Thursday, 31 October 2013

Woman Gets the World's First Ticket for Driving With Google Glass

Screen-shot-2013-10-30-at-10.30.58-amCecilia Abadie made history in a way she didn't expect Tuesday night — when a California Highway Patrol officer gave her the world's first known ticket for wearing Google Glass while driving.
Abadie is a project manager at Full Swing Golf in San Diego, and an enthusiastic Glass Explorer. She told her story, and posted the ticket in question, on Google+.
The first violation on the ticket is driving in excess of 65 mph — not an uncommon violation in California. But the second violation reads “Driving with monitor visible to driver (Google Glass)."
To make that part of the ticket stick, however, the officer in question will have to prove that Abadie had the screen active at the time. She says it wasn't.
California Vehicle Code section 27602 says you can't drive if a video screen "is operating and the monitor, screen, or display is visible to the driver while driving the motor vehicle." There are exceptions for GPS and other navigation devices. (If you keep your iPhone open to Google Maps and attached to the dashboard while driving like I do, rest easy.)
Should drivers be ticketed for wearing Google Glass even if the screen is off or in GPS mode? Share your thoughts in the comments.

U.S. Department of Defense to Get Its Own App Store

The_pentagon_january_2008The U.S. Department of Defense is getting its very own app store, so soldiers can more efficiently book plane tickets and call in airstrikes.
The department awarded a contract to Digital Management, a Maryland-based firm, for an initial amount of $2.9 million to build the "mobile device management system," according to a release.
Along with apps that would streamline paperwork and the airstrike process, the department is interested in translation software, facial-recognition apps and a more advanced Google Maps, among other tools.
"Across [the Department of Defense] there is a huge demand for applications," Alana Johnson, a department spokesperson, told Mashable in an email. "Our mission partners are looking for a solution, which closely resembles the experience and user interface that they have grown accustomed to while using their civilian devices."
Jeff Gilmore, a former active duty Air Force officer who developed an app for military use and helped launched the first Defense Entrepreneurs Forum, said there is a desire to make military life more efficient.
"There's a niche need for tools, kind of like productivity tools, that help you out," Gilmore said. "They save you a heck of a lot of time."
Only devices managed by the Defense Department will have access to the store, minimizing the risk of infiltration, Johnson said. What's more, a security system will also be enforced to for protection, and the app store won't contain any classified information that could compromise a defense department mission or plan.
The app store is scheduled to be completed in July 2014.

The Haunted House of Cyber Scares


Trend Micro Halloween Infographic
Don't think supernatural baddies exist? You're about to be proved wrong. Vampires and witches pose some of the most dangerous cyber threats out there. In the spirit of Halloween, Trend Micro released an entertaining infographic that pairs some of the spookiest frights to their cyber counterparts.
The Villains of the NightEven though vampires are the big new heartthrobs, the only thing any sparkling Edward Cullen wants from you is cash from your online bank accounts. Trend Micro associated the bloodsucking fiend to online banking Trojans whose activity has increased by 30 percent from the first to second quarter of this year alone.
Ready to embrace the inner Rick Grimes in you? Zombies are everywhere on the Internet, controlled by botmasters who manipulate them to do their dirty work. These mind-controlled bots engage in an array of wicked acts including stealing information and using device resources. Approximately 30 million connections between bots and command and control servers occurred within the first half of this year.
Ghosts aren't just in scary movies like Paranormal Activity; these creepy spirits are targeted attacks that haunt your online movements as well. Cybercriminals creep around the network and are getting better at attacking individuals and companies undetected. On average, it takes 210 days for a breach to be detected, which is more than 35 days longer than in 2011.
It might a stretch, but sneaky, nocturnal bats embody the threat of mobile spyware. Like bats, remote hackers hide in the dark, using mobile spyware to hear and see what's near your mobile device. It took 18 years for PC malware threats to hit the one million mark, but less than five for mobile malware threats.
Witches can disguise themselves in a variety of forms; just look at the Evil Queen in Snow White for proof. Cybercriminals are the wicked witches of the web who change their malware using polymorphic scripts that automatically change codes for all victims. They use these scripts to target each victim by creating custom malware to take complete advantage of the system.
Battling the MonstersYou can arm yourself all you want with hexes, guns, and holy water but it takes more than garlic cloves and crosses to ward off these evil creatures. To keep yourself safe from cyber terrors, you should invest in comprehensive security solutions. There are multiple ways to arm yourself online. Password managers, like our Editors' Choices Last Pass 2.0 and Dashlane 2.0, generate strong, hard-to-crack passwords to help protect your personal data on websites. Antivirus software, such as Editors' Choice BitDefender Antivirus Plus (2014), is something everyone should have; it helps fortify your devices against malware threats. You have to get out the big guns to take on all these menacing monsters.
Click on the image below to view the full infographic.
Trend Micro Halloween Infographic full

DDoS Frightfest

DDoS attacks
IBM's recently discovered an alarming fact: distributed denial-of-service (DDoS) attacks are rapidly increasing. The company released a report that offers insight on the attacks and reasons to why they're being performed. According to the IBM Cyber Security Intelligence Index the average number of attacks on a single organization in a week is 1,400 attacks, with an average of 1.7 incidents per week.
DDoS Attacks? What Are Those?You might be wondering, what exactly is a DDoS attack? And what's the difference between attacks and incidents? IBM defines attacks as security events that correlation and analytic tools identify as malicious activity trying to collect, degrade, or destroy information system resources or the data itself. This includes URL tampering, denial of service, and spear phishing. Incidents, on the other hand, are attacks that human security analysts review and deem a problem worthy of deeper investigation.
Who's Targeted and WhyMalicious codes and sustained probes are the two most common attacks that make up for over 60 percent of incidents. A sustained scan is reconnaissance activity that's designed to gather information, like operating systems or open ports, about targeted systems. Malicious codes can be Trojan software, keyloggers, or droppers. It is software created to gain unauthorized access into systems and gather information.
The manufacturing industry is the number one targeted industry with 26.5 percent of DDoS attacks directed towards it. Almost 21 percent of attacks are directed at finance and insurance, and 18.7 percent at information and communication. Health and social services and retail and wholesale are targeted 7.3 and 6.6 percent of the time, respectively.
There are a handful of reasons perpetrators execute their invasions. Nearly half of all attacks are opportunistic, meaning that they takes advantage of existing vulnerabilities without any motivation other than to do damage. Twenty three percent are done because of industrial espionage, terrorism, financial crime, or data theft. Perpetrators discontented with their employers or job account for 15 percent of attacks, while only seven percent constitute attacks done in the name of social activism or civil disobedience.
How Do We Stop the Attacks?Humans are the number one cause of vulnerability in organizations. Forty-two percent of the breaches that happen are due to misconfigured systems or applications. End-use errors make up 31 percent of the breaches, while 6 percent is because of both vulnerable codes and targeted attacks. It's important to crack down on online security protocol with employees to prevent your business from falling victim to these attacks.
IBM offers two essential pieces of advice to help organizations prevent incidents: building a risk-aware culture and managing incidents and response. There should be no tolerance if colleagues are careless about security; it is the management's job to enforce stricter regulations on company security and to track company progress. It is crucial to implement company-wide intelligent analytics and automated response capabilities. Enterprises can easily monitor and respond to systems that are automated and unified.
Click on the image below to view the full infographic.
new DDoS full

