Month: April 2015

A new survey from 451 Research finds Apple Pay gaining momentum in the mobile payments space, primarily at the expense of PayPal.

“Our latest survey shows planned use of Apple Pay has been on an upward trajectory since it became available six months ago – with the service helping to spark consumer demand for mobile payment technologies,” said Andy Golub, Survey Research Director for 451 Research. “Although consumer perceptions of security remain an issue, the results point to marked improvements in this area.” The March survey, conducted by 451 Research’s ChangeWave service, consisted of 4,168 respondents primarily based in North America, and looked at planned use of mobile payment applications and the issue of security.

Future Demand for Mobile Payment Apps

To gauge overall consumer interest in mobile payment applications, we asked smartphone owners about their planned use over the next 90 days, and the survey results show strong interest.
One-quarter (25%) of smartphone owners say they are likely to use mobile payment apps over the next 90 days (11% /Very Likely/; 14% /Somewhat Likely/). This number is up just 1-pt since 451’s previous ChangeWave survey in December 2014, but is a full 6-pts higher than one year ago. Smartphone owners using iOS (34%) are more than twice as likely to use mobile payment apps compared to Android (16%), BlackBerry (13%) or Windows Phone (5%) users.

Competition Among Mobile Payment Services

Apple Pay is the top choice in terms of mobile payment applications consumers plan on using going forward. A total of 45% say they plan to use Apple Pay – which is a 5-pt jump since December.
PayPal (28%) is still solidly in second place, but is down 4-pts compared to three months ago. As seen in the following chart, PayPal is clearly being impacted by the launch of Apple Pay.
/*Note: June 2014 response choice was Apple Passbook./

“The introduction of Apple Pay has catalyzed a wave of strategic moves across the mobile payments ecosystem,” said Jordan McKee, 451 Research’s Senior Mobile Payments Analyst. “In the wake of Apple’s entrance, Google and PayPal have made significant acquisitions, while players such as Facebook and Samsung are rolling out payment products to remain competitive. Moving forward, the pace of activity will only accelerate as vendors look to capitalize on the growing contactless payments infrastructure and secure a foothold in this rapidly evolving sector.”

Customer Satisfaction

Looking at satisfaction among consumers who are already using mobile payment apps, Apple outperforms, with 66% of those who have used Apple Pay saying they’re /Very Satisfied/ with the service.
PayPal (45%) is in second place, followed by Google Wallet (33%).

Perceptions of Security

The survey also focused on consumer sentiment toward mobile payment security, and asked all respondents whether they consider mobile payments to be more or less secure than traditional credit cards. In an important finding, the results show a slow, yet steady, improvement in the perception of security over the past year. One in four respondents (24%) believe mobile payments are more secure than traditional credit cards (6% /Significantly More/; 18% /Somewhat More/), while 27% think they’re less secure (16% /Somewhat Less/; 11% /Significantly Less/).
This is a net 3-pt improvement compared to December 2014 and a major 26-pt improvement since a year ago.

Other key findings include:

* Respondents interested in buying an Apple Watch are twice as likely (54%) as all other smartphone owners to say they’ll use mobile payment apps (29% /Very Likely/ and 25% /Somewhat Likely/). An upcoming 451 Research reportbased on a new ChangeWave survey will be taking a close-up look at wearable device trends and demand for the Apple Watch.

* /The Secure Storage of Financial Account Information /(84%) is the most important feature in a mobile payment app according to likely users, followed by /Widespread Acceptance Among Merchants/(70%).

* The survey looked at overall consumer interest in Samsung’s new mobile payment service set to launch this summer. A total of 8% of respondents say they’re /Very /or /Somewhat Likely/ to use Samsung Pay in the future. But that number jumps to 25% among Samsung smartphone owners, and surges to 46% among those planning to buy a Samsung smartphone in the next 90 days.

*Methodology: *The findings are based upon a March 11-23, 2015 consumer survey on mobile payment services, and a total of 4,168 respondents from 451 Research’s ChangeWave survey network participated. 451 leverages its ChangeWave network of 25,000 business and technology professionals – as well as early-adopter consumers – to provide a forward-looking view of technologies, companies and the macro economy well in advance of other sources.

