
Tag: Data Storage

eWEEKchat March 9: Is Data-Centric Security the Future?

This will be a particularly timely eWEEKchat conversation on how security is moving ahead in the nascent IoT age. On Wednesday, March 9, at 11 a.m. PST/2 p.m. EST/7 p.m. GMT, @eWEEKNews will host its 41st monthly #eWEEKChat.

The topic will be "Is Data-Centric Security the Future?" It will be moderated by Chris Preimesberger, who serves as eWEEK's editor of features and analysis.

Some quick facts:

Topic: "Is Data-Centric Security the Future?"
Date/time: March 9, 2016 @11 a.m. PST/2 p.m. EST/7 p.m. GMT
Moderator: Chris Preimesberger: @editingwhiz
Tweetchat handle: Use #eWEEKChat to follow/participate, but it's easier and more efficient to use the real-time chatroom links.
Chatroom real-time links: We have two: http://tweetchat.com/room/eweekchat or http://www.tchat.io/rooms/eweekchat. Both work well. Sign in via Twitter and use #eweekchat for the identifier.

"Is Data-Centric Security the Future?"

Data-centric security is designed to protect data at all times while allowing it to flow freely and securely anywhere, without the need for plug-ins, proxies, gateways or changes in user behavior. This defines a large trend in IT in which the primary function is the management and manipulation of data itself, rather than security focused primarily on the application, networking or storage. This type of security follows the data item or store around wherever it travels—on-premises or off. This is as close to an airtight concept as there can be when it comes to securing the Internet of things, many industry observers say.

With the advent of virtualized IT systems, the worldwide explosion in the use of cloud and managed services, and the increasing usage of data storage and big data analytics inside clouds, data is often separated into so-called "chunks" for security purposes and spread across various locations. Later, when the entire file is needed, systems reassemble these chunks—usually with a just-in-time methodology.

All this movement has made conventional security a central problem, and data-centric security—centered around government-level encryption—may have come to the rescue as the only way to handle all this travel in a reliable fashion.

Some of the leading innovators in this space include Thales Security, which recently bought Vormetric for this purpose; IONU, whose data isolation platform creates a separate and secure zone where data is insulated from the outside world; Dataguise, which specializes in data-centric security for NoSQL server shops; and Vera, which does both file-centric and data-centric security.

These are just a few of the data points we'll talk about on March 9. We also will pose questions such as:

--What do you personally see as the No. 1 advantage of using data-centric security?
--What other companies do you know will become data-centric security players in 2016?
--Do you see, or do you not see, data-centric security becoming mainstream in 2016?

Join us March 9 at 11 a.m. Pacific/2 p.m. Eastern/7 p.m. GMT for an hour. Chances are good that you'll learn something valuable.

Hackers Nab Seagate Employee W-2s Via Phishing Scam

Score one more for online miscreants as another tech company falls victim to a tax-related phishing scam. Hackers have been out in full force this tax season, and Seagate is the latest major tech company to fall victim to a targeted phishing scam. The Cupertino, Calif.-based data storage company revealed to security researcher Brian Krebs that online miscreants last week tricked one of its employees into handing over W-2 forms for all its current and past employees.

The W-2 documents, of course, contained employee Social Security numbers, salaries, addresses, and other personal information. The incident occurred on March 2, when phishers sent a Seagate employee what appeared to be a legitimate internal company note requesting the W-2 forms.

The employee obliged, inadvertently sending the information to hackers. Seagate notified federal authorities about the phishing attack, and is now offering affected employees a two-year membership for credit monitoring services, though as Krebs pointed out, that will not protect them from tax refund fraud. "We deeply regret this mistake and we offer our sincerest apologies to everyone affected," the company said. "Seagate is aggressively analyzing where process changes are needed and we will implement those changes as quickly as we can." The news comes as Snapchat just last week issued a mea culpa to its employees after revealing that one of its staffers also fell for a phishing scam and "revealed some payroll information" to hackers. Word has it Fast Company is also a victim. Meanwhile, the IRS has temporarily suspended its Identity Protection PIN tool, which allows taxpayers to retrieve their IP PINs online, and is "looking at further strengthening its security features." An IP PIN is a "six-digit number that provides an additional layer of protection for taxpayers who have been or could become victims of tax-related identity theft," the IRS explained.

Taxpayers using an IP PIN can find more information about the change here. The move comes after the IRS last month announced that hackers attempted to use some 464,000 stolen Social Security numbers and an automated bot to generate E-file PINs, which can be used to electronically file a tax return.

Carbonite

Carbonite is one of the most recognizable names in online backup. It's also one of the easiest-to-use online backup services around, its mobile apps are well done, and it presents a good value for your money. Carbonite is still weak on sharing features, however, and limits you to a single PC, with external and network drives off-limits for backup. Recent news for the service is that it's discontinued the Sync & Share feature, so, unlike competitors such as IDrive and SpiderOakONE, Carbonite no longer has folder-syncing capability.

Price Plans

Carbonite's pricing plans are pretty straightforward: For $59.99 per year, the Basic plan gets you unlimited backup space for one PC or Mac computer. The Plus upgrade option ($99.99) adds the ability to back up external drives and create a mirror image of your entire disk for full system backup. The Prime plan ($149.99) adds automatic video backup (included in the base plan of Editors' Choice service SOS Online Backup) and a courier recovery service, which sends your data to you on a disk. The last will be of interest to SOHO users who may not have time to download hundreds of gigabytes of restored files. The fact that Carbonite's base price only covers one PC is not uncommon. But Editors' Choice IDrive offers 1TB that you can use on as many computers as you like for about the same price as Carbonite's one-PC-unlimited plan. A free 15-day trial Carbonite account is available (with no credit card needed), but there's no permanent, low-storage free plan like those offered by OpenDrive and IDrive.

Interface: Choosing What to Back Up

After downloading Carbonite's PC software, you're taken through a clear wizard-driven process to select what's backed up and when. First you choose a nickname for the computer. That way, if you add other computers to your account, you know which one has the files you want.

Next comes a big help for those who aren't sure exactly which files to back up: The wizard offers to automatically choose what to include (documents, photos, email, and music) and when to upload the files. There's also an Advanced option that lets you decide on the backup set and schedule the backup for yourself. You can use Advanced either to fine-tune Carbonite's default selections or to start completely from scratch. If you spring for the Plus plan, you can have the service back up your entire drive, system files and all, as well as connected external drives. The higher-level plans also let you create a duplicate backup to local storage, so that you can recover files without an Internet connection.

Backup Scheduling and Security

Next it's time to choose when backups should occur. I really like the default option, Continuous. You can also simply tell the software to back up once a day. If your Internet connection isn't the strongest, you may prefer that, though you can also tell Carbonite not to upload during your busy hours. The Continuous option only uploads file changes and new files, however, so it shouldn't overly tax your connection. Once you know what you're backing up and when, you need to decide on a security level. Carbonite encrypts your data before sending it to its servers. By default, Carbonite manages your encryption key, but those who want to really lock down their data can choose to manage their own key. This means no one at Carbonite has the means to access your files even if compelled to by a search warrant, but also that they won't be able to recover your files if you lose the key. It means, furthermore, that you don't get Web access to your files; Mozy, by contrast, allows Web access for accounts using private keys. If you pick Carbonite, I recommend the still-secure but less-restrictive managed-key option.

Your final options before Carbonite actually starts processing and uploading your data are to have the service prevent your PC from sleeping and to add any files not covered automatically—videos, program files, and files larger than 4GB. A wizard page explains that the initial upload could take a couple of days. It also explains Carbonite's helpful File Explorer dots. The software adds a red dot if a file's waiting to be backed up, and a green one if it's all set. You can right-click on any allowable file to add it to the backup set. If you update a file, the right-click context menu offers a "back up as soon as possible" choice, something I appreciate. If this functionality is very important to you, then Carbonite is a better choice for you than SOS Online Backup. CrashPlan, IDrive, and SpiderOakONE offer similar Explorer integration, though. During upload, Carbonite's clear InfoCenter window shows you exactly which file is currently being worked on, along with an overall progress bar. A system tray icon lets you launch the InfoCenter, freeze your backup, or pause uploads. Clicking a linked number of pending backup files opens an Explorer window that mirrors your drive structure, though it's populated only by backup files. InfoCenter's Settings tab lets you turn off the Explorer dots, change the backup set and schedule, and reduce bandwidth usage.

Backup Speed

For performance and bandwidth testing, I timed Carbonite's backup upload speeds on two 100MB sets of mixed file types and sizes. I used PCMag's superfast 177Mbps (upload speed) corporate Internet connection so that bandwidth wouldn't be the limiting speed factor. At 3 minutes and 10 seconds, Carbonite was among the slower services, only besting the very slow Backblaze. This compared with SOS Online's 52 seconds and CrashPlan's 59 seconds. Carbonite used to throttle throughput speed for personal accounts after 200GB was uploaded, but the company has since ended that unpopular policy.

Restoring Files

Carbonite's InfoCenter is also your friend when it comes time to restore files. When you search for files to restore, you can either replace them in their original location or restore to a desktop folder. One problem I have with Carbonite is that if you delete a file on the backed-up PC, only to later realize you really wanted it, the service only keeps the file for 30 days. SOS keeps those files forever. Carbonite saves multiple versions of files as you edit and save them. They're kept for a bit longer than deleted files—3 months. But you're limited to 12 versions, compared with SOS's unlimited versions. In my tests of a document I updated several times, Carbonite correctly saved all versions. When you need to restore your entire PC backup to a new machine, Carbonite can recreate the lost PC's Windows user account on the new PC. You can also create a new user account for the backup. Note that when you do a full restore to a new machine, you lose the ability to back up the original PC, since the service only covers one PC per account. Otherwise, you can just save all the files to a separate folder. A nice option in the Restore window lets you use a search box to specify particular folders and files you need first. Carbonite estimates how long the restore will take, and you can access already-processed files any time during the restoration.

Web Interface

As with the desktop interface, Carbonite's Web interface is clear and well designed. It offers a folder view along with a quick search box, and all you have to do is double-click on a filename to start downloading it. One thing missing from the Web interface, however, is file-version choice. A Facebook button lets you send photos from your backed-up collection directly to the leading social network, but aside from this, there isn't much in the way of sharing features from the Web client. I am surprised that you can't even create a direct link to a file or extend editing access, as you can in several online backup services. Nor can you play music or videos from the Web UI.

Mobile Apps

Carbonite offers mobile apps for Android and iOS (missing is Windows Phone, for which IDrive has an excellent app). Oddly, you won't find links to the apps on Carbonite's site; you just have to search for Carbonite Mobile in the device's store. Large button tiles in the app offer access to Pictures, Documents, Music, and Desktop, or you can just view all your folders. I was able to view photos and documents, and even to play uploaded music right inside the app. File sharing is accomplished via iOS's built-in email sharing, which attaches files to an email message. The app was recently updated to support TouchID for easy access to protected files.

Easy, Unlimited Online Backup

If you just want to back up your PC files to prepare for the occasional crisis, Carbonite is a fine choice. It stands out in the crowded online backup space with its ease of use, unlimited storage, and continuous backup. Against these strengths, however, you have to weigh its lack of support for external disks, limited sharing features, and the short period deleted files are saved. If those are concerns, you're better off with one of the PCMag Editors' Choice online backup services: CrashPlan for its innovations, SOS Online Backup for its super speed and powerful features, or IDrive for its wealth of features at a low cost.

Moscow Raids Could Signal End Of Dyre Bank Trojan

Police keep mum as malware activity flatlines

One of the worst examples of financial malware appears to have fallen silent after its operators were reportedly arrested in Moscow following a rare raid by the Federal Security Service of the Russian Federation (FSB). Reuters reports Russian police raided Moscow film studio 25th Floor and a neighbouring office in November. Western law enforcement authorities are apparently aware of the incident, but Moscow has kept mum, with requests to the FSB for comment unanswered at the time of writing. The Register has inquired with police and threat intelligence sources previously tracking the malware group.

Little is known about the gang behind the Dyre malware. It is understood to have links to the FBI's most wanted cyber criminal Evgeniy Mikhailovich Bogachev, aka Slavik, who switched over to the crimeware after his pet project Gameover was taken down in raids by authorities. The malware is an advanced trojan capable of evading white hat analysis tools and antivirus products and was spreading rapidly last year.

But Dyre became less so as 2015 wore on, then fell silent in November. It is known to be responsible for inflicting tens of millions of dollars in damages on Western banks and businesses in the US, the UK, and Australia, spreading through dozens of separate spam and phishing campaigns since June 2014. In May Dyre was fingered for stealing some US$5.5 million from budget carrier Ryanair and has fleeced individual businesses of up to $1.5 million each in large-scale wire transfers using stolen online banking credentials.

[Figure: Dyre flatlines. Image: IBM.]

IBM analysis shows that Dyre activity flatlined in November after a steady decline since October. Sudden silence from malware operators is generally a hallmark of arrests in the cybercrime world, but an intentional hiatus is not without precedent. Researchers from Russia's Kaspersky Lab reported the Carbanak gang had resumed campaigns with renewed gusto after falling silent for five months last year, during which time analysts assumed the gang had disbanded.

[Figure: Dyre's domination. Image: IBM.]

IBM security expert Limor Kessem suggests the dearth of activity gives credibility to the possible arrests. "It has been close to three months now since Dyre went silent," Kessem says. "This in and of itself could have been a pause taken by its operators, an occurrence that happens from time to time. "But cybercrime gangs like Dyre do not typically stay out of the game for three whole months unless they are in trouble." Kessem says the arrests, if confirmed, would be one of the most significant in Russia's history. "A world without Dyre would definitely be safer for the financial sector in just about every country where the malware regularly attacked banks," she says. "But Dyre's absence will also give a bigger market share to other malware."

Did a hacker really pwn the FBI, US Homeland Security and...

Water cooler

My Twitter feed's blowing up! My dad's calling about it because even the New York Times is writing about it. The FBI, the US Dept of Homeland Security and the Dept of Justice all got hacked over the weekend? What the hell, man?

Uh-huh. On Sunday, a mystery hacker claimed to have details on more than 29,000 employees of the Department of Homeland Security and the FBI. The data was later dumped online, exposing the names, job titles, office phone numbers, and work email addresses of the employees.

That just sounds like directory information.

Indeed. It seems these records, at least, are not something terribly sensitive and, in some cases, that contact info could already be available for people to look up online. The data may even have been scraped from the public unclassified web. By itself, it's not a hugely damaging collection, though the hacker claims to have a lot more data.

Such as?

Well, the miscreant claims to have obtained hundreds of gigabytes of data thanks to a compromised DoJ email account, although there is no hard proof an inbox was hijacked. Allegedly, someone was able to log into a DoJ staff-only portal using this account, and pull up internal information. Precisely what all those gigabytes of data cover, how sensitive it all is, and whether the hacker still has access is unknown. As we've seen in recent incidents, not all hacked info is worthy of mass hysteria.

Wait, go back. This person hacked a DoJ account? That's really bad!

Possibly, but here's where things get murky. The DoJ information, supposedly 200GB, was taken from a single hacked account, and it has not been released yet. We don't know what, if any, sort of clearance this account may have had to view sensitive information – or if any data was really taken. It's claimed the account was verified by sending an email from the DoJ address to a Vice reporter, although addresses can be spoofed. There's also the fact that the DoJ doesn't think anything is amiss. A spokesperson provided the following statement to El Reg:

The department is looking into the unauthorized access of a system operated by one of its components containing employee contact information. This unauthorized access is still under investigation; however, there is no indication at this time that there is any breach of sensitive personally identifiable information.

So, this could be a really bad situation for Uncle Sam. Or just a pretty bad situation. Or not much of anything at all.

Indeed. Should the hacker produce 200GB of internal documents, the DoJ will have a huge mess on its hands. As it stands, however, thus far the only information we have is the directory info for a lot of government employees.

Well, that doesn't clear up much of anything!

Glad we could help.

Mobile apps are big threat to business security, researcher warns

Insecure commercial and internal mobile app coding practices leave the door wide open to cyber attackers, a security researcher has discovered. A lot of emphasis is placed on the millions of mobile malware samples being detected, but insecure apps could represent an even greater threat, according to an analysis of the top 1,000 apps. "A scan of just over 600 of the top apps so far shows a very obvious and alarming trend," said James Lyne, global head of security research at Sophos. "Programming practices are pretty bad despite there being ready-made security functionality available to consumers, but this is just not being used," he told Computer Weekly.

Although the study includes relatively few in-house mobile apps, Lyne said that so far, most are lining up with the worst of the commercial applications. The study compares the maturity of app development in the mobile and traditional desktop worlds, focusing on the use of encryption, data transmission, authentication and data storage. "It is really no surprise that these two worlds are not in alignment, but it is quite shocking how many applications, including large brands, are failing to make use of the security features available on mobile devices," said Lyne.

Despite the existence of easy-to-use application program interfaces (APIs) that will perform proper validation of the transport [layer], most app developers continue to use older, less secure methods of exchanging data. The study shows that an alarming majority of apps are failing to do things such as certificate pinning or public key pinning to prevent man-in-the-middle attacks. "Many developers seem to be using recycled code for making connections that they have simply copied from somewhere that will accept any certificate, enabling attackers to steal data easily on open Wi-Fi connections unless a VPN [virtual private network] connection is being used, but relatively few people do," said Lyne.

Local storage of data

Another area of common failings is local storage of data. Although most of the latest iOS and Android devices will do volume-based encryption by default and provide very good functionality to store "secrets" that have extra encryption applied and are unlocked only if the app is authenticated, Lyne said this functionality is used very poorly and inconsistently by most mobile apps. "Only around 3% of apps stick to an astonishing amount of best practice, like the Twitter app which has two-factor authentication, but then there is this cliff where all of the best standards and practices are not applied and all the data is put into the same unimportant bucket to be stored on the device," he said. The result is a very weak app ecosystem, where app A can see data from app B and there is a "flat" data model on the device, similar to that which was on PCs up until a few years ago.

The study also focuses on the use of credentials and authentication, and has found this to be another area of poor practice in about 90% of the apps analysed. Credentials are often sent "over the wire" using just hashing, often with outdated mechanisms such as MD5 and SHA-1, without salting, instead of using standards such as OAuth and SAML. "The majority of the authentication we have seen uses models that are abysmally poor," said Lyne. "Loads of MD5 passwords unhashed are being sent, which requires the user to have an incredibly strong password to avoid it being cracked."

Authentication poorly deployed

"Authentication, which should be a very solved problem in 2016 with all the wonderful program libraries available and all the functionality built into mobiles, is very poorly deployed," he added. In many cases, simply adding a single argument to the code would turn on the built-in functionality that would fix the problem, said Lyne. In some of the latest Android releases, he said, Google has done some "amazing work" to implement security features in the operating system. "We are seeing some really good generic exploit prevention in Android, but on top of that you have this layer of apps that are failing to do the security basics and check for basic flaws," he added.

Lyne blames the huge focus on rapid app development over "quality solution engineering" and "almost no investment" in checking mobile apps for poor programming practices. "Any rudimentary penetration testing or quality assurance processes as part of a software development lifecycle would catch stuff like this," said Lyne. The risk to the enterprise is that this failure to apply rudimentary security controls can be picked up by attackers using any source code scanner, he said. "At the same time, businesses are putting pretty much the same sensitive company data on mobiles as they have put on PCs in the past, and tend to trust mobiles more than PCs," he said. "But this study shows that the mobile industry does not have the same checks and balances or the same maturity." This means the fear that mobiles will become an easy route for attackers into the enterprise is likely to be realised as the lines between PCs and mobiles continue to blur. "The lack of security basics in mobile apps and processes for checking flaws is a really bad combination now, but in one or two years' time, when there is even more data on mobiles and they have an even greater position of trust, we are likely to end up with a really nasty mess," said Lyne. Attackers are aware of this situation and could already be exploiting the fact that most mobile apps are "leaving the door wide open", but it is hard to quantify that, he said.

And even if it is not being exploited yet, Lyne said: "We are building an ecosystem with massive trust on one side and a provable lack of integrity on the other, which is a terrible combination that could really burn us." He believes there is an urgent need for fundamental change, but says regulation is unlikely to deliver the necessary results. "It is very difficult to create a regulatory framework that has sufficient specificity to drive the desired technical behaviours," said Lyne. However, he said some legal action could be taken in light of the fact that some failures are so great, tantamount to releasing a car to market without testing the brakes once, that they could be classified as "negligence" and challenged legally. But even if regulators or others challenge the status quo on grounds of negligence, Lyne said it is unlikely to drive any significant change. "What is really required would be a change in consumer or end-user values to believe that mobile application security is important, but that is unlikely given the trust people have in mobiles and the fact that most are completely unaware of the flaws," he said. "The only thing likely to break the back of it is a really, really bad or nasty series of incidents that force companies to make changes due to bad press and consumers becoming more wary and demanding in terms of security. But in the meantime, who knows how much data siphoning is occurring."
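The credential weakness the study describes (an unsalted MD5 of the password sent and stored as the login token) is contrasted with a salted, iterated server-side hash in the following added Python example; it is not code from the Sophos study or from any app it analysed, and the user names, passwords and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample accounts: two users happen to have chosen the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "Summer2016",
    "bob": "Summer2016",
    "carol": "correct horse battery staple",
}

# Assumed work factor for the hardened scheme; tune for the server's hardware.
PBKDF2_ITERATIONS = 100_000


def legacy_md5_token(password: str) -> str:
    """The pattern criticised in the article: an unsalted MD5 digest of the
    password is what the app sends and what the server stores. It is fully
    deterministic, so identical passwords yield identical tokens for every
    user, and the digest itself becomes a replayable credential."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def legacy_scheme_is_linkable(users: Dict[str, str]) -> bool:
    """True if two distinct users share a legacy token, i.e. the stored data
    alone reveals that they chose the same password (and one precomputed
    digest table serves for every user)."""
    tokens = [legacy_md5_token(p) for p in users.values()]
    return len(set(tokens)) < len(tokens)


def hardened_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Server-side salted, iterated hash using PBKDF2-HMAC-SHA256 from the
    standard library. The client sends the password itself over a properly
    validated TLS channel; the server keeps only (salt, derived key)."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per account
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, dk


def verify(password: str, salt: bytes, stored_dk: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time so the
    comparison does not leak how many leading bytes matched."""
    _, candidate = hardened_hash(password, salt)
    return hmac.compare_digest(candidate, stored_dk)


def hardened_records(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Enrol every sample user under the hardened scheme."""
    return {name: hardened_hash(pw) for name, pw in users.items()}


def hardened_scheme_is_linkable(users: Dict[str, str]) -> bool:
    """Same check as for the legacy scheme: with per-user salts, equal
    passwords no longer produce equal stored values."""
    dks = [dk for _, dk in hardened_records(users).values()]
    return len(set(dks)) < len(dks)


if __name__ == "__main__":
    print("legacy tokens linkable across users:", legacy_scheme_is_linkable(SAMPLE_USERS))
    print("hardened hashes linkable across users:", hardened_scheme_is_linkable(SAMPLE_USERS))
    salt, dk = hardened_hash(SAMPLE_USERS["alice"])
    print("verify correct password:", verify("Summer2016", salt, dk))
    print("verify wrong password:  ", verify("summer2016", salt, dk))
```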

Rigby Private Equity Opens Up New Office In Austria

Wick Hill and Zycko strengthen Austrian business with new office in Vienna

London, Cirencester and Woking, UK: Rigby Private Equity (RPE) announces the opening of a new office in Vienna, Austria. Specialist value-added distributors Wick Hill and Zycko (both part of RPE) already have business in Austria, and this move shows the commitment of both distributors and RPE to strengthen and grow activities in that territory.

Paul Eccleston, head of RPE, commented: “Both Wick Hill and Zycko have traded successfully into Austria from Germany in the past and have had many requests from their vendor partners to open an office in Austria itself. We see this as a serious commitment to the territory, with significant opportunities for the value add, capability and services that both companies represent.”

The Vienna office will be staffed by a strong team of experienced people who will be supported by the core capabilities of both Wick Hill and Zycko. From day one, the Austrian office will have access to the skills of both companies, which include marketing, product and technical support, consultancy and professional services.

David Galton-Fenzi, CEO of Zycko, said: “Having a local resource in Austria will allow us to further improve the focus and level of service we can offer to partners there.”

Ian Kilpatrick, chairman of Wick Hill Group, said: “With the continued growth of our business in Austria, it was important for us to open the Vienna office to support our partners.”

Rigby Private Equity, which is building an EMEA-wide high-value, specialist distribution business, was formed in 2015 to identify established companies with both a great value proposition and plans for strong growth, to invest in these companies and to support the acceleration of their growth plans. In July 2015, RPE made a major investment in leading specialist security value-added distributor Wick Hill and in December 2015 added leading specialist services distributor Zycko.

About Zycko

Established in 1999, Zycko is an international, specialist distributor of innovative IT solutions including data networking, data storage, network monitoring and management, voice and video communications, virtualisation, cloud, and data centre infrastructure. The company focuses on new, best-in-class, innovative technologies, delivering first-class, sophisticated and professional services, accredited training, marketing and business development support to its customers. Through a careful selection of leading-edge strategic partners and technologies, Zycko provides the opportunity for channel customers to differentiate themselves in a crowded market. The company has 15 offices in 13 countries and serves the rest of the world from its UK headquarters. Zycko is part of Rigby Private Equity, a subsidiary of Rigby Group Investments, an independent company within Rigby Group plc.

About Wick Hill

Established in 1976, value-added distributor Wick Hill specialises in secure IP infrastructure solutions. The company sources and delivers best-of-breed, easy-to-use solutions through its channel partners, with a portfolio that covers security, performance, access, networking, convergence, storage and hosted solutions. Wick Hill is particularly focused on providing a wide range of value-added support for its channel partners. This includes a strong lead generation and conversion programme, technical and consultancy support for reseller partners in every stage of the sales process, and extensive training. Wick Hill Group is part of Rigby Private Equity, a subsidiary of Rigby Group Investments, an independent company within Rigby Group plc. As such, Wick Hill has its headquarters in the UK, an office in Germany and an office in Austria. Wick Hill is also able to offer services to channel partners in thirteen European countries and worldwide, through its association with Zycko, as part of RPE.

About Rigby Private Equity

Rigby Private Equity is the private equity arm of Rigby Group Investments, owned by the Rigby Group plc. Rigby Private Equity was founded in 2015, with significant funding, to build a portfolio of equity investments in leading, high-growth potential companies in the technology sector.

For further press information, please contact Annabelle Brown on 01326 318212, email abpublicrelations@btinternet.com.

Wick Hill https://www.wickhill.com
Zycko http://www.zycko.com

Source: RealWire

Targeted mobile implants in the age of cyber-espionage

Background

When mass-produced electronic spying programs became widely known to the public, many email providers, businesses, and individuals started to use data encryption. Some of them implemented forced encryption for server connections, while others went further and implemented end-to-end encryption for data transmission as well as server storage. Unfortunately, albeit important, these measures did not solve the core problem: the original architectural design used in email allows metadata to be read as plain text on both sent and received messages. This metadata includes recipient, sender, sent/receipt date, subject, message size, whether there are attachments, and the email client used to send the message, among other data. This information is enough for someone behind a targeted attack campaign to reconstruct a timeline of conversations and to learn when people communicate with one another, what they talk about, and how often they communicate. Using this information to fill in the gaps, threat actors are able to learn enough about their targets.

In addition to the above, technologies are evolving, so something that is encrypted today may be easily decrypted a few years later, sometimes only months later, depending on how strong the encryption key is and how fast technologies are developing.

This scenario has made people move away from email exchanges when it comes to confidential conversations. Instead, they started using secure mobile messaging applications with end-to-end encryption, no server storage and timed deletion. On the one hand, these applications provide strong data and connection encryption. On the other hand, they handle auto-deletion on cell phones and provider servers. Finally, they have practically no metadata, or are impersonal, thus not allowing identification of targets or data correlation. This way, conversations are truly kept confidential, safe, and practical.

Naturally, this scenario has made threat actors develop implants for mobile devices since, from a hacking perspective, they address all the aforementioned technical limitations, that is, the inability to intercept conversations between users who have migrated to these secure mobile messaging applications.

What is an implant?

This is an interesting term invented by the very same threat actors behind targeted attacks. We saw it for the first time during the Careto campaign we announced a few years ago. Now we will analyze some implants developed by HackingTeam to infect mobile devices running iOS (Apple), Android, Blackberry, and Windows Mobile. HackingTeam isn’t the only group developing mobile implants. There are several campaigns with different roots which have been investing in the development of mobile malware and using it in targeted attacks at the regional and international level.

Implants for Android

Android-based phones are more affordable and, consequently, more popular worldwide. That is why threat actors responsible for targeted attacks have Android phones as their #1 priority and have developed implants for this operating system in particular. Let’s analyze what one of these implants is capable of.

HEUR:Trojan-Spy.AndroidOS.Mekir.a

It is well known that the encryption algorithm used in text messages is weak. It is safe to assume that practically all text messages sent are susceptible to interception. That is precisely why many users have been using instant messaging programs. In the coding fragment above, we can see how threat actors are able to obtain access to the messaging database used by WeChat, a mobile application for text message exchange.

Let’s assume that the messaging application being used by the victim is really secure and has applied strong end-to-end encryption, but all messages sent and received are stored locally. In that case, threat actors would still have the ability to decode these messages: when they steal a database along with the encryption key that is stored within the victim’s device, threat actors behind these attacks can decrypt all contents. This includes all database elements, not only the text information, but also geographic locations shared, pictures, files, and other data.

Besides, threat actors have the ability to manipulate the camera on the device. They can even take pictures of the victim for identity confirmation. This also correlates with other data, such as the wireless network provider that the phone is connected to.

Actually, it doesn’t matter what application the victim is using. Once the mobile end point is infected, threat actors are able to read all messages sent and received by the victim. In the following code segments, we can see the instructions used to interact with the messaging applications Viber and WhatsApp. If a mobile device is compromised with an implant, the rule becomes very simple: if you read a secure text message on your screen, the threat actor behind that implant reads it too.

Implants for iOS

Undoubtedly, Apple mobile devices also enjoy a large market share. In some markets, they are certainly more popular than Android devices. Apple has managed the security architecture of its devices very well. However, that doesn’t make them completely immune to malware attacks, especially when there are high-profile threat actors involved. There are several infection vectors for these devices. When high-profile targets are selected, threat actors behind these targeted attacks may apply infection techniques that use exploits whose costs are higher (hundreds of thousands of dollars) but highly effective as well. When targets are of an average profile, less sophisticated but equally effective infection techniques are used. For example, we would point to malware installations from a previously infected computer when a mobile device is connected through a USB port.

What technical abilities do iOS implants have? Let’s see the following implant example:

Trojan.OSX.IOSInfector.a

This Trojan infects iOS devices while they are being charged by the victim of the attack, by using a previous Jailbreak made to the device. In other words, if targets usually charge their cell phones using a USB cable, the pre-infected computer may force a complete Jailbreak on the device and, once the process is complete, the aforementioned implant is installed.

In this code, you can see that the attacker is able to infect the device and confirm the victim’s identity. This is a crucial step during targeted attacks, since threat actors behind this kind of attack wouldn’t want to infect the wrong victim and, worse yet, lose control of their implant and spoil the entire operation, thus exposing their attack to the public. Consequently, one of the technical abilities of these implants is to verify the phone number of their victim, along with other data, to make sure they’re not targeting the wrong person. Among other preliminary surveying actions, this implant also verifies the name of the mobile device and the exact model, battery status, Wi-Fi connection data, and the IMEI number, which is unique to each device.

Why would they check the battery status? Well, there are several reasons for that, the main one being that data is transferred through the internet to the hacker’s server as this information is extracted from an infected device. When phones are connected to the internet, be it through a data plan or Wi-Fi connection, the battery drains faster than normal. If threat actors extract data at an unsuitable moment, the victim could easily notice that there’s something wrong with the phone, since the battery would be hot and start draining faster than normal. That is the reason why threat actors would rather extract information from victims, especially heavy data like photos or videos, at a moment when the battery is being charged and the cell phone is connected to Wi-Fi.

A key part of spying techniques is to combine a victim’s real world with the digital world they live in. In other words, the objective is not only to steal information stored in the cell phone, but also to spy on conventional conversations carried out offline. How do they do it? By enabling the front camera and microphone on hacked devices. The problem is that, if the cell phone isn’t in silent or vibrate mode, it will make a particular sound as a picture is taken with the camera. How do they resolve it? Well, implants have a special setting that disables camera sounds.

Once the victim is confirmed, the hacker once again starts to compile the information they are interested in. The coding below shows that threat actors are interested in the Skype conversations their victims are having. This way, threat actors have complete control over their victims’ conversations. In this example, Skype is the messaging application being targeted by threat actors, but it could actually be any application of their choice, including those considered very secure apps. As mentioned above, the weakest link is the mobile end point and, once it is compromised, there is no need to even crack any encryption algorithm, no matter how strong it may be.

Implants for Blackberry

Some targets may use Blackberry phones, which are known to run one of the most secure operating systems in the market. Even though they are safer, threat actors behind targeted attacks don’t lag behind and have their arsenal ready.

Trojan-Spy.BlackberryOS.Mekir.a

This implant is characterized by a strong code obfuscation technique. Analyzing it is a complex task. When we look at the code, we can clearly see that even though the implant comes from the same threat actor, the developer belongs to another developer group. It’s as if a specific group were in charge of developing implants for this operating system in particular.

What actions may these implants perform on an infected Blackberry device? Well, there are several possible actions:

- Checking the battery status
- Tracking the victim’s geographic location
- Detecting when a SIM card is replaced
- Reading text messages stored within the device
- Compiling a list of calls made and received by the device

Once Blackberry phones start to use the Android operating system, threat actors will have a farther-reaching operation.

Implants for Windows Mobile

Windows Mobile isn’t necessarily the most popular operating system for mobile devices in the market, but it is the native OS used by Nokia devices, which are preferred by people looking for quality and a solid track history. There is a possibility that some targets may use this operating system, and that is why the development of implants for Windows Mobile devices is underway as well. Next, we will see the technical scope of implants for Windows Mobile devices.

HEUR:Trojan-Spy.WinCE.Mekir.a

When infecting a victim’s mobile device, this implant is hidden under a dynamic library file by the name bthclient.dll, which is supposedly a Bluetooth driver. The technical abilities of these implants are practically limitless. Threat actors may perform several actions, such as checking:

- A list of apps installed
- The name of the Wi-Fi access point to which the victim is connected
- Clipboard content, which usually contains information of interest to the victim and, consequently, to the attacker

Threat actors may even be able to learn the name of the APN that victims connect to while using the data plan through their provider. Additionally, threat actors can actively monitor specific applications, such as the native email client and communications hub used by a Windows Mobile device to process the victim’s communication data.

Conclusions

Considering the explanation in the introduction, it is probable that the most sensitive conversations take place in secure end-to-end mobile applications and not necessarily in emails sent with PGP. Threat actors are aware of it, and that is why they have been actively working not only on developing implants for desktop computers, but also for mobile devices. We can say for sure that threat actors enjoy multiple benefits when they infect a mobile device instead of a traditional computer. Their victims are always carrying their cell phones with them, so these devices contain information that their work computers won’t. Besides, mobile devices are usually less protected from a technological point of view, and victims oftentimes don’t believe their cell phones could ever become infected.

Despite strong data encryption, a compromised mobile end point is completely exposed to spying, since threat actors have the same ability to read messages as the users themselves. Threat actors don’t need to struggle with encryption algorithms, nor intercept data at the network layer. They simply read this information the same way as their victim would. Mobile implants don’t belong to the group of mass attacks launched by cybercriminals; they are targeted attacks in which victims are carefully selected before the attack.

What Makes You A Target?

There are several factors involved in being a target, including whether you are a politically exposed person, have contacts of interest to threat actors, or are working on a secret or sensitive project that is also of interest, among others. One thing is certain: if you’re targeted by such an attack, the probability of infection is very high. Everything we’re seeing now is a battle for numbers. You cannot decide whether you’ll become a victim, but one thing you can do is elevate the cost of such an attack to the point that threat actors might give up and move on to a less expensive target who is more tangible in terms of time invested and risk of the exploit campaign being discovered.

How Can Someone Elevate the Cost of an Attack?

Here is a set of best practices and habits in general. Each case is unique, but the main idea is to make threat actors lose motivation once it becomes too laborious to carry out their operation, thus increasing their risk of failure. Among the basic recommendations to improve the security of our mobile devices, we could highlight the following:

- Always use a VPN connection to connect to the Internet. This will help make your network traffic less easily interceptable and less susceptible to malware that could be directly injected into a legitimate application being downloaded from the internet.
- Do not charge your mobile devices using a USB port connected to a computer. The best thing you can do is to plug your phone directly into the AC power adapter.
- Install an anti-malware program. It has to be the best one. It seems that the future of these solutions lies precisely in the same technologies already implemented for desktop security: Default Deny and Whitelisting.
- Protect your devices with a password, not a PIN. If the PIN is found, threat actors may gain physical access to your mobile device and install the implant without your knowledge.
- Use encryption for the data storage memories implemented by your mobile devices. This advice is especially relevant for devices that allow memory disk extraction. If threat actors extract your memory by connecting it to another device, they’ll also be able to easily manipulate your operating system and your data in general.
- Do NOT Jailbreak your device, especially if you’re not very sure what it implies.
- Don’t use second-hand cell phones that may already come with pre-installed implants. This piece of advice is especially important if your cell phone comes from someone you’re not very familiar with.
- Always keep the operating system in your mobile device updated and install the latest upgrade as soon as it becomes available.
- Review all processes being executed in your device memory.
- Review all authorized apps in your system and disable the automatic data submission function for logs and other service data, even if the communication is between your cell phone and your provider.

Finally, keep in mind that, without a doubt, conventional conversations in a natural environment are always safer than those carried out electronically.

Hague reassures MPs on Office 365 data storage as Microsoft ordered...

As a US judge finds Microsoft in contempt of court for refusing to hand over email data stored on an Irish server, the UK government has reassured MPs that their parliamentary data is safe on Microsoft servers in Ireland.

William Hague, the Leader of the House of Commons, has responded to concerns raised by an MP about the security of parliamentary data stored on Microsoft’s cloud-based servers in Europe. “The relevant servers are situated in the Republic of Ireland and the Netherlands, both being territories covered by the EC Data Protection Directive. Any access by US authorities to such data would have to be by way of mutual legal assistance arrangements with those countries,” he said in a letter to the MP for Birmingham Yardley, John Hemming.

Hague implied that MPs’ emails and documents would be protected from US surveillance, as the American courts would be unable to override the EU data protection regulations that protect the private information. “The US authorities could not exercise any right of search and seizure on an extraterritorial basis,” he said.

Microsoft in contempt

However, Hague’s assurances have been called into question after a US court today found Microsoft in contempt for refusing to hand over copies of emails stored on a server in the Republic of Ireland to the US government. US District Judge Loretta Preska made the order after Microsoft itself requested to be found in contempt, to take advantage of the right to appeal that follows a contempt ruling. The US government believes that the emails are connected to drugs trafficking.

Parliamentary correspondence at risk from US surveillance

Hemming told Computer Weekly that Hague’s reassurances carry little weight in the face of aggressive legal action by the US government. “The Microsoft case makes it clear that in the end the fact that Microsoft is a US company legally trumps the European Data Protection Directive. And where [the letter says] the US authorities could not exercise a right of search and seizure on an extraterritorial basis, well, they are doing that, in America, today.”

Whether or not the US Supreme Court will uphold the right to make extraterritorial searches remains to be seen, said Hemming. If Microsoft is let off, there will be implications for the security of all other extraterritorially stored data. “But,” Hemming adds, “it is a secret court.”

Concerns over cloud security

“So I think the parliamentary authorities need to think very carefully about whether their chosen solution is appropriate.”

Parliament migrated MPs’ and peers’ mailboxes to Microsoft’s Office 365 cloud servers in July this year. Hague wrote to Hemming, an IT specialist, after he raised concerns about the security of parliamentary data being stored in the cloud. Hague’s letter was co-signed by Sir Alan Haselhurst, the Chair of Parliament’s Administration Committee.

Parliamentary data is exempt from scrutiny by UK intelligence

Parliamentary correspondence has statutory exemption from scrutiny by the British security services. Hemming questioned whether a situation in which American intelligence officials may access it at will is constitutionally acceptable. “The law of Parliament states that the security services are not allowed access to parliamentary emails. I find it a bit odd that we establish a legal position where a foreign country’s security services are allowed access but ours are not.”

iCloud Photo Thefts Put Apple, Cloud Data Storage in Cross Hairs

Apple is performing damage control on one of the most embarrassing data breaches in recent memory. The personal iCloud accounts of a number of prominent movie stars and entertainers have been hacked, allowing the attackers to post nude photos of Hollyw...

Brazil caves to Google: New bill drops local data storage requirement

If bill passes, Brazil would become largest country with a net neutrality law.