The mandatory disclosure plans are designed to cover organisations that run “critical national infrastructure”, the definition of which will impact firms such as Apple, Facebook and Google.
“Operators of critical infrastructures in some sectors, enablers of information society services and public administrations must adopt risk management practices and report major security incidents on their core services,” the EC said.
The EC defines information society services as “app stores, e-commerce platforms, internet payment, cloud computing, search engines, social networks”.
This would mean huge firms like Apple, Facebook, Google, Microsoft, Amazon and Twitter would have to publicise breaches, which could cause major security and trust concerns among consumers.
Various agencies contacted these firms for comment on the proposals but had received no reply at the time of publication.
The plans were originally unveiled in December 2012, when the EC promised to instigate new laws forcing businesses to disclose data on significant incidents within 24 hours.
Lawyer Stewart Room from Field Fisher Waterhouse said the proposals could have a huge impact on the technology world.
“Essentially, the internet as a whole has now been recognised as part of critical infrastructure, just like utilities. Until now, cyber security law has focused on telcos and ISPs, the trunk and access layers of e-comms if you like, but the change brings in ‘over the top providers’,” he said.
“No doubt the EU will play down the cost of implementing the law, but such claims should be resisted – the cost will be massive to the internet economy.”
In the past the security community has been hostile to the idea of forced disclosure. When the policy was announced in 2012 many security researchers claimed the policy would do more harm than good, warning the strategy’s 24-hour disclosure deadline was too short.
But passwords played a part in the perfect storm of users, service providers and technology failures that can result in epic network disasters. Password-based security mechanisms — which can be cracked, reset and socially engineered — no longer suffice in the era of cloud computing.
The problem is this: The more complex a password is, the harder it is to guess and the more secure it is. But the more complex a password is, the more likely it is to be written down or otherwise stored in an easily accessible location, and therefore the less secure it is. And the killer corollary: If a password is stolen, its relative simplicity or complexity becomes irrelevant.
Password security is the common cold of our technological age, a persistent problem that we can’t seem to solve. The technologies that promised to reduce our dependence on passwords — biometrics, smart cards, key fobs, tokens — have all thus far fallen short in terms of cost, reliability or other attributes. And yet, as ongoing news reports about password breaches show, password management is now more important than ever.
All of which makes password management a nightmare for IT shops. “IT faces competing interests,” says Forrester analyst Eve Maler. “They want to be compliant and secure, but they also want to be fast and expedient when it comes to synchronizing user accounts.”
Is there a way out of this scenario? The answer, surprisingly, may be yes. There’s little consensus on what the best solution will be, but consultants and IT executives express optimism about the future. They cite technologies such as single sign-on, two-factor authentication, machine-to-machine authentication and better biometrics as ways to strengthen security — eventually. For now, each still has its drawbacks.
A freshly discovered Linux rootkit could give researchers insight into evolving malware techniques.
Security researchers have started issuing reports on an unnamed and previously unknown Linux rootkit posted earlier this month to a security mailing list.
While early analysis found that the attack is relatively crude and insecure by Windows rootkit standards, the attack has caught the eye of security vendors because it appears to be a commercially designed sample rather than a targeted attack.
Researchers believe that the rootkit is intended to attack web servers, infecting 64-bit Linux kernels and then injecting further attack code into web pages.
The discovery of the rootkit could indicate that cyber criminals are increasingly looking to infect Linux systems with sophisticated attacks. Rootkits, which run at the operating system kernel level of a system, have emerged as a favourite means for avoiding detection by conventional anti-virus software.
“Although the code quality would be unsatisfying for a serious targeted attack, it is interesting to see the cyber-crime-oriented developers, who have partially shown great skill at developing Windows rootkits, move into the Linux rootkit direction,” security firm Crowdstrike wrote in its analysis of the malware sample.
“The lack of any obfuscation and proper HTTP response parsing, which ultimately also led to discovery of this rootkit, is a further indicator that this is not part of a sophisticated, targeted attack.”
Crowdstrike researchers went on to suggest that the attack is likely the work of a contracted malware developer and has since been modified by the buyer.
Marta Janus, a researcher with Kaspersky Lab, suggested that the attack could also signal a shift away from high-level attacks on HTTP servers to more sophisticated methods that infect the server itself and poison hosted web pages.
“This rootkit, though it’s still in the development stage, shows a new approach to the drive-by download schema and we can certainly expect more such malware in the future,” Janus wrote.
Kaspersky Lab has confirmed that it is working on an operating system for industrial control systems (ICS), claiming it can create one that is more secure than those from Apple, Microsoft or the open source community.
Rumors have been flying that Kaspersky Lab has been working on an operating system, and Eugene Kaspersky confirmed that the firm has been working on an ICS operating system that he claims will be more secure than efforts by Apple, Microsoft and the open source community. According to Kaspersky, the firm’s efforts will be “highly tailored” rather than a general purpose operating system and will not allow background activity by processes.
