What's in store for security in 2013?
1. Mainstream Cloud and Mobile Adoption Seeks Security
In 2013 more businesses than ever will look to cloud and mobile computing while also seeking security checks and balances to protect corporate data. "'Cloud' is finally getting over its hype curve," said Steve Robinson, vice president of security development, product management, and strategy at IBM, speaking by phone. "In the beginning of 2012, we were hearing more discussions about if the cloud is safe."
Going into 2013, however, more firms are now setting deployment timetables and talking security practicalities. "I've had a few CISOs tell me that the two platforms they're planning the most for now, looking five years out, are cloud and mobile," Robinson said. On the cloud front, he continued, "We're seeing cloud security being discussed in much more practical terms: what workloads do we put out there, and how do we protect it?"
For mobile devices, on the bring-your-own-device (BYOD) tip, many businesses are asking how to best mix corporate and personal information on smartphones. Interestingly, such questions were hardly ever asked about corporate-owned laptops or desktops, according to Robinson. As a result, he said, by 2014 "we think mobile is going to be as secure, or more secure, than many desktop environments."
2. Businesses Begin Sandboxing Smartphone Apps
One tool that could see widespread adoption in 2013 will be mobile app sandboxing. Indeed, as more employees examine how corporate data gets stored on myriad employee-owned devices, Jim Butterworth, CSO of security software and consulting firm HBGary, predicts that more businesses will turn to sandboxing technology on mobile devices to protect their data. Using a sandbox application to access corporate emails, for example, "that application is only resident on the machine while you're receiving emails -- but you can't copy out or in any attachments," said Butterworth, speaking by phone.
3. Cloud Offers Unprecedented Attack Strength
Just as there's a productivity upside to new technology or trends such as BYOD, so often there can be a potential security downside. In the case of cloud computing, notably, some security researchers have been warning that the sheer scale of the recent DDoS attacks against U.S. banks presages a future of Armageddon-style attacks in which hackers can overwhelm not just targeted websites with high-bandwidth attacks, but every intervening service provider.
In 2013, expect to see even bigger attacks launched from the cloud. "It used to be, to launch a massive denial of service attack, you had to build up your botnets so criminals would slowly and surely build up their army of hundreds of thousands of drones," said Harry Sverdlove, chief technology officer of security software vendor, speaking by phone. "Now, they can rent the equivalent of 100,000 processors. ... So just as legitimate companies are using the cloud to do great things, of course cyber attackers are taking notice as well -- and they can cause significant damage."
4. Post-Flashback, Cross-Platform Attacks Increase
Write once, infect anywhere? That's no doubt the attack goal of many a malware writer. But until recently the relatively scant install base of every operating system -- bar Windows -- led most malware writers to avoid bothering with Mac, Linux, Unix, Android, or other operating systems.
In 2012, however, malware authors altered their approach with the Flashback malware. "With the Flashback Trojan earlier this year, we saw estimates of over 600,000 Mac computers were infected," said Sverdlove, and it apparently earned attackers big bucks via click fraud. Since Flashback, more than one attack has targeted multiple operating systems via cross-platform vulnerabilities present in Java and Flash, and no doubt that targeting those plug-ins for financial gain in 2013 will continue. "With the prevalence of Macs in the workplace and the number of mobile devices, this is becoming a much more lucrative target," he said.
5. Destructive Malware Targets Critical Infrastructure
In 2012, the Shamoon malware was notable for what it apparently wasn't, which was a state-sponsored attack. Instead, Middle Eastern hacktivists have taken credit for disrupting Saudi Aramco -- the state-owned national oil company of Saudi Arabia and the world's largest exporter of crude oil. To do this, they didn't build a Stuxnet-style cyber-weapons factory, but rather gleaned some tricks from previously launched attack code, such as the U.S. government-created Flame malware. The result was Shamoon, which infected and begin erasing the hard drives of 30,000 Saudi Aramco workstations.
