House Oversight and Government Reform Committee Releases Comprehensive Report Confirming CyFIR Software Located and Identified Malware in OPM Data Breach

Majority members of the House Oversight and Government Reform Committee today released a comprehensive and documented report outlining their findings regarding the April 2015 Office of Personnel Management (OPM) data breach, which includes a confirmation that CyTech Services played a key role in identifying and responding to the intrusion that compromised 21 million sensitive government records.
As the report indicates, at OPM’s invitation, CyTech demonstrated their CyFIR Enterprise digital forensics and incident response platform at OPM on April 21-22, 2015. Using CyTech’s innovative endpoint vulnerability assessment methodology, CyFIR identified, within 12 minutes, a set of unknown processes running on a limited set of endpoints. This information was immediately provided to OPM security staff upon detection and was ultimately revealed to be zero day malware that had been in place on the OPM network for more than a year.

Specifically, the report stated, “During CyTech’s April 21, 2015 demonstration, CyTech identified or ‘discovered’ malware on the live OPM IT environment related to the incident. There is no evidence showing CyTech was aware [of the incident] at the time of the April 21 demonstration…Beginning on April 22, 2015, CyTech offered and began providing significant incident response and forensic support to OPM related to the 2015 incident. The documents and testimony show OPM and Cylance recognized CyFIR’s ability to quickly obtain forensic images. CyTech provided an expert to manage the CyFIR tool and continue to provide onsite support through May 1, 2015.” [Chapter 5: The CyTech Story; Page 125]

CyTech CEO Ben Cotton, a 21-year veteran of the U.S. Army Special Forces, lauded the findings outlined in the report, stating, “We are pleased that the report officially confirms what we have known to be true since the day we deployed the software on OPM’s network – by leveraging CyFIR’s total dynamic visibility (TDV) on the endpoint, the CyFIR platform detected the malware in OPM’s network within 12 minutes of installation, and CyFIR was able to provide OPM the technical capabilities to forensically investigate, respond to the breach and perform these activities with an unprecedented speed to resolution (S2R). CyFIR worked exactly as it was supposed to in identifying and locating the cyber threat existent in OPM’s production systems.”

John Irvine, Chief Technology Officer of CyTech Services, added, “This validates the efficacy and efficiency of the CyFIR platform, demonstrating its value to the federal government and any organization where network security is a priority. All government entities should be secure and protected with the most comprehensive data security tools available, especially when our national security is at risk. Our concern now is that the large number of government departments and agencies that are connected to the OPM network may have also been compromised and should now be evaluated.

CyFIR’s rapid threat assessment module was designed and built specifically for this type of analysis at the speed and breadth necessary to identify and contain the problem quickly. The technology can rapidly scan all running processes on individual computers and at the enterprise level, dramatically shortening the time it takes to discover, investigate, and remediate a breach through its unique distributed architecture. CyTech remains committed to providing one of the most comprehensive forensic investigation and incident response tools on the market and protecting the privacy and security of trusted information.”



Research finds security risks prevent consumers from “buying” into mobile banking

According to a recent report, banking customers are hesitant to use mobile features due to fraud and security concerns. The findings showed that of those not using mobile banking at all today (36 percent), more than half of them (74 percent) cited security as the major reason, which could slow the overall adoption of mobile banking services at a time when mobile device usage is exploding. Ryan Wilk, director at NuData Security, offered the following comment to @DFMag:

“We’re not at all surprised to see this reluctance on the part of consumers to adopt mobile banking wholeheartedly. It’s entirely understandable given the onslaught of daily stories about breaches, and the growing awareness about the security vulnerabilities of many mobile apps.

Consumers are gradually being schooled in online security, even if it is by getting their hands burned first. According to the new ACI 2016 Fraud Report, almost one in three UK consumers (29%) has been a victim of card fraud in the last five years, with much of that fraud perpetrated by fraudsters who made online purchases using hacked or stolen card details. Just as chilling is the figure that a full 17% have been victimised multiple times.

Perhaps customers are learning from these negative experiences, or it might be a trust issue. They likely fear that banks really don’t have control of their mobile security, or a combination of both.

What’s concerning to us is the finding that 44% of those surveyed would significantly increase their mobile banking usage with more security. In general, we’d be in favour, provided this security is actual security and not just more “security theatre” as we’ve seen time and time again. By this, we mean that adding more single-modal endpoint security layers is likely to just add more and more friction into the process and have marginal fraud prevention impacts.

Instead of layering on more solutions that will continue to provide limited data, FIs can see this study as an opportunity. It’s clear that customers actually want real security. This means looking at the entire lifecycle of the account and continuously identifying patterns of behaviour that indicate fraud. Understanding how good customers behave will enable them to address these customer fears and concerns.

The good news is that these solutions are readily available on the market and are positioned to help banks provide winning customer experiences, improve their rates of false declines and lower account-based fraud.”



Government surveillance survey statistics from Comparitech report

In the light of the recent news on the approval of the IP Bill by David Anderson, it is crucial to understand the public’s opinion and concerns about government surveillance, data privacy and security. Even if such scrutiny measures only harvest large quantities of data from the Internet and emails (bulk interception), the public needs to be aware of the government’s actions and of their right to privacy.

Earlier this year, commissioned a survey of 1,000 people across the United Kingdom which questioned respondents on government bulk surveillance and the sale of their personal data to third parties. Part of the survey results unveiled that:

  • 79.3% of respondents say they would not pay a premium for any of the major social networks or Google in exchange for a guarantee that their private information would not be sold to third parties.
  • 47.1% of the UK survey takers said they think the government currently snoops on their data.
  • When asked in what scenarios the government should be legally allowed to intercept any communications, 77.2% of respondents answered “terrorism” and 64.9% replied “criminal activity”.

Richard Patterson, Director of said “The public’s lack of concern for their privacy rights, borne out by these statistics, is worrying and begs the question how much further such rights will be eroded before the realisation dawns on quite what has been sacrificed.”

For more insights and data from Comparitech’s survey visit their blog:



The rise of the information age and what you need to know about cyber defense

In today’s digital age, almost everyone has left a footprint on the World Wide Web. With so much data being shared online daily, there are those who use the relative anonymity of the internet to maliciously steal valuable and private information. The question is how a cyber security professional identifies potential cyber issues and combats threats to the security landscape.

Find out how in this article; 

or simply email: to request a copy.

In November, Cyber Security Exchange Asia will be addressing these issues. If you are interested, you can download the Delegate Information Pack or the Sponsorship Information pack 



Digital Forensics and Information Security Analyst Certification and Career Path guide

By: David Parker

The demand for tech gurus who can solve crimes is growing all the time as hackers from home and abroad seek to crack servers and networks in the United States.

Cyber security is fast becoming a necessary component to all businesses and agencies. The demand for tech gurus who can solve crimes is growing all the time as hackers from home and abroad seek to crack servers and networks in the United States. Why not work to thwart them with a computer forensics certification? Though this is not an easy credential to add to your resume, it will be worth the hard work and effort when you have the gratification of busting cyber bad guys. You will also qualify for a broad range of jobs and your salary will likely see a dramatic increase, too.

The Certification Exam

To become eligible for a computer forensics certification, you will need to pass a test. Prior to the test, you will need to study the field and sharpen both your soft and hard skills. You can get prepared either in a purely academic scenario, by taking forensics courses online, or with professional experience. If you have professional experience only, it may be beneficial to read up on areas that you might not cover in your daily work. For instance, you might not work with all the laws that apply to the field, and those might show up on a soft skills test.

Your hard skills might be put to the test in a set of practical scenarios where you will need to demonstrate your knowledge in a simulation. You will often be given a significant amount of time to complete the simulation. Successful candidates will analyze the files they’ve been given and then write up a report that could be entered as evidence in a court of law. Certification programs will seek stellar outcomes in areas that include, but aren’t limited to the following subjects:

  • Computer ethics and law
  • Investigation procedures
  • Tools of forensic investigators
  • Legal data recovery that follows the rules of evidence
  • Data structure forensics
  • Assessing evidence
  • Recovering evidence from various operating systems, including Windows and Linux
  • Collecting evidence from volatile memory
  • Report writing

Benefits of Certification

Depending upon which professional body provides your certification, you may find that a host of benefits become available to you. Often, certifying bodies allow you to participate in their private listservs, receive group benefits for things like professional liability insurance, and have access to a wide network of other forensics professionals. Other benefits may include access to proprietary professional journals, research and development projects and newsletters.

Once you pass your certification exam, you may find that you are eligible for a wider range of jobs. While your on-the-job experience might have qualified you previously, it is important to gain a respected credential that demonstrates a dedication to the field, as well as providing solid evidence that you have mastered certain areas in the field. Professional designations always help garner immediate respect and qualify you as the professional you are so that you can advance faster without having to prove your worth.

Career Paths

You can then move your career forward with a number of different paths. You can apply to work with law enforcement agencies who are hungry for computer investigators, or you might seek work with a corporation that finds your particular skill set valuable to their information technology department. Some of the job titles that you can consider might include the following:

  • Digital Forensic Analyst
  • Computer Security Incident Response & Recovery
  • Cyber Security Malware Analyst
  • Security Engineer
  • Forensics Cyber Weapons and Tactics Advisor
  • Application Security Analyst
  • Security Auditor
  • Security Manager
  • Penetration Tester

Consultancy Practices

Many computer forensics specialists also pursue careers as business consultants. If you choose this path, you are likely to join a team that might include penetration testers, programmers and other IT professionals with a wide range of specialties. As a consultant, you might work with a firm or on your own. In a firm, you will have a support system that will handle various aspects of work such as benefits, administrative support and a dedicated team. If you work as an independent consultant, you may need to find subcontractors in your field and having a solid network from your certification program could prove invaluable.

Your consultancy practice might take a few different tracks as well. You could work as a legal consultant for law enforcement departments and agencies that don’t keep forensics experts on staff. In that scenario, you might be called to a job at a moment’s notice. Investigators will need your expertise as soon as possible so that you can begin the evidence-collection process.

It may also be that you consult for legal defense teams, helping to exonerate those who have been wrongfully accused. Those cases will often involve you arriving after investigators have amassed evidence. Your job will then be to provide an independent opinion of the evidence and what it really means for the court. Whether you work for the prosecution or the defense, you will probably be asked to write a comprehensive report along with testifying in court.

Homeland Security Jobs

The Department of Homeland Security is also actively seeking professionals who can help thwart and investigate cyber crimes. After you have done a significant tenure helping to protect the national interest, you might find yourself all the more hireable by independent contractors. If you have some of the following skills, you could qualify for a full-time position with federal law enforcement:

  • Cyber Incident Response
  • Cyber Risk and Strategic Analysis
  • Vulnerability Detection
  • Intelligence and Investigation
  • Networks and Systems Engineering
  • Digital Forensics Analysis
  • Software Assurance

Salary and Career Outlook

Salaries for those with a computer forensics certification vary according to the stage of your career, your chosen path and even where you live in the country, as salaries are often calibrated according to the local cost of living. Nonetheless, the U.S. Bureau of Labor Statistics cites the median annual income for Information Security Analysts at $88,890 for 2014. That number is for a professional with a bachelor’s degree and less than five years’ experience. You might find that you earn more with a higher level of education and experience. The BLS projects that the field will grow by 18 percent through 2024, which is much faster than average for all career fields.



Retail chain Eddie Bauer discovers POS malware at stores

Clothing store chain Eddie Bauer said it has detected and removed malicious software from point-of-sale systems at all of its 350+ stores in North America, and that credit and debit cards used at those stores during the first six months of January may have been compromised in the breach.

George Rice, senior director, payments at HPE Security – Data Security, told @DFMag:

“Retail malware is typically designed to steal clear data in memory from Point of Sale (POS) applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale. And unfortunately, POS systems are often the weak link in the chain — they should be considered insecure even after implementing EMV. A POS terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.

Any business using POS systems can avoid the impact of these types of advanced attacks. Proven methods, such as Format-Preserving Encryption, are available to neutralise data from breaches either at the card reader, at the point of sale, in person or online. Leading retailers and payment processors have adopted these data-centric security techniques with huge positive benefits: reduced exposure of live data from the reach of advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.2 compliance enforcement laws, laws aimed at making data security a ‘business as usual’ matter for any organisation handling card payment data.

The good news is that savvy merchants are implementing Format-Preserving Encryption, giving the malware nothing to steal, which also has a dramatic cost reducing benefit to PCI compliance. Encrypting the data in the card reading terminal ahead of the POS eliminates the exposure of live information in vulnerable POS systems. The attackers get only useless encrypted data.”
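As an added illustration of the data-centric approach Rice describes (this is demonstration code written for this page, not HPE’s product or anything from the original article), the following Python sketches format-preserving encryption of a card number: a Feistel network over decimal digits keyed with HMAC-SHA256, keeping the BIN and last four in the clear and using them as a tweak. It shows the structure of the idea rather than the standardised NIST FF1/FF3 algorithms, and the key and card number are constructed placeholders.

```python
import hashlib
import hmac

ROUNDS = 10  # even, so the two halves return to their original positions


def _round_value(key: bytes, tweak: bytes, round_no: int, half: str) -> int:
    """Feistel round function: HMAC-SHA256 over (tweak, round number, half) as an integer."""
    mac = hmac.new(key, tweak + bytes([round_no]) + half.encode("ascii"), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big")


def fpe_encrypt_digits(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Encrypt a decimal string into a decimal string of the same length."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need at least two decimal digits")
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v  # width of the half being rewritten this round
        c = (int(a) + _round_value(key, tweak, i, b)) % 10 ** m
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt_digits(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Inverse of fpe_encrypt_digits: the same rounds, run backwards."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need at least two decimal digits")
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_value(key, tweak, i, a)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


def protect_pan(key: bytes, pan: str) -> str:
    """What the card-reading terminal hands to the POS: same length, still all digits,
    BIN (first six) and last four in the clear, middle digits encrypted under a tweak
    derived from the clear digits so the same PAN always yields the same token."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    head, middle, tail = pan[:6], pan[6:-4], pan[-4:]
    return head + fpe_encrypt_digits(key, middle, (head + tail).encode("ascii")) + tail


def recover_pan(key: bytes, token: str) -> str:
    """Done by the payment processor that holds the key, never by the POS."""
    head, middle, tail = token[:6], token[6:-4], token[-4:]
    return head + fpe_decrypt_digits(key, middle, (head + tail).encode("ascii")) + tail


def pos_memory_exposes_pan(key: bytes, pan: str) -> bool:
    """Defender's check: does a POS transaction buffer still contain the real PAN?"""
    pos_buffer = b"TXN|" + protect_pan(key, pan).encode("ascii") + b"|AMT=1999"
    return pan.encode("ascii") in pos_buffer


# Constructed demo key and a widely used test card number; both are placeholders.
DEMO_KEY = b"constructed-demo-key-not-a-real-key"
TEST_PAN = "4111111111111111"

if __name__ == "__main__":
    token = protect_pan(DEMO_KEY, TEST_PAN)
    print("PAN              :", TEST_PAN)
    print("token seen by POS:", token, "(same length, digits only)")
    print("processor recovers:", recover_pan(DEMO_KEY, token))
    print("real PAN present in POS memory:", pos_memory_exposes_pan(DEMO_KEY, TEST_PAN))
```

Because the token keeps the PAN’s length and character set, legacy POS code and receipts that print the last four keep working, while the memory the POS application holds no longer contains the live number.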



Security issues that could occur within Company Server Rooms

By: Michael Baker

As any business and IT professional will tell you, protecting data within a business is critical so a company server room has to have optimal physical and technical security. Companies need to be aware of the vulnerability of data to hacking by those who would use it for malicious purposes. Hackers could use data about customers or that relating to the company itself for financial gain. The company may also have sensitive information relating to its own operations and future plans that it does not want to share.

Compliance with data regulation is another issue that needs to be taken into account when developing and maintaining security procedures for company server rooms. Loss of data can also impact on the productivity of a company and its staff, with people left for potentially long periods of time trying to resolve customer issues or even with little to do while awaiting restoration of IT systems following a breach of security. In this day and age, many companies are operating on a round-the-clock basis and that is certainly the case in respect of IT systems, so any slowdown or halt to productivity can be very damaging indeed.

In terms of physical security, the server room structure itself needs to be secure. Access should be granted to authorised individuals only. This could mean restricting the number of key holders or, if a company’s budget allows it, the installation of a system using fingerprint recognition technology. Another alternative would be to install a proximity card reader system. Alarm and alarm monitoring systems are also essential, not just for protection of a server room but also for an entire business premises. In the case of a server room built separately from the rest of the business premises, security caging and toughened security gates would be highly advisable.

We live in a digital age, of course, so security of data means cyber security as well as physical security of the server room itself. The physical entry system should be aligned with the login systems inside the room so that only those individuals who have physical access can log on to the systems from within the server room. Have a company-wide cyber security policy and ensure everyone knows their responsibilities. Cyber attacks identify and exploit points of vulnerability, and those are often attributable to employees lacking basic knowledge of good cyber security. As for the company itself, it needs to keep abreast of the latest threats and ensure that its systems are up to date. At its most basic, cybersecurity means ensuring that IT systems can proactively identify threats, block access and prevent the loss of data, while having the ability to patch vulnerabilities at the same time.

The security of a server room starts with the server room fit-out, and a professional installation company will work with you through each step of the design process to ensure your security needs are met and that compliance with security regulations is taken into account.

A company server room needs to be secure because data regulators expect full compliance with regulations and customers naturally expect their data to be secure. Loss of information can mean loss of reputation as well as a financial loss for a company.



New Pokemon Go Ransomware discovered, industry experts comment

A new ransomware sample poses as a version of Pokémon Go for Windows and carries features beyond file encryption: a backdoor Windows account, spreading the executable to other drives, and creating network shares.

IT security experts from Lieberman Software, ESET and Tripwire discuss the ransomware:

Jonathan Sander, VP of Product Strategy at Lieberman Software:

Is there anything different/interesting about this ransomware?
“This Hidden-Tear ransomware is either the cutting edge or class clown of the malware world. Generally, ransomware is built to extract money and leave no traces. Hidden-Tear behaves like a malware hybrid that encrypts files and asks for ransom, but also attempts to spread in ways normally associated with a virus. Maybe that’s the start of something new and dangerous. But it’s equally likely this is the work of someone who is taking ideas from all over without really understanding their implications. Anyone who has used software has run into features added where they can’t imagine what the developer was thinking. Hidden-Tear may be a malware developer throwing in features just because it’s possible versus because it’s a good idea.”

What can users do to protect themselves?
“One thing Hidden-Tear does well is try to play on people’s desires. Malware always needs an angle to get you to click, and few things capture the spirit of the day like Pokémon Go. With many Arab countries moving to ban or limit the game, a malware that offers people a way to perhaps play despite the government interference is click bait that’s sure to trap some. People need to use what should be common sense here – in this case realizing that a mobile app appearing on their PC is *actually* too good to be true.”

How successful can this ransomware be?
“If we’re going to measure Hidden-Tear as ransomware, then its success should be measured in cash. It’s likely not got the same professional approach as many eastern European ransomware operations, which often boast legitimate call centers and oddly get high marks from victims on customer service. Without this high grade money collection system, it is unlikely it will grab any huge amount of cash unless the creator gets very lucky.”

Mark James, Security Specialist at ESET:

“As with most projects or events that generate so much interest in the IT world, it’s inevitable that malware will soon follow, often tailored to help, mimic or guide you. The whole PokemonGo phenomenon was of course going to be no different; people will want to play it on all platforms, iOS, Android and their desktop systems. This particular piece of malware is a little different though: it not only wants to infect you with ransomware, it appears to have a hidden agenda. Most ransomware deletes itself once the job is done, but this particular piece of malware goes a little further by installing a hidden user account with admin privileges, that could enable someone at a later date to remotely connect back to the infected computer and perform other malicious tasks.

It’s currently targeted at Arabic victims but could easily be adapted for global use and we could see it modified and spread in other countries. Malware is constantly changing and the need to have a good multi-layered regular updating internet security product is a must these days if you want to keep safe. Keep your operating system and applications updated and on the latest versions and make sure you have some kind of backup to protect any data you can’t afford to lose. Ransomware these days is a very real threat and having a good backup solution will enable you to restore your data easily and quickly and not succumb to funding criminal activity by paying the ransom.”

Travis Smith, Senior Security Research Engineer at Tripwire discusses:

“Fans of the Pokemon Go game are eager to catch them all, but must be wary of catching malware. While the malware is not fully production code, it highlights the intent of some malware creators to capitalize on the Pokemon Go craze. Users looking for Pokemon should be wary of any third party applications or services looking to assist your search.

The fact that the malware is creating users is a new ransomware development. It’s unclear if the intent is to maintain persistence or be an indicator to avoid multiple infections of the same box. Either way, it’s clear the ransomware is looking to spread itself to network shares and removable drives to both spread infection and potentially cripple backups, the primary recovery method for ransomware.”



Hackers attack over 20 hotels from various established brands

Following the news that hackers have attacked 20 hotels run by HEI Hotels and Resorts, including Hyatt, Marriott, Starwood and Intercontinental properties, with targeted malware, Ken Bechtel, malware research analyst at Tenable Network Security, offered @DFMag the following comment:

“The latest string of point-of-sale (POS) malware attacks on retail and hospitality systems is indicative of the evolving threat environment. Mobile devices have become one of the largest growing threats for malware, and storing credit card data in various e-wallets, and in some cases apps, such as those used in fast service coffee shops, provides a lucrative target for profit-driven malware authors.

“However, we often forget that the consumer is at a distinct disadvantage when dealing with POS malware, as this threat is beyond their control. While card holders can help protect their accounts by watching for skimmers, keeping their card within sight while paying bills and checking credit card statements for fraudulent activity, once a POS system is compromised there is nothing the user can do to prevent the activity. It’s the responsibility of the organisation to detect anomalies in credit card transactions and then take ongoing steps to prevent and remediate potential malware threats.

“Unfortunately, many companies struggle to keep up on security due to staff shortages, or a lack of proper tools to look for and identify abnormal network activities that could indicate a new piece of malware on the network. Although one-hundred percent prevention is unrealistic, having complete visibility into the overall security posture will help organisations lessen the risk of exposure to customers and detect vulnerabilities earlier.”