Nearly half of all security breaches come from vulnerabilities that are between two and four years old, according to this year’s HP Cyber Risk Report entitled The Past Is Prologue.
The annual report found that the most prevalent problems came as a result of server misconfiguration, and that the primary causes of commonly exploited software vulnerabilities are defects, bugs and logic flaws.
But perhaps most disturbing of all was the news that Internet of Things (IoT) devices and mobile malware have introduced a significant extra security risk.
The entire top 10 vulnerabilities exposed in 2014 came from code written years, and in some cases decades, previously.
The news comes in the same week that HP took a swipe at rival Lenovo for knowingly putting Superfish adware into its machines.
“Many of the biggest security risks are issues we’ve known about for decades, leaving organisations unnecessarily exposed,” said Art Gilliland, senior vice president and general manager for enterprise security products at HP.
“We can’t lose sight of defending against these known vulnerabilities by entrusting security to the next silver bullet technology. Rather, organisations must employ fundamental security tactics to address known vulnerabilities and, in turn, eliminate significant amounts of risk.”
The main recommendations of report are that network administrators should employ a comprehensive and timely patching strategy, perform regular penetration testing and variation of configurations, keep equipment up to date to mitigate risk, share collaboration and threat intelligence, and use complementary protection strategies.
The threat to security from the IoT is already well documented by HP, which released a study last summer revealing that 90 percent of IoT devices take at least one item of personal data and 60 percent are vulnerable to common security breaches.
More than a week after a massive cyber attack on Sony Pictures Entertainment, the Hollywood studio isstill struggling to restore some systems as investigators searched for evidence to identify the culprit.
Some employees at the Sony Corp entertainment unit were given new computers to replace ones that had been attacked with the rare data-wiping virus, which had made their machines unable to operate, according to a person with knowledge of Sony’s operations.
In a memo to staff seen by Reuters, studio co-chiefs Michael Lynton and Amy Pascal acknowledged that “a large amount of confidential Sony Pictures Entertainment data has been stolen by the cyber attackers, including personnel information and business documents.”
They are “not yet sure of the full scope of information that the attackers have or might release,” according to the memo first reported by Variety, and encouraged employees to take advantage of identity protection services being offered.
Their concern underscores the severity of the breach, which experts say is the first major attack on a U.S. company to use a highly destructive class of malicious software that is designed to make computer networks unable to operate.
Government investigators led by the FBI are considering multiple suspects in the attack, including North Korea, according to a U.S. national security official with knowledge of the investigation.
The FBI said Tuesday that it is working with its counterparts in Sony’s home country of Japan in the investigation.
That comes after it warned U.S. businesses on Monday about hackers’ use of malicioussoftware and suggested ways to defend themselves. The warning said some of the software used by the hackers had been compiled in Korean, but it did not discuss any possible connection to North Korea.
Researchers last week warned they uncovered Heartbleed, a bug that targets the OpenSSL software commonly used to keep data secure, potentially allowing hackers to steal massive troves of information without leaving a trace.
Security experts initially told companies to focus on securing vulnerable websites, but have since warned about threats to technology used in data centers and on mobile devices running Google Inc’s Android software and Apple Inc’s iOS software.
Scott Totzke, BlackBerry senior vice president, told Reuters on Sunday that while the bulk of BlackBerry products do not use the vulnerable software, the company does need to update two widely used products: Secure Work Space corporate email and BBM messaging program for Android and iOS.
He said they are vulnerable to attacks by hackers if they gain access to those apps through either WiFi connections or carrier networks.
Still, he said, “The level of risk here is extremely small,” because BlackBerry’s security technology would make it difficult for a hacker to succeed in gaining data through an attack.
“It’s a very complex attack that has to be timed in a very small window,” he said, adding that it was safe to continue using those apps before an update is issued.
Google spokesman Christopher Katsaros declined comment. Officials with Apple could not be reached.
Security experts say that other mobile apps are also likely vulnerable because they use OpenSSL code.
Michael Shaulov, chief executive of Lacoon Mobile Security, said he suspects that apps that compete with BlackBerry in an area known as mobile device management are also susceptible to attack because they, too, typically use OpenSSL code.
He said mobile app developers have time to figure out which products are vulnerable and fix them.
“It will take the hackers a couple of weeks or even a month to move from ‘proof of concept’ to being able to exploit devices,” said Shaulov.
Technology firms and the U.S. government are taking the threat extremely seriously. Federal officials warned banks and other businesses on Friday to be on alert for hackers seeking to steal data exposed by the Heartbleed bug.
Companies including Cisco Systems Inc, Hewlett-Packard Co, International Business Machines Corp, Intel Corp, Juniper Networks Inc, Oracle Corp Red Hat Inc have warned customers they may be at risk. Some updates are out, while others, like BlackBerry, are rushing to get them ready.
