Happy Veterans Day Weekend!
It is not all about cookouts & parties…please remember that!
To all my brothers & sisters who have served, I thank you!
Researchers find Outlook.com emails unprotected by default on SD cards.
A Microsoft Outlook client app for Android devices stores, by default, email messages unencrypted on the device’s SD cards, researchers say.
Erik Cabetas, managing director of Include Security, says the Outlook.com mobile client, which was developed by third-party app firm Seven Networks, leaves email messages in the clear on the removable SD cards. “Anyone can grab that and walk away,” Cabetas says.
Android users must set up the device to encrypt the file system, something most consumers are likely unaware of, he says, noting that it’s not a feature integrated with the Outlook.com service or app. “Users need to be aware so they can encrypt the file system of the SD card. Android has native tools to do that… but it’s a [multi-click] setting and most don’t know how to do that.”
Outlook.com does have a PIN feature, but it only protects the user interface to the app, not the stored data on the file system, he says. “I could lock my phone with the PIN, but if someone gets the SD card, they still have all the data.”
Other apps on the phone also could access the emails. “Any app on the phone can read that” information on the SD card, he says. “They don’t need special permission. Phones nowadays come with preinstalled apps on them that could grab those emails.”
Cabetas and his team contacted Microsoft’s Security Response Center about the security weakness in the app, but Cabetas says Microsoft’s response was that this was an issue with the device itself and outside the scope of the app and Microsoft’s own security model.
A Microsoft spokesperson provided this statement in response to a press inquiry about the research:
Include’s Cabetas says that, ideally, the app should alert users that it stores emails to the local file system. “As part of the app installation, it should alert the user that ‘We store emails to your local file system. Would you like to encrypt it? Yes or no.’ Even if a software vendor doesn’t feel directly responsible for worrying about the local file system encryption, at least it should inform the user.”
He recommends that users enable full disk encryption for both the Android and SD card file systems, and that USB debugging (under the Developer Options setting) be turned off.
Include says in a blog post to be published today:
Alternatively, Outlook.com for Android could use third-party add-ons (such as SQLCipher) to encrypt the SQLite database in tandem with transmitting the attachments as opaque binary blobs to ensure that the attachments can only be read by the Outlook.com app (perhaps using the JOBB tool). These methods would be useful for older devices (such as devices that run Android 4.0 and earlier) that do not support full disk encryption.
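To make the three storage choices concrete, here is an added example; it is illustrative code, not code from the Outlook.com app, Seven Networks or Include Security. It assumes the SQLCipher for Android library (package net.sqlcipher) is on the classpath, and the class name MailCache, its method names and the passphrase source are all assumptions: the passphrase is taken as an argument and is presumed to come from something like an Android Keystore-wrapped key released after the user’s PIN is entered, which is not shown.

```java
// Added illustration, not code from the Outlook.com app, Seven Networks or Include Security.
// Assumes the SQLCipher for Android library (net.sqlcipher) is on the classpath.
// The passphrase is assumed to be supplied by the caller (e.g. unwrapped from the
// Android Keystore after the user's PIN is entered); its derivation is not shown here.
import android.content.Context;
import android.os.Environment;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
import net.sqlcipher.database.SQLiteDatabase;

public final class MailCache {
    // Message IDs become file names below; reject anything that could traverse directories.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    private static String checkedId(String messageId) {
        if (messageId == null || !SAFE_ID.matcher(messageId).matches()) {
            throw new IllegalArgumentException("unsafe message id");
        }
        return messageId;
    }

    // WEAK (the pattern the researchers describe): plaintext on removable/external storage.
    // Any app on the device could read this directory on the Android versions of the time,
    // and the file travels with the card. The app's PIN screen never enters the picture.
    public static File writeToSdCard(String messageId, String body) throws IOException {
        File dir = new File(Environment.getExternalStorageDirectory(), "mailcache");
        if (!dir.isDirectory() && !dir.mkdirs()) {
            throw new IOException("cannot create " + dir);
        }
        File out = new File(dir, checkedId(messageId) + ".eml");
        try (FileOutputStream fos = new FileOutputStream(out)) {
            fos.write(body.getBytes(StandardCharsets.UTF_8));
        }
        return out;
    }

    // BETTER: app-private internal storage. MODE_PRIVATE makes the file readable only by
    // this app's Linux UID, and internal storage is covered by Android full disk encryption
    // once the user enables it. Still cleartext to anyone with root or a raw flash image.
    public static File writeInternal(Context ctx, String messageId, String body) throws IOException {
        String name = checkedId(messageId) + ".eml";
        try (FileOutputStream fos = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            fos.write(body.getBytes(StandardCharsets.UTF_8));
        }
        return new File(ctx.getFilesDir(), name);
    }

    // BEST where full disk encryption is unavailable (Include's suggestion): keep the message
    // store in a SQLCipher database so the bytes on flash are ciphertext and the PIN-released
    // key gates the data itself, not just the UI. Attachments are stored as opaque BLOBs.
    public static SQLiteDatabase openEncryptedStore(Context ctx, String passphrase) {
        SQLiteDatabase.loadLibs(ctx);           // load SQLCipher's native library
        File dbFile = new File(ctx.getFilesDir(), "mail.db");
        SQLiteDatabase db = SQLiteDatabase.openOrCreateDatabase(dbFile, passphrase, null);
        db.execSQL("CREATE TABLE IF NOT EXISTS messages ("
                + "id TEXT PRIMARY KEY, body TEXT NOT NULL, attachment BLOB)");
        return db;
    }

    public static void storeMessage(SQLiteDatabase db, String messageId,
                                    String body, byte[] attachment) {
        // Parameter binding: the message body is attacker-controlled input, never concatenate it.
        db.execSQL("INSERT OR REPLACE INTO messages (id, body, attachment) VALUES (?, ?, ?)",
                new Object[] { checkedId(messageId), body, attachment });
    }
}
```

Two caveats a reviewer would add. First, “any app can read that” reflects Android of the time: before 4.4, reading external storage needed no permission at all, and from 4.4 onward READ_EXTERNAL_STORAGE is required but was an install-time grant to any app that asked. Second, the encrypted variant only helps if the passphrase is not itself sitting in plaintext next to the database; a fixed string compiled into the app would leave the PIN just as cosmetic as it is today.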
Kelly Jackson Higgins is Senior Editor at DarkReading.com.
Indictments open the door for more aggressive US litigation of intellectual property theft by China — but with possible costs to US businesses.
Call it a calculated risk: The US Department of Justice conducted an unprecedented naming and shaming yesterday of five members of an infamous Chinese military unit known for spying on US companies for intellectual property and other valuable commercial intelligence.
A day after pictures of the men (two in military uniform) were plastered on the FBI’s Most Wanted posters, the fallout already has begun. No one expects China to extradite the defendants to the US, to fess up to stealing corporate secrets from US firms to assist its state-owned businesses, or to promise to curtail that activity. The hope is that the aggressive US strategy of taking very public legal action against China’s cyberespionage activity at the least will send a chill among China’s advanced persistent threat operatives.
As expected, China has strongly denied the charges, which cite specific incidents of cybertheft from major US corporations by the five defendants: Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui of Unit 61398 of the Third Department of China’s People’s Liberation Army in Shanghai. Chinese officials confronted the US ambassador to China, Max Baucus, about the indictment and warned that it would have consequences. Today officials released data from the nation’s CERT that they say shows US botnet servers controlling 1.18 million host machines in China.
“This is the first salvo in a tit-for-tat that is going to go on. China is going to retaliate,” says Timothy Ryan, a managing director with Kroll Advisory Solutions’ cyber investigations practice and a former FBI official who headed its cybersquad.
That may mean an escalation of targeted hacking, experts say. But retaliatory hacking could backfire on China, which is now under criminal scrutiny by the US and could face further exposure and indictments of its hackers. Robert Anderson, executive assistant director of the FBI, said yesterday that criminal charges for such activity by China or other nations would be “the new normal,” and that the indictment opens the floodgates for other charges.
“The United States has chosen the old stick and carrot approach — rewards and punishments — when it comes to conducting cyber diplomacy with China. What we are seeing now with the announcement yesterday is the stick, a shot across the bow, and it should be taken seriously by the Chinese. In the past few weeks, the US was primarily using the carrot as an incentive,” says Franz-Stefan Gady, senior fellow with the EastWest Institute. “It is now China’s turn to remove some of the veils covering its activities in cyberspace in order to de-escalate tensions.”
Though China quit the new China-US working group on cyber security yesterday in protest of the latest developments, Gady says China isn’t likely to make any moves to derail the recent military dialogue between US Secretary of Defense Chuck Hagel and General Chang Wanquan.
Also, Gady doesn’t expect the indictment controversy to hurt the US-China anti-spam collaboration effort, which the EastWest Institute helped establish in February 2011. “I do think that cooperation on the technical level will continue unhindered. The great thing, but also the downside, of tech-tech cooperation is that it is inherently apolitical and not subject to temporary political ill winds.”
It is highly unlikely that the five indicted members of Unit 61398 will ever be tried for these crimes, but they now have some significant travel restrictions. “If they have kids in school in other countries,” the members won’t necessarily be free to travel there, says Michael Quinn, associate managing director with Kroll’s Cyber Investigations Practice and a former FBI supervisory special agent in the Cyber Division. “If they want to see their kid graduate” from a US college, “they may not travel there now, because they’re going to get arrested.” They also could be taken into custody “if they are IDed outside the country somewhere friendly to the US.”
Quinn says the indictment handed down yesterday had been in the works for a long time. “What we saw yesterday was the outcome of a very long process.”
And experts say there are plenty more in the pipeline.
The indictment also may have some unintended consequences for the victim organizations named in the case, which include Alcoa, US Steel, and Westinghouse. “It could go from the criminal realm to the civil realm,” Ryan says. “Now that these very persistent breaches were made public, you’re going to have shareholders asking you: What did you do? When did you know it? How many times were you breached? Was this in the prospectus?”
Kristen Verderame, CEO of Pondera International, says the DOJ move should be a wakeup call for US companies doing business in China and with Chinese companies. “It will open the eyes of US companies to the dangers. If you are doing joint ventures, you need to have your cyber security [strategy] up front and be very careful” sharing information electronically, for example. “If you deal with China, you have to do so with your eyes open.”
That level of scrutiny could make it more difficult for China to steal intellectual property from its corporate US partners without the threat of exposure by US law enforcement, experts say. China is culturally averse to such public embarrassment, they say.
“The US is looking to get some sort of agreement from China… that moderates their behavior,” Ryan says. “I don’t think anyone would fault China for spying to protect its political and economic security… but you can’t have it both ways. You can’t be a capitalist nation but use a state-sponsored apparatus to create this uneven playing field. That’s no different than China subsidizing all exports so no one [from other countries] can compete in China.”
This new pressure on China to dial back its cyberspying for commercial profit is unlikely to yield major results anytime soon. “I wouldn’t think these allegations will stop the Chinese in stealing trade secrets, as I’m sure they will change their TTPs [tactics, techniques, and procedures] and will likely start looking for a mole or any internal leaks,” says John Pirc, CTO of NSS Labs and a former CIA agent.
By Kelly Jackson Higgins
Senior Editor at DarkReading.com.
Malware is a menace, and it’s gaining prominence with each day.
Tuesday, May 13, 2014: Hackers today are not only finding new ways to break into computers but are succeeding with growing regularity. Security firms are witnessing a rapid multiplication of attack categories, ranging from malware and spyware to highly sophisticated breaches directed at large businesses and enterprises. Today we bring you a list of 8 free tools to get rid of malware.
1. Ad-Aware
Anti-spyware and anti-virus program developed by Lavasoft that detects and removes malware, spyware and adware on a user’s computer.
2. Emsisoft Emergency Kit
The Emsisoft Emergency Kit contains a collection of programs that can be used without software installation to scan for malware and clean infected computers.
3. Norman Malware Cleaner
This simple and user-friendly tool not only detects malicious software but also removes it from your computer. Downloading and running the program will clean an infected system completely.
4. SUPERAntiSpyware
Shareware which can detect and remove spyware, adware, trojan horses, rogue security software, computer worms, rootkits, parasites and other potentially harmful software applications. Although it can detect malware, SUPERAntiSpyware is not designed to replace antivirus software.
5. Spybot Search & Destroy
Spybot Search & Destroy is a set of tools for finding and removing malicious software. Its immunisation feature preemptively protects the browser against threats. System scans and file scans detect spyware and other malicious software and eradicate it.
Executable software intended for users with advanced computer skills, to be run only on occasions where a regular antivirus would not detect certain malware, or where an antivirus cannot update or otherwise function.
7. Microsoft Safety Scanner
Free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software. It works with your existing antivirus software.
8. Malwarebytes Anti-Malware
Made by Malwarebytes Corporation, it was first released in January 2008 and is available in a free version, which scans for and removes malware when started manually.
Saurabh Singh, EFYTIMES News Network
Cyber Security: CTU Threat Intelligence Services
The Dell SecureWorks Counter Threat Unit (CTU) research team is a distinguished group of security researchers and experts who analyze data from across thousands of global networks, comb the cyber underground for intelligence and leverage relationships throughout the security community to identify emerging threats, develop countermeasures against new malware and exploits, and protect our customers.
For Dell SecureWorks, research represents the nucleus of our company and operations. Research is breaking down and reverse engineering malware to understand what makes it tick. Research is seeing how disparate events are connected. Research is determining how malware is communicating with its command and control. Research is identifying who is behind the threat. Research is infused into our managed security services and security consulting practices.
This is why we hire only the best and brightest security researchers from private industry and the military and intelligence communities: researchers with proven track records and first-hand technical experience dealing with cyber threats and protecting some of the most sensitive public and private systems and data resources in the world.
The Dell SecureWorks Counter Threat Unit research team’s work underpins the success of our Managed Security Services and Security Operations Centers, and is shared widely with our security consulting teams. In addition, our researchers share pertinent information with our customers and the public at large. Their primary role is understanding the nature of threats our customers face, and creating strategies and countermeasures to address those threats and protect our customers.
Target data breach highlighted risks in corporate supply chains, and companies are looking to government guidelines for ways to shore up cyber defense, says White House.
Last year’s massive Target data breach, in which hackers infiltrated the retailer’s point-of-sale system by exploiting a vendor’s IT system, has prompted corporate executives to take a deeper look at the security posture of companies in their supply chains. It’s also brought greater attention to recommendations released in February by the Obama administration, outlining voluntary national cyber security practices, a White House aide said this week.
The recommendations are part of a cyber security framework developed by the National Institute of Standards and Technology, together with private industry. The framework was originally aimed at critical infrastructure owners in 16 industries, including banks, utilities, and communications. But the document has caught the attention of executives in many fields, because it provides, for the first time, a common template for assessing corporate security practices across entire industries.
“One of the areas that we’ve seen companies… start to use the [cyber security] framework is in vendor management,” as a tool for assessing cyber security risks in their supply chains, said Ari Schwartz, a cyber security advisor on the White House National Security Council.
Finding the weak security links in corporate supply chains has taken on greater urgency for top executives after investigators reported that hackers had gained access to Target’s network using credentials obtained from a heating, ventilation, and air-conditioning (HVAC) vendor. The attackers ultimately made off with as many as 40 million credit and debit card numbers and personal information on 70 million customers. The breach also resulted in the March resignation of Target CIO Beth Jacob and the departure of Target CEO Gregg Steinhafel earlier this month.
“The key to the cyber security framework is it allows a baseline across different sectors,” said Schwartz. It allows banks, for instance, which have their own set of security practices, a way to better gauge the security practices of their suppliers and discuss that information with their boards of directors.
The framework has already fostered a new market for products that incorporate the cyber security standards outlined in the NIST framework, according to Schwartz.
PwC, for instance, offers a four-step process to implement the cyber security framework that emphasizes collaborative intelligence sharing, according to David Burg, PwC’s global cyber security leader, who pointed to a PwC survey, which found that 82% of companies with high-performing security practices collaborate with others to achieve those goals.
“We feel federal agencies can use these [practices] as well,” Schwartz said. He added that the administration’s “goal is to take the language of the cyber security framework and make it the language of FISMA and the continuous diagnostics and mitigation process,” referring to the federal law guiding agency security practices and to plans for protecting government IT systems.
The cyber security framework was a response to one of five primary areas of cyber security concerns at the White House, Schwartz said at a forum Tuesday at FOSE, a government technology tradeshow.
In addition to protecting the nation’s critical infrastructure, Schwartz said the administration is also concentrating on securing federal networks, developing clearer thresholds for responding to cyberthreats, and working with allies and non-allies on international rules of engagement in dealing with cyber attacks.
Officials are also looking at research and development initiatives to try to get “ahead of the threats,” and in particular, are looking for better identity management and credentialing systems. The user name and password system “is broken, and has been for many years,” he said.
Getting agencies to identify and fix common vulnerabilities, using continuous diagnostics and mitigation (CDM) techniques, is a chief priority for the administration and US deputy CIO Lisa Schlosser.
“Ninety percent of cyber attacks are using common vulnerabilities,” such as phishing and failing to keep patches up to date, and “96% of breaches can be avoided by employing basic controls and hygiene on networks,” she said at the forum.
The White House Office of Management and Budget, the National Security Council, and the Department of Homeland Security have begun a three-phase effort to adopt CDM practices, Schlosser said. Administration officials just completed a government-wide contracting vehicle to help agencies purchase diagnostics hardware and software. Phase 2 will focus on understanding “who’s on the network, where, and why,” and Phase 3 will attempt to provide “real-time visibility, to see what threats are affecting one agency” and use that information to guard against attacks on other agencies, said Schlosser.
Wyatt Kash is Editor of InformationWeek Government. He has been covering government IT and technology trends since 2004. He served as Editor-in-Chief of Government Computer News and Defense Systems (owned by The Washington Post Co. and subsequently 1105 Media), where he directed editorial strategy and content operations. He also was part of a startup venture at AOL, where he helped launch AOL Government and led its content and social media operations. His editorial teams have earned numerous national journalism awards. He is the 2011 recipient of the G.D. Crain Award, bestowed annually on one individual nationally for outstanding career contributions to editorial excellence in American business media.