Mobile Security: iOS Jailbreaks Pose Risks

*** UPDATE 9/1/2015: KeyRaider Compromises 225K (jailbroken) Apple Logins ***

http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/


Jailbreaking is happening in the millions: don’t turn a blind eye.



The latest jailbreak for iOS 6.1, released on 4 February, was downloaded by a whopping 5 million users in the first 48 hours alone, according to the website stats posted by Cyril (a.k.a. pod2g), the developer of the latest hack published on evasi0n.com. During these first two days the site served 40 million page views, a good 50 per cent of them to 2.5 million unique visitors from the U.S.


The Data Breach Pandemic: Information Security is Broken

Verizon Data Breach Report 2015

Have enterprises basically just given up on IT security? Global budgets fell by 4% in 2014 over the previous year and as a percentage of total IT budget they’ve remained at 4% or less for the past five years. The picture is even starker for firms with revenues of less than $100m, who claim to have reduced security budgets 20% since 2013.

Yet the threats keep on escalating. When it comes to information security, there are really only two situations out there: companies that have been breached, and companies that still don’t know it.

If 2014 was the “Year of the Data Breach” then 2015 is proving to be at least its equal. This month alone we’ve seen TV stations shunted off air by pro-jihadi cyber terrorists; the discovery of major new state-backed attack groups; and another massive data breach at a US healthcare provider.

We talk today about managing risk, rather than providing 100% security – because there’s no such thing. The conclusion I have reached is that the traditional information security model is broken. But why? And how can we fix it?

The New Normal

Today’s threat landscape is virtually unrecognizable from that of a decade ago. It’s populated by well-resourced, highly determined and sophisticated actors, who could be motivated by ideology (hacktivists and cyber terrorists), geopolitical gain (state-sponsored hackers) or, more usually, plain old money. While you’ll still see the worms and viruses of old circulating the internet today, most cyber criminals have all but abandoned these vectors in favor of something far more targeted, more covert and more successful.

Targeted attacks and Advanced Persistent Threats (APTs) first broke into the public awareness in around 2010, when the so-called Operation Aurora attacks on Google and others presaged the firm’s exit from China. Stuxnet followed that same year and suddenly the floodgates had been opened: there was a new threat in town. It typically begins with a “spear phishing” email or social media message using social engineering techniques to encourage the user to open a malicious attachment or click on a malicious link, triggering a malware download.

The malware will load in the background without the user’s knowledge, evade detection by traditional tools and escalate privileges inside the network until it finds the data it’s looking for.

Attackers spend time researching their targets on the internet to hone their phishing lures, and increasingly are taking extra time again to zero in on IT administrators, whose privileged accounts will give them the keys to the kingdom straight off the bat. They also spend time researching where vulnerabilities lie on the target systems so that the malware can do its job, bypassing existing defenses.

The cybercriminal underground that sits beneath all of this on the non-indexed “Dark Web” of anonymization networks like Tor and I2P and private forums is a vast, unknowable beast. Best estimates have put its size at 400-500 times the size of the “surface” web. Cybercriminals buy and sell stolen credit cards, identities, exploit kits and other attack tools, which have democratized the ability to launch sophisticated targeted campaigns.

The fact that enterprises are now hugely more exposed to such threats through a tsunami of new vulnerabilities appearing every month, and through a proliferation of new cloud services and applications, makes the bad guys’ job even easier. That they have to secure these increasingly complex physical-virtual-cloud environments with minimal budget is just the icing on the cake.

Yet the stakes are higher than ever. The average cost of a data breach stood at $3.5m last year, up 15% on 2013. The repercussions are vast: loss of brand and shareholder value, damage to customer loyalty, legal costs, financial penalties and remediation and clean-up costs, to name but a few. Target claimed in Q2 2014 alone that losses related to its massive breach totaled $148m. Sony Pictures’ losses are almost unquantifiable, given that a huge treasure trove of valuable IP and internal emails has now been made publicly available by Wikileaks.

A losing battle?

Given the size, scale and sheer organization of the cybercrime underground – notwithstanding the threat from state-sponsored attackers targeting your IP or hacktivists looking to take you down – it’s not surprising that the security industry is constantly on the back foot. Its adversaries are more agile, and have the element of surprise and the cloak of anonymity on their side.

Slowly the security industry has adapted – building new solutions which moved away from the old static AV signature-based paradigm. First it developed heuristic detection – which spotted malware based on characteristics in its code – and behavior-based techniques. There’s also been a shift to cloud-based threat prevention systems which stop or block threats before they hit the network.

The new generation of tools pioneered by the likes of FireEye is designed to stop those all-important zero-day threats often used in targeted attacks – that is, those which exploit as-yet-unseen flaws. Sandboxing executes an unknown threat in a virtual environment in near real time to see if it’s dangerous or not. Security vendors have also been developing tools which leverage big data analysis of customer data and threats in the wild to identify and correlate new malware. Such is the sheer volume of threats that these companies need vast data centers and computing power to even stay on a par with the cybercriminals.

