The number of pirated assets is set to rise by 22%

New research on the ecosystem for pirated software and digital assets has been conducted by Arxan and iThreat Cyber Group (ICG). The report reveals that illegal reproduction and distribution of copyrighted material on the Web is booming as a result of security breaches in both mobile and desktop software applications.

Arxan and ICG analyzed data collected over the past three years that examined the distribution of unauthorized digital assets on the Dark Web and indexed sites that are focused on distributing pirated releases. Thousands of sites were analyzed, including over 50 in the sole business of distributing pirate releases. The report focuses on the areas of software, gaming and digital media. The analysis revealed:

- 6M releases were pirated in 2014.
- The extent of digital media piracy is far more extensive than commonly perceived.
  - In 2013 and 2014, on average nearly 1 million pirated releases were found.
  - In 2015, videos (TV, movies, etc., excluding adult content) accounted for about 50 percent of releases found, and adult content for roughly 25 percent.
- The cost, or un-monetized value, of copyright-infringing releases in 2014 is estimated at more than $800 billion.
- Piracy of software and digital assets is on the rise.
  - 96M pirated assets are expected by the end of 2015, an increase of 22 percent over the last three years.
  - If distribution of pirated games continues at the current rate, over 31,000 unauthorized releases will be active in 2015, double the number of pirated releases just three years ago.
- Malware linked to pirated software is an enormous cost to both businesses and consumers: enterprises will spend $491 billion dealing with malware associated with pirated software.

“The findings in Arxan’s State of Application Security prove that piracy is one of the greatest threats to intellectual property and creative content, highlighting the enabling role pirated releases play in spreading extremely harmful malware across a range of industries – where the challenges of defending against it – are complex, but not insurmountable,” said Patrick Kehoe, Chief Marketing Officer of Arxan.

The report found that piracy is on the rise because of poorly protected applications and a rapidly evolving distribution system for pirated releases. Few applications, for example, are deployed with protected binary code. An adversary can take an unprotected application binary apart with a disassembler or decompiler and recover a close approximation of its source code; Android apps are the easy case, since the Dalvik bytecode in an APK decompiles to readable Java with off-the-shelf tools. With the recovered logic (licence checks, content keys, server protocols), pirates can copy, maliciously modify and redistribute the software with little effort. MetaIntelli’s June 2015 analysis of 96,000 Android apps from the Google Play store found that fewer than 10% of them had protected binary code.

Attackers obtain digital media through a number of techniques outlined in the report. Most extract the cryptographic keys that govern access to the media from the client software that has to hold them, then use those keys to decrypt the protected files and distribute them illegally.
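The key-extraction step above is mechanical when the key sits unprotected in the binary, and the scan below shows why. It is an added example, not code from the Arxan/ICG report: a sliding-window check that flags regions which are both high-entropy and non-textual, the signature of key material sitting among code, strings and padding. The "binary", the embedded key value and the thresholds are constructed for the demo; on a real target the same scan is pointed at the unpacked executable or shared library.

```python
import math
from collections import Counter

# Constructed stand-in for a secret baked into an unprotected binary: a fixed,
# random-looking 32-byte value (a real build would embed os.urandom() material
# or a vendor-issued content key). It happens to contain 30 distinct bytes.
EMBEDDED_KEY = bytes.fromhex(
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
)

# Constructed "binary": licence strings and zero padding around the key,
# standing in for the read-only data of an app shipped without protection.
_FILLER = (b"Licensed to: ACME Corp. Unauthorized copying prohibited. "
           b"ERROR: license check failed\x00") * 4
SAMPLE_BINARY = _FILLER + EMBEDDED_KEY + _FILLER + b"\x00" * 64
KEY_OFFSET = len(_FILLER)


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte of a chunk: 0.0 for constant data, at most log2(len(chunk))."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def printable_fraction(chunk: bytes) -> float:
    """Share of bytes that are printable ASCII; string tables score near 1.0."""
    return sum(0x20 <= b < 0x7F for b in chunk) / len(chunk)


def find_key_candidates(blob: bytes, window: int = 32,
                        min_entropy: float = 4.5,
                        max_printable: float = 0.6):
    """Slide a window over the blob and merge consecutive hits into regions.

    A hit is a window that is high-entropy (unlike code and padding) and
    non-textual (unlike strings). With a 32-byte window the entropy ceiling
    is 5.0 bits, so 4.5 is a demanding bar. Returns [(start, end, peak)].
    """
    regions = []
    current = None
    for off in range(len(blob) - window + 1):
        chunk = blob[off:off + window]
        ent = shannon_entropy(chunk)
        hit = ent >= min_entropy and printable_fraction(chunk) <= max_printable
        if hit:
            if current is None:
                current = [off, off + window, ent]
            else:
                current[1] = off + window
                current[2] = max(current[2], ent)
        elif current is not None:
            regions.append(tuple(current))
            current = None
    if current is not None:
        regions.append(tuple(current))
    return regions


if __name__ == "__main__":
    for start, end, peak in find_key_candidates(SAMPLE_BINARY):
        print(f"candidate key material at 0x{start:x}-0x{end:x} "
              f"(peak entropy {peak:.2f} bits/byte)")
    print(f"actual key offset: 0x{KEY_OFFSET:x}")
```

Run on a real file, the reported offsets are exactly where a pirate next sets a breakpoint or follows cross-references in a disassembler to find the decryption routine. Binary obfuscation and runtime key derivation, the protections the report is arguing for, are what make this scan come back empty or misleading.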

Hundreds of millions of Internet users worldwide are accessing pirate distribution sites. Many of these sites survive based on Ad revenue (i.e., advertisers are paying to promote their products and services on these sites), while others charge users a fee or request donations from their users. The largest content theft sites generated more than $200 million in advertising-driven revenues in 2014.

“The threat posed by piracy cannot be limited to its effects on one company, one industry or one country. The sheer number of cases in the US and abroad, dictates software, digital media and mobile gaming industries become savvier with regards to techniques for combatting pirated releases across national boundaries,” said Jeff Bedser, CEO of iThreat Cyber Group. “The best thing content owners can do is continually monitor the marketplace and equip themselves with intelligence tools and leverage data and application protection techniques to fight piracy head on.”

To view the info graphic and access the full report, visit:



Majority of malvertising attacks are hosted on news and entertainment websites

With news and entertainment websites some of the most popular among internet users, it’s not hard to believe that they are also among the most popular for malvertising, according to a new report by Bromium Labs “Endpoint Exploitation Trends 1H 2015”.

The report highlights the current threat trends within the World Wide Web and has found that the most common attacks target the most popular environments.

“Hackers continue to innovate new exploits, new evasion techniques and even new forms of malware – recently ransomware – preying on the most popular websites and commonly used software.”

Key findings from “Endpoint Exploitation Trends 1H 2015” include:

News and Entertainment Websites Hotbed for Malvertising — More than 58 percent of malvertisements (online advertisements carrying hidden malware) were delivered through news websites (32 percent) and entertainment websites (26 percent); the report names several well-known websites that were unknowingly hosting malvertising.

Attackers Targeting Flash — During the first six months of 2015, Flash experienced eight exploits, an increase of 60 percent since 2014, when there were five exploits. Most active exploit kits are now serving Flash exploits, potentially impacting a large number of Internet users, given the ubiquity of Adobe Flash.

Continuous Growth of Ransomware — In the first six months of 2015, nine new ransomware families emerged: CoinVault, TeslaCrypt, CryptoFortress, PClock, AlphaCrypt, El-Polocker, CoinVault 2.0, Locker and TOX; this is an 80 percent increase from 2014 and represents significant growth since 2013, when there were only two ransomware families: CryptoLocker and CryptoWall. Ransomware continues to grow as cybercriminals realize it is a lucrative form of attack.

Malware Evasion Avoids Detection — Bromium Labs analyzed malware evasion technology and found it is rapidly evolving to bypass even the latest detection techniques deployed by organizations, including antivirus, host intrusion prevention systems (HIPS), honeypots, behavioral analysis, network filters and network intrusion detection systems (NIDS).

A PDF of the full report is available here:



UK and Singapore agree to increase cooperation in cyber security

Earlier this week, Prime Minister David Cameron announced that the UK and Singapore have agreed to increase cooperation in cyber security.

Reacting to the announcement, Ian Shaw, managing director of MWR InfoSecurity, said, “We fully support this announcement and, in fact, we are already active in the region, offering a range of cyber security services to Singaporean businesses and government agencies.”

“We think further cooperation, particularly the funding for research and development, is a tremendous step forward as the security of new technologies is vital for Singapore to meet its ambition to become a Smart Nation. In fact, over the last twelve months, we have been sharing our innovative research in Cyber Defence, Smart Energy and Smart City security.

“One of our Singapore based researchers, Yong Chuan Koh, recently offered insights to Microsoft Office sandboxing – the first in this space. His findings covered the Protected-View sandbox internals including its architecture, its initialisation sequence and the system resource restrictions.”

Speaking before presenting at ReCon Canada recently, MWR Singapore researcher Yong Chuan Koh said, “Criminals will always be looking for ways to fine-tune their code to slip past defences and, as the defenders, it’s our job to make sure they’re unsuccessful. A key part of this, I believe, is research.”

Matt Alderman, VP of Strategy at Tenable Network Security also commented on the announcement stating;

“Singapore’s commitment to security is evident with the creation of the Cyber Security Agency earlier this year. This agreement with the UK could have a very positive effect in cultivating new talent, not only for the implementation of better security capabilities but also for better response during security breaches. Singapore and the Asia Pacific region continue to feel the pressures of a shortage of information security professionals. By 2020, this shortage is predicted to be 1.5M. Cyber security talent development is a critical initiative and it’s great to see cooperation across regions.”




Every Threat is an Inside Threat

By TK Keanini, CTO, Lancope

While the cybersecurity industry is quick to put a label on things (Advanced Persistent Threat, Big Data Analytics and the ever-descriptive Internet of Things, for example), many fail to grasp the similarities between the myriad attacks that have taken place in recent years.

The reality is that most cyberattacks function like an inside threat. Attackers put a lot of focus on compromising the credentials and access privileges of legitimate organization insiders, and this is evident in the research surrounding data breaches.

The 2015 Verizon Data Breach Investigations Report revealed an increase in stolen credentials in point-of-sale intrusions:

“These are also not mere opportunistic attacks. Many incidents involved direct social engineering of store employees (often via a simple phone call) in order to trick them into providing the password needed for remote access to the POS.”

According to the cybersecurity consulting company Mandiant, 100 percent of breaches it has investigated involved stolen credentials.

Last year’s data breach at Target originated from credentials stolen from an HVAC subcontractor, and attackers who gained information about 56 million credit and debit cards from Home Depot last April did so with stolen credentials from a third-party vendor.

What is behind this shift in tactics?

Over the past few decades, organizations have been pumping billions of dollars into strengthening their perimeters and managing vulnerabilities. Meanwhile the rise of remote access and personal devices such as smartphones and tablets have broadened the threat surface and brought more sensitive data in contact with the internet.

Instead of focusing on breaching the perimeter, attackers have just shifted to compromising the human layer, which is more reachable now than ever before. In many organizations, employees have generous access privileges and the ability to log into the network remotely, which means attackers have more opportunities to utilize compromised credentials. Additionally, personal information about employees is also more accessible via social media sites like Facebook or LinkedIn, which gives attackers better insight into how to fool them.

Here’s a hypothetical scenario. An attacker has managed to track down an employee named Mark on social media. Mark likes to talk about his job and his favorite online poker site. The attacker sends Mark an email posing as a representative from the poker site with an attached brochure on new services, complete with malware. Mark opens the attachment without a second thought, and in a few days the malware sends keystroke information including his VPN login credentials back to the attacker.

Now Mark has effectively become an inside threat. Unfortunately, no matter how strong our castle walls are, users who appear legitimate are able to walk right through the front gate.

How do you catch an inside threat?

Since it is nearly impossible to stop a potential attacker at the gate, early detection is key. Fortunately for the defender, an attack isn’t over with the initial breach. The perpetrator still has to execute a number of steps before their goal is complete, and we can stop them at any point in this process.

The first thing an organization needs to catch a threat inside their network is visibility. If firewalls are armed guards at the gate, visibility is the security camera monitoring inside the building. Internal network traffic, access logs, policy violations and more need to be watched continuously for suspicious activity. Know what a regular day looks like on your network. Know how much traffic to expect, who is expected to access sensitive information and what applications are used in the day-to-day business operation. Anything that falls outside of those bounds should be investigated. Remember compromised credentials will look legitimate until you isolate anomalous activity such as moving abnormally large amounts of data, repeated logins during nonbusiness hours or remote access from unusual and faraway locations.

You want to be able to identify the following activities:

- Unauthorized access
- Violation of organization policies
- Internal reconnaissance
- Data hoarding
- Data loss

Data analytics can make a huge difference here. If an organization is large, it can be impossible to monitor network activity manually. Anything important is quickly drowned out by the plethora of other information. Using network telemetry, a good security analytics tool can help the relevant information rise to the top.
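As an added example (not Lancope’s product or code), here are the three anomaly rules the text names, run over a few constructed lines of VPN gateway and flow collector telemetry: successful logins outside business hours, logins from a country the user has never come from, and a day’s outbound volume far above the user’s baseline. The log format, field names, addresses and per-user baselines are all assumptions invented for the demo; the baselines stand in for the “what a regular day looks like” knowledge that a real tool learns from weeks of traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed telemetry: VPN authentications and per-user flow summaries.
# The line format, field names and addresses are assumptions for the demo;
# a real deployment would read syslog and NetFlow/IPFIX exports.
SAMPLE_LOG = """\
2015-07-14T09:02:11Z vpn-gw auth user=mark src=198.51.100.23 geo=US result=ok
2015-07-14T17:45:03Z vpn-gw auth user=mark src=198.51.100.23 geo=US result=ok
2015-07-15T02:13:44Z vpn-gw auth user=mark src=203.0.113.7 geo=RO result=ok
2015-07-15T02:14:02Z flowcollector flow user=mark dst=203.0.113.9 dport=443 bytes_out=734003200
2015-07-15T03:40:19Z vpn-gw auth user=mark src=203.0.113.7 geo=RO result=ok
2015-07-15T10:12:00Z vpn-gw auth user=alice src=198.51.100.40 geo=US result=ok
2015-07-15T10:15:30Z flowcollector flow user=alice dst=192.0.2.10 dport=445 bytes_out=20480
2015-07-15T23:59:59Z vpn-gw auth user=alice src=203.0.113.50 geo=BR result=fail
"""

# Per-user baselines ("what a regular day looks like"); a real tool learns
# these from weeks of telemetry, here they are hard-coded assumptions.
BASELINE = {
    "mark":  {"geo": {"US"}, "daily_bytes_out": 50_000_000},
    "alice": {"geo": {"US"}, "daily_bytes_out": 5_000_000},
}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC, assumed for the demo
BULK_FACTOR = 10               # alert above 10x the user's normal daily egress

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>auth|flow) (?P<kv>.*)$")


def parse_line(line):
    """Turn one telemetry line into a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "kind": m["kind"],
    }
    event.update(field.split("=", 1) for field in m["kv"].split())
    return event


def detect(lines):
    """Apply the three rules and return a list of alert dicts."""
    alerts = []
    egress = defaultdict(lambda: defaultdict(int))  # user -> date -> bytes out
    for event in filter(None, map(parse_line, lines)):
        user = event["user"]
        base = BASELINE.get(user, {"geo": set(), "daily_bytes_out": None})
        if event["kind"] == "auth" and event.get("result") == "ok":
            # Successful logins only: a stolen credential works first time.
            if event["ts"].hour not in BUSINESS_HOURS:
                alerts.append({"user": user, "rule": "off_hours_login",
                               "detail": event["ts"].isoformat()})
            if event.get("geo") not in base["geo"]:
                alerts.append({"user": user, "rule": "unusual_geo",
                               "detail": f"{event['geo']} from {event['src']}"})
        elif event["kind"] == "flow":
            egress[user][event["ts"].date()] += int(event["bytes_out"])
    for user, per_day in egress.items():
        normal = BASELINE.get(user, {}).get("daily_bytes_out")
        for day, total in per_day.items():
            if normal is not None and total > BULK_FACTOR * normal:
                alerts.append({"user": user, "rule": "bulk_egress",
                               "detail": f"{day}: {total} bytes ({total / normal:.0f}x normal)"})
    return alerts


def rank_users(alerts):
    """Users with the most alerts first: the 'rise to the top' step."""
    return Counter(a["user"] for a in alerts).most_common()


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for user, count in rank_users(found):
        print(f"{user}: {count} alerts")
    for a in found:
        print(f"  {a['user']:6} {a['rule']:16} {a['detail']}")
```

Each rule on its own is noisy (a night-time login is routine for someone on call), which is why the ranking step matters: the user who trips several rules in one night, as Mark does here, is the one to investigate first, and the audit trail discussed next is what you then pull to reconstruct what the account did.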

Secondly, keep an audit trail of network transactions for as long as is feasible. Once you detect the attacker on your network, the audit trail can be used to identify how the threat operated and what assets were compromised. It may also help the authorities pursue criminal charges against the attacker.

Lastly, don’t forget that these attackers thrive on compromising the human layer. You should train employees on best practices for using the internet and how to recognize social engineering tactics like phishing. Use network segmentation to limit the amount of sensitive data each user has access to, and monitor traffic from third-party contractors for possible compromised credentials.

As corporations grow in both number of employees and number of connected devices, it has become easier for cybercriminals to pass as legitimate users inside the network. While this trend brings a different set of challenges from other security concerns, organizations can protect themselves with the right tools and mindset. Early detection of these intruders can keep a security event from becoming the next big breach plastered across the evening news.



OpenSSH Vulnerability Leaves Popular Operating Systems and Devices at Risk

Francis Turner – VP Product Research and Security ThreatSTOP

A new vulnerability has been found in OpenSSH which is used by almost all Linux/BSD distributions, as well as many network infrastructure and security devices to allow “Secure Shell” or SSH connectivity for remote management. OpenSSH is not only utilized in open source systems, but is also commonly used in popular operating systems (OSs) such as Mac OS X, and Linux distributions including Ubuntu and Red Hat, as well as devices manufactured by IBM, HP, Sun, Cisco, Novell, Nokia, Juniper, Dell and many others.

SSH is typically used to log onto another computer over a network; execute commands on a remote computer or network device, such as a router or firewall; or securely transfer files from one computer to another over an encrypted channel or tunnel across the internet. SSH and the related SCP and SFTP services can authenticate with a username and password, or with a key pair (public-key authentication, where the server holds only the user’s public key). Typically the SSH service is set up to allow both types of access initially, and for internal connectivity across a local area network (LAN) both are commonly acceptable.

However, it has long been recommended security policy that Internet-accessible devices disable the less secure username/password login once the required keys have been created and configured, since third parties could otherwise gain access simply by brute-force guessing the password. Unfortunately, following this recommendation is not always possible; for example, shared systems such as multi-host servers that provide common services to multiple users and domains may be unable to require that all users have a key, as some Microsoft Windows SSH/SFTP tools do not support the use of keys.

The newly found vulnerability applies to any SSH device running a vulnerable version of OpenSSH that allows username/password logins rather than public keys. An initial review indicates that it affects nearly every device on which password logins have not been specifically disabled, because the OpenSSH code is so widely reused and the bug appears to have been present for more than seven years.

The vulnerability allows an attacker to attempt many thousands of passwords for a user over a single connection, instead of the six (OpenSSH’s MaxAuthTries default) after which the server would normally disconnect. In practice this means that any vulnerable server or network device that accepts username/password logins from the Internet can be remotely accessed if it has a known standard username (e.g. root or admin) and any even slightly popular password. Many networking devices are readily identified as such, and have “admin” as a standard username.
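Whether a given host is exposed comes down to its effective sshd configuration, which `sshd -T` (run as root) prints in full, defaults included. The script below is an added example, not ThreatSTOP or OpenSSH code, that reads that output and reports anything that still lets a password through; the three configurations are constructed for the demo. One caveat a practitioner needs: on Linux builds with PAM, `PasswordAuthentication no` alone is not enough, because `ChallengeResponseAuthentication yes` leaves keyboard-interactive authentication on and PAM will take a password over it. The July 2015 bug discussed above lives in that keyboard-interactive path, so both settings must be off.

```python
import sys

# OpenSSH defaults of the period, used for keywords absent from the input
# (PermitRootLogin's default became prohibit-password in OpenSSH 7.0).
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "yes",
    "maxauthtries": "6",
    "logingracetime": "120",
}

# Constructed `sshd -T` output for a server that still takes passwords.
WEAK_CONFIG = """\
port 22
protocol 2
pubkeyauthentication yes
passwordauthentication yes
challengeresponseauthentication yes
permitrootlogin yes
maxauthtries 6
logingracetime 120
"""

# The same server after the recommended move to key-only logins.
HARDENED_CONFIG = """\
port 22
protocol 2
pubkeyauthentication yes
passwordauthentication no
challengeresponseauthentication no
permitrootlogin without-password
maxauthtries 3
logingracetime 30
"""

# A common half-measure: PasswordAuthentication off, keyboard-interactive
# (PAM) left on, so a password is still accepted.
HALF_FIXED_CONFIG = WEAK_CONFIG.replace("passwordauthentication yes",
                                        "passwordauthentication no")

ROOT_NO_PASSWORD = ("no", "without-password", "prohibit-password")


def parse_sshd_t(text):
    """Parse `sshd -T` output: one 'keyword value' pair per line, keywords lower-case."""
    cfg = dict(DEFAULTS)
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            cfg[parts[0].lower()] = parts[1].strip().lower()
    return cfg


def audit_sshd_config(text):
    """Return [(severity, message)] for every setting that keeps passwords usable."""
    cfg = parse_sshd_t(text)
    findings = []
    if cfg["passwordauthentication"] != "no":
        findings.append(("WEAK", "PasswordAuthentication is on: online password guessing is possible"))
    if cfg["challengeresponseauthentication"] != "no":
        findings.append(("WEAK", "ChallengeResponseAuthentication is on: keyboard-interactive (PAM) still accepts passwords"))
    if cfg["pubkeyauthentication"] != "yes":
        findings.append(("WEAK", "PubkeyAuthentication is off: keys cannot replace passwords"))
    if cfg["permitrootlogin"] not in ROOT_NO_PASSWORD:
        findings.append(("WEAK", "PermitRootLogin lets root log in with a password"))
    # The two limits below only slow guessing on a host that still accepts
    # passwords; they are not a substitute for turning passwords off.
    if int(cfg["maxauthtries"]) > 3:
        findings.append(("ADVISE", f"MaxAuthTries is {cfg['maxauthtries']}; 3 is enough for a legitimate user"))
    if int(cfg["logingracetime"]) > 30:
        findings.append(("ADVISE", f"LoginGraceTime is {cfg['logingracetime']}s; a shorter window caps retries per connection"))
    return findings


def is_key_only(text):
    """True when nothing in the effective config still accepts a password."""
    return not any(sev == "WEAK" for sev, _ in audit_sshd_config(text))


if __name__ == "__main__":
    # `sshd -T | python3 sshd_audit.py` on a real host; the weak sample otherwise.
    text = WEAK_CONFIG if sys.stdin.isatty() else sys.stdin.read()
    for severity, message in audit_sshd_config(text):
        print(f"{severity}: {message}")
    sys.exit(0 if is_key_only(text) else 1)
```

Run it as `sshd -T | python3 sshd_audit.py` on each Internet-facing host (the file name is an assumption). A clean result means the guessing attack has nothing to guess against; the MaxAuthTries and LoginGraceTime advice only limits how fast an attacker can hammer a host that still accepts passwords, and a bug that bypasses the retry counter makes it worth little on its own.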

Organizations that have deployed a proactive security intelligence service are protected from the scanners that will be performing this attack. Any attempts by the attackers who are scanning organizations’ networks looking for vulnerable systems will be immediately reported to the vendor. Once reported, the IP address used to scan will be added to their database of known bad actors. All activity from that IP address—inbound and outbound communications—will be blocked going forward. This enables the vendor to protect an organization’s sensitive data by blocking any attempts at data exfiltration via the IP address and any domains or URLs that use the server or host with that IP address.

Security teams can also look up IPs that they suspect are being used for scanning at:



UCLA Health System cyber attack affecting 4.5 million patients

It has emerged this evening that UCLA Health System has been the victim of a criminal cyber attack affecting 4.5 million patients. The attackers accessed a computer network that contains personal and medical records.

Clinton Karr, senior security strategist, Bromium

“Healthcare information security is in critical condition. We have seen report after report of millions upon millions of records breached this year. According to the Department of Health and Human Services, more than 120 million people have been compromised in more than 1,110 separate breaches since 2009 – a third of the US population. These data breaches are symptomatic of a failure of healthcare organizations to invest in preventative measures, such as threat isolation.”

Gavin Reid, VP of threat intelligence, Lancope

“This is another in a long series of recently discovered compromises of medical institutions: Carefirst, Anthem, Bluecross and now the UCLA HS. At this point we probably have more breached medical databases than ones that haven’t been compromised. The problem is that no one wants to spend additional money, and at hospitals you had better be spending that money on new medical equipment or something that saves lives. The hospitals have budgetary needs that impact directly on patient care and, let’s face it, real life-and-death situations (better staff, better equipment). The move from paper records in filing cabinets locked away in rooms to online accessible record keeping has been fuelled by cost savings and by the increase in medical hardware/software that can take feeds of this data and update automatically. Hospitals have mass-adopted online record keeping but haven’t seen themselves as a target like a bank. The medical industry as a whole has to up its game in security maturity, especially basics like patching, security controls and incident detection and response.

1) Why is this growing?

Three reasons

Large-scale attacks on hospital patient-record databases, along with areas that are doing medical research, can be an extremely valuable source of data for pharmaceutical and other medical research. Some medical offices have unique patient records and histories spanning years that could never be recreated and have huge research value. Secondly, the patient records themselves often have very complete PII (Personally Identifying Information) sets that are easily used in more common data theft scenarios. The last and increasingly common one is where medical identity theft is used to create fraudulent insurance claims using a stolen identity.

2) What can be done to stop it?

The medical industry as a whole has to up its game in security maturity especially basics like patching, security controls and incident detection.

3) What can a consumer do to protect him/herself?

Limit who has your personal data when possible – share only with trusted providers that have a need to know.  Be vigilant if you ever come across a medical bill in your name that covers services you didn’t receive – even if there is no associated bill or charge.”



Offset Agreements: A Practical Guide

Toby Duthie, Partner, Forensic Risk Alliance & Lukas Bartusevicius, Business Development Analyst, Forensic Risk Alliance.

Offset agreements have played a major role in global defense procurement over the past few decades. Global defense budgets are growing rapidly, leading to fierce competition among suppliers and ever-greater scrutiny of government spending. In order to offset the cost of defense procurement and to source the most cost-effective deals available, buyer countries often require defense vendors to make additional investments in the country, often worth 50 to 100% of the value of the main contract. Agreed offset packages are very complex and secretive, and often have little to do with the vendor’s operations; taken together, this presents major risks to the vendor.

The unique nature of offset packages makes them difficult to compare – valuation of the offset performance is therefore tricky. Offset obligation value is expressed as a percentage of the main contract’s value, which is then processed by a government formula. This is usually a function of the expectations of the performance of the vendor in the prescribed offset package, which is then used to establish performance requirements. Upon successful completion of such arbitrarily prescribed tasks, vendors earn offset credits; once the required amount of offset credits is acquired, the offset is deemed complete.

Due to often complex and evolving requirements in unknown markets, as well as potentially biased expectations and arbitrary measurement, offset discharge becomes a difficult issue to manage. The issue is exacerbated by the fact that offset obligations often are a secondary consideration to the main contract, which may lead to so-called offset-gaps. To deal with management issues and to protect the main contract, vendors often commit significant resources to offset ventures but not always before the main contract has been awarded. However, lack of oversight and compliance measures bring about high third-party risk.

Since 2007, many governments have been cracking down on international corruption. It is estimated that $2.6 trillion is lost annually to fraud, bribery and other corrupt practices. Government procurement is the most corrupted activity at the international level: according to the OECD, between 1999 and 2014, 57% of all bribes were paid to secure government procurement contracts. International anti-corruption regulations are very flexible when it comes to jurisdiction. The main legal tools, the US Foreign Corrupt Practices Act, the UK Bribery Act and the obligations of the OECD Anti-Bribery Convention, cover the same corruption offences: bribery of a foreign official, commercial bribery, record-keeping and internal control violations, and failure of a commercial organization to prevent bribery. Each of these offences carries severe penalties, which matters all the more because the guilty parties are very often unaware of the violations they are committing. Defense vendors therefore run a high risk of sanctions and fines, and of prison sentences for individuals.

The offset industry is booming, which has both positive and negative effects. The highest risk for vendors is non-compliance, which can lead both to sanctions in multiple jurisdictions and to the loss of the main contract. As offset deals are unique and non-comparable, a strategic business development approach is commonly applied, and internal compliance departments based in home countries are often left out of the loop. Companies should follow the emerging best practice of strengthening their oversight of offset ventures during deal structuring (through thorough due diligence on the stakeholders involved, ensuring all transactions comply with all international regulations, and analysing the offset valuation) and during discharge (by auditing performance documentation, which is often in a foreign language and prepared under unfamiliar accounting standards, monitoring credit claim procedures, and ensuring all internal controls, books and obligations are met). Furthermore, vendors should invest heavily in measures that pre-empt and prevent corruption, bribery, money laundering and fraud. Finally, and most importantly, it is vital to remember that in offsets one size does not fit all: a flexible, tailored approach is of crucial importance.

Forensic Risk Alliance


Forensic Risk Alliance is an international firm of forensic investigators and accountants, data protection experts and eDiscovery specialists with offices in the US, UK, France and Switzerland. It helps businesses to resolve complex and high-risk financial, legal and regulatory challenges. Its people provide independent, conflict-free advice and litigation support services, often in the local language. FRA collects and analyzes data for use in legal disputes and investigations (often cross-border) in a number of areas, including litigation, fraud, bribery and corruption investigations. FRA is one of only ten companies in the world approved to carry out validation audits for the EITI (Extractive Industries Transparency Initiative), which evaluate how well a country’s government conforms to the EITI’s standards of transparency in reporting revenue received from the extraction of natural resources.



Several children saved from live streaming child abuse ring

Eight children have been saved from a life of sexual abuse following the arrest of a group offering live-streamed sexual abuse. The arrests and rescues followed international efforts by law enforcement authorities in Belgium, Australia and the Philippines.

Europol press release – “The operation began in Belgium as a case against a Dutch citizen in Antwerp who was sexually abusing his very young foster children in Cambodia as well as other children in the Philippines. Authorities tracked his involvement in producing and distributing child abuse images (including his own material) and videos of live child abuse that were filmed in front of webcams. The Dutch suspect and a female abuser were arrested, and all eight of the vulnerable children were removed from harm.” 

Christian Berg, CEO and founder of NetClean, which recently trained Task Force Argos, an Australian law enforcement unit involved in identifying the children, commented:

“Tackling live streamed abuse takes the typical analogy of finding a needle in a haystack and adds the complication that this needle only exists for a finite period of time. This case is an incredible example of the law enforcement community collaborating to overcome one of the most challenging crime types that the online world has facilitated.

“This kind of case emphasises how critical it is to find those who view or distribute child sexual abuse material, and analyse all of the content they have, regardless of how much there is. One image, one video can sometimes be the clue that brings the whole house of cards tumbling down. This shows that even those who participate in live-streamed abuse, where the digital evidence of abuse is fleeting, can be brought to justice. 

“Those who watch this kind of content often save videos or screenshots of the content to look at again; analysing this material can be critical for breaking cases. But all too often this kind of imagery is hidden in plain sight, within case loads of hundreds of thousands of images of child sexual abuse. Law enforcement need investment, training and the right tools to ensure they can focus on new material, containing new and unrescued victims, not the same images that appear in every paedophile’s collection.

“Every computer and every network should be equipped to identify when a child sexual abuse image or video is viewed, downloaded or shared. Finding one individual who uses this kind of content can be the start of a trail of breadcrumbs, leading to the rescue of children and the breaking of international abuse rings.”



Hersheypark investigating possible data breach

Hershey Entertainment and Resorts, the company that owns Hersheypark, is investigating a possible data breach that may have exposed guests’ credit card information.

Commenting on this, Mark Bower, global director at HP Security Voltage, said: “Resorts and hospitality service providers have additional challenges to deal with in respect to payment card security. Card-on-file transactions are common, meaning card data is often stored longer than at typical retailers to maintain customer bookings and for resort service charges after check-in. Feeds from online booking systems often channel card data from various sources and third parties over the internet, creating additional possible points of compromise. Partner booking systems accessing the hotel platforms also present additional risks and malware paths for entry to data processing systems to steal sensitive information. However, resorts and hospitality organisations can avoid the impact of the advanced attacks common in the retail segment. Proven methods are available to neutralise this data from breaches, either at card read at the POS in person or via web booking platforms. Leading travel-related organisations, airlines and travel booking aggregators have adopted these data-centric security techniques with huge positive benefits: reduced exposure of live data to the reach of advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.1 compliance enforcement aimed at making data security a “business as usual” matter for any organisation handling card payment data.”



Expert comment on the recent cyber attack against LOT, Polish Airline

A cyber attack against the IT network of LOT, the national airline of Poland, left at least 10 flights with over 1,400 passengers grounded over the weekend.

Cris Thomas, Strategist of Tenable Network Security, commented on the subject:

“Airline flight control computers, like the ones attacked at the Polish airline LOT, aren’t anything special. There is nothing different about a computer that issues a flight plan from the one most people use at work every day, other than perhaps the flight plan software itself. As such, the computer is susceptible to the same attacks, malware and other issues that plague every other computer and ideally should have the same security systems in place as well.

“Usually the people that attack computer systems want them to keep running; it does not help the bad guys if the computer systems they attack suddenly stop working. So it is a little surprising that the LOT systems were unusable for five hours while the systems were being fixed. It is possible that LOT took the machines offline on purpose to help them institute the fixes. Unfortunately there is a lack of technical information available about what exactly happened.

The quoted statement by Adrian Kubicki, LOT spokesman, that this was the first hack of its kind is incorrect. There have been several similar attacks targeting airports, airlines and related systems over the years. These date back to at least 1997 at Worcester Airport in Massachusetts where a teenager disabled the phone system, radio communications, runway lights and other systems at the airport for six hours.”