[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions 😉
So onto the news:
Open source encryption? Now Netherlands votes to help fund security projects
While November’s Paris attacks prompted US and European governments to revisit the debate over back-door policies to soften data encryption, the Netherlands lower house has voted to fund projects to strengthen it.
In total, the Dutch lower house agreed to spend €500,000 ($547,000) to support the open-source OpenSSL, LibreSSL, and PolarSSL web-security projects.
Supporting work on alternative projects, such as LibreSSL and PolarSSL, can prevent Heartbleed-like attacks by preventing developers from using a homogeneous solution for protecting data.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=28b8510e4e&e=20056c7556
Demand for new malicious programs reaches saturation point
According to Kaspersky Lab, the number of new malware files detected by its products in 2015 decreased to 310,000 a day, falling 15,000 from the 2014 number of 325,000.
However, despite the reduction in malware creation, in 2015 the number of users that were targets of attacks by cybercriminals increased by five percent.
Kaspersky Lab experts believe the demand for new malicious programs has reached a saturation point, as coding new malware has become expensive and cybercriminals have realized the benefits of using intrusive advertising programs or legitimate digital signatures in their attacks.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6733a8623c&e=20056c7556
Shared Assessments Program Publishes New Best Practices Briefing Paper to Address Serious Need for Third-Party Incident Management.
SANTA FE, N.M., Dec. 8, 2015 /PRNewswire/ — Effective third-party due diligence demands a higher level of review than is presently being performed by most organizations.
Yet, coordinated and active vendor involvement is lacking in many outsourcing organizations’ incident event management programs.
Even in the 43 percent of organizations that report a formal incident program is in place, only 9 percent of incident management professionals deem theirs to be “very effective” (SANS Institute, 2014).
A new briefing paper by the Shared Assessments Program, developed in response to the need for improved third-party incident response management, will be released on December 9, 2015 in conjunction with a complimentary webinar taking place at 8:00 a.m. (PST).
The briefing paper, titled Building Best Practices for Effective Monitoring of a Third Party’s Incident Event Management Program, will be made available to those individuals who attend the December 9 webinar.
Three of the paper’s co-authors, who are subject-matter experts in their respective fields, will serve as guest speakers during the 8:00 a.m. (PST) webinar.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=75160676c8&e=20056c7556
Canadian companies have a big new ally in the fight against cyber crime
Turns out a vulnerability discovered earlier this year in antivirus software from AVG also was present in AV software products from Intel McAfee and Kaspersky Lab.
The security bug — which researchers at enSilo in March reported in AVG’s Internet Security 2015 build 5736 and virus database 8919 — centers around how the AV products in question allocate memory for read, write, and execute purposes.
The AV products use “predictable” addresses that in turn could allow malware to exploit vulnerable, out-of-date third-party Windows applications for nefarious purposes.
That effectively bypasses the AV system and makes it easier for bad guys to exploit vulnerable browsers or Adobe Reader, for example, to hack a Windows machine. enSilo today disclosed that this fall, it found the flaw in Kaspersky Lab’s Kaspersky Total Security 2015 – 15.0.2.361 – kts15.0.2.361en_7342 and McAfee’s Virus Scan Enterprise version 8.8, including in its Anti Malware + Add-on Modules, Scan Engine version (32 bit) 5700.7163, DAT version 7827.0000, Buffer Overflow and Access Protection DAT version 659, after building its own tool to test AV products for the flaw.
Both Kaspersky Lab and Intel McAfee have patched the flaw in their respective products — AVG fixed its bug just days after enSilo alerted the company — but enSilo says the vulnerability could well exist in other software such as data leak prevention and performance monitoring products.
The flaw can only be exploited in Windows XP, Vista, and 7 machines. “The problem exists in Windows 8, but Microsoft saves them from the vulnerability because the … address is randomized,” says Tomer Bitton, co-founder and vice president of research at enSilo.
The effect of cyber crime on Canadian GDP is lower than in the U.S. (0.17 per cent versus 0.64 per cent), but the reason for this gap may be underreporting and a lack of data, according to a Fraser Institute report.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b1afb0b29f&e=20056c7556
China security chief calls for better intelligence on terrorism
BEIJING (Reuters) – China needs to improve its intelligence gathering abilities and intelligence sharing between different departments if it wants to better deal with the threat of terrorism, its domestic security chief said, in a rare admission of the problems faced.
Speaking in Xinjiang’s regional capital Urumqi, domestic security chief Meng Jianzhu said while some success had been achieved in the fight against terrorism, the situation remained serious.
Meng said intelligence gathering had to improve, in both what he called “hard and soft intelligence”, according to a government statement issued late on Friday.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3732044f0b&e=20056c7556
The role of automation in incident response
When creating IR procedures, automation is a tool.
It needs to be deployed thoughtfully and carefully to speed and enrich the human response – not replace it.
