On 12. March 2015 I gave a live webinar on achieving resilience against modern cyberthreats. This is part of a security webinar series of Microsoft Switzerland where I will cover also aspects of cloud resilience a week later. The webinar is in German and if you are interested you can get access to the recording
If you are interested in other security webinars send me a message and we will look into it!
I am quite a fan of Lenovo devices mostly still from the time where they were IBM ThinkPads. However, when the discussion started on the “Superfish” adware they put onto some Lenovo devices I took a mental step back and asked myself how a company that develops and sells plenty of business devices could make such a bad decision.
There are some good descriptions on what “Superfish” does so I will not repeat that in detail. In the end it seems that the adware hijacks encrypted web sessions and it seems that it may make users vulnerable to https man -in-the-middle attacks that are simple for attackers to exploit. If you are interested in knowing more I recommend that you read the Arstechnica article on that topic.
Lenovo was slow to pick-up on this topic although by now they reacted and the Lenovo CTO said in an interview with the Wall Street Journal that “we didn’t do enough” due diligence before installing Superfish, but that the company doesn’t believe laptop owners were harmed by the app”. You can read here the full article on the WSJ blog.
Another interesting question on why Lenovo pre-loads any software and here is his response: “Hortensius: In general, we get pretty good feedback from users on what software we pre-install on computers. What we’re going to do in the next few weeks is dig deeper, and work with users, industry experts and others to see how we can improve what we do around software that comes installed on consumers’ computers. The outcome could be a clearer description of what software is on a user’s machine, and why it’s there.” It seems that I am clearly not their targeted audience if they say such things. When I get a new computer the first thing I do is to newly install Windows from scratch and with that get rid of any bloatware and adware that might be on there. Then install the necessary drivers (not many any more – Windows 8.1 or 10 is in the majority of cases (if not all) taking care of that) and apply all updates and the computer is running faster, more stable and the disk has quite some more space in most cases than before.
So what to do now if you have a Lenovo computer and are not sure if Superfish runs on there or you know and want to remove it? One way to address this is to run Microsoft’s security software which will detect and remove the Superfish software from the Lenovo device. If you have Windowws 8 or 8.1 on your computer Windows Defender is installed by default so you only need to let it update itself. If you have an older version of Windows you might already have the Security Essentials installed where the same applies to. And if you are not sure check out the website on our free security software that you can download and that will take care of Superfish.
The security snippets series highlights some articles that I read recently. I hope they help in keeping up with the raise of security incidents and trends which becomes more and more difficult with the increasing professionalism of cyber attacks.
Bank Hackers Steal Millions via Malware
as read in the New York Times
The New York Times writes based on Kaperski information that a group of attackers impersonated bank officers and took over cash machines and transferred millions of dollars from more than 100 banks in Russia, Japan, Switzerland, the United States, and the Netherlands into fake accounts set up in other countries. This brings a new scale to Cybercrime.
Evolution and Adaptation in the Security Jungle
as read in Threatpost
Enterprise security teams need to catch up on understanding the methods that modern attackers use. The article on Threatpost does a good job at giving an overview. Active defense is crucial in that aspect and I described that with the protect, detect, response framework also in my whitepaper on achieving resilience against modern cyberthreats.
Visa Wants to Track Your Smartphone to Prevent Credit Card Fraud
as read in the Hacker News
It seems that Visa plans to release a new location-based feature that will help cardholders update their location via smartphone. With credit card fraud still on the raise that could be a good way to fight that. I just hope that it will be clear to the user that another service performs location tracking.
PlugX Is RAT of Choice for Nation States
as read in eSecurity Planet
The “2014 CrowdStrike Global Threat Intel” report finds that the PlugX Remote Access Tool (RAT) is the most observed malware variant used by nation-state backed threat adversaries. I don’t think that this is necessarily so clear as in my view many nation states have more customized and elaborate capabilities but it shows how far such tools have come.
One Billion Data Records Compromised in 2014 Worldwide
as read in Softpedia
The article writes about a report from the Breach Level Index (BLI) which finds a 49 percent increase in data breaches and a 78 percent increase in number of records that were stolen or lost in 2014. While the absolute number might be even higher the massive increase is something that we observe as well.
