A photo of little Etan, taken by his father, circulated worldwide in the search that ensued. It was Etan’s photo – the image of an innocent little boy – that caught the attention of the nation and helped raise awareness of the issue of missing children. His disappearance, along with a number of other high-profile cases of missing children in the late 70′s and early 80′s, including Adam Walsh, showed us how ill-prepared we were as a nation to quickly identify and assemble resources in an effort to locate a missing child. These cases became a catalyst for change that brought about a national commitment to help locate and recover missing children. This commitment can be seen most notably today through the work of the National Center for Missing and Exploited Children.

National Missing Children’s Day serves as a reminder of our continued commitment, including our role in making child safety a priority.

A Time to Take 25

In honor of National Missing Children’s Day, the National Center for Missing and Exploited Children recognizes Take 25, an annual campaign designed to raise awareness of of children’s personal safety issues. Take 25 encourages parents, guardians, caregivers and others to spend time talking to kids about their personal safety at home, school, online or when they are just out and about.

I encourage you to Take 25 with your children today!

Resources:
Take 25
Safety Tips
Discussion Guidelines

View the original article here

Some clumsy coding discovered during an analysis of the Shamoon malware has led researchers to conclude that it is probably not related to the Wiper malware that hit some Iranian networks recently and likely isn’t the work of serious programmers.

A prime error appears to come from the main executable — the dropper — which in some systems is launched as a service to create a scheduled task, only the programming works incorrectly due to the date August 15, 2012 being hard-coded into the malware. Thus, if the current year is 2013 or later but the month is earlier than August, the malware reads the date as arriving before the August 2012 checkpoint value.

“This error indirectly confirms our initial conclusion that the Shamoon malware is not the Wiper malware that attacked Iranian systems,” wrote Kaspersky Lab researcher Dmitry Tarakanov in a Securelist post. “Wiper is presumed to be a cyber-weapon and, if so, it should have been developed by a team of professionals. But experienced programmers would hardly be expected to mess up a date comparison routine.”

“Wiper” was the name researchers gave to malware that was discovered earlier this summer on some networks in Iran erasing data from infected machines. Like that malware, Shamoon steals data from infected computers before overwriting the master boot record, rendering compromised machines unbootable. But upon further analysis, researchers realized the two pieces of malware differed.

In an earlier post by another Kaspersky Lab expert, Shamoon was considered an imitation of the earlier malware tied to energy systems. “It is more likely that this is a copycat, the work of a script kiddies inspired by the story. Nowadays, destructive malware is rare; the main focus of cybercriminals is financial profit. Cases like the one here do not appear very often.”

Tarakanov outlined evidence for such a conclusion by examining how the program runs in a typical 32-bit operating system. For instance, the program expects arguments that work like a list of IP addresses linked to computers targeted for infection. When the program runs without such arguments, it must rely on a service it installs locally, called a distributed link tracking server, to ensure the malware reboots and changes workstation configurations whenever the operating system loads.

“There is an easier way to force the OS to run a service at startup – just set up the appropriate option of a particular service,” Tarakanov wrote. “Moreover, ‘TrkSvr’ gets created by malware with that option adjusted to start automatically. Why the author followed this method, with dependencies, is difficult to understand.”

View the original article here

 LAS VEGAS—There is a lot private sector companies can learn from the Federal Bureau of Investigation when it comes to beefing up their security defenses, a former official told attendees at Black Hat security conference.

The private sector has to accept that companies can’t keep focusing on protecting the network perimeter but acknowledge the adversaries are already inside, Shawn Henry, director of the FBI and currently a president of CrowdStrike Services, a division of security startup CrowdStrike, told attendees at the Black Hat security conference. The private sector should bear the responsibility for defending their networks from criminals, lone-wolf attackers, nation states, and corporate espionage, Henry said, calling it a matter of “life and death” if the companies failed to step up.

The FBI had to change their approach and tactics after 9/11, because it was clear terrorists were already inside the country. The best way to catch them once they were in was to work with other intelligence agencies to gather and share better intelligence, Henry said. The private sector has to shift the “paradigm” and approach security as a strategic exercice, collecting and analyzing intelligence before taking concrete steps before the attackers can cause damage.

In his keynote speech on the first day of Black Hat in Las Vegas, Henry laid out five lessons the FBI and other intelligence agencies learned from when dealing with hostage situations in the return world.

The actual tactics used to launch the attacks may be different, but the theory is the same, he said.

Assume you’ve been breached.
Companies are accepting they can’t keep out intruders, so they are shifting their focus on minimizing the amount of time the adversary spends in the network. The goal is to quickly spot intrusions and quickly respond, Henry said.

