A recent Chinese military reorganization increases the danger posed by People's Liberation Army cyber warfare and intelligence units, which have been consolidated into a new Strategic Support Force. The announcement of the reorganization, made by the Chinese government on Dec. 31, provided few details of what has changed for three military intelligence units formerly under the now-defunct General Staff Department. U.S. officials and China analysts say the major cyber warfare and intelligence-gathering groups were elevated into the new Strategic Support Force, a service-level force equal in standing to China's army, navy, air force and missile services.

They include the 3rd Department, or 3PLA, believed to have as many as 100,000 cyber warfare hackers and signals intelligence troops under its control. The group includes highly trained personnel who specialize in network attacks, information technology, code-breaking and foreign languages. Five members of a 3PLA hacking unit were indicted in 2014 by the Justice Department for commercial cyber attacks against American companies. The 4th Department, China's separate military electronic intelligence and electronic warfare service, is also part of the new force, as is 2PLA, the traditional military spy service devoted to human intelligence. More than 500 of the cyber attacks were gauged to involve "significant intrusions" of defense networks.

What additional threats do these actions pose to US cyber security? Share your comments with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
Thursday, May 26, 2016
Tuesday, May 24, 2016
Microsoft Outlines Strategy for Combatting Online Terrorist Content
Microsoft, in a rather long blog post, outlined policies for removing "terrorist content" online, which it defines as material that supports organizations on the U.N. Security Council Sanctions List. The specific steps Microsoft will take include: 1) Removing terrorist content, 2) Defining terrorist content, 3) Observing notice-and-takedown, 4) Promoting free expression on Bing, 5) Leveraging new technologies, 6) Investing in public-private partnerships, and 7) Providing additional information and resources. The company went on to say, "Terrorism is one of the truly urgent issues of our time." It has changed its terms of use "to specifically prohibit the posting of terrorist content on [their] hosted consumer services," such as OneNote, a cloud-based note-taking program. "When terrorist content on our hosted consumer services is brought to our attention via our online reporting tool, we will remove it," Microsoft wrote in its post Friday. Microsoft is entering this conversation months later than firms like Twitter and Facebook, but the company says it plays a different role: "Although Microsoft does not run any of the leading social networks or video-sharing sites, from time to time, terrorist content may be posted to or shared on our Microsoft-hosted consumer services." Will these actions impact the security of 'all things Microsoft' in the Internet era? Share your assessment with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
Friday, May 20, 2016
Fraudulent SWIFT Messages Target Offshore Banks - Is Global Banking at Risk?
The methods used by hackers to attack banks in Vietnam and Bangladesh appear to have been deployed over a year ago in a heist in Ecuador. Vietnam's Tien Phong Bank said that it interrupted an attempted cyber heist that involved the use of fraudulent SWIFT messages, the same technique at the heart of February's massive theft from the Bangladesh central bank. Hanoi-based TPBank said in a statement late on Sunday, in response to inquiries from Reuters, that in the fourth quarter of last year it identified suspicious requests, sent through fraudulent SWIFT messages, to transfer more than 1 million euros ($1.1 million) of funds. The January 2015 attack on Banco del Austro is described in a lawsuit filed by the bank in a New York federal court. It ended with thieves transferring $12 million to accounts in Hong Kong, Dubai, New York and Los Angeles, according to court documents. The existence of the lawsuit was first reported Friday, just a week after the global banking communications network SWIFT instructed clients to secure their local computer networks. SWIFT, the Society for Worldwide Interbank Financial Telecommunication, warned customers that the two previous attacks, against banks in Bangladesh and Vietnam, appeared to be "part of a wider and highly adaptive campaign." Which counter-measures can the global banking system take to mitigate fraudulent SWIFT messages? Send your recommendations to the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
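One concrete counter-measure is to reconcile what the SWIFT gateway actually sent against what the bank's own core system authorised, since an injected or altered instruction shows up as a message with no matching authorisation or with a different amount or beneficiary. The following is an added example, not code from TPBank, SWIFT or the post above; the message records, field names, the known-beneficiary list and the high-value thresholds are all constructed for illustration.

```python
"""Reconcile outbound payment instructions against the core banking ledger.

Added example, not code from any bank, from SWIFT or from the post above.
The records, field names and thresholds are constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Instruction:
    ref: str           # transaction reference (field :20: in an MT103)
    amount: Decimal
    currency: str
    beneficiary: str   # beneficiary account identifier
    country: str       # beneficiary country (ISO 3166 alpha-2)


# What the SWIFT gateway actually sent out (constructed sample).
GATEWAY_OUTBOUND = [
    Instruction("TX1001", Decimal("250000.00"), "USD", "ACME-NY", "US"),
    Instruction("TX1002", Decimal("1200000.00"), "EUR", "NEWCO-HK", "HK"),
    Instruction("TX1003", Decimal("15000.00"), "USD", "ACME-NY", "US"),
    Instruction("TX1004", Decimal("100000.00"), "USD", "ACME-NY", "US"),
]

# What the core banking system actually authorised (constructed sample).
CORE_AUTHORISED = {
    "TX1001": Instruction("TX1001", Decimal("250000.00"), "USD", "ACME-NY", "US"),
    "TX1003": Instruction("TX1003", Decimal("15000.00"), "USD", "ACME-NY", "US"),
    "TX1004": Instruction("TX1004", Decimal("10000.00"), "USD", "ACME-NY", "US"),
    "TX1005": Instruction("TX1005", Decimal("5000.00"), "USD", "ACME-NY", "US"),
}

# Beneficiaries this bank has paid before (constructed).
KNOWN_BENEFICIARIES = {"ACME-NY"}

# Per-currency amount above which a payment always gets a second look (constructed).
HIGH_VALUE = {"USD": Decimal("500000"), "EUR": Decimal("500000")}


def reconcile(outbound, authorised, known, high_value=HIGH_VALUE):
    """Map each suspicious outbound reference to the reasons it was flagged.

    A message the core system never authorised, or whose amount, currency or
    beneficiary differ from the authorised payment, is the signature of an
    instruction injected or altered on the SWIFT side of the bank.
    """
    findings = {}
    for msg in outbound:
        reasons = []
        auth = authorised.get(msg.ref)
        if auth is None:
            reasons.append("no matching core-banking authorisation")
        elif (auth.amount, auth.currency, auth.beneficiary) != (
            msg.amount, msg.currency, msg.beneficiary
        ):
            reasons.append("message differs from authorised payment")
        if msg.beneficiary not in known:
            reasons.append("first payment to this beneficiary")
        if msg.amount >= high_value.get(msg.currency, Decimal("Infinity")):
            reasons.append("high value")
        if reasons:
            findings[msg.ref] = reasons
    return findings


def unsent_authorisations(outbound, authorised):
    """References the core system authorised but the gateway never sent.

    An authorised payment that quietly disappears is the mirror image of an
    injected one and deserves the same investigation.
    """
    sent = {msg.ref for msg in outbound}
    return sorted(ref for ref in authorised if ref not in sent)


if __name__ == "__main__":
    for ref, why in reconcile(GATEWAY_OUTBOUND, CORE_AUTHORISED, KNOWN_BENEFICIARIES).items():
        print(ref, "->", "; ".join(why))
    print("authorised but never sent:", unsent_authorisations(GATEWAY_OUTBOUND, CORE_AUTHORISED))
```

The point of the design is that the two record sets come from systems under different administrative control, so an attacker who owns the SWIFT terminal still has to tamper with the core ledger to make a forged instruction reconcile cleanly. Run the comparison from a host that neither system can write to, and on a schedule short enough to stop a transfer before correspondent banks execute it.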
Thursday, May 19, 2016
IBM Ushers in the New Era of Cognitive Security
Cognitive security is built upon security intelligence. Cognitive
solutions generate not just answers, but hypotheses, evidence-based
reasoning and recommendations for improved decision making in real time.
As a result, cognitive security will help address the current skills
gap, accelerate responses and help reduce the cost and complexity of
dealing with cybercrime. Think about the 75,000+ documented software
vulnerabilities, 10,000+ security research papers published each year
and 60,000+ security blogs published each month. What’s possible now is
the ability to quickly interpret this data — created by humans for
humans — and integrate it with structured data from countless sources
and locations. Security firms now have
the means to mine both structured and unstructured data, and
continuously extract features and patterns to provide context in real
time. The result: Security analysts, armed with this collective
knowledge and instinct, will be able to respond to threats with greater
confidence and speed. Cognitive security will empower security
analysts with the capabilities to find early warnings of potential
attacks and significantly speed detection. Cybercriminals will find the
payoffs to be harder and harder to achieve. Can cognitive security fulfill its mission by mitigating cyber crime? Share your comments with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
Wednesday, May 18, 2016
Defacements and Intrusions Now Target US Presidential Campaigns
Democratic and Republican presidential contenders are now the targets of cyber attacks, US Director of National Intelligence James Clapper said Wednesday. "We already have some indications of that," he said during a cyber-security discussion at the Bipartisan Policy Center in Washington. "I anticipate that as the campaign intensifies, we are probably going to have more of it." The Department of Homeland Security and the Federal Bureau of Investigation are doing "what they can" to educate both campaigns about potential cyber threats ahead of the general election in November, when Republican Donald Trump will likely face off against Democrat Hillary Clinton, Clapper said. "There is a long-standing practice of briefing each of the candidates once they are officially designated, and that shifts into a higher gear in terms of details after the president-elect is known," he added. Asked for details about specific incidents, Clapper's office referred questions to the FBI. "We're aware that campaigns and related organizations and individuals are targeted by actors with a variety of motivations -- from philosophical differences to espionage," FBI spokesman Brian Hale later said. Those attacks ranged "from defacements to intrusions," he added. The FBI did not immediately respond to a request for additional details. The national intelligence director advises the president and oversees the activity of 17 US intelligence agencies. Which steps should the presidential campaigns take to thwart cyber attacks? Share your recommendations with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
Tuesday, May 17, 2016
NatCSIRT Conference Preview - July 17-18 in Seoul, South Korea
The Forum of Incident Response and Security Teams (FIRST), a recognized global leader in incident response, has announced the line-up for its 28th Annual Conference, which takes place this June (12th to 18th) in Seoul, South Korea. Opening the conference will be Professor Jong In Lim of the Graduate School of Information Security at Korea University, former Special Adviser in Security to the President. He will deliver a keynote on Korea's cybersecurity status and its direction toward a better future, and consider how the world can respond to global cyber threats by taking a "Security First" approach. Professor Lim leads a conference program that includes seven days of workshops, keynote addresses and speaker presentations delivered by industry experts and organisations as diverse as the United Nations and Cisco Systems. Topics under discussion at this year's conference range from threat intelligence sharing and detecting targeted web compromises, to the missing links between cybercrime gangs and the dark side of online advertisements. Each day of the conference will open with a keynote from an expert in information technology and cyber security, with speakers such as Doug Dooley from Venrock, who will provide a Silicon Valley VC perspective on Fostering Security Innovation. Kee Seung Baik, President and CEO of the Korea Internet & Security Agency (KISA), the local host of the conference, said that it is a privilege to host the largest and most prestigious cyber incident response conference in Seoul. How valuable are the annual NatCSIRT Conferences to security professionals around the globe? Share your comments with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
Monday, May 16, 2016
Google's VirusTotal Anti-Malware API Policy Change Impacts Security Vendors
Next-gen anti-malware focuses on behavior and reputation rather than signatures. It watches networks and traffic and notes behavioral anomalies that might indicate the presence of malware or an intruder. But it is relatively new, and to a certain extent it must weaken the traditional anti-malware industry's grip on customers.

VirusTotal (VT), owned by Google, is an online service that checks suspicious files against an array of anti-malware products. On May 4, VT issued a policy change that has alarmed many security vendors: "all scanning companies will now be required to integrate their detection scanner in the public VT interface, in order to be eligible to receive antivirus results as part of their VirusTotal API services." Because the check is static, it relies heavily on the signature engines of the participating vendors. In its own words, VT is "a collaborative service to promote the exchange of information and strengthen security on the internet." If a submitted file is found to be malicious, details are circulated to all participating companies, and in this sense VT is an early and effective threat sharing mechanism.

The check is primarily against signature engines, which are only one part of traditional anti-malware, so a VT result taken in isolation is misleading; VT has always said precisely this. Nevertheless, over the last few years some parts of the next-gen industry have not hesitated to use VT results to suggest that the traditional industry is failing its customers. VirusTotal also offers an API that lets subscribers integrate their own systems with the VT database, allowing a vendor that detects a suspicious file to check it automatically against VT and return the results to the customer as if they were its own. What impact will VT's policy change have on the next-gen anti-malware vendors? Share your thoughts with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
Friday, May 13, 2016
Nation-State Cyber APT Attacks are Increasing According to the US FBI
"Advanced Persistent Threat (APT) cyber actors continue to target sensitive information stored on U.S. commercial and government networks through cyber espionage," the FBI said in a May 11 notification. The term "APT actor" is a euphemism for state-sponsored or highly sophisticated cyber attackers, usually with connections to foreign militaries or intelligence services. Two cyber security researchers who examined the FBI notice, which lists details of the attacks, said the tactics appeared similar to those used in the past by Chinese hackers, including the suspects behind the massive theft of records on 22 million federal workers from the Office of Personnel Management.

The FBI listed seven major Internet server software types hacked in the past year, including two Adobe ColdFusion security flaws. ColdFusion is Adobe's web application platform and commonly fronts large databases. Other attacks involved Apache Tomcat, JBoss, and Cacti, a network monitoring and graphing tool. Drupal servers, used to operate a large number of websites around the world, including corporate and government sites, also were compromised, as was Joomla content-management software, the FBI said. A seventh compromise affected Oracle's E-Business Suite, used for customer and supply-chain management. State-sponsored hackers exploited vulnerabilities in all seven types of software, and "some of these vulnerabilities are also exploited by cyber criminals in addition to state-sponsored operators," the FBI said. How effective can proactive patch management be in preventing this brand of cyber warfare? Share your assessment with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
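Proactive patch management for the seven product families above starts with knowing which exposed instances sit below the version the vendor's current advisory calls for. The script below is an added example, not from the FBI notice or from any of the vendors named: the host inventory is constructed, and the baseline versions are placeholders, not real fixed versions for these products, so replace them with the figures from the vendors' advisories before relying on the output.

```python
"""Flag internet-facing servers that fall below a patch baseline.

Added example, not from the FBI notice. The inventory is constructed and
the baseline versions are placeholders, not real fixed versions for these
products: replace them with the vendor's current advisories.
"""
import re


def parse_version(version):
    """Turn '9.0.1', '7.50' or '0.8.7h' into a tuple of integers for comparison.

    Letter suffixes are dropped, so '0.8.7h' compares as (0, 8, 7); products with
    non-numeric release schemes need their own comparison rule.
    """
    nums = re.findall(r"\d+", version)
    if not nums:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(n) for n in nums)


# Minimum acceptable version per product (constructed placeholders).
BASELINE = {
    "coldfusion": "11.0.9",
    "tomcat": "8.0.30",
    "jboss": "7.1.1",
    "cacti": "0.8.8",
    "drupal": "7.50",
    "joomla": "3.5.1",
    "oracle-ebs": "12.2.5",
}

# Constructed inventory: one record per exposed service.
INVENTORY = [
    {"host": "web1.example.test", "product": "coldfusion", "version": "11.0.3"},
    {"host": "web2.example.test", "product": "tomcat", "version": "8.0.33"},
    {"host": "app1.example.test", "product": "jboss", "version": "6.4.0"},
    {"host": "mon1.example.test", "product": "cacti", "version": "0.8.7h"},
    {"host": "cms1.example.test", "product": "drupal", "version": "7.50"},
    {"host": "cms2.example.test", "product": "joomla", "version": "3.4.8"},
    {"host": "erp1.example.test", "product": "oracle-ebs", "version": "12.2.5"},
    {"host": "old1.example.test", "product": "phpmyadmin", "version": "4.4.0"},
]


def find_out_of_date(inventory, baseline):
    """Return (records below baseline, records whose product has no baseline).

    The second list matters as much as the first: software nobody tracks is
    software nobody patches.
    """
    behind, untracked = [], []
    for rec in inventory:
        floor = baseline.get(rec["product"])
        if floor is None:
            untracked.append(rec)
        elif parse_version(rec["version"]) < parse_version(floor):
            behind.append({**rec, "required": floor})
    return behind, untracked


if __name__ == "__main__":
    behind, untracked = find_out_of_date(INVENTORY, BASELINE)
    for rec in behind:
        print(f"{rec['host']}: {rec['product']} {rec['version']} < {rec['required']}")
    for rec in untracked:
        print(f"{rec['host']}: {rec['product']} has no baseline")
```

In practice the inventory comes from an asset database or a fingerprinting scan of the exposed perimeter rather than a hard-coded list, and the baseline is refreshed whenever a vendor advisory lands; the comparison logic stays the same.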
Thursday, May 12, 2016
Mozilla Files Court Brief Seeking Tor Browser Vulnerability Details from the US FBI
The ongoing battle over the US FBI's use of a zero-day in the Tor anonymity browser hit a new gear this week, with Mozilla filing a brief to get access to the vulnerability details. The brief, filed with the U.S. District Court for the Western District of Washington, warns that "the security of millions of individuals using Mozilla's Firefox Internet browser could be put at risk by a premature disclosure of this vulnerability." Tor Browser, popular among web users for the privacy and anonymity features it offers, is a modified version of Mozilla's Firefox. Mozilla now wants to make sure its own code isn't implicated in the Tor zero-day that the FBI used in 2015 to unmask web users accessing child pornography content. "If our code is implicated in a security vulnerability, [the] government must disclose the vulnerability to us before it is disclosed to any other party. We aren't taking sides in the case, but we are on the side of the hundreds of millions of users who could benefit from timely disclosure," Mozilla Chief Legal and Business Officer Denelle Dixon-Thayer wrote. The brief urges the court to require the government to disclose the vulnerability to the affected technology companies first, so it can be patched quickly. During the criminal case proceedings, Judge Robert J. Bryan ordered the FBI to reveal the code it used to track the defendants, but the government refused, arguing that the details of the exploit were not necessary for the defense's case. Is Mozilla's position valid? Should the FBI be required to disclose the Tor vulnerabilities? Share your comments with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
Tuesday, May 10, 2016
Cyber Security Certifications for Dedicated IT Professionals
With the tidal wave of cyber threats over the past four to six years, private sector and educational organizations alike have begun to offer certifications that equip and validate security professionals for this challenging assignment. Stanford University offers the Cyber Security Online Certificate, which addresses immediate cyber threats and the longer-term emergent flaws created by rapid advances in information technology. Its topics include: principles of computer systems security and digital forensics for identifying threats; the impact of technology on national security and lessons learned by the U.S. government; test methods for possible system penetrations and the design of network perimeter defenses; and how cryptographic technologies can be an indispensable tool for protecting information. Cisco's Cybersecurity Specialist certification recognizes security professionals who have attained specialized in-depth expertise and proven knowledge in the essential areas of proactive cyber threat detection and mitigation. Designed for professional security analysts and leveraging the features of Cisco and other network security products used today, it focuses on event monitoring, security event/alarm/traffic analysis, and incident response. ISACA's Cybersecurity Nexus (CSX) offers three levels of certification: CSX Practitioner, CSX Specialist and CSX Expert. And GIAC's Global Industrial Cyber Security Professional (GICSP) certification bridges IT, engineering and cyber security to secure industrial control systems from design through retirement. This vendor-neutral, practitioner-focused industrial control system certification is a collaborative effort between GIAC and representatives from a global industry consortium of organizations that design, deploy, operate and/or maintain industrial automation and control system infrastructure. Will these certs ensure that today's security professionals can defend their organizations against cyber threats? Share your comments with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
Monday, May 9, 2016
Cyber Unicorns on the Rise - How Will They Impact Your Firm's Security?
Recently I have heard people in my profession refer to "cyber Unicorns." Unicorn is a term the venture capital community uses for companies that reach a valuation of more than $1 billion; the reference, of course, is to the rarity of the event. There are many successful VC-backed companies, but reaching $1 billion is as rare as finding a Unicorn. The concept of cyber Unicorns is that financial crime achieved via cyber means is no longer a pastime; it is a full-time job. Criminal organizations pursue every means necessary to gain access to internal systems and then use multiple schemes to monetize that access. Typical schemes include "cyber ransom," where a company's data is encrypted and the key is provided only on payment of a ransom; exfiltration of intellectual property; acquisition and sale of customer data (especially uniquely identifying data) that facilitates identity theft; creation of phony invoices; illicit transfers of funds; and more. The number of schemes seems to be infinite.

To combat these cyber Unicorns, and all the wannabes, firms have to invest in both people and technology. People are needed because they can make good decisions, conduct investigations and see obscure patterns quickly. Technology is required because the volume of attacks is sufficient to overwhelm manual efforts no matter how skilled or dedicated the staff. This augmentation of people by technology is sometimes called creating Centaurs, an homage to the mythical creature that was half man and half horse. SOC analysts, and other security and cyber crime investigators, are the modern version of the Centaur, leveraging technology to sift through the universe of data to find the relevant data upon which to act. Just what impact will cyber Unicorns have on organizations like yours? Share your comments with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
Thursday, May 5, 2016
What Are the Top Cloud Software Security Threats?
According to a recent study reported by InfoWorld, twelve cloud security threats demand the highest priority from CISOs: data breaches; compromised credentials and broken authentication; hacked interfaces and APIs; exploited system vulnerabilities; account hijacking; human factors and malicious insiders; Advanced Persistent Threats; permanent data loss; lack of due diligence; cloud service abuses; DoS attacks; and shared technology, shared dangers. The extensive use of virtualization in cloud infrastructure brings unique security concerns for customers, or tenants, of a public cloud service. When an organization elects to store data or host applications in the public cloud, it gives up physical access to the servers hosting its information, so potentially sensitive data is at risk from insider attacks at the provider. According to a recent Cloud Security Alliance report, insider attacks are the third biggest threat in cloud computing. Cloud service providers must therefore ensure that thorough background checks are conducted for employees who have physical access to servers in the data center, and data centers must be continuously monitored for suspicious activity. Virtualization also alters the relationship between the OS and the underlying hardware, be it computing, storage or even networking. Which threats pose the greatest risks to your cloud software and infrastructure? Share your comments with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
Wednesday, May 4, 2016
ADP Client Companies Hacked By Cyber Thieves Seeking Tax Information
Earlier this week ADP explained how fraudsters managed to siphon W-2 tax forms using a convenient online feature. The incident seems small in scope. But it shows how fraudsters have
adopted novel techniques to steal personal information -- especially the
kind that can later be used to claim tax refunds. ADP didn't
say when the theft occurred, and wouldn't tell CNNMoney how many people
had their detailed income data exposed. But it noted the incident
affected "around a dozen" of the company's 630,000 corporate clients. One of them, US Bank, is where 1,400 people were affected. That's about 2% of the company, according to the bank. Here's how it happened, according to ADP. Many companies provide pay
information to their employees online. This makes it easier to download
past W-2 forms whenever they're needed for doing taxes or applying for a
loan. ADP offers this to their corporate clients via a
public-facing website. To register, an employee has to use a "unique
company registration code" and some personal information, such as a
Social Security number and birthday. ID thieves are interested in W-2 data because it contains much of the
information needed to fraudulently request a large tax refund from the IRS in someone else’s name. How secure are the employee records of global and domestic private sector firms? And which mitigation steps should they take? Share your comments with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
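The enrollment flow described above fails because every input it checks is something a fraudster can obtain: one registration code is shared by every employee of a client, and SSN and birthday pairs are sold in bulk. The code below is an added illustration, not ADP's code or its actual portal logic; the employer directory, company code, employee data and tokens are constructed. It models that flow beside a hardened one in which the employer issues each employee a single-use, expiring invitation token out of band, and an account can be claimed only once.

```python
"""Self-service payroll portal enrollment: the weak flow beside a hardened one.

Added illustration, not ADP's code; the employer directory, company code,
tokens and personal data below are constructed. It models the weakness
described above: a registration code shared by every employee of a client,
plus personal data that fraudsters can buy, is enough to claim an account.
"""
import hmac
import secrets
import time
from hashlib import sha256


def _h(value):
    """Hex SHA-256 of a string, so SSNs and tokens are never stored in clear."""
    return sha256(value.encode()).hexdigest()


def make_directory():
    """Constructed employer directory: employee id -> verification data."""
    return {
        "E100": {"ssn_hash": _h("123-45-6789"), "dob": "1980-02-14", "enrolled": False},
        "E101": {"ssn_hash": _h("987-65-4321"), "dob": "1975-09-30", "enrolled": False},
    }


COMPANY_CODE = "ACME-2016"   # one code shared by every employee of the client (constructed)


def weak_register(db, company_code, ssn, dob):
    """Flow described in the post: company code plus SSN and birthday claim the account.

    Whoever gets here first owns the employee's W-2 history, and nothing in the
    inputs proves the caller is the employee rather than someone who bought the data.
    """
    if not hmac.compare_digest(company_code, COMPANY_CODE):
        return None
    for emp_id, rec in db.items():
        if hmac.compare_digest(rec["ssn_hash"], _h(ssn)) and rec["dob"] == dob:
            rec["enrolled"] = True
            return emp_id
    return None


class InvitationRegistry:
    """Hardened flow: the employer issues a per-employee, single-use, expiring
    token delivered out of band (for example with the pay stub), and an account
    can be claimed only once. Knowing the company code and PII is no longer enough."""

    def __init__(self, ttl_seconds=72 * 3600):
        self.ttl = ttl_seconds
        self._pending = {}   # token hash -> (employee id, expiry timestamp)

    def issue(self, emp_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)
        self._pending[_h(token)] = (emp_id, now + self.ttl)
        return token   # handed to the employee; only its hash is kept server-side

    def register(self, db, token, ssn, dob, now=None):
        now = time.time() if now is None else now
        entry = self._pending.pop(_h(token), None)   # single use: gone after the first attempt
        if entry is None:
            return None
        emp_id, expires = entry
        if now > expires:
            return None
        rec = db[emp_id]
        if rec["enrolled"]:
            return None   # already claimed: alert the employee rather than overwrite
        if not (hmac.compare_digest(rec["ssn_hash"], _h(ssn)) and rec["dob"] == dob):
            return None   # token is bound to emp_id; another person's PII does not unlock it
        rec["enrolled"] = True
        return emp_id
```

A wrong guess against a valid token burns that token, so an attacker who intercepts an invitation gets one attempt and still needs the matching PII, while a legitimate employee who mistypes simply asks HR for a fresh invitation. Whatever the exact flow, the property to preserve is that enrollment requires something only the employer and the employee hold, not data that is effectively public.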
Tuesday, May 3, 2016
Best Practices to Mitigate Cyberthreats - What Works for Your Organization?
Data breaches are occurring more often these days, primarily because there is plenty of money to be made. As a result, cyberthieves are becoming progressively more sophisticated and increasingly determined in their efforts to evade and break through security solutions. Keeping your data safe requires staying a step ahead of the bad guys. By following these eight best practices, you can get out in front of the problem and reduce your vulnerability to malicious attacks from both inside and outside the business. Moreover, you'll be ready to implement quick countermeasures if a breach should occur. Here are the eight mitigation tactics recommended by Teradata Magazine: 1) Align Functional and Strategic Intelligence Resources, 2) Develop a Collaborative Culture for Sharing Information, 3) Allocate Resources Based Upon Threat Potential, 4) Design Programs to Suit the Organizational Mission, 5) Identify Gaps in Security Intelligence, 6) Automate Data Filtering, 7) Maintain Global Awareness, and 8) Know Your Enemies. Yes, these tactics are rather generic in nature. Nonetheless, which tactics does your organization find most effective in combating cyber crime? Share your recommendations with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
Monday, May 2, 2016
United Cyber Caliphate (UCC) Publishes Guide on Internet Encryption
A hacker from the pro-Islamic State (IS) "Kalashnikov E-Security Team," part of the United Cyber Caliphate (UCC), posted a guide on the benefits of using virtual private network (VPN) services to encrypt Internet usage and recommended particular services over others. A report from Flashpoint titled Hacking for ISIS: The Emergent Cyber Threat Landscape, first seen by Ars Technica, says that in April ISIS merged four independent pro-ISIS cyber teams into a single group called the United Cyber Caliphate. The group is made up of the Sons of the Caliphate Army, the Caliphate Cyber Army, the Ghost Caliphate Section and the Kalashnikov E-Security Team. These sound like rather scary organizations, but Flashpoint says they cannot do much harm, as they lack the expertise to conduct sophisticated digital assaults. "Until recently, our analysis of the group's overall capabilities indicated that they were neither advanced nor did they demonstrate sophisticated targeting," said Laith Alkhouri, Flashpoint co-founder and Director of Research & Analysis for the Middle East and North Africa. "With the latest unification of multiple pro-ISIS cyber groups under one umbrella, there now appears to be a higher interest and willingness amongst ISIS supporters in coordinating and elevating cyber attacks against governments and companies." The report reveals that British citizen Junaid Hussain was the leader of ISIS's former Cyber Caliphate Army. Known as TriCK and formerly part of the well-known black hat hacking group TeaMp0isoN, Hussain joined ISIS in the summer of 2014. Since then he has tried to recruit former colleagues into his team, but has not been very successful. What are the potential risks of this hacking threat to western high value targets? Share your comments with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/