(341)

Bromium® Inc., announced the results of its “State of Security Report Card,” a survey of more than 100 information security professionals at the RSA Conference in San Francisco. The survey results reveal that legacy solutions such as firewalls and antivirus are failing to prevent attacks and address the priorities set by their CISOs.

“The results of this survey serve as yet another proof point in a long line of data about the shortcomings of legacy security solutions,” said Clinton Karr, Sr. Security Strategist, Bromium. “Even if you cling to the belief that AV is not dead, the industry seems to be aware that it is in critical condition and is putting more stock in next-generation solutions.”

Specific findings from the “State of Security Report Card” include:

Organizations have room for improvement in prioritizing security – Bromium asked RSA conference attendees to grade their organizations on its ability to prioritize security by allocating the resources they require from A to F, and the majority gave their organizations a B or C:

A grade: 8 percent
B grade: 42 percent
C grade: 32 percent
D grade: 18 percent
F grade: Zero

Firewalls and Anti-virus are failing to prevent attacks – The survey asked RSA conference attendees to grade a variety of security solutions on their ability to prevent attacks and address the priorities set by their CISOs. Twenty percent of respondents gave firewalls a failing grade and 25 percent gave antivirus a failing grade. Among the most popular responses, 42 percent of respondents gave firewalls a B and 36 percent of respondents gave antivirus a C.

Next-generation solutions are performing above average – Next-generation firewalls, network sandboxes, endpoint isolation, host monitoring and threat intelligence solutions all performed well. None of these solutions were given a failing grade. Here is a breakdown of the most popular responses:

58 percent gave next-generation firewalls a B (17 percent gave it an A) 54 percent gave advanced threat protection/network sandboxes a B (20 percent gave it an A)
64 percent gave endpoint isolation/sandboxing/host monitoring a B (17 percent gave it an A)
44 percent gave threat intelligence a B (17 percent gave it an A)

Information Sharing Initiatives Show Promise; Face Hurdles – Bromium asked RSA conference attendees if their organizations would benefit from information sharing initiatives, such as those outlined in President Obama’s Executive Order, and if their organizations would participate. The overwhelming majority (78 percent) said they would benefit from information sharing initiatives, but less than half (48 percent) said they would participate. There is clearly a disconnect in these results, which suggest that information security professionals are concerned about how information sharing initiatives will aggregate and anonymize their organization’s data.

Survey Methodology

Live interviews were conducted with more than 100 RSA USA Conference attendees between April 21 and April 22, 2015.

(291)

Reported child sexual abuse has risen 60% in last four years, according to a freedom of information request made by Shadow Home Secretary Yvette Cooper. At the same time the number of arrests for child sexual abuse offences in England and Wales has fallen by 9%. The number of offences of child sexual abuse reported to the police has soared from 5,557 cases in 2011 to 8,892 last year. 

 
Christian Berg is founder of NetClean, a company working with the UK Home Office, the Department for Homeland Security, organisations, governments and ISPs around the world to stop, track and analyse child sexual abuse material and solve cases.

Christian commented that;

“Unfortunately experience tells us that the volume of child sexual abuse (CSA) crime far exceeds that which is reported to police. Tragically victims, even if they are old enough to speak, are rarely in a position to be able to tell authorities about their abuse. As a result our society has a huge responsibility to ensure we are monitoring for signs, and ensuring that this cannot happen on our watch. 

“CSA is like an addiction – collecting and using these kinds of images and videos is often a gateway. As individuals using this illegal content seek more material, the next stage is participating in actual abuse. CSA does leave evidence and some of the most common-place are images and videos made and traded online. This content is both evidence of and a catalyst for abuse as more material is produced to feed abusers’ addiction. Those who collect, view and distribute child sexual abuse material pose a significant risk to children. By finding this illegal content and bringing it to the attention of the authorities, we can help save current and future victims.

“By tracking the symptoms of this societal ill, i.e. images and videos of abuse, we can find the problem and bring those who abuse children, whether for personal or commercial gain, to justice. We need to do all we can to ensure that abuse is found, flagged to the authorities, and that those authorities have the time and resources to address the crime. Society at large needs to open its eyes to these problems and shoulder the responsibility in ensuring there is no safe haven for those who commit this abuse.”