Kaspersky gave two reasons why his firm’s efforts will be better than others, saying, “First: our system is highly tailored, developed for solving a specific narrow task, and not intended for playing Half-Life on, editing your vacation videos, or blathering on social media. Second: we’re working on methods of writing software which by design won’t be able to carry out any behind-the-scenes, undeclared activity. This is the important bit: the impossibility of executing third-party code, or of breaking into the system or running unauthorized applications on our OS; and this is both provable and testable.”
Kaspersky also stated the bleeding obvious when he said that existing security measures are ineffective against contemporary threats. However, given that his firm, among many other security vendors, has been happily peddling what is clearly ineffective software, it is quite a stretch to think that a Kaspersky Lab developed operating system will be any better. The firm is also taking a risk with its reputation by creating an operating system that many security researchers will see as a bullseye target at a high profile security vendor.
Kaspersky did not say when his firm expects to roll out its operating system.
Kaspersky Lab has discovered three Flame spyware related malware threats that it said use “sophisticated encryption methods”.
Kaspersky claims that it uncovered the three new hostile programs while analysing a number of Command and Control (C&C) servers used by Flame’s creators.
“Sophisticated encryption methods were utilised so that no one, but the attackers, could obtain the data uploaded from infected machines,” the firm’s statement read.
“The analysis of the scripts used to handle data transmissions to the victims revealed four communication protocols, and only one of them was compatible with Flame.
“It means that at least three other types of malware used these Command and Control servers. There is enough evidence to prove that at least one Flame-related malware is operating in the wild.”
The discovery of the three programs indicates that Flame’s Command and Control platform was being developed in 2006, four years earlier than first thought.
Flame was originally uncovered in May targeting Iranian computer systems. The malware drew widespread concerns within the security industry regarding its advanced espionage capabilities.
“It was problematic for us to estimate the amount of data stolen by Flame, even after the analysis of its Command and Control servers,” said Kaspersky’s chief security expert, Alexander Gostev.
Following the discovery of the three new related programs, Kaspersky’s chief malware expert Vitaly Kamluk told The INQUIRER that Flame is not the only one in this big family.
“There are others and they aren’t just other known malwares such as Stuxnet, Gauss or Duqu,” he said. “They stay in the shadows and no one has published anything about them yet. Others were probably used for different campaigns.”
Kamluk added that it is “very possible” there are more than the three listed in Kaspersky’s report.
“They started building RedProtocol, yet another ‘language’ for unknown malware. No known client types are using that one, which means that there is even more malware out there,” he added.
Security experts have found new Zeus malware which targets Android and BlackBerry mobile phones. Kaspersky Lab said it found four new Zeus-in-the-mobile (Zitmo) samples targeting BlackBerry users in Germany, Spain and Italy. Denis Maslennikov, a researcher at Kaspersky Lab, wrote on the company’s Securelist blog that the variants were communicating with two command-and-control mobile phone numbers in Sweden.
Zitmo is a version of the Zeus malware that specifically targets mobile devices. There were three .cod files and one .jar file with a .cod file inside. The BlackBerry variants were the same as other Zitmo versions in the wild, other than grammatical corrections, Maslennikov said.
Maslennikov also found a new Zitmo variant for Android using the same command and control (C&C) numbers as the BlackBerry versions. BlackBerry has avoided being a target for malware despite its significant install base amongst enterprises and government agencies.
Dropbox, whose cloud storage service is widely used, said in a statement that “we know it’s frustrating not to get an update with more details sooner, but please bear with us as our investigation continues.”
On the company’s user forum, an apparent Dropbox employee wrote early Wednesday morning that the company had brought in a team of outside experts but so far had no reports of unauthorized activity on accounts. A 20-minute outage on Tuesday afternoon was not connected with the spam, he wrote.
The spam appears to be linked with Dropbox since many users reported only receiving the spam on an email address used only for Dropbox. The spam, written in German, English and Dutch, advertises gambling websites, according to users on Dropbox’s forum.
The spam came fast and furious for some, with one user reporting that five spam emails arrived within 11 minutes. Forum users theorized on how the breach of the addresses may have occurred, whether through a vulnerability within Dropbox or some other compromise.
“It may very well be that the Dropbox database has been compromised externally or internally,” wrote one user. “This would be a very serious issue and we should all leave the service if this was the case, given that security is their business, but let’s give them a chance to see if it’s some external factor.”
Accusations that an Android-based botnet is churning out spam may in fact be false; instead, the spam may be a sign that criminals are exploiting bugs in the Yahoo Mail app for Google’s mobile operating system, a security firm has said.
