Sunday, November 19, 2017

Tag: Cyber

The government's "digital by default" agenda should be accompanied by one of "security by default" if public sector organisations are to truly protect themselves against cyber security threats and avoid a cyber security skills crisis. That's according to Graeme Stewart, director for UK public sector strategy at security software vendor McAfee.

"There is no bigger indicator of a cyber security skills crisis than the world's most prestigious security agencies struggling to compete for staff," he said. "With the UK government driving its own digital transformation agenda, and cyber security being reclassified to a tier-one national security threat, never has there been more pressure for the public sector to rectify a very real cyber security skills gap."

Stewart argued that the government needs to do more to ensure that service providers at every level of the "public sector supply chain" are educated about the need for proper cyber security.

"With the UK government opening doors for more and more small and medium-sized businesses to become suppliers to the G-Cloud, and an influx of international players, it is critical that every level of the supply chain, not just the top tier, must be approached with the utmost seriousness.

"Ultimately, governments must take responsibility for the security of the supply chain but, in part, this should be about educating and supporting the full ecosystem of businesses involved," he said.

"Security by default should be embedded alongside 'digital by default' as a cornerstone of our public services, rather than the afterthought it has often been in the past," Stewart added.

Last month, Shadow Cabinet Office minister Chi Onwurah MP told Computing that the government isn't spending enough on raising cyber security awareness.

"There needs to be a greater profile of cyber security in a positive way and I don't believe the balance of spend right now is right. In terms of priority, it is giving it to national cyber security over the awareness more generally among the UK population," she said.
Many firms are at risk of cyber attacks exploiting an unpatched security flaw in Java 6, warns security firm Qualys. Oracle released a critical patch update for vulnerability CVE-2013-2463 in Java 7, but there is no patch available for Java 6 as it reached end-of-life in April 2013.

“It is, in essence, an implicit zero-day vulnerability as we know about its existence, but do not have a patch at hand,” said Wolfgang Kandek, CTO of Qualys. Although this happens each time a software package loses support, he said what makes this a particular concern is that F-Secure has seen exploits in Java 6 in the wild. Researchers have also seen the vulnerability included in the Neutrino exploit kit, which Kandek said guarantees that it will find widespread adoption.

“We still see very high rates of Java 6 installed, accounting for just over half of Java users, which means many organisations are vulnerable,” he said. Kandek attributes this high level of use to the lock-in that organisations experience when they run software applications that require the use of Java 6.

“Organisations should update to Java 7 where possible, meaning that IT administrators need to verify with their suppliers if an upgrade path exists,” he said. However, many organisations are unable to update or disable Java because it would affect business critical applications. “So in essence they accept the risk of outdated Java in order to be able to continue to do business,” said Kandek.

For users of Java 6, he said it might be useful to look into the whitelisting of Java applets. “Internet Explorer supports this out of the box through its concept of 'Zones' and while it is not a perfect solution, it should deal with the most common attack vector - an applet embedded in a webpage,” he said.

Many government leaders are not informed and familiar with technology, according to Scott Borg, director and chief economist at the US Cyber Consequences Unit, an independent research institute. “This leads to wrong decisions, such as investing in technology solutions that are useless, or financing research that will never produce results,” he told FutureGov.

According to Borg, leaders also often confuse the main cyber security roles government has to fulfil by having the same people or organisations perform all the roles at the same time. These roles include helping critical infrastructure industries defend themselves against cyber attacks, protecting citizens from cyber attacks, and protecting government itself to ensure continuity and trust.

Graeme Stewart, director of UK public sector strategy at security firm McAfee, said Borg’s comments highlight a worrying lack of cyber security skills among government leaders. “There is no bigger indicator of a cyber security skills crisis than the world’s most prestigious security agencies struggling to compete for staff,” he said. According to Stewart, there has never been more pressure to address the cyber security skills gap, with the UK government driving its own digital transformation agenda and cyber security being reclassified to a tier-one national security threat.

