Month: July 2016

Commenting on the news that Google want to collect your medical details (http://www.bbc.co.uk/news/technology-36783521), Lee Munson, security researcher for Comparitech.com said:

“In an age when personal information has become the new currency, many people have begun to take their online privacy seriously, checking web terms of service, opting out of intrusions they don’t like, viewing app permissions and so on. 

“But that may not be enough. 

“Judging by the way in which Google’s DeepMind has found its way into a project that grants it access to millions of patient’s eye scans, an awareness of the commonly unknown may also be required. 

“For those oblivious to the fact that the NHS is sharing patient data with 1,500 third parties, and the fact that the only opt-out is through an email to the trust’s data protection officer, DeepMind, et al, may appear to be overstepping the mark, even though there is nothing illegal or untoward about the way in which it is gathering information. 

“The moral of this story, then, is to question everything now and even more so in a future that is likely to see ever more data-sharing between the health service and private companies.”

(224)

The prpl Foundation, the open-source, community-driven, collaborative, non-profit foundation with a focus on enabling next-generation datacenter-to-device portable software and virtualized architectures, has announced the formation of its first Carrier Interest Group (CIG). The charter of the CIG is to ensure that the technical needs of major international carriers are represented and communicated to the wider prpl community and contribute to prpl’s coordinated response to new regulations put forth by government agencies, such as the FCC in the US, which potentially limit the use of open source software.  

The new group will also help define possible new enhancements for OpenWrt software and hardware with the aim to produce carrier-grade, commercial standards for improving the security of home gateway, home network and smart home devices.

Wojtek Makowski, CTO of the French embedded software for the digital home company, SoftAtHome, and Pasquale Bombino, VP of engineering at connected solutions specialist ADB, will co-chair the prpl Carrier Interest Group and lead the way in shaping its guidance and recommendations. Both companies are key providers of CPE software for network and television operators.

“This is a great opportunity to blur two worlds (open source and commercial entities) that are much closer than they are perceived; through prpl we have the concrete possibility to speed-up carrier-grade products leveraging the power of the distributed and cooperative approach typical of open source communities,” said Pasquale Bombino, VP of engineering at ADB and co-chair of the prpl Carrier Interest Group.

“The prpl Foundation represents a structured, credible, reliable approach to foster common efforts of the industry and key open source communities, such as OpenWrt, to build innovative software solutions,” said Wojtek Makowski, co-chair of the prpl Carrier Interest Group and CTO of SoftAtHome.  “The prpl Carrier Interest Group in particular will act as a bridge between open source communities and commercial entities, such as carriers and their technology ecosystem, to help narrow the gap between the requirements of both sides.”

Earlier this year, the Home Gateway Initiative announced its dissolution after it fulfilled its mission to set out key specifications for home gateways, home networks and the smart home. The prpl Foundation aims to further this initial work by developing the use of open standards to help manufacturers make their products and components more secure and interoperable.

“The prpl Foundation is uniquely positioned to carry on the good work that the HGI has started with its HGI Virtualization document published earlier this year,” said Art Swift, president of the prpl Foundation.  “We have a proven track record in what it takes to be successful when working with open standards through our vibrant, active community and an outstanding ability to deliver quality, peer-reviewed and actionable guidance.  We are pleased to welcome ADB and SoftAtHome to prpl and hope others see the potential of IoT in the home to become much safer and more secure in the future.”

The first meeting of the prpl Carrier Interest Group took place in Paris on the 28th and 29th of June and assembled key members of prpl, the OpenWrt and related developer communities, as well as major software vendors providing software for the carriers, CPE equipment providers, chipset vendors, and members of the Broadband Forum.  

“SoftAtHome was pleased to host this first face-to-face meeting. Carrier inputs were much appreciated and the meeting clearly showed that an open source community and commercial entities can work together in a coordinated manner,” concluded Makowski.

(213)

On the recent DDoS attack on Pokemon Go, security experts at Imperva Incapsula, Plixer and Correro provided the following comments: 

Ofer Gayer, product manager for DDoS at Imperva for the Incapsula product line: “Since online gaming platforms like Pokemon Go are highly sensitive to latency and availability issues, they’re ideal DDoS attack targets. Mitigating DDoS on game servers is a particularly complex task. Gamers are very sensitive to the impact on latency, so what may be considered negligible for most services can be very frustrating for the gaming community. This can be affected by multiple factors, most prominently the distribution of scrubbing locations and time to mitigate (TTM).”