Tech Support Scam Update: Still Flourishing, Still Evolving

[Update 30th October 2013: with regard to the ping gambit discussed below, please note that protection.com now responds to ICMP echo requests - in other words, if you now run the command "ping protection.com" you should now see a screen something like this:
ping protection new
Note that this is perfectly normal behaviour for a site that responds to ping requests. It's probable that protection.com is now doing so because its owners have no wish, understandably, to have their site associated with support scammer misuse, having been notified by Malwarebytes that the abuse was taking place. However, the ping interface is rather minimal, and might still be confusing enough for a computer user with little knowledge of network to encourage a scammer to try to persuade the victim that these messages somehow prove that his system is infected. It doesn't, of course: as explained below, to ping the protection.com tells you nothing whatever about the protection status of your computer.
If you have no idea what I'm talking about, read on, or skip to the 'Mac Attack' section of the article. (Hat tip to Les Bell of Macquarie University, Sydney, for drawing this development to my attention.]
If you regularly read this blog (come to think of it, even if you don’t…), you will probably be familiar with the tech support scams I’ve written about here so often. If not, I’m referring to the unsolicited phone calls telling you that your computer has a problem of some sort (perhaps a mysterious virus, corrupted files or disk partitions, or attacks by a remote hacker) that the caller will be pleased to fix for you, for a “small” fee.
This is, however, an area of cybercrime I haven’t looked at lately on this blog: partly because I’ve been getting far fewer of them myself. (Maybe they’ve got tired of my asking them awkward questions and calling them names when the entertainment value has worn thin.) That doesn’t mean they’ve gone away, of course, and it’s about time I brought you up to date with some of the recent tricks I’ve seen and heard reported.
Some relate to the type of ‘problem’ the scammer claims has affected your system, some relate to the ongoing development of new ways of misusing system utilities and legitimate software in order to ‘prove’ that (a) the scammer is really able to identify your system (b) there really is something wrong on that system. And finally, there’s some information on a trick that has been reported as targeting Mac users, but could also be used against PC users.
Our previous blogs on the topic still attract lots of comments, and very interesting and useful they are too. Some of them tell us a lot about the type of social engineering that the scammers are using to ‘soften up’ the intended victim. One commenter was told:
…there have been complaints from my IP address about scam emails sent to the government, that there have been mentions of bombs and terrorism in my messages, and he asked me if I was one of them. Then he said that lots of porn has been downloaded from my PC if I was downloading it or not!
The same comment also describes how the scammer asked:
…if I thought it was a joke that he had my phone number … and he had my address … and of course that the called was being recorded.
I love it when a scammer gets irritated and self-righteous because he doesn’t think you’re taking him seriously enough. However, it’s probably not a good idea to annoy him if and while he has remote access to your computer.
There are several gambits here worth noting.

Dial Tone

One is the use of the threat of government or law enforcement interest and action, based on the supposition that the victim has engaged in fraudulent or terrorist activity, or even sharing pornographic material. This kind of threat is commonly associated with malware and especially ransomware, and seems increasingly associated with support scamming. At any rate, I’ve heard several reports recently of incidents where the scammer has persuaded the victim to allow him access to his machine and taken advantage of the access to install ransomware – or some other type of malware – and then required payment for its removal.
Another is the assertion that ‘knowing’ the victim’s telephone number and address somehow proves the scammer’s claims. In fact, we know that cold-call scammers use a variety of techniques for finding their victims. Sometimes they use automated or semi-automated predictive call dialers (diallers for those of us in the UK…): that is, hardware or dialing software that simply works through a sequence of numbers. This approach is often used by cold-callers to play a recorded message when the call is answered.
(Readers in the UK will probably be all too familiar with automated messages urging them to claim back money they’re owed by Payment Protection Insurance companies – these aren’t all unequivocal scams, but should certainly be taken with a pinch or three of salt, and I may come back to that particular issue in another blog.)
However In support scams (as well as in other scams and even in more legitimate telemarketing operations), the dialer normally connects the call recipient to a live agent when the call is answered. Legitimate telemarketers should (but often don’t) avoid numbers that are on a local do-not-call registry like the US National Do Not Call database, Canada’s National Do Not Call List or the UK’s Telephone Preference Service. Scammers, however, usually have no such qualms.
The disadvantage of the automated dialing method is that they don’t necessarily have personalized information relating to a specific number. However, support scammers are as capable as anyone else of looking up names and addresses in on-line directories and less legitimate sources. (Unfortunately, having an unlisted telephone number isn’t a guarantee that someone won’t sell it on.)
None of this proves in the least that:
  • The scammer is who he says he is, or represents Microsoft or any other company he claims to be working for or with, or the police, or the FBI, the NSA or even the BBC. ;-)
  •  That Microsoft or anyone else has given him information about your system, your IP address, or anything else that’s supposed to show that your system is insecure or ailing.
The threat that the phone call is being recorded is just that: bullying and fearmongering. If anyone seriously suspects you of wrongdoing, you’re still more likely to get a knock on the door than a phone call (or email) that might be from anyone at all. For example, another commenter tells us that he was told that his PC was being used as a slave to download music, presumably illegally. A scammer might also accuse a potential victim of other kinds of copyright infringement, theft of intellectual property, and all kinds of other criminal activity. Don’t let them panic you into parting with credit card information for fear of being wrongfully accused. If it comes to that, don’t let them panic you in other ways, such as telling you that your town or even your country is being buried under an avalanche of malware that anti-virus doesn’t detect but which they can somehow fix.

