<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" gd:etag="W/&quot;CU8GSX06fyp7ImA9WhRUF08.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886</id><updated>2012-01-28T15:10:28.317+11:00</updated><category term="Rumours" /><category term="Security Vulnerability" /><category term="Social Media" /><category term="Windows XP" /><category term="Business Continuity Planning" /><category term="Detection" /><category term="Cyber Crime" /><category term="Risk Management" /><category term="Power Grid" /><category term="Application Security" /><category term="Apple" /><category term="Techniques" /><category term="RSA" /><category term="Integrity" /><category term="Testing" /><category term="Financial Crime" /><category term="Security Predictions" /><category term="Identity Theft" /><category term="Security Awareness" /><category term="Regulations" /><category term="Wireless Security" /><category term="Microsoft Vulnerability" /><category term="Critical Infrastructure" /><category term="Security Applications" /><category term="Whitepapers" /><category term="Identity Management" /><category term="Guidelines" /><category term="facebook" /><category term="Web Server" /><category term="Security Tips" /><category term="Control Systems" /><category term="Wishes" /><category term="Policies" /><category term="Computer Science" /><category term="Search Engines" /><category term="Guideliness" /><category term="Improvement" /><category term="Strategy" /><category term="Preventions" /><category term="Presentations" /><category term="Views" 
/><category term="Firefox" /><category term="Web Hacking" /><category term="Tip" /><category term="Unix Security" /><category term="Email Security" /><category term="Security Videos" /><category term="Anti-Virus" /><category term="Internet Explorer" /><category term="Information" /><category term="Data Breach" /><category term="US-Cert" /><category term="Security Tutorials" /><category term="Patch Management" /><category term="Innovation" /><category term="Cryptography" /><category term="consumer" /><category term="Microsoft" /><category term="Iphone" /><category term="Fraud Management" /><category term="Zero Day" /><category term="artcile share" /><category term="Microsoft Patches" /><category term="Endpoint Security" /><category term="Encryption" /><category term="Security Stats" /><category term="Artificial Intelligence" /><category term="Network Security" /><category term="Chrome" /><category term="Security Scanner" /><category term="Security Tools" /><category term="Intrusion" /><category term="Cyber Security" /><category term="Downloads" /><category term="Spam" /><category term="Law" /><category term="ISACA" /><category term="Information Technology" /><category term="Social Networking" /><category term="Mobile Security" /><category term="Reports" /><category term="Worm" /><category term="Pen-Testing" /><category term="Cloud Computing" /><category term="Webinar" /><category term="Asset Protection" /><category term="Security Events" /><category term="Fun" /><category term="ICS" /><category term="Google" /><category term="Internet Security" /><category term="Piracy" /><category term="Conferences" /><category term="Definitions" /><category term="Recommendations" /><category term="Web Security" /><category term="General Information" /><category term="Authentication" /><category term="Tools" /><category term="PCI Compliance" /><category term="Utilities" /><category term="Vulnerability Management" /><category term="ATM" /><category term="DNS" /><category term="Data 
loss" /><category term="Magazines" /><category term="In" /><category term="Incidents" /><category term="Procedures" /><category term="Summit" /><category term="Security Standards" /><category term="Cyber Attacks" /><category term="Security Review" /><category term="Security Attacks" /><category term="Smart Grid" /><category term="Incident Management" /><category term="Productivity" /><category term="Trends" /><category term="Forensic" /><category term="Compliance" /><category term="Privacy" /><category term="Web Browsers" /><category term="SCADA" /><category term="physical security" /><category term="News" /><category term="Adobe" /><category term="Business Performance" /><category term="IT Recruitment" /><category term="Cyber-Terrorism" /><category term="Article Review" /><category term="Smart Meter" /><category term="Gmail" /><category term="Security Resources" /><category term="Developments" /><category term="Operational Security" /><category term="APT" /><category term="Web Application Security" /><category term="Smart cards" /><category term="Security News" /><category term="Security Scams" /><category term="Bank Security" /><category term="Process" /><category term="Smartphones" /><category term="Hacking" /><category term="XSS" /><category term="Blackhat" /><category term="Security Metrics" /><category term="Legal" /><category term="Credit Card Security" /><category term="Webcasts" /><category term="Phishing" /><category term="Surveys" /><category term="Twitter" /><category term="Architecture" /><category term="Security Framework" /><category term="Online Banking" /><category term="Linux Security" /><category term="PLC" /><category term="Information Security" /><category term="Security" /><category term="Firewall" /><category term="Security Management" /><category term="Security Audit" /><category term="Data Protection" /><category term="Government" /><category term="Security Advice" /><category term="Response" /><category term="Security Best Practices" 
/><category term="Virus" /><category term="Security Trends" /><category term="Article Share" /><category term="Security update" /><category term="Software" /><category term="Android" /><category term="Investigations" /><category term="Operating System" /><category term="Yahoo" /><category term="Application" /><category term="Windows 7" /><category term="Microsoft Office" /><category term="Governance" /><category term="Biometrics" /><category term="Cyber Ethics" /><category term="Social Engineering" /><category term="Security Research" /><category term="Hacking Tools" /><category term="Data Security" /><category term="Malware" /><category term="Security Education" /><category term="Security Threats" /><category term="Exploits" /><category term="Information Systems" /><category term="PWN2OWN" /><category term="Botnet" /><category term="Security Alerts" /><category term="Disaster Recovery" /><category term="Training" /><category term="e-commerce" /><title>Shoaib Yousuf</title><subtitle type="html">"A Good Hacker Is A Well Known Hacker, A Great Hacker Is A Mystery..."</subtitle><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://www.shoaibyousuf.com/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default?start-index=26&amp;max-results=25&amp;redirect=false&amp;v=2" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><generator version="7.00" 
uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>725</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/ShoaibYousuf" /><feedburner:info uri="shoaibyousuf" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>ShoaibYousuf</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><feedburner:feedFlare href="http://add.my.yahoo.com/rss?url=http%3A%2F%2Ffeeds.feedburner.com%2FShoaibYousuf" src="http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo4.gif">Subscribe with My Yahoo!</feedburner:feedFlare><feedburner:feedFlare href="http://fusion.google.com/add?feedurl=http%3A%2F%2Ffeeds.feedburner.com%2FShoaibYousuf" src="http://buttons.googlesyndication.com/fusion/add.gif">Subscribe with Google</feedburner:feedFlare><entry gd:etag="W/&quot;AkYEQX4zfSp7ImA9WhRUFkg.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-645579192924436833</id><published>2012-01-27T20:55:00.004+11:00</published><updated>2012-01-27T20:55:00.085+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-01-27T20:55:00.085+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Trends" /><category scheme="http://www.blogger.com/atom/ns#" term="Credit Card Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Cyber Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Financial Crime" /><category scheme="http://www.blogger.com/atom/ns#" term="Cyber Crime" /><category scheme="http://www.blogger.com/atom/ns#" term="Information Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Predictions" /><category 
scheme="http://www.blogger.com/atom/ns#" term="Online Banking" /><title>Top Skimming Trends to watch in 2012</title><content type="html">&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;b&gt;&lt;span class="Apple-style-span"   style="font-size:100%;color:#3366ff;"&gt;2012: Year of the Skimmer&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Fraud losses linked to card skimming are quickly hitting epidemic proportions. So what are the top card-skimming trends financial institutions and financial-services providers should be on the lookout for in 2012? Industry experts weigh in to offer their domestic and global perspectives.&lt;br /&gt;&lt;br /&gt;The top six trends to watch:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;ATM attacks;&lt;/li&gt;&lt;li&gt;Network hacks;&lt;/li&gt;&lt;li&gt;Crime rings aiming for retail;&lt;/li&gt;&lt;li&gt;Skimming at self-service points of sale;&lt;/li&gt;&lt;li&gt;International fraud migration; and&lt;/li&gt;&lt;li&gt;EMV in the U.S.&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;ATMs: The No. 1 Target&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;In 2011, debit fraud losses for the first time outpaced losses associated with credit fraud. The reason for tipping of the fraud-loss scales: skimming.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;ATM Skimming&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;ADT Security Solutions in early 2010 estimated financial losses per ATM-skimming incident averaged $30,000. Now, as the average loss to ATM skimming has jumped $20,000, it's clear card fraud and skimming are increasing. And the industry can expect more fraud losses in 2012 as global crime rings enhance their networks and improve their techniques to exploit lingering magnetic-stripe technology.&lt;br /&gt;&lt;br /&gt;ATMs are typically the last to be upgraded from a hardware perspective.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;More Network Hacks&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Institutions and retailers need to focus more attention on locking down their networks. 
As institutions and businesses connect more networks and systems to achieve enterprise-level data management, they increase their risk of exposure. If a system is compromised, fraudsters can easily access every server, POS device, ATM, PC and network that's connected to that system.&lt;br /&gt;&lt;br /&gt;The widespread deployment and use of common and well-known operating systems, such as Windows, compounds the problem. Fraudsters know how to get in, and with evolving malware, it's getting easier for them to wage successful attacks.&lt;br /&gt;&lt;br /&gt;Advances in wireless communications will also bring fraudsters greater rewards from skimming in 2012. Network security holes aside, skimming schemes themselves will become easier, as wireless communications and Bluetooth technology have made it increasingly easy for fraudsters to remotely transmit card data once it's been skimmed.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Crime Rings Aim for Retail&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;In 2011's skimming breaches at Michaels and Save Mart/Lucky Supermarkets, open communication between retailers and card issuers kept fraud losses and card compromises in check. Once the fraud starts to occur, it just makes everyone's job easier when the retailers take a transparent and proactive approach.&lt;br /&gt;&lt;br /&gt;Those attacks have illustrated how critical it is for retailers to invest in real-time fraud monitoring. The incidents also prove retailers have an incentive to move toward the Europay, MasterCard, Visa (EMV) standard. At least 50 percent of the card-present fraud is charged back to the merchants. They are now motivated to make a move to EMV because they won't see those chargebacks. 
And there is more authentication with the chip, so that will help reduce fraud as well.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;A Security Soft Spot&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;As the Lucky's breach and countless other attacks on self-service payment devices, including pay-the-pump gas terminals, prove, any terminal that accepts credit and debit cards will be targeted by fraudsters. Even ATM vestibule doors, which read debit swipes for entry, are compromised with ease.&lt;br /&gt;&lt;br /&gt;But despite the fact that EMV and anti-skimming measures have displaced ATM attacks in the markets that adopted them, ATM fraud continues. During the last six months of 2011, Europe saw upticks in low-tech ATM-fraud schemes, such as cash-trapping. Cash trapping, as the name suggests, prevents bills from being dispensed. European ATM deployers are addressing the trend with physical ATM inspections and investments in enhanced tampering-detection technology.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Geo-Blocking and International Backlash&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Despite innovative moves to curb card fraud in Europe, skimming remains a global problem. Even as fraud migrates and different global regions progress in their adoption of EMV, losses associated with skimming continue to escalate.&lt;br /&gt;&lt;br /&gt;This year, expect more fraud migration and increasing losses, especially in the United States. Part of that migration will be spurred by steps European countries are taking to shut off mag-stripe acceptance as a way to reduce financial losses associated with skimming.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Migrating Fraud&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;The United States can expect skimming to increase. Why? Fraud will migrate from other parts of the world, where card security is more sophisticated.&lt;br /&gt;&lt;br /&gt;Compliance with EMV in western Europe and parts of central and eastern Europe over the last five to 10 years initiated the migration of fraud. 
Now that EMV is the standard in neighboring Mexico and Canada, hits to U.S. card issuers and acquirers will be substantially higher. Card fraud linked to skimming will be the catalyst.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;EMV in the U.S&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Movement toward EMV compliance, to address growing card fraud, is not far off for the United States. Visa and MasterCard have both issued soft dates for a U.S. movement toward EMV. MasterCard set an April 2013 deadline for all U.S. ATMs to be EMV compliant; and Visa announced compliance dates of 2013 and 2015 for U.S. merchants.&lt;br /&gt;&lt;br /&gt;Last week, Visa provided EMV guidance and suggested EMV adoption best practices for U.S. merchants and card issuers.&lt;br /&gt;&lt;br /&gt;In 2013, the responsibility for fraud losses will shift from the EMV card issuer to the acquirer. Given that stipulation, 2012 will see an increase in EMV activity.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-645579192924436833?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/645579192924436833/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=645579192924436833" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/645579192924436833?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/645579192924436833?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/9cXR_bLnEqw/top-skimming-trends-to-watch-in-2012.html" title="Top Skimming Trends to watch in 2012" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2012/01/top-skimming-trends-to-watch-in-2012.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0QCQXw-eSp7ImA9WhRUFE0.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-2742158427515502377</id><published>2012-01-24T21:36:00.002+11:00</published><updated>2012-01-24T21:36:00.251+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-01-24T21:36:00.251+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Operational Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Risk Management" /><category scheme="http://www.blogger.com/atom/ns#" term="Malware" /><category scheme="http://www.blogger.com/atom/ns#" term="Data Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Information Security" /><category 
scheme="http://www.blogger.com/atom/ns#" term="Incident Management" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Management" /><category scheme="http://www.blogger.com/atom/ns#" term="Wireless Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Network Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Application Security" /><title>20 critical controls for effective cyber defence</title><content type="html">&lt;div&gt;&lt;span style="  ;font-family:verdana;font-size:medium;color:#3366ff;"  &gt;&lt;b&gt;Baseline of high-priority information security measures and controls&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="  ;font-family:verdana;font-size:medium;" &gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="  ;font-family:verdana;font-size:medium;" &gt;The Centre for the Protection of National Infrastructure is participating in an international government-industry effort to promote the top twenty critical controls for computer and network security. The development of these controls is being coordinated by the SANS Institute.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;The Top Twenty Critical Security Controls are a baseline of high-priority information security measures and controls that can be applied across an organisation in order to improve its cyber defence. 
The controls (and sub-controls) focus on various technical measures and activities, with the primary goal of helping organisations prioritise their efforts to defend against the current most common and damaging computer and network attacks.&lt;br /&gt;&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;The controls (and sub-controls) focus on various technical measures and activities, with the primary goal of helping organisations prioritise their efforts to defend against the current most common and damaging computer and network attacks. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Outside of the technical realm, a comprehensive security program should also take into account many other areas of security, including overall policy, organisational structure, personnel issues and physical security. To help maintain focus, the twenty controls do not deal with these important but non-technical aspects of information security.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;The twenty controls and supporting advice are dynamic in order that they recognise changing technology and methods of attack. All twenty controls, together with a brief description, are given below. For further information, visit the &lt;a href="http://www.sans.org/"&gt;SANS website&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;b&gt;CONTROL 1 - INVENTORY OF AUTHORISED AND UNAUTHORISED DEVICES&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;Reduce the ability of attackers to find and exploit unauthorised and unprotected systems. 
Use active monitoring and configuration management to maintain an up-to-date inventory of devices connected to the enterprise network, including servers, workstations, laptops, mobile, and remote devices.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;b&gt;CONTROL 2 - INVENTORY OF AUTHORISED AND UNAUTHORISED SOFTWARE&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;Identify vulnerable or malicious software to mitigate or root out attacks. Devise a list of authorised software for each type of system, and deploy tools to track software installed (including type, version, and patches) and monitor for unauthorised or unnecessary software.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;b&gt;CONTROL 3 - SECURE CONFIGURATIONS FOR HARDWARE AND SOFTWARE ON LAPTOPS, WORKSTATIONS, AND SERVERS&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;Prevent attackers from exploiting services and settings that allow easy access through networks and browsers. Build a secure image that is used for all new systems deployed to the enterprise, host these standard images on secure storage servers, regularly validate and update these configurations, and track system images in a configuration management system.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;b&gt;CONTROL 4 - CONTINUOUS VULNERABILITY ASSESSMENT AND REMEDIATION&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;Proactively identify and repair software vulnerabilities reported by security researchers or vendors. 
