Ransomware crims earning $1m a year

June 16th, 2015

Written by Doug Woodburn for CRN:

Cybercriminals can expect to bank $84,100 (£54,400) in profit from a typical monthly ransomware campaign, according to Trustwave, equivalent to an annual pay packet of just over $1m.

In its latest annual threat report, the security vendor estimated that a large-scale, 30-day ransomware campaign would generate proceeds of $90,000, with an investment of only $5,900 required.

With an estimated return on investment of 1,425 per cent, the spoils of an opportunistic attack can be greater than those from the targeted attacks that have dominated headlines in recent years, Trustwave said.

It claimed all its calculations were based on actual tools and services for sale in underground markets used in real attacks in 2014.

A budding cybercriminal need cough up just $3,000 for the CTB-Locker ransomware variant and $500 to rent RIG, an exploit kit with a promised infection rate of 10 to 15 per cent, Trustwave found.

Purchasing access to compromised websites that will generate traffic of 20,000 users a day will set them back a further $1,800. Finally, camouflage that will ensure the payload is not detectable by anti-virus is theirs for a snip at $600, bringing the outlay to the $5,900 quoted above.

Based on estimates that 0.5 per cent of infected victims will pay a $300 ransom, estimated proceeds come in at $90,000: 20,000 visitors a day over 30 days is 600,000 visitors, a 10 per cent infection rate gives 60,000 infections, and 0.5 per cent of those paying $300 is $90,000 – without the perpetrators having to write a single line of code. See p67 of the report for a more detailed breakdown.

“To succeed in a targeted attack takes far more expertise and effort than an opportunistic attack that distributes malware to many thousands of users,” Trustwave said.

“In fact, the burgeoning underground market for related tools, services and support allows cybercriminals to carry out these opportunistic attacks and generate significant revenue without developing even a single line of code themselves.”

Commenting on the report, George Quigley, a partner at KPMG’s security practice, said the threat posed by ransomware is growing because of two factors.

“The first is that the expertise can be bought; you don’t need to be an expert to do this,” he said. “The second is that the economics make it more than viable.”

Kaspersky Lab praised for handling of Duqu 2.0 cyber attack

June 12th, 2015

Written by Warwick Ashford for Computer Weekly:

Kaspersky Lab determined the best approach to cyber attack was to not only admit that it had been hacked, but also to provide extensive information on the malware

Moscow-based security firm Kaspersky Lab has been praised for the way it handled a cyber attack on its network, which also hit high-profile targets in Europe, the Middle East and Asia.

When a company suffers an attack, it can pretend it never happened, issue a bland security advisory or admit the attack took place and explain the implications, said independent security consultant Graham Cluley.

“Kaspersky determined the best approach was to not only admit it had been hacked, but also to provide extensive information on the malware (dubbed Duqu 2.0) it found attempting to infiltrate information from its servers,” Cluley wrote in a blog post.

The cyber security firm also co-ordinated blog posts by founder Eugene Kaspersky on his site and on Forbes, live-streamed press conferences in London and published detailed technical analyses of the malware.

“In short, it handled what could have been a corporate crisis well, and reassured customers and partners their data was safe and the integrity of its security products had not been compromised,” said Cluley.

Kaspersky Lab revealed it detected a cyber intrusion affecting several of its internal systems in early spring 2015, using a prototype of an anti-APT (advanced persistent threat) technology.

The ensuing investigation led to the discovery of a malware platform operated by what Kaspersky Lab has described as “one of the most skilled, mysterious and powerful threat actors” in the world of APTs.

Kaspersky Lab believes the attackers were confident that it was impossible to discover the cyber attack, which included some unique features that leave almost no traces.

The attack exploited zero-day vulnerabilities and, after elevating privileges to domain administrator, the attackers spread the malware through the network using Microsoft Software Installer (MSI) files, which system administrators commonly use to deploy software on remote Windows computers.
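One detection a defender could run over process-creation telemetry for the MSI-based lateral movement just described, as an added example that is not from the article, Kaspersky Lab or Microsoft. The event records, host names and privileged-account list are constructed for the demonstration (field names follow Windows Security event 4688), the list of remote-execution parent processes and staging paths is a starting point rather than anything the report specifies, and the alert threshold is an assumption:

```python
import re

# Windows command lines: quoted strings or whitespace-separated tokens.
_TOKEN = re.compile(r'"[^"]*"|\S+')

QUIET_FLAGS = {"/q", "/qn", "/qb", "/quiet", "/passive"}
INSTALL_FLAGS = {"/i", "/a", "/package"}

# Parents typically seen when a package is pushed to a host remotely
# (WMI, PsExec, WinRM). GPO/SCCM installs arrive via services.exe and are
# deliberately left out to keep the noise down.
REMOTE_PARENTS = {"wmiprvse.exe", "psexesvc.exe", "winrshost.exe"}

# Package locations a hands-on operator tends to use: admin or drive-letter
# shares and scratch directories, rather than a deployment tool's cache.
SUSPICIOUS_PKG_PATH = re.compile(
    r"^\\\\[^\\]+\\(?:admin\$|[a-z]\$)\\"   # \\host\admin$\ or \\host\c$\
    r"|\\(?:windows\\)?temp\\"             # ...\temp\ or ...\windows\temp\
    r"|\\programdata\\"
    r"|\\appdata\\local\\temp\\",
    re.IGNORECASE,
)

ALERT_THRESHOLD = 3  # assumed: indicators needed before an event is escalated

# Constructed privileged accounts, written DOMAIN\user in lower case.
PRIVILEGED_ACCOUNTS = {"corp\\da-ops"}

# Constructed 4688-style records; the field names follow the real event.
SAMPLE_EVENTS = [
    {"Computer": "ws-042.corp.local", "SubjectDomainName": "CORP",
     "SubjectUserName": "alice", "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\alice\Downloads\7z1900-x64.msi"'},
    {"Computer": "fileserver.corp.local", "SubjectDomainName": "CORP",
     "SubjectUserName": "da-ops",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r'msiexec.exe /i "\\dc01\admin$\Temp\update.msi" /qn'},
    {"Computer": "ws-017.corp.local", "SubjectDomainName": "NT AUTHORITY",
     "SubjectUserName": "SYSTEM", "ParentProcessName": r"C:\Windows\System32\services.exe",
     "CommandLine": r"msiexec.exe /x {23170F69-40C1-2702-1900-000001000000} /qn"},
    {"Computer": "ws-042.corp.local", "SubjectDomainName": "CORP",
     "SubjectUserName": "alice", "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\System32\notepad.exe"},
]


def parse_msiexec(cmdline):
    """Return (package, quiet) for an msiexec command line, else None."""
    argv = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    if not argv or not argv[0].lower().endswith("msiexec.exe"):
        return None
    args = argv[1:]
    quiet = any(a.lower() in QUIET_FLAGS for a in args)
    package = None
    for i, a in enumerate(args):
        if a.lower() in INSTALL_FLAGS and i + 1 < len(args):
            package = args[i + 1]
            break
    if package is None:  # e.g. "msiexec.exe pkg.msi" with no switch
        package = next((a for a in args if a.lower().endswith(".msi")), None)
    return package, quiet


def score_event(event, privileged_accounts):
    """Score one process-creation record; returns (score, reasons)."""
    parsed = parse_msiexec(event.get("CommandLine", ""))
    if parsed is None:
        return 0, []
    package, quiet = parsed
    reasons = []
    if package and SUSPICIOUS_PKG_PATH.search(package):
        reasons.append(f"package staged at {package}")
    if quiet:
        reasons.append("silent install")
    account = f"{event.get('SubjectDomainName', '')}\\{event.get('SubjectUserName', '')}".lower()
    if account in privileged_accounts:
        reasons.append(f"privileged account {account}")
    parent = event.get("ParentProcessName", "").rsplit("\\", 1)[-1].lower()
    if parent in REMOTE_PARENTS:
        reasons.append(f"spawned by remote-execution parent {parent}")
    return len(reasons), reasons


def scan(events, privileged_accounts, threshold=ALERT_THRESHOLD):
    """Return an alert for every event whose indicator count reaches threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev, privileged_accounts)
        if score >= threshold:
            alerts.append({"host": ev["Computer"], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS, PRIVILEGED_ACCOUNTS):
        print(alert["host"], alert["score"], "; ".join(alert["reasons"]))
```

Run against the constructed records, only the WMI-launched silent install from an admin share by the domain-admin account crosses the threshold; the user's own download and the SYSTEM uninstall each score too low to escalate. The indicators are independent, so an operator who avoids one (say, staging the package under Program Files) still trips the others, which is the point of scoring rather than a single signature.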

Duqu 2.0: An international threat

Researchers said the Duqu 2.0 attack did not leave behind any disk files or change system settings, making detection extremely difficult.

“The Duqu 2.0 group is a generation ahead of anything seen in the APT world,” the researchers added.

The attackers exploited up to three zero-day vulnerabilities. The last remaining zero-day (CVE-2015-2360) was patched by Microsoft on 9 June (MS15-061) after Kaspersky Lab reported it.

The malicious program used an advanced method to hide its presence in the system and the code of Duqu 2.0 exists only in the computer’s memory and tries to delete all traces on the hard drive.

Kaspersky Lab then found other Duqu 2.0 attacks in some western countries, the Middle East and Asia, including venues linked to international talks on Iran’s nuclear programme.

Kaspersky said it found the Duqu 2.0 malware in three European hotels used in the negotiations involving Iran and six world powers, and also on its computers.

“Some of the 2014-2015 infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal,” Kaspersky Lab said in a statement.

P5+1 refers to the six world powers negotiating with Iran on curbs to its disputed nuclear programme: the US, Russia, China, Britain, France and Germany. The talks have been held in Geneva, Lausanne, Montreux, Munich and Vienna, according to the Guardian.

In addition to the P5+1 events, Kaspersky Lab said the Duqu 2.0 group launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau, which was attended by many foreign dignitaries and politicians.

According to Kaspersky Lab, the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes, but the company said no interference with processes or systems was detected.

“Kaspersky Lab is confident that its clients and partners are safe and that there is no impact on the company’s products, technologies and services,” it said in a statement.

The attackers also showed a high interest in Kaspersky Lab’s current investigations into advanced targeted attacks.

Researchers believe the attack was carefully planned and carried out by the same group behind the 2011 Duqu APT campaign, which Kaspersky Lab thinks is sponsored by a nation state.

A sophisticated cyber attack

Kaspersky Lab said Duqu 2.0 had evolved from the earlier Duqu, which was deployed against unidentified targets for years before it was discovered in 2011.

According to researchers, there is an overlap between Duqu and Stuxnet, which has been linked to a US-Israeli project to sabotage Iran’s nuclear programme.

“The people behind Duqu are one of the most skilled and powerful APT groups and they did everything possible to try to stay under the radar,” said Costin Raiu, director of the global research and analysis team at Kaspersky Lab.

“This highly sophisticated attack used up to three zero-day exploits, which is very impressive – the costs must have been very high. To stay hidden, the malware resides only in kernel memory, so anti-malware systems might have problems detecting it.

“It also doesn’t directly connect to a command-and-control server to receive instructions. Instead, the attackers infect network gateways and firewalls by installing malicious drivers that proxy all traffic from the internal network to the attackers’ command and control servers,” said Raiu.

Eugene Kaspersky, CEO of Kaspersky Lab, warned: “Sooner or later technologies implemented in similar targeted attacks will be examined and utilised by terrorists and professional cyber criminals – and that is an extremely serious and possible scenario.

“Reporting such incidents is the only way to make the world more secure. This helps to improve the security design of enterprise infrastructure and sends a straightforward signal to developers of this malware: all illegal operations will be stopped and prosecuted.

“The only way to protect the world is to have law enforcement agencies and security companies fighting such attacks openly. We will always report attacks regardless of their origin,” he said.

Kaspersky Lab believes this attack had a much wider geographical reach and many more targets.

“Judging from what the company already knows, Duqu 2.0 has been used to attack a complex range of targets at the highest levels with similarly varied geo-political interests,” it said.

Symantec security researchers described Duqu 2.0 as a “stealthy, information-stealing tool” that can be used to gain a persistent foothold inside a targeted domain.

A need for serious cyber offense

Symantec said it also found evidence that Duqu has been used in a number of different attack campaigns against a limited number of selected targets.

Among the organisations targeted were a European telecommunications operator, a North African telecommunications operator and a Southeast Asian electronic equipment manufacturer. Infections were also found on computers located in the US, UK, Sweden, India and Hong Kong.

Symantec believes these may have been “stepping stone” type attacks to infiltrate another organisation and eavesdrop on their network.

Tod Beardsley, engineering manager at security firm Rapid7, said Duqu 2.0 represents both the state of the art and the minimum bar for cyber operations.

“Even if one doubts that Stuxnet, Duqu and Duqu 2.0 are sourced from well-financed, highly skilled and geopolitically motivated Western nations, Duqu 2.0 is precisely where we should expect any serious national cyber offensive capability to be,” he said.

According to Beardsley, this, in turn, informs where defensive thinking needs to focus.

“If you cannot defend against a Duqu 2.0-style long-term campaign, you better not have any data or resources that a national offensive cyber organisation will care to compromise,” he added.

Beardsley said Kaspersky has a reputation for being one of the most capable detection and defence organisations in the world, and the fact that it was compromised is a “sobering reminder that the gap between offense and defence is massively lopsided in favour of the attacker”.

He also praised Kaspersky’s handling of the attack on its network.

“It is more transparency than what we usually see with initial breach reports. I’m hopeful that as this story unfolds, Kaspersky will provide more details on exactly how it did detect the activity of Duqu 2.0, since these detection techniques are what CISOs at critical infrastructure networks need to defend and remediate against similar attacks,” said Beardsley.

DDoS attacks starting to resemble APTs, warns Imperva

June 11th, 2015

Written by Warwick Ashford for Computer Weekly:

Like advanced persistent threats (APTs), many distributed denial of service (DDoS) attacks are characterised by long durations, repetition and changing attack vectors

Distributed denial of service (DDoS) attacks are beginning to resemble advanced persistent threats (APTs), according to Imperva’s Q2 2015 Global DDoS Trends Report.

The report is based on more than 3,000 mitigated DDoS attacks against organisations, from 1 March to 7 May 2015.

Like APTs, many of these DDoS attacks were characterised by long durations, repetition and changing attack vectors aimed at evading simple, signature-based defence systems.

During the research period, 71% of all network layer attacks lasted under three hours; and over 20% lasted for more than five days.

The longest attack seen during the research period was 64 days, with many other sustained attempts to bring down websites.

Once targeted by an application layer attack, a website will likely be attacked again once every 10 days on average. Some 17% of sites were attacked more than five times; 10% attacked more than 10 times; and several sites were attacked every day, during the 72-day research period.

Botnet hire costs drop

The report highlighted inexpensive botnet-for-hire services used to perpetrate attacks.

With these tools costing as little as $19.99 a month and available for online purchase using Bitcoin, the report said the barrier to mounting such attacks has dropped significantly.

Short, single-vector attacks associated with botnet-for-hire services accounted for approximately 40% of all network layer attacks during the research period.

“Compared to just a few years ago, the frequency, sophistication and duration of attacks have noticeably increased,” said Marc Gaffan, general manager for the Incapsula service at Imperva.

“Professional hackers are mounting advanced attacks that are now resembling advanced persistent threats. We believe that this increased sophistication is due to attackers studying how DDoS mitigation solutions detect and block attacks and implementing new techniques to attempt to bypass them,” said Gaffan.

“As a result, it’s important for enterprises of all sizes to understand the risks DDoS attacks pose and create a readiness plan.”

In May 2015, it emerged that a gang using DDoS attacks to extort bitcoins had begun targeting high-profile organisations in key sectors in Europe, prompting government advisories.

This is in line with the trend of criminal gangs repurposing DDoS attacks initially intended to knock organisations offline by flooding them with network traffic.

But cyber criminals are increasingly using DDoS attacks as a smokescreen to hide other activities, such as stealing data or money, and for extortion.

Extortion gang DD4BC (DDoS for bitcoins) looks set to take this form of attack to a new level, threatening financial and energy sector firms with unprecedented volumes of malicious traffic.

Businesses face spike in ransomware attacks, reports McAfee Labs

June 10th, 2015

Written by Warwick Ashford for Computer Weekly:

Businesses face a substantial increase in the number of ransomware attacks, according to the latest McAfee Labs Report released by Intel Security.

In the first quarter of 2015, McAfee Labs saw a 165% increase from the previous quarter in new ransomware. The malware typically encrypts company data and demands payment for the decryption key.

Researchers said the spike was driven largely by the new, hard-to-detect CTB-Locker ransomware family, a new ransomware family called Teslacrypt, and the emergence of new versions of CryptoWall, TorrentLocker and BandarChor.

McAfee Labs attributes CTB-Locker’s success to clever techniques for evading security software, higher-quality phishing emails and an “affiliate” programme that offers accomplices a percentage of ransom payments in return for flooding cyberspace with CTB-Locker phishing messages.

McAfee Labs suggests organisations and individuals make it a priority to learn how to recognise phishing emails, including the use of tools such as the Intel Security Phishing Quiz.

In the first quarter of 2015, Adobe Flash malware samples increased by 317%. The researchers attributed the spike in exploits to the popularity of Adobe Flash as a technology; user delay in applying available Adobe Flash patches; new methods to exploit product vulnerabilities; a steep increase in the number of mobile devices that can play Adobe Flash files; and the difficulty of detecting some Adobe Flash exploits.

Industry cleaves to counter threat

Researchers are seeing a continued shift in focus among exploit kit developers, from Java archive and Microsoft Silverlight vulnerabilities to Adobe Flash vulnerabilities.

In the first three months of 2015, 42 new Adobe Flash vulnerabilities were submitted to the US National Vulnerability Database. Adobe made initial fixes available for all of them on the day they were posted.

“With the popularity of a product like Flash, there comes a tremendous responsibility to proactively identify and mitigate security issues threatening millions of users,” said Vincent Weafer, senior vice-president of McAfee Labs.

“This research nicely illustrates how the technology industry works together constructively to gain an advantage in the realm of cyber security – industry partners sharing threat intelligence, and technology providers acting on information quickly to help prevent potential issues.”

To get the full benefit of software supplier efforts to address vulnerabilities, McAfee Labs is urging organisations and individual users to be more diligent in keeping their products updated with the latest security patches.

Malware reprogrammes SSDs and HDDs to evade detection

The McAfee Labs report reveals that the reprogramming modules in the Equation Group malware discovered in February 2015 can reprogram the firmware of solid state drives (SSDs) as well as hard disk drives (HDDs), the capability reported previously.

Once reprogrammed, the HDD or SSD firmware can reload the associated malware each time an infected system boots, so the malware persists even if the drive is reformatted or the operating system is reinstalled. Researchers said security software cannot detect the malware once it is stored in a hidden area of the drive.

“We at Intel take hybrid software-hardware threats and exploits seriously,” said Weafer. “We have closely monitored both academic proofs of concept and in-the-wild cases of malware with firmware or BIOS manipulation capabilities, and these Equation Group firmware attacks rank as some of the most sophisticated threats of their kind.

“While such malware has historically been deployed for highly targeted attacks, enterprises should prepare themselves for the seemingly inevitable ‘off-the-shelf’ incarnations of such threats in the future.”

McAfee Labs advises that organisations take steps to strengthen threat detection at point of initial attack, such as phishing messages with malicious links and malware-infected USB drives and CDs. McAfee Labs said organisations should also consider security systems that can help prevent data exfiltration.

Other 2015 security developments

The first quarter report identified several other developments in the first quarter of 2015:

  • PC malware growth

The first quarter saw a slight decline in new PC malware, which researchers attribute mainly to the activity of one adware family, SoftPulse, which spiked in Q4 2014 and returned to normal levels in Q1 2015. The McAfee Labs malware database grew 13% during that time, and now contains 400 million samples.

  • Mobile malware

The number of new mobile malware samples jumped by 49% from Q4 2014 to Q1 2015.

  • Secure sockets layer (SSL) attacks

SSL-related attacks continued in Q1 2015, although they tapered off in number relative to Q4 2014. Researchers said this reduction is likely the result of SSL library updates that have eliminated many of the vulnerabilities exploited in prior quarters. Shellshock attacks have remained prevalent since the vulnerability emerged in late 2014.

  • Spam botnets

The Dyre, Dridex, and Darkmailer3.Slenfbot botnets overtook Festi and Darkmailer2 as the top spam networks. Their main areas of involvement included pharmaceuticals, stolen credit cards and “shady” social-media marketing tools, the McAfee Labs report said.

Email hacking: another home-seller robbed of £270,000

June 9th, 2015

Written by Nicole Blackmore for the Telegraph:

Home buyers and sellers are at risk of losing hundreds of thousands of pounds because fraudsters are aggressively targeting those involved in housing transactions.

Sophisticated criminals are intercepting emails between buyers, sellers and their solicitors and sending false bank account details to divert the proceeds of house sales.

In some cases, fraudsters posing as sellers contact the legal firm acting for the real sellers and instruct them to send the sale proceeds to a rogue account. In other cases, buyers receive fraudulent emails purporting to be from their solicitors with instructions to send their payment to a different account.

This newspaper first wrote about the issue earlier this month and has since received a stream of letters from readers whose emails were hacked and whose payments were diverted to fraudulent accounts.

Nicholas and Fabienne d’Adhemar were recently swindled in this way. The couple and their two young children, Clementine and Luca, had outgrown their two-bedroom flat in Fulham, south-west London, so decided to sell up and buy their first family house.

They sold the flat for £675,000, which gave them £270,000 to put towards their new property.

Mrs d’Adhemar engaged a solicitor to handle the transaction and sent all correspondence through her secure work email address, but used her personal email account for everything else, including contact with the estate agent, Chestertons.

But 10 days after the sale was completed they received a call from their solicitor, who said NatWest had flagged up a problem with their account.

Alarm bells immediately rang. The couple didn’t have a NatWest account, they banked with HSBC.

Eventually it became clear that fraudsters had accessed Mrs d’Adhemar’s personal email account and, posing as her, emailed instructions to the solicitors to send the money to the NatWest account.

“I had never emailed my solicitors from my personal account before, but Chestertons had copied them into an email sent to me. That must be how the fraudsters found my solicitor’s email address in my account and were able to contact them.”

Mrs d’Adhemar said the criminals took considerable effort to make the emails appear genuine.

Fortunately in this case NatWest was able to freeze the account immediately and reclaim the entire £270,000 before any was transferred away.

“We were very lucky to get all of our money back, but there were a few days when we thought we might lose the house we were buying,” Mrs d’Adhemar said. “The money from the sale of the flat was all we had.”

Jacques Smith, a partner at law firm Rubinstein Phillips Lewis, said the scam is becoming increasingly common. He said house buyers and sellers should make it clear to their solicitor at the start of the process that they have no intention of changing their bank account details, and to ignore any instructions to do so unless they are given in person.
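A mailbox-side control a conveyancing firm could run to enforce the advice above, as an added example that is not part of the Telegraph article and not anything Rubinstein Phillips Lewis or the solicitors in the story use. It holds a client message for an in-person call-back when the sender address has not been used on the matter before (the route the fraudsters took in the case described), when Reply-To points elsewhere, when the text asks for payment details to be changed, or when it carries bank details that differ from those verified at the outset. The matter record, addresses, bank details and messages are constructed, and the messages are assumed to be single-part plain text:

```python
import re
from email import message_from_string
from email.utils import parseaddr

# UK sort code (6 digits, optional separators) and 8-digit account number.
# Deliberately simple: a production filter would also handle IBANs and
# exclude dates, phone numbers and amounts that happen to be 8 digits.
SORT_CODE = re.compile(r"\b\d{2}[- ]?\d{2}[- ]?\d{2}\b")
ACCOUNT_NO = re.compile(r"\b\d{8}\b")
# "new account", "updated bank details", "different account" and the like.
CHANGE_REQUEST = re.compile(
    r"\b(?:new|updated|changed|different|alternative)\b.{0,40}?"
    r"\b(?:account|bank|details)\b",
    re.IGNORECASE | re.DOTALL,
)

# Constructed matter record: the address and bank details the client gave
# at the start of the transaction and the firm verified out of band.
MATTER = {
    "reference": "SALE/2015/0412",
    "client_addresses": {"client@workmail.example"},
    "sort_codes": {"400515"},
    "account_numbers": {"12345678"},
}

# Constructed messages. The second is the pattern from the article: a
# different mailbox, a Reply-To the firm has never seen, new bank details.
LEGIT_MSG = """From: Client <client@workmail.example>
To: conveyancing@lawfirm.example
Subject: SALE/2015/0412 completion date

Please confirm the completion date; we are hoping for the 19th.
"""

FRAUD_MSG = """From: Client <client@personalmail.example>
Reply-To: Client <client.sale@freemail.example>
To: conveyancing@lawfirm.example
Subject: SALE/2015/0412 completion funds

Following a problem with our existing account, please send the sale
proceeds to our new account instead: sort code 60-12-34, account
number 87654321.
"""

CONFIRM_MSG = """From: Client <client@workmail.example>
To: conveyancing@lawfirm.example
Subject: SALE/2015/0412 bank details

Our bank details for the sale proceeds are unchanged: sort code 40-05-15,
account number 12345678. Please proceed.
"""


def extract_bank_details(text):
    """Return (sort_codes, account_numbers) found in text, separators removed."""
    sort_codes = {re.sub(r"[- ]", "", m) for m in SORT_CODE.findall(text)}
    account_numbers = set(ACCOUNT_NO.findall(text))
    return sort_codes, account_numbers


def check_message(raw, matter):
    """Return the reasons a message should be held pending an in-person check.

    An empty list means no indicator fired. It does not prove the message is
    genuine, so a bank-detail change still needs confirmation in person.
    """
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    body = msg.get_payload()  # assumption: single-part text/plain
    reasons = []
    if sender not in matter["client_addresses"]:
        reasons.append(f"sender {sender} has not been used on this matter before")
    if reply_to and reply_to != sender:
        reasons.append(f"Reply-To {reply_to} differs from From {sender}")
    if CHANGE_REQUEST.search(body):
        reasons.append("message asks for payment details to be changed")
    sort_codes, account_numbers = extract_bank_details(body)
    unknown = (sort_codes - matter["sort_codes"]) | (account_numbers - matter["account_numbers"])
    if unknown:
        reasons.append(f"bank details not on file: {sorted(unknown)}")
    return reasons


if __name__ == "__main__":
    for name, raw in [("legit", LEGIT_MSG), ("fraud", FRAUD_MSG), ("confirm", CONFIRM_MSG)]:
        print(name, check_message(raw, MATTER) or "no indicators")
```

The check is intentionally one-directional: it can only add friction to a change request, never approve one, because an attacker who controls the genuine mailbox (as in the case above) will pass every header test. The bank-detail comparison is the control that still holds in that situation, provided the details on file were captured before the mailbox was compromised.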

The Solicitors Regulation Authority said member firms are responsible for safeguarding client funds, and had to replace any money that is “improperly withheld or withdrawn from a client account”.

UK cloud use is soaring among business users, claims CIF

May 27th, 2015

Written by Caroline Donnelly, for Computer Weekly:

The UK’s appetite for cloud services shows no signs of abating, as new research suggests 84% of firms have made the move off-premise.

According to a poll carried out by the Cloud Industry Forum (CIF), featuring responses from 250 senior IT and business decision-makers, the cloud adoption rate has soared by 75% since 2010, when the trade organisation first published research on this topic.

“Cloud computing has come a long way in just a few short years,” said CIF CEO Alex Hilton.

“When we commissioned our first major research project into the UK cloud market in 2010, just 48% of organisations had consciously adopted a cloud service. According to our latest research, that figure today stands at 84%.

“During this time, cloud has moved from the edge of the IT estate to its centre, and it is now largely regarded as just another way that we do IT,” he added.

The survey’s findings also revealed that 78% of firms are using two or more cloud services, while half of those polled expect to move all of their IT assets off-premise in the future. Of these, 16% said they’re aiming to do this as soon as possible.

The applications that organisations seem most keen on accessing via the cloud include customer relationship management systems, disaster recovery services, data storage, email and collaboration tools.

Looking ahead, 70% of cloud users expect their use of the technology to increase over the next 12 months, while 12% of those who don’t use any off-premise services at the moment said they plan to start in the coming year.

In light of these findings, CIF anticipates that 86% of UK companies will use at least one cloud service by the start of 2016, with adoption buoyed by the impending demise of Windows Server 2003.

The on-premise Microsoft server operating system is due to enter end of life in July, and many industry watchers have predicted its demise will lead to a natural uptick in enterprise cloud adoption as time goes on.

“We have every confidence the cloud’s momentum will be maintained, helped in no small part by the retirement of Microsoft Windows Server 2003 and Microsoft Small Business Server 2003,” said Hilton.

“While first-time adoption is likely to slow somewhat, penetration of cloud services in organisations, which appears to be happening at a faster rate than we had anticipated, will continue unencumbered.”

That is, he added, as long as service providers can offer users compelling reasons to ditch on-premise technologies and, in turn, change the way they’ve always done things.

“Cloud service providers [need to] effectively put forward the business case for adoption and build further confidence among users by improving levels of accountability, capability and transparency,” he added.

The data center of the future? It’s the one CIOs don’t operate

May 22nd, 2015

Written by Niel Nickolaisen for TechTarget:

Technology is ubiquitous and it is constantly changing. Because of that, IT leaders must become really good at deciding which technology battles they should fight. For a while, the really interesting technology innovations came from the non-infrastructure side of life with things like advanced analytics, mobile apps, social, digital marketing, micro-services, data privacy, collaboration, and all manner of compelling things worth fighting for in the corporate corridors of power. In the past couple of years, really interesting innovations are happening in the world of infrastructure. These innovations include cloud orchestration tools, a wide array of cloud services, containerization, software-defined everything and hyper-converged infrastructure. I decided some time ago that if, from among all of these innovations, I have to decide which battles to fight, I am going to let someone else prosecute the infrastructure innovation battles. For me, the data center of the future is the data center that someone else innovates and operates.

Let me provide an example.

Some of my largest customers are asking me to provide them geographical segregation of their data. That means that I need to prevent some of their data from entering certain geographies. If I am operating my own data center, supporting geographical data segregation can be a nightmare. I would have to build out a data center in an acceptable geography, populate it with new hardware and route specific transactions to that data center. Even if I have virtualized my entire application stack, I would need to physically replicate my data center.

Conversely, if I use another’s data center, I create a virtual instance of my application stack and move it to a data center in a geography that is acceptable to my customers. There is still work to do, but this is much simpler and cleaner than building it out myself. Every day this type of application movement becomes even easier as the cloud orchestration tools and technologies get better and better.

When I combine using someone else’s data center with mine, using the new application container technologies, I end up with an extremely nimble, agile and responsive-to-change stack of services. And at the pace of technological change, I need all the nimbleness I can get.

Should I figure out hyper-converged infrastructure options or should I do business with a data center provider who is driving those innovations and making those decisions? Besides, what will make the biggest difference for my organization? Mastering the data center of the future or mastering advanced analytics, digital marketing, social and whatever other non-infrastructure technology advancements are coming my way? For me, I choose not to fight the data center battles.

Of course, I have to be careful in selecting the provider who will deliver my data center of the future. I should only consider someone who is exploring and experimenting with the new and evolving infrastructure technologies. Someone with a track record of flawless delivery of data center services. Someone who, every day, achieves operational excellence and continuous improvement.

In managing all of the things on my technology plate, it makes sense to me to let someone else be the master of data center management and innovation.

Cyber attackers show ingenuity in first quarter of 2015, report shows

May 21st, 2015

Written by Warwick Ashford, for Computer Weekly:

A combination of newer and older threat variations defined the cyber security landscape in the first quarter of 2015, according to the latest report from Trend Micro.

The report, Re-emerging Threats Challenge Trust in Supply Chains and Best Practices, highlights malvertising, zero-day vulnerability exploitation, macro malware and the FREAK vulnerability.

Researchers said exploit kits grew in sophistication and added new exploits to their arsenals, increasing their appeal to expert and novice attackers.

They also found that old threats are being reinvigorated with new targeted attack tools, tactics and procedures. For example, those behind Operation Pawn Storm set their sights on new targets, proving that targeted attacks are evolving.

Another trend identified by the report is the shift in focus of crypto-ransomware from consumers to enterprises.

The resurgence of macro malware suggests cyber criminals are taking advantage of user security complacency, through reliance on software defaults, the researchers said.

The start of 2015 also saw the FREAK vulnerability, rooted in 1990s-era export-grade cipher suites that many TLS implementations still accepted, cause patch management challenges. As more vulnerabilities emerge in open-source operating systems and applications, researchers said IT administrators will find it increasingly difficult to mitigate risks.

“From an industry perspective, healthcare and retail point-of-sale systems have seen an uptick in threat activity,” said Trend Micro chief technology officer Raimund Genes.

Major healthcare service providers, such as Premera Blue Cross and Anthem, suffered data breaches in the first quarter of 2015 that exposed millions of customers’ financial and medical data.

“The report reinforces how complacency can present major cyber security risks in an era where the margin for error has been significantly diminished,” he said.

Tech users assailed from all angles

2015 is shaping up to be noteworthy in terms of volume, ingenuity and sophistication of attacks, said Genes.

“The rise in attacks against the healthcare industry, combined with the rise in malvertisements, reflects that technology users are being assailed from all angles,” he said.

According to Trend Micro, businesses and individuals alike need to be proactive in protecting against threats.

Genes said an aggressive and different security posture is critical to keep financial, personal and intellectual property safe.

According to the report, adware topped the list of mobile threats, with Trend Micro now documenting more than five million Android threats to date.

Trend Micro researchers also found zero-day exploits targeting Adobe software being delivered through malvertisements, so victims no longer had to visit or interact with a malicious site to become infected.

The researchers found that iOS and point-of-sale systems continue to be targeted. Because exploitation in these areas has been in its infancy for several years, they believe the rise is primarily due to a lack of preparedness that can be addressed.

Businesses and individuals need to ask if they are doing enough to protect themselves from security threats, said Genes.

“While we need to constantly update our systems to protect against new attacks, the first quarter of 2015 clearly showed we need to also watch out for older threats, and how no industry or system should feel exempt,” he said.

20% of security professionals say their company has hidden or covered up a breach

May 20th, 2015

Written by Lewis Morgan, for IT Governance USA:

There are many reasons that an organization would want to cover up a data breach, including avoiding heavy fines, reputational damage and loss of customers.

It’s therefore unsurprising that 20% of respondents to a recent AlienVault survey have witnessed a company hide a breach.

The survey – ‘Ethics, Security and Getting the Job Done’ – was conducted by AlienVault at this year’s RSA conference in San Francisco and surveyed over 1000 people.

Other key findings from the survey:

  • Over half of security professionals utilize hacker forums or associate with blacklist to keep abreast of the latest threats and technologies.
  • Most believe the CISO (chief information security officer) should be ultimately accountable for breaches.
  • Security breaches are used as leverage to increase security budgets.

Javvad Malik, AlienVault security advocate and author of the report, said in a brief about his findings:

“Many companies are realizing that being breached or suffering an incident is part of the cost of business – however, when the inevitable does occur, the security teams still find themselves under considerable pressure, which can contribute to breaches being hidden or vulnerabilities ignored.

“It provides a glimpse into the struggles of professionals working in a very young industry that has been thrust into the forefront of business, politics and media.”

Javvad is right. The last couple of years have seen the number of data breaches explode, and we’ve seen many organizations stuck in the thick of it with little preparation. It’s very rare that a data breach occurs and the media covers it by saying, “They were breached, but they handled it really well” and that’s because very few know how to handle it – which may prove to be the reason that 20% chose not to handle it.

Smaller but not unnoticed

May 19th, 2015

Written by Fleur Doidge for CRN:

If SMB customers think they’re not potential targets for hackers or other malicious attackers, they’re mistaken.

Craig Stewart, EMEA vice president at cloud security specialist Zscaler, agrees. They can also become indirect targets when an attacker is aiming for larger or more prominent companies that are customers, partners or suppliers to the SMB, or caught up in a scattergun-type attack.

“I think we’re seeing a lot more smaller businesses outsourcing significant parts of their activities, whether that is email or their invoicing [for example],” he adds. “Edward Snowden wasn’t an employee – he was a contractor.”

Security itself is increasingly outsourced, while it remains easy for attackers to spoof websites and even produce convincing-looking paperwork to back up spurious online transactions. Almost any company can fall prey to ransomware, man-in-the-middle, phishing or honeypot strategies.

“A lot of these strategies probably work better on SMEs,” Stewart says. “BP, Shell, Lloyds, and firms of that size are not going to pay in a CryptoLocker-type ransomware attack. But smaller businesses just might.”

Stewart says we have reached a point, though, where more SMB-focused security products and services are emerging.

In the meantime, the key is not only in educating smaller businesses about the real and evolving risk from malicious attack, but in helping them understand where their own business fits in relation to that risk, in order to choose and deploy something that might protect what’s most important to them.

Rahul Kashyap, chief security architect at security vendor Bromium, notes that classic anti-virus cannot bring back encrypted, locked files in the event of a ransomware attack.

“We only expect this trend to continue because it is so effective,” he says.

“It highlights the importance of best practices, such as end-point protection and external data backups. Often when you are hit with ransomware it is impossible to get your files back because the payment processing may fail or the encryption keys may not work – not to mention the danger of providing your credit card number to these attackers.”

Tim ‘TK’ Keanini, chief technology officer at Lancope, agrees, noting that there is a long-tail dynamic in cybercrime, with more and more categories of customer becoming affected as time goes on. And of course if one point on a supply chain is attacked, the rest of the supply chain can also be affected.

“It really is everybody’s problem,” he says. “And there are so many dimensions to it now.”

This obviously may relate to cloud and mobility, but in addition, for example, physical security may be an important component of the whole solution, Keanini indicated.

Depending on the company, CCTV and practices such as clean-desk policies might be needed as part of an integrated, holistic security approach, especially if there is genuine concern about systems potentially being vulnerable to unauthorised visitors or intruders on-site.

Dan Sibille, vice president of channels at Lancope, confirms that all this means that the seam of potential reward for the channel is certainly worthy of mining. Crucially, medium-sized firms as well as smaller ones are in need of education and training to assist them to understand and apply security technologies.

“There’s a huge opportunity for partners to go in – to offer that value and services around it, putting something together that’s cost-effective for customers,” he says. “And it’s not just about the technical issues.”

Dave Ellis, director of strategy and new products at Arrow ECS, warns that SMBs may be even more vulnerable to cyberattack than larger firms, and not just because they tend to lack the resources and expertise – not to mention the processes and procedures – to protect themselves.

“It’s not that they’re necessarily going to be singled out by a targeted attack, or a hacker who wants to gain credibility, but a lot of attack vectors these days are very broad-based, and many are automated. They’re not really picky about who they target,” he says.

“And smaller companies are more at risk because of that.”

SMBs that are more reliant on their IT infrastructure are, ipso facto, more vulnerable and should consider their situation in detail and take steps to protect themselves, including contingency plans in the event of a breach.

And the need for better staff education is high: “It’s important that users know not to open certain kinds of emails or attachments. Not just setting policy, but ensuring that policy is followed.”

Anti-virus, firewalling, web filtering, intrusion prevention, and other standard security tools will all be required at a basic level. But this will not be enough for a significant proportion of SMB customers, and they will need guidance on deploying cost-effective security that works for them, Ellis reiterates.

“A good way for resellers to get in is to do a health check, or some vulnerability testing,” says Ellis.

Automated or semi-automated tools are available to perform such tests – meaning non-security specialists can get in on the action as well.

Jon Brooks, leader of the financial and executive risks practice at insurer Willis, says the government’s Cyber Essentials guide, released on 5 June (2014), is a good starting point for SMB education.

SMBs must consider the risk in full, the ramifications and the potential liabilities – not only may partners or customers seek redress in the event of a breach, but their long-term standing in terms of reputation and valued supplier status can be at risk. And then there’s the cost of downtime.

“Cyber Essentials at least allows UK businesses to have a common understanding of what that basic level of protection is,” he says.

Cyber Essentials, however, doesn’t refer to mobile phones and other gadgets – all of which need to be considered in an effective SMB security offering. Mobility has definitely increased the risk, notes Brooks.

“There are lots of issues there, and lots of education required. And there’s basic human error,” he adds.

“I think the supply chain risk is misunderstood.”

He points out that the theft of 70 million customer records, including names, addresses, emails and phone numbers, from US retailer Target is believed to have come via its air-conditioning company, FSM – which had itself been attacked.

The security question hasn’t become any easier to answer, for any size of firm. A FireEye study of real-world data collected from 1,216 organisations across the globe, from October 2013 to March 2014, found that 97 per cent had been breached, with all methods of protection being circumvented.

“No corner of the world is remote enough to avoid falling into attackers’ crosshairs, and current defences are stopping virtually none of them,” FireEye wrote in the resulting report.

“Three-fourths of the systems observed in our tests had active command-and-control (CnC) sessions taking place. These systems weren’t just compromised; they were being actively used by an attacker for activities that could include exfiltrating data.”

FireEye’s cross-industry sample reflected a broad range of attackers, techniques, and motives.

The range of security tools used in the FireEye tests – leading-vendor firewalls, intrusion detection and prevention systems, web proxies, network anti-virus, end-point anti-virus, and other anti-malware tools – failed to prevent at least 208,184 malware downloads, including 124,289 unique malware variants.

A quality answer to the undoubted need for security from malicious attacks is likely to involve combined, dynamic offerings geared to specific requirements.

One thing is for sure: SMBs, like other organisations, will keep needing the channel to help them discover the best solutions for them.