Tuesday, April 8, 2014

Hackers Lurking in Vents and Soda Machines

Security experts like Billy Rios of Qualys say computer-equipped machinery like air conditioners can be used to gain access to sensitive company data.CreditJessica Lifland for The New York Times
Continue reading the main storyShare This Page
SAN FRANCISCO — They came in through the Chinese takeout menu.
Unable to breach the computer network at a big oil company, hackers infected with malware the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the business’s vast computer network.
Security experts summoned to fix the problem were not allowed to disclose the details of the breach, but the lesson from the incident was clear: Companies scrambling to seal up their systems from hackers and government snoops are having to look in the unlikeliest of places for vulnerabilities.
Hackers in the recent Target payment card breach gained access to the retailer’s records through its heating and cooling system. In other cases, hackers have used printers, thermostats and videoconferencing equipment.
Companies have always needed to be diligent in keeping ahead of hackers — email and leaky employee devices are an old problem — but the situation has grown increasingly complex and urgent as countless third parties are granted remote access to corporate systems. This access comes through software controlling all kinds of services a company needs: heating, ventilation and air-conditioning; billing, expense and human-resources management systems; graphics and data analytics functions; health insurance providers; and even vending machines.
Vincent Berk, a security expert with FlowTraq.CreditHerb Swanson for The New York Times
Break into one system, and you have a chance to break into them all.
“We constantly run into situations where outside service providers connected remotely have the keys to the castle,” said Vincent Berk, chief executive of FlowTraq, a network security firm.
Data on the percentage of cyberattacks that can be tied to a leaky third party is difficult to come by, in large part because victims’ lawyers will find any reason not to disclose a breach. But a survey of more than 3,500 global I.T. and cybersecurity practitioners conducted by a security research firm, the Ponemon Institute, last year found that roughly a quarter — 23 percent — of breaches were attributable to third-party negligence.
Security experts say that figure is low. Arabella Hallawell, vice president of strategy at Arbor Networks, a network security firm in Burlington, Mass., estimated that third-party suppliers were involved in some 70 percent of breaches her company reviewed.
“It’s generally suppliers you would never suspect,” Ms. Hallawell said.
The breach through the Chinese menu — known as a watering hole attack, the online equivalent of a predator lurking by a watering hole and pouncing on its thirsty prey — was extreme. But security researchers say that in most cases, attackers hardly need to go to such lengths when the management software of all sorts of devices connects directly to corporate networks. Heating and cooling providers can now monitor and adjust office temperatures remotely, and vending machine suppliers can see when their clients are out of Diet Cokes and Cheetos. Those vendors often don’t have the same security standards as their clients, but for business reasons they are allowed behind the firewall that protects a network.
Security experts say vendors are tempting targets for hackers because they tend to run older systems, like Microsoft’s Windows XP software. Also, security experts say these seemingly innocuous devices — videoconference equipment, thermostats, vending machines and printers — often are delivered with the security settings switched off by default. Once hackers have found a way in, the devices offer them a place to hide in plain sight.
“The beauty is no one is looking there,” said George Kurtz, the chief executive of Crowdstrike, a security firm. “So it’s very easy for the adversary to hide in these places.”
Last year, security researchers found a way into Google’s headquarters in Sydney, Australia, and Sydney’s North Shore Private hospital — and its ventilation, lighting, elevators and even video cameras — through their building management vendor. More recently, the same researchers found they could breach the circuit breakers of one Sochi Olympic arena through its heating and cooling supplier.
Fortunately, the researchers were merely testing for flaws that could have been exploited by real hackers.
Billy Rios, director of threat intelligence at Qualys, a security firm, was one of those researchers. He said it was increasingly common for corporations to set up their networks sloppily, with their air-conditioning systems connected to the same network that leads to databases containing sensitive material like proprietary source code or customer credit cards.
“Your air-conditioning system should never talk to your H.R. database, but nobody ever talks about that for some reason,” Mr. Rios said.
The Ponemon survey last year found that in 28 percent of malicious attacks, respondents could not find the source of the breach. Ms. Hallawell compared the process of finding the source of a breach to “finding a needle in a haystack.”
Ideally, security experts say, corporations should set up their networks so that access to sensitive data is sealed off from third-party systems and remotely monitored with advanced passwords and technology that can identify anomalous traffic — like someone with access to an air-conditioning monitoring system trying to get into an employee database.
But even then, companies require security personnel with experience in detecting such attacks. Even though Target used security technology supplied by FireEye, a company that sounds alerts when it identifies such anomalous activity, its I.T. personnel ignored the red flags, according to several people who confirmed the findings of a Bloomberg Businessweek investigation last month but could not speak publicly about Target’s continuing internal investigation.
Like all else, security experts say, it’s simply a matter of priorities. One Arbor Networks study found that unlike banks, which spend up to 12 percent of their information technology budgets on security, retailers spend, on average, less than 5 percent of their budget on security. The bulk of that I.T. spending goes to customer marketing and data analytics.
“When you know you’re the target and you don’t know when, where or how an attack will take place, it’s wartime all the time,” Ms. Hallawell said. “And most organizations aren’t prepared for wartime.”

