Constant Connectivity, Proliferation of Mobile Devices and Applications Will Create More Security Concerns in 2012

By sophiesummers on 4:24 PM


MECHANICSBURG, Pa., Dec. 15, 2011 /PRNewswire/ -- The widespread adoption of mobile devices, proliferation of applications and growth of cloud computing are helping accelerate business innovation and social benefits.  However, today's always-on world brings with it a new and ever-changing set of security challenges.

According to the Verizon "2011 Data Breach Investigations Report," the number of data attacks has tripled in the past five years, making the need to balance security with risk an even greater priority for businesses and consumers.

With this trend in mind, Verizon's ICSA Labs division recommends that businesses and consumers guard against the following 13 security threats in 2012:

  1. Mobile Malware Is on the Rise. Malware targeting mobile devices will continue to increase, and enterprises will wrestle with how to protect users. Obvious targets will be smartphones and tablets, with the hardest hit likely to be Android-based devices, given that operating system's large market share and open innovation platform. All mobile platforms will experience an increase in mobile attacks.
  2. Criminals Target and Infect App Stores. Infected applications, rather than browser-based downloads, will be the main sources of attack. Because they are not policed well, unauthorized application stores will be the predominant source of mobile malware. Cybercriminals will post their infected applications here to attempt to lure trusting users into downloading rogue applications. Cybercriminals also will find ways to get their applications posted into authorized application stores. And infections can easily spread beyond the smartphone and into a corporate network, upping the ante on risk.
  3. Application Scoring Systems Will Be Developed and Implemented. To reassure users, organizations will want to have their application source code reviewed by third parties. Similarly, organizations will want to be sure that the applications approved for use on workers' devices meet a certain standard. It is anticipated that the industry will develop a scoring system that helps ensure that users only download appropriate, corporate-sanctioned applications to business devices.
  4. Emergence of Bank-Friendly Applications With Built-In Security. Mobile devices will increasingly be used to view banking information, transfer money, donate to charities, and make payments for goods and services, presenting an opportunity for cybercriminals, who will find ways to circumvent protections. To help ensure the security of online banking, the banking industry is likely to begin to offer applications that have strong, built-in security layers.
  5. Hyper-connectivity Leads to Growing Identity and Privacy Challenges. In today's business environment, more users need to legitimately access more data from more places. This requires the protection of data at every access point by using stronger credentials, deploying more secure, partner-accessible systems, and improving log management and analysis. Compounding the issue are a new age of cross-platform malicious code, aimed at sabotage, and mounting concerns about privacy. Enterprises will no longer be able to ignore this problem in 2012, and will have to make some hard choices.
  6. New Risks Accompany Move to Digitized Health Records. In the U.S., health care reform and stimulus funding will continue to accelerate the adoption of electronic health records and related technologies throughout the industry. The American Recovery and Reinvestment Act calls for all medical records to be electronic by 2014, meaning that much work must be done in 2012 and 2013 to prepare. New devices will be introduced that send sensitive information beyond the traditional boundaries of health care providers, and more and more health care providers are using mobile devices. Along with the need to secure newly implemented EHR systems, securing mobile devices and managing mobile clinical applications will continue to be an ever-increasing focus in the health care industry.
  7. Mobile and Medical Devices Will Begin to Merge. Mobile devices and health care apps will proliferate, making it easier, for example, to transform a smartphone into a heart monitor or diabetes tester. As a result, some experts believe that industry health care groups will declare mobile devices to be medical devices in order to control and regulate them. As interoperability standards mature, more mobile devices and traditional medical devices will become nodes on an organization's network. These devices also will share data with other devices and users and, as a result, be susceptible to the same threats and vulnerabilities that computers and other network-attached peripherals, such as printers and faxes, are susceptible to today.
  8. Smart Grid Security Standards Will Keep Evolving. In the U.S., public utility commissions, along with the National Institute of Standards and Technology, will continue to develop smart-grid standards. State PUCs will begin to agree on a standard in the coming year. The government will increasingly require utilities to demonstrate that their smart grid and advanced metering infrastructure solutions protect not only the privacy of consumers and consumer usage data but also the security of the AMI infrastructure. At some point, a single federal framework will supersede state regulations and requirements.
  9. New Concerns Will Surface About IPv6. The federal government is still struggling with the rollout of IPv6-enabled devices as organizations migrate from IPv4. This will be an ongoing concern, and IPv6-specific vulnerabilities and threats will continue to cause trouble during 2012. In addition, the other two fundamental mechanisms of the Internet -- Border Gateway Protocol and Domain Name System -- also now offer a next-generation version. In 2012, many will start migrating to these newer versions, generating a new round of vulnerabilities and exploits.
  10. Social-Engineering Threats Resurface. More targeted spear-phishing -- an email-fraud attempt that targets a specific organization, seeking unauthorized access to confidential data -- will be the major social-engineering threat of 2012. Efforts to educate user communities about safe computing practices will continue to be a challenge as the user base of smart devices increases dramatically. Social networking sites will continue to implement protection for users from malware, spam and phishing, but sophisticated threats will continue to seduce users to visit a rogue Website or reveal personally identifiable information online.
  11. Security Certification Programs Will Increase in Popularity. Certifications will continue to increase, especially as the government accelerates IT mandates for its agencies in the areas of cloud and identity; and in turn, the private sector will follow suit. Internet threats will continue to affect business, government and user confidence and wreak havoc on computing devices in the office and at home. The challenge for all testing bodies will be to stay ahead of the ever-changing threat landscape and to evolve testing accordingly. Some testing bodies may suggest certifying the security of companies as a whole, not just their products or services, as a way to build trust online.
  12. 'Big Data' Will Get Bigger, and so Will Security Needs. "Big data" -- large data sets that can now be managed with the right tools -- will be popular in 2012 as more companies derive greater value through analytics. Companies will use the data to create new business opportunities while empowering evidence-based decision making for greater success. However, companies will need to secure this data in order to achieve the gains they seek.
  13. Safeguarding Online Identities Will no Longer be Optional. With the rampant growth of online identity theft, consumers, businesses and government agencies are seeking ways to better protect their identities. These groups will look to the private sector to provide a cost-effective solution that helps to safeguard their identities and create greater online trust.

"The proliferation of Internet connectivity, mobile devices and Web applications is helping to enrich lives and advance global business opportunity in new, meaningful ways," said Roger Thompson, emerging threats researcher, ICSA Labs. "But in this new era of hyper-connectivity, which is compounded by the blurring of lines between our professional and personal lives, it's everyone's responsibility -- whether as a business user or a consumer -- to safeguard our online activities and interact with technology responsibly to protect our assets, identity and privacy."

About ICSA Labs
ICSA Labs, an independent division of Verizon, offers third-party testing and certification of security and health IT products, as well as network-connected devices, to measure product compliance, reliability and performance for many of the world's top security vendors.  ICSA Labs is an ISO/IEC 17025 accredited and 9001 registered organization. Visit http://www.icsalabs.com and http://www.icsalabs.com/blogs for more information.

About Verizon
Verizon Communications Inc. (NYSE, Nasdaq: VZ), headquartered in New York, is a global leader in delivering broadband and other wireless and wireline communications services to consumer, business, government and wholesale customers.  Verizon Wireless operates America's most reliable wireless network, with more than 107 million total connections nationwide.  Verizon also provides converged communications, information and entertainment services over America's most advanced fiber-optic network, and delivers integrated business solutions to customers in more than 150 countries, including all of the Fortune 500.  A Dow 30 company with $106.6 billion in 2010 revenues, Verizon employs a diverse workforce of more than 195,000.  For more information, visit www.verizon.com.

VERIZON'S ONLINE NEWS CENTER: Verizon news releases, executive speeches and biographies, media contacts, high-quality video and images, and other information are available at Verizon's News Center on the World Wide Web at www.verizon.com/news.  To receive news releases by email, visit the News Center and register for customized automatic delivery of Verizon news releases.

SOURCE Verizon




BEAST browser security threat is not as fierce as it looks say Context Information Security

By sophiesummers on 12:20 AM


November 21st 2011 – Researchers at Context Information Security are playing down the level of risk to businesses and government organisations posed by BEAST, or Browser Exploit Against SSL/TLS. Recently disclosed by Thai Duong and Juliano Rizzo, the SSL vulnerability allows an attack on a browser to decrypt cookies and compromise HTTPS, giving access to encrypted website log-on credentials. But Context believes that hackers are very unlikely to use this complex attack and also provides some advice on how to further reduce the risks.

“In effect, BEAST is simply a practical way to exploit an existing theoretical vulnerability in older versions of TLS/SSL (TLSv1.0, SSLv3.0 and lower), commonly used for HTTPS connections,” said Michael Jordon, research and development manager at Context. “For an attack to be effective, a vulnerable version of SSL using a block cipher must be used; network sniffing of the connection must be possible; and there also has to be a successful Java applet injection into the same origin of the web site.”

Developers can already increase the complexity of, and mitigate the risk of, malicious content being injected within the same origin through actions such as setting the HTTPOnly property on cookies, which prevents applets or JavaScript from gaining access to the cookie and so prevents session hijacking. Therefore, in terms of risk, the BEAST attack is akin to not setting the HTTPOnly property on cookies, which is not unusual among websites.

“If people are concerned about the BEAST attack, we suggest they first look to see if their HTTPOnly property is set properly. If it is not, then a BEAST attack would not be needed to deliver the same opportunities to hackers,” says Jordon.

The major vendors of both browsers and server-side technologies have also announced that they are working on patches for TLS1.0. Within a controlled environment such as an internal network, it may be possible to upgrade all users and servers to products that support TLS 1.1/1.2. However, this could mean that some users may have difficulties accessing older web servers.

There are also a number of other areas in which the risk of session hijacking can be reduced or the attack made more complex, including preventing transferable sessions; the use of effective logout and session timeout functions; regeneration of a new and unique cookie value per session; and adoption of one-time passwords.
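The two mitigations the release leans on, cookie flags such as HTTPOnly and Secure, and sessions that are regenerated on login, expire on inactivity and are really destroyed on logout, are easy to check and implement server side. The following is an added example written for this page, not code from Context Information Security: it audits Set-Cookie headers for the missing flags and runs a minimal session store with ID regeneration. The header lines and cookie names are constructed for the example; a real site may use other session cookie names.

```python
"""Added example (not Context's code): audit Set-Cookie headers for the
flags discussed above (HttpOnly, Secure) and run a small session store that
regenerates the session ID on login, invalidates it on logout and expires it
after idle time. The header lines are constructed for this example."""
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session is dropped

# Cookie names treated as session identifiers (assumption: a site may use others).
SESSION_NAMES = ("sessionid", "jsessionid", "phpsessid", "asp.net_sessionid")

# Constructed sample headers, as a server might emit them.
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "Set-Cookie: prefs=dark; Path=/",
    "Set-Cookie: JSESSIONID=xyz789; Path=/; Secure",
]


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(header: str) -> list:
    """Missing hardening flags for one header; only session cookies are checked."""
    cookie = parse_set_cookie(header)
    if cookie["name"].lower() not in SESSION_NAMES:
        return []
    findings = []
    if "httponly" not in cookie["attrs"]:
        findings.append("missing HttpOnly: page script can read the session cookie")
    if "secure" not in cookie["attrs"]:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    return findings


def session_cookie_header(sid: str) -> str:
    """Emit the session cookie with the flags the audit expects."""
    return f"Set-Cookie: sessionid={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


class SessionStore:
    """Server-side session table; `now` is injectable so timeouts can be tested."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._sessions[sid] = {"user": None, "last_seen": self._now()}
        return sid

    def login(self, old_sid: str, user: str) -> str:
        """Retire the pre-login ID and bind the user to a brand-new one, so an
        ID captured or fixed before authentication never becomes privileged."""
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user, "last_seen": self._now()}
        return new_sid

    def logout(self, sid: str) -> None:
        """Effective logout: drop the record server side, not just the cookie."""
        self._sessions.pop(sid, None)

    def user_for(self, sid: str):
        """Resolve a session ID; idle sessions are expired on the server."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        if self._now() - record["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        record["last_seen"] = self._now()
        return record["user"]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", audit_cookie(h) or "ok")
    store = SessionStore()
    anon = store.new_session()
    authed = store.login(anon, "alice")
    print("regenerated:", anon != authed, "old id still valid:", store.user_for(anon) is not None)
```

The audit deliberately ignores non-session cookies such as `prefs`, because the flags matter for credentials, not preferences; the session store keeps expiry on the server so that a stolen cookie stops working at logout or after the idle window, whatever the client does with it.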

“The BEAST vulnerability exists but there are simple steps that developers and security managers can take to mitigate the risks and with the number and complexity of mechanisms needed by an attacker, plus the number of greater value attacks that could take place in the same circumstances, we believe that it is unlikely that BEAST will be seen in the wild,” concludes Jordon.

Details of Context’s research into BEAST can be seen at: www.contextis.co.uk/research/blog/beast/

About Context
Context Information Security is an independent security consultancy specialising in both technical security and information assurance services. Founded in 1998, the company’s client base has grown steadily based on the value of its product-agnostic, holistic approach and tailored services combined with the independence, integrity and technical skills of its consultants. The company’s client base now includes some of the most prestigious blue chip companies in the world, as well as government organisations. As the best security experts need to bring a broad portfolio of skills to the job, Context staff offer extensive business experience as well as technical expertise to deliver effective and practical solutions, advice and support. Context reports always communicate findings and recommendations in plain terms at a business level as well as in the form of an in-depth technical report.

For more information for editors, please contact:
Peter Rennison / Allie Andrews
PRPR, Tel + 44 (0)1442 245030 / 07831 208109
pr[at]prpr[dot]co.uk / allie[at]prpr[dot]co.uk
Distributed on behalf of PRPR by NeonDrum news distribution service (http://www.neondrum.com)


Tags: BEAST, Computer hacking, Context IS, cyber-security, Internet security



Security flaws in new WebGL technology put PCs and data at risk

By sophiesummers on 11:59 PM


Researchers at Context Information Security, an international security consultancy, have uncovered serious security flaws in the new WebGL technology that creates 3D graphics in a browser with the same speed and detail as hardware-accelerated PC games and applications. Context says that design level security issues give potentially malicious web pages low level access to graphics cards that could provide a ‘back door’ for hackers and compromise data stored on internet-connected machines.

WebGL is currently supported on Linux, OSX and Windows operating systems, using Firefox 4, Safari and Google Chrome browsers. In addition to desktops and notebooks, WebGL is also being adopted for use in other devices including smart phones and is rapidly increasing in popularity.

“The risks stem from the fact that most graphics cards and drivers have not been written with security in mind so that the interface (API) they expose assumes that the applications are trusted,” says Michael Jordon, Research and Development Manager at Context. “While this may be true for local applications, the use of WebGL-enabled browser-based applications with certain graphics cards now poses serious threats from breaking the cross domain security principle to denial of service attacks, potentially leading to full exploitation of a user’s machine.”

“We think it is important to raise awareness of this issue before WebGL becomes more widely adopted because this is not an implementation problem, but is down largely to the WebGL specification, which is inherently insecure,” adds Jordon. “In the short term, individual end users or IT departments can avoid potential problems by simply disabling WebGL within their browsers; but the only long term solution is for the developers of WebGL itself to ensure that the specification is designed and tested to prevent these types of risks.”

WebGL 1.0 was officially released in March this year by The Khronos Group, a non-profit consortium of companies including Google, Apple, Intel and Mozilla working to create open standard APIs to display digital interactive media across all platforms and devices. It is essentially a graphics library that extends the functionality of JavaScript to allow it to create interactive 3D graphics within a browser without using plug-ins.
For more information on the security implications of the emerging WebGL technology, Context has published a blog detailing the design level security issues within WebGL along with some examples of proof of concepts.
http://www.contextis.com/resources/blog/webgl/


Using windows password recovery tool 3.0

By sophiesummers on 11:23 AM


Today passwords have become a common part of our daily life. There are many different passwords one needs to keep in mind, such as bank account passwords and website passwords. It is also common to forget a password, and it can be very painful if you forget your Windows password.
In the workplace most employees set a password to protect their privacy. Unfortunately, if they leave the company without removing that password, the next employee may have a problem. Even a second-hand computer may turn out to be password protected without your knowing it. You cannot simply reinstall Windows, as there might be important files you need to save. Don’t worry; there is a way to fix it. The software Windows Password Recovery Tool 3.0 is available now. Windows Password Recovery Tool is a utility to help you recover your Windows password when you have forgotten a Windows 7/Vista/XP password. It can help when you are locked out of the computer. Besides, if you have bought a used PC that is password protected, this tool can help you stay out of trouble and get at the valuable data on the computer safely.


What can Windows password recovery tool 3.0 do for you?

  • Remove Windows local password - This Windows password recovery tool allows you to burn a bootable CD/DVD or USB flash drive to reset or remove a Windows local password, including Windows administrator, standard and guest passwords.
  • Reset Windows domain password - In addition to Windows local passwords, it also offers you 2 methods to reset a Windows domain administrator password on Windows 2008 and 2003 servers by burning a bootable CD/DVD or USB flash drive.
  • Support all popular Windows OS - If you have this tool, you can easily and safely reset your forgotten or unknown Windows password, no matter which Windows OS you use. It works on all popular Windows OS, including Windows 7/Vista/XP/2000/2003(R2)/2008(R2).

Step by step using Windows password recovery tool 3.0
Windows password recovery tool 3.0 allows you to reset a Windows password in 4 simple steps:

  1. Download the software and install it
  2. Burn a bootable CD/DVD or USB flash drive
  3. Adjust the BIOS boot settings
  4. Reset the forgotten Windows password


Data Centre security is still flawed say Sentry42

By sophiesummers on 7:26 PM


Sophisticated cyber-attacks like last year’s Stuxnet worm grab the headlines and trigger massive investment in anti-virus software, but the chief threat to data centre security today remains ‘physical’, according to Alex Rabbetts of Norwich-based colocation specialists Sentry42.

“Over half of the data security breaches in the UK this year will be the result of direct physical attack or theft from the data centre. The reality of our day-to-day enemy is not the international cyber terrorist gangs – it is more likely to be a disgruntled employee or petty criminal breaking in and stealing to order.”

“The lesson for data owners is clear – security needs to be professionally managed and this often means having it hosted in a specialist facility which has invested in substantial physical security. There’s no point in investing in biometric access controls if anyone can pop around to the loading bay at the back and get to wherever they want,” says Rabbetts. “From the security hardware to the policies and procedures that govern the management of the data centre, effective data security is a speciality that often does fit easily within the normal office environment.”

This is why more companies are siting their data in specialist facilities like Sentry42’s new colocation data centre in Norwich. This centre has high perimeter fencing at least 30 metres from its main buildings, microwave intruder detection at all borders, digital CCTV covering the entire site, proximity reader access controls on all doors, biometric access control for data hall entry, proximity access control to all cabinets, and a dedicated security centre that is manned 24 hours per day, 7 days per week.

“Data security is not about one-off gestures or knee-jerk investments in the latest software,” says Rabbetts. “To be effective, security is achieved by the consistent application of quality policies and procedures supported by the well-maintained hardware and devices – at Sentry42 we believe security is part of the organisation’s culture, a 24X7 habit.”

Sentry42’s 60,000 sqft newly refurbished Gatehouse Data Centre is located close to Norwich and will open to customers on May 11th.


Security Event Detection Tool - Elastic Detector™ for Amazon EC2 by SECLUDIT

By sophiesummers on 1:15 PM


Elastic Detector™ for Amazon EC2 is an innovative, fully automated security event detection tool for Amazon EC2. It helps administrators and users of Amazon EC2-based infrastructures to continuously detect holes in security groups and applications, thus dramatically reducing the risk of external and internal attacks with no management overhead. It constitutes a fundamental building block for security administrators to handle security on a dynamic infrastructure, at no administration cost.

Dynamic infrastructures, as opposed to classic static ones, raise the risk of external and internal attacks and exponentially raise the cost of security administration, due to manual management of the continuously changing security perimeter of the elastic set of servers. Elastic Detector for Amazon EC2 is the answer to the increasing security risks of a continuously changing infrastructure. It relies on SecludIT Elastic Security patent-pending technology, which is the answer to distributed architectures, dynamic threats and an attack surface that keeps changing, automatically building and adapting security perimeters so that the infrastructure is always protected.

While IT infrastructure evolves to answer business needs, Elastic Detector™ for Amazon EC2 automatically sets the right security checks and corresponding alerts: this is an entirely new paradigm, called Auto-Checks. Unlike other security and monitoring tools, where administrators have to set up checks and alerts for each server, Elastic Detector™ for Amazon EC2 auto-detects servers and automatically sets the checks and alerts. The administrator can fine-tune the checks and alerts to respond to specific needs, but as long as the infrastructure keeps evolving, Elastic Detector™ for Amazon EC2 keeps up with the security through the Auto-Checks.
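The check the release talks about most, holes in security groups, can be illustrated without the product. The following is an added example written for this page, not SecludIT's code: it walks rule sets shaped like the EC2 DescribeSecurityGroups response (IpPermissions with IpProtocol, FromPort, ToPort, IpRanges and Ipv6Ranges), reports sensitive ports reachable from any address, and diffs two runs so only newly opened holes raise an alert, which is the continuous, evolving-infrastructure behaviour the text describes. The groups, IDs and port list are constructed; nothing here calls AWS.

```python
"""Added example (not SecludIT's code): a continuous security-group check of
the kind the text describes. Input is shaped like the EC2
DescribeSecurityGroups response (IpPermissions with IpProtocol, FromPort,
ToPort, IpRanges, Ipv6Ranges); the groups below are constructed and no AWS
call is made."""
import ipaddress

# Ports that should rarely be reachable from the whole Internet.
SENSITIVE_PORTS = {22: "ssh", 23: "telnet", 1433: "mssql", 3306: "mysql",
                   3389: "rdp", 5432: "postgres", 6379: "redis", 27017: "mongodb"}

# Constructed sample, shaped like describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def is_world_open(cidr: str) -> bool:
    """True when the CIDR covers every address of its family (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(rule: dict):
    """Port range a rule covers; IpProtocol "-1" means all protocols and ports."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def audit_groups(groups: list) -> list:
    """Return one finding per (group, sensitive port) reachable from anywhere."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            open_cidrs = [c for c in cidrs if is_world_open(c)]
            if not open_cidrs:
                continue
            low, high = rule_ports(rule)
            for port, service in SENSITIVE_PORTS.items():
                if low <= port <= high:
                    findings.append({"group": group["GroupId"], "port": port,
                                     "service": service, "source": open_cidrs})
    return sorted(findings, key=lambda f: (f["group"], f["port"]))


def new_findings(previous: list, current: list) -> list:
    """Findings present in this run but not the last: the alerts a continuous
    check should raise as the infrastructure changes."""
    seen = {(f["group"], f["port"]) for f in previous}
    return [f for f in current if (f["group"], f["port"]) not in seen]


if __name__ == "__main__":
    for f in audit_groups(SAMPLE_GROUPS):
        print(f"{f['group']}: {f['service']}/{f['port']} open to {', '.join(f['source'])}")
```

Run on a schedule against the real API output, `audit_groups` gives the current state and `new_findings` the delta, so a freshly launched server whose group opens a database port to the world is reported once, at the time it appears, rather than buried in a full report every hour.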

Delivered as SaaS and without the need to install and maintain agents on virtual machines, Elastic Detector™ for Amazon EC2 watches the security of Amazon EC2 infrastructures, helping administrators to provide a high-quality, professional service level to their customers and users. With Elastic Detector™ for Amazon EC2, administrators are the very first to get alerted whenever there is an important problem, even when their infrastructure evolves and without the need for further manual configuration.

The very first users of Elastic Detector™ for Amazon EC2 are enthusiastic: “Great thanks! What you say about ports and security groups makes sense and is very powerful. This is something you should definitely highlight”. Sergio Loureiro, CEO of SecludIT, comments: “We are very proud of releasing today the very first product based on our innovative Auto-Checks technology. The first feedback we got is very positive, and Elastic Detector™ is only at the beginning of what we can do. We are working hard on our product roadmap!”

After a successful private beta test period, Elastic Detector™ is now available for Amazon EC2, and it will be extended to support other cloud providers. Please sign up at the website: www.secludit.com
