TANGLED WEB

Malware

RSA Day 5

Everywhere you turn, someone is using his or her smartphone. Whether you’re addicted to your BlackBerry or you can’t live without your iPhone, smartphones are taking over the mobile world. Browsing through mobile applications has become part of the smartphone culture; we look for an app that will make doing XYZ a little easier in our lives. However, unsuspecting consumers need to realize that mobile applications are one of the greatest threat vectors for smartphones.

“Smartphones are appealing to cybercriminals because they contain vast amounts of data and are always connected to the Internet,” said RSA panelist Joseph Opacki during one of the conference's Wednesday discussions on mobile security. While the smartphone works to make our lives easier, it’s also making the life of a hacker easier. Mobile devices are attracting considerable attention from the cybercriminal community, and now security experts understand why.

Adam Meyers, a director of cyber security intelligence at an IT services and solutions consulting firm, agreed that mobile web browsers and operating systems contain vulnerabilities that could be exploited for malicious purposes. Users may begin to encounter malware that exploits these weaknesses via drive-by downloads on mobile web sites.

One of the main reasons consumers are so addicted to their smartphones is unlimited access to email. This is certainly something to think about the next time you’re scrolling through your inbox and see an email from an unknown sender. During a cyber espionage session at RSA on Thursday, Mikko Hypponen told audience members that “Almost all targeted attacks happen via email, though some occur during the use of online chat services or web-based exploits. These emails are actually created and sent by attackers; they contain code to trigger exploits that open backdoors on affected systems.”

McAfee CTO George Kurtz made a valid point during his keynote while discussing malicious code and whether security checkpoints will always stop it before any real damage is done. “If you download something from an app store, are you assuming it is okay? When do Apple or Google have time to go over three million apps with a fine-tooth comb?” Based on these ideas, can we start to see the world of mobile app scanning take off? Is this really the next step in the fight against targeted attacks?

Tags: cybercriminals, cyberthreat, malware, mobile apps, mobile device, mobile security, security, smartphone, vulnerabilities

Posted by Katerina Korfias on February 18, 2011 at 12:59 PM

RSA 2011: Day 2

Yesterday there was a lot of interest in the Cloud Security Alliance Summit, especially since cloud security is still an unresolved security topic. Just take a look at this line waiting to get in!

The big news that came from this session surrounded the government’s plans to spend $20 billion on cloud security, at least according to the 2012 budget. Also from this discussion, there were four key areas identified as lacking in clarity when it comes to cloud adoption:

  • Security
  • Standards
  • Procurement
  • Governance

With these four areas in mind, cloud security looks likely to remain a consistent concern, especially when companies consider moving mission-critical applications to the cloud. To try to ease this fear, RSA announced that its Cloud Trust Authority would launch the beta of a cloud security platform later this year. The beta will offer combined identity management and compliance offerings, with the goal of providing a single, comprehensive set of protections for multiple cloud computing services.

Based on all the news we’ve heard surrounding the cloud, some key terms you will most definitely hear in presentations this week addressing this topic include:

  • Government
  • Trust
  • Risk
  • Security
  • Concern
  • Compliance
  • Regulation
  • Hesitation
  • Privacy
  • Data security
  • Mission-critical applications
  • Delivery methods
  • Confusion
  • Hack
  • Forensics
  • Malware

Cyber war is another hot topic and one with many concerns, especially since WikiLeaks and Stuxnet are fresh in our minds. There is a seemingly continuous stream of potential cyber war threats, though many people are unaware of how to define this phrase. To illustrate just how serious this concern is, RSA has attracted a number of high-level government representatives to speak. This year, Deputy Defense Secretary William Lynn III is presenting an opening-day keynote on the Pentagon’s cyber strategy.

Taking a quick look at new products, something to keep our eye on is the MasterCard “Display Card.” Although it looks and works the same as any other credit card, it is described as having a built-in display to enable cardholders to create a one-time password to enhance authentication. So we have to ask: is this going to protect cardholders from having their credit card information stolen when shopping online?

With keynotes and panel sessions ramping up today, be sure to check back here tomorrow for a recap on some of the hot discussion topics.

Tags: authentication, cloud security, Cloud Security Alliance, cyber war, government security, Pentagon, RSA, RSA 2011, Stuxnet, WikiLeaks

Posted by Kristin Forte Allaben on February 15, 2011 at 10:00 AM

Black Hat 2010 Sessions - Day 1

Today is the first day of the 2010 Black Hat Conference speaking sessions. Among the line-up of anticipated talks surrounding wireless security (specifically that of WPA2), mobile device security and ATM vulnerabilities, there is a slew of additional sessions that are bound to make some noise.

One of the noise makers is likely to be the session exploring how to intercept cell phone calls. Some interesting rumors of lawsuits caused eyes and ears to turn toward AT&T, but the company cleared the air, saying it will not interfere with the demonstration.

Although counterfeit checks are often passed over in favor of stolen credit card information, they are not a thing of the past. You may find yourself having flashbacks to the movie “Catch Me If You Can,” but a discussion on how Russian hackers obtained images of checks from a number of retailers and other businesses is a high-tech version of the old story. A quick summary: Russian hackers found a way to use technology to make this low-tech crime even more dangerous. They have not yet been caught.

There will also be exploration into weaknesses of SSL, which websites use to protect data. One session on this topic will explore how to attack storage mechanisms to tamper with an SSL session. Another SSL presentation will focus on the results of a study that analyzed SSL use to document configuration errors that weakened thousands of websites.

There will also be discussion surrounding web application security, particularly as it applies to third-party code, which includes such items as widgets, applications and advertising modules, all of which are very popular on web applications. These components are meant to provide additional functionality for the user, but their security implications across a variety of industries—including healthcare and finance—could result in infected users.