Microsoft Achieves Globally Recognized ISO/IEC 27018 Privacy Standard
as read in the Microsoft Cyber Trust Blog
This more on privacy and trust than security although that also plays an important aspect. Microsoft on February 16, 2015, obtained the ISO/IEC 27018 privacy standard for Microsoft Azure, Office 365, and Dynamics CRM Online. Brad Smith’s blog has more information on that and is worthwhile reading in my view.
How to Keep Your Webcam Safe from Hackers [Video]
as read in We Live Security
If you follow the link you will see a video that covers five tips to prevent someone from spying on you through your webcam. Something becoming more important after an anonymous website began posting live streams of the world’s unprotected webcams.
I have written the whitepaper “Achieving resilience against modern cyberthreats” and looking at how the intensity of cyberattacks is again on the raise it is getting more important to implement a dynamic security framework.
As our use of mobile computing and social media technologies grows, so does our exposure to risk. On the one hand, the widespread adoption of new mobile, social media, cloud services and big data technologies creates unprecedented opportunities for productivity and flexibility. Yet without the right defenses in place, they can also open us to new kinds of vulnerabilities, as attacks that target devices operating outside the enterprise perimeter are quickly growing in volume and sophistication.
Passive protection is no longer sufficient for ensuring the security of information and IT infrastructures. My new Microsoft white paper, Achieving resilience against modern cyberthreats, explores the ways that governments and enterprises can protect their valuable information by creating a holistic security strategy, built on risk management, to achieve resilience against in an era of constant targeted attacks and determined adversaries.
The paper explores Microsoft’s holistic “Protect, Detect and Respond” approach to security strategy, including key principles for organizations, the importance of trustworthy cloud services, and the steps to take for securing an IT infrastructure in today’s threat landscape. This proactive strategy requires that an organization understand its assets and its exposure, and apply appropriate protection throughout the entire IT ecosystem in a continuous process. It also recognizes that enterprises must manage their inevitable risk – absolute security is not possible, so organizations must go beyond just protecting resources and also establish processes for detecting, responding and recovering from incidents when they occur.
If you are interested see my complet blog post, Achieving resilience against modern cyberthreats at Microsoft on Safety and Defense.
It has been a few weeks since I have flown to Atlanta for work and I was lucky to have had smooth travels. If you know the Atlanta airport however that isn’t necessarely a given. On one hand it is the worlds busiest airport serving close to 30 million passengers every year and then it is in a location that has frequent tunderstorms. When I now stumbled over a video that shows what happens when thunderstorms occur over the area I was amazed by the resulting images. While not as nicely presented as the pictures in my earlier post on the beauty of airtravel it shows the beauty of technology being able to adapt and overcome obstacles.
From now on I will be blogging about topics that I have read somewhere else and that I find noteworthy. You will find them in my new “snipplets” category. Today I am starting with the keypoints of a WIRED Magazine Threat Level article by Kim Zetter. Here are the keypoints:
In a study spanning two years they found severe security issues with common medical equipment used across a large chain of Midwest health care facilities including:
Many hospitals are unaware of the high risk associated with these devices. A wide cross-section of devices shared a handful of common security holes, including:
There are very few devices that are firewalled off from the rest of the organization, once you get a foothold into the network, you can scan and find almost all of these devices.
This reflects unfortunately the discussions that I am having with healthcare Providers across Western Europe. Considering that Cybercrime is only starting to become “mature” (not happy to use this word in a criminal context but it describes it best) then the risks need to be mitigated and hospitals have an important aspect by insisting on secured systems and investing overall into their own IT hygiene.
I travel a lot for work and it brings me in touch with many different people and cultures. Sometimes when I am sitting in a busy airport I look up from my screen and am watching the planes come and go. My thoughts might then trail towards the security discussions that we need to increase with critical infrastructure, the complexity of the logistics behind such an airport or that it is just beautiful to watch a plane take-off.
I found by coincidence a visualization of air traffic over Europe that sheds a new scale on the points above. It emphasizes the need to be able to protect our digital command, control and communication systems involved with managing something as complex as airtravel but at this point I suggest you just click on the movie and enjoy the beauty of it.
The video was created from real flight data, using UK radar data from June 21 and European flight plan information from July 28. If you want to know more check out the original blogpost by Paul Beachamp.
