
Research shows majority of data breaches occur in US


A recent StorefrontBacktalk article spoke to the disproportionately high rates of data breaches that occur in the United States and offered some possible explanations for this disturbing phenomenon.

Columnists Frank Hayes and Evan Schuman cited statistics gathered in a recent interview with Visa payment system security director Jennifer Fischer. Her research team discovered that, in 2011, 67 percent of all global data breaches could be traced back to U.S.-based businesses. This figure is a striking reversal from 2009, when American firms accounted for only 38 percent of data breaches. However, traces of the trend could be seen in 2010 when 61 percent of such incidents occurred in the U.S.

Hayes and Schuman noted that this transformation may have been triggered by the lack of differentiation between corporate data security measures. The ubiquity of certain systems – particularly among franchised businesses – creates an opportunity for successful exploits to be replicated many times over. During a period of economic uncertainty, store managers may forgo necessary improvements to their cybersecurity posture. Yet as these investments are postponed, more security gaps are created for attackers to exploit.

The columnists also noted the starring role being played by organized gangs of cybercriminals. From the breach of home goods retailer Michaels in 2011 to the more recent incidents affecting Barnes and Noble, franchises of all sizes are seeing their data protection loopholes exploited by opportunistic hackers.

But whereas technical resources may be limited, human resources could be a much more scalable asset.

In a recent survey of 1,015 U.S.-based small and medium-sized businesses, researchers from the National Cyber Security Alliance and Symantec found that more than half of responding firms are prioritizing the possession of strong cybersecurity fundamentals when it comes to assessing the viability of job candidates.

“According to Symantec’s research, SMBs have become a key target for cybercriminals and that trend is bound to continue," Michael Kaiser, executive director of the National Cyber Security Alliance said. "Small business owners and employees must do a better job not only becoming better educated on cybersecurity, but also better at implementing technologies to protect themselves and the information that fuels their businesses.”

Responding recruiters said that the safe and ethical use of email and social networks were the top digital literacy skills they were looking for in a new hire. A working knowledge of how to identify and protect sensitive assets such as corporate intellectual property followed closely behind on the list of attractive employee attributes.


DDoS, SQL injection top cybercriminal priority lists


Knowing your adversary's next move is an invaluable advantage when it comes to securing corporate networks. And although hackers are a notoriously unpredictable lot, researchers from Imperva recently gathered some insider intelligence that suggests which threat vectors cybercriminals are most likely to explore.

Imperva security researchers recently replicated a unique task they attempted for the first time last year: posing as a fly on the wall in underground hacking forums. This year they listened in on discussions across 18 different platforms, including one that boasted 250,000 members. While the talking points were as various as they were colorful, a number of common themes emerged.

According to the Imperva report, distributed denial-of-service (DDoS) attacks and SQL injection continue to be the most popular topics of discussion, each attracting approximately 20 percent of all forum threads.

DDoS attacks have dominated the headlines in recent weeks as several big-name U.S. financial institutions have been afflicted. While some see these as relatively harmless – albeit annoying – distractions, several experts insist that they are being used as a smokescreen to cover more elaborate attacks targeting sensitive assets.

SQL injections have also returned to prominence in recent times, according to InformationWeek. The data security breach that may have compromised as many as 3.6 million Social Security numbers and 387,000 credit card accounts in South Carolina has been widely attributed to this database exploitation technique.

This mode of attack could also be particularly damaging considering the relative lack of dedicated defenses in place to stop it. Citing Gartner statistics, Imperva analysts suggested that just 5 percent of IT budgets are allocated toward investment on data center security solutions.
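As an added illustration (not code from the original article or from Imperva), the following Python shows why SQL injection works and what the dedicated defense looks like: a login lookup that splices user input into the SQL text, beside the same lookup written with a parameterized query. The table, rows and the tautology payload are constructed for the demonstration; it runs against an in-memory SQLite database.

```python
"""Vulnerable string-built query versus parameterized query (added example)."""
import sqlite3

# Constructed sample rows: (username, password hash placeholder)
SAMPLE_USERS = [
    ("alice", "h1"),
    ("bob", "h2"),
    ("carol", "h3"),
]

# Constructed payload: closes the string literal and appends a tautology.
INJECTION = "x' OR '1'='1"


def make_db():
    """Build a throwaway in-memory database with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, username):
    """The untrusted value becomes part of the SQL statement itself,
    so a crafted value can rewrite the WHERE clause."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """The driver sends the value separately from the statement text,
    so it is always treated as data and can never alter the query."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", find_user_vulnerable(db, "alice"))
    print("vulnerable, injected   :", find_user_vulnerable(db, INJECTION))
    print("safe, injected         :", find_user_safe(db, INJECTION))
```

With the injected value the vulnerable function returns every row, because the statement has become `... WHERE username = 'x' OR '1'='1'`; the parameterized version returns nothing, because it looks for a user literally named `x' OR '1'='1`. Parameterization is the defense the article says most budgets leave out; it is also cheap.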

"By examining what information hackers seek out or share in these forums, we can better understand where they are focusing their efforts," explained Imperva CTO Amichai Shulman. "If organizations neglect SQL injection security, we believe that hackers will place more focus on those attacks."

Finally, it is important to note that these underground hacking forums are populated with much more than idle banter. According to Imperva, approximately one-third of all content can be classified as cybercriminal education – from tips for beginners to comprehensive walkthroughs and tutorials.

What's more, some are treating these platforms as a marketplace for illicit services. Whether it's an exploit kit for a credit card scam or 5,000 fraudulent Facebook likes for a burgeoning brand, all manner of black market amenity seems to be within a few mouse clicks.

Data Security News from SimplySecurity.com by Trend Micro

Hackers could pervert power of the cloud for new attacks


The seemingly limitless computational power of cloud computing is among the technology's most attractive value propositions, but placed in the wrong hands, it could fuel untold danger. According to a new proof-of-concept exploit engineered by computer scientists at North Carolina State University and the University of Oregon, hackers could anonymously siphon some of this strength to amplify the impact of their malicious plots.

According to Ars Technica, the inspiration for this demonstration comes from the Puffin mobile web browser. The cloud-based utility serves as an intermediary of sorts, rendering JavaScript, images and text from disparate sources on a single server before delivering it to a mobile device. This innovation has allowed for exponentially faster page loads on smartphones and tablets that have only a limited reserve of standalone computing power to draw upon.

But as researchers hypothesized, this blessing could become a curse if programmers are able to trick the browser into performing tasks that the actual cloud service was never designed to execute.

"By rendering web pages in the cloud, the providers of cloud browsers can become open computation centers, much in the same way that poorly configured mail servers become open relays," scientists wrote in their research brief. "There is great potential to abuse these services for other purposes."

Silent assassins
Ahead of this month's Computer Security Applications Conference, the research team built its own customized Puffin replica for experimentation. According to Ars Technica, engineers discovered a method by which the cloud-based servers the browser relies on could be commanded to count words, search text and execute a variety of processes outside the scope of their original design.

Although the proof-of-concept attack was limited in scope and benign in motive, it confirmed the researchers' ability to discreetly redirect the power of public cloud servers to covert activities. In addition to the Puffin browser, which runs on Android and iOS devices, it is assumed that similar manipulations could be made to Amazon's Silk browser, AlwaysOn's Cloud Browse and Opera Mini.

If these capabilities were bent to a hacker's will, they could generate as many as 24,000 cryptographic hashes per second for password-cracking purposes or significantly expand the attack radius for denial-of-service attacks.

Similar brands of so-called "parasitic computing" have paved the way for notable breaches such as Sony's 2011 data security troubles. But as research coordinator William Enck told Dark Reading, this fresh approach could be much faster and simpler than renting cloud space with stolen or fraudulent payment credentials.

Cloud Security News from SimplySecurity.com by Trend Micro

2013′s Pandora’s Box


We have entered a brave new world in cyberspace where we are ever more dependent upon cyberspace and our electrical grid.  At the same time, the energy sector is becoming more vulnerable to cyber-attack.

The energy sector’s history of vulnerability began with the Blackout of August 2003. The sector responded to that blackout by following the financial sector’s resiliency model to ensure business continuity. In their effort to defend against kinetic events like blackouts, they weakened their cybersecurity posture. The increase in remote access and Internet-facing SCADA/ICS systems opened a proverbial “Pandora’s box” of increased risks and threats to these systems.

The situational awareness of our cyber adversaries has been greatly enhanced, sometimes using nothing more than publicly available tools. Exposed SCADA systems can now be targeted using “Google-fu” to identify embedded systems that are reachable from the Internet. In addition, a disturbing trend is starting to pop up on Pastebin, where posts expose SCADA/ICS devices, their IP addresses and other identifying information for sale. Not only are these systems increasingly connected and accessible: it’s increasingly easy to find them.

The risks of accessibility and discoverability are exacerbated by the advent of Stuxnet and Flame. Stuxnet ushered in a new era of weaponized code. (See: http://blog.trendmicro.com/trendlabs-security-intelligence/stuxnet-used-in-blackhat-seo-campaign/ ). But governments no longer have a monopoly on cyber weapons of war: in some cases they’ve lost control of the weapons they built, only to see them fall into the hands of criminals and others. The arms bazaars of Eastern Europe and South America have now distributed asymmetric capabilities like Duqu to non-state actors. In 2013, the non-state actor community will begin to attack the energy sector for political, theological and financial purposes.

It is imperative that the energy sector learn from the gaps in cybersecurity which exist in the financial and government sectors. An over-reliance on perimeter defenses and encryption will not manage the exposures or the targeted attacks employed by our adversaries.

I believe the SANS and the NSA Twenty Critical Security Controls represent a good starting point to begin to allow offense to inform defense.  (See:  http://www.sans.org/critical-security-controls ).

The energy sector is embracing SCADA/ICS and smart grid technologies. These technologies allow for greater resiliency and efficiency, but they do manifest greater operational and systemic risk of integrity attacks. This added risk must be managed thoughtfully. In order to close Pandora’s Box we must move beyond the energy sector’s use of the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) security standards (See: http://www.nerc.com/files/CIP-002-4.pdf ) and embrace advanced threat protection technologies, virtual patching and file integrity monitoring.

Being Present


Have you ever almost been hit by a car crossing the street staring at your mobile?

Have you ever spoken to someone without them ever looking you in the eye as they stare incessantly at their mobile?

Do you feel as if you spend more time in cyberspace than in the real world?

Then you are not alone.

Our lack of being “present” is detracting from our real world situational awareness.

The great irony of the Internet is that as we become dependent on its information – 90% of which was developed in the past 5 years – the paucity of good, clean data is showing. The Internet is a hostile environment. The true danger of our lack of being present is our faith that we can control our consumption of data.

The Web 3.0 environment is one wherein you need not show intention to receive data.

We no longer must click on links or type in searches to acquire the data we need, as our devices implicitly know where we are, who we are, and what we like and need, and thus provide it to us as a glove fits a hand. This would be wonderful if we could guarantee the security of that glove. The hacker community well understands that true power comes not just from transparency but from telepathy. Hacker crime kits like Citadel, SpyEye, Poison Ivy and the Blackhole Exploit Kit allow our virtual personas to be hunted.

Being present is now paramount. The first stage of regaining our situational awareness begins with putting our devices down. The second is to challenge our corporations, partners, and governments to stop treating cybersecurity as an expense. It is a function of business and life in 2013, an inelastic good. Be present today my friend because there is a car coming.

Island Hopping in Cyberspace


The recent attacks on the New York Times, Washington Post and Federal Reserve illustrate a dangerous trend in cyber tactics. All of these institutions became victims of island hopping, which has become the tactic of choice for elite hacker crews. As an information security specialist, your organization is being targeted by nation states, criminals and activists alike. The recent attack on the Fed demonstrates the evolution of hacker tactics: to island hop from your networks into your constituencies’ systems. The evolution of lateral movement and the automation of privilege escalation, local information gathering and data exfiltration all herald a serious paradigm shift as our adversaries move to colonize our ecosystems. The hacker community is targeting trusted third parties to bypass the perimeter defenses of the intended targets. As illustrated by the recent ISACA survey on APTs, more than 80% of respondents had yet to alter the terms of their SLAs to manage the systemic risks posed by island hopping.

Ensuring the cybersecurity of the trusted third parties with whom you conduct business is imperative. I recommend you alter your SLAs to mandate greater security controls, such as network traffic analysis, file integrity monitoring, virtual patching and custom sandboxing, as requirements for managed service providers and business partner networks. Managing the systemic risk posed by these trusted external networks will be your true challenge of 2013. The cybersecurity of your network is now paramount to managing the infestation of your trusted user and customer accounts. Help thwart island hopping by embracing the tactical shifts of the underground.


Securing the Internet of Everything against surveillance and attacks


The emerging Internet of Everything is set to heighten the security burden for device makers, software vendors and the numerous organizations that will rely on an interconnected network of smart devices to support operations and serve customers. While tablets and smartphones rule the roost for now in terms of consumer and business attention, new technological frontiers are already being opened up by devices such as wristband trackers and networked thermostats and automobiles.

This proliferation of Internet-enabled endpoints means that cybercriminals will gain access to many new attack surfaces. Hacking a heads-up display, security camera or refrigerator, while a seemingly outlandish prospect at the moment, ultimately could have much more immediate, tangible consequences than breaching a PC, since users interact with these newly networked assets in highly personal ways and often in their own homes.

However, the broader risk emanates from the vast amounts of personal data that IoE devices are collecting and storing. For example, current gadgets such as the Jawbone Up already collect personal information about sleep patterns, health activity and dietary regimens and synchronize it with the cloud.

As more devices follow in this mold, users and security professionals must be conscious of how deeply the Internet is becoming intertwined with their lives and how the IoE promises a different, more intimate computing experience. Threats once confined to mainframes, PCs and smartphones will evolve to persist within the new connected landscape, and the security community must be ready to guide users and companies as they consider how to address these risks.

Number of networked devices could top 50 billion by the end of the decade
How big will the IoE become? The number of connected devices had already exceeded the human population as of 2012, but it is set to surge by 2020.

Cisco estimated that by that time, there will be more than 50 billion networked devices, with most of them coming online during the last three years of the decade.  Morgan Stanley was even more bullish on IoE growth, projecting 75 billion connected devices in 2020, or 9.4 for each of the 8 billion people alive at that time.

Most immediately, the emergence of the IoE will fuel growth in networking and surveillance equipment, as well as new sensors optimized for verticals such as healthcare, retail and transportation. Hospitals may be able to better track patient conditions, while businesses can keep tabs on inventory and vehicles.

However, IoE is already becoming consumerized with items such as Sony’s proposed SmartWig, which vividly displays the benefits and potential security perils of the IoE. This networked wig contains GPS, as well as tactile sensors, capable of gathering sensitive information about the wearer’s location or vital signs such as pulse and blood pressure. Still, it may also have the ability to guide a user through dark areas, interact with smartphones and enable wireless gestures such as moving one’s eyebrows to control a TV or slide projection.

While the SmartWig is still a prototype, it demonstrates that we may not be far from a world in which billions of devices monitor user behavior, producing practical benefits while simultaneously generating massive amounts of sensitive data. Moreover, the intimacy of many IoE devices means that they produce data types that cybercriminals may find attractive and profitable. For example, there have already been several instances of researchers and hackers taking over wireless IP cameras and posting their video feeds to the Internet.

Wireless IP camera hacking incidents illustrate the stakes of protecting the IoE
In early 2012, security researchers at the Hack in the Box conference in the Netherlands demonstrated that many wireless IP cameras are vulnerable to remote hacking. At the same time, their efforts illustrated how data from hundreds of millions of connected devices is already readily available on the controversial Shodan search engine, which collected information even on obscure devices like smartphone-controlled door locks.

The Qualys researchers stated that, via Shodan, they had discovered more than 100,000 IP camera feeds that were unrelated to security surveillance operations. Twenty percent of all IP cameras that they found would authenticate a user with nothing more than “admin” as the username. Even devices that were password-protected had weak firmware that was vulnerable to brute force attacks and path traversal. Since these cameras relay network information and authentication credentials to a Web-based interface, they are putting many users’ sensitive data out in the open.

“The web based administration interfaces can be considered as a textbook example of an insecure web application and easily leads to an exposure of not only sensitive personal information (such as wireless network, FTP, and even email access credentials), but also provides an eye to an inside of your house,” stated the abstract of the Qualys researchers’ report.  “Apart from the flaws in the web interface, the cameras also use questionable security practices when it comes to securing the firmware, which leads to even more interesting attack vectors.”

In a separate incident from early 2012, a hacker compromised the software that runs SecurView IP cameras. With the number and variety of networked devices growing, and with networks like Shodan providing insight into their data, device makers and the security community must step up to the plate and ensure that data privacy is respected and risks to virtual and physical assets are mitigated.

Securing the IoE against tomorrow’s threats
Securing something as vast as the IoE seems like a daunting task. However, there’s still much that can be done to improve basic security – professionals should start by enforcing better encryption on Web apps, using stronger passwords and keeping operating systems and anti-malware solutions up to date. For example, 99 percent of the IP cameras that were exploitable via Shodan had not been updated with new firmware that protects against password attacks.

At a broader level, the IoE will demand well-designed network infrastructure that protects users while not reducing the utility of their devices. Credit card systems offer a blueprint for how to achieve this goal, since they utilize multiple layers of local and remote security to ensure that the payment experience is both safe and easy. Securing the IoE may take some creative thinking – especially in light of devices like the SmartWig – but the foundations for comprehensive security are already there and just require more diligence.

Cyber Security moves toward fully automated systems, part 1


The Pentagon’s Defense Advanced Research Projects Agency is legendary for its secretive, bleeding-edge research projects. DARPA is most famous for creating the world’s first hypertext system and, as such, laying the groundwork for the rise of advanced computer networking and the Internet. Can the organization remake cybersecurity for the coming age of the Internet of Everything and harden a wide range of infrastructure against advanced cloud-supported threats?

DARPA, the Internet of Everything and cybersecurity
In recent years, DARPA has turned its attention to moonshot projects such as terahertz frequency electronics, a replacement for GPS and, perhaps most notably, several broad cybersecurity initiatives. On the incredibly ambitious side, there’s DARPA’s plan for an antivirus shield, called High Assurance Cyber Military Systems, that would cover the IoE. With Cisco Systems projecting that the IoE could encompass more than 50 billion IP-enabled endpoints by 2020, such an undertaking would, by definition, have to revolutionize how cybersecurity is delivered, greatly extending its presence throughout the enterprise.

Securing the IoE is certainly a mission-critical task for governments, businesses and network security providers, all of whom have growing stakes in interconnected webs of sensors, devices and other infrastructure. McKinsey has estimated that IoE business could bring in more than $6 trillion in revenue by 2025. However, realizing such value requires a combination of streamlined cybersecurity processes (such as risk management frameworks), highly capable personnel and top-flight software that covers all bases from mobile to cloud.

In that regard, IoE protection doesn’t seem all that different from standard cybersecurity practices that have been popular for decades. Still, it isn’t exactly a matter of cutting and pasting current procedures. Many recent major security incidents have been marred by slow detection and response times, which organizations will be increasingly unable to afford as their networks add new endpoints and cloud services that become attack surfaces. A 2013 Trustwave assessment of 450 data breach investigations found that the average intrusion remained undetected for 210 days.

Why does it take so long? Part of the issue may be that organizations assume that traditional risk mitigation tools, such as antivirus software, alone are enough to protect their data, despite these solutions being less than ideal for functions such as monitoring network traffic. The days of standalone antivirus, declared dead by Symantec earlier this year, may be numbered. Speaking to ZDNet in 2008, Trend Micro malware CTO Raimund Genes explained that on a strictly technical basis, typical antivirus won’t keep pace.

“Two years from now, you will not be able to store the [signature] files on a computer any more … you will not have enough memory space,” Genes said. “Some people are saying that antivirus is dead, and I have to agree the traditional methods to combat malware have no future.”

What could be next: DARPA’s goal of fully automated security systems
The security community is already looking beyond antivirus and setting its sights on the IoE. In 2016, DARPA intends to hold its Cyber Grand Challenge competition in conjunction with the prominent security conference DEF CON.

Until then, the agency is encouraging would-be competitors – 35 teams had registered by early June – to work on systems capable of dealing with threats automatically and in real time. The best fully automated solution will be awarded a $2 million prize, underscoring the seriousness of DARPA’s search for a new breed of cyberdefense. DEF CON is a common venue for such challenges, but this one is unique, stipulating that projects be “human-free.”

Putting the onus on machines and algorithms has its advantages. For years, cybercriminals have always had the upper hand in cyberattacks, since they only have to find a single vulnerability to take advantage of. Accordingly, incidents such as the Target breach – caused by a flaw in an HVAC provider’s systems – and the regular targeting of obscure Adobe Flash exploits are painful for human security teams to address. They’re often playing catch-up, trying to understand how the network was breached and determine the best course of action, but an automated system could give their organizations much firmer defensive postures.

“Today’s security methods involve experts working with computerized systems to identify attacks, craft corrective patches and signatures and distribute those correctives to users everywhere – a process that can take months from the time an attack is first launched,” stated Mike Walker, program manager at DARPA, according to ZDNet. “The only effective approach to defending against today’s ever-increasing volume and diversity of attacks is to shift to fully automated systems capable of discovering and neutralizing attacks instantly.”

If the Cyber Grand Challenge participants can indeed come up with a working human-free system, it may relieve the pressure and high price tag of having to constantly play traditional defense. While defenders have to account for a dizzying array of attack surfaces, perpetrators can focus on just a single novel one. Hardening all infrastructure against potential threats is expensive, and it may not even cover the one that ends up being exploited.

Cybercriminals have more options than ever – so security teams should, too
Meanwhile, attackers have more resources – many of them extremely cost-effective – than ever for probing for weaknesses in the network, as demonstrated by Trend Micro’s recent discovery of hackers using consumer cloud service Dropbox to host command-and-control infrastructure. The instructions hosted in Dropbox can be sent to malware and botnets.

This tactic illustrates the complex, hard-to-interpret risks that security teams now have to account for. Dropbox traffic will usually look normal to them, even if it is masking the machinations of C&C malware. On top of that, the popularity of services such as Dropbox means that a variety of endpoints, especially PCs, smartphones and tablets, could be serving as gateways to cybercriminal operations. With the IoE coming to the fore, risks may become even more dispersed and difficult to distinguish from legitimate activity.
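Traffic to a popular cloud service cannot be blocked outright, but malware polling a dead-drop tends to do so on a timer, whereas a person uses the service in irregular bursts. The following added example (not code from the original article or from Trend Micro) runs a small beacon detector over constructed proxy log lines: it groups requests by client and watched domain, computes the gaps between consecutive requests, and flags pairs whose gaps are nearly constant. The watched domain suffix, the log format and the thresholds are assumptions chosen for the demonstration.

```python
"""Beacon detection over constructed proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one request per line: "<ISO time> <client ip> <host>"
# 10.0.0.5 polls every ~5 minutes (machine-like); 10.0.0.7 is bursty (human-like).
SAMPLE_LOG = """\
2014-06-10T09:00:00 10.0.0.5 api.dropbox.com
2014-06-10T09:05:00 10.0.0.5 api.dropbox.com
2014-06-10T09:10:01 10.0.0.5 api.dropbox.com
2014-06-10T09:15:00 10.0.0.5 api.dropbox.com
2014-06-10T09:20:00 10.0.0.5 api.dropbox.com
2014-06-10T09:00:10 10.0.0.7 www.dropbox.com
2014-06-10T09:00:12 10.0.0.7 www.dropbox.com
2014-06-10T09:47:30 10.0.0.7 www.dropbox.com
2014-06-10T11:15:02 10.0.0.7 www.dropbox.com
2014-06-10T13:02:45 10.0.0.7 www.dropbox.com
2014-06-10T09:03:00 10.0.0.9 www.example.com
"""

# Assumption: cloud-storage domains an analyst wants to scrutinize.
WATCHED_SUFFIXES = ("dropbox.com",)


def parse_log(text):
    """Return {(client, host): [datetime, ...]} for watched hosts only."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        if host.endswith(WATCHED_SUFFIXES):
            by_pair[(client, host)].append(datetime.fromisoformat(ts))
    return by_pair


def interval_stats(times):
    """Mean gap (seconds) and coefficient of variation of the gaps
    between consecutive requests; a CV near 0 means clockwork timing."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mu = mean(gaps)
    return mu, (pstdev(gaps) / mu if mu else float("inf"))


def find_beacons(text, min_requests=4, max_cv=0.1):
    """Flag (client, host, mean_gap_seconds) for pairs with enough requests
    spaced at near-regular intervals."""
    flagged = []
    for (client, host), times in parse_log(text).items():
        if len(times) < min_requests:
            continue
        mu, cv = interval_stats(times)
        if cv <= max_cv:
            flagged.append((client, host, round(mu)))
    return flagged


if __name__ == "__main__":
    for client, host, gap in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {client} -> {host} every ~{gap}s")
```

On the sample data only 10.0.0.5 is flagged (about 300 seconds apart); the bursty client and the unwatched host are ignored. Real implementations add jitter tolerance, minimum observation windows and allow-lists for known sync clients, but the shape of the check is the same: look for regularity that people do not produce.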

In the next part of this series, we’ll look at one of the specific areas in which the IoE is making itself felt, bringing new possibilities along with fresh security risks: the automated home. We’ll look at the developments in that space and how new age security mechanisms can help shield assets from harm.

SEE PART 2 of this Cyber Security series!


Cyber Security moves toward fully automated systems with IoE, part 2


In the first half of our series about the cybersecurity community’s move toward fully automated defensive systems, we examined how the emerging Internet of Everything is upping the ante for solutions that can identify and mitigate risks in real-time. Traditional measures such as antivirus, while still important for curbing certain classes of threat, are increasingly unsuited to fend off advanced attacks without assistance from network security monitoring tools and other modern utilities. Full automation is the logical next step in cybersecurity.

The Pentagon’s Defense Advanced Research Projects Agency has been notably keen to cultivate such human-free infrastructure. The reasoning is persuasive: Security teams often have to go to great lengths, at tremendous expense, to account for scores of potential vulnerabilities (even more so given how many endpoints could partake in the IoE), while attackers only have to succeed in exploiting a single one. Automated systems could finally tip the scales in the favor of defense.

The automated home of tomorrow: A microcosm of IoE security issues
It won’t be easy to get there, however. The IoE is widely perceived by both security professionals and the public to be inadequately secured, and its sheer scope – possibly 50 billion connected devices, according to Cisco’s predictions – definitely necessitates a new breed of cyber security, yet makes such a leap forward difficult to realize.

The smart home, a dream since at least the 1950s that may only now be getting the necessary technological underpinnings, illustrates the challenge that consumers, businesses and cyber security providers face in protecting growing amounts of data and infrastructure from sophisticated threats. DARPA has cited the rise of the IoE as an impetus for automated security; the home is likely the place where many individuals will first experience the benefits and pitfalls of the IoE. A 2014 study conducted by Fortinet and GMI, “Internet of Things: Connected Home,” surveyed 1,800 consumers and discovered that while many individuals felt that IP-enabled devices would continue to become more embedded in everyday life, security would lag general functionality:

  • More than half (61 percent) of respondents in the U.S. and a solid majority (84 percent) in China believed that the IoE – more specifically the networked home – would become a reality within the next 5 years.
  • Fifty percent stated that they were likely to seek better Internet service to accommodate IoE functionalities, which can range from smart thermostats to refrigerators equipped with Wi-Fi.
  • Seven in 10 were concerned about data breaches of IoE infrastructure that could compromise their personal data.
  • Almost 60 percent did not trust how data collected from IoE endpoints may be used. Certainly, with Google’s acquisition of Nest, there have been concerns elsewhere about information on users’ homes being used to refine advertising targeting.

Home automation is an old idea, but making house appliances and communications systems Internet-facing is novel, and it creates many potential new attack surfaces. A 2013 Trend Micro research paper, “Home Automation and Cybercrime,” advised against deep in-home Internet integration. However, seeming to realize that many users will do so anyway, the paper’s authors recommended using strong, unique passwords for each device and isolating them from the rest of the home network if possible.

What could go wrong with home automation?
Devices such as TVs, smoke detectors and thermostats have only recently been IP-enabled, and only a small subset of them at that. In these early products, connectivity is usually bolted on in the simplest workable form, and overall design is geared toward ease of operation rather than security. As more of these networked appliances and gadgets enter the home, people may be opening up their data, identities and financial assets to attack.

“What makes [theft of data and money] more alarming is that these Internet-enabled gadgets only have a basic IP configuration with few or no security options, making them very vulnerable,” explained Ranieri Romera, senior threat researcher at Trend Micro, in a blog post. “Also, people are unaware of the devices’ vulnerabilities, that they use these devices as they would their computers and put in information that can be considered critical. At this point, we’re talking no longer just the risk of unauthorized access, but information theft as well.”

Indeed, many of tomorrow’s IoE endpoints are, in a technical sense, just smartphones by other names, replete with high-speed connectivity and built-in software updating systems. Tech Insider editor Sam Volkering likened connected cars to “smartphones on wheels,” and similar comparisons can be made for home security cameras and LCD-equipped refrigerators, as demonstrated in the Trend Micro infographic “The Automated Home of Tomorrow: How Vulnerable is it to Cybercrime?” As such, these devices are open to attack, with serious consequences:

  • Hijacked security cameras would let attackers know when someone was out of the house.
  • Compromised cameras, along with smart TVs, could secretly record and post video to the public Internet.
  • A connected car infected with malware would obviously be a safety hazard.

Moreover, there’s the issue of how device manufacturers and Web companies handle the massive amounts of data collected by sensors and endpoints. Writing for Wired, Cade Metz examined the case of Dropcam – recently snatched up by Nest – and argued that by getting into the IoE business, leading technology firms such as Google could turn into honey pots from which government surveillance programs and cybercriminals alike could easily scrape sensitive information.

Securing the automated home with automated security systems
The sophistication of the connected home requires new approaches to cybersecurity. No longer are only a few discrete gadgets – a PC here, a smartphone there – connected to the Internet; instead, wide sections of infrastructure are linked by a common network.

Ensuring that an intruder doesn’t gain control over an in-home camera system or kitchen appliance will likely require measures beyond installing antivirus software on each endpoint. Trend Micro CTO Raimund Genes told ZDNet in 2008 that standalone blacklist-based anti-malware was already nearing end of life on PCs, which he predicted wouldn’t have the space to store all the myriad threat signatures that security solutions were routinely identifying. If that holds for PCs, it holds all the more for tiny CCTV cameras and thermostats.

Fully automated security systems are a good bet for workable IoE security. While DARPA’s competition for a truly human-free solution is still two years away, organizations can already get started with endpoint and network security tools that keep tabs on activity and screen out threats.

How the consumerization of technology impacts data security


Over the past few years, IT teams across nearly every industry have undergone a significant shift. The consumerization of technology is a trend that has deeply impacted how companies deal with their employees’ devices, as well as how they govern these endpoints and their sensitive data. IT consumerization has created several challenges that enterprises must deal with head-on in order to make the most of advanced systems while also ensuring the protection of company-owned information.

What is IT consumerization?
According to a CA Technologies whitepaper, IT consumerization is the result of several factors, chief among them the sharp rise in the use of consumer devices for work. BYOD programs have taken the corporate world by storm, as a growing number of employees bring their personal smartphones, tablets and laptops to work for business purposes.

“[U]sers are now demanding access to corporate information and applications on the devices that they use heavily in their personal life,” the whitepaper stated. “Many IT organizations initially resisted, but soon realized that the trend was inexorable, so they learned to adapt their IT processes to accommodate these new devices.”

The considerable growth of cloud services and social media sites has also affected businesses. CA Technologies noted that the rise of platforms like Facebook, Twitter and LinkedIn has made it possible for users to share information and communicate more readily, strengthening the connection between businesses and their customers.

Benefits of IT consumerization
Leveraging this type of approach comes with its share of benefits, including increased flexibility and productivity among staff members. BYOD initiatives enable workers to utilize devices that they have become familiar with in their personal lives for corporate pursuits as well. Due to this boosted mobility, employees can remain connected with their colleagues and with the information and resources they need to do their jobs from any location - even those outside of the office. In this way, workers have the freedom and flexibility to access mission-critical content from their preferred endpoints, and their company benefits from the resulting rise in production and collaboration. In fact, a recent Forrester study found that 12 percent of organizations saw a rise in productivity levels after deploying a BYOD initiative, Trend Micro reported.

IT consumerization challenges
However, to make the most of IT consumerization, companies must prepare for several challenges. TechTarget contributor Lisa Phifer noted that a central problem is that the consumer-grade devices staff use often lack the security controls a business setting requires, so they may not satisfy the IT policies already in place. Phifer pointed out, however, that administrators can layer extra security measures onto these devices, or block their access to certain resources.

“IT can establish acceptance criteria and embrace personal devices that meet requirements for business use,” Phifer wrote. “Not comfortable with devices running Android 4.1 or older? Block network, system and data access for those devices. Or, better yet, establish a policy that gives higher-risk devices limited access, such as virtualized interaction with corporate email.”

Another challenge to tackle is that of data loss, which can occur when employees’ smartphones or tablets are lost or stolen. A McAfee survey recently found that lost or stolen devices are one of the top concerns business leaders have about IT consumerization, with 58 percent noting worries connected with this issue, according to InfoSecurity.

If a device is misplaced or taken by a malicious individual, it puts company-owned intellectual property at risk. Phifer pointed out, however, that through encryption of sensitive materials and the use of tools like remote device wiping, administrators can effectively mitigate this threat.
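As an added illustration of the acceptance criteria and the encryption and remote-wipe requirements described above (example code written for this page, not from CA Technologies, TechTarget or Trend Micro), the following Python evaluator assigns each BYOD endpoint an access tier. Only the Android 4.1 cut-off comes from the text; the iOS floor, the tier names and the sample fleet are assumptions chosen for illustration.

```python
"""Added example, not code from CA Technologies, TechTarget or Trend Micro:
a device-acceptance evaluator of the kind Phifer describes. Each BYOD endpoint
is mapped to an access tier ("full", "limited" or "blocked") from its platform,
OS version, and whether it can be encrypted and remotely wiped."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Device:
    owner: str
    platform: str      # e.g. "android", "ios"
    os_version: str    # dotted string such as "4.1.2"
    encrypted: bool    # storage encryption enabled
    remote_wipe: bool  # enrolled for remote wipe


# Assumption: only the Android 4.1 cut-off comes from the page; the iOS
# floor and the tier names are chosen here for illustration.
MIN_OS_VERSION: Dict[str, Tuple[int, ...]] = {
    "android": (4, 2),  # "Android 4.1 or older" is too old
    "ios": (8, 0),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.1.2' -> (4, 1, 2); compared as integers, not as text."""
    parts = version.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"unparseable OS version: {version!r}")
    return tuple(int(p) for p in parts)


def access_tier(dev: Device) -> Tuple[str, List[str]]:
    """Return (tier, reasons). Rules are evaluated independently and the
    most restrictive result wins, so every failed criterion is reported."""
    reasons: List[str] = []
    tier = "full"

    floor = MIN_OS_VERSION.get(dev.platform.lower())
    if floor is None:
        # Unknown platform: no acceptance criteria exist, so do not admit it.
        return "blocked", [f"platform {dev.platform!r} not on the accepted list"]

    if parse_version(dev.os_version) < floor:
        # Phifer's "better yet": give higher-risk devices limited access
        # (e.g. virtualized corporate email) instead of a hard block.
        tier = "limited"
        reasons.append(f"{dev.platform} {dev.os_version} is below the supported floor")

    # A lost or stolen device is the top concern in the survey cited above;
    # without encryption and remote wipe, corporate data must not live on it.
    if not dev.encrypted:
        tier = "limited"
        reasons.append("storage is not encrypted")
    if not dev.remote_wipe:
        tier = "limited"
        reasons.append("device is not enrolled for remote wipe")

    return tier, reasons


def evaluate_fleet(devices: List[Device]) -> Dict[str, List[str]]:
    """Group device owners by the tier their device was assigned."""
    groups: Dict[str, List[str]] = {"full": [], "limited": [], "blocked": []}
    for dev in devices:
        tier, _ = access_tier(dev)
        groups[tier].append(dev.owner)
    return groups


# Constructed sample inventory (not real employees or devices).
SAMPLE_FLEET = [
    Device("alice", "android", "4.1.2", encrypted=True, remote_wipe=True),
    Device("bob", "android", "5.1", encrypted=True, remote_wipe=True),
    Device("carol", "ios", "8.4", encrypted=True, remote_wipe=False),
    Device("dave", "windowsphone", "8.1", encrypted=True, remote_wipe=True),
]

if __name__ == "__main__":
    for dev in SAMPLE_FLEET:
        tier, reasons = access_tier(dev)
        print(f"{dev.owner:6} {tier:8} {'; '.join(reasons) or 'meets all criteria'}")
```

Versions are compared as integer tuples so that 4.10 correctly ranks above 4.9; the evaluator returns every failed criterion rather than stopping at the first, which is what an enrollment portal needs in order to tell the user what to fix.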

Trend Micro also noted that attackers have caught on to the IT consumerization trend and are using several techniques to steal corporate data through employee devices. One is phishing email, which entices users into opening malware-laced attachments or links that can steal information. Visiting certain consumer websites from a work-enabled device can likewise expose it to compromise. Educating employees about these risks helps prevent them.

Know what to protect
Overall, companies can be ready for IT consumerization if they plan effectively. Administrators should have a full understanding of the sensitive data employees store and access on BYOD devices so that they know what needs to be protected. For example, Trend Micro noted that the additional operating systems on these endpoints, as well as data shared through applications and cloud services, must be safeguarded.

“Ultimately, you will need to decide how much control you need for your particular environment,” Trend Micro stated. “Regardless of the approach that you take, you can achieve complete end-user protection by gaining visibility across user activities and device usage.”

Hacking Team Adobe Flash Zero-Day


Here you will find the latest blogs from Trend Micro’s experts along with a comprehensive look at the latest zero-day exploit affecting all versions of Adobe Flash Player. We encourage you to scroll through the various blogs, provide comments and enjoy the in-depth knowledge that Trend Micro has to offer.

Please add your thoughts in the comments below and follow us on Twitter at @TrendMicro for real time updates.


July 15, 2015

ZD Net: Hacking Team stealthy spyware rootkit stays entrenched through hard disk removal

Softpedia: Hacking Team Malware Hides in UEFI BIOS to Survive PC Reinstalls

ZD Net: FBI used Hacking Team services to unmask Tor user

Computer World: Oracle fixes zero-day Java flaw and over 190 other vulnerabilities

Softpedia: Microsoft Fixes Critical Internet Explorer Security Flaw Found in Hacking Team Leak

KDrama Stars: Google And Mozilla Disable Flash In Browsers As Leaked Documents Reveal Program Has Serious Flaw!

July 14, 2015

CSO: Mozilla blocks Flash on Firefox due to Hacking Team exploits

The Hacker News: Hacking Team Spyware preloaded with UEFI BIOS Rootkit to Hide Itself

Yahoo News: Adobe promises fix for new Hacking Team zero-day exploits

CIO: Hacking Team’s malware uses UEFI rootkit to survive OS reinstalls

IT World: Hacking Team’s malware uses UEFI rootkit to survive OS reinstalls

Syracuse News: Firefox, Google Chrome block Adobe Flash over ‘critical’ zero-day security flaws

Tech News Today: Adobe Flash Gets Temporarily Killed Off By Mozilla Firefox

Softpedia: Adobe Updates Flash to 18.0.0.209 After Mozilla Blocks All Versions in Firefox

IDigital Times: How To Update Adobe Flash Player: New Patch Released To Fix Problems After Mozilla Blocks Flash And Facebook Calls For Its Death

July 13, 2015

ZD Net: Adobe promises patch for latest wave of critical Hacking Team zero-day exploits

Sentinel Republic: Adobe to patch Flash Player zero-day abused by

ZD Net: Two further critical Flash zero-days appear from Hacking Team breach

July 12, 2015

IT World: Second Flash Player zero-day exploit found in Hacking Team’s data

Network World: Second Flash Player zero-day exploit found in Hacking Team’s data

CIO Magazine: Second Flash Player zero-day exploit found in Hacking Team’s data

PC World: Second Flash Player zero-day exploit found in Hacking Team’s data

The huge cache of files recently leaked from Italian surveillance software maker Hacking Team is the gift that keeps on giving for attackers. Researchers sifting through the data found a new exploit for a previously unknown vulnerability in Adobe’s Flash Player.

July 10, 2015

Security Week: The Adobe Flash Player exploit stolen by hackers from spyware maker Hacking Team has been leveraged by advanced persistent threat (APT) groups, according to security solutions provider Volexity.

Tech Times:  Hacking Team Warns Hacked Data And Codes Can Be Used By Cybercriminals And Terrorists

Cyber Defense Magazine: Security experts at Trend Micro revealed that one of the exploits discovered in the Hacking Team package tied to Attacks In Korea and Japan.

Following the recent hack of the popular surveillance firm Hacking Team, experts started analyzing the material leaked online by the attackers. The leaked package also includes a number of exploits used by the company to compromise targeted systems by exploiting flaws in Adobe Flash and Internet Explorer.

July 8th, 2015

Business Insider: A hacker cartel is using a mysterious Flash vulnerability to steal sensitive business data

VentureBeat: Adobe confirms Flash vulnerability found via Hacking Team leak, issues patch for Windows, Mac, and Linux (Updated)

In the past fortnight a wave of vulnerabilities has been uncovered in Adobe Flash. Researchers at Trend Micro uncovered a Flash flaw being used by hackers to run an online blackmail scam earlier today.

Read more: http://www.businessinsider.com/wild-neutron-facebook-and-microsoft-hackers-return-2015-7#ixzz3fKexXP9F

Adobe today released a security bulletin confirming a vulnerability in all versions of its Flash product for Windows, Mac, and Linux. The company says it is aware of reports that an exploit targeting this vulnerability has been publicly published, and it plans to release a patch on July 8, 2015.

Krebs on Security: Adobe to Patch Hacking Team’s Flash Zero-Day

Adobe Systems Inc. says its plans to issue a patch on Wednesday to fix a zero-day vulnerability in its Flash Player software that is reportedly being exploited in active attacks.

Value Walk: Adobe Closing Flash Hole After Hacking Team Leak

Three hacking kits related to the bug have already been published by cyber attackers, according to security software company Trend Micro, and it seems strange that Hacking Team would not have immediately informed Adobe about the discovery of such a flaw.

ZDNet: Adobe tackles Hacking Team zero-day vulnerability

Adobe is rapidly creating a fix for a critical vulnerability affecting Flash Player which was only discovered after a hacker broke into Hacking Team’s systems.

Business Insider: The Hacking Team leaks taught criminals a new way to hijack computers

The Adobe Flash zero day vulnerability was uncovered by researchers at security firm Trend Micro, who claimed to have found it while examining leaked documents from software company, Hacking Team.

Forbes: Hacking Team Adobe Flash Zero-Day Exploited By Money-Hungry Criminals

In recent years, crypto luminary Bruce Schneier has noted that today’s surveillance tools are tomorrow’s cybercriminal playthings. Hacking Team has offered proof of that, as one of its zero-days – unpatched and previously-unknown software vulnerabilities – is being exploited by crooks.

CNET: Adobe tackles Hacking Team zero-day vulnerability

Servers belonging to surveillance firm Hacking Team were infiltrated over the weekend. In an attack the company called “sophisticated” which “took days or weeks to accomplish,” a hacker walked away with over 400 gigabytes of corporate data.

BBC: Adobe tackles new Flash threat after Hacking Team leak

Security software company Trend Micro said the flaw had been included in at least three “exploit kits” – collections of computer code and tools that can help attackers spread malicious software.

CSO Online: Adobe to patch Flash 0-Day created by Hacking Team

There have been additional developments in the Hacking Team story, the latest being that the Adobe Flash vulnerability discovered in the 400GB cache of documents has been picked up by the Neutrino and Angler exploit kits.

Pulse Headlines: Attackers steal Hacking Team’s Flash software and posted the stolen data online

Hacking Team is an Italian firm that sells spying software to intelligence agencies everywhere in the world. But the fact that the software was stolen before being posted online indicated Hacking Team knew of a flaw in the software without telling Adobe, the original manufacturer.

Infosecurity Magazine: Adobe to Patch Hacking Team Flash Player Bug

A critical Flash Player bug used by notorious surveillance software firm Hacking Team and made available in a data dump on Sunday will be patched on Wednesday after being spotted in active exploits, Adobe has confirmed.

Betanews: Adobe recognizes major Flash vulnerability, will patch it today

The vulnerability, first spotted by security firm Trend Micro, is the aftermath of a mega security breach at Hacking Team. The infamous group that offered hacking services to spy agencies was hacked earlier this week, and most of its internal documents — consisting of 400GB of emails, source code, client lists, invoices etc — were made available to the public.

BankInfoSecurity: Hacking Team Zero-Day Attack Hits Flash

Security experts have sounded that alert in the wake of reports that at least three exploit kits – automated software built by and for cybercriminals to automatically infect PCs on an industrial scale – have already incorporated the leaked Adobe Flash zero-day flaw. Researchers are also warning that the dump contains a zero-day Windows exploit, as well as a Flash exploit for CVE-2015-0349, which was patched by Adobe in April. The exploits could have been used by Hacking Team’s customers to sneak the surveillance software vendor’s spyware onto targets’ PCs.

Crazy Engineers: Adobe Flash Player Zero-Day Vulnerability Exposed In Hacking Team Leaked Files

Hacked files from Italy-based spying software development firm, Hacking Team have exposed a critical vulnerability in the widely used browser plug-in, the Adobe Flash Player. Two days ago, unidentified hackers managed to break into the Milan-based IT firm and steal 400GB of confidential company data.

TechCrunch: Adobe Is Patching A Hole The Hacking Team Used To Exploit Flash

Many companies have best practices and the Hacking Team, the “computer security experts” who sold hacking tools to various federal and state agencies around the world, are no exception. Their database of information includes a number of interesting hacking tips, including mention of a 0-day, unpatched hole in Adobe Flash that the company is currently closing.

July 7th, 2015

ZDNet: Unpatched Flash exploits unveiled in Hacking Team data dump

A number of exploits and their coding is contained within the leaked file, according to Trend Micro researchers. In an analysis of the dump, the security team says there is “at least” three exploits, including several which target Adobe Flash Player and Microsoft’s Windows operating system.

PC World: Researchers find previously unknown exploits among Hacking Team’s leaked files

Researchers sifting through 400GB of data recently leaked from Hacking Team, an Italian company that sells computer surveillance software to government agencies from around the world, have already found an exploit for an unpatched vulnerability in Flash Player.

What you need to know about the Hacking Team Flash Zero Day


There has been a lot of discussion in the past few days about the successful attack against the Hacking Team in Italy and the release of their data as a result of that attack.

The most important thing that people need to be aware of is that this attack has resulted in the public disclosure of another, new, vulnerability affecting Adobe Flash. When the vulnerability was disclosed there was no patch available to fix this vulnerability making this a zero-day vulnerability.

Overnight, our researchers have found that attackers have shifted into overdrive to include this new vulnerability into exploit kits to weaponize it. The most serious risk is that this attack will be used to compromise third-party advertising servers, consistent with a trend we’ve seen in the first quarter of 2015.

Trend Micro customers have been protected against this threat three ways:

  • Trend Micro™ Deep Discovery: The existing Sandbox with Script Analyzer engine can be used to detect this threat by its behavior without any engine or pattern updates.
  • Trend Micro™ Security, Trend Micro™ Smart Protection Suites, and Worry-Free Business Security: The Browser Exploit Prevention feature blocks the exploit once the user accesses the URL it is hosted in. Browser Exploit Prevention protects against exploits that target browsers or related plugins.
  • Trend Micro™ Deep Security and Trend Micro OfficeScan: Vulnerability Protection now provides protection against this vulnerability with the following rule:
    • 1006824  – Adobe Flash ActionScript3 ByteArray Use After Free Vulnerability


As of July 8, Adobe has made an update available to address this vulnerability, so anyone using Flash should apply it right away.
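An added example (not Trend Micro’s code) of the check an administrator would run once that update is out: triage a host inventory by the Flash Player build each host reports, comparing builds numerically rather than as strings. The fixed build number 18.0.0.209 is an assumption taken from the July 14 Softpedia headline listed earlier on this page; substitute the build named in the current Adobe bulletin. The inventory records are constructed.

```python
"""Added example, not Trend Micro's code: triage a host inventory by installed
Flash Player build, comparing versions numerically so that 18.0.0.23 ranks
below 18.0.0.209 (a plain string compare gets this wrong)."""
from typing import Dict, List, Optional, Tuple

# Assumption: the fixed build number is the one named in the July 14 Softpedia
# headline on this page ("Adobe Updates Flash to 18.0.0.209"); replace it with
# the build from the current Adobe security bulletin before use.
FIXED_FLASH_BUILD = "18.0.0.209"


def parse_build(build: str) -> Tuple[int, ...]:
    """'18.0.0.209' -> (18, 0, 0, 209). Raises ValueError on junk input."""
    parts = build.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"unparseable build string: {build!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_FLASH_BUILD) -> bool:
    """True when the installed build is older than the fixed build."""
    a, b = parse_build(installed), parse_build(fixed)
    width = max(len(a), len(b))          # treat 18.0.0 as 18.0.0.0
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def triage(inventory: List[Tuple[str, Optional[str]]],
           fixed: str = FIXED_FLASH_BUILD) -> Dict[str, List[str]]:
    """Sort (hostname, build-or-None) pairs into action buckets.

    patch   : Flash present and older than the fixed build
    ok      : Flash present and at or above the fixed build
    absent  : no Flash installed (nothing to patch or disable)
    unknown : build string could not be parsed; treat as vulnerable until
              an inventory agent reports a usable value
    """
    buckets: Dict[str, List[str]] = {"patch": [], "ok": [], "absent": [], "unknown": []}
    for host, build in inventory:
        if build is None:
            buckets["absent"].append(host)
            continue
        try:
            vulnerable = is_vulnerable(build, fixed)
        except ValueError:
            buckets["unknown"].append(host)
            continue
        buckets["patch" if vulnerable else "ok"].append(host)
    return buckets


# Constructed inventory records (hostname, reported Flash build); not real hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "18.0.0.203"),
    ("ws-02", "18.0.0.209"),
    ("ws-03", "18.0.0.23"),   # a string compare would wrongly call this newer
    ("ws-04", "17.0.0.190"),
    ("ws-05", None),
    ("ws-06", "n/a"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:8} {', '.join(hosts) or '-'}")
```

Hosts in the patch bucket should be updated or, as the later posts on this page advise, have the plugin disabled until they are; unparsable entries are kept in their own bucket rather than silently counted as safe.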

Our researchers have also found evidence indicating that this vulnerability was being used in limited attacks against people in Korea and Japan on July 1, BEFORE the Hacking Team attack information was made public on July 4. There’s some possible indication that attacks using this vulnerability even started as early as June 22, though we can’t confirm this. While we can’t conclusively prove it, there are signs to indicate the possibility that these early, limited attacks trace back to the data theft from the Hacking Team (the attacks have a similar structure to code leaked from the Hacking Team).

Whether these early attacks trace to the Hacking Team or not, one message is clear—this situation underscores the risk from “hoarding” vulnerabilities rather than reporting them to the vendor or software development project so they can be addressed.

Our researchers are continuing to follow this situation and we will provide updates when we have more information.

Trend Micro: Proud Member of the AWS SaaS Partner Program

Data should be encrypted before being stored in the cloud.

At Trend Micro, we’ve always prided ourselves on being innovators in security. A few years ago, we identified cloud computing as the next big trend and started investing. We invested both in building security solutions for our customers moving to the cloud and in delivering Security as a Service solutions from the cloud. When it comes to the cloud, there’s none bigger than AWS, which is why we’re delighted to announce Trend Micro’s participation in the AWS Software as a Service (SaaS) Partner Program. Working together under a shared responsibility model, we can make businesses all over the world more agile, productive and secure.

The Deep Security difference

But while the cloud offers unparalleled efficiency gains, cost savings and innovation potential, there are risks. We face an online opponent more determined, better resourced and more capable than ever before. Vulnerabilities are found and exploited in ever-greater volumes, sophisticated attacks are crafted to evade traditional security tools, and resource-poor IT managers are stretched to breaking point. Virtual and cloud environments bring challenges of their own: inter-VM attacks, instant-on gaps, security “storms” and the like.

That’s why Trend Micro built Deep Security – our flagship protection platform designed to protect physical, virtual and cloud environments from a centralized, single pane of glass. Its industry-leading virtual-ready architecture features hypervisor-level scanning, virtual patching and other functionality to protect against the most advanced threats around, while accelerating cloud ROI, preventing business disruption and supporting compliance efforts.

The power of AWS

Trend Micro is proud to be an AWS SaaS Partner. The performance, cost efficiency, global reach, and reliability of its industry-leading cloud computing platforms have enabled us to build Deep Security as a Service – a SaaS solution designed to augment strong existing AWS security with highly flexible, scalable threat protection for AWS workloads. We used virtually every AWS service available to architect the offering, including Amazon EC2, Amazon EBS, Amazon S3, Route 53, AWS Trusted Advisor, Amazon RDS, Amazon Elastic Load Balancer, and AWS Premium Support.

Here are just a few of the benefits we’ve already witnessed:

  • Reduced time for product updates – from weeks to 1-2 days
  • Reduced time to deployment
  • AWS Test Drive helped us explain the benefits of Deep Security to customers in an educational manner
  • Ability to spin up new test environments with ease improved our code quality
  • AWS integration into the back-end development process improved our development lifecycle
  • Excellent cost savings and flexibility enabled us to move the majority of internal workloads to AWS
  • Superb back-up capabilities in Amazon RDS provide high assurance levels


With AWS, you get unrivalled operational performance, reliability, cost efficiency and security. We look forward to continuing to grow this relationship and to taking advantage of these and other benefits to offer industry-leading protection for our customers’ mission-critical AWS workloads.


The Latest on the OPM Hack: 21 Million Affected


The United States Office of Personnel Management (OPM) has just released the latest details from their ongoing investigation into the attacks against their systems. Today’s announcement represents a significant escalation in the number of people affected and the risk victims face. Everyone who works or has worked for the federal government as an employee or contractor should take immediate action to protect themselves.

OPM is reporting that “sensitive information” for 21.5 million people was stolen. This impacts 19.7 million current, former and prospective federal employees and contractors who underwent background checks since 2000. It also affects 1.8 million people who didn’t undergo clearance checks but were related or associated with those who had, such as spouses, domestic partners, etc.

The list of “sensitive information” that has been compromised includes:

  • Social Security Numbers
  • Residency and educational history
  • Employment history
  • Information about immediate family, other personal and business acquaintances
  • Health, criminal and financial history
  • Usernames and passwords applicants used to complete background investigation forms

OPM notes that some records also include findings from background interviews conducted by investigators as part of the clearance process. Approximately 1.1 million people’s fingerprints were also compromised.

All of this represents highly sensitive personal information that can be used to facilitate identity theft. In addition, the information found in investigators’ findings could be used for blackmail, extortion or other nefarious purposes.

It’s important to understand that this data loss is separate from, but related to, the one affecting 4.2 million current and former federal employees. This loss is much more serious in terms of both the scope of information and its volume. There is overlap as well: people can potentially be victimized by both events.

The federal government promises three years of aggressive credit and identity theft monitoring and protection to victims. Anyone eligible should take advantage of this as soon as possible.

The investigations into both events will continue, meaning there could be more victims identified. And unfortunately, it could be found to be worse than originally thought.

The call-to-action is clear. If you work or have worked for the United States federal government as an employee or contractor, you should take immediate action and assume the worst until you obtain credible information to the contrary. Initiate credit and identity theft monitoring now and diligently look for signs of identity theft or fraud. Be on the lookout for phishing or voice phishing (vishing) attacks, which typically follow the release of this sort of information.

Finally, utilizing modern security software on all your computers and devices is critical as well to help protect against attacks trying to use this information.

Please add your thoughts in the comments below or follow me on Twitter; @ChristopherBudd.

This Week in Security News


Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days.

Below you’ll find a quick recap of topics followed by links to news articles and/or our blog posts providing additional insight. Be sure to check back each Friday for highlights of the goings-on each week!


The Hacking Team Leaks Taught Criminals a New Way to Hijack Computers

Hackers are using a previously unknown vulnerability in Adobe’s widely used Flash software to install blackmailing malware on victims’ machines.

NYSE ‘Glitch’ Raises Concerns About U.S. Cybersecurity

Multiple outages attributed to technology glitches, including one at the NYSE, raised serious cybersecurity concerns Wednesday. Crisis communications need to be planned in advance for such inevitable disruptions, whether glitch or attack, to limit their impact in the future.

The Latest Update on the OPM Hack Indicates 21 Million have been Affected

OPM is reporting that “sensitive information” for 21.5 million people was stolen. This impacts 19.7 million current, former and prospective federal employees and contractors who underwent background checks since 2000.

Cybersecurity is Poised to Play a Bigger Role in the 2016 US Presidential Elections

Recent statements by presidential candidates mark the growing political significance of cybersecurity, an issue that some experts say could play an important, though not yet central, role in campaign discourse leading up to the 2016 elections.

The Future of Mobile Payments Awaits Your Fingerprints

Although only 3% to 7% of consumers are using their phones for in-store purchases, that number is expected to swell by 2017 as almost half of the projected $90 billion in mobile payments is expected to come from waving a mobile device instead of swiping a credit card.

New Chinese Law Would Let Authorities Cut Internet Access During Public-Security Emergencies

China has released a draft cybersecurity law that seeks to beef up Beijing’s ability to guard against cyberthreats and protect data on Chinese users, while also tightening controls over the Internet.

Gartner Predicts the World Will Spend $101 Billion on Information Security in 2018

The worldwide cybersecurity market continues to grow and grow as defined by market sizing estimates that range from $75 billion in 2015 to $170 billion by 2020.

The University of San Diego Announced a New Cybersecurity Degree Program

The degree programs will be designed for working professionals, and will be taught by USD faculty and cyber professionals who bring decades of current and real-world experience to their students.

Please add your thoughts in the comments below or follow me on Twitter; @GavinDonovan.


Update: Hacking Team Flash Zero Day – Not Out of the Woods


On Wednesday, Adobe released a new version of Flash to address the zero-day vulnerability that was disclosed as part of the Hacking Team attack last weekend.

Unfortunately, our researchers overnight have found another, new unpatched vulnerability affecting Adobe Flash that is a result of the Hacking Team attack.

Our researchers have notified Adobe and they are aware of the situation and are working on a new update to address this vulnerability.

At this time we have not seen this new vulnerability added to exploit kits, as the other Hacking Team vulnerability was. We have only seen proof-of-concept (PoC) code: code that demonstrates the vulnerability exists but does not itself carry out an attack. PoCs are the first step toward actual attacks, so this situation could escalate quickly in the next few days.

Until an update is released, you should consider disabling Flash. We will update this blog and our Security Intelligence blog with more information as it develops.

Update: The Hacking Team Flash Zero-Day Trifecta


Trend Micro’s researchers have reported to the Adobe Security Team a third zero-day vulnerability (CVE-2015-5123) in Adobe Flash, another result of last week’s Hacking Team attack.

Similar to the second Adobe Flash vulnerability discussed on Saturday, we have identified proof of concept (PoC) code; however, it has not yet been seen in active attacks or added to exploit kits like the first Adobe zero-day vulnerability, also spawned from the Hacking Team compromise.

Adobe has updated its security advisory with this information and is addressing both of these vulnerabilities through updates this coming week.

Until an update is available, users should consider disabling Adobe Flash.

In light of the Java zero-day attack we also discovered and discussed, disabling both Flash and Java is advisable. Extra caution should be exercised for the foreseeable future, and special attention paid to the possibility of compromised ad servers.

As we’ve outlined in our Q1 2015 Threat Report, malvertising has made a comeback recently, especially leveraging zero-day vulnerabilities in Adobe Flash. Flash and Java vulnerabilities are particularly well-suited for malvertising attacks, so we could possibly see these vulnerabilities incorporated into exploit kits that, in turn, are used to attack ad servers.


Please add your thoughts in the comments below or follow me on Twitter: @ChristopherBudd.

Pawn Storm: First Java Zero-Day Attack in Two Years Targets NATO & US Defense Organizations


Overnight, Trend Micro’s research teams identified a new attack in the ongoing Pawn Storm campaign that is focused on high-profile, sensitive targets. The Trend Micro™ Smart Protection Network™ has enabled us to identify email messages targeting a NATO member as well as a US defense organization.

This latest Pawn Storm attack is also notable because it is being carried out using a new, unpatched vulnerability in Oracle’s Java, making this the first known zero-day attack against Java since 2013. The attack also leverages a three-year-old vulnerability in Microsoft Windows Common Controls, CVE-2012-015, which is addressed in MS12-027.

Our researchers have reported this vulnerability to Oracle and are working with them to address it.

Until a patch is available, we recommend disabling Java. For additional information, you can also view our write-up on how to better protect yourself when using Java: How to Use Java – If You Must.

We will continue to monitor this situation and provide updates when we have them.


Please add your thoughts in the comments below or follow me on Twitter: @ChristopherBudd.

How Online Crime Gets Online and Stays Online: Bulletproof Hosting Services

What can businesses do to protect themselves against a criminal industry that's growing to $2 trillion?

Online crime is a big business. Various estimates put the total cost of online crime worldwide in the hundreds of billions of dollars.

At Trend Micro, we’ve analyzed different aspects of online crime in depth. We’ve looked at the cybercrime underground economies of Russia, China and Brazil. And recently we’ve completed a comprehensive census and analysis of the Deep Web.

In understanding online crime it’s easy to overlook the most critical piece that enables it in the first place. The entities that give online criminals their online presence are the linchpin: if criminals can’t get and stay online, there is no online crime. The hosting services that online criminals rely on are a key part of the equation. But like the infrastructure of legitimate Internet business, these hosting services are often at best an afterthought.

As part of our goal of enabling a better understanding of the threat environment and of online criminals, our Forward-Looking Threat Research (FTR) team has just completed a new paper that explains in detail how these hosting services that cater to criminals operate.

These services are popularly known as “Bulletproof Hosting Services” because one of their specialty offerings is to evade and thwart attempts to bring these malicious and/or criminal sites down. And like so much else related to the cybercrime underground economy these days, these services are achieving a level of capability and professionalism that matches that of their legitimate business counterparts.

In our new paper, our researchers explain the different kinds of offerings that bulletproof hosting services provide. Whether you’re looking for someone to host your malware, your command and control (C&C) server, even child pornography, for the right price, there’s someone out there who will not only put your content online but help keep it online.

One of the most interesting things our research shows is that bulletproof hosting services aren’t completely free of rules and guidelines. Like criminals in Fritz Lang’s movie “M”, most bulletproof hosting services draw the line where children are concerned: they won’t allow customers to post content that exploits children. And bulletproof hosting services regularly prohibit their customers from attacking people or organizations in their own country: a smart tactic that makes it less likely the local law enforcement will devote time and attention to shutting them down.

These are just some of the important facts about this critical but often-overlooked criminal enterprise that our new paper details. To get a fuller picture, be sure to read the full report.

Please add your thoughts in the comments below or follow me on Twitter: @ChristopherBudd.

What Smart Device Makers Must Do to Drive the IoT Revolution


From fitness trackers to head-mounted displays and even connected home appliances, the Internet of Things (IoT) and smart devices are commanding serious column inches in the media these days. But the reality, according to research commissioned by Trend Micro earlier this year, is that adoption is still on the low side. Can we expect this to change? In all likelihood – yes, as the reality hits home that this proliferation of Internet-connected smart devices has the potential to make our lives richer and more productive.

But security and privacy concerns remain a major barrier for IoT manufacturers. So how exactly can they take steps to allay these concerns and drive adoption?

Adoption rising

What many don’t realize is that adoption of IoT is not as high as media reports make it out to be. In conjunction with the Ponemon Institute, we interviewed more than 700 U.S. consumers to compile our study, Privacy and Security in a Connected Life. It found that 95 percent of them had “no plans” to use Google Glass, and 94 percent had no plans to use smart security systems for their homes. The figure was similarly high when it came to smart home thermostats (91%), fitness trackers (91%) and connected kitchen appliances (83%).

However, we believe this is unlikely to remain the case for long. A recent study of 2,000 U.S. consumers by digital marketers Acquity Group found that adoption of IoT technology is “inevitable” as compelling new B2B and B2C use cases emerge. It claimed that nearly two-thirds of consumers plan to buy a connected home device in the next five years and ownership of wearables will double by next year, reaching an adoption rate of 28 percent.

Now for the barriers

Major barriers to IoT acceptance persist. Concerns over privacy were expressed by nearly a quarter (23%) of consumers when it came to IoT devices and slightly fewer (19%) for wearables, according to Acquity Group. A majority of those asked by Trend Micro (54%) were either unsure (15%) or didn’t believe (39%) that the benefits of IoT outweighed their security and privacy concerns.

Part of the uncertainty stems from a lack of communication by the smart device vendors about how, where and for how long consumer data is used, which left respondents feeling confused and concerned. But there’s also a real fear that security faults in devices themselves and the ecosystems built around them could cause them to malfunction or even allow hackers to subvert the systems. As IoT assumes an increasingly central role in our lives such concerns will only grow.

Time for action

According to the Acquity Group, incentivizing consumers with “coupons for helpful information” would make them more open to data sharing with third parties. But according to our survey, consumers are more worried about IoT security (75%) than privacy (44%).

So what can IoT manufacturers do to improve security and ease privacy concerns?

  • Follow a principle of “security by design” – building in defences from the start rather than tacking them on once a product has been designed
  • Minimize the amount of data you collect and limit the duration it is kept to lower the risk of a damaging breach
  • Build a layered security approach to cyber defence, from endpoints to advanced detection of targeted threats on the network
  • Ensure all employees are well trained and understand the importance of cybersecurity
  • Hold contractors and other third parties to the same high security standards as internal employees
  • Enforce tight access controls along the lines of “least privilege”
  • Provide security patches to devices as soon as serious issues become known