News

Freed at last: Microsoft claims to have ‘liberated’ 4.7 million infected...

Microsoft claims to have "freed" at least 4.7 million Windows PCs from the control of hackers and identified a further 4.7 million, following an operation last week by the company's Digital Crimes Unit. According to Microsoft, the PCs are overwhelmingly based in India, followed by Pakistan, Egypt, Brazil, Algeria and Mexico. The malware Microsoft targeted is known as Bladabindi and Jenxcus and was written and distributed by a network of developers based in Kuwait and Algeria. However, the operation disrupted services at Reno, Nevada-based internet company Vitalwerks Internet, which Microsoft claims was being used by the cyber criminals to communicate with their network of compromised computers, using free accounts on the company's No-IP.com service. The operation began on 30 June after the company obtained a federal court order enabling it to pursue the operation. Assistant general counsel of the unit, Richard Domingues Boscovich, claimed it was the most successful of the 10 it has launched to date. "There are nearly 400 million victims of cyber crime each year. And cyber crime costs consumers $113bn per year," says David Finn, associate general counsel for Microsoft's Digital Crimes Unit. "We understand that there's no one single country, business or organisation that can tackle cyber security and cyber crime threats alone. That's why we invest in bringing partners – law enforcement agencies, partners and customers – into this centre to work right alongside us," he adds. Microsoft's Digital Crimes Unit claims a high correlation between counterfeit or pirated software and malware, not least because knock-off software is invariably bundled with malware by the people who crack and distribute the software. At the same time, evidence is emerging that the cyber criminals behind the Gameover ZeuS banking Trojan have started to reassemble the botnets that were taken down in a global operation last month.
Researchers at Malcovery claim to have noticed spam-borne malware that shares about 90 per cent of its code base with the original Gameover ZeuS Trojan. What made that malware particularly potent was its use of a peer-to-peer mechanism for its authors to control their malware network. The latest variant doesn't contain this P2P element. Instead, it uses "fast-flux hosting", an always-changing network of compromised systems that act as proxies. Should a Trojan on a PC fail to communicate with any of the controllers in the network, it falls back to a built-in domain-generation algorithm, whose domains the authors of the Trojan can register should their network get busted. "Gameover is based on code from the ZeuS Trojan, an infamous family of malware that has been used in countless online banking heists," wrote computer security specialist Brian Krebs. He continued: "Unlike ZeuS – which was sold as a botnet creation kit to anyone who had a few thousand dollars in virtual currency to spend – Gameover ZeuS has since October 2011 been controlled and maintained by a core group of hackers from Russia and Ukraine. "Those individuals are believed to have used the botnet in high-dollar corporate account takeovers that frequently were punctuated by massive distributed-denial-of-service attacks intended to distract victims from immediately noticing the thefts."

China Hacking Efforts Expand to U.S. Government Personnel

A new report claims that hackers were able to infiltrate government employee records. Hackers from China are no strangers to American IT infrastructure. According to a New York Times report published on July 9, Chinese hackers were able to infiltrate the Office of Personnel Management, which is the U.S. government agency that houses information on federal government employees. According to the report, the attack occurred in March of this year and was subsequently detected and blocked by federal authorities. It is not clear how long the Chinese hackers had access, or how much information they might have obtained. While the report cites China as the source of the attack, it is not clear if the attack is directly connected to or sponsored by the government of China. The New York Times itself is no stranger to hackers from China. Back in January 2013, Chinese hackers infiltrated the networks of the New York Times and The Wall Street Journal. There are also multiple known and attributed attacks from China that were sponsored and performed by members of the Chinese Army. In February 2013, security firm Mandiant first disclosed the activities of Chinese People's Liberation Army (PLA) Unit 61398, which was attacking the United States. The U.S. government itself is well aware of attacks from China that are sponsored by the PLA and has aimed to take legal action against those responsible. On May 19, U.S. Attorney General Eric Holder announced an indictment naming Chinese military officers attached to the Chinese PLA Unit 61398 as being allegedly responsible for attacking U.S. companies. The May indictment specifically identifies an eight-year period from 2006-2014 during which attacks took place against multiple American companies. Even more recently—on June 9—security firm CrowdStrike revealed yet another campaign coming from China targeting the United States. CrowdStrike called the new effort "Putter Panda" and identified the group as being part of the PLA.
In regard to the newly reported Chinese campaign against the U.S. Office of Personnel Management, Adam Meyers, vice president of intelligence at CrowdStrike, wasn't too surprised at the disclosure. "I was more alarmed than surprised; the Chinese threat actors are aggressive and numerous," Meyers told eWEEK. From what Meyers can tell at this point, the newly reported Chinese attack is not directly related to the CrowdStrike-discovered Putter Panda campaign. "This would not be consistent with Putter Panda tasking," Meyers said. "This would be more consistent with other adversaries out of China. We track over 10 different Chinese adversary groups who target various Western governments." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

@Congressedits tweets anonymous Wikipedia edits from Capitol Hill

Ed Summers’ robo-tweet software aims to increase transparency.

NatWest lacks basic phishing protection, says security firm Atbash

London-based security firm Atbash has identified a flaw in NatWest’s online banking system which could be exposing unwitting customers to cyber threats. The flaw – in the bank’s current email security system – makes it less likely that phishing emails will be identified and filtered out. Graeme Batsman, director of IT and email security firm Atbash, said: “I was handed a sample of an email from NatWest which slipped past the security system.” The sample was a phishing email that appeared to come from NatWest, yet the sender domain showed that it was sent from New Zealand. It informed the recipient that access to their account had been blocked “due to possible errors detected”. The message directed the recipient to click on a link to “restore online access” and review online accounts. The link actually redirected the user to a phishing website. “After inspecting the problem and testing the vulnerability, I identified that the problem was a missing SPF record,” Batsman said. SPF records are used as part of the Sender Policy Framework, an anti-spam approach in which the owner of an internet domain publishes, in DNS, which mail servers are authorised to send email for that domain, so that a receiving server can authenticate the sender. The measure is directed against spam mailers, who routinely disguise the origin of their email, a practice known as email spoofing. SPF and other anti-spoofing initiatives, such as DomainKeys, work by making it easier for a mail server to determine when a message came from a domain other than the one claimed. “To put it simply, NatWest’s email servers are based within the UK, so if someone was sending an email from New Zealand pretending to be NatWest, it should get blocked,” explained Batsman. When an email arrives from a domain that publishes SPF, the receiving server does a simple check in the background, comparing the servers the email should come from (in this case NatWest’s, in the UK) with the server it actually came from (in this case one in New Zealand). “If the two do not tie up, then email servers will determine the email to be fake and it will be blocked,” he said.
Batsman added that SPF is an open source method of identifying and capturing dangerous and compromised emails that costs nothing to implement and takes just 30 minutes to set up. By integrating an SPF record on the system, NatWest would have increased the chance of email spam filters detecting that the email is a fake, offering better protection to customers, he said. An SPF record has been set up for the domain NatWest.com, but not for the critical domain nwolb.com, which is used for the online banking login, said Batsman. “This leads to cyber criminals being particularly attracted to the nwolb.com domain, which is a major concern to NatWest online banking customers,” he said. Batsman said other major banks such as Metro, Barclays, Santander and Lloyds already have SPF records set up for their domains which relate to online banking login paths. Computer Weekly contacted NatWest to find out why SPF has not been implemented across all its domains, but received only a generic response. A NatWest spokesperson said: “We take our customers’ security very seriously and we’re always looking at additional ways to protect them. “We will never ask customers to disclose security details or personal information. We urge our customers not to click on any links and attachments within suspicious emails and to report a suspicious email to us. “Customers can contact us by emailing phishing@natwest.com or phishing@rbs.co.uk.”
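The check Batsman describes, as an added example that is not code from the article, NatWest or Atbash: a small SPF evaluator in Go that resolves against a constructed, in-memory set of TXT records. The domains (natwest.example., nwolb.example., _spf.mailer.example.) and the documentation IP ranges are assumptions of the example, not anyone's real records; it shows that a sender outside the published range is rejected for the domain that has a record, while the domain with no record returns "none", which leaves the receiver nothing to enforce.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// dnsTXT stands in for live DNS so the example runs offline. The records are constructed
// for illustration (documentation IP ranges, .example domains), not NatWest's real records;
// nwolb.example. deliberately publishes no SPF record, the situation the article describes.
var dnsTXT = map[string][]string{
	"natwest.example.":     {"v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example. -all"},
	"_spf.mailer.example.": {"v=spf1 ip4:198.51.100.10 ~all"},
	"nwolb.example.":       {"site-verification=abc123"},
}

// lookupSPF returns the domain's single v=spf1 record, or a final SPF result
// ("none" when nothing is published, "permerror" when more than one record exists).
func lookupSPF(domain string) (string, string) {
	var found []string
	for _, txt := range dnsTXT[strings.ToLower(domain)] {
		if txt == "v=spf1" || strings.HasPrefix(txt, "v=spf1 ") {
			found = append(found, txt)
		}
	}
	switch len(found) {
	case 0:
		return "", "none"
	case 1:
		return found[0], ""
	default:
		return "", "permerror"
	}
}

// CheckHost evaluates domain's SPF policy for the connecting IP and returns one of the
// RFC 7208 result names. It handles the ip4, ip6, include and all mechanisms with the
// +, -, ~ and ? qualifiers, enough for the policies above; depth bounds include recursion.
func CheckHost(ip net.IP, domain string, depth int) string {
	if depth > 10 {
		return "permerror"
	}
	record, result := lookupSPF(domain)
	if result != "" {
		return result
	}
	quals := map[byte]string{'+': "pass", '-': "fail", '~': "softfail", '?': "neutral"}
	for _, term := range strings.Fields(record)[1:] {
		qual := "pass"
		if q, ok := quals[term[0]]; ok {
			qual, term = q, term[1:]
		}
		parts := strings.SplitN(term, ":", 2)
		name, arg := strings.ToLower(parts[0]), ""
		if len(parts) == 2 {
			arg = parts[1]
		}
		switch name {
		case "all":
			return qual
		case "ip4", "ip6":
			if !strings.Contains(arg, "/") {
				arg += map[string]string{"ip4": "/32", "ip6": "/128"}[name]
			}
			_, cidr, err := net.ParseCIDR(arg)
			if err != nil {
				return "permerror"
			}
			if cidr.Contains(ip) {
				return qual
			}
		case "include":
			if CheckHost(ip, arg, depth+1) == "pass" {
				return qual
			}
		}
		// a, mx, ptr, exists and modifiers such as redirect= are outside this example.
	}
	return "neutral" // the policy ended without a match: the default result
}

func main() {
	for _, c := range [][2]string{
		{"203.0.113.5", "natwest.example."},   // from the domain's own range: pass
		{"198.51.100.10", "natwest.example."}, // via the included mailer: pass
		{"192.0.2.77", "natwest.example."},    // unlisted address: fail, can be rejected
		{"192.0.2.77", "nwolb.example."},      // same sender, no SPF record: none
	} {
		fmt.Printf("%-14s %-22s %s\n", c[0], c[1], CheckHost(net.ParseIP(c[0]), c[1], 0))
	}
}
```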

Authorities and private firms collaborate to combat Shylock malware

Law enforcement agencies and web security firms work together to combat notorious malware

Satya Nadella to flatten Microsoft and reverse device strategy

Microsoft CEO Satya Nadella has sent a memo to all 100,000 of the company's employees, in preparation for what is rumoured to be a major reorganisation. Reports suggest Nadella wants a cultural change from the top down at Microsoft. The company will become a flatter organisation, suggesting that a chunk of middle management is set for the chop. Nadella wrote: "You can expect to have fewer processes, but more focused and measurable outcomes. You will see fewer people get involved in decisions and more emphasis on accountability." In effect, the company will change how products are released to a continuous delivery model, rather than major releases. Nadella said: "Microsoft must find ways to simplify and move faster, more efficiently. We will increase the fluidity of information and ideas by taking actions to flatten the organisation and develop leaner business processes." He said the company will use analytics to drive product development. "Data and Applied Science resources will focus on measurable outcomes for our products and predictive analysis of market trends, which will allow us to innovate more effectively," he explained.

Tone down device focus

The company will no longer push devices and services, but will focus instead on being a mobile and cloud platform provider. "While the devices and services description was helpful in starting our transformation, we now need to hone in on our unique strategy," said Nadella. Previously, when he became CEO in February 2014, Nadella stressed Microsoft's role in a software-powered world. "We have talked about how our strategy going forward is about devices and services," he said at the time. In the memo Nadella said: "We will obsess over reinventing productivity and platforms. We will relentlessly focus on and build great digital work and life experiences with specific focus on dual us."

Enterprise push

Earlier this year Nadella emphasised the company’s focus on enterprise computing and SQL Server.
At the time, he said: "Ambient intelligence starts with everyone in an organisation having questions and testing out hypotheses, gaining insights and taking actions." It appears the use of analytics tools and methodologies will not only be integrated into SQL Server, but will form the basis of Microsoft decision-making. For heterogeneous computing, Nadella highlighted the new Enterprise Mobility Suite. He said: "We now enable IT organisations to manage and secure the Windows, iOS and Android devices." The company has also released Office365 natively on the Appstore for iOS. But a deeper level of heterogeneous computing may be on the cards. At its Build 2014 conference in April, Xamarin, which has developed a cross-platform version of the Windows .Net framework, showed Xamarin Mobile, a library that exposes a single set of APIs for accessing common mobile device functionality across iOS, Android and Windows platforms. Apps can be developed in Microsoft’s Visual Studio development environment. This level of integration, along with Nadella’s goals for heterogeneity, has fuelled rumours that Microsoft will acquire Xamarin.

A threshold for Microsoft

Microsoft is expected to reveal details of a new version of Windows, codenamed Threshold, in the next few weeks. Rumour has it that this new operating system will offer different personalities depending on the form factor of the device: a tablet will be optimised for touch with the Windows 8 style UI, while laptops will have a more usable Start menu, as in Windows 7. Whatever Microsoft delivers in the Threshold release, it is clear Nadella will want it to become the first major product to arise from his new strategy. As such, IT departments may have to prepare for the continuous release of Windows functionality, rather than the service pack updates and monthly Patch Tuesday releases they have become accustomed to.
This is the software upgrade model used by browsers, mobile operating systems and software as a service providers. In reversing the strategy of former CEO Steve Ballmer, who aimed to emulate Apple’s iOS ecosystem with gadgets and services, Microsoft is clearly making a U-turn. That said, Nadella emphasised the company’s new Surface Pro 3 tablet devices and Microsoft’s continued support of its Xbox games console business, which means these devices will remain a part of Microsoft's future even if it no longer sees itself as a devices and services company.

AWS targets mobile with Amazon Cognito, analytics and SDK

Amazon Web Services (AWS) has boosted the attraction of the public cloud platform for mobile developers with the launch of Amazon Cognito, Amazon Mobile Analytics and a unified mobile software development kit (SDK). Cognito offers fully managed identity and synchronisation services across devices. Mobile Analytics helps developers collect, visualise and understand app usage data at scale. And Simple Notification Service (Amazon SNS) is a push messaging service. Amazon Web Services has also updated its mobile software development kit so the new services can be included in users’ apps. The mobile SDK also provides mobile-optimised access to the cloud platform’s other services such as S3, DynamoDB and Kinesis. Apps built with the SDK can be published on the existing distribution mechanism (such as iTunes Store, Google Play and Amazon Appstore). AWS mobile facilities are platform-agnostic and designed to help developers build applications across iOS, Android and Fire OS platforms, said Marco Argenti, Amazon’s vice president for mobile services at the AWS Summit, held in New York on 10 July. While the push notification service is available for Apple, Google, Fire OS and Windows devices, Amazon did not specify whether Mobile Analytics and Cognito will work with Microsoft Windows. “User expectations are at an all-time high: they want to run your app on the device of their choice, they want it to be fast and efficient, and they want it to be secure,” said Jeff Barr, chief evangelist for AWS on the company’s official blog. According to Barr, mobile developers face challenges around storage, management, synchronisation, authentication and analytics while trying to meet enterprise users’ mobile expectations. AWS’s new mobile services will help enterprise IT to “meet these challenges” and “build sophisticated cloud-powered applications for mobile devices”, Barr said.
The Mobile Analytics service is designed to deliver usage reports within 60 minutes of receiving data from an app so that developers can act on the data more quickly, said AWS. “Many mobile app analytics solutions deliver usage data several hours after the events occur,” its experts added. One of Japan’s biggest mobile phone operators NTT DoCoMo – which has 62 million subscribers – has used AWS to create a voice recognition architecture that helps the company scale for better performance during traffic spikes. At the AWS Summit, Amazon also launched a file storage, sharing and collaboration service called Zocalo. Zocalo offers IT administrators the option of integrating with existing corporate directories, flexible sharing policies, audit logs, and control of the location where data is stored, according to AWS. “Users can comment on files, send them to others for feedback, and upload new versions without having to resort to emailing multiple versions of their files as attachments,” AWS insiders said at the summit. “AWS is really applying for one-stop-shop for all IT needs, end users will work directly on AWS infrastructure,” tweeted Henri Koppen, a cloud computing consultant from the Netherlands at the unveiling of the mobile service capabilities.

Microsoft acts to block bogus crypto certificates

Microsoft has issued a security advisory about improperly issued SSL-encryption certificates, which could be used in attempts to spoof content, perform phishing attacks or perform man-in-the-middle attacks. The fraudulent certificates were issued by the National Informatics Centre (NIC) of India, an intermediate certificate authority that is trusted and overseen by India's Controller of Certifying Authorities (CCA). The CCA, in turn, is trusted by the Microsoft Root Store, a library that Internet Explorer and many other Windows apps rely on to process the SSL certificates that banks, email providers and other online services use to encrypt traffic and prove their authenticity. Microsoft said the issue affects all supported releases of Microsoft Windows, but added that it was not currently aware of attacks related to this issue. The subordinate CA was misused to issue SSL certificates for multiple sites, including Google and Yahoo web properties. The CCA has reportedly confirmed the bogus certificates were the result of a compromise of NIC's certificate issuance process. “These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against web properties,” Microsoft said. The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks, it added. Windows appears to be the only operating system that will trust the fraudulent certificates, meaning apps running on Mac OS X, Linux and other platforms are not at risk, according to Ars Technica. On Windows, the Firefox browser and the Thunderbird email client were not affected because they rely on a root store that is independent of the Microsoft operating system. In response to the threat, Microsoft has updated the Certificate Trust List (CTL) for all supported releases of Microsoft Windows to remove the trust of certificates that are causing this issue.
“We have been working diligently on the mis-issued third-party certificates and have untrusted the related Subordinate Certification Authority certificates to ensure our customers remain protected,” said a Microsoft statement emailed to Computer Weekly. An automatic updater of revoked certificates is included in supported editions of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, and Windows Server 2012 R2, and for devices running Windows Phone 8 or Windows Phone 8.1. For these operating systems or devices, Microsoft said users do not need to take any action because the CTL will be updated automatically. Systems are also protected if they run Windows Vista, Windows 7, Windows Server 2008 or copies of Windows Server 2008 R2 that are using the automatic updater of revoked certificates. But for systems running Windows Vista, Windows 7, Windows Server 2008 or copies of Windows Server 2008 R2 that do not have the automatic updater of revoked certificates installed, this update is not available. To receive the update, users must install the automatic updater of revoked certificates. Users in disconnected environments who are running Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 can install update 2813430 to receive this update. “At this time, no update is available for customers running Windows Server 2003. Microsoft will update this advisory at such time as an update becomes available for Windows Server 2003 customers,” the security advisory said. Additional protection is offered by the Enhanced Mitigation Experience Toolkit (EMET) 4.1, and newer versions, said Dustin Childs, group manager, response communications at Microsoft. “EMET will help mitigate man-in-the-middle attacks by detecting untrusted or improperly issued SSL certificates through the Certificate Trust feature,” he wrote in a blog post. 
Security researchers said the fake certificates underscore the key risks of using public key infrastructure (PKI) to ensure the authenticity of a remote party. “The system we use for securing websites is based on the network of trusted certificate authorities and subordinate authorities,” said Craig Young, security researcher at Tripwire. “When any one of these authorities is controlled by someone with malicious intentions it is possible to impersonate services such as websites, email and file transfer. The malicious possibilities are limitless,” he said. According to Young, the problem is compounded by the fact that computers and SSL systems are designed to trust a long list of authorities. “We have seen certificate authorities get compromised and used to sign counterfeit certificates several times in the recent past. This is why SSL implementations should always use revocation lists,” he said. One of the best ways to protect users from this type of threat, said Young, is through the use of pinned certificates. This is a deployment in which software is designed to require specific certificates instead of allowing any certificate signed by a 'trusted' authority. “This practice is used in the Gmail app for Android, for example, but unfortunately this approach does not scale for general web browsing,” said Young. “To protect themselves from these kinds of incidents users may want to remove trust for regional certificate authorities that aren’t needed in the user's locale,” he said.

Transparency promise delivers emergency surveillance law deal

The government has promised greater transparency and oversight in a political deal to persuade MPs to pass emergency surveillance legislation that will force phone and internet firms to retain and hand over data. The emergency legislation is due to be debated on Tuesday 15 July and complete all its parliamentary stages two days later. If passed, it will reinstate powers struck down by the European Court of Justice in April. Justifying the move, David Cameron said: “I am simply not prepared to be a prime minister who has to address the people after a terrorist incident and explain that I could have done more to prevent it.” He emphasised that the data retained would not include the content of messages and phone calls, just details of when and whom the service providers’ customers had called, texted and emailed. The emergency Data Retention and Investigatory Powers Bill will “clarify” the law on tapping suspects’ phones by the police and security services to ensure that service providers respect government warrants. Cameron insisted the move would not extend surveillance laws but maintain existing capabilities to protect the public from “criminals and terrorists”. To that end, the emergency legislation will force foreign-based companies to hand over data harvested in the UK. According to The Guardian newspaper, this implicitly accepts the revelations by whistleblower Edward Snowden that some of the UK government’s surveillance activities did not have international legal authority. This issue is likely to have been highlighted in the Conservative party’s negotiations with the Liberal Democrats and Labour, leading to a deal that includes long-sought reforms to the accountability of the security services. A Privacy and Civil Liberties Oversight Board will also be created to scrutinise the impact of the law on privacy and civil liberties, and there will be annual government transparency reports on how these powers are used.
The deal also provides for:

- the appointment of a former senior diplomat to lead discussions with the US government and internet firms to establish a new international agreement for sharing data between legal jurisdictions
- a termination clause that will see the powers expire at the end of 2016
- a wider review of the powers needed by government during the next parliament
- greater flexibility in the length of time that data is retained, so it is held for no more than 12 months
- a two-year expert review of the relevance of the Regulation of Investigatory Powers Act 2000
- a reduction in the number of public bodies that will be able to access data
- a new restriction that data cannot be gathered purely in the economic interest of the UK

Civil liberties groups are also calling for greater transparency after figures obtained under the Freedom of Information Act showed that the government paid almost £65m to communications service providers to retain communications data over a six-year period. Emma Carr, acting director of Big Brother Watch, said: “It is clear that communications service providers are being paid with one hand and silenced with another. If the government wants to force communication service providers to retain citizens’ data, then this must go hand in hand with greater transparency.”

BrutPOS Botnet Uses Brute Force to Break Into POS Systems

FireEye uncovers a botnet that is brute-forcing its way into point-of-sale systems to steal payment credentials. In a new twist on retail payment security, researchers at security firm FireEye have uncovered a botnet that is specifically trying to brute-force its way into point-of-sale (POS) systems. FireEye has named the botnet BrutPOS because it uses a brute-force technique to gain access to POS systems. In a brute-force attack, the attacker tries to enter a system by trying out a series of username/password combinations to gain access. BrutPOS leverages its botnet of compromised machines, scanning for POS servers and then brute-forcing its way in. "POS malware is something that has been around for a while," Kyle Wilhoit, threat intelligence analyst at FireEye, told eWEEK. "However, POS malware that is utilizing brute-forcing techniques is new." The FireEye investigation found that the BrutPOS botnet had in its network a total of 5,622 compromised computers, which report into command and control (C2) servers. In total, there are five C2 servers for BrutPOS, though FireEye notes that only two are currently active. "The other servers in question were taken down, likely by the actors perpetuating the attacks," Wilhoit said. The risk of retail POS data breaches has been top of mind for many in 2014 due to a number of high-profile incidents. U.S. retailer Target publicly admitted on Dec. 19, 2013, that it was breached, leaving 70 million customers at risk. More recently, restaurant chain P.F. Chang's admitted on June 12 that it too was the victim of a data breach, likely the result of POS insecurity. In its report, FireEye is not claiming BrutPOS is related to any publicly disclosed data breach. That said, FireEye's investigation found that BrutPOS targeted 57 IP address ranges, 32 of which are located in the United States. From a remediation perspective, there are a number of things retailers and POS operators can do to protect themselves.
In a brute-force attack, the first round of attack typically goes after default username/password combinations. As such, one thing that should be done by POS administrators is to change the default password. "Changing default passwords is important to ensure low-hanging fruit is not easily exposed," Wilhoit said. Going a step further, Wilhoit suggests that RDP (Remote Desktop Protocol), which runs over port 3389, should be locked down to trusted sources. The BrutPOS attack targets RDP specifically as a means to gain access. "Not allowing 3389 access to POS terminals from the outside world is extremely important," Wilhoit said. "Likewise, in internal networks, this access should be heavily restricted." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
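As an added example that is not FireEye's code, a Go detector for the pattern the article describes, written from the defender's side: a burst of failed RDP logons from one source address, and whether a successful RDP logon from that source followed, which is the case to escalate. The log layout and the sample lines are constructed for this example; real Windows Security events use the same IDs (4625 for a failed logon, 4624 for a successful one) and logon type 10 for RDP sessions, but in a different export format, and the thresholds are assumptions to tune per site.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

type Event struct {
	When time.Time
	ID   int    // 4625 = failed logon, 4624 = successful logon
	Type int    // logon type 10 = RemoteInteractive, i.e. an RDP session
	Src  string // source network address
	User string
}

// SampleLog is constructed data in a simplified export format (time, event ID, key=value fields).
const SampleLog = `2014-07-10T02:14:01Z 4625 LogonType=10 Src=192.0.2.45 User=administrator
2014-07-10T02:14:03Z 4625 LogonType=10 Src=192.0.2.45 User=admin
2014-07-10T02:14:05Z 4625 LogonType=10 Src=192.0.2.45 User=pos
2014-07-10T02:14:08Z 4625 LogonType=10 Src=192.0.2.45 User=posuser
2014-07-10T02:14:10Z 4625 LogonType=10 Src=192.0.2.45 User=manager
2014-07-10T02:14:12Z 4625 LogonType=10 Src=192.0.2.45 User=store
2014-07-10T02:14:15Z 4624 LogonType=10 Src=192.0.2.45 User=pos
2014-07-10T02:20:00Z 4625 LogonType=10 Src=198.51.100.7 User=cashier
2014-07-10T02:40:00Z 4625 LogonType=2 Src=- User=cashier`

// ParseLog converts the export into events, rejecting malformed lines.
func ParseLog(raw string) ([]Event, error) {
	var out []Event
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) < 2 {
			return nil, fmt.Errorf("line %d: too few fields", n+1)
		}
		when, errT := time.Parse(time.RFC3339, f[0])
		id, errID := strconv.Atoi(f[1])
		if errT != nil || errID != nil {
			return nil, fmt.Errorf("line %d: bad timestamp or event ID", n+1)
		}
		kv := map[string]string{}
		for _, field := range f[2:] {
			if i := strings.IndexByte(field, '='); i > 0 {
				kv[field[:i]] = field[i+1:]
			}
		}
		lt, _ := strconv.Atoi(kv["LogonType"])
		out = append(out, Event{When: when, ID: id, Type: lt, Src: kv["Src"], User: kv["User"]})
	}
	return out, nil
}

type Finding struct {
	Src      string
	Failures int  // failed RDP logons inside the densest window
	Breached bool // a successful RDP logon from the same source followed the burst
}

// DetectRDPBruteForce flags sources with at least threshold failed RDP logons inside a sliding window.
func DetectRDPBruteForce(events []Event, window time.Duration, threshold int) []Finding {
	sort.Slice(events, func(i, j int) bool { return events[i].When.Before(events[j].When) })
	fails, success := map[string][]time.Time{}, map[string]time.Time{}
	for _, e := range events {
		switch {
		case e.Type != 10: // console, network and service logons are out of scope here
		case e.ID == 4625:
			fails[e.Src] = append(fails[e.Src], e.When)
		case e.ID == 4624:
			success[e.Src] = e.When // events are sorted, so this keeps the latest success
		}
	}
	var out []Finding
	for src, ts := range fails {
		start, best, bestStart := 0, 0, 0
		for i := range ts {
			for ts[i].Sub(ts[start]) > window {
				start++
			}
			if n := i - start + 1; n > best {
				best, bestStart = n, start
			}
		}
		if best >= threshold {
			out = append(out, Finding{src, best, success[src].After(ts[bestStart])})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Src < out[j].Src })
	return out
}

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", DetectRDPBruteForce(events, 2*time.Minute, 5))
}
```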

Critical Infrastructure Firms Lag Behind in Cyber-Attack Defenses

Utilities, industrial manufacturers and energy companies expect cyber-attacks in the next year, but these organizations continue to react to threats, rather than build up security measures, according to the latest Ponemon survey. Security teams at critical infrastructure firms have little trouble understanding that their networks are vulnerable. But the companies themselves have failed to make security a priority, according to a survey of nearly 600 security executives by the Ponemon Institute published on July 10. External attackers and malicious or negligent employees managed to compromise two-thirds of the companies' networks in the past 12 months, leading to the loss of data or a disruption in operations, according to the report, Critical Infrastructure: Security Preparedness and Maturity, which was funded by technology firm Unisys. About 57 percent of respondents believe that their industrial control systems are at risk from cyber-attacks. Despite the recognition of cyber-attacks as a threat, most critical-infrastructure firms are not focused on security, according to the survey. Only 28 percent of security practitioners stated that their firms considered security a top-five priority, the study found. "It paints a picture of organizations that feel like they are at risk, yet they are not doing anything about it," Dave Frymier, chief information security officer for Unisys, told eWEEK. "They are almost asleep at the switch, [and] they don't seem to be taking the problem seriously." In the survey of 599 information technology and IT security executives, most companies were aware of the dangers of cyber-attacks: Nearly two-thirds of organizations are committed to preventing or detecting the most sophisticated attackers, known as advanced persistent threats or APTs, according to respondents. The same number of respondents agreed that one or more serious cyber-attacks would infiltrate their infrastructure in the next year. 
Over the past two years, for example, a group of online hackers, whose actions bear the hallmarks of nation-state operatives, compromised hundreds of energy firms and industrial control system makers, according to the Industrial Control Systems Cyber Emergency Readiness Team (ICS-CERT) and security firms. Alternatively called "Dragonfly" and "Energetic Bear" by security firms, the attack campaign installed Remote Access Trojans (RATs) inside the networks of companies, organizations and government agencies located in Spain, the United States, Japan, France, Italy and Germany. Because control systems and monitoring networks are designed to be reliable and last for decades, dealing with legacy systems that may have significant vulnerabilities has become a major issue for utilities. Yet, most lack confidence that their organization could upgrade such systems without causing problems. More than half of security professionals interviewed by the Ponemon Institute stated that patching industrial systems with up-to-date security software either would not be cost-effective or would sacrifice mission-critical security, according to the report. Until a major event shakes critical-infrastructure firms from their malaise, the gap between security professionals understanding the theoretical threat of cyber-attacks and companies focusing on making their networks and infrastructure more secure in practice will likely remain for the foreseeable future, Frymier said. "We pretty much feel that there will have to be some precipitating event," he said. "Something will have to happen, and unfortunately, it will probably be a bad thing that has to happen to galvanize people to understand the magnitude of the problem so they do something about it."  

Lyft defies New York City taxi agency’s ban, to launch Friday

Taxi and Limousine Commission: startup has no "license to dispatch cars."