SEO has been a topic of growing importance for many companies over the past few years. With this in mind, it only makes sense that hackers want to jump on the bandwagon and will utilize SEO to push out malware. Taking a look ahead to DefCon, researchers will show just how important SEO has become to the “malware pushers.”

Check back in tomorrow for a recap of the Day 1 sessions and what we can expect for Day 2.

Tags: ATM vulnerabilities, Black Hat, counterfeit checks, DefCon, malware, mobile security, SEO, weaknesses of SSL, web application security, WPA2

Posted by Kristin Forte Allaben on July 28, 2010 at 9:09 AM

Black Hat - Preparing for the Sessions

This year's Black Hat conference is considered to be the most popular to date, and tomorrow marks the first of two days of speaking sessions.

For those of you who participated in the Black Hat Challenge, you are aware that there are many sessions to choose from, and little time to see them all.

One of the most anticipated sessions is the Barnaby Jack ATM scams, which was mentioned in yesterday’s post.

But beyond ATM scams, there is a trend we’re seeing in sessions: mobile security. As I mentioned yesterday, IDC forecast that the number of mobile workers will exceed one billion by the end of 2010. From a corporate perspective, enterprise networks can be exposed to a number of vulnerabilities stemming from the use of mobile devices. From a consumer perspective, people can fall victim to various malware triggered by bugs in the device. For example, one of the anticipated Black Hat sessions will illustrate to attendees that the A5/1 encryption algorithm used by carriers such as T-Mobile and AT&T is weak and can be easily broken, something spies and security geeks alike have known for some time.

Jeff Moss, founder of Black Hat, explained that for many people, seeing is believing; unless people can literally see what’s possible when it comes to security threats and attacks, they won’t believe it. This specifically applies to corporate decision makers as they need to [visually] understand what is technically possible before they can make informed decisions regarding security.

But what it comes down to is this: no one can predict what the big news will be from Black Hat since there is always a wildcard, as Bob McMillan notes. With so many sessions in the queue and such an array of personalities in the same space, you can never quite tell what the news will be.

Tags: ATM scams, Barnaby Jack, Black Hat, encryption algorithm, mobile security, mobile workforce, security attack, security threat

Posted by Kristin Forte Allaben on July 27, 2010 at 11:06 AM

Schwartz Security PR Team Wins SABRE Award

May is treating the Schwartz security team well. Last week, we were recognized with a SABRE Award in "Research for Publicity" for our work on behalf of Javelin Strategy & Research.

Schwartz and Javelin combined professional and social media to promote Javelin's annual identity fraud report, increasing media coverage 126 over previous years, with a whopping 97 percent of all articles emphasizing at least two key messages.


In addition to Javelin, some terrific Schwartz clients were recognized as SABRE Award finalists: antivirus and desktop security software provider ESET, medical device company Bioness and boutique healthcare investment services provider Leerink Swann. Although they didn't take home trophies, it's the first time the agency has emerged with four finalists in the SABREs.

Tags: ESET, Javelin Strategy & Research, PR agencies, SABRE Awards, security PR, security public relations

Posted by Laura Kempke on May 21, 2010 at 9:51 AM

Infosec Here We Come

After months of planning, Infosec is nearly here. The three-day event, taking place on 28-30 April in London, is the largest security conference in Europe and attracts more than 12,000 visitors and 300 journalists. We've seen several London-area trade shows cancelled recently in the wake of slashed marketing spend, yet Infosec organisers have moved the show to a bigger conference hall this year--Earls Court--and expect to break record numbers for attendance.


Despite new research from both Forrester and Gartner that predicts a grim year for global IT spending, the security industry shows fewer signs of stress than, say, retail tech. Infosec is still moving full steam ahead, and the mood at the show is anticipated to be buoyant and focussed.

Over the next few weeks, in the Security PR blog, Schwartz London will be taking a look at some of the trends and issues we expect will be top of mind at Infosec this year, from mobile computing to cloud security to social media phishing. Then we'll give reports from the show floor on the people we meet, the sessions we watch and the parties we attend. Stay tuned!

Tags: infosec 2009

Posted by Annie Klein on April 3, 2009 at 10:34 AM

Conficker: Mass Destruction or April Fools' Prank?

Here at Schwartz, security PR's ground zero, we circulate a daily digest of the latest security news stories. Not surprisingly, today's news is all about the Conficker worm. The Conficker worm is either the most vicious assault in the history of cybercrime or the most well-played April Fools' Day joke. Experts suggest 15 million computers could be infected with the virus, which is predicted to strike tomorrow. In the UK, the most newsworthy case of Conficker has been the infection of Parliament.


Reminiscent of New Years' Eve pre-Y2K, we're all holding our collective breath to see what will happen tomorrow. (And, if you're a PR person, you're busily writing comment on behalf of your clients, for whom the Conficker is PR gold.) According to the BBC, "There have been some reports the worm could trigger poisoned machines to access personal files, send spam, clog networks or crash sites."

Yesterday, security experts had a breakthrough in their five-month battle against the virus, reported The Register. It was discovered that the worm leaves a fingerprint on infected computers that can be easily detected with network scanners. Yet despite this progress, doom abounds: the Conficker Working Group, a coalition of anti-virus firms, has already posted an update for April 1: "Conficker.C is Live and well. Sometime today the new version of Conficker will be awake and function. No one is sure its purpose or mission."

Could it be a prank? A scam to distract security professionals from a much larger crime? Or truly the worst virus attack of all time? Wake up early to find out...

Tags: conficker, security PR

Posted by Annie Klein on March 31, 2009 at 2:29 PM