“Cyberspace is contested every day, every hour, every minute, every second,” said Sir Iain Lobban, Director of GCHQ.

Sir Iain contributed an article entitled “Countering the cyber threat to business”  to the Spring 2013 edition of the Institute of Directors Big Picture policy journal. Sir Iain said that although cyber attacks are now reported frequently in the media, the reports still fail to capture the scope of cybercrime.

“GCHQ’s cutting-edge technology adds a unique perspective on the issue, illuminating the threats in cyberspace. And I have to say that the incidents I see described in the media are just a snapshot of what is going on,” he wrote. “On average, 33,000 malicious emails a month are blocked at the gateway to the Government Secure Intranet – they contain sophisticated malware, often sent by highly capable cyber criminals or by state-sponsored groups. And a far greater number of e-mails, comprising less sophisticated malicious e-mails and spam, is blocked each month.”

Sir Iain set out a guideline entitled 10 Steps to Cyber Security in the article, saying “The responsibility to manage your organisation’s cyber risks starts and stops at board level. Basic information risk management can stop up to 80% of the cyber attacks seen today.”

The post Mainstream media only offer a “snapshot” of scope of cybercrime, says British intelligence head appeared first on We Live Security.

The activists identified themselves as the Syrian Electronic Army, and posted messages saying, “Hacked By Syrian Electronic Army,” in place of headlines on the FT’s technology blog.

Links to YouTube videos purportedly showing executions carried out by Syrian rebel groups were posted to the newspaper’s Twitter feeds. The hacks triggered renewed calls for Twitter to improve its security, according to a Reuters report. Twitter blamed spear-phishing for the spate of recent attacks on accounts owned by media companies.

“Various FT blogs and social media accounts have been compromised by hackers and we are working to resolve the issue as quickly as possible,” the paper said in a statement.

The Syrian group has claimed responsibility for several high-profile attacks against media groups, including an attack on the main Associated Press Twitter account where hackers sent out bogus “news” about an attack on President Obama. The AP Tweet caused panic on stock markets, wiping 143 points off the Dow Jones in minutes. The group has also claimed responsibility for recent hacks against Britain’s The Guardian newspaper, and news organizations such as NPR, CBS and the BBC.

In the wake of attacks this month, Twitter send out an email to media groups saying, “We believe that these attacks will continue, and that news and media organizations will continue to be high value targets to hackers.”

Twitter has provided media companies with guidelines on how to resist such hacks, including steps such as designating specific PCs to access company Twitter accounts.

Twitter has also been reported to be testing two-factor security systems. ESET Senior Research Fellow David Harley explains the benefits of two-factor authentication in a post here.

The post Financial Times becomes latest victim of Syrian Twitter hackers appeared first on We Live Security.

In the past few months, we have analyzed a targeted campaign that tries to steal sensitive information from different organizations throughout the world, but particularly in Pakistan. During the course of our investigations we uncovered several leads that indicate this threat has its origin in India and has been going on for at least two years. The journey began with a code-signing certificate and an exploit and the scope of the investigation has widened ever since. In this blog post, we will highlight several interesting artifacts of the campaign, but more will be revealed in my upcoming presentation at the 7th International CARO Workshop in mid-May.

Code signing certificate

For part of this campaign a code signing certificate was used to sign malicious binaries and improve their potential to spread. This certificate was issued in late 2011 to an Indian company called Technical and Commercial Consulting Pvt. Ltd., based in New Delhi.

When we started our investigation, the certificate had been revoked for files signed after March 31^st 2012. We contacted VeriSign with evidence that this certificate had been used maliciously since it was issued and they promptly revoked the certificate unconditionally. Overall, we found more than 70 signed malicious binaries using this certificate. Since each signed sample comes with an authoritative timestamp, it is possible to draw a timeline depicting when these binaries were produced:

Figure 1 Timeline of signing times. Black lines represent one sample signing time

From the information we gathered, the attackers were actively signing malicious binaries from March until June 2012. Then, there is a gap in the timeline, from the beginning of July until the beginning of August 2012. We then see another spike in certificate usage (even though it had already been revoked) in August and September 2012. There are several possible explanations as to why there is a gap during the summer of 2012, but it is likely that this was the off-season for both the attackers and their targets.