Thomas Pore, director of IT and Services at Plixer: “News of this DDOS immediately reminds me of when Lizard Squad took down XBOX Live and PSN. Initially I thought this could be motivated by amusement, or even in allegiance to the conspiracy theorist that Pokemon Go is a secret surveillance operation. Whatever the motive is, everyone involved suffers; gamers suffer from the inconvenience of the outage and the money stops streaming in to Nintendo-Niantic. Maybe this will remind gamers that there is more to life than chasing Pokemon around. 

Since PoodleCorp has threatened a larger attack in the future, it’s possible that we’ll see more problems down the road or maybe they are looking for fame from an incident caused by overwhelming popular demand.”

Stephanie Weagle, senior director at Corero Network Security, comments: “The reports that Pokemon GO has suffered service disruptions and outages due to DDoS appears to have left players frustrated. 

“The online gaming industry is highly susceptible to DDoS attacks due to the competitive nature of the games themselves, monetary gains or the notion that organized cyber crime syndicates can grab headlines with their successful attacks.

“DDoS attack tools are easily procured and at low cost allowing any creative attacker the ability to cause service disruptions at a click of a mouse.

“Traditional security infrastructure, or legacy DDoS mitigation solutions are not sufficient to handle the flood of DDoS attacks, especially since attackers have become more savvy in their techniques; launching low-level, multi-vector attacks that evade scrubbing solutions. In-line, automated DDoS mitigation is the only effective defense in the world of online gaming.”

More information can be found here:

http://www.independent.co.uk/life-style/gadgets-and-tech/gaming/pokemon-go-down-servers-ddos-attack–

(258)

According to the new Visa Biometric Payments study, consumers across Europe are interested in using biometrics when making a payment – especially when integrated with other security measures. Nearly three-quarters see two-factor authentication, where a biometric is used in conjunction with a payment device, as a secure way to confirm an account holder. 

 Robert Capps, VP at NuData Security, an award winning behavioural biometrics company shared the following comments with @DFMag

“This study proves that there is a strong desire on the part of consumers to have secure AND frictionless user experiences when interacting and transacting online. The desire, however, might not match up with the reality of the situation. Physical biometrics such as fingerprints, selfies and voice authentication are seen by some as the ‘holy grail’ in user authentication, but they aren’t fool proof, and there are other challenges that may block their widespread adoption in non-face-to-face interactions.

The fact that 53% of respondents see fingerprints as a viable security solution isn’t surprising, given that they are already part of the authentication lexicon, and solutions such as Apple’s Touch ID have given consumers a glimmer of the future of biometrics, while delivering an outstanding user experience.  Such solutions have a central place in the overall security mix, part of a good multifaceted approach, but they are still static data points that can potentially be misused in the wrong hands. While not generally acknowledged by the general public, fingerprints can be spoofed and unlike passwords, fingerprints last a lifetime.  The lasting and permanent nature of fingerprint data may actually have more negative impacts than passwords which can at least be changed.

Loss of fingerprint data is not just a theoretical concern, as several large breaches over the last couple of years have exposed fingerprint data en masse. As stolen data is often traded and consolidated into larger, more accurate consumer profiles that can be used for a number of nefarious purposes from espionage, to identity theft, and financial fraud.

Selfies and voice biometrics also have contextual issues in that it may not always be appropriate to take a selfie or provide a voice sample to authorize an online transaction. Particularly in a place where such activity may be frowned upon or disruptive (such as a meeting, on public transit, airports, or in a culturally sensitive place).

Beyond the social and cultural issues, there are concerns about how a move to physical biometrics may provide a false sense of security to consumers and institutions, given the wealth of physical biometric data that is shed by a person through their day to day life.

While liveness verification has become a standard in modern physical biometric verification systems, they are not without flaws that allow pre-recorded or captured biometric data to be replayed. Voice samples are recorded with every voicemail you record. Fingerprints are left behind on every object you touch. Your iris and facial data is recorded with every photo you pose for. Recent data breaches have also shown that high fidelity physical biometric data can be stolen in bulk, just like credit card numbers and user credentials – effectively making these physical biometrics more static data that can be stolen and reused to impersonate you in non face-to-face transactions.

The way forward is to balance the need for a frictionless customer experience and actual security that focuses on the use of non-static signals and indicators of human identity – signals that cannot be stolen, reused or replayed for impersonation.

Passive biometric solutions identify suspicious activity in a completely passive and non-intrusive way by understanding how a legitimate user truly behaves in contrast to a potential fraudster with legitimate information. So, even if the fraudster has your spoofed fingerprint, and all of your account information, organisations can look at your behavioural events, biometrics, device, geography and other layers to determine if you are the real actor behind the device or fingerprint.