Regularly run automated vulnerability scanning tools against all systems and quickly remediate any vulnerabilities - with critical problems fixed within 48 hours.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;CONTROL 5 - MALWARE DEFENCES&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;Block malicious code from tampering with system settings or contents, capturing sensitive data, or spreading. Use automated anti-virus and anti-spyware software to continuously monitor and protect workstations, servers, and mobile devices. Automatically update such anti-malware tools on all machines on a daily basis. Prevent systems from using auto-run programs to access removable media.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;b&gt;CONTROL 6 - APPLICATION SOFTWARE SECURITY&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;Scan for, discover, and remediate vulnerabilities in web-based and other application software. Carefully test internally developed and third-party application software for security flaws, including coding errors and malware. Deploy web application firewalls that inspect all traffic, and explicitly check for errors in all user input (including by size and data type).&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;b&gt;CONTROL 7 - WIRELESS DEVICE CONTROL&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;Protect the security perimeter against unauthorised wireless access. 
Allow wireless devices to connect to the network only if they match an authorised configuration and security profile and have a documented owner and defined business need. Ensure that all wireless access points are manageable using enterprise management tools. Configure scanning tools to detect wireless access points.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;b&gt;CONTROL 8 - DATA RECOVERY CAPABILITY&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;Minimise the damage from an attack: Implement a trustworthy plan for removing all traces of an attack. Automatically back up all information required to fully restore each system, including the operating system, application software, and data. Back up all systems at least weekly; back up sensitive systems more often. Regularly test the restoration process.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;b&gt;CONTROL 9 - SECURITY SKILLS ASSESSMENT AND APPROPRIATE TRAINING TO FILL GAPS&lt;/b&gt;&lt;br /&gt;Find knowledge gaps, and fill them with exercises and training. 
Develop a Security Skills Assessment program, map training against the skills required for each job, and use the results to allocate resources effectively to improve security practices.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;b&gt;CONTROL 10 - SECURE CONFIGURATIONS FOR NETWORK DEVICES SUCH AS FIREWALLS, ROUTERS, AND SWITCHES&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;Preclude electronic holes from forming at connection points with the Internet, other organisations, and internal network segments: Compare firewall, router, and switch configurations against standards for each type of network device. Ensure that any deviations from the standard configurations are documented and approved and that any temporary deviations are undone when the business need abates.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;b&gt;CONTROL 11 - LIMITATION AND CONTROL OF NETWORK PORTS, PROTOCOLS, AND SERVICES&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;Allow remote access only to legitimate users and services. Apply host-based firewalls and port-filtering and scanning tools to block traffic that is not explicitly allowed. Properly configure web servers, mail servers, file and print services, and domain name system (DNS) servers to limit remote access. Disable automatic installation of unnecessary software components. 
Move servers inside the firewall unless remote access is required for business purposes.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;b&gt;CONTROL 12 - CONTROLLED USE OF ADMINISTRATIVE PRIVILEGES&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;Protect and validate administrative accounts on desktops, laptops, and servers to prevent two common types of attack: (1) enticing users to open a malicious e-mail, attachment, or file, or to visit a malicious website; and (2) cracking an administrative password and thereby gaining access to a target machine. Use robust passwords that follow known standards.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;b&gt;CONTROL 13 - BOUNDARY DEFENCE&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;Control the flow of traffic through network borders, and police content by looking for attacks and evidence of compromised machines. Establish multilayered boundary defences by relying on firewalls, proxies, demilitarised zone (DMZ) perimeter networks, and other network-based tools. Filter inbound and outbound traffic, including through business partner networks (“extranets”).&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;b&gt;CONTROL 14 - MAINTENANCE, MONITORING, AND ANALYSIS OF SECURITY AUDIT LOGS&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;Use detailed logs to identify and uncover the details of an attack, including the location, malicious software deployed, and activity on victim machines. 
Generate standardised logs for each hardware device and the software installed on it, including date, time stamp, source addresses, destination addresses, and other information about each packet and/or transaction. Store logs on dedicated servers, and run biweekly reports to identify and document anomalies.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;b&gt;CONTROL 15 - CONTROLLED ACCESS BASED ON THE NEED TO KNOW&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;Prevent attackers from gaining access to highly sensitive data. Carefully identify and separate critical data from information that is readily available to internal network users. Establish a multilevel data classification scheme based on the impact of any data exposure, and ensure that only authenticated users have access to non-public data and files.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;b&gt;CONTROL 16 - ACCOUNT MONITORING AND CONTROL&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;Prevent attackers from impersonating legitimate users. Review all system accounts and disable any that are not associated with a business process and owner. Immediately revoke system access for terminated employees or contractors. Disable dormant accounts and encrypt and isolate any files associated with such accounts. Use robust passwords that follow known standards.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;b&gt;CONTROL 17 - DATA LOSS PREVENTION&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;Stop unauthorised transfer of sensitive data through network attacks and physical theft. 
Scrutinise the movement of data across network boundaries, both electronically and physically, to minimise the exposure to attackers. Monitor people, processes, and systems, using a centralised management framework.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;b&gt;CONTROL 18 - INCIDENT RESPONSE CAPABILITY&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;Protect the organisation’s reputation, as well as its information. Develop an incident response plan with clearly delineated roles and responsibilities for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;b&gt;CONTROL 19 - SECURE NETWORK ENGINEERING&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;Keep poor network design from enabling attackers. Use a robust, secure network engineering process to prevent security controls from being circumvented. Deploy network architecture with at least three tiers: DMZ, middleware, private network. Allow rapid deployment of new access controls to quickly deflect attacks.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;b&gt;CONTROL 20 - PENETRATION TESTS AND RED TEAM EXERCISES&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;Use simulated attacks to improve organisational readiness. Conduct regular internal and external penetration tests that mimic an attack to identify vulnerabilities and gauge the potential damage. 
Use periodic red team exercises—all out attempts to gain access to critical data and systems— to test existing defences and response capabilities.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;b&gt;&lt;span class="Apple-style-span"  style="color:#ff0000;"&gt;Prioritisation of the critical controls:&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;The twenty controls are a baseline of high-priority ‘technical’ information security measures and controls that can be applied across an organisation to improve its cyber defence. In order for a control to be a high priority, it must provide a direct defence against attacks. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Controls that mitigate known attacks, or a wide variety of attacks, or attacks early in the compromise cycle, all have priority over other controls. Controls that mitigate the impact of a successful attack also have a high priority. Special consideration is given to controls that help mitigate attacks that have not yet been discovered.&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-2742158427515502377?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/2742158427515502377/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=2742158427515502377" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/2742158427515502377?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/2742158427515502377?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/qf0NmjM51hc/20-critical-controls-for-effective.html" title="20 critical controls for effective cyber defence" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2012/01/20-critical-controls-for-effective.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DE4GQX09eCp7ImA9WhRUEko.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-2015920435216330642</id><published>2012-01-23T11:02:00.000+11:00</published><updated>2012-01-23T11:02:00.360+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-01-23T11:02:00.360+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Credit Card Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Guidelines" /><category scheme="http://www.blogger.com/atom/ns#" term="Financial Crime" /><category scheme="http://www.blogger.com/atom/ns#" term="News" /><category scheme="http://www.blogger.com/atom/ns#" term="Cyber Crime" /><category 
scheme="http://www.blogger.com/atom/ns#" term="Fraud Management" /><category scheme="http://www.blogger.com/atom/ns#" term="Bank Security" /><category scheme="http://www.blogger.com/atom/ns#" term="ATM" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Trends" /><category scheme="http://www.blogger.com/atom/ns#" term="Identity Theft" /><title>Insider Scams and Fraud a Growing Trend</title><content type="html">&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;&lt;b&gt;&lt;span class="Apple-style-span"  style="color:#3366ff;"&gt;Teenager Sentenced for Card Skimming&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;A 17-year-old was slapped with a 60-day jail sentence after he was busted for skimming credit and debit details while working the drive-thru window at a McDonald's restaurant in Olympia, Wash. &lt;b&gt;This insider scam highlights a card fraud trend the industry needs to watch&lt;/b&gt;.&lt;br /&gt;&lt;br /&gt;This case highlights just how easy it is for insiders to perpetrate card fraud, especially in a retail environment. Even if we protect the ATMs and POS devices, insider fraud like this will take place due to the ease with which criminals can get their hands on the appropriate devices. This is an industry that clearly needs an elegant and innovative solution (not EMV) that can at least make it an order of magnitude harder for skimmers to succeed.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Transactions Monitored&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;In the McDonald's incident, the teen's card-fraud scheme was foiled before exceeding $13,000 in losses after transaction monitoring traced the fraud. Detectives connected the dots and linked fraud to the Olympia McDonald's when contacted by the Washington State Employees Credit Union about fraudulent transactions hitting member accounts.&lt;br /&gt;&lt;br /&gt;The credit union found one commonality: All of the compromised cards had been used at the same McDonald's. 
McDonald's management later confirmed the juvenile suspect had worked the drive-thru every time one of the compromised cards had been used.&lt;br /&gt;&lt;br /&gt;The teenager used the stolen card numbers, which he collected with a handheld skimming device, to buy gift cards at retail stores such as Walmart and Toys R Us, according to &lt;a href="http://www.thenewstribune.com/2012/01/09/1976115/teen-sentenced-for-skimming-credit.html"&gt;a news report&lt;/a&gt;. With the fraudulently purchased gift cards, he allegedly bought about $13,000 worth of merchandise that he later sold on Craigslist and eBay for profit.&lt;br /&gt;&lt;br /&gt;The purchases the teenager made included iPads, computers, video game systems and digital cameras, according to the &lt;a href="http://www.co.thurston.wa.us/pao/"&gt;Thurston County Prosecuting Attorney's Office&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The teen has been in custody since Nov. 16, after his parents refused to post bail. On Monday, he pleaded guilty to two juvenile counts of forgery and two juvenile counts of identity theft. As part of his sentence, the court has asked that he pay restitution to the victims whose cards were compromised.&lt;br /&gt;&lt;br /&gt;The investigation is ongoing because other suspects may be involved.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-2015920435216330642?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/2015920435216330642/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=2015920435216330642" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/2015920435216330642?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/2015920435216330642?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/iHad9BxBlCM/insider-scams-and-fraud-growing-trend.html" title="Insider Scams and Fraud a Growing Trend" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2012/01/insider-scams-and-fraud-growing-trend.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEMEQX8_eip7ImA9WhRUEEw.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-3265006520873652269</id><published>2012-01-20T10:40:00.001+11:00</published><updated>2012-01-20T10:40:00.142+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-01-20T10:40:00.142+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Cyber Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Utilities" /><category scheme="http://www.blogger.com/atom/ns#" term="Cyber Attacks" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Resources" /><category scheme="http://www.blogger.com/atom/ns#" term="Reports" /><category 
scheme="http://www.blogger.com/atom/ns#" term="Malware" /><category scheme="http://www.blogger.com/atom/ns#" term="Cyber-Terrorism" /><category scheme="http://www.blogger.com/atom/ns#" term="Control Systems" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Research" /><category scheme="http://www.blogger.com/atom/ns#" term="SCADA" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Trends" /><category scheme="http://www.blogger.com/atom/ns#" term="ICS" /><title>Stuxnet Analysis Report by Cyber Security Forum Initiative (CSFI)</title><content type="html">&lt;span style="font-family:verdana;font-size:100%;"&gt;&lt;b&gt;&lt;span class="Apple-style-span"  style="color:#3366ff;"&gt;A must-read report which will answer many of your questions regarding STUXNET!!&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;The Cyber Security Forum Initiative (CSFI) is a non-profit organization headquartered in Omaha, NE and in Washington DC with a mission "to provide Cyber Warfare awareness, guidance, and security solutions through collaboration, education, volunteer work, and training to assist the US Government, US Military, Commercial Interests, and International Partners."&lt;br /&gt;&lt;br /&gt;CSFI was born out of the collaboration of dozens of experts, and today CSFI is comprised of a large community of nearly 5000 Cyber Security and Cyber Warfare professionals from the government, military, private sector, and academia. 
Our amazing members are the core of all of our activities, and it is for them that we are pushing forward our mission.&lt;br /&gt;&lt;br /&gt;So, after quite some time of working behind the scenes, and making an effort to focus on essence rather than buzz, the CSFI have published their official report on Stuxnet.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Scope of Research&lt;/b&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Find the source code of the attack&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Reverse engineer the code&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Create a countermeasure and recommendation for this type of attack&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Understand the political motivations behind this attack&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Explain how such a piece of malware can be used in a cyber warfare scenario&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Can Iran retaliate using the same form of cyber attack?&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;Feel free to download the report from here: &lt;a href="http://blog.security-art.com/wp-content/uploads/2010/10/CSFI_Stuxnet_Report_V1.pdf"&gt;CSFI_Stuxnet_Report_V1&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;You can also watch the demonstration video on the CSFI website: http://csfi.us/?page=stuxnet&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-3265006520873652269?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/3265006520873652269/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=3265006520873652269" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/3265006520873652269?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/3265006520873652269?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/e0IpkLlEYNk/stuxnet-analysis-report-by-cyber.html" title="Stuxnet Analysis Report by Cyber Security Forum Initiative (CSFI)" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2012/01/stuxnet-analysis-report-by-cyber.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUMAQHw5eSp7ImA9WhRVGEo.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-357523726401606186</id><published>2012-01-18T20:04:00.000+11:00</published><updated>2012-01-18T20:04:01.221+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-01-18T20:04:01.221+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Guidelines" /><category scheme="http://www.blogger.com/atom/ns#" term="Cyber Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Financial Crime" /><category scheme="http://www.blogger.com/atom/ns#" term="Article Share" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Best 
Practices" /><category scheme="http://www.blogger.com/atom/ns#" term="Cyber Attacks" /><category scheme="http://www.blogger.com/atom/ns#" term="Security News" /><category scheme="http://www.blogger.com/atom/ns#" term="Malware" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Research" /><category scheme="http://www.blogger.com/atom/ns#" term="Anti-Virus" /><category scheme="http://www.blogger.com/atom/ns#" term="Worm" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Trends" /><title>Ramnit Worm Threatens Online Accounts</title><content type="html">&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;&lt;b&gt;&lt;span class="Apple-style-span"  style="color:#3366ff;"&gt;Facebook Targeted by Fraudsters Seeking Log-in Credentials&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;Ramnit is a worm, which means that, unlike other types of malware, it can spread to other computers without being sent through e-mail or a malicious website. Ramnit, which surfaced in April 2010, continues to evolve.&lt;br /&gt;&lt;br /&gt;In August 2011, security vendor Trusteer was the first to discover Ramnit's merger with the Zeus variant designed to target online banking accounts. The Ramnit-Zeus hybrid was superior because of its advanced man-in-the-browser capabilities, which enabled it to steal online banking and corporate log-in credentials. 