Although the investigation started with this code signing certificate, we then discovered several similar unsigned samples that were used in this campaign. Some of them were collected as far back as early 2011.

Droppers and decoy documents

The first infection vector we saw was using the famous CVE-2012-0158 vulnerability. This vulnerability can be exploited by a specially crafted Microsoft Office documents and allows arbitrary code execution. In the case we analyzed, a two-stage shellcode is executed when the user opens an RTF document. First, the shellcode sends information about the system to the domain feds.comule.com and then downloads a malicious binary from digitalapp.org.

The other infection vector we found used PE files disguised as Microsoft Word or PDF documents, most likely distributed through email. When the user executes the file, the malicious program downloads and executes additional malicious binaries (more on these executables below). To evade suspicion by the victim, a decoy Word document is shown to the user. We have identified several different documents that followed different themes.

One of these themes is the Indian armed forces. We do not have inside information as to which individuals or organizations were really targeted by these files. However, based on our detection metrics, it is our assumption that people and institutions in Pakistan were targeted.

The text in this first document seems to be a collage of various sources. The fake PDF document was delivered through a self-extracting archive called “pakistandefencetoindiantopmiltrysecreat.exe”:

This other PDF document was delivered through an executable called “pakterrisiomforindian.exe”:

In this case, the text comes from the Asian Defence blog, a blog aggregating Asian military news. Our telemetry data shows that this file was first seen in August 2011 on a system in Pakistan.

Payloads

We found many different types of payloads installed by the droppers, all of them were geared towards exfiltrating data from an infected computer to the attackers’ servers. The following table groups the binaries in different families and details their general characteristics.

The information stolen from an infected computer is uploaded to the attacker’s server unencrypted. The decision not to use encryption is puzzling considering that adding basic encryption would be easy and provide additional stealth to the operation. The screenshot below shows a typical keylogger log:

The logs are very verbose and display the active window, the characters typed and the special keys in brackets. Since these logs are sent unencrypted, it is easy to detect the presence of an infected machine on your network by examining your HTTP network traffic.

In terms of persistence, many binaries we have analyzed add an entry in the Windows startup menu with a deceptive name. The screen shot below shows an example of such a startup menu:

While this technique allows the different components of the attack to be launched after each system reboot, it cannot be labelled as stealthy. Since targeted attacks usually try to stay under the radar as long as possible, we were surprised to see this technique used in this case.

C&C infrastructure

Most of the analyzed binaries contain a URL from which additional components are downloaded or to which an infected system’s content is uploaded. Sometimes, the C&C URL appears unencrypted in the binary. Other times, it is trivially encoded using a simple one-character rotation (ROT-1) as depicted below:

“gjmftbttpdjbuf/ofu” encrypted to “filesassociate.net”

We uncovered more than 20 domains linked to this campaign. While some still had an active DNS record, most of them did not resolve to an IP address. Using historical data around these domains, we were able to discover where these sites were hosted. It turns out that almost a third of all domains were hosted by OVH. This web hosting service has a reputation for hosting malware and spam content. In a recent HOSTExploit report it was ranked number 5 in the top 50 hosts for concentration of malicious activity served from an Autonomous System.

Most of the domain names are very close to real site or company names. This is a common tactic to try to conceal the true purpose of the C&C server. Two examples are “wearwellgarments.eu” and “secuina.com”. The former is very close to a real website called “wearwellgarments.com” while the latter looks like a misspelling of information security firm Secunia.

Origins of the malicious files

Analyzing this campaign allowed us to identify a few key indicators pointing to the geographic origin of these malicious files. We believe they all come from India. First, the code signing certificate was issued to an Indian company. In addition, all the signing timestamps are between 5:06 and 13:45 UTC, which is consistent with 8-hour work shifts falling between 10:36 and 19:15 in Indian Standard Time. This might seem a bit late, but considering that signing the binary is the last step in the development effort, it is likely that the malware authors were living in this time zone.

We also found several strings in the binaries that are related to Indian culture. In several scripts, a variable called ramukaka is used:

Ramu Kaka is a typical Bollywood-style servant in a house. Considering that this variable is responsible for achieving persistence on the system, this definition is a good fit.

The most compelling argument is found in our telemetry data. We found that many malware variants tied to this campaign appeared in the same location over a very small period of time. Each variant had only minor differences from each other, strongly suggesting an attempt by a malware creator to evade detection by our product. These files all appeared in the same region of India.

