Aunt Sally Returns to Finovate Tomorrow!
For those of you who have wondered what has happened to our favorite fraud victim, fictional Aunt Sally, I am happy to say that she will be making an appearance tomorrow at the Finovate Spring 2012 conference. If you’ve missed hearing about how the criminals have targeted Aunt Sally, tomorrow is your chance to hear about the newest threat that is live in the wild: malware that performs parameter injection.
It’s guaranteed to be fascinating to see the latest way the criminals are targeting banking users. If you’re going to be at Finovate, it would be great to get together, so please come find me!
The 99% Goes Cyber
A group calling themselves L0NGWave99 has threatened a denial of service attack against the externally facing NYSE website. This attack is in support of the “great and rooted 99% movement,” and will include attacks against other exchanges’ externally facing websites as well.
Two thoughts on this. First, is it that big of a deal to DDoS the externally facing NYSE site? While having that site unavailable (in the worst case) would be bad publicity, it doesn’t actually disrupt any markets. Second, the fact that the 99% movement has gone cyber is quite interesting to me. I’m not very political at all, but I’ve been watching with interest the 99% movement. While I understand the frustration these people have, I am struggling to understand their path to solving the problems.
There may have been some other cyber attacks associated with the 99% movement, for example the attack against the BART system in response to wireless access being removed on the train line. But that was in August. At the time I thought we’d see a lot more from Anonymous and other 99%ers. Maybe there were things I missed when I was on maternity leave?
Cybersecurity in the Public Sector
Gartner analyst Steve Hawald noted in recent research that “With daily cyberattacks and new hacker groups being created constantly, cyberspace is a huge challenge for the DoD as well as other government organizations and private companies around the world. Cyberattacks are becoming more sophisticated, more random and more targeted.”
He also noted that “To meet the mission need for more-agile collaboration while still maintaining high levels of security, older cyberdefenses need to be upgraded or replaced to be more effective and efficient. The ability to continuously monitor and regularly evolve security controls is critical.”
Federal organizations, like those in every other sector, are embracing the web as never before to share information, collaborate and conduct business. We are even seeing the government leap into the adoption of technologies like Cloud with the FedRAMP program, where others in the private sector have been much slower to jump on board. This shows that the public sector is working to keep up with new technologies and even set the bar in some instances.
With this growth in technology adoption, particularly as it relates to web-based activity, comes an added opportunity for global cyber espionage, cybercrime, and targeted attacks that could inflict harm on government systems, and in turn, the country.
We see a true need for government organizations to take an additional step in their defense of web-based activity. Traditional security and fraud prevention is no longer enough, and as Gartner’s Steve Hawald mentioned – continuous monitoring and evolution of security controls is critical.
Silver Tail Systems is taking steps to help federal and government agencies better protect their Internet resources with real-time monitoring of web session behavior by opening an office in the Washington D.C. area and partnering with Carahsoft, a trusted government IT solutions provider. These are exciting strides in our continued expansion, and our team is already working tirelessly in the new space. Make sure to take a look at our website for more details!
Anonymous: A Modern Day Robin Hood?
According to SC Magazine’s Dan Raywood, the “hacktivist group Anonymous has announced its intention to steal from banks and ‘bring happiness and gratitude to families around the globe’ with a new campaign called ‘DestructiveSec.’”
This is a classic Robin Hood scenario – stealing from the rich and giving to the poor – but the fact that this campaign is being called ‘DestructiveSec’ is a clear indication that this isn’t a heroic action by any means. As we’ve seen from the data breaches in 2011, it’s apparent that attacks will become more prevalent as time goes on and organizations need a better way to protect themselves and their counterparts. Various hacking groups around the world are infiltrating computer networks and web properties to expose data, which is ultimately a sign of poor security compliance. This is quite scary and even unacceptable for any institution, particularly as many attacks have not been all that sophisticated – they were easily preventable.
With hacking and malware acknowledged as the most prominent types of data security attacks, web-based attacks are no longer limited to sign-on and transactions. Instead, we’re seeing attacks against almost every website function. The only way to stop the impact of cyber criminals is to know immediately that abnormal behavior is occurring, and web session intelligence is key to doing just that.