&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;The Ramnit hybrid bypassed two-factor authentication, and between September 2011 and December 2011, Trusteer estimated that some 800,000 machines had been infected.&lt;br /&gt;&lt;br /&gt;Once launched on a corporate PC, Ramnit's browser penetration module steals internal and software-as-a-service credentials. Incoming web pages can then be modified using an HTML injection to request and steal more sensitive information.&lt;br /&gt;&lt;br /&gt;Ramnit's man-in-the-middle looks like an actual social-media or bank-account sign-in page that captures a user's ID and password, and sometimes other personal information en route to the actual log-in page. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;The difference, however, is that the page in the middle captures authentication data and allows the attacker to gain access to the victim's accounts at will.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;&lt;b&gt;Ramnit compromised 45000 Facebook accounts and is now targeting financial accounts...&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;Researchers advise that the Ramnit worm, which last year defeated two-factor authentication 
measures used to protect online banking accounts and corporate networks, is now targeting Facebook - a development that should especially concern financial service businesses.&lt;b&gt;&lt;blockquote&gt;&lt;/blockquote&gt;&lt;/b&gt;Lab researchers working for the Israel-based provider of cyberthreat management services &lt;a href="http://blog.seculert.com/2012/01/ramnit-goes-social.html"&gt;say&lt;/a&gt; Ramnit has been linked to the compromise of more than 45,000 Facebook log-in credentials, primarily hitting users in the United Kingdom and France.&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;blockquote&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;"We suspect that the attackers behind Ramnit are using the stolen credentials to log in to victims' Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware's spread even further," &lt;a href="http://blog.seculert.com/2012/01/ramnit-goes-social.html"&gt;says a blog posted on Seculert's website Jan. 5&lt;/a&gt;. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;"In addition, cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) 
to gain remote access to corporate networks."&lt;/span&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;Because users often use the same log-in and password credentials for multiple accounts, the threat of Ramnit attacks should be concerning to every industry, not just financial services, though financial institutions often have the most to lose when consumers' online banking accounts are breached.&lt;br /&gt;&lt;blockquote&gt;"As demonstrated by the 45,000 compromised Facebook subscribers, the viral power of social networks can be manipulated to cause considerable damage to individuals and institutions when it is in the wrong hands," Seculert says.&lt;/blockquote&gt;&lt;b&gt;A Call for Multifactor Authentication&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;Bill Wansley, an analyst at Booz Allen Hamilton, says every organization should take Ramnit's rapid evolution as a sign that outdated authentication measures are no longer effective.&lt;br /&gt;&lt;blockquote&gt;"Passwords are not very useful for anything anymore," Wansley says. "They are just too easy to forget, copy or break. Everyone needs to go to multifactor authentication - like Google has recently - for social-media sign-in, and certainly for anything that is for financial or medical-related accounts."&lt;/blockquote&gt;Passphrases are better than passwords, but multifactor authentication is the new standard. "Nobody should be using their social-media passwords or phrases for their financial accounts," Wansley says.&lt;br /&gt;&lt;br /&gt;In the financial space, cybercriminals increasingly use older malware to capture individual passwords and personal information that is later exploited to gain access to financial accounts. 
&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;"The Ramnit example is typical of these type attacks," Wansley says. "Ramnit is actually an older malicious code that has been updated with new features to achieve other purposes."&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-357523726401606186?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/357523726401606186/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=357523726401606186" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/357523726401606186?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/357523726401606186?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/n3t4XYwdp5Q/ramnit-worm-threatens-online-accounts.html" title="Ramnit Worm Threatens Online Accounts" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2012/01/ramnit-worm-threatens-online-accounts.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DU8GQXk5eCp7ImA9WhRVFkw.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-3972893645996387285</id><published>2012-01-15T19:57:00.001+11:00</published><updated>2012-01-15T19:57:00.720+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-01-15T19:57:00.720+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Cyber Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Authentication" /><category scheme="http://www.blogger.com/atom/ns#" term="Asset Protection" /><category scheme="http://www.blogger.com/atom/ns#" term="Encryption" /><category scheme="http://www.blogger.com/atom/ns#" term="Identity Management" /><category 
scheme="http://www.blogger.com/atom/ns#" term="Techniques" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Standards" /><category scheme="http://www.blogger.com/atom/ns#" term="Information Technology" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Trends" /><category scheme="http://www.blogger.com/atom/ns#" term="Data Protection" /><title>Signcryption: New Technology &amp; Standard to improve Cyber Security</title><content type="html">&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;&lt;b&gt;&lt;span class="Apple-style-span"  style="color:#3366ff;"&gt;Signcryption is a technology that protects confidentiality and authenticity, seamlessly and simultaneously&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;For example, when you log in to your online bank account, signcryption prevents your username and password from being seen by unauthorized individuals. At the same time, it confirms your identity for the bank.&lt;br /&gt;&lt;br /&gt;UNC Charlotte professor Yuliang Zheng invented the revolutionary new technology and he continues his research in the College of Computing and Informatics. After nearly a three-year process, his research efforts have been formally recognized as an international standard by the International Organization for Standardization (ISO).&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;News of the ISO adoption comes amidst daily reports of cyber attack and cyber crime around the world. Zheng says the application will also enhance the security and privacy of cloud computing.&lt;br /&gt;&lt;br /&gt;“The adoption of signcryption as an international standard is significant in several ways,” he said. 
“It will now be the standard worldwide for protecting confidentiality and authenticity during transmissions of digital information.”&lt;br /&gt;&lt;br /&gt;“This will also allow smaller devices, such as smartphones and PDAs, 3G and 4G mobile communications, as well as emerging technologies, such as radio frequency identifiers (RFID) and wireless sensor networks, to perform high-level security functions,” Zheng said. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;“And, by performing these two functions simultaneously, we can save resources, be it an individual’s time or be it energy, as it will take less time to perform the task.”&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-3972893645996387285?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/3972893645996387285/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=3972893645996387285" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/3972893645996387285?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/3972893645996387285?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/KXmi7Lhx9Ok/signcryption-new-technology-standard-to.html" title="Signcryption: New Technology &amp; Standard to improve Cyber Security" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2012/01/signcryption-new-technology-standard-to.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkMGQXwzfSp7ImA9WhRVFEg.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-4883382850637086599</id><published>2012-01-13T21:27:00.000+11:00</published><updated>2012-01-13T21:27:00.285+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-01-13T21:27:00.285+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Guidelines" /><category scheme="http://www.blogger.com/atom/ns#" term="Cyber Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Data Breach" /><category scheme="http://www.blogger.com/atom/ns#" term="Article Share" /><category scheme="http://www.blogger.com/atom/ns#" term="Cyber 
Attacks" /><category scheme="http://www.blogger.com/atom/ns#" term="Security News" /><category scheme="http://www.blogger.com/atom/ns#" term="Hacking" /><category scheme="http://www.blogger.com/atom/ns#" term="Anti-Virus" /><category scheme="http://www.blogger.com/atom/ns#" term="Information Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Vulnerability" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Trends" /><title>Indian Hackers has hacked Symantec Norton AntiVirus software!</title><content type="html">&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;b&gt;&lt;span class="Apple-style-span"   style="font-size:130%;color:#3366ff;"&gt;Symantec's Norton AntiVirus source code exposed by hackers&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;Symantec, the makers of Norton AntiVirus, has confirmed that a hacking group has gained access to some of the security product's source code.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;An Indian hacking group, calling itself the Lords of Dharmaraja, has threatened to publicly disclose the source code on the internet.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;So far, there have been two claims related to Symantec's source code.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;First, a document claiming to be confidential information related to Norton AntiVirus's source code was posted on Pastebin. 
Symantec says it has investigated the claim, and that - rather than source code - it was documentation dated from April 1999 related to an API (application programming interface) used by the product.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;And secondly, the hacking &lt;/span&gt;&lt;a href="http://www.infosecisland.com/blogview/19200-Symantec-Confirms-Norton-AV-Source-Code-Exposed.html" style="font-size: medium; "&gt;group shared source code&lt;/a&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt; related to what appears to have been the 2006 version of Symantec's Norton AntiVirus product with journalists from Infosec Island.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;Chris Paden, a Symantec spokesperson, confirmed to InfoSec Island that some of the firm's source code had been accessed:&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;"Symantec can confirm that a segment of its source code has been accessed. Symantec’s own network was not breached, but rather that of a third party entity."&lt;br /&gt;&lt;br /&gt;"We are still gathering information on the details and are not in a position to provide specifics on the third party involved."&lt;br /&gt;&lt;br /&gt;"Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec's solutions. Furthermore, there are no indications that customer information has been impacted or exposed at this time."&lt;br /&gt;&lt;br /&gt;"Symantec can confirm that a segment of its source code used in two of our older enterprise products has been accessed, one of which has been discontinued. The code involved is four and five years old. This does not affect Symantec's Norton products for our consumer customers. 
Symantec's own network was not breached, but rather that of a third party entity."&lt;br /&gt;&lt;br /&gt;"We are still gathering information on the details and are not in a position to provide specifics on the third party involved. Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec's solutions. Furthermore, there are no indications that customer information has been impacted or exposed at this time."&lt;br /&gt;&lt;br /&gt;"However, Symantec is working to develop remediation process to ensure long-term protection for our customers' information. We will communicate that process once the steps have been finalized. &lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;Given the early stages of the investigation, we have no further details to disclose at this time but will provide updates as we confirm additional facts."&lt;/span&gt;&lt;/blockquote&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;It's hard not to feel sympathy for Symantec - who appear to have been caught in the crossfire between a hacking gang and the Indian authorities.&lt;br /&gt;&lt;br /&gt;Although Symantec customers may not be at risk, it's easy to see how the software company will feel bruised by the publicity that the Lords of Dharmaraja have generated through their hack.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-4883382850637086599?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ShoaibYousuf?a=y-fQK1uroaU:M1IuZ5B4Wjs:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ShoaibYousuf?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/4883382850637086599/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=4883382850637086599" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/4883382850637086599?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/4883382850637086599?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/y-fQK1uroaU/indian-hackers-has-hacked-symantec.html" title="Indian Hackers has hacked Symantec Norton AntiVirus software!" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2012/01/indian-hackers-has-hacked-symantec.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DE4CQXk9eip7ImA9WhRVEko.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-552688440383766953</id><published>2012-01-11T21:16:00.001+11:00</published><updated>2012-01-11T21:16:00.762+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-01-11T21:16:00.762+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Guidelines" /><category scheme="http://www.blogger.com/atom/ns#" term="Risk Management" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Best Practices" /><category scheme="http://www.blogger.com/atom/ns#" term="Cyber Attacks" /><category scheme="http://www.blogger.com/atom/ns#" term="Security 
News" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Research" /><category scheme="http://www.blogger.com/atom/ns#" term="Information Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Vulnerability" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Trends" /><category scheme="http://www.blogger.com/atom/ns#" term="Network Security" /><title>WPS-enabled Wi-Fi routers are vulnerable to brute force attack</title><content type="html">&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;&lt;b&gt;&lt;span class="Apple-style-span"  style="color:#3366ff;"&gt;Security flaw found in Wi-Fi Protected Setup&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;The US Computer Emergency Readiness Team (US-CERT) &lt;a href="http://www.kb.cert.org/vuls/id/723755"&gt;warned&lt;/a&gt; of a security flaw in a popular tool intended to make it easier to add additional devices to a secure Wi-Fi network.&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://www.kb.cert.org/vuls/id/723755"&gt;organisation cited findings from security researcher Stefan Viehbock&lt;/a&gt;, who uncovered the security hole in the so-called Wi-Fi Protected Setup, or WPS, protocol, which is often bundled into Wi-Fi routers. &lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;font-size:100%;"&gt;The WPS protocol is designed to allow unskilled home users to set up secure networks using WPA encryption without much hassle. Users are then able to type in a shortened PIN instead of a long passphrase when adding a new device to the secure network.&lt;br /&gt;&lt;br /&gt;That method, however, also makes it much easier for hackers to break into a secure Wi-Fi network, US-CERT says. 
The security threat could affect millions of consumers, since the WPS protocol is enabled on most Wi-Fi routers sold today.&lt;br /&gt;&lt;br /&gt;The basic problem is that the security of the eight-digit PIN falls dramatically with more attempts to key in the password. When an attempt fails, the hacker can figure out whether the first four digits of the code are correct. From there, it can then narrow down the possibilities on the remaining digits until the code is cracked. Viehbock said that a hacker can get into a secure Wi-Fi hotspot in about two hours using this method to exploit a vulnerability.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Here's how US-CERT describes the flaw:&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;When the PIN authentication fails, the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct. Also, the last digit of the PIN is known, because it is a checksum for the PIN. This design greatly reduces the number of attempts needed to brute force the PIN. The number of attempts goes from 10&lt;sup&gt;8&lt;/sup&gt; to 10&lt;sup&gt;4&lt;/sup&gt; + 10&lt;sup&gt;3&lt;/sup&gt;, which is 11,000 attempts in total.&lt;br /&gt;&lt;br /&gt;It has been reported that some wireless routers do not implement any kind of lock-out policy for brute-force attempts. This greatly reduces the time required to perform a successful brute-force attack. It has also been reported that some wireless routers resulted in a denial-of-service condition, because of the brute-force attempt, and required a reboot.&lt;br /&gt;&lt;br /&gt;US-CERT &lt;a href="http://www.kb.cert.org/vuls/id/723755"&gt;said&lt;/a&gt; in its warning that there is no known fix to the security problem. Instead, the group recommends that users disable the WPS function on their routers. 
The warning lists several wireless router vendors as selling devices that are affected by the security hole: Buffalo, D-Link, Cisco Linksys, Netgear, Technicolor, TP-Link and ZyXEL.&lt;br /&gt;&lt;br /&gt;US-CERT indicated in its warning that it notified router vendors that are affected by the security issue in early December, but so far the vendors have not offered a response, nor have any of them issued statements.&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-552688440383766953?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ShoaibYousuf?a=bldPDh_LFgM:NDq3FzeAM-g:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ShoaibYousuf?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/552688440383766953/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=552688440383766953" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/552688440383766953?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/552688440383766953?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/bldPDh_LFgM/wps-enabled-wi-fi-routers-are.html" title="WPS-enabled Wi-Fi routers are vulnerable to brute force attack" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2012/01/wps-enabled-wi-fi-routers-are.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUUGRHw8eip7ImA9WhRVEU0.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-6177368500618656639</id><published>2012-01-09T19:37:00.005+11:00</published><updated>2012-01-09T21:00:25.272+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-01-09T21:00:25.272+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Guidelines" /><category scheme="http://www.blogger.com/atom/ns#" term="Risk Management" /><category scheme="http://www.blogger.com/atom/ns#" term="Pen-Testing" /><category scheme="http://www.blogger.com/atom/ns#" term="Testing" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Best Practices" /><category 
scheme="http://www.blogger.com/atom/ns#" term="Mobile Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Information Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Network Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Applications" /><category scheme="http://www.blogger.com/atom/ns#" term="Application Security" /><title>Android Network Toolkit for Penetration Testing and Hacking</title><content type="html">&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;color:#3366ff;"&gt;&lt;b&gt;Zimperium have unveiled the Android Network Toolkit for easy hacking on the go!&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;&lt;div&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;ANTi is a smartphone, android based, penetration testing toolkit that can scan a network, find vulnerabilities, run exploits, produce reports and more. &lt;/span&gt;&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;There is a free version with limited functions and several paid versions that scale up in functionality. The videos linked at the bottom of this article are interesting.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;ANTi – Android Network Toolkit – [zimperium.com]&lt;br /&gt;&lt;br /&gt;What is Anti?&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;ZImperium LTD is proud to announce Android Network Toolkit – Anti.&lt;br /&gt;Anti consists of 2 parts: The Anti version itself and extendable plugins. Upcoming updates will add functionality, plugins or vulnerabilities/exploits to Anti&lt;br /&gt;&lt;br /&gt;Using Anti is very intuitive – on each run, Anti will map your network, scan for active devices and vulnerabilities, and will display the information accordingly: Green led signals an ‘Active device’, Yellow led signals “Available ports”, and Red led signals “Vulnerability found”. 
