
Showing posts with label Cybersecurity. Show all posts

Friday, March 4, 2016

Are Your Kids The Latest Target Of Hackers?

The short answer is yes. VTech and Hello Kitty join the depressingly long list of companies to have been hacked in 2015. This time, however, the data taken were overwhelmingly about children: their usernames, passwords, addresses, birthdays, photos, and other personal information.
At first glance you may wonder why hackers would bother, but there are three major reasons for targeting toy companies. First, they are an easy target: VTech representatives have admitted that the company's security was subpar. Second, children reuse passwords just as adults do, so a password taken from one site may unlock most, if not all, of the sites that child uses. Some of those sites charge for features or act as purchasing portals, so a child's credentials may inadvertently expose a parent's credit or debit card details.
Third, and perhaps most chillingly, it could well be about the long game. A hacker need only wait until the child is old enough to get a credit card and then steal his or her identity. It costs nothing to store the data and wait, and given how easy it was to breach VTech's and Hello Kitty's security, that is as good as being handed free money.
There are two tragedies rolled into one here. The first and most obvious is that not even our kids are safe from hackers, and nothing seems sacred to them. The second is that the breach could have been avoided. VTech and Hello Kitty had ample warning and ample opportunity to protect themselves. Online tech portals have been screaming from the rooftops all year about the dangers and outlining the steps companies need to take if they want to be secure. VTech and Hello Kitty simply opted to do nothing with that information, which makes it somewhat difficult to feel sorry for them. They got lucky for a while, skating by with minimal security. It looks like their luck ran out. How's security at your company? If you are unsure, a network audit is probably your best first course of action.

Thursday, March 3, 2016

Meet the Man Who Keeps Microsoft Safe and Secure

As the chief security officer for Microsoft, Mike Howard has more than a passing interest in the things he sees on the nightly news. Whether it's an uprising in the Middle East, the ongoing threat of terrorism or a natural disaster somewhere in the world, the former CIA officer is prepared for the impact various events could have on his company and its employees.
"Cybersecurity is a big issue on everyone's mind as we've become more globalized as a society and businesses have expanded their footprints and everything is digital," Howard said. "But, traditional security issues of theft, violence against employees, terrorism and natural disasters are all still paramount in terms of being the big security challenges for businesses."
This is especially true when your company is so large and so much in the public eye. Howard's security team is ultimately responsible for the safety and security of Microsoft's entire executive team, its 90,000 employees, roughly 90,000 contractors, 700 facilities in more than 100 countries worldwide and all of the visitors to those facilities. He's also responsible, of course, for all of their computers and hardware and the information they contain.
The Microsoft security team deals with threats of violence against executives and employees, employee violence, kidnapping threats, terrorism, natural disasters, property theft and, peripherally, intellectual property protection (which also falls under the purview of a separate cybersecurity group at Microsoft).
Security "evangelist"
In Howard's time at the company, the security team has had to evacuate employees from Beirut and the Ivory Coast, has contracted forensic psychologists to examine threatening letters and regularly provides emailed safety information and warnings to all employees who travel overseas.
But it may be his role as an "evangelist" for the company's physical security business group that looms the largest in Howard's job description. Finding ways to communicate and demonstrate the importance of security — both physical and cyber — to the company's executives is the linchpin of developing a security program that manages to keep such a large and public company running smoothly, he said.
"A lot of [Microsoft's commitment to security] has to do with the evangelizing of security on several fronts within the last decade," Howard said. "My IT security counterpart and I have worked diligently to really get the movers and shakers, the decision makers here to understand security and to support those security efforts and the pushing down of that message throughout the enterprise."
Howard believes that his work driving home the importance of both physical and cybersecurity is part of the reason that Microsoft's company culture has come to reflect those values.
"We brief all new corporate vice presidents on security, we bring senior executives to the Global Security Operations Center in Redmond, [Wash.] and show them what technologies we employ to keep the company safe," Howard said. "We're not just guys checking doors and responding to emergencies."
Howard believes that Microsoft has come to understand what many companies never do: That cyber and physical security is integral to the company's overall business, and even its marketing plan.
"Security is important to the entire company," Howard said. "Intellectual property could be compromised, and that can affect the company's brand reputation or lead to lawsuits. This realization led to a cultural shift, with the company becoming more security conscious."
Employee assistance
To facilitate the rollout of solid security plans throughout the company, Howard's team has had to essentially deputize every employee to be the eyes and the ears of the company. Microsoft does that with a formal training program.
"Having a training program in place is essential to any security program," Howard said. "Without it, you don't have a well-rounded security program. We have a certain number of full-time employees and vendors to cover Microsoft globally; we could never cover the world adequately without educating and creating awareness programs that teach people what to look for."
Today, regular Microsoft employees are instructed to stop a stranger entering a building and ask to see their badge.
"That never would have happened ten years ago," Howard said.
Howard said that good security also involves working with the company's human resources department, which offers employee assistance programs that can help workers in difficult times and potentially prevent an employee problem from becoming a security threat.
"A robust employee assistance program is very important to security issues," he said. A bad economy, problems at home, even dealing with a sick relative can be things that can trigger security issues at work and having a team in place to help solve those problems can prevent them from ever turning into an incident of violence or theft, he said.


Small Business Cyberattacks Getting More Creative

Small businesses, government organizations and even online gamers were targeted last month by cybercriminals, new data shows.
Conducted by GFI Software, the study examined the most prevalent threat detections encountered in January, which included phishing emails aimed at small business owners. The emails posed as notices from the Better Business Bureau and claimed a customer had filed a complaint against the recipient, but the notes actually contained links to malware created with the Blackhole exploit kit.
A number of government organizations were targeted by spoofed messages from the United States Computer Emergency Readiness Team, while gamers looking to score pirated release games fell victim to several different attacks that offered bogus beta invites in return for filling out surveys and recommending links on Facebook and Google+.
Chris Boyd, senior threat researcher at GFI Software, said anyone on the Internet is a potential target for cybercriminals looking to infect systems and scam users.
"They purposefully cast a wide net when picking their methods of attack in order to reach as many targets as possible," Boyd said. "Whether you are a young gamer, a successful business owner or a government employee, you need to be wary when clicking on links that appear to pertain to your interests, especially when asked to submit personal information online."
Malware writers and Internet scammers also sought to attack a wider cross-section of the population by creatively piggybacking on hot news topics and highly trafficked websites. An example is the shutdown of the file-hosting website Megaupload, which led to a domain typo scam targeting both regular users of the website and visitors interested in seeing the FBI notice posted on the site. Once victims reached the misspelled URL, they were redirected to various sites promising fake prizes and seeking personal information.
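The domain typo scam described above works because a single mistyped keystroke lands on a domain the attacker registered ahead of time. The following is an added example, not code from the original article or from GFI Software, that enumerates the one-keystroke variants of a brand domain and flags observed hostnames that land on them, the kind of check a proxy or DNS log review can run. megaupload.com is used only because it is the domain named above; the hostnames in SAMPLE_HOSTS are constructed for illustration, and split_host assumes a single-label public suffix (no .co.uk handling).

```python
"""
Typosquat detection for a brand domain: enumerate the one-keystroke
variants that a "domain typo scam" relies on, then flag observed hostnames
that land on them. Added example; SAMPLE_HOSTS is constructed and is not
data from the incident described in the article.
"""

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def typo_variants(label):
    """All single-keystroke typos of a DNS label (the part before the TLD):
    dropped character, doubled character, wrong character and adjacent swap.
    The label itself is excluded from the result."""
    out = set()
    n = len(label)
    for i in range(n):
        out.add(label[:i] + label[i + 1:])            # dropped character
        out.add(label[:i] + label[i] + label[i:])     # doubled character
        for c in ALPHABET:
            out.add(label[:i] + c + label[i + 1:])    # wrong character
    for i in range(n - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # swap
    out.discard(label)
    return out


def split_host(hostname):
    """'www.megaupload.com.' -> ('megaupload', 'com').
    Assumption: a one-label public suffix. Suffixes such as .co.uk would
    need a public-suffix list, which this example deliberately omits."""
    parts = hostname.lower().rstrip(".").split(".")
    if len(parts) < 2:
        raise ValueError("expected at least label.tld: %r" % hostname)
    return parts[-2], parts[-1]


def classify(hostname, brand_domain="megaupload.com"):
    """Return 'legitimate', 'tld-variant', 'typosquat' or 'unrelated'."""
    brand_label, brand_tld = split_host(brand_domain)
    label, tld = split_host(hostname)
    if label == brand_label:
        return "legitimate" if tld == brand_tld else "tld-variant"
    if label in typo_variants(brand_label):
        return "typosquat"
    return "unrelated"


def scan(hostnames, brand_domain="megaupload.com"):
    """Map each suspicious hostname to its verdict, skipping the real site
    and hosts that are not near-misses of the brand at all."""
    suspicious = {}
    for host in hostnames:
        verdict = classify(host, brand_domain)
        if verdict in ("typosquat", "tld-variant"):
            suspicious[host] = verdict
    return suspicious


# Constructed sample: distinct hostnames as they might appear in proxy logs.
SAMPLE_HOSTS = [
    "www.megaupload.com",   # the real site
    "megauplaod.com",       # o and a transposed
    "megaupoad.com",        # missing l
    "meggaupload.com",      # doubled g
    "megaupload.net",       # same label, different TLD
    "example.org",          # unrelated
]

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_HOSTS).items():
        print("%-22s %s" % (host, verdict))
```

Enumerating variants up front, rather than computing an edit distance per lookup, keeps the per-hostname check to a set membership, which matters when the input is a full day of DNS or proxy logs; the same variant set is also what a brand owner would feed to a registrar to pre-register the common misspellings.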
"While cybercriminals may not be picky about their choice of victims, their choice of tactics is anything but haphazard," Boyd said. "Cybercrime campaigns are designed to cripple systems and steal personal information."


Tuesday, August 30, 2011

When Hackers Become the Good Guys


At DefCon III in 1995, the young crowd of 470 spent their time jamming a local radio station broadcast and playing Hacker Jeopardy at midnight when they couldn't drink at the bar. "Free Kevin" stickers were plastered everywhere protesting the jailing of fugitive hacker Kevin Mitnick, and a 14-year-old ran away from home to attend the event. (I know because I was there.)
At DefCon 19 this year, plenty of the nearly 12,000 attendees had gray hair, most work as security professionals, and some even brought their children. Mitnick was there signing copies of his latest book, "Ghost in the Wires," and posing for photographs, before appearing as a guest on "The Colbert Report" last week.
A community is growing and growing up.
In the early years, DefCon founder Jeff Moss used to say "if you're 20 and you're working for The Man, you're a loser," Richard Thieme, author of "Mind Games" and a professional speaker, recounted in his DefCon talk this year and in an interview with CNET afterward. "Ten years ago, Moss said 'if you're 30 and you're not working for The Man, you're a loser.' And now he agreed that at 40 he is The Man."
Moss, aka "Dark Tangent," started DefCon in 1993 as a farewell party for a buddy, only to have it become the world's largest hacker conference. He sold off the more commercial Black Hat security conference, which frees him up for public service: he serves on the Homeland Security Advisory Council and was named chief security officer for the non-profit Internet Corporation for Assigned Names and Numbers (ICANN) earlier this year.
Another hacker role model who is having a very direct impact on U.S. cyber security policies and funding is Peiter Zatko, better known as "Mudge" when he was a member of the Cult of the Dead Cow (cDc) and L0pht hacker groups in the 1990s. He presented at a session on password cracking and holes in Microsoft software at DefCon in 1996. This year, he gave a keynote talk at Black Hat about his plans, as program manager for the Information Innovation Office at the Defense Department's DARPA (Defense Advanced Research Projects Agency), to fund hacker spaces and small security start-ups.


Read more: http://news.cnet.com/8301-27080_3-20095649-245/when-hackers-become-the-man/#ixzz1WVPoCjyq

Sunday, August 28, 2011

Cybersecurity Report: 84% Believe Risk is Higher than 1 Year Ago


With the annual Black Hat (Vegas) conference providing extra focus on cybersecurity this week, but also eclipsing most other news, I want to call attention to the EastWest Institute publication of their report on the Second Worldwide Cybersecurity Summit: Mobilizing for International Action.
The EWI summit, held in London at the beginning of June, attracted more than 450 government, industry and technical leaders from 43 countries to craft new cybersecurity solutions.
CSOs, CIOs, IT professionals, academics, and international policy-makers working to maintain a healthy Internet and guard resources against cyber threats may want to take a look at the wide range of topics covered in the EWI summit report. Fortunately, the report is readable from the web, with a solid table of contents and lots of quotes and graphics to help you navigate the information and find areas of special interest.
EWI held their first Cybersecurity Summit in 2010, and EWI’s cybersecurity initiative has gained participation from the United States, Chinese, Russian and Indian governments, along with other members of the Cyber40 (an informal grouping of the world’s most digitally-advanced nations), academic leaders, and industry professionals.
“The largest roadblock to cyber solutions is a lack of trust,” says John Mroz, EWI President. “EWI’s trademark for three decades has been bringing the people who need to work together into the same room to craft solutions to particular issues of common concern. Nowhere is this needed more than in the cybersecurity arena.”
To highlight how participants see the cybersecurity challenge, the report shares (flip to page 7) some interesting survey data from the 2010 and 2011 summits:

  • 84% think that the cybersecurity risk we face today is higher than one year ago
  • 61% doubt that their country could defend against a sophisticated Cyber attack
  • 54% doubt their own business, organization or agency could defend against a sophisticated Cyber attack
  • 70% believe that international policy and regulations lag far behind technology advances
  • 81% agree that bold steps are needed immediately to address lack of trust in ICT development and supply chain integrity
That last point, which I sometimes refer to as "Trusted Supply Chain" issues, was also one of the key areas of focus for Microsoft's participation at the summit, and of the recent post on Global Cyber Supply Chain Management by Eric T. Werner, a Principal Security Strategist with the Trustworthy Computing group here at Microsoft.
The 50-page report includes information from the keynote presentation on Supply Chain Risk Management delivered by Scott Charney, Corporate Vice President, Trustworthy Computing, including his observation that: “The Internet is different in the sense that you don’t have to put assets at risk to engage in espionage. Spies can sit in their home country and exfiltrate terabytes of data quickly.”