The Pentagon’s top research lab Darpa is planning a new classified cyberwarfare project. However it is not just about building the next Stuxnet, “Plan X” is designed to make online strikes a more routine part of U.S. military operations.
According to Wired, the move will mean that the US will “dominate the cyber battlespace” and force other nations to become born-again Christians, drink coke, watch rubbish telly, get fat, play with Apple gear and give all their cash to the very rich and other core US values.
“Plan X” will enable building tools to help warplanners assemble and launch online strikes in a hurry. It will also require software to assess the damage caused by a new piece of friendly military malware before it’s unleashed. One of the priorities is to get a map so generals to watch the fighting unfold in real time.
Darpa said that Plan X is explicitly not funding research and development efforts in vulnerability analysis or cyberweapon generation. “Plan X” aims to solve both problems simultaneously, by automatically constructing mission plans that are as easy to execute as “the auto-pilot function in modern aircraft,” but contain “formal methods to provably quantify the potential battle damage from each synthesized mission plan,” Darpa said.
Sony’s corporate credit rating has been downgraded by finance company Standard and Poor’s, with the group citing the lack of a likely recovery for the company’s core business in the near future.
The company is now rated A- for long term borrowing and A-2 for short term loans.
“The CreditWatch listing is based on our view that the likelihood of Sony’s weak earnings persisting has increased as there are no signs of a halt to the deterioration in the earnings of the company’s core flat panel TV business,” read a statement from the company.
“In addition, Sony’s financial burden is likely to increase in tandem with the company’s making Sony Ericsson a wholly owned subsidiary. Taking these factors into consideration, we have concluded that we need to review the prospects for Sony’s operating and financial performance and verify the effects on the rating.”
The area of Sony’s business which includes both flat-panel TVs and the PlayStation business registered a loss of $449 million during a recent financial report marking a third consecutive year in the red for the company as a whole. That period of losses is expected to continue next year.
“Standard & Poor’s will resolve the CreditWatch listing after meeting with Sony management and verifying the prospects for an earnings recovery in the company’s mainstay electronics business and improvement in its financial soundness for the next few years,” continued the company’s statement.
For an in-depth view on the current financial and business position which Sony occupies, read our Sony Stock Ticker piece from GamesIndustry.biz contributor Rob Fahey, published yesterday.
A mock Internet where the Pentagon can practice cyberwar games — complete with software that simulates human behavior under multiple military threat levels — is due to be up and running in a year’s time, according to a published report.
Called the National Cyber Range, the computer network mimics the architecture of the Internet so military planners can study the effects of cyberweapons by acting out attack and defense scenarios, Reuters says.
Planning for the Cyber Range was carried out by Lockheed Martin, which won a $30.8 million Defense Advanced Research Projects Agency (DARPA) grant, and Johns Hopkins University Applied Physics Laboratory, which won $24.7 million.
Cyber Range plans call for the ability to simulate offensive and defensive measures of the caliber that nations might be able to carry out. DARPA wants the range to support multiple tests and scenarios at the same time and to ensure that they don’t interfere with each other. “The Range must be capable of operating from Unclassified to Top Secret/Special Compartmentalized Information/Special Access Program with multiple simultaneous tests operating at different security levels and compartments,” according to DARPA’s announcement of the project.
In addition to the public version of the project, DARPA has issued a classified appendix that sets down more requirements.
“A goal of the NCR program is to develop a toolkit that the government may provide to any party it authorizes to conduct cyber testing at any authorized facility,” the DARPA Cyber Range document says.
According to the schedule for the project, Lockheed and Johns Hopkins should have produced a prototype Cyber Range for review by now. DARPA picks which one actually gets built.
If it weren’t so serious,it would be laughable. Hackers have once again breached Sony Corp’s computer networks and accessed the information of more than 1 million customers. This latest break in was designed to show the vulnerability of the electronic giant’s systems.
LulzSec, a group that claims attacks on U.S. PBS television and Fox.com, said it broke into servers that run Sony Pictures Entertainment websites. It published the names, birth dates, addresses, emails, phone numbers and passwords of thousands of people who had entered contests promoted by Sony.
“From a single injection, we accessed EVERYTHING,” the hacking group said in a statement. “Why do you put such faith in a company that allows itself to become open to these simple attacks?”
The security breach is the latest cyber attack against high-profile firms, including defense contractor Lockheed Martin and Google Inc.
LulzSec’s claims came as Sony executives were trying to reassure U.S. lawmakers at a hearing on data security in Washington about their efforts to safeguard the company’s computer networks, which suffered the biggest security breach in history in April.
Sony has been under fire since hackers accessed personal information on 77 million PlayStation Network and Qriocity accounts, 90 percent of which are users in North America or Europe.
Sony said it was investigating the breach claimed by LulzSec and declined to elaborate.
The latest attack, unlike that on the PlayStation Network, was not on a revenue-generating Website and was likely to have no impact on earnings, analysts said.