specify that they apply to activity taking place outside of or mostly outside of the US, Section 1(ii)(B) has no such limitation. We have concerns about how the order applies to everyone. But this section also brings up constitutional due process concerns. That is, if it were to apply to people protected by the U.S. Constitution, it could violate the Fifth Amendment right to due process.
As we’ve had to point out repeatedly in the discussions about reforming the Computer Fraud and Abuse Act, unclear laws, prosecutorial (or in this case, Executive Branch) discretion, coupled with draconian penalties are not the answer to computer crime.

Dyre Wolf malware steals more than $1 million, bypasses 2FA protection

Researchers said they've uncovered an active campaign that has already stolen more than $1 million using a combination of malware and social engineering.
The Dyre Wolf campaign, as it has been dubbed by IBM Security researchers, targets businesses that use wire transfers to move large sums of money, even when the transactions are protected with two-factor authentication. The heist starts with mass e-mailings that attempt to trick people into installing Dyre, a strain of malware that came to light last year. The Dyre versions observed by IBM researchers remained undetected by the majority of antivirus products.
Infected machines then send out mass e-mails to other people in the victim's address book. Then the malware lies in wait. A blog post published Thursday by IBM Security Intelligence researchers John Kuhn and Lance Mueller explains the rest:
Once the infected victim tries to log in to one of the hundreds of bank websites for which Dyre is programmed to monitor, a new screen will appear instead of the corporate banking site. The page will explain the site is experiencing issues and that the victim should call the number provided to get help logging in.
One of the many interesting things with this campaign is that the attackers are bold enough to use the same phone number for each website and know when victims will call and which bank to answer as. This all results in successfully duping their victims into providing their organizations’ banking credentials.
As soon as the victim hangs up the phone, the wire transfer is complete. The money starts its journey and bounces from foreign bank to foreign bank to circumvent detection by the bank and law enforcement. One organization targeted with the campaign also experienced a DDoS. IBM assumes this was to distract it from finding the wire transfer until it was too late.
The success of the Dyre Wolf campaign underscores the need for improved training so employees can better spot malicious e-mails and suspicious ruses like the one involving the phone call to the targets' banks.
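The IBM write-up above notes that the attackers reused one phone number across every bank site they impersonated. The following is an added defender-side example, not code from IBM or the article: it scans constructed samples of banking-page text captured per hostname, extracts phone numbers, and flags a number that turns up on several unrelated banking hosts together with "site is having issues, call us to log in" wording. The hostnames, page text and the `SAMPLE_PAGES` list are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: (banking hostname, text of the login page the user was shown).
# These hosts and numbers are made up for the example, not real indicators.
SAMPLE_PAGES = [
    ("login.examplebank-a.test", "Welcome. Please enter your user ID and password."),
    ("secure.examplebank-b.test",
     "We are experiencing technical issues. Please call (555) 010-0100 for help logging in."),
    ("online.examplebank-c.test",
     "We are experiencing issues with the site. Call 555-010-0100 to log in."),
    ("portal.examplebank-a.test", "Customer service: 555-010-0199"),  # one site only: benign
]

# North-American style numbers: optional (area) code, separators, then 3+4 digits.
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")
# Wording of the Dyre lure: the site "is experiencing issues" / "call ... to log in".
LURE_RE = re.compile(r"experiencing\s(?:\w+\s)?issues|call\s.{0,40}?log\s?in", re.I)


def normalize_phone(raw: str) -> str:
    """Keep digits only and drop a leading country code 1 so formats compare equal."""
    digits = re.sub(r"\D", "", raw)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits


def extract_phones(text: str) -> set:
    return {normalize_phone(m.group(0)) for m in PHONE_RE.finditer(text)}


def find_shared_numbers(pages) -> dict:
    """Map each phone number seen on two or more distinct hosts to those hosts."""
    hosts_by_number = defaultdict(set)
    for host, text in pages:
        for number in extract_phones(text):
            hosts_by_number[number].add(host)
    return {n: sorted(h) for n, h in hosts_by_number.items() if len(h) >= 2}


def flag_lure_pages(pages) -> list:
    """Hosts whose page carries both a phone number and the call-us-to-log-in lure."""
    return [host for host, text in pages
            if extract_phones(text) and LURE_RE.search(text)]


if __name__ == "__main__":
    print("shared numbers:", find_shared_numbers(SAMPLE_PAGES))
    print("lure pages:", flag_lure_pages(SAMPLE_PAGES))
```

In practice the page text would come from a web proxy or endpoint capture of what the user actually saw, since the real bank site never contains this text.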

Linux Australia hacked, warns personal details exposed

Linus Torvalds was at hacked event, but organisers say payment details safe

The names, phone numbers and street and email addresses of delegates for Linux Australia conferences and PyCon have been exposed in a server breach.
The March attack was detected two weeks ago and is revealed in an email to Linux Australia members.
Linux Australia's server held information on delegates to its popular annual conferences for 2013, 2014, and the most recent event held January in Auckland.
PyCon delegates for the 2013 and 2014 conferences are also affected.
Linux Australia told delegates that attackers hit the ZooKeeper conference management system and exposed hashed passwords but not payment information.
"It is the assessment of Linux Australia that the individual utilised a currently unknown vulnerability to trigger a remote buffer overflow and gain root level access to the server," the email signed by the Linux Council of Australia read.
"A remote access tool was installed, and the server was rebooted to load this software into memory.
"A botnet command and control was subsequently installed and started. During the period the individual had access to the Zookeepr server, a number of Linux Australia's automated backup processes ran, which included the dumping of conference databases to disk."
Delegates are urged to change their passwords.
The Linux Australia team operates on a three-member response system in which assessments are conducted by two staff, then again by a third. None of the investigators have knowledge of each other's findings.
This is designed to uncover anomalies and inspire more rigorous analysis.
Linux Australia notified Australia's Privacy Commissioner about the breach and has tightened the screws on the rebuilt server. It has committed to better patching regimes.
The group has welcomed assistance from Computer Emergency Response Teams in identifying the exploited unknown vulnerability.