Moving into 2013, said Sverdlove, "the trend of hacktivists, combined with a rise in sophistication, will lead to much more destructive attacks on infrastructure." Already, Shamoon has shown that the barrier to entry for launching malware attacks against critical infrastructure systems continues to decrease and that attackers no longer have to be malware experts. Accordingly, people with a grudge may add them to their attack toolkit, next to website defacements, Twitter account takeovers, and DDoS attacks.
"Hacktivists represent the unpredictable factor," said Sverdlove. "All it takes is a few individuals with an agenda or an ax to grind, and they now have the tools to launch distributed denial-of-service attacks or attacks to wipe out data. It makes for a much more dangerous combination."
6. Hackers Target QR Codes, TecTiles
One of the more innovative -- as well as simple and inexpensive -- attacks to emerge over the past year involves fake QR codes, which attackers have printed out and used to cover up real QR codes on advertisements -- especially for financial services firms. "Banks have been battling fake QR codes as a method of doing cross-site scripting attacks on mobile phones," said HBGary's Butterworth. "It's scary: [attackers] use open-source QR generators, then they put these things on billboards or ATM machines, promising $100 if you open a new account -- and it's all just to exploit [consumers]." Alternately, attackers could use fake QR codes on bank advertisements to send consumers to fake versions of their bank's website, then steal their access credentials.
Banks are now also exploring Samsung TecTiles, which are Android apps that let you read and write near field communication (NFC) tags, as a way to let people make payments. But according to Butterworth, with near field communications comes a huge amount of risk. Enterprising attackers could create their own TecTiles that redirect to malicious websites, or even launch phishing attacks.
Attacks using QR and TecTiles target consumers. "It's a problem more, I think, for personal banking and the threat of people getting their money stolen than for some state-sponsored entity trying to find their way in," said Butterworth.
7. Digital Wallets Become Cybercrime Targets
Expect any combination of smartphones, payment capabilities, or credit card data to draw attackers' interest. On a related note, Google, Apple, Verizon, T-Mobile, AT&T and others are now moving into the electronic wallet and digital wallet space. But storing gifts cards and credit cards on a smartphone and allowing consumers to make payments via NFC -- simply waving a smartphone near a payment terminal to begin a transaction -- will make digital wallets a big target for criminals, said Bit9's Sverdlove.
It's virtually guaranteed, furthermore, that every last potential attack vector or exploitable vulnerability hasn't yet been worked out of such systems. "Like any new technology, convenience always precedes security ... and we'll see some elevation in the number of attacks on e-wallets or digital wallets," Sverdlove said. "It will serve in the long run to strengthen security."
But in the short term: come 2013, watch your digital wallet.
It is that time of year which everybody loves. It is the holiday season and you will start to see a lot more people express good attitudes and wish everyone else a happy new year. As a matter of fact it may be hard to think that with all of this much goodwill in the air there is someone out there who is trying to take advantage of that. But the fact is no matter what time of year it is there are always going to be bad guys around every corner and they will try to stalk their prey at anytime. It does not matter what time of year it is, the bad guys like to work all year round and you always have to be on the lookout for them.As a matter of fact this time of year is a very good time when it comes to black hat hackers. This is because there are so many people online around this time and they are looking for a bunch of deals for their Christmas shopping. The retailers really go full throttle around this time of year and they want to be able to make as much money as they can. This time of year may be known as the holidays to most people but to people in the financial industry it is known as the fourth quarter and it is the most important quarter of the year. They want to be able to make as much money as they can throughout this time period so they will offer deep discounts wherever they can.And since you have so many people online trying to advantage of these deep discounts that are being offered, it is the perfect time for a black hat hacker to try and strike. With so many emails and so much different types of information being sent back and forth it is hard for the average person to be able to discern what is real and what is not. They do not know which emails are really offering a real deal and which ones are fake and trying to get something out of you. Normally you would tell a person that if a deal seems to be too good to be true that it probably is and there are some bad guys behind the offer. But at this time of year all of the deals seem too good to be true and it is hard to tell which one is a bad deal and which on is a good deal.That is why as a consumer, you have to keep a more vigilant eye out than you normally would. Yes, the bad guys are going to be out there in full force and you have to make sure you are more prepared than ever. When you go to visit websites you have to make sure that the domain is correct and that it matches the website that you thought you were going to. If it does not match the domain that you thought you were going to then you should leave right away without clicking on anything. And if you get an offer in your email account then you should not click the link in the email. What you should do is type the website in directly and go to it that way. You never know where a link in your email account is going to take you. So make sure that you do it the right way so that you know where you are going.