CLSID still isn’t a unique identifier for your PC

Another commenter told us that he received a call from someone claiming to be Microsoft Support. The victim was told that his computer would not receive Windows updates because of infection. He was convinced by the CLSID gambit that the scammer really knew of a problem with his system, not realizing at that time that CLSID does not uniquely identify a Windows PC (see Support desk scams: CLSID not unique for more details), so he allowed the scammer to access his PC remotely. (AMMYY, LogMeIn and Team Viewer are legitimate remote access programs commonly misused by support scammers for this purpose.)
When I questioned how they could tell my computer was infected, he directed me to do something. A window showed several IP addresses (all my computer) and another number next to each IP address that looked like MAC addresses, but I am not certain. The next column had a label of some sort that I can’t remember, but it seemed to indicate that each was a foreign or infected file.
My colleague Aryeh Goretsky suggests that the utility misused in this case was the Windows netstat utility, though we’re not sure exactly what version or combination of parameters might have been used. Aryeh points out that the values the commenter suggests are MAC addresses might be IPv6 addresses, which are displayed in hexadecimal notation. Here’s an example:
[fe80::841c:83ff:993f:cf0e%13]:445
This screenshot shows the Windows 8.0 version used with the –n parameter, which displays addresses and port numbers numerically. Of course, ‘Foreign Address’ doesn’t mean infected, but non-local.
(Click on any of the images below if you want a closer view.)
netstat
And this screenshot shows the default display (again, in Windows 8.0),
netstat2
The command ‘netstat -? will display the options available on your particular system at the command line.
Another commenter told us that he’d been told to ‘press Windows R’ (i.e. bring up the Run command) and then type ‘inf location virus’ into the dialog box.  Fortunately, this commenter knew that the inf command – strictly speaking, a search term – simply shows the contents of a folder normally named C:\Windows\Inf, which contains files used in installing the system. Inf doesn’t recognize – and in fact simply ignores – any parameters even if they’re as sinister-sounding as ‘virus locations’.
inf copy
I discussed the misuse of the inf search term at some length in Support Scammers (mis)using INF and PREFETCH, but clearly it’s still being used. So, it turns out, is prefetch: Virus Bulletin’s Martijn Grooten, with whom I’ve worked several times on support-scam-related issues, recently reported its reappearance in one of his blog articles for Virus Bulletin – Phone support scams: an old scam with some new tricks. In this instance, the scammer homed in on the fact that rundll32.exe was found in the Windows Prefetch folder (not surprisingly, as it’s an essential system utility), and ran a Google search that flagged the fact that malicious files sometimes masquerade as rundll32.exe. Presumably, in the hope that a victim would be convinced that prefetch was really flagging malware in this instance.
Martijn also mentioned the Indexing Service gambit flagged by Kaspersky’s David Jacoby that I talked about in yet another blog – New Support Scam Gambits: Frozen Virus a Frozen Turkey. The image below, from my older blog, shows typical misuse, where the VBScript ‘service not running’ message is claimed to be proof that a software or hardware licence has expired. In fact, the error message simply shows that there is no such service as ‘software warranty’.
indexing service
Or ‘software warrenty’, in the example cited by Martijn: scammers are often notable for their haphazard spelling and command of English in general, though good English is by no means an infallible indication of honesty and good intentions.

View to a Shill

And, naturally, the old favourite Event Viewer (eventvwr.exe) still rates a mention in Martijn’s blog (after all these years!), continuing to be misrepresented as showing the presence of imaginary malware or system problems that the scammer can ‘fix’ for you.
event-viewer

Mac Attack

However, the last gambit I’m going to talk about on this occasion is something a little different. While there has been the occasional hint of Mac-specific scam action, cold-calling scammers don’t usually have a script prepared for Mac users. (I particularly appreciated the scammer who, when I said I was using a Mac – as in fact I was at that time – went to consult her supervisor and then came back and said she was unable to ‘help’ me.) However, a recent blog article for Malwarebytes by Jerome Segura describes how a company called Speak Support offering “Mac® Techical Support” misused the internet utility ping in the hope of convincing a potential victim that he has no active protective software on his system.
When Jerome allowed Speak Support to access his Mac remotely using TeamViewer, the tech opened a terminal window and used ping from the command line to query a site called protection.com. This is what I got when I did the same thing.
wilbur:~ davidharley$ ping protection.com
PING protection.com (72.26.118.81): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6
Request timeout for icmp_seq 7
Request timeout for icmp_seq 8
Request timeout for icmp_seq 9
Request timeout for icmp_seq 10
^C
--- protection.com ping statistics ---
10 packets transmitted, 0 packets received, 100.0% packet loss
The ^C shows where I got bored with counting timeouts and terminated the request.