Borg also pointed out how crucial it is to secure the supply chain for critical national infrastructure. “With the UK government opening doors for more small and medium-sized enterprises to become suppliers to the G-Cloud, and an influx of international players, it is critical that security is applied at every level of the supply chain,” said Stewart. “Ultimately, governments must take responsibility for the security of the supply chain, but in part this should be about educating and supporting the full ecosystem of businesses involved,” he said.

Stewart believes the principle of “security by default” should be embedded alongside “digital by default” as a cornerstone of UK public services, rather than the afterthought it has often been in the past.

Stratfor hacker Jeremy Hammond has claimed that the "handlers" behind convicted hacker Hector Monsegur, better known as Sabu, used him to coordinate attacks against foreign governments.

In a statement written in prison while awaiting trial, Hammond claimed: "It is widely known that Sabu was used to build cases against a number of hackers, including myself. What many do not know is that Sabu was also used by his handlers to facilitate the hacking of targets of the government's choosing - including numerous websites belonging to foreign governments.

"What the US could not accomplish legally, it used Sabu, and by extension, me and my co-defendants, to accomplish illegally. The questions that should be asked today go way beyond what an appropriate sentence for Sabu might be: "Why was the US using us to infiltrate the private networks of foreign governments? What are they doing with the information we stole? And will anyone in our government ever be held accountable for these crimes?"

Hammond, a long-time political activist, was behind an attack against intelligence consultancy Stratfor, releasing some 200 gigabytes of documents to Wikileaks.

Hammond's statement came just before US law enforcement agency, the FBI, claimed "victory" over the hacking group Anonymous after three years of arrests culminating in the apprehension of five members of Lulz Security (LulzSec) last year.

"All of these guys [arrested] were major players in the Anonymous movement, and a lot of people looked to them just because of what they did," Austin Berglas, assistant special agent in charge of the FBI's cyber division in New York, told the Huffington Post.

The arrests have been attributed to information supplied by Sabu, which have also sown distrust in the hacking community among groups and individuals that might affiliate under the Anonymous moniker, reducing their effectiveness, according to Berglas.

"The movement is still there, and they're still yacking on Twitter and posting things, but you don't hear about these guys coming forward with those large breaches," he said. "It's just not happening, and that's because of the dismantlement of the largest players."

In the meantime, the sentencing of hacker Sabu has been delayed for the second time this year. Facing up to 124 years in prison, he is expected to receive a lighter sentence as a result of his cooperation with the FBI. He will now be sentenced on 25 October.
The arrest of a man believed to have collected more than £100,000 in fraudulent UK tax rebates shows that security needs to be built into the design of each digital reform, says security firm Thales. The man is one of five arrested in connection with an HM Revenue & Customs (HMRC) investigation into a gang of cyber attackers suspected of identity theft from 700 UK citizens to commit tax fraud.

If citizens and government are to get the most out of migrating interactions online, such as collecting welfare benefits via Universal Credit, there is an overriding need for some form of secure identification credentials, according to Ross Parsell, director of cyber security at Thales UK. “Being able to verify, manage and protect the identity of claimants will be central to the success of the programme,” he said.

Parsell said MPs are correct to warn that the Universal Credit system presents a serious fraud risk. “Although the Public Sector Network (PSN) will provide a secure back-end communications infrastructure, a question mark still remains over whether the government will be able to verify, manage and protect the identity of claimants,” he said.

With 1.56 million people claiming Jobseeker’s Allowance at a minimum of £56.25 a week, just that element of welfare presents a £4.56bn fraud risk over the course of a year, said Parsell. “Piggybacking on a bank’s identification system could be a low-cost solution for the government in using two-factor authentication with chip and pin,” he said.

In January 2013, UK fraud prevention service Cifas said the fraudulent use of stolen or fictitious identity details is the biggest fraud threat. Analysis of fraud trends in 2012 revealed 50% of all frauds identified during the year related to the impersonation of an innocent victim or the use of completely false identities.
It was announced in the press recently that a well-known multinational consumer electronics company had just filed for Chapter 11 Bankruptcy – all down to a competitor in China stealing its latest designs. That announcement is fiction, but companies have gone bankrupt over competitors stealing their intellectual property (IP) – it is not new and it is probably happening in your organisation right now.

