Join Ars’ Sean Gallagher in Manhattan for the 2014 Security Threatdown

Back in the days when I worked in the computer security business, I always used to say that the one thing I could always be thankful for was that there'd be no lack of work. Today, I'm thankful that all I have to do is write about security, considering the target-rich environments that information security professionals have to deal with.

This past year has been a banner year for threats. Over the last year we've reported on the growing threat of state-sponsored hackers hunting for industrial data, spying on company e-mail, and even hijacking whole Web domains. And we've also reported on how organized cybercrime syndicates and even small-time cybercriminals have found ways to steal from both businesses and their customers, with everything from point-of-sale hacks to "ransomware." And that's just the most obvious set of concerns that security pros have had this year, what with hackable toilets, destructive attacks on facilities' boilers, and other cyber attacks that can do physical damage.

On Tuesday, December 3, I'll be in New York City at the Harvard Club to moderate a panel hosted by the Information Security Forum, discussing the top six reasons why infosec professionals will continue to collect a paycheck in the new year. The panelists for the half-day executive seminar on the 2014 "Threat Landscape"—including ISF Global Vice President Steve Durbin and Garcia Cyber Partners principal Greg Garcia—and I will discuss ISF's forecasted top six security threats to business in 2014 and what to do about them.



Bitcoin’s skyrocketing value ushers in era of $1 million hacker heists

A company billing itself as one of Europe's biggest Bitcoin exchanges said it suffered a coordinated attack that succeeded in stealing almost $1 million worth of the digital currency, marking the latest in a string of high-stakes heists hitting companies that hold large sums online.

Kris Henriksen, CEO of Denmark-based Bitcoin Internet Payment Services (BIPS), made that claim last week in a Web post that said the attack began as a distributed denial-of-service (DDoS) attack. Two days later, Henriksen said, the same attackers targeted the BIPS network again and managed to use the damage they previously inflicted to somehow tamper with the channel that connects BIPS data storage systems to company servers.

"On November 15, BIPS was the target of a massive DDoS attack, which is now believed to have been the initial preparation for a subsequent attack on November 17 that overloaded our managed switches and disconnected the iSCSI connection to the SAN on BIPS servers," the CEO wrote. "Regrettably, despite several layers of protection, the attack caused vulnerability to the system, which has then enabled the attacker/s to gain access and compromise several wallets."



Cyber Monday Shoppers and Retailers Beware of Scams and Attacks

Contributor: Vivek Krishnamurthi
December 2, 2013 marks Cyber Monday, the day when Internet retailers expect to experience a major surge in traffic thanks to people shopping online for the holiday season. The concept of Cyber Monday, or Mega Monday as it’s known in Europe, was introduced back in 2005. It takes place after the Thanksgiving holiday weekend, when people return to the office and buy Christmas presents from their work computers, according to retailers. Some dismissed Cyber Monday as marketing hype but over time, the day has grown in significance, thanks to competitive deals on offer from many major retailers. In 2012, the 500 biggest retailers in the US took more than US$206.8 million on Cyber Monday while in Europe, approximately €565 million was spent on this day. This year, experts believe that Cyber Monday sales will grow by 13.1 percent as consumers increasingly move from buying presents in bricks-and-mortar stores to shopping online.
However, given the hype surrounding Cyber Monday and the traffic expected on ecommerce sites on this date, attackers may well take advantage of the day to target both consumers and retailers. According to a recent study from RSA Security and the Ponemon Institute, 64 percent of retail-focused IT professionals have seen an increase in attacks and fraud attempts during high traffic days such as Cyber Monday. But just one third of these IT professionals take special precautions to ensure high availability and integrity of websites on these days. Worse still, the estimated direct cost of a cyberattack around the holiday season is believed to be US$8,000 a minute.
Attacks against retailers
There are several ways that attackers could target retailers and consumers during Cyber Monday. Identity theft is one possible threat, and it has plagued many stores and customers in recent years. The increased traffic on Cyber Monday could entice attackers to target vulnerabilities in retailers’ infrastructure in order to plant malware that could steal consumers’ information. Our recent research found that 53 percent of the websites scanned by Symantec contained unpatched and potentially exploitable vulnerabilities.
Another possible threat to businesses on Cyber Monday is distributed denial-of-service (DDoS) attacks. Many retailers have already experienced the effects of such attacks. In 2012, among the UK firms that were hit with DDoS attacks, 43 percent were in the retail sector. Cyber Monday could prove to be an attractive date for attackers targeting retailers with DDoS attacks. Attackers have been known to undertake DDoS attacks on dates of significance, as they are aware that their efforts will get noticed if they attack on high traffic days such as Cyber Monday. Attackers could also use DDoS attacks to distract Web administrators from other malicious activity they are carrying out elsewhere. DDoS attacks have been occurring more frequently, with a reported 54 percent increase in attacks in the second quarter of the year.
End users
Of course, retailers aren’t the only ones who should protect themselves this Cyber Monday. Consumers should also make sure that they shop safely online. This year, analysts expect that more consumers than ever will be searching for deals through their mobile device. Marketing research firm eMarketer believes that mobile commerce will generate US$41.68 billion of the total US$262.3 billion in ecommerce sales for the year, representing a 68.2 percent increase in mobile commerce sales from 2012. However, the recent 2013 Norton report showed that while 38 percent of smartphone users experienced mobile cybercrime in the past 12 months, almost half of mobile device owners didn’t implement basic protections such as passwords, security software or data backups. Even though some consumers may opt to shop on their mobile device rather than their computer, they could still be vulnerable to the threat of cybercrime.
Scammers will still be relying on more well established techniques to target both businesses and consumers this Cyber Monday. Symantec has found a recent spam campaign that tells the email’s recipient that they need to prepare for Cyber Monday if they want to make money from it. The email also includes two links claiming to offer advice on how to take advantage of the day. These links redirect users to a spam Web page that includes a video to trick users into thinking the page is genuine.
Figure. Spam email claiming that the message’s recipient can make money from Cyber Monday
Stay protected
Consumers and retailers should heed the following advice to stay safe this Cyber Monday.
  • Web administrators should ensure that any potential infrastructure vulnerabilities are plugged before Cyber Monday in order to prevent attackers from taking advantage of these flaws. They should also monitor network traffic for any suspicious activity.
  • Retailers should ensure that their employees are trained to understand the risks associated with social engineering attacks that are designed to breach their companies’ systems, which could affect consumers. Similarly, other companies should also train their staff to be aware of phishing scams around this day, in case employees decide to shop online from their work computers.
  • Consumers should use the latest version of their Internet browsers to shop online and should ensure that their software, including antivirus software, is up-to-date. Symantec offers consumers the latest Norton solutions for both computers and mobile devices.
  • Customers should only purchase goods through reputable online retailers and should check if the website that they’re shopping on is secured through Secure Sockets Layer (SSL). They can tell if the site is secured in this way if the URL includes “https” rather than just “http”. Consumers should avoid inputting financial information on sites without this protection.
  • Users should always avoid clicking on links in unsolicited emails, especially if they offer deals that seem too good to be true. They should always check legitimate retailers’ official websites to see what deals are on offer. Users should also never send sensitive financial information through email.
  • Consumers should monitor their bank or credit card activity over the holiday season and report any suspicious purchases or unauthorized money transfers.