Infection statistics

Our telemetry data shows that Pakistan is heavily affected by this campaign. The following graph shows the detection distribution we have observed for all the malicious files we linked to this campaign in the last two years.

Thanks to our sinkholing of three domain names used by this campaign, we were also able to gather statistics on the geographical location of infected hosts.

As one can see, the regional distribution presented in the last two graphs is very different. Ukraine and Kazakhstan account for three quarters of all IP addresses seen during the sinkholing operation. This difference can be explained by the possibility that unique domains are only for specific sub-operation in this campaign. If that was the case, the sinkhole data we are seeing would only be a very partial view of the whole campaign.

Conclusion

This post examined evidence of a far-reaching targeted campaign aimed at different targets throughout the world. Our analysis indicates that the entire campaign originates from India. Although we have seen a number of infections throughout the world, it seems that the most prominent target is Pakistan. Targeted attacks are all too common these days, but this one is certainly noteworthy for its failure to employ advanced tools to conduct its campaigns. String obfuscation using simple rotation (a shift cipher), no cryptography used in network communication, persistence achieved through the startup menu and use of existing, publicly-available tools to gather information on infected systems shows that the attackers did not go to great lengths to cover their tracks. On the other hand, maybe they see no need to implement stealthier techniques because the simple ways still work.

SHA1 Hashes

CVE-2012-0158 RTF Document:                  3b1d9d65159bea24ab1060e5603f9e3c2d38d08d
pakterrisiomforindian.exe:                   d859f1cf99049f89258c1faa59dcd97f587e45ac
pakistandefencetoindiantopmiltrysecreat.exe: 1db89237ef786c7f22a8d4cd7eccda8f6286a6de
Downloader:                                  08ce405f0a0277de355454862b164ffd94a7ea36
Document uploader:                           DB22E7DEA0C1CAF203072693485DE4E4FD2CB56A
System information gathering:                0D610F3F51750EADCF426E10E6DE5313605400FA
Keylogger:                                   AE7B9CFB10CD65B98C59DC012D6726B66BE92897
Screenshot:                                  A0DD0B8FD0C98E917BFDC96182088CAB5505CCD2
Connect-back shell:                          09D4ECA67B1D071E57C5951D97FE9DD9C62F1580
Self-replication through removable drives:   20A29D1F89C07BAFBB4C61CE208531D68125C8E

Detection Names

Below are ESET threat names related to this case:

Win32/Agent.NLD worm
Win32/Spy.Agent.NZD trojan
Win32/Spy.Agent.OBF trojan
Win32/Spy.Agent.OBV trojan
Win32/Spy.KeyLogger.NZL trojan
Win32/Spy.KeyLogger.NZN trojan
Win32/Spy.VB.NOF trojan
Win32/Spy.VB.NRP trojan
Win32/TrojanDownloader.Agent.RNT trojan
Win32/TrojanDownloader.Agent.RNV trojan
Win32/TrojanDownloader.Agent.RNW trojan
Win32/VB.NTC trojan
Win32/VB.NVM trojan
Win32/VB.NWB trojan
Win32/VB.QPK trojan
Win32/VB.QTV trojan
Win32/VB.QTY trojan
Win32/Spy.Agent.NVL trojan
Win32/Spy.Agent.OAZ trojan

The post Targeted information stealing attacks in South Asia use email, signed binaries appeared first on We Live Security.

In a group test of 11 security apps, ESET Mobile Security detected 100% of threats.

“AV-TEST checked 11 security apps to see if they were able to detect newly discovered apps infected by hidden banking Trojans,” says ESET Senior Research Fellow Righard Zwienenberg. “Attackers are spreading apps named ‘EV-SSL-Zertifikat’ or ‘Smart 1.2 App Security’.”

The test results were, Zwienenberg says, “only partially soothing”. Six out of 11 apps failed. Only five detected all 11 of the threats in the test – among them ESET Mobile Security.

“The detection rate went down heavily with other vendors,” says Zwienenberg.

“Right now, criminals are spreading several apps infected by Trojans. The malware attempts to intercepts mobile TAN (transaction authentication numbers) on the smartphone and thus enable transactions to third-party bank accounts. AV-Test advice is: do not install apps from unknown sources and be certain to use a security app on your smartphone. ”

Earlier this month, Poland’s influential CHIP magazine awarded ESET Smart Security its top prize in its antivirus product category.