“There’s no smoking gun, but my guess is that it’s not malware,” said Kevin Mahaffrey, co-founder and CTO of San Francisco-based Lookout Security, essentially dismissing the botnet possibility. “It’s more likely an issue with the Yahoo Mail app.”
Lookout has discovered what Mahaffrey called “potential security issues” in Yahoo’s Android app, and reported its findings to the California search company’s security team.
“They’ve acknowledged that they’re looking into and working on these [issues], but until they complete their investigation, we are not disclosing any more information,” Mahaffrey said in an interview last Friday.
News first circulated Tuesday about a possible Android-based botnet — if accurate, a first — when Terry Zink, a program manager for Microsoft’s enterprise-grade Forefront security product team, reported that spam messages were originating from Yahoo’s servers and being sent from Android devices.
Other security researchers, including those at U.K.-based Sophos, reached the same conclusion after analyzing some of the spam messages.
Google has denied that the spam is being sent by an Android botnet.
“I’m pleased to announce that we have updated our original bug reporting process into a paid ‘bug bounty’ program,” PayPal’s Chief Information Security Officer Michael Barrett said in a recent blog post.
Cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection (SQLi) and authentication bypass vulnerabilities will qualify for bounties, the amount of which will be decided by the PayPal security team on a case-by-case basis. Researchers need to have a verified PayPal account in order to receive the monetary rewards.
PayPal follows in the footsteps of companies like Google, Mozilla and Facebook that have implemented security reward programs for their online services during the last couple of years. “While a small handful of other companies have implemented bug bounties, we believe we are the first financial services company to do so,” Barrett said.
The bug-bounty programs run by Google, Mozilla and Facebook have had positive results so far, Barrett said. “I originally had reservations about the idea of paying researchers for bug reports, but I am happy to admit that the data has shown me to be wrong — it’s clearly an effective way to increase researchers’ attention on Internet-based services and therefore find more potential issues.”
The new bug-bounty program will help PayPal reduce the number of vulnerabilities in its websites, but they won’t disappear completely, Marius Gabriel Avram, a security engineer at U.K.-based security firm RandomStorm said via email.
A previously unknown hacking group claimed responsibility for a hacking attack on a county school system in Tennessee that may have exposed the names, Social Security Numbers and other personal data belonging to about 110,000 people.
The group, which called itself Spex Security, later posted 14,500 of the compromised records online and has threatened to post more. Those affected by the breach include an unknown number of former and current students and employees of the Clarksville-Montgomery County (CMCSS) School System.
In a message on Pastebin.com, an individual who appeared to be a member of the group suggested the intrusion at CMCSS was carried out as retaliation for its “belligerence.”
“To be clear here, we gave Tennessee a chance to comply and they didn’t, therefore, this is the consequence they’ll have to swallow,” the rambling message stated.
“Our primary suspects include the U.S Government for torturous and deceptive acts on our own soil, the Educational system for exuberantly being blown-over and belligerently not patching the holes in their system, and anybody else who partook a role in the Murder of America.”
Elise Shelton, a CMCSS spokeswoman, said school system officials learned of the breach from the Clarksville Police Department, which received a tip from a caller.
The school system was able to confirm the breach on Monday and immediately took the site offline, she said. As of Wednesday afternoon, the main CMCSS.net site was still down, and there was no indication of when it will be restored, she said.
Investigators are still trying to determine what happened and it is not yet clear when the breach might have occurred or how it was done, Shelton said. It is also not immediately clear whether all the records that the hackers claimed to have accessed came from the CMCSS system, she said.
Leading cyber experts warned of a shortage of talented computer security experts in the United States, making it extremely difficult to keep corporate and government networks safe at a time when attacks are on the rise.
Symantec Corp Chief Executive Enrique Salem told the Reuters Media and Technology Summit in New York that his company was working with the U.S. military, other government agencies and universities to help develop new programs to train security professionals.
“We don’t have enough security professionals and that’s a big issue. What I would tell you is it’s going to be a bigger issue from a national security perspective than people realize,” he said on Tuesday.
Jeff Moss, a prominent hacking expert who sits on the U.S. Department of Homeland Security Advisory Council, said that it was difficult to persuade talented people with technical skills to enter the field because it can be a thankless task.
“If you really look at security, it’s like trying to prove a negative. If you do security well, nobody comes and says ‘good job.’ You only get called when things go wrong.”
The warnings come at a time when the security industry is under fire for failing to detect increasingly sophisticated pieces of malicious software designed for financial fraud and espionage and failing to prevent the theft of valuable data.
Moss, who goes by the hacker name “Dark Tangent,” said that he sees no end to the labor shortage.
“None of the projections look positive,” said Moss, who serves as chief security officer for ICANN, a group that helps run some of the Internet’s infrastructure. “The numbers I’ve seen look like shortages in the 20,000s to 40,000s for years to come.”
