Cyber Security Institute

Tuesday, April 30, 2013

Splunk Adds Statistical Analysis to Enterprise Security App

Analysis of machine-generated data can play an important role in a sophisticated layered defense for your data and systems, but getting there can be challenging even with advanced intelligence platforms. Splunk—provider of an engine that collects, indexes and analyzes massive volumes of machine-generated data—is out to change that with today’s release of version 2.4 of the Splunk App for Enterprise Security, which makes the statistical analysis tools, dashboards and visualizations available out of the box. “Statistical analysis is the new weapon of the security warrior defending against threats that bypass traditional security detection systems,” says Mark Seward, senior director of security and compliance at Splunk.


Ramnit sleeping malware targets UK financial sector

“Trusteer’s security team recently analysed a Ramnit variant that is targeting a UK bank with a clever one-time password (OTP) scam,” said a Trusteer spokesman. The malware reportedly avoids detection by going into an idle sleep mode until its intended victim logs into their online bank account, at which point it activates and presents them with a fraudulent phishing message. “While the user is reading the message, Ramnit connects to its command and control server and obtains the details of a designated mule account,” explained a Trusteer spokesman. Once connected to the account the malware enters its final stage, presenting its victim with a second bogus message designed to dupe the user into entering a code that will let the malware bypass the system’s final defence.


DDoS used as cover fire for parallel attacks, $2.1 million unauthorized wire transfer

The Dell SecureWorks Counter Threat Unit(TM) research team's 2012 Threatscape Review contains an interesting scenario in which distributed denial-of-service attacks were used as cover while up to $2.1 million was drained from a bank account. The Dell SecureWorks 2012 Threatscape Review analyzes the conditions in 2012 that create threat scenarios and discusses notable trends in software vulnerabilities, global-scale threats, distributed denial of service (DDoS) attacks, Advanced Persistent Threats, and mobile threats.



Hackers hit thousands of websites with Apache backdoor attack

Security firm Eset has uncovered a malicious cyber campaign using a backdoor exploit in Apache web servers to herd web users to sites carrying Blackhole exploit packs. It will be difficult to assess the dangers and actions of specific compromised systems if only the binary is found and the active shared memory is not. Zwienenberg said the compromised servers are being used to drive web traffic to a number of malicious websites containing malware and exploits from the Blackhole exploit kit. The campaign has already compromised hundreds of Apache servers, meaning that thousands of websites could potentially have been affected.



A New Source of Cyberthreat Updates

The FS-ISAC is now offering briefings on the latest trends and how to address them, says Bill Nelson, president. Through a new partnership with the cyber-intelligence firm iSIGHT Partners, the Financial Services Information Sharing and Analysis Center is providing its banking institution members with updates on cyber-attack trends, including data from international markets, Nelson says. “iSIGHT is now providing briefings to our members about how these attacks can be detected and, in some cases, mitigated,” Nelson says during an interview with Information Security Media Group.



Backdoor malware hits clearing house clients

A backdoor malware is threatening to steal credit card details of clients of Automated Clearing House (ACH) by fooling them into opening an email attachment claiming to be a payment receipt. Security vendor Bitdefender said the fake payment receipts are part of what it called “a rising wave” of spam emails targeting credit card data. “In November 2011, a bank refusal e-mail came loaded with a Trojan unleashed by a fake flash.exe update. Bogus ACH failure notifications have also been used to spread a variant of the ZeuS banking Trojan,” Bitdefender said in a blog post.


Sunday, April 28, 2013

U.S. response to bank cyberattacks reflects diplomatic caution, vexes bank industry

The United States, concerned that Iran is behind a string of cyberattacks against U.S. banking sites, has considered delivering a formal warning through diplomatic channels but has not pursued the idea out of fears that doing so could escalate hostilities, according to American officials. It also reflects the pressure the administration is under from banking industry officials, who want to know what amount of pain or damage will justify a government response. “We don’t have a clear view of what are the triggers — and we’ve asked,” said one industry official who has been involved in discussions with the administration and who spoke on the condition of anonymity. Administration officials say it is difficult and unwise to be too precise about potential responses because they do not want to set red lines that, if crossed, might obligate them to act.