The post ESET Mobile Security scores full marks in banking Trojan test appeared first on We Live Security.

“The regulatory environment which we must navigate continues to increase in complexity and is increasingly prescriptive,” Dell said. “Government and regulators are getting more interested not only in how secure we are, but how we secure.”

“Changes in regulation are taking away our ability to protect in the way we see fit, and telling us what controls we need where. That’s not wrong, but it presents a new challenge to how we find and implement infrastructure.”

“We have to become much more agile and proactive – how we look at, how we react to cybercrime. Our posture is changing from ‘observe and analyse’ to ‘detect and respond’,” Dell said, speaking at the 2013 Trend Micro Evolve conference, as reported by The Register. “Possibly our biggest challenge is that criminals don’t have funding cycles.”

Dell said that departments increasingly had to make a “business case” for new security measures, according to CSO.

The post Government regulation poses challenges for bank security, says Australian banker appeared first on We Live Security.

The tests found that Internet Explorer 10 offered a mean malware block rate of 99.96%, with Chrome in second with a mean block rate of 83.16%.

“Safari and Firefox, with mean malware block rates of 10.15% and 9.92% respectively, provided negligible protection but were still more than five times more effective than Opera, which blocked only 1.87% of the malware in this test,” said the company in its report.

The tests were conducted over a period of 28 days, with 550 “test runs” per browser against URLs containing malware, according to NSS Labs. The products under test were Apple Safari 5, Google Chrome 25/26, Microsoft Internet Explorer 10, Mozilla Firefox 19 and Opera 12.

“As the first line of defense against malware infection, browsers must provide a strong layer of protection,” the company says. “NSS tested the effectiveness of five leading web browsers against 754 samples of real-world malicious software, and the results show significantly differing protection capabilities.”

“For every ten web encounters with socially engineered malware, Firefox and Safari users will be protected from approximately one attack. Nine out of ten browser malware encounters will test the defenses of installed anti-­virus or other operating system defenses,” the report says. “By contrast, Chrome users will be protected from eight out of ten such attacks, and Internet Explorer 10 users will be protected from all but about 4 out of 1,000 socially engineered malware attacks.”

The post Internet Explorer 10 beats Chrome and Firefox for blocking malware, says analyst report appeared first on We Live Security.

Cyber Security A to F

You can make the task of getting a handle on cyber security more manageable if you break it down into a series of steps. The following six-step program can help you get started, or revive previous security efforts:

• Assess your assets, risks, resources
• Build your policy
• Choose your controls
• Deploy the controls
• Educate employees, execs, vendors
• Further assess, audit, test

Bear in mind that defending your organization against cyber criminals is not a project, it is a process, one that should be ongoing. Too often we see organizations suffer a data breach these days because the security measures they put in place a few years ago have not been updated, leaving newer aspects of their digital activities undefended.

A: Assess your assets, risks, resources

The first step in this process is to take stock. What kinds of data does your organization handle? How valuable are they? What threats exist? What resources do you have to counter those threats?

Catalog assets: digital, physical

If you don’t know what you’ve got, you can’t protect it. List out the data that makes your organization tick and the systems that process it. (I assume you already have an inventory system for tracking all company computers, routers, access points, tablets, printers, fax machines, etc.)

Be sure to include the systems receiving data and outputting data as well as those that process and store it. For example, if your company depends on a central database of clients and their orders it is possible to focus on that as your main digital asset, and feel fairly secure because it resides on a well-protected server in a locked room. But connections in and out of that database may come from a wide range of end points that exist beyond your physical control. Some of your most valuable data may be highlights and summaries emailed to executives and sitting in their in-boxes. You need to catalog and protect those end points.

Determine risk

You need to answer this question: What are the main threats to your data and systems? Try stating these in terms of actors, actions, assets, attributes, and motives. For example, some people who don’t like your construction company’s use of imported timber (actors) might attack (action) your website (asset) to prevent you taking orders (attribute) to make a point (motive).

This type of breakdown of threats is used in the annual Verizon Data Breach Investigation Report, a document worth reading at this stage because it provides a solid background to internal discussions about risks, one that is based on recent, real world attacks. (You can download the 2013 DBIR here.)