NetClean’s work with the UK Home Office:

NetClean are working with the Home Office to implement the nationwide Child Abuse Image Database (CAID) and roll out digital forensic investigative tools to 46 law enforcement and police agencies across the country.

The CAID plays a key part in delivering on the UK government’s promise to create a central repository for consolidating data in cases of child sexual abuse material. The new service will enable crime units to share data, information and leads as part of the fight to protect children from exploitation. CAID enables law enforcement agencies to search seized devices for child abuse images and to quickly differentiate between new and existing material, allowing them to focus resources accordingly.

The contract was awarded to L-3 ASA, who is delivering the solution together with NetClean and Hubstream.

For more information: www.netclean.com

(382)

Verizon’s annual Data Breach Investigations Report (DBIR) is now in its eleventh year. It has become one of the most anticipated information security industry reports as it goes into detail about thousands of confirmed data breaches and security incidents from around the globe into emerging and shifting trends.

DFM is pleased to present comments on and highlights from the report by industry experts.

Clinton Karr, senior security strategist, Bromium;

“The Verizon Data Breach Incident Report demonstrates that five sectors are being attacked more than any other: public sector, finance, technology, manufacturing and retail. Logically, cyber attacks are following the money. Retail and finance hold valuable bank account and credit card information, technology and manufacturing hold proprietary intellectual property. Government organizations hold state secrets. Therefore, it follows that investments in information security must change the economics of an attack to discourage malicious actors; by making an attack more difficult, it becomes more expensive and deters attackers to seek different targets.

The Verizon report highlights that historically, 71 percent of known vulnerabilities had a patch for more than a year before breach. However, security teams and operations teams often find themselves at odds: a poorly implemented patch can cause more harm than good, yet waiting to implement a patch leaves an organization to attack. The report underscores this dilemma since just 10 CVEs accounted for 97% of exploits.

Finally, multiple statistics in the Verizon report point to just how worthless signature-based detection has become. 70-90 percent of malware samples are unique to the organization they attack, 75% of attacks spread from victim zero to victim one in less than 24 hours, and the vast majority of attacks only exist for 24 hours; malware simply does not exist long enough for malware research to detect a sample, create a signature and disseminate it.

In fact, Verizon even notes “criminals haven’t been blind to the signature and hash matching techniques used by antivirus (AV) products to detect malware. In response, they use many techniques that introduce simple modifications into the code so that the hash is unique, yet it exhibits the same desired behavior.”

Ultimately, Verizon concludes that “it may not be obvious at first glance, but the common denominator across the top four patterns accounting for nearly 90% of all incidents—is people. Whether it’s goofing up, getting infected, behaving badly or losing stuff, most incidents fall in the PEBKAC and ID-10T über-patterns.” End users are the weakest link in the security chain, but signature-based detection can no longer serve the purpose of protection. The security industry must adopt a new model of endpoint protection based on isolation.”

TK Keanini, CTO, Lancope;

“If you only read one page, or have one take away from the report, it will be the concept of the ‘detection deficit’ as it is appropriately named the primary challenge to all of our defense strategies against this advanced threat.

Figure 5 called the Defender-Detection Deficit – “…the proportion of breaches discovered within days still falls well below that of time to compromise. Even worse, the two lines are diverging over the last decade, indicating a growing “detection deficit” between attackers and defenders. We think it highlights one of theprimary challenges to the security industry

This is an architectural problem as many of the networks were built back when advanced telemetry was a nice to have and not mandatory to operations.  There are just too many places for the attackers to hide and remain hidden as they carry out their objective across the attack continuum.  If you are not detecting and remediating attackers on a weekly or monthly basis, chances are they are in your network, you just don’t know it yet.”

Andy Green, technical specialist, Varonis;

“As in previous years, credentials—guessed or previously snatched— are still involved in the largest share of attacks. We also see familiar sectors– public, finance and technology– leading in the number of security incidents reported, with retail and hospitality trailing behind them. Also it’s yet again a safe bet to make that the time to discover a breach will be measured in months not days.

But there are new emerging trends as well: phishing and more deadly APTs, like RAM scrapers are on the rise. Here’s an ominous fact that Verizon discovered as part of their own research: nearly 50% opened e-mails and clicked on phishing links within the first hour! 