&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;Also, each device will have an icon representing the type of the device. When finished scanning, Anti will produce an automatic report specifying which vulnerabilities you have or bad practices used, and how to fix each one of them.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.youtube.com/watch?v=tKW-XV59-gk"&gt;Anti – Android Network Toolkit Capabilities Video/Demo by ZImperium LTD&lt;/a&gt; – [youtube.com]&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.youtube.com/watch?v=OQ5Xug82vGQ"&gt;Hacking a Mac using Android Network Toolkit CSE in ANTI3 by ZImperium LTD&lt;/a&gt; – [youtube.com]&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-6177368500618656639?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ShoaibYousuf?a=mbi5IUOlrag:qnTxN2kywQ4:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ShoaibYousuf?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/6177368500618656639/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=6177368500618656639" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/6177368500618656639?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/6177368500618656639?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/mbi5IUOlrag/android-network-toolkit-for-penetration.html" title="Android Network Toolkit for Penetration Testing and Hacking" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2012/01/android-network-toolkit-for-penetration.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0QMQXg_fyp7ImA9WhRWF0s.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-3428023878434652049</id><published>2012-01-05T21:35:00.003+11:00</published><updated>2012-01-05T22:03:00.647+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-01-05T22:03:00.647+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Application" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Tips" /><category scheme="http://www.blogger.com/atom/ns#" term="Web Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Training" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Best 
Practices" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Resources" /><category scheme="http://www.blogger.com/atom/ns#" term="Web Application Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Research" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Tutorials" /><category scheme="http://www.blogger.com/atom/ns#" term="Application Security" /><title>How Developers Can Secure their Code?</title><content type="html">&lt;span style="font-family:verdana;font-size:100%;"&gt;&lt;b&gt;&lt;span style="color:#3366ff;"&gt;5 Application Security Tips&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;span&gt;Over the last 30 years, many organizations have done an amazing job of automating their business, resulting in productivity gains, efficiencies and innovations. &lt;/span&gt;&lt;/span&gt;&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;Unfortunately, the threat landscape has changed dramatically during this time. A lot of that application code, written without security in mind decades ago, is still the heart-and-soul of many enterprises. That code was designed for a world where computers could not be accessed remotely. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;Since then, it has been wrapped, integrated, connected, ported, and most importantly, exposed. 
That application code is not strong enough to withstand today's threat.&lt;br /&gt;&lt;br /&gt;OWASP has a number of free and open-source resources that developers can use right now to help secure their code.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;5 Tips for Developers&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;&lt;b&gt;&lt;br /&gt;Start with the OWASP Top Ten&lt;/b&gt; - This awareness document will help you understand, identify, and fix the most critical application security risks quickly.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;&lt;br /&gt;&lt;b&gt;Get hands-on with WebGoat&lt;/b&gt; - WebGoat is a deliberately flawed application that is riddled with holes to give people the opportunity for hands-on learning. It is open-sourced to help developers and security testers get experience with real vulnerabilities. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;&lt;br /&gt;&lt;b&gt;Leverage the OWASP Cheat Sheets&lt;/b&gt; - This is a fantastic series from leading experts globally. Let me know what you think of the Cross-Site Scripting Prevention Cheat Sheet, one of OWASP's most popular pages.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;&lt;br /&gt;&lt;b&gt;Verify Your Applications&lt;/b&gt; - There is no substitute for getting real facts about the security of your application portfolio. OWASP Application Security Verification Standard helps developers get started scanning, testing and code reviewing with tools like OWASP Zap and CSRFTester.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;&lt;br /&gt;&lt;b&gt;Get Training&lt;/b&gt; - Perhaps the hardest thing about application security is that there are so many different ways that software can fail, particularly when it's targeted by a motivated attacker. 
The key is training to get started with securing applications quickly. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;If instructor-led training isn't possible, eLearning solutions are available to allow developers to learn on-demand and get hands-on, practical experience with vulnerabilities, security controls and real code. Training is a remarkably effective way to reduce vulnerabilities. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;&lt;br /&gt;Before you trust your business to application software, make certain that the people who are writing your code know how to defend your business and its assets. It's time to learn.&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-3428023878434652049?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ShoaibYousuf?a=k5nDwnUEVX0:DOGRf58dObg:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ShoaibYousuf?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/3428023878434652049/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=3428023878434652049" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/3428023878434652049?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/3428023878434652049?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/k5nDwnUEVX0/how-developers-can-secure-their-code.html" title="How Developers Can Secure their Code?" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2012/01/how-developers-can-secure-their-code.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkUAQX8yeyp7ImA9WhRWFEQ.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-2774007439573321885</id><published>2012-01-02T18:44:00.001+11:00</published><updated>2012-01-02T18:44:00.193+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-01-02T18:44:00.193+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Security Advice" /><category scheme="http://www.blogger.com/atom/ns#" term="Guidelines" /><category scheme="http://www.blogger.com/atom/ns#" term="Risk Management" /><category scheme="http://www.blogger.com/atom/ns#" term="Asset Protection" /><category scheme="http://www.blogger.com/atom/ns#" term="Encryption" /><category 
scheme="http://www.blogger.com/atom/ns#" term="Security Tools" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Best Practices" /><category scheme="http://www.blogger.com/atom/ns#" term="Information Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Endpoint Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Application Security" /><title>How-to encrypt and password protect your personal folders &amp; files in Windows and Mac</title><content type="html">&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;color:#3366ff;"&gt;&lt;b&gt;TrueCrypt - Free Open-Source Disk Encryption Software&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;&lt;div&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;You can’t easily password protect folders or files in Windows / MAC yet, but you can remove the permissions for users or use TrueCrypt to create mountable encrypted containers that can only be accessed with the correct password.&lt;/span&gt;&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;&lt;br /&gt;TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data is automatically encrypted right before it is saved and decrypted right after it is loaded, without any user intervention. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys. 
Entire file system is encrypted (e.g., file names, folder names, contents of every file, free space, meta data, etc).&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;&lt;br /&gt;Encryption does not mean it has to be slow or difficult. In fact, TrueCrypt makes it really fast and you can access all files as if they were unencrypted. Here is how you can do it:&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Download TrueCrypt from http://www.truecrypt.org/downloads (latest stable 7.1 09/26/11)&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;When you install TrueCrypt select Extract files, this will extract the program without actually installing it.&lt;span style="background-color: rgb(255, 255, 255); color: rgb(51, 51, 51); line-height: 18px; text-align: -webkit-auto; "&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="background-color: rgb(255, 255, 255); color: rgb(51, 51, 51); line-height: 18px; text-align: -webkit-auto; "&gt;Now start the TrueCrypt.exe&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="background-color: rgb(255, 255, 255); text-align: -webkit-auto; "&gt;&lt;span&gt;&lt;span style="line-height: 18px;"&gt;Click on Create New Volume and this screen will pop up:&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: left;color: rgb(51, 51, 51); line-height: 18px; "&gt;&lt;img src="http://cdn.windows7themes.net/pics/encrypt-and-protect-files.JPG" alt="Encrypt and protect files" style="text-align: center; margin-top: 0px; margin-right: 10px; margin-bottom: 5px; margin-left: 0px; padding-top: 2px; padding-right: 2px; padding-bottom: 2px; padding-left: 2px; " /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="background-color: rgb(255, 255, 255); color: rgb(51, 51, 51); line-height: 18px; text-align: -webkit-auto; "&gt;Select Standard 
for now&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="background-color: rgb(255, 255, 255); color: rgb(51, 51, 51); line-height: 18px; text-align: -webkit-auto; "&gt;Find a place for your encrypted container. Think of it as a real file that is password-protected. Store it for example here: C:\Users\yourusername\Desktop&lt;br /&gt;&lt;p style="text-align: center;margin-top: 30px; margin-right: 0px; margin-bottom: 30px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "&gt;&lt;span&gt;&lt;img src="http://cdn.windows7themes.net/pics/create-volume-location-for-encrypted-file.JPG" alt="Create volume location for encrypted files" style="margin-top: 0px; margin-right: 10px; margin-bottom: 5px; margin-left: 0px; padding-top: 2px; padding-right: 2px; padding-bottom: 2px; padding-left: 2px; " /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 30px; margin-right: 0px; margin-bottom: 30px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "&gt;&lt;span&gt;Make sure you have enough disk space.&lt;/span&gt;&lt;/p&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="background-color: rgb(255, 255, 255); color: rgb(51, 51, 51); line-height: 18px; text-align: -webkit-auto; "&gt;Select an algorithm. Don’t know what to choose? Use the default!&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="background-color: rgb(255, 255, 255); color: rgb(51, 51, 51); line-height: 18px; text-align: -webkit-auto; "&gt;Enter a size for the encrypted container.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="background-color: rgb(255, 255, 255); color: rgb(51, 51, 51); line-height: 18px; text-align: -webkit-auto; "&gt;Set a password for your encrypted container. 
Don’t make your password too short or it will be easy to crack&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="background-color: rgb(255, 255, 255); color: rgb(51, 51, 51); line-height: 18px; text-align: -webkit-auto; "&gt;Move your mouse randomly for some time (the movement supplies randomness for the encryption keys), then click on Format&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;img src="http://cdn.windows7themes.net/pics/volume-format-encryption.JPG" alt="Volume format encryption" style="margin-top: 0px; margin-right: 10px; margin-bottom: 5px; margin-left: 0px; padding-top: 2px; padding-right: 2px; padding-bottom: 2px; padding-left: 2px; " /&gt;&lt;/div&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="background-color: rgb(255, 255, 255); color: rgb(51, 51, 51); line-height: 18px; text-align: -webkit-auto; "&gt;Back on the TrueCrypt main screen, enter the path to your encrypted container (or click on Select file and browse to it)&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="background-color: rgb(255, 255, 255); color: rgb(51, 51, 51); line-height: 18px; text-align: -webkit-auto; "&gt;Finally click on Mount, you can now access your encrypted password-protected container like any other hard drive via the explorer! Awesome? 
It is!&lt;/span&gt;&lt;/li&gt;&lt;/ol&gt;&lt;/span&gt;&lt;div&gt;&lt;p style="text-align: center;margin-top: 30px; margin-right: 0px; margin-bottom: 30px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; color: rgb(51, 51, 51); line-height: 18px; background-color: rgb(255, 255, 255); "&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;&lt;img src="http://cdn.windows7themes.net/pics/mount-password-protected-encrypted-folder.JPG" alt="Mount password protected encrypted folder" style="margin-top: 0px; margin-right: 10px; margin-bottom: 5px; margin-left: 0px; padding-top: 2px; padding-right: 2px; padding-bottom: 2px; padding-left: 2px; " /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 30px; margin-right: 0px; margin-bottom: 30px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; color: rgb(51, 51, 51); line-height: 18px; text-align: -webkit-auto; background-color: rgb(255, 255, 255); "&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;There are various other methods to password protect and encrypt folders. However, TrueCrypt is the best free solution for effectively protecting your private folders. &lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 30px; margin-right: 0px; margin-bottom: 30px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; color: rgb(51, 51, 51); line-height: 18px; text-align: -webkit-auto; background-color: rgb(255, 255, 255); "&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;If you need more protection, simply create an encrypted container and store your files on a flash drive. Flash drives with 8GB or more are cheap and can be used to store all your private files. 
You could also use an external USB hard drive for storing the password-protected encrypted folders.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-2774007439573321885?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/2774007439573321885/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=2774007439573321885" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/2774007439573321885?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/2774007439573321885?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/8wnbGKsEUI8/how-to-encrypt-and-password-protect.html" title="How-to encrypt and password protect your personal folders &amp; files in Windows and Mac" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2012/01/how-to-encrypt-and-password-protect.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEQAQX8_fSp7ImA9WhRWE04.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-8991234795962508176</id><published>2011-12-31T23:59:00.007+11:00</published><updated>2011-12-31T23:59:00.145+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-31T23:59:00.145+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Guidelines" /><category scheme="http://www.blogger.com/atom/ns#" term="Data Breach" /><category scheme="http://www.blogger.com/atom/ns#" term="Cyber Attacks" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Resources" /><category 
scheme="http://www.blogger.com/atom/ns#" term="Cyber Crime" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Research" /><category scheme="http://www.blogger.com/atom/ns#" term="Information Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Stats" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Predictions" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Trends" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Metrics" /><title>2011 - Year of the HACK and DATA Breaches</title><content type="html">&lt;span class="Apple-style-span" style="font-size: 100%; " &gt;&lt;b&gt;&lt;span class="Apple-style-span" style="color: rgb(51, 102, 255); "&gt;This year’s headlines have been made up of data breaches, hacks, APT attacks and mergers and acquisitions&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Like a sleeper agent, it embeds itself in key industrial systems and waits, gathering intelligence and biding its time. It studies design documents to find weak spots for future attacks that could bring a nation to its knees. &lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: 100%; " &gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: 100%; " &gt;It is the description by US security firm Symantec of the newly discovered &lt;a href="http://en.wikipedia.org/wiki/Duqu"&gt;Duqu worm&lt;/a&gt; in its report ‘&lt;a href="http://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet"&gt;W32.Duqu: The precursor to the next Stuxnet.&lt;/a&gt;’&lt;br /&gt;&lt;br /&gt;Duqu is based on the sophisticated Stuxnet worm that shut down an Iranian nuclear fuel processing plant and set back its nuclear program by years. 
&lt;a href="http://www.smh.com.au/it-pro/security-it/duqu-virus-threatens-cyber-meltdown-20111102-1muh2.html"&gt;Duqu has so far infected industrial systems&lt;/a&gt; in eight countries: France, the Netherlands, Switzerland, Ukraine, India, Iran, Sudan, and Vietnam.&lt;br /&gt;&lt;br /&gt;While at this point Duqu is only able to gather intelligence, Symantec judges that it is “&lt;a href="http://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet"&gt;essentially the precursor to a future Stuxnet-like attack&lt;/a&gt;” against industrial control systems. These systems are used to control everything from nuclear power plants and the electricity grid to oil pipelines and large communication systems.&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://www.symantec.com/security_response/writeup.jsp?docid=2011-101814-1119-99"&gt;discovery of Duqu&lt;/a&gt; was a major security event in 2011; not exactly because of the effect that the worm has had, but for its potential. Duqu signals a growing trend of malware developed not to steal identities and profit financially, but to disable and destroy critical infrastructure – the life blood of modern society. &lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: 100%; " &gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: 100%; " &gt;News of Duqu was followed by reports (since shown to be mistaken) of a malware attack on a US water utility network that destroyed the industrial control system of a key water pump.&lt;br /&gt;&lt;br /&gt;Destruction of critical infrastructure has been the elephant in the room for the information security profession. Many recognize the danger, but it is seen as too esoteric and remote to worry about. It is someone else’s (i.e., the government’s) problem. 