Winging it and Pinging it

So what does this tell us? The utility was designed, back in the early days of networking, to determine whether a server was available by sending it ICMP (Internet Control Message Protocol) packets, and to measure how long it took for an acknowledgement to be received. In this instance, the packets are not being acknowledged, which you might think means that protection.com is not online.
However, it’s very common (and has been for many years, certainly back when I was administering Unix systems) for Internet-facing servers to be configured not to respond to ping requests, as a countermeasure against certain classes of Denial of Service attack. So it’s not surprising if the protection.com domain is configured not to respond. And that appears to be the case: protection.com is certainly online at the time of writing, even though ping isn’t acknowledged. The domain actually belongs to Life Alert, which describes itself as “a Personal Emergency Response and Home Medical Alert System company”, and seems to have no connection whatsoever with Speak Support and its activities.
However, the essential message here is that the use of ping tells you nothing about whether the Mac is protected against malware. However, the Malwarebytes blog suggests that scammers are asserting – quite incorrectly and presumably with intent to mislead – that the ‘lost packets’ message that results is an indication that the system is unprotected.
I should make it clear that this wasn’t a cold call: Jerome actually made a call proactively to a ‘support line’ advertised on a web site that offered Mac support ‘expertise’. He suggests that:
It’s quite possible the next time cold call scammers phone you up, they’ll already have a script made for Mac users as well, just in case.
An interesting speculation, but at the moment, I’m not seeing any reports of cold-callers who use this gambit when a potential victim says that they’re using a Mac. In fact, you’d think that even the most naïve user would be slightly suspicious if someone rang him to say his Windows PC was in trouble when he was actually using a Mac, but I guess there are ways round that.
There are, however, two aspects to this scam that are of particular interest. One is that the attack is clearly aimed at Mac users, albeit Mac users who go out of their way to contact Speak Support, and it might indeed fool a Mac user with no experience of old-school Internet utilities or Unix command-line prompt.
The other interesting aspect is that this isn’t actually a Mac-specific attack, since the ping utility is supported on many platforms, including Windows. The screenshot below shows the same ping request on a Windows 8.0 machine.
ping protection copy
And this, just for complete information, is what a successful ping request looks like:
ping virgin
I hate to think what a support scammer would claim that successfully pinging virgin.com tells us about the system I’m running, but it took me quite a few attempts to find a well-known domain that does acknowledge ping requests.
Martijn, Steve Burn of Malwarebytes, and independent researcher Craig Johnston and I put together papers for Virus Bulletin 2012 – My PC has 32,539 errors: how telephone support scams really work – and CFET (Computer Forensics Education and Training) 2012 – FUD and Blunder: Tracking PC Support Scams – which cover much of this material in a lot more detail.
Hat tips to Martijn, Jerome, Greg Wasson for a conversation at this year’s Virus Bulletin, and the many people whose comments have added to our knowledge of this scam.

Windows XP users already facing malware invasion – before Microsoft “pulls plug”

Windows XP users already face far higher risks from malware  – with XP users facing infection rates six times higher than Windows 8 users, according to a report released by the company. Microsoft will withdraw support for the ageing platform in April next year – despite the fact that one in five PCs on Earth still use it.
Per 1,000 PCs scanned, 9.1 XP machines had been infected – as compared to 1.6 for Windows 8, according to a report by V3.
“Microsoft Windows XP was released almost 12 years ago, which is an eternity in technology terms. While we are proud of Windows XP’s success in serving the needs of so many people for more than a decade, inevitably there is a tipping point where dated software and hardware can no longer defend against modern day threats and increasingly sophisticated cybercriminals,” Microsoft wrote in a statement this week.
Around 21% of PCs worldwide still run Windows XP, according to a report by Neowin, speaking to Holly Stewart, Senior Program Manager of the Microsoft Malware Protection Center. In the U.S., 13% of PCs still use Windows XP.
“On April 8 2014, support will end for Windows XP. This means Windows XP users will no longer receive security updates, non-security hotfixes or free/paid assisted support options and online technical content updates. After end of support, attackers will have an advantage over defenders who continue to run Windows XP,” Microsoft said.
Google and Mozilla have both said they will continue to support their browsers after that point. The OS, however, will be vulnerable. After April, only companies paying for custom support will be protected – and up to a third of organizations are expected to still use Windows XP machines, according to earlier research by British firm Camwood.
Some security experts predict a “wave” of attacks at that point, with cybercriminals having banked exploits in anticipation of that moment.
“The average price on the black market for a Windows XP exploit is $50,000 to $150,000 – a relatively low price that reflects Microsoft’s response,” said Jason Fossen of security training company SANS earlier this year.
“When someone discovers a very reliable, remotely executable XP vulnerability, and publishes it today, Microsoft will patch it in a few weeks. But if they sit on a vulnerability, the price for it could very well double.”
Many firms have been slow to migrate from the ageing platform – despite the fact that Microsoft recommended leaving at least 18 months to migrate.

Big companies still fall for social engineering “hacks” by phone – and it’s not getting better

Major companies such as Disney, Boeing and General Electric are still handing out information to “hackers” using the most basic tool of all – the human voice.
The Social Engineer Capture the Flag competition held at the Defcon security conference this year issued its full report today – and it’s grim reading, as major companies continue to “leak” crucial information in basic social engineering attacks via the telephone. Ten major US companies were targeted – and most handed out information to the attackers.
Major hacks such as the recent defacement of the New York Times home page rely on “social engineering” – fooling people into handing over information, before sending targeted emails to penetrate networks.
This year’s test found that even huge companies such as the 10 under test were not immune – and the “hackers” were also untrained, using only publicly available information (such as Facebook pages) to select targets and “craft” their phone calls, according to a report by Computer World.
The attackers were available to capture information such as which operating system was used on company systems, whether wireless access was available, whether a company used a virtual private network – and information such as who supplied vending machines and catering services. All of this could be used by hackers as the basis of an attack.
“Social engineering has played some role in nearly every major hack you have read about over the last few years, yet this year’s competition clearly illustrates how poorly prepared companies are to defend against socially engineered attacks,” said Chris Hadnagy, Chief Human Hacker, Social-Engineer, Inc.
“While there continues to be improvements in the quality and preparation of the contestants, there have not been any significant improvements by companies to secure information available on the internet and educate and prepare employees against a disciplined social engineer.
“For example, one contestant was able to find an improperly secured help desk document that provided log in credentials for the target company’s employee-only online portal. It’s disheartening to note that after years of attacks and years of warnings, these valuable pieces of information are still so easily found and exploited.”
The contest organizers selected 20 untrained contestants (10 men, 10 women), and chose brands who US customers rely on – as these would have access to their personal and financial information.
Only this week, Adobe revealed that details for 38 million users had leaked in an attack on their systems.
“The bottom line is the firms did really poorly,” says Michele Fincher of Social-Engineer.inc, which stages the contest each year, according to a report by CIO magazine.
“The companies who happened to do well did so accidentally or out of ignorance in they either couldn’t answer the question or didn’t know how, so the call shut down. Very few said, ‘I am not allowed to give out this information.’”
Social engineering is the basis of many hacks and attacks – some We Live Security reports on the subject can be found here.
The organizers noted that the untrained “attackers” crafted cleverer cover stories – ie rather than being students or researchers – and stuck to them better, taking laptops with them and using notes on the “victim” companies. They also voiced surprise at the amount of information available during the “research” phase – where callers were able to pick who to target within each company, using data collection tool Maltego as wel as Google, LinkedIn, Bing, Facebook and other sites such as BlogSpot.
“This was an excellent competition,” the organizers said, “One thing we do not, see, however, are any significant improvements on the part of companies to educate and prepare themselves against social engineering attacks.”