Users can even be rewarded for good behaviour with a white glove experience, or extra perks and incentives, giving bands and e-commerce companies the unheard of potential to actually improve their brand experience with their security layer.”

(202)

The public sector is under great pressure to reduce spending, increase efficiencies and adopt cloud models, transforming service delivery.  Despite the benefits, cloud computing presents worrying hurdles relating to Interoperability, data security, governance and cost.
With these matters in mind, GovNewsDirect have conducted a public sector survey, specifically for Central Government, Local Authorities & the Blue Light & Justice sector.

In partnership with NetApp, specialists in Data Management and Cloud Storage Solutions, the survey objective was to identify the current adoption & barriers of cloud services throughout the public sector. 

The survey received over 550 respondents, including C-Suite, Directors and Heads within ICT, Procurement, Finance and many other departments. The report highlighted the key concerns, constraints and challenges organisations’ face when adopting cloud operations as part of their workflow and back office operations..

Key Survey Findings:

Efficiency and cost reduction were cited as the two most anticipated benefits to be realised by cloud adoption.

Almost a 1/3 of respondents who had already deployed workload in the cloud had or were planning to repatriate their workload to a different cloud provider.

More than half of respondents stated that the reason to repatriate would be cost or low service levels.

Over 1 in 5 respondents showed little or no confidence that their data is secured or could be recovered in the event of a failure / disaster.

Respondents indicated that cloud computing will play a significant role in supporting their digital transformation programs and would play an increased role in operating models for the future. One respondent expressed concerns on data security and was “not sure that some cloud providers have adequate credentials or controls to safeguard our data. Independent audits we’ve had done in the past reaffirms our cautious approach.” Disturbingly, many respondents revealed they were unclear as to where responsibilities lie for the protection of data within the cloud. 

“Your Data in The Cloud: Manage, Move & Protect 2016” survey highlights that the shift to cloud computing still raises high concerns and the anticipated benefits are not as easily obtained as originally expected. That said, total G-cloud spend has climbed to over £1bn and is set to increase further.

Due to the diversity of applications deployed across government and the rapidity at of evolving technology, flexibility is essential, whereby organisations can capitalise on the resources from whichever cloud model meets their specific need. 

Despite the challenges identified via this survey, government organisations want to face the problems head on and are keen to connect cloud environments, liberating data and providing their organisation with a unified view of their IT landscape, firmly putting government back in control of their data.

The details of the survey can be found here: http://assets.govnewsdirect.co.uk/forms/netapp_your_data_in_the_cloud

(171)

Following the revelations that the UK railway network has suffered at least four major cyber attacks over the last year, Alex Mathews, Head of Technology EMEA at Positive Technologies shared the following;

“At the heart of any modern railway infrastructure lie microprocessor-based railway control systems. They employ object controllers that manage traffic lights, track circuits, switchgear, and rail crossings.

“If hackers manage to gain unauthorized access to such systems and bypass functional protection mechanisms, they may perform a wide variety of actions like throwing points under a train or falsifying data on track occupancy, making busy tracks looks like vacant ones and vice versa. Consequences of such actions may include not only financial losses (railway tracks not used or derailing of a freight train due to misleading signaling that points to a dead-end), but also a human toll (trains colliding due to spoofed traffic light signalling).

“Positive Technologies experts pay close attention to the issue of railway infrastructure security and carefully study existing ICS vulnerabilities to design protection systems to counter these threats. During the last several years, the specialists discovered dozens of high severity vulnerabilities and attack vectors that may directly affect industrial security of railway transportation, which was demonstrated at Positive Hack Days, the international conference on practical cybersecurity. The forum featured a model railway (images available on request) where all its elements including trains, level crossing gates, and traffic lights were managed by an ICS.

“The forum participants were suggested to perform a number of tasks that showcase possible consequences of hacker attacks on railway infrastructure objects. The competition demonstrated that hacking industrial systems some of which were designed without any regard to cybersecurity standards is a task easy enough even for beginners.” 

(149)

It is being reported that there was a spike in cyber attacks on Philippine government web sites, including a key Malaccañang agency, following the United Nations International Arbitration court’s ruling in favour of the Philippines on the West Philippine Sea territorial dispute. However, it was not clear if the attacks were carried out by parties associated with China itself, as they apparently emanated from multiple countries. So far, the government has not been able to pinpoint the origin of the attacks. All were categorised as DDoS, or Distributed Denial of Service actions.