The malware business growing around Google Android — now the most popular smartphone operating system — is still in its infancy. Today, many of the apps built to steal money from Android users originate from Russia and China, so criminal gangs there have become cyber-trailblazers.
Sophos and Symantec on Wednesday released their latest Android malware discoveries written in Russian. While the language narrows the number of potential victims, the social-engineering tactics used to get Android users to install the malware is universal. The gang tracked by Sophos is using fake antivirus scanners, while Symantec is tracking cybercriminals using mobile websites to offer bogus versions of popular games.
Sophos says the criminals are like other entrepreneurs launching startups. They’re starting in Russia, but have far greater ambitions.
“I don’t think we can say that they’re necessarily using it as a testing ground — think of it more as a local business that as it grows may gain multinational ambitions,” Graham Cluley, senior technology consultant at Sophos, said in an email interview on Wednesday.
While criminals today are writing consumer-focused apps, it’s only a matter of time before the hackers go after corporate data, particularly if the number of people accessing employers’ networks with personal devices continues to grow, experts say. Android is the leading smartphone OS.
In the first quarter, 56% of the smartphones sold ran Android, compared with 23% with Apple iOS, according to the latest figures from Gartner.
It appears that more than 30,000 WordPress blogs have been infected in a new wave of attacks from a cybercriminal gang which wants to distribute rogue antivirus software.
Security outfit Websense said that more than 200,000 infected pages that redirect users to websites displaying fake antivirus scans have been created. The latest compromises are part of a rogue antivirus distribution campaign that has been going on for months, the Websense researchers said.
Cybercriminal gangs have switched to drive-by download attacks that exploit vulnerabilities in outdated browser plug-ins to automatically download and install their rogue software. The large number of infected Web pages seen in this campaign is an indication that these scams still work. Vulnerable websites are a rich source of opportunity for cybercriminals. More than 85 percent of the compromised sites were located in the US, but their visitors were geographically dispersed.
NASA said hackers stole employee credentials and used the information to gain access to mission-critical projects last year in 13 major network intrusions that could compromise U.S. national security.
National Aeronautics and Space Administration Inspector General Paul Martin testified before Congress this week on the breaches, which appear to be among the more significant in a string of security problems for federal agencies.
The space agency discovered in November that hackers working through an Internet Protocol address in China broke into the network of NASA’s Jet Propulsion Laboratory, Martin said in testimony released on Wednesday. One of NASA’s key labs, JPL manages 23 spacecraft conducting active space missions, including missions to Jupiter, Mars and Saturn.
He said the hackers gained full system access, which allowed them to modify, copy, or delete sensitive files, create new user accounts and upload hacking tools to steal user credentials and compromise other NASA systems. They were also able to modify system logs to conceal their actions.
“Our review disclosed that the intruders had compromised the accounts of the most privileged JPL users, giving the intruders access to most of JPL’s networks,” he said.
In another attack last year, intruders stole credentials for accessing NASA systems from more than 150 employees. Martin said his office identified thousands of computer security lapses at the agency in 2010 and 2011.
He also said NASA has moved too slowly to encrypt or scramble the data on its laptop computers to protect information from falling into the wrong hands.
Unencrypted notebook computers that have been lost or stolen include ones containing codes for controlling the International Space Station, as well as sensitive data on NASA’s Constellation and Orion programs, Martin said.
A NASA spokesman told Reuters on Friday the agency was implementing recommendations made by the Inspector General’s Office.
“NASA takes the issue of IT security very seriously, and at no point in time have operations of the International Space Station been in jeopardy due to a data breach,” said NASA spokesman Michael Cabbage.
In a statement provided to the Reuters news service, the security software giant acknowledged that hackers had broken into its network when they stole source code of some of the company’s software.
Previously, Symantec had denied that its own network had been breached, and instead pointed fingers at an unnamed “third party entity” as the attack’s victim. Evidence posted by a hacker nicknamed “Yama Tough” — a self-proclaimed member of a gang calling itself “Lords of Dharmaraja” — indicated that the information was obtained from a server operated by the Indian government.
Two weeks ago, Symantec spokesman Cris Paden said that the hacker made off with source code of Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2, enterprise products between five and six years old.
At the time, Paden downplayed the seriousness of the theft.
Today, however, Paden said that source code of Norton Antivirus Corporate Edition, Norton Internet Security, Norton Utilities, Norton GoBack and pcAnywhere, had been stolen.
Some of those — Norton Internet Security and Norton Utilities — are among Symantec’s most prominent consumer-grade products.
Paden confirmed Yama Tough’s claim when he told Reuters that pcAnywhere users face “a slightly increased security risk” because of the hacker’s activities.
“Symantec is currently in the process of reaching out to our pcAnywhere customers to make them aware of the situation and to provide remediation steps to maintain the protection of their devices and information,” Paden said.