MI5's head of cyber told the BBC in his first public, yet anonymous interview: “There are now three certainties in life: there's death, there's taxes and there's a foreign intelligence service on your system."

The rapid rise in cyber espionage should be a wake-up call for organisations to rethink their data security strategies to improve protection of their IP. There is also a large majority of organisations that believe their IP is adequately protected by current security controls, and also believe that they are not a target, because they are neither a financial institution nor involved in the defence industry. Most of them say, “We are in the soup and soap business”, or “We just sell boxes”. That may be right, but where is their biggest market share – China or other emerging markets?

Various attack vectors are used to steal an organisation’s IP, but the biggest and by far the easiest is a spear phishing attack, whereby a miscreant sends a specially crafted email to an employee in an organisation getting them to open a compromised document, or directs them to a compromised website which takes advantage of an unpatched vulnerability, thereby compromising the employee’s computer.

There are various steps an organisation can take to help protect itself from cyber espionage. They are:

Educate employees about security, with a big emphasis on social engineering attacks, such as spear phishing. As we all know, people are the weakest link.

Understand what IP you have. This can be achieved by carrying out a data classification exercise, which will allow you to assess the sensitivity of the data you hold and what data could be valuable to your competitors or anyone else.

Make sure systems are patched regularly and not just with Microsoft-related patches, but Java, Adobe and other application patches. Most of the attacks are using Java, Adobe or other application vulnerabilities.

Make sure that antivirus (AV) is updated on all systems used by employees within the organisation, and run monthly reports to identify systems that are not compliant with regard to AV.

Monitor for unusual behaviour. This is probably the most difficult without a security information and event management (Siem) system or other monitoring devices as organisations may not know what to look for.

These are some of the steps IT security professionals can take to protect their organisation from cyber espionage; hopefully your organisation will be in the news for all the right reasons.

Kevin Wharram is a member of the Isaca Security Advisory Group.

This was first published in August 2013
Five men have been arrested in connection with an HM Revenue and Customs (HMRC) investigation into cyber attackers suspected of identity theft and tax fraud. The men are part of a group believed to have stolen personal data from 700 UK citizens to set up false self-assessment accounts with HMRC in an attempt to steal tax rebates worth up to £500,000.

At the weekend, police arrested and charged a 35-year-old man from Bologna with cheating HMRC when he landed at Stansted airport. UK and Italian officials have searched his home in Bologna and seized computers. Four others were arrested at Stansted, London, and Chatham in Kent. They have been released on bail, pending further investigation.

Italian police said the men were of Nigerian origin, according to the Guardian. HMRC investigators contacted Italian police after tracing the fraudulent rebate applications to Italy. Italian cyber crime police said the man from Bologna had applied for £500,000 in rebates and had collected more than £100,000 since stealing the identity of 700 UK citizens over a year ago. But HMRC claims that its online systems proved extremely resilient, identifying and preventing most false repayment claims, the paper said.

Andrew Sackey, assistant director of criminal investigation at HMRC said: "These arrests clearly demonstrate that we can, and will, apprehend those suspected of attempting to cheat UK taxpayers by defrauding HMRC, with international assistance if necessary."

In January, UK fraud prevention service Cifas said the fraudulent use of stolen or fictitious identity details is the biggest fraud threat. Analysis of fraud trends in 2012 revealed 50% of all frauds identified during the year relate to the impersonation of an innocent victim or the use of completely false identities.

In our modern world, where we're all hyper-sensitive to the relentless onslaught of cyber-attacks, any time a major site, service or piece of infrastructure stops working properly, the immediate speculation is that hackers are to blame.

On the afternoon of Thursday, Aug. 22, the NASDAQ exchange halted trading for nearly 4 hours. The exchange publicly identified the root cause of the issue as being related to trouble with the Unlisted Trading Privileges (UTP) Securities Information Processor (SIP) quote dissemination system. What we don't know at this point is why there was trouble with the UTP SIP quote dissemination system. Was it just human or system error? Or was it the action of a malicious actor? Personally I'm not so sure. But let's explore.

