Recently, there have been instances of travelers’ laptops being infected with malicious software while using hotel Internet connections. In these instances, the traveler was attempting to set up the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.

The FBI recommends that all government, private industry, and academic personnel who travel abroad take extra caution before updating software products through their hotel Internet connection. Checking the author or digital certificate of any prompted update to see if it corresponds to the software vendor may reveal an attempted attack. The FBI also recommends that travelers perform software updates on laptops immediately before traveling, and that they download software updates directly from the software vendor’s website if updates are necessary while abroad.

Anyone who believes they have been a target of this type of attack should immediately contact their local FBI office and promptly report it to the IC3’s website at www.IC3.gov. The IC3’s complaint database links complaints together to refer them to the appropriate law enforcement agency for case consideration. The complaint information is also used to identify emerging trends and patterns.

Source: www.fbi.gov

That’s the gist of a new report from the Information Security Forum entitled Threat Horizon 2014: Managing Riskes When Threats Collide.

“While individual threats will continue to pose a risk, there is even more danger when they combine, such as when organized criminals adopt techniques developed by online activists,” Steve Durbin, global vice president of the Information Security Forum, said in announcing the report. “Traditional risk management is insufficiently agile to deal with the potential impacts from activity in cyberspace.”

The report categorizes 10 threats in three basic areas: external, regulatory and internal, including:

External Threats

1. Cyber criminality increases as the malware space matures: The sophistication and scale of the global industry that has evolved to commit cybercrime, espionage and other malevolent activity will grow and develop.

2. The cyber arms race leads to a cyber cold war: Nations developing more sophisticated ways to attack via cyberspace will get better at it, those who haven’t will start, and organizations will suffer collateral damage. Targets for espionage will include anyone whose intellectual property can turn a profit or confer an advantage.

3. More causes come online; activists get more active: Anyone not using the Internet to advance their cause will start: customer affinity groups, community associations, terrorists, dictators, political parties, urban gangs – the list is endless. Online organizing will become easier and protest channels will be available to greater numbers.

4. Cyberspace gets physical: The increasing convergence of cyber and physical worlds will bring more attacks on physical systems, from attempts to turn out lights or climate control systems to disrupting manufacturing systems. Whether attacks are successful or not, credible publicised threats will cause disruption and panic.

Regulatory Threats

5. New requirements shine a light in dark corners exposing weaknesses: Further movement toward increasingly transparent security disclosures will publicize weaknesses, making organizations more vulnerable to attack. Organizations forced to report security risks may have as much to fear from customers and business partners as they do from hackers and regulators.

6. A focus on privacy distracts from other security efforts: New privacy requirements from consumers, business customers and regulators impose a heavy compliance burden. Organizations will need to decide whether to invest in the necessary security and legal controls, outsource to someone who can or exit certain markets. They will also need to consider the message their actions send to their customers.

Internal Threats

7. Cost pressures stifle critical investment: An undervalued function can’t keep up. It would be normal to see investment increase after the prolonged downturn, but some economies are still struggling. Even organizations that are increasing security spending have a legacy of under-investment that can’t be corrected overnight. But cyber criminals have been investing, and it will become easier and less expensive to buy criminal technology and services.

8. A clouded understanding leads to an outsourced mess. Continued cost pressure will lead to a new form of digital divide: between organizations that understand the marriage between IT and information security – and everyone else. Leading organizations will appreciate the strategic value of channels, systems and information and will invest; the others will suffer competitive disadvantage and heightened risk of damaging incidents.

9. New technologies overwhelm: Organizations are unlikely to slow their adoption of new technology or decrease their participation in cyberspace. Along with business benefits come potential vulnerabilities and methods for attack, and organizations will continue to be hit. Organizations that don’t understand their dependence on technology may have a nasty surprise if it leads them astray or suddenly goes offline.

10. The supply chain springs a leak as the insider threat comes from outside: A modern organization’s data are spread across many parties, and more organizations will fall victim to incidents at suppliers. This will increase as organizations further digitize supply chains, outsource functions and rely on external advisers. 3D printers create three-dimensional products from digital blueprints – increasing the theft of intellectual property, the frequency of attacks and the amount of counterfeit product on the market.

Durbin says organizations are being left behind, with some seeing their finances and reputations damaged because of the speed and complexity of the threat landscape. “They need to take stock now to ensure they are fully prepared and engaged,” he says.

