Data Thieves Don’t Stop at Payment Data Any More

A security breach in any of the accounts most people use every day is a heart-stopping experience, and one that often leaves the user more than a little frightened about the immediate future. What else will be broken into, some might wonder, or perhaps how can the data that was taken be used against its own user? It was bad enough when data thieves wanted payment card data almost exclusively, but now, a new report from Trustwave shows that it’s not just about payment data any more, but rather, that data thieves are branching out and going after other kinds of data as well.

The word from the “2014 Trustwave Global Security Report” shows a disturbing picture for anyone who deals in data online, particularly on mobile devices. It was conducted on the strength of 691 investigations staged into data breaches, which by itself represented a disturbing trend in the works, namely, a 54 percent increase just from 2012.

Trustwave reported a 33 percent increase in data thefts across several breeds of information that would normally be considered sensitive or confidential, including things like customer records, internal communications, or “personally identifiable information.” Indeed, nearly half—45 percent—of all thefts involved had nothing to do with payment data at all. The e-commerce field represented 54 percent of the targeted assets, while point-of-sale system breaches—not unlike those suffered by Target and Neiman Marcus—came in at 33 percent of breaches investigated by Trustwave.

The Trustwave report noted that “a global, thriving underground…” was in place to handle “…quick monetization of stolen data – no matter where the victim or attacker resides.” That makes stolen data a valuable commodity, one that needs to be protected. On that front, Trustwave found, users are often somewhat to blame. Almost a third—31 percent—of all compromises could be traced to “weak passwords”, though the idea of a weak password can be subjective. Applications turned out to be serious security risks, with 96 percent of tested applications—and a whopping 100 percent of mobile applications—found to have at least one of several “serious security vulnerabilities.” Several exploits turned to familiar names as a springboard to hacking, including 85 percent involving third-party plug-ins like Java.

Most victims of such data breaches were in the United States, which was hit with 59 percent of the breaches. Meanwhile, 14 percent of the breaches were in the United Kingdom, while almost the same, 11 percent, were in Australia. As for what to do, Trustwave’s advice was simple if not necessarily easy to follow: “Secure all of your data, and don’t lull yourself into a false sense of security just because you think your payment card data is protected. Assess your entire set of assets – from endpoint to network to application to database.”

Some basic standards do apply here, like the use of passwords with numbers, letters and symbols as much as possible and even the use of a password manager system. Business owners, meanwhile, need to apply particularly strong protection methods, especially when a franchise model of business is operating. It can be difficult to balance the need for protection with the need for easy access for those who should have access, but it’s a balancing act that needs to happen for the sake of the system’s continued operation.

Say Hello to the ‘Theftie’

Mobile phone theft is a serious problem, and while a number of measures have been suggested to counter this, from registration systems to remote smartphone kill-switches, one of the best methods may already be in our phones right now. Lookout, a firm specializing in security, recently launched a new feature geared toward using that method to take down mobile device thieves using a method it calls the “theftie.”

Those who subscribe to Lookout’s software suite already get some impressive features, but now, there’s a bit of an extra benefit here. Should a device be stolen, and said thief tries to do something suspicious with said device, the device will not only fire off an email alert, but it will also take a picture using the front-facing camera and then send that off as well along with a map of the phone’s current location. That picture—a sort of unexpected selfie for thieves—is being called the “theftie”, a name that’s not universally well-received within Lookout.

As for what constitutes “something suspicious,” that varies by operating system. While Android devices will get alerts for turning on a phone’s airplane mode, turning off the device, and pulling out the SIM card, iOS devices will only issue alerts for airplane mode activation and SIM card removal, due to, at last report, limitations within iOS itself. There’s also a provision, at last report, for things like inputting the wrong password too many times or trying to uninstall activated security software, and users have some control over just what behaviors will trigger an alert lest the whole thing start to feel a bit too much like spam. Naturally, the alerts aren’t foolproof, and largely depend on the thief holding the phone just right to take a legible theftie, and the phone having access to some breed of wireless connection.

Given that, according to data offered up by Lookout, 10 percent of smartphone owners have had a phone stolen, it’s clear that there’s an issue here. The Federal Communications Commission chips in by noting that one in three robberies in the United States involves mobile device theft, though that number goes much higher depending on location, up to around 75 percent of robberies in Oakland and 67 percent in San Francisco. That only serves to underline the severity of the problem.