It’s been a great and interesting year so far. A year filled with many happy moments, not also forgetting the sad moments. A year with several ups and downs.We’ve witnessed several Organization and Government bodies around the globe punished and suffered under the hands of some powerful hackers. We’ve witnessed good and bad times this 2012, and so, it’s a mix of sweet & sour, combo of smooth and rough.But all in all, we are alive today, healthy and hearty, though, some of us might complain of the lack of funds to celebrate during this festive season; but you should know that as long as we are alive and breathing, there is hope, hope for a better tomorrow, hope for a beautiful future.Look back from January till date, count your blessings one by one, there are numerous reasons to be happy, excited and thankful to God.Christmas is about love, redemption, a raising of one’s spirit and reconciliation. It should be about love and how much of it we can all share; it should be about redeeming those values that might have been lost in the course of the year; it should be about reminding ourselves of what Jesus Christ really stands for, came to do on earth and commanded us to do, and not just some celebration whose meaning is lost on a huge majority of the celebrants.So today, be happy regardless of your state of mind, health or finance. Show some love, to your family; friends, neighbors, strangers and every living creature around you. Let them know how much you appreciate them.Smoke less, drink little (alcohol), act reasonably, drive safe, eat more, laugh and dance a lot, with plenty of hugs and kisses. Merry it up!Happy Christmas to everyone, and a prosperous 2013 in advance.Wishing you all a smooth sailing into the New Year.Cheers………..
Cloud: security threat or solution?
- Cloud-based intelligence databases
- Customised risk tolerance
- Signature approach combined with local behavioral analysis
- Protecting systems offline
- File-scanning misses the big picture
- Read more about cloud and security
Security continues to hinder organisations in adopting cloud computing, at least for mission-critical or sensitive data applications. Concerns about sensitive data sitting on infrastructure shared with competitors continue to linger, but the power of cloud computing is now being put forward as an effective way of dealing with increasingly dynamic and advanced threats.
Some security suppliers are even looking at cloud computing to give them the competitive edge in detecting and mitigating previously unknown threats in near real time.
For quite some time security researchers have been saying signature-based technologies can no longer cope with the latest threats. Because attacks are so frequently updated, by the time something is recognised as a threat, a new variant has been released rendering any signature-based security systems impotent.
Research by security firm Imperva has shown that less than 5% of the top 40 anti-virus systems are able to detect previously non-catalogued viruses initially.
The research, which used more than 80 previously non-catalogued viruses, also showed many systems took up to a month or longer, following the initial scan, to update their signatures.
“Enterprise security has drawn an imaginary line with its antivirus solutions, but the reality is that every single newly created virus may subvert these solutions,” said Amichai Shulman, CTO, Imperva.
“We do not believe enterprises are achieving the value of the investment of billions of dollars in anti-virus solutions, especially when certain freeware solutions in our study outperformed paid solutions,” Shulman said.
At the very least, Security firm Webroot believes cloud computing is key to the future of defences against malware.
Only by using cloud infrastructure is it possible to scan, analyse and compare unknown software with a variety of malware databases, according to George Anderson, Webroot’s senior enterprise product marketing manager.
Rather than put a comprehensive malware signature file on each endpoint, malware intelligence and assessments are conducted in Webroot’s cloud environment.
Because the software client does not have to receive and process signature files, the software client has a much smaller footprint than traditional software clients.