&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: 100%; " &gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: 100%; " &gt;But if major critical infrastructure collapses from a cyberattack, whether your boss’s iPad makes the company’s network less secure is not going to matter all that much.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Cyber Wasteland&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;From the &lt;a href="http://www.reuters.com/article/2011/04/26/us-sony-stoldendata-idUSTRE73P6WB20110426"&gt;mega breach at Sony&lt;/a&gt; to the annoying self-righteous breaches perpetrated by&lt;a href="http://en.wikipedia.org/wiki/Anonymous_(group)"&gt; Anonymous et al.&lt;/a&gt;, 2011 was a wasteland of data loss.&lt;br /&gt;&lt;br /&gt;In March, &lt;a href="http://www.theregister.co.uk/2011/03/18/rsa_breach_leaks_securid_data/"&gt;RSA – the company that ensures&lt;/a&gt; its elite customers are water-tight – sprang a leak when it was penetrated by a spear-phishing attack that hooked one of its employees and resulted in a huge catch for cyberattackers.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.rsa.com/node.aspx?id=3872"&gt;In an open letter to RSA customers&lt;/a&gt;, executive chairman Art Coviello said that a sophisticated “advanced persistent threat” (APT) attack had extracted valuable information related to its SecurID two-factor authentication product used by remote workers to securely access their company’s network.&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;blockquote&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: 100%; " &gt;"Destruction of critical infrastructure has been the elephant in the room for the information security profession" &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: 100%; " &gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: 100%; " &gt;“While at this time we are 
confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack”, Coviello &lt;a href="http://www.rsa.com/node.aspx?id=3872"&gt;said&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: 100%; " &gt;Coviello, it turned out, was wrong about this assumption, as numerous SecurID token customers – including US defense giant Lockheed Martin – reported attacks resulting from the RSA breach. In an effort to limit the damage, RSA agreed to replace the tokens for its key customers.&lt;br /&gt;&lt;br /&gt;In response to the RSA breach, APT became the new catchword for cyberattacks. “It’s not our fault our networks were breached and our data stolen, it was an APT. What could we do?”, whined many companies in the ‘year of the breach’.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;April was the Cruelest Month&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;April was indeed a cruel month for &lt;a href="http://www.cnbc.com/id/42769019/Sony_PlayStation_Breach_Involves_70_Million_Subscribers"&gt;Sony&lt;/a&gt;, which admitted that hackers had gained access to names, addresses, email addresses, birth dates, passwords and IDs for &lt;a href="http://www.cnbc.com/id/42769019/Sony_PlayStation_Breach_Involves_70_Million_Subscribers"&gt;over 100 million PlayStation Network&lt;/a&gt;, Qriocity, and Online Entertainment customers.&lt;br /&gt;&lt;br /&gt;The massive size of the breach, as well as the delay in informing customers, attracted the attention of the US Congress. A House Commerce Committee panel held a hearing on the breach, but Kazuo Hirai, chairman of Sony Computer Entertainment America, declined to appear.&lt;br /&gt;&lt;br /&gt;Panel chairman &lt;a href="http://bono.house.gov/Blog/"&gt;Mary Bono Mack&lt;/a&gt; (R-Calif.) 
&lt;a href="http://bits.blogs.nytimes.com/2011/04/29/house-of-representatives-letter-questions-sony-over-attack/"&gt;criticized Sony for the delay in informing its customers&lt;/a&gt; of the data breach and the manner of notification through &lt;a href="http://bono.house.gov/Blog/"&gt;its blog&lt;/a&gt;. “I hate to pile on, but – in essence – Sony put the burden on consumers to ‘search’ for information, instead of accepting the burden of notifying them. If I have anything to do with it, that kind of half-hearted, half-baked response is not going to fly in the future.”&lt;br /&gt;&lt;br /&gt;&lt;b&gt;More Breaches!&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: 100%; " &gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: 100%; " &gt;Marketing firm Epsilon &lt;a href="http://www.theaustralian.com.au/australian-it/epsilon-email-security-breach-widens/story-e6frgakx-1226035279855"&gt;had a breach of its extensive database&lt;/a&gt;, which contained the names and emails of customers at such high-profile partners as BestBuy, Walgreens, Marriott, Lacoste, Marks &amp;amp; Spencer, JP Morgan Chase, Barclays, Citibank, US Bank, and Capital One.&lt;br /&gt;&lt;br /&gt;While Epsilon initially downplayed the breach, its partners could not. They began issuing warnings to millions of their customers about the breach, cautioning them to be on the lookout for subsequent spam and phishing attempts as a result of the compromised email addresses. 
&lt;a href="http://www.reuters.com/article/2011/04/04/us-citi-capitalone-data-idUSTRE7321PI20110404"&gt;Reuters put a $100 million price tag on the incident&lt;/a&gt;, which falls directly on Alliance Data Systems, Epsilon’s parent company.&lt;br /&gt;&lt;br /&gt;And for much of 2011, &lt;a href="http://en.wikipedia.org/wiki/Anonymous_(group)"&gt;Anonymous and its offspring&lt;/a&gt; were claiming credit for what seemed like a breach a week – in the name of improving security by showing how incredibly bad many organizations’ information security really is.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Not with a Whimper, but a Bang&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;In the arena of mergers and acquisitions, 2011 started off with a bang, with &lt;a href="http://content.dell.com/au/en/corp/d/press-releases/2011-2-8-dell-secureworks-acquisition"&gt;Dell’s acquisition of SecureWorks&lt;/a&gt;, an Atlanta-based security-as-a-service provider with 3,000 clients worldwide, and Verizon’s $1.4 billion purchase of Terremark, a Miami-based managed IT infrastructure and cloud service provider with advanced security offerings.&lt;br /&gt;&lt;br /&gt;Also early in the year, &lt;a href="http://investor.sourcefire.com/phoenix.zhtml?c=204582&amp;amp;p=irol-newsArticle&amp;amp;ID=1513329"&gt;Sourcefire bought Immunent&lt;/a&gt;, a cloud-based anti-malware startup, for $21 million, and Google agreed to acquire Zynamics, a Germany-based forensic specialist, for an undisclosed consideration.&lt;br /&gt;&lt;br /&gt;In April, storage giant &lt;a href="http://www.emc.com/about/news/press/2011/20110404-01.htm"&gt;EMC acquired NetWitness&lt;/a&gt;, a Herndon, Va.-based network monitoring specialist, and added it to RSA. While the purchase price was not disclosed, some estimates put the price tag as high as $500 million. Too bad RSA did not have network monitoring in March!&lt;br /&gt;&lt;br /&gt;After the April showers, there was a spurt of acquisition activity in May. 
In that month, &lt;a href="http://www.symantec.com/business/theme.jsp?themeid=clearwell"&gt;Symantec acquired Clearwell Systems&lt;/a&gt;, a provider of e-discovery, data archiving, and data backup products, for $390 million, augmenting its information management and governance portfolio.&lt;br /&gt;&lt;br /&gt;In addition, cloud provider &lt;a href="http://www.shavlik.com/vmware-acquires-shavlik.aspx"&gt;VMWare purchased Shavlik Technologies&lt;/a&gt;, a Minnesota-based patch management and cloud-security firm; Thoma Bravo bought Tripwire, a Portland, Ore.-based network security firm; and Sophos acquired Astaro, a Germany-based private network security firm.&lt;br /&gt;&lt;br /&gt;Other noteworthy information security acquisitions in 2011 included:&lt;a href="http://www-01.ibm.com/software/tivoli/welcome/q1labs/"&gt; IBM’s purchase of Q1Labs&lt;/a&gt;, a Waltham, Mass.-based provider of security event and log management software; &lt;a href="http://www.forbes.com/sites/ericsavitz/2011/10/04/intels-mcafee-unit-agrees-to-buy-nitrosecurity/"&gt;McAfee’s purchase of NitroSecurity&lt;/a&gt;, a Portsmouth, N.H.-based security information and event management firm; and &lt;a href="http://www.westcongroup.com.au/news-and-events/news/2011/11/2/check-point-extends-3d-security-with-acquisition-of-grc-leader-dynasec.aspx"&gt;Check Point’s acquisition of Dynasec&lt;/a&gt;, an Israeli-based governance, risk, and compliance firm.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;“Prediction is very difficult, especially about the future.”&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Despite the wisdom of those great minds, I will venture to make some predictions for 2012. First, I predict that the world will not end. If I’m wrong about that, then no need to read further.&lt;br /&gt;&lt;br /&gt;Certainly, Stuxnet, Duqu, and their heirs will increasingly plague governments, critical infrastructure operators, and information security professionals. 
It’s time to take these threats as seriously as the mundane security problems of everyday life in the 21st century.&lt;br /&gt;&lt;br /&gt;The explosion of mobile device use, particularly in the workplace, will increasingly concern information security staffs for years to come. Malicious mobile malware has become widespread, and this trend is likely to accelerate.&lt;br /&gt;&lt;br /&gt;Enterprises will have to come to grips with social media, particularly as cybercriminals find it a fertile ground for mischief. Should employees be banned from using it at work or is it the next great efficiency tool? The answer is: Yes.&lt;br /&gt;&lt;br /&gt;Of course, the cloud – companies will likely accelerate cloud adoption to improve the bottom line, while security professionals will struggle with the implications of giving up control over key corporate information assets.&lt;br /&gt;&lt;br /&gt;And the boldest prediction of all: there will be more data breaches in 2012.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-8991234795962508176?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/8991234795962508176/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=8991234795962508176" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/8991234795962508176?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/8991234795962508176?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/AqXau89zSpc/2011-year-of-hack-and-data-breaches.html" title="2011 - Year of the HACK and DATA Breaches" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2011/12/2011-year-of-hack-and-data-breaches.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkIESX0yfCp7ImA9WhRWEk4.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-5680982618569508935</id><published>2011-12-30T18:26:00.003+11:00</published><updated>2011-12-30T18:35:08.394+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-30T18:35:08.394+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Security Advice" /><category scheme="http://www.blogger.com/atom/ns#" term="Article Share" /><category scheme="http://www.blogger.com/atom/ns#" term="Mobile Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Security News" /><category scheme="http://www.blogger.com/atom/ns#" term="Control Systems" /><category 
scheme="http://www.blogger.com/atom/ns#" term="Security Research" /><category scheme="http://www.blogger.com/atom/ns#" term="Information Security" /><category scheme="http://www.blogger.com/atom/ns#" term="SCADA" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Trends" /><title>Hackers could shut down train lines?</title><content type="html">&lt;span style="font-family:verdana;font-size:100%;"&gt;&lt;b&gt;&lt;span class="Apple-style-span"  style="color:#3366ff;"&gt;Hackers who have shut down websites by overwhelming them with Web traffic could use the same approach to shut down the computers that control train switching systems, according to research conducted by a security expert.&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Stefan Katzenbeisser, professor at Technische Universität Darmstadt in Germany, advised that switching systems were at risk of "denial of service" attacks, which could cause long disruptions to rail services.&lt;br /&gt;&lt;br /&gt;"Trains could not crash, but service could be disrupted for quite some time," &lt;a href="http://www.reuters.com/article/2011/12/28/us-trains-security-idUSTRE7BR0C520111228"&gt;Katzenbeisser told Reuters&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;"Denial of service" campaigns are one of the simplest forms of cyber attack: hackers recruit large numbers of computers to overwhelm the targeted system with Internet traffic.&lt;br /&gt;&lt;br /&gt;Hackers have used the approach to attack sites of government agencies around the world and sites of businesses.&lt;br /&gt;&lt;br /&gt;Train switching systems, which enable trains to be guided from one track to another at a railway junction, have historically been separate from the online world, but communication between trains and switches is handled increasingly using wireless technology.&lt;br /&gt;&lt;br /&gt;Katzenbeisser said GSM-R, a mobile technology used for trains, is more secure than the usual GSM, used in phones, against which security experts showed a new attack at 
the convention.&lt;br /&gt;&lt;br /&gt;"Probably we will be safe on that side in coming years. The main problem I see is a process of changing ... keys. This will be a big issue in the future, how to manage these keys safely," Katzenbeisser said.&lt;br /&gt;&lt;br /&gt;The software encryption 'keys', which are needed for securing the communication between trains and switching systems, are downloaded to physical media like USB sticks and then sent around for installing -- raising the risk of them ending up in the wrong hands.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-5680982618569508935?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/5680982618569508935/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=5680982618569508935" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/5680982618569508935?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/5680982618569508935?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/6INBXad3Mwc/hackers-could-shut-down-train-lines.html" title="Hackers could shut down train lines?" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2011/12/hackers-could-shut-down-train-lines.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D08AQH0zfSp7ImA9WhRXGUo.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-5079383981032075994</id><published>2011-12-27T19:36:00.005+11:00</published><updated>2011-12-27T19:50:41.385+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-27T19:50:41.385+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Security Advice" /><category scheme="http://www.blogger.com/atom/ns#" term="Guidelines" /><category scheme="http://www.blogger.com/atom/ns#" term="Risk Management" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Tools" /><category scheme="http://www.blogger.com/atom/ns#" term="Article Share" /><category 
scheme="http://www.blogger.com/atom/ns#" term="Training" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Best Practices" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Resources" /><category scheme="http://www.blogger.com/atom/ns#" term="Information Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Techniques" /><category scheme="http://www.blogger.com/atom/ns#" term="Information Systems" /><title>DDoS Testing Methodology</title><content type="html">&lt;span  &gt;&lt;b&gt;&lt;span style="color: rgb(51, 102, 255); "&gt;A methodology to measure the resiliency of network infrastructure against DDoS and botnet attacks&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;Distributed denial of service (DDoS) attacks are rampant, successfully targeting Fortune 100 businesses, not to mention government, news media, communication and financial networks throughout the world. It has become more important to assess network equipment and application servers using these same attacks. Only through realistic attack simulation can organizations visualize their own weaknesses and vulnerabilities within the IT infrastructure and how resilient these elements are when under attack.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;&lt;b&gt;DDoS Testing Methodology&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div&gt;&lt;span  &gt;&lt;span class="Apple-style-span"&gt;BreakingPoint has created a definitive DDoS testing methodology that creates a variety of attacks to help users find their network weaknesses before others do. 