Give Lookout due credit for trying to take on the problem of mobile device theft, but its approach seems to be a bit too limited to do a whole lot of damage to the mobile theft problem. Too much depends on specific triggers and environment; if that thief gets the phone out into the middle of nowhere, or even into a building or basement where a signal can’t reach, Lookout is suddenly blinded. With mobile device makers starting to include security mechanisms onboard the devices—Apple has its “activation lock” which requires an Apple ID and password to reactivate a locked device, and Samsung has its “reactivation lock” which prevents unlocking locked devices even with a factory reset—the problem may well drop in severity on its own.

Still, any method to protect a mobile device is one worth considering, and Lookout’s thefties may go a long way in terms of preventing theft. Only time will tell just how well it works, though, especially given the growing number of ways there are to protect a mobile device.

ANCILE uAlign now Available Under SAP Communication Center Solution

One of the greatest benefits of the Internet is its ability to teach students at every level at their own convenience. This has encouraged some of the top institutions of higher learning in the world to provide a large portion of their curriculum for free to anyone with Internet access. While not everyone can provide free education, the technology has allowed many organizations to offer on-demand learning, real-time performance support, specialized training and online certification to a wider audience. This gives individuals who want to upgrade their education and skill level more opportunities no matter where they are. ANCILE Solutions, provider of learning and performance enablement software solutions, has used the Internet to deliver educational services around the world, and looks to continue by gaining more users.

In order to make its products and services available to a wider audience, the company has entered into an agreement with SAP AG to resell the ANCILE uAlign under the name SAP Communication Center solution by ANCILE.

The agreement lets SAP deliver the solution as a cloud offering to give customers the ability to validate communications to support operational compliance, sales enablement, on-boarding, and micro-learning needs. Organizations will be able to deliver bite-sized content on any device to anyone/anywhere/anytime. This allows businesses the ability to analyze the impact of real-time information delivery to a wide range of participants no matter where they are with uAlign.

As more employees use mobile technology to work outside the office and collaborate with other employees, the more they need a solution that simplifies the process without compatibility issues. The ANCILE uAlign is a platform that allows all parties to communicate effectively while confirming who’s seen, who’s understood, and who’s taken the needed action.

The ability to reliably ask if the entire team is acting on the most current information and get an accurate answer is a game changer. Teams will no longer have to wonder whether anyone in the communication loop has missed a critical piece of data. The uAlign solution provides closed-loop, action-oriented communications to deliver operational compliance, propel sales force enablement, communicate HR policies and procedures, or deliver microlearning.

Some of the features of uAlign include:

  • Targeted messaging across the entire value chain: employees, partners, vendors, suppliers and others with engaging messages and calls to action
  • Drive comprehension, efficiency and output
  • Simple content and message creation with an intuitive authoring interface
  • An embedded multimedia solution for adding attachments and link to external content such as eLearning courses
  • Fast delivery of messages
  • A mobility driven platform with a cloud-delivered solution that is optimized for viewing on mobile browsers and an available iOS app

“This latest addition to the SAP portfolio not only complements the functionality available in SAP Productivity Pak, but SAP Communication Center also expands the communication tools in SuccessFactors Learning and SAP Jam. We developed uAlign to address a void with current communications tools. With uAlign, we’ll help organizations answer the question ‘Are my team members compliant with our processes and performing with the most current information?’” said ANCILE CEO Frank Lonergan.

ANCILE Solutions provides validated action-based communications software to more than half of the Fortune 100, and has been chosen by more than 4,400 customers with over 19 million users around the world.

Activation Lock Protecting iPhone Users Against Thieves Better Than Imagined

While the iPhone is being beat by Android in terms of the number of models sold, Apple has still managed to put together a package that has frustrated thieves since the first iPhone hit the market. Find my iPhone has always been the go-to way for people to make sure that if they misplace their iPhone or have it stolen, they can find it and the thief quickly. Of course, there are some ways to get around this program and the longer the device has been out on the market, the easier it has become to find those workarounds.

A relatively new feature, which was launched in 2013, is basically killing the joy thieves find by taking a person’s iPhone and turning it into cold hard cash. In some of the world’s biggest cities, Activation Lock has acted as a final line of defense for iPhone users. This particular solution has a kind of kill feature that renders an iPhone useless when taken away from the owner.

Since this particular solution was first launched, Reuters is reporting that the volume of iPhones that have been stolen in New York has dropped by 25 percent, 40 percent in San Francisco and by 50 percent in London. This activation lock was rolled out alongside iOS 7 in September of 2013 and means that someone needs your Apple ID and password in order to erase and reactivate a device. This means that people who are looking to resell a phone or iPad for a quick buck are going to be thwarted.