“I can’t tell you how many times FBI agents are deployed onsite, saying they found data that was breached, because we found all of this company data outside of the network,” Henry said. “We sit down with the CISO or COO, and they said it couldn’t have happened.”

Of course, after some analysis, the same “couldn’t have happened” official realizes the perimeter had been breached months before. In some cases, the breach may have happened years ago, and the organization just didn’t notice, Henry said.

Be Proactive.
Once the organization has accepted that someone has breached the network, the logical next step is to look for them, Henry said. IT administrators and security teams have to constantly be looking for traces of malicious, unexplained activity. He did not advocate hacking back at the adversaries, noting that was illegal. However, he did encourage leaving behind fake files and information as decoys to trick adversaries looking for certain types of information. If the company was engaged in sensitive negotiations over a merger, that is what the thief is most likely looking for, so leaving fake data out for them to find is a way to foil their attempts, Henry said.

Not Everything Has to be on the Network.
Organizations are putting a lot of information on the network, without thinking about what really has to be there, Henry said. If the super-sensitive data is not on the network, adversaries can’t steal it. The FBI doesn’t put certain information, such as transcripts from court-ordered intercepts and documents detailing sensitive investigative techniques, on the network, Henry said.

“I don’t understand why more companies aren’t compartmentalizing their data,” Henry said.

Change How You Measure Success.
For a while, the FBI focused on how many arrests and indictments they made, Henry said. That wasn’t a good metric because it didn’t give any insight into whether they were going after the big threats or impacting the landscape. Private sector should also change their metrics, and instead of worrying about keeping out intruders, focus on reponse speed, Henry said.

“How long after the adversary gets access to my network will I be able to identify and mitigate the threat?” Henry said.

Share Notes.
Information-sharing is the katest buzzword in security circles, and in a good way. Businesses should be sharing with each other and with the government information about security threats they are seeing, Henry said. Granual intelligence gives the security teams the necessary intelligence to figure out where the attacks are coming from, what the motivations are, and what form the attacks may take, Henry said.

“We need to understand who the adversary is, because if we understand who they are, we can take proactive measures,” Henry said.

Scammers have already begun to take advantage of Adobe’s recent decision to remove its Flash Player from Android’s Google Play marketplace. Last week’s removal has prompted scammers to start promoting fake versions of the software to unsuspecting smartphone owners. While researching the scamware, security firm GFI Labs uncovered a separate fake version of the Flash Player that’s not only bogus but an SMS Trojan that comes bundled with adware.

According to a post on the company’s blog, the app named ‘adobeflashinstaller.apk’ comes replete with adware from the mobile ad network AirPush. Once installed, the app tricks users into following a series of steps to root their phone before downloading another .APK file. This file, hosted on a XDA-Developers forum post, is a hacked version of Adobe’s Flash Player app. While the app isn’t necessarily malicious, it’s not authorized by the company, meaning it’s possible the app could grant or install permissions without the users’ knowledge further down the line.

Meanwhile, the app’s adware leads to the installation of advertisements on the phone. If the user tries to deletes them, the adware will simply add more of them. The adware also will change the users’ home page; send pop-up ads to the phone’s status bar every fifteen minutes and even read and send the users’ phonebook contacts to advertisers.

Adobe ceased development on Flash Player for Android on August 15 after announcing it was shifting its focus to AIR, a runtime environment that allows apps that utilize Flash to run on devices natively. Adobe added that the current version of Flash Player as it stands may exhibit “unpredictable behavior” when the next version of Android, Jelly Bean, is further rolled out.

View the original article here

LAS VEGAS—Imagine a game that is easy to play, fun, and teaches you about computer security. Attendees at the Black Hat security conference in Las Vegas got to watch a sample play session of one such game, dubbed Control-Alt-Hack.

A tabletop card game about white hat hacking, Control-Alt-Hack was developed by Yoshi Kohno, an associate professor of computer science and engineering at the University of Washington Computer Security and Privacy Research Lab, and Tamara Denning, a doctoral student in the department. Players are professional hackers hired by “Hackers, Inc.” to break into supposedly secure systems as part of a security audit.

Kohno incorporated real-life scenarios and threats in the game, including spam-spewing botnets, data breaches of patient medical records, and hacking SCADA devices. Players can exploit weak passwords and unpatched software in their penetration tests.

“We went out of our way to incorporate humor,” Denning said, before adding, “We wanted it to be based in reality, but more importantly, we want it to be fun for the players.”

