Tuesday, 12 January 2016

Have you heard of "Cyber Insurance"?

The Cyber Liability Insurance Cover (CLIC) or otherwise referred to as cyber insurance, is a market that grew significantly in 2015. One of the main factors that contributed significantly to this growth is the constant increase of threats in the cyber space and more specifically the high profile data breaches that took place during the past years. Due to these data breaches companies were taken to court and were forced not only to cover the losses, but to take upon the extra costs for the data breaches as well. In most cases, these additional costs included crisis management, legal costs, reputational damages, engaging in identity theft resolution, credit and fraud monitoring and further technical costs as well.
Under the potential threat of a breach and the inevitable consequences, this has established not only a need but also a demand for a cyber insurance market. This has also been highlighted by a cyber survey conducted by RIMS. The survey showed that 74 percent of the companies without Cyber insurance will be purchasing one within the next two years. Likewise, by 2025 the total annual premiums for stand-alone cyber insurance are projected to grow to $20 billion.

Wednesday, 6 January 2016

Quickly detect CMS & other technologies being used on a website

Ever wanted to uncover quickly the Content Management System (CMS) being used on a particular website? Well, if you are a developer or responsible for assessing the security of Web Applications, this might be a good tip on how to do this quickly and effectively. 

First of all, let me point out that there are several websites online that offer to analyse a given URL and then return results not only about the particular CMS being used, but on other technologies utilised in each case as well. These technologies may be the use of Apache, the presence of Google Analytics, other technologies such as jQuery, reCaptcha, etc. 

The problem with all these online services however is privacy. When checking a particular website, especially if you have been contracted to assess the security of the web application in place, you do not want this information to be shared with a third party or to be included in a publicly available "recently checked" list. 

I actually spent some time trying to locate a button or a check box on these website that would allow me to opt-out from allowing them to cache or display the information, but I couldn't. Thus, I had to find a different way that would respect my privacy and I think that I did. 

Wednesday, 23 December 2015

Biometrics: the Future of Mobile Payments?

Billions of people are now using smartphones, even in the most remote areas of the planet. Global adoption of these new mobile technologies opens up the discussion for more advanced methods of identification, authentication, and verification, especially when it comes to protecting against fraud, identity theft and financial crime. One of these promising new technologies, available to end users as a result of the acceptance of mobile devices such as mobile phones, tablets, and laptops, is biometrics.
Biometrics look promising when it comes to simplifying the processing, authentication, and confirmation of transactions in general, but more importantly when it comes to payments. Technological advances, along with pattern recognition and multi-factor biometrics, are expected to tackle cybercrime by making it very expensive and time-consuming for cybercriminals to attempt to target these systems. 

Saturday, 19 December 2015

Message Header Analyzer (Microsoft & Google)

Spear-phishing attacks still happen and are still successful. According to Symantec: “The FBI estimates that the amount lost to BEC (Business Email Compromise) between October 2013 and August 2015 was over $1.2 billion. With such huge returns, it’s unlikely that these scams will cease any time soon.”

Symantec researchers also explained that “BEC attackers target senior-level employees rather than consumers as it’s easier to scam them out of large amounts. In one incident, we observed the scammers asking the target to transfer over US$370,000. By requesting large amounts of money, the scammers only need to be successful a couple of times to make a profit,”.

Usually spear-phishing emails are used for untargeted attacks. Lately we saw spear-phishing attacks becoming more targeted. An example is the CEO fraud attacks. A cyber criminal sends an email that appears to be from an executive (usually from the CEO to the CFO) asking for a specific payment to be processed immediately. The payment may be in any currently or even BitCoin(s). 

There are a couple of tools online that you can use to check the email headers of incoming emails. The email headers allow you to check if a suspicious incoming email is actually a spoofed email as part of a spear-phishing attack campaign.

Friday, 18 December 2015

FireEye critical vulnerability

Google's team in Project Zero discovered a critical vulnerability in FireEye NX, EX, AX and FX network security devices that run on security content version 427.334 or prior versions.
An attacker could exploit this vulnerability to gain persistent access and remotely exploit code. It is good to see that FireEye focused this time towards patching the security flaw and did not try to take legal action, like previously, for the vulnerabilities discovered by the German security firm ERNW). 

FireEye responded with a support alert stating that a patch was released through automated security content updates for all of the affected devices. FireEye is making the patch available for “out-of-contract customers” and the firm warned customers who perform manual security content updates, to “update immediately”.

The flaw discovered by Project Zero follows an earlier series of vulnerabilities discovered by the German security firm ERNW. FireEye filed an injunction against ERNW in September after learning that the firm was planning to release findings on vulnerabilities that it discovered in FireEye's operating system

It was proven that it was possible for an attacker to root the FireEye's network security device by simply tricking a victim into clicking on a link contained in an email.