It was the leaders in New York, San Francisco and London that have been talking the most about getting smartphone makers to install these kinds of kill switches. Now that iPhone has had so much success with Activation Lock, Android is following suit with its own Factory Reset Protection. Pretty soon, it doesn’t appear trying to steal a smartphone will be worth the effort.

Blackberry and Google Join Forces to Secure Android Devices

Blackberry Limited has announced that it is partnering with Google to enable BES12, a cross-platform EMM solution by Blackberry, to manage devices that are linked to Android for Work.

Android for Work was created by Google as a solution to BYOD’s problem of personal data and applications interfering with work data and applications. That mixing poses a security threat to companies’ confidential information and users’ personal data. Android for Work now lets users separate business and personal applications on any Android device. Now, users never have to worry about mixing work and play.

The BES12 solution backs Android for Work, and will integrate with the Android OS to create platform-level containerization, eliminating the need for application wrapping. The Blackberry software will help provide organizations with the easiest and most secure way to manage Android for Work. BES12 will be supported by Blackberry’s mobile security, scalable architecture and network infrastructure. BES12 will provide world-class global support, a unified administration console and end-to-end security.

“BlackBerry is working with Google to provide customers with solutions they can confidently deploy on all major mobile platforms within their organization,” said Billy Ho, Executive Vice President, Enterprise Products and Value Added Solutions, BlackBerry. “Android for Work with BES12 will provide customers with another option to enhance their mobile security and the productivity of their employees, and the peace of mind that they will not have to relinquish any control over corporate data, sacrifice user experience or introduce more complexity into their environments.”

The Android Official Blog has announced that Android for Work is up and running. The platform will provide work profiles, Google Play for Work, built-in productivity tools, secure business applications and much more. There are over one billion people using Android smartphones every day, and the company hopes to utilize the type of tool our smartphones have the potential to become. In partnership with Blackberry and Google, Android is helping businesses bring devices to work securely and create productive business environments.

Kaspersky Lab’s Threat Forecast for 2014 Coming to Fruition

The digital world resembles the Wild West when it comes to how cyber criminals are roaming the environment looking to exploit vulnerabilities. Even though there are lawmen trying to stop the outlaws, their numbers around the world make it impossible to catch everyone. As one of the good guys, Kaspersky Lab has been fighting for more than 16 years to provide reliable digital security solutions for consumers, large enterprises and SMBs around the world.

The Kaspersky forecast is eagerly anticipated because of the potential threats it highlights, giving everyone a glimpse of the dangers they will face in the coming months. The threat forecast for 2014 was published in December of 2013, and three months after the prediction, all three of their ‘end user forecasts’ were confirmed.

The company said privacy would be targeted, and in February Kaspersky detected the first Android Trojan that uses a domain in the .onion pseudo zone as a C&C (command and control) server.

Money was also one of the predicted targets, and Trojans were spread through mobile platforms to steal money with malicious apps. The global reach of the Faketoken mobile banking Trojan affected 55 countries around the world including Germany, Sweden, France, Italy, the U.K. and the U.S.

Bitcoin was the last forecast and the hack of MtGox resulted in the company filing for bankruptcy after losing hundreds of millions of dollars. A malware written after the personal blog and Reddit account of MtGox CEO, Mark Karpeles was hacked continued searching for and stealing Bitcoin wallet files from victims.

The report for the first quarter of 2014 points to a growing trend in which there are more attacks. The first alarming number is the increase in mobile malware, with Kaspersky documenting 299,950 samples so far in the year. That is over 100,000 more than the total for the whole of 2013, which stood at 189,626. This was to be expected as more people continue to migrate to mobile solutions, but the numbers are extraordinary.

Additional reports in the quarter include:

At least one web-based attack was detected by 33.2 percent of user computers in the world in the past three months, which was a 5.9 percent decrease during the same period the previous year.

The web attacks carried out using malicious web resources came from many different countries, but 39 percent of neutralized web attacks came from the U.S. and Russia, which was 5 percent higher for both countries than in Q1 of 2013.

Mobile attacks targeting Android exceeded 99 percent of all mobile malware.

A major cyber-espionage incident was detected in February targeting confidential information belonging to state agencies, embassies, energy companies, research institutes and private investment companies, as well as activists from 31 countries. The Mask, or Careto, is considered by Kaspersky to be one of the most advanced threats currently out there, leading the company to conclude it could be a state-sponsored operation.

“As well as new incidents, we saw the continuation of campaigns that had seemingly already ended. For instance, after cybercriminals had shut down all the known command servers involved in the Icefog operation, we detected a Java version of the threat. The previous attack had primarily targeted organizations in South Korea and Japan, but the new version, judging by the IP addresses tracked, was only interested in US organizations,” commented Alexander Gostev, chief security expert, Global Research and Analysis Team.