Such attacks include the following:&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;ul&gt;&lt;li&gt;&lt;span  &gt;DDoS designed to consume all available bandwidth, all disk space or all available CPU cycles&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span  &gt;DDoS designed to disrupt important information flow such as routing tables by injecting false routes, thus causing packets to be misrouted&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span  &gt;DDoS designed to break the physical layer of the network and obstruct the communication between the end-point and the user&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span  &gt;Botnets designed to send large quantities of unsolicited e-mail to trigger Delivery Server Notifications to spoofed originating email addresses&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span  &gt;To download the methodology please refer &lt;a href="http://www.breakingpointsystems.com/resources/test-methodologies/how-to-test-dos-and-botnet/#methodology"&gt;here&lt;/a&gt; (registration may be required)&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-5079383981032075994?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/5079383981032075994/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=5079383981032075994" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/5079383981032075994?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/5079383981032075994?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/80Et6F85HD8/ddos-testing-methodology.html" title="DDoS Testing Methodology" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2011/12/ddos-testing-methodology.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0YAQHg4fCp7ImA9WhRXFUk.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-2371572893845257473</id><published>2011-12-22T20:08:00.004+11:00</published><updated>2011-12-22T20:12:21.634+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-22T20:12:21.634+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Phishing" /><category scheme="http://www.blogger.com/atom/ns#" term="Social Networking" /><category scheme="http://www.blogger.com/atom/ns#" term="Presentations" /><category scheme="http://www.blogger.com/atom/ns#" term="Cyber Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Webinar" /><category scheme="http://www.blogger.com/atom/ns#" term="Training" 
/><category scheme="http://www.blogger.com/atom/ns#" term="Mobile Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Webcasts" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Predictions" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Trends" /><title>SC Webcast: Top cyber threat predictions for 2012</title><content type="html">&lt;div&gt;&lt;b&gt;&lt;span style="font-family:verdana;font-size:100%;color:#3366ff;"&gt;Learn about the top (internal and external) security predictions of 2012&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;With the tremendous growth of workforce mobility, telecommuting, and enterprise social networking, 2012 is again likely to pose some complex cyber security challenges for businesses worldwide.&lt;br /&gt;&lt;br /&gt;As such I thought you might be interested in SC’s upcoming webcast which will get to grips with what the experts predict to be the top cyber threats in the year ahead.&lt;br /&gt;&lt;br /&gt;You can secure your complimentary place here - http://www.scwebcasts.tv/?btcommid=40027&lt;br /&gt;&lt;br /&gt;LIVE WEBCAST:&lt;b&gt; CYBER SECURITY IN 2012 – TOP 5 THREAT PREDICTIONS&lt;/b&gt;&lt;br /&gt;Streamed live to your desk: &lt;b&gt;26th January 2012, 3pm GMT &lt;/b&gt;&lt;br /&gt;http://www.scwebcasts.tv/?btcommid=40027&lt;br /&gt;&lt;br /&gt;This webcast will enable you to:&lt;br /&gt;&lt;/span&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;Learn about the top (internal and external) security predictions of 2012 (from mobile threats to spear phishing) &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;Understand social networking's impact on enterprise security in 2012 to help you prioritise your 
response&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;Develop ideas for a 360 degree cyber security strategy that keeps up with the sophistication of attacks in the year ahead&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;Speakers:&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;div&gt;&lt;span style="font-family:verdana;font-size:100%;"&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;Aaron Sheridan, Senior Security Engineer, FireEye&lt;br /&gt;Clive Longbottom, Founder and Industry Analyst, QuoCirca&lt;br /&gt;View more information at http://www.scwebcasts.tv/?btcommid=40027 &lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-2371572893845257473?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/2371572893845257473/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=2371572893845257473" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/2371572893845257473?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/2371572893845257473?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/Bay0-JHB310/sc-webcast-top-cyber-threat-predictions.html" title="SC Webcast: Top cyber threat predictions for 2012" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2011/12/sc-webcast-top-cyber-threat-predictions.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0EAQXY_fCp7ImA9WhRXE0U.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-2987008507959124290</id><published>2011-12-20T22:41:00.001+11:00</published><updated>2011-12-20T22:47:20.844+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-20T22:47:20.844+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Guidelines" /><category scheme="http://www.blogger.com/atom/ns#" term="Cyber Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Risk Management" /><category scheme="http://www.blogger.com/atom/ns#" term="Asset Protection" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Tools" 
/><category scheme="http://www.blogger.com/atom/ns#" term="Control Systems" /><category scheme="http://www.blogger.com/atom/ns#" term="Downloads" /><category scheme="http://www.blogger.com/atom/ns#" term="Information Security" /><category scheme="http://www.blogger.com/atom/ns#" term="US-Cert" /><category scheme="http://www.blogger.com/atom/ns#" term="SCADA" /><title>CSET™ Version 4.0.1 Available for Download</title><content type="html">&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span style="  ;font-size:100%;color:#3366ff;"  &gt;&lt;b&gt;The Cyber Security Evaluation Tool (CSET™) is a Department of Homeland Security (DHS) product that assists organizations in protecting their key national cyber assets. &lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The Department of Homeland Security (DHS) Control Systems Security Program (CSSP) has released an interim Version 4.0.1 of the Cyber Security Evaluation Tool (CSET™). 
This new version of the tool can be downloaded from the CSSP website:&lt;br /&gt;&lt;br /&gt;http://us-cert.gov/control_systems/satool.html.&lt;br /&gt;&lt;br /&gt;This interim  Version 4.0.1 release addresses some minor issues identified in report formatting and corrects a problem with Zone Security Assurance Level (SAL) calculations.&lt;br /&gt;&lt;br /&gt;Additionally, this release incorporates a new sub-report to isolate and show user comments in a single location, includes modifications to clarify how firewall analysis is performed, and improves upon the gap analysis for pass/fail standards.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Purpose of CSET&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;CSET is a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards.&lt;br /&gt;&lt;br /&gt;The output from CSET is a prioritized list of recommendations for improving the cybersecurity posture of the organization's enterprise and industrial control cyber systems. The tool derives the recommendations from a database of cybersecurity standards, guidelines, and practices. Each recommendation is linked to a set of actions that can be applied to enhance cybersecurity controls.&lt;br /&gt;&lt;br /&gt;CSET has been designed for easy installation and use on a stand-alone laptop or workstation. It incorporates a variety of available standards from organizations such as National Institute of Standards and Technology (NIST), North American Electric Reliability Corporation (NERC), International Organization for Standardization (ISO), U.S. Department of Defense (DoD), and others.&lt;br /&gt;&lt;br /&gt;When the tool user selects one or more of the standards, CSET will open a set of questions to be answered. 
The answers to these questions will be compared against a selected security assurance level, and a detailed report will be generated to show areas for potential improvement. CSET provides an excellent means to perform a self-assessment of the security posture of your control system environment.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Key Benefits of CSET&lt;/b&gt;&lt;br /&gt;&lt;/span&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;CSET contributes to an organization's risk management and decision-making process&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Raises awareness and facilitates discussion on cybersecurity within the organization&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Highlights vulnerabilities in the organization's systems and provides recommendations on ways to address the vulnerability&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Identifies areas of strength and best practices being followed in the organization&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Provides a method to systematically compare and monitor improvement in the cyber systems&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Provides a common industry-wide tool for assessing cyber systems&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-2987008507959124290?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/2987008507959124290/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=2987008507959124290" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/2987008507959124290?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/2987008507959124290?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/f88Y1bOsKtY/cset-version-401-available-for-download.html" title="CSET™ Version 4.0.1 Available for Download" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2011/12/cset-version-401-available-for-download.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0EMQHcyfip7ImA9WhRXE0U.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-1588613948489306460</id><published>2011-12-18T19:26:00.001+11:00</published><updated>2011-12-20T22:48:01.996+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-20T22:48:01.996+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Security Advice" /><category scheme="http://www.blogger.com/atom/ns#" term="Guidelines" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Tips" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Best Practices" /><category scheme="http://www.blogger.com/atom/ns#" term="Mobile Security" 
/><category scheme="http://www.blogger.com/atom/ns#" term="Iphone" /><category scheme="http://www.blogger.com/atom/ns#" term="Malware" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Research" /><category scheme="http://www.blogger.com/atom/ns#" term="Apple" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Trends" /><category scheme="http://www.blogger.com/atom/ns#" term="Application Security" /><title>Five reasons not to jailbreak your iPhone</title><content type="html">&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;b&gt;&lt;span class="Apple-style-span"   style="font-size:100%;color:#3366ff;"&gt;Crackers are reported to be making inroads into jailbreaking iOS5&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;Even though the iPhone 4S jailbreak is on the way - and while many users are excited about the ability to customize and do more with the iPhone 4S - there are a number of reasons you shouldn’t jailbreak your new iPhone.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;While an iPhone 4S jailbreak will deliver the iPhone experience many have been looking for, jailbreaking is not for everyone.&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;ol&gt;&lt;li&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;The biggest issue is that users will be voiding their warranty and, even though the jailbreaking process was ruled legal in 2010, Apple was very clear that doing so voids users’ warranties.&lt;br /&gt;&lt;br /&gt;And, whilst there are many times you can restore to a standard Apple iOS version before going in for repair, this is not always going to be the case.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Users will also lose Genius Bar support on the iPhone – in the past some users have been able to get support by not mentioning that their iPhone is 
jailbroken, but again, if the Genius finds out that the handset is jailbroken, you may lose out on support.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;The third issue with jailbreaking is that there are usually no more fast upgrades to new releases of iOS.&lt;br /&gt;&lt;br /&gt;If you are waiting for the jailbreak, you should also avoid installing iOS 5.0.1 to your iPhone 4S. This isn’t as big of an issue for small upgrades like this, and in the case of [earlier versions] a jailbreak was available very quickly.&lt;br /&gt;&lt;br /&gt;But, when it comes to major upgrades that bring new features, you may be forced to wait a while, or go back to a stock iPhone experience. Holding back an update also means going without whatever security fixes it contains.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Apple has many controls in place to keep apps from slowing down your iPhone, but jailbroken apps don’t need to stick to these guidelines.&lt;br /&gt;&lt;br /&gt;Many users who have gone back from jailbreaking cite a poor user experience and buggy nature of their jailbroken iPhones as a reason for going back to normal. If you know exactly what you are doing, or don’t mind troubleshooting to find out what is causing an issue, you will be OK, but many iPhone owners don’t want to hassle with things like this.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Finally, consider the security risks. If you have a jailbroken iPhone and are installing apps from various sources, one of them could contain malware.&lt;br /&gt;&lt;br /&gt;The threat of malware has caused concern for Android users, and so far we haven’t seen a large number of malware-infested jailbreak apps, but the threat remains. 
If you do jailbreak, be vigilant about what you download.&lt;/span&gt;&lt;/li&gt;&lt;/ol&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Ultimately, jailbreaking your new iPhone 4S is up to you. If you know what you are doing, you can follow these instructions to jailbreak your iPhone 4, and stay tuned for how to jailbreak the iPhone 4S and iPad 2 as soon as the tools are available.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-1588613948489306460?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/1588613948489306460/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=1588613948489306460" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/1588613948489306460?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/1588613948489306460?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/vg60J6dRx-Y/five-reasons-not-to-jailbreak-your.html" title="Five reasons not to jailbreak your iPhone" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2011/12/five-reasons-not-to-jailbreak-your.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0AERn8yeCp7ImA9WhRXE0U.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-7579306634575539090</id><published>2011-12-16T21:12:00.002+11:00</published><updated>2011-12-20T22:48:27.190+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-20T22:48:27.190+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Trends" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Advice" /><category scheme="http://www.blogger.com/atom/ns#" term="Vulnerability Management" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Education" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Threats" /><category 
scheme="http://www.blogger.com/atom/ns#" term="Internet Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Research" /><category scheme="http://www.blogger.com/atom/ns#" term="Information Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Techniques" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Tutorials" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Awareness" /><title>What does it really take to exploit a printer?</title><content type="html">&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;b&gt;&lt;span class="Apple-style-span"  style="color:#3366ff;"&gt;Printer Hack: Researchers Can Set Media’s Pants on Fire&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;In the past couple of weeks, there has been quite a bit of press and blogging about a security vulnerability in HP printers that was discovered by researchers in the Intrusion Detection Lab at Columbia University.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;In a nutshell, the researchers found a way to replace the operating firmware on an HP printer with firmware of their own design that can do bad things, and they also found a way to do it to a printer that is on a private network behind a firewall.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;&lt;a href="http://redtape.msnbc.msn.com/_news/2011/11/29/9076395-exclusive-millions-of-printers-open-to-devastating-hack-attack-researchers-say"&gt;MSNBC ran an “exclusive” story about it calling it a “devastating attack”&lt;/a&gt; to which “millions of printers” could be subjected. 
Its lede suggested that hackers could cause the printer to catch fire, or be used for identity theft, or be used to take control of entire networks.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;In practice, this isn’t an easy vulnerability to exploit on a large scale.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;&lt;b&gt;Let me explain:&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;First, you need to target a printer that supports PJL and its largely undocumented remote firmware update (RFU) function. Many printers support PJL, but RFU is less commonly supported. Many printers don’t have any mechanism for remote updates, and many others use something other than PJL’s RFU function for remote updates.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;Once you've found a printer that supports PJL and its RFU function, you'll need to make sure that it will apply a firmware update without checking its authenticity. I can’t speak for other manufacturers, but my employer’s products have been using digital signature verification for firmware updates for at least the seven plus years that I have worked for them.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;Next, you need to be able to create new firmware to do your bidding. To do that, you need to know what is the manufacturer and model of your target. The researchers demonstrated exploitation of a victim’s printer that was on a private, firewalled network, but didn’t mention how they determined which make and model of printer would be used by a particular victim. They would need to know that in order to send the correct firmware image to the victim.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;And then there is the matter of reverse-engineering printer firmware. 
It is certainly possible, but not very practical when you consider that there are thousands of different printer models to contend with.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;The researchers say that “rewriting the printer’s firmware takes only about 30 seconds”, but they are referring to the time it takes for the printer to update its flash memory and not how long it takes for someone to reverse-engineer a printer to do something malevolently useful.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;Next, you need to get the victim to print a document that contains the firmware update code, and of course they need to print it on the printer that you targeted. I don’t know if it is possible to embed an RFU in a printable document in such a way that isn’t obvious when the document is viewed, as most people do before they print something. Perhaps they will disclose that detail at the Chaos conference.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;Now, finally, you own the victim’s printer.&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-7579306634575539090?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/7579306634575539090/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=7579306634575539090" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/7579306634575539090?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/7579306634575539090?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/Ygw82Qta4hY/what-does-it-really-take-to-exploit.html" title="What does it really take to exploit a printer?" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2011/12/what-does-it-really-take-to-exploit.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0AHQXk-fyp7ImA9WhRXE0U.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-5554707574877626932</id><published>2011-12-14T20:54:00.003+11:00</published><updated>2011-12-20T22:48:50.757+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-20T22:48:50.757+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Cyber Attacks" /><category scheme="http://www.blogger.com/atom/ns#" term="Reports" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Resources" /><category scheme="http://www.blogger.com/atom/ns#" term="Control Systems" /><category scheme="http://www.blogger.com/atom/ns#" term="Government" /><category 
scheme="http://www.blogger.com/atom/ns#" term="Security Research" /><category scheme="http://www.blogger.com/atom/ns#" term="Power Grid" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Vulnerability" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Trends" /><category scheme="http://www.blogger.com/atom/ns#" term="Utilities" /><category scheme="http://www.blogger.com/atom/ns#" term="Cyber-Terrorism" /><category scheme="http://www.blogger.com/atom/ns#" term="Hacking" /><category scheme="http://www.blogger.com/atom/ns#" term="SCADA" /><title>U.S. power grid is a big &amp; soft target for cyberattack</title><content type="html">&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span"&gt;&lt;b&gt;&lt;span class="Apple-style-span"  style="color:#3366ff;"&gt;MIT study report shows security gaps widening, risk increasing as power nets improve&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;The "malicious attack from Russian hackers that cracked security on an Illinois water utility and destroyed one of its main pumps turned out to be what Wired called a "comedy of errors" after interviewing the prime suspect for a story that ran last week.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;That doesn't mean utilities in the U.S. – especially electrical utilities – are not desperately vulnerable to attack.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;The U.S. 
electrical grid in particular is not only just as vulnerable as it was before the risk of cyberattack became obvious, but the negative impact of a real hack also keeps rising, according to a two-year study &lt;a href="http://web.mit.edu/mitei/research/studies/the-electric-grid-2011.shtml"&gt;published today by researchers at the MIT Energy Initiative in Massachusetts Institute of Technology Sloan School of Management&lt;/a&gt;.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;U.S. utilities are building more intelligence into their networks to make power distribution more efficient, but the mesh of regulations and regulators involved is such that their security efforts are incomplete, inadequate and uncoordinated, according to the 268-page study (&lt;a href="http://web.mit.edu/mitei/research/studies/documents/electric-grid-2011/Electric_Grid_Full_Report.pdf"&gt;PDF of full report&lt;/a&gt;, or by &lt;a href="http://web.mit.edu/mitei/research/studies/the-electric-grid-2011.shtml"&gt;section&lt;/a&gt;), which also examined risks from weather, the impact of federal regulations, rising prices for fossil fuels and competition from sources of renewable energy.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;The risk of a Stuxnet-like attack on utilities was dismissed by many security experts after the revelation that reports of a successful attack on the Illinois water utility were mistaken, but the possibility of such an attack remains.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;&lt;b&gt;Current risks of cyberattack on electric utilities&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span class="Apple-style-span"&gt;Loss of grid control resulting in complete disruption of electricity supply over a wide area can occur as a result of errors or tampering with data communication among control equipment and central offices.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span 
class="Apple-style-span"&gt;Consumer-level problems ranging from incorrect billing to interruption in electric service can be introduced via smart meter tampering.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span"&gt;Commuting disruptions for electric vehicle operators can occur if recharging stations have been modiﬁed to incorrectly charge batteries.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span"&gt;Data conﬁdentiality breaches, both personal and corporate, can provide information for identity theft, corporate espionage, physical security threats (for example, through knowing which homes are vacant), and terrorist activities (for example, through knowing which power lines are most important in electric distribution).&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/span&gt;&lt;span class="Apple-style-span"&gt;&lt;b&gt;"&lt;a href="http://web.mit.edu/mitei/research/studies/the-electric-grid-2011.shtml"&gt;Future of the Electric Grid, MIT Energy Initiative, Dec. 5, 2011&lt;/a&gt;"&lt;/b&gt;&lt;/span&gt;&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span"&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;With rapidly expanding connectivity and rapidly evolving threats, making the grid invulnerable to cyber&lt;/span&gt; &lt;span class="Apple-style-span"&gt;events is impossible, and improving resilience to attacks and reducing the impact of attacks are important…&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;&lt;blockquote&gt;… For the electric grid in particular, cybersecurity must encompass not only the protection of information but also the security of grid equipment that depends on or is controlled by that information. 