Friday, April 26, 2013

US banking sector vulnerable to hackers

US authorities charged with overseeing the financial sector are worried about its vulnerability to cyberattacks, they said in a report. “Security threats in cyberspace are not bound by national borders and can range widely from low to high security risks,” wrote the Financial Stability Oversight Council in its 2013 annual report published on Thursday.


Kingston adds malware scanner to its secure drives

Then there was a bit of a backlash in government circles, with some agencies gluing their USB ports closed to prevent unauthorized devices from connecting because the drives offer a window for malware to enter networks. In recent years removable media has been at the center of major security events, as a vehicle of infection for the infamous Stuxnet worm and as a data exfiltration vector associated with the Flame virus. The combination extends ClevX DriveSecurity powered by ESET’s proactive portable anti-malware technology to Kingston’s DataTraveler 4000 and DataTraveler Vault Privacy secure USB flash drives.



Thursday, April 25, 2013

Mandiant: No Drop in Chinese Hacking Despite Talk

More than two months after computer-security firm Mandiant Corp. accused the Chinese military of using cyberattacks to target U.S. companies, a company official said there has been no change in the large number of Chinese attacks on U.S. companies it has observed.


Recently patched Java flaw already targeted in mass attacks

The vulnerability, identified as CVE-2013-2423, was one of the 42 security issues fixed in Java 7 Update 21 that was released by Oracle last week, on April 16. The company gave the flaw’s impact a 4.3 out of 10 rating using the Common Vulnerability Scoring System (CVSS) and added that “this vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets.”


Tuesday, April 23, 2013

China accounts for 41 percent of global computer attack traffic

A new security report points the finger at China as the main source of malicious computer attacks — and puts the United States in second. In a report due to be released today by Akamai Technologies, the security firm says that the Asian country is accountable for 41 percent of all global computer-attack traffic. According to the report, the U.S. comes in second as a major source of cyberattacks, and is responsible for ten percent of all global attack traffic. Turkey, although not often associated with cyberattacks, came in third in Akamai’s report, with apparently 4.7 percent of all hacking traffic originating from the country. Russia was given fourth place with 4.3 percent of cyberattack originations and Taiwan came in fifth, claiming 3.7 percent of the world’s attack traffic.



Thailand revising cybercrime law for balance, better security

According to The Nation on Friday, Surangkana Wayuparb, CEO of the Electronic Transactions Development Agency (ETDA), said the agency was arranging a public hearing to allow widespread participation in the law’s revision. However, since enforcement of the law began five years ago, there have been requests from several sectors for a review of the Act’s principles and the addition of a number of issues not covered in the original legislation.



IT Professionals Say Employees Ignore Security Rules

There are best practices for securing access to critical systems and data that many organizations tend to ignore, the survey found. The vast majority (81.4 percent) of IT security staff think that employees tend to ignore the rules that IT departments put in place, and more than half (52.2 percent) of the same respondents said they believe that employees would not listen more even if IT directives came from executive management, rather than IT, according to a survey by identity management and security management specialist Lieberman Software. More than 70 percent of IT security professionals would not be willing to bet $100 of their own money that their companies will not suffer a data breach in the next six months.



75 percent of cyber attacks are opportunistic

Verizon’s 2013 Data Breach Investigation Report posited that 75 per cent of hackers target a website purely because its security systems are weak, a finding that puts even more pressure on businesses to make sure that their defence systems and protocols are up to date and thorough. A large number of data breaches (45 per cent) came from customer service workers whose lack of security knowhow or training meant that they were often easy targets for hackers. Worryingly, two thirds (66 per cent) of all breaches took months (62 per cent) or even years (4 per cent) to discover, making the criminals even harder to track.



Malware hijacks Twitter accounts to send dangerous links

Twitter users in the Netherlands are being targeted by a piece of malware that hijacks their accounts, according to security vendor Trusteer. Once a computer is infected, the malware injects JavaScript into the victim’s browser when they’re on their Twitter account page. The malware steals the user’s authentication token, which allows it to make calls to Twitter’s API (application programming interface) and post tweets.



