Five reasons why big companies are finding it hard to beat cyber criminals

Cyber criminals have become stealthier and more intelligent, and as a result big companies are becoming increasingly susceptible to malicious online threats. In an effort to enhance their operations, businesses are adopting the latest technologies, and more of them – but this also means more vulnerabilities and points of entry for attack. Ultimately, these organisations are becoming highly attractive and viable prospects for criminals.

Knowingly or not, large enterprises have thrust themselves into an IT security war and the bad guys are gaining the upper edge. So – sticking with the language of warfare – would counterattack measures be a sensible option at this stage? Below are five reasons why they might not.

Zero-day exploits

Companies often invest in one anti-virus software solution under the impression that it will address all security needs that occur, naively and recklessly putting all their eggs in one basket. This is a misconception that is not only dangerous but keeps companies at perpetual risk.

The reality is that cyber criminals innovate at a faster pace than security firms, and many anti-virus programs only detect threats that have already been discovered as opposed to zero-day exploits, attacks that target previously unknown vulnerabilities, have no signature written for them and pose the most danger. Organisations won’t truly be safe from cybercrime if their primary barrier allows the most nefarious tools to slip through the net.

Weak cross-border legislation

New cyber crime laws and the specialist police divisions that enforce them have been rendered mostly redundant. Due to the global nature of cybercrime, these laws are often stretched beyond their geographical jurisdiction, thus significantly undermining their ability to protect businesses against threats that often originate abroad.

Cybercrime legislation differs nationally and even regionally in some cases – what might be illegal in the victim’s location might be legal in the culprit’s location, and this lack of seamless cross-border legislation significantly benefits the criminals.

The fact that top governments struggle to convict cyber criminals means there is even less of a deterrent to cease their illicit activity. A universal agreement between governments about how to convict cyber criminals is a long way off, and the upper hand remains with them until this is achieved.

Black market resources

Cyber criminals have evolved into sophisticated planners and slick executors; the malicious processes that they deploy are supported by a wealth of easily accessed tools on the black market, making these individuals shockingly well-resourced to target businesses. For malware-authors, the emphasis is shifting from quantity to quality of infection.

One of the many ways the black market sustains this new ethos is by supplying exploit testing services. These quality assurance measures guarantee new malware will bypass popular anti-virus software by pre-scanning it against all of the most up-to-date malware signature databases. Cyber criminals are able to be strategic and efficient with the black market propping up their activity; it is one of the reasons why they are regularly a step ahead of large organisations.

Cyber criminals are faster than big companies

The defining characteristics of cybercrime are robustness and agility, whereas big companies with vast and complex hierarchical structures can be inert and sluggish in terms of decision making. Multiple layers of management delay how reactive firms can be during an attack on IT infrastructure, putting the loose and nimble criminal networks in a more advantageous position. To protect themselves at even half the speed that criminals move, corporations must re-arrange rigid internal arrangements to be more flexible.

Lack of collaboration

Companies tend to operate in isolation when it comes to cyber security. A problem shared is usually a problem halved – however, the business community still fails to properly collaborate in order to unite against its common enemy.

The benefits of collaboration can be gleaned from the financial sector, which in recent years implemented several simulated “cyber-drills” to bolster industry-wide safeguarding against what it acknowledges as one of its greatest dangers. The latest effort, Operation Waking Shark II, took place in mid-November 2013 when high street banks, financial institutions and regulators, the Bank of England and the Financial Conduct Authority came together to assess their collective security measures in a practical way.

Collaboration on this scale would equate to an overall higher standard of protection for commercial industries, yet the reluctance to share best practice will keep companies at the mercy of cybercrime.

Marcin Kleczynski is CEO of Malwarebytes

Get more articles like this sent direct to your inbox by signing up for free membership to the Guardian Media Network – this content is brought to you by Guardian Professional.

Electronics in Flight: How Harmful are Mobile Devices to Your Aircraft?

We all know the drill: before takeoff and landing the flight attendants do a final safety inspection, walking up and down the aisle to ensure everyone has their seat backs and tray tables up, seatbelts fastened and all electronic devices powered down. While this exercise has become second nature for most fliers, new policy changes could make mandatory shutting down of devices a thing of the past.

In October, the Federal Aviation Administration (FAA) lifted its ban on airline passengers using their smartphones, tablets, e-readers and other electronic gadgets below 10,000 feet, although downloading data, web searches and calls during takeoff are still prohibited. But mobile service may not be far behind. On December 12th, the Federal Communications Commission (FCC) will meet to review and decide whether or not to end restrictions on phone calls during flights. While none of the approved or pending changes will happen immediately, it is important to assess how they might impact users in flight, especially considering comfort, security, and other key factors.

From checking a bank account balance to finding a nearby Thai restaurant, mobile devices have permeated almost every aspect of our lives. Given the ubiquitous nature of mobile usage today, it’s no surprise that the governing bodies overseeing air travel are suddenly changing their tune with regards to electronics on airplanes. In 2003, 70% of passengers carried electronic devices with them on planes, and currently that number has jumped to an astounding 99% according to a survey by the Consumer Electronics Association. Aside from consumer pressure, lawmakers and even large companies like Amazon have been pushing the FAA to ease mobile device restrictions for years.