There are four components of incident response – preparation, assessment, management, and mitigation – and, when used appropriately, automation can play a critical role in each phase.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8f2067642f&e=20056c7556
Risk Management receives increased focus in the UAE
In collaboration with MENA Strategies, the RIMS Risk Forum Middle East, held on December 7 & 8 at the Conrad in Dubai attracted government officials, media representatives, and renowned risk managers from MENA based and international corporations; Associated Insurance Consultants, Control Risks, Du, Emirates Insurance Association, Emirates Nuclear Energy Corporation (ENEC), Emirates National Oil Company (ENOC), Emirates Transport, Kuwait Petroleum Corporation, MENA Strategies, Middle East Insurance Review, Nesma & Partners, New Dawn Risk Group, New York University, and Zain Group.
“The UAE is ahead of other countries in the GCC area in terms of risk management understanding, and after getting encouraging feedback from attendees and speakers, MENA Strategies will continue to cooperate with key regional and international corporations in order to initiate further events that focus on risk management” remarked Melissa Aoun.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6fad2f6f8e&e=20056c7556
POS Malware and Loyalty Card Fraud Growing in Popularity
There has been a spike in POS malware over the past couple of years.
In 2014, such malware came to be associated with botnet capabilities, increasing its attraction to criminals.
Then, from the beginning of 2014 to mid-2015, 15 new families of POS malware were identified, all with more powerful capabilities than previous strains, targeting industries including retail, hospitality, food and beverage and travel.
According to Trustwave, around 40 percent of breaches in 2014 were POS-related.
ABI Research estimated that the number of POS-related security incidents with confirmed data breaches will reach 600 by the end of 2015.
There has also been an uptick in security incidents involving loyalty cards.
According to the “2015 Colloquy Loyalty Census,” there has been a 26 percent increase in loyalty card scheme memberships in the U.S. since 2013.
Additionally, the average household now belongs to 29 loyalty programs, of which 17 are inactive.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7e7d199618&e=20056c7556
Kaspersky Lab on Business Threats: 2015 Saw the Number of Cryptolocker Attacks Double
The tools used by cyber-criminals against businesses in 2015 were different to those used against consumers, according to Kaspersky Lab’s review of corporate threats in the last twelve months.
They included greater exploitation of legitimate software programs and malware being signed with valid digital signatures to keep malicious files hidden for longer.
Kaspersky Lab’s experts also observed a steady rise in the number of corporate users attacked by ransomware.
Kaspersky Lab’s experts found that in 2015 well over half (58 per cent) of corporate PCs were hit with at least one attempted malware infection, up three percentage points on 2014.
One in three (29 per cent) business computers were exposed at least once to an Internet-based attack; with the exploitation of standard office applications seen three times as often as in consumer attacks.
Further, 41 per cent of business computers faced local threats, such as from infected USB sticks or other compromised removable media.
The experts also noted a seven per cent increase in the share of exploits targeting the Android platform, confirming hackers’ growing interest in data stored on employees’ mobile devices.
These attacks included Carbanak, which penetrated the networks of banks, seeking out critical systems that would allow it to withdraw money.
One successful attack alone would bring in as much as £1.6 – £6.6 million.
The cyber-espionage group, Wild Neutron also spent much of 2015 hunting down investment companies as well as organisations working with the cryptocurrency Bitcoin and companies involved in mergers and acquisitions.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f7e994c9ea&e=20056c7556
Malware Hides, Except When It Shouts
Two new malware reports – one from security researchers at technology giant Cisco, another from cybersecurity firm FireEye – demonstrate how developers continue to refine their malicious code to maximize its information-stealing and extortion potential.
Malware that’s tailored to steal money has usually been designed for maximum stealth, and FireEye has just detailed a malware family called “Nemesis,” which is programmed to run when a PC starts up, before the operating system gets loaded.
That makes the malware especially difficult to either detect or eliminate, and the longer the malware stays undetected, the greater the amount of sensitive data attackers can potentially exfiltrate.
One of the most notorious types of ransomware is CryptoWall, which is used by multiple criminal groups, and which its developer continues to refine.
The new version of CryptoWall – version 4 – was first spotted Nov. 2, attached to malicious spam (see Refined Ransomware Streamlines Extortion).
By the end of November, however, security researchers were warning that multiple exploit kits that had been installing CryptoWall version 3 on victims’ computers had upgraded to CryptoWall 4.
Researchers from the Cisco Talos security intelligence and research group say in a Dec. 10 blog post that CryptoWall 4 includes several major changes:
– Streamlined crypto
– Disabling backups
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0ee8634a67&e=20056c7556
Cybercriminals will target Apple in 2016, say experts
According to security firm Symantec, the amount of malware aimed at Apple’s mobile operating system (iOS) has more than doubled this year, while threats to Mac computers also rose.
Security firm FireEye also expects 2016 to be a bumper year for Apple malware.
Last year, it was seeing a monthly average of between 10,000 and 70,000 Mac computers infected with malware.
