2014/08/07

| 08.07.14 | Attack method used by Russians to harvest more than 1B credentials is gaining popularity

What's New:
1. Attack method used by Russians to harvest more than 1B credentials is gaining popularity
2. Lack of adequate control system security is 'shocking' and 'insane'
3. Advanced persistent threat? Not so much, says researcher
4. Insecure APIs leave enterprise websites, networks vulnerable
5. Mandatory reporting of cybersecurity incidents needed for health of Internet, says Geer

Spotlight:
DHS contractor that performs background checks suffers breach

Also Noted:
Home routers are clear and present danger; Erosion of privacy a tragedy; Much more...

News From The Fierce Network:
1. BYOD benefits: Industry experts weigh in
2. Mobile cloud security firm Bitglass pockets $25M in VC funding
3. Business units are wagging the enterprise mobility dog

FierceITSecurity

August 7, 2014


This week's sponsors:
PGi
Dell
GLOBO

This week's sponsor is PGi.

Webinar: IT and Marketing: Extreme Collaboration
Tuesday, August 26th, 2pm ET / 11am PT | New Editorial Event!

Media outlets love to focus on the tension between IT and marketing. But if it's a war, both sides lose. Instead, CIOs have to partner with CMOs to help deliver on aggressive business goals in an ever-changing landscape. Register Today!


This week's sponsor is Dell.
UnboundID Webinar: Advancing the federal cybersecurity workforce
Wednesday, September 10th, 2pm ET/ 11am PT

Join NIST and NICE leaders as they explore The National Cybersecurity Workforce Framework, innovative approaches to cybersecurity training and workforce improvement, the broader focus of NICE in advancing cybersecurity awareness nationwide, and more! Register Today!

What's New

1. Attack method used by Russians to harvest more than 1B credentials is gaining popularity

By Fred Donovan

LAS VEGAS--The attack method used by a Russian crime syndicate to steal more than 1 billion user credentials is gaining popularity among cybercriminals, warns Marc Gaffan, co-founder and chief business officer with Incapsula.  

Earlier this week, The New York Times reported that a Russian crime syndicate had stolen 1.2 billion username and password combinations and more than 500 million email addresses. The newspaper said that Hold Security uncovered the data treasure trove.

"Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites. And most of these sites are still vulnerable," Alex Holden, the founder and chief information security officer of Hold Security, tells the newspaper.

The Russian syndicate used botnets--networks of infected computers--and SQL injection attacks to collect the massive amounts of data discovered by Hold Security.

The use of botnets by cybercriminals to steal credentials is on the rise, Gaffan tells FierceITSecurity. A disturbing 61.5 percent of all web traffic now comes from bots, and botnet activity has soared 240 percent in the last year, according to Incapsula data.

Search engine bots are being used by cybercriminals to carry out web attacks. "Criminals are disguising themselves as Googlebot, so you presume it's a legitimate search of your site to index it. But it turns out the attackers are posing as Googlebot, and they are using this as a technique to get into sites. Web masters are terrified of blocking Googlebot because their rankings will plummet," Gaffan says.

Once the attackers get into sites, they launch SQL injection attacks, cross-site scripting attacks, or insert malware through backdoors. They can then carry out distributed denial of service (DDoS) attacks, send spam, steal content and engage in other nefarious activities.

The report about the Russian crime syndicate "looks a lot like that, where thieves are increasingly automating their attacks using bots," Gaffan says.

Incapsula recently conducted a study that found around 4 percent of bots using the Googlebot's user agent, or ID, are fake. A whopping 66 percent of fake Googlebots are used to carry out DDoS attacks.
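A defender-side check for the fake-Googlebot problem Gaffan describes, added here as an example and not code from the article or from Incapsula: Google documents that a genuine crawler's reverse DNS name ends in googlebot.com or google.com and that this name resolves forward to the same address, so the code applies both steps to every Googlebot-claiming request in a constructed log sample. The log lines, IP addresses and DNS answers are all made up so that it runs offline.

```python
import re
from typing import Callable, List, Optional, Set, Tuple

# Constructed sample access-log lines (combined log format); all IPs are from the
# RFC 5737 documentation ranges, not real crawler addresses.
SAMPLE_LOG = """\
198.51.100.10 - - [07/Aug/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.9 - - [07/Aug/2014:10:00:02 +0000] "GET /catalog HTTP/1.1" 200 128 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.77 - - [07/Aug/2014:10:00:03 +0000] "GET /login HTTP/1.1" 200 256 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [07/Aug/2014:10:00:04 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/31.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
GOOGLE_SUFFIXES = ("googlebot.com", "google.com")  # domains Google publishes for its crawlers

# Constructed offline stand-in for DNS. 203.0.113.77 models a host whose owner set a
# Google-looking PTR record but cannot make Google's forward zone point back at it.
FAKE_PTR = {"198.51.100.10": "crawl-198-51-100-10.googlebot.com",
            "203.0.113.9": "vps-9.example.net",
            "203.0.113.77": "crawl-198-51-100-10.googlebot.com"}
FAKE_A = {"crawl-198-51-100-10.googlebot.com": {"198.51.100.10"},
          "vps-9.example.net": {"203.0.113.9"}}

def fake_ptr_lookup(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)

def fake_a_lookup(host: str) -> Set[str]:
    return FAKE_A.get(host, set())

def is_verified_googlebot(ip: str, ptr: Callable[[str], Optional[str]],
                          fwd: Callable[[str], Set[str]]) -> bool:
    """PTR name must sit under a Google domain AND resolve forward to the same IP;
    either check alone is spoofable, together they are not."""
    host = ptr(ip)
    if host is None:
        return False
    host = host.rstrip(".").lower()
    if not any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES):
        return False
    return ip in fwd(host)

def classify_googlebot_claims(log_text: str, ptr, fwd) -> List[Tuple[str, str]]:
    """(ip, verdict) for each request whose User-Agent claims to be Googlebot."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "Googlebot" not in m.group("ua"):
            continue
        ip = m.group("ip")
        results.append((ip, "verified" if is_verified_googlebot(ip, ptr, fwd) else "fake"))
    return results
```

For live checks, pass a reverse lookup built on socket.gethostbyaddr(ip)[0] and a forward lookup built on the addresses returned by socket.getaddrinfo(host, None) in place of the two fake lookups.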

Attackers will go after "anybody and everybody ... The thing about using bots is the whole thing is automated, so they don't care who they're going after," Gaffan concludes.

For more:
- check out the New York Times story
- read the Incapsula blog

Related Articles:
Spotlight: Hackers exploit elasticsearch hole to launch cloud-based DDoS attacks
Majority of malicious bot traffic made in the USA
7 deadly sins: The most dangerous new attack techniques for 2014

Read more about: SQL Injection Attacks, botnet


This week's sponsor is GLOBO.

eBrief | Making BYOD Work: 4 Critical Strategies for Midmarket and SMB Companies

Bring-your-own-device (BYOD) can be a blessing for mid-size and small businesses. But getting the real payoff requires some attention to details that may differ from those at large enterprises. This FierceMobileIT eBrief provides practical advice for making BYOD work. Download today.


2. Lack of adequate control system security is 'shocking' and 'insane'

By Fred Donovan

LAS VEGAS--The lack of adequate security for industrial control systems (ICS) is "shocking" and "insane," asserts Stefan Luders, computer security officer at European scientific research center CERN.

In a provocatively titled presentation at Black Hat--"Why control systems cybersecurity sucks"--Luders laments that security is not an integral part of most control systems.

Commercial control systems are widely deployed at CERN, particularly for its particle accelerator, the largest in the world. Based on his experience at CERN, Luders says that control systems are good at fulfilling their use cases but fail at dealing with abuse cases.

"Defense in depth involves starting with the fundamentals, which are robust devices. The devices I'm looking at are not robust," he says.

There is no public security certification process for ICS devices. Vendors are unwilling to share information on security incidents. "Responsible disclosure is non-existent among control system vendors," he opines.

Luders expressed his frustration by asking: Why do I have to bear the costs of security due diligence for control systems instead of the vendors who are shipping insecure applications and devices?

Patching of security vulnerabilities in control systems is difficult, and many legacy control systems can't be patched. "You can't just patch a control system during a production cycle. You have to wait for a gap when your maintenance is performed," says Luders.

The security foundation of control systems is flawed, judges the CERN computer security officer. "I buy devices which cannot be secured. I buy devices which are not robust. This is something we have to change," he concludes.

Related Articles:
Spotlight: Critical ICS still vulnerable to Heartbleed
Spotlight: Dragonfly campaign compromised Western energy facilities
Critical infrastructure: All together now

Read more about: defense in depth, security


3. Advanced persistent threat? Not so much, says researcher

By Fred Donovan

LAS VEGAS--The term advanced persistent threat, or APT, is a misnomer because most APT attacks are anything but advanced, says John Pirc, chief technology officer at security testing firm NSS Labs.

"A lot of them are not that advanced. They are using remote administrative tools. They are using legacy exploits tied together," Pirc tells FierceITSecurity.

Pirc said that the majority of targeted attacks that his firm has seen are focused on the oil and gas industry. A number of these attacks come from North Africa, which is a base used by state-sponsored operations, especially Russia, because of the lax regulations in the region.

To help enterprises deal with APTs as well as other cyber threats, NSS Labs launched its Cyber Resiliency Center this week, a cloud-based service that enables chief information officers (CIOs) and chief information security officers (CISOs) to continually evaluate their security posture, identify which threats target their apps, and plan responses.

The center includes an advanced warning system that provides CISOs with alerts based on attacks within the organization that can bypass security products deployed on the firm's network.

As part of the center initiative, NSS is providing its InSight service, which enables "enterprises to run 'what if?' scenarios that model their deployed security layers, show which threats are able to exploit their attack surface, and then virtually 'swap out' different security products and/or desktop applications to assess which technologies best suit their varying risk tolerance and cost constraints," NSS says in a statement.

NSS Labs explains in a recent white paper that the biggest threat to enterprises is the 2 percent of threats that are not blocked by existing security products. A cyber resilience program focuses on that 2 percent and looks at strategies to reduce the impact of the attacks that get through.

"Current cyber attack campaigns involve stealthy, persistent, and sophisticated activities to establish a foothold in organizational systems; maintain that foothold and extend the set of resources the adversary controls; and exfiltrate sensitive information or disrupt operations. Enterprise architecture and systems engineering must be based on cyber risk management principles in order to ensure that mission and business functions will continue to operate in the presence of compromise," the paper argues.

"The main premise of cyber resilience is that security is misaligned. There is a myopic focus when it comes to the threat, the security products and the attack surface," says Pirc. The center aligns all these together--"your attack surface to your security products to the threats that are out there, the known and the unknown," he adds.

For more:
- check out the NSS Labs' release
- read the white paper

Related Articles:
Chinese behind major breach at Canada's National Research Council
FierceITSecurity webinar probes advanced threats
Many firms in the dark and ill-prepared when it comes to APT attacks

Read more about: cyber resilience, data theft


4. Insecure APIs leave enterprise websites, networks vulnerable

By Fred Donovan

LAS VEGAS--Attackers are increasingly exploiting vulnerabilities in application programming interfaces, or APIs, to gain access to enterprise websites and networks and carry out other malicious activities.

For example, insecure APIs were blamed for successful attacks on Pinterest and Instagram. An API vulnerability also played a role in the breach at messaging firm Snapchat, which exposed the phone numbers and usernames of up to 4.6 million users.

Zane Lackey, founder and chief security officer at Signal Sciences, examined API attack methods and defense during a Black Hat session on Wednesday.

Lackey laid out five major API attack vectors: bypassing authentication defenses, bypassing data validation via third party APIs, evading detection of brute force authorization, evading rate limits, and abusing content types.

Lackey also laid out defensive strategies firms can use to thwart these attacks: design for API methods being discovered, perform certificate pinning on mobile apps to make API discovery more complex, have dedicated graphing/instrumentation of APIs, and provide the ability to enumerate and revoke API keys in use.

In defending against attacks, Lackey recommends that those defending the enterprise work to increase attacker costs by reducing cheap compromise vectors, build detection methods around real attack patterns, and have necessary defensive capabilities within the security team.

According to a recent survey of 180 API pros by enterprise API management firm Layer 7, security has rocketed to the top of their list of concerns, followed by usability. The survey also found that enterprises are looking more to APIs to deliver core functionality internally, according to a report at Integration Developer News.

For more:
- read the Integration Developer News story

Related Articles:
Healthcare.gov security problems not confined to public sector
Most mobile banking apps have security vulnerabilities, says IOActive Labs
Andromeda botnet employs AutoIT scripts to hide malware

Read more about: certificates, API keys


5. Mandatory reporting of cybersecurity incidents needed for health of Internet, says Geer

By Fred Donovan

LAS VEGAS--Mandatory reporting of cybersecurity incidents is needed for the health of the Internet, Dan Geer, chief information security officer at CIA-based investment firm In-Q-Tel, told a keynote audience at the Black Hat conference being held this week in Las Vegas.

Geer said he based his proposal on the Centers for Disease Control's requirement that hospitals and healthcare organizations report outbreaks of communicable diseases.

"Is cybersecurity event data the kind of data around which you want to enforce mandatory reporting?" Geer asked the audience. He related that most U.S. states currently require reporting of one type of cybersecurity incident: data breaches.

"If you discover a cyberattack, do you have an ethical obligation to report it? Should the law mandate that you fulfill such an ethical requirement?" he asked.

Geer said he favors a law that would require the reporting of cybersecurity incidents above a certain severity threshold and encourage the voluntary reporting of incidents below that threshold. He said that the exact threshold should be determined through negotiation among stakeholders.

As FierceITSecurity reported, the Securities and Exchange Commission (SEC) is likely to make mandatory the recommendations in its 2011 staff guidance that public firms report cyber incidents in their SEC filings, according to Jason Weinstein, a partner at the law firm of Steptoe & Johnson specializing in cybersecurity. This would be a step toward the more universal reporting requirement being proposed by Geer.

For more:
- check out Geer's prepared remarks
- check out the SEC's staff guidance

Related Articles:
SEC likely to issue cybersecurity disclosure rules based on 2011 guidance
Target breach, Heartbleed bug cause high anxiety among IT security pros
Retailers' feet-dragging underscores need for national data breach law

Read more about: Dan Geer, SEC


Also Noted

TODAY'S SPOTLIGHT... DHS contractor that performs background checks suffers breach

USIS, a contractor that performs background checks for the Department of Homeland Security, or DHS, has admitted to a data breach that involved the theft of personal information on employees and some DHS personnel, the Washington Post reports. USIS blamed the breach on a "state-sponsored attack." As a result, DHS and the Office of Personnel Management have suspended all work with USIS while the FBI investigates the breach. Read more

>> Security expert calls home routers a clear and present danger (Ars Technica)
>> McAfee: Google and Facebook's erosion of privacy is a tragedy (Infosecurity Magazine)
>> Automotive attack surface: Where cars are at risk (eWeek)
>> Drupal and WordPress coordinate security updates to fix DoS flaw (SecurityWeek)
>> New site recovers files locked by Cryptolocker ransomware (KrebsonSecurity)

And finally…Jet fuel from tobacco? What will they think of next? (Wired)

Marketplace

> Whitepaper: ESG Solution Brief

ESG details the current state of enterprises solving their mobility challenges and how to give users greater access to files and content from their mobile devices, maximizing employee productivity, while maintaining control over security and compliance. Download this brief today!

> Whitepaper: Supporting VDIs and Thin Clients

Companies have already begun deploying VDIs and thin clients (like Google's Chromebook) on a massive scale. The low-cost, easily deployed workstations present a significant cost savings for companies, but require unique tools to support them. This whitepaper, written by Proxy Networks, outlines the best way to do that. Download now.


©2014 FierceMarkets, a division of Questex Media Group LLC, 1900 L Street NW, Suite 400, Washington, DC 20036, (202) 628-8778.

Contact Us

Editor: Fred Donovan. VP sales and business development: Jack Fordi. Publisher: Ron Lichtinger.