The original motivation behind the FAA’s restriction on the use of electronic devices below 10,000 feet stemmed from concerns around interference with aircraft systems during vulnerable periods like takeoff and landing. But, as aircrafts have become more advanced, the possibility of interference from a wayward smartphone or tablet have become much less of a reality. The risk is in fact quite low, and researchers come up short when looking for instances when “electromagnetic interference from a portable electronic device brought down a commercial plane or was a contributing factor in an accident,” nor has the National Transportation Safety Board ever issued a recommendation about the safety issues of using mobile devices in non-transmitting modes during takeoff. Additionally, an FAA panel last year called to study just this issue concluded that most commercial airplanes are equipped to deal with radio signals.

However, some pilots continue to report cases of suspected interference, and electronic devices can still cause more work for the crew during flight aside from safety concerns. On top of having to badger passengers to power down their devices, they have the potential to be disruptive to everyone around them—even without the noise of people on calls in such a confined space.

Although the fate of phone calls on U.S. airlines is still up in the air, the reaction to the possibility has been anything but positive, with petitions being created and grumblings heard almost immediately after the announcement. In today’s mobile world, airplanes are one of the few places free from mobile call chatter and many people are not excited about losing that time of relative silence, especially considering the already stressful nature of air travel. The Association of Flight Attendants are among those voicing concern for this possible rule change and some airlines like Delta, will stand staunchly behind the no mobile phone policy regardless of the FCC’s decision.

On top of passenger discomfort, there could also be some serious mobile security risks associated with mobile device calls on planes. Earlier this year at the Hack In The Box conference in Amsterdam, security consultant Hugo Teso demonstrated how to hack an airplane using an Android app he created called PlaneSploit. With the app, he claimed to be able to take control of certain aircraft systems and cause them to change direction and even crash into the ground, revealing some unsettling weaknesses in onboard flight systems. Despite the FAA’s assurances that the hacking technique used at the conference does not pose a real threat to flight safety, possible security risks from mobile devices should not be ignored. There are new threats targeting all kinds of “smart” devices today, from TVs to cars, and an aircraft’s autopilot system or other controls are no different.

Hundreds of thousands of passengers each day use their favorite mobile gadgets aboard airplanes, meaning any risks to aviation safety must be assessed in advance. Besides the attack demonstrated by Hugo Teso, Wi-Fi hacking and other cybercrimes previously restricted to the ground could now affect passengers thousands of feet in the air. Currently, companies like Gogo Inc. and Row 44 provide Internet access on some major airlines, and pending the FCC’s decision, will soon offer services for sending and receiving text messages or making phone calls using Wi-Fi. Downloading content on mobile devices accounts for a major part of their usage, and without the proper precautions, users could pick up unwanted malware or be tricked into paying for and using spoofed networks mid-flight.

While in-flight mobile phone calls are still out of reach, seamless device usage on airplanes could happen as early as January 2014. In the meantime, users should already be practicing safe mobile habits, especially when traveling.

How do you feel about allowing mobile users to make calls during flights? Tell us below:

Loading…

And stay up to date on the latest mobile security threats, by following our team on Twitter at @McAfeeConsumer or Like us on Facebook.

lianne-caetano

The post Electronics in Flight: How Harmful are Mobile Devices to Your Aircraft? appeared first on McAfee Blogs.

How to Protect Yourself from Social Spam

Social networking sites like Facebook and Twitter allow us to communicate with friends and family, network with colleagues, and become connected to people who share a hobby or interest. But they also allow online scammers and spammers to get closer to us by utilizing the web of friendships and connections they create.

In fact, the popularity of social networks has given rise to new form of spam—this new type of spam is called “social spam,” and while you may not see it every day, you have probably seen it in posts such as this one: “Hey check out this link—FREE IPAD.” Social spam has grown quickly, impacting over 4 million[1] users every day on Facebook alone. And it’s much more alluring for hackers, since social spam is distributed through our network of “friends” that as users we are much more likely to trust.

Social spam works like this: The hacker creates a phony profile on a site like Facebook. They then “friend” people they don’t know, and post tempting links, such as the one for the free iPad. When their friends click on the links, or click on an image that looks like their friend has “liked” something, the spam starts spreading across the social sites.

These links can lead to malicious software being downloaded on your computer or mobile device or hijacking your contacts and spamming them with other “offers” to continue propagating. It can even gather your personal information and then use this to steal your identity. Or they could take your money if you click on a link and enter your credit card on a fake site.