IT chiefs' power to say no to cloud use and BYOD is over

Laptop showing cloud and mobile devices
AMSTERDAM: Firms must accept that cloud computing use and the bring your own device (BYOD) trend are the new normal and incorporate them into security strategies, according to RSA programme committee chairman Hugh Thompson.
Thompson said cuts to enterprise budgets in the past five years has radically changed security professionals' place in the business, during a speech at the RSA Conference 2013.
"In the past, security professionals had veto powers. Five years ago if somebody in the business came up with some public cloud strategy that was going to save loads of money, if we said 'no' the enterprise would listen to us. Then we had a financial downturn," he said.
"Now it's not the same. For example, five years ago businesses took a hard line to bring your own device and insisted on business handsets, but now that's changed. How many times do you see a business professional pull out a BlackBerry these days? Today I think most of us have accepted we can't stop this transition."
The RSA chief said the transition means security professionals' roles are now more about enabling rather than choosing what new technologies are used.
"We're transitioning into a spotter role. One where we ask the business where it wants to go and help them get there. Even though we're at the most threatening stage in our history, we're no longer in the business of saying no," he said.
He said the change means security professionals will have to be more aware of the businesses' needs than ever before and will have to find cost-effective ways to protect networks and data.
"In the next five years the business of security will be a business, not technology, industry. We'll be aligned with the direction of the business and tasked to spot things that don't matter," he said. Thompson added that, to do this, professionals will have to rethink the way they work to reduce cost and improve their overall efficiency.
Thompson added that security professionals should learn from other industries that have gone through similar transitions, such as insurance. "Previously when trying to get car insurance they'd just ask your age and what you drive. Contrast that to the way they do it today," he said.
"Now they ask you loads of questions, like what children I have, my level of education, how long I've been married. These are hard questions – based on statistics – that let them know if I'm a good investment."
Thompson listed education as another key strategy that security professionals could use to cost-effectively boost businesses' defences.
"People are all on LinkedIn, Facebook and Twitter. But we still need to educate them about what is OK to do. We need to get them to understand; you should feel free to talk about your cat and what you had for dinner on these services, but don't put a post up about your IT project, that's not cool," he said.
The comments from Thompson counter those of the chairman of John Lewis who said earlier this year that firms must learn to listen to IT teams and to sometimes accept no for an answer when considering new tech projects.

BT boosts cyber security by hiring 137 new staff

BT logo
AMSTERDAM: BT has recently hired 137 new personnel to help battle growing cyber security issues, explaining that it is seeking out talent from new areas, not just university recruitment schemes.
BT Security chief executive Mark Hughes said this strategy of seeking talent from new areas is vital for all firms if they hope to avoid falling victim to hackers. He argued that the current UK cyber skills gap means firms must recruit and nurture talent wherever they find it.
"Recruiting skilled people is a big deal for BT. For example, recently we added about 137 people to my team alone. Some of these were apprenticeships, some were people with existing network skills, some were graduates," he said at the 2013 RSA conference, attended by V3.
"In addition to that we're involved in the Cyber Security Challenge UK. As a leading internet service provider you need quite a broad network of skills. People who are good at cryptography aren't necessarily good at managing devices. That's why we're going through other streams while still looking at universities."
The Cyber Security Challenge is a public competition designed to help find people with the skills to work in the security industry. Entrants go through a series of challenges to discern their strengths and weaknesses, in areas such as code tracking, attack mitigation, penetration testing and cryptography. BT has been a constant supporter of the initiative and has partnered with the GCHQ to create the final stage of the 2013 challenge.
Hughes highlighted the company's experience in finding skilled penetration testers as a key reason the company recruits outside of universities. "Penetration teams are key people and they are tricky to recruit for a variety of reasons. I'm aware of what people like CREST [the Council for Registered Ethical Security Testers] are moving to do to help with this, but the skills are sometimes grown in house."
CREST is an independent body that provides accreditation to penetration testers, which has been praised by numerous companies within the security community for its efforts to create a constant set of standards within penetration testing.
Hughes cited BT's experience in mitigating threats during the 2012 Olympic games as proof of the need to constantly recruit skilled security professionals.
"What we learned during the games is the age-old truth that a lot of technology won't solve your problems. The technologies we have are getting better and better, but so are the criminals," he said.
"Having the right people with the rights skills and understanding around the systems is so important. It's as much about having the right process and people in place that understand the network enough to take real-time action, as it is about having the right technology."
The BT chief said as well as new skilled people, businesses will also have to continue adapting their systems to deal with new threats. "The nature of current threats means it is no longer a case of build it [security] and walk away, it's about setting it up as something that's going to continue to evolve," he said.
Despite the growing nature of the threat Hughes said there are still some areas BT will not recruit from. "We don't employ anyone with a conviction, but I invest a lot in what I call my security academy, which is where if I see someone with specific skills I invest," he said.
Outside recruitment the BT chief highlighted information sharing as another way businesses can protect themselves from hackers. Hughes paid special creed to the UK's Cyber Security Information Sharing Partnership (CISP).
"Another key lesson we learned is about sharing intelligence. We've talked about it a lot but recently it has finally begun to happen in a number of areas where we operate. In the UK we have CISP, which we're a part of. Thanks to things like it we're really beginning to see actionable intelligence being shared," he said.
The UK government launched CISP in March as a part of its ongoing Cyber Security Strategy. The CISP initiative is designed to increase the amount of threat data being shared between the public and private sector by creating a central information hub.