Chester Wisniewski, senior security adviser at Sophos, told eWEEK that anything at this point is simply speculation. "There is no reason to believe this is hacker related, particularly related to DDoS," Wisniewski said. "This doesn't mean someone hadn't infiltrated the NASDAQ's network or planted malware within critical systems, but unless NASDAQ says more, it is purely speculative and not grounded in any facts."

Stock exchanges have been a target for hackers before. In a session at the RSA security conference earlier this year, Ziv Gadot, Security Operations Center (SOC) team leader at Radware, had a talk titled, "Stock Exchanges in the Line of Fire—Morphology of Cyber-Attacks." I spoke with Gadot at the time and asked him specifically about the big New York exchanges and the risk to them. In 2011, the NASDAQ Director's Desk application used by the exchange to share information was in fact hacked by attackers, who planted an eavesdropping tool. Again, no direct tie or official word here to the incident that occurred yesterday.

It's also important to remember here that sometimes a technical "glitch" is just that. The NASDAQ quote dissemination system is a highly available system with extreme levels of concurrency and throughput. Every trader and trading system wants the same data at the same time, and sub-microsecond delays are not acceptable. It's a very complex and sophisticated system. With that complexity, the risk of error (human or system) will always exist. Sometimes, "a rose is just a rose" and perhaps that's the case with the NASDAQ trading halt incident too. Time will tell.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
The time has come for service providers and consumers to move to a security model better suited to the cloud computing era, says cloud-based content management and collaboration firm Box.com.

The firm has pursued transparency or openness as a key policy to establish trust with customers concerned about security in the cloud environment. Customers are able to access all activity and transactions related to their content and even download that data to their security information and event management (Siem) systems. They also have access to SOC1, SSAE16, SOC2, ISO27001 and internal audit reports and quarterly penetration test reports. Box.com even allows customers to perform their own penetration tests. In pursuit of greater transparency, Box.com has also achieved compliance with the US health sector HIPAA standard and is working on compliance with the US government FedRAMP cloud security assessment programme.

Limitations to this approach

However, this approach has its limitations, according to Justin Somaini, chief trust officer at Box.com and former chief information security officer (CISO) at two Fortune 500 companies. He is calling for a new security model that can address the security issues arising from the evolution of computing on the one side and cyber threats on the other. Somaini has begun working on a new model in consultation with the Cloud Security Alliance (CSA), which he hopes will evolve into an industry standard that will benefit cloud service providers and users alike.

He believes that cloud computing is essentially a return to centralised computing, which is an opportunity to achieve the security benefits the industry has been missing out on for 40 years. “There is a lot of security value you can get when you move back into a centralised computing utility,” he told Computer Weekly. “It is only when we bring content back to a centralised model do we have the ability to apply identity, authentication and authorisation capabilities,” he said. Consumers of cloud services have a role to play in having an open mind about the possibilities of doing things better in the cloud from a security point of view.

The importance of security

At the same time, cloud providers must strive to make security a differentiator by building products that share the customers’ objective of fending off attackers and ensuring confidentiality, integrity and availability, said Somaini. Transparency around activity and transactions around content is a key component, he said, but many cloud providers still do not allow customers to access logs to see what is going on. Many also still do not have good security certifications or detailed audits to provide a level of transparency around how they are managing content.

Without transparency there can be no trust, said Somaini, which is why he is forging a new security model that is aimed at enforcing this principle in the cloud services industry. “One of the things I am calling for in the industry is a more detailed and prescriptive audit and certification specifically for cloud providers,” he said. For example, it should require cloud providers to supply all documentation on how they work instead of just a certification letter, and allow customers to view and download all transactions on their data. Other important questions would be around providers’ ability to assist in any e-discovery requirements, how they defend against advanced cyber threats, and how they deal with application security.

Leapfrogging cloud-specific frameworks

Internally, Box.com is seeking to roll out a version by the end of the year to leapfrog cloud specific framework within the ISO model, which is expected to take years to develop. Somaini intends to update and mature the CSA’s control compliance matrix as the basis for new controls aimed at giving customers greater visibility and transparency than the SOCs, SSAE and ISO can. He hopes that once established, these controls will be rolled into the fledgling ISO cloud framework.