The number of unique OS X computers infected with malware in the first nine months of 2015 was seven times higher than in all of 2014, its research found.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=51fc57c72d&e=20056c7556
Vormetric Survey: Data Breaches Threaten Americans’ Loyalty to Their Favorite Retailer
SAN JOSE, Calif., Dec. 10, 2015 /PRNewswire/ – Vormetric, a leader in enterprise data security for physical, virtual, big data and cloud environments, today announced in conjunction with Wakefield the results of its survey on how Americans would change their shopping behaviors if their favorite retailer was hit by a data breach.
The survey revealed that for 85% of Americans, significant personal consequences that can result from a breach would cause them to find a new place to shop.
According to the Wakefield survey, Americans would take their business elsewhere after a data breach at their favorite retailer:
– If money was taken from their checking account (67%)
– If unauthorized charges appeared on their credit card (62%)
– If personal information were leaked (57%)
– If their credit score was damaged (54%)
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3428c36c20&e=20056c7556
Piracy sites make up to ‘$70m per year by spreading malware’
“Baiting internet users, stealing their personal information, and taking control of their computers is becoming big business — an estimated $70m (£46.2m) per year just from peddling malware,” according to a study that goes by the name Digital Bait, conducted by the cybersecurity firm, RiskIQ and commissioned by non-profit organisation Digital Citizens Alliance.
After probing 800 sites that distribute stolen movies and television series, the study, published in December, states one out of every three theft sites contain malware.
It poses a big threat to consumers subscribing to the content, as the malware threat is 28 times more than genuine sites.
Even their computers are at risk, as 45% of malware is delivered through “drive-by-download”, without users’ knowledge.
Xtreme Rat, Bifrost, Back Orifice, Njrat, Adwind, Darkcomet, Blackshades, SBU7, Poison Ivy and Cerberus are the top 10 RATs RiskIQ found through its scans.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=dab089dabb&e=20056c7556
New Dutch Breach Notification Rules in Effect as of January 1, 2016
An update to the Dutch Data Protection Act enacted earlier this year goes into effect January 1, 2016, and extends data breach notification requirements in the Netherlands to all data controllers (as opposed to just those in the financial, healthcare, or telecom fields).
Under the new rules, such data controllers must notify the Dutch Data Protection Authority of any breach of personal data that has (or creates a significant chance of) serious adverse consequences for the protection of personal data.
Notices have to be given “without delay.” The draft implementation guidelines prepared by the Dutch Data Protection Authority suggest this means no later than two business days after the data controller becomes aware of the data breach, although commentators have noted that this may change when the Guidelines are finalized.
Affected individuals will also need to be notified if the breach is likely to have negative consequences for their privacy, unless the data was encrypted or otherwise unintelligible to third parties.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5c745b3b2b&e=20056c7556
Geneva security remains high amid terror alert
(CNN) Heavily armed guards watched over the United Nations building in Geneva and a security scare briefly shut down the international airport Friday, signs of heightened security amid a terror alert and a hunt for suspects.
The Swiss alert came after a tip from U.S. intelligence officials, who told their Swiss counterparts that they had intercepted communications among extremists discussing the idea of attacking Geneva, as well as Chicago and Toronto, a source close to the investigation told CNN.
Geneva police Chief Monica Bonfanti told radio broadcaster RTS that there is “the possibility of the presence of an Islamic State (ISIS) terror cell in Geneva.” Bonfanti said police were searching for terror suspects, but wouldn’t comment on the number of people involved in the hunt.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0a73cf3374&e=20056c7556
NIST framework update en route
FIRST IN MC: NIST EYES UPDATE — In a request for comments set for publication in the Federal Register by Friday, the National Institute of Standards and Technology is asking companies how the technology lab’s voluntary cybersecurity framework “is being used, if it’s a good time for an update, what’s working, what’s not working,” NIST senior adviser Adam Sedgewick told MC.
Some of the framework’s cybersecurity controls likely need updating, said Sedgewick.
It’ll be up to industry whether it also wants to use this opportunity to initiate a larger rewrite of the framework. “There’s a lot of discussion about how do we make sure this is keeping up with the threat space and technological innovation,” he said.
The public will have 60 days to respond to NIST, which plans to hold an April workshop to discuss next steps.
More on the framework: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=dcbb6d83e4&e=20056c7556
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ef97f36313&e=20056c7556
EFF Launches Open Source Code Security Program to Improve User Privacy
The Electronic Frontier Foundation (EFF) has launched a new security initiative aimed at identifying vulnerabilities in open source code.
The move is another sign of the open source world’s increasing interest in leveraging the community to shore up software security in the wake of embarrassments like Heartbleed, the bug found in the popular OpenSSL cryptographic software library that led to so much trouble last year.
The EFF announced the initiative, called the Security Vulnerability Disclosure Program, on Dec. 3.
The organization, which advocates for online freedom and openness, describes the program as “a set of guidelines on how to report bugs in software EFF develops,” as well as in third-party software that the EFF uses.
The EFF maintains several security tools that are popular among users interested in protecting their privacy, such as HTTPS Everywhere, a browser extension that provides SSL encryption for all Web traffic.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b850692793&e=20056c7556