Monday, October 27, 2014

Kaspersky Probes ATM Malware Mystery

Kaspersky Lab this week reported that criminals have been emptying ATMs and infecting them with malware dubbed "Tyupkin." About 50 machines have been infected in eastern Europe, and the attacks have spread to the United States, India and China, based on statistics culled from VirusTotal, Kaspersk... More details here:

Saturday, October 11, 2014

Cloud security: The basics

Wednesday, October 8, 2014

Tuesday, October 7, 2014

Advanced iOS Virus Targeting Hong Kong Protesters

Cybersecurity researchers have uncovered a computer virus that spies on Apple’s iOS operating system for the iPhone and iPad, and they believe it is targeting pro-democracy protesters in Hong Kong.

The malicious software, known as Xsser, is capable of stealing text messages, photos, call logs, passwords, and other data from Apple mobile devices, researchers with Lacoon Mobile Security said Tuesday. They uncovered the spyware while investigating similar malware for Google’s Android operating system last week that also targeted Hong Kong protesters.

Anonymous attackers spread the Android spyware via WhatsApp, sending malicious links to download the program, according to Lacoon. It is unclear how iOS devices get infected with Xsser, which is not disguised as an app.

Lacoon Chief Executive Michael Shaulov told Reuters that Xsser is the most sophisticated malware used to date in any known cyberattack on iOS users. “This is one of the most interesting developments we have seen,” he said. “It’s the first real indication that really sophisticated guys are shifting from infecting PCs or laptops to going after iOS devices.”

The code used to control that server is written in Chinese. The high quality of the campaign and the fact that it is being used to target protesters suggests that it is coming from a sophisticated attacker in China, Shaulov said. “It is the first time in history that you actually see an operationalized iOS Trojan that is attributed to some kind of Chinese entity,” he said.

A Trojan is a term used by cyber researchers to describe malware that enters a device disguised as something harmless. Still, he said his company’s research team has yet to identify any specific victims of the iOS Trojan.

Lacoon said on its blog that it is possible the attackers might have deployed the Trojan in other places, in addition to spying on pro-democracy protesters in Hong Kong.

“It can cross borders easily, and is possibly being operated by a Chinese-speaking entity to spy on individuals, foreign companies, or even entire governments,” they said in a blog post describing their analysis.

Monday, October 6, 2014

CyberSecurity Free Webinar

Oct. 9. Cyberspace as Battlespace. 2 p.m. ET. Black Hat webinar. Free with registration.

Sunday, October 5, 2014

2FA for Feds

Two-factor authentication is gaining traction among online service providers as a way to prevent their customers' accounts from being hijacked.

2FA is relatively simple. In addition to a username and password, a single-use code is sent -- typically to a user's cellphone -- to verify the customer's identity.
Some government departments and branches of the military have been using 2FA for years. However, it usually involves a dedicated token -- just another gadget that has to be lugged around and can be lost, stolen or forgotten.
The complexity and expense of token-based systems have acted as a brake on the more widespread adoption of 2FA in the federal government.
In an effort to change that, Globalscape last week announced an alliance with SMS Passcode.

With governments at all levels looking for economical and effective security solutions, a 2FA system that uses something employees already have -- their mobile phones -- could be an attractive proposition.

While agencies still would need to pay licensing fees to Globalscape and SMS Passcode, much of the overhead of token-based systems could be eliminated.
"It dramatically increases security with only those licensing fees," Greg Hoffer, senior director of engineering for Globalscape, told TechNewsWorld. "That's a lot cheaper than solutions that are hardware based or Web-application firewall-based."

Another benefit of the SMS solution is that it's location aware, he noted.
"If a log-in attempt originates in China and we know your mobile phone is in the U.S. or Canada, the system will block the log-in attempt," Hoffer explained. "So it increases security through geo-awareness."

Holiday Anxiety

With the holiday season approaching, visions of the Target data breach fiasco -- not sugar plums -- will be dancing in many shoppers' heads.
What's a consumer to do? For one thing, consumers can pay closer attention to what's appearing on their credit card statements. They don't have to wait for those statements to arrive in the mail, either. They can check transactions online -- and many regularly do so.

"They should also consider using credit cards that provide more detailed information about credit card transactions," Sean Leonard, founder and CEO of Penango, told TechNewsWorld. "That makes it easier for both the credit card company and consumer to detect fraud."