Stephen Gates, chief research intelligence analyst at NSFOCUS, commented;

“The fact that miscreants were able to negatively impact 68 government-based websites, demonstrates that these entities have little if any DDoS defences in place.  Today, DDoS attacks can easily be defeated with the right Cloud DDoS Protection Services combined with on-premises DDoS Protection Solutions.  Why don’t organisations already have these defences in place?  Most likely its due to the belief, “Why would anyone attack us?”  Any website can be taken offline without DDoS defences in place.  It’s just a matter of time….

Often the sources of DDoS attacks are not the attacking machines.  They’re just unknowingly infected, and can be located anywhere in the world.  The real source of the attack is from the individuals who have command & control over the botnet infected machines in the first place.  Those individuals could be lying on a beach, climbing a mountain, riding in a car, or having a coffee in a café. Geographic location is of little importance.”

(124)

The Microsoft corporation won a major legal battle yesterday against the United States Justice Department when a federal appeals court ruled that a warrant for a suspects data does not extend to information stored in overseas computers, handing a victory to privacy advocates. Circuit Judge Susan Carney said communications held by U.S service providers on servers outside the United States are beyond the reach of domestic search warrants, reversing a 2014 ruling by a US district court requiring Microsoft to turn over emails stored on a server in Dublin.

Simon Crosby, CTO and co-founder at Bromium, comments;

“Although privacy advocates will claim that this is a major win, it is really a win for the rule of law. Microsoft has long maintained that if the US Government wants data stored on a server in Ireland, it can do so by pursuing its claims through the Irish legal system. Microsoft’s position has been vindicated. This is an excellent outcome and we all owe Microsoft our gratitude for preventing the US Government from overreaching its authority. If it has succeeded here there would be negative effects on the tech industry, in particular cloud and SaaS providers – in effect a chilling consequence on the computing industry.”

Jamie Moles, Principle Security Consultant at Lastline added the following thoughts;

“This is a common-sense ruling overriding the lower courts mistaken judgement that the USA court system had supremacy over all other countries sovereignty and judicial systems.    The effect internationally had this ruling been upheld would have been a massive chilling of relations with American businesses across the globe and the American Judiciary would have been lining itself up for a significant fight with the European Union over data privacy laws.

Additionally it would likely have meant significant corporate re-structuring  as American owned businesses would have rushed to change their corporate structures so that their European subsidiaries ownership was moved to non-USA parentage.  

This can be a bit complex, but as a theoretical example:- 

Microsoft could have restructured by creating a new holding company that was based somewhere like Cayman Islands (or some other corporate haven) and changed their structure so that ownership of the European subsidiaries was moved to the holding company instead of Microsoft Corporation.   If they then moved Microsoft Corporation under this holding structure too it is feasible that the USA judiciary would then have their demands to access data frustrated because they have no jurisdiction over the holding company and Microsoft Corporation has no ownership of either the holding company or the European subsidiaries – so cannot be compelled to produce the data in court.

This is all moot now as the ruling has been changed,  but would have made for interesting times had it been upheld.”

(183)

A recent article in The New York Times, “US Cyberattacks Target ISIS in New Line of Combat” about how the military is using computer-network attacks alongside traditional weapons for the first time.

Richard Cassidy, technical director EMEA, at Alert Logic has offered some insight into this new “cyberbomb” tactic.

What type of attack do you think the military might be using?

Richard Cassidy: “Government and military organisations have long been aware of the need to ensure effective capabilities in dealing with threats to national security in this new age of cyber warfare that we’ve seen proliferating quite rapidly over the past 3 to 5 years. Key considerations in any cyber warfare strategy will be based upon both disruptive operations and counter intelligence activities; ultimately working to render efforts (or potential targeted campaigns) by any terrorist or cyber-criminal group, either useless or of too high a risk to initiate in the first instance. Military organisations will quite clearly be working to understand the tools, techniques, tactics and procedures in use by these dissident groups and as such will be poised to proactively research and analyse how each threat proliferates from initial reconnaissance of targeted networks through to malware activity both within the targeted environment and external communication attempts to malicious domains/IP’s. Overall we’ll find that the tools in operation wont differ a great deal from what is already available openly on both the Internet and DarkWeb, which to all intents and purposes makes lives a great deal easier when conducting such operations.