Game Mechanics
Control-Alt-Hack is based on Steve Jackson Games’ Ninja Burger (now out-of-print but quite popular back in the day). There are 156 game cards in the deck, including 16 hacker characters cards, 56 “mission” cards, 72 “entropy” cards, and 12 attendance cards. The kit also includes 58 hacker cred tokens, to symbolize how cool the player is in the hacking world, and 42 money tokens.

The hacker cards display various personas and characters the player can adopt during the course of the game. The characters avoid the stereotype of the unkempt researcher glued to the computer all day. Instead, players play men and women with a wide-range of interests such as martial arts and rock climbing. The mission cards and entropy cards describe the goals of the player and the various situations they find themselves in.

“Gameifying” Security
The goal was to create an environment that would get people talking about security and ask questions as they learn while playing, Adam Shostack, an honary member of the Computer Security and Privacy Research Lab, said during the presentation at Black Hat.

Neil Rubenking recently wrote about how vendors are trying to make security fun through games. An example is Stronghold of Security from Jagex, a free-to-play dungeon with a quest that can’t be completed unless the player performs various tasks to secure the user profile. The game also requires players to answer questions about ways to keep their accounts secure in order to pass from one room to another. Another example was the points and badge system built into password manager Dashlane. Users earn badges and other rewards as they select stronger passwords.

Control-Alt-Hack teaches that computer security is more than just running antivirus and goes to great lengths to portray attacker motivations and techniques.

“Go get the game, go play the game, and share the game with others,” Shostack urged the attendees. People should also “go make your own games,” Shostack said.

Availability
While it is not designed to be an educational game in the sense that it would teach specific concepts, people playing the game will be exposed to important computer security concepts, Kohno said. Control-Alt-Hack will be most useful in industry and educational settings, engaging students in a classroom or attendees at a conference.

The three-to-six-player-game is designed for a fairly broad—but young— audience, 15 to 30 years of age, with a basic working knowledge of computer science, according to Kohno and Denning. The game is expected to go on sale this fall for $30, but educators can sign up on the game website to receive a free copy while supplies last.

For more from Fahmida, follow her on Twitter @zdFYRashid.

A Pennsylvania man was arrested yesterday after a Massachusetts grand jury issued a four-count indictment alleging that he hacked into computer networks belonging to the U.S. Department of Energy (DoE) and the University of Massachusetts and tried to sell access to a DoE supercomputer for $50,000 to an undercover FBI agent. 

Andrew James Miller, a 23 year-old resident of the Philadelphia suburbs, was charged with one count of conspiracy, two counts of computer fraud and one count of access device fraud. The indictment claims that between 2008 and 2011 Miller and unnamed co-conspirators hacked into networks belonging to the DoE, U-Mass as well as private firms including RNK Telecommunications Inc. (RNK) and Colorado advertising agency Crispin Porter and Bogusky Inc. (CPB Group).

 Indictment: Andrew James Miller

After gaining unauthorized access to these systems, Miller is alleged to have installed Trojan horse programs that gave him access to the networks which he and his co-conspitrators sold online.

Miller and his co-conspirators were discovered after they attempted to sell access to the victim networks to an  undercover FBI agent. Specifically, the indictment details an IRC conversation between Miller and an undercover agent in which Miller exchanges access to RNK’s servers and a list of hundreds of user names and passwords for two payments of $500.00. Payment was to be made to Andrew Miller of Lancaster, PA, via Western Union. Miller later requested two payments of $600 via Western Union in exchange for a U-Mass database dump and $1,000.00 for access to CPB Group. At one point, Miller attempted to sell the FBI access to a supercomputer belonging to the DoE’s National Energy Research Scientific Computing Center for $50,000.

Miller could face five years in prison for the conspiracy count and one of the computer fraud counts and an additional ten years in prison for the second computer fraud count and the access device fraud count, which would then be followed by three years of supervised release and some $250,000 in restitution.

View the original article here

If you’ve been paying attention to the rash of security startups entering the market today, you will no doubt notice the theme wherein the majority of them are, from the get-go, organizing around deployment models which operate from “The Cloud.”

We can argue that “Security as a service” usually refers to security services provided by a third party using the SaaS (software as a service) model, but there’s a compelling set of capabilities that enables companies large and small to be both effective, efficient and cost-manageable as we embrace the “new” world of highly distributed applications, content and communications (cloud and mobility combined.)