A cloud-based approach, Webroot claims, means there is no need for continual updates of the software client, faster scans, low impact on system resources and improved effectiveness.
Webroot backs up the low performance impact claim with benchmark tests by PassMark software in which the security supplier scored 78 out of 80 or 97.5%, compared with the 55 out of 80 or 69% scored by its closest competitor.
Security firms have realised that, by leveraging their install base, they can collect information about file behaviour and start to make trust-based decisions.
This encompasses the simple white- and black-listing of files, yet steps beyond this, allowing users to define their own level of risk tolerance for unknown files, said Andrew Rose, principal analyst in security and risk at Forrester Research.
However, he said, although the cloud-based solution has many benefits, he has some concerns.
“Relying entirely on cloud leaves the endpoint to fend for itself when it is offline. Although sandboxing may offer some assistance, I would be seeking assurances that the local security agent would be sufficiently resilient and flexible to enable sophisticated functionality and ensure protection in an operating system built for collaboration, rather than segmentation,” said Rose.
“Although a cloud-based solution has lots of value, I am still drawn to the hybrid approach, where expansive cloud intelligence networks are supplemented with local behavioural analysis of files, local file activity restrictions and resilient local sandboxing,” said Rose.
This is where Webroot seeks to differentiate itself from traditional signature-based systems as well as other security firms that have seen the potential of cloud-based security intelligence.
Webroot’s systems focus on the behaviour of files that try to execute on a system, regardless of whether or not Webroot has seen that file previously and have a cloud-based signature for it.
Any unknown file is monitored and its behaviour recorded as it tries to execute, said Webroot’s George Anderson.
“Once it is deemed malicious, it is placed in a sandbox on the client for isolated execution and deeper behaviour analysis, while any actions the file may have taken are automatically rolled back to return the system to the last known good state, reversing only the changes that the suspicious file made,” he said. This means that even while unknown malware is active, systems are protected.
The Webroot client also records changes to files, registry keys and memory locations associated with new software introduced while the device is offline. This process is beneficial if the heuristics did not trigger blocking but the new software is, in reality, malware.
Once the endpoint is back online, a threat assessment is conducted in the Webroot cloud. If the program is determined to be malware, the malicious file is removed and Webroot returns the endpoint back to its last known good state. However, this is possible only with some behavioural analysis capability.
While cloud computing does appear to have the potential to tackle new and emerging cyber threats, it also appears that this alone will not be enough and needs to be paired with a comprehensive behavioural analysis capability to deal with zero-day threats and any periods where systems are offline.
“Simply scanning a collection of files – no matter how large or how well sourced – misses the point of security software entirely; the actual file, the payload is simply one link in a long chain of events, and one that is pretty much towards the end of that chain,” said Ferguson.
The Imperva study, he contends did not expose the security products to threats in the way that they would be exposed in the wild.
According to Ferguson, to decide whether or not a threat would be blocked, it must be processed in a test in the same way it would be delivered to the victim.
“File reputation only represents one layer of security, one interlinked technology among many in any security solution worthy of the name,” he said.
First fake-installer Trojan for OS X spotted in the wild
Indeed, upon receiving the code by SMS users will be able to ‘activate’ the software and finish the installation, or in some cases the installer might not work at all. In either case what they’ll find out later is that messages will keep coming on a regular basis and a fee will be debited each time from their mobile phone accounts.
The attack in question is dubbed Trojan.SMSSend.3666 and is being distributed under a rogue affiliate program known as ZipMonster that helps fraudsters craft fake installers and monetize their attacks.
Though it may be obvious to anyone who knows its way around a computer, the best defense from these types of scams is to always download software only from trusted sources or from the developers themselves. There’s no mention of whether Lion and Mountain Lion’s Gatekeeper is able stop the installer in its tracks, though it should be the case with the default setting preventing unsigned code from being executed.