Traditional infosec is broken

Yet after all that investment … software security vendors still admit that the best security stance for a CSO today is to accept he or she has already been breached. If a hacker is determined enough they will get into your organization. The best the industry can do is to provide systems which try to spot as soon as possible when this has happened, to minimize the risk of data loss.

So, I say today that security as we know it is broken. We need to find a new way, and that way requires us to look at hardware-based solutions.

If you don’t believe me, take a look at the below and answer truthfully…

Did You Know?

  • Your PC/mobile device can be compromised just by visiting a malicious webpage?
  • Targeted attacks go undetected for months or even years. The recently discovered Equation Group had been operating for at least 14 years under cover.
  • Around 4% of malicious messages are clicked on, irrespective of volume. Every organization can be phished/breached.
  • Just opening a malicious PDF or Word attachment could lead to a covert, multi-year data breach?
  • 5,435 new vulnerabilities were discovered in 3,870 products from 500 vendors in 2014. That’s an increase of 18% over 2013 and up 55% from five years ago.
  • Apple products are not immune. Its latest iOS update patched a staggering 39 vulnerabilities.
  • Nearly one million new pieces of mobile malware were discovered last year – that’s a jump of almost 400%.
  • There were 200,000 new malware strains discovered every day in 2014.
  • The pace of malware creation is increasing all the time: the volume of malware found last year accounts for one third of all malware ever written.

***

Now do you believe me? Traditional information security has reached its limits: it’s time for stronger, more resilient hardware-based solutions to complement traditional network / software stacks. As always, I’d love to hear from you …


Google Vault Makes Play for Mobile Security Hardware Space

Google Project Vault

Last week Google made a splash with its latest futuristic tech offering: Project Vault. In essence, this mini-computer on an SD card is designed to enable secure authentication, communications and data storage on your smartphone or laptop. So what exactly is going on here? After years experimenting with Android, has one of the world’s biggest software companies finally admitted hardware level security is the way forward? And if so, what are the implications for enterprise and consumers?

Cesare Garlati Joins prpl Foundation as Chief Security Strategist

prpl Foundation

SANTA CLARA, CA–(Marketwired – April 07, 2015) – Well-known information security expert Cesare Garlati today joins the prpl Foundation as Chief Security Strategist. Garlati will assist the Foundation with security strategy in the newly formed Security PEG (prpl Engineering Group), a working group dedicated to creating an open standard framework that addresses next-generation security requirements for connected devices.

“Cesare Garlati is an internationally renowned leader in the mobile security space,” said prpl Foundation president Art Swift. “We all look forward to his contributions in security strategy and his participation in the ground-breaking Security PEG.”


The GitHub attack – is the worst still to come?

What we can learn from the recent cyber attack on the popular website GitHub, and why we should worry about what is likely to come next.


TTL analysis performed by Netresec in Sweden

Over the last few days the popular website GitHub has been the target of a massive Distributed Denial of Service (DDoS) attack, apparently originating from China. As I write this note, the GitHub status webpage now indicates “Everything operating normally” and “All systems reporting at 100%”. However, I am afraid the story is far from over and the worst may still be to come.

GitHub is the largest and most popular repository of open source projects and a key infrastructure website for the Internet. Among others, GitHub hosts the Linux project – arguably the world’s most widespread open source software. Various flavors of Linux power most of the Internet’s servers and an ever-increasing number of consumer devices across the globe.


European Data Protection Reform – How to minimize impact and costs

European Data Protection Reform

If your company touches any Europeans’ data you’d better prepare for what’s coming.


The EU data protection reform is steadily moving forward. On March 12, 2014, the European Parliament adopted the current proposal in its first reading. The new regulation is intended to strengthen consumer privacy rights and to boost Europe’s digital economy. However, many experts across the Atlantic have expressed deep concerns with regard to some controversial aspects of the incoming laws, which introduce bigger fines, 24-hour disclosure and the enforced Data Privacy Officer. The proposed regulation applies to the processing of personal data pertaining to data subjects in the EU even if the controller or processor of such data is not established in the EU. U.S. companies with or without operations in the EU that fail to comply with the new rules can trigger fines of up to €100 million. If your company touches any Europeans’ data, you’d better prepare for what’s coming and know what to do to minimize the impact on your organization when the regulation is enforced.


European Data Protection Reform – How to prepare for what is coming


How to prepare for what is coming

U.S. companies who market goods and services to European consumers should not wait for the regulation to enter into force. You should act promptly to avoid the disruptions and the liability resulting from an untimely implementation of these new rules.

At a minimum, your checklist should include:

European Data Protection Reform – Should you worry yet?


Should you worry yet?

According to Viviane Reding, EU Justice Commissioner, there is a full commitment of the European bodies to pass this legislation by the end of the year. However, the experts are skeptical with regard to a swift approval by the council of ministers of the EU member states.

European Data Protection Reform – The Enforced Data Privacy Officer


The enforced Data Privacy Officer – revenue generation for lawyers?

For private legal entities, the obligation set forth in Art. 35 of the regulation to designate a Data Privacy Officer (DPO) only applies to the processing of personal data that affects large numbers of individuals (≥ 5000 data subjects in 12 months), regular and systematic monitoring of data subjects, or the processing of special categories of data, location data or children’s data in large-scale filing systems.