Social networking sites have anti-spam efforts in place and many of them also have staff whose jobs are dedicated to spam protection and similar user issues. But spammers remain one step ahead, so it is crucial that you protect yourself by following these social spam tips:

  • If the offer looks too good to be true, it often is—don’t click on it.
  • Use strong passwords that are different for each site and be sure to change them frequently.
  • If a friend tweets or posts something that is out of character, it may not be them writing the post. If you’re concerned it might be spam, you can verify it with them—in a private message or offline communication—or simply ignore it.
  • Don’t befriend strangers online—not everyone is who they say they are!

Of course, the best protection against social spam is to be aware and stay suspicious.   If you see a message or post that is tempting you to click on it, remember that it could be a clever cyber scam.

The post How to Protect Yourself from Social Spam appeared first on McAfee Blogs.

Social Media Manipulation Is For Real, Some Call It As Crowd-Turfing!

An Indian investigative portal Cobrapost, recently released a report on alleged online reputation smearing/management/campaigns designed to gain/destroy political capital for who ever was the highest bidder or “customer”. Online world (social media) was abuzz with political motivations, and some where perplexed if it was even possible (amazed, surprised, dismissive etc.)

Some of the bloggers/twitterati offered their own explanations, instantly building near myths and false narratives in the process. My attempt is to disabuse readers from such false narratives and myths. I would skip political aspects of this conversation and  focus on technological aspects.

Myth 1 – It is not possible to have fake followers on either Facebook or Twitter.

Fortunately, this myth has  been widely debunked. Sites like Twitter Audit or Social Bakers can be easily used to discover if a twitter user has fake followers or not. Such fake followers are largely bots or proxy accounts  run on behalf of real/fake individuals.

In fact, acquiring fake followers is not a difficult task and is actually a full-fledged online business. Take the case of twitterwind.com, a site that offers different packages for the numbers of followers a customer would like to acquire, so forth and so on.

Twitterwind Packages

There is an excellent story on this by New York times that describes buying and selling of fake twitter followers the worst kept secret in the Industry. Here is a NBC news post that questioned Mitt Romney’s sudden jump in his twitter account following by a factor of 100,000 followers last year. In may last year, NPR published a news article  on how as low as $75 one could purchase 1000 Likes

Myth – 2  Real people are running any social media campaign, there is NO concept of fake (automated bots) followers.

This is largely a defensive reaction of individuals who find themselves on the other side of the first myth. However, even this myth/narrative is false.

Automated bots or bot-nets have existed since the initial days of attacks on computers and networks by hackers and malware/computer virus authors. Bots are compromised systems/user accounts that could be used for launching a malicious digital campaign/attack on an unsuspecting user/corporation or public at large.

In the case of social media, there are three ways to create such bots.

First way is to use an automated bot (compromised system) to do key-logging of individuals to find username/password of an existing user.

Second way is to create fake accounts through auto programming. Two Italian researchers Italian security researchers Andrea Stroppa and Carlo De Micheli reported on how such fake accounts could be created using software for sale. Washington post carried this story. NewYorker magazine also has an excellent article on such twitter bots.

Third way is to launch a phishing attack on real users and harvest their Twitter/Facebook accounts. Social media phishing is a new phenomenon. Some users would recall how AP had tweeted about bombing in white house, once their account had been phished and hacked. Even the satire magazine Onion had suffered a similar phishing attack

Twitter and Facebook both have taken a lot of steps to weed out such followers. Facebook cracked down last year on both fake followers and likes.

Impact of some of the user’s friends and followers after Facebook decided to crack down on fake followers

Myth – 3 There are no companies that actually can run such reputation enhancing/smearing campaigns. 

There is actually a proper world for this activity – Crowd-Turfing!

“Crowd-Turfing” – term represents an activity of malicious crowd sourcing system that exist on social media and internet and display following behaviors – crowd sourcing and astro-turfing. University of California – Santa Barbara came out with this term in their paper “Serf and Turf: Crowdturfing for Fun and Profit

In other words, not only it is possible to manipulate social media through automated and manual means, it is very much prevalent in many countries such as US and China. Crowd-turfing is neither novel or earth shattering, however it might be a complete novelty for some Indians. However, it is largely illegal but requires extensive skill set in establishing a trail of evidence to legally nail the culprit.

This story is pretty old now from rest of the world perspective. UC Santa Barabara report on crowd-turfing mentioned such bots existing on very popular QQ services of Tencent and internet companies like Zubhajie again in China. This report documents purported activities of these companies including account creation, forum post, QQ blog post etc.

UC Santa Barbara report documents the kind of activities done by two of the crowd-turfing companies

UC Santa Barbara report documents the kind of activities done by two of the crowd-turfing companies

There is an additional story here, there is an entire business category for Online Reputation Management, that exists for improving online brands of individuals and companies. Forbes has a good article on how online reputation management companies. They also posted a follow-up article on how some of these companies seemed to be doing dirty things under the hood – blackmailing as an example.

Although, there are many more myths and narratives that could be challenged here, however if an informed spirit of enquiry could result from this, I would meet my objectives.

The post Social Media Manipulation Is For Real, Some Call It As Crowd-Turfing! appeared first on McAfee Blogs.