The Information Security Forum is global, independent, industry-supported, not-for-profit association that investigates, clarifies and resolves issues in cyber, information security and risk management and develops best practice methodologies, processes and solutions.

Here are five helpful tips from the IRS:

1. The IRS never asks for detailed, personal or financial information like PIN numbers, passwords or similar secret access information for credit card, bank or other financial accounts.
2. The IRS does not initiate contact with taxpayers by email to request personal or financial information. If you receive an e-mail from someone claiming to be the IRS or directing you to an IRS site:

• Do not reply to the message.
• Do not open any attachments. Attachments may contain malicious code that will infect your computer.
• Do not click on any links. If you clicked on links in a suspicious e-mail or phishing website and entered confidential information, visit the IRS website and enter the search term ‘identity theft’ for more information and helpful resources.

1. The address of the official IRS website is www.irs.gov. Do not be confused or misled by those sites claiming to be the IRS with web addresses ending in .com, .net, .org or other designations instead of .gov. If you discover a website claiming to be the IRS but it seems suspicious, do not provide any personal information on the site and report it to the IRS.
2. If you receive a phone call, fax or letter in the mail from an individual claiming to be from the IRS but you suspect they are not an IRS employee, contact the IRS at 1-800-829-1040 to determine if the IRS has a legitimate need to contact you. Report any bogus correspondence. You can forward suspicious emails to phishing@irs.gov.
3. You can help shut down these schemes and prevent others from being victimized. Details on how to report specific types of scams and what to do if you’ve been victimized are available at www.irs.gov. Click on “phishing” on the home page.

Source: IRS.gov

Click here to view the guide.

Click on this link to read the latest FDIC Consumer Newsletter.

To protect the confidentiality of your personal account information contained in future electronic mail, Parkside Financial Bank & Trust will be sending emails that contain protected client information through Parkside’s secure email system.  This system uses encryption to protect your information from being viewed by someone else as it is transmitted across the Internet. 

Here’s how the secure email system works:

1.  The first time you receive a secure email, you will be invited to register with the secure email system by creating a password that you will use each time you view a secure email.  You will also enter three security questions that will help you reset your password if you forget it.

2.  When we send you secure emails in the future, you will receive a secure email notification.

3.  To read the message, simply open the attachment and enter your password.  You will then be able to view the message and any attachments.

4.  Once you have registered, you will only need to click to open the attachment and enter your password to view future secure messages.

Below is a link to instructions for enrolling and opening secure email from Parkside.  Please contact us should you have any questions.

Receiving Secure Email from Parkside

Thank you.



Source: SECURITYWEEK

Europe has quickly caught on to the perceived invasion of privacy that location services pose on mobile device users. The U.K,’s Data Protection Act sets limits on location data collection. A person’s location in the U.K. can only be traced to the physical address of their Internet service provider. Many European Union countries have privacy laws in place regulating how Google, Yahoo and other tech firms can tag the location of individuals to provide relevant location-based content.

Many people believe the data could be abused. A device user’s location can be an extremely valuable piece of data for marketers. It also can add important and valuable functionality for certain applications. In April, Apple came under fire when a researcher discovered a file on the iPhone that contained a record of everywhere a user had been. Apple said it had never tracked users locations and it quickly updated its firmware to eliminate the data leakage.

Andrew Jaquith, CTO of Perimeter E-Security predicts the U.S. will follow Europe with a new privacy protection law in 2012. Privacy protection legislation will mostly address location-based services, but look for loopholes put in place for mobile carriers and other entities, Jaquith said.

“We’re going to see indiscriminant use of location-based information become a crime,” Jaquith said.

Other experts predict cybercriminals could eventually latch onto this location-based services trend with malware and other tricks that take advantage of location data to trick users into giving up more sensitive information about themselves, including account credentials.

2. Excessive permissions

Application permission requests were built into mobile platforms as a way to improve security, but those notifications, which require the end user to confirm an application’s breadth on a device, are being largely disregarded by device users. People are quick to choose functionality over security and privacy, said James Lyne, senior technologist at U.K.-based Sophos. Most device owners continue to give applications elevated privileges and that means the latest game they downloaded may have the functionality to tap into the device’s messaging app or location data.

“We don’t yet have the same security concerns and paranoia on the mobile device,” Lyne said. “As long as users think these devices are magically secure, they’re much more likely to fall for basic attacks.”