The actions that are carried out via the web server are defined as the Navigation Layer of a website. Visibility into the Navigation Layer enables organizations to determine whether or not they need to report a potential risk or attack, and ideally limit the exposure to the attack. As more data and functionality are moved to web servers (whether for traditional web browser use or mobile application use), it is critical to monitor this portion of the infrastructure to determine if events are occurring and, where appropriate, alert as close to the first occurrence of the event as possible. Using the Navigation Layer to garner true web intelligence is the surest way to ensure you are monitoring and protecting this critical layer of your infrastructure.
Cybercrime is a growing problem that will continue to increase if organizations don’t begin to take the necessary security precautions, and visibility into the Navigation Layer is a critical component of a corporate security strategy.
Mobile Platform Risk on the Rise in 2012
Each year, Cisco releases a security report about some of the biggest trends of the year, and one of the key findings that most aligns with what we’ve found at Silver Tail Systems is that cybercrimes seem to be much more targeted than in years past. Cybercriminals aren’t producing mass spam nearly as much as they used to and unfortunately it’s the targeted attacks that are even more worrisome because they are much harder for traditional security solutions to detect.
One of the threat areas we (and Cisco) are seeing on the rise is mobile, and this will likely continue in 2012 – particularly as we see commerce and business soar across mobile platforms. According to another recent report, more than $1 million was stolen from Android users in 2011, the annual likelihood of an Android user encountering malware today has increased to 4% from 1% in early 2011, and Android users now have a 36% chance of clicking on an unsafe link – up 6% since July.
Last March we discussed security issues across the Android platform, and as it remains the most popular mobile operating system, it will likely continue to be the most heavily targeted by cybercriminals moving forward. As we know, bad actors are looking for the most return with the least effort, and the mobile platform presents them with a large opportunity as it simply widens the playing field. I know the industry is working toward better mobile security for 2012, and my hope is that the reports that come out a year from now reflect the efforts that so many of us are making.
Protecting Internet Liberties: 2011’s Freedom Online Conference
Governments, companies and civil liberties groups vowed to work to promote online freedom during last week’s two-day Freedom Online Conference at the Foreign Ministry in The Hague. With an emphasis on helping bloggers who operate under oppressive regimes, fourteen countries including the United States were among the parties hoping to create a coalition of like-minded groups to promote Internet freedom.
Opening the Freedom Online conference on Thursday was U.S. Secretary of State Hillary Clinton with a direct call for companies not to sell surveillance tools to authoritarian regimes. Syrian blogger Amjad Baiazy was arrested and tortured in May for expressing his opinion online. Individuals should be able to exercise their human rights and express their opinions, and the Internet provides a channel for them to do just that. This conference helped stress the importance of this particular liberty, and the hope is that there were changes identified that could help protect Internet freedom and also encourage it amongst a larger audience.
While I don’t condone freedom of speech where a person can exploit government systems or individuals online, I classify myself as an advocate for free expression on the Internet, and Hillary Clinton also discussed the fact that the United Nations and the Organization for Economic Cooperation and Development have issued guidelines to advise companies on how to meet their responsibilities and carry out due diligence. The new Global Network Initiative is a forum where companies can work through challenges with other industry partners, academics, investors and activists, and this sort of collaboration is exactly what can be used to stop a number of bad actors on the Internet – cybercriminals being one of them.
Hackers for Hire: The Outsourcing of Cybercrime
A recent post by Brian Krebs talks about the ability for anyone to “purchase” a denial of service (DoS) attack against any website they would like. In the real world, I suppose this is similar to hiring someone to perform a “hit” for you, though the consequences are a bit less damaging. While Brian talks in detail about DoS attacks, I think it warrants mentioning that there have already been other types of attacks that are suspected of being done on a for-hire basis.
The alleged infiltration of the Iranian nuclear facility was likely not carried out by a group who just wanted to cause mischief. There was probably a group that wanted to create a very specific event and needed the appropriate tools to do so. Whether that was “outsourced” to a hacking group or not is up for some debate, but the hypothesis that the attackers were paid for their services has definitely been floated.
There have also been purported cases of loggers hiring hackers to help them defeat the online permitting process.
No matter your viewpoint, it’s hard to ignore that criminals are benefiting from offering their services to the highest bidder. It’s just scary that the highest bidder can acquire these sets of skills – and lack of ethics – on demand.
