Business travelers putting organizations' cyber-security at risk


Business travelers are more likely to be targeted for their access to private and corporate data than to be mugged, according to a new report.

A survey by Kaspersky Lab of 11,850 people from across Europe, Russia, Latin America, Asia Pacific and the US found that the pressure from work to get online is clouding the judgment of business travelers when connecting to the internet.

The report says that three in five (59 percent) people in senior roles try to log on as quickly as possible upon arrival abroad because there is an expectation at work that they will stay connected. The research also found that 47 percent think that employers, if they send staff overseas, must accept any security risks that go with it.

Almost half (48 percent) of senior managers and more than two in five (43 percent) of mid-level managers use unsecured public Wi-Fi networks to connect their work devices when abroad. At least two in five (44 percent and 40 percent, respectively) use such Wi-Fi to transmit work emails with sensitive or confidential attachments.

One of the main reasons business travelers behave this way is a widely held assumption that their work devices are inherently more secure than personal devices, regardless of how they are connected. Two in five (41 percent) expect their employers to have put strong security measures in place. This is most pronounced among business leaders (53 percent) and mid-level executives (46 percent).

One in five (20 percent) senior executives admit to using work devices to access websites of a sensitive nature via Wi-Fi – compared to an average 12 percent. One in four (27 percent) have done the same for online banking – compared to an average 16 percent.

Konstantin Voronkov, head of endpoint product management at Kaspersky Lab, said that the report showed that cyber-crime is a real hazard while traveling and employees are putting confidential business information at risk.

“The insight provided by the report should be a red flag for corporate information security specialists, as the business travel behavior we have unearthed here presents a significant corporate data protection challenge. It’s now up to businesses to respond with appropriate security solutions, if they wish to protect themselves,” he said.

Carl Herberger, vice president of security solutions at Radware, told SC that many public Wi-Fi and internet connections can also be leveraged to ‘sniff’ out passwords and user IDs.

“Anyone using these connections must consider them a ‘man in the middle’ of a conversation. All of your user IDs and passwords should be cycled if you want to maintain a low data breach,” he said.

“Not using a VPN or better technology while browsing makes your entire session visible to the providers you are transmitting your web connection through.”
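Herberger's point is worth making concrete. The following Python example is added here and is not code from the article or from Radware: it plays the role of a passive observer on an open hotspot and shows what such an observer recovers from two constructed client messages. From a cleartext HTTP login it gets the full credential set (Basic auth header, session cookie and password form field); from a TLS connection it gets only the server name carried in the ClientHello's SNI extension. Both sample messages, the hostnames and the credentials are constructed for the example; the ClientHello builder is deliberately minimal and is only there to produce a parseable sample.

```python
"""Added example, not code from the article or from Radware: what a passive
observer on an open Wi-Fi network can read from two client messages.
Both messages are constructed inline; nothing is captured from a live network."""
import base64
import struct
from urllib.parse import parse_qs

# Constructed plaintext HTTP login request, as it would cross an open hotspot.
SAMPLE_HTTP = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example.com\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    b"Cookie: sessionid=abc123; theme=dark\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"username=alice&password=hunter2"
)


def extract_http_secrets(raw):
    """Recover what a sniffer sees in a cleartext HTTP request: the Basic
    auth credentials, the cookies and any password form field."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    found = {"request_line": lines[0]}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        found["basic_auth"] = (user, password)
    if "cookie" in headers:
        found["cookies"] = dict(
            c.strip().split("=", 1) for c in headers["cookie"].split(";"))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("latin-1"))
        for key in ("password", "passwd", "pass"):
            if key in form:
                found["form_password"] = form[key][0]
                break
    return found


def build_client_hello(hostname):
    """Construct a minimal TLS 1.2 ClientHello with an SNI extension (sample
    input only; real browsers send many more extensions and cipher suites)."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name entry
    name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    body = (b"\x03\x03" + b"\x11" * 32           # client_version, random
            + b"\x00"                              # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
            + b"\x01\x00"                          # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the server name from a TLS ClientHello record, or None. This is
    the one identifying field an on-path observer gets from a TLS session."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 5 + 4 + 2 + 32                                   # headers, version, random
    p += 1 + record[p]                                    # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]      # cipher_suites
    p += 1 + record[p]                                    # compression_methods
    if p + 2 > len(record):
        return None                                       # no extensions at all
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if ext_type == 0x0000 and record[p + 2] == 0:     # server_name, host_name type
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode()
        p += ext_len
    return None


if __name__ == "__main__":
    print(extract_http_secrets(SAMPLE_HTTP))
    print(extract_sni(build_client_hello("mail.example.com")))
```

The contrast is the practical lesson: with HTTP the observer walks away with a reusable session cookie and a password that, per Herberger's advice, now has to be cycled; with TLS (or a VPN, which hides even the SNI from the hotspot) the observer learns which host was contacted and nothing more.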

Mato Petrusic, vice president of sales for EMEA and APAC at iPass, told SC that it’s important to use a password manager.

“These tools generate a new, completely random access credential each time you log in, so that even if your passwords are compromised, they won’t work again for the hacker. Corporate network administrators would also do well to mitigate risk by rolling out strict authentication and authorization policies to manage who gets on the internal network,” he said.



IT Skills Gap Hurts Enterprise Security: Survey


When the subject is security, the conversation tends to center on spending. But, according to the results of a new survey sponsored by cloud security vendor SkyHigh Networks and conducted by the Cloud Security Alliance, budget is only one of the issues concerning IT executives when it comes to protecting data and networks in the age of the cloud and mobility.

That’s not to say budget isn’t a factor. In fact, more than half of the survey’s 228 respondents (53.7%) said they expect their organization’s IT security budget to increase in the next 12 months. Survey respondents were professionals working in IT or IT security around the globe. Fewer than half of them (43%) held the title of manager or above, while the rest held various hands-on staff roles in IT or IT security.

But focusing on budget only tells part of the story. In a telephone interview with InformationWeek, Kamal Shah, senior vice president of product and marketing at SkyHigh Networks, highlighted several additional points from the survey that could deeply affect IT security.

One item Shah focused on was the skills gap many IT departments face. Incident response management was cited by 80.4% of respondents as one of the most important IT skills in the next five years. Experience with large datasets was cited by 74.7% of respondents, and 66.4% said communication with non-IT departments is essential.

As Shah said, “You can’t be operating in a silo. You have to be able to talk to users to help reduce the risk to the enterprise.”

Experience with large data sets is a desired employee trait not limited to the security group. Within security, though, it’s tied to two other factors that directly affect outcomes. “When you get an alert, what do you do with it? What we find is there is a little bit of alert fatigue going on,” Shah said. The sheer volume of alerts in enterprise systems is matched by complaints echoed in the survey results.

Four in ten respondents (40.4%) said alerts don’t carry information that can be acted upon. In addition, 31% of respondents said they have ignored alerts because of the number of false positives they see on an ongoing basis. Some 27% said they have experienced incidents requiring action for which they received no alerts from their security tools.

The majority of those responding to the survey, regardless of their position, felt that the security budget will increase during the next year. (Image: SkyHigh Networks)

All of this indicates that a lack of information is not what respondents view as their primary security problem. Rather, it is a lack of the knowledge and the ability to act on the information they are given.

In our interview, Shah said one of the things he took away from the survey is that a company can’t simply spend its way out of an enterprise security deficit. “It’s not just about buying new tools and new toys, but making sure that the employees are trained and have the skills to take advantage of those technologies in the most effective way,” he said.

A wide range of skills are seen as important for infosec workers in the coming years. (Image: SkyHigh Networks)

Executives and staff members responding to the survey differed regarding how to best address the employee skills deficit. “Employees feel that the best answer is training existing teams, while executives looked at hiring and training new people,” Shah said.

More than a third of respondents in hands-on staff roles (38.1%) said better training for existing IT employees was the best way for a company to respond to the skills deficit. Conversely, 46% of senior executives and 36.7% of manager-level professionals said increasing the hiring and training of junior IT professionals was the best way to respond to the skills deficit.

Practically no one thinks that outsourcing security is the right answer. The only disagreements are about who, precisely, should get the new training. (Image: SkyHigh Networks)

The takeaway across all the surveyed job functions is that people skills are more important than technology innovation for improving enterprise security. If only those skills could be purchased as easily as new technology, the impression is that CISOs, CIOs, managers, and technical workers would all sleep better at night.

By Curtis Franklin Jr


EU to invest €450 million in cyber-security research

According to a recent survey, at least 80% of European companies have experienced at least one cybersecurity incident over the last year and the number of security incidents across all industries worldwide rose by 38% in 2015.

This damages European companies, whether they are big or small, and threatens to undermine trust in the digital economy. As part of its Digital Single Market strategy the Commission wants to reinforce cooperation across borders, and between all actors and sectors active in cybersecurity, and to help develop innovative and secure technologies, products and services throughout the EU.

Andrus Ansip, Vice-President for the Digital Single Market, said: “Without trust and security, there can be no Digital Single Market. Europe has to be ready to tackle cyber-threats that are increasingly sophisticated and do not recognize borders. Today, we are proposing concrete measures to strengthen Europe’s resilience against such attacks and secure the capacity needed for building and expanding our digital economy.”

Today’s action plan includes the launch of the first European public private partnership on cybersecurity. The EU will invest €450 million in this partnership, under its research and innovation programme Horizon 2020. Cybersecurity market players, represented by the European Cyber Security Organisation (ECSO), are expected to invest three times more.

This partnership will also include members from national, regional and local public administrations, research centers and academia. The aim of the partnership is to foster cooperation at early stages of the research and innovation process and to build cybersecurity solutions for various sectors, such as energy, health, transport and finance.

The Commission also sets out different measures to tackle the fragmentation of the EU cybersecurity market. Currently an ICT company might need to undergo different certification processes to sell its products and services in several Member States. The Commission will therefore look into a possible European certification framework for ICT security products.

A myriad of innovative European SMEs have emerged in niche markets (e.g. cryptography) and in well-established markets with new business models (e.g. antivirus software), but they are often unable to scale up their operations. The Commission wants to ease access to finance for smaller businesses working in the field of cybersecurity and will explore different options under the EU investment plan.

The Network and Information Security Directive, which is expected to be adopted by the European Parliament on Wednesday, already creates a network of Computer Security Incident Response Teams across the EU in order to rapidly react to cyber threats and incidents. It also establishes a ‘Cooperation Group’ between Member States, to support and facilitate strategic cooperation as well as the exchange of information, and to develop trust and confidence.

The Commission calls on Member States to make the most of these new mechanisms and to strengthen coordination when and where possible. The Commission will propose how to enhance cross-border cooperation in case of a major cyber-incident.

Given the speed with which the cybersecurity landscape is evolving, the Commission will also bring forward its evaluation of the European Union Agency for Network and Information Security (ENISA). This evaluation will assess whether ENISA’s mandate and capabilities remain adequate to achieve its mission of supporting EU Member States in boosting their own cyber resilience.

The Commission also examines how to strengthen and streamline cybersecurity cooperation across different sectors of the economy, including in cybersecurity training and education.


Microsoft Proposes Independent Body to Attribute Cyber Attacks

Microsoft has published a paper that proposes a series of recommended ‘norms’ of good industry behavior in cyberspace, and also a route towards implementing and achieving those norms.

Most of the norms are uncontentious and self-evident – but one in particular (which is a form of ‘responsible disclosure’) is less so. Furthermore, the key feature in implementing these norms (the attribution of attacks to attackers) is particularly troublesome.

Responsible Disclosure

From Articulation to Implementation: Enabling progress on cybersecurity norms was developed by a team led by Scott Charney, Microsoft’s Corporate Vice President for Trustworthy Computing. To be fair, this paper nowhere uses the term ‘responsible disclosure’; instead it refers to ‘coordinated disclosure’, a term Microsoft introduced in 2010. Nevertheless, the security industry will see this as a variant of ‘responsible disclosure’ as opposed to ‘full disclosure’.

Responsible versus Full has been a thorny issue since the beginning of connected computing. Advocates of responsible disclosure (which involves disclosing to the vendor only) argue that immediate and full disclosure gives attackers the ability to develop successful exploits before the vendor has a chance to fix the flaw. Full disclosure therefore exposes the user.

Defenders of full disclosure respond that this is the only way to force vendors to provide a fix in a timely manner. They claim that if researchers can find the flaw, so can criminals — and until the vendor patches the flaw, all users are potentially exposed.

Microsoft’s coordinated disclosure is a form of responsible disclosure that also allows disclosure to CERTs as well as the vendor. The bottom line remains that public disclosure should only happen after a patch has been issued. In the paper, Microsoft suggests that this should be a cyber security norm.

“Nation-state activity in cyberspace often depends upon exploitation of vulnerabilities in ICT products and services. One of the best mitigations against this risk is coordinated vulnerability disclosure… international standards driven by industry leaders set forth appropriate practices, including a five-step process that guides vendors through initial receipt and verification of the vulnerability, developing a resolution, releasing the final fix, and communication with ICT users after the fix is released.”

This does not address the argument for full disclosure. Indeed, if a nation-state has knowledge of a zero-day vulnerability, it has free use of that vulnerability until a patch is published. Full disclosure proponents will still argue that it is therefore their duty, if necessary, to force the vendor to fix the flaw as rapidly as is realistically possible.

David Harley, senior research fellow with ESET, supports the concept of responsible disclosure but has some doubts over its practicality. “I think we can assume that it will have no impact on those looking for vulnerabilities to exploit in the pursuit of criminal aims,” he said. He also doubts whether nation-states would wish or even be able to control the activities of their own intelligence agencies, which actively seek out vulnerabilities; such agencies are unlikely to ‘disclose’ at all. “But,” he added, “we shouldn’t give up on proposing ethical and moral guidelines just because not everyone will choose to go along with them.”

Juan Andres Guerrero-Saade, a senior security researcher at Kaspersky Lab, takes a similar view. “It’s a great idea to have some semblance of guiding principles,” he told SecurityWeek, “but the whole concept of ‘norms’ assumes that they relate to some homogeneous body guided by the same basic principles. That clearly isn’t so in cyber space.”

The Microsoft paper accepts that the disparate nature of cyber operators is a problem.

“The impact of cybersecurity norms depends on whether they are implemented faithfully and whether violators are held accountable.” This accountability provides the second major thrust of Charney’s argument: that serious cyber attacks must be publicly attributable to specific cyber attackers, whether they be straightforward criminal gangs, or nation-states or their proxies.

Attribution is difficult. Charney’s suggestion is that an independent, international body of public and private sector experts be given the task.

“We propose a public-private forum to address attribution of severe cyber attacks that would involve a globally-diverse group of technical experts, subject to peer review,” Charney wrote in a blog post.

“In sum,” says the paper, “having a public/private international body might be a highly constructive way to validate whether norms are being adhered to and may help create a more stable cyberspace in the future.”

But many in the security industry have their doubts.

“It’s a bit naive,” suggests Kaspersky’s Guerrero-Saade. “Consider false flags,” he said. “There are many indicators that can be faked; there are many that are being faked — it is easy to replicate a lot of the data that is being put out there. For example, one team could use the same infrastructure as another team, which would allow one nation-state to pretend to be a different one specifically to cause an international incident.”

The problem for Guerrero-Saade and many other security researchers is that while the advantages of accurate attribution are clear, the ability to accurately attribute is not. In 2013 Mandiant (now part of FireEye) famously attributed the gang known as APT1 and its attacks to the Chinese military — but still declined to comment on Charney’s paper.

“Attribution is more art than science,” F-Secure’s Sean Sullivan told SecurityWeek. “So there should always be doubt about such analysis. But it doesn’t mean it isn’t correct.”

Harley points out, “Many of the researchers who are best qualified to consider attribution are all too aware of the difficulties and pitfalls of establishing correct attribution in cases where an attacker has expended as much effort into misdirection as he has into developing the core attack technology. As the Microsoft paper acknowledges, there may be compelling reasons for not talking about attribution even when it’s considered ‘proven’.”

Although there is some common concern over the disclosure and attribution parts of this paper, it would be wrong to say that the security industry rejects Microsoft’s ‘norms’ completely. Andy Patel, security advisor at F-Secure, suggests, “It would definitely make sense for the community to work together on attribution. Not only would it allow for better sharing by TTPs, it would likely lead to more accurate results.”

Jiri Setjko, Director of Threat Lab Operations at Avast, commented: “The main benefit I see is the norm which states that global ICT companies should not allow backdoors or leave vulnerabilities unpatched for nation-states to abuse. Avast is a global company and we do not condone backdoors.”

By Kevin Townsend


Most Post-Intrusion Cyber Attacks Involve Everyday Admin Tools


Think hackers use advanced malware and mysterious tools once they have infiltrated a network? According to security startup LightCyber, most attackers use the same mainstream admin and security tools the good guys use, but for lateral movement, network mapping and remote control of endpoints.

Of course, tactics for penetrating the network still include tried-and-true techniques such as malware, spear phishing and exploit kits, but once inside, the best way to go unnoticed is to blend in. According to LightCyber’s 2016 Cyber Weapons Report, 99 percent of post-intrusion attack activity did not employ malware, but rather admin, networking and remote access tools. “The most mundane applications, in the wrong hands, can be used for malicious purposes,” according to LightCyber’s report. Once behind the firewall, attackers use admin software tools such as Angry IP Scanner, Nmap and SecureCRT.

Together these three programs represent 28.5 percent of the tools employed in post-penetration attacks. Other tools, such as TeamViewer, WinVNC and Radmin, are also popular with intruders. “Attackers use them to gain access to new hosts, to move laterally within the internal network, or to remotely control compromised devices from the internet,” according to LightCyber. Typically, attackers make use of software that is already installed on the target.

In the case of TeamViewer, LightCyber reports, attackers have seen the remote desktop software as a particularly soft target given a recent rash of password reuse incidents. Additionally, attackers take advantage of ordinary end-user programs such as web browsers, file-transfer clients and native system tools for command and control and data exfiltration activity, according to LightCyber’s report. “Web browsers as well as FTP, WinSCP, file sharing apps, and even email, were all associated with data exfiltration,” the report claims.

By hiding in plain sight, attackers are able to go months without detection, affording them the option of taking a “low and slow” approach to network infiltration. “Despite these increasingly well understood realities, our industry still has an unshakable obsession with malware,” said Jason Matlof, executive vice president at LightCyber, in the report. He argues that malware-focused security infrastructure is insufficient, and that security professionals need to be on the lookout for attacks that “land and expand” using admin and remote access tools, allowing attackers to traverse the network, take over more machines and obtain sensitive data. The most common attacker objective observed was reconnaissance of the company’s network, followed by lateral movement and then command-and-control communication. “By using these tools, attackers can remain undetected for months and quickly regain access even if the malware used to enter the network is identified and removed,” according to the report.

Riskware programs, “such as dual-purpose admin and hacker tools, were detected during the reconnaissance phase; they rarely appeared during the lateral movement and data exfiltration phases,” the report said. That’s not to say malware is not part of an attacker’s toolkit: the report states that the primary uses of malware are still the initial infiltration and outbound communication. “Threat actors primarily use malware as the initial exploit to compromise systems and for outbound communications between infected clients and the Internet,” the report said. The LightCyber 2016 Cyber Weapons Report gathered data during a six-month period from organizations ranging in size from 1,000 to 50,000 endpoints, spanning industries such as finance, healthcare, transportation, government, telecommunications and technology.
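The practical consequence of the report is that detection has to key on behaviour and context rather than on malware signatures. The Python example below is added here and is not code from LightCyber or its report: it runs three simple rules over constructed process-creation and network-connection events (JSON lines) and raises the kinds of alerts the report's phases describe. The tool-to-phase mapping uses the tools the report names, but the host names, user names, addresses, the jump-host allowlist, the corporate address range and the scan threshold are all assumptions made for the example; a real deployment would take them from inventory and tune the threshold to its own baseline.

```python
"""Added example, not code from LightCyber or its report: a small detector for
the post-intrusion tool use the report describes, run over constructed
process-creation and network-connection events (JSON lines). Host names,
addresses, the allowlist and the threshold are assumptions for the example."""
import ipaddress
import json
from collections import defaultdict

# Dual-use tools named in the report, grouped by the phase the report ties them to.
TOOL_PHASES = {
    "reconnaissance": {"nmap.exe", "ipscan.exe"},      # Nmap, Angry IP Scanner
    "remote_access": {"securecrt.exe", "teamviewer.exe", "winvnc.exe", "radmin.exe"},
    "exfiltration": {"winscp.exe", "ftp.exe"},
}
ADMIN_HOSTS = {"jump01"}                                # hypothetical jump-host allowlist
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")       # hypothetical corporate range
SCAN_THRESHOLD = 10                                     # distinct targets that count as a sweep

# Constructed events: a netops admin running Nmap from the jump host (expected),
# and a finance workstation sweeping its subnet on 445, then reaching out with
# TeamViewer and launching WinSCP (the "land and expand" pattern).
SAMPLE_LOG = "\n".join(
    [json.dumps(e) for e in [
        {"type": "process", "host": "jump01", "user": "CORP\\netops",
         "image": "C:\\Tools\\nmap.exe"},
        {"type": "process", "host": "ws-finance-07", "user": "CORP\\jsmith",
         "image": "C:\\Users\\jsmith\\Downloads\\ipscan.exe"},
        {"type": "process", "host": "ws-finance-07", "user": "CORP\\jsmith",
         "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe"},
        {"type": "process", "host": "ws-finance-07", "user": "CORP\\jsmith",
         "image": "C:\\Program Files\\WinSCP\\WinSCP.exe"},
        {"type": "process", "host": "ws-hr-02", "user": "CORP\\mlee",
         "image": "C:\\Windows\\explorer.exe"},
        {"type": "conn", "host": "ws-finance-07", "src": "10.1.5.7",
         "dst": "203.0.113.25", "dport": 5938, "image": "TeamViewer.exe"},
        {"type": "conn", "host": "ws-hr-02", "src": "10.1.7.2",
         "dst": "10.1.7.1", "dport": 445, "image": "explorer.exe"},
    ]]
    + [json.dumps({"type": "conn", "host": "ws-finance-07", "src": "10.1.5.7",
                   "dst": f"10.1.5.{n}", "dport": 445, "image": "ipscan.exe"})
       for n in range(10, 30)]
)


def analyse(log_text):
    """Return a list of alerts: a dual-use tool launched outside the admin
    hosts, one source fanning out to many hosts on one port, and a
    remote-access tool talking to an address outside the corporate range."""
    alerts = []
    fan_out = defaultdict(set)                            # (host, src, dport) -> targets
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        image = ev["image"].rsplit("\\", 1)[-1].lower()   # basename, case-folded
        if ev["type"] == "process":
            for phase, tools in TOOL_PHASES.items():
                if image in tools and ev["host"] not in ADMIN_HOSTS:
                    alerts.append({"phase": phase, "host": ev["host"],
                                   "user": ev["user"], "tool": image})
        elif ev["type"] == "conn":
            fan_out[(ev["host"], ev["src"], ev["dport"])].add(ev["dst"])
            if (image in TOOL_PHASES["remote_access"]
                    and ipaddress.ip_address(ev["dst"]) not in INTERNAL_NET):
                alerts.append({"phase": "command_and_control", "host": ev["host"],
                               "tool": image, "dst": ev["dst"], "dport": ev["dport"]})
    for (host, src, dport), targets in fan_out.items():
        if len(targets) >= SCAN_THRESHOLD:
            alerts.append({"phase": "network_scan", "host": host, "src": src,
                           "dport": dport, "targets": len(targets)})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the sample data the jump-host Nmap run produces nothing, while the finance workstation produces five alerts (reconnaissance, remote access and exfiltration tool launches, a 20-host sweep on port 445, and TeamViewer connecting outside the corporate range). The point is that none of these binaries would trip a malware scanner; what gives the intrusion away is who is running them, where, and what they talk to.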



Free Decrypter Available for Download for MIRCOP Ransomware


Security researcher Michael Gillespie has created a decrypter that can recover files locked by the MIRCOP ransomware, without paying the ransom fee.

The MIRCOP ransomware appeared towards the end of June and had two unique features that made it stand apart from all the ransomware variants discovered each day.

One of them is its ransom note, which uses the masked Guy Fawkes figure usually employed by Anonymous hackers. The ransom note has a threatening tone and tells the user to return stolen money or face payback, supposedly from the Anonymous member who was robbed.

The second feature was the exorbitant amount of money asked in the ransom note, which was 48.48 Bitcoin (~$32,000).

Three days after Trend Micro and security researcher Nyxbone revealed the presence of this new family, Gillespie had already put together a decrypter for this threat.

You can download the decrypter from here. Just unzip the file and run the application. The decrypter will leave the original encrypted files in place, just in case the decryption routine fails, so you can use it without fearing you’ll lose your original files.

Once the decryption ends, you’ll receive a notification message on your screen, like the one pictured below.

If you need help with the decrypter, Gillespie provides support for users in this Bleeping Computer forum thread.

By Catalin Cimpanu


Ransom Note Cleaner Removes Ransomware Junk from Your PC

Security researcher Michael Gillespie, one of the people responsible for creating several free ransomware decrypters, along with the ID Ransomware service, has put together a new tool that automatically scans for and deletes ransom notes from your PC.

When any type of ransomware infects your computer, it usually leaves ransom notes behind in the form of text, HTML, or image files.

A tool to automate the ransomware clean-up operation

While some ransomware variants leave ransom notes in just a few folders, like your Desktop, where they are easy to spot, others are configured to spam your computer.

These latter versions will leave a copy of their ransom notes in absolutely every folder where they encrypt files. If they encrypt data in 100,000 folders, and the ransomware drops text and HTML ransom notes, then you, the lucky user, are now 200,000 useless files richer.

Removing 200,000 files by hand is about as tedious and hopeless as trying to break the ransomware’s encryption with pen and paper.

RansomNoteCleaner works with data from the ID Ransomware service

For these cases, Gillespie has created RansomNoteCleaner, a Windows application that will search for ransom notes on your hard drives and remove any files that match against its database.

This database is created when the app launches for the first time, but also when the user pushes the “Refresh Network” button.

The app retrieves the data from the ID Ransomware service, a website that contains a database of ransom notes from most of today’s known and active ransomware families. At the time of writing, the service detects 126 different ransomware families and their ransom notes.

RansomNoteCleaner doesn’t decrypt or delete ransomware files

If users are sure of what type of ransomware they were infected with, they can click the “Select Ransomware(s)” button and narrow down the ransom note files RansomNoteCleaner will look for.

Additionally, users can select the hard drives or the folders where the tool will scan for the ransom notes via the “Search for Ransom Notes” button.

Once everything is identified, users can press the “Clean!” button. A log is available to make sure the app hasn’t identified and deleted the wrong files by accident, even if this seems highly unlikely.

The application is up for download from here, and a support topic is available via Bleeping Computer if users are having problems using the app or can’t delete ransom notes for a specific ransomware variant.

RansomNoteCleaner only removes the ransom note spam files. It will not decrypt files locked by ransomware; for that, you need tools called decrypters. Nor will it delete the ransomware binaries, which remain on the system after the ransom is paid or the files are decrypted. For those, malware clean-up tools or antivirus software can identify and clean the files from your PC.
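The workflow described above (a family-to-filename database, optional narrowing to selected families, a chosen search scope, a clean step and a log to review) is simple enough to show end to end. The Python example below is added here and is not Gillespie's RansomNoteCleaner code. Its NOTE_DB is a hypothetical placeholder standing in for the kind of database a real tool fetches from ID Ransomware (the family names and filename patterns are made up for the example), and build_sample_tree() constructs a throwaway victim directory so the whole thing runs offline. It also adds two safety checks a practitioner would want: a dry run that only reports, and a size cap and symlink check so that nothing but small regular files matching a note pattern is ever removed.

```python
"""Added example, not Gillespie's RansomNoteCleaner code: the core of a ransom
note cleaner. NOTE_DB is a hypothetical placeholder for a family-to-filename
database such as the one ID Ransomware provides; the sample directory tree is
constructed by build_sample_tree()."""
import fnmatch
import os
import tempfile

# Hypothetical pattern database keyed by ransomware family (placeholder names).
NOTE_DB = {
    "ExampleFamily": ["HOW_TO_RECOVER_FILES*.txt", "HOW_TO_RECOVER_FILES*.html"],
    "OtherFamily": ["README_DECRYPT.hta", "README_DECRYPT.txt"],
}
MAX_NOTE_SIZE = 1024 * 1024     # real notes are small; never touch anything bigger


def find_ransom_notes(root, families=None):
    """Walk root and return [(path, family)] for regular files whose name
    matches a pattern of the selected families (all families by default)."""
    selected = {f: NOTE_DB[f] for f in (families or NOTE_DB)}
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue                      # never follow links into user data
            if os.path.getsize(path) > MAX_NOTE_SIZE:
                continue                      # too big to be a note: leave it alone
            for family, patterns in selected.items():
                if any(fnmatch.fnmatch(name.lower(), p.lower()) for p in patterns):
                    hits.append((path, family))
                    break
    return hits


def clean_ransom_notes(root, families=None, dry_run=True):
    """Delete matched notes (or only report them when dry_run is True) and
    return one log line per file so the user can review what was touched."""
    log = []
    for path, family in find_ransom_notes(root, families):
        if dry_run:
            log.append(f"WOULD DELETE [{family}] {path}")
            continue
        try:
            os.remove(path)
            log.append(f"DELETED [{family}] {path}")
        except OSError as exc:
            log.append(f"FAILED [{family}] {path}: {exc}")
    return log


def build_sample_tree():
    """Constructed victim tree: a note spammed into every folder next to the
    encrypted files, plus one note of a second family at the top level."""
    root = tempfile.mkdtemp(prefix="victim_")
    for sub in ("docs", os.path.join("docs", "2016"), "photos"):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, "HOW_TO_RECOVER_FILES.txt"), "w") as f:
            f.write("pay us\n")
        with open(os.path.join(root, sub, "report.docx.locked"), "w") as f:
            f.write("ciphertext\n")
    with open(os.path.join(root, "README_DECRYPT.hta"), "w") as f:
        f.write("pay us\n")
    return root


def run_demo():
    """Dry run first, then a real clean; return counts a caller can check."""
    root = build_sample_tree()
    result = {
        "notes_found": len(find_ransom_notes(root)),
        "other_family_only": len(find_ransom_notes(root, ["OtherFamily"])),
        "previewed": len(clean_ransom_notes(root)),        # dry run removes nothing
    }
    result["notes_after_preview"] = len(find_ransom_notes(root))
    log = clean_ransom_notes(root, dry_run=False)
    result["deleted"] = sum(1 for line in log if line.startswith("DELETED"))
    result["notes_left"] = len(find_ransom_notes(root))
    result["user_files_left"] = sum(len(files) for _d, _s, files in os.walk(root))
    return result


if __name__ == "__main__":
    print(run_demo())
```

On the constructed tree the dry run lists four notes and removes none; the real pass removes those four and leaves the three encrypted user files untouched, which is exactly the review-then-clean behaviour the log in the real tool is there to support.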

By Catalin Cimpanu