NSA and GCHQ spied on Google and Yahoo network traffic

eye-spy-snoop-numbers
The NSA and GCHQ have been accessing and collecting data flowing between the data centres used by Google and Yahoo, according to the latest documents released by whistleblower Edward Snowden.
The Washington Post reported that it had seen material which showed that the spy agencies had direct access to traffic flowing between the firm’s data centres, enabling it to view content stored on services such as Gmail and Drive.
The NSA and GCHQ did this by tapping the telecoms links between the locations, under a project called MUSCULAR, which used interception points in the network to copy the entire data flows between the data centers to its own storage facilities, The Washington Post reported.
If true the revelations mark yet another disturbing level of surveillance by the spy agencies as it shows the direct traffic for major US tech giants were considered fair game. Google engineers were said to have "exploded with profanity" when they were made aware of the snooping.
V3 contacted Google and Yahoo for comment on the revelations but had received no reply at the time of publication.
The Washington Post reported that Google said it was "troubled by allegations of the government intercepting traffic between our data centers" and it claimed it was unaware of the activity.

“We have long been concerned about the possibility of this kind of snooping, which is why we continue to extend encryption across more and more Google services and links,” the company said.
Yahoo also denied knowledge of any spying on its services. “We have strict controls in place to protect the security of our data centres, and we have not given access to our data centres to the NSA or to any other government agency,” The Washington Post reported.
The revelations follow a raft of leaks from whistleblower Edward Snowden that showed the US and UK have been spying on citizens, firms and world leaders for a number of years.
Originally it was revealed that data from phone calls and public web traffic was being monitored under the PRISM programme. Operation Tempora also came to light, showing that the UK was tapping into telecoms networks to gather data that was being sent around the globe.
More recently it has been revealed that phones used by world leaders such as German chancellor Angela Merkel have been tapped for data on communications, although the US claims no content was ever recorded.

Twitter Unrestricted File Upload Vulnerability

Security expert Ebrahim Hegazy has found another serious vulnerability in Twitter, he has discovered an Unrestricted File Upload Vulnerability.

The popular Ebrahim Hegazy has found another serious vulnerability in Twitter, the cyber security analyst and Consultant at Q-CERT has discovered a flaw in the social media that allows Unrestricted File Upload.
When a user creates a new application on Twitter from Twitter Developer Center (https://dev.twitter.com/) the procedure allows for the authors to upload an image to associate with the application.
ebrahim Unrestricted File Upload Vulnerability
The image Uploader will check for the uploaded files to accept certain image extensions only, like PNG, JPG while other extensions won’t get uploaded.
The Unrestricted File Upload Vulnerability allowed the expert to bypass this inadequate security check and to successfully upload .htaccess and .php files to twimg.com server. I remind to the readers that twimg.com is working as a CDN (content delivery network) for Twitter which mean that every time user uploads a  file it will be hosted on a different server/subdomain  of twimg.com. The twimg.com was one of the demons attacked by the Syrian Electronic Army during the offensive against Twitter.
In CDN’s usually scripting engines are not allowed to run, the a normal scenarios a successful exploitation of uploading htaccess & PHP files to a server that supports the PHP is:
But in Twitter case the consequences are:
  • It could be used to make twimg.com as a Botnet Command server by hosting a text file with commands, so infected machines would connect to that file to take its commands. Since twimg.com is a trusted domain by users so it won’t grab the attention.
  • Hosting of malicious files.
  • It could be used to upload a text page with a defacement content and then add the infected sub-domains of twimg.com as a mirror to Zone-h.org which would affect the reputation of Twitter.
The following videos are the proof of the concept of the Unrestricted File Upload Vulnerability in Twitter

 http://www.youtube.com/watch?feature=player_embedded&v=4g2uwJ7H7zM

http://www.youtube.com/watch?v=kh4yxZbp6Gw&feature=player_embedded

Twitter recognized the criticality of the Unrestricted File Upload Vulnerability and added Hegazy name to their hall of fame. I personally reached Ebrahim Hegazy that revealed me that he has also found an Open redirection Vulnerability in Twitter on 15th Sept. that has also been fixed, following the POC:
I conclude with a personal consideration, it’s shame Twitter hasn’t a bounty program, in my opinion is fundamental to incentive hackers to ethical disclosure of the bug. An attack against a social media could have serious repercussion on the users and on the reputation of the platform, if hackers sell the knowledge of the flaw on the black market a growing number of cyber criminals could benefit by it.

