Ping! Zine Issue 80 - One, Two, Three Hacks—You’re Out!


ping! zine

WWW.PINGZINE.COM

web hosting mag

ONE, TWO, THREE HACKS YOU’RE OUT

FIVE WAYS TO CATCH A HACKER

PROTESTS OR PROFITEERING - THE HACK REMAINS THE SAME

THE FINANCIAL INDUSTRY’S BIGGEST THREAT




PINGZINE

TABLE OF CONTENTS

PING! ZINE

080

012

IN THIS ISSUE... nine

FIVE PLACES TO NEVER USE A BANK OR CREDIT CARD ten

FIVE WAYS TO CATCH A HACKER sixteen

IS YOUR COMPANY’S MOBILE APP PUTTING YOUR CUSTOMERS AT RISK FOR FRAUD? eighteen

PROTESTS OR PROFITEERING - THE HACK REMAINS THE SAME ONE, TWO, THREE HACKS—YOU’RE OUT! FOUR LESSONS ALL COMPANIES CAN LEARN FROM BASEBALL’S ASTROS HACKING SCANDAL

twenty

THE FINANCIAL INDUSTRY’S BIGGEST THREAT twenty four

DON’T MISS AN ISSUE! SUBSCRIBE NOW WWW.PINGZINE.COM/SUBSCRIBE

DIGITAL EDITIONS...FREE!


CITIZENS DEMAND ‘UBER’ PRIVACY twenty six

INTEL AND MICRON PRODUCE BREAKTHROUGH MEMORY TECHNOLOGY




OUR TEAM

OUR SPONSORS

PING! ZINE

080

EXECUTIVE STAFF Publisher Keith Duncan Production Manager Lois Clark-Mayer Marketing Director Zachary McClung Executive Editor Dave Young Senior Online Editor Robert Lang

EDITORIAL STAFF Technical Editor Frank Feingold Associate Editor Peter Burns Headlines Editor Derek Vaughan

CONTRIBUTING WRITERS Shaun Murphy, SRV Network, Inc, James Pooley, Gary Miliefsky, Stephen Coty, Deborah Galea

zero two

BLACK LOTUS zero five

WEB HOST DIRECTORY zero seven

1&1 INTERNET fourteen

RACKMOUNTS ETC twenty one

HOSTINGCON twenty six

TIER.NET twenty seven

KAJE twenty eight

ADDRESS

Ping! Zine, LLC, Post Office Box 516, Denham Springs, LA 70726

Ping! Zine Web Hosting Magazine © 2015. Published and Copyrighted 2015 by PINGZINE, LLC, P.O. Box 516, Denham Springs, LA 70726. All rights reserved. Permission to reproduce part or all of this issue must be secured in writing from the publisher. Complimentary subscriptions are at the discretion of the publisher and may be cancelled or modified at any time. Unsolicited submissions are welcome. We assume no liability for loss of or damage to submissions. We assume no liability for the content of this issue; all points and ideas are strictly those of the writers involved and not of the publisher, publishing company, printing company or editors.

HOST4YOURSELF


DOMAINS | MAIL | HOSTING | eCOMMERCE | SERVERS

NEXT GENERATION 1&1 CLOUD SERVER

TRY IT FOR 1 MONTH - FREE! Then starting at $9.99 per month*

Top performer

EASY TO USE – READY TO GO: The new 1&1 Cloud Server offers all the advantages of dedicated hardware performance combined with the flexibility of the cloud!

FLEXIBLE & AFFORDABLE

Customized configuration
■ SSD, RAM and CPU can be adjusted independently, flexibly and precisely
■ NEW: Pre-configured packages available

Transparent costs
■ Billing by the minute
■ Clearly structured cost overview enables efficient planning and management
■ No minimum contract term

EASY & SECURE

1&1 Cloud Panel
■ Innovative, user-friendly interface with smart administration

Security
■ Built-in firewall to protect your server from online threats
■ Backups and snapshots to prevent accidental data loss
■ High-performance 1&1 Data Centers are among the safest in the US

ALL-INCLUSIVE

Best performance
■ Unlimited traffic
■ Premium SSD with the highest performance
■ Private networks, professional API, load balancers, firewalls and more, all easy to configure
■ Ready-to-use applications including WordPress, Drupal™ and Magento®
■ Powered by Intel® Xeon® Processor E5-2683 v3 (35M Cache, 2.00 GHz)

1 TRIAL: TRY FOR 30 DAYS
1 MONTH: FLEXIBLE PAYMENT OPTIONS
1 CALL: SPEAK WITH AN EXPERT 24/7

1 (877) 461-2631

*1&1 Cloud Server is available free for one month, after which regular price of $9.99/month applies. No setup fee is required. Visit 1and1.com for full offer details, terms and conditions. Intel, the Intel Logo, Intel Inside, the Intel Inside logo, Intel. Experience What‘s Inside are trademarks of Intel Corporation in the U.S. and/or other countries. 1&1 and the 1&1 logo are trademarks of 1&1 Internet, all other trademarks are property of their respective owners. ©2015 1&1 Internet. All rights reserved.

1and1.com



BITS & BYTES

According to ConsumerCredit.com, 80% of consumers use their debit cards for everyday purchases like gas, meals and groceries instead of cash. While a card is more convenient to simply swipe through a machine versus counting out change and worrying if you have enough cash on hand to make a purchase, it is not always the safest way to pay. Cash cannot be traced to a bank account or to other personal financial information like a bank or credit card can. Privacy and security expert Shaun Murphy, founder of Private Giant, has identified five places consumers should never use their bank or credit card in order to help prevent their identity from being stolen and to protect their personal information.

5 Places to Never Use a Bank or Credit Card

1.) Online shopping sites that are not secure. Before you enter your credit or bank card information, look for the lock icon without any overlays. While you are checking out, you should see the lock icon in your web browser (the print edition pictured the correct icon and two incorrect variants; those images are not reproduced here). Some sites, Amazon included, will not show you a lock icon until you log in to your account or begin the checkout process. This means anyone can see what you are shopping for while you are browsing.

2.) Hidden / out of view terminals. A hidden terminal could be as simple as the gas pump furthest away from the center or an unattended station for automatic checkouts at the grocery store. These are sweet targets for credit card skimming devices that can sit there for months without anyone noticing.



3.) Cell phone charging stations. While it may sound convenient to swipe your card to charge your phone for free when the battery is nearly dead, you should think again. Besides being ripe for credit card skimming or nefarious credit card information storage, these devices can also dump the information from your cell phone while charging! This attack method even has a cool name: Juice Jacking!

4.) Apps (desktop or mobile) that ask you for your credit card information outside of the normal app store. Chances are this is not a legit application, especially if it is threatening you (you have a virus, please deposit $10... or I’ve encrypted all of your files and I’ll unlock them for a price.)

5.) Services that claim to be free or a free trial but still need you to input a credit card before you can start using it. It is almost guaranteed that service is either going to scam you or sign you up for some paid service that will be impossible to cancel.

Now, if you are wondering how exactly you are supposed to pay for the services you need in situations like those listed above, there are a few options. One of the easiest is to use your bank or credit card to buy one-time-use or reloadable cards that do not have ties to your personal information. Just make sure when you are checking out at the store that you go to a clerk, not a self-checkout lane. P! By: Shaun Murphy, CEO Private Giant
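The lock-icon advice in item 1 above comes down to one rule browsers enforce: a page served over HTTPS loses its clean lock when it pulls scripts, images, frames or form targets over plain HTTP. The Python script below is an added example, not part of Shaun Murphy’s piece; it runs that same mixed-content check over a constructed checkout page (the shop.example, cdn.example, tracker.example, pay.example and widgets.example hosts are made up for the demonstration).

```python
"""Added example: a mixed-content check for an HTTPS checkout page.

Browsers show the lock icon only when every sub-resource and form target
on an https:// page is itself fetched over HTTPS.  This script walks a
constructed checkout page and lists the references that would make the
browser degrade or overlay the lock.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that names a sub-resource or a submission target.
RESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "link": "href",
    "form": "action", "audio": "src", "video": "src", "source": "src",
}


class MixedContentParser(HTMLParser):
    """Collects (tag, absolute_url) for every reference that uses plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        value = dict(attrs).get(attr_name)
        if not value:
            return
        # urljoin resolves relative and scheme-relative (//host/...) references
        # against the page URL, so only explicit http:// references stay http.
        absolute = urljoin(self.page_url, value)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, absolute))


def find_mixed_content(page_url, html):
    """Return [(tag, url), ...] for references that would spoil the lock icon."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("page is not served over HTTPS: there is no lock icon to check")
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed checkout page (hostnames are made up for the demonstration).
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><body>
  <link rel="stylesheet" href="/static/checkout.css">
  <script src="//cdn.example/lib.js"></script>
  <img src="http://tracker.example/pixel.gif">
  <form action="http://pay.example/submit" method="post">
    <input name="card_number">
  </form>
  <iframe src="https://widgets.example/chat"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"insecure {tag} reference: {url}")
```

The two hits in the sample are the kind a consumer never sees directly: a tracking pixel fetched over HTTP, which degrades the lock, and a card form that posts to an HTTP endpoint, which sends the card number in the clear regardless of how the page itself was loaded.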



Tech Expert Explains How To Nab A Hacker Data breaches are disturbingly common these days. Luckily, the authorities have many resources at their disposal when it comes to catching these criminals. Tech expert Karl Volkman explains, “Federal authorities are getting very close to catching the criminals who were behind the infamous JP Morgan Chase hacking last year. When it comes to huge cases such as this, there is a big opportunity to really make an example of these hackers, and that is exactly what the authorities have in mind. Small-time hackers will see that even the most proficient and expert hackers are not able to escape unscathed, so it will certainly be a lesson for everyone.”


FIVE Ways to Catch a Hacker



Here are the top five ways to catch a hacker, according to Volkman:

1. Be observant. “The best offense is a good defense,” says Volkman. “To that end, observation is key. Look out for certain things such as whether or not your hard drive activity has recently increased. This could be a sign of an online intruder.”

2. Know the clues. “Look in your temp folder. Are there numerous new files in there? Is your computer suddenly running slower than normal? These are not good signs.”

3. Don’t ignore repeat evidence. “If you continually have someone from the same IP address trying to get past your firewall, then you know that there is something hugely awry.”

4. Be proactive. “When you think you are being hacked, you should watch and wait in case the attack occurs again. Try to have some network monitoring software in place. Take note of the time and day of the hacks if possible.”

5. Contact the police. “Don’t sit and wait too long. Get the police involved right away and take measures to protect all of your personal data. It’s always better to be safe than sorry.”
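Points 3 and 4 above (repeat evidence from one IP address, monitoring software in place, noting the time and day) translate directly into a small detector. The Python below is an added example and not code from Volkman or SRV Network: it reads constructed iptables-style syslog DROP lines and reports any source whose blocked attempts cross a threshold inside a sliding time window. The log format, the FW-DROP prefix, the addresses and the thresholds are all assumptions made for the demonstration.

```python
"""Added example: spot a source address that keeps hitting the firewall.

Reads kernel/iptables-style "DROP" syslog lines and flags any source whose
blocked connection count inside a sliding window reaches a threshold,
recording when it happened and which ports were probed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines (addresses are documentation ranges, not real traffic).
SAMPLE_LOG = """\
Jun 14 02:11:03 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=22
Jun 14 02:11:04 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=22
Jun 14 02:11:06 gw kernel: FW-DROP IN=eth0 SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP DPT=443
Jun 14 02:11:07 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=23
Jun 14 02:11:09 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=3389
Jun 14 02:11:10 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=445
Jun 14 03:40:00 gw kernel: FW-DROP IN=eth0 SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP DPT=443
"""

# Assumed line layout: syslog timestamp, host, "kernel: FW-DROP", then k=v fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: FW-DROP "
    r".*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2015):
    """Return (timestamp, src, dst_port) for a drop record, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog lines carry no year, so one is supplied for a real datetime
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])


def repeat_offenders(log_text, threshold=5, window_seconds=60):
    """Sources with >= threshold blocked attempts inside any window_seconds span.

    Returns {src: (count, first_seen, last_seen, ports)} captured at the
    moment the threshold was first crossed; ports lists every destination
    port that source has been seen probing so far.
    """
    recent = defaultdict(deque)   # src -> timestamps inside the current window
    ports = defaultdict(set)
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dpt = rec
        q = recent[src]
        q.append(ts)
        ports[src].add(dpt)
        # slide the window: drop timestamps older than window_seconds
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = (len(q), q[0], q[-1], sorted(ports[src]))
    return flagged


if __name__ == "__main__":
    for src, (n, first, last, dports) in repeat_offenders(SAMPLE_LOG).items():
        print(f"{src}: {n} drops between {first:%H:%M:%S} and {last:%H:%M:%S}, ports {dports}")
```

With the defaults, 203.0.113.7 is reported after its fifth drop in seven seconds, while 192.0.2.44, which was blocked twice ninety minutes apart, is not; widen the window or lower the threshold and the slower source surfaces too, which is the trade-off any such rule has to make between noise and missed low-and-slow activity.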

About SRV Network, Inc. SRV Network, Inc. is a Microsoft Gold Certified partner that offers a variety of IT services, including flexible service packages that meet any client requirement, from as-needed technical help to intensive, regular on-site work. They work with all technology platforms and have broad expertise in a wide variety of technology solutions. They specialize in Network Design and Implementation, Network Maintenance and Monitoring, Disaster Recovery and Prevention and IP Telephony.



One, Two, Three Hacks—You’re Out! Four Lessons All Companies Can Learn from Baseball’s Astros Hacking Scandal

Most of us assume that corporate espionage and digital theft of trade secrets rarely occur outside of technology, retail, and finance. But as the recent hacking of the Houston Astros’ internal computer network—allegedly by St. Louis Cardinals employees—proves, every company in every industry is vulnerable.

As cybersecurity breaches become increasingly common, says James Pooley, companies need to take steps to protect their information assets. If it can happen in baseball, it can happen anywhere.

“Clearly, just hitting the ball well isn’t enough: Competition these days is all about information—who has it and who can get it,” says Pooley, author of Secrets: Managing Information Assets in the Age of Cyberespionage (Verus Press, 2015, ISBN: 978-0-9963910-0-9, $24.97). “We’ll be hearing about stories like this more frequently as we expand our use of technology and hackers get more sophisticated.”

Having recently completed a five-year term as deputy director general at the World Intellectual Property Organization in Geneva, where he was responsible for management of the international patent system (PCT), Pooley is an expert in the fields of intellectual property, trade secrets, and data security. Secrets, which thoroughly explains how to recognize and mitigate the risk of information loss in today’s electronic business landscape, is a must-have guide for executives and managers, knowledge workers, consultants, security professionals, entrepreneurs, investors, lawyers, and accountants—anyone and everyone who works with information.

Here, Pooley spotlights four questions to consider if you’re serious about protecting your company’s secrets from being hacked:

What information do you have that could give your competition an edge? Don’t underestimate the value of your company’s information. Cyberhacking isn’t just a threat for big organizations with complicated technology. In the hands of the competition, a wide variety of information about your company’s products, processes, strategies, and client base can be used against you.

“The Astros’ database contained private statistics, scouting reports, and information about players,” Pooley comments. “Most companies collect and store similar data about their performance, strategies, customers, and employees. The competition would love to know all this, and sometimes people step over ethical and legal lines to get it. Remember, in order to protect your information assets, you must first know what you have.”

What are you doing about your passwords? In the Astros’ case, it appears that the hackers were able to access the team’s internal network simply by trying some passwords that had been used by a former manager of the Cardinals before he went to the Astros. “In our personal lives, we often reuse the same passwords because they’re hard to remember,” Pooley acknowledges. “But in business, you can’t afford that kind of convenience. Especially if you rely only on passwords to protect information, you need to change them frequently—and especially after key personnel leave your company. Use very ‘strong’ combinations of characters. And if possible, consider adding extra layers of protection, like call-back requirements or biometrics such as fingerprints.”

What procedures are in place to prevent employees from taking valuable information with them when they leave? When employees leave your company, you reclaim their keys, laptops, and ID cards—but do you worry about the knowledge they carry in their heads? Companies need to mitigate the risk from the “insider threat,” since most information is lost this way. “Even when you have the right contracts in place and have done all appropriate training, you should conduct a thorough exit interview, learning as much as you can about the employee’s next job and emphasizing the importance of your secret information and your determination to protect your rights,” Pooley advises.




Do you educate employees about your trade secrets? Employees don’t naturally think about information security, and the Facebook generation in particular has been raised on the idea that sharing is good and information is free. Again, behavior that is generally acceptable in employees’ private lives can cause serious problems in a business context. That’s why employers must proactively educate their people about corporate hygiene.

“Good training is the best (and most cost-effective) way to avoid problems and make sure employees stay within the bounds of what’s legal, ethical, and safe,” Pooley shares. “The best training is continuous, careful, upbeat, and professional, and does not rely on threats. While stories of information breaches—like the Astros hacking scandal—provide good case studies, be sure to also highlight your company’s own initiatives, especially actions by individual employees, that may have helped avoid a problem.”

“As the Astros’ misfortune has demonstrated, no industry or organization can consider its information assets safe,” Pooley concludes. “While it is impossible to guard against all information leaks, companies do have the power to strongly mitigate the risk of being hacked. What steps does your organization need to take to plug holes in its defense system?” P!

About the Author: James Pooley is the author of Secrets: Managing Information Assets in the Age of Cyberespionage. He provides international strategic and management advice in patent and trade secret matters, performs pre-litigation investigation and analysis, acts as a neutral and special master, and consults on information security programs. Mr. Pooley recently completed a five-year term as deputy director general at the World Intellectual Property Organization in Geneva, where he was responsible for management of the international patent system (PCT). Before his service at WIPO, Mr. Pooley was a successful trial lawyer in Silicon Valley for over 35 years, representing clients in patent, trade secret, and technology litigation. He has also taught trade secret law at the University of California, Berkeley, and has served as president of the American Intellectual Property Law Association and of the National Inventors Hall of Fame. Mr. Pooley is an author or coauthor of several major works in the IP field, including his treatise Trade Secrets (Law Journal Press) and the Patent Case Management Judicial Guide (Federal Judicial Center). He graduated from Columbia University Law School as a Harlan Fiske Stone Scholar in 1973 and holds a bachelor of arts, with honors, from Lafayette College. About the Book: Secrets: Managing Information Assets in the Age of Cyberespionage (Verus Press, 2015, ISBN: 978-0-9963910-0-9, $24.97) will be available June 30, 2015, at bookstores nationwide and on Amazon.



Is Your Company’s Mobile App Putting Your Customers At Risk For Fraud?

Mobile apps are becoming big business for businesses. Many bank customers now check their account balances or transfer funds through an app on their cell phones. Savvy retail shoppers can use a favorite store’s apps to learn about discounts, access coupons and find daily deals.

“The apps for financial institutions and retailers are getting greater use and that can be wonderful for business,” says Gary Miliefsky, CEO of SnoopWall (www.snoopwall.com), a company that specializes in cyber security. But as with so many things in the cyber world, caveats are connected. Even as companies provide additional services through those apps, they may be putting their customers at risk for fraud.

“Most companies don’t realize just how vulnerable their apps are and what the potential is for leaking their customers’ personal information,” Miliefsky says. “And when that happens, it’s bad for business.”

He suggests a few reasons why most companies need better protection for their mobile apps:

• New forms of mobile malware are being widely deployed in the major app stores and can eavesdrop on a customer through a company’s app. “These new forms of malware are undetected by anti-virus engines and are able to circumvent encryption, authentication and tokenization,” Miliefsky continues. “That makes it easy for cyber criminals to exploit the personal information of a company’s customers and commit fraud.” “Even though a customer has the breach on their mobile device, the retailer is responsible because it was their app that allowed the eavesdropping,” he says. “A breach of credit-card information potentially could result in fines for the retailer.”

• The FDIC requires banks that are providing an ATM-like online or mobile-banking experience to protect access to the confidential records of the consumer, the consumer’s bank account information, user name and password credentials, and bill payment and check-deposit services. Just like with retailers, it doesn’t matter that the breach happened on the customer’s mobile device, Miliefsky says. The bank’s app caused the problem because it allowed the eavesdropping, so “the risk and the responsibility is the bank’s not the consumer’s,” he says. And, as in the case with retailers, banks could face fines for a breach.

• The PCI Data Security Standard requires merchants to protect credit-card holder data. Likewise, mobile-commerce providers must protect any payment card information, whether it is printed, processed, transmitted or stored.

“Businesses have become great at creating useful apps that their customers eventually feel they can’t live without,” Miliefsky says. “But the failure to secure that app is going to come back to haunt the business over the long haul.” P!


Protests or Profiteering - The Hack Remains the Same

Hacktivism has been around since the Cult of the Dead Cow in the 80s; only the names have changed. Where we once heard about Chaos Computer Club and the Legion of Doom, we now have high-profile examples like Anonymous, AntiSec, and LulzSec. This is not a comparison—35 years ago it was mostly demonstrations and denials of service. Now, attacks are exponentially more intrusive and destructive. With this escalation in damages comes a new name. Cyber Terrorism is a term that the media has been using quite frequently. There have been countless articles on Cyber Caliphate, Cyber Berkut, and cyber freedom fighters who are fighting for the rights of freedom and free information around the world. Is changing “hacktivism” to “terrorism” the media’s way of upping the ante on hacking? What is the difference between hacktivism and cyber terrorism? They both seek out the same targets. They have a singular purpose, in its simplest definition—to cause damage to an entity, organization or group. So what sets these two categories of hackers apart? Is the answer in their motivation? Is one viewed as “good,” while the other “bad”? Or is it simply in the eye of the beholder?

ANONYMOUS is a loose association of activist networks with an informal, decentralized leadership structure. Beginning in 2003, on the bulletin board 4chan, Anonymous began to recruit and train young people interested in hacking for a cause. Throughout the years, they have run cyber attacks, mostly DDoS (Distributed Denial of Service), against the financial, healthcare, education, religious, oil, gas and energy industries. They have also earned a spot on that distinguished list of attackers who have targeted Sony in the past. Anonymous has really changed the nature of protesting, and in 2013 Time Magazine called them one of the top 100 influential people in the world. Supporters have called the group “freedom fighters” and even compared them to a digital Robin Hood. Others consider them cyber terrorists. In the public’s eye, it depends on their motivation, following and targets. The bottom line: This could either be a case of malicious activity masked by political motivation, or pure malicious activity.

By Stephen Coty, chief security evangelist, Alert Logic


CYBER BERKUT, a modern group of hacktivists, claims its name from the special police force “Berkut,” formed in the early 1990s. The pro-Russian group made a name for itself by conducting DDoS attacks against the Ukrainian government and western corporate websites conducting business in the region. The group has also been known to penetrate companies and retrieve sensitive data, which it would post on public-facing paste sites or on its non-English website, which includes a section called “BerkutLeaks.” Cyber Berkut was most recently credited with hacking attacks against the Chancellor of the German Government, NATO and Polish websites, as well as the Ukrainian Ministry of Defence. The group has been compared to Anonymous based on its methods of protest and political targets. Viewed as passionate about its targets, Cyber Berkut has a clear agenda that it aims to accomplish. However, the group’s ideology in no way diminishes the amount of intended damage that might be inflicted on potential victims.

CYBER CALIPHATE, a hacker group claiming association with terrorist group ISIS, has attacked many different government and private industry entities in the name of the freedom-fighting group. Caliphate is responsible for multiple website defacements and data breaches. The group has hacked various websites and social media accounts, including those of military spouses, US military command, Malaysia Airlines, Newsweek and more.

Cyber Caliphate has proven itself efficient and hungry for media attention. This raises the question: Does Cyber Caliphate believe in its stated cause, or is this just opportunistic hacking under the guise of a cause for media attention? What if the group is just looking for fame and fortune? What if the group is not a group at all, but the work of one or two people collaborating with different contributors for specific targets?

MOTIVE DOESN’T MATTER

Is this cyber terrorism, hacktivism or just another set of hackers trying to get famous by jumping on the media’s hot topic of the month? We can wax poetic about standing up for a cause, but the fact remains that attacks are attacks, whether they are motivated by politics, fortune, or fame. And the key to fighting back is Threat Intelligence. Threat Intelligence gathering is key to keeping up with the actions of these groups and their potential targets. Staying ahead of future attacks requires a proper investment in intelligence groups who have the proper tools, people and processes to deliver up-to-date intelligence. Information sharing among intelligence groups from different industries and countries will help expedite the reverse engineering of malicious code and assist in the building of signature content and correlation logic that is deployed to our security technologies, so that by the time an attack is deployed globally, defences have already been created and detection logic has already been integrated.

P!



The Financial Industry’s Biggest Threat Nearly half of financial services respondents (46%) cited cyber risk as the single biggest threat to the financial industry, and 80% listed it as one of the top five risks, according to a recent study from the Depository Trust & Clearing Corporation (DTCC). Cyber risk was listed far ahead of other concerns such as geopolitical risk, the impact of new regulations, and the US economic slowdown.

With all the data breaches and cyber attacks that the financial sector has suffered recently, it is no surprise that cyber security is now seen as the top concern. Last year, the JP Morgan Chase breach compromised account information for 83 million households and small businesses. Earlier this year, Kaspersky Lab uncovered a cyber attack on more than 100 banks across 30 countries that resulted in financial losses of up to one billion dollars. According to the report Threats to the Financial Sector from consultancy firm PwC, 39% of the financial services respondents had been hit by cyber attacks in 2014, compared to 17% from other industries. Many of these attacks, including the cyber attacks that Kaspersky discovered, start with a spear phishing attack. The attackers gain entry by sending out a targeted email to selected individuals with a malicious link or attachment. In the banking hack that Kaspersky uncovered, the email attachment was an infected Microsoft Word document. Once the attachment was opened, the attackers were able to obtain access to the system and proceed in stealth to analyze, monitor and ultimately steal large sums from the banks they infiltrated.

Financial organizations are an especially attractive target for cyber criminals. Not only for stealing money, but also to obtain sensitive customer data that can be sold for copious amounts on the black market (according to the Ponemon Institute, on average, each data record yields $217 in the US). What should financial organizations be doing to protect themselves against these data breaches?

Improve Threat Detection

Financial organizations need to improve their ability to detect malware threats, both known and unknown. Many companies only use one or two antivirus engines. With the sheer number of new malware released each day, this will not provide sufficient protection. When combining the detection algorithms and heuristics of different engines, the chance of catching threats increases exponentially, including zero-day and targeted attacks. Multi-scanning with multiple anti-malware engines needs to be applied to all data workflows of the organization, including email, servers, clients, browsing, portable media and file transfer.



NETWORK • LEARN • GROW

SEPT 22-23, 2015 AMSTERDAM, NETHERLANDS THE PREMIER INDUSTRY CONFERENCE AND TRADE SHOW FOR HOSTING AND CLOUD PROVIDERS.

REGISTER NOW AND SAVE WITH EARLY BIRD RATES! EUROPE.HOSTINGCON.COM


LIMITED TIME ONLY

Xeon E3-1230-V3 Dedicated Server (4 cores / 8 threads)

16GB RAM
2TB SATA Caviar Black HDD
5TB Premium Bandwidth Included
100% Uptime, Money-Back Guarantee
24/7/365 Industry-Leading Support
5 IPv4 IPs Included, Unlimited IPv6

STARTING AT $65/MONTH

Tier.Net Hosting: Shared, Reseller, VPS, Cloud, Dedicated, Colo, Advanced

888-518-0288

sales@tier.net


Improve Threat Prevention

In the event that a threat is not detected by anti-virus engines, there are a number of additional precautions that can be taken to prevent malware infection by undetected threats. By converting files to a different format, data sanitization can ensure that any possible embedded threats are removed. For instance, in the attack that Kaspersky uncovered, the spear phishing email included a malicious Word document. If data sanitization had been applied, the Word document could have been rendered harmless before it was delivered to the recipient. File type and email attachment control, such as limiting the types of email attachments that are allowed in as well as intercepting spoofed files by verifying the file format, can also help prevent any possible malicious files circumventing filters.
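The paragraph above recommends limiting the attachment types allowed in and intercepting spoofed files by verifying the file format rather than trusting the name. The Python below is an added example, not OPSWAT’s product code: it compares each attachment’s claimed extension with the format its leading bytes actually indicate, checks that a .docx really is an Office zip package, and only then applies an allow-list. The allow-list, the signature table, the ALLOWED_EXTENSIONS policy and the sample attachments are all constructed for the demonstration.

```python
"""Added example: attachment control by verified file format (not OPSWAT code).

Instead of trusting an attachment's extension, sniff the leading bytes,
confirm they match the format the extension claims, verify that an Office
document really is an Office package, and only then apply the gateway's
allow-list.  Signatures, policy and sample files are illustrative.
"""
import io
import zipfile

# Leading bytes ("magic numbers") of some common formats.
SIGNATURES = {
    b"%PDF": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .doc/.xls/.ppt container
    b"PK\x03\x04": "zip",                          # also .docx/.xlsx/.pptx containers
    b"MZ": "pe",                                   # Windows executable or DLL
}

# Which container format each extension is expected to carry.
EXTENSION_FORMATS = {
    "pdf": "pdf", "png": "png",
    "doc": "ole2", "xls": "ole2", "ppt": "ole2",
    "docx": "zip", "xlsx": "zip", "pptx": "zip", "zip": "zip",
    "exe": "pe", "dll": "pe", "scr": "pe",
}

# Illustrative gateway policy (assumption): only these may come in.
ALLOWED_EXTENSIONS = {"pdf", "png", "docx", "xlsx"}

# Directory an OOXML package of each type must contain.
OFFICE_PARTS = {"docx": "word/", "xlsx": "xl/", "pptx": "ppt/"}


def sniff_format(data):
    """Name the format indicated by the leading bytes, or 'unknown'."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def is_office_container(data, ext):
    """True if data is a zip holding [Content_Types].xml and the part for ext."""
    part = OFFICE_PARTS.get(ext)
    if part is None:
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return "[Content_Types].xml" in names and any(n.startswith(part) for n in names)


def check_attachment(filename, data):
    """Return ('allow' | 'block', reason) for one attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return "block", f"extension .{ext or '(none)'} not on allow-list"
    actual = sniff_format(data)
    if actual != EXTENSION_FORMATS[ext]:
        return "block", f"claims .{ext} but content looks like {actual}"
    if actual == "zip" and not is_office_container(data, ext):
        return "block", f"zip container is not a real .{ext} package"
    return "allow", f".{ext} matches {actual} content"


def build_office_like(part="word/document.xml"):
    """Constructed minimal OOXML-shaped zip for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if part:
            zf.writestr(part, "<document/>")
    return buf.getvalue()


# Constructed sample attachments.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4\n%constructed sample\n",
    "report.docx": build_office_like(),
    "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16,
    "statement.pdf": b"MZ\x90\x00" + b"\x00" * 16,   # executable renamed to .pdf
    "notes.docx": build_office_like(part=None),       # zip, but no word/ part
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict, reason = check_attachment(name, blob)
        print(f"{name:14s} {verdict:5s} {reason}")
```

The order of the checks matters: the allow-list is applied to the extension first, but the verdict for an allowed extension still depends on what the bytes say, so an executable renamed to .pdf and a bare zip renamed to .docx are both blocked even though their names would pass a name-only filter. Sniffing the header is a floor, not a full parser; a production gateway would hand the surviving files on to the format-aware sanitization the article describes.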

By ensuring that devices and endpoints are up to date with the latest patches and anti-virus updates, the chance that malware is able to infect the computer is decreased. In the financial breach that Kaspersky discovered, only the Word installations that were not up to date were vulnerable to the malware in the email attachment. In order to properly monitor devices, financial institutions require a central monitoring system that can detect compromised machines.

Keeping Data Secure

Sensitive information must be segregated and encrypted. When sensitive data must be shared externally, a secure file transfer system must be used to ensure confidentiality and prevent data theft. For high security environments, networks containing sensitive data are even entirely disconnected from the Internet and other networks, in so-called ‘air-gapped networks’. Limited connectivity is possible using a cross-domain solution or data diode that enables one-way traffic only, from the lower security network to the higher security network. This means that, for productivity purposes, information can still be brought in from the Internet to the secure network, while it is impossible for any data to leave it. By implementing such measures, even if a cyber attack is successful, the data will always remain secure.

OPSWAT provides a number of solutions to help organizations improve their security and defenses against cyber attacks, including multi anti-malware scanner Metascan, along with Policy Patrol Security for Exchange (email security for Exchange Server), Policy Patrol Secure File Transfer (secure file transfer solution), Metadefender (portable media security) and Gears (device monitoring). P!

Deborah Galea, product manager, OPSWAT (www.opswat.com)

Deborah Galea heads OPSWAT’s product marketing for the Metascan and Metadefender product suite, and is dedicated to identifying solutions to help companies of all sizes ensure a secure data workflow. Prior to joining OPSWAT, she was co-founder and COO of Red Earth Software. Red Earth Software specialized in the development of email management software to help companies ensure proper usage of their corporate email systems.


Citizens Demand ‘Uber’ Privacy

The world is waking up. Riots in France. Over Uber, you ask? Yes, the app you conveniently downloaded on your smartphone to help you get a ride from where you are to where you want to go, usually at a lower cost than a taxi and more convenient in some cities than hailing a cab, is also a brilliant piece of SPYWARE. Yes, let’s call it what it is. Just review the permissions it asks for on the Google Play store. Uber app by Uber Technologies Inc., Version 3.55.0, can access:

• Identity – add or remove accounts; find accounts on the device; read your own contact card.
• Contacts – read your contacts.
• Location – find your approximate location (network-based); or precise location (GPS and network-based).
• SMS – receive text messages (SMS).
• Phone – directly call phone numbers.
• Photos/Media/Files – read the contents of your USB storage; modify or delete the contents of your USB storage.
• Camera – take pictures and videos.
• Wi-Fi connection information – view Wi-Fi connections.
• Device ID & call information – read phone status and identity.
• Other – receive data from the Internet; modify system settings; use accounts on the device; view network connections; full network access; control vibration; prevent device from sleeping; read Google service configuration.

By Gary S. Miliefsky, CEO, SnoopWall Inc.

In addition, because Google Play presents permissions by group, and an update that adds a new permission inside a group you have already accepted is installed without asking you again, Uber’s updates may quietly gain more capabilities within each of these groups without you knowing in detail what is in them.
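The check a practitioner would want at this point is a way to see which permissions an update adds and which of those would slip in without a fresh prompt. The script below is an added example, not code from the article or from Uber: it parses two versions of an app’s AndroidManifest.xml, maps each dangerous permission to its Android permission group (a hand-maintained subset of the groups Android documents, so extend the table as needed), and classifies every newly requested permission as "silent" (its group was already granted, so under the install-time permission model of Android 5.x and earlier an auto-update receives it without asking) or "prompt" (a new group, so the user would be asked). The two manifests are constructed for illustration; the package name and version codes are invented and are not Uber’s.

```python
"""
Audit an Android app update for permissions that arrive without a new
prompt because they belong to a permission group the user already
granted (install-time permission model, Android 5.x and earlier).

Added example; not from the article or from Uber. The manifests below
are constructed, and PERMISSION_GROUPS is a hand-maintained subset of
Android's documented dangerous-permission groups.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Hand-maintained subset of Android's dangerous permissions -> group.
# Anything not listed is reported as "other" (normal permissions such as
# INTERNET are not user-prompted, so they never count as a granted group).
PERMISSION_GROUPS = {
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.WRITE_CONTACTS": "CONTACTS",
    "android.permission.GET_ACCOUNTS": "CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.CALL_PHONE": "PHONE",
    "android.permission.READ_CALL_LOG": "PHONE",
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.CAMERA": "CAMERA",
    "android.permission.RECORD_AUDIO": "MICROPHONE",
}

# Constructed sample manifests (package name and versions are invented).
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.ride" android:versionCode="354">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>
"""

NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.ride" android:versionCode="355">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission")
            if el.get(name_attr)}


def group_of(permission):
    """Permission group for a dangerous permission, or 'other'."""
    return PERMISSION_GROUPS.get(permission, "other")


def audit_update(old_xml, new_xml):
    """
    Classify permissions added by the new manifest:
      silent  - group already granted via the old manifest; an auto-update
                on the install-time model gets it without asking again
      prompt  - new group (or unlisted permission); the user would be asked
    Also lists permissions the update dropped.
    """
    old = requested_permissions(old_xml)
    new = requested_permissions(new_xml)
    granted_groups = {group_of(p) for p in old} - {"other"}
    silent, prompt = [], []
    for perm in sorted(new - old):
        grp = group_of(perm)
        (silent if grp in granted_groups else prompt).append((perm, grp))
    return {"silent": silent, "prompt": prompt, "removed": sorted(old - new)}


if __name__ == "__main__":
    report = audit_update(OLD_MANIFEST, NEW_MANIFEST)
    for label in ("silent", "prompt", "removed"):
        print("%s:" % label)
        for entry in report[label]:
            print("  %s" % (entry,))
```

On the constructed input, WRITE_CONTACTS and CALL_PHONE are reported as silent (the CONTACTS and PHONE groups were granted by the earlier version), while RECEIVE_SMS and CAMERA would prompt. To run this against a real APK, extract the manifest first (for example with apktool or aapt); on Android 6.0 and later, apps that target the runtime permission model ask at first use instead, so the "silent" class applies to the older install-time model the article is describing.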


Now, I would agree the riots in France were mostly over UberPop, Uber’s French app with more than 400,000 downloads in the country, which takes business away from the taxi industry in violation of French law. But it has also been reported that the French are upset with Uber’s data collection and privacy policies. Like most “growing too fast to think straight” companies, Uber joins the ranks of Google, Facebook and Twitter in wanting to know everything it can about everyone. It is a growing trend: the marketing vice president of these companies convinces the CEO that “consumer analytics” is where it’s at. Collecting as much information as possible about everyone will just make the product better, they say. With no concern for our privacy, they collect and mine data without us knowing when, how or why. Ultimately, these companies feel that if we the people (or in this case “sheeple”) are willing to go along with the pack and give away our right to privacy for convenience, well, shame on us, not them. It should be the other way around.

Slowly, there is an awakening. It is happening now in France, all over Uber. It is happening in New York City, all over Uber. What did Uber do in NYC to spark this rebellion? Uber has been using its data to try to rally public sentiment against the proposed cap on Uber’s drivers in New York: it actually sent unsolicited political text messages to people geolocated in New York City, asking for their support. Creepy. Very creepy. And this is the tip of the iceberg of what Uber can do with all the data it has collected. Remember last year, when Uber NYC executive Josh Mohrer tracked technology reporter Johana Bhuiyan on two occasions using a feature known as “God View”? What a great internal name for the SPYWARE dashboard of Uber. God View is available to all employees at the ride-hailing service and allows them to see customer activity, such as where a person wants to be picked up.

Marketing VP and developers at Uber, what were you thinking? Shame on you for building a SPYWARE network instead of a private car service. Maybe this is the beginning of a pivotal moment, when consumers start to question companies with God Views that collect data on them in violation of their privacy. Maybe soon people will demand a PRIVACY ride service and even be willing to pay a slight premium per ride so that their personally identifiable information (PII) is not gobbled up into a corporate database that is never secure enough against the next hacker attack, and that is managed by companies with staff willing to use that data in ways consumers would never have approved. Uber, get out of our contacts list. Stop tracking us. Anonymize and encrypt your “God View” system and rename it to what it is: the Consumer SPYWARE Dashboard. Your marketing VP needs to read “1984” by George Orwell and realize that “we the people” are no longer willing to become a product in your database. Do a great job. Offer a great service. Don’t steal our privacy or creep on us anymore. P!

About Gary S. Miliefsky
Gary S. Miliefsky is the CEO of SnoopWall Inc. and inventor of the company’s novel Counterveillance technology. He has been extremely active in the INFOSEC arena, most recently as the Editor of Cyber Defense Magazine, and was a frequent contributor to Hakin9 Magazine. He also founded NetClarity Inc., an internal intrusion defense company, based on a patented technology he invented. He is a member of ISC2.org, a CISSP®, and a member of the Advisory Board of the Center for the Study of Counter-Terrorism and Cyber Crime at Norwich University. He also advised the National Infrastructure Advisory Council (NIAC), which operates within the U.S. Department of Homeland Security, in their development of The National Strategy to Secure Cyberspace. Miliefsky is a Founding Member of the U.S. Department of Homeland Security (http://www.DHS.gov), serves on the advisory board of MITRE on the CVE Program (http://CVE.mitre.org) and is a founding Board member of the National Information Security Group (http://www.NAISG.org). Email him at: ceo@snoopwall.com.




BITS & BYTES

Intel and Micron Produce Breakthrough Memory Technology

Intel and Micron begin production of a new class of non-volatile memory, creating the first new memory category in more than 25 years.

Intel Corporation and Micron Technology, Inc. unveiled 3D XPoint™ technology, a non-volatile memory that the companies say has the potential to revolutionize any device, application or service that benefits from fast access to large data sets. Now in production, 3D XPoint technology is a major breakthrough in memory process technology and the first new memory category since the introduction of NAND flash in 1989. The explosion of connected devices and digital services is generating massive amounts of new data. To make this data useful, it must be stored and analyzed very quickly, creating challenges for service providers and system builders who must balance cost, power and performance trade-offs when they design memory and storage solutions. According to the two companies, 3D XPoint technology combines the performance, density, power, non-volatility and cost advantages of all memory technologies available on the market today: it is up to 1,000 times faster and has up to 1,000 times greater endurance than NAND, and is 10 times denser than conventional memory.

“For decades, the industry has searched for ways to reduce the lag time between the processor and data to allow much faster analysis,” said Rob Crooke, senior vice president and general manager of Intel’s Non-Volatile Memory Solutions Group. “This new class of non-volatile memory achieves this goal and brings game-changing performance to memory and storage solutions.”

“One of the most significant hurdles in modern computing is the time it takes the processor to reach data on long-term storage,” said Mark Adams, president of Micron. “This new class of non-volatile memory is a revolutionary technology that allows for quick access to enormous data

sets and enables entirely new applications.”

As the digital world quickly grows – from 4.4 zettabytes of digital data created in 2013 to an expected 44 zettabytes by 2020 – 3D XPoint technology can, the companies say, turn this immense amount of data into valuable information in nanoseconds. For example, retailers may use 3D XPoint technology to identify fraud patterns in financial transactions more quickly; healthcare researchers could process and analyze larger data sets in real time, accelerating complex tasks such as genetic analysis and disease tracking. The performance benefits of 3D XPoint technology could also enhance the PC experience, allowing consumers to enjoy faster interactive social media and collaboration as well as more immersive gaming experiences. The non-volatile nature of the technology also makes it a good choice for a variety of low-latency storage applications, since data is not erased when the device is powered off.

New Recipe, Architecture for Breakthrough Memory Technology

Following more than a decade of research and development, 3D XPoint technology was built from the ground up to address the need for non-volatile, high-performance, high-endurance and high-capacity storage and memory at an affordable cost. It ushers in a new class of non-volatile memory that significantly reduces latencies, allowing much more data to be stored close to the processor and accessed at speeds previously impossible for non-volatile storage. The transistor-less cross point architecture creates a three-dimensional checkerboard in which memory cells sit at the intersection of word lines and bit lines, allowing each cell to be addressed individually. As a result, data can be written and read in small sizes, leading to faster and more efficient read/write processes. P!