The report uses something called VERIS–as in Vocabulary for Event Recording and Incident Sharing–to provide a standardized way of describing the bad things that happen to data and systems in terms of: “who did what to what (or whom) with what result”.

On the right is a chart from that report which maps the 621 incidents analyzed by Verizon in 2012, based on actions and assets, broken down by actor motive (darker color means more activity). The action categories are: Malware, Hacking, Social engineering, Misuse, Physical, Error, and Environmental. The motives are Financial, Espionage, Activism, and Other.These are handy schemas to use when performing your review of the risks faced by your organization.

The assets are a good way of looking at the focus of the attack. Note that your organization may not fit this “average” profile of activity. Furthermore, this profile is based on incident data that Verizon and its partners analyzed, not the totality of all malicious activity occurring last year.

For help in how to structure your assessment of risk, there is a handy non-technical Cyber Security Risk Management guide from the New York State Office of Cyber Security.

List resources

After cataloging all the digital assets that you need to protect, and reviewing the threats ranged against them, you can feel overwhelmed. Now take heart and list out the resources you may be able to tap as you swing into action. This can include current employees with cyber security skills, outside consultants recommended by friends, partners, and trusted vendors. You may be able to get help from trade associations, local business groups, even the federal government. See the resources at the end of this article for some suggestions.

Build your policy

The only sustainable approach to cyber security begins with, and depends on, good policy (I think it is fair to say that’s the consensus opinion of information security processionals, myself included). Ideally, policy begins with C-level buy-in and flows naturally from there. Your organization needs a high-level commitment to protecting the privacy and security of all data handled by the organization. For example:

We declare that it is the official policy of Acme Enterprises that information, in all its forms, written, spoken, recorded electronically or printed, will be protected from accidental or intentional unauthorized modification, or destruction throughout its life cycle.

From this flow policies on specifics. For example:

Customer information access policy: Access to customer information stored on the company network shall be restricted to those employees who need the information to perform their assigned duties.

You implement this policy through controls, which we discuss in a moment. First, I want to stress that for many companies, information security policy is not optional, no matter how small. I’m not just talking about legal requirements to have policy, which exist in areas such as health and financial data, but the need to have policies to close deals. These days it is not unusual for a company to ask potential suppliers to comply with requirements like this:

Vendor must have a written policy, approved by its management, that addresses information security, states its management commitment to security, and defines the approach to managing information security.

Choose the controls to enforce your policies

Information system security professionals use the term “controls” for those mechanisms by which policies are enforced. For example, if policy states that only authorized employees can access certain data, a suitable control might be:

• Limit access to specific data to specified individuals by requiring employees to identify and authenticate themselves to the system.

That’s a high level description of the control. You will need to get more specific as you move toward selection of actual controls, for example:

• Require identification and authentication of all employees via unique credentials (e.g. user name and password).
• Forbid the sharing of user credentials.
• Log all access to data by unique identifier.
• Periodically review logs and investigate anomalies.

Spelling out the controls will help you identify any new products you may need, bearing in mind that there may be suitable security features available in products you already use. For example, if policy states that sensitive data shall not be emailed outside the organization in clear text a suitable control to apply–encrypting of documents–may be accomplished through the document password protection features in products like Microsoft Office and Adobe Acrobat. (Note: I’m not saying that is strong enough for very sensitive data, but it does make intercepted documents a lot harder to read than ones that are not encrypted.)

Deploy and test controls

Putting controls in place is the deployment phase but this also includes part of the next phase, education. For example, when you roll out a control like unique user IDs and passwords you will need to educate users about why this is happening and how it works (in this example, that process should include explaining what constitutes a strong password–in my experience an alarmingly large percentage of computer users have never had this explained to them). You will also need to test as you deploy, to make sure that the controls are working.

A phased approach to roll out often works better because you can identify problems and find solutions while scale is still limited. Rolling out to more experienced users first is a good way to get initial feedback and improve messaging to be used with the wider population (bearing in mind that some things which experienced users already know may nevertheless need to be explained to the general user population).

When testing a control, you need to make sure that it works technically, but also that it “works” with your work, that is, does not impose too great a burden on employees or processes.