And its goals must include ensuring the continuous and reliable operation of the electric grid…&lt;/blockquote&gt;&lt;/span&gt;&lt;span class="Apple-style-span"&gt;…We believe the natural evolution of grid information technologies already points toward such an&lt;/span&gt; &lt;span class="Apple-style-span"&gt;approach: the development and integration of increasingly rapid and accurate systems control&lt;/span&gt; &lt;span class="Apple-style-span"&gt;and monitoring technologies should facilitate quicker attack detection—and consequently,&lt;/span&gt; &lt;span class="Apple-style-span"&gt;shorter response and recovery times. &lt;/span&gt;&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span"&gt;Cyberattack response and recovery measures would be&lt;/span&gt; &lt;span class="Apple-style-span"&gt;a fruitful area for ongoing research and development in utilities, their vendors, and academia. – &lt;a href="http://web.mit.edu/mitei/research/studies/the-electric-grid-2011.shtml"&gt;Future of the Electric Grid, MIT Energy Initiative, Dec. 5, 2011&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="line-height: 18px; background-color: rgb(255, 255, 255); "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;U.S. 
utilities – electric, water and others – are so vulnerable and so insensible to security concerns that using passwords only three characters long doesn't raise a huge stink among companies that largely either refuse to believe there's a target painted on their backs or believe it's too expensive to do anything about it.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-5554707574877626932?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/5554707574877626932/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=5554707574877626932" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/5554707574877626932?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/5554707574877626932?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/8mG5ECu0Z54/us-power-grid-is-big-soft-target-for.html" title="U.S. power grid is a big &amp; soft target for cyberattack" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2011/12/us-power-grid-is-big-soft-target-for.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0ACR3szfyp7ImA9WhRXE0U.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-1000597488449504606</id><published>2011-12-12T19:41:00.002+11:00</published><updated>2011-12-20T22:49:26.587+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-20T22:49:26.587+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Security Advice" /><category scheme="http://www.blogger.com/atom/ns#" term="Guidelines" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Education" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Tips" /><category scheme="http://www.blogger.com/atom/ns#" term="Training" 
/><category scheme="http://www.blogger.com/atom/ns#" term="Developments" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Research" /><category scheme="http://www.blogger.com/atom/ns#" term="Information Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Information" /><category scheme="http://www.blogger.com/atom/ns#" term="Improvement" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Management" /><title>The top 5 information security certifications</title><content type="html">&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span"  style="color:#3366ff;"&gt;&lt;b&gt;&lt;span class="Apple-style-span"&gt;Recent Security Incidents Push Demand for Information Security Professionals&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;The top 5 information security certifications include the CISSP, CISM, GIAC, CEH and vendor credentials offered by companies such as Cisco and Microsoft. 
These certifications are in demand not only for their demonstration of IT security proficiency, but also because certified candidates go through training that reflects a higher standard of ethical conduct - a topic that has received renewed focus from hiring managers.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;In 2012, the rise in security incidents and mobile devices creates hot demand for certifications such as the GIAC, which are technically focused in specific areas of forensics, incident response and application security.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;b style="font-size: medium; "&gt;Top 5 Certifications&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;Based on a review of job boards and various research conducted by IT security recruiters and employers, here is the list of the top five security certifications:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;b style="font-size: medium; "&gt;CISSP&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;The Certified Information Systems Security Professional continues to be the gold standard in certifications.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;The CISSP, which is known for its high-level overview of the profession, has recently opened the certification for further specialization in areas such as architecture and management.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;The push for this credential is also coming from the U.S. Department of Defense 8570.1 Directive, which requires all government and contract employees working on DoD IT projects to carry an approved certification for their particular job classification. &lt;/span&gt;&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;CISSP certification is usually for mid-level and senior management IT security positions. 
This certification is offered through (ISC)2, the not-for-profit consortium that offers IT security certifications and training.&lt;br /&gt;&lt;br /&gt;The CISSP examination is based on what (ISC)2 terms the Common Body of Knowledge (or CBK). Candidates interested in taking the exam must possess a minimum of five years of direct full-time security work experience in two or more of the 10 (ISC)2 information security domains (CBK), and agree to abide by their codes-of-ethics and policy for continuous education. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;In addition, they need to pass the exam with a scaled score of 700 points or greater out of 1000 possible points. The exam is multiple-choice, consisting of 250 questions with four options each, to be answered over a period of six hours.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;For further information please refer &lt;a href="https://www.isc2.org/cissp/default.aspx"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;CISM&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Certified Information Security Manager is in demand, as organizations increasingly need executives to focus on governance, accountability and the business aspects of security.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;As with the CISSP, the 8570 Directive requires CISM certification for senior managers that particularly focus on governance, compliance and risk management issues.&lt;br /&gt;&lt;br /&gt;CISM is ideal for IT security professionals looking to grow their career into mid-level and senior management positions. 
CISM is offered by ISACA, an international professional association that deals with IT Governance.&lt;br /&gt;&lt;br /&gt;The CISM designation is awarded to individuals with an interest in security management who meet the following requirements: They need to successfully pass the CISM exam; adhere to ISACA's code of professional ethics; agree to comply with the continuing education policy. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;They also must submit verified evidence of a minimum of five years of IT security work experience, including a minimum of three years of management work experience; and submit an application for CISM certification.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;For further information please refer &lt;a href="http://www.isaca.org/Certification/CISM-Certified-Information-Security-Manager/Pages/default.aspx?gclid=CMuN6uyL8qwCFQ2DpAodtCjUIg"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;GIAC&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Global Information Assurance Certification is rising in demand specifically in areas of incident handling, forensics, intrusion detection and reverse malware engineering. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Many organizations are seeking such experts for their IT security teams because of the growing threat landscape and rise in security incidents. 
Usually, professionals turn to GIAC certifications to get further expertise in a particular discipline.&lt;br /&gt;&lt;br /&gt;The GIAC is essentially geared toward mid-level security professionals who are looking to carve out a niche career path for themselves. The certification is offered by the SANS Institute, a cooperative research and education organization.&lt;br /&gt;&lt;br /&gt;There are no official prerequisites to take the GIAC certifications. Any candidate who feels that he or she has the knowledge may take the exam. Candidates can pursue GIAC exams with or without purchasing SANS training. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;The exam fees usually include two practice exams and one proctored exam. Each exam expires after 120 days and is accessible from the candidate's SANS Portal Account. Exams are taken online; however, SANS now requires that a proctor be present when candidates take their test.&lt;br /&gt;&lt;br /&gt;For further information please refer &lt;a href="http://www.giac.org/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;CEH&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Certified Ethical Hacker is gaining popularity as companies seek experts to perform web application and penetration testing to ensure their infrastructure is secure. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Security testing is a blooming field, and certifications like CEH are technically challenging and very valuable. 
This certification is useful for entry-to-mid-level practitioners who are looking to conduct vulnerability assessments.&lt;br /&gt;&lt;br /&gt;CEH is offered by the International Council of Electronic Commerce Consultants (EC-Council), a professional certification body. EC-Council's goal is to certify security practitioners in the methodology of ethical hacking. The certification largely demonstrates an understanding of the tools used for penetration testing.&lt;br /&gt;&lt;br /&gt;To obtain the CEH, candidates can choose a path of self-study or complete a training course offered by EC-Council. Candidates must have at least two years of security experience and must sign an agreement to not misuse the knowledge acquired.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;For further information please refer &lt;a href="http://www.eccouncil.org/CEH.htm"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Vendor Certifications&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Securing an organization's infrastructure and keeping up-to-date with emerging technologies are critical. Vendor certifications, including Cisco's &lt;a href="http://www.cisco.com/web/learning/le3/le2/le0/le9/learning_certification_type_home.html"&gt;Certified Network Associate Certification&lt;/a&gt; (CCNA), &lt;a href="http://www.microsoft.com/learning/en/us/certification/mcse.aspx"&gt;Microsoft's Certified Systems Engineer&lt;/a&gt; (MCSE) with a focus on security, and &lt;a href="http://www.checkpoint.com/services/education/certification/ccse_ngx/index.html"&gt;Check Point's Certified Security Expert&lt;/a&gt; (CCSE), are particularly in demand. 
&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;The top information security certifications Dice has tracked for 2011 include &lt;a href="https://learningnetwork.cisco.com/community/certifications/ccnpsecurity"&gt;Cisco CCNP Security&lt;/a&gt; and &lt;a href="http://www.checkpoint.com/services/education/certification/cpis/index.html"&gt;Check Point Certified Expert&lt;/a&gt;. These certifications are also on the rise because of their in-depth technical focus. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span"&gt;They help in understanding the technical skills associated with what professionals are trying to defend, and the inherent security capabilities of the infrastructure.&lt;br /&gt;&lt;br /&gt;For most entry-level positions requiring one-to-two years of experience, employers seek vendor certifications, &lt;a href="http://certification.comptia.org/getCertified/certifications/security.aspx"&gt;Security+&lt;/a&gt; and the &lt;a href="http://www.eccouncil.org/CEH.htm"&gt;CEH&lt;/a&gt; credential. 
Mid-to-senior positions demand more mature training in &lt;a href="https://www.isc2.org/cissp/default.aspx"&gt;CISSP&lt;/a&gt;, &lt;a href="http://www.isaca.org/Certification/CISM-Certified-Information-Security-Manager/Pages/default.aspx?gclid=COGGv4mN8qwCFWdLpgodwUaNKQ"&gt;CISM&lt;/a&gt; and &lt;a href="http://www.giac.org/"&gt;GIAC&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Other certifications in demand include &lt;a href="http://certification.comptia.org/getCertified/certifications/security.aspx"&gt;Security+&lt;/a&gt;, &lt;a href="http://www.offensive-security.com/information-security-certifications/"&gt;Offensive Security Certified Professional&lt;/a&gt;, Cloud Security Alliance's new &lt;a href="https://cloudsecurityalliance.org/education/certificate-of-cloud-security-knowledge/"&gt;Certificate of Cloud Security Knowledge&lt;/a&gt;, &lt;a href="https://www.isc2.org/sscp/default.aspx"&gt;Systems Security Certified Practitioner&lt;/a&gt; and &lt;a href="http://www.isaca.org/Certification/CRISC-Certified-in-Risk-and-Information-Systems-Control/Pages/default.aspx?utm_source=multiple&amp;amp;utm_medium=multiple&amp;amp;utm_content=friendly&amp;amp;utm_campaign=crisc"&gt;Certified in Risk and Information Systems Control&lt;/a&gt;.&lt;br /&gt;&lt;/span&gt;&lt;span class="Apple-style-span"&gt;&lt;br /&gt;&lt;b&gt;Certifications cannot be a substitute for on-the-job experience, but they are turning out to be a good measure for both proficiency and character.&lt;/b&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-1000597488449504606?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/1000597488449504606/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=1000597488449504606" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/1000597488449504606?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/1000597488449504606?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/Yhqn5EhTsS0/top-5-information-security.html" title="The top 5 information security certifications" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2011/12/top-5-information-security.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0AMRns_eSp7ImA9WhRXE0U.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-2009868316720192017</id><published>2011-12-10T19:53:00.001+11:00</published><updated>2011-12-20T22:49:47.541+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-20T22:49:47.541+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Security Advice" /><category scheme="http://www.blogger.com/atom/ns#" term="Guidelines" /><category scheme="http://www.blogger.com/atom/ns#" term="Financial Crime" /><category scheme="http://www.blogger.com/atom/ns#" term="Asset Protection" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Scams" /><category 
scheme="http://www.blogger.com/atom/ns#" term="Security Tips" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Threats" /><category scheme="http://www.blogger.com/atom/ns#" term="Security News" /><category scheme="http://www.blogger.com/atom/ns#" term="Cyber Crime" /><category scheme="http://www.blogger.com/atom/ns#" term="Privacy" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Trends" /><category scheme="http://www.blogger.com/atom/ns#" term="Data Protection" /><title>Beware of SCAMMERS on dating websites!</title><content type="html">&lt;span class="Apple-style-span"   style="font-family:verdana;color:#3366ff;"&gt;&lt;b&gt;Heartless SCAMMERS&lt;/b&gt;&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Don't give your heart away online, at least not before you've met that special somebody in person. Some Aussies have been stung for more than $100,000 in online dating and romance scams by "lover" claiming to be desperate for money because of an accident or robbery overseas.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;A common scenario is to pretend to be a soldier or aid worker on an overseas mission in need of extra cash to pay costs and get a "leave pass" to visit.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;The Australian Competition and Consumer Commission (ACCC) is working to create new guidelines to combat scams. 
They received more than 1600 complaints about online dating scams, relating to more than $17 million in losses, between January and October this year.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;And of those, more than 200 people have lost $10,000 or more. ACCC deputy chairman Dr. Michael Schaper said more people lost money in dating scams than in any other type of scheme.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;If you have been talking or communicating with scammers for a period of time, it can be hard to say no. Please beware of such scams and never give money or share private information. Other red flags can include bad punctuation and spelling.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Dating website operators have until December 16, 2011 to comment on draft guidelines before they are launched next year.&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-2009868316720192017?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/2009868316720192017/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=2009868316720192017" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/2009868316720192017?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/2009868316720192017?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/tUTrziv1BII/beware-of-scammers-on-dating-websites.html" title="Beware of SCAMMERS on dating websites!" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2011/12/beware-of-scammers-on-dating-websites.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C08GRH4yeyp7ImA9WhRXE0U.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-3869835229692859952</id><published>2011-12-08T20:45:00.002+11:00</published><updated>2011-12-20T22:50:25.093+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-20T22:50:25.093+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Cyber Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Smart cards" /><category scheme="http://www.blogger.com/atom/ns#" term="Reports" /><category scheme="http://www.blogger.com/atom/ns#" term="Control Systems" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Research" /><category 
scheme="http://www.blogger.com/atom/ns#" term="Security Standards" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Trends" /><category scheme="http://www.blogger.com/atom/ns#" term="ICS" /><title>Utility Cyber Security - Seven Key Smart Grid Security Trends to Watch in 2012 and Beyond</title><content type="html">&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:verdana;color:#3366ff;"&gt;&lt;b&gt;Utility Cyber Security is in a State of Near Chaos&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span"&gt;&lt;div&gt;&lt;span class="Apple-style-span"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;Market analysis and consulting provider &lt;a href="http://www.pikeresearch.com/"&gt;Pike Research&lt;/a&gt; has &lt;a href="http://www.pikeresearch.com/research/utility-cyber-security"&gt;released a report&lt;/a&gt; examining the current state of utility cyber security, and the prognosis is far from comforting.&lt;br /&gt;&lt;br /&gt;The report, titled Utility &lt;a href="http://www.pikeresearch.com/wordpress/wp-content/uploads/2011/11/UCS-11-Pike-Research.pdf"&gt;Cyber Security - Seven Key Smart Grid Security Trends to Watch in 2012 and Beyond&lt;/a&gt;, concludes that although a great deal of attention has shifted to protecting systems that govern infrastructure over the past eighteen months, utilities have a long way to go in protecting critical networks.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span class="Apple-style-span"&gt;The report quotes:&lt;/span&gt;&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;blockquote&gt;"Utility cyber security is in a state of near chaos. After years of vendors selling point solutions, utilities investing in compliance minimums rather than full security, and attackers having nearly free rein, the attackers clearly have the upper hand. 