Online Threats on the Rise in Healthcare
I came across an interesting article over the weekend about a recent data breach that exposed medical records throughout a website. To be honest, I’m surprised that there haven’t been more of these already. As most of you are aware, there has been a national push to provide more access to medical data online. Since there are many ways criminals can use medical data for profit, one would think several cases like this would have previously cropped up.
Why haven’t we seen more of these so far, you ask? It comes down to the process of getting the medical records and other medical-related functionality available online. Gaining access to these resources has taken a longer time than I expected. As usual, I was a little optimistic about how quickly some of this could happen. I have heard of a few start-ups working in this area a couple of years ago, and I thought this business segment would grow rapidly.
On a personal note, in the last year I’ve gotten online access to my own medical records, but it seems like my doctor (a regional conglomerate) has struggled getting people to adopt the tool. Maybe that’s another reason why it has taken so long for a data breach along these lines to occur.
Something else to consider is HIPAA compliance. I’ll be keeping an eye open for how quickly these types of data breach issues make security and cybersecurity an agenda topic in moving medical information to the internet.
Gates Versus Jobs: Whose Platform is More Secure?
In the past week I’ve had two different people tell me about a security incident that happened to them. One had her email and Facebook account compromised and the other had his email account stolen. When I talked to them about the various ways this could have happened, both of them said to me, ‘But that can’t be true! I have a Mac!’
While the security community has come to understand that neither Windows nor MacOS is a bulletproof platform, it is taking the general public a lot longer to come to the same conclusion. People who purchased Apple hardware five years ago could almost always safely assume that they wouldn’t be the victim of hackers. What people didn’t understand is that their security at the time had nothing to do with the overall security of their platform versus another. Instead, it came down to one economic factor: return on investment. Simply stated, if the criminals had to choose one platform to infiltrate, which one had the highest potential for victims, and therefore financial returns? Five years ago the answer was overwhelmingly Windows.
Fast forward to today: Steve Jobs and Apple have done a wonderful job in both producing consumer-friendly devices and marketing those devices, such that the MacOS platform now accounts for a much larger share of the population’s technology. This makes it more lucrative for the criminals to focus some of their efforts on that platform.
So, for those of you who are frustrated because you bought an Apple device thinking it was more secure, you can blame Steve Jobs. His success has created a market for the criminals that didn’t exist before: your hardware.
Enterprise Mobile Security: How are You Enforcing it Among Employees?
A recent article in SC Magazine on risky mobile behaviors that are routine in business focuses on the weakness of enterprise organizations and their policies around mobile device usage. With the rise in corporate functionality and data available online – and now through mobile devices – there is a new inherent threat that these functions will be abused through mobile devices.
It’s become apparent that today’s employees are extremely mobile, always connected and demanding 24×7 access to the corporate network, applications and data via a variety of device types—from laptops to smartphones—irrespective of location. The problem enterprises face today is how to give their employees both flexibility and mobility, while securing the enterprise.
As the mobile device population continues to grow, and with the recent rise in man-in-the-mobile attacks, retailers, banks and credit card providers all need to be aware of the potential dangers associated with making online purchases. Not to mention, with the security of the Android platform coming under fire in early March, security professionals are now recognizing the iPhone as an additional concern. This concept of securing the business and freeing the user is a model that many organizations today are trying to achieve, but it leaves fraud protection specialists like me extremely concerned.
My worry is that mobile technology is advancing much more quickly than any technology we’ve seen before and the security measures required to maintain a level of safety are not able to keep up with the advances. Many users, application developers and companies have yet to really understand that man-in-the-mobile is a very real security threat, as apparent from this latest report from McAfee and Carnegie Mellon University.
My recommendation is that if a company wants to enable access to corporate data from personal devices, proper security procedures are necessary to make sure that users’ sensitive information is not compromised. This includes monitoring all transactions that occur on the internal website – whether through mobile or through a web browser – and making sure any anomalous activity is identified as soon as it occurs. With the future of computing moving at a daunting pace, and as more and more mobile devices operate on the Web, the same foundational Web security principles still apply (monitoring, encryption, anti-virus, etc.). My hope is that security providers can work together to educate customers and make sure they have the tools they need to be better protected.