New Focus On Risk, Threat Intelligence Breathes New Life Into GRC Strategies
Security is a central driver in enterprise Governance, Risk and Compliance initiatives, experts say.
By Tim Wilson, Dark Reading
A growing need for security discipline and the availability of better threat data are changing the old, monolithic Governance, Risk and Compliance concept into a near-term enterprise risk management project, experts say.
GRC, a methodology for building global IT policies, priorities and practices around key risk and compliance factors, has long been viewed as a framework that was too complex and resource-intensive for all but the largest enterprises. But driven by a need to improve security and add some means of measuring risk, many businesses are pushing past these old perceptions and implementing elements of the technology, without necessarily tagging their efforts with the GRC name.
"The market for [GRC] management is growing, as more companies recognize the value in safeguarding their business practices -- not just because doing so is good for business, but because it's necessary for protection against specific economic and market conditions," says William Jan, vice president and practice leader at research firm Outsell, in the company's 2013 GRC market assessment.
Chris Caldwell, CEO and founder of GRC firm LockPath, agrees. "Security and risk are driving enterprises to contact us, even if they don't necessarily call what they are doing GRC," he says. "What they are really looking for is business visibility – a clear way to show what assets are at risk, what needs to be patched, and how to get more budget [for security]. Every IT department is overwhelmed right now. They need a structure for prioritizing remediation."
GRC vendor Agiliance reported last month that its revenues grew 65% between Q1 2012 and Q1 2013, with more than 415% growth in the financial services sector. But like LockPath, Agiliance is increasingly stepping away from calling its technology GRC.
"GRC is not a good term for this market," says Torsten George, chief product strategist at GRC vendor Agiliance. "GRC is an internal process, and an internal process shouldn't drive a software category. We have been calling what we do 'integrated risk management,' because we're tying together IT operations and security risk management."
Gartner analyst Paul Proctor concurred in a blog earlier this month entitled Why I Hate the Term GRC. "GRC is the most worthless term in the vendor lexicon," Proctor writes. "Vendors use it to describe whatever they are selling and Gartner clients use it to describe whatever problem they have. For seven years I have battled this monolithic term and I fear I'm losing the battle."
Whether they call it GRC or not, however, enterprises are investing more in the concept of adding structure and metrics to the assessment of risk and the IT security choices they make.
"The early implementations of GRC were mainly built around compliance and checking off the boxes for the auditors," says Steve Schlarman, eGRC Solution Manager at RSA Archer, the oldest and largest of the GRC technology vendors. "Today, companies are getting beyond the crust of compliance and getting into deeper inspection of the infrastructure – they want a broader sampling of data so that they can get a more accurate measure of risk."
One of the most significant recent shifts in GRC is the addition of threat intelligence as a variable in the calculation of risk and the subsequent decisions on what steps to take, experts say. In the past, most GRC initiatives calculated threats only internally to the enterprise, but the emergence of new threat intelligence data feeds and services means that businesses can now add factors such as growing Internet threats – and the likelihood that they will strike a particular enterprise – into the risk management equation.
LockPath, for example, recently added a new module called Threat Manager, which integrates internal security information with a variety of data feeds, recording key information about secured assets and creating an audit history. Agiliance is also feeding a variety of data into its Threat and Vulnerability Manager module.
"Tying threat data to vulnerability data and overlaying risk and business-criticality is the trend," says Vivek Shivananda, CEO of GRC technology vendor Rsam. "As we see it, risk-driven compliance management is the future model of GRC. Security Risk Intelligence is the answer -- creating an architecture and a process that ties threat data to vulnerability/incident data and overlays risk and business-criticality is the answer to intelligently allocating resources against appropriate threats/incidents."
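To make the model described in the two paragraphs above concrete, here is an added illustration (not code from Rsam, LockPath, Agiliance or any other vendor named in the article) that overlays a threat-intelligence feed and business criticality on CVSS-scored vulnerabilities to produce a remediation order. All asset names, CVE identifiers and weights are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    criticality: int                      # business criticality, 1 (low) .. 5 (critical)
    vulns: List[Tuple[str, float]]        # (vulnerability id, CVSS base score 0..10)


# Constructed threat-intelligence feed: probability that a given vulnerability is
# actively exploited in the wild, as a vendor feed might report it.
THREAT_FEED: Dict[str, float] = {
    "CVE-EXAMPLE-0001": 0.9,   # placeholder: widely exploited right now
    "CVE-EXAMPLE-0002": 0.4,   # placeholder: some exploitation observed
}

BASE_LIKELIHOOD = 0.1          # assumed default when the feed says nothing about a vuln

# Constructed asset inventory with business criticality already assigned.
ASSETS = [
    Asset("payroll-db", 5, [("CVE-EXAMPLE-0002", 6.5)]),
    Asset("dev-wiki", 1, [("CVE-EXAMPLE-0001", 9.8)]),
    Asset("customer-portal", 4, [("CVE-EXAMPLE-0001", 9.1), ("CVE-EXAMPLE-0003", 5.0)]),
]


def vuln_risk(cvss: float, criticality: int, likelihood: float) -> float:
    """Risk contribution of one vulnerability: likelihood x impact.

    Impact is the CVSS score normalised to 0..1 and scaled by how much the
    business cares about the asset it sits on."""
    return likelihood * (cvss / 10.0) * criticality


def asset_risk(asset: Asset, feed: Dict[str, float]) -> float:
    """Sum the per-vulnerability risk for an asset using the threat feed."""
    return sum(
        vuln_risk(cvss, asset.criticality, feed.get(vid, BASE_LIKELIHOOD))
        for vid, cvss in asset.vulns
    )


def prioritize(assets: List[Asset], feed: Dict[str, float]) -> List[Tuple[str, float]]:
    """Remediation queue: assets ordered by threat- and business-aware risk."""
    scored = [(a.name, round(asset_risk(a, feed), 3)) for a in assets]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def cvss_only_order(assets: List[Asset]) -> List[str]:
    """The naive ordering a scanner report gives: highest CVSS first."""
    return [a.name for a in sorted(assets, key=lambda a: max(c for _, c in a.vulns), reverse=True)]


if __name__ == "__main__":
    print("CVSS-only order:     ", cvss_only_order(ASSETS))
    print("Risk-informed order: ", prioritize(ASSETS, THREAT_FEED))
```

The contrast between the two orderings is the point: the low-value wiki with the scariest CVSS score drops to the bottom, while the critical database with a mid-range but actively exploited flaw moves up.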
Experts also generally agree that while compliance initiatives provide most of the funding behind GRC, it is IT security issues that create the most variables in the risk equation – and keep both IT and business executives awake at night. "Companies are now looking at legal defensibility when a compromise or a compliance failure occurs," says Caldwell. "They want to be sure that they are doing all they can to prove that they are doing their due diligence – they don't want to be asking, 'Could I have done more?'"
Schlarman agrees. "Security is playing a bigger role in the [GRC] picture," he says. "Enterprises are still looking at the criticality of their information assets – putting them in business context – but they also want to take that data and push it down to security operations and security analytics, so that they can filter out asset data and figure out whether a particular infection has touched a particular group of assets."
But for GRC to help with the management of current threats and new security risks, Caldwell says, its implementation and adaptation will need to become much faster. "Some of the early [GRC] products had a ramp-up time that was completely insane – it could take six, 12, 18 months just to stand up the product and get a viable report. That's one of the reasons why GRC got a bad name. But now we're making that quicker. We're separating the products from the program, and making the products more immediately useful."
GRC technology is also moving down market and becoming available for smaller companies that don't have huge IT organizations, says Agiliance's George. "We are working with [managed security services providers] to provide a managed services offering that's accessible to businesses that are smaller, but still need some of these functions," he says. "Again, they might not necessarily call it GRC, but these are functions – things like measuring compliance posture and security posture -- that are important no matter what the size of your organization."
But for GRC technology to grow faster, it will have to cast off its perception as a monolithic, expensive, and complex initiative, experts agree.
"IT pros are seeking to steer toward the same risk, compliance and security goals, but they are avoiding the use of the GRC moniker and the perception that GRC is exclusively an 'enterprise-level' project," says Rsam's Shivananda. "This perception also can make it more difficult to select and acquire the necessary tools in highly political environments, or competing departmental agendas."
Original appearance at Dark Reading.
Twitter Adds SMS As Second Factor Of Authentication
Phone will be second means of verifying user identity, Twitter says.
By Tim Wilson, Dark Reading
Twitter announced Wednesday that it will offer an SMS phone option as a second factor of user authentication.
"Every day, a growing number of people log in to Twitter," the social networking site said in a blog. "Usually these login attempts come from the genuine account owners, but we occasionally hear from people whose accounts have been compromised by email phishing schemes or a breach of password data elsewhere on the Web.
"Today we're introducing a new security feature to better protect your Twitter account: login verification," the blog states. "This is a form of two-factor authentication. When you sign in to twitter.com, there's a second check to make sure it's really you."
Twitter joins Google and other major websites in adding a second factor of authentication to their offerings this year. Google is also a member of the FIDO Alliance, which has proposed standards for replacing passwords with a more universal and secure method of authenticating users.
Observers said that Twitter's new offering will help make authentication more secure -- if users take the time to set it up.
"It's great that Twitter has released this feature, which significantly raises the bar for broad-based attacks," says Mark Risher, Yahoo's former "Spam Czar" and current CEO of security company Impermium. "As an optional feature, however, we now need to ensure that users opt-in and utilize it; two-factor does nothing if you haven't configured it in advance."
"Not all social media identities are created equal," says Entrust president and CEO Bill Conner. "Those with a material impact, such as corporate accounts, government entities, and public utilities, should be held to a higher security standard. Now that Twitter has launched an offering that account holders can opt-in to, it is the mutual responsibility of these high-profile Twitter account holders to take advantage of this security offering."
Original appearance at Dark Reading.
Federal IT Mobile Plans Slowed by Security, Budget Concerns
Ahead of the one-year anniversary of the White House's digital government strategy, a new study from the Mobile Work Exchange takes stock of how agencies are pressing ahead with mobility plans.
By Kenneth Corbin, CIO
When the White House rolled out its digital government strategy last May, it made the use of mobile technology a centerpiece, vowing to "enable the American people and an increasingly mobile workforce to access high-quality digital government information and services anywhere, anytime, on any device."
With the one-year anniversary of that plan approaching, the Mobile Work Exchange, an organization dedicated to the advancement of remote work, has polled 175 federal IT executives to get a sense of how far they have progressed in developing and implementing their mobile strategies.
The results were, in a word, mixed.
Grading Mobile Progress
"When we dig into it a little more deeply, they've clearly started to make progress on things," says Chris Roberts, vice president of the worldwide public sector business at Good Technology, which sponsored the study. "It seems like they've all started to work on this problem, and they've attacked what I call the foundational issues."
A slim majority of the respondents--52 percent--say that their agency has taken steps to "mature" their mobile strategy over the past year, though concerns over security, budget constraints and the upheaval of an election year have all slowed the advance of mobile technology in the federal government.
Asked to grade their agencies' progress on implementing the White House mobility directive, the respondents more or less line up along a bell curve, with 39 percent giving their agency a "C," 36 percent a "B," and 16 percent a "D." Just 7 percent say they would award their agency an "A," and 2 percent said "F."
Seventy-three percent of the respondents identify security as a barrier to mobility, making that consideration the leading impediment, followed by budgeting, which 60 percent of respondents cited as an obstacle.
The IT executives polled in the survey report that they have been taking several steps to address the security issues that arise with mobility, including the rollout of encryption technology, mobile device management and multi-factor authentication.
Additionally, federal agencies have begun to develop training programs to educate employees about mobile security issues. Sixty-five percent of the survey respondents report that their agency has such a program in place, and 68 percent say that employees in their agency receive written information about mobile device security.
"That's an excellent step that they've taken," says Roberts. "A lot of the hacks, a lot of the breaches come from social engineering--social kinds of things you want to make sure employees are aware of."
The security issues agencies have been dealing with in assessing their mobility plans received a new wrinkle in February, when President Obama issued an executive order on cybersecurity that tasked the agencies with developing a framework for sharing threat information and better coordinating with private-sector technology providers, among other areas of focus.
Mobile All About the Money
As significant as the concerns over mobile security are, they are not insurmountable, according to Roberts. Budget considerations, particularly the across-the-board federal spending cuts known as sequestration, were another major impediment to the deployment of mobile technology in the government. Budgets, along with the "customary shuffling of chairs in an election year," have proven a drag on agencies' mobility plans, Roberts explains.
"The progress that they've made has been slowed in large part by sequestration," Roberts says. "If it had been a non-election year, had we not faced sequestration, I think cybersecurity alone would not have derailed a lot of initiatives."
Agencies are taking steps to trim costs associated with mobility, with 59 percent of the respondents saying that they have been conducting agency-wide inventories of their devices and wireless contracts, one of the milestones included in the digital government strategy. Another 50 percent say that their agency is developing a cost-cutting plan related to the mobile devices that they issue to employees.
Even if budget pressures have put some mobility projects on hold in the near term, over time the increased efficiencies from a mobilized workforce and novel apps could more than recoup an agency's initial expenditure, according to Roberts.
"I do think that there's a huge opportunity for government to save money and improve efficiency through mobile application," he says. "I actually suspect that there's an opportunity to do more with mobility going forward given the budget constraints."
Roberts suggests that the next phase in the evolution of the government's mobility plans could focus on producing deliverables in the form of apps as agencies navigate through the process of establishing policies for security, device management and access.
Mobile Apps Next Step
Around three-quarters of the respondents say that they are using, developing or evaluating options for mobile apps, but just 9 percent say that their agency has set up an app store. Further, just 39 percent of respondents say that their agency has optimized at least two citizen-facing applications for mobile devices, another milestone in the digital government strategy.
"I would have assumed at this stage we would be farther with a bigger portfolio of applications," Roberts says, offering the hope that the coming year will see a sharp uptick in the production of public-facing apps. "The number that's going to be the most telling for me is if 65 percent of the federal agencies out there have applications for citizen and applications they use to drive efficiencies."
"I would say that getting applications out ... that would be my barometer," he adds. "I want to see that 39 percent turn into something in the high 60s."
Original appearance at CIO.
Opinion Varies On Action Against Chinese Cyberattacks
New cyberespionage attack by People's Liberation Army prompts calls for action such as sanctions, but experts are mixed on best response.
By Antone Gonsalves, CSO
Security experts agree that the U.S. government should take stronger action against Chinese cyberattacks, but exactly what those measures should be varies widely.
The issue of cyberespionage on the part of China made headlines once again on Sunday, with The New York Times reporting that a cyberunit of China's People's Liberation Army resumed stealing data from U.S. companies and government agencies after a three-month hiatus.
Called Unit 61398, the group of hackers headquartered on the edges of Shanghai has stolen product blueprints, manufacturing plans, clinical trial results, pricing documents, negotiation strategies and other proprietary information, The Times reports.
The group ceased operation for three months following a previous exposé, but has returned at a level between 60% and 70% of its previous operation.
President Barack Obama is scheduled to receive on Wednesday recommendations from a private task force on actions the administration and Congress can take to battle China's apparent unwillingness to curtail its cyberespionage campaign. Obama's former director of national intelligence, Dennis C. Blair, and his former ambassador to China, Jon M. Huntsman Jr., are leading the task force, The Times said.
On Monday, there was little consensus among experts on the options available to the administration and Congress. Richard Bejtlich, chief security officer for Mandiant, a security firm monitoring the return of Unit 61398, favored economic sanctions against China, saying the government had to do "something to let the Chinese know we're serious about this."
"The fact that we saw that one unit take a break and then come back shows that no amount of talk or naming and shaming appears to really make a difference at the strategic level," Bejtlich said.
Mandiant tracks about two-dozen groups it has traced to either China or Eastern Europe. During Unit 61398's break, none of the other Chinese groups curtailed activity, Bejtlich said. Now that Unit 61398 is back, it is attacking the same industries, and in some cases, the same companies.
While sanctions would seem like a reasonable response, many experts say they would likely lead to retaliatory economic actions by China. Given how intertwined the two countries' economies are, such measures would weaken both sides.
"Outside of pursuing trade sanctions on a domestic and international front -- neither of which are unlikely to reduce espionage in the near term -- I think the White House has very little leverage with China," said Jacob Olcott, a cybersecurity principal at consulting firm Good Harbor Security Risk Management. "Public shaming likely won't work because theft is a generally accepted business practice there."
Olcott believes that because the U.S. government has very few policy options, it has chosen to focus on bolstering corporate cybersecurity through executive orders and pending legislation mandating information sharing between private industry and government agencies. Such action would help battle Chinese attacks, others say.
"If we come to the conclusion that we can have a two-way exchange of threat information that would definitely help," said Torsten George, vice president of marketing and products at risk management company Agiliance.
Another option favored by Bejtlich would be to name the people leading the attacks from China. Pressure against these individuals could be raised through visa restrictions, preventing them from traveling to the U.S.
He suggested legislation similar to the 2012 Magnitsky Act that gave the president the authority to bar individuals from the U.S. for human rights violations.
"That sort of action is a little bit more visible and has more tangible consequences," Bejtlich said.
Original appearance at CSO Online.
Commercialized Cyberespionage Attacks Out Of India Targeting U.S., Pakistan, China, And Others
Operation Hangover signals new franchise model in cyberespionage with cyberspying services for hire.
By Kelly Jackson Higgins
No zero days, no confirmation of nation-state sponsorship, but a diverse cyberespionage campaign out of India for at least three or more years has been targeting multiple national-interest and industrial entities around the globe, mostly Pakistan and U.S. organizations, but also Norwegian telecom provider Telenor and the Chicago Mercantile Exchange.
Researchers from Norman Security today released a detailed report on the so-called Operation Hangover campaign, which security experts say appears to be run by an independent cyberespionage-for-hire organization and demonstrates the vast and potentially lucrative nature of cyberspying in the global market. Norman Security says this is the same group of actors behind the cyberespionage attacks on Pakistan recently spotted by Eset that used Indian military "secrets" as a lure, with 80 percent of the infections in Pakistan.
The group behind Operation Hangover appears to represent a new advanced persistent threat (APT) model, or at the very least one that has been publicly uncloaked and possibly implicates a commercial Indian security firm, according to security researchers. Unlike the constant and ubiquitous wave of cyberespionage attacks against U.S. interests by China, Operation Hangover has more global and for-hire characteristics, according to Norman, which says thus far it's inconclusive whether the operation is a nation-state endeavor.
"This is a model that is different from what we've seen before ... it's a lot more difficult to track," says Snorre Fagerland, principal security researcher in the malware detection team at Norman Security's Shark team. "My concern is that this shows just how commercialized this seems to have been and how lucrative it possibly is. So you get these APTs growing up everywhere."
Hangover appears to be a more "standardized" or franchised operation, with freelancers writing code and regular patterns of establishing domains and placing images on them, he says. "It's like one of the call centers of the APT," Fagerland says. "There are indications to some extent that the attack may be contracted -- it might be a service provided to somebody."
Fagerland says it's possible the organization is actually working on a global basis. The recent hacking into an Angolan dissident's computer and dropping Mac spyware that was detailed by F-Secure, for example, was the handiwork of Operation Hangover, according to Norman.
Eset security researcher Cameron Camp concurs that while the attacks appear to be originating out of India and by "private individuals," it would be "speculative" to say it's an actual nation-state operation.
At the core of the findings is whether an Indian security firm called Appin Security Group might be linked to the operation. According to Norman, Appin Security Group is mentioned by the attackers: The word "Appin" and "AppinSecurity Group" regularly appear inside the executables, and Norman also found an alleged Hangover coder's professional profile on an online employment website for freelance programmers, which says he works for the security firm.
Norman says it's unclear just what these references to Appin really mean: "Maybe someone has tried to hurt Appin by falsifying evidence to implicate them. Maybe some rogue agent within Appin Security Group is involved, or maybe there are other explanations," Norman says in its report.
But Adam Meyers, director of intelligence at CrowdStrike, which has been studying the same attacks but under the moniker of Viceroy Tiger, says it's no accident Appin's name is implicated in the attacks. "I think it is highly unlikely Appin is not involved," Meyers says.
Meyers, whose company has studied the malware in the attacks, says it's unclear whether Appin is directing or just part of the operation. "But it would be extremely unlikely that they are innocent victims in this. The likelihood that they developed and were using the software is extremely high," he says.
But an Appin spokesperson reached by Dark Reading disputed any wrongdoing and said the company had initiated legal action against Norman for the report. "The truth as it stands is that Norman didn't verify anything. They don't have proof of anything," he said, noting that someone could have been attempting to smear Appin and that the report "was shocking" to the firm.
In a subsequent email, the spokesperson said: "The Appin Security Group is in no manner connected or involved with the activities as sought to be implied in the alleged report. As is apparent from the alleged report itself, the same is only a marketing gimmick on the part of Norman AS."
Operation Hangover, meanwhile, targets various entities and industries -- mainly in Pakistan and some in the U.S., but also in Norway, Iran, China, Taiwan, Thailand, Jordan, Indonesia, the U.K., Germany, Austria, Poland, Romania, and other countries. Aside from the obvious military- and government-type espionage, the group also has targeted the mining, telecommunications, law firms (in the U.S. as well), food and restaurants, and manufacturing industries.
The targeted attacks appear to have been created starting in September 2010 and continue today, according to Norman. Last year was the most active time frame, with more malware creation and additions in targets. Researchers say it's likely the attackers were contracted by the Indian government in some of the attacks.
Meanwhile, as Eset first had noted in its report, this campaign out of India appears oddly rudimentary, with publicly available tools and basic obfuscation methods. It doesn't bother to encrypt its command-and-control communications, either. Norman pointed out that the group doesn't use zero-day vulnerabilities in its attacks, exploiting only known and fixed vulnerabilities in Java, Word documents, and Web browsers like Internet Explorer.
The attackers employ typical phishing ploys, with rigged attachments or URLs that deliver C++ or Visual Basic-based malware that installs downloaders, keyloggers, and data-stealing programs. "Some of the shellcode involved was quite well-made, very tight code," Norman's Fagerland says. "We documented that, in some cases, they use custom malware for their targets ... such as in the Telenor case," which is where Norman first discovered signs of Operation Hangover, he says.
There's also a worm element used in some cases to help spread within a targeted organization and designed to coexist with an information-stealer, he says.
Mobile malware may also be part of the Operation Hangover arsenal, Fagerland says, although Norman itself didn't find evidence of it. "Some of the forum postings on this indicate they might be involved with" malware used to record background noise from calls or other information, he says.
"We think that there's more and there are aspects that have not been unmasked" yet on the hacker group's activities, he says.
Among the organizations Norman spotted as being targeted by the group: Eurasian Natural Resources Corporation (ENRC), Indonesia-based Bumi PLC, Austria-based Porsche Informatik, U.K.-based BlueBird Restaurant, and two U.S. law firms.
Still unclear is whether the phishing attack aimed at the Chicago Mercantile Exchange was about intelligence-gathering or financial theft. "We don't know what they were looking for," Fagerland says, although a WIPO complaint appears to indicate the attackers used a suspicious domain to grab investment information, he says.
The full Norman Security report is available here for download.
Original appearance at Dark Reading.
Dual-Persona Smartphones Not a BYOD Panacea
Mobile vendors are pushing technologies that split a smartphone into two separate platforms for business and personal data. Problem solved, right? Not so fast. It's still easy for employees to circumvent the two worlds.
By Tom Kaneshige, CIO
The "Bring Your Own Devices" trend has a dual-personality problem on its hands.
How can corporate data and personal data exist on a single smartphone? Companies don't want their deep secrets to get out, while employees don't want to be told how to use their precious mobile gadgets that they bought with their own money.
It's a problem that has stumped the BYOD crowd. "Companies don't trust that information is contained properly" on a BYOD smartphone, says Nanci Churchill, vice president of operations at Mobi Wireless Management, a software and services provider helping companies navigate mobile adoption.
Help, though, may be on the way.
Splitting the Phone Virtually
New solutions are bubbling up from mobile software vendors. For starters, there's the idea of a smartphone with a virtual software partition, which essentially splits the phone to create dual personalities for business and personal purposes. The business side can be remotely wiped if the phone is lost or stolen or the employee leaves the company. BlackBerry Balance does this on BlackBerrys. VMware and Verizon teamed up to create a virtual workspace on certain Android smartphones.
Mobile device management vendors such as AirWatch are also finding ways to separate personal and business data. Rather than remotely and fully wiping a compromised BYOD smartphone, MDMs can choose to selectively wipe only business apps.
In some cases, you can wipe business data.
Apple's native apps such as Calendar and Contacts let you tag data as personal or business. With native email, the iPhone can have separate accounts for personal email and work email. This allows MDMs to wipe only the business data (or email account) within the app itself. It should be noted that most third-party apps on the App Store don't separate data, which means MDMs must wipe the entire business app.
The Thin Line Between Business and Personal Data
You'd think with so many options, the problem of duality would be solved—but it's not. Many of Mobi's customers, as well as a large AirWatch customer, continue to fully wipe compromised BYOD smartphones, even though Mobi and AirWatch generally advise companies to embrace selective wiping.
Truth is, business data can skirt the virtual partition to the personal side of the phone or a personal cloud storage account, such as Dropbox or iCloud.
One company, for instance, said it would only access business content on a BYOD smartphone. It defined business content as email and business-related documents. Photos were excluded under the assumption that they were personal in nature.
"They came to find out that there were a lot of photographs of white boards. People had taken pictures of white boards that contained all kinds of business information," Matt Karlyn, a lawyer and partner in the technology transactions practice group at Boston law firm Cooley LLP, told me. "You can't make assumptions about what's business and what's personal."
It works in reverse, too. Personal information can find its way into a business productivity app. For instance, another company bought a popular mobile note-taking app for its BYOD community. When the phone is compromised, the company reserves the right to remotely wipe it.
But employees had become so comfortable with the app that they began using it for personal stuff, too. They stored pictures, voice notes and recipes in the same app, because you can't have two versions of the app on the iPhone. When an employee leaves the company, they lose the app.
Bye-bye, personal data.
Beyond Splitting the Phone: Dual Persona Workarounds
It's this loss of personal data that has Mobi recommending customers perform select wipes over full wipes, even though select wipes may not include all corporate data. BYOD employees tend to get a bit sue-happy when their personal data is wiped, their privacy is violated or their location is being tracked via the mobile device.
"We are continuing to advise companies to go select wipe just because there's less risk in terms of personal information," Mobi's Churchill says.
There are some workarounds to the dual-persona problem. Companies can selectively wipe BYOD smartphones for some types of employees and fully wipe smartphones for others, such as a regional vice president who has access to all sorts of business data and might take pictures of whiteboards.
There are also ways to stop a BYOD smartphone camera from taking pictures of a company's intellectual property. The BYOD user policy can require employees to enable location-based services, which, in turn, can integrate into geo-fencing. If an employee is in a certain area of, say, the manufacturing plant or company campus, then the camera can be turned off.
Also, a camera can be disabled if the phone tries to join the corporate WiFi network.
There are an equal number of ways employees can capture business data on the personal side of their BYOD smartphone. In the above scenario, an employee can put his phone in Airplane mode and be free to take pictures. From copy and paste to screen shots to emailing documents to personal accounts to tagging business contacts as personal ones, employees can and will violate BYOD user policies.
"But that's now an HR issue," says CEO John Marshall at AirWatch. "IT is only responsible for so much. If somebody is trying to do something malicious, you can't stop that."
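The policy logic the preceding paragraphs describe, as an added illustration that is not code from Mobi, AirWatch or any MDM product: the camera is denied on the corporate WiFi or inside a geofence, and the Airplane-mode gap shows up as the case where no location fix is available, which the policy must handle with a default of its own. The fence coordinates, the SSID name and the fail-closed default are constructed assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple


@dataclass(frozen=True)
class Geofence:
    """A circular no-camera zone (constructed example values below)."""
    name: str
    lat: float
    lon: float
    radius_m: float


# Constructed sample policy data; a real MDM console would push these to the device.
CORPORATE_SSIDS = {"corp-wifi"}
NO_CAMERA_FENCES = [
    Geofence("plant-floor", 35.7720, -78.6740, 150.0),
    Geofence("r-and-d-lab", 35.7810, -78.6600, 80.0),
]


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    earth_radius_m = 6_371_000.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_m * asin(sqrt(a))


def camera_allowed(location: Optional[Tuple[float, float]],
                   ssid: Optional[str],
                   fail_closed: bool = True) -> Tuple[bool, str]:
    """Decide whether the camera may be used; returns (allowed, reason).

    location is (lat, lon) from location services, or None when no fix is
    available (location services off, Airplane mode). ssid is the WiFi
    network the phone is joined to, or None.
    """
    # Rule 1: joined to the corporate network -> camera off, regardless of GPS.
    if ssid is not None and ssid in CORPORATE_SSIDS:
        return False, f"joined corporate network {ssid}"
    # Rule 2: no location fix. This is the Airplane-mode gap the article
    # mentions: the policy cannot tell whether the phone is on site, so it
    # must pick a default. Failing closed is an assumption of this sketch.
    if location is None:
        if fail_closed:
            return False, "no location fix; policy fails closed"
        return True, "no location fix; policy fails open"
    # Rule 3: inside any no-camera geofence -> camera off.
    lat, lon = location
    for fence in NO_CAMERA_FENCES:
        distance = haversine_m(lat, lon, fence.lat, fence.lon)
        if distance <= fence.radius_m:
            return False, f"inside {fence.name} ({distance:.0f} m from centre)"
    return True, "outside all no-camera zones"


if __name__ == "__main__":
    for loc, ssid in [((35.7720, -78.6740), None), ((35.80, -78.70), "corp-wifi"), (None, None)]:
        print(loc, ssid, "->", camera_allowed(loc, ssid))
```

Failing closed when there is no fix is the only way a location-based rule survives Airplane mode, at the cost of blocking the camera everywhere the phone has no signal; failing open is what makes the bypass in the next paragraph work.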
Original appearance at CIO.
Mac Spyware Discovered on Angolan dissident's Computer at Oslo Freedom Forum
By Dan Kaplan, Executive Editor, SCMagazine.com
Security researchers are studying an apparent new strain of Mac spyware that turned up on the computer of a participant at the just-concluded Oslo Freedom Forum, an annual human rights conference.
The backdoor was discovered by noted privacy and security researcher Jacob Appelbaum, who tweeted Thursday that it targeted the machine of an Angolan dissident. Angola is a southern African nation that has faced steep criticism for human rights abuses.
Analysts at security firm F-Secure studied the virus sample and learned that it was signed with a seemingly valid Apple Developer ID, steals screen shots and communicates with two command-and-control servers. F-Secure dubbed the malware OSX/KitM.A.
The spyware was discovered during a workshop that Appelbaum ran in which he instructed audience members on how to protect themselves from government surveillance.
The Oslo Freedom Forum event brings together "Influential dissidents, innovators, journalists, philanthropists, and policymakers" from around the world, according to the event's website.
Espionage malware built to run on Mac OS X machines is becoming increasingly common as more targets use the operating system.
UPDATE: Appelbaum said in a tweet that the activist's Mac was hit with the malware via a spear phishing attack.
UPDATE TWO: The SANS Internet Storm Center explained how it's possible to "verify and extract signatures and certificates on an Apple .app" as the attacker did in this instance.
Original appearance at SCMagazine.com.
Pushdo Botnet Morphs To Elude Hunters
U.S., other national government agencies, contractors, and military networks found housing new Pushdo bots as botnet adds stealthier features to evade detection, takedown.
By Kelly Jackson Higgins, Dark Reading
A botnet of botnets that has been disrupted by researchers multiple times during the past few years has been retooled with features that make its detection more difficult and its takedown nearly impossible without legal action.
The Pushdo botnet -- which provides the infrastructure for other malware and botnets and spreads a malware downloader program that, in turn, drops Cutwail, Gameover Zeus, and BlackHole Trojans -- is now employing a Domain Generation Algorithm (DGA) as a resilient backup command-and-control (C&C) infrastructure, RSA encryption to prevent researchers from taking over the botnet, and phony JPEG image files to hide C&C traffic.
Researchers with Damballa, Dell Secureworks, and Georgia Institute of Technology recently teamed to study this new variant of Pushdo, which was first spotted by Damballa and its homegrown DGA detection tool. Among the victims infected by Pushdo are several U.S. and other national government agencies, government contractors, and military networks, the researchers found.
"This is the most elaborate [move by a] botnet trying to hide its own command and communications," says Brett Stone-Gross, senior security researcher at Dell Secureworks, who helped Damballa confirm the C&C traffic it had spotted using DGA was Pushdo. "They added resiliency with the DGA, and along with that they implemented RSA encryption so researchers, law enforcement, or their rivals can't control the botnet and use it against itself. They are the only ones who can control their botnet," Stone-Gross says. All researchers can do is record IP addresses and metadata, he says.
And in the latest twist today -- possibly in response to the discovery of their new techniques -- the Pushdo gang was spotted pushing yet another variant of the malware, one that generates .kz domains instead of .com domains, according to Seculert, which also is studying Pushdo. "It seems like they noticed that they are being probed, as the variants were uploaded to the hijacked webserver a few hours before the report went public," says Aviv Raff, CTO at Seculert.
Pushdo, which is run by a well-funded Eastern European cybercrime gang, boasts anywhere from 175,000 to a half-million bots each day, and is spread mainly via the massive and prolific Cutwail spam botnet. Pushdo basically acts as the infrastructure for botnet activity -- everything from traditional spam to spreading malicious Trojans like Zeus and SpyEye that steal financial credentials. It has survived four takedowns in five years.
"It shows that they probably make a good amount of money through spam email. It's like any business: It's important to maintain a resilient infrastructure, and if the infrastructure goes down, you lose money," Stone-Gross says.
The addition of DGA for its backup C&C basically allows Pushdo to prevent interference with its C&C -- think blacklisting or extracting C&C domain names -- by making the C&C domain names a moving target, dynamically generating domain names, and using just one at a time, which later gets discarded.
"They are trying to build a system that's immune to takedown," says Jeremy Demar, senior researcher at Damballa. Demar says Pushdo downloads encrypted malware payloads so researchers can't analyze them or detect them.
Researchers saw some 1.1 million unique IP addresses making Pushdo C&C requests in a two-month period, and around 35,000 unique IPs connect each day. Pushdo's DGA generates around 1,380 unique domain names daily.
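As an added illustration, not code from Damballa, Dell Secureworks or the Pushdo analysis, the script below shows the kind of signal a DGA detection tool looks for on the defender's side: a bot walking through the day's generated names produces a burst of NXDOMAIN answers for high-entropy labels before it reaches the one its operator actually registered. The log format, the client addresses, the domain names and the thresholds are all constructed assumptions.

```python
import math
from collections import defaultdict
from typing import Dict, List

# Constructed DNS resolver log: "<timestamp> <client> <qname> <rcode>".
# 10.0.0.9 plays an infected host trying DGA candidates; 10.0.0.5 is a
# normal user with one typo; 10.0.0.7 only makes ordinary lookups.
SAMPLE_DNS_LOG = """\
2013-05-21T10:00:01 10.0.0.5 www.google.com NOERROR
2013-05-21T10:00:02 10.0.0.5 mail.example.com NOERROR
2013-05-21T10:00:04 10.0.0.5 www.gogle.com NXDOMAIN
2013-05-21T10:00:05 10.0.0.7 cdn.example.net NOERROR
2013-05-21T10:00:06 10.0.0.9 xkq7mzt2plwa.com NXDOMAIN
2013-05-21T10:00:06 10.0.0.9 b3nvyruc8ofd.com NXDOMAIN
2013-05-21T10:00:07 10.0.0.9 h5tgjwq9xaek.com NXDOMAIN
2013-05-21T10:00:07 10.0.0.9 rd0lmzp4ysiq.com NXDOMAIN
2013-05-21T10:00:08 10.0.0.9 c6bfohkwtn1u.com NXDOMAIN
2013-05-21T10:00:08 10.0.0.9 p8kdvmeaq3zj.com NXDOMAIN
2013-05-21T10:00:09 10.0.0.9 www.example.com NOERROR
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(qname: str) -> str:
    """Naive second-level label: 'xkq7mzt2plwa' for 'www.xkq7mzt2plwa.com'.

    Assumes a single-label TLD; real tooling needs the public-suffix list
    so that co.uk and friends are not mistaken for the registered label.
    """
    labels = qname.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def analyse(log_text: str) -> Dict[str, dict]:
    """Per-client query count, NXDOMAIN count and mean entropy of NXDOMAIN labels."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "nx_entropies": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname, rcode = parts
        s = stats[client]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
            s["nx_entropies"].append(shannon_entropy(registered_label(qname)))
    result = {}
    for client, s in stats.items():
        ents = s["nx_entropies"]
        result[client] = {
            "queries": s["queries"],
            "nxdomain": s["nxdomain"],
            "mean_nx_entropy": sum(ents) / len(ents) if ents else 0.0,
        }
    return result


def suspicious_clients(log_text: str, nx_threshold: int = 4,
                       entropy_threshold: float = 3.0) -> List[str]:
    """Clients that both burn through NXDOMAINs and ask for high-entropy names.

    Requiring both signals keeps a user who mistypes one domain (10.0.0.5)
    from being flagged alongside a host cycling through generated names.
    """
    return sorted(c for c, s in analyse(log_text).items()
                  if s["nxdomain"] >= nx_threshold
                  and s["mean_nx_entropy"] >= entropy_threshold)


if __name__ == "__main__":
    for client, s in sorted(analyse(SAMPLE_DNS_LOG).items()):
        print(client, s)
    print("suspicious:", suspicious_clients(SAMPLE_DNS_LOG))
```

The two thresholds matter together: NXDOMAIN volume alone also catches misconfigured hosts, and entropy alone also catches legitimate CDN and tracking hostnames, so a detector that insists on both is far less noisy than either on its own.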
India and Iran are home to the most Pushdo-infected machines, but Mexico, Thailand, Indonesia, and the U.S. also have Pushdo bots. An average of 23,000 unique hosts in the U.S. have tried connecting to Pushdo's DGA domain names. The government and military victims -- which are a small percentage of the overall bot population -- likely were inadvertent infections, Damballa's Demar says. "Someone downloaded an email," he says.
The malware also generates fake traffic to legitimate websites in an attempt to mask its C&C communications. "The C&C servers will also respond with a jpeg image with encrypted, embedded malware payloads to hide any additional files it wants to download," Demar wrote in a blog post.
Takedown of Pushdo would require legal intervention, the researchers say: VeriSign requires a court order before it takes action on its .com domain customers.
Damballa's full report on Pushdo is available here (PDF) for download, and Dell Secureworks' is here (PDF) for download.
Original appearance at Dark Reading.
How Can We Keep Infosec Pros a Step Ahead of the Bad Guys?
Attacks on digital assets are on the rise, and the black hats get more inventive every day. How should educators prepare tomorrow's information security gurus?
By Lynne Williams, Computerworld
Information security professionals have a tough time of it.
Consider what they have to cope with in today's IT environment. You have big data meeting BYOD, a combination that's almost an invitation to cyber-espionage. The traditional method for protecting corporate networks was to create a hardened outer shell that restricted access to internal data -- the so-called M&M network that's hard on the outside but soft in the middle. That external shell is tough to crack, but attackers have found a creative way to get to the soft middle by using lost or stolen devices or employing social networks to glean usernames and passwords.
Meanwhile, attacks on individual and corporate digital assets are on the rise, and the black hats get more ingenious every day. Infosec professionals have to stay one step ahead, and that requires that they be well educated and as thoroughly trained in the dark art of network security as the bad guys. Going forward, IT security gurus will need to think analytically -- understanding not just how to set up security, but also how to craft security solutions so that the business focus is supported while at the same time protecting the business's digital assets.
Focused procedures, such as penetration testing and "ethical" hacking, can be effective at hunting out specific vulnerabilities, but a holistic approach to network security that blankets the perimeter and protects against a broad range of attacks is better able to adapt to the constant evolution of assaults of this type.
To train for this type of holistic approach, students taking information security courses must practice a variety of defensive techniques, such as configuring access control and designing comprehensive security policies. They must also learn how to properly conduct an organizational security audit to identify security breaches and other alerts.
Universities and colleges are offering courses and projects that prepare and train cybersecurity professionals, and often these courses are specialized and not part of the core curriculum. Moreover, they often remain stuck on rigid, traditional security approaches that lack the flexibility users need in a mobile world. A new approach to cybersecurity protection and related education is needed, one that blends a focus on technology and security techniques with social psychology, risk management, collaboration and overall curriculum integration. An effective educational program is one that recognizes the need for security with flexibility, as part of the entire curriculum -- from entry-level to advanced, and in all classes, whether they are focused on some aspect of technology or on developing leadership skills.
Similarly, an effective curriculum is one that helps students think like professional hackers while guiding them to develop a risk-based approach to security -- which ensures that appropriate measures are applied to protect key data. The National Security Agency is promoting this new approach to cybersecurity education with its hacking competitions, a hands-on way to showcase potential threats and countermeasures. For their part, universities are moving toward hands-on virtual labs and introducing areas ranging from ethics to social psychology.
Just as vital, though, is the need for cybersecurity education for all students, and not just those studying information technologies. In the end, every user has a role in creating a dynamic mobile environment that offers flexibility while remaining secure.
Original appearance at CIO.
Researchers Develop Industrial Systems That Watch For Breaches
With the new networking method, devices are able to spot a problem unit and then isolate it from the network before it can do any damage.
By Antone Gonsalves, CSO
University researchers have developed a methodology for enabling networked devices in an industrial control system (ICS) to police each other for abnormal behavior that would indicate a compromise.
The idea is to make it possible for devices, such as machinery on a factory assembly line, to spot the problem unit and then isolate it from the network before it can do any damage, researchers from North Carolina State University said Wednesday. The security mechanism would be used in supervisory control and data acquisition (SCADA) systems and programmable logic controllers.
Mo-Yuen Chow, co-author of the research and a professor of electrical and computer engineering, said the concept was like a "community watch," where neighbors watch each other's property for burglaries.
"Each device listens to its neighboring device to see if they're misbehaving," Chow said.
SCADA and PLC systems are used in industries comprising the nation's critical infrastructure (CI), which includes power generation facilities, oil and gas pipelines, electric power transmitters and defense manufacturing. The networked machinery and electronic devices in these systems are increasingly under attack by hackers, according to U.S. government officials. Much of the activity is originating from China and the Middle East.
Securing the nation's critical infrastructure is difficult because most of the electronics and machinery was built before the Internet evolved as a networking protocol in controlling systems. In tackling the problem, NCSU researchers have developed an algorithm that can be deployed in any networked device, either in software or as firmware in a microcontroller.
"We wanted to build a very simple security measure on each device, so when they work together they will bring security to the entire system," Chow said.
The algorithm would establish acceptable operational parameters, such as temperature or speed, for the networked devices. If a unit suddenly operated outside those parameters, then the other devices would stop all communications, so it could no longer operate.
The technology would augment traditional security systems used today, such as communication encryption and access controls, said Wente Zeng, a doctoral student and co-author of the research. It would also operate within SCADA and PLC systems used to monitor and manage devices.
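To make the behaviour in the last two paragraphs concrete, here is an added sketch; it is not the NCSU algorithm from the paper, whose details the article does not give. It assumes each device publishes its acceptable operating ranges to its neighbours and that a device is cut off only when a strict majority of its active neighbours flag it, which keeps one compromised watcher from isolating a healthy unit. The device names, parameters and limits are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Device:
    name: str
    limits: Dict[str, Tuple[float, float]]   # parameter -> (low, high), as published to neighbours
    neighbors: List[str]
    isolated: bool = False
    flags: Set[str] = field(default_factory=set)  # neighbours that have flagged this device


def in_bounds(limits: Dict[str, Tuple[float, float]], reading: Dict[str, float]) -> bool:
    """True when every limited parameter is present and inside its range.

    A parameter that stops being reported counts as out of bounds: a unit
    that goes quiet on temperature is as suspicious as one that overheats.
    """
    for param, (low, high) in limits.items():
        if param not in reading or not (low <= reading[param] <= high):
            return False
    return True


class WatchNetwork:
    """Devices that judge each other's readings and isolate misbehaving ones."""

    def __init__(self, devices: List[Device]):
        self.devices = {d.name: d for d in devices}
        self.events: List[str] = []

    def active_watchers(self, name: str) -> List[str]:
        # Isolated devices lose their vote; otherwise a captured unit could
        # keep voting its honest neighbours off the network.
        return [n for n in self.devices[name].neighbors if not self.devices[n].isolated]

    def vote_isolate(self, watcher: str, suspect: str) -> bool:
        """Record one neighbour's verdict; isolate only on a strict majority."""
        target = self.devices[suspect]
        target.flags.add(watcher)  # flags are not aged out in this sketch
        needed = len(self.active_watchers(suspect)) // 2 + 1
        if len(target.flags) >= needed and not target.isolated:
            target.isolated = True
            self.events.append(f"{suspect} isolated by {sorted(target.flags)}")
        return target.isolated

    def deliver(self, sender: str, reading: Dict[str, float]) -> bool:
        """Sender broadcasts a reading; returns True if the network still accepts it."""
        src = self.devices[sender]
        if src.isolated:
            self.events.append(f"dropped reading from isolated {sender}")
            return False
        misbehaving = not in_bounds(src.limits, reading)
        for watcher in self.active_watchers(sender):
            if misbehaving:
                self.vote_isolate(watcher, sender)
        return not src.isolated


def build_ring() -> WatchNetwork:
    """Four pumps in a ring; each watches its two neighbours (constructed)."""
    pump = {"temp_c": (0.0, 80.0), "rpm": (0.0, 1500.0)}
    return WatchNetwork([
        Device("A", dict(pump), ["B", "D"]),
        Device("B", dict(pump), ["A", "C"]),
        Device("C", dict(pump), ["B", "D"]),
        Device("D", dict(pump), ["C", "A"]),
    ])


if __name__ == "__main__":
    net = build_ring()
    print(net.deliver("A", {"temp_c": 70.0, "rpm": 1200.0}))   # accepted
    print(net.deliver("A", {"temp_c": 95.0, "rpm": 1200.0}))   # both neighbours flag A
    print(net.deliver("A", {"temp_c": 70.0, "rpm": 1200.0}))   # A is cut off now
    print(net.events)
```

The majority rule is the part worth carrying into a real design: with two watchers per device, a single rogue neighbour calling `vote_isolate` against a healthy unit achieves nothing, while a unit that genuinely leaves its envelope is dropped on the very next reading.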
The researchers plan to present their paper (PDF), entitled "Convergence and Recovery Analysis of the Secure Distributed Control Methodology for D-NCS," at the IEEE International Symposium on Industrial Electronics being held May 27-31 in Taipei, Taiwan.
Original appearance at CSO Online.