Securing ICTs May Take $22 Billion By 2019

Anyone who’s been online lately knows that it’s a pretty risky world out there. Between the old standbys like viruses and malware and attempts at identity theft, and the growing issues like botnets, ransomware and Bitcoin mining viruses, it’s getting to be a dangerous place to be. But beyond the threats the user sees is the wider array of threats that go right after the sources. Things like distributed denial of service (DDoS) attacks and the backup such attacks can receive from network time protocol (NTP) servers all add up to make an even more hazardous environment. Sufficiently hazardous, according to new reports from ABI Research, that the cost of defending against such attacks might ultimately reach $22 billion by 2019 alone.

The report, “Cybersecurity Strategies and Risk Management Market Research,” noted that essentially, there was a combination of factors that drove that huge number. First, there were a variety of firms involved in the figures, ranging from broadcasters and Internet service providers (ISPs) to telecommunications firms and carriers. Indeed, the report notes that these four types of firms will represent the bulk of where the cash will be coming from to provide security to the systems in question. Such firms won’t be the sole source of cash to pay for all that extra security, however, as hardware makers will also have a piece of this action, and so too will governments.

Second, there are a host of issues requiring defending against. As noted previously, there are all the standard threats and some new ones as well, and getting into the threats at the corporate level is even more distressing. Not only are there new threats like NTP amplification for DDoS attacks—reports suggest that some DDoS attacks have reached levels of fully 500 GB/s, which means a whole lot of traffic flooding systems—but there are also threats from the rise of 4G LTE service. Among those concerns are current “threat actors,” as such users are called, who bring the skills and knowledge gained in more land-based attacks to take on the airwaves. What’s more, there are also issues of things like identity theft of subscribers, as well as fraud in issues of revenue sharing.

There is some help here, as a set of new standardized protocols are making headway, and so too are new algorithms powering security mechanisms. But these still have some ways to go before such are in wide use, and that in turn will help drive some of the costs involved.

One of the great principles in something like this is simple: what one hacker can do, another can undo. The term “hacker” is used generically, of course, and simply reflects those of skill in the field. But it also does a fine job of reflecting the nature of computer security as we know it: every time one advance emerges, an equal and opposite advance tends to emerge in a bid to counter that advance. This constant back-and-forth between those who would behave badly in systems—those “threat actors” as noted previously—and those who would protect systems means a constant need for fresh resources to help fuel the next stage of advancements.

Either way, though, it means a major source of revenue for some astute firms out there, as the drive to break systems is met by the need to protect said systems. That means a lot of opportunity afoot, and many more new developments to come overall.

Galaxy S4 Cloud Backup Presents Security Risk

Android phones have long gotten a bad rap for the state of their security, especially lately as the number of available apps containing malware has risen. However, it turns out that even if Galaxy S4 users take care in what apps they download, they might still be at risk of falling victim to scams or malware. China-based Internet security company Qihoo 360 has uncovered a vulnerability in the phone’s cloud backup service that would allow the phone’s SMS message system to be compromised.

If exploited, this vulnerability would let malicious software affect the phone’s user in two different ways. First, it could be used to send SMS messages that the phone’s owner is unaware of and didn’t authorize, including texts to enroll them in premium messaging services. Second, the software could fake incoming messages, making it look like the user’s friends, family or even their bank is messaging them. This makes users far more likely to fall for phishing scams; we’re much more likely to give out sensitive data when we’re sure we’re sending it to someone we trust.

Qihoo 360 has released a temporary fix for the vulnerability. Samsung, for its part, is already working on a fix to the problem, but users may want to either disable the cloud backup service or use Qihoo 360’s solution until the official fix is released. This is far from the first time that SMS messaging has been used to scam consumers, however, and the issue doesn’t just occur with Android users. In fact, products exist for the sole purpose of protecting cell phone users against spam, phishing and malware propagated through SMS.

Although it’s certainly useful for users to be aware of the risks associated with text messaging and phishing scams, the truth of the matter is that the most significant risk to smartphone users is still lost phones; with studies suggesting that one in 10 users have lost their phones at one point, the easiest way to keep the data in one’s phone secure is simply by keeping a better eye on

Have You Thought about How to Deal with Security Breaches?

Security is a big deal now, especially since “bring your own device” (BYOD) erupted and became the concern of literally every business that doesn’t operate from within a cave lined with lead walls. As a business, you’re walking in murky territory if you haven’t designed a mobile security strategy and a business continuity plan in case that fails. Nothing drills straight into the heart of any enterprise more than a data breach.