The ability to disrupt will be born out of a diverse and constantly evolving toolset, allowing military organisations to disable environments where attacks may be launched (through Infrastructure based threats, DNS level attacks and blocking capabilities), in addition to monitoring key DarkWeb communication channels to monitor for creation and movement of malware that may be used by these organisations, with a view to identifying sources and disabling the chain at a grass roots level. Counter-Intelligence operations may well reap far more rewards in terms of taking the fight direct to the source(s) of such nefarious activity, often by reverse engineering malware through specially crafted environments designed to track and monitor this behaviour, a huge degree of detail can be retrieved often leading military organisations right to a specific individual or group of individuals involved in terrorist or criminal activity from a cyber perspective.”

Is this the first time the military is using cyber attacks against ISIS? If so, why do you think the military is now implementing this tactic? Was it a technology issue?

Richard Cassidy: “It should be clear that cyber attacks have long been a tool in the arsenal of most military organisations across the globe, and we’ve seen some examples of this specifically when looking at breaches or attempted breaches against U.S military and government organisations from other parts of the world. “State Sponsored” is a term we have become more accustomed to today, more than ever before and for obvious reason. How often governments have condoned or even utilised cyber attack capabilities as part of operations against known terrorist or criminal groups is a point of contention and clearly no reliable data source exists; it is however a key capability that we need to be able to execute on as a country, given the evolution of how these groups are now working to target nations, key infrastructure, utilities, security and public organisations.”

Will this set the “cyber” precedent for combat with future enemies?

Richard Cassidy: “We are already at a point where to implement an effective and reliable defence strategy in the interest of national security, there needs to be capabilities in both physical and virtual warfare approaches. We can no longer rely on just physical intelligence and operational activities to remain one step ahead of terrorist or criminal groups; we now have to focus a great deal of resource in cyber warfare activities, given that we are seeing increased activities by these groups in this area. If you look at the astonishing number of exploits and vulnerabilities that have existed in online environments (right across all industries), coupled with application weaknesses that can be targeted relatively easily, exposing weaknesses at the very gateway to key information stores and network infrastructures, then it’s no wonder at all that government and military organisations are already ensuring their own “cyber” capabilities in terms of protecting themselves. The path of least resistance still remains a key threat vector in all aspects of security and online warfare represents a key focus (as we’ve seen over the past several years) for terrorist organisations, given the ease at which these type of attacks can be instigated and sustained with relatively little resource overall.”

(141)

It is being reported that Wendy’s credit card breach is larger than first thought. Originally less than 300 of the company’s 5,800 locations were impacted. This afternoon Wendy’s said the number of stores impacted by the breach is “significantly higher” and that the intrusion may not yet be contained.

@DFMag received the following commentary from George Rice, senior director, payments at HPE Security – Data Security:

“More than ever, retailers must put data security at the top of their priority lists. Common approaches to security may no longer be secure as criminals are armed with increasingly effective malware and hacking tools.

Retailers should develop security strategies that meet the highest cryptographic standards, are easy to maintain and allow for continuous advancement of the merchant’s payment ecosystem.

We recommend a data-centric approach to data security. This allows for sensitive data to be protected at the moment of acceptance and remain protected throughout its lifecycle in the organisation.

Retail malware is typically designed to steal clear data in memory from Point of Sale (POS) applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale. And unfortunately, POS systems are often the weak link in the chain — they should be isolated from other networks, but often are connected. A checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.

Fast food, and any businesses using POS systems, can avoid the impact of these types of advanced attacks. Proven methods are available to neutralise data from breaches either at the card reader, at the point of sale, in person or online. Leading retailers and payment processors have adopted these data-centric security techniques with huge positive benefits: reduced exposure of live data from the reach of advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.1 compliance enforcement laws, laws aimed at making data security a ‘business as usual’ matter for any organisation handling card payment data.

The good news is that savvy merchants are already tackling this risk and giving the malware nothing to steal through solutions that also have a dramatic cost reducing benefit to PCI compliance. Encrypting the data in the card reading terminal ahead of the POS eliminates the exposure of live information in vulnerable POS systems. The attackers get only useless encrypted data.”

Rice also offers these tips for retailers:

“Only collect customer data that you need and can adequately protect. Why do you need date-of-birth or social security numbers, for example? Encrypt or tokenize everything you determine to be mission-critical.

Protect data at the moment of submission by the customer. Criminals know to embed malware near to data acceptance points, like point-of-sale systems or web front-ends.

Only unprotect or unencrypt data when absolutely necessary. A high percentage of the time, applications and users can work equally well with a surrogate value.”

(109)