Bottom line: hackers are getting better and better at stealthy attacks where they can sneak around perimeter defenses and remain undetected for long periods of time. It’s becoming increasingly important for companies to lock-down internal access controls and protect the data from inside.” 

Mike Spykerman, Vice President of Product Management at OPSWAT;

“The latest Verizon report underlines that although attacks are becoming more sophisticated, many of the tactics that are being used are the same and that there is still a lot more that organizations can do to reduce their risk of data breaches. By properly covering their bases, such as centrally monitoring devices to ensure that they are safe and patched, deploying multi-scanning with multiple anti-virus engines on servers, web proxies, clients and email servers, and educating employees in cyber security, a company’s exposure can be greatly reduced.

(580)

Following confirmation that the BeeBone botnet had been sinkholed last week, OpenDNS IT Pro – Owen Lystrup warns that this is just the first step in stopping these infected machines:

“While the difficult effort of stopping the botnet is complete, it is only the first step to ensuring security for those affected. The next, and perhaps more crucial, steps are to shutdown the servers involved and clean the infected endpoints. As we’ve seen before with cases like Kelihos, botnets can resurface after a dormant period.
“The interagency sinkhole essentially chops the botnet’s capability at its knees. However, unless they have been thoroughly cleaned, the endpoints compromised are still very much infected. The sinkhole merely means outbound traffic intended for what were formerly command and control (C&C) IPs will now get dropped. This result is positive. It means those infected machines will no longer receive instructions from a malicious server – for now.”

Dhia Mahjoub, senior security researcher at OpenDNS, has spent a great amount of time researching botnets – like Kelihos and Zbot, which have similar characteristics to Beebone. And he’s fully aware of the challenges involved with stopping them. “Sinkholes are good for telemetry, which will measure the extent of the threat,” he said. “Step two is for law enforcement to actually take down the involved servers, and to clean the endpoint machines.”

After the press release announcing the takedown, the OpenDNS security research team used the preliminary data to map the known infrastructure and compare it using its own unique view of DNS traffic on the internet. Analysis from OpenDNS shows traffic requests to these formerly malicious domains are still at very high levels. The continued significant traffic to these domains suggests that cleanup efforts have not been effective yet.

In conclusion, Dhia said, “Cleanup is incredibly difficult because the burden lies on the individuals using infected machines, or their ISPs. It’s a huge effort and very expensive. But without it, botnets can potentially pick up where they left off.”

A graph visualising this traffic is available here:

(348)

Following the news that nearly half of ‘Game of Thrones’ upcoming season has leaked online Ken Westin, senior security analyst at Tripwire, explains why this isn’t a traditional hack:

“After the Sony breach many are wondering if HBO may have been hacked and believe that could be the source of the leaked episodes. However, I believe this is not a traditional hack where HBO’s network was compromised, but an example of supply chain security in relation to data. There is a great deal of demand for Game of Thrones episodes as it has an incredible fan base so there is a great deal of motive to find and leak the material. The motion picture industry is compromised of multiple partnerships, no one studio does everything from beginning to end, things like effects, audio mastering, translation and subtitles and a whole host of other work may be farmed out to other entities.

“The marketing process as well requires that “Screeners” be provided which are discs provided for people to review the movie or episodes before they are provided to the general public, either for awards considerations or other purposes. These screeners are watermarked and require a legal agreement not to share the material, however these watermarks can be found and blurred so they cannot be identified when movies are then leaked.

“In many respects the same risks that a movie may go through mirrors that of customer data or other forms of intellectual property, where multiple parties may use the data and it can be passed around and accessed by many different parties. The more demand there is for a given type of data and the more people involved who have access to it the more likely it is to be compromised by a trusted insider.”

(349)

OPSWAT, provider of solutions to secure and manage IT infrastructure, announced the release of a new statistics feature for their free anti-malware multi-scanning service, Metascan® Online. The newly-released malware statistics page provides a list of the 100 most searched for threats from the past week, including detailed scan results. The statistics page is updated daily and provides the ability to track the scan history of a given threat, giving researchers insight into the growth rate of malware detection rates.