Educate employees, execs, vendors, partners

Security education is too often the neglected step in cyber security. In my opinion, for your cyber security efforts to be as successful as they can be, everyone needs to know and understand:

• What the organization’s cyber security policies are.
• How to comply with them through proper use of controls.
• Why compliance is important.
• The consequences of failure to comply.

Your goal should be a “security aware workforce” that is self-policing. In other words, employees are empowered to say “No” to practices that are risky and report them to management (even if the persons engaged in unsafe cyber practices are management).

In terms of consequences, there is no need to sound overly-draconian, but you do need to spell out, calmly but clearly, that a breach of security could be very bad news for the organization and threaten its continued operation, including employment.

Two areas of education you don’t want to skimp on are firstly, executives, some of whom may feel they are above security rules. Secondly, partners, vendors, and even clients need to know what your security stance is, what you allow and what you forbid. In fact, any data-sharing relationship should be encompassed in policies, controls, and security awareness education. You don’t want the negligence of a partner to expose sensitive customer data that was entrusted to your keeping. Saying “it was not our fault” may not cut it when trying to rebuild trust with customers. There’s a saying “you can know a person by the friends they keep” and some people will judge a company by the organizations with whom it shares data.

Further assess, audit, test…

Step F on the road map is by no means the end of the line, in fact, it is a reminder that this process continues. Once polices and controls are in place and education is under way, it is time to re-assess security, by testing and auditing. You can do some of this in-house but you may also want to engage an outside entity to get an objective perspective on your efforts so far.

Best practice is to assess security on a periodic basis and adjust defenses accordingly. Even when there is no audit scheduled, you will want to stay up-to-date on emerging threats and adjust your controls accordingly. For example, a few years ago it was unusual to see brute force attacks on small business systems but today that is happening all the time. The implication? You probably need to pay more attention to the security of your web server than you have been accustomed to doing. How would you know this is a trend? One way is to subscribe to good security websites, like Dark Reading, Search Security, and of course We Live Security.

You should also be alert to changes in your systems and connections to your data. For example, there are potentially security implications from new vendor relationships, new partnerships, and new digital marketing initiatives. The departure of an employee is another event that requires security attention, making sure that access to data and systems is terminated appropriately.

Cyber security checklist

Yes, there is a lot to think about when tackling cyber security for your organization. Here are some high points you don’t want to miss:

• Do you really know what data you are handling?
• Do your employees understand their duty to protect the data?
• Have you given them the tools to work with?
• Can you tie all data access to specific people, times and devices?
• Have you tried restoring systems from backups lately to make sure they work?
• Who’s in charge of your website hosting and how secure is it?
• Are you regularly eliminating unnecessary data?
• Have you off-loaded security to someone else?
  • Managed service provider, private cloud provider, public cloud provider?
  • Be sure you understand the contract
  • Remember, you can’t off-load your liability or compliance requirements
  • Ask how security is handled, what assurances are given in your contract
• What data security and privacy protection laws and regulations apply to your organization?
  • HIPAA and/or HITECH (covers health data, of employees, or patients, processed for clients)
  • Gramm-Leach-Bliley (cover financial institutions)
  • COPPA, Children’s Online Privacy Protection Act
  • PCI security standards (for credit card data, processing, retailers)
  • Data breach notification (47 states have laws that require notification of consumers whose data is exposed and these laws may apply to you if you have customers from those states)

Cyber security resources

These are mainly pdf files, mainly from other websites:

• FCC Cyber Security Planning Guide
• Critical Controls for Effective Cyber Defense from SANS
• The website for 20 Critical Security Controls
• The Verizon 2013 Data Breach Investigation Report
• Non-technical Cyber Security Risk Management guide
• An example of online cybersecurity training
• The SMB Cyber Security Survival Guide (slides showing threats and road map)
• 45 CFR 165.306 Security standards for HIPAA covered entities
• NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
• NIST Special Publication 800-30: Risk Management Guide for Information Technology Systems
• Resources on the Securing Our eCity website

Note: We should point out that this road map is just a starting point for securing your data and systems and by no means a complete guide to the entire process.

The post Cyber security road map for businesses appeared first on We Live Security.

Admiral Jonathan Greenert, the Navy’s chief of operations, said that spending on cyber defense had continued even against a broader background of spending cuts.

Speaking to Reuters in Singapore before the Reuters Cybersecurity Summit in Washington this week, Greenert said, “The level of investment that we put into cyber in the department is as protected or as focused as it would be in strategic nuclear. It’s right up there, in the one-two area, above all other programs.”