The Battle for Power on the Internet

We're in the middle of an epic battle for power in cyberspace. On one side are the traditional, organized, institutional powers such as governments and large multinational corporations. On the other are the distributed and nimble: grassroots movements, dissident groups, hackers, and criminals. Initially, the Internet empowered the second side. It gave them a place to coordinate and communicate efficiently, and made them seem unbeatable. But now, the more traditional institutional powers are winning, and winning big. How these two side fare in the long term, and the fate of the rest of us who don't fall into either group, is an open question -- and one vitally important to the future of the Internet.
In the Internet's early days, there was a lot of talk about its "natural laws" -- how it would upend traditional power blocks, empower the masses, and spread freedom throughout the world. The international nature of the Internet circumvented national laws. Anonymity was easy. Censorship was impossible. Police were clueless about cybercrime. And bigger changes seemed inevitable. Digital cash would undermine national sovereignty. Citizen journalism would topple traditional media, corporate PR, and political parties. Easy digital copying would destroy the traditional movie and music industries. Web marketing would allow even the smallest companies to compete against corporate giants. It really would be a new world order.
This was a utopian vision, but some of it did come to pass. Internet marketing has transformed commerce. The entertainment industries have been transformed by things like MySpace and YouTube, and are now more open to outsiders. Mass media has changed dramatically, and some of the most influential people in the media have come from the blogging world. There are new ways to organize politically and run elections. Crowdfunding has made tens of thousands of projects possible to finance, and crowdsourcing made more types of projects possible. Facebook and Twitter really did help topple governments.
But that is just one side of the Internet's disruptive character. The Internet has emboldened traditional power as well.
On the corporate side, power is consolidating, a result of two current trends in computing. First, the rise of cloud computing means that we no longer have control of our data. Our e-mail, photos, calendars, address books, messages, and documents are on servers belonging to Google, Apple, Microsoft, Facebook, and so on. And second, we are increasingly accessing our data using devices that we have much less control over: iPhones, iPads, Android phones, Kindles, ChromeBooks, and so on. Unlike traditional operating systems, those devices are controlled much more tightly by the vendors, who limit what software can run, what they can do, how they're updated, and so on. Even Windows 8 and Apple's Mountain Lion operating system are heading in the direction of more vendor control.
I have previously characterized this model of computing as "feudal." Users pledge their allegiance to more powerful companies who, in turn, promise to protect them from both sysadmin duties and security threats. It's a metaphor that's rich in history and in fiction, and a model that's increasingly permeating computing today.
Medieval feudalism was a hierarchical political system, with obligations in both directions. Lords offered protection, and vassals offered service. The lord-peasant relationship was similar, with a much greater power differential. It was a response to a dangerous world.
Feudal security consolidates power in the hands of the few. Internet companies, like lords before them, act in their own self-interest. They use their relationship with us to increase their profits, sometimes at our expense. They act arbitrarily. They make mistakes. They're deliberately -- and incidentally -- changing social norms. Medieval feudalism gave the lords vast powers over the landless peasants; we're seeing the same thing on the Internet.
It's not all bad, of course. We, especially those of us who are not technical, like the convenience, redundancy, portability, automation, and shareability of vendor-managed devices. We like cloud backup. We like automatic updates. We like not having to deal with security ourselves. We like that Facebook just works -- from any device, anywhere.
Government power is also increasing on the Internet. There is more government surveillance than ever before. There is more government censorship than ever before. There is more government propaganda, and an increasing number of governments are controlling what their users can and cannot do on the Internet. Totalitarian governments are embracing a growing "cyber sovereignty" movement to further consolidate their power. And the cyberwar arms race is on, pumping an enormous amount of money into cyber-weapons and consolidated cyber-defenses, further increasing government power.
In many cases, the interests of corporate and government powers are aligning. Both corporations and governments benefit from ubiquitous surveillance, and the NSA is using Google, Facebook, Verizon, and others to get access to data it couldn't otherwise. The entertainment industry is looking to governments to enforce its antiquated business models. Commercial security equipment from companies like BlueCoat and Sophos is being used by oppressive governments to surveil and censor their citizens. The same facial recognition technology that Disney uses in its theme parks can also identify protesters in China and Occupy Wall Street activists in New York. Think of it as a public/private surveillance partnership.
What happened? How, in those early Internet years, did we get the future so wrong?
The truth is that technology magnifies power in general, but rates of adoption are different. The unorganized, the distributed, the marginal, the dissidents, the powerless, the criminal: They can make use of new technologies very quickly. And when those groups discovered the Internet, suddenly they had power. But later, when the already-powerful big institutions finally figured out how to harness the Internet, they had more power to magnify. That's the difference: The distributed were more nimble and were faster to make use of their new power, while the institutional were slower but were able to use their power more effectively.
So while the Syrian dissidents used Facebook to organize, the Syrian government used Facebook to identify dissidents to arrest.
All isn't lost for distributed power, though. For institutional power, the Internet is a change in degree, but for distributed power it's a qualitative one. The Internet gives decentralized groups -- for the first time -- the ability to coordinate. This can have incredible ramifications, as we saw in the SOPA/PIPA debate, Gezi, Brazil, and the rising use of crowdfunding. It can invert power dynamics, even in the presence of surveillance censorship and use control. But aside from political coordination, the Internet allows for social coordination as well to unite, for example, ethnic diasporas, gender minorities, sufferers of rare diseases, and people with obscure interests.
This isn't static: Technological advances continue to provide advantage to the nimble. I discussed this trend in my book Liars and Outliers. If you think of security as an arms race between attackers and defenders, any technological advance gives one side or the other a temporary advantage. But most of the time, a new technology benefits the nimble first. They are not hindered by bureaucracy -- and sometimes not by laws or ethics either. They can evolve faster.
We saw it with the Internet. As soon as the Internet started being used for commerce, a new breed of cybercriminal emerged, immediately able to take advantage of the new technology. It took police a decade to catch up. And we saw it on social media, as political dissidents made use of its organizational powers before totalitarian regimes did.
This delay is what I call a "security gap." It's greater when there's more technology, and in times of rapid technological change. Basically, if there are more innovations to exploit, there will be more damage resulting from society's inability to keep up with exploiters of all of them. And since our world is one in which there's more technology than ever before, and a faster rate of technological change than ever before, we should expect to see a greater security gap than ever before. In other words, there will be an increasing time period during which nimble distributed powers can make use of new technologies before slow institutional powers can make better use of those technologies.
This is the battle: quick vs. strong. To return to medieval metaphors, you can think of a nimble distributed power -- whether marginal, dissident, or criminal -- as Robin Hood; and ponderous institutional powers -- both government and corporate -- as the feudal lords.
So who wins? Which type of power dominates in the coming decades?
Right now, it looks like traditional power. Ubiquitous surveillance means that it's easier for the government to identify dissidents than it is for the dissidents to remain anonymous. Data monitoring means easier for the Great Firewall of China to block data than it is for people to circumvent it. The way we all use the Internet makes it much easier for the NSA to spy on everyone than it is for anyone to maintain privacy. And even though it is easy to circumvent digital copy protection, most users still can't do it.
