Tuesday 24 April 2012

Hack for Cash: Google boosts monetary prize for security exploits

Are you in need of a quick $20,000? Hack Google and you just might get that bounty. Earlier this week, Google announced a substantial increase in the top prize rewarded for hacking their products as part of its Vulnerability Reward Program.

Google uses the program as a relatively inexpensive way to utilize independent programmers and hackers to debug their products.

The new program looks something like this:

While the update substantially increases rewards in some areas (the previous top prize was only $3,133.7), in others, the prize was substantially reduced. According to Google, the redistribution of prizes is aimed at focusing efforts on areas that have the most potential to harm users.

To help focus the research on bringing the greatest benefit to our users, the new rules offer reduced rewards for vulnerabilities discovered in non-integrated acquisitions and for lower risk issues. For example, while every flaw deserves appropriate attention, we are likely to issue a higher reward for a cross-site scripting vulnerability in Google Wallet than one in Google Art Project, where the potential risk to user data is significantly smaller.

So far, Google has doled out around $460,000 to about 200 individuals and says the program has “beyond any doubt” made their products safer.

Saturday 21 April 2012

The Doctor is in, but your medical records are out.

Been to the doctor lately? If so, you may have noticed that your medical records are no longer filed away in a dusty drawer, but electronically accessed through computer stations. The initiative to digitize patient records has been going on for the past few years and works – quite effectively – to ensure that all healthcare providers have identical and accurate information. A new survey, however, shows that that information may not be totally safe.

According to the survey, commissioned by Kroll Advisory Solutions, security breaches pertaining to digital medical records are increasing in number every year.

The survey found 27% of the respondents had at least one security breach over the past year, up from 19% in 2010 and 13% in 2008. The survey found 79% were attributed to employees, while most others were chalked up to actions from outsourced or contract employees. Over half of the problems were identified as "unauthorized access to information," typically the patient's name and birth date, by an individual.

The report says 31% of respondents indicated that information available on a portable device was among the factors most likely to contribute to the risk of a breach, up from 20% that said that in 2010 and 4% in 2008. Twenty-two percent of the respondents reporting a breach said the data was compromised when a laptop, handheld device or computer hard drive was lost or stolen, which is double the number who said this in 2010. [PCWorld]

While the vast majority of these breaches seem to be pretty harmless, as electronic medical records become ubiquitous, the potential for malicious breaches will increase.

- In 2009, 8 million pharmacy patient records were stolen from a state-run database in Virginia. Hackers wiped the database and held the records ransom for $10 million.

- In 2011, 2,021 patient medical records were hacked at Beth Israel Deaconess Medical Center in Massachusetts after an IT professional failed to properly install security measures.

- In April 2012, around 200,000 patient medical records were stolen from the Utah Department of Health’s state computer system.

Everything you need to know about Flashback

Unless you’ve been living under a rock for the past month, odds are you’ve heard about the Flashback Trojan that’s reported to have, at its peak, infected around 600,000 Macintosh OS X systems. In PC virus terms, of course, 600,000 is a very small portion, but in Apple’s world, this translates to over one percent of all Macintosh computers. So what exactly is this virus? Why is it groundbreaking? And what can you do to protect your computer? Read on to find out.

What is Flashback?

Flashback, or more accurately “Backdoor.Flashback”, is a Trojan horse that exploits a vulnerability in Java for Mac OS X. Flashback was originally detected by security firm Intego in September 2011. In its early versions, the malware masqueraded as an installation program for Adobe Flash. Users, under the impression they were downloading and installing a legitimate copy of Flash, would manually install Flashback – unwittingly infecting their own computer. But it was the later versions that made headlines.

In early 2012, a new version of Flashback hit the web that employed a technique called “drive-by download”. In this iteration, a Java applet on a malicious or compromised website would prompt users to enter their password in a fake software update window. At this point it didn’t matter whether a password was entered or not: you were infected either way. If the user provided a password, Flashback installed itself in the Applications folder; if not, it installed itself within the user account. Once installed, the malware injects bits of code into various programs – particularly web browsers – and monitors user activity, attempting to record passwords and personal information.

The major take-away here is that even if you didn’t enter your password or consciously download anything, you can still have Flashback on your system. It took literally no input from users to become infected.
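A concrete way to check for the kind of browser code injection the post describes, as an added example that is not from the original post, Apple, or F-Secure: later Flashback variants persisted by adding a `DYLD_INSERT_LIBRARIES` entry to a browser bundle's `LSEnvironment` dictionary (in its `Info.plist`) or to the user's `~/.MacOSX/environment.plist`, so the dynamic loader would load the malware into the browser at launch. That mechanism is known from vendor write-ups rather than from this page, and the library paths and bundle identifiers below are constructed samples. The script parses plist data, lists any injected libraries, and flags those outside system directories; the allow-list of trusted prefixes is an assumption for the example.

```python
"""Check OS X launch-environment settings for injected dynamic libraries.

Added example (not from the original post, Apple, or F-Secure). It looks for
DYLD_INSERT_LIBRARIES entries in an app bundle's LSEnvironment dictionary and
in the user's ~/.MacOSX/environment.plist, the injection mechanism Flashback
variants of that period used (known from vendor write-ups, not from the post).
"""
import plistlib
from pathlib import Path

# Directories from which a legitimately installed library might be loaded.
# Anything outside these (home directories, /tmp, /Users/Shared, ...) is
# reported. This allow-list is an assumption for the example.
TRUSTED_PREFIXES = ("/System/Library/", "/usr/lib/")


def injected_libraries(env):
    """Return the library paths named in DYLD_INSERT_LIBRARIES.

    `env` is a dict such as the LSEnvironment dictionary of an app's
    Info.plist or the top-level dictionary of environment.plist. The
    variable holds a colon-separated list of paths; a missing or empty
    value yields an empty list.
    """
    value = env.get("DYLD_INSERT_LIBRARIES", "")
    return [p for p in value.split(":") if p]


def suspicious_libraries(env):
    """Return the injected library paths that fall outside TRUSTED_PREFIXES."""
    return [p for p in injected_libraries(env)
            if not p.startswith(TRUSTED_PREFIXES)]


def scan_info_plist(plist_bytes):
    """Scan an app bundle's Info.plist (XML or binary bytes); return suspicious paths."""
    info = plistlib.loads(plist_bytes)
    return suspicious_libraries(info.get("LSEnvironment", {}))


def scan_environment_plist(plist_bytes):
    """Scan a user environment.plist (XML or binary bytes); return suspicious paths."""
    return suspicious_libraries(plistlib.loads(plist_bytes))


# --- constructed sample data (hypothetical paths, not real Flashback artefacts) ---
CLEAN_INFO = plistlib.dumps({"CFBundleIdentifier": "com.example.browser"})

# An Info.plist whose LSEnvironment injects a library hidden in a home directory.
TAMPERED_INFO = plistlib.dumps({
    "CFBundleIdentifier": "com.example.browser",
    "LSEnvironment": {"DYLD_INSERT_LIBRARIES": "/Users/alice/.hidden/libexample.dylib"},
})

# An environment.plist naming one system library and one library in /tmp.
MIXED_ENV = plistlib.dumps({
    "DYLD_INSERT_LIBRARIES": "/usr/lib/libz.dylib:/tmp/.update/libexample.dylib"
})


def scan_system(bundle_paths=("/Applications/Safari.app", "/Applications/Firefox.app"),
                home=Path.home()):
    """Scan the real files on this machine; return {file: [suspicious paths]}.

    Only files that exist are read, so on a non-Mac system this returns {}.
    """
    findings = {}
    for bundle in bundle_paths:
        info = Path(bundle) / "Contents" / "Info.plist"
        if info.is_file():
            hits = scan_info_plist(info.read_bytes())
            if hits:
                findings[str(info)] = hits
    env_plist = home / ".MacOSX" / "environment.plist"
    if env_plist.is_file():
        hits = scan_environment_plist(env_plist.read_bytes())
        if hits:
            findings[str(env_plist)] = hits
    return findings


if __name__ == "__main__":
    for name, data in (("clean Info.plist", CLEAN_INFO), ("tampered Info.plist", TAMPERED_INFO)):
        print(name, "->", scan_info_plist(data))
    print("environment.plist ->", scan_environment_plist(MIXED_ENV))
    print("live scan ->", scan_system())
```

A clean machine yields empty lists for both locations; any entry at all in `DYLD_INSERT_LIBRARIES` on a browser is worth investigating, since legitimate software almost never configures browsers that way, and the allow-list only narrows the report to the obviously odd locations.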

Russian anti-virus vendor Dr. Web estimates that of the approximately 600,000 infected systems, just over half reside in the United States, about 20 percent in Canada, and about 13 percent in the United Kingdom.

How do I find out if I have Flashback?

Fortunately, finding out if you’re infected and eliminating the Flashback Trojan is pretty easy. Security company F-Secure released detection and elimination software as well as a guide on their website.

Didn’t Apple put out a fix?

Yes, but it took about two months from detection to fix, so there was substantial time for infection. Fortunately, the latest OS X and Java update removes the most common variants of Flashback. Unfortunately, there is substantial evidence that the malware authors are currently working on new versions of Flashback in an attempt to prolong the infection, and experts estimate that there are still about 140,000 infected machines out there.

What does this mean for the future of my Mac?

It means it’s time to use protection. For a long time, few Mac users worried about anti-virus software because, frankly, there weren’t very many people writing malicious code for the Mac operating system. That era is over. While Flashback may be the first drive-by malware to affect Macs, it will hardly be the last. You can be sure there are new threats on the way.

Wednesday 18 April 2012

As if your PC wasn't enough, hackers are going after your phone

Forget your PC. Hackers are going after your phone.

Who doesn’t have virus protection software on their computer? Nowadays, using anti-virus software comes as naturally as buckling your seatbelt or locking the front door. But how many people have that same attitude towards their smartphones?

According to a FishNet Security report, 35 percent of information security professionals believe attacks on mobile devices represent the single biggest threat to organizations in the coming year.

“It’s clear that mobile computing tops the list of this year’s leading security concerns with the clients we surveyed,” said Gary Fish, FishNet Security’s founder and CEO. “Our company is seeing this as a major issue because of the number of BYOD (Bring Your Own Device) instances and the vulnerabilities that can threaten mobile computing, such as unsecured Wi-Fi access, lost or stolen devices, and malware attacks on mobile operating systems.”

Furthermore, nearly a third (30 percent) of surveyed security professionals believe that data breaches on mobile devices will account for the majority of all data breaches this year. 

Cybercriminal hackers (25 percent) and accidental exposure of data (19 percent) represented the next two highest concerns. One respondent said, “Mobile technology is still openly unsecured; cybercriminal hackers/crackers are growing; and people are very unaware of minimum good security usage practices, besides being too open-minded on utilization of cyber technology.” (FishNet Security: http://www.fishnetsecurity.com/News-Release/Survey-Shows-Mobile-Computing-Is-Top-Security-Concern)

And don’t confuse the concerns of these security professionals with the recent “phone hacking” scandal rocking News Corp. Using the default password to listen to someone’s voicemail is one thing. The new wave of cyber criminals will be after everything from corporate executive emails to electronic medical records.

Thursday 5 April 2012

EU Cracks Down on Cybercrime

European Commissioner for Home Affairs Cecilia Malmström
Here at SumRando, we joke that internet users are like students walking into a quiz they forgot to study for. Except in our world, hackers pass out the questions and the flunkies are governments and multinational corporations.

Fortunately, the European Union has decided to start studying.

On Thursday, the European Commission announced a new Cybercrime Center that will work with Europol to address the escalating damage of cybercrime.

According to the website of Cecilia Malmström, European Commissioner for Home Affairs, who announced the Center:

The centre will be the European focal point in fighting cybercrime and will focus on illegal online activities carried out by organised crime groups, particularly those generating large criminal profits, such as online fraud involving credit cards and bank credentials. The EU experts will also work on preventing cybercrimes affecting e-banking and online booking activities, thus increasing e-consumers' trust. A focus of the European Cybercrime Centre will be to protect social network profiles from e-crime infiltration and will help the fight against online identity theft. It will also focus on cybercrimes which cause serious harm to their victims, such as online child sexual exploitation and cyber-attacks affecting critical infrastructure and information systems in the Union. [EC]

As it currently stands, each EU member country has different laws pertaining to cybersecurity and cybercrime – making the process of addressing and prosecuting offenders difficult. According to Malmström, the new center will pull together experts across the EU for collaboration and a streamlined approach to prevention and enforcement.

And if you still don’t think it’s time to look at your online protection, consider these facts provided by Ms. Malmström:

  • The total cost of cybercrime worldwide is estimated at $388 billion.
  • Nearly 600,000 Facebook accounts are blocked daily after hacking attempts.
  • Every day, more than 1 million people become victims of cybercrime.
  • In 2009 over 6,700,000 bot-infected computers were detected.

Ms. Malmström's website and press conference can be found here.

Tuesday 3 April 2012

FBI’s Top Cyber Cop Says ‘We’re not winning’

Comforting news:
Shawn Henry says we're up a creek without a paddle.
In an interview appearing in Thursday’s Wall Street Journal, the FBI’s assistant executive director, Shawn Henry, said the efforts currently used by the federal government and private companies to combat hacking are “unsustainable”.

"I don't see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it's an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security," said Mr. Henry.

Mr. Henry, who is leaving government to take a cybersecurity job with an undisclosed firm in Washington, said companies need to make major changes in the way they use computer networks to avoid further damage to national security and the economy. Too many companies, from major multinationals to small start-ups, fail to recognize the financial and legal risks they are taking—or the costs they may have already suffered unknowingly—by operating vulnerable networks, he said. [WSJ]

Henry described users – governments, businesses and individuals alike – as relying on a defensive strategy that only responds to attacks and fails to anticipate a constantly evolving offense.

But now that we know the problems, we can address them and things will get easier, right?

Not so much.

The expanding range of wireless networks and the soon-to-be-ubiquitous cloud storage servers are only leaving users more vulnerable. Remember, companies like Microsoft, Apple, and Google (which is anticipated to soon launch the cloud storage service GDrive) store not only their own information in cyberspace, but your sensitive data as well.

Or as Henry puts it on the FBI’s website:

What I call the expansion of the network is going to create challenges. As technology increases, the threat becomes greater. All our wireless networks and smart devices are network-based, and anything touching the network is potentially susceptible. As more and more information transitions across the network, more adversaries will move to get their hands on it, because that information is extraordinarily valuable. [FBI]