Wednesday, June 29, 2011

Will the New FFIEC Guidance Help Reduce the Increasing Security Threats?

Final FFIEC Authentication Guidance Issued

The Federal Financial Institutions Examination Council has formally released the long-awaited supplement to its "Authentication in an Internet Banking Environment" guidance, which was first issued by the FFIEC in October 2005.

Formal assessments for compliance with the new guidance will begin in January 2012.

The purpose of the supplement is to reinforce the risk-management framework described in the original guidance and update the FFIEC member agencies' supervisory expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment.

The official supplement highlights the need for:
  • Better risk assessments;
  • Effective strategies for mitigating known online risks;
  • Improved customer and employee fraud awareness.
In a news release about the official update, the FFIEC says the growing sophistication of online threats has increased risks for financial institutions and their customers. "Customers and financial institutions have experienced substantial losses from online account takeovers," the FFIEC states. "Effective security is essential for financial institutions to safeguard customer information, reduce fraud stemming from the theft of sensitive customer information, and promote the legal enforceability of financial institutions' electronic agreements and transactions."

The FFIEC says it will continue to work closely with financial institutions to promote security in electronic banking. Examiners have been directed to formally assess financial institutions under the enhanced expectations outlined in the supplement beginning in January 2012.

The FFIEC is made up of the following regulatory agencies:
the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corp., Office of the Comptroller of the Currency, National Credit Union Administration and Office of Thrift Supervision.

Please refer here to read the changes in the new FFIEC guidance.

Monday, June 27, 2011

Ten Rules for Cyber Security

Should these Ten Rules be addressed in a comprehensive legal approach to cyber security?

Before the Estonian incident, organisations tended to treat their risks and arrangements in isolation. Cyber security was merely the sum of individual contingency plans having little to do with more systemic risks.

The spectrum of cyber conflict ranges from breaches of internal policy or regulations (not patching software, for example) to breaches of legal obligations (such as not reporting illegal activity) to crime to national-security threats to outright cyber warfare ("cyber armed attack").

Ten rules focused on issues and working solutions arising from discussions among experts or in the course of cyber-incident handling can be identified:

1. The Territoriality Rule
2. The Responsibility Rule
3. The Cooperation Rule
4. The Self-Defence Rule
5. The Data Protection Rule
6. The Duty of Care Rule
7. The Early Warning Rule
8. The Access to Information Rule
9. The Criminality Rule
10. The Mandate Rule

In this paper, the author analyses these ten rules, which outline key concepts and areas that must be included or addressed in a comprehensive legal approach to cyber security. They are intended to raise awareness about existing legal complications involving cyber security and the ways to overcome them, to serve as a focus for debate and coordination within and across disciplines, and to inform well-grounded proposals for additional legislation on the international level.

Saturday, June 25, 2011

Logical Security offering 10 Free On-Line Videos

Discussing Security Topics Now Available!

Logical Security is providing free videos that discuss various security topics. Some of these topics are: Block Ciphers, Digital Certificates, ITIL Problem Management, and Wireless Security.

The videos can be found at http://www.logicalsecurity.com/resources/resources_videos.html

Thursday, June 23, 2011

Facebook - New Facial Recognition Feature Raises Significant Trust Concerns

Facebook, Privacy and You

Facebook recently announced plans to roll out a new facial-recognition feature across its entire social network of more than 500 million worldwide users. This feature will allow users to identify their friends automatically in photos without their permission.

This move clearly has an impact on the privacy profession and workplace by creating new challenges and raising significant concerns about trust.

In the workplace, social networking is very complicated, as the intersection of personal and working lives creates real challenges for these practitioners. Facial recognition only opens more avenues to create identity issues, as a person tagged to a photo may not be the right individual.

Also, privacy in the workplace is largely driven by information controlled outside the organization, so the other concern is the identity and photo database of 500 million users that Facebook has. Who will have access to this critical information? How will the data be protected? What privacy standards and laws will be applicable to ensure effective database security measures are practiced?

Facebook has clearly not created this database to just please the users, and that bothers me being in the privacy profession. There is a trend in what Facebook is doing. They keep invading people's privacy. It's OK to make mistakes occasionally, but what Facebook is doing is not making mistakes, but breaching trust.

In this case, Facebook is changing the privacy settings of individuals without letting them know. People are on Facebook because they want to communicate with their friends and community, but they may have been careful not to put their pictures online. Now if they are at a party and someone takes their picture and tags them, that picture will go in the Facebook database with the person's name and identity.

The question of trust in the case of facial recognition will have a much broader impact on the profession. The level of trust and reliance that can be placed on the company, its application and its usage will ultimately define our future.

Also, such concerns for data privacy and protection and more are resulting in enforcement of new privacy standards globally.

Wednesday, June 22, 2011

Hackers Can't Be Stopped, But They Can be Contained

4 key Tips to avoid breaches

A big part of the problem is that employees have too much access to internal information. The best thing companies can do is the same stuff we've been talking about for years: make sure the core assets aren't treated with the same priority as some of the lesser systems. It all has to be protected.

If nothing else, the Lulzsec hacks have shone a light on security vulnerabilities that should have been addressed years if not decades ago. These attacks are going to escalate. But organizations can implement basic steps to make the hacker's job harder.

Top 4 Recommendations

Limit access: The best thing to do is disconnect people from things they don't need to be connected to. Why would they need access to everything?

Pile on layers of security, and get up-to-date: A lot of these attacks were exploiting fairly easy techniques, like default passwords or out-of-date Apache [software] or Web servers. People were not patching or updating. They were not doing the basics.

Include breach response in disaster-recovery plans: You have scenarios in your recovery for a chaotic storm versus a physical storm. Can you shut down some of your systems without completely going offline?

Shutting certain systems down makes it harder for hackers to find their way through the network infrastructure; and the more they have to work, the more cyber crumbs they leave behind. You can't fight them off forever, but if you delay them long enough, they will leave evidence behind and may give you time to get law enforcement involved.

Admit fault and negotiate: Eventually, hackers will get in. That's why you need a diplomatic approach, to address the hackers after a breach. When you find yourself in the midst of a hack, you can try countermeasures, but you also need social techniques to defuse the issue and come to agreement. In the case of Sony, they kept trying technical solutions for an interpersonal problem.

Tuesday, June 21, 2011

Webinar: Effective Information Security Risk Assessments

Align Practices with Business Strategy

From payment card fraud to skimming attacks and corporate account takeover, we've seen a wide variety of threats to banking institutions and their customers.
And with the advent of the ID Theft Red Flags Rule, and in the aftermath of the economic upheaval, we know banking regulators are paying closer attention to institutions' information security practices.

So, in light of increased threats and greater regulatory scrutiny, how should a banking institution approach one of its most critical undertakings - the information security risk assessment?

Learn how in this exclusive new webinar on 30th June 2011 and 18th July 2011. Guided by an experienced banking/security leader, you will receive timely, hands-on advice and new risk assessment tools regarding:
  • How to build process and strategies to identify and manage risks;
  • Risk assessment techniques that work - and those that don't;
  • How to satisfy your regulators' and customers' security and privacy needs and requirements.
Refer here for further details and to register for the event.

Sunday, June 19, 2011

Security of Transport Contactless Smart Cards

It is possible to sniff data but what can thieves do with it?

Contactless smart cards have been touted for their speed and convenience. But does the technology make it easier for pickpockets to be contactless, too?

Experts say that although it’s possible for a fraudster to buy a card reader on eBay and use it to scan people’s pockets on a subway, there are numerous protection mechanisms in place to keep stolen data from being used as well as new, emerging encryption standards that will further limit such threats.

The pickpocket issue garnered media attention in December, when a CBS affiliate in Memphis, Tenn., followed a man who was able to swipe credit card information from unsuspecting passers-by. Using an off-the-shelf card reader that he bought online for less than $100 and a mini laptop, the man was able to obtain credit card numbers, expiration dates and some cardholder names.

But that is likely as far as a thief will get, experts say. It is possible to use a contactless reader to pick up information from a card on the subway or in an elevator, but it is unlikely that he could use the information to go on a shopping spree.

That is because the account number and other information obtained from a contactless card is not enough to complete a financial transaction. Unlike magnetic stripe cards, most contactless payment cards use a dynamic element to authenticate each transaction.

Things to look out for:
  • Transaction security - MAC across the transaction and on data (digitally signed)
  • Internal abuse and insider job/attacks
  • Mixed modes (used for many things, loyalty, credit card, door access, etc.)
  • Design issues e.g. key mgt (not public key) and weak crypto
Encryption levels can also dictate a card’s vulnerability. If a card’s encryption uses a weak algorithm or no encryption at all, the information may be easily read.

Advanced techniques for extracting a card’s encryption key are possible, but they typically require the physical possession of the card and access to highly specialized equipment.

For unencrypted air interfaces, data can be read by off-the-shelf readers and then programmed into a different physical card. Then an attacker could use the stolen card information to perform transactions that are identical to those performed by the legitimate card. In the case of payment cards, however, this process is complicated by the use of additional security mechanisms such as dCVCs.
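
To make concrete why sniffed static data is not enough, here is an added simulation (not from the article or any card scheme) of a card that derives a per-transaction dynamic code from a secret key and a transaction counter, and an issuer that recomputes the code and rejects replays. The card key, PAN, expiry and code format are constructed assumptions, and the HMAC-based scheme is a simplification of real dCVC generation.

```python
import hashlib
import hmac

# Constructed sample values (assumptions, not from the article): the per-card
# key never leaves the chip; PAN and expiry are readable over the air.
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
CARD_PAN = "4111111111111111"
CARD_EXPIRY = "1214"


def dynamic_code(key, pan, expiry, atc, amount):
    """Simplified dCVC: an HMAC over the static data, the application
    transaction counter (ATC) and the amount, truncated to 6 hex digits.
    Real schemes use shorter numeric codes and scheme-specific inputs;
    the principle (a secret-keyed, single-use code) is the same."""
    msg = f"{pan}|{expiry}|{atc}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]


class ContactlessCard:
    """Card side: every tap increments the ATC and produces a fresh code."""

    def __init__(self, key, pan, expiry):
        self._key = key
        self.pan = pan
        self.expiry = expiry
        self.atc = 0

    def tap(self, amount):
        """Return the fields sent over the air for one transaction."""
        self.atc += 1
        return {
            "pan": self.pan, "expiry": self.expiry, "atc": self.atc,
            "amount": amount,
            "dcvc": dynamic_code(self._key, self.pan, self.expiry,
                                 self.atc, amount),
        }


class Issuer:
    """Issuer side: recompute the code with the card's key and reject any
    transaction whose ATC is not higher than the last one seen for that PAN."""

    def __init__(self, keys_by_pan):
        self._keys = keys_by_pan
        self._last_atc = {}

    def authorize(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return "DECLINE: unknown card"
        expected = dynamic_code(key, txn["pan"], txn["expiry"],
                                txn["atc"], txn["amount"])
        if not hmac.compare_digest(expected, txn.get("dcvc", "")):
            return "DECLINE: bad dynamic code"
        if txn["atc"] <= self._last_atc.get(txn["pan"], 0):
            return "DECLINE: replayed counter"
        self._last_atc[txn["pan"]] = txn["atc"]
        return "APPROVE"


def demo():
    """Run one genuine tap, then the two things an eavesdropper could try
    with what was captured over the air; return the issuer's decisions."""
    card = ContactlessCard(CARD_KEY, CARD_PAN, CARD_EXPIRY)
    issuer = Issuer({CARD_PAN: CARD_KEY})
    results = {}

    captured = card.tap("12.50")                 # exactly what a sniffer sees
    results["genuine"] = issuer.authorize(captured)

    # Replaying the captured transaction verbatim: the code is valid but the
    # counter has already been used, so the issuer declines.
    results["replay"] = issuer.authorize(dict(captured))

    # A card programmed from the captured static data has no key, so it can
    # only reuse the captured code; that code does not match a new
    # counter/amount and the issuer declines.
    cloned = dict(captured, atc=captured["atc"] + 1, amount="99.00")
    results["clone"] = issuer.authorize(cloned)

    # The genuine card keeps working because its next code is fresh.
    results["genuine_again"] = issuer.authorize(card.tap("3.20"))
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:14s} {decision}")
```

An issuer would additionally apply velocity limits and a tolerance window on the ATC for taps that never reached it; the simulation keeps only the strict monotonic check to show the replay rejection clearly.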

Known cases and attacks:
  • HK Octopus cards
  • NETS CashCard
Past demos:
  • Virtual pick-pocketing on contactless cards in Paris, on Cartes exhibition in 2005
  • Youtube movies
  • ePassport attack demos
Interesting countermeasures

There is actually one way to protect against undesired interrogation of an RFID card. Cardlab has a patented RFID jam switch which distorts the RFID signal when the card is interrogated. The owner simply taps or bends the card to turn off the jammer, and the card is then able to communicate. It is effective, it is cheap, and it gives the consumer just the real feel of security he needs in order to trust the technology.

If it's a dual-interface government PIV card, the thief could obtain the cardholder's unique identifier, or CHUID, a number that uniquely identifies an individual within the PIV system, according to experts with Exponent, a Menlo Park, Calif.-based engineering and scientific consulting firm. The remaining chip information would only be accessible via the contact interface, so it is not at risk from such attacks.

Refer here or here to read relevant / further details.

Saturday, June 18, 2011

Index of Cybersecurity

New Index Measures Cyberspace Safety

Quantifying the safety or danger of cyberspace is tough. But a highly respected IT security practitioner and an experienced risk management consultant have teamed to develop an index they contend reflects the relative security of cyberspace by aggregating the views of information security industry professionals.

"We don't have much to compare to in this field because hard numbers are very hard to get", advised by Mukul Pareek developed the
Index of Cybersecurity, a sentiment-based measure of the risk to the corporate, industrial and governmental information infrastructure from a range of cyberthreats.

The Index of Cybersecurity launched in April, and in an interview with Information Security Media Group's GovInfoSecurity.com its developers say it could be months before its value to government and private-sector information security officers will be known.

Mukul Pareek, the developer of the index, suspects it will serve as a baseline for information security officers to compare their organizations' performance against the general state of IT security. "An information security officer has, among other questions, the perpetual one of: Am I being targeted, am I different, what are other people seeing, is there a baseline I can compare myself to? And it's a constant problem. In fact, unless you do some sort of information sharing, there is little way to tell whether your observations are unique or typical or altogether ordinary except for one feature or the like."

The cybersecurity index features 15 sub-indices that measure malware threats, intrusion pressures, insider threat, industrial espionage, information sharing and media and public perception, to name a few.

In the interview, Geer and Pareek also explain how the index works and ways it could be employed, such as a metric to assess cybersecurity insurance policies.

Friday, June 17, 2011

How to define and secure Mobile Devices?

Mobile Computing: 10 key security tips

If you do not have a portable device management plan in place, now is the time to act. Don't wait until an incident occurs to develop a plan of action.

But keep in mind that reducing the risks of exposure from portable devices and media requires much more work and planning than a simple laptop encryption program.

Here are some suggested steps:
  • Inventory the use of portable devices and media across ALL areas of the organization. This is a difficult, but critical task. If you do not know the size and scope of the problem, how can you expect to manage it?
  • Examine ALL avenues of product acquisition, use and disposal. Does your organization have purchasing contracts in place for certain types of devices? Will your suppliers help you enforce your encryption policies? How about medical product vendors?
  • Understand the data flow on and off each device type. What is the data content being stored on the drives? Determine the sensitivity of the data and the amount being transported. How are the devices being used relative to employee workflow? Don't leave CD/DVDs out of the equation. Often, radiology departments will use CD and DVD devices to record patient diagnostics for use in referrals.
  • Develop an audit plan and gather statistics on the amount and type of data and devices being used within your organization. Conduct a thorough risk assessment for the use of portable computing and storage devices. Present your findings to senior management. Demonstrate ROI based on the costs associated with a breach. Solicit their buy-in for a holistic, problem-based approach. Once senior management support is obtained, educate the organization on the related issues. Provide real-life examples of recent breaches.
  • If your organization doesn't have a portable media/device policy, develop one. Don't forget to address device ownership; data ownership; rules of behavior; contractors and temporary employees; media destruction or sanitization; appropriate identification of what constitutes sensitive information; and when it is appropriate to use a portable device. The policy should specify who may use portable devices under what conditions as well as the process to gain appropriate management approval.
  • Educate ALL users on the content of the portable media/device policy and the organization's expectations of appropriate device handling and use. This is a great opportunity to remind your staff of the risks involved. Education should include training on how to properly transport the device, use it and safely remove sensitive information when it is no longer needed. A policy alone does not constitute an adequate control, nor is it effective in reducing risk. And you should be able to provide documentation validating the training of all staff members.
  • Develop sound layered security controls to reduce risk. Consider the different types of devices and the encryption technologies available for each platform. For example, with laptops, are you encrypting the entire hard disk? If not, can you demonstrate that the individual properly placed a sensitive file within the encrypted container? Are you using hardware-based encryption or software-based tools? Software-based USB drives often require the user to have administrative rights on the computer they are using to mount the drive. Even if the individual has these rights on their office computer (not a good idea), would they expect to have them at a shared computer in a hotel or coffee shop?
  • Investigate end-point security controls. While examining the different devices you need to legitimately service, examine methods and products that will enforce the use of appropriate devices. This will involve controls that can restrict computer USB ports to appropriate white-listed devices. Without such an end-point tool, policy cannot be enforced.
  • Educate the workforce on how to acquire appropriate secure devices and how compliance will be enforced.
  • If your end-point controls support operating in an audit mode, deploy it to monitor USB device activity. This will help fill in areas of device usage you may have missed, such as biomedical devices and dictation equipment.
Finally, deploy your endpoint controls SLOWLY. Allow areas to become comfortable with the controls and adequate time to purchase the appropriate tools. After sufficient roll out, routinely audit compliance and continue to educate the workforce. The success of your program will depend on your educational efforts and the availability of support staff to address issues promptly as they occur.

Wednesday, June 15, 2011

Microsoft Security Essentials

Doesn’t get in the way of PC performance

As an Information Security professional, I often get this question: Which is a good anti-virus? Which one should I use?

Here is my pick out of the bunch of anti-virus software available in the market.

Microsoft Security Essentials doesn’t carry the weight of suite products and has a much smaller download size. Scans and updates are scheduled to run when the PC is idle and use a low-priority thread. CPU throttling ensures that no more than 50 percent of the CPU is utilized by Microsoft Security Essentials activity, so that your system continues to perform those tasks you are likely to be performing, such as opening files or browser windows, saving files, and using cut, copy, and paste.

Microsoft Security Essentials uses smart caching and active memory swapping so signatures that are not in use are not taking up space, thus limiting the amount of memory used even as the volume of known malware continues to increase. This makes Microsoft Security Essentials friendlier toward older PCs, as well as today’s smaller, less powerful form factors such as netbooks.

Please refer here for further details.

Monday, June 13, 2011

New PCI standard version 2.0 has been finalized

Changes Minor, But Non-Compliant Merchants Won't Get Leniency

Merchant and service provider validation requirements are still the same. In fact, if you were compliant in the past, there is nothing terribly new. But if you had once sought shortcuts or attempted granular inferences, 2.0 may indeed prove discomforting.

Clarifications in 2.0

First and foremost, the new standard clearly spells out that the cardholder data environment includes "people, processes and technology" that touch the payments chain in any way. That means any entity that stores card data, processes or transmits card data, or touches authentication data must comply with the PCI-DSS.
If your organization ever sought to escape the stringency of the DSS by theorizing that it was only applicable to electronic cardholder data, the new guidance should clarify that even you must comply.

Secondly, the standard's use of "system components" was given a more inclusive definition. System components include all virtualization components, such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops and hypervisors. Virtualization was further integrated into requirement 2.2.1's limitation to one primary function per virtual server or device, though whether or not DMZ-based and internal network zone devices could be virtualized within the same physical hardware was not clarified.

Among the 314 other clarifications included in the new version and guidance, several other points are worthy of mention:
  • The standard applies to issuers and recognition was given to their need to securely store any retained sensitive authentication data.
  • Requirement 3.6 allows the use of cryptoperiods, rather than solely annual key rotation. If the impact of annual rotation has proven burdensome and the risk posed by less frequent key rotation is low, this should be a welcome change. [See NIST Special Publication 800-57 for more information about the standard cryptoperiod.]
  • Requirement 3.6.6 was clarified as requiring split knowledge and dual control for manual clear-text cryptographic key management operations only. For those using dynamic key management appliances, this should already be a native function.
  • Requirement 6.2 included the use of risk rankings for identified vulnerabilities as a best practice until June 30, 2012, after which it becomes a requirement. NIST Special Publication 800-30 is a suggested resource for accomplishing this. Further, most organizations will likely find that documenting all operating system related critical patches as "high" risk is easier than ranking each individual patch.
  • Requirement 12.3.10 added the ability to copy, move or store cardholder data on local hard drives and removable electronic media for authorized individuals; presumably, however, many will be challenged by scope implications.
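
As an added example (not from the article or the PCI Council), here is a small key-inventory check that applies the 3.6 and 3.6.6 points above: each key is rotated on its own defined cryptoperiod rather than a flat annual schedule, and any manual clear-text key operation must have at least two custodians recorded. The key inventory, the cryptoperiod values and the as-of date are constructed assumptions.

```python
from datetime import date, timedelta

ANNUAL_ROTATION_DAYS = 365   # the old flat schedule, kept as the fallback
AS_OF = date(2011, 6, 13)    # constructed as-of date for the audit

# Constructed key inventory (assumption, not from the article).
# cryptoperiod_days is the period the organization has defined for that key
# type after a NIST SP 800-57 review; None means none has been defined yet.
KEY_INVENTORY = [
    {"id": "dek-cardholder-db", "created": date(2010, 3, 1),
     "cryptoperiod_days": 730, "manual_cleartext_ops": False,
     "custodians": ["alice"]},
    {"id": "kek-hsm-master", "created": date(2009, 5, 15),
     "cryptoperiod_days": None, "manual_cleartext_ops": True,
     "custodians": ["bob", "carol"]},
    {"id": "tls-batch-link", "created": date(2011, 1, 10),
     "cryptoperiod_days": 90, "manual_cleartext_ops": True,
     "custodians": ["dave"]},
]


def rotation_due(entry):
    """Requirement 3.6: rotate at the end of the defined cryptoperiod; a key
    with no cryptoperiod falls back to the annual schedule. Returns the due
    date and the period that was applied."""
    period = entry["cryptoperiod_days"] or ANNUAL_ROTATION_DAYS
    return entry["created"] + timedelta(days=period), period


def check_key(entry, as_of):
    """Return the list of findings for one key (empty list means compliant)."""
    findings = []
    due, period = rotation_due(entry)
    if as_of >= due:
        basis = "cryptoperiod" if entry["cryptoperiod_days"] else "annual fallback"
        findings.append(
            f"3.6: rotation overdue, due {due.isoformat()} ({period}-day {basis})"
        )
    # Requirement 3.6.6 applies only to manual clear-text key operations;
    # keys handled entirely inside a key-management appliance are exempt.
    if entry["manual_cleartext_ops"] and len(entry["custodians"]) < 2:
        findings.append(
            "3.6.6: manual clear-text key operations need split knowledge and "
            f"dual control, but only {len(entry['custodians'])} custodian recorded"
        )
    return findings


def audit(inventory, as_of=AS_OF):
    """Map each key id to its findings."""
    return {entry["id"]: check_key(entry, as_of) for entry in inventory}


if __name__ == "__main__":
    for key_id, findings in audit(KEY_INVENTORY).items():
        print(key_id, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```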
It may sound counter-intuitive, but 53 testing procedures were added to simplify assessment and compliance management. Most of these are breakouts of the requirement verbiage. For instance, what had been listed as bullets under 4.1.a is now broken out into 4.1.a-4.1.e.

Redundancies also found in v1.2.1, which related to internal and Web-based application requirements 6.3 and 6.5, have been consolidated. Now, 6.5 includes the SANS CWE Top 25 and CERT Secure Coding best practice references.

Nevertheless, many hot-button items, such as tokenization, remain open to interpretation. Questions surrounding tokenization, virtualization and physical hardware remain unanswered.

For now, and potentially until 2013 when release version 3.0 is expected, we may be left to wonder. In the meantime, for those looking to adopt 2.0, take a look at the PCI Council's tips for understanding the guidance: Navigating PCI DSS: Understanding the Intent of the Requirements.

Sunday, June 12, 2011

Join the Cloud Security Summit

Free Online Event on June 16

The adoption of cloud computing is no luxury, and compliance and privacy concerns are now more pertinent than ever. Attend this summit to hear from key thought leaders and end users as they provide an in-depth look into the new world for cloud security and privacy.

Presenters will discuss ways to fully classify, analyze and mitigate both the legal and compliance risks associated.

Sign up to attend the live interactive webcasts on June 16, 2011, or view them afterward on demand here: http://www.brighttalk.com/r/mxX .

Presentations include:

‘Getting PCI to the Cloud: Amazon Web Services and SafeNet’
Mr. Dean Ocampo, CISSP, Dir. of Product Marketing, SafeNet, & Mr. Tom Stickle, Sr. Solution Architect, Amazon Web Services

‘Audit Considerations in a Cloud Computing Environment’
Jason Wood, Assistant Professor, Jack Welch Management Institute & Chancellor University and President of WoodCPA Plus P.C.

‘Trusting Cloud Services with Intel® Trusted Execution Technology’
Iddo Kadim, Director of Data Center Virtualization Technologies, Intel

‘Storm Clouds on the Horizon: Can I Trust My Data in the Cloud?’
Michael Sutton, Zscaler; Randy Barr, ServiceSource; Eran Feigenbaum, Google Apps; Matt Broda, Microsoft

‘The Evolution of IAM to Enable Security in The Cloud’
Tim Dunn, Vice President of Strategy, CA Technologies Security Europe

‘Cloud Computing & the Law: How to Protect Your Data’
Jonathan Armstrong, Technology Lawyer Partner, Duane Morris LLP

‘Vetting a Cloud Service Provider’
Emma Webb-Hobson, Information Assurance Consultant, QinetiQ

‘Cloudonomics or Risky Business? How to Architect your Services’
Gregor Petri ; Advisor on Lean IT and Cloud Computing, CA Technologies

‘Cloud Storage Security Introduction’
Glyn Bowden, SNIA & Storage Infrastructure Architect

‘Update: Cloud Computing and Data Protection’
Ibrahim Hasan, Director and Solicitor, Act Now Training LTD

You can view the full lineup and sign up to attend any or all presentations at http://www.brighttalk.com/r/mxX .

This summit is part of the ongoing series of thought leadership events presented on BrightTALK. I hope you are able to attend.

Saturday, June 11, 2011

Kaspersky KryptoStorage

Personal Digital Vault

Kaspersky KryptoStorage securely protects your personal files against unauthorized access and data theft using cutting-edge transparent encryption technology and allows deleted files to be permanently erased from your computer.

Kaspersky KryptoStorage ensures that your encrypted data stays confidential in the event of malware attacks, unsecure WiFi connections and even if your laptop or storage device is lost or stolen. The encrypted data is only accessible via a strong password that is highly resistant to brute force attacks.

Product Highlights
  • Encrypts folders and disk partitions to prevent data theft
  • New files can be added to encrypted folders or containers at any time
  • Containers can be transferred to other storage media and computers
  • Encrypts data "on the fly" with full access to the encrypted information
  • Limits access to data to prevent unauthorized modification or removal
  • Uses AES-128 algorithm for strong encryption
  • Allows data to be permanently deleted
  • Fully Compatible with Microsoft's new operating system, Windows 7
Refer here for further details.

Friday, June 10, 2011

Security update available for Adobe Flash Player

Hackers exploiting Flash Player XSS vulnerability

Adobe has released another Flash Player update to fix a serious security vulnerability that could expose Windows, Mac OS X, Linux and Solaris users to cross-site scripting attacks.

“This universal cross-site scripting vulnerability (CVE-2011-2107) could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website,” Adobe warned in an advisory.

The release of this Flash Player patch follows reports that the vulnerability is being exploited in the wild in active targeted attacks.

In the targeted attacks, Adobe said users are being tricked into clicking on a malicious link delivered in an email message.

Adobe recommends users of Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 10.3.181.22 (10.3.181.23 for ActiveX). Adobe expects to make available an update for Flash Player 10.3.185.22 for Android during the week of June 6, 2011.

The company said it is still investigating the impact to the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions of Adobe Reader and Acrobat for Windows and Macintosh operating systems.

Refer here for further details.

Wednesday, June 8, 2011

Hacker breaches the security of Australian Tax Office, Defence and Banks

The security of hundreds of thousands of security tokens (SecurID) used by Australian banks and their customers, the Defence Force and organisations such as the Tax Office to access computer systems is in doubt after a cyber attack.

RSA said yesterday it would reissue an unknown number of the estimated 40 million RSA SecurID fobs used worldwide. SecurID fobs are small, portable devices that generate a digital security code that changes every 60 seconds. They are most commonly used with a static PIN or password to access a computer system.

In March RSA customers were told the company had been the victim of "an extremely sophisticated cyber attack". But it was not until recently that full details were known. RSA's admission follows an attack on the defence contractor Lockheed Martin. The contractor said an attacker had tried to access its network using information about the fobs stolen from RSA in the March attack. But it had stopped the attacker stealing information.

Certain characteristics of the attack on RSA indicated the perpetrator's most likely motive was to obtain an element of security information that could be used to target defence secrets and related intellectual property.

David Kenny, the deputy secretary of the Department of Parliamentary Services, said the department had 1800 of the SecurID tokens used by staff and MPs. The department was arranging replacement.

The Department of Veterans' Affairs was considering RSA's offer to replace SecurID tokens at no cost. Westpac bank confirmed that it did not see an immediate need to replace its customer fobs as it had not been compromised. The Tax Office was arranging replacements.

The attack meant many organisations would see a need to beef up their security. To be successful an attacker would need certain information from the SecurID token, such as the username and PIN or password.

This can often be swiped by a user handing over their details in an email to a hacker pretending to be from the organisation that issued the fob. Without some of these details it would be difficult for a hacker to gain entry to a network.

Refer here for further details.
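The post's point is that a stolen token seed is only half of a login: the PIN the user knows is the other half, and the verifier should also refuse replayed codes and lock out repeated failures. The following is an added illustration, not code from RSA or from the article; it assumes a TOTP-style HMAC-SHA1 derivation (RFC 6238) in place of the vendor's proprietary algorithm, and all seeds and PINs in it are constructed.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 60          # the article says the fob's code changes every 60 seconds
CODE_DIGITS = 6
MAX_FAILURES = 5           # lock the account after this many bad attempts


def token_code(seed: bytes, unix_time: int) -> str:
    """Code shown on the token for the time step containing unix_time.

    Assumption: a TOTP-style HMAC-SHA1 derivation stands in for the real
    (proprietary) SecurID algorithm; only the two-factor logic matters here.
    """
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


def _pin_hash(pin: str, salt: bytes) -> bytes:
    # Store the PIN hashed, so a breach of the verifier does not leak it directly.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TokenVerifier:
    """Server side of the login: PIN (something you know) AND token code (something you have)."""

    def __init__(self) -> None:
        self._users: dict = {}

    def enrol(self, username: str, seed: bytes, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = {
            "seed": seed,
            "salt": salt,
            "pin_hash": _pin_hash(pin, salt),
            "last_counter": -1,   # highest time step already accepted (replay guard)
            "failures": 0,
        }

    def verify(self, username: str, pin: str, code: str, unix_time: int) -> bool:
        rec = self._users.get(username)
        if rec is None or rec["failures"] >= MAX_FAILURES:
            return False

        pin_ok = hmac.compare_digest(_pin_hash(pin, rec["salt"]), rec["pin_hash"])

        # Accept the current step and one step either side for clock drift,
        # but never a step that has already been used (replayed code).
        now = unix_time // STEP_SECONDS
        accepted = None
        for step in (now - 1, now, now + 1):
            expected = token_code(rec["seed"], step * STEP_SECONDS)
            if hmac.compare_digest(expected, code) and step > rec["last_counter"]:
                accepted = step
                break

        if not (pin_ok and accepted is not None):
            rec["failures"] += 1      # same answer whichever factor failed
            return False

        rec["failures"] = 0
        rec["last_counter"] = accepted
        return True


if __name__ == "__main__":
    # Constructed demo: a seed that has "leaked", a user who still holds the PIN.
    seed = b"constructed-seed-not-a-real-token"
    verifier = TokenVerifier()
    verifier.enrol("alice", seed, "4821")
    t = 1_309_305_600                      # a time in June 2011
    print("user with PIN + code:", verifier.verify("alice", "4821", token_code(seed, t), t))
    print("seed holder, no PIN:", verifier.verify("alice", "", token_code(seed, t + 60), t + 60))
```

Because the verifier gives the same negative answer whether the PIN or the code was wrong, someone holding a copied seed cannot use the service to confirm a guessed PIN, and the per-user failure counter limits how many guesses are possible at all.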

Tuesday, June 7, 2011

Google E-mail Hacked by China?

China denies any role in an alleged hack

Google on June 1 alleged that Chinese hackers attacked the Gmail accounts of several hundred U.S. officials, including military personnel, in an effort to obtain passwords and monitor the accounts.

Google says it detected and stopped the phishing campaign, which aimed to take users' passwords and monitor their e-mail activity. The White House's National Security Council is looking into Google's allegations and says it's working with the FBI to investigate the situation.

Google, meanwhile, offers these tips to its customers:
  • Enable two-step user verification.
  • Use a strong password for Google that you do not use on any other site.
  • Enter your password only into a proper sign-in prompt on a https://www.google.com domain.
  • Check your Gmail settings for suspicious forwarding addresses or delegated accounts.
  • Watch for the red warnings about suspicious account activity that may appear on top of your Gmail inbox.
  • Review the security features offered by the Chrome browser.
Please refer here for further details.
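Google's third tip (enter your password only on a sign-in prompt on the real domain) is the one users most often get wrong, because phishing pages use look-alike hosts. The check below is an added example, not code from Google or from the article; it assumes that google.com and its subdomains are the only trusted sign-in hosts, and every sample URL in it is constructed.

```python
from urllib.parse import urlsplit

# Assumption: sign-in prompts are trusted only on google.com and its subdomains
# (the article's tip names https://www.google.com); adjust for your own provider.
TRUSTED_DOMAIN = "google.com"


def is_trusted_signin_url(url: str, trusted_domain: str = TRUSTED_DOMAIN) -> bool:
    """True only for an https URL whose real host is trusted_domain or a subdomain of it."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:            # e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname         # drops "user@" userinfo and the port, lowercases
    if not host:
        return False
    host = host.rstrip(".")
    # Internationalised or punycode hosts are the classic homoglyph trick; reject them.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False
    return host == trusted_domain or host.endswith("." + trusted_domain)


def classify(urls):
    """Map each URL to True (safe to type a password into) or False."""
    return {u: is_trusted_signin_url(u) for u in urls}


# Constructed sample URLs; the look-alike hosts are made up for this example.
SAMPLE_URLS = [
    "https://www.google.com/accounts/ServiceLogin",
    "https://accounts.google.com/",
    "http://www.google.com/accounts/ServiceLogin",        # not https
    "https://www.google.com.example-login.net/",         # trusted name used as a prefix
    "https://www.google.com@example-login.net/",         # userinfo trick: real host is after '@'
    "https://www.g\u043eogle.com/",                       # Cyrillic 'o' homoglyph
    "https://xn--ggle-0nd.com/",                          # punycode form of a look-alike
    "https://www.google.com:8443/login",                  # non-default port, still google.com
]

if __name__ == "__main__":
    for url, ok in classify(SAMPLE_URLS).items():
        print("TRUSTED " if ok else "REJECT  ", url)
```

The two cases worth studying are the userinfo form and the prefix form: a human reading left to right sees `www.google.com` first in both, while `urlsplit().hostname` returns the host the browser would actually connect to.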

Monday, June 6, 2011

Android app can 'hack' Facebook and Twitter accounts

FaceNiff enables an Android smartphone to detect unsecured Facebook or Twitter login

Facebook and Twitter users face a new security headache from an Android app that allows anyone to hack social media accounts at public WiFi spots.

The developer of the FaceNiff app mentioned on their website that the app is for educational purposes only, and urges users not to install it if it is illegal in their country.

FaceNiff enables an Android smartphone to detect any unsecured Facebook or Twitter login made on the same WiFi network by a desktop or laptop using a standard web browser.

The app is a major security risk as it allows hackers access to a user's private contact details and those of all their friends. Using the app, it would be possible for hackers to collect personal information needed for identity theft simply while having coffee at an internet cafe.

FaceNiff needs to be side-loaded onto an Android device that allows root (superuser) access. While some users would not be capable of configuring root access on their Android phones, many would, and a list of compatible phones is available on the developer's website.

The developer claims the app works not only on open networks but also on WiFi networks secured with the WEP, WPA-PSK and WPA2-PSK protocols.

The developer's website states the app can be used to access Facebook, Twitter, YouTube, Amazon and Nasza-Klasa -- a Polish version of Facebook -- with more sites "coming soon".

FaceNiff, however, is understood not to work if the social media site is accessed over the https secure protocol.

Facebook and Twitter do not use https by default; users have to activate it.
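The post's last two paragraphs contain the whole defence: a session cookie that only ever travels over https cannot be read by another device on the same WiFi. From the site operator's side that means the Secure and HttpOnly flags on the cookie and an HSTS header so the browser never falls back to plain http. The audit below is an added example, not code from the FaceNiff developer or from the article; the two responses it checks are constructed, not captured from Facebook or Twitter.

```python
from typing import Dict, List, Tuple

Header = Tuple[str, str]


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Split a Set-Cookie value into name, value and a lowercase attribute map."""
    pieces = [p.strip() for p in value.split(";")]
    name, _, cookie_value = pieces[0].partition("=")
    attrs: Dict[str, object] = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True   # flag attrs map to True
    return {"name": name.strip(), "value": cookie_value.strip(), "attrs": attrs}


def audit_response_headers(headers: List[Header]) -> List[str]:
    """Return a list of findings; an empty list means the response is clean."""
    findings: List[str] = []
    names = {key.lower() for key, _ in headers}
    if "strict-transport-security" not in names:
        findings.append("no Strict-Transport-Security header: the browser may still load the site over plain http")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        attrs = cookie["attrs"]
        if "secure" not in attrs:
            findings.append(f"cookie {cookie['name']!r} lacks Secure: it is sent over plain http, readable on shared WiFi")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie['name']!r} lacks HttpOnly: page scripts can read it")
    return findings


def hardened_set_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """The corrected form of a session cookie header."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


# Constructed sample responses for the demonstration (not from any real site).
LEGACY_RESPONSE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),          # the weak setting
]
HARDENED_RESPONSE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", hardened_set_cookie("sessionid", "abc123")),
]

if __name__ == "__main__":
    for label, response in (("legacy", LEGACY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_response_headers(response) or ['no findings']}")
```

Running the audit against a site's login response is a quick way to tell whether a tool of the kind described in the post would have anything to pick up; the Secure flag is the one that matters on shared WiFi, HSTS closes the first-visit http request.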

Sunday, June 5, 2011

Security concern as cyber threat grows

Australian Government will soon release a white paper focusing on Cyber Security!

The Gillard government has become so concerned about attacks on the computer systems of industry and the public sector it will produce a white paper focusing largely on cyber security.

In a speech in Adelaide today, Attorney-General Robert McClelland will warn that foreign intelligence agencies, criminal gangs and commercial competitors are targeting intellectual property in Australia worth $30 billion.

Mr McClelland will say malicious activity is increasing to a point where computer systems in both the government and the private sector are under continuous threat.

"Cyber espionage is not just the purview of foreign intelligence agencies, but something undertaken by criminal organisations and commercial competitors alike," Mr McClelland says.

And Defence Minister Stephen Smith says attacks on Australia's computer systems are becoming increasingly sophisticated and targeted.

Development of the paper will be led by the Department of Prime Minister and Cabinet and extensive public consultations will begin next month with the release of a discussion paper.

It is expected the white paper will be ready in the first half of next year.

Mr McClelland says the cyber threat to Australia is real, evolving and continuing to test the nation's defences. "It comes from a wide range of sources, and from adversaries possessing a broad range of skills."

The cyber white paper will help Australians to connect to the internet with confidence. The document will provide a comprehensive review of how governments, businesses and individuals can work together to realise the full benefits of cyberspace while ensuring risks can be managed.

"The digital world is evolving rapidly. It's transforming the way governments and businesses operate and the way Australians connect to each other and the world," Mr McClelland says.

Minister for Broadband, Communications and the Digital Economy Stephen Conroy says the white paper recognises the increasingly significant role the online environment plays in the lives of Australians.

"With increased availability and use of technology, it's important that all Australians are able to go online safely and securely," he says.

Source: AustralianIT

Saturday, June 4, 2011

AlienVault Releases SCADA SIEM for Critical Infrastructure

Industrial networks face increasing threat of incidents causing economic, physical and human damage

AlienVault ICS SIEM is a family of purpose-built appliances which provide a platform for security and compliance management across industrial process control networks.

"SIEM as a technology provides the dashboard for planning and implementing a complete solution. AlienVault ICS SIEM uniquely combines the necessary supporting technologies, such as vulnerability assessment and intrusion detection, in a physical and architectural format appropriate for industrial applications."

Wirehead Security is one of the key partners working with AlienVault to bring these technologies to industrial facilities.

“We are very pleased with our choice of AlienVault ICS SIEM for a major urban water treatment customer on the East Coast,” said Wirehead’s CTO Michael Menefee.

“For this critical environment we needed a unified solution with the SCADA capabilities not found in IT-centric solutions. With AlienVault ICS SIEM we have a solution that can address the security and compliance needs of customers in process control industries including electric power utilities, public works and oil & gas. You just cannot get that level of capability, reliability and integration with legacy IT or ICS solutions alone.”

AlienVault ICS SIEM expands on this legacy of experience with rugged hardware, SCADA-specific intrusion detection signatures, tight integration with ICS equipment manufacturers and support for regulatory compliance frameworks including NERC CIP, NRC 73.54 and CFATS.

Thursday, June 2, 2011

Security and Prosperity in the Information Age

America's Cyber Future!

America’s growing dependence on cyberspace has created new vulnerabilities that are being exploited as fast as or faster than the nation can respond. Cyber attacks can cause economic damage, physical destruction, and even the loss of human life. They constitute a serious challenge to U.S. national security and demand greater attention from American leaders.

Despite productive efforts by the U.S. government and the private sector to strengthen cyber security, the increasing sophistication of cyber threats continues to outpace progress. To help U.S. policymakers address the growing danger of cyber insecurity, this two-volume report features accessible and insightful chapters on cyber security strategy, policy, and technology by some of the world’s leading experts on international relations, national security, and information technology.

Volume I

America’s Cyber Future: Security and Prosperity in the Information Age
By Kristin Lord and Travis Sharp

Volume II

Note: Chapters are bookmarked within the Table of Contents.

Chapter I: Power and National Security in Cyberspace
By Joseph S. Nye, Jr.

Chapter II: Cyber Insecurities: The 21st Century Threatscape
By Mike McConnell

Chapter III: Separating Threat from the Hype: What Washington Needs to Know about Cyber Security
By Gary McGraw and Nathaniel Fick

Chapter IV: Cyberwar and Cyber Warfare
By Thomas G. Mahnken

Chapter V: Non-State Actors and Cyber Conflict
By Gregory J. Rattray and Jason Healey

Chapter VI: Cultivating International Cyber Norms
By Martha Finnemore

Chapter VII: Cyber Security Governance: Existing Structures, International Approaches and the Private Sector
By David A. Gross, Nova J. Daly, M. Ethan Lucarelli and Roger H. Miksad

Chapter VIII: Why Privacy and Cyber Security Clash
By James A. Lewis

Chapter IX: Internet Freedom and Its Discontents: Navigating the Tensions with Cyber Security
By Richard Fontaine and Will Rogers

Chapter X: The Unprecedented Economic Risks of Network Insecurity
By Christopher M. Schroeder

Chapter XI: How Government Can Access Innovative Technology
By Daniel E. Geer, Jr.

Chapter XII: The Role of Architecture in Internet Defense
By Robert E. Kahn

Chapter XIII: Scenarios for the Future of Cyber Security
By Peter Schwartz

This study was co-chaired by Robert E. Kahn, Mike McConnell, Joseph S. Nye, Jr. and Peter Schwartz, and edited by Kristin M. Lord and Travis Sharp.

Download Volume I (PDF)
Download Volume II (PDF)

Wednesday, June 1, 2011

Safeguarding Personal Remote Access Against Cyber-Attacks

Personal Access … Public Attacks?

I have noticed that more staff are using personal devices and untrusted servers to access corporate networks, which is creating the ideal stalking ground for cybercriminals.

I wanted to bring your attention to 2 of SC magazine's upcoming webcasts that may prove useful. (I have had some great feedback from members who have attended their webcasts, as they are far more content-led than sales-led.)

The full list can be found at http://www.scwebcasts.tv

Details of SC’s next 2 webcasts are pasted below for you to assess their relevance for you and your team:

Safeguarding Personal Remote Access Against Cyber-Attacks
Streamed live to your desk on the 2nd June at 3.30pm.

Tune in live to hear:
  • How cybercriminals are preying on those staff using personal computers or servers to access your network, with a list of recent APT attacks
  • What you can do to shore up this gap in your company’s ramparts
Speakers include:
- Nick Harwood, Head of Security & Governance, Royal London
- Dave Jevans, Founder & Chairman of IronKey & APWG

Secure your free place at http://www.scwebcasts.tv

Smart Security for SMEs: The Key Threats And How To Tackle Them
Streamed live to your desk on 30th June at 3pm

Tune in to hear:
  • The main ways in which SMEs’ security is being compromised
  • An indispensable checklist for SMEs to ensure they have the key bases covered and stay safe online
Speakers:
Philippe Courtot, Chairman and CEO for Qualys + special guest CISO

Secure your free place at http://www.scwebcasts.tv

*ALSO WORTH MENTIONING is that SC’s sister title, Management Today, is running a webcast on Avoiding Information Overload to streamline security and productivity. It features the innovative driving forces behind pioneering companies such as Skype. It can be found at http://www.managementtodaywebcasts.com if you’re interested.

I hope that you enjoy the webcasts. As always, do feel free to contact me with any thoughts or questions.