Monthly Archives: November 2013

Best practices for safely moving data in and out of the cloud

As everyone knows, cloud provider Nirvanix recently fell apart, declaring bankruptcy and leaving its customers in the lurch. Nirvanix gave enterprises less than a month to move their data to a new home. To avoid the fate of those customers, follow these best practices for safely moving data in and out of the cloud.

Due diligence: financials first

The Cloud Security Alliance’s February 2013 report, “The Notorious Nine: Cloud Computing Top Threats in 2013,” identified a lack of due diligence as a continuing threat to cloud computing. When enterprises do look into cloud providers, their view of things is a bit lopsided. “Cloud consumers place too much emphasis on information assurance and privacy, or focus on cost reduction and savings at the expense of investigating the financial health of candidate providers,” says John Howie, COO of the Cloud Security Alliance.

Retrieved from NetworkWorld

Banking malware infections rise to highest level since 2002

Malicious software aimed at stealing online banking credentials surged in the third quarter of this year to a level not seen since 2002, according to a new report from Trend Micro.

The security vendor said it counted more than 200,000 new infections from July through September, the highest number it has recorded in a three-month period in 11 years. Between April and June, Trend counted 146,000 infections.

The infections were less concentrated in Europe and the Americas and were more distributed throughout the globe, indicating that cybercriminals are diversifying the banking customers they target.

The most affected countries were the U.S., which made up 23 percent of the new infections, followed by Brazil at 16 percent and Japan at 12 percent.

Other top countries affected included India, Australia, France, Germany, Vietnam, Taiwan and Mexico, Trend Micro’s report said.

The malware found was usually ZeuS, also known as Zbot, which dates back to 2006.

Cybercriminals plant ZeuS on websites that then attack visitors and install the malware if the visitor’s computer has an unpatched software vulnerability. Once installed, it can steal online banking credentials and send the details to a remote server, among many other malicious functions.

Trend Micro noted that it also saw KINS, a malicious software program modeled after ZeuS, along with Citadel, a banking credential stealer widely seen in Japan and elsewhere.

Retrieved from ComputerWorld

IBM’s government cloud gets FedRAMP approval

IBM’s SmartCloud for Government now has the U.S. government-sanctioned FedRAMP approval that should make it easier for IBM to sell cloud technologies into multiple government agencies.

All cloud providers wanting to provide IT infrastructure under government contracts must be certified under the Federal Risk and Authorization Management Program (FedRAMP) by June 2014. Amazon Web Services, which is increasingly seen as a big rival to IBM — especially after beating IBM to win the CIA cloud contract — got its approval in May. Microsoft Windows Azure got its accreditation in September.

The SmartCloud for Government does not yet incorporate technology from SoftLayer, the cloud provider IBM bought for about $2 billion in June. An IBM spokesman said the company is preparing a SoftLayer government cloud, which should be available early next year and will “achieve all the necessary security requirements as well.” IBM recently notified users of its SmartCloud Enterprise product that they will be transitioned over to SoftLayer, according to a VentureBeat report.

Other accredited providers are Akamai, AT&T, Autonomic Resources, CGI Federal, Hewlett-Packard and Lockheed Martin.

The stakes are huge. The U.S. government’s Cloud First initiative is pushing agencies to deploy more IT on cloud as a cost-saving and efficiency-boosting measure. That means tens of billions in spending over the next few years. After next year’s deadline, vendors have to be approved to compete for those jobs.

Retrieved from GIGAOM

5 disturbing BYOD lessons from the FAA’s in-flight electronics announcement

Last week, the Federal Aviation Administration (FAA) moved to let passengers use their smartphones and tablets during airline take-offs and landings. At first glance, this seems like a victory for reasonableness, productivity, and looking out for the rights of technology end users. Even The New York Times said “the  agency won unusually broad praise from pilots, flight attendants and members of Congress, along with passengers.”

But a closer look reveals that the FAA has in fact unwittingly written a guide to what NOT to do when creating a Bring Your Own Device (BYOD) policy – which is essentially what this is. The FAA’s policy may be a step in the right direction for fliers, but it remains plagued with vague instructions, unsupported reasoning, and painfully convoluted processes. Smart IT departments can learn some useful lessons from it as they wrestle with managing how their users are supposed to work with various devices and access corporate networks.

1. It’s confusing. Any techie worth his pocket protector knows that workable policies have to be clear to everyone. How can users do what they’re supposed to do if they can’t even figure out what they’re supposed to do? And the FAA’s policy has so many caveats, exceptions, and implementation variables that even flight attendants don’t have a clue about what’s acceptable – much less passengers.

2. It’s unenforceable. Say what you will about the old rules, at least you could tell from the aisle whether someone was using a banned device. But you can’t tell if a device is in airplane mode without making the user hand it over – which isn’t supposed to be part of the new rules. A good thing, too: Can you imagine a corporate BYOD policy that let IT folks demand execs hand over their smartphone like policemen asking for your papers?

3. Its logical underpinnings are suspect. Banning the use of portable electronics during take off and landing was based on the possibility that they could cause interference with airplane navigation systems. It turned out there was little evidence of that. But the FAA still says cellphone calls could disrupt radio communications, and the new approach actually makes it more likely for that to happen. If these things really are dangerous – and all the exceptions seem to indicate that they could be in certain cases – then why are we so eager to let people do this?

4. It throws ultimate responsibility on to the users. Instead of setting a single policy, the FAA is now requiring every airline to get an individual safety certification for each type of airplane it flies. Planes that may be more vulnerable to radio interference may have different rules. Oh, and if there’s bad weather and low visibility (estimated to be about 1% of the time), the airlines may be required to make passengers shut down their devices. That’s right?

5. It undermines respect for other rules. This whole thing is a complete debacle, from the patently ridiculous old rules to the confusing, illogical, and unenforceable new ones that airlines are required to interpret on the fly. It all adds up to making the FAA and the airlines look stupid and out of touch, and erodes passengers’ willingness to follow other – presumably more important – regulations. And that could have truly disastrous consequences.

Retrieved from NetworkWorld

‘Operation Hangover’ hackers exploit latest Windows zero-day

The unpatched vulnerability in Windows that Microsoft acknowledged on Tuesday has been used by a known Indian hacker group responsible for earlier “Operation Hangover” attacks, security company Symantec said yesterday.

The gang behind Operation Hangover is believed to be based in India, and the bulk of the first round of cyber-espionage attacks, which were discovered in May, were aimed at its neighbor and long-time adversary Pakistan.

“After analyzing the payloads being used in this attack, we have identified that the targeted emails are part of an attack campaign known as Operation Hangover,” Symantec said in a blog, referring to the newest campaign that relies on the Microsoft zero-day vulnerability to hijack and infect Windows PCs.

Microsoft issued a security alert Tuesday, saying that a vulnerability in the TIFF image-format parsing component of Windows was being exploited in attacks aimed at targets in the Middle East and South Asia, the latter region representing countries like India and Pakistan.

The attacks Symantec captured used malicious Word documents attached to emails with subject headings such as “Illegal Authorization for Funds Transfer” and “Problem with Credit September 26th 2013.”

It was the first time that the Hangover group has used a zero-day vulnerability in its attacks, Symantec said.

Researcher Haifei Li of security company McAfee was the first to find and report the unpatched bug to Microsoft. The Redmond, Wash., company’s security team was alerted of the vulnerability Oct. 31.

According to Li, the exploit uses multiple XML objects to “spray the heap memory,” a technique more than a decade old in which the attacker fills large regions of the heap with many copies of attacker-controlled data so that a corrupted pointer is very likely to land on that data, rather than having to know the exact address where the actual attack code sits.

“It is worth [noting] that this heap-spraying in Office via ActiveX objects is a new exploitation trick which we [haven’t] seen before,” Li wrote earlier this week.

Microsoft’s own researchers confirmed the ActiveX-based heap-spray tactic in a detailed description published on its Security Research & Defense blog Tuesday.
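The heap-spray idea itself, as an added illustration written for this page (it is not code from the article, McAfee or Microsoft, and nothing in it reproduces the Office/TIFF exploit): many identical blocks consisting of a run of one-byte NOPs followed by a marker byte that stands in for the payload are allocated, and a pointer landing anywhere inside any block “slides” forward onto the marker. It also shows why the sled has to precede the payload: with the marker at the start of each block, only a pointer to exactly offset 0 succeeds. The block count, block size and marker byte are arbitrary choices made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NOP    0x90   /* x86 one-byte nop: execution slides over it harmlessly */
#define MARKER 0xCC   /* stands in for the first byte of the real payload (assumed) */

typedef struct {
    unsigned char **blocks;
    size_t count;       /* number of sprayed blocks */
    size_t size;        /* bytes per block */
} spray_t;

void spray_free(spray_t *s)
{
    if (!s->blocks) return;
    for (size_t i = 0; i < s->count; i++)
        free(s->blocks[i]);
    free(s->blocks);
    s->blocks = NULL;
    s->count = 0;
}

/* Allocate `count` blocks of `size` bytes. With sled_first != 0 each block is
 * NOP...NOP MARKER (the usual layout); otherwise MARKER NOP...NOP (the wrong
 * layout, kept to show why it fails). Returns 0 on success, -1 on failure. */
int spray_alloc(spray_t *s, size_t count, size_t size, int sled_first)
{
    if (size < 2 || count == 0) return -1;
    s->blocks = calloc(count, sizeof *s->blocks);
    if (!s->blocks) return -1;
    s->count = count;
    s->size = size;
    for (size_t i = 0; i < count; i++) {
        s->blocks[i] = malloc(size);
        if (!s->blocks[i]) { spray_free(s); return -1; }
        memset(s->blocks[i], NOP, size);
        s->blocks[i][sled_first ? size - 1 : 0] = MARKER;
    }
    return 0;
}

/* Index of the block that contains p, or -1 if p is outside the spray. */
static long spray_find_block(const spray_t *s, const unsigned char *p)
{
    uintptr_t a = (uintptr_t)p;
    for (size_t i = 0; i < s->count; i++) {
        uintptr_t lo = (uintptr_t)s->blocks[i];
        if (a >= lo && a < lo + s->size) return (long)i;
    }
    return -1;
}

/* Simulate control flow arriving at an arbitrary address p: "execute" NOPs
 * forward until something else is found. Returns the number of sled bytes
 * traversed if that something is the MARKER, or -1 if p is outside the spray
 * or the slide runs off the end of the block (a real exploit crashes here). */
long spray_slide(const spray_t *s, const unsigned char *p)
{
    long idx = spray_find_block(s, p);
    if (idx < 0) return -1;
    const unsigned char *end = s->blocks[idx] + s->size;
    long steps = 0;
    while (p < end && *p == NOP) { p++; steps++; }
    return (p < end && *p == MARKER) ? steps : -1;
}

/* Build a spray, land at `offset` inside block `block`, tear it down and return
 * the spray_slide result (-2 if the allocation itself failed). */
long spray_trial(size_t count, size_t size, int sled_first, size_t block, size_t offset)
{
    spray_t s;
    if (spray_alloc(&s, count, size, sled_first) != 0) return -2;
    long r = (block < count && offset < size) ? spray_slide(&s, s.blocks[block] + offset) : -1;
    spray_free(&s);
    return r;
}

int main(void)
{
    /* 256 blocks of 64 KiB = 16 MiB of sled; real sprays are often far larger. */
    long good = spray_trial(256, 64 * 1024, 1, 100, 12345);  /* wild pointer into block 100 */
    long bad  = spray_trial(256, 64 * 1024, 0, 100, 12345);  /* same landing, payload-first layout */
    printf("sled-then-payload: %s (%ld sled bytes)\n", good >= 0 ? "reached payload" : "crashed", good);
    printf("payload-then-sled: %s\n", bad >= 0 ? "reached payload" : "crashed");
    return 0;
}
```

The two trials in main land on the same offset of the same block; only the sled-then-payload layout reaches the marker, which is the whole reason a spray can tolerate not knowing where the corrupted pointer will point.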

Retrieved from ComputerWorld

‘War Room’ notes describe IT chaos at Healthcare.gov

WASHINGTON — On the morning of Oct. 1 in Washington, temperatures in the low 80s were expected, the Republican-engineered federal shutdown was in its first day, and a Healthcare.gov “War Room” team gathered for a meeting. They kept notes.

Many federal offices were empty that day due to the shutdown-caused furloughs of federal employees. But Oct. 1 was also the day of the launch of the Affordable Care Act’s Healthcare.gov Website, the main portal to sign up for insurance under the new law. Trouble tickets quickly piled up, and wait times for help desk responses grew to as much as five hours.

At some points in the days immediately following the launch, there were 40,000 people in virtual “waiting rooms” because capacity had been reached. Some were waiting 15 to 20 minutes in these rooms.

The War Room notes, 175 pages in all, were released Monday by U.S. Rep. Darrell Issa (R-Calif.), who chairs the House Oversight and Government Reform Committee. (PDF War Room notes) Issa, a critic of the health care law, is using the notes to draw attention to the limited number of insurance sign-ups so far. Just six people signed up on the first day.

The War Room notes also catalog IT problems — dashboards weren’t showing data, servers didn’t have the right production data, third party systems weren’t connecting to verify data, a key contractor had trouble logging on, and there wasn’t enough server capacity to handle the traffic, or enough people on the help desks to answer calls. To top it off, some personnel needed for the effort were furloughed because of the shutdown.

One note posed this question: “Given the computer system issues, should we be saying that paper is better for now?” That course was never taken.

The War Room notes don’t reflect any of the frustration, worry or anger that might have been present. They simply lay out the plan’s action items, issues and challenges concisely.

There’s no reaction, for instance, to President Obama’s criticism on Oct. 21 when he said that the website “has been too slow, people have been getting stuck during the application process.”

At the onset, the federal officials were searching for a root cause of the capacity issues, and seemed to fix much blame on the enterprise identity management system, which they described as a choke point. There are also multiple references to increasing server capacity.

The team did decide to add “consumer-friendly” messages for customers caught up in the online crush.

As the extent of the availability and performance problems became ever clearer, managers were lining up volunteers for weekend work. Many federal employees, even though they were deemed essential, weren’t being paid during the shutdown. But there were bureaucratic complications. For instance, according to one note: “Donna’s comp time approver is furloughed.”

Another note also addressed the furlough: “Casework team was furloughed yesterday, but called back in today.”

In the initial rollout, a needed service from the Dept. of Veterans Affairs site was down, and another system used for income verification was “creating confusion with credit check information.” Help desks assigned to various issues were quickly expanded.

By week two of the rollout, “about 60% of applicants are getting into healthcare.gov without sitting in the waiting room, up from 5-10% earlier last week,” the notes said. Capacity improvements were working. “Additional servers are making it easier to get in,” according to the notes. Federal officials say they will have all problems resolved by the end of this month.

Retrieved from ComputerWorld

When will cybersecurity become a major campaign issue?

Cyber incidents continue to rise.

The number of confirmed cyber attacks reported by federal agencies has skyrocketed over the past six years, from 5,503 in 2006 to 48,562 in 2012. The U.S. Defense Department says it faces 10 million attempted cyber intrusions every single day, as does the National Nuclear Security Administration. The Chinese have hacked the Romney campaign and the Syrians have hacked the Obama campaign. Just about everybody agrees that the cyber threat is going to get worse before it gets better.

So why isn’t cybersecurity a major campaign issue these days for our nation’s politicians?

If you ask politicians, they’ll tell you that cybersecurity doesn’t resonate with voters the way the economy, jobs and controversial social issues do. People will get a lot more worked up about abortion, guns or manufacturing jobs than hackers who take down a government Web site for a few hours. If you ask voters, they’ll tell you that only a handful of Internet-savvy politicians – people such as U.S. Senator Cory Booker – have the right background to understand a wonky topic like cybersecurity and its implications for national security, and that they themselves don’t really understand the topic. Right now, cybersecurity is one of those issues that’s still in the “awareness” phase.

Los Angeles Mayor Eric Garcetti is showcasing cybersecurity. (Nick Ut/Associated Press)

However, cybersecurity’s ability to resonate as a campaign issue at the national level could change soon as more elected officials begin to roll out their own cybersecurity initiatives at the local level. In Los Angeles, for example, newly-elected mayor Eric Garcetti is making cybersecurity a showcase of the city’s infrastructure modernization program. Los Angeles recently created the first-of-its-kind Cyber Intrusion Command Center, designed to protect the city’s public infrastructure — everything from its international airport and harbor to its water supply and grid — from hackers or foreign cyber threats. The new command center is designed to work hand in hand with the FBI and Secret Service to detect threats or possible intrusions and then respond in real-time.

In other cities across America, it’s easy to see how a tough stance on cybersecurity — especially at the mayoral level — could be folded into a candidate’s “tough on crime” platform. In this year’s New York City mayoral election, for example, the one charge against mayoral hopeful Bill de Blasio that seemed to stick was that he was somehow soft on crime and would return New York City to the scary days of the 1970s. Now imagine a few cybersecurity ads posted in the New York City subway, alongside those omnipresent “if you see something, say something” ads. That might get a few people talking about cyber threats.

But cybersecurity is not just a security issue, it’s also an economic issue. And that’s where cybersecurity really has the opportunity to raise its national profile. Economic losses from cybercrimes at top companies ultimately impact the ability of municipalities to collect taxes, and that’s especially true in regions that are dependent on the defense industry. In addition, cybersecurity is emerging as a mini-cottage industry of its own when it comes to creating new jobs. Instead of bragging about bringing manufacturing jobs to a region, candidates could be bragging about creating jobs for the next generation of cybersecurity experts.

However, until there is a large-scale cyber attack that threatens the nation’s infrastructure, there is simply not enough momentum for cybersecurity to become a major campaign issue that mobilizes the electorate. You can trot out all the statistics you want about cyber attacks, but how well is that going to play in America’s heartland? Think back to 2012 – how many times did we actually hear about cybersecurity during the presidential campaign? Until now, the topic of cybersecurity has popped up as a potential topic in a handful of debates, but that’s about it.

Cybersecurity is like global terrorism before 2001 – it’s something that percolates in the background until something tragic happens that moves the issue front and center. As voters go to the polls across America Tuesday, many will consider issues such as jobs, economic growth and a candidate’s stance on a specific social issue in deciding how to vote. Few, if any of them, will consider the candidate’s ability to deal with the world’s expanding cyber threats. Fast forward to 2016 and the presidential election, though, and it’s possible to see how cybersecurity could become an important part of a candidate’s stance on national security — especially if “the cyber Pearl Harbor” we keep hearing about actually happens.

Retrieved from WashingtonPost

Social Media Policy Offers Dos and Don’ts for Employees

Is social media part of your job? Many employees, not just those in marketing, are being asked to use their personal social networking accounts on behalf of their companies.

Social media works best when companies target a social network — such as Facebook, Twitter, Tumblr, Instagram and Pinterest — with their marketing message in hopes of reaching and piquing the interest of social media influencers, which, in turn, can lead to a viral buzz with massive exposure. Nearly every employee needs to participate in order to pull it off.

Echoing this sentiment, Xerox’s social media policy succinctly states the following: “Individual interactions represent a new model, not mass communications, but masses of communicators.”

Social Media Can Be Risky Business

For companies, there’s an element of danger in asking employees to spout off on social networks. After all, the public corporate image is at risk. Employees also risk offending the company and losing their jobs. Social media in the enterprise is littered with tales of employees getting sacked.

There needs to be clear communication between employer and employee on how employees should behave on social networks, in the form of a written policy, not just for their safety but also to be more effective. We’re still in the heady days of the social revolution where missteps happen all the time.

Xerox, for instance, has a social media policy for employees with social media as part of their formal job description, but it apparently didn’t save a call center employee who says she was fired for an Instagram posting. DeMetra “Meech” Christopher claims she never saw the social media policy because social media wasn’t officially part of her job.

Nevertheless, Xerox’s social media policy, which supplements a general Code of Business Conduct policy, provides a starting point for better communication between employer and employee in the social revolution. It’s also worth a closer look, because it helps employees become better social networkers.

The 10-page social media policy opens with general ethical guidelines and goes on to cover best practices in blogging, microblogging (e.g., Twitter), message boards, social networking and video-audio sharing.

Among the general guidelines, Xerox employees are urged to get training in search optimization principles from a local Web expert. When discussing Xerox-related matters that might encourage someone to buy Xerox products or services, employees are required by the Federal Trade Commission to clearly identify themselves.

If employees are publishing content outside of Xerox, they should use a disclaimer such as, “The postings on this site are my own and don’t necessarily represent Xerox’s position, strategies or opinions.”

Employees need to write in the first person to give a sense of individual accountability. They shouldn’t become embroiled in public disputes or use sarcasm, ethnic slurs, personal insults, obscenity, “or engage in any conduct that would not be acceptable in Xerox’s workplace,” states the policy. “You should also show proper consideration for others’ privacy and for topics that may be considered objectionable or very sensitive — such as politics and religion.”

Xerox serves up helpful tips for employees to become better bloggers, social networkers and contributors on message boards. Writing tips read like an English 101 composition class. They range from having an objective before tapping the keyboard to using your natural voice to always telling the truth. Employees should act professionally when confronted with inaccurate information or negative comments. Also, don’t write when you’re unhappy, the policy advises.

Tips for Twitter, Facebook and YouTube

Micro-blogging tips are a little more straightforward, such as understanding that tweets can become part of your permanent record and that employees shouldn’t comment on every single post lest followers see them as some sort of Big Brother.

Employees should give credit to people who retweet their messages, while avoiding too much marketing hype, which will turn off followers. “Don’t make a professional account too personal, but don’t lack personal touch either,” the policy says.

On Facebook, employees should visit other Xerox pages regularly and engage with the content. “By commenting or clicking ‘like’ on postings, your friends see your activity in their newsfeeds and, as a result, may become a fan of other Xerox-related pages,” the policy says.

When shooting video for YouTube, employees shouldn’t post personal information about themselves or others. The videos should have the same tone of voice and look-and-feel as other Xerox videos. Titles should have searchable keywords, and videos need to be placed in similar categories (probably next to competitors’ videos), so that videos can be found. Videos should have catchy descriptions, as well as a link back to the Xerox website.

Lastly, keep them short. “Be mindful of appropriate video length,” the policy says. “Effective videos can be as short as 30 seconds. The longer a video, the tougher it is to keep viewers engaged.”

What If Your Job Doesn’t Involve Social Media?

Employees who work with social media as part of their jobs can learn the basic rules from policies such as Xerox’s, but policies need to go further both in depth and breadth. Perhaps a social media policy needs to be created for all employees regardless of job function.

As the line between work life and social life, physical world and digital world increasingly blurs, employers and employees need to know what they can and cannot do with social media — and, of course, how to use social media effectively.

Retrieved from NetworkWorld

New malware variant suggests cybercriminals targeting SAP users

A new variant of a Trojan program that targets online banking accounts also contains code to search if infected computers have SAP client applications installed, suggesting that attackers might target SAP systems in the future.

The malware was discovered a few weeks ago by Russian antivirus company Doctor Web, which shared it with researchers from ERPScan, a developer of security monitoring products for SAP systems.

“We’ve analyzed the malware and all it does right now is to check which systems have SAP applications installed,” said Alexander Polyakov, chief technology officer at ERPScan. “However, this might be the beginning for future attacks.”

When malware does this type of reconnaissance to see if particular software is installed, the attackers either plan to sell access to those infected computers to other cybercriminals interested in exploiting that software or they intend to exploit it themselves at a later time, the researcher said.

Polyakov presented the risks of such attacks and others against SAP systems at the RSA Europe security conference in Amsterdam on Thursday.

To his knowledge, this is the first piece of malware targeting SAP client software that wasn’t created as a proof-of-concept by researchers, but by real cybercriminals.

SAP client applications running on workstations have configuration files that can be easily read and contain the IP addresses of the SAP servers they connect to. Attackers can also hook into the application processes and sniff SAP user passwords, or read them from configuration files and GUI automation scripts, Polyakov said.

There’s a lot that attackers can do with access to SAP servers. Depending on what permissions the stolen credentials have, they can steal customer information and trade secrets or they can steal money from the company by setting up and approving rogue payments or changing the bank account of existing customers to redirect future payments to their account, he added.

There are efforts in some enterprise environments to limit permissions for SAP users based on their duties, but those are big and complex projects. In practice most companies allow their SAP users to do almost everything or more than what they’re supposed to, Polyakov said.

Even if some stolen user credentials don’t give attackers the access they want, there are default administrative credentials that many companies never change or forget to change on some instances of their development systems that have snapshots of the company data, the researcher said.

With access to SAP client software, attackers could steal sensitive data like financial information, corporate secrets, customer lists or human resources information and sell it to competitors. They could also launch denial-of-service attacks against a company’s SAP servers to disrupt its business operations and cause financial damage, Polyakov said.

SAP customers are usually very large enterprises. There are almost 250,000 companies using SAP products in the world, including over 80 percent of those on the Forbes 500 list, according to Polyakov.

If timed correctly, some attacks could even influence the company’s stock and would allow the attackers to profit on the stock market, according to Polyakov.

Dr. Web detects the new malware variant as part of the Trojan.Ibank family, but this is likely a generic alias, he said. “My colleagues said that this is a new modification of a known banking Trojan, but it’s not one of the very popular ones like ZeuS or SpyEye.”

However, malware is not the only threat to SAP customers. ERPScan discovered a critical unauthenticated remote code execution vulnerability in SAProuter, an application that acts as a proxy between internal SAP systems and the Internet.

A patch for this vulnerability was released six months ago, but ERPScan found that out of 5,000 SAProuters accessible from the Internet, only 15 percent currently have the patch, Polyakov said. If you get access to a company’s SAProuter, you’re inside the network and you can do the same things you can when you have access to a SAP workstation, he said.

Retrieved from ComputerWorld

British man charged with hacking NASA and US military computers

A British man has been charged with hacking into U.S. government computers and stealing personal data about thousands of employees, then bragging about it on Twitter.

Lauri Love, 28, was arrested Friday at his home in Stradishall, England, according to a statement from the U.S. Attorney’s Office for the District of New Jersey. He is charged with one count of accessing a U.S. department or agency computer without authorization and one count of conspiracy.

Over the past year, Love and three unnamed co-conspirators—two living in Australia and one in Sweden—allegedly planted malware on government computers in order to steal data, according to an indictment filed in District Court in New Jersey.

The group, which planned its attacks over Internet Relay Chat (IRC), compromised agencies including NASA, the U.S. Defense Department’s Missile Defense Agency, the U.S. Army’s Network Enterprise Technology Command and the Environmental Protection Agency, among others.

They are alleged to have obtained personal information of more than 4,000 employees for the Missile Defense Agency and “numerous” NASA employees, according to the indictment. The group allegedly publicized their attacks on Twitter.

Government databases were attacked using SQL injection, in which attacker-supplied input is placed into a Web application’s database queries so that the back-end database executes it as part of the query. The attackers also gained access to government computers by exploiting vulnerabilities in ColdFusion, Adobe Systems’ Web application development platform.

In an attempt to avoid detection, the group allegedly channeled its attacks through proxy servers and used Tor, an anonymity network that routes encrypted traffic through a series of relays around the world to hide its origin.

The indictment alleges the attacks “collectively resulted in millions of dollars in damages to the government victims.”

Love could face up to five years in prison and a US$250,000 fine for the two New Jersey charges. He has also been charged in U.S. District Court for the Eastern District of Virginia for related intrusions, prosecutors said.

Retrieved from PCWorld