A report suggests smartphones and tablets taken in as evidence are being remotely wiped. By Steve McCaskill Some smartphones and tablets seized as evidence by police are being remotely wiped, according to a rep...
NEWS ANALYSIS: Tyupkin requires physical access to an ATM, highlighting serious challenges to physically securing cash machines.

A new form of malware dubbed "Tyupkin" has been infecting automated teller machines (ATMs) in Europe, Asia and Latin America. The attack, which was first reported by security firm Kaspersky Lab, requires physical access to an ATM for the malware to be loaded.

The idea that malware can be loaded onto a vulnerable ATM is not a new one. Mike Park, managing consultant at Trustwave, told eWEEK that the same technique is what the late infamous hacker Barnaby Jack used in his ATM hacking talk at the Black Hat security conference in 2010. "What is new is that it's being used in the wild more," Park said. "Previously, it was easier to use card skimmers and well-placed cameras to steal account data or to simply grab the ATM with a pickup truck."

The Tyupkin malware clearly demonstrates an uncommon level of sophistication for criminal activities, according to Daniel Petro, senior security analyst at Bishop Fox. "Tyupkin takes effort into concealing its tracks so as much money can be extracted as possible," Petro said. "In the past, ATM attacks have not necessarily been concerned with remaining stealthy, as much as simply being able to get to the cash and get away."

At the heart of the Tyupkin exploitation of ATMs is the simple fact that it requires physical access to an ATM. Because of this, physical security elements, including proper locks and security monitoring, should be in place to limit access. Gregory Wasson, malicious code program manager at ICSA Labs, told eWEEK that when it comes to exploitation, in his view, physical access almost always wins. "There is no difference whether it is a skimmer that was installed or malware, as both require physical access," Wasson said. "If a system can't prevent someone from accessing it, then it is practically impossible to protect."

Petro echoed that same sentiment, noting that once the attacker has physical access to a computer system, all bets are off. That said, ATMs have some specific physical security challenges, such as the fact that they are intended to be used by the unattended public. "Buying better locks can help, but there's also a long list of hardening techniques that can be applied to ATMs to improve their security," Petro said. "Replacing outdated Windows XP operating systems, removing unnecessary IO ports like CD-ROM drives and application whitelisting are some of the techniques on this list."

Trustwave's Park added that from the physical security perspective, unless the ATM is one that is built into the wall of a bank, getting physical access is pretty straightforward, as locks are easily picked or access can be obtained by removing screws from air vents. "Some ATMs we've tested actually had cable holes large enough to simply reach up and gain access," he said.

For various reasons, many ATM deployments have not implemented some obvious security controls, including the use of antivirus (AV), system BIOS passwords and secure configurations, according to Park. "Some businesses have indicated AV would cause the process of withdrawing cash or doing other transactions to become so slow that it would be unusable," he said.

The lack of a BIOS password and secure configuration means that the BIOS on the ATM does not have a password to prevent tampering on startup, and the default configuration of the BIOS is such that it can allow an attack. "For instance, on the last two ATM tests we have done, we discovered the BIOS was configured to look for boot media in the USB, then the CD, then the hard drive," Park said. "This means if we put in a bootable USB or CD/DVD with another operating system, the ATM will boot into our operating system without needing to change the BIOS."

Another physical challenge that faces ATMs is the actual lock that is in place on an ATM cabinet. Park noted that in many instances, most ATMs from a single manufacturer, or even just a single bank, share the same key. "Once an attacker can obtain one of these keys via theft or other means [buying them in underground markets, on the Internet, making copies, etc.], they can get into any ATM of the same bank or even manufacturer," Park said. "Businesses have said this is necessary because otherwise field technicians would have giant, unmanageable key chains."

As an additional step, Trustwave has recommended that businesses also use full disk encryption so that when an ATM is rebooted or shut down, the operating system and the data on the disk are encrypted and unreadable, Park added. "This would prevent the criminals from being able to boot into an alternate operating system to install malware or alter the operating system settings of the ATM," he said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
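The boot-order finding Park describes (removable media tried before the hard drive) is something an operator of unattended machines can audit before a pentester finds it. The script below is an added example written for this page, not code from Trustwave or from the article. It assumes a UEFI Linux kiosk and parses the output of `efibootmgr -v` (the sample output is constructed), flagging any USB or optical entry that precedes the fixed disk in `BootOrder` and producing the order string one would hand to `efibootmgr -o`. The ATMs in the article ran Windows XP on legacy BIOS, where the equivalent check is a setup-screen review; and without a firmware password and full disk encryption, fixing the order alone buys little, because an attacker with the cabinet open can change it back.

```python
import re

# Constructed sample of `efibootmgr -v` output from an assumed UEFI Linux kiosk.
# Not taken from the article; real output has a tab between label and device path.
SAMPLE_EFIBOOTMGR = """\
BootCurrent: 0003
Timeout: 2 seconds
BootOrder: 0001,0002,0003
Boot0001* UEFI: SanDisk Cruzer\tPciRoot(0x0)/Pci(0x14,0x0)/USB(2,0)
Boot0002* UEFI: HL-DT-ST DVDRAM\tPciRoot(0x0)/Pci(0x1f,0x2)/Sata(1,0,0)/CDROM(1,0x2c,0x1000)
Boot0003* kiosk-os\tHD(1,GPT,3a1b2c3d-0000-4000-8000-000000000001,0x800,0x100000)/File(\\EFI\\kiosk\\grubx64.efi)
"""

# BootNNNN[*] <label><TAB><device path>; the '*' marks an active entry.
ENTRY_RE = re.compile(r"^Boot([0-9A-Fa-f]{4})(\*?)\s+(.*?)\t(.*)$")
# Device-path nodes and labels that indicate removable boot media.
REMOVABLE_RE = re.compile(r"USB\(|CDROM\(|\bUSB\b|\bDVD\b|\bCD\b", re.I)


def parse_efibootmgr(text):
    """Return (boot order as a list of entry numbers, {number: entry dict})."""
    order, entries = [], {}
    for line in text.splitlines():
        if line.startswith("BootOrder:"):
            order = [n.strip() for n in line.split(":", 1)[1].split(",") if n.strip()]
            continue
        m = ENTRY_RE.match(line)
        if m:
            num, active, label, path = m.groups()
            entries[num] = {
                "label": label,
                "path": path,
                "active": active == "*",
                "removable": bool(REMOVABLE_RE.search(label + " " + path)),
            }
    return order, entries


def audit_boot_order(text):
    """Flag removable entries that are tried before the first fixed-disk entry."""
    order, entries = parse_efibootmgr(text)
    fixed_positions = [i for i, n in enumerate(order)
                       if n in entries and not entries[n]["removable"]]
    cutoff = fixed_positions[0] if fixed_positions else len(order)
    ahead = [n for n in order[:cutoff] if entries.get(n, {}).get("removable")]
    return {"order": order, "removable_ahead_of_disk": ahead, "insecure": bool(ahead)}


def hardened_order(text):
    """Order string for `efibootmgr -o`: fixed-disk entries only, removable media dropped."""
    order, entries = parse_efibootmgr(text)
    return ",".join(n for n in order if n in entries and not entries[n]["removable"])


if __name__ == "__main__":
    result = audit_boot_order(SAMPLE_EFIBOOTMGR)
    print("insecure:", result["insecure"],
          "removable ahead of disk:", result["removable_ahead_of_disk"])
    print("suggested: efibootmgr -o", hardened_order(SAMPLE_EFIBOOTMGR))
```

On the constructed sample the audit reports both the USB stick and the optical drive ahead of the disk and suggests an order containing only entry 0003. Treat the result as an audit signal, not a control: the firmware setup password and disk encryption the article recommends are what stop the order from being changed back or bypassed.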
The announcement comes days after Hewlett-Packard said it also was breaking into two new companies.

Symantec is joining the growing ranks of large tech vendors that are breaking apart in hopes that creating two more narrowly focused companies will lead to greater success in their respective markets. Symantec executives on Oct. 9 confirmed reports this week that the company will split into two publicly traded companies, one concentrating on security software and the other focused on data storage and information management.

The announcement comes three days after Hewlett-Packard CEO Meg Whitman said the tech giant will become two—HP Inc., which will sell printers and PCs, and Hewlett-Packard Enterprise, which will focus on IT solutions and services. eBay officials on Sept. 30 said the giant online auction site will shed its PayPal online payment processing system, creating two companies.

Some industry observers have noted that the recent announcements and the pressure on other companies—including data storage giant EMC—to split off some businesses is an indication that it's becoming increasingly difficult for such large and diverse vendors to adapt and react in a fast-changing industry. It also is a product of growing pressures on public companies from Wall Street and shareholders to show strong financial results every three months. That said, other companies—including Cisco Systems, Oracle and Dell (now a private company)—continue to broaden their portfolios and grow through acquisitions.

In Symantec's case, the company had built its reputation on its security software, then extended its reach into data storage and information management by buying Veritas for $10.2 billion in 2005. Symantec executives and directors in the past reportedly had considered breaking the company apart, but previous CEOs were against the idea. Michael Brown, who was named permanent president and CEO in September after serving in the positions in an interim capacity since March, has favored a breakup.

Splitting the company in two will give each business a better chance of competing in their respective markets, Brown said in a statement. "As the security and storage industries continue to change at an accelerating pace, Symantec's security and [information management] businesses each face unique market opportunities and challenges," the CEO said. "It has become clear that winning in both security and information management requires distinct strategies, focused investments and go-to market innovation. Separating Symantec into two, independent publicly traded companies will provide each business the flexibility and focus to drive growth and enhance shareholder value."

After the split, Brown will remain president and CEO of Symantec, and Thomas Seifert will continue as CFO. John Gannon, who before coming to Symantec had served as president and COO of Quantum and before that had led HP's commercial PC business, will be general manager of the new information management business. Don Rath, a two-year veteran of Symantec, will be the new venture's acting CFO.

Symantec's security business, which generated $4.2 billion in revenues in the company's fiscal year 2014, is competing in a market that officials said will grow to $38 billion by 2018 and offers a unified security strategy that includes a platform that integrates threat information and analyzes data from its security products and Norton endpoints
Security industry veteran Greg Hoglund now heads the startup, which launched an endpoint threat detection and response system.

Greg Hoglund is no stranger to the world of security startups. Hoglund was previously a co-founder at Cenzic (which Trustwave acquired) and at HBGary (which ManTech Cyber Solutions acquired), and is now the CEO of a startup called Outlier, which launched a new product offering on Oct. 7.

At Outlier, Hoglund has developed an endpoint security technology that does not require a software agent to be installed on user machines. The Outlier platform leverages a combination of on-premises and software-as-a-service (SaaS) capabilities to help detect and analyze potential security threats. "We're not intercepting any traffic; we're in the same spot that you would find a network appliance, but instead of facing outward, we're facing inward," Hoglund told eWEEK. "So instead of sniffing packets, we're making connections to the endpoints over existing Microsoft Windows APIs."

Outlier is focused on Microsoft Windows workstations, which are often the target of attacks. The connection to each endpoint is made over TCP port 445, the SMB port (registered as microsoft-ds), which Windows already uses for remote administration inside a domain; the collector is therefore using an existing management channel rather than installing a new listener on the workstation.

Outlier has an on-premises component that it calls the Data Vault, which does all the customer data processing. The Outlier Data Vault is software that is installed on a Windows Server. The other element of the Outlier platform is the Cloud SaaS component, which is used for management and provisioning. Additionally, the SaaS component is leveraged to check suspicious files. "Statistical information is calculated, and things like hashes are uploaded to the SaaS component," Hoglund said. "But the connection over port 445 is from the on-premises component."

Hoglund emphasized that the endpoint provides a wealth of information that can be analyzed by Outlier to identify any potential hacking activity that might be occurring on a system. "On the endpoint, you have all the forensic evidence available that could show the installation of a particular threat and all the user behavior patterns," Hoglund said. "What we're looking for is a pattern that shows there may have been an intrusion on a given host."

The Outlier system has a scoring profile that it assigns to events to help identify possible malware and hacking attacks. Hoglund commented that the collection of data on an endpoint is essentially a big data source. The Outlier platform then automates the best practices associated with security incident response. The analysis includes looking at all of the loaded modules and auto-run functions on a given endpoint. The Outlier system also looks for evidence of memory that has been injected with unauthorized code. By comparing what is actually running on a system to a whitelist of safe and known applications and processes, outliers can be identified.

The Outlier platform does have some limitations. For one, it's not a reverse engineering technology that can figure out which specific exploit is being used in an attack. Rather, it identifies what a system downloaded and what that item is doing. Currently, Outlier is structured as a detection solution and does not have its own remediation capabilities. Outlier is focused on the detection problem and is not trying to build a full incident response system, Hoglund said. "We're a detection-only solution," he said. "Once we're integrated with other devices in the protection ecosystem that a customer has, those other devices would be able to take actions."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
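The whitelist-and-outlier idea Hoglund describes becomes useful once module inventories from many hosts are scored together: a loaded module that is not on the known-good list, appears on only one or two machines in the fleet, and lives in a user-writable directory deserves attention, while an unlisted vendor DLL present on every workstation does not. The code below is an added example written for this page; it is not Outlier's product logic or its scoring profile, which the article does not detail. The inventories, whitelist, weights and threshold are constructed.

```python
from collections import Counter

# Constructed per-host inventories of loaded module paths (Windows workstations).
# Invented for this example; not data from the article or from Outlier.
INVENTORY = {
    "ws01": [r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\kernel32.dll",
             r"C:\Program Files\Acme\acme.dll"],
    "ws02": [r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\kernel32.dll",
             r"C:\Program Files\Acme\acme.dll"],
    "ws03": [r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\kernel32.dll",
             r"C:\Program Files\Acme\acme.dll",
             r"C:\Users\bob\AppData\Local\Temp\upd.dll"],
    "ws04": [r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\kernel32.dll",
             r"C:\Program Files\Acme\acme.dll"],
    "ws05": [r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\kernel32.dll",
             r"C:\ProgramData\helper.dll"],
}
# Known-good modules (constructed). In practice this would be keyed by file hash,
# not path; paths are used here to keep the example readable.
WHITELIST = {r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\kernel32.dll"}
# Path fragments that indicate a location an ordinary user can write to.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")


def module_prevalence(inventory):
    """Fraction of hosts on which each (case-folded) module path is loaded."""
    counts = Counter()
    for mods in inventory.values():
        counts.update({m.lower() for m in mods})
    return {m: n / len(inventory) for m, n in counts.items()}


def score_modules(inventory, whitelist, rare_threshold=0.2):
    """Score every module: unlisted +50, rare +30, user-writable location +20."""
    wl = {w.lower() for w in whitelist}
    results = []
    for mod, prev in module_prevalence(inventory).items():
        score, reasons = 0, []
        if mod not in wl:
            score += 50
            reasons.append("not whitelisted")
        if prev <= rare_threshold:
            score += 30
            reasons.append(f"rare ({prev:.0%} of hosts)")
        if any(frag in mod for frag in USER_WRITABLE):
            score += 20
            reasons.append("user-writable path")
        hosts = sorted(h for h, mods in inventory.items()
                       if mod in {m.lower() for m in mods})
        results.append({"module": mod, "score": score, "prevalence": prev,
                        "hosts": hosts, "reasons": reasons})
    results.sort(key=lambda r: (-r["score"], r["module"]))
    return results


def suspicious(inventory, whitelist, min_score=60):
    """Modules whose combined score crosses the review threshold."""
    return [r for r in score_modules(inventory, whitelist) if r["score"] >= min_score]


if __name__ == "__main__":
    for r in suspicious(INVENTORY, WHITELIST):
        print(r["score"], r["module"], r["hosts"], "; ".join(r["reasons"]))
```

On the constructed fleet, the Temp-directory DLL on ws03 scores 100 and the ProgramData DLL on ws05 scores 80, while acme.dll, unlisted but present on four of five hosts, scores 50 and stays below the threshold. That is the point of prevalence: it lets a whitelist stay incomplete without burying the analyst in unlisted-but-normal software.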
New types of attacks, including those without human intent, will emerge, according to Mark Graff.
Boole Server is location-agnostic and secures data, files and messages wherever they reside.

It isn't all that often that the IT world in the United States gets a bright new import from Italy. This happens with cars and food, perhaps, but not with IT products. Milan-based Boole Server, a provider of enterprise file sharing and data protection in Europe, has announced the opening of its two North American offices in San Francisco and Boston, as an expansion into the U.S. market.

Boole Server's on-premises-only data server provides serious security: full military-grade encryption to secure data beyond perimeter and device-centric controls and keep it from falling into unauthorized hands. There are now as many as 729 different cloud applications in use at the average company, executive consultant Laura Yecies told eWEEK, and many apps include confidential corporate data.

Leading international companies, including Barilla, UnipolSai, Giorgio Armani, Tod's and Versace, are taking back control of their data by using Boole Server for collaboration, sharing and the highest level of data security in the industry (2,048-bit encryption keys). Boole Server is location-agnostic and secures data, files and messages wherever they reside—from messaging apps, flash drives, folders, SharePoint and mobile apps to online document editors.

"We envision an end to corporate data breaches through smarter file sharing and data-centric security," said Valerio Pastore, founder and CTO of Boole Server. "Our pioneering use of the strongest available encryption is the remedy that the market needs to secure confidential information from prying eyes—whoever they may be."

Boole Server encrypts everything, but data access remains flexible with granular access rights. Data is always encrypted, at rest, in transport and even when in use by the user, Yecies said. Sharing is possible with both internal and external users, yet data control remains in the hands of the file owners. Full audit trails and dynamic access policies work anywhere and everywhere, Yecies said.
Security experts warn that a malicious program known as Mayhem has started using the Shellshock Bash flaw to infect Linux and Unix servers.

A stealthy malicious program known as Mayhem has started spreading to Linux and Unix servers using the "Shellshock" vulnerability in the terminal shell program known as Bash, according to security experts. On Oct. 7, the anti-malware group Malware Must Die posted an analysis of the attack, which is currently using servers at 37 different Internet addresses—18 of which are in the United States—to scan for vulnerable hosts.

It's not known how many servers have been infected with the malware, but a July analysis of the pre-Shellshock version found some 1,400 servers compromised by the program. With its new ability to exploit the pervasive Bash vulnerability, Mayhem may spread much further, the group Malware Must Die stated in its analysis of the attack. "This is a very serious threat, please work and cooperate together ... to stop the source of the threat," the group stated.

Mayhem, first discovered in April, stands out from other malware because it accomplishes its tasks on Linux and Unix servers without gaining full control of the host system, according to an analysis published in July by three security researchers at Russian search giant Yandex. In the past, the malware used a PHP script to infect servers, but the latest version uploads a script in the Perl programming language via the Shellshock vulnerability.

The malware makes use of a modular design, so that the software can be easily updated with new functionality. At least eight different modules exist, expanding functionality to scan for sites using the popular WordPress content management system and sites with specific vulnerabilities before attempting to use brute-force guessing to break into sites with weak passwords.

Linux servers have become a popular target for cyber-criminals because, while many distributions are freely available, keeping a system up to date with security patches can be time consuming and is often neglected, according to the Yandex researchers. "Nowadays, there are millions of completely unprotected web servers with different kinds of vulnerabilities, so it is easy for attackers to upload web shells and gain access to them," they stated in their analysis. Half of all active Web sites run on Apache and Linux.

Attackers who are able to compromise Web servers get a dual benefit, Chester Wisniewski, senior security advisor at Sophos, said in an email interview. Web servers typically have much higher bandwidth and can be compromised to infect visitors with drive-by downloads, he said. Whether more attackers target the Shellshock flaw depends on how easy it is to exploit compared to other vulnerabilities, he added. The sheer variety of software used on Web servers and Internet-facing Linux servers means that the number of servers with some form of vulnerability is very high, he said. "It is almost always about (finding) the cheapest, fastest way to get the job done," Wisniewski said. "If (that way) is ShellShock, then we will see plenty more."
CEO says Exabeam users can detect both insider threats and cyberattacks in real time while simultaneously optimizing their security operations.

LAS VEGAS -- If you suspect someone in your organization cannot be trusted anymore, or you are worried about a potential cyber attack, there's a new security startup that may be of interest to you. Six-month-old Exabeam, which focuses on big data security analytics, launched both itself and its platform here Oct. 6 at the Splunk .conf2014 conference.

The new package is designed to enable enterprises to use the full potential of their existing security information and event management (SIEM) deployments. Exabeam users will be able to detect both insider threats and cyberattacks in real time while simultaneously optimizing their security operations, co-founder and CEO Nir Polak told eWEEK.

"The problem we see in the market today -- look at all the attacks on Target, Home Depot, and so on -- is that the attackers use all kinds of techniques," Polak said. "Heartbleed, malware, keyloggers in social engineering, et cetera. But what the attacker needs most to compromise systems is to get his hands on credentials. In essence, he wants to impersonate a valid employee.

"When an attacker gets hold of credentials, it's game over. You're done. So the problem is: How do you find the imposter? With the tools you have today, it's very difficult."

To that end, Exabeam adds a layer of user behavior intelligence on top of existing SIEM and log management repositories to give IT security teams a complete view of the full attack chain. Then it can spotlight valid attack indicators currently lost in a sea of security noise, allowing for better and more complete security response, Polak said. Attackers used authorized credentials in more than 76 percent of network intrusions in 2013, allowing them to impersonate legitimate users spanning across IT environments and conduct suspicious activities along the way.

Current SIEM technologies cannot detect subtle anomalies or correlate them across the entire attack chain, forcing IT and security teams to anticipate malicious behaviors, which is nearly impossible in the current hacker climate. Exabeam removes guesswork by providing access to real-time insights that tell users which indicators to look for in order to spot malicious behaviors, Polak said. The user behavior intelligence platform provides security teams insight into which accounts are involved in attacks and provides a complete picture of user activity, greatly reducing attack detection times.

"The challenge with SIEM solutions is that you can only find the threats you are actively looking for through a statistical or rule-based model," said Colin Anderson, vice president of information technology and chief information security officer at Safeway, an Exabeam beta customer. "Where Exabeam brings immense value is in identifying what we're not looking for by understanding 'normal' user behavior and alerting us when network activity deviates from that baseline. Without this type of solution, businesses are blind to these threats and waste time chasing the tails of false positive alerts."

Exabeam is headquartered in San Mateo, Calif., and is privately funded by Norwest Venture Partners, Aspect Ventures and investor Shlomo Kramer.
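The baseline-and-deviation approach Polak and Anderson describe, reduced to its smallest working form: learn, per account, the source hosts, target hosts and logon hours seen during a training window, then score each new logon by how many of those attributes are unfamiliar. This is an added example written for this page, not Exabeam's platform or model, which the article does not describe in detail; the events, weights and alert threshold are constructed. It is deliberately set-based rather than statistical so that the tuning problem Anderson alludes to (noise versus missed deviations) is visible in the output.

```python
from collections import defaultdict
from datetime import datetime

# Constructed logon events as (ISO time, account, source host, target host);
# invented for this example, not data from the article or any customer.
TRAINING = [
    ("2014-09-01T08:55:00", "jdoe", "wks-jdoe", "file-srv01"),
    ("2014-09-01T09:10:00", "jdoe", "wks-jdoe", "mail01"),
    ("2014-09-02T08:40:00", "jdoe", "wks-jdoe", "file-srv01"),
    ("2014-09-02T17:05:00", "jdoe", "wks-jdoe", "mail01"),
    ("2014-09-03T09:02:00", "jdoe", "wks-jdoe", "file-srv01"),
    ("2014-09-01T22:00:00", "svc-backup", "bkp01", "file-srv01"),
    ("2014-09-02T22:00:00", "svc-backup", "bkp01", "file-srv01"),
    ("2014-09-03T22:00:00", "svc-backup", "bkp01", "file-srv01"),
]
NEW_EVENTS = [
    ("2014-10-06T08:50:00", "jdoe", "wks-jdoe", "file-srv01"),        # routine
    ("2014-10-06T02:15:00", "jdoe", "vpn-pool-17", "dc01"),           # new source, new target, off hours
    ("2014-10-06T22:00:00", "svc-backup", "bkp01", "file-srv01"),     # routine
    ("2014-10-06T22:03:00", "svc-backup", "wks-jdoe", "file-srv01"),  # service account from a user workstation
]


def build_baseline(events):
    """Per account: the source hosts, target hosts and hours of day observed."""
    base = defaultdict(lambda: {"src": set(), "dst": set(), "hours": set()})
    for ts, user, src, dst in events:
        b = base[user]
        b["src"].add(src)
        b["dst"].add(dst)
        b["hours"].add(datetime.fromisoformat(ts).hour)
    return base


def hour_distance(hour, usual):
    """Circular distance in hours from `hour` to the nearest usual logon hour."""
    return min(min(abs(hour - h), 24 - abs(hour - h)) for h in usual)


def score_event(event, baseline):
    """Additive deviation score: new target +40, new source +30, off-hours +30."""
    ts, user, src, dst = event
    b = baseline.get(user)  # .get() does not create an entry in the defaultdict
    if b is None:
        return 60, ["account never seen in baseline"]
    score, reasons = 0, []
    if dst not in b["dst"]:
        score += 40
        reasons.append(f"new target host {dst}")
    if src not in b["src"]:
        score += 30
        reasons.append(f"new source host {src}")
    gap = hour_distance(datetime.fromisoformat(ts).hour, b["hours"])
    if gap >= 3:
        score += 30
        reasons.append(f"{gap}h outside usual logon hours")
    return score, reasons


def detect(events, baseline, threshold=50):
    """Events whose deviation score reaches the alert threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev, baseline)
        if score >= threshold:
            alerts.append({"time": ev[0], "user": ev[1], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(TRAINING)
    for a in detect(NEW_EVENTS, baseline):
        print(a)
```

On the constructed data only the 02:15 logon by jdoe from a VPN address to a domain controller alerts (score 100, all three attributes new). The fourth event, a backup service account authenticating from a user's workstation, scores 30 and stays under the threshold: a realistic miss, and the kind of case a production model handles by treating service accounts with their own, stricter profile rather than by lowering the threshold for everyone.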
Security specialist FireEye is turning its attention to Apple's OS X and has been testing its Mac support with beta customers.

FireEye has found more than its fair share of zero-day vulnerabilities on Microsoft Windows platforms in recent years. Now, the security specialist is adding Apple's desktop operating system to its purview, in a bid to find bugs in OS X. The timing couldn't be better. As Apple's operating system adoption continues to grow, attackers are increasingly taking aim at Mac OS X. So far in October, one new malware threat dubbed "iWorm" has emerged against OS X.

FireEye is adding support for Apple Mac OS X on its Network Security Prevention (NX) and Forensic Analysis (AX) platforms. How the detection engine works is not directly tied to an OS X endpoint agent, according to Ivan Oprencak, director of product marketing at FireEye. "The solution today is a network traffic approach," Oprencak told eWEEK. "So if you're browsing the Web and download something with malware inside of it, that malware will go through our MVX [Multi-Vector Virtual Execution] engine to detonate it."

The FireEye Multi-Vector Virtual Execution (MVX) technology leverages a secure virtual environment to inspect and analyze code for potential malware. If code is deemed to be suspicious and potentially malicious, it can be blocked. "MVX will detonate the exploit inside of a virtual machine that is running on the NX platform," Oprencak said. That said, there is a plan on FireEye's road map to provide an endpoint product for Mac OS X machines at some point in the future, he added.

Early Results

FireEye has been testing its Mac support with beta customers and has seen some interesting initial results. "There was no new malware discovered, but what we have detected is an average of 385 callbacks per customer, per month," Oprencak said. "So there definitely was malware present."

Callbacks are indicators of compromise, as the Macs were attempting to connect into some form of botnet command and control system, he said. For the most part, the malware that FireEye detected on its beta customers' systems were all variants of the Mac Flashback Trojan. Mac Flashback first emerged in 2012 as a Java-related exploit that at one point affected half a million Apple OS X users.

With support for Mac in the FireEye technology platform, Oprencak expects that more zero-days will now be discovered in OS X. FireEye has a solid working relationship with Microsoft that it has used over the years to collaborate on issues affecting Windows users. The expectation is now to have a similar relationship with Apple. "Our plan is to do the same thing we do with Microsoft, but Microsoft is fairly used to getting these kinds of reports," Oprencak said. "It's not clear yet how Apple will react."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Twitter says its First Amendment rights are being violated by U.S. government restrictions about what it can divulge publicly about surveillance requests.

Twitter has filed a lawsuit against the United States government alleging that restrictions on the details it can release about federal surveillance requests for some of its account holders are unconstitutional. Instead of having such restrictions, Twitter argues in its 19-page lawsuit, the social media company wants to provide more details to the public about the kinds of government surveillance requests it receives as part of its efforts to be open and transparent about its actions.

"As part of our latest transparency report released in July, we described how we were being prohibited from reporting on the actual scope of surveillance of Twitter users by the U.S. government," wrote Ben Lee, vice president of Twitter's legal services, in an Oct. 7 post on the Twitter Blog. "Our ability to speak has been restricted by laws that prohibit and even criminalize a service provider like us from disclosing the exact number of national security letters (NSLs) and Foreign Intelligence Surveillance Act (FISA) court orders received—even if that number is zero."

Instead, Twitter argues in its lawsuit that the company is "entitled under the First Amendment to respond to our users' concerns and to the statements of U.S. government officials by providing information about the scope of U.S. government surveillance—including what types of legal process have not been received," Lee wrote. "We should be free to do this in a meaningful way, rather than in broad, inexact ranges."

Twitter's lawsuit, which was filed in United States District Court in the Northern District of California, asks the government to allow the company to publish its full Transparency Report and to "declare these restrictions on our ability to speak about government surveillance as unconstitutional under the First Amendment," wrote Lee. "The Ninth Circuit Court of Appeals is already considering the constitutionality of the non-disclosure provisions of the NSL law later this week."

Named as defendants in Twitter's lawsuit are U.S. Attorney General Eric Holder; the U.S. Department of Justice; James Comey, the director of the Federal Bureau of Investigation; and the FBI.

"We've tried to achieve the level of transparency our users deserve without litigation, but to no avail," wrote Lee. "In April, we provided a draft Transparency Report addendum to the U.S. Department of Justice and the Federal Bureau of Investigation, a report which we hoped would provide meaningful transparency for our users. After many months of discussions, we were unable to convince them to allow us to publish even a redacted version of the report."

The broad topic of government surveillance and data privacy concerns has become much more public in light of allegations made in 2013 about government snooping in Google and Yahoo data centers. Those revelations from U.S. National Security Agency (NSA) whistleblower Edward Snowden allegedly included government scanning and surveillance of personal message data, which set off a firestorm of protests by privacy groups, officials, and the public. Transparency reports by companies such as Twitter, Google and Facebook detail general statistics about the numbers and kinds of government surveillance requests that are received about account holders.

Twitter is certainly not the only technology company that is upset with the existing rules. In December 2013, AOL, Facebook, Google, LinkedIn, Microsoft and Yahoo joined together to create a coalition to demand government surveillance reform, according to an earlier eWEEK report. The group was formed after repeated allegations and reports emerged in 2013 about the online surveillance activities of the NSA.
Company officials may soon announce that Symantec will split in two, with security going one way and storage another, according to a report.

Symantec may be the next major tech vendor to split in two, in the wake of similar moves by Hewlett-Packard and eBay. Citing unnamed people with knowledge of the matter, Bloomberg News reported Oct. 8 that Symantec officials are considering breaking the company in two, with one company focused on security and the other on data storage. One of the people said an announcement could be made in a few weeks. Symantec officials have declined to comment on the report.

The report about Symantec comes two days after venerable Silicon Valley company Hewlett-Packard announced it will split in two over the next 12 months, with one—which will be named HP Inc.—selling printers and PCs, and the other—Hewlett-Packard Enterprise—concentrating on corporate IT solutions and services. Officials with eBay announced Sept. 30 that the online auction site will split off its PayPal online payment processing business next year, creating two companies.

The recent announcements highlight a trend within the tech industry of some vendors splitting or shedding business units in an effort to become more focused and streamlined and to give a boost to their bottom lines. HP CEO Meg Whitman, in announcing the decision to split up the company after several years of pushing back at pressure to do so, said the result will be two more nimble companies that will have greater freedom to pursue their respective roadmaps and focus more narrowly on their customers.

Other major tech companies are finding themselves under scrutiny. Soon after HP's announcement broke, speculation turned to Cisco Systems, a massive company that is aggressively building out its product portfolio in an effort to transform itself from a networking box maker into a major enterprise IT solutions provider. Storage giant EMC has been under pressure from an activist investor to divest itself of most or all of its 80 percent stake in VMware. Investor Elliott Management has argued that having VMware in the fold is a drag on EMC's finances, though EMC officials have argued that the company's federated corporate model that governs its relationship with subsidiaries VMware, RSA and Pivotal has been a benefit.

To be sure, not all companies are taking the smaller-is-better route. Dell is looking to become a larger IT solutions vendor, leveraging in-house development and acquisitions to broaden its product lineup in such areas as networking, storage, software and the cloud. Oracle has continued to grow via acquisitions, and Lenovo—which used its 2005 purchase of IBM's PC business to become the world's top PC vendor—is hoping to see the same success in servers after buying IBM's x86 systems business and in mobile devices with the upcoming acquisition of Motorola Mobility from Google.