Last week the Pentagon said for the first time that cyber attacks on the United States were directly attributable to China. “In 2012, numerous computer systems around the world, including those owned by the US government, continued to be targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military,” a Pentagon report said. China vigorously denied the reports, saying that the U.S. was “the real hacking empire.”

Greenert said that the Navy put particular importance on cybersecurity because its ships and planes depend heavily on computer networks.

“We’ve got to understand how to defend them, how to exploit them ourselves and how to, as necessary, be able to do offensive effects,” said Greenert. “Many people who look at the future of warfare say it’s bound to start in cyber. The first thing you’d want to do is shut down their sensors, interrupt their power grid, confuse them – and presumably guard against that kind of thing and recognize if it’s starting.”

The post Cybersecurity is “as important” as nuclear deterrent, says top U.S. admiral appeared first on We Live Security.

U.S. Attorney Loretta Lynch said that the suspects had “participated in a massive 21st century bank heist that reached across the internet and stretched around the globe.” Lynch compared the “surgical” heist with the film Ocean’s Eleven.

“These defendants allegedly formed the New York-based cell of an international cybercrime organization that used sophisticated intrusion techniques to hack into the systems of global financial institutions, steal prepaid debit card data, and eliminate withdrawal limits,” the Attorney’s office said in a statement.

The attack targeted prepaid credit cards. By raising the limit on cloned cards the hackers were able to withdraw “unlimited” funds for short periods. In New York, the hackers withdrew $2.8 million in hours.

“It’s usually prepaid debit cards. That’s the card of choice in this. The bad guys know the system and they have been able to exploit it,” said Joe Petro, MD of Promontory Financial Group and a former fraud expert from Citigroup, speaking to Reuters.  “The vulnerability stems from third-party processors, who may not have the same level of security systems that banks are able to have.”

“You have pockets of very strong security and security awareness – some of the big banks do great security research – but the fragmentation of electronic commerce undermines that work,” says ESET Senior Research Fellow David Harley.

“There are several points at which online transactions requiring authentication can spring a leak: poor password practice by uneducated users, poor protection of credentials data by the service provider, interception of credentials and other information in transit through MITM and MITB attacks, security problems with intermediaries such as ISPs and, in this case, card processors. It’s practically impossible to pay cash anywhere but over the counter these days, but security for electronic transactions hasn’t kept pace with the growth in that market.”

The hack targeted third-party payment processing companies for pre-paid MasterCard debit cards issued by two Middle Eastern banks.

The post Worldwide $45m ATM cyber-heist highlights vulnerabilities in card security appeared first on We Live Security.

“Passwords are running out of steam as an authentication solution. They’re starting to impede the development of the internet itself,” says Barrett, as reported in CIO magazine. “It’s pretty clear that we can’t fix it with a proprietary approach.”

Mr Barrett pointed out how passwords published online after data breaches in recent years showed that insecure passwords such as “12345” and “password” remain among the most commonly used, despite attempts to educate users.

“Users will pick poor passwords – and then they’ll reuse them everywhere,” says Barrett. “That has the effect of reducing the security of their most secure account to the security of the least secure place they visit on the internet.”

Barrett is President of the Fast Identity Online (FIDO) Alliance, which aims to replace passwords with a secure, industry-supported protocol which is also easy to use. FIDO is investigating technologies such as fingerprint scanners, voice and facial recognition, as well as existing solutions such as Near Field Communication (NFC) and one-time passwords.

Professional services firm Deloitte said this year that even passwords considered “strong” by IT departments are now vulnerable.
In Deloitte’s Technology, Media and Telecommunications Predictions 2013, the firm predicts that 90% of user generated passwords will be vulnerable to hacking this year.

ESET Senior Research Fellow David Harley says, “Static passwords are problematic – even a good password is next to useless if the provider doesn’t take good care of credentials data and allows unlimited retries. The trouble is, that password authentication on the Internet is cheaper and easier to implement than most of the alternatives.”

Harley’s post, “Passwords and PINS: the worst choices“, outlines some typical traps users fall into.

Products such as ESET Secure Authentication can help businesses add another layer of security.

The post Passwords “are starting to fail us”, says PayPal security chief appeared first on We Live Security.