Microsoft Has Been Watching, and It Says You’re Getting Used to Windows 8.Data collected from some users of the operating system suggest people are adjusting well to the radical departure from previous designs, says the company.
New era: Windows 8 is designed to be operated by touch as well as with a mouse and keyboard.
“So far we’re seeing very encouraging things,” Larson-Green says of the large volume of data that Microsoft receives every day from people using Windows 8 who have chosen to join the company’s “customer experience improvement program.” All users are invited to enroll in that program when they first log into the new operating system. If they do so, anonymized information about how they are using the operating system is sent to Microsoft. Referring to complaints from some quarters, Larson-Green says: “Even with the rumblings, we feel confident that it’s a moment in time more than an actual problem.”
Windows 8 is a radical departure from previous versions of the operating system now used by around 1.3 billion people. Instead of the Start button and menu in use since 1995, it features a “Start screen,” a colorful display of tiles that function as shortcuts to programs and also display notifications—an environment optimized for touch computing. There are also two versions of many software programs—one for the regular desktop interface and one for the new tile-oriented one.
Although some new users will struggle to figure out these features, Larson-Green says that 90 percent of them need just one session to discover the two that are most crucial to the interface design. Those are the Start screen and “Charms,” a menu that offers shortcuts to be summoned by a mouse or finger gestures.
The data collected by Microsoft also show that people are becoming more familiar with the new features over time, says Larson-Green. She previously led a redesign of the Microsoft Office interface that, in 2007, replaced text-based menus with a more visual “ribbon interface,” an initially controversial change that is now widely accepted as an example of good design. “Two days to two weeks is what we used to say in Office, and it’s similar in Windows 8,” she says.
The findings suggest that even those who initially stick to the parts of Windows 8 that resemble previous Windows desktops eventually loosen up, says Larson-Green: “There’s a cutover point, around six weeks in, where you start using the new things more than the things you’re familiar with.” She adds that the lack of tutorials or detailed instructions on how to adjust to Windows 8—something that has attracted complaints—is a deliberate choice. Tests have shown that although people find tutorials “comforting,” they don’t retain much information from them, she says, making them a waste of time.
Larson-Green’s claims diverge dramatically with the opinions of many technology journalists and bloggers. They also run counter to the results of a small research study conducted by the influential usability consultant Jakob Nielsen, who asked 12 people to spend an hour with Windows 8. On the basis of their experience and his own expertise, he concluded that it offers “disappointing usability to both novice and power users.”
Nielsen says that Larson-Green’s indicators may not capture the real problem with Windows 8. “It sounds plausible that people can learn to use Windows 8 to a level where they aren’t constantly stumped after two weeks,” he says. “The real question is whether they will then have reached a higher level of productivity than they had before.”
Nielsen thinks that even once Windows 8’s features become familiar, the operating system still asks more of users than previous versions did: they must remember how to operate both a familiar desktop environment and the new Start screen and related apps, which function very differently. The upshot, he says, is that home users may be tempted to switch to an alternative, such as an Apple computer, while workers will simply achieve less. “My estimate is that power users will not have higher productivity with Windows 8 than they did with Windows 7,” he says. “I fear that they will have lower productivity.”
Elizabeth Mynatt, director of the Institute for People and Technology at Georgia Tech and a researcher in human-computer interaction, says that one of the most important measures of usability in a new computing interface is how people progress over time from their first impression—something Nielsen and other independent reviewers have not yet measured.
“We look to see that people are going to stumble forward rather than end up going down the wrong track,” she says. “None of that will come out in a ‘Wow, this looks different’ review.” Making crucial features “invisible” by hiding them beneath slick design is a common pitfall that prevents progress, she adds.
Larson-Green’s data suggest that Microsoft has at least managed to make features such as the Start screen and Charms visible to most people. But as Nielsen points out, that doesn’t mean everyone will find the work involved in discovering and mastering them worth it.
The real question, Nielsen says, is “how long it takes them to make up for the two weeks spent on that initial learning curve.”