The problem is that leveraging Internet power requires technical expertise. Those with sufficient ability will be able to stay ahead of institutional powers. Whether it's setting up your own e-mail server, effectively using encryption and anonymity tools, or breaking copy protection, there will always be technologies that can evade institutional powers. This is why cybercrime is still pervasive, even as police savvy increases; why technically capable whistleblowers can do so much damage; and why organizations like Anonymous are still a viable social and political force. Assuming technology continues to advance -- and there's no reason to believe it won't -- there will always be a security gap in which technically advanced Robin Hoods can operate.
Most people, though, are stuck in the middle. These are people who have don't have the technical ability to evade either the large governments and corporations, avoid the criminal and hacker groups who prey on us, or join any resistance or dissident movements. These are the people who accept default configuration options, arbitrary terms of service, NSA-installed back doors, and the occasional complete loss of their data. These are the people who get increasingly isolated as government and corporate power align. In the feudal world, these are the hapless peasants. And it's even worse when the feudal lords -- or any powers -- fight each other. As anyone watching Game of Thrones knows, peasants get trampled when powers fight: when Facebook, Google, Apple, and Amazon fight it out in the market; when the US, EU, China, and Russia fight it out in geopolitics; or when it's the US vs. "the terrorists" or China vs. its dissidents.
The abuse will only get worse as technology continues to advance. In the battle between institutional power and distributed power, more technology means more damage. We've already seen this: Cybercriminals can rob more people more quickly than criminals who have to physically visit everyone they rob. Digital pirates can make more copies of more things much more quickly than their analog forebears. And we'll see it in the future: 3D printers mean that the computer restriction debate will soon involves guns, not movies. Big data will mean that more companies will be able to identify and track you more easily. It's the same problem as the "weapons of mass destruction" fear: terrorists with nuclear or biological weapons can do a lot more damage than terrorists with conventional explosives. And by the same token, terrorists with large-scale cyberweapons can potentially do more damage than terrorists with those same bombs.
It's a numbers game. Very broadly, because of the way humans behave as a species and as a society, every society is going to have a certain amount of crime. And there's a particular crime rate society is willing to tolerate. With historically inefficient criminals, we were willing to live with some percentage of criminals in our society. As technology makes each individual criminal more powerful, the percentage we can tolerate decreases. Again, remember the "weapons of mass destruction" debate: As the amount of damage each individual terrorist can do increases, we need to do increasingly more to prevent even a single terrorist from succeeding.
The more destabilizing the technologies, the greater the rhetoric of fear, and the stronger institutional powers will get. This means increasingly repressive security measures, even if the security gap means that such measures become increasingly ineffective. And it will squeeze the peasants in the middle even more.
Without the protection of his own feudal lord, the peasant was subject to abuse both by criminals and other feudal lords. But both corporations and the government -- and often the two in cahoots -- are using their power to their own advantage, trampling on our rights in the process. And without the technical savvy to become Robin Hoods ourselves, we have no recourse but to submit to whatever the ruling institutional power wants.
So what happens as technology increases? Is a police state the only effective way to control distributed power and keep our society safe? Or do the fringe elements inevitably destroy society as technology increases their power? Probably neither doomsday scenario will come to pass, but figuring out a stable middle ground is hard. These questions are complicated, and dependent on future technological advances that we cannot predict. But they are primarily political questions, and any solutions will be political.
In the short term, we need more transparency and oversight. The more we know of what institutional powers are doing, the more we can trust that they are not abusing their authority. We have long known this to be true in government, but we have increasingly ignored it in our fear of terrorism and other modern threats. This is also true for corporate power. Unfortunately, market dynamics will not necessarily force corporations to be transparent; we need laws to do that. The same is true for decentralized power; transparency is how we'll differentiate political dissidents from criminal organizations.
Oversight is also critically important, and is another long-understood mechanism for checking power. This can be a combination of things: courts that act as third-party advocates for the rule of law rather than rubber-stamp organizations, legislatures that understand the technologies and how they affect power balances, and vibrant public-sector press and watchdog groups that analyze and debate the actions of those wielding power.
Transparency and oversight give us the confidence to trust institutional powers to fight the bad side of distributed power, while still allowing the good side to flourish. For if we're going to entrust our security to institutional powers, we need to know they will act in our interests and not abuse that power. Otherwise, democracy fails.
In the longer term, we need to work to reduce power differences. The key to all of this is access to data. On the Internet, data is power. To the extent the powerless have access to it, they gain in power. To the extent that the already powerful have access to it, they further consolidate their power. As we look to reducing power imbalances, we have to look at data: data privacy for individuals, mandatory disclosure laws for corporations, and open government laws.
Medieval feudalism evolved into a more balanced relationship in which lords had responsibilities as well as rights. Today's Internet feudalism is both ad-hoc and one-sided. Those in power have a lot of rights, but increasingly few responsibilities or limits. We need to rebalance this relationship. In medieval Europe, the rise of the centralized state and the rule of law provided the stability that feudalism lacked. The Magna Carta first forced responsibilities on governments and put humans on the long road toward government by the people and for the people. In addition to re-reigning in government power, we need similar restrictions on corporate power: a new Magna Carta focused on the institutions that abuse power in the 21st century.
Today's Internet is a fortuitous accident: a combination of an initial lack of commercial interests, government benign neglect, military requirements for survivability and resilience, and computer engineers building open systems that worked simply and easily. Corporations have turned the Internet into an enormous revenue generator, and they're not going to back down easily. Neither will governments, which have harnessed the Internet for political control.
We're at the beginning of some critical debates about the future of the Internet: the proper role of law enforcement, the character of ubiquitous surveillance, the collection and retention of our entire life's history, how automatic algorithms should judge us, government control over the Internet, cyberwar rules of engagement, national sovereignty on the Internet, limitations on the power of corporations over our data, the ramifications of information consumerism, and so on.
Data is the pollution problem of the information age. All computer processes produce it. It stays around. How we deal with it -- how we reuse and recycle it, who has access to it, how we dispose of it, and what laws regulate it -- is central to how the information age functions. And I believe that just as we look back at the early decades of the industrial age and wonder how society could ignore pollution in their rush to build an industrial world, our grandchildren will look back at us during these early decades of the information age and judge us on how we dealt with the rebalancing of power resulting from all this new data.
This won't be an easy period for us as we try to work these issues out. Historically, no shift in power has ever been easy. Corporations have turned our personal data into an enormous revenue generator, and they're not going to back down. Neither will governments, who have harnessed that same data for their own purposes. But we have a duty to tackle this problem.
I can't tell you what the result will be. These are all complicated issues, and require meaningful debate, international cooperation, and innovative solutions. We need to decide on the proper balance between institutional and decentralized power, and how to build tools that amplify what is good in each while suppressing the bad.
This essay previously appeared in the Atlantic.

Report: NSA Has Broken Into Google And Yahoo Data Centers

Documents obtained from NSA leaker Edward Snowden and interviews with knowledgeable officials reveal the program, The Washington Post reported Wednesday.