Last year was one of the biggest years for retail data breaches, with credit card data from well over 106 million shoppers stolen from two of America’s largest retailers alone. The attacks shook consumer confidence, eroded brand loyalty, and cost the industry millions of dollars.
Even though the retail and security industries have been talking about compliance and security for more than a decade, breaches continue. And while research shows that compliance with PCI DSS has improved in recent years, it also shows that staying in compliance as demonstrated by passing interim assessments is another matter. Furthermore, compliance doesn’t always equal security, as it tends to focus on blocking attacks at the perimeter. Stopping attacks in the first place certainly is important, but it isn’t sufficient in an era when attackers are innovating at a pace we’ve never faced before.
Compounding the challenge is that retailers are in the midst of game-changing trends that can make or break them: creating a hyper-relevant experience for shoppers, adopting mobile Point-of-Sale (mPOS) systems, and realizing security is now a driver for consumers’ trust. Retailers who create successful strategies to innovate and embrace these trends will retain and gain more customers. But it requires a fresh approach to security.
So how should you look at and think about security differently? Read More »
Tags: point of sale, POS, retail, security, threat-centric security
Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 14 bulletins released which address 58 CVEs. Four bulletins are rated “Critical” this month and address vulnerabilities in Internet Explorer, Graphics Component, Office, and Edge. The other ten bulletins are rated “Important” and address vulnerabilities within Remote Desktop Protocol (RDP), Server Message Block (SMB), XML Core Services, Mount Manager, System Center Operations Manager, UDDI Services, Command Line, WebDAV, Windows, and the .NET Framework. Read More »
Tags: Microsoft, patch tuesday, Talos, Threat Research, vulnerabillity
Coding errors in software products provide easy paths of entry for online criminals, who can exploit vulnerabilities to compromise systems or launch additional attacks and malware. As reported in the Cisco 2015 Midyear Security Report, certain types of coding errors consistently appear on lists of most common vulnerabilities. This raises an important question for vendors and security professionals: If the same coding errors are identified year in and year out, why aren’t these errors being mitigated?
Buffer errors, input validation, and resource errors are usually among the most common coding errors exploited by criminals, according to the list of Common Weakness Enumeration (CWE) threat categories. As we explain in the Midyear Security Report, the likely culprit is the lack of sufficient attention paid to security during the product development lifecycle. In many cases, vendors wait until products come to market, and only then resolve vulnerabilities. However, this process should be reversed. Vendors should build security safeguards and conduct vulnerability testing during product development, in order to lessen the chance that criminals can profit – and customers can suffer.
Read More »
Tags: 2015 midyear security report, Cisco Midyear Security Report, MSR, open source, security
This post was authored by Mahdi Namazifar and Yuxi Pan
Once a piece of malware has been successfully installed on a vulnerable system one of the first orders of business is for the malware to reach out to the remote command-and-control (C&C) servers in order to receive further instructions, updates and/or to exfiltrate valuable user data. If the rendezvous points with the C&C servers are hardcoded in the malware the communication can be effectively cut off by blacklisting, which limits the malware’s further operation and the extent of their damage.
To avoid such static detection mechanisms recent attackers have been taking advantage of various Domain Generation Algorithms (DGA) in choosing and updating the domain names of their C&C servers. DGA embedded in the malware generate a large amount of pseudo-random domain names within a given period, most of which are nonexistent. With the same random seed, e.g. time of the day or most popular tweets of the day, the attackers can generate exactly the same list of domain names remotely, among which they will only register a few. The malware will contact some or all of the domains generated by the DGA, giving its opportunity to be able to connect to the C&C server. The sheer amount of nonexistent domains produced by the DGA on a daily basis presents a great burden for security specialists if blacklisting is still to be pursued.
Read More »
Tags: dga, Talos, Threat Research
If you had asked me a few years ago, I might have predicted that the rise of large scale hacking and network-based Advanced Persistent Threats (APTs) would spell the end of old-school espionage (poison-tipped umbrellas, office break-ins, dangles and the like). Those of us who fancy ourselves logical, savvy cyber security specialists can be forgiven for thinking such analog antics wouldn’t persist in a digital world.
And yet, human espionage remains a nagging issue. A Russian spy ring was disrupted in New York in January. New stories about employees stealing trade secrets from their employers regularly make headlines, such as this one in May. More than one article alleges that Vienna and Lausanne (home to recent Iranian nuclear negotiations) are swarming with spies from Tehran. And these are just the stories that get reported.
There is no question that spycraft is changing with the times. Recent, damaging breaches of US government employee information—amply documented elsewhere—provide some interesting hints as to how: Read More »
Tags: APT, cybersecurity, digital, malware, security