Using a credit card to make purchases is preferable to using a debit card, according to Leonard.

"Purchasing with a credit card is better than purchasing with a debit card. Getting money lost to debit card fraud back is a lot harder than disputing a charge on a credit card statement," he said.

"If all you have is debit cards," said Leonard, "you should use the credit card feature of the debit card."

Consumers Fed Up With Data Breaches

With news of massive data breaches becoming almost a weekly occurrence, consumers are beginning to lose their patience with the custodians of their personal information.

Survey results from 2,000 consumers, released last week by HyTrust, suggest that 51 percent of those polled would bolt from any business involved in a data breach that compromised personal information such as address, Social Security number or credit card details.

Suspicions have been growing among consumers that businesses aren't doing enough to protect the data they eagerly collect from their customers, Eric Chiu, president and founder of HyTrust, told TechNewsWorld.

"We're seeing repeats of the same sorts of attacks over and over," he said. "It means that in the retail world, everyone is playing kick the can. They're not addressing what needs to be addressed now and putting the consumer first."

The survey also revealed some harsh attitudes toward businesses involved in a data breach. Almost half of the respondents (45.6 percent) said companies should be considered "criminally negligent" the moment a breach occurs.
Attitudes on that front appear to be colored by age, though. Only 34 percent of 25-34 year olds were in favor of immediate blame, while 51 percent of respondents 65 and older wouldn't hesitate to lower the hammer on a company involved in a breach.

The same is true for consumers who vowed to vote with their feet against a company that suffered a breach. Three out of every five respondents (60.2 percent) in the 35-44 age bracket said they'd take their business elsewhere, compared to 51 percent overall.

A large majority of the consumers participating in the survey (80.3 percent) felt the officers of a company should be held accountable for a breach.
"Since the Target breach, there's been almost weekly breaches," Chiu said. "Consumers are tired of it. They feel that companies are not really paying attention."

Saturday, October 4, 2014

4 Things Chase Customers Should Do in Wake of Recent Hack

If you’re a Chase bank customer, you’re right to feel powerless right now.
Hackers broke into JPMorgan’s computer systems and stole more than 80 million customers’ personal information, including their names, emails, physical addresses, and phone numbers.
Anyone who used online banking or the Chase smartphone app was affected.
It’s time to play defense.
1. Watch out for scammers. Hackers now have enough information to contact you, and they know you’re a JPMorgan Chase (JPM) customer.
Don’t trust any phone calls, emails, or letters claiming to be from the bank. Instead, directly call the number on your bank card or a previous statement.
Scam artists will seek even more information from you — like your birthday, Social Security number or bank account number — so they can tap into your account and steal your money.
And beware: Scammers will likely scan your Facebook, Twitter, or LinkedIn page first. Expect them to sound like a bank that knows about your personal habits.
2. Don’t change your login or get new cards — yet. According to the bank, hackers didn’t manage to steal usernames, passwords, account numbers or Social Security numbers.
As such, don’t rush to change these things. It’s an unnecessary inconvenience.
More importantly, though, you might have to change all these things later. The New York Times reported that hackers got root access to the bank’s computer system. That’s as deep as it gets.
So hackers might still be lurking in the bank’s computers — even if the bank claims it closed the hole and has “no evidence” hackers are still inside its network.
3. Check your bank statement regularly. If hackers are still in the bank’s computers, they could grab even more information.
Operate under the assumption you’re at risk of fraud all the time. Carefully review your bank and credit card statements for any unexpected charges — especially tiny ones.
Fraudsters typically test a stolen debit or credit card by charging a few cents on the card. They do it to avoid catching your attention.
4. Stay put. Don’t switch to a different bank. This is the hardest advice to take, because it’s rooted in a sense of despair.
The sad reality is, all banks are under attack.
And if you’re thinking about switching to a geographically close community bank, consider it a trade-off.
The largest banks — Chase, Bank of America, Citigroup, Wells Fargo, and so on — will get hacked more often, because they are bigger targets.
But smaller banks get attacked, too. And they don’t have the means to protect you as well, because they have less money to hire top-notch security teams.
You’re exposed everywhere anyway. That’s the argument of Kate Carruthers, who spent more than a decade doing IT for major Australian, New Zealand and U.S. banks.
“If people knew how these systems are handled and how clunky they are, they wouldn’t use banks,” she said. “But the reality is, they have to. They don’t have a choice.”