Gen Y Bucks Policies on Use of Personal Devices

BSamuel Greengard  |  Posted 2013-12-03  Email Print this article Print
 0  17 Google +2  0 
It's no secret that Generation Y has drastically different values about technology than other generations. But now these differences are playing out in the enterprise, particularly as mobility and the bring-your-own-device (BYOD) movement flourish. A newly released survey conducted by network security firm Fortinet found that younger workers are taking an increasingly hard-line stand on corporate policies that limit and control devices, particularly personal technologies such as smartphones, tablets, smart watches and emerging devices such as Google Glass. The "Fortinet Internet Security Census 2013" polled 3,200 employees ranging in age from 21 to 32 in 20 countries. Among other things, it found that there's a 42 percent increase in the respondents' willingness to break usage rules compared to a similar Fortinet survey conducted in 2012. The research also illustrates the extent to which Gen Y have been victims of cyber-crime on their personal devices, their "threat literacy" and their widespread practice of storing corporate assets in personal cloud accounts. "The study highlights the greater challenge IT managers face when it comes to knowing where corporate data resides and how it is being accessed," says John Maddison, Fortinet vice president of marketing. "Now, more than ever, there is a requirement for security intelligence to be implemented at the network level in order to enable control of user activity based on devices, applications being used and locations."
- See more at: http://www.baselinemag.com/security/slideshows/gen-y-bucks-policies-on-use-of-personal-devices.html/#sthash.mll2bBBX.dpuf

Thursday, March 27, 2014

Android Security Remains a Glaring Problem: 10 Reasons Why

Android has grabbed an unassailable position in the mobile operating system market. In fact, some estimates put Android's global smartphone market share at 87 percent and rising. Most analysts believe that in a matter of years, Android will be as dominant in mobile as Windows was years ago in the desktop PC market. Google, through its partnerships with vendors, advertisers and application marketplaces, will benefit greatly from that.

But there's another far less positive parallel between Windows and Android that cannot be underestimated. According to the latest data from security firm F-Secure, 97 percent of all mobile malware targeted Android devices in 2013. In 2012 that figure stood at 79 percent. What's worse, the total number of malware signatures is on the rise. In 2012, the mobile firm identified 238 Android threats. Now, that figure stands at 804.

Those statistics, coupled with the ongoing concern among enterprise customers that no single security solution even comes close to solving the mobile world's troubles, should make just about anyone worry about Android security.

Read on to find out why: - See more at: http://www.eweek.com/mobile/slideshows/android-security-remains-a-glaring-problem-10-reasons-why.html?kc=EWKNLEDP03262014A&dni=114199973&rni=23389406#sthash.iJZoqGBT.dpuf

Friday, March 7, 2014

Boeing's Secure Black Smartphone: 10 Cool Features We All Might Want

Boeing, a company that is perhaps best known for its work in aviation and as a highly trusted U.S. government contractor, has unveiled a new smartphone it's calling, simply, Black. The handset, designed for U.S. and presumably allied intelligence agencies, will try to maximize device and data security while still providing agents in the field with reliable mobile connections. Boeing's Black smartphone highlights the impact cyber-security is having on governments around the world. Each day, it's believed that the United States and foreign governments like China are spying on government and corporate networks to gather strategic information. A hidden cyber-war is being waged, and the country that has the strongest tools might succeed in gaining an edge that could prove decisive in the event of conflict. This eWEEK slide show looks at the Boeing Black and what makes it such an interesting and potentially useful tool in the intelligence field. Admittedly, the following information is based only on what's been made publicly available. All of the specifications that make the Boeing Black valuable to the intelligence community will likely never see the light of day—at least not for years to come. - See more at: http://www.eweek.com/mobile/slideshows/boeings-secure-black-smartphone-10-cool-features-we-all-might-want.html? 3 Comments for "Boeing's Secure Black Smartphone: 10 Cool Features We All Might Want" AmericanPrivacysaid on March 5, 2014 03:00 pm NSA proof phone made in the USA? Yea Right. Between the Patriot Act and CISPA don't believe this for a second.And if NSA can tap into Google and others without them knowing it, then what would stop NSA from taking the data from Boeing which lifeline is and will remain government contracts. And Verizon as the carrier? Really they are already participating in the Prism program. Certain government officials here in the states already have a "hack-proof" phone and it is NOT available to the public. Visit www.americansrighttoprivacy.com for real solutions that reside in Switzerland. he Swiss specifically established a rate of privacy in their Constitution and reinforced it in their Data Protection Act which maintains that individuals and companies have a right to privacy in their electronic communications. DDG-12said on March 3, 2014 12:18 pm Right. That makes the game "spot the fed" like a child play - just pay attention on their handset. Agents will be compromised the second they pull it out of the pocket. nrmr44said on February 28, 2014 06:02 pm It is too obviously a Boeing Black. They should have made it look like an indigenous Chinese model.