One topic has been on the top of most discussions I had during the last months – the “NSA/PRISM” data leakages. While some of the points were already known previously and were for example part of Microsoft’s transparency report there were points that were worrysome. Here especially tje recent allegations in the press on a broader and concerted effort by some governments to circumvent online security measures to collect private customer data.
As a result of these concerns were many discussions that I had over the last months where confidence in the security and privacy of online communication was questioned. As a result of these allegations Microsoft decided to take immediate and coordinated action and Brad Smith, General Counsel & Executive VP Legal and Corporate Affairs sketched out in a blog post on Microsofts actions for better protecting customer data from government snooping.
The actions are concentrating on three areas:
· We are expanding encryption across our services.
· We are reinforcing legal protections for our customers’ data.
· We are enhancing the transparency of our software code, making it easier for customers to reassure themselves that our products do not contain back doors.
Please see the original blog post from Brad Smith for more information. From a European perspective it is especially interesting to know that we will open a transparency Center in Europe so that governments have appropriate ability to review Microsoft source code, reassure themselves of ist integrity and confirm there are no back doors.
I am now working with Windows 8.1 for a while and I really like it. It enables me to have one device for two work modes. I use the modern Interface when I am more reading/consuming information and then change to the traditonal desktop when I am writing documents, presentations etc.
As a security professional I also like Windows 8.1 because it enables new scenarios in the enterprise. For accessing the most sensitive information I want to be able to know the device that is accessing it and to know the health of the device before letting it so. And with Windows 8 I can now do exactly that for a touch device.
Dustin Ingalls, our Group Program Manager for Windows Security & Identity was attending Black Hat and gave a presentation on the Windows 8.1 security functions and published a blog post about it. I summarize the most important points below and encourage you to read his full blogpost with the details:
The Windows 8.1 update offers a full spectrum of new and improved security capabilities – from features that enable devices to be fully locked down by IT, to remote security options for BYOD devices, to safeguards for personal devices that need to access business resources from home. The main Points are the follow:
#1 Trustworthy Hardware
Trusted hardware is a key investment area for Microsoft in Windows 8.1. Often in a BYOD scenario, if an employee buys a new computer, it can be hit-or-miss as to whether the device will have all the tools baked in that an IT department needs to make sure any data on that device is secure. With Windows 8.1 we take away the guesswork.
#2 Modern Access Control
With Windows 8.1, we’ve focused a lot of attention on the controls that IT departments can place on devices to restrict who can physically access a device. Key Points are here first class biometrics and multi-factor authentication for BYOD.
#3 Protecting Sensitive Data
We’ve also put a lot of thought into how businesses can protect their data even when it resides on employees’ personal devices.
Pervasive Device Encryption: With Windows 8.1, device encryption is now available on all editions of Windows for devices that support InstantGo. In addition we implemented Selective Wipe of Corporate Data: With Windows 8.1, we introduce Remote Data Removal which will allow an IT department to wipe corporate data (e.g. emails, attachments, corporate data that came from Work Folders) off a BYOD device without affecting personal data.
#4 Malware Resistance
As security threats continue to evolve, we continue to step up our built-in malware resistance measures to stay ahead of attackers by improving Windows Defender and enhancements to Internet Explorer.
The points above are only a selection of things and more is in the original post.
Cybersecurity is currently on the top of the mind of many organizations trying to protect their intellectual property, research, customer and employee databases and other valuable information. In almost every discussion that I have on cybersecurity the topic of targeted attacks is put into the center. This is now even encreasing as we see such attacks being used much more commonly than usually assumed and only a small number of organizations have the resources to limit or even detect them.
The question is then often what a targeted attack really is and to answer that we have created the Targeted Attacks Video Series on Advanced Persistent Threats (APTs), or what we at Microsoft call Targeted Attacks by Determined Human Adversaries. These five short informational videos summarizes three security whitepapers, Determined Adversaries and Targeted Attacks, Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques, and Best Practices for Securing Active Directory.
Take the time to look at them below – it is well worth it:
I hope this helps for the next discussion on the topic of targeted attacks – and if you work for an organization that has information with commercial value then that discussion that discussion should start sooner rather than later.