To see how easy it is to compromise a business using merely a smartphone, you only need to look at a couple of examples, like one that demonstrates how iPhones can be hacked by using a phone charger. Even creepier is the FaceNiff app that allows people to hack into other people’s networks by stealing their cookies. Businesses with any number of employees run a high risk of falling into these traps that may affect them negatively in the long run.

While it’s clear that you can’t foolproof your business entirely, you can make sound policies that help deal with these issues when they arise. This would require a proactive approach, and AT&T’s Business Continuity Study found that almost 90 percent of the 100 UK businesses with annual revenues of more than $25 million it surveyed have a contingency strategy in place. 94 percent of executives, according to the survey, have made it clear that their organizations have a continuity plan in case of a disaster.

The danger is in BYOD, obviously. The study concluded that 83 percent of executives are concerned with the impact of mobile devices and network on their security. But only 40 percent of them actually made any effort to create a BYOD policy.

Dave Langhorn, VP of AT&T’s UK and Ireland branch, said, “The research results show us that UK businesses are not taking any chances when it comes to protecting their technology infrastructure and assets. Business continuity planning has gone from being a theoretical possibility to a practical and very real priority, with many organizations investing in new technologies such as cloud services to help strengthen and expand their overall continuity strategies.”

AT&T is offering its enterprise customers business continuity services that help businesses prepare for the worst and manage their risks. That might be a place to start.

NIST’s 6 Steps Approach To Secure Enterprise Mobile Devices

The National Institute of Standards and Technology has recently created security guidelines for managing mobile devices titled, “Guidelines for Managing the Security of Mobile Devices in the Enterprise”. This newly released guide is the revised version of its initial publication on managing mobile device security, which was published back in 2008. In a news statement, NIST pointed out that the revised guidance has been designed to address the needs of the fast-evolving mobile device landscape.

NIST’s initial guidance was published at a time when the mobile device landscape was less complex, with the Apple iPhone just making its appearance and no sign of the Apple iPad. No wonder the name of the guidance—Special Publication 800-124: Guidelines on Cell Phone and PDA Security—was outdated.

Here is how NIST’s current guidance evolved to address today’s complex mobile device security management needs.

While the original version dedicated some 1½ pages to defining PDAs (personal digital assistants), the revised version does not even mention them. Basic cell phones weren’t covered in the guidance because of their minimal computing capability and limited security options. The guidance also pointed out that cell phones face limited threats, which today is no longer true.

The new guidance explains the security concerns inherent in mobile device use and the ways devices can be kept protected throughout their life cycles. Users will learn about various technology options for managing security on their mobile devices.

The guidance covers enterprise-issued devices as well as the bring-your-own device trend.

NIST’s new guidance offers enterprises a step-by-step tutorial on managing mobile devices in a secure environment.

According to the guidance, the first step for an organization should be to work out a sound mobile device security policy, clearly defining:

  1. Which types of the organization’s resources may be accessed via mobile devices
  2. Which types of mobile devices – for example, organization-issued devices vs. BYOD – are permitted to access the organization’s resources
  3. The degree of access that various classes of mobile devices may have
  4. How provisioning should be handled

The second step, according to the guidance, involves developing system threat models for mobile devices and the resources that are accessed through the devices. Since these devices are typically exposed to higher risks than the other types of devices like laptops and desktops, they would need additional layers of protection.

In the third step, the organizations need to consider the merits of each provided security service, determine which services are needed for their environment and then design and acquire one or more solutions that collectively provide the necessary services. The companies should acquire security services in the areas of general policy, data communication and storage, and user and device authentication and applications.

The fourth step requires the organizations to implement and test a mobile device solution before putting it into production. Before implementing just any solution, the organizations should evaluate certain aspects of the solution including connectivity, protection, authentication, application functionality, solution management, logging and performance.

The fifth step, and one of the most vital, involves securing each organization-issued mobile device before allowing a user to access it. This ensures a basic level of trust in the device before it is exposed to threats. The users need to regularly maintain mobile device security by checking for upgrades and patches and acquiring, testing and deploying them; ensuring that each mobile device infrastructure component has its clock synced to a common time source; reconfiguring access control features as needed; and detecting and documenting anomalies within the mobile device infrastructure, including unauthorized configuration changes to mobile devices.

The sixth and final step requires the organizations to perform periodical assessments to confirm that their mobile device policies, processes and procedures are being properly followed. Passive assessment activities include reviewing logs, while active assessments may include vulnerability scans and penetration testing.