The Metascan Online data can be used to investigate the current threats generating the most searches, as well as to monitor the detection rate of new threats. OPSWAT CEO Benny Czarny expressed excitement over the research and data analysis possibilities created by the new technology, stating that “the Metascan statistics tool provides information about the malware samples in our database, giving malware researchers the ability to dig into the types of threats that are currently circulating as well as track how the detection of new threats changes over time.”

To reduce the risk of false positives at least five of Metascan Online’s 40+ anti-malware engines must flag the file as a threat for it to be included. According to Product Manager for Metascan Online, Ronald Melencio, five engines seemed to be the “sweet spot” for detection. He went on to say that “we were concerned about false positives, but if the minimum is set too high we could eliminate real, new, interesting threats.”

The statistics page provides a nearly real-time visualization of the value of multi-scanning. No single anti-malware engine detects 100% of threats 100% of the time, but using multiple engines to scan for threats allows users to take advantage of the strengths of each individual engine and to guarantee the earliest possible detection. While the data included on the statistics page shows only a subset of the most common threats in the wild and utilizes only the Windows-based anti-malware engines in Metascan Online, it provides an indication of the variability of detection rates of common malware by the anti-malware community.

OPSWAT elicited feedback from their partners within the anti-malware and malware research community as they developed this new feature in the hopes that it would provide information that was interesting, but not misleading for consumers. It is important to note that the detection data comes from static analysis performed by Software Development Kit (SDK) and Command Line Interface (CLI) package versions of the anti-malware engines included in Metascan Online and not from endpoint desktop applications which may be capable of enhanced behavioral and other dynamic analysis. Detection rates, therefore, may differ significantly from commercial endpoint performance. Therefore the data should not be used for comparative analysis of desktop or server anti-malware application. To discourage such comparisons, OPSWAT has chosen to anonymize the scan engine names.

About Metascan Online

Powered by OPSWAT’s Metascan technology, Metascan Online is a free online scanner that scans files for malware using more than 40 commercial anti-malware engines from leading security vendors such as Kaspersky Lab, McAfee, AVG, Avira and many others. The Metascan Online API allows users to programmatically upload and scan files or to search for previous scan results using a file’s hash (MD5, SHA1 or SHA256). By utilizing the hash lookup functionality, users can easily see if the file has previously been scanned by Metascan Online and get the scan results without sending the file over the Internet to be scanned.

(544)

More than half of IT professionals (57%) believe their organisation’s senior management does not take enough responsibility for internal security, according to new research from IS Decisions.

Currently, the IT department (80%) takes responsibility for insider threat in nearly twice as many organisations as the C suite (43%) does.

And while security budgets have grown by about a third over the last year, the average amount apportioned specifically to internal security accounts for just 3.6% — despite the increasing potential risks.

However a majority of 68% of IT professionals expect budgets on internal security to grow significantly within their organisation and 67% stated they plan to look at specific tools, technology and data to help tackle insider threat, highlighting further the need for senior involvement.

The findings are part of research revealed in IS Decisions’s new report User security in 2015: the future of addressing insider threat, based on a survey of 250 IT professionals in the UK and 250 in the US.

The senior executives’ worrying lack of support and awareness on insider threat comes after a year of high-profile breaches at major companies like eBay, Target and JP Morgan where lax internal security played a part.

As a result, 37% of organisations across the UK and US are planning an insider threat programme this year, driven mostly by the IT department.

IT pros are also craving guidance on mitigating insider threat from outside of the company, with 91% believing that industry-wide collaboration is needed and 78% wanting clearer guidelines on tackling the issue.

François Amigorena, CEO of IS Decisions, commented, “Senior executives need to wake up to the reality that is insider threat. For good reason, 2014 has been dubbed by many as the ‘year of the breach’, and no company is safe — no matter how large or small.

“We have seen the most senior people in organisations like Target pay the price of poor security practices by losing their jobs, showing just where the responsibility should lie now and what kind of penalties can ensue.

“While IT professionals are clearly very much taking heed of what they’re seeing, C-level personnel must also be on board if 2015 is to be the ‘year of tackling insider threat’”.

The report is available to download via IS Decisions’s website: User security in 2015: the future of addressing insider threat

(466)