Monday, April 22, 2013

BAE Systems Detica unveils CyberReveal security alert service for private firms

BAE Systems Detica has launched what it calls a defence-grade cyber security product, CyberReveal, to the commercial marketplace for the first time, targeting large financial services (FS), retail and other customers with their own internal security analysts. It can also be used as a managed services product to alert smaller firms about impending security threats if they have the money to afford on-going fees and prefer this model to an upfront capital expenditure.


The CISO’s Guide to Advanced Attackers: Mining for Indicators

The general concept is that you want to monitor your environment, gathering key security information that can either identify typical attack patterns as they are happening (yes, a SIEM-like capability) or, more likely, support searching for indicators identified via intelligence activities. We have been saying Monitor Everything almost as long as we have been talking about Reacting Faster, because if you fail to collect data you won’t have an opportunity to get it later. Unfortunately most organizations don’t realize their security data collection leaves huge gaps until the high-priced forensics folks let you know they can’t truly isolate the attack, or the perpetrator, or the malware, or much of anything, because you just don’t have the data. The good news is that you have likely been collecting security data for quite some time, and your existing investment and infrastructure should be directly useful for dealing with advanced attackers.



Sunday, April 21, 2013

10 tips to secure funding for a security program

Ask any cyber security specialist what their biggest challenge is, and you will get a variety of answers — ranging from strengthening network security, to managing internal threats, to protecting against cyber espionage. But upon further investigation, you may be surprised to learn that the unanimous pick for the biggest challenge cybersecurity professionals face is simply getting the funding necessary to carry out a security program. There are a great deal of resources and technical support available on how to deal with the never-ending list of threats that arise daily; and we have plenty of opportunities to learn and digest security best practices. However, little information or guidance is available to prepare one for the dreaded budget discussion when new or continued funding is necessary to maintain a strong cyber security posture.



Cybercrime dominates federal caseload, Hickton says

When Attorney David Hickton was installed as the top law enforcement official for western Pennsylvania, his reorganization of the criminal division included a new national security cyber group in addition to the traditional offices that prosecute white collar crime, violent crime and civil rights offenses. Robert Erdely, a retired state police trooper now serving as a detective in the Indiana County Court House, has an international reputation as a computer crime investigations expert, and often brings cases that end up in federal courts, Hickton said. “What takes a case federal is if our extra jurisdictional reach is helpful, or the tools we have on the federal side might be helpful, but frequently we have sentences that are more severe,” Hickton said. “So in violent crime, we have the armed career criminal sentences and some of the mandatory minimums for someone who, for a similar act (prosecuted under state laws), might get a low sentence or get probation” in a state or county court.


Hacking collective Anonymous calls for Internet blackout on April 22 to protest CISPA

Hacking collective Anonymous has called for an Internet blackout in protest of a bill, CISPA, which if signed into law, would make it legal for websites to give personal information to the US government without the user’s permission. Anonymous has called for an Internet protest on Monday, April 22, to protest the “illogical and terrorizing bill”, reports The Huffington Post. The plan doesn’t involve shutting down or attacking the Internet in any way, it just wants all websites to go dark in protest for 24 hours on Monday.


Saturday, April 20, 2013

U.S. Air Force cadets win cyber war game with NSA hackers

The Air Force Academy team on Friday beat out rivals from other elite military colleges after a three-day simulated cyber “war” against hackers from the National Security Agency that is meant to teach future officers the importance of cybersecurity. Nearly 60 government experts - sitting under a black skull and crossbones flag - worked around the clock this week to break into computer networks built by students at the Air Force, Army, Navy, Coast Guard and Merchant Marine academies.


FISMA Reform Passes House on 416-0 Vote

By a vote of 416 to 0, the House passed on April 16 the Federal Information Security Amendments Act of 2013, which updates the Federal Information Security Management Act of 2002. The Federal Information Security Amendments Act, H.R. 1163, would require federal agencies to continuously monitor their IT systems for cyberthreats and implement regular threat assessments. “This bipartisan legislation will address the shortcomings of FISMA by incorporating recent technological innovations, and enhance and strengthen the current framework that protects federal information technology systems,” said the bill’s chief sponsor, Rep. Although most federal agencies have chief information security officers to coordinate IT security activities, the new FISMA legislation would require them to have CISOs to develop, implement and oversee agencywide IT security programs.