As with virtualization, when one discusses “security” and “cloud computing,” any of the three perspectives often are conflated (from my post “Security: In the Cloud, For the Cloud & By the Cloud…“):

In the same way that I differentiated “Virtualizing Security, Securing Virtualization and Security via Virtualization” in my Four Horsemen presentation, I ask people to consider these three models when discussing security and Cloud:

In the Cloud: Security (products, solutions, technology) instantiated as an operational capability deployed within Cloud Computing environments (up/down the stack.) Think virtualized firewalls, IDP, AV, DLP, DoS/DDoS, IAM, etc.For the Cloud: Security services that are specifically targeted toward securing OTHER Cloud Computing services, delivered by Cloud Computing providers (see next entry) . Think cloud-based Anti-spam, DDoS, DLP, WAF, etc.By the Cloud: Security services delivered by Cloud Computing services which are used by providers in option #2 which often rely on those features described in option #1.  Think, well…basically any service these days that brand themselves as Cloud…

What I’m talking about here is really item #3; security “by the cloud,” wherein these services utilize any cloud-based platform (SaaS, PaaS or IaaS) to delivery security capabilities on behalf of the provider or ultimate consumer of services.

For the SMB/SME/Branch, one can expect a hybrid model of on-premises physical (multi-function) devices that also incorporate some sort of redirect or offload to these cloud-based services. Frankly, the same model works for the larger enterprise but in many cases regulatory issues of privacy/IP concerns arise.  This is where the capability of both “private” (or dedicated) versions of these services are requested (either on-premises or off, but dedicated.)

Service providers see a large opportunity to finally deliver value-added, scaleable and revenue-generating security services atop what they offer today.  This is the realized vision of the long-awaited “clean pipes” and “secure hosting” capabilities.  See this post from 2007 “Clean Pipes – Less Sewerage or More Potable Water?”

If you haven’t noticed your service providers dipping their toes here, you certainly have seen startups (and larger security players) do so.  Here are just a few examples:

As many vendors “virtualize” their offers and start to realize that through basic networking, APIs, service chaining, traffic steering and security intelligence/analytics, these solutions become more scaleable, leveragable and interoperable, the services you’ll be able to consume will also increase…and they will become more application and information-centric in nature.

Again, this doesn’t mean the disappearance of on-premises or host-based security capabilities, but you should expect the cloud (and it’s derivative offshoots like Big Data) to deliver some really awesome hybrid security capabilities that make your life easier.  Rich Mogull (@rmogull) and I gave about 20 examples of this in our “Grilling Cloudicorns: Mythical CloudSec Tools You Can Use Today” at RSA last month.

Get ready because while security folks often eye “The Cloud” suspiciously, it also offers up a set of emerging solutions that will undoubtedly allow for more efficient, effective and affordable security capabilities that will allow us to focus more on the things that matter.

/Hoff

Related articles by Zemanta

View the original article here

ZERO DAY is a film about cybercrime, where a journalist Brian Krebs tracks down and takes an interview from a money mule, moves stolen money for the Russian mob. In addition, filmmakers are getting help from the Facebook’s Security Team at Menlo Park California headquarters.

This team is providing an unattended access to various criminal activities like intrusions, hacks and more. We see all the hard work of these charming personalities who solves the crimes of hackers every day. Nevertheless these hard to solve cases may lead anywhere in the world – filmmakers follow every move to catch everything on film.

ZERO DAY is co-financed by BBC Storyville, while the filmmakers are working with reporters like John Markoff (New York Times) and Joe Mell (Reuters). Author Misha Glenny takes part in this film too. 2-spyware team takes part in this project too. The filmmakers are talking with Mark Cuban and Magnolia Pictures, to be able to distribute in US TV and theatres.

2-spyware team invites everyone to support the creation of this film through Kickstarter. By donating money you become an official donor of ZERO DAY. Film is scheduled for release at September, 2013.

View the original article here

The iPhone And iPad Are Targets For Hackers because of intense online iOS browsing activity.
The popularity of APPLE mobile devices has its downside. This is appeal the iPhone and the iPad has in the eyes of cyber criminals, where studies have revealed how iOS traffic has surged lately.

A report from Zscaler shows that iOS traffic has jumped from 40 per cent at the end of last year, to 48 per cent in the first quarter of 2012. Conversely, Android mobile traffic has dropped to 37 per cent.

This is a signal for hackers to divert their attention to the market leader. Security analysts warn that iPhones and iPads could be the target of attacks. The situation is of particular concern for enterprises, who allow their employees to bring in their own devices as work tools.

Rachel Ratcliff Womack, a Vice President with the digital security firm Stroz Friedberg, believes merging the business and personal functionality is not a good idea. “It brings those two worlds together in a very convenient package for criminals to target”, she said.
Blake Turrentine, CEO of HotWAN and trainer at Black Hat, is watching closely the evolution of malware in the mobile ecosystem. When it comes to Apple devices, he advises users to upgrade to the latest iOS, which is “fairly secure.”

Source: Zscaler (registration required)

View the original article here