The
New York Fed stands at the center of the globalized, dollar-denominated
world, maintaining as many as 250 accounts for central banks that
contain approximately $3 trillion in assets. One of the reasons those
funds are concentrated in New York is that the United States is seen as
among the safest places in the world for central bankers looking to
protect assets. At the same time, that massive pool of money represents a
rich and tempting target for international thieves and their growing
attempts at cybertheft. The amounts involved are staggering: a Federal
Reserve official told CNBC, for what appears to be the first time, that
as much as $80 billion is electronically wired into or out of
international accounts at the New York Fed on an average day. "I'm surprised it hasn't happened
before," said a former senior New York Fed official who left the bank
several years ago, referring to cyberthefts from the Fed. The Society for Worldwide Interbank Financial Telecommunication (SWIFT), which
is itself operated by a financial cooperative based in Brussels, said in
a statement Tuesday that it "is aware of a malware that aims to reduce
financial institutions' abilities to evidence fraudulent transactions on
their local systems." SWIFT also said that the Bangladesh hack is not
the only time thieves have attempted to break into an international
financial institution's software. "There are other instances in which
customers' internal vulnerabilities have been exploited," SWIFT said.
The cooperative said it made a mandatory software update available to
its customers this week. Which steps should the US Fed take to ensure higher security for daily transactions? Share your recommendations with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
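SWIFT's statement describes malware that attacks a bank's ability to evidence fraudulent transactions on its own systems. One control that makes such local tampering detectable is a hash-chained transaction journal whose current head hash is copied to an independent system that the local host cannot rewrite. The following is an added example, not code from SWIFT, the New York Fed or any bank mentioned on this page; the record fields, the journal layout and the sample transactions are constructed for illustration.

```python
import copy
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor for the first entry


def entry_hash(seq: int, prev: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal entries hash equally
    payload = json.dumps({"seq": seq, "prev": prev, "record": record},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append(journal: List[dict], record: dict) -> str:
    """Append a transaction record; returns the new chain head hash."""
    prev = journal[-1]["hash"] if journal else GENESIS
    seq = len(journal)
    entry = {"seq": seq, "prev": prev, "record": record,
             "hash": entry_hash(seq, prev, record)}
    journal.append(entry)
    return entry["hash"]


def verify(journal: List[dict], expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """(True, None) if the chain is intact, else (False, index of the first bad entry).

    expected_head is the head hash kept on a separate system. Without it, a
    truncation that only removes the newest entries cannot be detected.
    """
    prev = GENESIS
    for i, entry in enumerate(journal):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i
        if entry_hash(i, prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(journal)
    return True, None


# Constructed sample transactions (hypothetical account ids and amounts)
SAMPLE_RECORDS = [
    {"msg_id": "CONSTRUCTED-0001", "debit": "ACCT-A", "credit": "ACCT-B", "amount": "1000000.00", "ccy": "USD"},
    {"msg_id": "CONSTRUCTED-0002", "debit": "ACCT-A", "credit": "ACCT-C", "amount": "250000.00", "ccy": "USD"},
    {"msg_id": "CONSTRUCTED-0003", "debit": "ACCT-D", "credit": "ACCT-A", "amount": "75000.00", "ccy": "USD"},
]


def build_sample_journal() -> Tuple[List[dict], str]:
    """Journal built from the constructed records, plus the head hash to store off-host."""
    journal: List[dict] = []
    head = GENESIS
    for rec in SAMPLE_RECORDS:
        head = append(journal, rec)
    return journal, head


def altered_amount(journal: List[dict], index: int, new_amount: str) -> List[dict]:
    """Copy of the journal in which one record's amount was rewritten in place."""
    j = copy.deepcopy(journal)
    j[index]["record"]["amount"] = new_amount
    return j


def without_entry(journal: List[dict], index: int) -> List[dict]:
    """Copy of the journal with one entry deleted, as evidence-hiding malware would do."""
    j = copy.deepcopy(journal)
    del j[index]
    return j


if __name__ == "__main__":
    journal, head = build_sample_journal()
    print("intact:", verify(journal, head))
    print("amount rewritten:", verify(altered_amount(journal, 1, "10.00"), head))
    print("middle entry deleted:", verify(without_entry(journal, 1), head))
    print("newest entry deleted, no external head:", verify(without_entry(journal, 2)))
    print("newest entry deleted, external head:", verify(without_entry(journal, 2), head))
```

The last two calls are the point of the design: deleting the newest entry leaves a chain that still verifies on its own, so the head hash must live somewhere the compromised host cannot write to (a separate log host, a printer, a regulator feed) for the check to have teeth.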
Friday, April 29, 2016
Wednesday, April 27, 2016
CERT CMU Identifies Flaws in HP Data Protector Authentication and SSL Private Keys
HP Data Protector does not perform user authentication, even when Encrypted Control Communications is enabled, and contains an embedded SSL private key that is shared among all installations.
Missing Authentication for Critical Function: Data Protector does not authenticate users, even with Encrypted Control Communications enabled. An unauthenticated remote attacker may be able to execute code on the server hosting Data Protector.
Use of Hard-coded Cryptographic Key: Data Protector contains an embedded SSL private key. This private key appears to be shared among all installations of Data Protector. Data Protector versions 7, 8, and 9 are affected; other versions may also be impacted.
Impact: An unauthenticated remote attacker may be able to execute code on the server, or perform man-in-the-middle attacks against the server.
Solution: Apply an update. HP has released updates to Data Protector versions 7, 8, and 9 to address these issues. Affected users may also consider the following workaround. Restrict network access: as a general good security practice, only allow connections from trusted hosts and networks.
How large of a threat do these Data Protector flaws pose to CISOs in private sector and government organizations? Share your assessment with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
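Because the embedded private key is shared among installations, one check a defender can run is an inventory pass that fingerprints the key material collected from each server and flags any key that appears on more than one host. The following is an added example, not HP's or CERT's code; the host names, the PEM blobs and the key material are constructed placeholders (they are not real keys, and the location of the real Data Protector key file is not given on this page).

```python
import base64
import hashlib
import re
from collections import defaultdict
from typing import Dict, List

# Matches one PEM block; the body may be wrapped at any width
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def pem_fingerprint(pem: str) -> str:
    """SHA-256 over the decoded DER bytes, so line wrapping and whitespace do not matter."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM block found")
    der = base64.b64decode("".join(m.group("body").split()))
    return hashlib.sha256(der).hexdigest()


def find_shared_keys(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map fingerprint -> sorted host list, for every key seen on more than one host."""
    by_fp: Dict[str, List[str]] = defaultdict(list)
    for host, pem in inventory.items():
        by_fp[pem_fingerprint(pem)].append(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


def _constructed_pem(label: str, material: bytes, width: int = 64) -> str:
    """Wrap arbitrary bytes as a PEM-looking blob (placeholder, not a real key)."""
    b64 = base64.b64encode(material).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed inventory: three hosts carry the same vendor-embedded material,
# a fourth was re-keyed with site-generated material after the update.
_VENDOR_MATERIAL = b"CONSTRUCTED placeholder for key material identical on every install"
_SITE_MATERIAL = b"CONSTRUCTED placeholder for key material generated at one site"
SAMPLE_INVENTORY = {
    "backup-01": _constructed_pem("RSA PRIVATE KEY", _VENDOR_MATERIAL),
    "backup-02": _constructed_pem("RSA PRIVATE KEY", _VENDOR_MATERIAL, width=48),
    "backup-03": _constructed_pem("RSA PRIVATE KEY", _VENDOR_MATERIAL),
    "backup-04": _constructed_pem("RSA PRIVATE KEY", _SITE_MATERIAL),
}


if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE_INVENTORY).items():
        print(f"key {fp[:16]}... shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

On a real fleet you would fingerprint the public half (or the server certificate presented on the control port) rather than copy private keys around, and any fingerprint that shows up on more than one host, or that matches a fresh vendor install, is a sign the embedded key is still in use.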
Monday, April 25, 2016
Which Cyber Security Trends Should Be on the CSO Watch List for 2016?
Conflicting official involvement in cyberspace in 2016 will create the threat of collateral damage and have unforeseen implications and consequences for all organizations that rely on it, with varying regulation and legislation restricting activities whether or not an organization is the intended target.
Organizations are increasingly embedding big data in their operations and decision-making processes. But it is essential to recognize that there is a human element to data analytics. Organizations that fail to respect that human element will put themselves at risk by overvaluing big data output.
Smartphones and other mobile devices are creating a prime target for malicious actors in the Internet of Things (IoT).
Cybercrime, along with an increase in hacktivism, the surge in the cost of compliance to deal with the uptick in regulatory requirements and the relentless advances in technology, against a backdrop of under-investment in security departments, can all combine to cause the perfect threat storm.
The information security profession is maturing just as the increasing sophistication of cyber-attack capabilities demands more of an increasingly scarce pool of information security professionals. While cybercriminals and hacktivists are increasing in numbers and deepening their skillsets, the "good guys" are struggling to keep pace. CISOs need to build sustainable recruiting practices and develop and retain existing talent to improve their organization's cyber resilience.
Which cyber threats would you add to the CSO Watch List? Share your comments with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
Friday, April 22, 2016
Start-ups Forter, BillGuard and Onfido Seek to Help eCommerce Fraud Detection
Forter, a start-up that uses a complex algorithm to help e-commerce sites detect fraud, has raised $32 million. The Israeli firm, which was founded 3 years ago by former employees of the country's intelligence agency, is trying to tackle the rising problem of online card fraud in a world where it is easy to buy stolen financial details online.
Forter's software takes into account thousands of data points and analyzes users' behaviour as soon as they log on to an e-commerce site. It works using a combination of so-called machine learning and human know-how to recognize fraudulent trends. But because it is automated, the retailer does not have to do anything manually.
"Every merchant needed to develop their own fraud prevention. They would review their own transactions manually. After all of that, retailers are losing billions of dollars," said Michael Reitblat, chief executive of Forter. Reitblat said the software could make a decision in less than half a second, and the idea is that the algorithm gets smarter the more it is used. The start-up claims to have generated 5 to 10 percent sales increases last year for retailers using the Forter software.
Online fraud detection has emerged as a key tool for companies operating online, and it's not just about point of sale. Last year, P2P lending platform Prosper Marketplace acquired BillGuard, a finance-tracking firm, to bolster its security credentials. Last week, identity verification start-up Onfido raised another $25 million to help businesses carry out background checks on individuals.
Can Forter and its competitors achieve their mission of helping e-commerce firms detect fraud? Send your predictions to the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
Thursday, April 21, 2016
Cyber Security Threats: Bad News for IT Organizations, Good News for Vendor Stocks
As cyber security threats increase, so do the fortunes of cyber security vendors. That is the dilemma that organizations and the private sector face. Bessemer Venture Partners' BVP Cyber Index tracked the capital-weighted performance, since Jan. 1, 2011, of 29 public companies whose primary business is cybersecurity. Almost half of those companies are valued at more than a billion dollars. The public IT security sector outperformed the stock market by more than two times during that time, and outperformed the market by about five times in the month after such breaches were made public. "Since then, it has seen more than twice the gains of the Nasdaq and S&P indexes. The sector spikes in the month after reports of major breaches. Over time, those multiples seem to settle back in line with the overall enterprise technology sector," said Cowan.
Does this dynamic always need to result in a lose-lose outcome, or can organizations and the security vendors who build products to keep them safe both win? Let us know your experiences here at the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
Wednesday, April 20, 2016
Hijacking Incidents Exceed 760K Per Year According to Google Security Study
Over 700,000
websites were breached between June 2014 and July 2015, according to a
new study by Google and the University of California, Berkeley, which
aims to improve web security. The research showed that
"miscreants" had routinely hijacked thousands of vulnerable web servers
for "cheap hosting and traffic acquisition". Google recorded 760,935
"hijacking incidents" within the period but said that its direct
communication with webmasters had curbed the amount of breaches. Google's
Safe Browsing Alerts work by sending notifications to network
administrators when harmful URLs are detected on their networks. It said
that these had increased the likelihood of a "cleanup" by over 50
percent and reduced "infection lengths" by at least 62 percent.
As miscreants routinely hijack thousands of vulnerable web servers weekly for cheap hosting and traffic acquisition, security services have turned to notifications both to alert webmasters of ongoing incidents as well as to expedite recovery. The study captures the life cycle of 760,935 hijacking incidents from July 2014 to June 2015, as identified by Google Safe Browsing and Search Quality. We observe that direct communication with webmasters increases the likelihood of cleanup by over 50% and reduces infection lengths by at least 62%. A sizeable fraction of site owners do not address the root cause of compromise, with over 12% of sites falling victim to a new attack within 30 days. We distill these findings into a set of recommendations for improving web security and best practices for webmasters.
Can cyber security vendors design mitigation techniques to stem the tide of hijacking incidents? Share your predictions with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
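The measures the study reports (cleanup rate, infection length, and re-compromise within 30 days) are the same numbers a hosting provider or security team can compute from its own incident records, and the 30-day recurrence figure is the one that tells you whether the root cause was fixed. The following is an added example, not the Google/Berkeley study's code; the incident records and field names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional, Sequence, Set


@dataclass
class Incident:
    site: str
    detected: date            # first flagged by a blacklist or search-quality scan
    cleaned: Optional[date]   # None: still compromised when observation ended
    notified: bool            # webmaster received a direct notification


def infection_length_days(inc: Incident) -> Optional[int]:
    return None if inc.cleaned is None else (inc.cleaned - inc.detected).days


def cleanup_rate(incidents: Sequence[Incident], notified: bool) -> float:
    """Fraction of incidents in the notified / not-notified group that reached cleanup."""
    group = [i for i in incidents if i.notified == notified]
    return sum(1 for i in group if i.cleaned is not None) / len(group) if group else 0.0


def median_infection_length(incidents: Sequence[Incident], notified: bool) -> Optional[float]:
    lengths = [infection_length_days(i) for i in incidents
               if i.notified == notified and i.cleaned is not None]
    return median(lengths) if lengths else None


def reinfected_sites(incidents: Sequence[Incident], window_days: int = 30) -> Set[str]:
    """Sites hit by a new incident within window_days of a previous cleanup."""
    hits: Set[str] = set()
    ordered = sorted(incidents, key=lambda i: (i.site, i.detected))
    for prev, cur in zip(ordered, ordered[1:]):
        if prev.site != cur.site or prev.cleaned is None:
            continue
        if 0 <= (cur.detected - prev.cleaned).days <= window_days:
            hits.add(cur.site)
    return hits


# Constructed incident records (hypothetical sites and dates)
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("a.example", date(2014, 7, 1), date(2014, 7, 5), True),
    Incident("b.example", date(2014, 7, 2), date(2014, 7, 20), False),
    Incident("c.example", date(2014, 8, 1), date(2014, 8, 3), True),
    Incident("c.example", date(2014, 8, 20), date(2014, 8, 25), True),   # back 17 days later
    Incident("d.example", date(2014, 9, 1), date(2014, 9, 30), False),
    Incident("d.example", date(2014, 12, 1), None, False),             # 62 days later: outside window
    Incident("e.example", date(2014, 10, 1), None, True),               # never cleaned
]


if __name__ == "__main__":
    for flag in (True, False):
        print(f"notified={flag}: cleanup rate {cleanup_rate(SAMPLE_INCIDENTS, flag):.2f}, "
              f"median infection length {median_infection_length(SAMPLE_INCIDENTS, flag)} days")
    print("reinfected within 30 days:", sorted(reinfected_sites(SAMPLE_INCIDENTS)))
```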
Tuesday, April 19, 2016
Malware Threats Increased By 36% YoY According to Symantec CyberSecurity Study
In 2015, the number of zero-day vulnerabilities
discovered more than doubled to 54, a 125 percent increase from the year
before. Or put another way, a new zero-day vulnerability was found every week
(on average) in 2015. In 2013, the number of zero-day vulnerabilities (23)
doubled from the year before. In 2014, the number held relatively steady at 24,
leading us to conclude that we had reached a plateau. That theory was
short-lived. The 2015 explosion in zero-day discoveries reaffirms the critical
role they play in lucrative targeted attacks. Given the value of these
vulnerabilities, it’s not surprising that a market has evolved to meet demand.
In fact, at the rate that zero-day vulnerabilities are being discovered, they
may become a commodity product. Targeted attack groups exploit the
vulnerabilities until they are. Symantec discovered more than 430 million new
unique pieces of malware in 2015, up 36 percent from the year before. Perhaps
what is most remarkable is that these numbers no longer surprise us. As real
life and online become indistinguishable from each other, cybercrime has become
a part of our daily lives. Attacks against businesses and nations hit the
headlines with such regularity that we’ve become numb to the sheer volume and
acceleration of cyber threats. Do CISOs and CSOs feel as vulnerable as this
study suggests? Share your comments with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
Monday, April 18, 2016
Spearphishing Attack by Cybercriminals Yields $99m USD
A lawsuit filed on April 14, 2016 by U.S. Attorney for the Southern
District of New York Preet Bharara gives an insider's view on how
frighteningly easy it is for a company to be duped out of a huge sum of money, in this case almost $100 million. The civil forfeiture lawsuit was filed in federal court in New York
City and is being brought on behalf of an unidentified American company
that was suckered out of $98.9 million over a four-week period late last
summer. Luckily, the majority of the money has already been recovered
and this suit is specifically going after the remaining $25 million that
is being held in at least 20 overseas banks, according to court documents. “This is more than twice as large as any reported loss that we have
seen,” Ryan Kalember, senior vice president of Cybersecurity Strategy,
told SCMagazine.com in an email Friday. What this case perfectly illustrates is the step-by-step process a
criminal can take implementing such a scam and all of the warnings that
were ignored by the victim. Considering the massive pile of money involved, the scheme itself was
extremely simple and used by cybercriminals every day, albeit to
normally steal smaller amounts of plain old data. It was a classic
spearphishing attack. How large of a threat to US government and commercial security are
spearphishing attacks? Send us your comments here at the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
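The case turns on warnings that were ignored, and the cheapest of them to automate sit in the mail headers: a sender whose display name matches an executive but whose domain is outside the company, a domain one character off from the real one, or a Reply-To that points somewhere else entirely. The following is an added example, not code from the court filing or from any vendor named on this page; the executive list, company domains and messages are constructed.

```python
from email.utils import parseaddr
from typing import Dict, List, Set


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot domains one or two characters off the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(headers: Dict[str, str], executives: Set[str],
                   org_domains: Set[str]) -> List[str]:
    """Header-level warnings a mail gateway could attach to a message before delivery."""
    warnings: List[str] = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = _domain(addr)
    name_norm = " ".join(name.lower().split())
    if domain and domain not in org_domains:
        if name_norm in executives:
            warnings.append(f"display name '{name}' matches an executive but sender domain '{domain}' is external")
        for od in sorted(org_domains):
            if 0 < levenshtein(domain, od) <= 2:
                warnings.append(f"sender domain '{domain}' is a lookalike of '{od}'")
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        warnings.append(f"Reply-To '{reply_addr}' differs from From '{addr}'")
    return warnings


# Constructed directory: names are stored lower-cased and whitespace-normalised
EXECUTIVES = {"jane doe"}
ORG_DOMAINS = {"example.com"}

# Constructed messages (header dicts only; bodies are irrelevant to these checks)
MSG_LOOKALIKE = {"From": "Jane Doe <jane.doe@examp1e.com>",
                 "Reply-To": "jane.doe.ceo@webmail.example",
                 "Subject": "Urgent wire needed before close of business"}
MSG_FREEMAIL = {"From": "Jane Doe <jane.doe@webmail.example>",
                "Subject": "Quick favour"}
MSG_LEGIT = {"From": "Jane Doe <jane.doe@example.com>", "Subject": "Board pack"}
MSG_VENDOR = {"From": "Bob Vendor <bob@vendor-corp.example>", "Subject": "Invoice 1234"}


if __name__ == "__main__":
    for label, msg in [("lookalike", MSG_LOOKALIKE), ("freemail", MSG_FREEMAIL),
                       ("legit", MSG_LEGIT), ("vendor", MSG_VENDOR)]:
        print(label, "->", assess_message(msg, EXECUTIVES, ORG_DOMAINS) or "no warnings")
```

These checks are deliberately narrow: they do not replace the out-of-band callback to the executive that should precede any wire, but they produce a banner or a quarantine decision at the moment the first message arrives, which is when the four-week scheme described above could still have been stopped.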
Saturday, April 16, 2016
Friday, April 15, 2016
Does "Badlock" Present a Legitimate Threat to Windows and Samba Users?
The Security Account Manager Remote (SAMR) and Local Security Authority
(Domain Policy) (LSAD) protocols do not properly establish Remote
Procedure Call (RPC) channels, which may allow any attacker to
impersonate an authenticated user or gain access to the SAM database, or
launch denial of service attacks. This vulnerability is also known
publicly as "Badlock". The SAMR and LSAD remote protocols are used by Windows and Samba (for
UNIX-like platforms) to authenticate users to a Windows domain. A flaw
in the way these protocols establish RPC channels may allow an attacker
to impersonate an authenticated user or gain access to the SAM database.
CVE-2016-2118 identifies this vulnerability in Samba, while
CVE-2016-0128 identifies this vulnerability in Windows. The Badlock name launched a guessing campaign in the security
community about what the flaw might be. Many assumed the name was a hint
about the bug’s nature. The name, SerNet said today in a blog post, “was meant
to be a rather generic name and does not point to any specifics.” So, is "Badlock" more hype than a bona fide threat? In this era of cyber terrorism no threat should be taken lightly, yet with limited InfoSec resources many organizations cannot address every 'possible' threat the same. Share your thoughts with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
Thursday, April 14, 2016
Matthew Keys Sentenced To Two Years for Hacking into the LA Times
"Two years," he wrote. "We plan on filing a motion to stay the sentence...This whole process has been exhausting." Earlier in the day, Keys penned a thank you note to supporters and maintained his innocence. "I did not ask for this fight," he said. "I hope that our combined
efforts help bring about positive change to rules and regulations that
govern our online conduct." Keys, 28, was convicted last October of conspiring with the hacker
group Anonymous to break into the network of the Tribune Co., his former
employer. The Tribune Co. owns the LA Times. Keys had been
fired from Tribune Co.-owned KTXL FOX 40 in October 2010. Two months
later, he handed over the information Anonymous needed to hack its
network. According to court documents, Keys passed login information to
Anonymous members in an online chat urging them to "go f--- some s---
up." According to the indictment, at least one of the hackers used the
credentials he provided to log into the company's server and alter a
news story on the Los Angeles Times website. He later went to work for Reuters, which dismissed him after he was charged with the crime. The Justice Department charged him for transferring information in order to damage a "protected computer." Is this punishment consistent with the crime? Share your comments with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
Wednesday, April 13, 2016
Palo Alto Networks Expands the "Cybersecurity Canon"
Palo
Alto Networks created the cyber security canon “to identify a list of must-read books
for all cybersecurity practitioners -- be they from industry, government
or academia -- where the content is timeless, genuinely represents an
aspect of the community that is true and precise, reflects the highest
quality and, if not read, will leave a hole in the cybersecurity
professional’s education that will make the practitioner incomplete.” Since
2001, the CERT Insider Threat Center has collected and analyzed
information about hundreds of insider cybercrimes, ranging from national
security espionage to theft of trade secrets. The CERT Guide to Insider
Threats describes CERT's findings in practical terms, offering specific
guidance and countermeasures that can be immediately applied by
executives, managers, security officers, and operational staff within
any private, government, or military organization. “What
makes the book valuable is that it is backed up with real data,” noted
Palo Alto Networks’ Chief Security Officer Rick Howard. Moore,
lead researcher at the CERT Insider Threat Center, noted, “The book was
the result of years of research by staff at CERT and our organizational
partners dedicated to helping organizations understand and mitigate the
risk of insider threat. Thanks to everyone who contributed to the
research, to the Software Engineering Institute for their support, and
to Palo Alto Networks for creating the canon and hosting the event.” How useful is this cyber security canon to the CSOs and CISOs around the globe? Share your feedback with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
Friday, April 8, 2016
Nasdaq Report Addresses Cybersecurity and Building a Culture of Responsibility
Tanium commissioned a survey with Nasdaq to study the accountability of CEOs and CIOs for cyber security. Business and government leaders
grapple daily with innovation’s double-edged sword: as new technologies
introduce unprecedented levels of efficiency,
speed, and capability to the world, a new wave of cybersecurity risks
immediately follow, threatening that very technology and
the people who use it. In many instances, the technology organizations use to
protect themselves has dramatically failed
to keep pace with the speed and agility of modern threats, creating billions of
dollars of damage from data breaches annually.
But this is only half the story. Less visible is the widespread lack
of personal and organizational accountability for the protection of a company’s
most
sensitive data. This accountability
gap shows up as dissonance between corporate leaders’ current awareness and readiness for cybersecurity
challenges and where they need to be. In “The Accountability Gap:
Cybersecurity & Building a Culture of Responsibility,” they worked with a
global panel of cybersecurity subject-matter experts
to define the seven inherent challenges that make up cybersecurity
vulnerability: Cyber Literacy, Risk Appetite,
Threat Intelligence, Legislation & Regulation, Network Resilience,
Response, and Behavior. The research team at Goldsmiths,
University of London developed a statistical model for scoring readiness,
awareness and
vulnerability for these challenges
and assessed through a survey of 1,530 non-executive directors (NED), C-level
executives, Chief Information Officers (CIO),
and Chief Information Security Officers (CISO) across the United States, United
Kingdom, Germany, Japan, and Denmark, Norway,
Sweden, and Finland (Nordics). The intention of the study was to identify and understand where the gaps exist
across all organizational levels around cybersecurity vulnerability from a
people, process, and technology perspective. How can the leaders of business and government organizations instill a culture of cyber security? Share your recommendations with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
Thursday, April 7, 2016
Can Biometrics Thwart the Risk of Online Cyber Crime?
Biometrics analyze unique behavioral and
physical characteristics as a means of personal identity. Some of the
biometric modalities currently being used for personal identification
include DNA, facial recognition, fingerprints, voice recognition, iris
scan, palm prints and vein pattern. Combining these powerful
technologies is allowing consumers to better protect themselves in our
ever-connected world. Biometric technology has swiftly emerged as a go-to solution for improving digital security and while fingerprints and facial recognition are being used more and more to stop online theft, how fast you type could soon be stopping hackers. Mobile identification company TeleSign launched Behavior ID on Tuesday, an online application that tracks a user's behavior to prevent cybertheft. The application records behavior such as how a user moves their mouse, presses a touch screen, or the way they type. This increases the level of identity assurance for every user account a company has, according to Steve Jillings, CEO of TeleSign. "The power of Behavior ID is its ability to adapt to the user, transparently producing a digital fingerprint from a user's behavior to confirm their identity and develop an ongoing authentication without requiring the consumer to do anything," he said in a press release. "Best of all, these unique biometric patterns are extremely accurate, from the way we move our hand on a mobile device screen or with a mouse, it is virtually impossible to precisely imitate another person's behavior." How effective can the integration of biometrics into cyber crime prevention be? Share your assessment with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
Tuesday, April 5, 2016
The Rise of Ransomware Attacks - What Are CSOs To Do?
Cybercriminals using "ransomware" are shifting
their sights from individual targets to bigger ones, Intel Security
Group's Steve Grobman said Monday. "We're now starting to see the
shift from not only consumers [to] even soft-target organizations and
businesses, like hospitals, universities and police stations," he told
CNBC. Grobman, Intel Security's chief
technology officer, also said key infrastructures in the U.S. are at
risk of a ransomware attack, and greater coordination between government
and private entities is needed to fight off such infiltrations. A ransomware attack occurs when a cybercriminal
essentially takes the victim's files and information hostage in exchange
for money. These types of attacks rose 26 percent in the last quarter
of 2015 from the previous quarter, according to a report from McAfee
Labs and Intel. The hackers demanded to be paid in Bitcoin, a digital currency that's difficult to trace back to actual people. Hucks says the district followed the kidnappers' directions, bought
several bitcoins online, then carefully negotiated a "proof of life"
type transaction to make sure the cyberkidnappers would deliver what
they promised. "We chose to send the payment for one machine,
first, so that we could ensure that it would work." Hucks says the
criminals sent a code for one computer. He entered the code, and the
computer returned to operation. Horry County then deposited the equivalent of $10,000 into the hackers' Bitcoin account and the school computer system was back up and running. Cybercriminals, many originating in Eastern Europe or the Russian
Federation, according to experts, target small- and middle-sized
institutions. Which counter-measures can best protect both government and private sector organizations from the rise in ransomware attacks? Send your recommendations to the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
Monday, April 4, 2016
Google Pulls Jihadist App From the Play Store
What happens when free speech threatens US national security? A Taliban app was discovered on Friday by SITE Intel Group, a website devoted to tracking jihadists online. The propaganda product was taken down shortly thereafter. A Google spokesman declined to comment on the app disappearing from its store,
citing a policy that the company doesn't discuss specific apps. But the
spokesman said the company does remove apps from Google Play that
violate its policies. Jihadist groups, including the Taliban,
have successfully used the Internet and social media to spread
propaganda and recruit fighters. Apps, however, are strictly regulated
by Google and Apple. It's much harder to sneak a jihadist app by the stores' gatekeepers than post a recruitment tweet on Twitter. The Taliban app, called "Alemarah," gave people the ability to keep up
with the latest Taliban news. They could watch videos made by the group,
and read stories and updates written in Pashto. The Taliban has other ways to get its message out to supporters. It has a Twitter Account, in which an official spokesman sends updates about Taliban activity.
And it has an active channel on the encrypted messaging app Telegram. How can private industry proactively mitigate against similar threats from the Taliban, ISIS and other terrorist groups in the future? Share your recommendations with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
Friday, April 1, 2016
China to Require Websites to Register With Service Providers Under PRC Control
At the heart of China's censorship efforts is a delicate balancing act. Unlike communist North Korea, which bans online access to its general
population, China is encouraging Internet usage as it rushes to
construct a modern economy. This year, the number of Internet users in
China surpassed the USA for the first time, hitting 233 million by the
end of March. However, China's government does not tolerate opposition
and is wary of the variety of views and information the Web brings. New draft regulations say that websites with access to China would have to register their domain names with service providers that are under Chinese control. That requirement appears to be aimed at creating "a white list" of approved domain names and cutting off access to others, said Lokman Tsui, an assistant professor at the Chinese University of Hong Kong who specializes in technology and new media. The most basic tool at the Chinese government's disposal — and, perhaps,
the one most easily circumvented by dissidents — is to ban access
within China to websites such as Voice of America or to certain stories
that contain sensitive words and phrases. For example, several recent
USA TODAY stories about Tibet are currently blocked within China. What does the future hold for Chinese citizens' right to access information vis-à-vis the PRC government's stringent control over Internet use? Share your comments with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/