Why Software Security for Laptops Isn’t Enough

Posted in: Security Awareness

May 5, 2016 | James Martin

Laptops are typically among the weakest links in any security chain. Mobile or remote users often access sensitive data on the go at public hot spots that are, to say the least, beyond a company’s secure network perimeter.

Internet security risks to which laptop users can be especially vulnerable are growing in frequency, complexity, and sophistication. For example, data theft or loss from stolen or hacked laptops has long been a concern. But data sabotage, in which criminals hack into your system and change data to compromise its integrity, is IT’s “next nightmare,” according to an early 2016 Wired report.

Clearly, protecting endpoints, especially laptops, is vital. All too often, however, laptops are protected mostly by software security, such as firewall and anti-virus software. But software security has its limitations. Here’s why software security isn’t enough, and what you can do about it.

Security Should be a Top Priority—But it’s Not

Security is a constantly moving target, but few IT departments have the resources to do security thoroughly. PC security is something of a thankless job, to boot. Do it right, no one says a word. Do it wrong, you’re on the firing line.

Surprisingly, security isn’t always a top factor when IT looks to replace aging PCs, according to IDC. Of the top five considerations cited when making PC brand decisions, security ranked fourth below overall performance (priority no. 1), overall costs (no. 2), and overall specs (no. 3).

IT typically adds security to laptops via software such as anti-virus, anti-malware, firewalls, and intrusion detection. They’re all certainly important and should be a part of your overall security strategy.

Users Don’t Always Follow the Rules

But even the most effective aftermarket security software won’t protect laptops when users don’t follow basic security protocols. Employees who connect to insecure public hot spots, click on unauthorized or questionable email attachments, visit questionable websites, or try to “outsmart” IT by using their own devices or cloud services can make your company more vulnerable to security risks.

No surprise, then, that IDC research also shows that the top security risk identified by IT is that employees “underestimate the importance of following security policy.”

Why Hardware Security is Important

Because of these and other factors, IT should be looking at laptop security more holistically, with an eye toward securing data and devices at the hardware level as well as the software level. This trend is already well underway: IDC estimates that by next year, about 90 percent of enterprise endpoints will include some degree of hardware-based security.

Beyond the basic security software installations, IT should seriously consider encrypting the data that employees store and access on laptops. Encryption is essential to protecting that data if the laptop is lost, stolen or hacked. Every mobile device should be protected by strong passwords that are regularly changed. And the data in cloud services should be protected with two-factor verification wherever possible.

In addition, the next time you look to replace a laptop, consider enterprise-grade products offering security features built into the hardware or firmware, such as preboot authentication, self-encrypting drives, remote wiping capabilities and a self-healing BIOS. For more on hardware-based security, see “Security Features to Look for in New Laptops.”

Ultimately, a patchwork of security measures, coupled with careless mobile users and rising security threats, can be a recipe for disaster. You don’t want to become the next Target (on the hook for $10 million after a data breach), Anthem (cost of data breach: well over $100 million), or Ashley Madison (hit with about $850 million in losses).

Underwritten by HP and Microsoft

H.M. DeBardeleben MSITM @ May 9, 2016

Adobe: Software Company Issues Emergency Update for Flash Player Security Vulnerability

Posted in: Security Awareness, Threats, Cybersecurity

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that allow ransomware to be installed on the Windows, Macintosh, Linux and Chrome OS platforms.

Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version and earlier.

H.M. DeBardeleben MSITM @ April 8, 2016

Apple vs. The FBI

Posted in: Security Awareness, Threats, Cybersecurity

The FBI is trying to compel Apple to create a method of cracking the security of the iPhone by invoking a ridiculous 225-plus-year-old statute.

Tech companies like Apple and Google have security on their devices to keep everyone out: hackers, governments, even the companies themselves. But if they’re forced to open a door for police, criminal hackers and government thugs can get in too.

Bruce Schneier, one of the world’s top cryptographers, warned that criminals could also use this kind of special access to break into people’s phones to steal messages, photographs and other personal information. If Apple creates a weaker version of its operating system, others will get their hands on it. This battle over data encryption has finally reached a peak.

The FBI demonstrated epic incompetence in resetting the iCloud account.
Senior Apple execs said on Friday that were it not for the password change, the company may have been able to get at more recent backups of the information the government was after.

Apple execs told reporters that the company had proposed four different ways to recover the information the government wants, all without building a backdoor into its iOS encryption.

One method would have involved connecting the iPhone to a known Wi-Fi network and triggering an iCloud backup that might have delivered information stored on the device between 19 October and the date of the mass shooting.

