Network World review: Microsoft Windows Defender comes up short

Microsoft’s latest version of its anti-malware tool, Windows Defender, is a frustrating product to evaluate. Once you examine the product in more detail, you will see why we cannot recommend it for enterprise use. And that is the frustration of this product: Microsoft is trying to do the right thing and offers a tempting feast, but ultimately offers an incomplete meal that is tough to digest. It is hard to track, hard to configure, hard to remove and hard to manage in a typical enterprise environment.

It might be all the antivirus that a home user needs, but when it comes to the business world, you are better off with something else.

You can read the full review in Network World here.


My top security threats of 2016 in review

Since I began writing a series of newsletters for Inside Security in June, I have covered some of the most important data leaks or security threats each week. Here are my favorites:

Yahoo for the Big Kahuna award: Billions of emails served, thanks to Yahoo. The gift that keeps on giving, and taking shareholder value too. My analysis and lots o’ links here.

In a class by itself is the Mirai botnet. Dyn’s analysis of the Krebs attack is here. Then more than 900,000 customers of German ISP Deutsche Telekom were knocked offline by a new variant. It didn’t help matters that DT allowed the rest of the world to remotely manage these devices.

Schneider Electric gets the two times the charm award. Two of its utility software programs, Unity Pro and PanelShock, were compromised within a matter of days; both were attacks that could harm industrial control networks. This could be the return of Stuxnet. The published advisory is here.

The Australian Red Cross receives the bloodbath award. A million or so medical records of blood donors have, ahem, leaked. Gotta love those Aussies: “This is a seriously egregious cock-up,” said one researcher.

Three Mobile (UK) receives the can you hear me now award. Contact details of six million of its customers, about two-thirds of its total, have been exposed. Hackers used an employee’s login credentials to gain entry.

The friends with benefits award goes to, naturally, the Friend Finder Network. They exposed more than 412 million accounts, including millions of supposedly deleted accounts, thanks to a local file inclusion flaw. Actually, this is their second such award: they were also breached in 2015.

DailyMotion and Weebly both share the password is ‘password’ award. DailyMotion had more than 80 million of their account IDs and passwords exposed. Only a fifth of these accounts had passwords and they were fortunately encrypted. The company admitted the breach in a blog post. Leaked Source obtained the data file. As for Weebly, they had more than 40 million accounts compromised earlier this year. Fortunately, their stolen passwords were stored using the strong hashing function BCrypt, making it difficult for hackers to initially obtain users’ actual passwords.

Payday awards. Criminals continue to figure out ways to make ATMs spit out their cash drawers. Two this year are notable: Alice (discovered recently by Trend Micro researchers) and Cobalt, where Group IB has named the organization behind the thefts. Both are very sophisticated attacks, and we should expect more in 2017.

The pixel perfect award goes to an attack called Steganos. Millions of people visiting mainstream websites over the past two months have been exposed to a novel form of malicious ads that embed attack code in individual pixels of the banners. This exploit has been around for several years. Its unusually stealthy operators scored a major coup by getting the ads displayed on a variety of unnamed reputable news sites, each with millions of daily visitors. It hides parts of its code in the parameters that control the pixel colors used to display banner ads.

Vera Bradley stores receive the attention shoppers award. They notified customers of a credit card exploit, which affects customers who paid by credit card in their stores between July and September of this year. Card numbers and names were captured by malware found running in their data center. The company has 150 stores selling fashion merchandise.

Oops mom, no firewall award goes to a Finnish facilities manager. Thanks to the absence of a firewall and a DDoS-based DNS attack, at least two housing blocks in the city of Lappeenranta were affected, as confirmed by the facilities management company. Hackers gained remote access to the HVAC systems. Luckily, outdoor temperatures weren’t critical.

The award for security starts in the home goes to so many companies it is hard to pick just one, but let’s give the honor to the Ameriprise employee who had a home-based network storage device with no password whatsoever. The drive was synchronized with one in his office, allowing anyone to view sensitive client data. Expect more of these sorts of attacks as the line between home and work continues to disappear.

And the most zero days reported in the past year: Adobe Flash, of course. No week would be complete without one!

What were your favorite breaches of the past year?

SecurityIntelligence blog: Avoiding Threat Management Rookie Mistakes

What do a Finnish HVAC company and a set of American car dealerships have in common? Both have been doing a poor job running their computer systems and, as a result, both experienced a series of four embarrassing threat management blunders.

In my latest post for IBM’s SecurityIntelligence blog, I describe these two incidents in more detail. They point out easily fixable threat management mistakes. As a result of weak security, several apartment buildings went without heat and millions of customers and employees of car dealerships had their data stolen. But both consequences are preventable, especially with the benefit of hindsight.

Regaining Trust: What to do AFTER a Security Breach

In the past few years, it seems that large-scale data breaches have been occurring with depressing regularity. While it’s incredibly important to establish trustworthiness in any product, re-establishing trust after it has been violated is much harder to do. There is far less room for error when dealing with a customer base that already has reason for concern about an organization’s digital security.

When breaches do occur, the best plan to regain trust is to use webpages with plain language that contain plenty of specifics and constructive suggestions for issue resolution. In this article for UXPA Magazine, a professional journal for the user experience community, Danielle Cooley and I use the example of four recent breaches (Cici’s Pizza, Home Depot, Wendy’s Restaurants, and Omni Hotels) to see how each firm tried to regain its customers’ trust.

iBoss blog: DDoS for sale: what is a booter or a stressor and why you should care

DDoS attacks are on the rise, and one of the reasons is the plethora of service providers that make it easy to mount your attacks, especially if you are a lazy or inexperienced criminal. Dozens if not hundreds of these pre-packaged booter or stresser DDoS services make it a very profitable business and can generate thousands of dollars a week for these criminal operators.

You can read more in my blog post for iBoss here.

iBoss blog: The challenges and opportunities for managing the Internet of Things

The Internet of Things (IoT) has been in the news lately for facilitating numerous DDoS exploits across the planet. A global non-profit think tank called the Online Trust Alliance (OTA) has published a paper entitled IoT, a vision for the future. It outlines how the IoT can grow and thrive, especially given that “users’ confidence that their data is secure and private is at an all-time low.”

You can read my latest post for iBoss’ blog here.

Hacking 911 systems: an update

It isn’t often that there is a very short trajectory from an academic research paper to reality, but when it comes to hacking the 911 emergency phone network this is indeed the case. The paper was written earlier this year and first given to the Department of Homeland Security before being published online this fall.

The researchers from Ben Gurion University in Israel describe how an attacker could knock a 911 service offline by launching a distributed denial of service (DDoS) attack using a collection of just 6000 smartphones. While that is a lot of phones to gather in one place, it is a relatively small number compared to computer-based attacks. And you don’t really need to gather them together physically: you can infect these phones with some malware and control them all remotely.

Like other DDoS attacks, phones (rather than computers) make repeated calls to 911, thereby blocking the system from getting legit emergency calls. It is a chilling concept, because unlike other DDoS attacks, the hackers aren’t just bringing down a website with large bursts of traffic: they could prevent someone from getting life-saving assistance.

In the paper, the researchers simulated a cellular network modeled after the 911 network in North Carolina and then showed how attackers could exploit it.

Now 911 attacks aren’t new: indeed, the DHS issued this alert three years ago and mentioned that more than 600 such attacks have been observed over the years. What is new is how easily the attacks could be launched, with just a few thousand phones and some malware to make it all work. Also, these previous attacks were launched against the administrative phone numbers of the alternate 911 call center, not against the actual 911 emergency lines themselves. If you are interested in how the 911 center operates, I posted a piece many years ago about this here.

There are other stories about hospitals and other businesses that have had their phone systems flooded with calls, blocking any business calls from being connected. And where there is fire, there is at least one security vendor to put it out or protect an enterprise network from being exploited by telephone-based DDoS attacks.

The problem is in the design of the 911 call centers. These centers have no built-in way of blacklisting or blocking callers: they want to be able to answer any call from anyone who has an emergency. Therefore, in the face of a large attack, they would have no choice but to answer each and every call. But let’s say we could implement such a service: that would prevent an unintentional owner of an infected and blacklisted phone from making a legitimate emergency call.
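As an added illustration of that trade-off (example code written for this post, not from the paper or any 911 system; the call records are constructed), a per-caller sliding-window detector that flags flood patterns, plus a second function showing which later calls a hard block-after-flag policy would refuse, which is exactly the legitimate call the text worries about:

```python
from collections import defaultdict, deque

# Constructed sample call records for one emergency call queue (not real data):
# (seconds since start, caller id, seconds the caller stayed on the line)
SAMPLE_CALLS = [
    (0, "555-0100", 45),        # ordinary caller
    (5, "555-0199", 2),         # flood pattern: dial, hang up, repeat
    (8, "555-0199", 1),
    (11, "555-0199", 2),
    (14, "555-0199", 1),
    (17, "555-0199", 2),
    (20, "555-0199", 1),
    (30, "555-0123", 60),       # ordinary caller
    (400, "555-0199", 130),     # later, a genuine-looking call from the same handset
]


def first_flag_times(calls, window=60, threshold=5):
    """Return {caller: time} for callers that placed more than `threshold`
    calls within any `window`-second span. Uses a per-caller sliding window
    and records only the moment the caller first crossed the threshold."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, caller, _duration in sorted(calls):
        q = recent[caller]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and caller not in flagged:
            flagged[caller] = ts
    return flagged


def collateral_under_block(calls, window=60, threshold=5):
    """Calls that a hard 'block after flag' policy would have refused.
    An alert-only policy (flag for the dispatcher, still answer) keeps them
    answerable, which is the design tension described above."""
    flagged = first_flag_times(calls, window, threshold)
    return [c for c in sorted(calls) if c[1] in flagged and c[0] > flagged[c[1]]]


if __name__ == "__main__":
    print("flagged:", first_flag_times(SAMPLE_CALLS))
    print("would be refused under a block policy:", collateral_under_block(SAMPLE_CALLS))
```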

Well, that was the theory behind the paper. It didn’t take long before someone actually did it “in the wild,” as they say when an actual attack has been observed. Last month a teen was arrested for allegedly doing such an attack and is facing three felony counts. The teen, Meetkumar Hiteshbhai Desai, discovered an iOS vulnerability that was used for launching the attack and flooding a call center in Arizona. Now his phone supposedly was the only one used and it made just 100 calls in a matter of minutes. But that was enough to get the cops on his case.

It is distressing to be sure. But whether these attacks are done by script kiddies or by professional criminals, certainly the opportunity is there and very real indeed.