The permissions model isn’t perfect, but it does increase transparency, Lyne said. In November a researcher discovered a rogue mobile carrier diagnostics application running stealthily on some mobile devices. Carrier IQ software was placed on some devices by mobile carriers, but the software was not always optional, and in many cases users didn’t even know it was on their devices. Security and privacy advocates were outraged because the software could report GPS location data, record which dialer buttons were being pressed and the URLs being visited by device owners.

Any service provider is going to want to be able to track the usage of their network and their systems to improve and diagnose failures, said Veracode’s Wysopal. “The problem is people were surprised because it wasn’t disclosed to them,” Wysopal said. “It should be really clear what it’s used for, when it is turned on and what it collects so it’s not a mystery for anybody.”

3. Mobile application vulnerabilities

Researchers have been warning that the Google Android and Apple iOS app stores have given rise to a new crop of mobile application developers. Mobile application frameworks lack maturity, and when combined with the need for speed, that has resulted in applications with shoddy code, flaws and functionality that is not needed. Some developers churn out new mobile applications too quickly, Wysopal said. “We have customers who tell us they actually built their mobile app in two weeks. … That’s an indicator that a lot of security thinking isn’t going into this kind of development.”

Researchers studying mobile applications are finding a lot of coding errors. In an analysis conducted by researchers Mike Zusman and Zach Lanier of New York-based security consultancy Intrepidus Group, many applications had hidden coding errors that could lead to data leakage or privilege-escalation vulnerabilities. Speed leads to costly mistakes, such as authentication or authorization errors, poor file-system permissions and application permissions that are too lax, Lanier told SearchSecurity.com.

4. Unsecure Wi-Fi

At the airport or the local café, most devices automatically roam for the nearest open Wi-Fi hotspot. Unfortunately, automated tools make it easy for just about anyone to snoop on people or even take over their browsing session. Researchers have demonstrated that by using basic tools of the trade they could take over a person’s unsecure webmail session, Twitter or other social media account. Many services, including Google, have responded, supporting encrypted sessions that protect users on open Wi-Fi, but the threat remains.

The fear is that websites that don’t use SSL/TLS encryption correctly could be putting smartphone users at risk to a well-known Wi-Fi hotspot attack called sidejacking, network security expert Lisa Phifer told SearchSecurity.com in August. Last year, an automated tool called Firesheep was developed as a simple Mozilla Firefox plug-in that automates session hijacking attacks over unsecured Wi-Fi networks. The packet sniffer could analyze traffic between a Wi-Fi router and a person’s laptop or smartphone. Phifer said the tool reduces sidejacking to “point-and-click” simplicity on any network where other Web user’s session cookies can be captured.

As a result of Wi-Fi insecurities, IBM researchers have developed a new Secure Open Wireless standard. The system uses a digital certificate to secure the Wi-Fi hotspot itself, preventing sidejacking or man-in-the-middle attacks. “We’re simply checking to make sure the SSID of the wireless access point is legitimate and when a client connects they establish an encrypted connection,” Tom Cross, threat intelligence manager at IBM X-Force and lead researcher behind Secure Open Wireless, told SearchSecurity.com. Until the standard is broadly adopted, many security experts warn smartphone and laptop users to limit browsing on open wireless networks.

5. Lost and stolen devices

With all the chatter from security experts about mobile malware, phishing, and other attacks that can take place remotely, the number one threat to individuals and enterprises remains lost and stolen devices. In New York City, taxi cab drivers report dozens of lost mobile phones found in the back of their cabs each week.

Four in 10 organizations have had mobile devices lost or stolen, and half of those lost or stolen devices contained business critical data, according to a smartphone security study (.pdf) issued in May. The study, undertaken by researchers at Carnegie Mellon University, and commissioned by McAfee, found that enterprises need to set appropriate policies and deploy encryption of sensitive data. “It comes down to access control, key management for collaboration and data sharing,” Chris Burchett, CTO and co-founder of Addison, Texas-based data encryption vendor Credant Technologies, told SearchSecurity.com.

Device owners rarely use a passphrase or code to protect unauthorized access to their device. That leaves the phone wide open to a thief. Contacts, email messages and data saved in some applications can be easily accessed by the average criminal. While most enterprise mobile security software suites have device location and wipe features, but a lack of security policy around personally owned devices means many employees and their organizations remain at risk. By the time a device is reported lost or stolen, a thief could have already made off with the data.

Source: www.techtarget.com