week 7
according to survey respondents. As business usage of mobile devices, the Internet of Things and other mobile applications accelerates, Verizon’s inaugural Mobile Security Index 2018 seeks to raise awareness of the current mobile security landscape, including growing threats, and offer recommendations for protecting the mobile enterprise.
“As mobility becomes more integral to business operations in today’s digital economy – from supply chain management to IoT-enabled sensors to customer-facing mobile apps – protecting mobile platforms is critical,” said Thomas J. Fox, senior vice president with Verizon. “Securing the multitude of mobile devices that connect to public and private networks and platforms is paramount for protecting corporate assets and brand integrity.”
Key findings include:
Nearly a third (32%) of organizations surveyed admitted to sacrificing mobile security to improve business performance.
93% of organizations agreed that mobile devices present a serious and growing threat. Also, 20% of surveyed organizations that use IoT devices cite these as their most significant concern.
79% said that disruption of their business operations is an even greater threat than the theft of data.
79% of the organizations fear that employee misuse, either accidentally or intentionally, is a significant concern. And 39% of organizations that allow employees to use their own devices for business purposes (known as BYOD) ranked this as their top concern.
A majority of organizations (62%) feel that a lack of understanding of threats and solutions is a barrier to mobile security. Less than 1/3 of organizations (33%) use mobile endpoint security and less than half (47%) said they use device encryption. Only 31% are using Mobile Device Management (MDM) or Enterprise Mobility Management (EMM).
Only one in seven organizations surveyed (14%) had implemented the most basic cybersecurity practices. Less than two fifths (39%) change all default passwords; only 38% use strong two-factor authentication on their mobile devices; and, only 59% restrict which apps employees can download from the Internet to their mobile devices.
Though a number of vertical industries are represented in the study, healthcare and the public sector were hit especially hard. More than a third of healthcare organizations (35%) and 33% of public sector entities said they had suffered data loss or downtime due to a mobile device security incident.
The Index offers a comprehensive set of recommendations for protecting the mobile enterprise. Some of these include:
Reduce the risk of malicious applications: Implement policies that govern which apps can be downloaded by employees and create a custom app store to build a more secure environment. Also, deploy application management software that scans apps for vulnerabilities.
Improve device management: Ensure that all default passwords are changed; deploy mobile endpoint security and threat detection to all devices; and, implement Mobile Device Management (MDM) and Enterprise Mobility Management (EMM).
Increase user/employee awareness: Implement a strong password policy and ensure adherence, provide regular security training and test employee awareness annually; regularly review employee access to systems and data; and, create an incident response plan to help reduce
Week 7
new report from Verizon found that organizations across numerous industries compromised mobile data security because of speed to market priorities and a lack of threat awareness
Week 6
Cybercrime Cost $600 Billion and Targets Banks First
A new report says that cybercrime costs businesses close to $600 billion, or 0.8 percent of global GDP, which is up from a 2014 study that put global losses at about $445 billion.
The Economic Impact of Cybercrime – No Slowing Down report from McAfee in partnership with the Center for Strategic and International Studies (CSIS), attributes the growth over three years to cybercriminals quickly adopting new technologies, the ease of engaging in cybercrime – including an expanding number of cybercrime centers – and the growing financial sophistication of top-tier cybercriminals.
“The digital world has transformed almost every aspect of our lives, including risk and crime, so that crime is more efficient, less risky, more profitable and has never been easier to execute,” said Steve Grobman, Chief Technology Officer for McAfee. “Consider the use of ransomware, where criminals can outsource much of their work to skilled contractors. Ransomware-as-a-service cloud providers efficiently scale attacks to target millions of systems, and attacks are automated to require minimal human involvement. Add to these factors cryptocurrencies that ease rapid monetization, while minimizing the risk of arrest, and you must sadly conclude that the $600 billion cybercrime figure reflects the extent to which our technological accomplishments have transformed the criminal economy as dramatically as they have every other portion of our economy.”
Banks remain the favorite target of cybercriminals, and nation states are the most dangerous source of cybercrime, the report finds. Russia, North Korea and Iran are the most active in hacking financial institutions, while China is the most active in cyber espionage.
“Our research bore out the fact that Russia is the leader in cybercrime, reflecting the skill of its hacker community and its disdain for western law enforcement,” said James Lewis, senior vice president at CSIS. “North Korea is second in line, as the nation uses cryptocurrency theft to help fund its regime, and we’re now seeing an expanding number of cybercrime centers, including not only North Korea but also Brazil, India and Vietnam.”
The report measures cybercrime in North America, Europe and Central Asia, East Asia and the Pacific, South Asia, Latin America and the Caribbean, Sub-Saharan Africa, and the Middle East and North Africa. Not surprisingly, cybercrime losses are greater in richer countries. However, the countries with the greatest losses (as a percentage of national income) are mid-tier nations that are digitized but not yet fully capable in cybersecurity.
The report did not attempt to measure the cost of all malicious activity on the internet, focusing instead on criminals gaining illicit access to a victim’s computer or network. The elements of cybercrime the authors identify include:
The loss of IP and business-confidential information
Online fraud and financial crimes, often the result of stolen personally identifiable information
Financial manipulation directed toward publicly-traded companies
Opportunity costs, including disruption in production or services and reduced trust in online activities
The cost of securing networks, purchasing cyber insurance and paying for recovery from cyber-attacks
Reputational damage and liability risk for the affected company and its brand
To help scope the cost of malicious cyber-activity, the authors looked at other types of crime for which there are estimates, including maritime piracy, pilferage and transnational crime. They note that data on cybercrime remains poor because of underreporting and a laxness in most governments around the world to collect data on cybercrime.
The report also includes some recommendations on how to deal with cybercrime, including:
Uniform implementation of basic security measures and investment in defensive
Week 5
People are very predictable when it comes to designing phishing attacks that appeal to potential victims, with people most likely to click on messages concerning money.
A recent KnowBe4 study sent phishing test emails to roughly 6 million and found users were most likely to click on the mock phishing emails when they promised money or threatened the loss of money. People were also likely to fall for phishing attacks that appealed to their appetite by offering free food or drinks, emails that evoked the fear of missing out on non-monetary opportunities, and attacks that appealed to basic curiosity, such as new contact requests or photo tags.
Researchers also saw an increased click rate with certain email subjects, with missed deliveries and false security notifications gaining the most clicks. The top subject lines included “A Delivery Attempt Was Made” with an 18 percent click rate, “UPS Label Delivery 1ZBE312TNY00015011” with a 16 percent click rate, “Change of Password Required Immediately” with a 15 percent click rate, “Unusual sign-in activity” with a 9 percent click rate, and “Happy Holidays! Have a drink on us.” with an 8 percent click rate.
“Email is an effective way to phish users when disguised as legitimate email,” the report said. “These methods allow attackers to craft and distribute enticing material for both random (general phish) and targeted (spear-phish) means, leveraging multiple psychological triggers and engaging in what amounts to a continuous maturity cycle.”
Researchers were more convincing when targeting users via social media themed email phishing attacks. LinkedIn notifications were by far the most convincing with requests to add people, join networks, reset passwords, and new messages convincing 53 percent of test subjects to click.
week 4
EM firmware built into WiFi routers use open source components that contain numerous known security vulnerabilities that can be exploited by hackers, it notes.
Insignary, a startup security firm based in South Korea, conducted comprehensive binary code scans for known security vulnerabilities in WiFi routers. The company conducted scans across a spectrum of the firmware used by the most popular home, small and mid-sized business and enterprise-class WiFi routers.
Although KRACK may be the newest and potentially most harmful WPA2 security vulnerability, router firmware vulnerabilities are far more extensive and dangerous, based on the firm's findings.
"While KRACK WPA2 is the latest WiFi security vulnerability, it appears to be just the tip of the iceberg, compared to what currently exists in router firmware," said Tae-Jin Kang, CEO of Insignary.
The company has been monitoring WiFi router issues since the infamous botnet attack in the fall of 2015 brought down the Internet for a couple of days. Many of the vulnerabilities Insignary found in 2016 were present in scans performed last year.
"This is distressing. Many vendors continued to ignore problems that could easily be fixed. These are devices that we use on a daily basis," Kang told LinuxInsider.
Time to Raise Awareness
The 2015 attack was carried out not by zombie PCs but by 300,000 compromised IoT devices. People had theorized about the possibility of such an attack, and that incident proved it could be done, said Kang.
"So we decided it was time to raise awareness. This is a serious problem. We are talking about well-known security issues that still exist in the routers. These devices can be compromised in many ways. WiFi devices are pervasive," he warned.
The threat is specific to IoT devices rather than to computers and other mobile devices. However, the Linux operating system also may be in the crosshairs because so many variations of Linux distributions prevent a centralized patch deployment solution, Kang explained.
Windows 10 and the macOS have addressed the security issues to neutralize the router vulnerabilities. An important factor in their doing so is that those OSes are not open source, he said.
"I'm not saying that open source itself is inherently less secure," Kang emphasized. "The Linux community has done a very good job of responding to security issues. The problem is that even with rapid updating of patches, the distribution process is decentralized and fragmented with the Linux OS."
About the Study
Insignary conducted the scans during the last two weeks of November 2017. Its research and development team scanned 32 pieces of WiFi router firmware offered in the U.S., Europe and Asia by more than 10 of the most popular home, SMB and enterprise-class WiFi router manufacturers: Asus, Belkin, Buffalo, Cisco, D-Link, EFM, Huawei, Linksys, Netis and TP-Link.
The researchers used a specialized tool Insignary developed to scan the firmware. They also leveraged Clarity, a security solution that enables proactive scanning of software binaries for known, preventable security vulnerabilities, and identifies license compliance issues.
Clarity uses a unique fingerprint-based technology. It works on the binary-level without the need for source code or reverse engineering. Clarity compares the scan results against more than 180,000 known vulnerabilities based on the fingerprints collected from open source components in numerous open source repositories.
Once a component and its version are identified through Clarity's fingerprint-based matching using numerous databases such as NVD and VulnDB. Clarity adds enterprise support, "fuzzy matching" of binary code, and support for automation servers like Jenkins.
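As an added illustration (not Insignary's code and not how Clarity works internally), the sketch below uses plain version-banner matching, a simpler technique than the fingerprinting described above, to inventory components inside a firmware image and flag versions below a policy floor. The firmware bytes, the banner patterns for wpa_supplicant and hostapd, and the minimum versions are constructed assumptions, not advisory data.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, str]

# Banner patterns for strings that components typically embed in their binaries.
# The wpa_supplicant/hostapd patterns are assumptions about the usual banner form.
BANNERS = {
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*) "),
    "wpa_supplicant": re.compile(rb"wpa_supplicant v(\d+\.\d+(?:\.\d+)?)"),
    "hostapd": re.compile(rb"hostapd v(\d+\.\d+(?:\.\d+)?)"),
}

# Constructed policy floor for this example only; a real scan would take the
# fixed-in versions from a vulnerability database such as NVD.
MIN_APPROVED = {"openssl": "1.0.2k", "wpa_supplicant": "2.6", "hostapd": "2.6"}

# Constructed stand-in for an unpacked firmware image (two OpenSSL copies on purpose).
SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x01\x00" + b"\x00" * 16
    + b"OpenSSL 1.0.1e 11 Feb 2013\x00"
    + b"\xde\xad\xbe\xef" * 4
    + b"wpa_supplicant v2.4\x00hostapd v2.6\x00"
    + b"\x00" * 8
    + b"OpenSSL 1.0.2k  26 Jan 2017\x00"
)


def parse_version(text: str) -> Version:
    """Turn '1.0.1e' or '2.6' into a tuple that compares in release order."""
    match = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?([a-z]*)", text)
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, letters = match.groups()
    return (int(major), int(minor), int(patch or 0), letters)


def inventory(blob: bytes) -> Dict[str, List[str]]:
    """Return every distinct version of each known component found in the blob."""
    found: Dict[str, List[str]] = {}
    for name, pattern in BANNERS.items():
        versions = {m.group(1).decode("ascii") for m in pattern.finditer(blob)}
        if versions:
            found[name] = sorted(versions, key=parse_version)
    return found


def outdated(blob: bytes, minimum: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """List (component, found_version, required_version) for versions below the floor."""
    report = []
    for name, versions in inventory(blob).items():
        floor = minimum.get(name)
        if floor is None:
            continue
        for version in versions:
            if parse_version(version) < parse_version(floor):
                report.append((name, version, floor))
    return sorted(report)


if __name__ == "__main__":
    for component, found, required in outdated(SAMPLE_FIRMWARE, MIN_APPROVED):
        print(f"{component}: found {found}, policy requires >= {required}")
```

Banner matching misses components whose version strings were stripped or patched without a version bump, which is the gap that binary fingerprinting is meant to close.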
Key Findings
The WiFi router firmware sold by the top manufacturers contained versions of open source components with security vulnerabilities, the binary scans indicated. Most models' firmware contained "Severity High" and "Severity Middle" security vulnerabilities. This means that the deployed products and firmware updates remained vulnerable to potential security threats.
A majority of the models' firmware made use of open source components with more than 10 "Severity High" security vulnerabilities, based on the examination.
Half of the firmware used open source components containing "Severity Critical" security vulnerabilities, according to researchers.
The report lists the following "Severity Critical" security vulnerabilities found in open source firmware components:
WPA2 (KRACK) -- Key reinstallation attack;
ffmpeg -- Denial of Service;
openssl -- DoS, buffer overflow and remote code execution;
Samba -- Remote code execution.
In many cases, router vendors evidently have not made use of the correct, up-to-date versions of the affected software components, the researchers concluded.
Serious Concerns
"Vendors rarely support and update routers after the first two years at most," noted Brian Knopf, senior director of security research and IoT architect at Neustar.
Two more reasons make the report's finding noteworthy, he told LinuxInsider. One, router manufacturers spend very little money on security because they tend to dislike cutting into their already-slim margins
Week 3
Security researchers at Sucuri discovered a malicious campaign that infects WordPress websites with a script that delivers an in-browser cryptocurrency miner from Coinhive and a keylogger. Coinhive is a popular browser-based service that lets website owners embed JavaScript that uses the CPU power of their website visitors to mine the Monero cryptocurrency.
Sucuri researchers said the threat actor behind this new campaign is the same one that infected more than 5,400 WordPress websites last month, since both campaigns used the keylogger/cryptocurrency malware called cloudflare[.]solutions. Spotted in April last year, cloudflare[.]solutions is cryptocurrency mining malware and is not at all related to the network management and cybersecurity firm Cloudflare. It was given this name because it initially used the cloudflare[.]solutions domain to spread. The malware was updated in November to include a keylogger. The keylogger behaves the same way as in previous campaigns and can steal data from both the site's administrator login page and the website's public-facing frontend.
Week 2
Eavesdropper Vulnerability Exposes Hundreds of Mobile Apps
Appthority on Thursday warned that up to 700 apps in the enterprise mobile environment, including more than 170 that were live in official app stores, could be at risk due to the Eavesdropper vulnerability.
Affected Android apps already may have been downloaded up to 180 million times, the firm said, based on its recent research.
The vulnerability has resulted in large-scale data exposure, Appthority said.
Eavesdropper is the result of developers hard-coding credentials into mobile applications that utilize the Twilio REST API or SDK, according to Appthority. That goes against the best practices that Twilio recommends in its own documentation, and Twilio already has reached out to the development community, including those with affected apps, to work on securing the accounts.
Appthority's Mobile Threat Team first discovered the vulnerability back in April and notified Twilio about the exposed accounts in July.
The vulnerability reportedly exposes massive amounts of sensitive and even historic data, including call records, minutes of the calls made on mobile devices, and minutes of call audio recordings, as well as the content of SMS and MMS text messages.
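As an added example (not from Appthority or Twilio), the check below scans decompiled app sources for hard-coded Twilio credentials of the kind described above: an Account SID ("AC" followed by 32 hex characters) with a token-shaped 32-hex value near it. The file names and credential values are constructed, and the three-line search window is an assumption.

```python
import re
from typing import Dict, List, NamedTuple

# Twilio Account SIDs are "AC" + 32 hex characters; Auth Tokens are 32 hex characters.
SID_RE = re.compile(r"(?<![0-9A-Za-z])AC[0-9a-fA-F]{32}(?![0-9A-Za-z])")
HEX32_RE = re.compile(r"(?<![0-9A-Za-z])[0-9a-fA-F]{32}(?![0-9A-Za-z])")
WINDOW = 3  # lines searched on either side of a SID for a token-shaped value (assumption)


class Finding(NamedTuple):
    path: str
    line: int
    sid: str        # redacted so the report does not leak the credential again
    severity: str   # "sid+token" or "sid-only"


def redact(value: str, keep: int = 6) -> str:
    """Keep a short prefix for triage and mask the rest."""
    return value[:keep] + "*" * (len(value) - keep)


def looks_like_placeholder(hex_part: str) -> bool:
    """Documentation placeholders such as 000...0 use one or two distinct digits."""
    return len(set(hex_part.lower())) <= 2


def scan_text(path: str, text: str) -> List[Finding]:
    """Flag each real-looking Account SID and whether a token sits next to it."""
    lines = text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        for match in SID_RE.finditer(line):
            sid = match.group(0)
            if looks_like_placeholder(sid[2:]):
                continue
            window = lines[max(0, idx - WINDOW): idx + WINDOW + 1]
            tokens = [t for near in window for t in HEX32_RE.findall(near)
                      if not looks_like_placeholder(t)]
            severity = "sid+token" if tokens else "sid-only"
            findings.append(Finding(path, idx + 1, redact(sid), severity))
    return findings


def scan_app(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> decompiled source text, in path order."""
    results: List[Finding] = []
    for path in sorted(files):
        results.extend(scan_text(path, files[path]))
    return results


# Constructed sample input: three files as they might appear after decompiling an app.
SAMPLE_APP = {
    "com/example/sms/Config.java": (
        "public final class Config {\n"
        '    static final String ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";\n'
        '    static final String AUTH_TOKEN = "fedcba9876543210fedcba9876543210";\n'
        "}\n"
    ),
    "com/example/voice/Client.java": (
        "// access token is fetched from the app's own backend at runtime\n"
        'String url = "https://api.twilio.com/2010-04-01/Accounts/"\n'
        '    + "AC89abcdef0123456789abcdef01234567/Calls.json";\n'
    ),
    "assets/README.txt": "Set TWILIO_ACCOUNT_SID=AC" + "0" * 32 + "\n",
}

if __name__ == "__main__":
    for finding in scan_app(SAMPLE_APP):
        print(f"{finding.path}:{finding.line} {finding.severity} {finding.sid}")
```

A "sid+token" finding means the account's credentials ship inside the app and need to be rotated; removing the string from the next release does not protect data already reachable with the old credentials.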
Reducing the Risk
The best approach for an enterprise is to identify the Eavesdropper-vulnerable apps in its environment and determine whether the data exposed by the app is sensitive, Appthority suggested.
"Not all conversations involve confidential information, and the nature of the app's use in the enterprise may not involve data that is sensitive or of concern," noted Seth Hardy, Appthority director of security research.
"If the messages, audio content or call metadata turn out to be sensitive or proprietary, there may not be much that can be done about exposed conversations resulting from prior use of the app," he told TechNewsWorld.
"However, a lot can be done to protect future exposures, including either addressing and confirming the fix with the developer, or finding an alternate app that has the same or similar functionality without the Eavesdropper vulnerability," Hardy said. "In all cases, the enterprise should contact developers to have them delete exposed files."
Sloppy Coding
The Eavesdropper vulnerability is not limited to apps created using the Twilio REST API or SDK, Appthority pointed out, as hard-coding of credentials is a common developer error that can increase security risks in mobile applications.
"The core problem is developer laziness, so what Appthority found isn't a particular revelation," said Steve Blum, principal analyst at Tellus Venture Associates.
"It's just one more example of bad practices leading to bad results, as it's very tempting for a coder to take shortcuts while developing an app, with the sincere intent of cleaning things up later," he told TechNewsWorld.
"With apps being developed by a single person or a small team, there are no routine quality control checks," Blum added. "Right now, it's up to the stores -- Apple and Android, primarily -- to do QC work, and I'd bet they're taking a look at this particular problem and might screen more thoroughly for hard-coded credentials in the future."
For security and privacy to come first, it may be essential for coding in general to go through a paradigm shift, suggested Roger Entner, principal analyst at Recon Analytics.
"Unfortunately, too often security is seen as a cost center, and privacy is seen as the revenue generator for the company that develops the app," he told TechNewsWorld.
"Therefore, apps are often not secure -- and privacy is nonexistent -- to minimize cost and maximize revenue," Entner explained. "The only way to combat these breaches is to actually pay full price for the apps consumers are using and to reject advertising-supported apps."
No Easy Fix
One of the most worrisome facts about this vulnerability is that Eavesdropper doesn't rely on a jailbreak or root of the device. Nor does it take advantage of other known operating system vulnerabilities.
Moreover, the vulnerability is not resolved after the affected app has been removed from a user's device. Instead, the app's data remains open to exposure until the credentials are properly updated.
"There isn't a consumer workaround other than uninstalling all affected apps and hoping that your data hasn't already been compromised," warned Paul Teich, principal analyst at Tirias Research.
Some users may purchase phones that are preloaded with apps that could compromise their personal information.
"Twilio could force developers to update their app code by invalidating or revoking all access credentials to their compromised services APIs," Teich told TechNewsWorld.
However, "the sudden impact would be that a lot of valued consumer smartphone apps and services would simply stop working all at the same time," he said.
It appears that users have few options, and it could be difficult for consumers even to have visibility into Eavesdropper-affected apps.
Those who work at a company "can ask their IT security team for a list of apps that are approved, and then delete vulnerable apps and install non-Eavesdropper affected apps instead," suggested Appthority's Hardy.
"The big challenge is how to stop the flow of information from this breach while still providing access to valued services," said Tirias' Teich.
This situation occurred in no small part because developers were sloppy. However, consumer attitudes likely played a role as well. Many people favor ease of use over mobile device security.
"Consumers are still too casual about their privacy and opt not to pay," said Recon Analytics' Entner, "instead having their privacy monetized and compromised through sloppily coded apps."
Intel, Microsoft, Google Scramble for Solutions as Patches Slow Systems
Major tech companies, including Intel, Microsoft and Google, scrambled to calm the mood this week after a large number of computer users reported performance problems linked to security updates for the Spectre and Meltdown vulnerabilities.
A firestorm of criticism has erupted over the response to the chip flaws, which researchers at Google's Project Zero discovered in 2016. Months passed before the problems were disclosed to the public. Further, the security patches released in recent days have been blamed for performance problems, including slowdowns in many systems. The fixes reportedly rendered a smaller number of systems unbootable.
Intel CEO Brian Krzanich on Thursday sent an open letter to the technology industry, pledging the company would make frequent updates and be more transparent about the process, and that it would report security issues to the public in a prompt manner.
Design Flaw
Intel Executive Vice President Navin Shenoy on Wednesday issued an update on the impact of the patches on performance, saying that eighth-generation Kaby Lake and Coffee Lake platforms would see less than a 6 percent performance decrease. However, users running Web applications with complex JavaScript operations might see a 10 percent reduction.
The seventh-generation Kaby Lake platforms would experience a 7 percent reduction, and the impact on the sixth-generation Skylake platforms would be slightly higher at 8 percent.
Intel released numerous statements after the vulnerabilities were made public, and it shot down reports that its chips were the only ones at risk.
However, the Rosen Law Firm on Wednesday announced that it had filed a class action suit against Intel, alleging a failure to disclose the design flaw. The complaint cited reports that Intel had been warned of the problem. An Intel spokesperson was not immediately available to comment for this story.
Project Zero researchers discovered serious security flaws caused by "speculative execution," a technique used by modern CPUs to optimize performance, Matt Linton, senior security engineer at Google Cloud, and Matthew O'Connor, office of the CTO, wrote in an online post.
G Suite and Google Cloud platforms have been updated to protect against known attacks, the company said, though it acknowledged concerns that a variant of Spectre is considered more difficult to defend against.
Microsoft and others in the industry were notified of the issue several months ago under a nondisclosure agreement, Terry Myerson, executive vice president of Microsoft's Windows and Devices group, noted earlier this week in an online post. The company immediately began engineering work on updates to mitigate the risk.
The flaw could allow a nonprivileged user to access passwords or secret keys on a computer or a multitenant cloud server, explained Stratechery analyst Ben Thompson in a post Myerson referenced.
Contrary to Intel's protests, the potential risk from Meltdown is due to a design flaw, Thompson also noted.
Users of Windows 8 or Windows 7 systems using Haswell or older CPUs would see a decrease in system performance after patching the flaw, Myerson noted.
Apple released updates for iOS, macOS High Sierra, and Safari on Sierra and El Capitan, noting the issue relates to all modern processors and affects nearly all computers and operating systems.
However, there have been no reported compromises of customer data, Apple added, and Apple Watch is not affected by Meltdown or Spectre.
Performance Over Prudence
"The Meltdown and Spectre vulnerabilities require adjustment to critical, low-level interfaces in affected operating systems," said Mark Nunnikhoven, vice president of cloud security at Trend Micro.
"Given the scale of the issue, the patches by Microsoft, Apple, Google and others have been very successful," he told TechNewsWorld.
Still, there have been problems in some cases, Nunnikhoven said, noting that Microsoft and AMD have been pointing fingers at one another following reports of computers slowing down or in some cases not booting.
Microsoft has suspended automatic updates and is working with AMD on a solution, it said in a security bulletin.
"Like most organizations, chip manufacturers long have prioritized speed over security," said Ryan Kalember, senior vice president of cybersecurity strategy at Proofpoint, "and that has led to a tremendous amount of sensitive data being placed at risk of unauthorized access via Meltdown and Spectre."
The software patch required to fix Meltdown can slow computer processors down by as much as 30 percent, said Alton Kizziah, vice president of global managed services at Kudelski Security.
"Organizations need to test patches before installing them to make sure that systems that may already be pushed to their limits won't crash and cease functioning as a result of the patch," he told TechNewsWorld. Also, those using Microsoft patches may need to make adjustments to their registry keys to avoid interference with antivirus software.