<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
<channel>
<title>(ISC)2 Blog</title>
<link>http://blog.isc2.org/isc2_blog/</link>
<description>Voice of the Information Security Professional</description>
<language>en-US</language>
<lastBuildDate>Sat, 11 May 2013 09:21:58 -0400</lastBuildDate>
<generator>http://www.typepad.com/</generator>

<docs>http://www.rssboard.org/rss-specification</docs>
<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/isc2Blog" /><feedburner:info uri="isc2blog" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item>
<title>The evolution of support scamming</title>
<link>http://feedproxy.google.com/~r/isc2Blog/~3/KHkab1qgs_w/the-evolution-of-support-scamming.html</link>
<guid isPermaLink="false">http://blog.isc2.org/isc2_blog/2013/05/the-evolution-of-support-scamming.html</guid>
<description>Cold-call tech support scams. Didn't they go away when the Federal Trade Commission cracked down on them in the US? Actually, while the FTC crackdown wasn't quite as comprehensive as it might have seemed, there's no doubt that the number...</description>
<content:encoded><![CDATA[<p>Cold-call tech support <a class="zem_slink" href="http://en.wikipedia.org/wiki/Confidence_trick" rel="wikipedia" target="_blank" title="Confidence trick">scams</a>. Didn&#39;t they go away when the <a href="http://www.welivesecurity.com/2012/10/03/ftc-cracks-down-on-tech-support-scams/" target="_blank" title="FTC crackdown">Federal Trade Commission cracked down</a> on them in the US? Actually, while the FTC crackdown wasn&#39;t quite as comprehensive as it <a href="http://www.welivesecurity.com/2012/10/15/telescammer-hell-what-still-drives-the-pc-support-scammers/" target="_blank" title="support scam motivation">might have seemed</a>, there&#39;s no doubt that the number of&#0160;classic &quot;I&#39;m-ringing-from-Microsoft-to-tell-you-that-you-have-viruses-but-I-can-help-you-for-a-small-fee&quot; cold-calls has declined (<a href="http://www.welivesecurity.com/2013/05/06/support-scam-cold-calling-the-next-generation-2/" target="_blank" title="More developments">round here</a> at any rate, but maybe they just figured that ringing someone who wrote as extensively as I do about the scam wasn&#39;t much of a sales prospect).</p>
<p>Still, it seems that what is happening here is evolution, not extinction. Last month, my colleague Jean-Ian Boutin <a href="http://www.welivesecurity.com/2013/04/18/online-pc-support-scam-from-cold-calling-to-malware/" target="_blank" title="cold-calling to malware">reported malware </a>that not only combined fake AV with basic screenlocking ransomware (digitally signed, too, though that certificate has since been revoked), but also offers a toll-free number where the victim can get help (for a price). According to Jean-Ian, ringing that number gets you in contact with a technician who delivers the same sort of support scam pitch that I&#39;ve described in detail elsewhere, for instance in this <a class="zem_slink" href="http://www.virusbtn.com/" rel="homepage" target="_blank" title="Virus Bulletin">Virus Bulletin</a> paper (co-written with Martijn Grooten, Steve Burn and <a class="zem_slink" href="http://en.wikipedia.org/wiki/Craig_Johnston" rel="wikipedia" target="_blank" title="Craig Johnston">Craig Johnston</a>): <a href="http://www.welivesecurity.com/media_files/white-papers/Harley-etal-VB2012.pdf" target="_blank" title="My PC has 32,539 errors: how telephone support scams really work">My PC has 32,539 errors: how telephone support scams really work</a>. The obvious difference is that this time the onus is on the victim to call the &#39;helpline&#39;, rather than the &#39;push&#39; cold-call model.</p>
<p>However, Malwarebytes&#39; <a href="http://blog.malwarebytes.org/intelligence/2013/04/phone-scammers-call-the-wrong-guy-get-mad-and-trash-pc/" target="_blank" title="Another scam call">Jerome Segura </a>did get a more traditional scam call, and even got his PC trashed (it was actually a virtual machine, of course, so no damage done) when he wasn&#39;t quick enough to supply his credit card details. He also reported a new (to me, anyway) variation on the theme of misrepresentation of a system utility to convince the victim that their machine is infected or corrupted. In this case, the utility was <a class="zem_slink" href="http://en.wikipedia.org/wiki/MSConfig" rel="wikipedia" target="_blank" title="MSConfig">MSCONFIG</a>: apparently stopped processes mean Something Nasty is at work. Perhaps the most interesting feature of this call, though, was that both the initial caller and the technician who was supposed to fix the problem insisted that Segura had to ask them to proceed with the &#39;fix&#39;, again putting the onus on the victim. </p>
<p>Today, Paul Ducklin of Sophos <a href="http://nakedsecurity.sophos.com/2013/05/11/an-unholy-alliance-fake-anti-virus-meet-bogus-support-call/" target="_blank" title="Sophos blog">reports an instance </a>of a deceptive pop-up used to drive the victim into calling a helpline. He suggests that the mechanism is along the lines of:</p>
<p style="padding-left: 30px;">&quot;Don&#39;t waste your time calling 10,000 people until you find one who is scared enough that you can intimidate them into paying up!</p>
<p style="padding-left: 30px;">Pre-select your victims by getting them to call you...&quot; </p>
<p>Well, I&#39;m sure there&#39;s an element of that, but I think there&#39;s also the same element of trying to cover your butt with a &#39;he called us, we didn&#39;t call him&#39; defence. Though if these scammers think that their &#39;sin&#39; lies in making unsolicited phone calls, they&#39;re missing the point. Fraudulent misrepresentation is a scam, regardless of whether the victim initiated the phone call. Fake AV and ransomware are still malware, and distributing malware is criminal behaviour in most jurisdictions. And a pop-up that lies to you about the health of your PC is still criminal if it leads to a fake scan and a subsequent fraudulent transaction, irrespective of the disarmingly accurate (but virtually unreadable) disclaimer that Ducklin references in his article. Bizarrely, it states that anything on the site should not be taken literally or as non-fiction. Well, they got that right.</p>
<p><strong><a class="zem_slink" href="http://en.wikipedia.org/wiki/David_Harley" rel="wikipedia" target="_blank" title="David Harley">David Harley</a> CITP FBCS CISSP</strong><br /><strong>ESET Senior Research Fellow</strong></p>
]]></content:encoded>


<category>Fraud</category>
<category>Harley</category>
<category>Malware</category>

<dc:creator>David Harley</dc:creator>
<pubDate>Sat, 11 May 2013 09:21:58 -0400</pubDate>

<feedburner:origLink>http://blog.isc2.org/isc2_blog/2013/05/the-evolution-of-support-scamming.html</feedburner:origLink></item>
<item>
<title>Secure Software Development – Closing the Gap between Risk Awareness and Response</title>
<link>http://feedproxy.google.com/~r/isc2Blog/~3/6TT0i5_R-ug/secure-software-development-closing-the-gap-between-risk-awareness-and-response.html</link>
<guid isPermaLink="false">http://blog.isc2.org/isc2_blog/2013/04/secure-software-development-closing-the-gap-between-risk-awareness-and-response.html</guid>
<description>by Mano Paul, CISSP, CSSLP, MCSD, MCAD, CompTIA Network+, ECSA As highlighted in the recently released 2013 Global Information Security Workforce Study (GISWS) – the largest vendor-neutral study of its kind conducted by (ISC)2 and analyst firm Frost &amp; Sullivan...</description>
<content:encoded><![CDATA[<p>by Mano Paul,
CISSP, CSSLP, MCSD, MCAD, CompTIA Network+, ECSA</p>
<p>As highlighted in the recently released 2013 <a href="https://www.isc2.org/workforcestudy/Default.aspx">Global Information Security Workforce Study</a> (GISWS) – the largest vendor-neutral
study of its kind conducted by (ISC)<sup>2</sup> and analyst firm Frost &amp;
Sullivan – the
largest gap between information security risk awareness and response exists in
the secure software development discipline. In fact, respondents ranked
application vulnerabilities as their top concern, making application security and
secure software
development the highest ranking security concern for the information security
profession today. </p>
<p>As the first software security certification, the groundbreaking Certified
Secure Software Lifecycle Professional (CSSLP®) credential was created to validate secure software development
practices and expertise in order to address the increasing number of application
vulnerabilities. Taking a holistic approach to software security, the CSSLP aims
to validate an individual’s
competency in addressing security issues throughout the entire software
development lifecycle (SDLC).</p>
<p>So who is it for? In today&#39;s cyber world, it may be easier to answer
the opposite question: who is it NOT for? Professionals not involved in software (or
applications). In other words, it is aimed at all stakeholders involved in software
development. Although focused foundationally on software architects, programmers
(engineers) and software development managers, the CSSLP caters to all
individuals involved in the SDLC, including software testers, business
analysts, project managers, operational personnel, security team members,
auditors, and software vendors. It goes
beyond traditional security views with the aim of educating and assessing an
individual’s competency in software assurance.</p>
<p>&#0160;The CSSLP is a base-level certification that addresses software
security from a holistic view, and is technology-, code/syntax-, and vendor-agnostic.
By holistic I mean: </p>
<ol>
<li>It
covers the people, process, and technology aspects of software assurance.</li>
<li>It
covers the network, host, and application aspects of software assurance. </li>
<li>It goes
beyond just writing secure code and covers the security aspects from the requirements
phase to the retirement phase through design, development, testing, and
deployment.</li>
</ol>
<p>Interested in pursuing the CSSLP? There are two important components
that are necessary for success – the first is experience and the second is
education. Like any other elite professional certification, the CSSLP
assessment gauges an individual&#39;s knowledge and competency in software
assurance concepts, not merely at the level of definitions but also at a functional
level. Additionally, just as one would not take a test without first preparing,
it would be foolhardy to assume that you can take the CSSLP examination without
proper preparation. You can learn more about the requirements and next steps to
earn the CSSLP <a href="https://www.isc2.org/CSSLP/Default.aspx">here</a>.</p>
<p>When you see dark clouds, there will likely be a storm. And with
attackers targeting the application layer, the future for organizations that pay
little to no attention to software (or application) security is bleak. The
CSSLP is ultimately intended to educate a company&#39;s workforce so they can
weather the inevitable storms in the application space. And while earning the CSSLP
certification is a vital and key step in your professional cyber security
career, the continuing education process does not stop afterwards. It’s time
we closed the widening gap between risk awareness and risk response in the
software development discipline, and getting your CSSLP can certainly help your
organization in this endeavor, besides helping you professionally in your career.</p>
<p><strong>The bottom line as
outlined by the Global Workforce Study: </strong><em>deepening engagements in software
development cannot occur in isolation or be the
exclusive responsibility of the information security workforce. Other relevant functional groups—software
developers, application owners, and
the quality assurance and testing teams—must internalize secure software development best practices
and engage, as standard operating procedure, with information security professionals.</em></p>]]></content:encoded>


<category>Paul</category>
<category>Risk</category>
<category>Software Development</category>

<dc:creator>Mano Paul</dc:creator>
<pubDate>Mon, 15 Apr 2013 14:00:58 -0400</pubDate>

<feedburner:origLink>http://blog.isc2.org/isc2_blog/2013/04/secure-software-development-closing-the-gap-between-risk-awareness-and-response.html</feedburner:origLink></item>
<item>
<title>Flight risk</title>
<link>http://feedproxy.google.com/~r/isc2Blog/~3/RuJ1UeMihPE/flight-risk.html</link>
<guid isPermaLink="false">http://blog.isc2.org/isc2_blog/2013/04/flight-risk.html</guid>
<description>An amateur pilot has reportedly assembled and hacked real aircraft cockpit systems, demonstrating their vulnerabilities. "Security researcher Hugo Teso was able to "hijack" the systems to feed false navigation information to a simulated jet that made it change course." BBC...</description>
<content:encoded><![CDATA[<p>An amateur pilot has reportedly assembled and hacked real aircraft cockpit systems, demonstrating their vulnerabilities.</p>
<blockquote>
<p style="text-align: justify;">&quot;Security researcher Hugo Teso was able to &quot;hijack&quot; the systems to feed false navigation information to a simulated jet that made it change course.&quot; &#0160;<a href="http://www.bbc.co.uk/news/technology-22107433" target="_blank" title="BBC news item">BBC</a></p>
</blockquote>
<p style="text-align: justify;">It&#39;s not hard to think of scenarios where a well-resourced, competent and overtly malicious yet non-suicidal adversary could wreak havoc by redirecting aircraft, missiles, anti-missile-missiles, drones etc. using similar techniques, or simply interfere with them, hence one would have thought that information security was an obvious safety-critical requirement for their navigation and comms systems ... like for example <a href="http://www.wired.com/dangerroom/2012/10/hack-proof-drone/" target="_blank" title="Wired article">the 30 to 50% of US military drones said to be &quot;hack-proof&quot;</a>(hack-proof indeed: a bold claim!). &#0160;</p>
<p style="text-align: justify;">No doubt cost is a major factor. &#0160;Security is costly. &#0160;Effective high-tech security in high-risk situations is <em>very</em> costly, but so too are incidents if/when they do occur. &#0160;The war is asymmetric since adversaries need only clamber through the one tiny breach in an otherwise impenetrable defence wall to overwhelm the castle. &#0160;Are we spending enough?</p>
<p style="text-align: justify;">Regards,<br />Gary Hinson &#0160;<a href="www.noticebored.com" target="_blank" title="NoticeBored">IsecT Ltd.</a>&#0160;</p>]]></content:encoded>


<category>Authentication</category>
<category>Availability</category>
<category>cryptography</category>
<category>Hinson</category>
<category>Integrity</category>
<category>Malware</category>
<category>Network Security</category>
<category>Operations Security</category>
<category>Risk</category>
<category>Secure Software</category>
<category>Security Principles</category>

<dc:creator>Gary Hinson</dc:creator>
<pubDate>Thu, 11 Apr 2013 18:07:00 -0400</pubDate>

<feedburner:origLink>http://blog.isc2.org/isc2_blog/2013/04/flight-risk.html</feedburner:origLink></item>
<item>
<title>A Career in Science and Technology – from Nuclear Engineering to Cyber Security</title>
<link>http://feedproxy.google.com/~r/isc2Blog/~3/3j2wMDOKSO4/a-career-in-science-and-technology-from-nuclear-engineering-to-cyber-security.html</link>
<guid isPermaLink="false">http://blog.isc2.org/isc2_blog/2013/04/a-career-in-science-and-technology-from-nuclear-engineering-to-cyber-security.html</guid>
<description>By: Hord Tipton One chooses their career path for different reasons – whether it be following in a parent’s footsteps or an innate desire to help others. I was inspired by a chemistry teacher to pursue a career in chemical...</description>
<content:encoded><![CDATA[<p><strong>By: Hord Tipton</strong></p>
<p>One chooses their
career path for different reasons – whether it be following in a parent’s
footsteps or an innate desire to help others. I was inspired by a chemistry
teacher to pursue a career in chemical engineering and found success in
engineering nuclear weapons for Atomic Energy Commission, securing SCADA
systems that controlled vital resources such as the Hoover Dam, and enhancing
information and software security standards through credentials and education.
&#0160;</p>
<p>Throughout my
vast career, I’ve seen computers shrink from room-sized to pocket-sized with
more power in one device today than throughout an entire operating system
twenty years ago. In 2002, I had to disable Internet capabilities for everyone
in my agency [the U.S. Department of the Interior] because of a judge’s order.
Imagine how this would affect business operations in organizations now. </p>
<p>Security wasn’t
originally in my purview until my organization was sued for $76 billion:
that staggering blow would make anyone more focused on security! But
now cyber security is one of the most rapidly growing industries, with a near 0%
unemployment rate due to the myriad of threats. Application vulnerabilities, in
particular, were identified as the number one threat in the recently released <a href="https://www.isc2.org/workforcestudy/default.aspx" target="_blank">2013
(ISC)<sup>2</sup> Global Information Security Workforce Study</a>. The problem
originates from the acceptance of insecure software as a cost of doing
business. If a car company put out a car with faulty brakes, they would have to
recall all of those vehicles. Software companies are not held to the same
standard, and our Certified Secure Software Lifecycle Professional (CSSLP®)
credential was developed to address this need and to consider security
throughout the entire software development lifecycle. </p>
<p>Hear more in
my interview with Gary McGraw on the Silver Bullet Podcast - <a href="http://www.cigital.com/silver-bullet/show-084/top" target="_blank">http://www.cigital.com/silver-bullet/show-084/top</a>.
</p>]]></content:encoded>


<category>IT Security</category>
<category>Operations Security</category>
<category>Software Development</category>
<category>Tipton</category>

<dc:creator>Hord Tipton</dc:creator>
<pubDate>Tue, 09 Apr 2013 09:15:01 -0400</pubDate>

<feedburner:origLink>http://blog.isc2.org/isc2_blog/2013/04/a-career-in-science-and-technology-from-nuclear-engineering-to-cyber-security.html</feedburner:origLink></item>
<item>
<title>Technology that compels reasonable people to make questionable choices</title>
<link>http://feedproxy.google.com/~r/isc2Blog/~3/WWml-Phua3M/technology-that-compels-reasonable-people-to-make-questionable-choices.html</link>
<guid isPermaLink="false">http://blog.isc2.org/isc2_blog/2013/03/technology-that-compels-reasonable-people-to-make-questionable-choices.html</guid>
<description>Parents, have you heard of Snapchat? It was the first messaging applications, referred to as ephemeral technology, that allows one to send an image or video to one person or a group of people. This doesn't sound either new or...</description>
<content:encoded><![CDATA[<p>Parents, have you heard of Snapchat? It was the first of a class of messaging applications, referred to as ephemeral technology, that allow one to send an image or video to one person or a group of people. This doesn't sound either new or novel, right? Well, the twist with these apps is that, by design, the content lasts a very short time: the sender sets the period the image or video is available to view, from one up to ten seconds.</p>
<p>Now you see where I'm going. The appeal is that the image or video in essence expires or disappears within seconds. But where does it go? More on that in a moment. First, here's a bit of history and an outline of the meteoric adoption and use of this application.</p>
<p>Snapchat was created by four Stanford students and was launched in September 2011. TechCrunch stated that in May 2012 only 25 images were being sent per second. However, by the end of November 2012, users had shared over one billion photos, with 20 million photos being shared per day. Yup, that's billion with a "b".</p>
<p>So, how does it work? You take a picture or create a video on a mobile device, select one or more people from your contact list, determine the length of time it will be visible, and hit send. The recipient receives a message that they have been sent a "snap". In an attempt to provide some sort of protection against copying the image, the sender receives a notification when a screenshot is taken. That's great, but nothing stops someone from using another device or camera to capture the image. Also, in January, a workaround was disclosed that would allow the image to be saved without being detected by Snapchat.</p>
<p>Once viewed, the photo or video is "deleted" from the device and from Snapchat's servers. Or is it? Maybe. This is from the company's Privacy Policy:</p>
<blockquote>
<p>"When you send or receive messages using the Snapchat services, we temporarily process and store your images and videos in order to provide our services. Although we attempt to delete image data as soon as possible after the message is received and opened by the recipient (and after a certain period of time if they don't open the message), we cannot guarantee that the message contents will be deleted in every case."</p>
</blockquote>
<p>Doesn't instill much confidence, does it?</p>
<p>Snapchat is available for Apple iOS and Android devices, and given that it's been downloaded millions of times, it's not that surprising that it currently sits at #16 on the iTunes Top Free Apps chart and #39 on Google Play. The most current data available from Onavo Insights, a company that uses usage data to reflect true app market share, confirms that Snapchat is ranked #19 on the Onavo AppRank Top iPhone Apps at 11.6%. To put this into perspective, the ubiquitous Facebook, ranked #1, has a market share of 72.5%. Another telling statistic comes courtesy of the Wall Street Journal's "Snapchat, an App Teens Can't Put Down": a recent study found that approximately 13% of 13 to 18 year-olds use the app often.</p>
<p>Speaking of Facebook, they too have entered this space with a revamped version of Poke. However, although functionally similar, Poke is not gaining nearly as much traction as Snapchat; it's not even in the Top 100 free apps on iTunes. This is likely because Poke is tethered to one's Facebook profile, unlike Snapchat, which is a standalone application.</p>
<p>This is from the Apple App Store Snapchat download page; draw your own conclusion as to the principal use for Snapchat.</p>
<p>Snapchat, Inc.<br />Rated 12+ for the following:<br />Infrequent/Mild Sexual Content or Nudity<br />Infrequent/Mild Alcohol, Tobacco, or Drug Use or References<br />Infrequent/Mild Profanity or Crude Humor<br />Infrequent/Mild Mature/Suggestive Themes</p>
<p>Should this app be targeted at 12 year-old children? Giving young people a tool that enables them to share inappropriate content under the belief that the behavior could be safe, or at the very least temporary, is irresponsible. At the end of the day, parents need to understand what their kids are up to, and children need to appreciate that whatever they send via the Internet is neither confidential nor private and can potentially be available online forever.</p>]]></content:encoded>


<category>(ISC)2</category>
<category>Campbell</category>
<category>Privacy</category>
<category>safe and secure online</category>
<category>Safe and Secure Online</category>

<dc:creator>Blair Campbell</dc:creator>
<pubDate>Tue, 12 Mar 2013 10:10:33 -0400</pubDate>

<feedburner:origLink>http://blog.isc2.org/isc2_blog/2013/03/technology-that-compels-reasonable-people-to-make-questionable-choices.html</feedburner:origLink></item>
<item>
<title>Define S.M.A.R.T IT security goals</title>
<link>http://feedproxy.google.com/~r/isc2Blog/~3/fAx28ptFJeA/define-smart-it-security-goals.html</link>
<guid isPermaLink="false">http://blog.isc2.org/isc2_blog/2013/02/define-smart-it-security-goals.html</guid>
<description>One of the biggest problem that most IT security experts around the world have is the fact that IT security is never taken seriously until a security incident takes place. After that, management boards start being interested in IT security....</description>
<content:encoded><![CDATA[<p>One of the biggest problem that most IT security experts around the world have is the fact that IT security is never taken seriously until a security incident takes place. After that, management boards start being interested in IT security. However, these managers see security not through the eyes of an expert, but through the eyes of a business man. They need to measure, to plan and probably most important of all, they need to know the costs. An easier way to talk security with management is to define security as a manager.</p>
<p>SMART is a mnemonic with many accepted meanings, but in this
article it stands for: Specific, Measurable, Achievable, Relevant, Time-oriented.
The term comes originally from project management, where it is used to set
objectives and to track them through Key Performance Indicators (KPIs). For
security specialists it is important to be able to set and track KPIs for the
goals they want to achieve when evaluating, designing or implementing security
solutions, or when doing a risk assessment.</p>
<p>Presenting SMART goals to a management board can make security goals be easier to understand and ... to approve.</p>
<p>While at first sight these terms overlap, they are actually tightly interconnected and influence each other. </p>
<p>&#0160;</p>
<p><strong>Specific</strong></p>
<p>Specific means that you need a dedicated goal
rather than a general goal when defining and implementing security. Since
100% security (also sold as &quot;360-degree security&quot;) is in reality never possible (though unfortunately
many sell it and even more buy it), it is very important to define security goals
that address a particular set of problems and not all possible problems. For example,
when defining a goal, the following have to be specified:</p>
<ul>
<li>what is to be secured</li>
<li>what it is to be
secured against</li>
<li>what happens if the
security goal is not met (the risks against which we are trying to protect)</li>
<li>who or what should provide
the security</li>
<li>how the
security will be provided</li>
</ul>
<p>&#0160;</p>
<p><strong>Measurable</strong></p>
<p>To have a measurable security goal or strategy, you need to
be able to answer the question: how will I know that I have accomplished the goal?
If a goal is not measurable, it is probably not specific enough, or it is not
achievable, relevant or time-oriented (see the definitions below; the terms are interconnected and
influence each other).</p>
<p>You need to define metrics for the topics defined in
the scope so that you can measure and track their achievement. For example, if you are planning the security of a web portal, you will know
that you have achieved your goal of securing the web application if:</p>
<ul>
<li>no unauthenticated user is
able to access the protected parts of the portal</li>
<li>a penetration test of the portal
finds no open vulnerabilities (or none above an agreed severity)</li>
<li>your portal stays available under a DDoS attack of a defined size</li>
</ul>
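<p>As an added example that is not part of the original post, here is what the three portal goals look like once each is tied to a metric, a threshold and a deadline, so that the answer to &quot;did we achieve it?&quot; comes from data rather than opinion. Everything in it is constructed: the access-log lines, the finding list and the probe results are sample data, and the goal names, the 99.5% availability target and the deadlines are assumptions.</p>

```python
"""Added example (not from the original post): the three web-portal goals
expressed as measurable checks with a deadline.  All inputs are constructed
sample data; thresholds, dates and goal names are assumptions."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Tuple

# Constructed access-log lines, Common Log Format: ip ident user [time] "request" status bytes
ACCESS_LOG = """\
203.0.113.5 - alice [14/Feb/2013:10:01:02 +0000] "GET /portal/dashboard HTTP/1.1" 200 5120
203.0.113.9 - - [14/Feb/2013:10:01:07 +0000] "GET /portal/login HTTP/1.1" 200 1024
203.0.113.9 - - [14/Feb/2013:10:01:09 +0000] "GET /portal/dashboard HTTP/1.1" 302 0
198.51.100.7 - - [14/Feb/2013:10:02:15 +0000] "GET /portal/reports/q1.pdf HTTP/1.1" 200 88211
"""
# Constructed pen-test findings: (id, severity, status)
PENTEST_FINDINGS = [("F-1", "high", "fixed"), ("F-2", "medium", "open"), ("F-3", "low", "open")]
# Constructed once-per-second probes during a simulated flood: True = answered within SLA
LOAD_TEST_SAMPLES = [True] * 120 + [False] + [True] * 79   # 200 probes, one timeout

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[.*?\] "(\S+) (\S+) [^"]*" (\d{3}) \d+$')


def unauthenticated_hits(log_text: str, protected_prefix: str = "/portal/",
                         public_paths: Tuple[str, ...] = ("/portal/login",)) -> List[Tuple[str, str]]:
    """(client_ip, path) for every 2xx response to a protected path with no user
    in the log.  A 3xx redirect to the login page is the intended behaviour and
    is not counted; unparsable lines are skipped so one bad line cannot hide a
    failed goal behind an exception."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, user, _method, path, status = m.groups()
        if (path.startswith(protected_prefix) and path not in public_paths
                and user == "-" and status.startswith("2")):
            hits.append((ip, path))
    return hits


def open_findings_at_or_above(findings, min_severity: str = "high"):
    """Open pen-test findings whose severity is at or above min_severity."""
    floor = SEVERITY_RANK[min_severity]
    return [f for f in findings if f[2] == "open" and SEVERITY_RANK[f[1]] >= floor]


def availability_permille(samples) -> int:
    """Availability in parts per thousand (integer maths: no float rounding at the threshold)."""
    return sum(1 for s in samples if s) * 1000 // len(samples)


@dataclass
class Goal:
    name: str
    metric: str                                  # Measurable: what is counted
    deadline: date                               # Time-oriented: when it must hold
    check: Callable[[], Tuple[object, bool]]     # returns (measured value, met?)


def check_no_unauth():
    hits = unauthenticated_hits(ACCESS_LOG)
    return len(hits), not hits

def check_pentest():
    found = open_findings_at_or_above(PENTEST_FINDINGS, "high")
    return len(found), not found

def check_ddos():
    avail = availability_permille(LOAD_TEST_SAMPLES)
    return avail, avail >= 995        # assumed target: 99.5% during the flood

GOALS = [
    Goal("no-unauthenticated-access", "2xx responses to protected paths with no user", date(2013, 3, 1), check_no_unauth),
    Goal("pentest-clean", "open findings of severity high or above", date(2013, 3, 1), check_pentest),
    Goal("survives-ddos", "availability (per mille) under simulated flood", date(2013, 4, 1), check_ddos),
]


def evaluate_goals(as_of, goals=GOALS) -> Dict[str, Dict[str, object]]:
    """Evaluate every goal as of a date (date or ISO string); an unmet goal past
    its deadline is flagged overdue, which is what the board wants to see."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    report = {}
    for g in goals:
        value, met = g.check()
        report[g.name] = {"metric": g.metric, "value": value, "met": met,
                          "deadline": g.deadline.isoformat(),
                          "overdue": (not met) and as_of > g.deadline}
    return report


if __name__ == "__main__":
    for name, r in evaluate_goals("2013-02-14").items():
        state = "MET" if r["met"] else ("OVERDUE" if r["overdue"] else "NOT YET MET")
        print(f"{name:26s} {r['metric']}: {r['value']} -> {state} (due {r['deadline']})")
```

<p>On the sample data the access-log check fails (one unauthenticated download from the reports area), the pen-test check passes because the only high finding is already fixed, and the flood test passes at exactly the 99.5% threshold. Run with a date after 1 March 2013 the unmet goal is reported as overdue, which is the Time-oriented part of SMART made visible in the same report.</p>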
<p>&#0160;</p>
<p><strong>Achievable</strong></p>
<p>This term is probably the most complicated one to
address, because it requires a lot of experience to get right. In
theory, everything is achievable, but in practice we all know that some goals
are more realistic than others. The most common constraints that can influence a security
goal are budget, time, resources, scope and many others. To make sure that
your goals are achievable, you should be able to answer the questions: how
exactly can this goal be achieved? Do I have what I need to achieve this
goal? </p>
<p>It is not enough only to define goals (e.g. use defense in
depth); you need to be able to achieve them (the exact steps for implementing
this good security principle).&#0160;</p>
<p>&#0160;</p>
<p><strong>Relevant</strong></p>
<p>A security goal is relevant if it makes sense to implement
and if it really applies to your problem. This means that there is some value
which must be secured and that the cost of protecting it is less than the value
being protected (positive ROI). Easier said than done, since you can’t easily
measure credibility, trust or market share, which usually suffer when a company has a security incident. You can’t secure everything, or
protect against every possible risk, so it is imperative to choose the goals that really matter (sorry for those who sell security policies). A security goal can have
all the other attributes mentioned above but still lack relevance, in which case it is not worth
implementing. </p>
<p>When you do a risk assessment, you need to describe all
risks and make them measurable, so that you can assess how important they are.
So, measurability can help to determine whether a goal is relevant (whether it is worth
securing). A multi-layer security approach will help you to identify relevant
goals for each layer. If you partition, you can see the problems of one
layer more easily than all the problems of the entire system. Relevance should also
be sought in the solutions meant to achieve a security goal. For example, if you see a lot
of attacks on a certain open port which you know nobody uses, it makes no sense to
install an application firewall to filter access to that port if you can
simply close the port (hardening the system).</p>
<p>&#0160;</p>
<p><strong>Time-oriented</strong></p>
<p>In security, we are always confronted with time. Time is always critical, because if securing something takes too long to implement, it might no longer be worth securing (think of intellectual property). If you were to secure a building, one thing is to lock the door with a key, and another thing is to take the time to do an extensive analysis and then install expensive security systems, video surveillance, a human guard, etc. But it might be that all you need is to lock the door, because this would solve the emergency. Time can also make a goal irrelevant: if you can’t secure your web application before the first users register, it might be too late after that (this doesn’t mean that you shouldn’t secure it after that). It can also make a goal unachievable: some operations need time to be implemented, and if you don’t have that time, you can’t achieve your goal.</p>
<p>Your goals are time-oriented if you can answer: When should it start? When should it end?</p>
<p><a href="http://www.sorinmustaca.com" target="_blank">Sorin Mustaca</a></p>
<p>(ISC)2 CSSLP, CompTIA Project+, Security+&#0160; </p>
]]></content:encoded>


<category>Mustaca</category>

<dc:creator>Sorin Mustaca</dc:creator>
<pubDate>Thu, 14 Feb 2013 16:31:00 -0500</pubDate>

<feedburner:origLink>http://blog.isc2.org/isc2_blog/2013/02/define-smart-it-security-goals.html</feedburner:origLink></item>
<item>
<title>Controlling the load into your services and applications</title>
<link>http://feedproxy.google.com/~r/isc2Blog/~3/d-F_owl0h0w/controlling-the-load-into-your-services-and-applications.html</link>
<guid isPermaLink="false">http://blog.isc2.org/isc2_blog/2013/02/controlling-the-load-into-your-services-and-applications.html</guid>
<description>Administrators are occasionally faced with the task to size their applications farms properly so it can sustain network growth for the years to come. They follow all the best practices: Understanding the company objectives and upcoming Internet related projects Establishing...</description>
<content:encoded><![CDATA[<p>Administrators are occasionally faced with the task of sizing their application farms properly so they can sustain network growth for the years to come. They follow all the best practices:</p>
<ul>
<li>Understanding the company objectives and upcoming Internet-related projects </li>
<li>Establishing the estimated growth number of subscribers/users </li>
<li>Working with the network team to understand how the network will grow </li>
<li>Estimating the total traffic per second generated by clients and integrated systems </li>
<li>Sizing the farms according to demographic demands </li>
<li>Implementing traditional security technologies like load balancers, firewalls and intrusion prevention systems&#0160;</li>
</ul>
<p>They do everything right.  </p>
<p>Unfortunately after all the sizing work is done, they find that application traffic load is increasing in unprecedented ways and their applications are unable to handle traffic load spikes.  </p>
<p>Their services/applications collapse again and again. </p>
<p>Finally, administrators are asked by their less than happy management team: </p>
<p>“How could you have sized the service/application so poorly?”</p>
<p>The lesson to be learned here is: You can do everything right when sizing your application/service, but you need to be ready for the unpredictable.  </p>
<p>What is the unpredictable?  </p>
<p>Attacks and legitimate traffic peaks. </p>
<p>&#0160;</p>
<p>Knowing this, how can you ready your network?</p>
<p>&#0160;</p>
<p><strong>Step 1 of 3: Clean the pipe</strong></p>
<p>Let's assume, for example, that you have an application running on a web farm and you're constantly being hammered by bogus HTTP traffic.</p>
<p>The best way to handle it is to block it upfront. An Intrusion Prevention System, a next-generation (NG) firewall, an anti-DDoS appliance and a Traffic Control Engine (the DPI kind) are great tools to ensure that your farm receives only valid traffic.</p>
<p>&#0160;</p>
<p><strong>Step 2 of 3: Close the pipe</strong></p>
<p>Let's assume a situation where your service/application server pool is able to handle 150,000 transactions per second (tps) at its best. If this is true, why would you allow more than the maximum supported number of transactions to ever reach your servers? Why not rate-limit the traffic to guarantee that your servers will receive only the traffic they can handle?</p>
<p>This is a completely valid approach because we’re talking about protecting an infrastructure. Remember, our task as security and network professionals is to keep the network and the Internet running even when under attack or heavy load.</p>
<p>&#0160;</p>
<p><strong>Step 3 of 3: Estimate the load</strong></p>
<p>The last important aspect to consider is controlling the traffic generated by clients and networks. I cannot imagine a computer, tablet, or smartphone that can generate more than 10 transactions per second, even considering all the traffic that happens in the background (i.e. updates, synchronizations, etc.) in addition to the human-generated traffic.</p>
<p>Establishing a limit for the transactions per second generated by each IP sounds like a good idea and can be implemented by many administrators (every case is different, of course). </p>
<p>But sometimes you cannot simply rate-limit the transactions per second generated by an IP address, because you can have many IPs that are used in network address translation (NAT), which means you may have many clients sharing a single IP address. In those cases, you can monitor the traffic generated by the subnets and estimate a safe limit to control the aggregated traffic. You can also control the traffic load targeted at your individual servers.</p>
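<p>The limits from Steps 2 and 3 combined into one admission check, as an added example that is not code from the original post: a token bucket for the whole server pool (the article's 150,000 tps), one per source IP (the article's 10 tps) and one per /24 subnet for clients behind NAT. The 500 tps subnet cap and the sample traffic are assumptions made for the demonstration.</p>

```python
# Added example (not code from the original post): token-bucket admission control
# for the article's Steps 2 and 3. Pool 150,000 tps and client 10 tps are the
# article's figures; the 500 tps cap per /24 subnet is an assumption for the demo.
import ipaddress
from collections import Counter


class TokenBucket:
    """Refills `rate` tokens per second and holds at most `burst` tokens."""

    def __init__(self, rate, burst, now):
        self.rate = float(rate)
        self.capacity = float(burst)
        self.tokens = float(burst)
        self.last = now

    def refill(self, now):
        if now > self.last:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
            self.last = now

    def take(self):
        self.tokens -= 1.0


class LoadController:
    """Per-client, per-NAT-subnet and whole-pool admission control."""

    def __init__(self, pool_tps=150_000, client_tps=10, subnet_tps=500, subnet_prefix=24):
        self.client_tps = client_tps
        self.subnet_tps = subnet_tps
        self.prefix = subnet_prefix
        self.pool = TokenBucket(pool_tps, pool_tps, 0.0)
        self.clients = {}   # source IP -> TokenBucket
        self.subnets = {}   # /24 network -> TokenBucket

    def _subnet_key(self, src_ip):
        # NAT'd clients share one address, so aggregate the surrounding /24
        return str(ipaddress.ip_network(f"{src_ip}/{self.prefix}", strict=False))

    def _bucket(self, table, key, tps, now):
        if key not in table:
            table[key] = TokenBucket(tps, tps, now)
        return table[key]

    def admit(self, src_ip, now):
        """Return (allowed, reason). Tokens are consumed only when every level
        passes, so a request refused by one bucket does not drain the others."""
        checks = [
            ("client", self._bucket(self.clients, src_ip, self.client_tps, now)),
            ("subnet", self._bucket(self.subnets, self._subnet_key(src_ip), self.subnet_tps, now)),
            ("pool", self.pool),
        ]
        for name, bucket in checks:
            bucket.refill(now)
            if bucket.tokens < 1.0:
                return False, f"{name}_limit"
        for _, bucket in checks:
            bucket.take()
        return True, "ok"


def run_stream(controller, stream):
    """Feed (timestamp, src_ip) pairs through the controller and count the verdicts."""
    counts = Counter()
    for ts, ip in stream:
        counts[controller.admit(ip, ts)[1]] += 1
    return counts


def constructed_stream():
    """Constructed sample traffic, not captured data: 10.0.0.5 fires 30 requests at
    once (only 10 fit its bucket); 100 NAT'd hosts in 192.168.1.0/24 each send 8 at
    once, each under 10 tps but 800 in aggregate; 10.0.0.5 retries two seconds later."""
    stream = [(0.0, "10.0.0.5")] * 30
    stream += [(0.0, f"192.168.1.{h}") for h in range(1, 101) for _ in range(8)]
    stream.append((2.0, "10.0.0.5"))
    return stream


if __name__ == "__main__":
    print(run_stream(LoadController(), constructed_stream()))
```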
<p>&#0160;</p>
<p><strong>Next steps</strong></p>
<p>It is a critical task to size your service and application properly, but it's just as important to implement countermeasures that can assure that your system will run under the designed conditions. Failure to recognize and implement those controls can jeopardize your service/application and your business.</p>
<p>Be ready for the unpredictable.</p>
<p>&#0160;</p>
<p>Best Regards</p>]]></content:encoded>


<category>Availability</category>
<category>Cezar</category>
<category>IT Security</category>
<category>Network Security</category>

<dc:creator>Alexandre Cezar</dc:creator>
<pubDate>Sun, 10 Feb 2013 14:12:45 -0500</pubDate>

<feedburner:origLink>http://blog.isc2.org/isc2_blog/2013/02/controlling-the-load-into-your-services-and-applications.html</feedburner:origLink></item>
<item>
<title>Safe and Secure Online Launches in Switzerland on Safer Internet Day</title>
<link>http://feedproxy.google.com/~r/isc2Blog/~3/a3i3jDVHdT0/safe-and-secure-online-launches-in-switzerland-on-safer-internet-day.html</link>
<guid isPermaLink="false">http://blog.isc2.org/isc2_blog/2013/02/safe-and-secure-online-launches-in-switzerland-on-safer-internet-day.html</guid>
<description>By Julie Peeler A Safe and Secure Online volunteer was asked by a child, “If I tell someone, will it stop?” Just imagine the impact you can have in shaping a child’s life by having the skills to answer a...</description>
<content:encoded><![CDATA[<p><strong><em>By Julie Peeler</em></strong></p>
<p>A Safe and
Secure Online volunteer was asked by a child, “If I tell someone, will it
stop?” Just imagine the impact you can have in shaping a child’s life by having
the skills to answer a simple question.</p>
<p>
<a class="asset-img-link" href="http://blog.isc2.org/.a/6a00e54f109b678834017d40cb6172970c-pi" style="float: right;"><img alt="Safer-internet-day" class="asset  asset-image at-xid-6a00e54f109b678834017d40cb6172970c" src="http://blog.isc2.org/.a/6a00e54f109b678834017d40cb6172970c-320wi" style="margin: 0px 0px 5px 5px;" title="Safer-internet-day" /></a>Through the
(ISC)<sup>2</sup> Foundation, (ISC)<sup>2 </sup>members in Switzerland now have
the resources and support to help by providing free cyber security education to
children, parents, and teachers in their local communities (plus earn CPEs for
presenting). To commemorate Safer Internet Day today, 35 Swiss (ISC)<sup>2 </sup>members
have mobilized to launch Safe and Secure Online in Switzerland. </p>
<p>The program’s
presentation materials are available in French, German, and English to (ISC)<sup>2</sup>-certified
members who have completed training that covers program materials and advice on
communicating with children. Topics
in the presentation include how to avoid identity theft, recognize dangers with
common practices such as geo-tagging, manage passwords, safely download music,
avoid falling into malicious traps, and how to safely interact online and know
where to go for help. The presentation also includes hard-hitting videos covering both risks to personal safety and risks to the systems and devices children use.&#0160; </p>
<p>Since 2006,
(ISC)<sup>2</sup>’s Safe and Secure Online program has brought its certified
cyber security expert members into schools to educate over 95,000 students and
2,000 parents in Canada, Hong Kong, the United Kingdom, and the United States. </p>
<p>I would like
to personally thank the (ISC)<sup>2</sup> Switzerland Chapter, as this launch
wouldn’t be possible without their commitment to localize the program for
Switzerland. These volunteers play a key role in carrying out the program and
organizing local school visits. </p>
<p>Don’t have
time to volunteer? <a href="https://www.isc2cares.org/about/donations-donors/" target="_self" title="(ISC)2 Foundation">Donate</a> directly to the (ISC)<sup>2</sup> Foundation to support members making a
difference in their local communities. As little as US$5 from each member can
save a child from a cyberbully or online predator. </p>
<p>Schools in
Switzerland interested in receiving a free presentation can learn more at <a href="http://www.isc2cares.org">www.isc2cares.org</a> or contact the (ISC)<sup>2</sup>
Switzerland Chapter at <a href="mailto:sso@isc2chapter-switzerland.ch">sso@isc2chapter-switzerland.ch</a>.</p>
<p>&#0160;</p><div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/isc2Blog?a=a3i3jDVHdT0:P4WiOZUlIx0:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/isc2Blog?d=yIl2AUoC8zA" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/isc2Blog/~4/a3i3jDVHdT0" height="1" width="1"/>]]></content:encoded>


<category>Foundation</category>
<category>peeler</category>
<category>Safe and Secure Online</category>

<dc:creator>Julie Peeler</dc:creator>
<pubDate>Tue, 05 Feb 2013 13:35:01 -0500</pubDate>

<feedburner:origLink>http://blog.isc2.org/isc2_blog/2013/02/safe-and-secure-online-launches-in-switzerland-on-safer-internet-day.html</feedburner:origLink></item>
<item>
<title>PPI Scams in the UK and Ireland</title>
<link>http://feedproxy.google.com/~r/isc2Blog/~3/1_YBlNsZIhI/ppi-scams-in-the-uk-and-ireland.html</link>
<guid isPermaLink="false">http://blog.isc2.org/isc2_blog/2013/01/ppi-scams-in-the-uk-and-ireland.html</guid>
<description>PPI (Payment Protection Insurance) has been a hot potato in the UK for some years. There has long been widespread concern that the insurance, frequently added on to loans, mortgages and overdrafts, was frequently sold in circumstances inappropriate to the...</description>
<content:encoded><![CDATA[<p>PPI (<a class="zem_slink" href="http://en.wikipedia.org/wiki/Payment_protection_insurance" rel="wikipedia" target="_blank" title="Payment protection insurance">Payment Protection Insurance</a>) has been a hot potato in the UK 
for some years. There has long been widespread concern that the 
insurance, frequently added on to loans, mortgages and overdrafts, was 
frequently sold in circumstances inappropriate to the needs of the 
customer, while offering disproportionately large benefits to the 
lender/insurance provider (especially banks). In consequence, there has 
in recent years been pressure on financial institutions to review their 
sales practice and repay customers for mis-sold PPI services.</p>
<p>In
 the last year or so, I&#39;ve noticed an upsurge of nuisance messages 
relating to PPI rebates: these range from automated phone calls 
pressuring the recipient to press a button to talk to a salesman in 
order to meet a non-existent deadline for a non-existent claim, to calls
 from Indian call centres - those seem to have replaced support scams 
for a while, to Twitter and comment spam. (Actually, banks have been 
pushing for a deadline on payouts, but the automated messages I&#39;ve heard
 have talked about &#39;today&#39; or &#39;tomorrow&#39;, not April 2014...)</p>
<p>Strangely,
 given the quantity of comments I moderate, I hadn&#39;t personally come 
across this as comment spam, but <a class="zem_slink" href="http://www.eset.ie/" rel="homepage" target="_blank">ESET</a><a href="http://www.eset.ie/" target="_blank"> Ireland</a>&#39;s Urban Schrott sent me a 
link included in a comment to one of his own blogs. While I find it hard
 to put much faith in firms that advertise by comment spam and describe 
themselves as Mis-Selling Specialists, I can&#39;t say it&#39;s an out-and-out 
scam without further investigation: Permanent TSB <em>is</em> one of several lenders <a href="http://www.ft.com/cms/s/0/a6bb2012-113f-11e2-8d5f-00144feabdc0.html#axzz2JGx084tE">ordered by Ireland&#39;s central</a>
 bank to review all PPI sales since August 2007. However, there are some
 pretty good reasons for avoiding this kind of offer, even on the basis 
of No Win No Fee.</p>
<ul>
<li>Companies like this are charging heavily (<a href="http://www.telegraph.co.uk/finance/personalfinance/insurance/9355815/Martin-Lewis-Dont-pay-the-middleman-when-claiming-back-PPI.html">25-30%</a> or <a href="http://www.bbc.co.uk/watchdog/">more</a>) for doing something that people can do themselves<a href="http://www.moneysavingexpert.com/reclaim/ppi-loan-insurance"> for free</a>.</li>
<li>Some
 even ask for an upfront fee, and I&#39;d be surprised if that often gets 
returned even if the bid is unsuccessful (and there&#39;s no evidence that 
having a company do it for you will be more successful or less work).</li>
<li>The company&#39;s fee is likely to be X% of the whole of the mis-sold PPI, not just the amount paid to date.</li>
<li>And
 there isn&#39;t (in the UK, at any rate) much regulation of the claims 
industry, so getting money back from a rogue company is hard.</li>
</ul>
<p>For more information on why using a claims company is usually a bad idea (and when it might not be a bad idea), <a href="http://blog.moneysavingexpert.com/tag/ppi/">Martin Lewis has examined the issue</a> in some depth at <a href="http://MoneySavingExpert.com" target="_blank">MoneySavingExpert.com</a>, including this MSE <a href="http://www.moneysavingexpert.com/reclaim/ppi-loan-insurance">Reclaim PPI for Free</a> guide. Not to mention his <a href="http://blog.moneysavingexpert.com/2012/04/27/is-it-worth-using-a-ppi-claims-company-10-things-you-need-to-know/">10 things you need to know if using a PPI claims firm</a> blog. The main agency pressuring financial institutions to recognize legitimate PPI claims is the <a href="http://www.fsa.gov.uk">Financial Services Agency</a>, which has a<a href="http://www.fsa.gov.uk/consumerinformation/product_news/insurance/payment_protection_insurance_"> great deal of information</a> on its web site.</p>
<p>Note,
 by the way, that PPI is quite different to income protection insurance,
 which is intended to protect the customer from lack of income, rather 
than protecting the lender. Though that doesn&#39;t mean I&#39;d necessarily 
recommend income protection either.</p>
<p><strong><a class="zem_slink" href="http://en.wikipedia.org/wiki/David_Harley" rel="wikipedia" target="_blank" title="David Harley">David Harley</a><br />ESET Senior Research Fellow</strong></p>]]></content:encoded>


<category>Ethics</category>
<category>Fraud</category>
<category>Harley</category>
<category>Privacy</category>

<dc:creator>David Harley</dc:creator>
<pubDate>Tue, 29 Jan 2013 11:30:30 -0500</pubDate>

<feedburner:origLink>http://blog.isc2.org/isc2_blog/2013/01/ppi-scams-in-the-uk-and-ireland.html</feedburner:origLink></item>
<item>
<title>The PC is dead, long live the PC</title>
<link>http://feedproxy.google.com/~r/isc2Blog/~3/iNSbgZX4Mm8/the-pc-is-dead-long-live-the-pc.html</link>
<guid isPermaLink="false">http://blog.isc2.org/isc2_blog/2013/01/the-pc-is-dead-long-live-the-pc.html</guid>
<description>If you have read news lately, you couldn’t have missed hearing how well the tablets, smart phones and smart TVs are selling, and how badly the PC market (excluding laptops) is doing. Many so called “futurists” have predicted the passing...</description>
<content:encoded><![CDATA[<p>If you have read news lately, you couldn’t have missed hearing
how well the tablets, smart phones and smart TVs are selling, and how badly the
PC market (excluding laptops) is doing.</p>
<p>Many so-called “futurists” have predicted the passing of the PC era. </p>
<p>But is it really gone? Is the Personal Computer really dead,
or are these just marketing gags?</p>
<p>Being curious, I asked some friends what they use for their
“computing” activities and how they use their devices.</p>
<p>First of all, it is important to clarify who are my friends
and what they do.</p>
<p>My circle of friends - and I am not talking about Google
Plus’ circle, but people whom I meet in person almost every day - vary from
seniors (70+) with little to no IT know-how, to professionals who use computers
for their work (not directly IT-related) and IT professionals who are making a
living with computers.</p>
<p>The seniors have never held a tablet in their hands, but they know what one is. They all have PCs in their homes, connected to the Internet, and some of them even have a laptop (with WiFi) as well as a PC. All of them use their PCs only for browsing, photo archiving, online shopping, sometimes emailing and even video conferencing (very few).&#0160; So, for these people, the PC is far from dead; it is their main communication platform.</p>
<p>The professionals who use their computers for their work are
the bridge between the seniors and IT professionals. They know some things
about computers because they have to use them in their every-day work. They
have tablets (most of them iPads, very few Android), have at least one laptop
and at least one PC in home. </p>
<p>Interestingly, the IT professionals, have the same devices
as the previous category, and also some special devices like NAS servers, media
centers and video and audio streaming devices to use with the media centers. </p>
<p>Both categories make good use of their PCs. They are not using them for browsing, communication, shopping, online banking and so on; they use them mostly for entertainment and long-term storage. They store pictures and files, they do backups on NAS devices or USB hard drives, they stream movies and they share music and files on the local network.</p>
<p>For all other activities they use laptops and tablets. </p>
<p>But, how well can someone use a tablet to do some “real”
work?</p>
<p>As an author, the first thing David did after buying a
tablet, perverse though it seems, was to download a couple of
office apps. The next was to buy a Bluetooth keyboard, a VGA adapter
and a card reader. </p>
<p>Then he downloaded a couple more apps
to enable it to take the best advantage of all the stuff that sits on
the network drive, and a stylus for freehand work. Result: a tablet
that does what most people do with a tablet.
Serious work can be done on it in the absence of a &#39;real&#39; PC, and he even uses it for presentations. The drawback is that it now has a similar footprint to a netbook.</p>
<p>And in fact, on a long flight David now
carries an iPad, a Kindle (better screen for
prolonged reading) and a laptop. </p>
<p>I did more or less the same… I bought a special case for the
iPad which incorporates a Bluetooth keyboard so that I can write better and
transform the iPad into a netbook. After some unsuccessful attempts to do some
real work on it, I gave up and went back to the laptop. Some of you might think
that I haven’t tried enough – which is probably true.</p>
<p>It all started with the good old PC, a TV, a mobile phone, then
a notebook, a netbook, a PDA, an MP3 player, a digital camera. All of them dedicated
devices, which later were combined into one: a smartphone, a tablet. </p>
<p>What we see now is a fragmentation of computing technologies
because they tend to become more and more specialized again. </p>
<p>But did you ask yourself how we ended up here? If you have
multiple devices at home, you want to interconnect them so that you can share
resources and information. But a file server doesn&#39;t need to be big iron
running Unix or VMS anymore: it can be a small box housing a small RAID 1 that
can be accessed by a whole range of devices from PCs to iGadgets, or
(stretching the definition a bit) streaming media content from devices that we
would never have considered an internet device 20 years ago. You want to see
how much electricity you consumed, to listen to music, to see a movie, and you
want only that and nothing more. We see more and more devices interconnected
and exchanging information. It is the TV, the thermostat, the wristwatch. But
the “internet of things” offers more potential than that. We can assume that
this kind of “things” will gradually become less of a gimmick for DIY fans,
less like technology desperately hunting for profitable applications, and we&#39;ll
stop thinking about them because they will have become part of our lives. &#0160;</p>
<p>However, we already have a situation in the home where data
has taken on an identity of its own independently of devices. It may live in a
private internal cloud or out in the bigger “cloud”, but we access and use it
from a variety of devices that we could describe as smart terminals. </p>
<p>So, what about security?</p>
<p>As I’ve seen with my small study group, the home user is
getting used to the idea of using all sorts of devices at home where he doesn&#39;t
waste a lot of time thinking about security.</p>
<p>The business world is still struggling with the security aspects of BYOD. But we think that it will not take long until they understand that BYOD means more than a security nightmare. It also means lower hardware costs, happier and more productive employees, and fewer support calls. </p>
<p>The PC will definitely no longer be what it was years ago.&#0160; You are - or will soon be - no longer
actively using the PC as a workstation either at home or at work. It will
transform into something else, but its functionality will be there, somewhere,
to serve you in many new different ways.</p>
<p>The PC is dead, long live the PC. </p>
<p>Sorin Mustaca, CSSLP, Security+, Project+</p>
<p>David Harley, CITP FBCS CISSP</p>]]></content:encoded>


<category>Mustaca</category>

<dc:creator>Sorin Mustaca</dc:creator>
<pubDate>Wed, 16 Jan 2013 09:36:46 -0500</pubDate>

<feedburner:origLink>http://blog.isc2.org/isc2_blog/2013/01/the-pc-is-dead-long-live-the-pc.html</feedburner:origLink></item>

</channel>
</rss>