Many attacks simply cannot be defended," &lt;/blockquote&gt;One of the main challenges in protecting these networks is the fact that these systems were not necessarily designed with cybersecurity in mind. Rather, the security solutions have been layered on in a piecemeal fashion after the networks were operational, leaving ample room for attackers to compromise their functionality.&lt;br /&gt;&lt;blockquote&gt;"Cyber security solutions remain challenging to implement, especially as attackers gain awareness of the holes between point solutions," the report maintains.&lt;/blockquote&gt;The market for industrial control systems security solutions is fairly wide open, and the Pike report contends that there will be an influx of competition in the field over the next few years.&lt;br /&gt;&lt;blockquote&gt;"Security vendors have finally found time to focus on industrial control system (ICS) security, not only on advanced metering infrastructure (AMI) security – although a few security vendors have focused on ICS from the outset. 
The utility cyber security market will be characterized by a frantic race to gain the upper hand against the attackers, while at the same time strong competitors attempt to outdo each other," the report warns.&lt;/blockquote&gt;The Pike report focuses on the following issues:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;What factors could drive smart grid cyber security investment?&lt;/li&gt;&lt;li&gt;How important could industrial control system (ICS) security be?&lt;/li&gt;&lt;li&gt;What has changed since Stuxnet was discovered?&lt;/li&gt;&lt;li&gt;What is the effect of the lack of smart grid cyber security standards?&lt;/li&gt;&lt;li&gt;What are the most promising smart grid cyber security technologies?&lt;/li&gt;&lt;/ul&gt;Last week, the National Institute of Standards and Technology (NIST) &lt;a href="http://www.nist.gov/el/smartg101511.cfm"&gt;released the  updated standards guidelines&lt;/a&gt; for converting the nation's outdated power grid structure to a modern smart grid operation.&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/IKBFramework"&gt;NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 2.0&lt;/a&gt; outlines the game plan to "integrate information and communication technologies with a power-delivery infrastructure, enabling two-way flows of energy and communications," according to the NIST.&lt;br /&gt;&lt;br /&gt;"Making such dramatic changes to the power grid requires an overarching vision of how to accomplish the task, and this updated Framework advances that vision," said NIST's National Coordinator for Smart Grid Interoperability George Arnold.&lt;br /&gt;&lt;br /&gt;"Utilities, manufacturers, equipment testers and regulators will find essential information in the Framework that was not previously available," Arnold continued.&lt;br /&gt;&lt;br /&gt;The updates include the addition of twenty-two standards to the previously released seventy-five issued in the standard's first 
edition in 2010.&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-3869835229692859952?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/3869835229692859952/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=3869835229692859952" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/3869835229692859952?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/3869835229692859952?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/pHkAoHhIWiU/utility-cyber-security-seven-key-smart.html" title="Utility Cyber Security - Seven Key Smart Grid Security Trends to Watch in 2012 and Beyond" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2011/12/utility-cyber-security-seven-key-smart.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C08ARH0-eCp7ImA9WhRXE0U.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-4614496112877538020</id><published>2011-12-06T19:25:00.001+11:00</published><updated>2011-12-20T22:50:45.350+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-20T22:50:45.350+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Guidelines" /><category scheme="http://www.blogger.com/atom/ns#" term="Risk Management" /><category scheme="http://www.blogger.com/atom/ns#" term="Policies" /><category scheme="http://www.blogger.com/atom/ns#" term="physical security" /><category 
scheme="http://www.blogger.com/atom/ns#" term="Mobile Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Compliance" /><category scheme="http://www.blogger.com/atom/ns#" term="Information Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Information Technology" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Awareness" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Trends" /><title>Securing Smartphones in the Bring-Your-Own-Device (BYOD) Era</title><content type="html">&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;b&gt;&lt;span class="Apple-style-span"  style="color:#3366ff;"&gt;5 Security Challenges BYOD Presents&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;Most organizations remain uncomfortable in letting their employees use their own mobile devices to access their IT systems. Yet, in many instances, those charged with securing their enterprises' IT understand that it's just a matter of time before they must grant workers permission to employ those devices.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;BYOD stands for bring your own device, and it's one of the hottest challenges IT security organizations face as a growing number of employees use their own BlackBerrys, iPhones, iPads and Droids to access their employers' IT systems. In instances where such practices are banned, employees are demanding that the prohibition be lifted.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;That's causing much reflection among IT security professionals. Executives and managers charged with IT security have identified five challenges that must be surmounted before their organizations can allow secure access to their systems by smartphones and tablet computers owned by their employees. 
These challenges include policy enforcement, physical theft, malware prevention, IT support and employee education.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;b style="font-size: medium; "&gt;Policy Enforcement&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;Many IT security leaders aren't sure if their teams are ready to take on the additional responsibility of continuously monitoring these devices and people's behavior.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;b style="font-size: medium; "&gt;Physical Theft&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;Think about it: The chance of losing a mobile device owned by an individual - or having it stolen - is a lot greater than with one owned by the employer. A personally owned device goes everywhere with its owner; that's not necessarily true with a company-owned device. That provides little comfort for IT security managers responsible for safeguarding sensitive corporate data.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;Except for BlackBerrys, most other mobile devices don't readily support encryption. If someone steals an iPhone or an Android smartphone, the unencrypted data on that device could be exposed to the thief.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;But by placing proper controls on user-owned devices, unauthorized individuals can be prevented from gaining access to sensitive data. If employees want to use their own smartphones or tablet PCs for work, they must agree to seven security controls (see &lt;/span&gt;&lt;a href="http://www.shoaibyousuf.com/2011/07/7-tips-for-securing-mobile-workers.html" style="font-size: medium; "&gt;7 Steps to Secure Mobile Devices&lt;/a&gt;&lt;span class="Apple-style-span"&gt;), including strong passwords and remote wipe. 
&lt;/span&gt;&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Such an approach places part of the security burden on the employee. And, half of the employees who had been using their own devices to access the state network decided not to do so when Delaware implemented its BYOD policy a year ago.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Malware Prevention&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Devices used for personal activities are more prone to malware; after all, they're accessing a number of consumer sites that don't necessarily provide the same security as many sites designed for business-to-business transactions.&lt;br /&gt;&lt;br /&gt;Many CIOs worry not only about insecure applications downloaded on these devices, but also about so-called jail-broken smartphones and tablets that are opened and altered to permit use of software the manufacturer didn't architect the device for.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;Many banks scrutinize all employee-owned devices before allowing them to access their networks, to ensure they're safe and not jail-broken. These banks also make sure all personally owned devices contain anti-malware software that includes features to alert bank security personnel should a virus surface.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;IT Support&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Letting employees use their own devices presents a nightmarish scenario for many organizations, supporting a wide range of gadgets, operating systems and software. Organizations must define which devices to support based on how they'll be used. 
It may be OK to limit certain devices to access specific applications, such as e-mail, and restrict their access to other programs behind the firewall.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Employee Education&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Getting employees to know about the policy and why it's important for them to implement security controls requires education.&lt;br /&gt;&lt;br /&gt;Indeed, security awareness and training is a crucial element in allowing employees to use their own mobile devices, and it's important that IT security leaders prepare their staffs - and themselves - for the advent of widespread adoption of BYOD.&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-4614496112877538020?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ShoaibYousuf?a=wfSeLaqN-iQ:CDJTHlSTFIY:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ShoaibYousuf?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/4614496112877538020/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=4614496112877538020" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/4614496112877538020?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/4614496112877538020?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/wfSeLaqN-iQ/securing-smartphones-in-bring-your-own.html" title="Securing Smartphones in the Bring-Your-Own-Device (BYOD) Era" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2011/12/securing-smartphones-in-bring-your-own.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C08DQ3oycCp7ImA9WhRXE0U.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-109452682038616070</id><published>2011-12-04T18:08:00.002+11:00</published><updated>2011-12-20T22:51:12.498+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-20T22:51:12.498+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Security Advice" /><category scheme="http://www.blogger.com/atom/ns#" term="Guidelines" /><category scheme="http://www.blogger.com/atom/ns#" term="Risk Management" /><category scheme="http://www.blogger.com/atom/ns#" term="General Information" /><category scheme="http://www.blogger.com/atom/ns#" 
term="Security Awareness" /><category scheme="http://www.blogger.com/atom/ns#" term="Privacy" /><category scheme="http://www.blogger.com/atom/ns#" term="Information Systems" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Trends" /><category scheme="http://www.blogger.com/atom/ns#" term="Identity Theft" /><title>How can a person remove personal information from the Internet?</title><content type="html">&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;&lt;span class="Apple-style-span"  style="color:#3366ff;"&gt;&lt;b&gt;&lt;span class="Apple-style-span"&gt;A Concerned Reader Wants to Know...&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;First, the bad news. As soon as any kind of information, including personal information, is online, anyone can copy and store or post it elsewhere. What's worse, there are tools that are constantly searching the Internet for specific types of data. &lt;/span&gt;&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;&lt;span class="Apple-style-span"&gt;Once they find it, they can grab it, copy it, post it and store it - for any number of purposes.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;4 steps you can take if something gets online that you don't want:&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;ol&gt;&lt;li&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;Delete what you can yourself as soon as possible.&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;Contact the website(s) where it is located and ask them to remove it.&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;Enlist the help of a lawyer or online data removal service (e.g. 
Reputation Defender, Reputation Changer) to remove what you can't, or what the website won't.&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;Remain diligent and check often (for instance, by setting a Google Alert) to ensure you catch any reposting of the information.&lt;/span&gt;&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-109452682038616070?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ShoaibYousuf?a=t8MbIBcJzVo:WOg0_LeVyGE:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ShoaibYousuf?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/109452682038616070/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=109452682038616070" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/109452682038616070?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/109452682038616070?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/t8MbIBcJzVo/how-can-person-remove-personal.html" title="How can a person remove personal information from the Internet?" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2011/12/how-can-person-remove-personal.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C08NRno8fyp7ImA9WhRXE0U.&quot;"><id>tag:blogger.com,1999:blog-5701013675247016886.post-5759162570475425177</id><published>2011-12-03T18:24:00.001+11:00</published><updated>2011-12-20T22:51:37.477+11:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-20T22:51:37.477+11:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Risk Management" /><category scheme="http://www.blogger.com/atom/ns#" term="Vulnerability Management" /><category scheme="http://www.blogger.com/atom/ns#" term="Cyber Attacks" /><category scheme="http://www.blogger.com/atom/ns#" term="Security News" /><category scheme="http://www.blogger.com/atom/ns#" term="Government" 
/><category scheme="http://www.blogger.com/atom/ns#" term="Security Attacks" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Management" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Awareness" /><category scheme="http://www.blogger.com/atom/ns#" term="Security Trends" /><category scheme="http://www.blogger.com/atom/ns#" term="Data Breach" /><category scheme="http://www.blogger.com/atom/ns#" term="Malware" /><category scheme="http://www.blogger.com/atom/ns#" term="Hacking" /><category scheme="http://www.blogger.com/atom/ns#" term="Virus" /><title>Norway hit by major data-theft attack</title><content type="html">&lt;div&gt;&lt;span class="Apple-style-span"  style=" ;font-family:verdana;"&gt;&lt;b&gt;&lt;span class="Apple-style-span"   style="font-size:100%;color:#3366ff;"&gt;Industrial secrets from companies were stolen and "sent out digitally from the country"&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;&lt;div&gt;&lt;span class="Apple-style-span"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;Data from Norway's oil and defense industries may have been stolen in what is feared to be one of the most extensive data espionage cases in the country's history.&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;&lt;br /&gt;Industrial secrets from companies were stolen and "sent out digitally from the country," the Norwegian National Security Authority said, though it did not name any companies or institutions that were targeted.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;&lt;br /&gt;At least 10 different attacks, mostly aimed at the oil, gas, energy and defense industries, were discovered in the past year, but the agency said it has to assume the number is much higher because many victims have yet to realize that their computers have been 
hacked.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;&lt;span class="Apple-style-span"&gt;&lt;br /&gt;"This is the first time Norway has unveiled such an extensive and widespread espionage attack," it said. &lt;/span&gt;&lt;span class="Apple-style-span"  style="  ;font-family:verdana;"&gt;Spokesman Kjetil Berg Veire added it is likely that more than one person is behind the attacks.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;&lt;br /&gt;The methods varied, but in some cases involved individually crafted e-mails that, armed with viruses, would sweep recipients' entire hard-drives for data and steal passwords, documents and confidential documents.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;&lt;br /&gt;The agency said in a statement that this type of data-theft was "cost-efficient" for foreign intelligence services and that "espionage over the Internet is cheap, provides good results and is low-risk." Veire would not elaborate, but said it was not clear who was behind the attacks.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;&lt;span class="Apple-style-span"&gt;&lt;br /&gt;The attacks often occurred when companies were negotiating large contracts, the agency said. 
&lt;/span&gt;&lt;span class="Apple-style-span"  style="  ;font-family:verdana;"&gt;Important Norwegian institutions have been targeted by hackers before.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="  ;font-family:verdana;font-size:100%;" &gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;In 2010, some two weeks after Chinese dissident and democracy activist Liu Xiaobo was named that year's Nobel Peace Prize winner, Norway's Nobel Institute website came under attack, with a Trojan Horse, a particularly potent computer virus, being installed on it.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;&lt;br /&gt;Other attacks on the institute in that same period came via email, containing virus-infected attachments.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;Refer &lt;a href="http://www.washingtonpost.com/world/europe/security-watchdog-norwegian-energy-defense-industries-hit-by-extensive-data-theft-attack/2011/11/17/gIQAzbMKUN_story.html?wprss=rss_europe"&gt;here&lt;/a&gt; to read further details.&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5701013675247016886-5759162570475425177?l=www.shoaibyousuf.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ShoaibYousuf?a=4LxIb_JqJk8:SdE_2YJDTkE:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ShoaibYousuf?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.shoaibyousuf.com/feeds/5759162570475425177/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=5701013675247016886&amp;postID=5759162570475425177" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/5759162570475425177?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5701013675247016886/posts/default/5759162570475425177?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ShoaibYousuf/~3/4LxIb_JqJk8/norway-hit-by-major-data-theft-attack.html" title="Norway hit by major data-theft attack" /><author><name>Shoaib Yousuf</name><uri>http://www.blogger.com/profile/01273024510614936807</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://4.bp.blogspot.com/-jtYdBe5vVDE/TeTQJpcnOLI/AAAAAAAAAAM/jqZuYKpCavM/s220/IMG_1470.JPG" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.shoaibyousuf.com/2011/12/norway-hit-by-major-data-theft-attack.html</feedburner:origLink></entry></feed>

