
Tag: Removable Media

Barry Mattacott, marketing director at security specialist Wick Hill Group, looks at the security risks of linking more and more smart devices to our networks.

Are we just creating ever more vulnerable endpoints in today's world of the Internet of Things?

Back in the good old days, we nailed the front door up tight with a firewall and we knew that, with good security on our gateway, our network was safe from the nasties of the outside world.

But those pesky kids in their bedrooms, not to mention state-sponsored cybercriminals, worked out that they could circumvent our state-of-the-art firewall by looking for a way in at the opposite end of our network - the endpoint.

So now we all agree that securing the endpoint is essential, but just where is it and what does it look like?

Since those early days, there has been a massive proliferation of endpoints and security issues have grown alongside them. You can't go anywhere or do anything without risking an infection. A recent survey found that almost two thirds of USB sticks that were lost or found on public transport were infected with malware.
I guess this raises several issues.

Definitely, don't plug any old USB stick you find into your computer - that's how Stuxnet got its start in life, after all.

The survey also begs the question of why so many of these USB sticks are infected.

Could it be that people are deliberately infecting USBs and "losing" them? Infected USBs can today be considered a fairly traditional attack vector, along with code attached to downloaded files and drive-bys leaping out of infected websites to get you.

The security industry has made a pile of cash developing products to protect us and it's all fairly much in hand. But now we have a game changer because endpoints aren’t the same as they were.

Firstly, we had the revolution that was the mobile endpoint. Mobile phones and tablets are now huge players on our networks.

They have effectively put network endpoints in our pockets and allowed us to take them down the pub and lose them. The technology to protect them has been available for some time, but adoption has been woefully slow. You would have thought US Federal Agencies would be right on top of it, but a 2015 survey found 61 percent of agencies do not apply their network security policies to mobile devices!

So what does the future hold for the endpoint? Without doubt, the Internet of Things (IoT) means they are going to be everywhere! Network-attached security systems that give you video pictures of your front door and allow callers to leave recorded messages are essentially connecting your door bell to your main processor (home PC). Your Hive-controlled heating system is connecting you to the Internet. Despite these being serious systems, many have arrived on our networks and in our homes with gaping holes in their security.

British Gas took a thrashing in the national press when their control system was found to be a burglar's dream, easily allowing access to the heating schedule, which could tell them if the owner was at home, or even if they were away for an extended period of time.

Even cars have become endpoints. Until recently they were fairly much self-contained. Yes, they communicated with the Internet and manufacturers' control networks and as such they were hackable. We saw hackers demonstrate that they could take control of a Jeep and run it off the road.

This triggered a recall of 1.4 million cars by Chrysler in order to patch the operating system.

But they were somebody else's problem in that they didn't communicate with your network, so were not one of your endpoints. But car manufacturers, including Ford, are developing on-board systems to allow you to carry out vital activities like turning on your smart kettle whilst on the road.

This requires them to connect via the Internet to your own network. On the one hand, that kettle might be ever so smart in that it carries significantly more processing power than the 64 Kb memory operating at 0.043 MHz in the Apollo guidance system that put man on the moon. On the other hand, it's not smart enough to be fully secured against man-in-the-middle attacks that will allow a hacker to penetrate your network.

And once they are in, will they be able to access your car sitting in the driveway and steal it? It doesn't really matter how secure Ford makes your car if your kettle is going to leave the door open.

Why? Why is it that the Internet of Things is so woefully behind the curve regarding security?

To start with, your average kettle manufacturer doesn't have a great pedigree in network security.

They might make an awesomely efficient kettle but in the current climate they will find it difficult to find and employ a suitable security expert.

They are also in a rush.

They have just come up with the world saving idea of adding internet connectivity to your kettle, so obviously they are in a huge rush to get it to market before everyone else thinks of it and beats them to it.

And of course, functionality will always beat security. No one wants to go through multi-factor authentication every time they want a cup of tea.

So what can you do about it? Purchase (and attach to your network) with care. When it comes to the Internet of Things, you are putting your trust in the hands of others.

There is little that you personally can do to ensure that your TV, kettle, car, fridge, etc., etc. is secure. One piece of advice is to look out for names that you feel you can trust with security. Manufacturers are starting to come up with solutions for these gaping security holes.

Gemalto, for example, is emerging as a front runner in the field of IoT security.

They have hardware modules, platforms and service solutions that allow you to connect and protect any machine-to-machine or electronic consumer device.

They are currently working with all sorts of OEMs, mobile network operators and industrial manufacturers in various markets.
http://www.gemalto.com/iot

Barracuda Networks felt the need to bring out a brand new range of products designed to protect the Internet of Things and machine-to-machine connectivity.

Their S Series currently includes Barracuda NextGen Firewall Secure Connector 1 (SC1) and the Barracuda NextGen Secure Access Concentrator (SAC).

These two appliances will make it a lot easier and infinitely more secure for enterprises to benefit from and roll out large-scale deployments of devices like Automated Teller Machines (ATMs), point-of-sale kiosks, wind power stations and networked industrial machines in remote locations.
https://www.barracuda.com/products/nextgenfirewall-s

Another well-known name in security, Kaspersky Lab, is making a move in the automotive space and is currently in talks with most of the world's car manufacturers, particularly around the area of securing self-driving cars.

They are looking to secure not only the industrial controls of the production process but also the connected car. Kaspersky Lab is coming at this from a great place as they are already involved in protecting Ferrari.

Aside from the usual endpoint protection they also integrate with existing complex infrastructure, including industrial technologies and mobile devices.
In future, if your car is protected by Kaspersky, then you can probably be pretty sure your kettle can't steal it!
http://www.techworld.com/news/startups/kaspersky-looks-secure-self-driving-cars-factories-theyre-made-in-3615206/

You can also do some research on good old Google.

Thinking about stuffing an EZCast Streamer in your TV's USB port? A quick check online will find a recent report from Check Point which revealed that the wi-fi network the EZCast sets up can easily be breached, allowing the attacker access to your main network, where they can wreak havoc or steal confidential data.
So don't be in a rush to buy.

And check it out before you do.
http://blog.checkpoint.com/wp-content/uploads/2015/12/EZCast_Report_Check_Point.pdf

One important thing to check is whether the firmware on the product you are buying can be updated. Users of SimpliSafe wireless home alarm systems recently found out that the system is stupidly easy to hack with basic sniffing equipment, allowing its PIN to be grabbed from 30 metres away.

But to really rub salt into the wounds, the hardware apparently cannot be patched or updated to overcome the vulnerability, which leaves owners with no choice but to junk their system.
http://thehackernews.com/2016/02/hack-home-security-alarm.html

So what's the best tactic if you don't want to fall victim to security weaknesses in your clever consumer devices, intelligent cars and machine-to-machine equipment which make up the Internet of Things? The best advice would be to try and resist the frivolous items like kettles and door bells and stick to things made by reputable manufacturers, preferably ones that have some sort of pedigree in networking.

ENDS

About the author

Barry Mattacott is marketing director of Wick Hill Group, which is based in Woking, Surrey and Hamburg, Germany. Wick Hill Group is part of Rigby Private Equity (RPE), a subsidiary of Rigby Group Investments, an independent company within Rigby Group plc.
Specialist distributor Zycko is also part of RPE, and in co-operation with Zycko, Wick Hill can offer a pan-European service which provides a common proposition and consistent delivery for vendor and reseller partners covering 13 countries. Users of products sourced through Wick Hill include most of the Times Top 1000 companies, in addition to many non-commercial organisations, government departments and SMEs across all business sectors.

Through its channel partners, the company has delivered IT solutions to more than a million users world-wide. Wick Hill currently has offices in Woking, Surrey, with sister offices in Hamburg.

ENDS

For further press information, please contact Annabelle Brown on 01326 318212, email pr@wickhill.com, Wick Hill https://www.wickhill.com or www.twitter.com/wickhill.

For pic of Barry Mattacott please go to https://www.wickhill.com/company/press/pictures or contact Annabelle Brown.
So update your software – now!

Patch Tuesday

Microsoft has published the March edition of its monthly security updates, addressing security flaws in Internet Explorer, Edge and Windows, while Adobe has issued updates for Digital Editions, Acrobat and Reader. Microsoft posted 13 bulletins this month:

MS16-023: A cumulative update for Internet Explorer addressing 13 CVE-listed vulnerabilities, including remote code execution flaws. Visiting a booby-trapped webpage using IE can trigger the execution of malicious code and malware on the system.

MS16-024: A cumulative update for Microsoft Edge that addresses 10 CVE-listed memory corruption vulnerabilities and one information disclosure flaw.

MS16-025: An update for a single remote code execution vulnerability in Windows. This flaw only affects Windows Vista, Server 2008 and Server Core. "A remote code execution vulnerability exists when Microsoft Windows fails to properly validate input before loading certain libraries," says Redmond. "An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

MS16-026: Two CVE-listed vulnerabilities in Windows, one causing denial of service and another allowing remote code execution. If an attacker convinces "a user to open a specially crafted document, or to visit a webpage that contains specially crafted embedded OpenType fonts," then malicious code will execute on their system.

MS16-027: Two CVE-listed vulnerabilities in Windows Media Parsing, both potentially allowing remote code execution. Visiting a webpage with a booby-trapped video embedded in it can exploit the bug to hijack the PC.

MS16-028: Two flaws in the Windows PDF Library that allow for remote code execution if you open a maliciously crafted document.

MS16-029: An update for Office addressing two memory corruption flaws and one security feature bypass vulnerability. Opening a document laced with bad code will trigger the bugs.

MS16-030: An update for two remote code execution vulnerabilities in Windows OLE. "An attacker must convince a user to open either a specially crafted file or a program from either a webpage or an email message," noted Microsoft. After that, code execution is possible.

MS16-031: An elevation of privilege vulnerability in Windows: applications can abuse handles in memory to gain administrator-level access.

MS16-032: An elevation of privilege vulnerability in the Windows Secondary Logon Service: again, applications can abuse handles in memory to gain administrator-level access.

MS16-033: An update to address a flaw in the Windows USB Mass Storage Class Driver that could allow attackers to gain elevation of privilege with a specially crafted USB drive.

MS16-034: A collection of four elevation of privilege flaws in the Windows Kernel-Mode Drivers: applications can exploit these to execute malicious code at the kernel level.

MS16-035: A fix for one security feature bypass flaw in the .NET Framework.

Adobe, meanwhile, has issued two updates for its products: Digital Editions for Windows, OS X, iOS and Android has been updated to patch a remote code execution vulnerability. Acrobat and Reader for Windows and OS X have been updated to address three CVE-listed remote code execution flaws. Users should also expect an update for unspecified vulnerabilities in Flash Player "in the coming days."
A dozen facilities fall as humble dropped USB sticks lead to network ruin.

Security researchers have exploited notoriously porous hospital networks to gain access to, and tamper with, critical medical equipment in attacks they say could put lives in danger. In tests, hospital hackers from the Independent Security Evaluators research team popped patient monitors, making them display false readings which could result in medical responses that injure or kill patients. They say other critical medical equipment could be accessed using the same attacks.

The team examined 12 healthcare facilities, two data centres, a pair of live medical devices, and a couple of web applications open to deeply compromising remote attacks. The research, led by healthcare head Geoff Gentry, is documented in this paper Securing Hospitals [PDF].

"On a disconnected network segment, our team demonstrated an authentication bypass attack to gain access to the patient monitor in question, and instructed it to perform a variety of disruptive tasks, such as sounding false alarms, displaying incorrect patient vitals, and disabling the alarm," the team says in the paper. "This attack would have been possible against all medical devices … likely preventing assistance and resulting in the death or serious injury of patients.

"The attack scenario is harrowing: Diligently executed, many human lives could be at stake, and extrapolating this problem to other hospitals is even more worrisome."

They say it is "very clear" that random attacks of that nature are viable. The 71-page document is the latest and one of the most comprehensive research efforts in the field of medical hacking, and paints what many in the hacking community know is a bleak picture of the state of security in hospitals.

[Image: Possibly the first detailed public attack model for patient health care. Image: Independent Security Evaluators]

Electronic health records can be stolen through basic cross-site scripting attacks, with a payload targeted at unprivileged nurses or physicians that, if executed, would grant attackers god-mode admin access. The perennial lure of USB as bait works too.

The team dropped 18 sticks around hospitals loaded with malware that executed on nursing stations - terminals that are something of a gold mine for attackers because they retain harvestable credentials for nurses and physicians who log in. From a humble USB stick, the hackers say they busted into the hospital's drug dispensary service.

That work-in-progress could grant the team the ability to manipulate inventory. "If this medication were then given to a patient, it would likely harm or kill the patient," they say. For the physical on-site attacker, exposed hardware device ports and open computers operating in patient rooms are nothing less than a candy shop of sweet attack surfaces.

Many of these security failures come down to lax or absent business processes. "The findings show an industry in turmoil: lack of executive support; insufficient talent; improper implementations of technology; outdated understanding of adversaries; lack of leadership, and a misguided reliance upon compliance," the team says. "[It] illustrates our greatest fear: patient health remains extremely vulnerable.

"One overarching finding of our research is that the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective."

Hospital information security is "drastically" underfunded, training is flawed at all levels, networks are insecure, and policy and audits are largely absent and at best flawed where they do exist. The facilities had vendor security kit that is not only inappropriate but poorly implemented, the researchers said, and was rife with vulnerabilities, or operating alongside in-house technology peppered with flaws. This insecurity "fog" makes it hard to pinpoint the root cause or amplifying factor of any given problem.

"We found egregious business shortcomings in every hospital, including insufficient funding, insufficient staffing, insufficient training, lack of policy, lack of network awareness, and many more," researcher Ted Harrington says. "These vulnerabilities are a result of systemic business failures."

The team offers detailed advice for remediating identified problems. It comes six months after hospital hacking duo Scott Erven and Mark Collao found exposed online thousands of critical medical systems, including Magnetic Resonance Imaging machines and nuclear medicine devices. In that work one "very large" unnamed US healthcare organisation exposed some 68,000 medical systems including 21 anaesthesia, 488 cardiology, 67 nuclear medical, and 133 infusion systems, 31 pacemakers, 97 MRI scanners, and 323 picture archiving and communications gear.
In a cryptic message posted on its website, SlySoft, a company that made several applications devoted to defeating DRM schemes, announced that it has shut down. “Due to recent regulatory requirements we have had to cease all activities relating to SlySoft Inc.,” reads the brief message. “We wish to thank our loyal customers/clients for their patronage over the years.”

SlySoft made its name by creating software capable of defeating the Content Scrambling System used by DVDs and later by defeating the Advanced Access Content System and BD+ DRM used by Blu-ray and HD DVD. In 2016, a time when digital distribution is ubiquitous, the landscape of a decade ago seems almost quaint.

Content creators were just as determined to keep video as locked down as they are today, but the battle was waged with DRMed optical discs on one side and decryption software on the other.

And SlySoft’s AnyDVD and AnyDVD HD were favored weapons of Windows users who wanted to copy DRMed movies to their hard drives for personal use (and for uploading to P2P sites).

Even if you didn't care too much about format-shifting, AnyDVD made it possible to skip past trailers users were forced to watch on DVD players. Unlike CSS, which was easily defeated, AACS used encryption keys that could be modified after the fact.
In addition, Blu-ray used an additional layer of protection called BD+.

That led to a cat-and-mouse game where SlySoft would announce it had cracked discs protected by BD+, only to have the movie studios and the Blu-ray Disc Association update the encryption keys.

The reasons for SlySoft’s sudden shutdown aren’t known. Headquartered in the Caribbean nation of Antigua, the software firm had been the target of vitriol and legal threats from the film industry throughout the years. Myce, which was first to report SlySoft’s shutdown, notes that the company had been found liable for copyright infringement by an Antiguan court in 2014 and fined $11,000. Myce speculates that AACS-LA and other licensing bodies may have used the adverse judgment to pressure other firms to stop doing business with SlySoft.
The agreement, which includes 20 years of supervision of Asus security efforts, sends a message as more devices and systems become connected.

U.S. regulators are putting the tech industry on notice that security in the age of the Internet of things needs to be a priority.

The Federal Trade Commission (FTC) has settled charges with Asus around complaints of critical security flaws in its wireless routers, issues that regulators said put hundreds of thousands of consumers at risk. Part of that settlement includes Asus agreeing to maintain a comprehensive security program that includes its wireless routers and associated firmware being independently audited every two years for the next 20 years.

At a time when billions of devices and systems—including home appliances and home security systems—are being connected to the Internet and increasing the attack surface for hackers, security needs to be a priority, including in the wireless routers that will be crucial for connecting these devices, according to Jessica Rich, director of the FTC's Bureau of Consumer Protection.

"The Internet of things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks," Rich said in a statement. "Routers play a key role in securing those home networks, so it's critical that companies like Asus put reasonable security in place to protect consumers and their personal information."

The number of connected devices worldwide is expected to skyrocket over the next several years, from home systems and connected cars to medical devices and industrial systems.

Cisco Systems officials are predicting there will be more than 50 billion connected devices, systems and sensors, double the 25 billion in 2014. Cyber-security experts have expressed concerns that device makers are spending more of their attention and money on features for their products and less on the security, opting instead to just bolt on security after the device has been built. Regulators are hoping that more of an emphasis is put on security.

The FTC found that part of Asus' marketing pitch for its routers was that they offered multiple security features that protected users' computers and networks from hacking, intrusion and virus attacks. However, the regulators found that the Taiwanese device maker didn't take the steps necessary to make the software on its routers secure.

The commission said in its complaint that there were pervasive security bugs in the router's Web-based control panel that could be exploited by hackers who wanted to change the device's security settings.

A malware researcher in 2015 uncovered a campaign by hackers that took advantage of the vulnerabilities to reconfigure routers and take control of users' Web traffic.
In addition, various design flaws in the router made these vulnerabilities worse, the regulators said.

Asus features connected to the routers—AiCloud and AiDisk—also had security flaws, the FTC found.

AiCloud enables users to plug a USB hard drive into the router to create personal cloud storage that could be accessible from their devices, and AiDisk let users connect to the USB drives through File Transfer Protocol (FTP).

These also were advertised as secure, and yet hackers were able to exploit a vulnerability in AiCloud to bypass its log-in screen and access the connected storage device without credentials through a specific URL, regulators said.

AiDisk did not encrypt consumer files that were in transit, while the default privacy setting offered public access to the storage device to anyone on the Internet.
In 2014, hackers located vulnerable routers and exploited these flaws, gaining access to more than 12,900 connected storage devices, the FTC found.

Asus often did not address the security issues in a timely manner and failed to notify customers of the security flaws, the commission said.

Along with the comprehensive security program and auditing mandate, the FTC's consent order also will require the device maker to notify customers of software updates or other steps that they can take to protect themselves, including an option to register for direct security notices through email, text message or push notification.

Regulators said the mandates on Asus are part of a larger effort by the FTC to push companies to ensure the software and devices they sell to consumers are secure.
The BlackBerry is all but dead, with the company having abandoned its own operating system in favor of an older version of Android.

Even if BlackBerry keeps investing in deep Android security integration, as it has done in the BlackBerry Priv, it's clear BlackBerry's limited resources will keep it lagging the pace of change in mobile. That's been a major concern for high-security businesses, which really depend on the all-stack security model BlackBerry has long delivered, interlocking the hardware and OS to ensure tampering is detected and thwarted. Samsung wants to fill that vacuum, and later this year it'll take a significant step to do so.

The company has been moving in this direction for several years, through its Knox efforts.

The first version of Knox wasn't all it was cracked up to be, but the company has made significant progress since then and has been rewarded with a growing clientele in the defense and financial sectors.

Samsung's variant of Android 6.0 Marshmallow will debut in the new Galaxy S7 lineup and be available, along with the required Marshmallow upgrades, for the older Galaxy Note 5 and Galaxy S6 lineups, as well as for its premium Galaxy Tab S tablet series. All versions of Knox already tie the Samsung hardware to the security system running on the device -- at a layer below the operating system.

As the developer of both the hardware and security system, Samsung has the same advantage that BlackBerry has long enjoyed in such integration. (Apple's iOS devices also have vertically integrated security, but Apple severely restricts access to that stack, so government agencies and others can't customize it in the way that Samsung allows.) On flagship devices such as the Galaxy S7, the new Knox-enabled hardware integration in Samsung's Marshmallow version will also support Android for Work, Google's managed-container technology, which debuted a year ago.

Thus, companies that standardize on the recent Samsung mobile devices can choose either Android for Work or Knox as their security systems -- or both. Other manufacturers' devices that run Android for Work won't get that hardware integration, of course, but IT would have a common console for all devices.

The approach would work well for a company that issues Samsung devices for high-security users and lets other users choose their own Android device. Samsung's security efforts go beyond supporting Android for Work.

The new Galaxy S7 and S7 Edge smartphones bring back the SD card removed a year ago in the S6 lineup, a decision that had dismayed many users. Samsung smartly put the SD card in the same tray that holds the SIM card, minimizing the structural work needed within the phone bezel and the number of holes in the device. Users can enable or disable encryption on the cards, and IT can force the SD card to be encrypted using standard mobile management policies.

That's par for the course these days. Where Samsung goes a step further is in its support for layered encryption for the SD card. Samsung has APIs that let companies develop finer-grained control of card encryption, such as allowing IT access to wipe it while only letting the authorized user -- or even specific apps -- work on the contents. Whether the encryption is all-or-nothing or layered, the SD card itself can only be decrypted on the device where it was encrypted, so encrypted SD cards cannot be swapped with other devices, including computers, for content sharing.

And there is no backdoor for decryption by others, Samsung notes. Apple uses the same approach to keep users' encrypted contents fully secured. That layered approach to SD card encryption should appeal to security-conscious organizations that have long favored the BlackBerry.

But they'll need to do custom development to use that layering -- so far no commercial tools are available. Maybe one of the mobile management vendors will get into this action. Mobile devices are very secure; too many IT organizations have unjustified fears around mobile security -- but there is a class of user that needs more than the very good security that Apple's iOS and the latest versions of Google's Android provide.

For them, Samsung increasingly looks like the new gold standard to replace BlackBerry.
By Barry Mattacott, marketing director, Wick Hill Group

Are industrial control and SCADA (Supervisory Control and Data Acquisition) systems the new frontier, not just for cyber-crime but also for cyberwar?

Until recently, when you were at war with a country, you sent in your bombers. First they hit the military targets. Once they had finished those off, they would hit infrastructure, with attacks designed to destroy industry and demoralise the civilian population. Electricity production, oil and gas, even water and waste services would all be targeted.

However, nowadays, you don't need brute force to turn the lights off. This was recently demonstrated by hackers attacking Ukraine, who succeeded in knocking out power supplies to up to 1.4 million residents through the social engineering attack known as spear phishing. An infected Word document was used to introduce BlackEnergy malware into critical systems.
http://www.bankinfosecurity.com/ukrainian-power-grid-hacked-a-8779/op-1

It was also social engineering which introduced that classic piece of industrial control malware, Stuxnet. It is now widely believed that Stuxnet was originally developed by an American/Israeli alliance, specifically to attack the control systems within Iran's nuclear industry. It eventually destroyed around 20% of Iran's centrifuges. The belief is that it was introduced into their system via an infected USB stick. Statistically, 60% of found USB sticks get plugged straight in, with this rising to 90% if the USB stick has a recognizable logo on it.
https://en.m.wikipedia.org/wiki/Stuxnet

More recently, researchers revealed a vulnerability in the Chrysler Jeep which caused the virtual recall of 1.4 million vehicles. It was demonstrated that a hacker could wirelessly access the control systems of the Jeep, with the potential to disable the brakes and steering. Although a recall notice was issued, owners were sent a USB stick that allowed them to apply an update themselves without the need to take the vehicles back to a dealer. Chrysler also implemented network-level security protection to block the exploit on the Sprint cellular network that connects their cars to the Internet.
http://www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-vehicles-bug-fix/

Let's not stop at cars, let's think big - The Great Train Robbery, 21st-century style. Now they can steal the whole train! A hacking team has discovered vulnerabilities within the control systems used in train networks worldwide that could allow attackers to cause derailments and even steal a whole train.
https://www.rt.com/usa/327514-absolutely-easy-hacking-train-systems/

Other worrying hacking incidents include the Slammer worm, which affected critical infrastructure as diverse as emergency services, air traffic control, water systems, ATMs, electrical companies, and a nuclear power plant’s process computers and safety display systems.

So why are these systems all so vulnerable? It’s probably due to a number of widely held misconceptions which were highlighted in research by Kaspersky Lab entitled ‘Five Myths of Industrial Control Systems Security’.
http://media.kaspersky.com/pdf/DataSheet_KESB_5Myths-ICSS_Eng_WEB.pdf

Myth: Industrial control systems are not connected to the outside world.
Fact: Most industrial control systems have eleven connections to the Internet.

Myth: We are safe because we have a firewall.
Fact: Most firewalls allow "any" service on inbound rules.

Myth: Hackers don't understand SCADA.
Fact: More and more hackers are specifically investigating this area.

Myth: We are not a target.
Fact: Stuxnet showed us that just because you weren't the intended target of industrial hacking, doesn't mean you won't become a victim.

Myth: Our safety system will protect us.
Fact: The chances are that your safety and control systems are using the same operating system with the same vulnerabilities.

Conclusion

Little recognised, dangerous, seriously disruptive, disabling, potentially lethal, and not widely defended against, industrial control and SCADA systems have the potential to be the new front line in modern warfare. Instead of brute force, countries can be softened up by the loss of essential infrastructure and services. Infrastructure providers, utility companies, transport companies and any organisation whose disruption could cause serious problems, as well as governments themselves, need to look much more seriously at how to defend against such cyber-attacks. Or there could be serious consequences for national security.

Source: RealWire
That shiny Internet of Things thermostat might look oh-so cool on the wall, but new research from Cisco shows it could be harboring a whole host of ugly malware.

Back in April 2014, the Cisco Talos security team alerted Trane that its Wi-Fi-connected ComfortLink II thermostat had some serious security flaws. The most egregious was the hardcoding of SSH passwords in the device. The SSH service is exposed to the network, meaning a nearby attacker who can get onto the gadget's Wi-Fi can use the credentials to log in and execute code remotely. Because a hardcoded credential is the same on every unit, a password recovered from one thermostat's firmware unlocks all of them. This design flaw is particularly bad news if the thermostat faces the public internet, since anyone on the planet could then potentially infiltrate the gizmo.

The other two flaws were buffer overflow vulnerabilities that could be exploited by sending unreasonably long data requests to the device. With trial and error, an attacker could overwrite sections of the device's memory and achieve remote code execution. Once inside the ComfortLink II, the assailant could turn the device into a little malware store used to infect other devices on the same wireless network as the so-called "smart" thermostat.

It's a serious issue and you'd think Trane would want to fix it. Not so, it seems. The Talos team sent Trane a warning in April, then another in June, and again in August and September. Nothing was heard from the firm. In April 2015, one year after the first alert, Trane fixed the hardcoded password issue with a new release of the ComfortLink's firmware. Cisco then tipped off US-CERT about the remaining issues. Trane eventually addressed the flaws in its code in January 2016, but didn't tell its customers that new firmware was available. The security fixes aren't installed automatically, either: you need to download the update to an SD card and then plug that card into the thermostat to perform the installation.

"The unfortunate truth is that few people think 'Hey! It's the first Monday of the month! I should check and see if my TV needs to be patched!'" said Alex Chiu, a threat researcher at Cisco Talos. "As a result, IoT devices that do not have an easy-to-use notification and updating mechanism are prone to being left alone, out of date, and vulnerable to compromise. This is similar to the fact that there are unpatched systems on the internet that are still vulnerable to Shellshock and Heartbleed and will remain vulnerable for the foreseeable future."

He raises a fair point: while everyone is cock-a-hoop these days for shiny IoT devices, almost no one is updating their operating systems. Even IT managers seldom give thought to updating the office thermostat when there are 101 other things requiring urgent attention on the network.

Dashlane 4

When your password manager is famed for its slick interface and ease of use, finding ways to improve can be tough. But don't worry, the folks at Dashlane are up to the challenge. Dashlane 4 is even slicker, more attractive, and easier to use. But that's not all. Its automated password changer now handles more than twice as many popular sites, and advanced features like emergency access and secure sharing keep Dashlane at the top of the heap. And despite these enhancements, the price is the same, $39 per year.

You access Dashlane in two distinct ways. Most of the time the small menu that you pull down from the browser toolbar button is sufficient, but for some activities you need to open the full user interface. And, of course, it captures credentials as you log in and replays them when you revisit sites, without any need for either the pull-down menu or the full interface.

Dashlane is free to use, with one condition: you can only use it on a single device, without the ability to sync with your smartphone, tablet, and so forth. That's a pretty strong limitation, enough that I don't review Dashlane as a free product. With the free LastPass 4.0 you can sync any number of desktops, any number of smartphones, or any number of tablets, as long as you stick to one of those three categories. LogMeOnce Password Management Suite Premium is free without any similar limitation.

User Interface Enhancements

Dashlane has always displayed your saved logins as tiles, with large or small icons representing the site in question. New in this edition, you can choose to view them as a list instead. Interestingly, LastPass 4.0 Premium, which used to offer only a list view, has added a Dashlane-style tile view. I do wish Dashlane had gone for smaller icons in the list view. As it is, switching to list view doesn't let you see significantly more items at once. If you've got a ton of saved passwords, you may find it handy to view them by category. Switch to that view, collapse all categories, and open just the one you want for easy access.

Of course, the simplest way to access your passwords is to type in the search box at top left. As you type, a list of found items narrows to show just the items that match. New in this edition, you can launch a site directly from the list of found items, or open a full menu of actions for an item. This menu lets you edit the saved info, see password history, share the item (more about sharing later), and more.

The interface also rearranges the options in the left-rail menu for better consistency. The Wallet category still includes payment-method data for form filling and the receipts Dashlane has collected for you. Personal Info and IDs (also used for form filling) are now under Wallet as well.

Previously, Dashlane fully supported English and Spanish, both localizing the user interface and optimizing program actions for the locale. Version 4 adds similar full support for five more languages, including Portuguese, German, Italian, and Japanese.

Basic Features

The folks at Dashlane want to make it easy for you to get started. You can import passwords stored (insecurely) in Chrome, Firefox, and Internet Explorer. Jumping ship from another product? You can import data exported by LastPass, RoboForm Everywhere 7, and several other competitors. LastPass is even more welcoming, with the ability to import from several dozen competitors.

As noted earlier, Dashlane automates the process of capturing login credentials as you type and playing them back when you revisit a website for which you've saved data. If multiple logins are available, it displays them as a menu. And of course you can launch a saved site from the browser menu or from the full UI.

You may occasionally run across a site whose login screen is weird enough that Dashlane doesn't recognize it. LastPass, RoboForm, and Sticky Password Premium handle this problem by letting you manually ask to save all data fields. Dashlane doesn't include this rarely-needed manual capture feature.

Protect Those Passwords

As always, it's important to use a strong password as your master password. Dashlane requires at least eight characters, including at least one digit, one lowercase letter, and one uppercase letter. That bar is set pretty low. I would strongly advise at least 12 characters, using all character sets.

For added security, you'd be well advised to enable two-factor authentication. You can choose whether Dashlane will require the second factor on every login, or just when you (or someone else!) attempt to log in from a new device. Dashlane specifically supports Google Authenticator and work-alikes such as the free Duo Mobile and Twilio Authy. Just scan the QR code displayed by Dashlane with your authenticator app to make the connection. (That QR code encodes the shared secret the app will use, so don't screenshot it or leave it on screen.) You can also set Dashlane to authenticate using Touch ID on iOS devices that support it.

LastPass's free edition supports smartphone-based authentication, like Dashlane, and even includes the option to authenticate using a printed wallet-sized grid. LastPass Premium adds authentication by YubiKey, fingerprint reader, or a specially configured USB drive. Sticky Password and RoboForm support fingerprint authentication. True Key's core functionality centers on multi-factor authentication. Factors include possession of a trusted device, fingerprint authentication, and facial recognition. In fact, with sufficient second-factor authentication, True Key lets you reset your master password, something few others do.

Password Generator

Any time you click in a password field to create a new account or change an old password, Dashlane pops up an offer to generate a secure password for you. On the plus side, this offer pops up right below the password field, so it's easy to click. On the minus side, you don't get an opportunity to configure the password manager at this point.

If you want more control over how the password manager works, click the browser toolbar button and then the password generator button. Here you can set the generated password length and choose from three character sets: digits, letters, and symbols. Dashlane doesn't distinguish between uppercase and lowercase letters. Like LastPass, Dashlane defaults to a 12-character password using just letters and digits. That's up from a default of 8 characters in the previous edition, but I suggest you raise the length to 16 characters and check the box to use symbols as well, then click the Use as Defaults button. Note that 16 characters using all character sets is the default for True Key by Intel Security.

Security Dashboard

Getting all of your passwords into Dashlane is a great first step, but you can't stop there. You need to clean up your passwords, fixing any that are weak and replacing any that you've used on multiple sites. Don't worry; Dashlane makes this process extremely simple.

Click the Security Dashboard item on Dashlane's left-rail menu for a quick percentage rating of your security level, much like what you get with LastPass's Security Challenge. I like the fact that Dashlane always offers a couple of "quick wins" to increase your score. It might identify a specific weak password and point out that you could gain three percent by fixing it.

The real action takes place when you click to view the detailed password analysis. Here you can view a list of all passwords, or limit it to weak, reused, or compromised passwords. Now Dashlane, like LastPass, also lets you list old passwords, meaning ones you haven't changed in a long time. Do note that the measurement of "old" starts when you add the password to Dashlane; new users won't see any old passwords for a while.

Probably the most useful view comes when you sort the list by safety level. For each password, Dashlane displays a safety percentage as well as a color-coded description: very unsafe, unsafe, not so safe, safe, and super safe. You can point to any item for details on how it got that rating. For example, a perfectly complex password may be on the unsafe list because you've used it on several different sites.

Fixing the weak and reused passwords can be a tough slog, but don't let that stop you. Pick the worst five or six and click the Replace now button for each. That will log you in to the site. From there, go to the change password dialog and let Dashlane create and save a new, strong password for you.

Password Changer

You may notice that the button next to some weak passwords is titled Auto-replace now, rather than just Replace now. Clicking that button invokes Dashlane's automatic Password Changer. For the full automated experience, though, you're better off clicking the Password Changer link at the top of the main password list.

Tech experts at Dashlane have analyzed hundreds of popular sites in order to devise scripts that automate the password change process. That lets Dashlane perform a hands-off password update for any supported site, and with Version 4 the list of supported sites jumps from 200 to 500. In the Password Changer window, you can check off any or all of the supported sites and click one button to have Dashlane change them all. You'll see a progress indicator by each item, advancing as Dashlane logs into the site, navigates to the password-change screen, and updates the password. LastPass's similar feature supports about 80 sites, but it needs to launch a browser tab for each site, and warns you strongly to leave those tabs alone.

If you've enabled two-factor authentication for any of your secure sites, Dashlane may need your help. When possible, it pops up a notification asking you to enter the verification code for that site. You do need to pay attention: if you wait too long and the verification code expires, Dashlane isn't equipped to request a new code. But no worries; if that happens, just try again.

I'm a huge fan of automatic password updates. Since Dashlane remembers all your passwords, there's no real reason for you to be involved at all. There are a few exceptions, though. Some passwords you just have to type yourself, like the Microsoft ID that you use to log in to modern Windows versions. And some sites have password-format requirements that Dashlane's automatic password generator can't meet. But for most sites, it's fantastic.

Secure Sharing

When a buddy asks for your password to some website "so I can check something," you know the answer. Just Say No! But sometimes you really need to share credentials with a colleague or partner. Dashlane has you covered. Just point to the item, click the menu icon, and select Share item. Enter the email address of the recipient, and specify how much access you're offering. If you choose to limit access, the recipient can use the shared item but can't view, edit, or share it. A recipient with full rights to the shared item can view, edit, and share it, or revoke access by others who share it, even you! You can enter a personal message before sending the request.

As with the similar feature in LastPass, the recipient will both receive an email and get a notification in Dashlane's Sharing Center. A recipient who doesn't yet use Dashlane will need to set up a free account, of course. Once the recipient accepts, the item in your own Sharing Center will change from Pending to Full Rights or Limited Rights, depending on your choice. You can click the wrench icon to switch between full and limited, or click the minus icon to revoke the share.

Emergency Contacts

What happens if you get hit by a meteor tomorrow? Will your heirs tear their hair out, trying to figure out how to access your accounts? Dashlane's emergency contact feature ensures that you can pass along your digital legacy after your demise, and it doesn't even require probate. Setting up an emergency contact to inherit your passwords is just as simple as sharing one password, with one important difference. You can set a waiting period for full access. If your supposedly trusted contact tries to get your credentials while you're still around, you can respond to the notification email to deny access. Then look for a more trustworthy contact.

LastPass's latest version includes a similar feature, but Dashlane takes it a step further. In addition to defining an heir for your entire stash of passwords, you can also give access to a subset of those passwords. For example, you could make your boss the recipient of only your work-specific passwords.

Advanced Form-Filling

Like many password managers, Dashlane also has the ability to help you with filling personal data in Web forms. But Dashlane takes the concept farther than many. RoboForm is the most flexible in this area, which is no surprise given that it started life as a form-filler. It lets you record a wide variety of personal data: names, email addresses, bank accounts, and more. And it supports multiple entries for every field. With LastPass, you can declare any number of full personal profiles or credit-card-only profiles.

Dashlane divides personal info into name, email, phone, (snail-mail) address, company, and website. You can add any number of each type. When Dashlane detects a Web form, it puts a tiny impala icon in each entry field. You click in any field and select the desired entry from the popup menu. At that point Dashlane fills all the fields using the first available entry, but you can change any of those with another click. For example, you might fill the phone number first, then click in one of the address fields to select a different address.

Payment information is handled separately, and gorgeously. In the main Dashlane interface, you enter as many credit cards, bank accounts, or PayPal accounts as you need. For each credit card, you specify the color and the issuing bank; Version 4 adds support for many more banks. When you click the credit card field on a Web form, you'll see images of your cards, each with the proper color and logo. It's especially great for those with a more visual orientation. Dashlane handles passports, driver's licenses, and other IDs in a similar fashion. Your passport displays using the color and style of the country you selected, and your driver's license looks like an actual license, with the state clearly displayed.

Receipt Capture

On shopping sites, Dashlane's help with Web forms doesn't end when you've filled in all your personal data. Dashlane offers to capture its own receipt for the transaction, with the full amount and, when possible, a list of purchased items. It even snaps a screenshot or two, in case you have trouble with the merchant and need to show some added proof. In the event Dashlane doesn't capture the item name, you can edit that before saving. From the main Dashlane interface, you can view your list of receipts, dig in for details, and view the associated screenshot for each. It's a handy record of your online shopping.

Mobile Features

Part of the user interface update in Dashlane 4 involved making the Android and iOS editions as identical to the Windows edition as possible. There are a few differences. For example, the mobile editions don't capture receipts for your purchases.

Dashlane can manage app passwords, but only for apps that support the Dashlane App Extension. This feature has been around for a while, but it's now gaining traction. More than 180 apps support it, including some big names like eBay, Flipboard, Tumblr, Twitter, and Uber. The Android edition also supports auto-login for apps. Once you give it a few Accessibility permissions, it can log in to any app, with no special app extension required. Both mobile editions include their own browser, which can automatically fill passwords and Web forms. And both can be configured to fill passwords in the default browser.

More Capable Than Ever

Dashlane 4's user interface is even slicker and easier to use than before, and you can now use it natively in seven languages. It offers uncommon features like secure sharing and password inheritance, as well as a unique receipt-capture feature for your online shopping. And you can use it on all your Windows, Mac, iOS, and Android devices. It's still a winner.

LastPass Premium 4 goes a bit beyond Dashlane in some technical areas such as two-factor authentication, and it now includes password inheritance. Sticky Password Premium does an especially good job with off-the-wall login pages and application passwords. These two, along with Dashlane, are our Editors' Choice password managers.
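The Password Generator and Security Dashboard sections of the review above describe two things a password manager does for you: draw random passwords from a chosen set of character classes, and flag vault entries that are short, reused, compromised or old. The Python script below is an added example written for this page, not Dashlane's or LastPass's code, showing both in working form. It uses the `secrets` module (a CSPRNG) rather than `random`, puts a number on the review's advice by computing the entropy of a 12-character letters-and-digits password versus a 16-character one with symbols, and runs the dashboard-style checks over a constructed vault. The symbol set, the sample vault, the reference date and the breach list are all assumptions made up for the example; Dashlane's real symbol set and scoring are not documented on the page.

```python
import math
import secrets
import string
from collections import Counter
from datetime import date

# The three character classes the review describes for Dashlane's generator:
# digits, letters (upper and lower are one class there) and symbols.
# The symbol set is an assumption; the page does not list Dashlane's.
CLASSES = {
    "digits": string.digits,                 # 10 characters
    "letters": string.ascii_letters,         # 52 characters
    "symbols": "!@#$%^&*()-_=+[]{};:,.?/",   # 24 characters, assumed set
}


def alphabet_for(classes):
    """Union of the selected character classes."""
    return "".join(CLASSES[c] for c in classes)


def entropy_bits(length, classes):
    """Entropy of a uniformly random password: log2(alphabet size) per character."""
    return length * math.log2(len(alphabet_for(classes)))


def generate_password(length=16, classes=("digits", "letters", "symbols")):
    """Draw a password with the CSPRNG in `secrets` (never `random`), keeping only
    candidates that contain at least one character from every selected class.
    The rejection step costs a fraction of a bit relative to entropy_bits() but
    satisfies the 'must contain a digit/symbol' rules that many sites impose."""
    if length < len(classes):
        raise ValueError("length too short to cover every selected class")
    alphabet = alphabet_for(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in candidate) for c in classes):
            return candidate


def classes_in(password):
    """Which of the three classes a password actually uses."""
    return {c for c, chars in CLASSES.items() if any(ch in chars for ch in password)}


def audit_vault(vault, today, min_length=12, max_age_days=365, breached=frozenset()):
    """Flag each entry the way a password-manager dashboard does: short,
    limited-charset, reused (same secret on several sites), compromised
    (present in a known-breach list) and old (not rotated within max_age_days).
    `vault` is a list of {"site", "password", "changed": date}. Returns {site: [issues]}."""
    usage = Counter(entry["password"] for entry in vault)
    findings = {}
    for entry in vault:
        pw = entry["password"]
        issues = []
        if len(pw) < min_length:
            issues.append("short")
        if len(classes_in(pw)) < 3:
            issues.append("limited-charset")
        if usage[pw] > 1:
            issues.append("reused")
        if pw in breached:
            issues.append("compromised")
        if (today - entry["changed"]).days > max_age_days:
            issues.append("old")
        findings[entry["site"]] = issues
    return findings


def worst_first(findings, n=5):
    """The 'pick the worst five' list: most issues first, then by site name."""
    ranked = sorted(findings, key=lambda site: (-len(findings[site]), site))
    return ranked[:n]


# Constructed sample vault, reference date and breach list (not real accounts or data).
TODAY = date(2016, 3, 1)
BREACHED = frozenset({"letmein", "password", "123456"})
SAMPLE_VAULT = [
    {"site": "mail.example",  "password": "Summer2015!",      "changed": date(2015, 6, 1)},
    {"site": "shop.example",  "password": "Summer2015!",      "changed": date(2015, 6, 1)},
    {"site": "bank.example",  "password": "pA7$kq9Lm2#vXz4w", "changed": date(2016, 2, 1)},
    {"site": "forum.example", "password": "letmein",          "changed": date(2014, 1, 15)},
]

if __name__ == "__main__":
    print("12 chars, letters+digits:", round(entropy_bits(12, ("digits", "letters")), 1), "bits")
    print("16 chars, all classes:   ", round(entropy_bits(16, ("digits", "letters", "symbols")), 1), "bits")
    print("generated:", generate_password())
    report = audit_vault(SAMPLE_VAULT, TODAY, breached=BREACHED)
    for site in worst_first(report):
        print(site, report[site] or "ok")
```

The arithmetic is the point of the first half: 12 characters from 62 symbols is about 71 bits, while 16 characters from an 86-symbol alphabet is about 103 bits, which is why the review's advice to lengthen the default and enable symbols matters more than any individual character rule. In the audit, a password that uses all three classes can still rank as unsafe purely because it is reused, matching the review's remark about complex-but-shared passwords.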

ESET NOD32 Antivirus 9

The vast majority of popular antivirus products get their names from the publishing company's name, or from a security-related acronym. ESET marches to a different drummer: the company is named after the Egyptian goddess of health, fertility, and protection against disease. ESET NOD32 Antivirus 9 is the company's latest standalone antivirus product, and it proves quite effective in testing.

A one-year subscription costs $39.99, roughly the same as Emsisoft Anti-Malware 10.0, F-Secure Anti-Virus 2016, and several other competing products. You can freely tweak your subscription to select the desired number of licenses and years. For example, a one-year three-license subscription costs $59.99.

This edition has a brand-new user interface, strongly influenced by ESET's extensive usability testing. The familiar blue and silver ESET robot gazes intently from the main window, just to the right of a status banner that normally displays "You are protected" on a green background. If there's any problem with the security configuration, the banner changes to a red Security alert, and a panel below both explains the problem and, when possible, offers a quick fix.

Installation is a multistep process that includes downloading the latest program code at the start and downloading the most current malware definitions at the end. In between you have a couple of decisions to make. You can choose whether or not to share nonpersonal program activity with the company via its LiveGrid system. And you must choose what to do about Potentially Unwanted Applications, or PUAs. PUAs aren't actively malicious, but they may use up system resources, display annoying ads, or otherwise cause trouble. Most antivirus programs include the ability to detect and remove PUAs, though not all of them enable this feature. ESET insists that you make the choice. You can't complete the installation without choosing whether or not to detect PUAs.

Mostly Excellent Lab Results

For the most part, ESET's technology gets very good ratings from the independent testing labs. To get a VB100 rating from Virus Bulletin, a product has to detect 100 percent of the malware samples without wrongly identifying a single valid file as malicious. ESET participated in all of the latest 12 Virus Bulletin tests and earned VB100 every time. Bitdefender Antivirus Plus 2016 is the only other product that matched this feat.

I follow five of the many tests performed by AV-Comparatives, including a couple of simple file detection tests, a whole-product dynamic test, and a test that measures how well antivirus products remove malware infestations. ESET earned Advanced+, the best rating, in four of the five tests. In the malware removal test, it still managed an Advanced rating.

Results weren't as uniformly impressive in AV-Test Institute's three-part test. ESET managed 5.5 of 6 possible points for protection against malware, and the maximum 6 points for usability (meaning that it didn't screw up by identifying valid programs and sites as malicious). However, it earned only 3 of 6 possible points for performance, for a total of 14.5 points. Kaspersky Anti-Virus (2016) and Symantec Norton Security Premium managed a perfect 18 points in the same test, as did Bitdefender and Avira. Bitdefender and Kaspersky in particular take top scores across the board in independent lab tests.

See How We Interpret Antivirus Lab Tests

Malware Scanning Choices

ESET's full scan on my standard clean test system took 28 minutes, a good bit below the current average of 40 minutes. Some products optimize their scanning during that first scan, taking repeat scans from fast to super-fast. For example, both AVG AntiVirus (2016) and Total Defense Anti-Virus (2015) managed a repeat scan in barely one minute. A repeat scan with ESET took just three minutes, so it clearly performs a similar scan optimization.

In addition to the ordinary on-demand and scheduled scans, ESET has a few other scanning tricks up its sleeve. From the Help and Support page, you can launch the ESET Specialized Cleaner, which aims to remove complex and persistent malware. For malware that interferes with booting Windows, or with running ESET, you can scan from an alternate operating system. Clicking SysRescue Live on the Tools page gets you the option of downloading a bootable ISO image of the SysRescue antivirus scanner or a program that can create a bootable CD or USB drive containing the scanner. In addition to a malware scanner that sidesteps all Windows-centric malware, the SysRescue environment includes a browser and live chat support tool, a PDF viewer, a number of system tools, and even a partition manager.

Hands-On Malware Blocking Tests

In my own hands-on malware blocking test, ESET did a decent job, but not an outstanding one. When I initiated the test by opening a folder full of malware samples, its real-time malware scanner eliminated 36 percent on sight. Many competitors wipe out far more at this point. AVG, McAfee AntiVirus Plus (2016), and Panda Antivirus Pro 2016 all creamed 86 percent of the samples as soon as I opened the folder.

I launched the surviving samples one by one and recorded how ESET handled them. It made a clear distinction between definite malware and PUAs. It immediately quarantined the former, displaying a transient popup reporting that a threat was found. For PUAs, it popped up a query explaining the situation and asking whether to let the program execute. I always chose to block PUAs. Overall, ESET detected 89 percent of the samples, and scored 8.6 of 10 possible points. That score puts it in the lower half of products tested with this same sample set. Bitdefender and Avast Pro Antivirus 2016 share the top score in this group, 9.3 points, and Webroot SecureAnywhere Antivirus (2015) managed a perfect 10 when tested against my previous collection.

As I've mentioned, I refresh my static set of malware samples about once a year, so this simple malware-blocking test doesn't reflect the latest malware. My malicious URL blocking test, on the other hand, uses malware-hosting URLs no more than a day or two old, from a feed generously supplied by London-based MRG-Effitas. In this test, I launch nasty URLs one after another and note whether the antivirus blocks access to the URL completely, wipes out the malicious payload, or sits idly doing nothing. I continue until I've recorded the results for at least 100 URLs.

ESET earned an 84 percent blocking rate, evenly divided between blocking URL access and wiping out downloads. That's better than almost all the competition, though Norton and McAfee both managed 91 percent in this test. Interestingly, ESET distinguished between known malware-hosting websites and sites whose content is uncertain, or potentially unwanted. It blocked the known bad sites outright, displaying a warning in the browser as well as a red transient warning. As with PUAs, it used a yellow-framed dialog box to ask whether it should block the potentially dangerous sites.

See How We Test Malware Blocking

Impressive Phishing Protection

You'd think that a strong ability to block malicious websites would translate into an equally strong ability to protect users from phishing sites, the fraudulent sites that try to steal your security credentials. I frequently find, though, that these two don't correlate. ESET, thankfully, performs well in both areas.

To test an antivirus product's ability to protect against phishing, I use the most recent fraudulent sites I can get. As much as possible, I use sites that have been reported as possible fakes but not yet analyzed and blacklisted. The products that do best in my phishing protection test actually analyze page content, so they can detect frauds with or without help from the blacklist.

Once I've collected my samples, I launch them one at a time in five browsers: one protected by Norton (which consistently does a great job against phishing sites), one by the product under test, and one apiece by the phishing protection built into Chrome, Firefox, and Internet Explorer. Few products come close to Norton's detection rate; many can't even beat the protection built into popular browsers. ESET's detection rate came in just 8 percentage points behind Norton's, and it beat out all three of the browsers. That's pretty good. Just a handful of competitors tracked Norton's detection rate more closely than ESET. Of recent products, only Bitdefender has scored better than Norton.

See How We Test Antiphishing

Host Intrusion Prevention System

While it doesn't actively offer firewall protection, ESET's antivirus does include a Host Intrusion Prevention System (HIPS). After confirming with my ESET contacts that this feature should kick in to block exploit attacks, I ran the exploit test that I usually reserve for products that include a firewall. Specifically, I hit the test system with about 30 exploits generated by the CORE Impact penetration tool. I found that ESET detected and blocked about 43 percent of the attacks, identifying the majority of them using the official CVE name. That's actually a better score than many products that specifically offer firewall protection achieve, though it doesn't come close to Norton's 100 percent detection rate.

Other Bonus Tools

If you allow it to access your system, ESET's LiveGrid system communicates nonpersonal data to ESET central. This includes information about what programs are installed. Whether you participate or not, you can get the benefit of LiveGrid by clicking Running Processes from the Tools page. In addition to listing all processes running on your system, this tool displays the prevalence of the process among ESET users by filling in 10 little person icons. On my test system, even the most common processes only got seven icons filled in. It also reports how long the process has been in ESET's database. A very new process with very few users is naturally suspect.

Another tool lets you watch file system activity, reporting the amount of data read and written over recent seconds, minutes, or hours. There's also an option to compare the hourly read/write rates with rates from previous months. The average user probably won't use this tool. The SysInspector tool gathers detailed information about your system's hardware and software. This is most likely to be used by ESET tech support. In testing, I found it took a very long time to generate a log report.

A Good Choice

ESET NOD32 Antivirus 9 is visibly improved over version 8, which scored poorly in our antiphishing and malicious URL blocking tests. It earned excellent scores in most (but not all) of the independent lab tests that I follow. You won't go wrong choosing ESET for protection. Even so, you'll get even better protection from our Editors' Choice picks. Bitdefender Antivirus Plus and Kaspersky Anti-Virus routinely ace independent lab tests. McAfee AntiVirus Plus protects all of your devices for a single subscription price. And the unusual detection system used by Webroot SecureAnywhere AntiVirus makes it by far the tiniest antivirus around.

ESET Smart Security 9

It's pretty easy to define a full-blown antivirus program—it's one that removes any malware that may be present on your system and prevents any attacks going forward. The definition of a security suite isn't so simple, because different vendors choose to meld different components when creating a suite. Antivirus and firewall components are de rigueur, and many suites also include spam filtering, parental control, and protection against malicious or fraudulent websites. ESET Smart Security 9 includes all of the components I've mentioned, along with some interesting bonus features. However, it doesn't quite measure up to the very best suites.

Like most security vendors, ESET will happily sell you a single license ($59.99 per year) or a three-license pack ($79.99 per year). Unlike most, ESET leaves you free to choose precisely the number of licenses you need, and the length of your subscription, all the way up to a two-year 10-license subscription for $459.90. Of course, if you really need to protect 10 computers, you might be better off with Symantec Norton Security Premium ($89.99 per year for 10 licenses) or a business-oriented endpoint security solution.

Those who've used ESET before will find that the current edition looks rather different. The company's design team did extensive research into just what users want, and came up with a new, streamlined interface. ESET's blue-eyed cyborg mascot still gazes at you from the main window, along with a large banner that reflects your current security status. A left-side menu provides access to tasks like running a scan and configuring security, while a set of buttons across the bottom lets you log into ESET online, launch ESET's online cybersecurity training, or invoke a protected browser for banking (more about that protected browser later).

Shared Antivirus

As is typical, the antivirus protection in this suite is precisely the same as what you get with ESET NOD32 Antivirus 9.
You can read my review of the standalone antivirus for full details—I'll simply summarize here. ESET's technology gets some very good marks from the independent testing labs, though it stumbled a bit in the latest report from AV-Test Institute. On the plus side, Dennis Labs rated its protection AAA, the best rating. ESET also achieved VB100 certification in all of the latest 12 tests by Virus Bulletin. Bitdefender Internet Security 2016 is also 12 for 12 with Virus Bulletin. Bitdefender and Kaspersky Internet Security (2016) score at or near the top with all of the independent labs.

In our own hands-on malware-blocking test, ESET didn't fare as well. Its real-time protection component wiped out barely over a third of my samples on sight, whereas some competitors instantly eliminate 80 percent or more. Its final score, 8.6 of 10 possible points, is in the bottom half of current products. Bitdefender and Avast Internet Security 2016 share the top score in this test, 9.3 points.

On the plus side, ESET did very well in my malicious URL blocking test. It headed off 84 percent of the malware-hosting URLs, blocking half of those entirely and wiping out the other half during the download process. Top score in this test, 91 percent, is shared by Norton and McAfee LiveSafe (2016).

ESET also did a good job of fending off fraudulent (phishing) websites. Its detection rate in testing came in just 8 percentage points below that of perennial phishing champ Norton, and it soundly drubbed the phishing protection built into Chrome, Firefox, and Internet Explorer.

See How We Interpret Antivirus Lab Tests

See How We Test Malware Blocking

See How We Test Antiphishing

The suite and antivirus share a number of other handy features. A Host Intrusion Prevention System aims to block exploit attacks. The Running Processes list shows all processes running on your system, along with their prevalence in the ESET network.
SysInspector gathers information to help tech support understand any problems you may have. And the bootable SysRescue antivirus handles malware that prevents booting Windows, or prevents the regular ESET antivirus from functioning.

Basic Firewall

ESET's firewall component successfully fended off all the port scans and other Web-based attacks that I threw at it. In some cases, it popped up a transient notification specifically identifying the attack as a port scan.

Preventing attack from outside is one face of firewall protection; the other is managing programs that attempt Internet access. By default, ESET's firewall runs in automatic mode, which only offers the most limited form of program control. It allows all outbound traffic, and blocks all inbound traffic that isn't specifically allowed by a firewall rule. In learning mode, the firewall allows any Internet activity a program requests and creates a rule to always allow that access.

For testing, I switched the firewall to interactive mode. This is the painfully familiar mode that gave early firewalls a bad name. Every time a program attempts to access the Internet or network, ESET pops up and asks you, the user, to decide whether it should allow or block access. You can make your answer a one-time thing, or check a box to create a firewall rule.

The best firewalls, like those found in Norton and Kaspersky, handle such decisions internally. Others, like Check Point ZoneAlarm Extreme Security 2016, rely on a huge database of known good programs to automatically configure almost all permissions. ESET? It will ask you what to do about every single process, including browsers, browser add-ins, and internal Windows components. Worse, when you do answer its query you'll find that you must also respond to a User Account Control popup. Other firewalls, even those that rely on popup queries, manage to avoid the UAC popup.

On another system I left the firewall in its default automatic mode.
It still blocked a number of connections, including Windows's own SSDP Discovery and DNS Client. Other blocked connections included a local network backup and my Plex media server. Fortunately, the firewall offers a troubleshooting page that lists recently blocked processes and lets you unblock them. If some network-connected device or service suddenly stops working, take a look at this page.

I mentioned that the standalone antivirus includes a Host Intrusion Prevention System. When I hit the antivirus with about 30 exploits generated by the CORE Impact penetration tool, it foiled about 45 percent of them, identifying most by the official CVE name. Since the suite includes a full firewall, I reran that test…but the results came out just the same. Norton is the hands-down winner here, blocking 100 percent of the exploits at the network level, before they even reached the test system.

As far as I can tell, malware coders won't manage to disable ESET's firewall protection. I didn't find any significant Registry settings unprotected, and when I tried to terminate its two processes, I just got Access denied. Its single Windows service is hardened—I couldn't stop it, and I couldn't set its startup mode to Disabled.

ESET's firewall offers basic protection, and it doesn't seem vulnerable to direct attack. However, if you enable actual program control it will drive you batty with popup queries, and it didn't show any particular ability to detect and block exploits in my testing.

Fast, Accurate Antispam

ESET integrates with Microsoft Outlook, Outlook Express / Windows Mail, and Windows Live Mail to eliminate infected email messages and identify spam. In the incoming POP3 or IMAP email stream, it marks spam messages by adding [SPAM] to their subject lines. If you're using a supported email client, it also moves spam messages into their own folder; if not, you can just define a message rule to do that job.
When you dig into ESET's advanced settings, you'll find that there are a lot of spam configuration choices. By default, ESET whitelists contacts from your address book, and people to whom you send email. Since my aim is to test the product's ability to distinguish good mail from spam, I didn't attempt to configure the blacklist or whitelist. As for the other settings, I left them all at their default values, just as most users will do.

With ESET watching carefully, I downloaded all the messages from a real-world account that gets both spam and valid mail. I discarded anything more than 30 days old, and then sorted the Inbox into valid personal mail, valid bulk mail, and undeniable spam, discarding any messages that didn't clearly fit one of those categories. After performing the same triage on the spam folder, I ran the numbers.

I also measured the time required to download 1,000 messages with no spam filter and with ESET active. It didn't put any significant drag on the download process. When I tested the previous edition, I found that downloading email took four times as long, so this is a big improvement.

Missing an important meeting or failing to close a deal because your spam filter mistakenly threw away a valid message is a huge problem, much worse than forcing the user to endure a few pitches for male enhancement or Canadian pharmaceuticals. I'm pleased to say that ESET didn't misfile a single valid message. It did let 6.1 percent of undeniable spam into the Inbox, which isn't too bad. Bitdefender and Trend Micro Internet Security 2016 mistakenly discarded just 0.1 percent of valid mail and missed 1.8 percent and 3.9 percent of the spam, respectively.

See How We Test Antispam

Problematic Parental Control

By default, ESET's parental control is disabled. That makes sense; many users have no need for this feature. In fact, this feature is a bit hard to find—you must click Tools, then Security Tools, in order to find it.
When you turn it on, you're asked to password-protect your settings, so the kids can't just turn off parental control. Note, though, that this means you'll need to enter the password for any change to ESET's settings.

ESET offers per-user configuration based on Windows user accounts. Many parental control systems offer predefined profiles, perhaps Child, Preteen, and Teen. With ESET, you set the age for each child's account, from one year to 30+. I'm not sure why settings exist for ages above 18, but they do.

By choosing an age for the child, you configure ESET's multitude of website categories. It's possible to configure categories manually, but their sheer number is daunting. At the top level, they're divided into five age-based groups, ages under 5, 8, 13, 16, and 18 respectively. There's also an age-neutral group. Each group contains up to 15 subgroups for a total of more than 40 subgroups. And each subgroup contains one or more categories. As an example, the Age under 18 group includes a subgroup titled Adult Content. This in turn contains R-Rated, Dating, Abortion - Pro Choice, Abortion - Pro Life, Pornography, and several other categories. Unlike most similar products, here a checkmark next to a category means that it's allowed, not blocked.

I set one of my sample user accounts to be 11 years old and tried out a bunch of inappropriate sites. It correctly blocked all of them. On some inoffensive sites, it allowed access but popped up warnings that it blocked access to one or more URLs. Many of these were related to website analytics, things like gstatic.com and googleusercontent.com. This plethora of relatively irrelevant URLs also overwhelmed the log of filtered websites, making it near-impossible to find actual inappropriate sites.

I verified that the content filter worked for any browser, even one I wrote myself. It wasn't affected by the simple three-word network command that disables some less-brilliant parental control systems.
It also correctly filtered secure (HTTPS) sites by category, so your brilliant preteen won't evade parental control using a secure anonymizing proxy.

The system broke down when I tried some image searches. Despite the content filter, searches such as "girls with no clothes" got up to 10 results, many wildly inappropriate. Scrolling down the page showed box after box with no image, and the content filter warning messages stacked up wildly—I easily reached a count of 1,000 pending messages. Worse, the same thing happened with innocuous searches like "puppies" and "kitties." There's a real problem here.

Content filtering is the entire extent of ESET's parental control. It does the job for wholly inappropriate websites, but its blocking of Web analytics sites and other less-relevant categories screws up its reporting. And in my testing, it interfered with all image searches, while passing a handful of images for any category, even porn. Don't rely on ESET for parental control.

Banking and Payment Protection

It's always smart to stay alert when randomly surfing the Web. Even an established popular site can give you problems if it's infected by a malvertising attack. Surfing for the best cat videos is one thing; interacting with your bank online is completely different. ESET's new Banking & Payment Protection aims to ensure that your online financial transactions are completely safe.

When you try to visit a known banking or financial site in your unprotected browser, ESET offers to open it in the secure browser instead. You can choose to have it always open this particular site in the secure browser. Kaspersky's similar Safe Money feature launches a secure browser to protect your transaction. Bitdefender's SafePay launches a hardened browser in a separate desktop. ESET applies its protection to the browser you already use; I tried it with Chrome, Firefox, and Internet Explorer. You can easily see when this mode is active.
The browser gets a green border, and a Secured by ESET tab appears in its title bar. When you close the secured browser, all traces of your actions vanish. You can also launch this feature directly from the suite's main window.

Unusual Anti-Theft

Anti-theft is a common feature for mobile security products—indeed, loss or theft of a mobile device is more likely than a mobile malware attack. McAfee and Symantec offer mobile device anti-theft. ESET offers the unusual ability to track your Windows computers in the event of loss or theft. Clearly this is most useful for laptops; desktop computers are less likely to be stolen.

Bitdefender Total Security 2016 offers a similar feature. It keeps track of your device's location and lets you remotely lock or wipe a missing device. The Find My Laptop feature in ZoneAlarm Extreme lets you locate the device, capture screenshots or webcam photos, and optionally back up data before wiping an unrecoverable device.

In order to make use of this feature, you must first enable it on the affected device. Once Anti-Theft is enabled, you still have a couple of simple tasks to perform. ESET makes it easy. Clicking one button sets up what they call a phantom user account. If necessary, clicking another reconfigures your device so it doesn't automatically log in to your usual account. That's it!

In the event your device is lost or stolen, you log into ESET's online console and click a button to report the loss. This reboots the device, blocks access to all but the phantom Windows account, and starts device monitoring, which includes location, screen captures, and webcam photos. It also presents the finder with a message containing your contact info, on the chance that the device is merely lost, not stolen.

Of course, the device must be online to receive instructions from the anti-theft system. Once you've marked your device as missing, you still have to wait for the next check-in.
At that point, ESET reboots the system and logs into the limited phantom account. The thief (or finder) has no access to your files, and ESET starts sending location info, screenshots, and webcam photos. If you determine that the device has been found by a nice person, you can send a message with your contact information.

I ran into serious trouble getting this feature working, trouble that required live chat tech support and phone support as well. At one point, the live chat technician duplicated my problem. To summarize literally hours of tech support, it turns out that rebooting before ESET has finalized the phantom account can leave anti-theft non-functional, and this finalization can take 10 minutes or more. In fact, my test systems didn't go into anti-theft mode until more than an hour after I clicked the button to activate that mode.

Device Control for Experts

When you click Setup and choose Computer Protection, you'll find a choice entitled Device Control. It's disabled by default; enabling it requires a reboot. Once Device Control is enabled, you gain the ability to define specific rules about all kinds of devices that connect to your computer: USB drives, Bluetooth devices, smartcard readers, and more. For individual devices or device types you can choose whether to block all access, allow access, or allow access with a warning that this access is logged. If the device includes storage, you can choose to enable it for read-only access.

Your rules can apply to all users, or to specific users or groups. However, in order to specify a list of users, you have to dig down into the awkward Windows dialog titled Select Users or Groups. Really, only the most expert users will find this feature manageable, and the average user probably doesn't have any need to set limits on attached devices. I see this feature as being much more useful in an office setting.
Performance Hit

Performance is as important as protection in a security suite; if the suite gets in the way, the user may get disgusted and turn it off. Vendors know this, so modern suites tend to have very little effect on performance. I was somewhat surprised to find ESET's performance hit on the high side, given that the previous edition evidenced a much smaller slowdown. But rerunning my baseline (no suite) tests and my tests with ESET installed yielded the same results.

I calculate the time required to boot the test system by waiting for 10 seconds in a row with CPU usage of five percent or lower. Once the system reaches this ready-to-use state, I subtract the start of the boot process, as reported by Windows. Averaging multiple runs with no suite and with ESET installed, I found boot time increased by 22 percent. That's more drag than many suites, but do note that this 22 percent represents just 12 seconds more actual time.

Somewhat surprisingly, my file move/copy test took 61 percent longer with ESET installed. This test simply measures the time required to run a script that moves and copies a large collection of files between drives. A repeat of the test yielded an even bigger slowdown; I stuck with the first measurement. The related zip/unzip test, using the same file collection, took 35 percent more time under ESET's protection.

ESET slowed both of the file-related tests more than almost any recent suites. Even so, I didn't observe any feeling of sluggishness while running my tests. Note, though, that some competing products display almost no impact on these simple tests. Webroot SecureAnywhere Internet Security Plus holds the record here. The average of its three performance scores is just 1 percent.

See How We Test Security Suites for Performance

Uneven Protection

The antivirus component in this suite is quite good, as are the antiphishing and spam filter components.
However, parental control is both limited and problematic, the firewall offers just the basics, and I ran into some serious trouble with the anti-theft component. For some business settings the Device Control may seem compelling, but the average user should stick with one of our Editors' Choice suites. The security components in Bitdefender Internet Security and Kaspersky Internet Security are all top-notch, and these two companies get excellent marks from the labs. If you need to protect many computers, McAfee LiveSafe or Symantec Norton Security Premium will cost you much, much less than ESET, and will do a better job.

Sub-Ratings: Firewall, Antivirus, Performance, Antispam, Privacy, Parental Control. Note: These sub-ratings contribute to a product's overall star rating, as do other factors, including ease of use in real-world testing, bonus features, and overall integration of features.

Any discussion of ransomware should begin by reminding ourselves that the term denotes malware. The "ransom" element is a matter of impact, not a root cause. As a result, many of the strategies applied when protecting against common malware should also be applied to ransomware.

Having said this, ransomware is one of the most common types of attack, given that it is easy to generate and distribute. A recent piece of research from Isaca shows that the threat is set to continue, with 20% of global IT security experts placing this type of attack in their top three threats for 2016.

Once in the wild, a typical ransomware script will infect numerous environments very quickly, with the command and control structure designed to harvest small sums of money through anonymised payment mechanisms such as Bitcoin. Ransomware attackers rely on broad and indiscriminate dissemination of malware, without necessarily targeting any specific group of people or companies.

Specimens such as TeslaCrypt, CryptoWall and TorrentLocker reveal a wide variety of ransomware, ranging from unsophisticated varieties embedded in Microsoft Word documents to fairly complex script-based infiltration. In this aspect, security managers should be conscious of the fact that ransomware often utilises channels that were thought to be extinct, such as macro virus infection.

Steps to protect against ransomware

There are a number of steps that organisations and individuals can take to increase their security and strengthen their defences:

Promote awareness by communicating defensive capabilities against generic malware to users. It should be noted how phishing, social engineering attacks and suspicious websites can all pave the way for infection.

Strengthen scan-and-detect defensive capabilities across the organisation. There are many tools that will identify, repel and neutralise malware, including ransomware. However, it is important not to rely on a single anti-virus or anti-malware system, but a wide range dedicated to different types of attack.

Update and adjust target platforms such as Microsoft Office to include blocking mechanisms. All too often, infected Office-based documents and spreadsheets can slip through because defences have been disabled in favour of user convenience.

Both organisations and individuals should consider where their data resides. Ransomware is usually restricted to local hard drives or locally available shares. Information assets should therefore be held in at least two air-gapped locations, such as a portable hard disk for daily backups of important data, and an additional network-attached storage (NAS) for larger backup jobs. Even after ransomware infection, important files can then be recovered. For personal data, DVD or BluRay backups retain the advantage of read-only access.

A fuller list of associated controls is available in the complimentary Threats & Controls tool from Isaca's Cybersecurity Nexus (CSX).

Attacks may lead to greater costs

There is some considerable effort required to protect against ransomware, especially in complex enterprise environments. However, given the current level of helplessness – up to the point where official authorities have recommended giving in and paying the ransom – this extra work is a vital step towards saving time and money.

To help your thinking as a business leader on how important it is to protect yourself against this form of attack, it is worth remembering that even one successful ransomware attack on your organisation or private IT environment is likely to be much more expensive than taking preventive measures.

Rolf von Roessing is a past international vice-president of Isaca and president of Forfa.

This was first published in February 2016
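The article's step about adjusting Microsoft Office "to include blocking mechanisms" against macro-borne ransomware can be made concrete with the per-user Office macro policy. The following PowerShell script is an added example, not part of the article or of Isaca's Threats & Controls tool. It audits the policy-backed registry keys for Word, Excel and PowerPoint and, with -Apply, writes the hardened values. It assumes Office 2016 or later (version key 16.0); the two value names and their meanings come from Microsoft's Office security policy settings (VBAWarnings = 4 disables all macros without notification, blockcontentexecutionfrominternet = 1 blocks macros in files marked as downloaded from the Internet).

```powershell
<#
  Audit (and optionally apply) the Office macro-blocking policy for the current user.
  Added example; not from the article. Assumptions: Office 2016+ (version key 16.0)
  and the HKCU\Software\Policies path that Group Policy also writes to.
  Usage:  .\Audit-OfficeMacroPolicy.ps1          # report only
          .\Audit-OfficeMacroPolicy.ps1 -Apply   # write the hardened values, then report
#>
param([switch]$Apply)

$OfficeVersion = '16.0'                      # assumption: Office 2016 and later
$Apps = 'Word', 'Excel', 'PowerPoint'

# Hardened values. Anything else (or an absent policy, which leaves Office at the
# user-controlled "disable with notification" default that still shows an
# Enable Content button) is reported as weak.
$Hardened = @{
    VBAWarnings                       = 4    # disable all macros without notification
    blockcontentexecutionfrominternet = 1    # block macros in files with Mark-of-the-Web
}

function Get-MacroPolicy {
    param([string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $result = [ordered]@{ App = $App; Key = $key }
    foreach ($name in $Hardened.Keys) {
        $value = $null
        if (Test-Path $key) {
            # -ErrorAction SilentlyContinue: a missing value simply reads as $null
            $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        }
        $result[$name] = $value
    }
    $result['Hardened'] = ($result['VBAWarnings'] -eq $Hardened['VBAWarnings'] -and
                           $result['blockcontentexecutionfrominternet'] -eq $Hardened['blockcontentexecutionfrominternet'])
    [pscustomobject]$result
}

function Set-MacroPolicy {
    param([string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $Hardened.Keys) {
        # DWord values; -Force overwrites a weaker existing setting
        New-ItemProperty -Path $key -Name $name -Value $Hardened[$name] -PropertyType DWord -Force | Out-Null
    }
}

foreach ($app in $Apps) {
    if ($Apply) { Set-MacroPolicy -App $app }
    Get-MacroPolicy -App $app
}
```

On a domain-joined machine the same keys are normally delivered by Group Policy, so treat the -Apply path as a lab or stand-alone-PC convenience and keep the audit half as the check: a row with Hardened = False for any application is exactly the "defences disabled in favour of user convenience" condition the article warns about.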