The complexity of cybersecurity creates new headaches for organizations, says John Peterson of Comodo. The cure? Specialized threat analysis and protection. Peterson discusses how to implement this new model.
In a video interview at RSA Conference 2016, Peterson discusses:
The complexity of modern cybersecurity;
Why the new STAP model offers new options;
Comodo's new STAP solution.

As vice president of product marketing, Peterson is responsible for shaping the enterprise product roadmap for Comodo, along with the execution of the company's product marketing strategy. He works across the leadership, engineering, sales and marketing teams within Comodo to integrate the product strategy and ensure the success of all enterprise product lines. Before joining Comodo in November of 2015, Peterson led sales engineering efforts at Zscaler, managing a team focused on Internet security delivered through the cloud. Over his 25-year career in B2B and cybersecurity engineering, he has held engineering and leadership positions at Barracuda Networks, Juniper Networks, Websense, Montego Networks, Cisco Systems, 3Com and Fortinet.
Ransomware, Privacy and Apple vs. FBI - Let the Conference Begin!

As the first day of RSA Conference 2016 sessions was set to start, ISMG's editorial team sat down to discuss the event and what to expect from it. Editors Tom Field, Tracy Kitten and Mathew Schwartz offer an RSA preview.
In a video interview recorded at RSA Conference 2016, the editors discuss:
Early topics of conversation from the show floor;
Sessions they look forward to attending;
Video interviews they will conduct at the event.

The ISMG editorial team is posting articles and blogs as well as audio and video interviews from this event. Check back regularly for updates.
The "industrialization" of cybercrime, remote-access attacks and mobile-banking application and online-browser overlay attacks are trends the financial industry should monitor this year, says George Tubin, program director at IBM Security Trusteer.
Industrialization of cybercrime refers to "more private cybercrime gangs that are operating independently," Tubin says. "For a while, we saw the proliferation of the cybercrime underground with a lot of different groups specializing in different areas, whether it's writing malware itself or writing various injections or mule activity ... and putting this out on the black market for anybody to be able to access. And we saw a lot of so-called amateur cybercriminals getting into cybercrime by just going out and learning how to use these tools and learning how to access experts in cybercrime out on the Web. But now, we actually see a rise in very private, tight cybercrime gangs operating around the world."
Banking Trojans, including Dyre and Dridex, have been driven by these cybercrime groups, Tubin adds.
During an interview at RSA Conference 2016, Tubin also discusses:
Why mobile banking app and browser overlay attacks that bypass banking malware detection mechanisms are so concerning;
How remote-access attacks continue to increase; and
Why information sharing to fight cybercrime is more critical than ever.

Tubin served as the senior security strategist for Trusteer before it was acquired by IBM. Earlier, Tubin served as an industry consultant, specializing in financial fraud. With more than 25 years in the banking and high-technology industries, his areas of expertise include consumer online and mobile banking, online fraud and identity theft prevention and enterprise fraud-management strategies.
Debit fraud losses in Canada hit an all-time low in 2015, mainly because of Canada's nearly complete migration to EMV and its real-time settlement of debit payments, says Mark Sullivan, who heads fraud management for Interac, Canada's payment network.
Canadian debit fraud dropped 27 percent in 2015, compared with the previous year, and accounted for the lowest fraud losses linked to debit compromises in six years, according to a new debit fraud update that Interac recently released.
Sullivan says the U.S. will likely see similar fraud-reduction patterns once its migration to EMV nears completion. But some unique fraud-fighting characteristics of the Canadian market, most notably its real-time settlement of debit transactions, may offer additional lessons from which the U.S. could learn, he says.
"With Interac Debit, we do not have offline transactions; every transaction is an online transaction," conducted in real time, Sullivan explains during this interview with Information Security Media Group. "So a data breach becomes non-existent for the debit cardholder. There is no information stored about the consumer, the individual, [nor] identifying features in the transaction that has just taken place; it's not stored anywhere within the data of the posting merchant. And that data is a one-time transactional code ... that will never be repeated."
EMV chip payments are significantly more secure than magnetic-stripe payments because the chip authorizes each transaction with a one-time cryptogram, so data captured at the terminal cannot be replayed or used to produce a working counterfeit chip card; however, they are not foolproof. After the Target breach, security experts repeatedly warned that EMV alone would not have prevented card data from being compromised in that attack: the chip does not keep the account number out of the merchant's point-of-sale systems.
Real-time payments - which the Federal Reserve has been pushing for in the United States - offer a huge advantage over current methods. For example, because Interac's transactions are conducted in real time using dynamic EMV data, fraudsters can't intercept usable transmitted or stored payment card data. Interac transactions are even protected in a card-not-present environment and are not susceptible to CNP debit fraud, Sullivan says.
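To make the replay argument concrete, here is an added illustration, not Interac's or any issuer's actual code and not part of the original article, of a simplified online EMV authorization. It models the pieces the text relies on: the card's application transaction counter (ATC), the terminal's unpredictable number, and a cryptogram over the transaction data that the issuer verifies in real time, alongside a mag-stripe comparison that checks only static track data. Key derivation, the 3DES/AES MAC of EMV Book 2 and the message layout are simplified: HMAC-SHA256 over a fixed packing stands in for the session-key MAC, and the PAN and key are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values. Real cards hold a per-card key derived from an
# issuer master key, and the cryptogram is a 3DES/AES MAC (EMV Book 2);
# HMAC-SHA256 is used here only to keep the example self-contained.
PAN = "4000123456789010"
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def _cryptogram(key: bytes, pan: str, atc: int, amount: int, un: bytes) -> bytes:
    """MAC over the fields that bind a cryptogram to exactly one transaction."""
    data = pan.encode() + struct.pack(">HQ", atc, amount) + un
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class Chip:
    """Card side: holds the key and the application transaction counter (ATC)."""

    def __init__(self, pan: str, key: bytes):
        self.pan, self.key, self.atc = pan, key, 0

    def generate_arqc(self, amount: int, unpredictable_number: bytes) -> dict:
        self.atc += 1  # monotonically increasing, never reused by this card
        return {
            "pan": self.pan,
            "atc": self.atc,
            "amount": amount,
            "un": unpredictable_number,
            "arqc": _cryptogram(self.key, self.pan, self.atc, amount, unpredictable_number),
        }


class Issuer:
    """Host side: every transaction is authorized online, in real time."""

    def __init__(self, keys: dict):
        self.keys = keys       # pan -> card key
        self.last_atc = {}     # pan -> highest ATC accepted so far

    def authorize(self, req: dict, terminal_un: bytes) -> tuple:
        key = self.keys.get(req["pan"])
        if key is None:
            return ("declined", "unknown card")
        if req["un"] != terminal_un:
            return ("declined", "cryptogram not bound to this terminal's challenge")
        expected = _cryptogram(key, req["pan"], req["atc"], req["amount"], req["un"])
        if not hmac.compare_digest(expected, req["arqc"]):
            return ("declined", "cryptogram mismatch")
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return ("declined", "ATC not increasing: replay")
        self.last_atc[req["pan"]] = req["atc"]
        return ("approved", "")


def magstripe_authorize(known_pans: set, track2: str) -> tuple:
    """Static data only: whatever was valid once stays valid for a skimmer."""
    pan = track2.split("=")[0]
    return ("approved", "") if pan in known_pans else ("declined", "unknown card")


def demo() -> dict:
    """Run a genuine purchase and three fraud attempts against the issuer."""
    card = Chip(PAN, CARD_KEY)
    issuer = Issuer({PAN: CARD_KEY})
    results = {}

    # Genuine purchase: the terminal picks a fresh challenge, the chip signs it.
    un = os.urandom(4)
    req = card.generate_arqc(amount=2599, unpredictable_number=un)
    results["genuine"] = issuer.authorize(req, un)

    # Attacker captured the whole authorization message and resends it.
    results["replay_same_terminal"] = issuer.authorize(req, un)

    # Attacker presents the captured cryptogram at a different terminal.
    results["replay_other_terminal"] = issuer.authorize(req, os.urandom(4))

    # Attacker keeps the cryptogram but edits the amount.
    results["tampered_amount"] = issuer.authorize(dict(req, amount=1), un)

    # Same capture against static mag-stripe data: replay works every time.
    track2 = f"{PAN}=2012101"  # constructed track-2 style string
    results["magstripe_replay"] = magstripe_authorize({PAN}, track2)
    return results


if __name__ == "__main__":
    for name, (decision, reason) in demo().items():
        print(f"{name:22} {decision:9} {reason}")
```

Running it approves the genuine transaction and declines the three fraud cases, while the mag-stripe comparison approves the same captured track data indefinitely, which is the gap a skimmer exploits and a dynamic cryptogram closes. Real issuers tolerate a bounded ATC gap rather than requiring exact succession, because a card may generate cryptograms that never reach the host.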
Sullivan recommends that U.S. organizations take advantage of the fraud intelligence that can be gleaned during this time of transition to EMV when fraudsters will be working overtime to exploit lingering mag-stripe vulnerabilities before that opportunity dies out.
"In [countries] where EMV is in the process of being adopted and where specific timelines have been published, there is also an appropriate and enlisted response from the criminal community, who realize that the window of opportunity is starting to narrow," Sullivan says. "We've ... seen an increase in the amount of attacks on the system, which is generally the sign of a dying opportunity."
Watching transactions and sharing information with law enforcement through a central source could help the U.S. bring some of the cyber gangs that have been attacking the payments infrastructure to justice, Sullivan says.
During this interview, Sullivan also discusses:
Canada's EMV migration and how it was rolled out;
Why the U.S. market's migration to EMV won't have an adverse fraud effect on Canada; and
How real-time payments can significantly reduce fraud across numerous payments channels.

In addition to overseeing fraud market management for Interac, Sullivan also heads up fraud market management for Acxsys Corp., which specializes in the development and operation of payment innovation, including Interac e-Transfer, Interac Online and Cross Border Debit. Sullivan joined Interac Assoc./Acxsys Corp. in 2010 and is responsible for providing fraud risk mitigation programs. He is the central point of contact for global risk professionals and international law enforcement, and is the co-chair of the Private Sector Liaison Committee, which is affiliated with the Canadian Association of Chiefs of Police.
Gartner's Avivah Litan on How Biometrics Can Help Fight Fraud

Just back from a trip to Israel, where she spoke with leading security researchers about such topics as the Internet of Things, cyberterrorism and banking malware, Gartner analyst Avivah Litan says 2016 will be a turning point for adoption of biometrics in identity proofing.
In a video interview at RSA Conference 2016, Litan discusses:
New tactics being used by cyberterrorist groups such as ISIS to move money and enhance cyberattacks;
Why banking malware is evading detection and impacting banks worldwide; and
How biometrics could help to curb fraud losses linked to business email compromises.

Litan, a vice president at Gartner Research, is an authority on financial fraud. She has more than 30 years of experience in the IT industry. Her areas of expertise include financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention, and other areas of information security and risk management. She also covers security issues related to payment systems and PCI compliance.
Too many companies that provide cybersecurity solutions are failing to focus on helping organizations control risk at a reasonable cost, argues Malcolm Harkins, CISO at Cylance.
"In many ways, most ... of the organizations in the security industry profit from the insecurity of computing. So economically, they have no incentive to fundamentally address the issues," Harkins contends in an interview at the RSA Conference 2016 in San Francisco.
"We should be trying to figure out the economic equilibrium so that the cost [of security] is essentially flattened or held steady relative to the growth of computing. I've always been trying to think about it in the context of having ... solutions that create a demonstrable and sustainable bend in my curve of risk, something that allows me to lower or maintain or flatten my total cost of controls."
In this interview, Harkins also discusses:
Why the security industry needs to re-imagine its mission;
Ransomware and how to defeat cyber-extortion;
How Cylance distinguishes itself in a crowded anti-malware marketplace.

As the global CISO at Cylance, Harkins is responsible for all aspects of information risk and security, security and privacy policy, and for peer outreach activities to drive improvement across the world in the understanding of cyber risks and best practices to manage and mitigate those risks. Previously, he was vice president and chief security and privacy officer at Intel Corp. In that role, Harkins was responsible for managing the risk, controls, privacy, security and other related compliance activities for all of Intel's information assets, products and services.
5 Cybersecurity Trends at RSA Conference
Experts Issue Warnings Over Facebook Fakery, Targeted Ransomware

(Photo: Loretta E. Lynch, Attorney General of the United States. Schwartz/ISMG)

It's springtime in San Francisco: cue the annual RSA Conference at the Moscone Center.
This year is notable on multiple fronts: It's the conference's 25th anniversary, parts of the Moscone Center are being demolished and rebuilt - thus displacing some of the conference - while attendance is on track to reach peak levels. Indeed, the organizers predict that they will see more than 40,000 attendees this year.
Here are just some of the highlights and notable trends from the conference, thus far.
On March 1, Adm. Michael Rogers, the director of the National Security Agency and U.S. Cyber Command, addressed the RSA conference. By doing so, he followed in the footsteps of former NSA Director Keith Alexander, who delivered a keynote speech at Black Hat USA in July 2013, following the Edward Snowden revelations.
Rogers outlined not just the future of his agency, but also the challenges he faces in trying to hire enough new personnel with cybersecurity skills. And while Rogers talked about other challenges his agency faces, not least in preventing insider attacks, he avoided mentioning former contractor Snowden by name.
The case of the FBI versus Apple involves the bureau attempting to compel the technology provider into unlocking an iPhone 5C used by one of the now-dead shooters behind the San Bernardino attacks that left 14 people dead last year. Apple, however, has dug in its heels, with CEO Tim Cook saying it will fight the court order, which it sees as being tantamount to requiring Apple to build a backdoor for iPhones.
But Loretta E. Lynch, Attorney General of the United States, told a conference hall filled close to overflowing that she sees a middle ground in the case of the Department of Justice versus Apple (see Apple Wins Legal Round Over Unlocking a 2nd iPhone).
"For me, the middle ground is to devolve to what the law requires," Lynch said during a heavily scripted "sit-down chat" with a reporter. Lynch also attempted to paint Apple as an ill-mannered upstart, suggesting that the company should do what it's told, unless Congress tells it otherwise. "Do we let one company - no matter how great the company, no matter how beautiful its devices - decide this issue for all of us?" she asked.
Multiple researchers at RSA have continued to highlight how ransomware attacks are becoming more complex. Researchers from Intel Security, for example, have just discovered a new type of targeted ransomware that encrypts every file on a computer using a different key, thus complicating remediation efforts.
There are also now more ransomware variants at large today than ever before. Some types get spread via increasingly convincing phishing campaigns, which are designed to fool users and bypass spam filters, says Pierluigi Stella, chief technology officer of Network Box. Today's ransomware phishing campaigns are redirecting unsuspecting users to malicious sites owned by the criminals with URLs that vary with every campaign, he says. "It's never the same URL, so there are no rules, no antivirus that is going to pick these emails up and block them."
Watch what you "like" - about 10 percent of current Facebook profiles are fake. So says financial fraud expert Avivah Litan of Gartner Research, who notes that cybercriminals are increasingly tapping Facebook and other social media sites to lure unsuspecting victims into their scams. Sometimes, this involves tricking people into parting with their Facebook credentials or personal information, especially relating to family and friends. Other times, scammers are simply marketing their goods and services.
Look for more on this topic in an upcoming video interview with Litan, conducted by my colleague Tracy Kitten.
Another interesting trend, highlighted by both Litan and RSA threat researcher Daniel Cohen, is that many cybercriminals want to cultivate a public profile. That's so their talents, supplies and services can be easily found - via Web searches and social media - by prospective customers. Even underground forums are becoming more open, Litan says. Meanwhile, Rick Holland, vice president of strategy for threat intelligence firm Digital Shadows, notes that many online attack groups now openly advertise for new employees on both public and darknet sites.
Even hackers, it seems, face a cybersecurity skills shortage.
Executive Editor Tracy Kitten also contributed to this story.