New version of Gozi financial malware bundles MBR rootkit

Researchers from security firm Trusteer have found a new variant of the Gozi banking Trojan program that infects a computer’s Master Boot Record (MBR) in order to achieve persistence. Some malware authors have leveraged the MBR in order to give their malicious programs a head start over antivirus programs installed on the computer. Sophisticated malware that uses MBR rootkit components, like TDL4, also known as Alureon or TDSS, is part of the reason why Microsoft built the Secure Boot feature into Windows 8.


Friday, April 19, 2013


As a crisis manager, you are responsible for the safety and security of both your employees and your organization. And when an emergency strikes, you are expected to carry out your business continuity plan effectively while keeping the big picture in mind. Among other things, you should record and share your business continuity plan with your management team, connect with local public agencies, maintain clear goals, and be prepared to ask the right questions as an incident unfolds. Above all, you should strive to be prepared, flexible, and compassionate in all aspects of your crisis response, knowing that employees, customers, and your community are counting on your strong leadership when crises strike.


Wednesday, April 17, 2013

Microsoft Says Worm Infections Declining, but Web Attacks Rising

Companies are rooting out Conficker and Autorun worms from their networks, but attacks through the Web are still causing problems, according to Microsoft’s latest report. In the last half of 2012, the average number of infections by the two major wormlike programs, Conficker and Autorun, declined by more than a third compared with the total in 2011, the company said. While companies are slowly tackling the threat of worms, Web-based attacks—especially those that redirect a victim’s browser to a site hosting malicious code—have taken off, accounting for seven of the 10 top threats encountered by corporate users, the report stated.


Symantec: Industrial espionage on the rise, SMBs a target

Targeted cyberattacks based on IP theft are being conducted against both the manufacturing industry and smaller businesses, which are likely to have less income to invest in shoring up their defenses against attack. Symantec says that SMBs—with fewer than 250 employees—now account for 31 percent of targeted attacks, and are often seen as a means to gain access to larger firms through “watering hole” techniques. The average number of targeted attacks has increased to an average of 116 per day, made popular by the Elderwood Gang which was able to infect 500 firms in 24 hours. An interesting point highlighted within the report is that 61 percent of malicious websites are actually legitimate; targeted by hackers who exploit vulnerabilities and create diversions or channels for malware to be installed on a victim’s PC. Business, technology and ecommerce websites are most likely to be affected due to unpatched website vulnerabilities, and once malware has been downloaded, ransomware is a popular choice for hackers to get their money’s worth—especially when they buy legitimate advertising space to hide their code.


Java 7 Update 21 to fix bugs, change applet warning messages

Oracle will release a new version of Java on Tuesday that will include 42 security fixes and will make changes to how Web-based Java content will be presented inside browsers. Thirty-nine of the vulnerabilities patched by the new Java 7 Update 21 (7u21) can be exploited remotely without authentication, Oracle said in a pre-release announcement. In addition to security fixes, the new update will also make changes to how Java applets—Web-based Java applications—are handled and presented in Web browsers that have the Java plug-in enabled.


Monday, April 15, 2013

Cloud-based security services still in high demand

“This shift in buying behavior from the more traditional on-premises equipment toward cloud-based delivery models offers good opportunities for technology and service providers with cloud delivery capabilities, but those without such capabilities need to act quickly to adapt to this competitive threat.” ... Gartner is advising value-added resellers (VARs) to supplement product implementations with cloud-based alternatives that offer large customers reduced operational cost and thereby increase the likelihood of customer retention in this market segment.


Sunday, April 14, 2013

Group of Security Experts Across Multiple Industries Discuss Practical Ways to Leverage Simulated At

Wombat Security Technologies (Wombat), a leading provider of cyber security awareness and training solutions, today released a new report from leading Chief Security Officers (CSOs) and security experts that discusses how simulated phishing attacks can be an effective security awareness and training tactic to help companies educate employees how to avoid growing cyber security threats. This report gathers and analyzes the front line observations of security leaders from the major vertical sectors—such as finance, manufacturing, health, and entertainment—who have used a relatively new approach to user awareness: simulated attack training. The report discusses how practicing CSOs from Fortune 500 companies maximize the strengths and avoid the pitfalls in what can be a controversial, but is a very effective, method of training users to avoid being phished: learning by experience.