“My intent is to drive something new into the security industry and I believe the best place for it and the best leadership I can see doing this is the CSA,” said Somaini. He is in discussions with the CSA in the hope of being able to create a new certification that will give users of cloud services better trust in what providers do and how they do it.

Somaini believes security professionals need to learn that there is a better security model than what they do today and cloud suppliers need to provide better capabilities to enable trust and transparency. “Both sides of the industry have some work to do if we are to solve some of the fundamental problems in the industry,” he said.

A software glitch that caused the tech-heavy Nasdaq stock exchange to shut down has raised fears over stock market stability and cyber attacks and renewed calls for greater market regulation.

Trading in more than 2,000 US stocks and options was halted for more than two hours as Nasdaq hunted for the cause of the shutdown, according to the Guardian. With other exchanges depending on Nasdaq’s pricing software for accuracy, the shutdown is believed to have locked up $5.7tn of shares.

The shutdown highlighted how technology failures can impact financial markets. And analysts believe it will refocus attention on regulatory efforts to strengthen the technology behind major stock exchanges. US regulators are considering making reviews of backup plans mandatory to ensure they keep up with technological changes and cyber threats. The Nasdaq shutdown is the latest of several high-profile glitches to hit US markets that have undermined market confidence.

While the shutdown could have been the result of sloppy programming or some other technical fault, it is also possible that malicious hackers were involved, independent computer security expert Graham Cluley wrote in a blog post. It would not be the first time hackers have turned their attention to exchanges, he said, citing the 2011 suspension of the Hong Kong Stock Exchange after the news portion of its website was hit by hackers. Cluley said hackers have an interest in manipulating stock prices for financial gain or disrupting and sabotaging the US economy. “Strong security systems and safeguards need to be in place to ensure that the possibility of such attacks being successful is kept to a minimum,” he said.

In June, Andrew Haldane, director of financial stability at the Bank of England, told parliament’s Treasury Select Committee that cyber attacks are the top risk for UK banks. Concerns over cyber attacks top even those around the eurozone crisis and the UK’s banks must do more to protect themselves, he said.

Earlier this week, a report by business consultancy KPMG said cyber attack or disruption could cause the next systemic shock to the UK banking industry rather than a liquidity crunch. While the banking industry has addressed many of the problems that led to the financial crisis in 2008, the KPMG report said cyber attacks or massive systems outages represented new threats.

Professional services firm PriceWaterhouseCoopers (PwC) has hired the former head of the central e-crime unit at the Metropolitan Police, Charlie McMurdie, to advise businesses on cyber crime. McMurdie spent more than 30 years at the Metropolitan Police, where she set up and led the e-crime unit.

PwC's cyber security practice advises organisations on issues such as intelligence, detection and prevention of cyber threats in addition to regulation around cybercrime and the overall impact cyber attacks can have on a business. McMurdie will now take up a role across PwC's Forensics, Risk Assurance and Legal Services cyber security teams, while also lecturing on cyber security matters at numerous UK universities.

She said: "I am delighted to be working alongside the skilled professionals in PwC's cyber security practice. PwC has a proven track record helping organisations to tackle the complex and sophisticated threats posed by cyber criminals.

"Operating securely in the cyber environment is an urgent issue facing business leaders today. If organisations are going to combat the incredible resourcefulness and ability of the attackers, they must understand the risks they face and put into place the necessary processes and policies to respond adequately," she added.

John Berriman, chairman of the cyber security practice at PwC, said he was "very pleased" that McMurdie had joined the firm. "Charlie is an internationally recognised cyber crime and security expert with extensive experience in the industry, making her a great addition to the team.

"Through continually strengthening our cyber security practice, we can better help our clients to recognise and address their cyber vulnerabilities," he said.
This update adds RAW image compatibility for the following cameras to Aperture 3 and iPhoto '11:   Canon EOS 70D Fujifilm X-M1 Leica M Leica M Monochrom Nikon COOLPIX P330 Pentax 645D Sony Cyber-shot DSC-RX1R Sony Cyber-shot DSC-RX100...