Tuesday, April 8, 2014

Hackers Lurking in Vents and Soda Machines

Photo caption: Security experts like Billy Rios of Qualys say computer-equipped machinery like air conditioners can be used to gain access to sensitive company data. Credit: Jessica Lifland for The New York Times
SAN FRANCISCO — They came in through the Chinese takeout menu.
Unable to breach the computer network at a big oil company directly, the hackers planted malware on the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they unwittingly downloaded code that gave the attackers a foothold in the business’s vast computer network.
Security experts summoned to fix the problem were not allowed to disclose the details of the breach, but the lesson from the incident was clear: Companies scrambling to seal up their systems from hackers and government snoops are having to look in the unlikeliest of places for vulnerabilities.
Hackers in the recent Target payment card breach gained access to the retailer’s records through its heating and cooling system. In other cases, hackers have used printers, thermostats and videoconferencing equipment.
Companies have always needed to be diligent in keeping ahead of hackers — email and leaky employee devices are an old problem — but the situation has grown increasingly complex and urgent as countless third parties are granted remote access to corporate systems. This access comes through software controlling all kinds of services a company needs: heating, ventilation and air-conditioning; billing, expense and human-resources management systems; graphics and data analytics functions; health insurance providers; and even vending machines.
Photo caption: Vincent Berk, a security expert with FlowTraq. Credit: Herb Swanson for The New York Times
Break into one system, and you have a chance to break into them all.
“We constantly run into situations where outside service providers connected remotely have the keys to the castle,” said Vincent Berk, chief executive of FlowTraq, a network security firm.
Data on the percentage of cyberattacks that can be tied to a leaky third party is difficult to come by, in large part because victims’ lawyers will find any reason not to disclose a breach. But a survey of more than 3,500 global I.T. and cybersecurity practitioners conducted by a security research firm, the Ponemon Institute, last year found that roughly a quarter — 23 percent — of breaches were attributable to third-party negligence.
Security experts say that figure is low. Arabella Hallawell, vice president of strategy at Arbor Networks, a network security firm in Burlington, Mass., estimated that third-party suppliers were involved in some 70 percent of breaches her company reviewed.
“It’s generally suppliers you would never suspect,” Ms. Hallawell said.
The breach through the Chinese menu — known as a watering hole attack, the online equivalent of a predator lurking by a watering hole and pouncing on its thirsty prey — was extreme. But security researchers say that in most cases, attackers hardly need to go to such lengths when the management software of all sorts of devices connects directly to corporate networks. Heating and cooling providers can now monitor and adjust office temperatures remotely, and vending machine suppliers can see when their clients are out of Diet Cokes and Cheetos. Those vendors often don’t have the same security standards as their clients, but for business reasons they are allowed behind the firewall that protects a network.
Security experts say vendors are tempting targets for hackers because they tend to run older systems, like Microsoft’s Windows XP software. Also, security experts say these seemingly innocuous devices — videoconference equipment, thermostats, vending machines and printers — often are delivered with the security settings switched off by default. Once hackers have found a way in, the devices offer them a place to hide in plain sight.
“The beauty is no one is looking there,” said George Kurtz, the chief executive of Crowdstrike, a security firm. “So it’s very easy for the adversary to hide in these places.”
Last year, security researchers found a way into Google’s headquarters in Sydney, Australia, and Sydney’s North Shore Private hospital — and its ventilation, lighting, elevators and even video cameras — through their building management vendor. More recently, the same researchers found they could breach the circuit breakers of one Sochi Olympic arena through its heating and cooling supplier.
Fortunately, the researchers were merely testing for flaws that could have been exploited by real hackers.
Billy Rios, director of threat intelligence at Qualys, a security firm, was one of those researchers. He said it was increasingly common for corporations to set up their networks sloppily, with their air-conditioning systems connected to the same network that leads to databases containing sensitive material like proprietary source code or customer credit cards.
“Your air-conditioning system should never talk to your H.R. database, but nobody ever talks about that for some reason,” Mr. Rios said.
The Ponemon survey last year found that in 28 percent of malicious attacks, respondents could not find the source of the breach. Ms. Hallawell compared the process of finding the source of a breach to “finding a needle in a haystack.”
Ideally, security experts say, corporations should set up their networks so that access to sensitive data is sealed off from third-party systems, protected by strong authentication and monitored with technology that can flag anomalous traffic, such as someone with access to an air-conditioning monitoring system trying to get into an employee database.
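The check Mr. Rios describes ("your air-conditioning system should never talk to your H.R. database") is easy to automate once zones are defined. The following is an added illustration, not code from the article or from any of the firms it quotes: it assigns constructed subnets to zones, declares which zone-to-zone pairs are permitted, and walks a constructed flow log to report everything else. Zone names, subnets, the policy, the log format and the sample records are all assumptions made up for the example.

```python
"""Flag cross-zone traffic that a segmented network should never carry.

Added illustration, not code from the article or from any firm it quotes.
Zone names, subnets, the permitted-pair policy, the flow-log format and the
sample records are all constructed for this example.
"""
import ipaddress
from collections import namedtuple

# Constructed zones: which subnets belong to which function.
ZONES = {
    "hvac_vendor": ipaddress.ip_network("10.50.0.0/24"),  # building-management / HVAC vendor access
    "vending":     ipaddress.ip_network("10.50.1.0/24"),  # vending-machine telemetry
    "printers":    ipaddress.ip_network("10.60.0.0/24"),
    "hr_db":       ipaddress.ip_network("10.10.5.0/24"),
    "card_db":     ipaddress.ip_network("10.10.6.0/24"),
    "corp_users":  ipaddress.ip_network("10.20.0.0/16"),
}
EXTERNAL = "external"  # anything not in a defined zone (vendor clouds, the internet)

# Constructed policy: (source zone, destination zone) pairs that are permitted.
# Anything not listed is a violation. Vendor zones may talk to their own
# equipment and phone home to the outside; they never reach data or user zones.
ALLOWED = {
    ("corp_users", "hr_db"),
    ("corp_users", "card_db"),
    ("corp_users", "printers"),
    ("hvac_vendor", "hvac_vendor"),
    ("hvac_vendor", EXTERNAL),
    ("vending", EXTERNAL),
}

Flow = namedtuple("Flow", "ts src dst dport proto")


def zone_of(ip):
    """Map an address to its zone name, or EXTERNAL if it is in no defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return EXTERNAL


def parse_flow(line):
    """Constructed flow-log format: '<timestamp> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto)


def violations(lines):
    """Return [(flow, (src_zone, dst_zone))] for every flow the policy does not permit."""
    found = []
    for line in lines:
        flow = parse_flow(line)
        pair = (zone_of(flow.src), zone_of(flow.dst))
        if pair not in ALLOWED:
            found.append((flow, pair))
    return found


# Constructed sample: two legitimate flows, a vendor phoning home, and three
# flows that should never appear on a properly segmented network.
SAMPLE_FLOWS = [
    "2014-04-08T02:13:05Z 10.50.0.21 10.50.0.1 502 tcp",    # HVAC controller to its own gateway
    "2014-04-08T02:13:09Z 10.20.3.14 10.10.5.10 1433 tcp",  # employee workstation to HR database
    "2014-04-08T02:14:31Z 10.50.1.9 192.0.2.44 443 tcp",    # vending telemetry to vendor cloud
    "2014-04-08T02:15:02Z 10.50.0.21 10.10.5.10 1433 tcp",  # HVAC host to HR database: violation
    "2014-04-08T02:15:40Z 10.60.0.7 10.10.6.12 445 tcp",    # printer to card database: violation
    "2014-04-08T02:16:12Z 10.50.0.21 10.20.3.14 22 tcp",    # HVAC host to a workstation: violation
]

if __name__ == "__main__":
    for flow, (src_zone, dst_zone) in violations(SAMPLE_FLOWS):
        print(f"{flow.ts} {flow.src} ({src_zone}) -> {flow.dst}:{flow.dport} ({dst_zone}) not permitted")
```

The allow-list is deliberately positive: a pair is a violation unless someone wrote it down, which is what forces the conversation about why a vendor zone would ever need a path to a data zone. In practice the same logic is expressed as firewall rules between the zones, and the detector runs on flow records to catch what the rules miss or what was never segmented in the first place.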
But even then, companies require security personnel with experience in detecting such attacks. Even though Target used security technology supplied by FireEye, a company that sounds alerts when it identifies such anomalous activity, its I.T. personnel ignored the red flags, according to several people who confirmed the findings of a Bloomberg Businessweek investigation last month but could not speak publicly about Target’s continuing internal investigation.
Like all else, security experts say, it’s simply a matter of priorities. One Arbor Networks study found that unlike banks, which spend up to 12 percent of their information technology budgets on security, retailers spend, on average, less than 5 percent of their budget on security. The bulk of that I.T. spending goes to customer marketing and data analytics.
“When you know you’re the target and you don’t know when, where or how an attack will take place, it’s wartime all the time,” Ms. Hallawell said. “And most organizations aren’t prepared for wartime.”

Gen Y Bucks Policies on Use of Personal Devices

By Samuel Greengard | Posted 2013-12-03
It's no secret that Generation Y has drastically different values about technology than other generations. But now these differences are playing out in the enterprise, particularly as mobility and the bring-your-own-device (BYOD) movement flourish. A newly released survey conducted by network security firm Fortinet found that younger workers are taking an increasingly hard-line stand against corporate policies that limit and control devices, particularly personal technologies such as smartphones, tablets, smart watches and emerging devices such as Google Glass.

The "Fortinet Internet Security Census 2013" polled 3,200 employees ranging in age from 21 to 32 in 20 countries. Among other things, it found a 42 percent increase in respondents' willingness to break usage rules compared with a similar Fortinet survey conducted in 2012. The research also illustrates the extent to which Gen Y workers have been victims of cyber-crime on their personal devices, their "threat literacy" and their widespread practice of storing corporate assets in personal cloud accounts.

"The study highlights the greater challenge IT managers face when it comes to knowing where corporate data resides and how it is being accessed," says John Maddison, Fortinet vice president of marketing. "Now, more than ever, there is a requirement for security intelligence to be implemented at the network level in order to enable control of user activity based on devices, applications being used and locations."
See more at: http://www.baselinemag.com/security/slideshows/gen-y-bucks-policies-on-use-of-personal-devices.html

Thursday, March 27, 2014

Android Security Remains a Glaring Problem: 10 Reasons Why

Android has grabbed an unassailable position in the mobile operating system market. In fact, some estimates put Android's global smartphone market share at 87 percent and rising. Most analysts believe that in a matter of years, Android will be as dominant in mobile as Windows was years ago in the desktop PC market. Google, through its partnerships with vendors, advertisers and application marketplaces, will benefit greatly from that.

But there's another, far less positive parallel between Windows and Android that should not be underestimated. According to the latest data from security firm F-Secure, 97 percent of all mobile malware targeted Android devices in 2013. In 2012 that figure stood at 79 percent. What's worse, the total number of identified threats is on the rise. In 2012, F-Secure identified 238 Android threats. Now, that figure stands at 804.

Those statistics, coupled with the ongoing concern among enterprise customers that no single security solution even comes close to solving the mobile world's troubles, should make just about anyone worry about Android security.

Read on to find out why. See more at: http://www.eweek.com/mobile/slideshows/android-security-remains-a-glaring-problem-10-reasons-why.html

Friday, March 7, 2014

Boeing's Secure Black Smartphone: 10 Cool Features We All Might Want

Boeing, a company that is perhaps best known for its work in aviation and as a highly trusted U.S. government contractor, has unveiled a new smartphone it's calling, simply, Black. The handset, designed for U.S. and presumably allied intelligence agencies, will try to maximize device and data security while still providing agents in the field with reliable mobile connections. Boeing's Black smartphone highlights the impact cyber-security is having on governments around the world. Each day, it's believed that the United States and foreign governments like China are spying on government and corporate networks to gather strategic information. A hidden cyber-war is being waged, and the country that has the strongest tools might succeed in gaining an edge that could prove decisive in the event of conflict.

This eWEEK slide show looks at the Boeing Black and what makes it such an interesting and potentially useful tool in the intelligence field. Admittedly, the following information is based only on what's been made publicly available. All of the specifications that make the Boeing Black valuable to the intelligence community will likely never see the light of day, at least not for years to come.

See more at: http://www.eweek.com/mobile/slideshows/boeings-secure-black-smartphone-10-cool-features-we-all-might-want.html

3 Comments for "Boeing's Secure Black Smartphone: 10 Cool Features We All Might Want"

AmericanPrivacy said on March 5, 2014 03:00 pm: NSA-proof phone made in the USA? Yeah, right. Between the Patriot Act and CISPA, don't believe this for a second. And if the NSA can tap into Google and others without them knowing it, then what would stop the NSA from taking the data from Boeing, whose lifeline is and will remain government contracts? And Verizon as the carrier? Really, they are already participating in the Prism program. Certain government officials here in the States already have a "hack-proof" phone and it is NOT available to the public. Visit www.americansrighttoprivacy.com for real solutions that reside in Switzerland. The Swiss specifically established a right of privacy in their Constitution and reinforced it in their Data Protection Act, which maintains that individuals and companies have a right to privacy in their electronic communications.

DDG-12 said on March 3, 2014 12:18 pm: Right. That makes the game "spot the fed" child's play: just pay attention to their handset. Agents will be compromised the second they pull it out of their pocket.

nrmr44 said on February 28, 2014 06:02 pm: It is too obviously a Boeing Black. They should have made it look like an indigenous Chinese model.

Wednesday, April 3, 2013

Ameristar Network Inc. Completes Filing for "Current Information Tier" Status on OTC Markets (Pink)

PR Newswire, NEW YORK, April 3, 2013 /PRNewswire/ -- AmeriStar Network, Inc. (OTC Markets: AMWK) ("AmeriStar") has complied with the filing requirements of OTC Markets and has been moved to the Current Information Tier.

Since the merger of SecurDigital, Inc. into a subsidiary of the Company in February 2011, the Company has transformed itself into a mobile applications and SaaS provider of Cloud-based software solutions. SecurDigital is in the final stages of product development and is undertaking the marketing of its SecurDigital mobile applications.

According to CEO Bruce Magown, "Awareness in the marketplace about identity theft, industrial espionage and cyber-attacks has increased exponentially, with wireless mobile devices being particularly vulnerable -- and that's what we help protect by securing the communication."

SecurDigital, Inc. with its proprietary technology is poised to protect corporations, governments and even individuals from scanning, hacking and espionage through a major advance in the delivery of secure and interoperable wireless communications. Eliminating the exposure of wireless communication to scanners or hackers, its SecurVoice™ technology can be delivered to subscribers over the Internet using the Software-as-a-Service ("SaaS") model. SecurVoice™ is the world's first totally secure, wireless, digital communications "software only" solution for security and interoperability over wireless and VoIP communications, and it works across multiple carriers, operating systems and hardware, performing wireless "interoperability" for WiMAX and WiFi products globally. The market for mobile security applications in an environment marked by increasingly dangerous and sophisticated hackers and criminal elements has been estimated to exceed a billion dollars worldwide.

Statements in this press release may be "forward-looking statements" within the meaning of the Private Securities Litigation Reform Act of 1995.
Words such as "optimizing," "potential," "anticipate," "goal," "intend" and similar expressions, as they relate to the company or its management, identify forward-looking statements. These statements are based on current expectations, estimates and projections about the company's business based, in part, on assumptions made by management. These statements are not guarantees of future performance and involve risks, uncertainties and assumptions that are difficult to predict. Actual outcomes and results may, and probably will, differ materially from what is expressed or forecasted in such forward-looking statements due to numerous factors, including those described above and those risks discussed from time to time in Company filings with the Securities and Exchange Commission. These statements and other forward-looking statements are not guarantees of future performance and involve risks and uncertainties. AmeriStar Network, Inc. assumes no responsibility to update any of the forward-looking statements in this news release. Neither the Company nor any other person assumes responsibility for the accuracy or completeness of these forward-looking statements. Nothing in this press release should be construed as either an offer to sell or a solicitation of an offer to buy or sell shares of AmeriStar Network, Inc. in any jurisdiction. SOURCE AmeriStar Network, Inc. The above news release has been provided by the above company via the OTC Disclosure and News Service. Issuers of news releases and not OTC Markets Group Inc. are solely responsible for the accuracy of such news releases.

Army has lost control of its mobile devices, says DOD IG

By Defense Systems Staff | Apr 02, 2013

The inspector general of the Defense Department reports that the Army’s Chief Information Office/G-6 has, in essence, lost control over commercial mobile devices (CMD) within the Army, and that more than 14,000 smartphones and tablets are untracked. The upshot is that the Army CIO office does not have an effective cybersecurity program that identifies and mitigates risks surrounding CMDs and removable media, according to the DOD IG.

“The Army did not implement an effective cybersecurity program for commercial mobile devices,” wrote Alice Carey, assistant DOD inspector general for readiness, operations and support, in a memorandum dated March 26. “If the devices remain unsecure, malicious activities could disrupt Army networks and compromise sensitive DOD information.”

According to the IG report, titled Improvements Needed With Tracking and Configuring Army Commercial Mobile Devices, the “Army CIO did not implement an effective cybersecurity program for CMDs. Specifically, the Army CIO did not appropriately track CMDs and was unaware of more than 14,000 CMDs used throughout the Army.” (The figure excludes BlackBerry devices.)

Additionally, the Army CIO did not ensure that commands configured CMDs to protect stored data. According to the DOD IG, the CIOs at the U.S. Military Academy (USMA), West Point, NY, and the Army Corps of Engineers’ Engineer Research and Development Center (ERDC), Vicksburg, MS, did not use a mobile device management application to configure CMDs to protect stored data, which means that they did not have the capability to remotely wipe data stored on CMDs that were transferred, lost, stolen or damaged. Also, the CIOs at USMA and ERDC allowed users to store sensitive data on CMDs that acted as removable media. “These actions occurred because the Army CIO did not develop clear and comprehensive policy for CMDs purchased under pilot and non-pilot programs,” states the IG report.

In addition, the Army CIO inappropriately concluded that CMDs were not connecting to Army networks and storing sensitive information. “As a result, critical information assurance controls were not appropriately applied, which left the Army networks more vulnerable to cybersecurity attacks and leakage of sensitive data.”

In response, the Army and Defense Information Systems Agency (DISA) agreed to develop a mobile device management (MDM) process to verify that users of CMDs are following Army and DOD information assurance policies and implementing the appropriate security controls to protect CMDs. Establishment of MDM and mobile application store architectures will be designed to make all CMDs managed mobile devices, which would result in the ability to observe every DOD-managed CMD, as well as the applications operating on the devices. Additionally, the Army will gain the ability to wipe or remove a device from the environment, as well as monitor applications used, websites visited, plus data viewed, saved or modified on the mobile devices.

To that end, the Army issued a request for proposal for the MDM and mobile application store and expects to make an award this month, with initial operating capability expected by October 2013, with full operating capability available before the end of fiscal year 2014.

Monday, April 30, 2012

Kenneth Van Wyk: We need more secure mobile devices

As things stand now, all bets are off if you lose your smartphone

Computerworld - When you combine the words "mobile device" and "security," you get an oxymoron. That's the state of security in the mobile world, and it's been that way since day one. That has to change.

Smartphones and tablets are increasingly doing heavy lifting in the corporate world, and are ever more likely to be repositories of sensitive data. But where do we start in making them more secure?

For now, forget about malware and sophisticated hacking. We first need to close the most gaping hole of all for mobile devices, one that every expert I have talked to over the years has agreed on: If a bad guy gets physical access to a mobile device, all bets are off.

A few months ago, the folks at the OWASP Mobile Security Project backed up this assessment. They did a threat modeling exercise of mobile devices and determined that two of the most glaring issues are the loss or theft of the device and insecure communications.

A basic problem is that anyone who gets his hands on someone else's smartphone can access the user's login credentials with ridiculous ease. Mobile apps contribute to this problem. I myself have realized that some of the mobile apps that I use store login credentials and other sensitive data where they shouldn't be, and in the last month or so, I've read about numerous cases of such iOS app weaknesses. Using nothing more than a USB cable, an attacker can in many cases get to login and/or session credentials for many high-profile apps, on both iOS and Android platforms.

For starters, mobile app developers must keep in mind when writing their software that devices can easily be lost or stolen -- and recognize that a lost device shouldn't be a free ticket to valuable data. Most modern mobile platforms provide mechanisms for reasonably protecting things like user login credentials. These mechanisms are generally called keychains.
Current versions of both Android and iOS have keychain APIs that app developers can and should be using. While not perfect, they do provide significant protection over simply storing usernames and passwords -- even when hashed -- in plaintext files (e.g., plist or properties files).

Second, other user data on mobile devices should be encrypted. This is something that users have to do themselves, but Android and iOS both provide mechanisms for doing that reasonably securely, and third-party add-ons like SQLCipher for AES-encrypting SQLite databases are even better. If you look for strong mobile encryption mechanisms, you can find them.

Next, we need better default protection settings in our mobile platforms. For example, on Apple iOS devices, sensitive data (including things stored in app keychains) is protected by hardware encryption that is keyed with a combination of a unique 256-bit device key and the user's own device lock code. Since that device key can be obtained by an attacker with physical access to a device, the protection afforded the user by the keychain essentially comes down to how strong his device lock code is. The default setting on iOS is a four-digit PIN, which just isn't up to the task.

Usability advocates will argue that strong device passwords on mobile devices are annoying and won't be accepted by users. That's a fair argument -- strong passwords on a smartphone or tablet really are a hassle to work with. (Trust me.) Still, I'd prefer something stronger than four-digit PINs to unlock a device (and the data it holds). For the longer term, device vendors need to be shooting for stronger keying mechanisms -- perhaps a PIN in combination with a biometric like a fingerprint, facial pattern scan or voice recognition.

For now, though, what I suggest to people who are serious about the security of their mobile devices is to carefully select the apps they use.
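The column's point about the device key is worth seeing in numbers. The following is an added example, not code from the column or from Apple: it models the scheme described above (a data-protection key derived from the lock code combined with a per-device 256-bit key) with PBKDF2, shows that an attacker holding the device key recovers a four-digit PIN by trying all ten thousand, and compares the worst-case effort for other code lengths. The real iOS key wrapping, its AES-based keybag and its hardware-tuned iteration count are not reproduced; the device key, the iteration count and the assumed guess rate of 12.5 per second (80 ms per derivation) are constructed for illustration.

```python
"""Why a four-digit PIN is weak once the device key is in the attacker's hands.

Added example, not from the column or from Apple. It models the scheme the
column describes (a data-protection key derived from the lock code combined
with a per-device 256-bit key) with PBKDF2; the real iOS key wrapping, its
AES-based keybag and its hardware-tuned iteration count are not reproduced.
The device key, the iteration count and the guess rate are constructed.
"""
import hashlib
import hmac

ITERATIONS = 10  # toy value so the demo runs instantly; a real count only scales the time linearly

# Constructed stand-in for the per-device key an attacker with physical access has extracted.
DEVICE_KEY = bytes.fromhex(
    "3b7f1c9e2d4a6b8f0e1d2c3b4a5968778695a4b3c2d1e0f0f1e2d3c4b5a69788"
)


def derive_key(passcode, device_key, iterations=ITERATIONS):
    """Key derived from the lock code, with the device key acting as the salt."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_key, iterations, 32)


def make_verifier(passcode, device_key):
    """Stand-in for the keybag check value that tells a correct passcode from a wrong one."""
    return hmac.new(derive_key(passcode, device_key), b"keybag-check", "sha256").digest()


def brute_force_pin(verifier, device_key, digits=4):
    """Try every numeric PIN in order; return (pin, attempts) or (None, attempts)."""
    attempts = 0
    for n in range(10 ** digits):
        attempts += 1
        guess = f"{n:0{digits}d}"
        if hmac.compare_digest(make_verifier(guess, device_key), verifier):
            return guess, attempts
    return None, attempts


def keyspace(alphabet_size, length):
    """Number of candidate lock codes for a given alphabet and length."""
    return alphabet_size ** length


def worst_case_seconds(space, guesses_per_second):
    """Time to exhaust the keyspace at a fixed per-guess cost set by the key derivation."""
    return space / guesses_per_second


def demo():
    """Recover a constructed PIN ('0873') from its verifier using only the device key."""
    verifier = make_verifier("0873", DEVICE_KEY)
    return brute_force_pin(verifier, DEVICE_KEY)


if __name__ == "__main__":
    pin, attempts = demo()
    print(f"recovered PIN {pin} after {attempts} guesses")
    # Assumed rate: 12.5 guesses/s, i.e. 80 ms per derivation (a constructed figure).
    for label, space in (("4-digit PIN", keyspace(10, 4)),
                         ("6-digit PIN", keyspace(10, 6)),
                         ("8-char alphanumeric", keyspace(62, 8))):
        print(f"{label:22s} {space:>16d} codes, worst case {worst_case_seconds(space, 12.5):.0f} s")
```

With the device key known, the only thing standing between the attacker and the data is the per-guess cost of the derivation multiplied by the number of candidates. At the assumed 80 ms per guess a four-digit PIN falls in under 14 minutes worst case, six digits in under a day, and an eight-character alphanumeric code takes longer than the device will exist; that is the whole argument for something stronger than the default.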
It's easy enough to do some cursory static analysis of an app and its files using tools like iExplorer (formerly iPhone Explorer). At the very least, make sure your apps don't store login credentials in properties files and the like. Next, turn on strong passwords and use a reasonably strong one. A PIN just doesn't cut it.

The mobile computing world is as vibrant as any tech environment in the world today. To call the growth explosive would be an understatement. It's easy to lose sight of core security principles in such a rapidly moving world. Still, developers should at the very least make use of security APIs when the platform allows. There's just no excuse for not making use of keychains and other secure data storage mechanisms.
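The "cursory static analysis" the column recommends is mostly a matter of pulling an app's container off the device and reading its property files. The following is an added example, not code from the column or from any tool it names: it parses a plist and a Java-style .properties file and flags keys whose names suggest a credential (password, token, session, API key), which are exactly the values that belong in the keychain rather than in a file an attacker can copy over USB. The key-name pattern and both sample files are constructed.

```python
"""Cursory static check for credentials left in an app's property files.

Added example, not from the column. It performs the check the column
recommends: look at the .plist and .properties files an app stores and flag
keys that look like credentials, which belong in the platform keychain instead.
The key pattern and both sample files below are constructed.
"""
import plistlib
import re

# Key names that usually mean a secret is being stored (constructed heuristic).
SUSPICIOUS_KEY = re.compile(r"(pass(word|wd)?|secret|token|session|cookie|api[_-]?key)", re.I)


def _scan_mapping(obj, prefix):
    """Walk nested dicts/lists from a parsed plist; return [(key_path, value)] hits."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}/{key}"
            if SUSPICIOUS_KEY.search(str(key)) and not isinstance(value, (dict, list)):
                hits.append((path, value))
            hits.extend(_scan_mapping(value, path))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(_scan_mapping(value, f"{prefix}[{i}]"))
    return hits


def scan_plist(data):
    """Suspicious entries in an XML or binary plist given as bytes."""
    return _scan_mapping(plistlib.loads(data), "")


def scan_properties(text):
    """Suspicious entries in Java-style key=value .properties text."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if SUSPICIOUS_KEY.search(key) and value:
            hits.append((key, value))
    return hits


# Constructed iOS preferences file: a username is fine, a password and a session token are not.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>username</key><string>jdoe</string>
  <key>password</key><string>hunter2</string>
  <key>account</key>
  <dict>
    <key>sessionToken</key><string>sess-4f2a9c</string>
    <key>theme</key><string>dark</string>
  </dict>
</dict>
</plist>
"""

# Constructed Android-side properties file.
SAMPLE_PROPERTIES = """# app settings (constructed)
server=api.example.com
api_key=k-7f3d9e
lastLogin=2012-04-30
"""

if __name__ == "__main__":
    for path, value in scan_plist(SAMPLE_PLIST):
        print(f"plist {path}: {value!r}")
    for key, value in scan_properties(SAMPLE_PROPERTIES):
        print(f"properties {key}: {value!r}")
```

A hit here is not proof of a vulnerability, only a reason to open the file and ask why the value is there; a hashed password in a plist still counts, since the column's point is that the file itself is reachable with nothing more than a cable.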