With the news that a couple of Android apps have been pulled as they misrepresented their purpose (they were used as research – duping users into downloading and installing them – to see if people would), it raises an(other) interesting question for IT departments around applications, mobile devices and keeping up with the user.
While companies have been getting stricter about what can and cannot be installed on corporate laptops, the same is not true of smartphones. There are now tens of thousands of apps for phones like the iPhone and Android, and while they do have to go through an approval process, it won’t be your corporate one.
I have recently been involved in writing security policies for a number of companies and it becomes very apparent that up-to-date policies need to be coupled with a suitable education programme. Technology is moving rapidly and care needs to be taken to protect corporate data wherever it is and however it is accessed. Updates to policies are worthless if they are not effectively communicated, and this is a case in point: updating the policy on downloading apps won’t stop people from doing it if they don’t know about it. If you have technology to prevent inappropriate apps from being installed on smartphones, great – if not, then you need to remind staff of some of the dangers of just downloading and installing apps from the web.
Cyber criminals go after the low hanging fruit and the smartphone is just that – a simple way into a person’s life and potentially the corporate network.
InfoSec closed yesterday and it has been an interesting show. There were as predicted quite a few iPads being given away as prizes – I didn’t manage to win one… next time maybe?
Mobile was the hot topic, lots of products out there to deal with the issues around securing these pesky devices which are as powerful as laptops but easier to lose than a wallet. I have a feeling that it will take a specific breach event to drive the buying cycle – time will tell.
There was also a whole load of disk crunchers. A couple of years ago I wrote about one company, Secure I.T. Disposals Limited, who crunched disks, and it was good to see them still there – but there were a whole load of others as well, from ones that crunch out the centre spindle to degaussing systems. ‘Hard’ data disposal is a big issue – and there are an increasing number of solutions to hand.
It was also good to see that ‘security’ now means more things to more people – smaller network companies were there along with large numbers of secure storage vendors intermingled with the security vendors. Universities seemed to be back to having a bigger presence as well as a number of small innovative companies displaying their new ideas and products. The one thing that seems to have taken a bit of a back seat was ‘the cloud’. Last year you couldn’t move for cloud stuff, this year, while it was around, the emphasis had changed and so mobile dominated.
I wonder what the buzz will be next year…
The 5th International Cloud Expo is happening at the Jacob Javits Convention Center, New York (April 19-21) and as a reader of this blog you can get a discounted ticket!
The procedure is:
1. Go to the special registration page for this offer: https://www3.sys-con.com/cloud0410/registernew.cfm?a1=gold
2. Enter the coupon code VIPBloggerGuest [case sensitive]
3. The price will reset from $1950 to $300 and you can then complete the brief registration process for full access to all sessions, all days, all tracks (luncheon is NOT included).
So, there you go – a bargain, especially if you happen to be in New York! Please note, lunch isn’t included in the offer… but there looks to be lots of great sessions to get your teeth into.
But while it seems that David Beckham is increasingly likely to miss the World Cup due to injury, the cybercrime underworld is certain to be gathering its cohorts to spam and scam the unwary out of their hard-earned cash. This is not anything new of course; cybercriminals regularly hide behind major news events like disasters and sporting events to spread their malicious activities. Whether it be phishing, spam, malicious downloads, poisoned searches, or anything else, they are trying to get hold of one thing – money!
Symantec recently launched a new website – www.2010netthreat.com – which will host up-to-date data and information specific to security threats and scams around the World Cup in South Africa. Now we’ve developed a new video in the popular series ‘Symantec Guide to Scary Internet Stuff’ called Net Threats, which seeks to educate users about the potential scams and threats that cybercriminals hide behind major sporting events like the World Cup. Please take a look and tell us what you think.
The new report from CWE and the SANS Institute on programming errors has now been released. It is based on the combined thinking of experts across the globe and a number of other sources. It should be made compulsory reading for all software engineers… whether developing internal applications or global products!
The report is relatively reader friendly – so you can skip to the good bits if you are an experienced programmer, or just the bits relevant to testers, managers etc.
So, what was #1… well, it is all about web page structure – getting it wrong opens the door to Cross Site Scripting, which we have heard about for several years now – so there is very little excuse for not getting it right. SQL injection problems come in at #2 and #3 is the classic buffer overflow problem (which was a problem I ran into when I first started using ‘C’ back in the late eighties!)
#10 “Missing encryption of sensitive data” is one that strikes a chord with me – from a Data Leaks perspective. It’s one of the first things I look for when evaluating security in an application. Finally, #16 “Information Exposure through an error message” is good to see highlighted, as it really is becoming a problem – especially in internal apps. Programmers want / need as much information as possible in the event of an error – and so tend to put everything they know about the data record, for which the error has occurred, onto the screen… fine in the old days, but now a lot of that information constitutes a data-leak.
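To make the #16 point concrete, here is an added example (not from the CWE/SANS report or the original post) of the two error-handling styles described above. The record, field names and the failing update are constructed for illustration: the leaky handler puts the whole record on screen, the hardened one logs the detail server-side under a reference that the user can quote instead.

```python
import logging
import uuid

# Constructed sample record: the kind of row an internal app might be updating.
# All values are made up for the example.
SAMPLE_RECORD = {
    "customer_id": 10481,
    "name": "A. Example",
    "card_number": "4111111111111111",
    "ni_number": "QQ123456C",
    "balance": 1250.40,
}

# Fields that must never appear in anything shown to the end user.
SENSITIVE_FIELDS = ("card_number", "ni_number")

log = logging.getLogger("records")


def update_record(record, new_balance):
    """Stand-in for the real update; fails deliberately so the error path runs."""
    raise RuntimeError("constraint violation on customers.balance")


def handle_update_leaky(record, new_balance):
    """The pattern the post describes: the whole record ends up in the error text."""
    try:
        update_record(record, new_balance)
        return "ok"
    except Exception as exc:
        # Convenient for the developer, but every field is now on screen.
        return f"Update failed: {exc}; record={record}"


def handle_update_hardened(record, new_balance):
    """Detail goes to the server-side log under a reference; the user sees only the reference."""
    try:
        update_record(record, new_balance)
        return "ok"
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        # Log the identifier rather than the sensitive fields; the id is enough to find the row.
        log.error("update failed ref=%s customer_id=%s err=%s", ref, record["customer_id"], exc)
        return f"The update could not be completed. Quote reference {ref} to support."


def leaks_sensitive(message, record):
    """True if any sensitive field value of the record appears verbatim in the message."""
    return any(str(record[field]) in message for field in SENSITIVE_FIELDS)
```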
So… a quick email out to developers to take a look at the list – and perhaps a prize for those who find one or two examples in their current projects! (Especially if they then fix them in time for the next release…)
Two months into the New Year and we’re already starting to see a number of our 2010 cyber security predictions come true. At the start of the new decade, cybercriminals continue to be relentless in their pursuit of new and sophisticated attacks against consumers and enterprises.
Here are 10 serious facts about security that cannot be ignored in 2010:
- Cyber Attacks Hurt Businesses: 75 percent of enterprises have suffered a cyber attack in the past 12 months, losing an average of USD $2 million annually.
- Global Spam Shift: Asia Pacific and Japan and South America are taking spam share away from the traditional leaders of North America and EMEA.
- Malicious Activity Chart Topper: China is the top country for malicious activity, accounting for 25 percent of the global total.
- Credit Cards Are Number One Item for Sale: Credit Card information is the most commonly advertised item for sale on the underground economy, accounting for 18 percent of all goods and services.
- Banks Get Phished: 76 percent of brands used in phishing attacks in 2010 were in the financial sector.
- Out with Traditional Spam, in with Targeted Scams: The total number of scam and phishing messages came in at 21 percent of all spam, which is the highest level recorded since 2007.
- News Agenda Drives Attacks: The earthquake in Haiti sadly drove up the volume of scam and phishing messages as spammers used the tragic event for their benefit.
- Cybercriminals Follow the Masses: In Asia Pacific and Japan, the top web-based attack for Oct – Dec 2009 was related to the Microsoft® Internet Explorer® ADODB.Stream Object File Installation Weakness, which accounted for 41 percent of the total.
- Increasing Popularity of New Platforms will Drive New Attacks: An increase in iPad-related search terms used in SEO attacks and phishing attacks was observed during the Apple iPad launch.
- Cybercriminals After Information Rather than Infrastructures: Theft of intellectual property was reported as the top cyber loss for Singapore businesses.
Further details on the above statistics can be found in the below Symantec reports:
It is certainly powerful stuff to see on national TV the perpetrator of a diabolical scam running in terror when confronted by a BBC camera crew – http://news.bbc.co.uk/1/hi/uk/8517243.stm after they traced him to Spain.
Allegedly, according to the BBC, this ‘gentleman’ was involved in yet another of the numerous scams and hoaxes trying to get well-intentioned people to give their hard-earned money to what they think is a worthy charity – in this case to support the needy in Haiti following the disastrous earthquake last month – but actually it is going to criminals.
But as we have warned repeatedly, this sort of scam is all too common. Whether it be the death of a well-known celebrity, like Michael Jackson last year; or rumours of the death or injury of a star like Johnny Depp earlier this year; or indeed the outpouring of support when the poorest in the world suffer disasters like in Haiti; criminals are all too quick to capitalise and scam or con the unwary.
Indeed just this week, in the latest Symantec Spam and Phishing Report, we highlighted that spammers were using the Haiti disaster to scam people within 24 hours of the news breaking. They started with ‘419 type spam’, asking users to donate money to a charity. When users send their donation, the money disappears into an offshore bank account.
Then we saw spammers taking advantage of this tragedy to deliver malware. They sent out links to apparent video footage regarding the tragedy to lure people in, but when the user clicks on the link to view the video, a Trojan is downloaded instead.
- Avoid clicking on suspicious links in email or instant messages as these may be links to spoofed, or fake, Web sites.
- Never fill out forms in messages that ask for personal or financial information or passwords. A reputable charitable organization is unlikely to ask for your personal details via email. When in doubt, contact the organization in question via an independent, trusted mechanism, such as a verified telephone number, or a known Internet address that you type into a new browser window (do not click or cut and paste from a link in the message).
Spammers have been capitalising on the shift towards online Christmas shopping, according to Symantec’s November State of Spam report, which outlines that sales of ‘luxury goods’ and counterfeit brands continue to dominate spam emails as the holiday season approaches. The top ten subject lines between October and November 2009 were:
- Sales receipt from Amazon
- Sales Order from walmart.com
- Incredible sale for luxury goods
- Re: what she wants for Christmas
- Give her luxury this holiday season
- Bling yourself up this Christmas
- Get the perfect gift for Christmas
- Impress your friends this holiday season
- Xmas on-line cookies
- Time limited Christmas promotion
In addition, fake airline ticket spam has also taken off during the holiday season with the promise of cheap deals on airfare used to attract attention from unsuspecting internet users.
British shoppers are expected to spend upwards of £6.8bn online this Christmas, and spammers are desperate to get a slice of the cake. To do this they are crafting subject lines that people are more likely to click on. The top two subject lines indicate that spammers are tricking people into believing that they have a transaction email from two well-known retailers. Although we usually see these types of subject lines associated with phishing or fraud messages, this tactic was actually re-directing users to a bogus online pharmacy site.
Other key findings from the State of Spam report, include a 9 per cent reduction in spam originating from the EMEA since June 2009 (the region now accounts for 25 per cent of all spam).
So how do you best safeguard yourself against falling victim to seasonal spam and phishing attacks:
- Use directions provided by your mail administrators to report missed spam if you have an option to do so
- Delete all spam
- Avoid clicking on suspicious links in email or IM messages as these may connect you to spoofed websites
- Type web addresses directly into the browser rather than relying upon links within your messages
- Always be sure that your operating system is up-to-date with the latest updates, and employ a comprehensive security suite
Today is apparently the busiest day of the year for online shopping. Known as Mega or Cyber Monday, apparently millions of us will be shopping online today for our Christmas bargains. But as ever, you have to be careful and extra vigilant if you do intend to be one of the millions shopping online.
Happy bargain hunting!
… Or something more disturbing? So, Wikipedia is finally closing its doors to unrestricted editing, why? Well, because it was being abused – and the reputation of the site was falling. When the Internet first came on the scene, the data was ‘good’, because the people who used it wanted to share their knowledge, and so when you searched for something (hey, this was pre-Google!) the results tended to be useful. Subsequently, the data on the web has been diluted by less good information – some of which is completely wrong (although it may be an individual’s opinion) – and this has made it harder to use it as a research tool. Wikipedia started up with the best intentions but it has now been subverted like the rest of the web. Unfortunately, this looks to be the way of most ‘open’ collaboration in the Web 2.0 world. I have written before on the problems associated with splog (blog spam), which means that comments, the ones that make it through the initial filter, have to be checked before they are posted – just in case they are inappropriate. As we depend more and more on the web, we need to ensure the data is correct – and this isn’t just the ‘static’ data, but also the calculated data as well.
I am preparing for a podcast recording for RSA Europe this afternoon, my session is on mitigating the security risks in the cloud – and one section is on computational integrity. If the service provider’s application makes a mistake… would you know? Now the mistake may be a genuine ‘bug’ or it might be malicious – how would you know? The answer is… well, most people haven’t thought about it yet, but for those who have there are a few ways to approach the problem. Perhaps the easiest of which is to have dummy transactions for which you know the outcome. That way, periodically you can test the application is still returning what you expect. Of course, it’s not really that simple – as you potentially need to account for the dummy transactions in other business applications, but you get the idea.
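The dummy-transaction check described above, as an added example that is not part of the original post. The "cloud service" is a hypothetical VAT calculation, one correct and one that quietly drops a penny (bug or fraud, the canaries cannot tell which, only that the answer is wrong); the canary set and its expected outputs are constructed, and every canary carries a tag so the other business applications the post mentions can filter them out.

```python
from dataclasses import dataclass
from decimal import Decimal

# Tag carried on every dummy transaction so downstream ledgers and reports
# can exclude them, which is the bookkeeping problem the post points out.
CANARY_TAG = "CANARY"


@dataclass(frozen=True)
class Transaction:
    account: str
    amount: Decimal
    vat_rate: Decimal
    tag: str = ""


def provider_correct(tx):
    """Hypothetical cloud service: VAT-inclusive total, rounded to the penny."""
    return (tx.amount * (1 + tx.vat_rate)).quantize(Decimal("0.01"))


def provider_skimming(tx):
    """The same service after a change that silently takes a penny off every total."""
    return provider_correct(tx) - Decimal("0.01")


# Constructed canary set: inputs whose correct outputs were worked out independently
# of the provider (here by hand), which is what makes them usable as an oracle.
CANARIES = [
    (Transaction("canary-001", Decimal("100.00"), Decimal("0.20"), CANARY_TAG), Decimal("120.00")),
    (Transaction("canary-002", Decimal("19.99"), Decimal("0.175"), CANARY_TAG), Decimal("23.49")),
    (Transaction("canary-003", Decimal("0.01"), Decimal("0.20"), CANARY_TAG), Decimal("0.01")),
]


def run_canaries(service):
    """Send every canary through the service; return (account, expected, got) for each mismatch."""
    failures = []
    for tx, expected in CANARIES:
        got = service(tx)
        if got != expected:
            failures.append((tx.account, expected, got))
    return failures


def is_canary(tx):
    """Downstream filter so dummy transactions never reach real reporting."""
    return tx.tag == CANARY_TAG
```

Run `run_canaries` on a schedule against the live service and alert on a non-empty result; an empty result only says the service still agrees with the oracle on these inputs, so the canary set should cover the boundary cases (rounding, smallest amounts) that a defect would most plausibly touch.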
As the cloud becomes more popular, its attractiveness to cyber-criminals will increase – and while a daft middle name for the prime minister on Wikipedia isn’t going to hurt your business, there are other things that might.