India readies cyber commandos to thwart attacks in cyber space

At a time when India is feeling the heat owing to the growing number of cyber warriors globally, especially in neighboring countries like China, a flurry of activity is under way in the country, both at the government level and in private organizations.

The government has already started taking initiatives to set up a that would work towards preventing sabotage, espionage and cyber originating from within or outside the country. In January this year, Shivshankar Menon, National Security Advisor to the Prime Minister had informed that the National Security Council is working out the final details for its implementation the architecture.

However, the biggest challenge for the success of the initiative is the shortage of cyber security experts, also known as cyber commandos.

Earlier this year, the University Grants Commission had sent a letter to the vice chancellors of all the technical universities to introduce cyber security and information security as subjects at the undergraduate and post-graduate level. While a few of the universities have already initiated the process, it is taking time in the absence of any proven course curriculum.

In order to address the skill gaps and the demand for cyber warriors that India may require in the future, EC Council (International Council of E-Commerce Consultants), a provider of certifications and training on information security, has now come out to cater to the future need. In association with its training partners in India, the US-based company is expecting to offer training to about 40,000 people on areas such as Ethical Hacking, Computer Hacking Forensics Investigation, Security Analysis and Penetration Testing.

“We already have fought two world wars. There is a belief that if a third world war is fought, then it is going to be controlled through computer network. Someone, if gets control over hospitals, weaponries and government departments can easily create havoc in any country. And that’s why there is a greater need of cyber warriors in any country today,” said Akash Agarwal, Country Manager of EC-Council in India.

Presently, few of the universities offer information security as a subject as a part of their Criminology Department. For example, the department of Criminology at the University of Madras offers courses on Information Security and Digital Forensic.

According to different estimates, there was a financial loss of around $390 billion globally last year because of cyber attacks and frauds. Presently, China is the most vulnerable country to cyber attacks with over 40% of the attacks targeted against the country followed by the United States.

India is said to be the eighth most vulnerable country in the world as far as cyber attacks are concerned. Even though estimates say India receives around 2.5% of the cyber attacks that happen globally, the impact of those could be humongous considering the financial loss as well as the loss of sensitive information.

“We need to understand from the fact that the dependence of the economy and the governance – whether it is banking, e-commerce, travel booking, electric transfers and payment systems – is becoming more and more. The moment you talk about growth in these areas, your first concern is whether the transactions are secure,” said Kamlesh Bajaj, CEO of Data Security Council (DSCI), a Nasscom initiative.

“So it is the trust level in all of these systems, that is critical and that trust will come from security,” he added.

In a report submitted to the Home Ministry and the National Security Council last year, DSCI had proposed that the government appoint a Cyber Security Coordinator at the national level. It had also underscored the need for public-private partnership to respond to the challenges thrown up by cyber security.

India, according to various estimates, would require around 500,000 by 2015 to cater to the growing need for securing the cyber space.

Presently, China is estimated to have 25 million cyber commandos. Even a small country like North Korea is believed to have over 15,000 cyber warriors.

Even though there is a lack of any published figure, industry experts believe that India may be having about 2000 people who are capable of monitoring attacks and taking remedial measures, though it is more unorganised now.

CyberSecurity Jobs in India

5 lakh jobs by 2015 in cyber security 

India will require five lakh cyber security professionals by 2015 to support its fast growing internet economy as per an estimate by the Union ministry of information technology. These jobs will come up across industries. The financial sector alone is expected to hire over 2 lakh people while telcos, utility sectors, power, oil & gas, airlines, government (law & order and e-governance) will hire the rest.

A large number of these jobs will be around cyber policing and ethical hacking, to check for network vulnerabilities. The need for cyber experts has grown exponentially as the country is heading towards an internet explosion mostly fuelled by e-commerce, e-banking, e-governance and the social media.

The Data Security Council of India (DSCI), a Nasscom body that frames guidelines related to data security and data privacy for corporates, said, "Security will fuel the growth of businesses. Trust is critical to build customer confidence and trust comes only through safety. Global clients are increasingly demanding high-level compliance to data security, privacy and cyber security regulations."