Tag Archives: SPWNR

How to Keep Malware in Check

Firewalls are superb at deflecting obvious network attacks. And intrusion detection systems continue to make remarkable advances. So why are network breaches continuing at an unprecedented scale?

One reason is the bad guys are adept at leveraging a work tool we all use intensively every day: the Web browser. Microsoft Explorer, Mozilla Firefox, Google Chrome and Apple Safari by design execute myriad tiny programs over which network administrators have zero control. Most of this code execution occurs with no action required by the user. That’s what makes browsers so nifty.

A blessing and a curse

But that architecture is also what makes browsers a godsend for intruders. All a criminal hacker has to do is slip malicious code into the mix of legit browser executable code. And, as bad guys are fully aware, there are endless ways to do that.


The result: The majority of malware seeping into company networks today arrives via infectious code lurking on legit, high-traffic websites. The hackers’ game often boils down to luring victims to click to an infected site, or simply just waiting to see who shows up and gets infected.

So if browsers represent a wide open sieve to company networks, could inoculating browsers be something of a security silver bullet? A cadre of security start-ups laser-focused on boosting browser security is testing that notion. The trick, of course, is to do it without undermining usability.


Branden Spikes, Spikes Security founder and CEO

ThirdCertainty recently sat down with one of these security innovators, Branden Spikes, to discuss the progress and promise of improving Web browser security. Spikes left his job as CIO of SpaceX, where he was responsible for securing the browsers of company owner Elon Musk’s team of rocket scientists, to launch an eponymous start-up, Spikes Security. (Answers edited for clarity and length.)

3C: The idea of making Web browsing more secure certainly isn’t new.

Spikes: Let me break it down by drawing a line between detection and isolation. Browser security has been attempted with detection for many, many years, and it’s proven to not work. McAfee, Symantec, Sophos, Kaspersky and all the anti-virus applications that might run on your computer became Web-aware a while back. They all try to use detection mechanisms to prevent you from going to bad places on the Web.

Then you have detection that takes place at secure Web gateways. Websense, Ironport (now part of Cisco), Blue Coat, Zscaler and numerous Web proxies out there have security features based on the concept of preventing you from going to places that look malicious or that are known to be bad. Well, hackers have figured out how to evade detection, so that battle has been lost.

3C: Okay, so you and other start-ups are waging the browser battle on a different front?

Spikes: When you realize that detection doesn’t work, now you have to isolate. You have to say, “You know, I don’t trust browsers anymore. Therefore, I’m not going to let my stuff interact with the Web directly.” In the past five years, newer products have started to offer browser isolation technology. We’ve taken a very no-compromise approach to isolation technology.


3C: So instead of detecting and blocking you’re isolating, and sort of cleansing, browser interactions?

Spikes: Yes, and much like with detection technology, isolation can exist in either the endpoint or on the network. Some examples of endpoint isolation might be Invincea or Bromium, where you’ve got your sandboxes that do isolation on the endpoint. I applaud all the efforts out there. It spreads the whole gamut from minimal amount of isolation to sandbox technologies built into browsers. There’s quite a bit of investment going into this.

3C: Your approach is to intercept browser activity before it can execute on the worker’s computer.

Spikes: If you come at the problem from the assumption that all Web browsers are fundamentally malware, you can understand our technology. We essentially take the malware off the endpoint entirely, and we isolate the execution of Web pages on a purpose-built appliance. What goes to the end user is a very benign stream of images and sound. There’s really no way for malware to get across that channel.

3C: If browser security gets much better, at least in the workplace, how much will that help?

Spikes: If we successfully solve the browser malware problem, we could, I think, allow for more strategically important things to occur in cybersecurity. We could watch the other entry points that are less obvious. This sort of rampant problem with the browser may have taken some very important attention away from other entry points into the network: physical entry points, social engineering and some of the more dynamic and challenging types of attacks.

Phishers’ New Ruse: Trusted Tech Brands

Most of us don’t think twice about opening and maintaining multiple free email accounts where we live out our digital lives. And we’re getting more and more comfortable by the day at downloading and using mobile apps.

Yet those behaviors can harm us. ThirdCertainty sat down with David Duncan, chief marketing officer for threat intelligence and security company Webroot, to discuss how cyber criminals are hustling to take advantage of our love of free Web mail services and nifty mobile apps.


3C: Phishing attacks leveraging our love of Google, Apple, Yahoo, Facebook and Dropbox are skyrocketing. How come?


David Duncan, Webroot chief marketing officer

Duncan: There are 10 times more phishing attacks based on emulating tech companies than financial firms. You’d think it would be the other way around, but it’s not. The focus is on stealing information from your various email accounts because it’s easier to spoof people into acting on something that appears to come from Google or Apple than from Bank of America or Citibank.


3C: Because we’re less suspicious of Google and Apple than big banks?

Duncan: Yes. Phishers prey on the fact that we see those brands as trustworthy brands.

3C: What ruses should folks watch out for?

Duncan: It’s the typical ones. You’ll get something advising you of the need to change your password or share your contacts. They’ll send you a link to click. A certain percentage of gullible users will click on the link and follow instructions to give up their credentials.

I can’t say I know of any specific new strategies other than the fact that the focus is on impersonating big domains like Google and Yahoo because people don’t think too much about something that appears to be coming from those trusted sources.

3C: Is there really a one-in-three chance the average person will fall for a phishing scam?

Duncan: Yes, there is a 30% chance of Internet users falling for a zero-day phishing attack over the course of the year. It used to be about one out of every seven phishing emails actually got through. But we’re human beings, which means we’re gullible.

3C: What about mobile apps? What’s the risk there?

Duncan: A year ago, we tracked about 8 million mobile apps, and around 75% were trustworthy and 10% were benign. So 15% were malicious or suspicious. Now we’re classifying 15 million mobile apps, and we’re finding 35% to 40% are suspicious or malicious in character.

3C: That’s a pretty significant change.

Duncan: People don’t think of installing an app on their mobile device as installing a potentially unwanted application that’s being delivered from an untrustworthy app store.

3C: So is this mostly an Android exposure?

Duncan: Probably 90% is Android, maybe 10% is iOS. Apple has a more secured kind of walled guard for verifying and authenticating the source of applications. But it also depends on what users are accustomed to. If you go over to certain geographies in the world, people may not necessarily always go to the iTunes store. There are a lot of third-party websites where even iOS apps are cheaper or they’re free.

Fraud: When Mom Is Your Worst Enemy

Mother’s Day is a special time to celebrate all those kisses and hugs, the rides to the mall, the doctors’ appointments, the countless soccer-basketball-baseball games, a special note tucked into a pocket or care package sent to camp. But remember, sometimes it’s what a person doesn’t do that matters, and some moms are just bad to the bone.

More than 30% of identity theft cases involve a family member or close friend. The reason is simple: access. Whether it’s your mother, father, foster families, siblings, close friends or your spouse—access often is the only catalyst needed to turn your credit report into a crime scene. Here are a few examples from the Mommy Dearest files.

Betz Noir

Axton Betz-Hamilton discovered she was an identity theft victim when she rented her first apartment and was told that a deposit was required to turn on the electricity because she had bad credit. She thought she had no credit at all. Her credit report said otherwise. Her assumption at the time was that whoever stole her parents’ credit a while back had hit hers, as well. Then the truth came out.

Betz-Hamilton’s mom, Pamela Betz, died in 2013. Shortly after that, Betz-Hamilton says her father discovered a box that contained credit card statements in Axton’s name, so he called to razz her about her profligate spending. He then discovered he also had some crazy spending, and so did his father, who lived with them. They all allegedly were hit by Mama Betz.


No Cheers for This Mom

Some mothers have a hard time giving their kids space to grow and become their own person. Others can be smothering to the point that children can’t do anything on their own, but Wendy Brown took it to another level when she used her daughter’s identity and showed up for cheerleader tryouts at Ashwaubenon High School in Wisconsin.

With her daughter living in another state with family, Brown, 33, decided it was time to get her high school diploma—and it seems, while she was at it, get another shot at the high school experience. She was caught by truancy officers and sentenced to three years in a psychiatric hospital.

G.I. Jane Deferred

Cassidy McKenna had just graduated from high school and was excited about enlisting in the armed forces. But when she signed up, they wouldn’t take her. While it’s generally known that bad credit can affect a soldier’s security clearance, the Armed Forces also will turn down prospective recruits with unpaid debts that are overdue or in collection, until the issues are resolved.

McKenna said she didn’t know that she had bad credit. She had always lived at home and had no credit cards. The damage was caused by an outstanding electric bill for $1,755 and another $1,123 owed to a cable provider. When she confronted her mother about the bills, she said her mom went AWOL, only turning up at the Kerr County Courthouse, where she was answering McKenna’s theft charges against her.

Apple of Her Eye?

Mom and alleged fraudster Kristina Anh Giusti, 44, of Garden Grove, CA, first attracted the attention of the Chino Hills Police Department after an investigation into $800 in fraudulent credit card charges at local retailers. Investigators say the evidence they collected points to Giusti’s making the charges.

According to CBS Los Angeles, police found “altered credit cards issued in the suspect’s name, six laptops, two tablets, an embossing machine and a tip card machine used for forging credit cards. … Detectives also found a card encoder, several boxes of white stock credit cards, a money counter” and $11,000 in cash. Police allege the woman had two accomplices … one of them her daughter.

‘In the Family Way’ Fraud

Hairdresser Jennifer Perik, from DuPage County outside of Chicago, is expecting both a baby and a criminal trial in the months to come. If the charges stick, she will join the ranks of identity-thief moms.

Perik is accused of making $6,000 in fraudulent charges on a Discover card that belonged to her hair client, a 94-year-old woman. Investigators say that more than half that amount went to a sperm bank with offices in Virginia and Maryland that boasts high-quality donors. At a bond reduction hearing, Assistant State’s Attorney Diane Michalak said that Perik was seven weeks pregnant, but that it was not known if the pregnancy was the result of in vitro fertilization.

We’re always talking about identity theft being the third certainty in life, yet the crime almost always takes victims by surprise—all the more if the perp is Mom. It’s always a good idea to take protective measures to reduce your risk, but even then it’s impossible to entirely prevent the crime from happening. You can, however, reduce the damage from fraud by detecting it as quickly as possible. Check your financial statements—ideally online, every day—for any fraudulent charges, and dispute anything you didn’t authorize. Request your credit reports, which you can get for free once a year, to look for new accounts that you don’t recognize. And your credit scores serve as your snapshot of your credit health—by tracking them over time, you can catch any big, unexpected changes that may be a sign of a big, unexpected problem. You can get your credit scores for free from many sources, including Credit.com.

This Mother’s Day, celebrate the women who have done so much for us—and thank your lucky stars that your mom isn’t a fraudster. Or is she? … Maybe wait until Monday to investigate.

This piece was written by Adam Levin. Levin is chairman and co-founder of Credit.com and Identity Theft 911. His experience as former director of the New Jersey Division of Consumer Affairs gives him unique insight into consumer privacy, legislation and financial advocacy. He is a nationally recognized expert on identity theft and credit.

‘Smart Cities’ Are Wide Open to Hackers

A monster storm is on a collision course with New York City, and an evacuation is underway. The streets are clogged, and then it happens. Every traffic light turns red. Within minutes, the world’s largest polished diamond, the Cullinan I, on loan to the Metropolitan Museum of Art from the collection of the British crown jewels, is whisked away by helicopter.

While this may sound like the elevator pitch for an action film, the possibility of such a scenario is more fact than fiction these days.

Cesar Cerrudo is the chief technology officer at IOActive Labs, a global security firm that assesses hardware, software and wetware (that is, the human factor) for enterprises and municipalities. A year ago, Cerrudo made waves when he demonstrated how 200,000 traffic sensors located in major cities around the U.S. — including New York, Seattle, Washington, D.C., and San Francisco — as well as in the U.K., France and Australia, could be disabled or reprogrammed because the Sensys Networks sensor system that regulated them was not secure. According to ThreatPost, these sensors “accepted software modifications without double-checking the code’s integrity.” Translation: There was a vulnerability that made it possible for hackers to reprogram traffic lights and snarl traffic.
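The check the ThreatPost quote says was missing is a signature verification on incoming code before it is installed. The following Go program is an added illustration of that control, not code from Sensys Networks, IOActive or this article; the update format (code bytes plus a detached Ed25519 signature over their SHA-256 digest), the `Sensor` and `FirmwareImage` types and the `ApplyUnchecked`/`ApplyVerified` functions are all assumptions made for the example. It runs the same tampered image through a device that installs whatever arrives and through one that verifies first, and shows that only the first one ends up running the altered code.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed stand-in for a sensor software update:
// the code bytes plus a detached signature over their SHA-256 digest.
// The real device's update format is not described on the page.
type FirmwareImage struct {
	Code      []byte
	Signature []byte
}

// Sensor models a roadside device (hypothetical). Only the vendor's public
// key is stored on it; the private key stays with the vendor's build system.
type Sensor struct {
	VendorPubKey ed25519.PublicKey
	Installed    []byte
}

var ErrBadSignature = errors.New("update rejected: signature does not verify")

// SignFirmware is the vendor-side step: hash the code and sign the digest.
func SignFirmware(priv ed25519.PrivateKey, code []byte) FirmwareImage {
	digest := sha256.Sum256(code)
	return FirmwareImage{Code: code, Signature: ed25519.Sign(priv, digest[:])}
}

// ApplyUnchecked is the weak behaviour the article describes: whatever
// arrives is installed, with no integrity check on the code.
func (s *Sensor) ApplyUnchecked(img FirmwareImage) {
	s.Installed = img.Code
}

// ApplyVerified recomputes the digest and refuses any image whose signature
// does not verify under the vendor key, so altered code is never installed.
func (s *Sensor) ApplyVerified(img FirmwareImage) error {
	digest := sha256.Sum256(img.Code)
	if !ed25519.Verify(s.VendorPubKey, digest[:], img.Signature) {
		return ErrBadSignature
	}
	s.Installed = img.Code
	return nil
}

// Demo feeds a genuine and a tampered image to both kinds of sensor and
// reports whether the tampered code ended up installed on each.
func Demo() (uncheckedInstalledTampered, verifiedInstalledTampered bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed sample images; the strings stand in for real firmware.
	genuine := SignFirmware(priv, []byte("sensor-fw v2: report vehicle counts"))
	// The altered image reuses the genuine signature, which no longer matches.
	tampered := FirmwareImage{
		Code:      []byte("sensor-fw v2: report zero vehicles"),
		Signature: genuine.Signature,
	}

	unchecked := &Sensor{VendorPubKey: pub}
	unchecked.ApplyUnchecked(tampered)
	uncheckedInstalledTampered = bytes.Equal(unchecked.Installed, tampered.Code)

	verified := &Sensor{VendorPubKey: pub}
	if err := verified.ApplyVerified(genuine); err != nil {
		return uncheckedInstalledTampered, false, err
	}
	rejectErr := verified.ApplyVerified(tampered)
	verifiedInstalledTampered = bytes.Equal(verified.Installed, tampered.Code)
	if !errors.Is(rejectErr, ErrBadSignature) {
		return uncheckedInstalledTampered, verifiedInstalledTampered,
			fmt.Errorf("expected rejection of tampered image, got %v", rejectErr)
	}
	return uncheckedInstalledTampered, verifiedInstalledTampered, nil
}

func main() {
	u, v, err := Demo()
	fmt.Println("unchecked sensor installed tampered code:", u)
	fmt.Println("verified sensor installed tampered code:", v)
	if err != nil {
		fmt.Println("error:", err)
	}
}
```

The design point is that the device never needs a secret: it stores only the vendor's public key, so an attacker who can reach the device and push an image still cannot produce a signature the device will accept. Rejected updates are also the natural thing to log and alert on, since a stream of signature failures from field devices is a strong signal that someone is attempting exactly the reprogramming the article describes.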

A widely reported discovery, first discussed last year at a “black hat” hacker convention in Amsterdam, highlighted a more alarming scenario than the attack of the zombie traffic lights. Researchers Javier Vazquez Vidal and Alberto Garcia Illera found that it was possible, through a simple reverse engineering approach to smart meters, for a hacker to order a citywide blackout.

The array of attacks made possible by the introduction of smart systems is wide. With every innovation, a city’s attackable surface grows. The boon of smart systems brings with it the need for responsibility. It is critical for municipalities to ensure that these systems are secure. Unfortunately, there are signs out there of a responsibility gap.

According to the New York Times, Cerrudo successfully hacked the same traffic sensors that made news last year, this time in San Francisco, despite reports that the vulnerabilities had been addressed after the initial flurry of coverage when he revealed the problem a year ago. It bears saying the obvious here: Cerrudo’s findings are alarming.

The integration of smart technology into municipalities is a new thing. The same Times article notes that the market for smart city technology is expected to reach $1 trillion by 2020. As with all new technology, compromises are not only possible, but perhaps even likely, in the beginning. The problem here is that we’re talking about large, populous cities. As they become ever more wired, they become more vulnerable.

The issue is not dissimilar from the one facing private-sector leaders. Organizations must constantly defend against a barrage of advanced and persistent attacks from an ever-growing phalanx of highly sophisticated hackers. Some of them work alone. Still others are organized into squadrons recruited or sponsored by foreign powers — as we have seen with the North Korean attack on Sony Pictures and the megabreach of Anthem, suspected to be at the hand of Chinese hackers — for a variety of purposes, none of them good.

The vulnerabilities are numerous, ranging from the power grid to the water supply to the ability to transport food and other necessities to where they are needed. As Cerrudo told the Times, “The current attack surface for cities is huge and wide open to attack. This is a real and immediate danger.”

The solution, however, may not be out of reach. As with the geometric expansion of the Internet of Things market, there is a simple problem here: lack of familiarity at the user level — where human error is always a factor — with proper security protocols. Those protocols are no secret: encryption, long and strong password protection and multifactor authentication for users with security clearance.

While the protocols are not a panacea for the problems that face our incipiently smart cities, they will go a long way toward addressing security hazards and pitfalls.

Cerrudo also has advocated the creation of computer emergency response teams (CERTs) “to address security incidents, coordinate responses and share threat information with other cities.” While CERTs are crucial, the creation of a chief information security officer role in municipal government to quarterback security initiatives and direct defense in a coordinated way may be even more crucial to the problems that arise from our new smart cities. In the pioneering days of the smart city, there are steps that municipalities can take to keep their cities running like clockwork.

It starts with an active approach to security.

This article was written by ThirdCertainty contributor Adam Levin. Levin is chairman and co-founder of Credit.com and Identity Theft 911. His experience as former director of the New Jersey Division of Consumer Affairs gives him unique insight into consumer privacy, legislation and financial advocacy. He is a nationally recognized expert on identity theft and credit.