The execs said that Apple had sent trusted engineers to try it.
But the engineers found that the Apple ID password associated with Farook’s iPhone had been changed sometime after his death: within 24 hours of the government having gotten their hands on it, in fact.
Changing the password obviated the chance to get at a fresh copy of the device data via the known-Wi-Fi-network method Apple had planned.

On Friday, the FBI blamed the resetting on the phone’s owner, Farook’s employer, the San Bernardino Health Department. Earlier in the week the FBI had released a press statement explaining its motivation for resetting the iCloud password. It seems like a screw-up, which prevented Apple from extracting data from the phone via iCloud. However, the FBI says that the county did it, in collaboration with the FBI, in order to gain access to the suspect’s iCloud account.

H.M. DeBardeleben MSITM @ February 23, 2016

The Password Problem

Posted in: Security Awareness, Threats, Cybersecurity

12/1/2014, by Holly Gilbert Stowell
Appears in the December 2014 print issue of Security Management magazine

The username and password have long been used to guard information, but cybersecurity breaches show just how vulnerable the paradigm is.

In September, attackers breached iCloud accounts belonging to celebrities such as Jennifer Lawrence and posted private photographs of the victims online. In August, news reports circulated of Russian hackers making off with 1.2 billion passwords from 420,000 websites. The Heartbleed virus, discovered in April, exposed private keys and passwords during user sessions. The list of breaches related to username and password theft goes on and on.

According to the 2014 Trustwave Global Security Report, two out of three security breaches in 2013 exploited weak or stolen passwords. Experts call for stronger, varied, and more complex passwords across different accounts, but others suggest doing away with the username-and-password paradigm altogether.

“Usernames and passwords are basically broken from a security and a usability standpoint,” says Jeremy Grant, senior executive advisor for identity management at the National Institute of Standards and Technology (NIST). Grant is in charge of a federal program that is exploring new authentication concepts, called the National Strategy for Trusted Identities in Cyberspace (NSTIC).

Grant says the rules for creating a strong password are too much for any one person to manage across dozens or even hundreds of accounts–using uppercase and lowercase letters, incorporating symbols, and not writing them down, just to name a few. He adds that attackers are increasingly sophisticated at stealing passwords and often use automated machines to crack credentials. “There are so many different ways to execute password-based attacks these days that the notion of such a thing as a ‘secure password’ in the year 2014 just doesn’t make sense,” he tells Security Management.

Instead, says Grant, steering people toward stronger forms of authentication that are more secure, more private, and easier to use is a key focus of the NSTIC program.

Established by a presidential initiative in April 2011, NSTIC was designed to address the problem of insecure credentials for online identification by working with the private sector to develop new standards for identity technology. The program seeks to create a marketplace of solutions for establishing one’s identity and gaining access to services without the traditional username and password, Grant says.

To work more closely with the private sector, NSTIC established the Identity Ecosystem Steering Group—industry professionals who have monthly meetings to talk about the program. Members include representatives from Citigroup, the American Civil Liberties Union, and LexisNexis.

Over the last three years, grants have been awarded to organizations that are trying different authentication methods, including biometrics, secure elements embedded in devices, and one-time-use passwords that are automatically downloaded from an app.

One such pilot program, being conducted by AARP, uses biometric authentication for an app within the company’s website. Another pilot is being conducted by ID.me, an organization that helps affinity groups, such as veterans, prove their identity online. This summer, ID.me worked with the theme park Sea World and the rock bands Kiss and Def Leppard, who all wanted to offer discounted or early ticket sales to veterans. Using grant money from NSTIC, the groups were able to ensure that all purchasers of discounted or early tickets truly were former military members. Grant says that eventually the Department of Veterans Affairs hopes to integrate the same technology within certain applications on its website.

Another pilot launching soon is with Inova Health System, the largest healthcare provider network in Northern Virginia. The company wants to offer patients the ability to access their electronic health records online, but as Grant puts it, the organization’s chief technology officer was “wise enough” to know that a username and password would not provide the necessary security. So Inova is working with the Virginia Department of Motor Vehicles to create a stronger credential that ties in with driver’s license registration. Those registered with the DMV would be able to authenticate themselves in a multistep process using a variety of secure credentials, including their driver’s license number. Grant says the Inova pilot shows potential because it’s “focused on letting citizens reuse the value” of what they went through to get a state-issued identification card.

In September, NSTIC announced the third round of pilot programs, which will award $3 million in grants. Though few details have been released, the official press release notes that the awardees, GSMA, Confym, and MorphoTrust USA, will focus on solutions that use mobile devices for authentication, minimize fraud-based loss, and improve access to state services.

Grant says the problem with online identity has less to do with building the right technology and more with addressing the overarching issues that technology doesn’t answer, such as privacy, liability, and usability. For example, how easy is the technology for consumers to use, and who is liable for a breach in the case of multiple businesses logging onto the same site? “What you’re really dealing with at the end of the day is a bunch of issues that make the technology a secondary barrier to overcome,” he notes.

