Wednesday, December 17, 2014

Crimeware-as-a-Service Banking Malware

SophosLabs researcher James Wyke analyzed the Vawtrak malware family, which is used primarily to steal money from victims' banking and other financial accounts. The analysis indicates that the people behind the malware are running crimeware-as-a-service, targeting specific geographic regions and institutions, including Bank of America, Wells Fargo, Capital One, Citigroup, Chase, and Fidelity. Targeted banks in Canada include TD Bank, Scotia Bank and Desjardins.

Sophos found that Vawtrak was the second most popular malware distributed by web-based exploit kits between September and November 2014, representing 11% of all malware, and that it has replaced Zbot as the leading banking malware botnet. Vawtrak's operators are setting up the botnet to deliver crimeware-as-a-service rather than following the more traditional kit-selling model that older families such as Zeus or SpyEye once employed.

Monday, December 15, 2014

2015 Security Forecasts

These just keep on coming in. I'm interested in your response to these. Agree? Disagree?

2015 Security Predictions: Retail Repeats, Ransomware, and More by Tom Cross, Director of Security Research, Lancope, Inc.

Six Enterprise IT Predictions for 2015 by David Gibson, VP, Varonis Systems

Security Threat Trends and Predictions 2015 Report by James Lyne, Global Head of Security Research, Sophos

What Was, What Is, and What Should Never Be: A Look at Security in 2014, 2015 and Beyond by Stephen Coty, Chief Security Evangelist, Alert Logic

Wednesday, December 10, 2014

Game Changer: Court Rules that Target Is Liable for Not Preventing Breach

From Brian Foster, CTO of Damballa:

Almost one year to the day after Target suffered a breach during peak 2013 holiday shopping, a Minnesota court just handed them a lump of coal. In a ruling announced on December 2, 2014, the court said that Target can be sued for failing to prevent their data breach. Their rationale was: Target can be viewed as negligent for failing to heed warnings from its FireEye prevention system and for disabling the inline blocking feature.

Let that sink in a moment.

As an enterprise security professional, ask yourself: Do you immediately take devices off your network when you receive an alert from a prevention tool? Do you ever automatically block a device because of one alert?

I assume you answered “no” to both questions. If I’m wrong, I would love to meet you and understand how you manage the herculean feat of not grinding your network to a halt and handcuffing business operations. 

In a brand new, not-yet-published, security survey conducted by the Ponemon Institute, respondents said they receive an average of 17,000 alerts per week and only 19% are reliable. The rest are false positives.

Put yourself in Target’s shoes. They paid $1.6 million for a system that was supposed to prevent advanced attackers. What they got was a lot of alerts lost in a sea of other alerts – meaningless unless correlated with other pieces of evidence.

Again, ask yourself, which one of 17,000 alerts would you know with certainty to pay attention to?

While comments from a vendor defending themselves and their ability to spot the malware may have made Target's security team seem like the Keystone Kops, fumbling around, carelessly not investigating alerts, this is hardly the case. According to Ponemon, the average sized security staff involved in malware detection and containment is 17.1 full-time headcount. And those staff on average have 7.9 years of professional experience in their field. It’s difficult to view this highly skilled group as clueless and purposefully negligent.

I’m certain the security team at Target would have prevented their attack if it were at all humanly possible. They had lots of expensive tools. They had a full-time Security Operations Center. Apparently, what they lacked was any degree of certainty that the alerts fired by their prevention tools were actionable.

The discussion about prevention versus detection has become escalated this year. The Target court ruling will likely make the discussion a lightning rod. Security experts will tell you they know their prevention system can’t stop advanced threats. They are designed to identify potentially suspicious activity by known ‘bad’ entities, not the unknown. Cyber criminals learned to outsmart those systems with ease.

Ask any CISO what keeps them up at night and they will tell you it’s the ‘unknowns.’ I imagine today’s court ruling will cause many CISOs to lose a few hours more sleep tonight.

Tuesday, December 9, 2014

"On the American reader's need for bright flashing lights ..."

While researching books on internal audit, a new publishing area for us, I came across Joseph Giordano's review of a book. What struck me is how his comments about readers, based, I'm guessing, on observing his own students, reflect what we've been discussing internally about changing reader habits.

Being a publisher makes this a very important issue. How do we publish detailed technical material in a format that will stimulate purchase and use? Or has the horse left the barn? Maybe the days of a book delivered as a series of tweets aren't so far off, provided Twitter can support multimedia.

From Joseph Giordano:

"I reviewed this book last summer and would love to adapt it into my classes, but I know that my students would NEVER read this. This book is littered with important and insightful tidbits of information. At least 100 times I stopped and said "wow, I never thought of it that way." The fact that I kept falling asleep while reading the book reflects more on the American reader's need for bright flashing lights and inability to process the dry, than the quality of the material. I'm sad that I've become someone who needs pictures and graphs and captions and text and even occasional bold type in order to enjoy a well written, well researched tome ... Overall I would call this required reading for auditing instructors, audit nerds, and people who love dry British literature. If he ever comes out with a dumbed down version with end of chapter questions, mini-cases and a test bank then I'm using this book because it is far superior to the competition."

New Survey Shows Widespread Employee Access to Sensitive Files Puts Critical Data at Risk

It's been 18 months since Snowden demonstrated the inability of the Puzzle Palace to identify and mitigate internal threats. Now, a new survey from Varonis Systems and the Ponemon Institute suggests--not surprisingly--that most organizations are having difficulty balancing the need for improved security with employee productivity demands. Employees with needlessly excessive data access privileges represent a growing risk for organizations due to both accidental and conscious exposure of sensitive or critical data.

Friday, December 5, 2014

Varonis Perspective on the Sony Breach

This is an amazing story. It's all about not paying attention in Security 101. In the following unattributed analysis, Varonis adds detail and insight on this breach.

While we have few details on the Sony Pictures attack itself, this very public breach—or pwning in hacker slang—has shown the extent of the actual exposure—it is massive. The always informative Krebs knows, at this point, as much as the rest of us—possible North Korean connection and perhaps the use of destructive erase-all malware. That’s not to say this incident hasn’t revealed significant insights about our collective data security practices: don’t think the Sony incident doesn’t apply to you!

Krebs provides a link to the sprawling Sony directory hierarchy. This should definitively settle any doubt about the scope of this thing.

There are a few points to make. 

Unlike the big-box retailer incidents, this breach is not, for the most part, about personally identifiable information or PII. Certainly, there are employee social security numbers, email addresses, passwords, and health identifiers that are now out there for the world to see. But the Sony breach does not involve millions of consumer records and the subsequent issuing of new credit card numbers along with subscriptions to credit monitoring services.

This incident, though, is centered on sensitive data, perhaps even valuable IP, which was found in the 25 gigabytes of file data scooped up by the hackers. The leaked information should look all too familiar to any worker in a larger organization: readable files and emails, or, as we like to refer to it, unstructured, human-generated data. So we’re talking employee salaries, financial data, internal presentations, company information under NDA, legal memos, the CEO’s private notes, and on and on.

We should add that plain-text user passwords were found in files named, um, passwords. They certainly violated the "prime directive" on credentials.

From a broader perspective, we expect this is just one very public instance of a problem that can be found in enterprises globally. The amount of human-readable information is growing exponentially. These documents live in file shares, intranets and in email as attachments, where far too many people have far more access than they really need, and usage is rarely monitored or analyzed for abuse.

No one should be casting any stones: we have all been or are Sony.

As we’ve seen in other breaches, the compromise of one employee email account can expose troves of sensitive data. It’s likely the hacker harvested credentials—not necessarily of privileged admins or power users—through PtH and other techniques. With their group memberships and access rights, combined with a loosely permissioned file system, they had a panoramic view of the Sony data landscape.

How did the situation get to be so dire?  Consider these two very common business-as-usual scenarios:

Scenario 1: A folder containing sensitive data becomes accessible to a large group of people
A folder on your network share is used by your HR department—it might even be someone’s "home drive." At some point, someone makes the folder accessible to a broad group of people (this happens a lot), and it’s forgotten. Usage information about this folder (who is opening, creating, deleting, changing, moving files) isn’t tracked or analyzed (this is the norm).

Over time, sensitive files—say salaries, financial data, etc.—accumulate in these publicly sharable folders. No one really thinks about it, but everyone knows that a certain presentation or spreadsheet is just there, so there's no need to formally request the data from the relevant owner. It's a data exposure incident waiting to happen, requiring only that a hacker gain access to an average user's credentials—a simple phish mail often will do.

Scenario 2: Company email becomes web browser enabled and gets hacked
You’ve enabled web browser access to your email system (try or if you're wondering), so anyone can log into their email from anywhere with only their password. Usage information about your email system is not tracked or analyzed (you can’t see who is sending or reading email, or reading messages and marking them as unread, etc. – this is also the norm). The hacker gains the password of the email account—maybe by just guessing it. Now the attacker can log in and read all the executive’s email (including the attachments) without leaving his home – and no one will know. Again, very valuable information—merger talks, new customers—in readable formats.

Another Teachable Moment
As Sony’s hackers gained access to more than just passwords—movie budgets, salaries, social security numbers, health care information and so much more—the Sony breach provides us with yet another teachable moment. It reminded us all of the importance of proper access controls and identification of sensitive data – who has access, who is using it, where it’s overexposed to the everyone group and who it belongs to – as well as implementation of real-time alerts.
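As an added example (not part of the Varonis analysis or any Varonis product), the following Python script audits a constructed share inventory for the two conditions described in the scenarios above: folders whose sensitive files are readable by a broad group such as Everyone, and an account whose read activity on such a folder suddenly spikes, which is exactly the usage signal the scenarios say nobody tracks. The ACL export, file inventory and access log are constructed inline; the keyword list, group names and thresholds are assumptions.

```python
"""Audit a file share for the two exposures described above: sensitive files
readable by a broad group, and a sudden sweep of such a folder by one account.
All inputs below are constructed for this example."""
from collections import defaultdict
from datetime import datetime

# Groups whose membership makes a folder effectively public inside the company.
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}
# Crude file-name signal for sensitive content (an assumption; real tools
# classify by content, not by name).
SENSITIVE_KEYWORDS = ("salar", "password", "ssn", "nda", "budget")

# Constructed ACL export: (folder, principal, access right).
ACL_EXPORT = [
    ("\\\\fs01\\hr", "HR-Staff", "Modify"),
    ("\\\\fs01\\hr", "Everyone", "Read"),          # the forgotten broad grant
    ("\\\\fs01\\finance", "Finance", "Modify"),
    ("\\\\fs01\\finance", "Domain Users", "Read"),
    ("\\\\fs01\\legal", "Legal", "Modify"),
]
# Constructed file inventory: folder -> file names.
FILES = {
    "\\\\fs01\\hr": ["onboarding.docx", "salaries_2014.xlsx", "passwords.txt"],
    "\\\\fs01\\finance": ["q3_budget.xlsx", "logo.png"],
    "\\\\fs01\\legal": ["vendor_nda.pdf"],
}
# Constructed access log: "ISO-timestamp user ACTION path", one event per line.
LOG = []
for d in range(1, 4):  # three ordinary days: jdoe opens two HR files a day
    LOG += [f"2014-11-{d:02d}T09:00:00 jdoe READ \\\\fs01\\hr\\onboarding.docx",
            f"2014-11-{d:02d}T09:05:00 jdoe READ \\\\fs01\\hr\\policy.docx"]
# day four: jdoe's stolen credentials sweep the whole HR folder at 2 a.m.
LOG += [f"2014-11-04T02:{i:02d}:00 jdoe READ \\\\fs01\\hr\\file{i}.xlsx" for i in range(30)]
LOG += ["2014-11-04T10:00:00 asmith READ \\\\fs01\\legal\\vendor_nda.pdf"]


def overexposed_folders(acl, files):
    """Return {folder: [sensitive files]} for folders a broad group can read."""
    broad = {folder for folder, principal, _ in acl if principal in BROAD_GROUPS}
    report = {}
    for folder in sorted(broad):
        hits = [name for name in files.get(folder, [])
                if any(key in name.lower() for key in SENSITIVE_KEYWORDS)]
        if hits:
            report[folder] = hits
    return report


def parse_log(lines):
    """Parse log lines into (day, user, action, path) tuples."""
    events = []
    for line in lines:
        stamp, user, action, path = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(stamp).date(), user, action, path))
    return events


def read_spikes(events, exposed, factor=5, floor=10):
    """Flag (user, day, count) where a user's READs of exposed folders on one day
    exceed `factor` times that user's mean over earlier days and at least `floor`.
    The baseline needs at least one earlier day, so a first day is never flagged."""
    per_day = defaultdict(lambda: defaultdict(int))
    for day, user, action, path in events:
        folder = path.rsplit("\\", 1)[0]
        if action == "READ" and folder in exposed:
            per_day[user][day] += 1
    spikes = []
    for user, days in per_day.items():
        history = []
        for day in sorted(days):
            count = days[day]
            if history and count >= floor and count > factor * sum(history) / len(history):
                spikes.append((user, day, count))
            history.append(count)
    return spikes


if __name__ == "__main__":
    exposed = overexposed_folders(ACL_EXPORT, FILES)
    for folder, names in exposed.items():
        print(f"OVEREXPOSED {folder}: {', '.join(names)}")
    for user, day, count in read_spikes(parse_log(LOG), exposed):
        print(f"SPIKE {user} read {count} files from exposed folders on {day}")
```

On the constructed data the HR and finance folders are reported as overexposed (legal is not, since only the Legal group can read it), and jdoe's 30-file sweep on day four is flagged while the same user's earlier days are not.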

Forged Best Buy Emails Distribute Malware

AppRiver have tracked phishing emails dressed as Best Buy store updates carrying a Trojan downloader commonly referred to as Kulzuoz or Zortob. At the time of analysis, this program was pulling down what appears to be software geared toward data theft, although this malware has been used extensively to infect users with FakeAV malware.

You can find details here.

Wednesday, December 3, 2014

Top 3 Enterprise Software and Security Trends for 2015

It's the time for prognostications for 2015. Cirius is first out of the gate. Here's what it foresees as significant trends developing in enterprise software and security. 

1. Data jurisdiction and data sovereignty will impact the growth of Office 365 and Azure.
Satisfy local, grow global: Enhanced national privacy legislation introduced in Australia, Singapore, Germany, Malaysia, as well as the EU Data Protection Directive, is the sign of what is to come. In many cases opinion trumps facts, and products like Office 365 and Azure need to demonstrate aggressively that they understand the privacy and security concerns of partners and resellers. Addressing domestic privacy and data jurisdiction concerns will help facilitate global growth.

2. "Cloud" will no longer be perceived as a security threat compared to on-premise solutions.
The future of security is in the cloud: Cloud solution providers have had to deal with the perception that the cloud was "unsecure" from day one. As a result, cloud solution providers historically had to over-deliver to be a viable alternative to on-premise solutions. The reality is that security and compliance are not the core competency of most I.T. departments, and they lack the internal resources to meet compliance requirements and evolving security threats.

3. Data Loss Prevention will become a hot issue for business leaders.
Who saw what when: Businesses need to know where their business-critical information is at all times. Flagging content and communication before it leaves the office is a good start, but it is not enough. Machine learning, pattern recognition, and "post-send" message controls are the next wave of DLP functionality that will protect employees, clients and, increasingly, the brand.

Tuesday, December 2, 2014

Report Connects Iran to Global Critical National Infrastructure Hacks

Reports are starting to come in today that security firm Cylance has published an 86-page report on Operation Cleaver, which discusses Iran's hacking capabilities and its motivation to attack global interests beyond the U.S. and Israel, the two countries long thought to be behind Stuxnet and the espionage campaigns using the Flame and Duqu malware.

"Ask yourself how connected your life has gotten over the last 5 years; how connected businesses and governments have gotten over the last 5 years," said TK Keanini, Lancope CTO. "In turn, crime and nation-state threats have also become more connected and their capabilities are expanding.

"Regardless of revenge or any other motivation, all nations need to be at a state of readiness and the investment in defense must at the very least match the investment being made in attacks by the adversaries.

"This statement is only bone chilling if you are not paying attention. The threat is real and defenses are in a constant co-evolutionary spiral."

Conflict and Cooperation in Cyberspace: The Challenge to National Security,  edited by Panayotis Yannakogeorgos and Adam Lowther, brings together some of the world’s most distinguished military leaders, scholars, cyber operators, and policymakers in a discussion of current and future challenges that cyberspace poses to the United States and the world. Maintaining a focus on policy-relevant solutions, it offers a well-reasoned study of how to prepare for war, while attempting to keep the peace in the cyberspace domain.

The discussion begins with thoughtful contributions concerning the attributes and importance of cyberspace to the American way of life and global prosperity. Examining the truths and myths behind recent headline-grabbing malicious cyber activity, the book spells out the challenges involved with establishing a robust system of monitoring, controls, and sanctions to ensure cooperation amongst all stakeholders. The desire is to create a domain that functions as a trusted and resilient environment that fosters cooperation, collaboration, and commerce.

5 Pitfalls of Project Management Software Implementation

Project Insight project management software has published its most recent blog post on "5 Pitfalls of Project Management Software Implementation."

Click here to check out Auerbach's project management books.

Monday, November 24, 2014

New Stealth Malware Compared to Stuxnet

Regin is a sophisticated piece of malware revealed by Symantec last night that targets specific users of Microsoft Windows based computers. It has been compared to Stuxnet and is thought to have been developed by "well-resourced teams of developers," possibly a western government as a targeted multi-purpose data collection tool.

Commenting on this, TK Keanini, Lancope's CTO, said, "As threats become more advanced, defenses in turn must also advance which makes the game not Information Technology, but the game of innovation. When you look at this stuff for a long time, you begin to realize that beautiful design is just beautiful and elegant. It is difficult not to applaud a beautifully designed system no matter what team you're on.

"If you asked me what Regin's main objective was, I would not answer surveillance. I would answer evasive and stealth operations because, without it, surveillance and any other objective could not be performed.

"Einstein was quoted as saying that problems cannot be solved at the same logical level they have been created, so the most effective defensive strategy is to leverage technical adjacencies to Regin’s operations that will detect it early in its lifecycle. For example, while there are encryption and clever covert channels being used for communication, with the right detection algorithms (not signatures) these protocol anomalies are obvious. These custom TCP and UDP protocols will show up in state of the art anomaly detection and let your signature based security tools take care of the other threats."

Tuesday, November 18, 2014

Cyber Economics

The economics of cyber threats are simple: cyber attacks are easy to organize and cheap to enact. Any computer anywhere can become the front line of an attack, which is not only difficult to defend against but leads to the need for constant vigilance and flexible defensive moves, both of which are rather more costly. CIOs and CISOs need to reverse these economics and change the game in their favor by driving down the cost to defend and increasing the cost to attack. You can read more about this here.

Friday, November 14, 2014

Call for Chapters: Security and Privacy in Internet of Things (IoTs): Models, Algorithms, and Implementations

We have a new book underway, Security and Privacy in Internet of Things (IoTs): Models, Algorithms, and Implementations, edited by Dr. Fei Hu from the University of Alabama. If you're interested in participating, here's a link to the Call for Chapters.

Wednesday, November 12, 2014

Catastrophic Windows Bug - Could It Be Microsoft's Heartbleed/Shellshock?

Ars Technica reported today that there's a potentially catastrophic bug affecting all versions of Windows. How surprised or shocked should we be? After years of such shattering news, not very. The bug, which allows execution of malicious code, resides in the TLS stack.

TK Keanini, CTO of Lancope, suggests that "System administrators should already have a process to review and patch each Patch Tuesday. Those who have these good habits remain secure; those who have bad habits need reminders or ultimately get compromised before they get around to updating.

"This bug affects the listening side of the connection, traditionally the server, but it is difficult these days to make this differentiation with software installing on traditional desktop OS’s as servers. Online games are particularly notorious in installing listening ports for incoming connections, so it is best that everyone just apply the patch regardless of the client or server designation.

"Attackers will just add this to their playbook as they explore your network for access vectors. You have two tasks: 1 is to patch and narrow the aperture of your target surface, but more importantly 2, have the telemetry in place so that if someone is performing this reconnaissance on your network, you can identify them and shut them down prior to exploitation or exfiltration. Put it this way: if banks had no security cameras or incident response, crooks could show up with tools and torches and take their time as they made their way into the safe."

Amichai Schulman, CTO at Imperva, adds, "The advisory from Microsoft does not state that hosts running web servers are more vulnerable than others to this. It seems that while the same patch includes enhancement to the TLS ciphersuite list, this enhancement has nothing to do with the vulnerability being patched. If this vulnerability is indeed exploitable via SSL/TLS it is more severe in nature than Heartbleed because this is a remote code execution vulnerability – it allows the attacker to completely take over the server (while Heartbleed attempted, opportunistically, to collect sensitive information)."

For more on patch management, see these articles and Security Patch Management by Felicia M. Nicastro.

5 Reasons to Establish a Patch Management Policy

Security Patch Management: Getting Started

Monday, November 10, 2014

Darkhotel Malware Targets Travellers via Hotel WiFi

I can't remember where I heard or read this tale recently, but someone was using hotel wi-fi and discovered he had access to someone else's computer. I suspect it's unrelated to Darkhotel, but Darkhotel might exploit the same vulnerability.

Here's the story from Wired.

Commenting on the attacks, Ian Pratt, co-founder at Bromium, said:

"Attacks using Wi-Fi captive portals are certainly on the rise. The networks at hotels are particularly attractive as information about the user's name and the organisation they work for is frequently available, enabling very targeted attacks. It is common for hotels to outsource provision of networking services, and hence these third parties become attractive targets to attackers to target visitors staying at many hotels. In some parts of the world state security services specifically take advantage of this.

"Even a VPN is unable to help protect against many of these attacks. Most Wi-Fi networks require you to successfully sign in to a captive portal page before they will allow you external access. In many cases it is the sign-in page itself that is malicious, and by the time the user has entered their surname and room number they will have been delivered an exploit tailored to their machine and compromised. Bringing a VPN up at this point plays directly into the attackers' hands, bringing the infection onto the enterprise network.

"I don't think execs are getting enough security education, and they are typically some of the worst at following operational security advice they have been given. Worse, there are many examples of execs using their political clout to ask for IT restrictions that other employees face to be removed for themselves, without understanding the consequences. Everyone needs to understand the risk and the appropriate mitigations."

Thursday, November 6, 2014

Warning on BlackEnergy Rising Threat

As reported at TechWorld, "A cyberespionage group that has built its operations around a malware program called BlackEnergy has been compromising routers and Linux systems based on ARM and MIPS architectures in addition to Windows computers."

Ken Bechtel, malware research analyst at Tenable, warns that "Companies that are not actively monitoring network traffic may not be able to identify BlackEnergy malware in a timely manner. Since routers are neither protected from malware nor routinely scanned, compromising them puts attackers in the catbird seat, granting large scale visibility into the network and plenty of time to scout network defenses before selecting a target.

"In this scenario, the initiative rests completely with the attackers, so traditional network defenses are not enough to detect and remediate the threat. Continuous monitoring can help companies reduce the attack surface by specifically looking for abnormal activity originating in routers."

Wednesday, November 5, 2014

5 Ways Your Phone Can Keep You Safe While Traveling

Wow! Something else to do with your mobile phone besides selfies and sexting.

Personal Security: A Guide for International Travelers

Want to know other ways to protect yourself while travelling? Get a copy of Personal Security: A Guide for International Travelers. It gives you invaluable and--dare I say it?--life saving advice on how to prevent security incidents and react in life-saving ways during a crisis. This comprehensive manual answers questions such as: Which criteria should you use for selecting the safest hotel or airline? How do you deal with corrupt officials? What are the special considerations for women, families, the elderly, or travelers with disabilities? What support can you expect from your organization and what are your responsibilities?

Tanya Spencer has traveled extensively to high-risk destinations and has trained 1000s of people how to safely navigate the complexities of international travel. Emphasizing prevention, the book covers medical, cultural, and political considerations, so you understand exactly what you must do before and while you are abroad. It provides flexible frameworks, models, and tools that allow you to easily apply the wealth of tips and advice to any travel situation you might face. Before your next trip, benefit from these time-tested strategies for proactively managing travel risks.

Friday, October 31, 2014

Cybersecurity Nightmares

It's Halloween, and it's not just trick-and-treaters that scare us, or TK Keanini. Keanini, Chief Technology Officer at Lancope, has compiled a number of short and horrifying cybersecurity scenarios entitled "Welcome to My Cyber Security Nightmare."

Welcome to My Cybersecurity Nightmare
This past year, we have seen some pretty scary stuff happen in cybersecurity. Being that Halloween is almost here; I thought I would share with you some scenarios that keep me up at night. These are scenarios that we are not ready to battle, and that are well beyond the horrific headlines we read on a daily basis. If you enjoy a good scare, read on.

User Participation in Cyber-Attacks
Most of the resources cybercriminals use to carry out their objectives are acquired through some method that results in compromised computers on the Internet. These resources remain available until the user or organization detects and remediates the incident. But what if the user participated willingly?  Instead of bad guys having to compromise hosts, what if they instead cut other people such as corporate insiders in on the profits? Given crypto currency, the TOR network, and a few other factors, this could be a nightmare scenario, as we are not ready for this type of surge in distributed attacks.

The recruitment for this could be something like the ‘work from home’ signs you see around your town.  The work could be as easy as downloading and installing a package and could earn the host user as much as $10.00/day. That is $300.00/month for someone to simply leave their computer running and connected. The average citizen is not likely to know what type of activity their computer is involved in on a daily basis.

The end result of this scenario would be a massive number of networked computers available for distributed denial-of-service, cryptographic brute forcing, or remote network sniffing. With the cooperation of the host, the capability list is endless, and because they are making money, the host will be motivated to help the cybercriminals persist. Service providers and law enforcement are not ready for this type of attack. This could lead to botnet armies with size and capabilities we have never seen before.

Expansion of Capability Marketplaces
Another nightmare scenario is for cybercriminals to expand their marketplace networks. Today you look at coordination networks like Uber, Instacart, etc. These services are facilitators connecting a consumer who wants something delivered with a network of people who can deliver it.

Now think of applying this pattern to cybercrime. On one end there is a criminal who would like the login credentials of a Global 2000 executive. Via TOR networking, they go to a site where they can place their request, submit their crypto currency, and a skilled global workforce accepts this objective and delivers it within the terms of the agreement. This lowers the coordination cost for cybercrime to near zero and connects the demand with the supply in ways that have never been seen to date.

Because so many people are motivated by money, a service like this could turn citizens into cybercriminals if they believe they cannot get caught and that they can easily make a few bucks on the side.

The last thing I will say about this type of participation and marketplace networks is that they fragment security events into small, seemingly disconnected pieces where one event might not look harmful, but only when seen as a whole can the impact and significance be evaluated.

The Next Level of Cybercrime: Click to Compromise
Consider a SaaS service that helped a person compute their cybercrime – Cybercrime as a Service.
The power of big data analytics and machine learning can compute amazing insight for businesses, and it can do the same for criminals. A criminal could log in to a website and declare their objective, and the service would compute several attack plans that the criminal could choose from. This would work in the same way that a user is presented with multiple routes to reach a destination when getting directions online.

This Cybercrime as a Service would have social networks mapped, personal information on each individual, language analysis that yields a level of trust between individuals, mapping to various accounts (some of which may have been compromised), etc. All of this would be creating a corpus of data that can lead the criminal through a directed graph leading to the objective (exfiltration of a file, ransomware, etc.).

Remember, cybercrime is a business and profitable businesses only get smarter and more effective. These are things that keep me up at night because in our current state, there is nothing that makes these types of attacks hard to execute for cybercriminals, and they could easily turn from nightmare to reality.

Thursday, October 30, 2014

How PCI's 6 Objectives & 12 Requirements Overlap with Critical Security Controls

Tripwire has released an infographic that provides a visual layout of how the PCI DSS 3.0 requirements align with the foundational Top 20 Critical Security Controls.

Not to be outdone, we've published PCI Compliance: The Definitive Guide and Information Security Policy Development for Compliance: ISO/IEC 27001, NIST SP 800-53, HIPAA Standard, PCI DSS V2.0, and AUP V5.0.

Information Security Policy Development for Compliance supplies a simplified way to write policies that meet the major regulatory requirements, without having to manually look up each and every control. It's an essential guide for policy writers who must meet multiple compliance standards or regulations.

Wednesday, October 29, 2014

New Round of Shellshock Attacks Affecting Email

In response to the news of an emerging round of Shellshock attacks which are tapping hosts over SMTP, Gavin Millard, EMEA Technical Director at Tenable Network Security, comments:

"The interesting thing about SMTP attacks is that, if they are email based, it's possible that sending one email could infect many different systems which process the email. In tandem, anything that looks at email, such as spam filters based on Linux, could in turn be vulnerable. What that means is that this latest vector utilising the Bash Bug is simple to execute and enables remote code execution, which could lead to a worm being created and unleashed - potentially with devastating consequences. If you haven't already, hunt down any system that has vulnerable versions of bash and update immediately. Shellshock will be a favourite vulnerability for malicious attackers for some time so we're bound to see more interesting exploits of this massive flaw."

Wednesday, October 22, 2014

Android Ransomware Spreading via SMS

From Eskenzi PR Ltd:

Following the news that a Koler worm is spreading via SMS and holding Android phones for ransom, Mark James, security specialist at ESET, explains how the attack works and how to get rid of it:

"The natural progression from desktop to mobile device for ransomware was going to pick up momentum at some point and sure enough, we are seeing more and more cases of malware on the mobile platforms (Android). The biggest factor in this is people's assumption that they are safe on a mobile.
"In this particular case, an SMS is used for the initial contact - which in itself can lure a level of trust that emails do not have - if the masked (truncated) link is followed by a page that will display some kind of tasty treat for free (that may include a free service or free app) which once installed will contain the malware, ransom screens are then presented on your device with no apparent way to get rid of them. These often use such words as "child pornography" designed to scare the individual into paying the ransom to have it removed.
"Removing these types of infections is often very simple and can be done by either booting into safe mode (internet searches will often yield many results on how to do this yourself) and uninstalling the offending application (or the last installed app if you don't remember the name) or, as a last resort, factory resetting the device and restoring from your last good backup (maybe 1 or 2 days prior to be safe). The best advice I can give here is DO NOT install any apps from third party websites or links; both Apple and Google Play are by no means 100% safe but they are a lot safer than using a random website to install apps."

Related Books:

Android Malware and Analysis by Ken Dunham and Friends

Android Security: Attacks and Defenses by Anmol Misra and Abhishek Dubey

Monday, October 20, 2014

Chinese Smartphones a Security Threat

While I'm fascinated by this, it's becoming old news. Of course if it's made in China, it's going to report home.

News would be that Chinese manufacturers were acting like their US counterparts and making it difficult, if not impossible, for the government to access devices. Hats off to (and I shudder to say these names) Apple and Google.

Some soon to be published books:

Secure Development for Mobile Apps: How to Design and Code Secure Mobile Applications with PHP and JavaScript by J. D. Glaser

Android Malware and Analysis by Ken Dunham and Friends

Wednesday, October 15, 2014

CryptoWall 2.0 Ransomware Moves to TOR Network

Dangerous new ransomware variant storms onto the scene using the anonymous TOR network, taking down systems and networks unlucky enough to be caught in its path

Tampa Bay, FL (October 15, 2014) KnowBe4 issued an alert to IT Managers that a new version of the world's most widespread ransomware CryptoWall has migrated to the TOR network. It has been upgraded to version 2.0, and continues to encrypt files so that a ransom can be extracted if there are no backups or if the backup process fails, often a common occurrence.

KnowBe4 received a panic call from an IT admin who was hit this week with CryptoWall. The admin's workstation became infected with the malware. The workstation was mapped to 7 servers and within an hour, the entire server farm was shut down. The admin explained he had backups but it would take days to recover the data and get them back up and running. The company's operations would be severely impacted.

"The cyber criminals hit pay dirt with this one and the admin ended up paying the ransom, 1.3 Bitcoin, rather than face the serious costs caused by days of downtime," said Stu Sjouwerman, KnowBe4's CEO. "This is the next generation of ransomware and you can expect this new version to spread like wildfire."

CryptoWall 2.0 went live October 1st and is now using the anonymous TOR network, making it very difficult to analyze or take down. Earlier versions of CryptoWall were not using TOR but HTTP, which allowed researchers to analyze the communication between the infected machine and the command & control server so they could take down the servers that delivered the malware. This version of CryptoWall has been tested for months and the malware uses innovative ways to propagate itself, like using ads on websites that take advantage of vulnerabilities in browsers and unpatched plug-ins.

Sjouwerman advises these three steps as something IT admins HAVE TO, HAVE TO do:

1. Make regular backups, and have a backup off-site as well. TEST your restore function regularly to make sure your backups actually work.

2. Patch browsers as soon as possible, and keep the amount of plug-ins as low as you can. This diminishes your attack surface.

3. Step all users through effective training on security to prevent malware infections to start with.

For end users, Sjouwerman advises, "Think before you click. Don't open anything from someone unless you are expecting it. Hover over an email address to make sure it's from a valid domain, one you know and recognize."
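Step 1 above says to test your restore function, not just to take backups. The following is an added example of what such a drill can look like in code; it is not KnowBe4's tooling and does not come from the original alert. It backs up a small constructed directory tree into a tarball, keeps a SHA-256 manifest beside the archive, restores the archive into a scratch directory and compares every file, then changes a source file to show how a stale backup is reported. File names and contents are constructed for the example.

```python
"""Backup-and-restore verification drill (added example, constructed data)."""
import hashlib
import os
import shutil
import tarfile
import tempfile


def hash_tree(root):
    """Map each file under root (by relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def make_backup(src_dir, archive_path):
    """Write src_dir into a gzip tarball and return the digest manifest taken
    at backup time. Store the manifest next to (not inside) the archive."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    return hash_tree(src_dir)


def verify_restore(archive_path, manifest):
    """Restore into a scratch directory and compare every file with the
    manifest. 'ok' is True only if nothing is missing, changed or extra."""
    scratch = tempfile.mkdtemp(prefix="restore-drill-")
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                # 'data' filter refuses absolute or escaping paths (3.12+, backported)
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)  # older interpreters without the filter kwarg
        restored = hash_tree(scratch)
    finally:
        shutil.rmtree(scratch)
    missing = sorted(p for p in manifest if p not in restored)
    changed = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    extra = sorted(p for p in restored if p not in manifest)
    return {"ok": not (missing or changed or extra),
            "missing": missing, "changed": changed, "extra": extra}


def drill():
    """Constructed end-to-end drill: back up a small tree, verify the restore,
    then modify a file and show that the old backup no longer matches."""
    work = tempfile.mkdtemp(prefix="backup-drill-")
    try:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "docs"))
        with open(os.path.join(src, "docs", "plan.txt"), "w") as fh:
            fh.write("quarterly plan\n")
        with open(os.path.join(src, "ledger.csv"), "w") as fh:
            fh.write("id,amount\n1,42\n")
        archive = os.path.join(work, "data.tar.gz")
        manifest = make_backup(src, archive)
        fresh = verify_restore(archive, manifest)      # expected: ok
        with open(os.path.join(src, "ledger.csv"), "a") as fh:
            fh.write("2,17\n")                         # data changed after backup
        stale = verify_restore(archive, hash_tree(src))  # expected: ledger.csv changed
        return fresh, stale
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    fresh_result, stale_result = drill()
    print("fresh backup:", fresh_result)
    print("stale backup:", stale_result)
```

The second comparison is the one ransomware makes important: a restore can succeed mechanically and still hand back the wrong data, so the drill compares restored content against a manifest rather than just checking that the archive unpacks.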

Tuesday, October 14, 2014

Russian Hackers Spying on NATO: Business as Usual

Following the news of the new Russian 'Sandworm' hack that is exploiting a bug in Microsoft Windows to spy on NATO, EU, Ukraine and others, Tim Erlin, director of IT security and risk strategy for Tripwire explains why this is no surprise:

"It's a short path from shoe phones to zero days. It's simply not surprising that this kind of activity has been going on. Russia, the United States, Britain and others have long histories of very strong and effective spy organizations. There should be little surprise that these groups have continued their missions through the boom of technology.

"Defending against such a targeted attack is extremely difficult. When the attacker is willing to spend significant resources to compromise you specifically, the playing field can be very uneven. As an industry, we tend to focus on the many broad threats that exist, but these kinds of targeted and sophisticated campaigns may actually do more damage."

Conflict and Cooperation in Cyberspace: The Challenge to National Security, edited by Panayotis Yannakogeorgos and Adam Lowther of the Air Force Research Institute, brings together some of the world’s most distinguished military leaders, scholars, cyber operators, and policymakers in a discussion of current and future challenges that cyberspace poses to the United States and the world. Maintaining a focus on policy-relevant solutions, it offers a well-reasoned study of how to prepare for war, while attempting to keep the peace in the cyberspace domain.

Thursday, October 2, 2014

Ten Strategies of a World-Class Cybersecurity Operations Center

The MITRE Corporation is offering a free book, "Ten Strategies of a World-Class Cybersecurity Operations Center," by Carson Zimmerman.

Monday, September 29, 2014

Confirmed: Windows 9 to be a free upgrade for Windows 8 users

Maybe now I can take Microsoft off my companies-I-love-to-hate list.

I made the mistake of upgrading to Windows 8. Besides the really shitty interface, the install process blew away my email files (I use Eudora), all the Office apps (which I had to repurchase because the authentication codes were in the email files that got blown away), several non-Microsoft apps, my iPod library (which I later recovered), and who knows what else.

Also, security sucks. Despite updated Norton files, I get more pop-ups and ads opening new windows than I've ever experienced.

Of course, after the experience of installing Windows 8, I'm leery of installing another Windows OS. I know now what files and apps to back up, but it's the unknowns that scare me.

Friday, September 26, 2014

Anatomy of an Apple Launch

I hate Apple, and Amazon, and Google, and now Microsoft, and Walmart, ..., so I love reading this stuff. And here, "The Informer" gets it absolutely right.

Thursday, September 25, 2014

Major Vulnerability Affecting Linux, UNIX and Mac OS X

According to Ian Pratt, co-founder at Bromium:
"The "shellshock" bash vulnerability is a big deal. It's going to impact large numbers of internet-facing linux/unix/OS X systems as bash has been around for many years and is frequently used as the 'glue' to connect software components used in building applications. Vulnerable network-facing applications can easily be remotely exploited to allow an attacker to gain access to the system, executing with the same privilege the application has. From there, an attacker would attempt to find a privilege escalation vulnerability to enable them to achieve total compromise.

"Bash is part of the infrastructure, something so pervasive that many sysadmins wouldn't necessarily even know that the security of their applications depends on it. Any applications known to be using CGI scripts that call system or popen are at particular risk -- many php, perl and python scripts will fall into this category. Some python modules call os.system without the application doing so explicitly. Simply disabling bash is typically not an option, though it may help to change applications' default shell to some other bourne shell compatible shell such as 'sh' or 'dash' (though beware -- 'sh' is actually the same binary as bash on some systems). However, if an application invokes bash explicitly it will still be vulnerable.

"Even client systems that don't explicitly run network facing services may be vulnerable too, by way of software such as the DHCP client that may pass data received from a DHCP server through bash. This means that malicious WiFi hotspots could potentially compromise vulnerable systems.

"All Linux/Unix/OS X sysadmins should be scrambling to update bash on all their systems, prioritizing those exposed to untrusted networks.

"Bash is a very complex and feature-rich piece of software that is intended for interactive use by power users. It does way more than is typically required for the additional role for which it is often employed in gluing components together in applications. Thus it presents an unnecessarily broad attack surface -- this likely won't be the last vulnerability found in bash. Application developers should try to avoid invoking shells unless absolutely necessary, or use minimalist shells where required."
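Pratt's advice is to find every system with a vulnerable bash, watch for the 'sh is really bash' trap, and keep untrusted data out of shell environments. The following is an added example of those three checks in Python; it is not Bromium's code and not from the original post. It runs the local bash with an environment variable in the exported-function shape whose trailing command only prints a marker, reports whether `/bin/sh` is a symlink to bash, and screens a dictionary of inbound values (CGI headers, DHCP options) for that shape so they can be dropped before any shell is invoked. The variable names, marker string and sample environment are constructed for the example.

```python
"""Local Shellshock self-check and environment screening (added example)."""
import os
import re
import shutil
import subprocess

# Constructed probe value: the bash "exported function" shape with a command
# appended after the closing brace. A patched bash stops at the brace; an
# unpatched one runs the trailing command while importing its environment.
_MARKER = "SHELLSHOCK_PROBE_EXECUTED"
_PROBE = "() { :;}; echo " + _MARKER

# Shape of an exported-function definition, used to screen inbound data
# before it can reach a shell's environment.
_FUNC_EXPORT = re.compile(r"^\s*\(\)\s*\{")


def check_shellshock(bash_path=None, timeout=10):
    """Run the given (or first-in-PATH) bash with the probe in its environment
    and report 'vulnerable', 'patched', 'no-bash' or 'unknown'."""
    bash = bash_path or shutil.which("bash")
    if not bash or not os.path.isfile(bash):
        return "no-bash"
    env = dict(os.environ)
    env["SHELLSHOCK_PROBE"] = _PROBE  # constructed variable name
    # The command itself is inert; what matters is whether bash executed the
    # code appended to the environment value while starting up.
    result = subprocess.run([bash, "-c", "echo probe-ran"], env=env,
                            capture_output=True, text=True, timeout=timeout)
    if _MARKER in result.stdout:
        return "vulnerable"
    if "probe-ran" in result.stdout:
        return "patched"
    return "unknown"


def sh_resolves_to_bash(sh_path="/bin/sh"):
    """True when 'sh' is a symlink to bash, so switching applications from
    'bash' to 'sh' would change nothing. A hard-linked copy of the binary is
    not detected by this check."""
    if not os.path.exists(sh_path):
        return False
    return os.path.basename(os.path.realpath(sh_path)).startswith("bash")


def find_function_exports(environ):
    """Names of variables whose value has the exported-function shape.
    Anything listed here should be removed before a shell is invoked."""
    return sorted(name for name, value in environ.items()
                  if isinstance(value, str) and _FUNC_EXPORT.match(value))


if __name__ == "__main__":
    print("bash status:", check_shellshock())
    print("/bin/sh is bash:", sh_resolves_to_bash())
    # Constructed CGI-style environment with one value in the dangerous shape.
    sample_env = {"HTTP_USER_AGENT": "() { :;}; echo probe",
                  "HTTP_HOST": "www.example.com", "PATH": "/usr/bin"}
    print("variables to drop:", find_function_exports(sample_env))
```

Run `check_shellshock()` on each host as part of the inventory Pratt describes; a result of `patched` on a host whose `sh_resolves_to_bash()` is `True` is still worth noting, because the `sh` fallback he mentions would not have helped there.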

PBS Nova: Rise of the Hackers

Great show last night. Quantum computing will kill security as we know it; but quantum cryptography will trump it and win.

Tuesday, September 9, 2014

Have You Been VNCeen?

This just in from Lara Lackie at Eskenzi PR:

""Hacker summer camp" has come and gone. The annual pilgrimage to Las Vegas (for events like DEF CON, Black Hat and BSides) makes it pretty clear that what happens in Vegas certainly doesn’t stay there, and this year was no exception. Sometimes these stories become water-cooler chatter. Sometimes they’re recounted in buzzing IRC channels, and sometimes they light up Twitter and even major media outlets.

"One of the stories that had the Internet buzzing was that of "thousands of people oblivious to the fact that anyone on the Internet can access their computers." Oftentimes titles like this wind up being hyperbole, however that isn’t the case here.

"On the Saturday of DEF CON, there was a panel on “Mass Scanning the Internet: Tips, Tricks, Results.” I, unfortunately, didn’t make it in to the presentation, however a short time later the tweets were all over my timeline.

"These tweets showed images of peoples’ home automation systems, people watching movies and (what appears to be) an industrial control system for an ice rink. These are just a few examples, but more and more tweets kept popping up with images like these. Among them were all sorts of things that were likely not meant for the eyes of random Internet onlookers.

"These screenshots were not the result of some crazy 0day-laden hacking spree or the computers of RAT victims. Rather, the screenshots were the result of simply scanning the Internet for VNC (remote viewing/access) servers that didn’t require any kind of authentication.

"In what was hardly a hacker summer camp first, the panelists received complaints that what they were doing was illegal. They responded saying that’s not the case. Lancope StealthWatch labs feel that this is missing the point. The point is that all of these machines are out there for anyone who wants to look. And people DO look.

"Lancope’s StealthWatch Labs has monitored attempted remote admin connections to show that the sort of activity talked about at DEF CON is actually happening all the time.

"They have a full blog post discussing their findings and give advice on what to do in order to reduce the number and quality of opportunities presented to those who might be scanning your network.

"To read the blog in full, please click here."

Jeff Stapleton to Speak at Biometrics Unplugged and at SecureWorld

Jeff Stapleton, author of Security without Obscurity: A Guide to Confidentiality, Authentication, and Integrity, is speaking at these conferences:

Biometrics Unplugged on September 15 in Tampa, FL

SecureWorld on Oct 29-30 in Dallas

Monday, September 8, 2014

Manufacturers Losing Intellectual Property to Security Breaches

While this isn't new (spies have been stealing IP since there's been IP to steal), the techniques have changed. And while the PRC seems to be villain #1, our so-called allies, such as Israel and France, are just as active.

So, what's a person to do? You can start with Trade Secret Theft, Industrial Espionage, and the China Threat.

This book provides an overview of economic espionage as practiced by a range of nations from around the world—focusing on the mass scale in which information is being taken for China's growth and development. It supplies an understanding of how the economy of a nation can prosper or suffer, depending on whether that nation is protecting its intellectual property, or whether it is stealing such property for its own use. The text concludes by outlining specific measures that corporations and their employees can practice to protect information and assets, both at home and abroad.

Wednesday, August 13, 2014

"Digital Forensics Explained" Cited as Expert Testimony in US Supreme Court Case

Greg Gogolin's book, Digital Forensics Explained, was cited 8 times in a recent US Supreme Court case (expert testimony). The case concerned whether evidence admitted at petitioner's trial was obtained in a search of petitioner's cell phone that violated petitioner's Fourth Amendment rights.

Monday, June 2, 2014

CISOs Reveal Top Firms Failing on Security Awareness Training

Is this a failure of will, or of process, or of failing to enforce policies and procedures? There's something to be said about a draconian approach to enforcement. Touchy-feely really doesn't work.

With resources like these books available, there's no reason for this failure.

Managing an Information Security and Privacy Awareness and Training Program, Second Edition
Asset Protection through Security Awareness

Here's a partial list of available articles:

Why Information Security Training and Awareness Are Important

The ABCs of a Persuasive Security Awareness Program

Implementing an Information Security Awareness Program

Wednesday, May 28, 2014

New Online Banking Trojan Program Combines Zeus and Carberp Features

How sweet is this? Zberp, the new threat, has a wide range of features, and is sure to provide hours of fun and challenges to security mavens.

Commenting on this, Lancope CTO, TK Keanini, said, "Attackers continue to innovate and are not afraid of borrowing techniques from one another. The trend is definitely to leverage toolkits and libraries from each other, as no one bad guy has to code it all himself anymore.

Another trend is that most of their communication channels are encrypted so this is bad news for packet inspection tools. Even if you capture terabytes of packets, the payloads are encrypted. This is where Netflow and IPFIX flow analysis comes in handy because directionality and other behavioural traffic patterns can identify infections even if the channels are using SSL.

As attackers continue to innovate, it is time that defenders do the same. Get creative, think like the adversary and be creative with your countermeasures. This is exactly what the adversary does not want you to do."
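Keanini's point is that flow records still reveal an infection when payloads are encrypted, because behaviour such as regular check-ins to one external host shows up in timing and direction even when the content does not. The following is an added example of that idea, not Lancope's StealthWatch logic and not from the original post: it parses a small constructed NetFlow/IPFIX-style export (the record format and every address and timestamp are made up for the example), groups flows by source, destination and port, and flags groups whose inter-flow intervals are nearly constant. One host checks in about once a minute, another browses in irregular bursts, and a third has too few flows to judge.

```python
"""Periodic-beacon detection over flow records (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed flow export, one record per line:
# start_time src_ip dst_ip dst_port bytes_out bytes_in
SAMPLE_FLOWS = """\
# 10.0.0.5 reaches the same external host roughly once a minute
2014-05-28T10:00:00 10.0.0.5 203.0.113.10 443 612 1480
2014-05-28T10:01:01 10.0.0.5 203.0.113.10 443 598 1502
2014-05-28T10:01:59 10.0.0.5 203.0.113.10 443 605 1490
2014-05-28T10:03:01 10.0.0.5 203.0.113.10 443 611 1477
2014-05-28T10:04:00 10.0.0.5 203.0.113.10 443 600 1498
2014-05-28T10:04:59 10.0.0.5 203.0.113.10 443 603 1485
2014-05-28T10:06:01 10.0.0.5 203.0.113.10 443 609 1493
2014-05-28T10:07:00 10.0.0.5 203.0.113.10 443 597 1488
2014-05-28T10:07:59 10.0.0.5 203.0.113.10 443 606 1481
2014-05-28T10:09:01 10.0.0.5 203.0.113.10 443 602 1495
# 10.0.0.7 browses: bursts of connections at irregular intervals
2014-05-28T10:00:05 10.0.0.7 198.51.100.20 443 1200 48210
2014-05-28T10:00:09 10.0.0.7 198.51.100.20 443 950 120344
2014-05-28T10:02:14 10.0.0.7 198.51.100.20 443 870 9932
2014-05-28T10:02:15 10.0.0.7 198.51.100.20 443 1100 63020
2014-05-28T10:06:40 10.0.0.7 198.51.100.20 443 990 77410
2014-05-28T10:06:42 10.0.0.7 198.51.100.20 443 1010 15211
2014-05-28T10:15:00 10.0.0.7 198.51.100.20 443 1300 88034
# 10.0.0.9: too few flows to judge
2014-05-28T10:05:00 10.0.0.9 192.0.2.40 22 4100 2200
2014-05-28T10:10:00 10.0.0.9 192.0.2.40 22 3980 2150
"""


def parse_flows(text):
    """Parse the whitespace-separated export above into a list of dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, out_b, in_b = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "port": int(port), "out": int(out_b), "in": int(in_b)})
    return flows


def find_beacons(flows, min_flows=6, max_cv=0.2):
    """Group flows by (src, dst, port) and flag groups whose inter-flow
    intervals are nearly constant: coefficient of variation <= max_cv.
    Encrypted payloads do not matter here; only timing and byte direction."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["port"])].append(f)
    beacons = []
    for (src, dst, port), members in groups.items():
        if len(members) < min_flows:
            continue
        times = sorted(f["ts"] for f in members)
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv > max_cv:
            continue
        out_total = sum(f["out"] for f in members)
        in_total = sum(f["in"] for f in members)
        beacons.append({"src": src, "dst": dst, "port": port,
                        "flows": len(members), "period_s": round(mean, 1),
                        "cv": round(cv, 3),
                        "out_in_ratio": round(out_total / max(in_total, 1), 2)})
    beacons.sort(key=lambda b: b["cv"])
    return beacons


if __name__ == "__main__":
    for beacon in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(beacon)
```

The thresholds (`min_flows`, `max_cv`) are the knobs an analyst tunes: loosening `max_cv` on this sample pulls the browsing host in as well, which is the false-positive trade-off any beacon detector has to manage. Real check-in jitter, sleep randomisation and NAT all widen the interval spread, so in practice the score is combined with destination reputation and the out/in byte ratio rather than used alone.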

Wednesday, May 21, 2014

Russia, China urge to develop and introduce rules for information security

First, I don't believe this for a minute. It's like Cold War propaganda. But wait, we're now in a new Cold War.

But you'd think they'd have better translators for this stuff.

I just finished the latest novel from Tom Clancy, Inc., Command Authority. What's interesting about this, aside from Tom, like L. Ron Hubbard, writing books from the grave, is how closely the book comes to recent events in the Ukraine. Of course, the Putin-like Russian leader controls all media and is given to long diatribes against enemies, internal and external, real and imaginary.

So, I decided to read the last year or so of the Russian English-language press to see how they covered the lead-up to the Russian invasion of the Ukraine.

What I found, and this applies to the Chinese English-language press, were barely literate articles, many penned by "Americans." What this amounted to was illiterate propaganda. The outrageous claims were funny enough (and I know our politicians are wont to make outrageous claims that can't be substantiated), but the writing was abysmal. (One editorial printed the lyrics to "Feel Like I'm Fixin' to Die Rag" verbatim. I'm willing to bet they didn't get permission to do that.)

Anyway, how effective can propaganda be when it's laughable on so many levels?

Monday, May 19, 2014

IPv6 and Telecom IPv4 Is Finally Running Out. Now What?

As this recent article explains, it's the 11th hour for IPv4 addresses. If you haven't taken this threat seriously yet, maybe it's time.

The Handbook of IPv4 to IPv6 Transition: Methodologies for Institutional and Corporate Networks by John J. Amoss and Daniel Minoli

  • Addresses the migration and macro-level scalability requirements
  • Discusses IPv6 network constructs, AutoConfiguration techniques, and the suite of IPv6 and related protocols
  • Describes IPv6 enterprise/institutional network migration scenarios and coexistence issues
  • Examines scenarios and techniques for introducing IPv6 into carrier networks
  • Explores application aspects of IPv6 transition, issues related to mobile environments, and security in IPv6 networks

Wednesday, May 14, 2014

Is Infosec Getting More Stressful?


Frankly, I think everything is getting more stressful, and not just at work.

But specifically regarding InfoSec, external threats and pressure are increasing, helped by wide media coverage of intrusions. And, internal pressure must be building, too. Just think about the Target CIO falling on his sword because of the data theft. Now there are real costs to personnel as well as the enterprise.

What do you think?

Tuesday, May 6, 2014

Internet of Things to Redefine Scope of IT Security

A recent report from Gartner is sounding the alarm about the burgeoning threat from IoT.
I've been riding this horse for a long time now. But recently, attacks on these systems are headlining the mainstream media: hijacked baby monitors, hijacked cars and drones, hacked medical devices, ... Attacks are limited only by the imaginations of the hackers, which seems endless.

If you haven't investigated for yourself what IoT means for your enterprise and yourself, it's not too late to start.

We have some articles on IoT, M2M, NFC, RFID, sensors, CPS, etc.

The Internet of Things

Internet of Things: A Context-Awareness Perspective

Internet of Things (IoT) Reaching Tipping Point

MTC/M2M Middleware

And, we also have a slew of books on the subject:

Unit and Ubiquitous Internet of Things

The Internet of Things: From RFID to the Next-Generation Pervasive Networked Systems

Cyber-Physical Systems: Integrated Computing and Engineering Design

Machine-to-Machine Communications: Architectures, Technology, Standards, and Applications

The Internet of Things in the Cloud: A Middleware Perspective

Thursday, April 10, 2014

Enterprise Open Source Intelligence Gathering

I just returned from Infosecworld. As with RSA, threat intelligence was a big topic. The session on "Enterprise Open Source Intelligence Gathering" was eye-opening. While I was familiar with some of the techniques used by the good guys and the bad guys, it's still amazing how easy it is to gather information from the Web, much of it PII or stuff that the military might classify as SECRET or above.
This session was led by Tom Eston, who is Manager, Profiling & Penetration for SecureState. He has a really interesting blog, Spylogic. You might want to check it out.

More on Infosecworld after I catch up.

Friday, March 28, 2014

Who knows what evil lurks in the Internet of Things?

According to a recent article in CIO, the Internet of Things is creating a scary world. And to think Cisco has started advertising it on TV.

Be frightened. Be very frightened. What you don't know can hurt you.

So, rather than curse the darkness of impending IoT doom, read Unit and Ubiquitous Internet of Things.

Written by Huansheng Ning, it
  • Introduces essential IoT concepts from the perspectives of mapping and interaction between the physical world and cyber world
  • Outlines a fundamental architecture for future IoT, based on the IoT layered model, topological structure, various existence forms, and corresponding logical relationships
  • Presents specific case studies that illustrate various application scenarios
  • Establishes an IoT technology system based on the knowledge of IoT scientific problems
  • Provides an overview of core technologies, including basic connotation, development status, and open challenges

Tuesday, March 25, 2014

New Zero-day Vulnerability Used in Targeted Attacks against Word

"A remote code execution vulnerability (CVE-2014-1761) in MS Word is currently being exploited in the wild. "At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010," said Microsoft, which acknowledged that the vulnerability also exists in Microsoft Word 2003, 2007, 2013, Word Viewer and Office for Mac 2011.

Dana Tamir, director of enterprise security at Trusteer, noted that the vulnerability can be exploited when Microsoft Word opens and parses specially crafted Rich Text Format (RTF) data. The exploit causes system memory corruption that enables the attacker to execute arbitrary code. An attacker who has successfully exploited this vulnerability could gain the same user rights as the current user.  As a result, that attacker can infect the victim's system with malware if a user simply opens the specially crafted RTF file.

The vulnerability could also be exploited through Microsoft Outlook. This is because Microsoft Word is the default email reader in most Outlook versions. In this case, previewing the message in Microsoft Outlook is enough to successfully exploit the vulnerability and download malware on the user’s machine.

A web-based scenario can also be used if the attacker creates a webpage that contains the malicious RTF-file, or if the malicious file is provided as content to websites that accept or host user-provided content or advertisements. Attackers may use this technique for conducting drive-by downloads and watering-hole attacks that infect website visitors.

Microsoft has posted a blog that discussed possible mitigations and temporary defensive strategies that can be used while the company is working on a security update.

Papa John’s Offering a Free Pizza

Papa John’s is offering consumers a free pizza. By simply placing an order for $15 or more between today and April 7 using promo code STATS at, you can get a free pizza on your next order.

While we don't offer free books, you might want to check out these anyway:

How I Discovered World War II's Greatest Spy and Other Stories of Intelligence and Code by David Kahn; ISBN 978-1-4665-6199-1

Trade Secret Theft, Industrial Espionage, and the China Threat by Carl Roper; ISBN 9781439899380

Managing Risk and Security in Outsourcing IT Services: Onshore, Offshore and the Cloud by Frank Siepmann; ISBN 9781439879092

Intrusion Detection in Wireless Ad-Hoc Networks by Nabendu Chaki and Rituparna Chaki; ISBN 978-1-4665-1565-9

The State of the Art in Intrusion Prevention and Detection by Al-Sakib Khan Pathan; ISBN 978-1-4822-0351-6

Core Software Security: Security at the Source by James Ransome and Anmol Misra; ISBN 9781466560956 

Monday, March 17, 2014

Critical Stuxnet-level Vulnerabilities Discovered in UK Power Plants

It was reported on Friday that three critical vulnerabilities were discovered in UK power plants.

"The security and integrity of Industrial Control Systems (ICS) should be a global concern," said TK Keanini, chief technology officer of Lancope. "The reality is that if these systems were ever vulnerable and reachable via the Internet, they are likely already compromised – simple as that. Not only should these companies patch the system but care should be taken to investigate the systems' integrity. Advanced malware can sometimes install itself and fool the patching software into thinking it has already been patched – in a Jedi mind-trick "These are not the droids you are looking for" manner.

"Infiltration of these systems is just one step of the larger picture. These industrial facilities must also make it harder for the adversary to remain hidden as they perform their operations. Raising the cost for your adversary to operate is the critical factor these days as infiltration is almost inevitable. Remember the people attacking these ICS systems are the type of people who do not want to be identified."

"These are critical vulnerabilities that allow a remote attacker to gain complete control over systems running Yokogawa CENTUM CS3000 by sending just a few packets to the vulnerable system," said Tom Cross, Lancope's director of security research. "The availability of functioning exploits in the Metasploit framework means that it's easy for attackers to target these vulnerabilities. It is extremely important that operators of Yokogawa CENTUM CS3000 install the available security updates immediately.

"It's important to emphasize that the software that controls industrial plant facilities can have serious security vulnerabilities just like any other kind of software. Although we like to think that these systems aren't connected directly to the Internet, it has happened, and often, there are indirect links through back office networks that exist because of the need for the business to monitor its plant operations. Ultimately, it's valuable for vulnerabilities like these to be discovered, disclosed, and patched. Identifying and fixing vulnerabilities is part of the process of making these systems more resilient to attack. Frankly, there is much more work to be done in the Industrial Control Systems area before we can have a high degree of confidence that these systems are well protected."

For more on ICS and SCADA security, see these books and articles:

Handbook of SCADA/Control Systems Security

Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS

Smart Grid Security: An End-to-End View of Security in the New Electrical Grid

Security and Privacy in Smart Grids

"SCADA Security: What Is an Industrial Control System?"

"SCADA Security"

Thursday, February 20, 2014

Shameless Promotional Plug: FREE PMP® or PgMP® Practice Exams

Take a full-length PMP® or PgMP® Practice Exam online right now.

These practice tests, developed here, let you answer questions at your own pace and save your test so you can work on it at different times. It scores your test as a percentage of questions answered correctly, as well as by domain.

PMP® Practice and Simulation Tests

PgMP® Practice and Simulation Tests

After you take the test, you can order one of these books to help you master any weak areas in your PM or PgM knowledge.

For the PMP® Exam
PMP® Exam Challenge!, Sixth Edition
PMP® Exam Practice Test and Study Guide, Ninth Edition
The PMP® Certification Exam Study Guide

For the PgMP® Exam
PgMP® Exam Challenge!

Other books to help you get ahead:

The Basics of Achieving Professional Certification: Enhancing Your Credentials
This easy-to-use guide can help you achieve professional certification and make informed decisions about the many options available. It can also help you avoid the pitfalls of making the wrong choice as a result of being incorrectly informed. Examining the range of professional certifications offered by associations and organizations, it explains how to select the right professional certification and outlines best practices for completing the certification process.

Determining Project Requirements, Second Edition: Mastering the BABOK® and the CBAP®

Tuesday, February 18, 2014

NSA Comedy Tour 2.0: An Evening of NSA Themed Comedy, Ethics & Tech


I almost wish I was in SF to see this. Ethics? Well, I guess ethics are situational. I'm sure the NSA believes it acts ethically, and if you don't agree, you're not a patriot (at least in its eyes).

And speaking of ethics, if you have concerns about it, here are some books and a free-to-read article:

Ethics in IT Outsourcing

Ethics and Project Management

"Introduction to Computer Ethics"

Thursday, February 6, 2014

Data Privacy Day Tips

I have to confess that I was unaware that Data Privacy Day was last week.

Data Privacy Day occurs every year on January 28 and is intended to remind us to more carefully consider our privacy choices throughout the year.

Computer users are encouraged to think about privacy choices the next time they create a new online profile, load an app on a phone, or sign up for a frequent shopper card at their favorite retail establishment.

"And with the big data movement hell bent on collecting as much information about us whenever possible, apparently innocuous or unimportant details can be pieced together in new and surprising ways," said Chester Wisniewski, senior security advisor at Sophos.

Following are three simple privacy diet tips from Sophos to help trim the fat and protect users' privacy:

1. Turn off geolocation, and leave it off.
Whether you're a Twitter user, a soldier in a war zone, or a fugitive from the law, geolocation can carry serious unintended consequences even when it's used on purpose.

Users have to be careful to avoid being tripped up by a steady supply of less-than-honest app writers. Geolocation data has been silently hoovered up and sent home by phone software as diverse as flashlights and mobile apps for kids.

2. Turn off Wi-Fi. Turn it on when you need it.
To trim the next few privacy pounds dieters need to turn off Wi-Fi on their smartphones, tablets and laptops. You can still use Wi-Fi but you have to switch it on when you need it and turn it off again when you don't.

As it searches for networks to join, your phone will offer up the names of Wi-Fi networks you've used previously. Many Wi-Fi networks are named after the places where they're located, so that your phone's electronic greeting can read like a history of where you've been. Alongside the networks it's joined your phone will also broadcast its MAC address almost constantly. Commercial organizations have begun to show serious interest in that little unique ID because it can be used just like a cookie to track and profile your movement in the real world.

3. Log out when you have finished
Dieters on the Privacy Plan should log out of any system they've finished with. Stopped using your laptop? Log out. Checked your bank balance? Log out. Done updating your Facebook status? Log out. Everything you've used but haven't logged out of is an open back door that leaves your privacy at the mercy of Clickjacking attempts, Cross-Site Referral Forgery attacks, social media tracking beacons and people just sitting at your keyboard when you're not there.

“Data Privacy Day is the perfect time to think about all the computing devices and gadgets you use, including smartphones and tablets,” said Rebecca Herold, an information security and privacy expert, internationally recognized as "The Privacy Professor," and author of Managing an Information Security and Privacy Awareness and Training Program, now in its second edition. “Many people don’t realize these devices are continually collecting personal information about the user, such as where you work or attend school, travel, shop … the list goes on. Everyone should be aware of the information they are putting out there and the data being collected without their knowledge or consent.

“As we embark on 2014, we truly are in a new and expanding ‘Internet of Things’ where numerous amounts of data are being collected every day. All individuals, businesses and government organizations should make privacy a priority by being educated about new, expanding data collection points and put appropriate protections in place to protect personal information,” added Herold.

Herold encourages all consumers to ensure they aren’t giving away too much information when their personal data is collected, and she believes they have the right to demand that the entities collecting their information are protecting it and using it properly.

Huawei Faces Indian Inquiry over Hacking Claim

Poor Huawei. They can't catch a break. While this doesn't seem to be a supply chain issue, something that fascinates me, it still reflects negatively on the PRC and its quasi-owned companies.

I suspect there are some national security issues at play here, too. China is nothing if not aggressive in pushing the fear buttons on its neighbors.

Tuesday, February 4, 2014

Kentucky Senate passes bill to let computer programming satisfy foreign-language requirement

Flash back time. I recall when college had a language requirement, as well as many others (like showing up for class).  I knew a guy then who was an engineering or chem major who argued long and vociferously that Fortran (that tells you how long ago this was) should be considered a "language" and satisfy the college's foreign language requirement. At the time, his protestations went nowhere.

Now, the state of Kentucky has passed a bill allowing programming to satisfy the foreign language requirement.

In high school my kids had to pass a Regents Exam in the foreign language of their choice (among the very few offered). They did not have a choice about programming or any other computer course beyond Office.

Thursday, January 30, 2014

McAfee Labs 2014 Threats Predictions Report: Cybercriminals Will Exploit Mobile Devices, the Cloud, and PCs

This doesn't sound like news, just more of the same. New technologies that enable business, like the cloud and mobile devices, are also attracting the attention of cybercriminals. In 2014, hackers are expected to exploit new attack surfaces and expand and refine their stealthy attack maneuvers. Think ahead and prepare your defenses now so that you can effectively safeguard your organization in the new year.

Here's McAfee's view of what's expected in 2014:
  • The BYOD trend is fueling attacks on mobile devices that will target enterprise infrastructures.
  • Cybercrime exploits will become more difficult to detect than ever before.
  • Nearly all major social media platforms will be subject to theft of user authentication credentials for the purpose of extracting user identity data.
For a copy of the report, see McAfee's site.

David Kahn recounts the desperate efforts to gather information during WWII and the Cold War

In this interview, David Kahn, universally regarded as the dean of intelligence historians, recounts the desperate efforts to gather information during World War II and the Cold War. In How I Discovered World War II's Greatest Spy and Other Stories of Intelligence and Code, Kahn provides insight into the dark realm of intelligence and code. By revealing the past, this work helps guide present and future intelligence efforts. Kahn is the author of The Codebreakers and Seizing the Enigma: The Race to Break the German U-Boat Codes, 1939-1943, which was the basis for the movie U-571.

Friday, January 17, 2014

Target Breach Notification Cautions

According to security firm Sophos, "the number of Target data breach victims is increasing with rumblings of records dating back more than a decade being impacted.

"With the high number of individuals receiving data breach notifications, it's important that you remember security best practices. Beware of clicking on links received in e-mails without first checking the link to ensure it is taking you to the desired site. Hackers frequently use this phishing technique to mislead consumers and direct traffic to malicious sites.

"If you encounter a suspect link, contact the vendor directly by typing in the company address directly in the browser.

"An examination of Target’s breach notifications may confuse some consumers and could easily be mistaken for phishing.  James Lyne, global head of security for Sophos includes examples and further detail here.

"There are bound to be many copycat hackers jumping on this trend and telling good from bad content is going to be difficult for consumers."

I don't recall buying anything from Target, ever, but yesterday received an email with the subject: Important message from Target to our guests. Guests? Does this mean anyone who has ever hit the site, or do guests=customers? The message was signed by Target's CEO and offered one year of free credit monitoring. I didn't click through for the offer.

Wednesday, January 15, 2014

The Winners and Losers in the Landmark Net Neutrality Ruling
Being a content creator, and seeing aggregators such as Google and Facebook as being the primary beneficiaries of Net Neutrality, I think this ruling is great. If something is worth seeing, hearing, or reading, it's worth paying for.

Monday, January 6, 2014

Resolve to Raise Privacy Awareness in 2014

In this month's Privacy Professor Tips, Rebecca Herold provides insightful and useful commentary on privacy issues, including social media and smart appliances.

Thursday, January 2, 2014

District Judge Upholds Government’s Right to Search Electronics at Border

As reported in the New York Times, among the issues raised against the ruling was that workers might have sensitive information on their devices. The judge said workers don't have to store that information on the devices they carry across the border, so it isn't an issue.

Just something else information security needs to worry about.