Within the next five to 10 years, quantum computing will get so powerful that it could be used to break encryption on the fly, predicts Steve Marshall, CISO at U.K.-based Bytes Software Services.
"We rely on cryptography to prevent people from decoding our credit cards and to protect highly sensitive data that we share. Quantum computing is going to have a major influence on all of these things," Marshall says in an interview with Information Security Media Group.
"At the moment, quantum computers have about 72 qubits of quantum information. ... In order to crack things like RSA 2048 public key cryptography, you require about 400 qubits of power. So it's only a matter of time before quantum computers get to the point where they have got enough power in order to be able to crack RSA and other asymmetric cryptography."
In this interview, Marshall also discusses the categories of post-quantum cryptography, the state of research on quantum-resistant cryptography and how quantum computing affects information security.
Marshall, who is based in the U.K., is CISO at Bytes Software Services, a computer support and services firm. He specializes in business consulting, payments, compliance, breach clean-up, enterprise architecture validation, assurance, corporate/information security, security restructures and risk across many business verticals and markets.
Threat intelligence sharing is all about trust, speed and context. And yet many enterprise intel programs lack one or more of those qualities. Jon Clay of Trend Micro discusses what it takes to stand up a customized threat intelligence program.
"We did a study about this, and only about 5 percent [of respondents] were willing to share their indicators of compromise with their community," says Clay, director of Global Threat Communications at Trend Micro. "Yet, 95 percent of them wanted to obtain those same IOCs from their fellow members. Obviously, that shows a lack of trust."
In an interview about setting up a customized threat intelligence program, Clay discusses where the gaps are in many of today's programs, how to create an industry-centric program and which questions to ask when re-evaluating a program.
Clay is responsible for managing marketing messages and the external publication of all threat research and intelligence within Trend Micro, as well as its different core technologies. An accomplished public speaker with hundreds of speaking sessions around the globe, he focuses on the threat landscape and the use of AI/machine learning and big data in protecting against today's sophisticated threats. Before taking over as director of global threat communications, he held roles within Trend Micro as a sales engineer, sales engineering manager, training manager and product marketing manager for SMB.
US authorities have charged two Ukrainian men with hacking into the US Securities and Exchange Commission's computer networks to steal and profit from nonpublic earnings reports of publicly traded companies.
The indictment, filed Tuesday by the US Justice Department, accuses the pair of hacking into EDGAR, the SEC's corporate filing system used by public companies, in 2016. The hack, which went undetected for more than five months, netted the defendants and conspirators more than $4.1 million in illegal profits after they placed trades based on the stolen information, authorities said.
The defendants' hacking and insider trading scheme cheated the securities markets and the investing public, US Attorney Craig Carpenito said in a statement.
"They targeted the Securities and Exchange Commission with a series of sophisticated and relentless cyber-attacks, stealing thousands of confidential EDGAR filings from the commission's servers and then trading on the inside information in those filings before it was known to the market, all at the expense of the average investor," Carpenito said.
SEC Chairman John Clayton revealed the hack in September 2017. At the time, Clayton said nonpublic information was transmitted through nonsecured personal email accounts.
On Tuesday, authorities accused Artem Radchenko, 27, and Oleksandr Ieremenko, 26, of conspiring to commit securities fraud, computer fraud and wire fraud in their alleged hack of EDGAR. The pair used targeted cyberattacks, including phishing attacks and planted malware, to gain access to the SEC's computer networks, authorities said.
They then used a server in Lithuania to obtain thousands of "test filings," filings companies make in advance of public release and that often contain information that's similar or identical to that found in the official filing.
Related civil charges were also filed against nine individuals accused of conspiring with Ieremenko to profit from trades placed on information contained in the stolen filings. Two traders in Los Angeles, Sungjin Cho and David Kwon, were named as defendants in the SEC lawsuit.
Ieremenko was charged in 2015 with the theft of 150,000 press releases from services like PR Newswire, Business Wire and Marketwired. Iermolovych allegedly made tens of thousands of dollars by selling the releases online and many millions more by making trading decisions based on the not-yet-public information contained within.
Healthcare organizations and their business associates must be careful to avoid making mistakes with their HIPAA security risk analysis in case they ever undergo a compliance review or breach investigation by federal regulators, says privacy attorney Adam Greene.
"What I see a lot of - and it's both sad and frustrating - is that a covered entity or business associate might hire an outside security consultant to do a security risk assessment ... but what they end up getting is a gap analysis against the HIPAA Security Rule or another set of controls," he says in an interview with Information Security Media Group.
While a gap analysis can be helpful, "it's not the sort of risk assessment that the Department of Health and Human Services' Office for Civil Rights is looking for ... if there's an investigation, audit or breach," he stresses.
What OCR is looking for in a HIPAA security risk analysis "is threat/vulnerability pairings" involving protected health information, he explains.
"But what we sometimes see instead is a checklist approach of the different security rule requirements ... sometimes without even mention of 'threat,' 'vulnerability,' 'likelihood' and 'impact' - the terms that OCR guidance says must be part of any risk analysis."
Providing security risk analysis documentation to OCR when faced with a compliance review or investigation can also prove tricky, Greene notes.
For instance, the list of recommendations that grows out of a security risk analysis isn't necessarily what an entity should turn over to OCR, he says.
"[Legal] counsel can play an important role in making sure you end up with deliverables that can be delivered to OCR while having a claim of privilege with respect to initial recommendations that may not have been ready for prime time and required some level of legal review and counsel," he says.
In this interview, Greene also discusses who should lead a security risk assessment, when an attorney should be part of a HIPAA security risk analysis and other advice for improving security risk analysis practices.
As a partner at Davis Wright Tremaine LLP in Washington, Greene specializes in HIPAA and HITECH Act issues. He formerly was senior health information technology and privacy specialist at OCR, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules.
Recent Breach at Singapore Airlines Reveals Lack of Attention to Security at Development Stage
gsuparna • January 15, 2019
The recent exposure of customer data on the website of Singapore Airlines as a result of a software bug is further evidence of the persistent challenge of adequately addressing security during the development stage.
The airline recently revealed that a software glitch led to the exposure of data on 285 frequent flier accounts, including passport numbers as well as travel and flight details.
The software bug surfaced after changes were made to the carrier's website on Jan. 4. The bug enabled some frequent flyer members to view information belonging to other travelers, the company said in a statement.
Singapore Airlines apparently launched its new website without completing the entire development cycle properly - a common mistake at companies worldwide.
"The airline is practicing some new software development methodology. I guess it updated the system live while the development is still ongoing, and with it came errors," says Aloysius Cheang, executive vice president for Asia Pacific at the Center for Strategic Cyberspace + Security Science. "The chosen programming framework may have some inherent bugs or may have created this issue due to various reasons."
Companies worldwide don't have enough incentives to follow secure software development practices.
"There are many reasons that software bugs exist, and these range from poor standards and simple mistakes right through to the ethics and morals behind software development," Steve Marshall, CISO at U.K.-based Bytes Software Services, tells me. "However, in most commercial organizations there is no reason, either by incentive or by regulation, to develop quality code that does not contain bugs."
For far too many companies, pressure to hit deadlines means that adequate security steps during software development take a back seat.
"The market dictates that software is developed quickly, cheaply and is feature rich for the end user," Marshall says. "There is little requirement that the code is secure or that there is any longevity to it. This means that in a lot of instances, the commercial pressure that is felt by organizations to get software and features out to market before the competition is too great."
Although there's widespread agreement that addressing security early in the software development cycle is an essential component of any breach prevention strategy, practicing "security by design," unfortunately, is not yet common.
"We all know that we should create secure code, and we need to think about this critically as attackers don't care about laws, so they will always have an advantage over defenders," Marshall says. Companies that focus exclusively on short-term profitability will be reluctant to enhance software security efforts unless "there is a government-backed incentive or they are made to do it," he argues.
Dinesh O. Bareja, COO at Open Security Alliance, tells me: "I interact with many companies who do not want to spend money on things they can later accept and issue an apology for. They would rather keep aside a certain amount for fines than delay their product in the market because of a small bug."
Marshall argues that governments should create incentives, such as tax breaks, for companies that invest adequate time and resources in security by design. This needs to be coupled with stiffer penalties for companies that fail to meet software coding standards, he asserts.
The NanoCore Remote Access Trojan (RAT) is being spread through malicious documents and uses an interesting technique to keep its process running and prevent victims from manually killing it, researchers say.
The cybersecurity team from Fortinet recently captured a sample relating to the spread of NanoCore RAT in the form of a malicious Microsoft Word document.
Developed in the .NET Framework by an author known as "Taylor Huddleston," the Trojan landed its operator in jail for peddling the malware on underground forums.
While the Arkansas man is due to serve close to three years in prison, his legacy continues on in the wild without his influence.
The malicious document, "eml_-_PO20180921.doc," is spread via phishing campaigns and contains obfuscated, auto-executing malicious VBA code that initiates the Trojan.
If opened, the document contains a security warning at the top informing the would-be victim that macros have been disabled, but should that individual click "enable content," the infection process begins.
According to Fortinet, the NanoCore Trojan, in its latest 1.2.2.0 version, is downloaded from the wwpdubai.com domain as part of an .exe file which is then saved in a Windows temporary folder.
The file, CUVJN.exe, calls a daemon process. However, before this process begins, the executable will check to see if the process already exists and whether or not Avast antivirus software is running.
If the infected system passes these checks, the code will then extract an archive within the executable and retrieve a PE file which is the actual NanoCore RAT.
Two processes will be running at this stage: netprotocol.exe, which is a copy of CUVJN.exe and is the daemon designed to unzip NanoCore, alongside dll.exe, which is a very interesting daemon process in itself.
Dll.exe is designed to keep the Trojan running. The process starts netprotocol.exe, injects NanoCore into memory, and runs the code. One of the process' classes is called "ProtectMe" with a function "ProtectMe.Protect()" which prevents the process from being killed off by the victim.
During testing, Fortinet researchers could not kill the netprotocol.exe process at all -- despite it not being a system service or holding higher privileges than the user.
It turns out that the process uses a function called ZwSetInformationProcess, from NTDLL.dll, which is able to modify the state of the process and prevent it from being terminated.
"There is a function named 'RunPE.doIt()' that is used to run and protect the NanoCore RAT client. It calls the API CreateProcessA to start a new 'netprotocol.exe' and then suspends it," the researchers say. "Next, it allocates memory in the new 'netprotocol.exe' and puts the entire NanoCore into the newly allocated memory using the API WriteProcessMemory. Finally, it modifies the entry point of the thread context to NanoCore's entry point and resumes NanoCore running inside the second 'netprotocol.exe' by calling the API ResumeThread."
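As an added example (not Fortinet's or ZDNet's code), the delivery chain described above, a Word document launching a dropper from the Temp folder, which then starts the netprotocol.exe and dll.exe daemons, expressed as detection logic over constructed process-creation events; the event field names, user paths and Office install path are assumptions:

```python
import ntpath
from typing import Dict, List

# Constructed sample process-creation events (field names are an assumption, not a
# real EDR schema). They model the article's chain: Word opens the document, drops
# CUVJN.exe into the Temp folder, and that dropper starts the two daemons.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "100", "ppid": "1", "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"pid": "200", "ppid": "100", "image": r"C:\Users\alice\AppData\Local\Temp\CUVJN.exe"},
    {"pid": "300", "ppid": "200", "image": r"C:\Users\alice\AppData\Roaming\netprotocol.exe"},
    {"pid": "301", "ppid": "200", "image": r"C:\Users\alice\AppData\Roaming\dll.exe"},
    {"pid": "400", "ppid": "1", "image": r"C:\Windows\System32\notepad.exe"},  # benign noise
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Daemon names Fortinet reported for this sample. An attacker can rename them
# trivially, so they corroborate the behavioural rule rather than replace it.
NANOCORE_DAEMONS = {"netprotocol.exe", "dll.exe"}


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_temp_dir(path: str) -> bool:
    return "\\temp\\" in path.lower()


def ancestry(events: List[Dict[str, str]], pid: str) -> List[str]:
    # Image names from pid up to the root, so the analyst sees the whole chain.
    by_pid = {e["pid"]: e for e in events}
    chain, cur = [], by_pid.get(pid)
    while cur is not None:
        chain.append(_name(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return chain


def find_suspicious(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        chain = ancestry(events, e["pid"])
        # Rule 1: an Office application launching an executable from a Temp
        # directory, which is how this campaign's dropper is started.
        if parent and _name(parent["image"]) in OFFICE_IMAGES and _in_temp_dir(e["image"]):
            hits.append({"rule": "office_spawns_temp_exe", "pid": e["pid"], "chain": " <- ".join(chain)})
        # Rule 2: a known daemon name whose ancestry leads back to an Office process.
        if _name(e["image"]) in NANOCORE_DAEMONS and any(n in OFFICE_IMAGES for n in chain):
            hits.append({"rule": "nanocore_daemon_under_office", "pid": e["pid"], "chain": " <- ".join(chain)})
    return hits
```

Rule 1 is the durable signal; the process names in Rule 2 only hold for this particular sample.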
First discovered in 2013, NanoCore is a rather nasty piece of malware which is able to perform a variety of functions. These include a keylogger, a password stealer which can remotely pass along data to the malware's operator, the ability to tamper with and view footage from webcams, screen locking, the download and theft of files, and more.
The latest version of the Trojan was released in 2015 with premium plugins included, before the arrest of the operator in 2016.