He adds that NSTIC, as a government initiative, isn’t meant to be a silver bullet to solve the password problem overnight. “At the end of the day it’s a strategy,” Grant says. “It lays out a vision of what this marketplace should look like in a few years.”

Until this strategy is formulated, companies must make do with the current system. Experts advise that the best way to strengthen passwords is to make them only a part of the security solution. “Use multi-factor authentication,” advises Robert Twitchell, president and chief executive officer of Dispersive Technologies. He adds that it’s a good idea to avoid the use of public Wi-Fi hotspots to access your networks and recommends network segmentation. “Having everything the same enables a hacker to reuse techniques,” he notes.

Terrorists Finding Targets in Cyberspace

Since the 1990s, terrorist groups have used the Internet to spread their messages and gain new followers. Over time, they have only grown more sophisticated at leveraging this powerful tool. In the fall of this year, the Islamic State of Iraq and Syria (ISIS) used social media to recruit Western Muslim extremists; U.S. intelligence experts believe that at least a dozen Americans were recruited online and have joined their ranks. The group even hijacked hashtags of popular but unrelated topics on Twitter, such as an August earthquake in Northern California. Their strategy was to ensure that gruesome photos of dead American soldiers and other propaganda would pop up when people searched for “#napaquake.” This same terrorist group has posted videos of the beheadings of two American journalists and a British aid worker on YouTube to threaten and intimidate its enemies.

“They can hide in cyberspace,” said Gabriel Weimann, professor of communication at Haifa University in Israel, during a presentation at the Library of Congress in April. Weimann said terrorists can use the Internet “to reach huge audiences, especially young people…. There’s no way to block them, no way to censor them.”

Research points to the expansion of terrorism in cyberspace. The number of terrorist websites has grown dramatically in the last decade and a half, up from 12 sites in 1998 to 9,800 sites in December 2013, according to the United States Institute of Peace.

By using the Internet, terrorists no longer need to bring recruits to one physical location. “They can actually go to virtual camps in cyberspace where they’ll find all the guidebooks, including how to prepare various poisons, how to hit planes, how to attack computer networks, how to damage a target with an explosive car, how to build a detonation device,” said Weimann. “It’s all online. They don’t need to go anywhere. They can sit at home and join the cause.”

Terrorism videos are also widely available online, and thousands of results can be found through a simple YouTube search. Hamas even launched its own versions of YouTube, including Aqsa Tube in 2009 and Pal Tube in 2011. These sites have the same look and feel as YouTube, but are strictly dedicated to the terrorists’ cause.

Weimann, who is a fellow at the Woodrow Wilson Center, pointed out that Google Earth, which offers satellite images of the world, has been leveraged to plan and execute attacks, as was the case in the 2008 Mumbai bombing attacks. In that massacre, carried out by Pakistani-based group Lashkar-e-Taiba, each of the terrorists had the distances, directions, and sites on their computers or smart devices so they could attack at the same time, knowing when and where to go.

In his presentation, Weimann also talked about the idea of narrowcasting, in which terrorists target groups based on age, education, demographic, and standard of living. “Instead of one message to all, they are moving now to a very specific and narrowcasting type of propaganda and recruitment online,” he said of the terrorists.

“One example, and perhaps the most alarming, is the targeting of children online,” said Weimann, who points out that children’s shows are often used to send the message of terrorism to a younger audience.

For example, Hamas aired an episode of Pioneers of Tomorrow on Al Aqsa in May 2014, which featured a child who said she wanted to become a police officer so she could “shoot Jews.” A giant bumblebee is one of the show’s main characters.

“If you consider that your struggle is a long-term one, you are thinking about educating the next generation of terrorists,” noted Weimann.

Weimann said the lack of regulation on the Internet makes terrorism in cyberspace extremely hard to combat. However, maintaining an awareness of where the terrorists are online and who may be interacting with them is key to stopping them, and U.S. intelligence sources and others are doing this around the world.

There are also online campaigns to dissuade young people from joining the ranks of terror groups. One such video, which Weimann said is likely from a Saudi source, features a suicide bomber wreaking havoc on a busy town square. The name of the campaign is “Say No to Terrorism.”

The State Department’s Center for Strategic Counterterrorism Communication has been active lately in the fight against ISIS, posting lines such as “Think Again, Turn Away” to would-be extremist recruits on Twitter, Tumblr, YouTube, Facebook, and other social media sites.

“We may think of using the same platforms to appeal to the same targeted audiences with different narratives,” Weimann noted. “It is certainly one of the ways to counter terror issues on the Internet.”

H.M. DeBardeleben MSITM @ July 2, 2015