November 29, 2014

New study shows most people ignore cyber security warnings

Most people say they want to keep hackers out of their computers, but still ignore cyber security warnings that would do just that.

A group of Brigham Young University researchers has found that even those who say they care about maintaining the integrity of their devices bypass the warning signs.

Over time, computer users have become habituated to ignoring the little black bomb faces and “this is not a secure page” warnings that seem to pop up on a daily basis, Information Systems assistant professor Anthony Vance said.

“We’re accustomed to dismissing those messages,” Vance said. “The way you get things done on computers is to dismiss warnings as quickly as possible and get on with it. And if there’s no harm done, it really discounts the impact of the warning over time.”

What they found in a study published recently in the Journal of the Association for Information Systems, Vance said, reinforced their understanding of risk-seeking and risk-averse personalities. Both groups of college student volunteers ignored cyber security warnings. But their brains reacted differently to screens that then informed them their laptops had been hacked.

Researchers attached a net-like helmet of sensors to 62 students’ heads before putting them in an MRI with their laptops.

Risk-averse computer users’ brains lit up with electrical impulses when shown a screen with a Guy Fawkes mask and skull and crossbones after ignoring warnings.

Risk-takers’ brains, however, showed nary a blip.

Vance said the study shows how people say one thing about cyber security and do another. “If they think about it, they deliberate,” he said. “But in the moment, people tend not to think about it.”

The BYU team has received a $300,000 grant from the National Science Foundation to continue researching security behavior.

In the end, Vance said, the research may help computer security software designers come up with better warning signals that users will actually respond to.

October 27, 2014

WSJ: The Morning Download: Big Banks Scrutinize Cybersecurity at Law Firms

The Morning Download comes from the editors of CIO Journal and cues up the most important news in business technology every weekday morning. Send us your tips, compliments and complaints. You can get The Morning Download emailed to you each weekday morning by clicking here.

Good Morning. Amid growing concerns about network vulnerability, chief information officers are finding that more of their jobs involve scrutinizing the security of third-party vendors. As the Journal’s Jennifer Smith and Emily Glazer report, big banks are turning the spotlight on their most trusted third-parties–the lawyers with access to everything from trade secrets to market-moving details on mergers and acquisitions. Banks are demanding that firms undergo outside security audits, they report, and implement their own vendor-security programs to prevent data from leaking out through third-party contractors the lawyers hire.

“It’s a lot more than just checking a box,” said Lorey Hoffman, chief information officer at law firm Goodwin Procter LLP. “I walk through our data centers into the [server] cage with examiners” sent by clients. Mr. Hoffman adds that his firm’s external-facing Internet sites get hit 400 to 500 times a week by third-party bots or denial-of-service attacks. “That kind of activity is the new normal and it’s hitting everybody.”

Last year’s Target Corp. breach brought home the cyber vulnerability exposed by third-party relationships. Hackers first accessed Target’s systems using the credentials of a refrigeration contractor. After the data breach this summer at J.P. Morgan Chase & Co., which compromised contact information for about 76 million households, big banks are working to reduce their own attack surfaces. While that breach isn’t believed to have originated with a third-party vendor, banks want to do everything they can to prevent future hackers from creeping in disguised in a white-shoe firm’s expensive wingtips.

Email ‘be gone,’ one reader says. A CIO Journal story on Oct. 23, based on interviews with CIOs, concluded that email will remain the dominant communications platform for businesses for a long time. Case closed? Not quite. One reader later wrote in with hopes that the era of email fades sooner rather than later. “I am personally excited to see the emergence of enterprise social networks enabled by mobile, and I am hopeful that we can move organizations to a better way of collaborating and socializing. Legacy be gone,” writes Paul Stokes, CIO of the University of Victoria, in British Columbia.

Former Dow Jones CIO now heading enterprise strategy at AWS. Stephen Orban, former CIO and global head of technology at Dow Jones & Co., has moved on to head enterprise strategy at Amazon Web Services. In a blog post earlier this month, Mr. Orban wrote that he believed in cloud computing so strongly that “I decided to dedicate the next chapter of my career to it.” Dow Jones tells CIO Journal it has hired an interim CTO, Paul Meller, while it searches for a successor.

Good times for cyber insurance providers. Business at Miller Insurance Services LLP has doubled in 2014, with the London company selling “hundreds” of policies following several high-profile data breaches. Nick Fearon, who leads Miller’s cyber insurance practice, tells CIO Journal that business will remain robust for the foreseeable future. “We’re never going to be ahead of the hackers because we’re not that clever,” said Mr. Fearon.

How is our digital revolution doing? Guest Columnist Irving Wladawsky-Berger finds the proper response in a line predating Google by almost 140 years: “It was the best of times, it was the worst of times… we had everything before us, we had nothing before us…” Technology has created new opportunities, transforming the lives of billions in the process. At the same time, partly due to technology, employment and income are declining. “It was the spring of hope, it was the winter of despair.”

TECH TACKLES EBOLA

In the fight against Ebola, connectivity can save lives. To stop the next pandemic, connecting the world’s poorest countries to the Internet is a good place to start, writes the WSJ’s Christopher Mims. Ivory Coast, for example, which is so far Ebola-free, is capitalizing on mobile connectivity of its citizens by sending out millions of mass text messages warning about the dangers of Ebola and how to avoid catching it.

Ebola and genetic experiments may one day have a cheap paper-based test. Much like over-the-counter pregnancy tests, it may be possible to carry out complex genetics experiments or cheap tests for viruses like Ebola with paper-based tests, writes MIT Technology Review’s Karen Weintraub. Boston University synthetic biologist James Collins has found a way to “print the ingredients for simple DNA experiments on paper, freeze-dry them, and use them as much as a year later.

Paul Allen ups Ebola funding. Microsoft co-founder Paul Allen has pledged $100 million to fight the spread of Ebola, the Journal’s Brian R. Fitzgerald reports. “The Ebola virus is unlike any health crisis we have ever experienced and needs a response unlike anything we have ever seen,” Mr. Allen said on his website. Earlier, Facebook Inc. CEO Mark Zuckerberg said he and his wife would donate $25 million.

MORE TECHNOLOGY NEWS

Do you know what apps your employees use? Unauthorized cloud-based software is proliferating in the workplace, causing regulatory and security challenges for companies that often don’t even know their employees are using it, the WSJ’s Deborah Gage reports. Some of the services are well known, such as Dropbox and Facebook. But at some companies, employees are tapping hundreds of cloud-based apps to perform functions ranging from Web conferencing to conducting surveys to sharing photos.

U.S. fights critiques of how Web is managed. U.S. officials are fighting off another upswell of dissent from countries irked by the way the Internet is managed, the WSJ’s Drew Fitzgerald reports. More than 190 nations are haggling at the International Telecommunication Union’s conference over whether the ITU’s mandate covering “information and communication technology” specifically includes the Internet, which didn’t exist for most of the organization’s 149-year history. U.S. officials and their allies want to keep the Web separate, while countries including Russia and several Arab states want to give the ITU a stronger hand.

H-P looks to sell corporate-networking business in China. The company is expected to sell at least 51% of H3C Technologies Co., report the Journal’s Rick Carew and Dana Mattioli. H-P and other U.S. tech companies have come under pressure in China following revelations that the U.S. government collected data and other information at home and abroad, in some cases using infrastructure belonging to American companies.

Google’s Sundar Pichai becomes new product czar. Larry Page is transferring leadership of core Google Inc. products to Sundar Pichai, report Re/code’s Liz Gannes and Kara Swisher, citing sources close to the situation. Mr. Pichai will now oversee research, search, maps, Google+, commerce and ads and infrastructure, in addition to Android, Chrome and Google Apps.

UBS CIO: blockchain technology can massively simplify banking. UBS AG CIO Oliver Bussman says the underlying technology behind Bitcoin, called blockchain, has the greatest potential to disrupt the financial services sector, the WSJ’s Anna Irrera reports. Blockchain is the open, decentralized online ledger which verifies transactions in the digital currency. The Bank of England agreed in its September report, when it described blockchain as a “significant innovation” that could have “far-reaching implications.”

New York City Police to be equipped with mobile devices. The New York Police Department will outfit officers with smartphones and many patrol cars with tablets, the New York Times reports. Among the apps pre-installed will be a mobile version of the NYPD’s Domain Awareness System, which connects video feeds from closed-circuit cameras with law enforcement databases. Funding for the 35,000 smartphones and 6,000 tablets comes from the city’s financial settlement with French bank BNP Paribas, fined for violating financial sanctions.

A win for Microsoft’s Surface business. Among the happy surprises for Microsoft Corp. investors in the company’s successful quarterly financial report was the perkiness in its Surface business, the WSJ’s Shira Ovide reports. Microsoft reported that quarterly sales of the two-year-old tablet-style computer more than doubled from a year ago to $908 million.

Holiday tweet: help wanted. Heading into the holiday shopping season, retailers are bombarding customers’ inboxes and Twitter feeds with help-wanted ads, as traditional hiring methods are failing to produce enough job candidates, the WSJ’s Eric Morath reports. The national unemployment rate fell to 5.9% last month, the lowest reading since 2008. Holiday hires last year surpassed their prerecession peak and the National Retail Federation expects companies will match or exceed that level this year.

Italian lawmakers plan free Wi-Fi to bridge digital gap with Europe. A plan by legislators in Italy to make Wi-Fi free in thousands of public places aims to bridge a gap with other European nations in broadband penetration, e-government and other digital services, Reuters reports. Under the plan, large shops, taxis, airports, law courts and other public places would be required to set up an Internet connection and offer no-password wireless access for no charge.

FCC fines two carriers $10 million over data breach. The agency said that TerraCom and YourTel America exposed the personal data of up to 300,000 low-income consumers, writes the Journal’s Gautham Nagesh. Dale Schmick, operating chief at the two carriers, blamed a security breach and said the company “has rigorous privacy safeguards in place to prevent such data from public disclosure.”

U.S. TV airwaves auction for smartphones delayed to 2016. The Federal Communications Commission delayed to early 2016 an auction of the U.S. airwaves surrendered by television stations that’s meant to help feed the growing number of mobile devices, Bloomberg reports. A lawsuit by broadcasters over the auction procedure has “introduced uncertainty,” said the agency’s incentive auction team leader. The airwaves to be relinquished by the TV stations are prized for their ability to travel long distances and penetrate buildings.

Ballmer reaps tax benefit from Clippers deal. Microsoft Corp. ex-CEO Steve Ballmer got more than a basketball team in his deal to acquire the Los Angeles Clippers – he also stands to gain as much as $1 billion in tax benefits, the Financial Times reports. An analysis of U.S. tax laws shows that Mr. Ballmer could claim about half of the $2 billion purchase price in current terms over the next 15 years against his taxable income. The credits can be claimed under a little-known feature of the tax code covering so-called active owners of sports franchises.

EVERYTHING ELSE YOU NEED TO KNOW

ECB says most of Europe’s banks are healthy. European regulators said that all but 13 of the continent’s leading banks have enough capital to weather a financial storm, an attempt to put to rest years of anxiety about the industry’s health. Nine Italian banks failed the health checks, the biggest concentration of troubled banks in the ECB’s stress tests. Of the 123 banks that the European Banking Authority tested, 24 failed to show that their capital ratios would avoid sinking below 5.5% of their risk-adjusted assets in a deteriorating economy, and another 14 banks came close to failing.

Darker global outlook has bond bears hibernating. Weaker economic indicators have led many investors to reverse their recent opinion that a bond-market downturn was near. It is a change from just a few months ago, when many strategists and investors were predicting that a 30-year bull market in Treasurys was close to an end.

A single firm builds a hill of copper. One buyer has snapped up more than half the copper held in London Metal Exchange warehouses, giving it control over a crucial source of supply and raising concerns among traders about the potential for higher prices. Although the exchange doesn’t identify the owners of metals, eight traders and brokers working for different firms active on the LME said they believe Red Kite Group, a London hedge-fund manager that focuses on metals trading, was the one buying.

September 29, 2014

Further flaws render Shellshock patch ineffective

Patched systems remain vulnerable.

The Shellshock vulnerability in the commonly used Bash command line interpreter shell is likely to require more patches, as security researchers continue to unearth further problems in the code.

Google security researcher Michal “lcamtuf” Zalewski has disclosed to iTnews that over the past two days he has discovered two previously unaddressed issues in the Bash function parser, one of which is as bad as the original Shellshock vulnerability.

“The first one likely permits remote code execution, but the attack would require a degree of expertise to carry out,” Zalewski said.

“The second one is essentially equivalent to the original flaw, trivially allowing remote code execution even on systems that deployed the fix for the initial bug,” he added.

Common Vulnerabilities and Exposures numbers CVE-2014-6277 and CVE-2014-6278 have been assigned to the vulnerabilities.

Zalewski has discussed the vulnerabilities with the groups that volunteer to maintain Bash and directly with the Linux OS vendors involved in attempting to resolve the original Shellshock vulnerability.

“We want to give people some time to update before we share additional details,” Zalewski said.

After the initial disclosure of the Shellshock bug, Zalewski and fellow security researchers Florian Weimer and Tavis Ormandy expressed concern over the continued exposure of the underlying attack surface in Bash.

The three researchers have called for a more robust approach to addressing the issue, and also found a troubling pattern of vulnerabilities in CVE-2014-7186, CVE-2014-7187 and CVE-2014-7169 that Zalewski said suggests the Bash parser may be unsafe.

There is an unofficial patch ready, Zalewski said, and he recommends that users apply it urgently.

“Somewhere in the middle of all this, Florian Weimer developed an unofficial patch that mitigates this and all future problems in the bash function parser by shielding it from remotely-originating data.

“As of today, this patch is already shipping with several Linux distributions, but many users will need to update manually,” he added.

Zalewski has written a technical analysis of the Shellshock bugs, describing what work was undertaken to patch them and calculating the impact of the combined vulnerabilities.

He notes that Shellshock can go beyond web server common gateway interface (CGI) scripts on modern Linux systems where the /bin/sh command shell is a symbolic link to /bin/bash.

A range of web apps written in PHP, Python, C++ or Java could be vulnerable if they use calls to functions such as popen() or system(), as these are backed by calls to /bin/sh -c in turn, Zalewski notes.
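The exposure described in the two paragraphs above comes from the fact that `popen()` and `system()` hand the command string to `/bin/sh -c` with the caller’s full environment, which in a CGI-style application includes request-controlled variables such as `HTTP_USER_AGENT`. The following Python is an added illustration, not code from the article or from Zalewski, showing how to check whether `/bin/sh` resolves to bash on a host, how to list the request-controlled variables that would reach a shell, and the hardened pattern (no shell, allowlisted environment) that keeps remotely originating data away from the Bash function parser in the first place, which is the same idea as the unofficial patch described below. The allowlist of variable names and the set of CGI variable names are this example’s own assumptions.

```python
import os
import subprocess

# Environment variables a child process legitimately needs. Everything else is
# dropped before a subprocess starts. This allowlist is an assumption for the
# example; adjust it to what the spawned program actually requires.
SAFE_ENV_KEYS = ("PATH", "LANG", "LC_ALL", "TZ", "HOME")

# Standard CGI variables whose values are copied from the HTTP request
# (assumed list; HTTP_* headers are matched by prefix below).
REQUEST_CGI_VARS = ("QUERY_STRING", "PATH_INFO", "REQUEST_URI", "REQUEST_METHOD",
                    "CONTENT_TYPE", "CONTENT_LENGTH", "SCRIPT_NAME")


def sh_is_bash(sh_path="/bin/sh"):
    """True when the shell that popen()/system() use resolves to bash."""
    try:
        target = os.path.realpath(sh_path)
    except OSError:
        return False
    return os.path.basename(target).startswith("bash")


def shell_argv(command):
    """What popen()/system() actually execute: the libc wrapper runs /bin/sh -c COMMAND."""
    return ["/bin/sh", "-c", command]


def request_controlled_vars(environ):
    """Names in `environ` whose values came from the HTTP request and would be
    exported into any shell the application spawns."""
    return sorted(k for k in environ
                  if k.startswith("HTTP_") or k in REQUEST_CGI_VARS)


def sanitized_env(environ, allow=SAFE_ENV_KEYS):
    """Keep only the allowlisted variables, dropping everything request-controlled."""
    return {k: v for k, v in environ.items() if k in allow}


def run_hardened(argv, environ=None, timeout=10):
    """Run a program as an argv list (no /bin/sh -c) with a minimal environment.

    Passing a command string is refused so that a caller cannot quietly
    reintroduce the shell.
    """
    if isinstance(argv, str):
        raise TypeError("pass an argv list, not a command string")
    env = sanitized_env(os.environ if environ is None else environ)
    return subprocess.run(argv, env=env, shell=False,
                          capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    # Constructed sample CGI environment, not a captured request.
    sample = {"PATH": "/usr/bin:/bin", "HTTP_USER_AGENT": "curl/7.0",
              "HTTP_COOKIE": "id=1", "QUERY_STRING": "q=test"}
    print("system shell is bash:", sh_is_bash())
    print("request-controlled:", request_controlled_vars(sample))
    print("shell would see:", sorted(sanitized_env(sample)))
    r = run_hardened(["/bin/sh", "-c", "echo ${HTTP_USER_AGENT:-unset}"], environ=sample)
    print("child saw HTTP_USER_AGENT as:", r.stdout.strip())
```

Even where a shell is unavoidable (a legacy script invoked with `-c`), the last call shows that the child no longer sees any `HTTP_*` variable, so nothing from the request reaches the parser that the disclosed CVEs target. On hosts where `sh_is_bash()` returns true, applying the vendor or unofficial patch remains necessary; the environment filtering is a defence in depth for application code, not a substitute.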

Zalewski also addressed the length of time it has taken to discover the Bash bug:

“As for the inevitable “why hasn’t this been noticed for 15 years” and  “I bet the NSA knew about it” stuff – my take is that it’s a very unusual bug in a very obscure feature of a program that researchers don’t really look at, precisely because no reasonable person would expect it to fail this way. So, life goes on.”

Meanwhile, researchers are assembling proofs of concept code that can be used to exploit Shellshock.

Rob “mubix” Fuller has started up the Shellshocker-pocs repository on GitHub for this purpose, and it contains exploits against PureFTPd, SIP VoIP proxies, the Qmail mail server, SSH secure shell, and dynamic host control protocol (DHCP) IP address allocation servers.

Read more: http://www.itnews.com.au/News/396256,further-flaws-render-shellshock-patch-ineffective.aspx#ixzz3Ei2vaGPD

August 24, 2014

VentureBeat: Internet of Things will be vulnerable for years, and no one is incentivized to fix it

The Internet is no longer just accessible from your laptop or mobile phone. It’s now part of television sets, baby monitors, ovens and cars. It is increasingly embedded into medical devices and other critical devices. The Internet is everywhere and the Internet of Things (IoT) is a trend that will continue to grow.

Unfortunately this growth in technology is being matched by an equally large growth in security concerns. Just last month multiple presentations at the Black Hat and Defcon security conferences highlighted weaknesses in various IoT devices. Although there has been some additional focus on the challenges of IoT security, such as the OWASP Top 10 for Internet of Things Security, the future is still going to be an uphill battle.

Lack of updates will be IoT’s Achilles heel

An ineffective or nonexistent plan for deploying security updates will be the single largest impediment to security for the Internet of Things. The reality is that vulnerabilities appear in all code from time to time. A solid security lifecycle that considers security throughout design and development will have notably fewer security issues. However, all software manufacturers must be ready to quickly respond to a vulnerability and release a patch to protect their users.

We must learn from past failures

The impact of a poor patching plan can be observed directly today just by looking at iOS and Android. Both of these operating systems are made by talented organizations with plenty of security resources, and both of them quickly make patches available when a security issue is found. However, while Apple controls the distribution of patches directly to its users through iOS updates, a patch bound for an Android device must jump through numerous delays by device manufacturers and network operators. As a result, Android devices may not receive critical patches for months or years. And with less than 18 percent of Android devices running the latest Android version, 82 percent of devices are missing key security updates and capabilities.

Today’s incentive model hurts patching of IoT

Let’s imagine a security vulnerability is discovered within an Internet-connected oven, fridge, or baby monitor that you’ve recently purchased. Will a patch be delivered to address the issue? Let’s review the incentive model of the various parties to see how this would play out.

Manufacturer

  • Wants to make product sales
  • Includes Internet connectivity as a feature – not their specialty area
  • Concerned with public reviews of the product which drive sales

Customer

  • Wants the device to work for its primary purpose
  • Considers the Internet connectivity as a nice, often secondary, feature
  • Majority don’t want to be hassled with “fixing” things

Criminal Organizations

  • Want devices under their control for botnets and distributed attacks
  • Want to remain hidden and not impact device performance so there is no effort to “fix” the device and eradicate their malware

If we evaluate the above factors, we’ll see that patching vulnerabilities on Internet-connected devices is going to be a very low priority for the manufacturer. The criminal organizations will exploit vulnerabilities present on a wide number of outdated devices. If they’re smart, which they are, the criminal organizations will run their malicious activities in the background without impacting the overall performance of the device. This means the customer won’t notice the malware, and the security vulnerability will have no impact on the customer’s opinion or review of the device. Therefore, if the device reviews aren’t negatively impacted by a security vulnerability, the manufacturer will have few incentives to patch the device.

IoT vulnerabilities have many victims

Although manufacturers may not be rushing to fix these flaws, there is still a lot of damage that will result.

Owners of Internet enabled devices

Customers will lose on the privacy front. Their private data will be monitored and sold without their knowledge. As the IoT expands, this data will become even more personal and will include health data, location and video streams of their house, children, and more.

Applications across the Web

Web applications all across the Internet will also be at risk. Vulnerable Internet-enabled devices will be compromised and added to malicious botnets. These compromised devices will send spam, participate in denial of service attacks, and even harvest and test stolen credentials across the web. The victim websites that are targeted will be unrelated sites and web applications that now must not only defend against malicious attackers but also the ever-expanding botnets of compromised devices from the Internet of Things.

Effective patch deployment is a big problem

The vast majority of device hacks will remain unnoticed and without impact to the device owner. However, some vulnerabilities will be discovered and will be so severe that the public will demand a patch. But how will this play out?

In these situations a manufacturer may scramble to issue a patch. But then what? How is the patch actually delivered to the device? Will all customers be requested to reboot their oven, car, or pacemaker and navigate through an update process? Or will the updated software only be available in the next release of the physical product? This would mean customers would be unpatched until they bought a new toaster, baby monitor, etc. Unfortunately, one of our current challenges with IoT is that, even if a patch is issued, there is not an effective channel to reach the majority of devices in a timely fashion.

How can we do better?

There are two ways the situation can get better.

First, we need to work as consumers to alter the incentive model so manufacturers are inclined to rapidly patch vulnerabilities. This can be accomplished through the wide publication of shortcomings of IoT security via responsible disclosure. It can also be accomplished by clearinghouses of data on IoT security weaknesses. Repeat offenders should be held accountable, and consumers should vote with their wallets. We should also promote positive security approaches that can help build robust and secure Internet-enabled devices.

Second, manufacturers of IoT devices must be prepared for the inevitable security vulnerabilities in their products. They must consider security during design and implementation to avoid obvious security weaknesses. But they must also build in a usable patching model so devices can be upgraded when critical security patches are necessary. This also needs to be nearly seamless to users and an approach that can reach a very high percentage of devices.

The Internet of Things will quickly envelop our way of life. If we’ve learned anything from the last decades of the Internet and computer security, it’s that we should be proactive in our security planning. We can’t plan for every new vulnerability or weakness. But we must design Internet-enabled devices with the ability to deploy new code quickly in the name of securing users, data, and the web at large. Otherwise the Internet of Things could turn into the Internet of botnets.

Michael Coates is director of product security at Shape Security and chair of open software security community OWASP.

July 29, 2014

Quatrashield Releases App for Azure Marketplace

We have released the QuatraScan on the Microsoft Azure Marketplace. For more information please refer to: http://datamarket.azure.com/application/ea5d5f86-ae12-46b5-a196-96d5fff00b75

June 26, 2014

Computer World: Ethical hacking – Getting inside the minds of cyber criminals

Just when you think you’ve got yourself all covered on the security front, an attack comes out of nowhere and bites you on the arse. You think to yourself: How did I not see that coming?

That’s where penetration testing, or ethical hacking, comes in. The idea is to get a third party to think (and act) like a hacker to test your organisation’s resilience to attack.

And the stakes are high, says Hacklabs senior consultant Jody Melbourne. “Nobody is concerned with targeting websites or going after your database – that’s old,” Melbourne says. “The real bad guys are trying to steal your IP, your business intelligence or business information. [The criminal] is going after your internal network.

“You make a lot more money if you find out that large corporation A is about to acquire large corporation B in a few months, for example. If you hack some board members of a large corporation and find out all of their secret information, read their emails, then that is far more serious than stealing credit cards.”

Melbourne has been employed by both private sector and public sector organisations to test their security, with sometimes alarming results.

He said he’s found it “frustratingly easy” to just walk into many organisations. “I just wave my hand and say ‘I’m walking in here, it’s fine’ and walk straight in,” Melbourne says. “I’m wearing the right clothes, I’m confident, and I look like I’m supposed to be there.”

All it can take then is swapping out a desk phone for a tampered-with handset of the same model. “I plug in a device behind a phone; or I swap out the phone entirely for the exact same model and say ‘I’m here to change the phone, there’s something wrong with it’ and the receptionist says ‘OK’.”

“That whole network and organisation is compromised with a spy phone that I was able to make for $50,” Melbourne says.

Melbourne gave another hypothetical scenario for compromising a network — a hacker dressed like, and acting like, a regular employee just strolls in and connects a Wi-Fi or 3G dongle to an organisation’s network.

“[Then] I’m sitting in a hotel room 500 metres away with full access to your internal network reading your executives’ emails,” Melbourne says. “That’s the landscape now.”

A network could be compromised with just $100 worth of innocuous-looking hardware that most employees wouldn’t even recognise as a threat.

Melbourne said that when engaged by a government department to test their security he was able to compromise the entire agency after gaining access to a computer on its network – with no special tools required.

“A business insider at a corporation might only have mediocre hacking skills, but might actually guess the password of the CEO and get access to all of that information,” Melbourne says.

“That’s far more devastating to an organisation than the most advanced hacker in the world sitting inside that network who has absolutely no business experience, doesn’t know anything about the corporation.

“The hacker could get access to all the corporate documentation, all of the board members, meeting minutes, all kinds of internal IP and emails. But the hacker doesn’t know how the business works so he/she doesn’t know what is valuable and what isn’t.”

Daniel Cabezas, IT security testing services leader at Macquarie Group, says that when he does test email campaigns, he still finds many users clicking on links, downloading files or installing untrusted applications.

“We are doing security awareness courses, but whenever we do testing by sending ourselves email campaigns, there’s still more percentage of our user base who click on things,” he says.

One issue that security teams have to deal with is that hackers are also not necessarily looking to directly break into a company’s systems. Cabezas says they may have more success in hacking a personal computer of an employee to find business information or a work password or account.

“If the malware is trying to target the users at their homes, the reality is that I don’t have that many security controls in my laptop at home. So [criminals] are most successful attacking the home laptop of the users to try and get information about the company they work for. They go to LinkedIn and look for potential employees from the company to attack their personal laptops.”

The rise of bring-your-own device (BYOD) schemes – under which employees can use their own smartphones, tablets and notebooks for work – and an emphasis on flexible working only further complicate the situation.

Cabezas says that there’s usually a struggle to balance user demand for new technology with security.

“We have to determine what the risk of [introducing] the new technology is, but our users are already asking us to implement it,” he says.

“You might have a very functional, well-defined application, and you might think ‘it works the way we expect it to’. But what happens when somebody finds something unexpected?

“Criminals don’t work for X hours a day and then go home. They keep working during the night, during the weekend and they just have to find one hole. So you have to think the way they do. You might say ‘this vulnerability is really difficult to exploit’, but they will take the time and whatever the means to exploit it.”

May 31, 2014

HostingCon in Miami Beach

We will be attending the 2014 HostingCon in Miami Beach in a couple of weeks and look forward to meeting up with industry colleagues.

April 28, 2014

Critical zero-day vulnerability in Internet Explorer exposes Windows XP to risks (Re-post from TWCN Tech News)

Microsoft said that a critical zero-day vulnerability has been found in Internet Explorer, right from IE6 to IE11, that allows cyber-criminals to exploit it using Drive-by attacks.

Drive-by download attacks occur when vulnerable computers get infected by just visiting a website. It’s accepted that drive-by download attacks continue to be many attackers’ favourite type of attack. This is because the attack can be easily launched through injection of malicious code into legitimate websites. Once injected, malicious code may exploit vulnerabilities in operating systems, web browsers and web browser plugins such as Java, Adobe Reader and Adobe Flash. The initial code that gets downloaded is usually small. But once it lands on your computer, it will contact another computer and pull the rest of the malicious code to your system.

Microsoft is expected to release a patch for this vulnerability very soon, but it will only be available for supported operating systems. It will not be available for Windows XP, as that operating system is no longer supported. This will leave Windows XP users exposed to risk.

Workarounds

Apart from following other steps to secure their Windows XP, users may do the following to mitigate this issue until a patch to fix it is released:

1. Disable the Flash plug-in within IE
2. Do not click on any doubtful links, and immediately close IE if they find something suspicious
3. Use Microsoft’s anti-exploit tool, the Enhanced Mitigation Experience Toolkit (EMET)
4. Unregister the vgx.dll file. Go here to read how to unregister dll files in Windows.
5. Set the Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting
6. Configure Internet Explorer to prompt before running Active Scripting, or disable Active Scripting in the Internet and Local intranet security zones
7. Consider using an alternative browser on your Windows XP.
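As an added example (not code from the TWCN post, from Microsoft, or from QuatraShield), the following PowerShell script applies items 4 to 6 of the list above in one go and saves the previous settings so they can be restored once a patch ships. It assumes PowerShell 2.0 or later, an elevated session for the regsvr32 step, and the standard Internet Explorer security-zone registry layout: zone 1 is Local intranet, zone 3 is Internet, URL action 1200 is “Run ActiveX controls and plug-ins”, 1400 is “Active scripting”, and CurrentLevel 0x12000 corresponds to the “High” preset. The backup file path is a constructed placeholder. Items 1 and 3 (disabling Flash, installing EMET) are left to the IE add-on manager and the EMET installer respectively.

```powershell
# Added example, not part of the original post. Applies the interim IE
# mitigations (zone hardening + unregistering vgx.dll) and backs up the
# values it changes. Run as the affected user; elevation needed for regsvr32.

$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @(1, 3)                       # 1 = Local intranet, 3 = Internet
$backup   = Join-Path $env:TEMP 'ie-zone-backup.xml'   # constructed placeholder path

# URL action values (documented IE zone settings). Data: 0 = Enable, 1 = Prompt, 3 = Disable.
$hardened = @{
    '1200'         = 3        # Run ActiveX controls and plug-ins -> Disable
    '1400'         = 1        # Active scripting -> Prompt (use 3 to disable outright)
    'CurrentLevel' = 0x12000  # Zone preset shown in the UI as "High"
}

# 1) Save the current values so the change can be reverted after patching.
$saved = foreach ($z in $zones) {
    $key = Join-Path $zoneRoot $z
    $cur = Get-ItemProperty -Path $key
    foreach ($name in $hardened.Keys) {
        New-Object PSObject -Property @{ Zone = $z; Name = $name; Value = $cur.$name }
    }
}
$saved | Export-Clixml -Path $backup

# 2) Apply the hardened values to both zones.
foreach ($z in $zones) {
    $key = Join-Path $zoneRoot $z
    foreach ($name in $hardened.Keys) {
        Set-ItemProperty -Path $key -Name $name -Value $hardened[$name] -Type DWord
    }
}

# 3) Unregister the VML renderer so IE can no longer load vgx.dll.
#    Reverse later with: regsvr32.exe /s "<same path>"
$vgx = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'
if (Test-Path $vgx) {
    & "$env:SystemRoot\System32\regsvr32.exe" /u /s $vgx
    Write-Host "Unregistered $vgx (exit code $LASTEXITCODE)"
} else {
    Write-Host "vgx.dll not found at $vgx; nothing to unregister"
}

# 4) Show the resulting zone settings for a quick visual check.
foreach ($z in $zones) {
    $cur = Get-ItemProperty -Path (Join-Path $zoneRoot $z)
    Write-Host ("Zone {0}: 1200={1} 1400={2} CurrentLevel=0x{3:X}" -f `
        $z, $cur.'1200', $cur.'1400', $cur.CurrentLevel)
}
Write-Host "Previous values saved to $backup"
```

To revert after the fix is installed, re-register vgx.dll with `regsvr32.exe /s` on the same path and write the values from the backup file back with `Set-ItemProperty`. Because the zone keys live under HKCU, the script must be run once per user profile on a shared machine.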

March 14, 2014

Rise in cyber security budgets

New data from a BAE Systems Applied Intelligence survey indicates that about 60 percent of large companies across the U.S., Canada, Great Britain, and Australia have increased their spending on cybersecurity since last year’s Target breach. Industries such as banking, technology, law, and mining are now spending up to 15 percent of their entire IT budgets on security. More than 80 percent of survey respondents expect the number of cyberattacks to rise. The loss of customer data ranked as the companies’ greatest concern, followed by the loss of trade secrets, reputational damage, and service interruption.

Nearly half of the U.S. companies in the survey said a cyberattack would cost them around $15 million, while 29 percent estimated the cost at more than $75 million. The results suggest that breaches would take an extreme financial toll on smaller companies as well.

The Target breach over the 2013 holiday season claimed 40 million customers’ credit and debit card numbers.


February 12, 2014

QuatraShield VP Article on SMB Nation: SMBs Lack the Tools to Fight Cyber Attack

http://www.smbnation.com/content/news/entry/smbs-lack-the-tools-to-fight-cyber-attack

When it comes to cyber-attack, Small and Medium Businesses are at a significant disadvantage. Lacking the resources and expertise of their Enterprise counterparts, SMBs often rely on free or lightweight tools that leave their organizations exposed to attack. Instead of shoring up their cyber-defenses, many SMBs wait for a breach to occur. In some cases this can be too late.

Hacking has never been as easy as it is today. The significant information sharing between hackers has created a publicly-available knowledgebase that is easily accessible to cyber-criminals. Sites such as hackthissite.org serve as a training ground for cyber criminals, hacktivists and even government entities to gain up-to-date information on new attack vectors.

The net result is that SMBs are often the victims of data breaches, phishing, DDoS and watering hole attacks. A recent report commissioned by the Department for Business, Innovation and Skills (BIS) indicates that 63% of small businesses in the UK were attacked by an unauthorized outsider in the last year, up from 41% a year ago. The research also uncovered that 17% of small businesses know their staff broke data protection regulations in the last year (up from 11% a year ago). [1]

The Enterprise/SMB Technology Model Does Not Apply to Cyber Security

Traditionally, Enterprise and SMB level technologies differ in design and capability – whether they have been built from the ground-up as unique solutions or whether the SMB module is a “light” version of the Enterprise class technology with certain features disabled. The key differentiators between Enterprise and SMB class technology are the expected level of flexibility and sophistication including configuration, deployment, management and reporting. From a scalability perspective, Enterprise level technologies are designed to be deployed in a non-disruptive way to hundreds, if not thousands, of users or access points within an organization spanning multiple offices and geographic territories. SMB level technology is designed for a small number of users or ports and is not intended to scale.

When it comes to cyber-security, the traditional Enterprise versus SMB model does not work. Pricing SMB oriented technology at a more affordable level as a trade-off for limited functionalities may be a good marketing tactic for security vendors selling into this segment, but leaves the SMB with a limited and mostly cosmetic protection against attack.

Firstly, regulatory compliance requirements such as PCI-DSS and HIPAA apply to both SMB and Enterprise size organizations. The onus on organizations of both sizes necessitates the implementation of systems and processes to protect third-party data. Therefore, companies that are mandated to protect their sensitive data may not have the flexibility to rely on basic cyber security technologies that fall short of regulatory requirements. More importantly, Small and Medium businesses are often the direct target of hacker attacks. By relying on cheap, “light” but largely ineffective software, the SMB decision maker may inadvertently expose his or her organization to significant risk of cyber-attack.

The Downside to SMB Level Technologies

Many of the (inexpensive) cyber security tools in the marketplace that are targeted at the SMB segment offer basic protection that can easily be bypassed by most hackers. For instance, the typical entry-level web application vulnerability scanner is based on open source technologies widely disseminated in the hacksphere. For the small business owner with limited staff, trying the Do-It-Yourself route can be frustrating and resource intensive, and takes away from business focus.

Marketers of SMB focused cyber technologies take advantage of the overall confusion in the marketplace and overemphasize basic capabilities. For instance, the Open Web Application Security Project (OWASP) publishes a list of Top 10 application vulnerabilities. The typical Enterprise organization will purchase a tool that scans for twenty or more vulnerabilities and the better technologies are based on artificial intelligence that scan more deeply. When SMB focused tools list product specs, they often include features that are rudimentary.

In our evaluation of a sample population of web application vulnerability scanners that target the SMB market, we have identified significant flaws in many of the current commercial offerings. Important capabilities – such as the ability of a scanner to drill deeply into the application layer based on dynamic parameters – are often not bundled in the basic SMB cyber security packages. Many of the tools report vast numbers of false positives, thereby requiring additional follow-on investment in costly remediation. More troubling is the number of false negatives – the significant vulnerabilities and malware that are simply not caught by even some of the leading SMB-targeted software vendors.

The Cloud Is Not a Silver Bullet

Another challenge for SMBs is the confusion about how cloud-based technologies can help them protect their businesses from attack. In many cases, the hype surrounding some cyber solutions in the marketplace may lead the SMB business owner to over-rely on technology to address the cyber threat. For instance, many cloud-based solutions advertise their end-to-end capability and falsely claim that their systems can identify and remove the threat of cyber-attack. There is a huge difference between systematically identifying a vulnerability and automatically removing it. Remediation is a complex process, often requiring coding or access to system configuration. Claims to the contrary are misleading and can result in an over-reliance on point solutions to address a systemic risk of attack. Furthermore, we are noticing the attack vector moving towards the Cloud, as hackers have realized that the Cloud is a single point of information concentration.

Final Thoughts on Technology as a Sole Solution

Not one software solution is going to remove the threat of cyber-attack. Good cyber security practices need to be applied on a company-wide basis and are not simply restricted to the IT department. We are only as strong as our weakest link and a company’s employees, customers and partners are the first line of defense against cyber-attack. From a technology perspective one should always assume that hackers have access to the latest advances in technologies and one should constantly update one’s defense toolset in order to reflect what’s happening in the hacker-sphere. Equally important is to create policies that standardize security practices across the organization.

Although hackers are constantly changing their methods, organizations need guidelines that withstand the test of time. Businesses of all sizes need to plan carefully and budget wisely to protect their data assets.

About the author: Mervin Pearce (CISSP-ISSAP) is the Vice President of Professional Services at QuatraShield, a SaaS provider of Enterprise-class cyber security technologies that include web application vulnerability scanners and malware scanners.