Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    July 2014
    S M T W T F S
    « Jun    
     12345
    6789101112
    13141516171819
    20212223242526
    2728293031  
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Raimund Genes (Chief Technology Officer)




    Whenever I hear about the Internet of Everything, I find myself somewhat conflicted. There’s no doubt that it is the new “mega trend” in technology, but at the same time I wonder how secure it is. Let me explain.

    When a company creates a smart device, they not only need to create the hardware for the device, they also need to write the software for it. This is not a simple task, particularly for complex items. Take, for example, a modern car. Think of all the features it has: distance assistance, lane assistance, and even notification of emergency services if I crash. It can even compile various statistics about how I drive and compare it to other drivers of that model.

    All this results in a very large amount of software that needs to be written. A modern car has more than 100 million lines of code. This is more than double that of an office suite like Microsoft Office (45 million); or seven times more than that of a Boeing 787 Dreamliner (14 million). More code not only means more features, but also more opportunities for various security flaws and vulnerabilities.

    Software vulnerabilities are something that, unfortunately, we’ve learned how to deal with. Software vendors all over the world regularly send updates to their customers; smart devices should be no different. All of my cars in the past decade have received regular updates, including changes in their steering. Given how on the autobahn, 140 miles per hour (or 225 kilometers per hour) is normal cruising speed, it’s rather important that there be no blue screens of death in these situations.

    We already know that vulnerable devices are under attack by cybercriminals. For example, routers are under attack all the time, and can be quite easily compromised. We need the vendors of smart devices to realize that their products, too, can become targets. Security vendors like Trend Micro will do what we can to protect users, but it’s better for all parties that smart devices be as secure as possible in the first place. Not only must the vendors of these devices try to develop their products in line with sound security practices; they must also test these devices so that they stay safe in the face of new threats.

    More of my thoughts on the Internet of Everything are in the video below:

    For more information on the security risks and how to secure smart devices, visit our Internet of Everything hub which contains our materials that discuss this emerging field.

     
    Posted in CTO Insights |



    Last month, there was a very interesting decision out of the European Court of Justice. The decision established what can be called the “right to be forgotten“. People can now ask search engines like Google to remove links from search results about them.

    So, for example, say you are now a successful businessman. However, the first search results for your name is a slightly embarrassing incident that took place in your youth. Now, you can ask Google to “forget” about that incident so it won’t show up first when someone searches for your name.

    You can debate whether this is a good idea or not. Europeans like myself tend to think this is a good idea – after all, who else should control your data but you, right? Americans tend to look at it as a free speech issue. There is a cultural divide here that will not be easy to resolve.

    What it does teach us, though, is how much data there is out there about all of us. Our web browsing, our purchases, our personal information – it’s all out there in the hands of various companies. And what are they doing with it? There’s an adage that says that if you’re not paying for the product, you are the product. The real customers are advertisers who want to sell you whatever it is they’re selling.

    Now, some will say that this isn’t all bad. After all, don’t you get free services and more relevant advertising? How can this be a bad thing?

    It’s not necessarily a bad thing either. What it has to be is an informed decision by users – that they give up some of their data in exchange for some service of value to them. Today, it’s hard to say that is the case - too often, the allure of “free” trumps everything else, and people will give up data about themselves without being completely aware.

    Privacy is ultimately defined by what people decide to share or not. It remains to be seen what people decide should be made public and what remains “forgotten”, as it were.

    More of my thoughts on privacy can be found in the following video:

     
    Posted in CTO Insights, Data |



    Today’s technology is becoming better and better at an exponential clip. It was only a few decades ago that we had cellphones the size of bricks and Internet the speed of which is only a fraction of a single percent of today’s connections. Now we carry powerful computers in our pockets as well as wear them for watches, and we can download entire libraries in less than a couple of moments.

    But with all benefits there are prices to pay for such convenience. One of them is how the companies behind such conveniences use them to collect data from their customers – how they use the service, when and where and who and why. The fact is, these companies never reveal the fact that they do so readily – more often than not, it is discovered by someone who bothers to look, and whenever they do there’s always a furor surrounding it, to the point of a scandal.

    Is data gathering really something to be upset about? Every company does it. Amazon, for example, takes note of what you buy or prefer or look for, and brings up suggestions for you every time you log in so that you save time and energy. Even coffeeshops take note of what regulars order, and cheerfully suggest someone’s ‘usual’ whenever they walk in. If the information they gather helps improve their services instead of some other clandestine and probably illegal purpose, then can data gathering really hurt?

    To be honest, I don’t think so – so long as the right conditions are met. Watch my video as I tackle this sensitive issue.

     
    Posted in CTO Insights, Data | Comments Off



    It is an interesting time to be in IT security today. PRISM and Edward Snowden taught many lessons about how companies should secure their data. There’s been a lot of discussion about the surveillance aspect of this, but consider this whole affair from the side of the NSA.

    To the NSA, this was a data breach of unprecedented proportions. All indications are that Snowden was able to exfiltrate a significant amount of classified data; what has been published so far represents a relatively small portion of what he was able to access. Consider that Snowden technically wasn’t even an employee – he was a contractor. How did he do this? How could a contractor access this much information?

    Some companies may think – “if it can happen to a spy agency, there’s nothing we could do. We should just give up and not protect our data anymore.” Others may say: “let’s build a bigger wall around our data.” Both approaches are incorrect. Obviously, you have to protect your data. However, neither can enterprises just try and protect everything with the same rigor. A truly determined attacker can get in if he wants to get in.

    What an enterprise needs to focus on is what really needs to be protected. Which sets of data, if stolen, can ruin a business? Are they the trade secrets? Or maybe customer data? This will differ for each company – what may be vital for one organization may be trivial for another. Each organization has to decide for itself. Some examples of what a company can consider core data would be: trade secrets, research and development documents, and partner information. Each of these would represent millions of dollars in losses, not just in monetary terms, but in trust and confidence as well.

    Once these core data have been selected and identified, the next step is: defend these strongly. How? That would depend on what the data is, how it is stored, and who needs to access it. Is it something that can be locked in a vault and kept offline for years on end, or is it something that needs to be accessed on a daily basis? For each organization, the challenges will be different, and so will the solutions.

    We must not forget one other component of security: end users. Difficult as it is, end users should be educated to not fall for simple scams. Examples include, “If the administrator asks you for your user credential and password, maybe you should ask another one instead. If you receive an email, which sounds too good to be true, don’t click on it.”

    All in all, it’s a combination of identifying what’s most important, deploying the right technologies, and educating users. It is everybody’s job – not just those of IT professionals – to ensure that the company’s core data stays safe.

     
    Posted in CTO Insights, Data, Targeted Attacks | Comments Off



    There is no doubt that mobile banking is going to become very significant in 2014, if it isn’t already. In the United States, a quarter of all people selecting a bank say mobile banking is a “must-have”. In parts of the developing world, mobile banking is even the dominant form of banking. There is no doubt anymore that mobile banking is a big part of the banking landscape – which means, of course, that it is bound to become a big part of the threat landscape as well.

    In the past, smartphones were generally used to help protect normal online banking transactions. Banks would send users a Transaction Authorization Number (TAN) via SMS that they would have to enter on their PCs to verify that a transaction was valid. It’s essentially a form of two-factor authorization that improves security by providing a second means of authentication for users.

    However, in mobile banking, this second form of authentication is usually not present. This leaves users just as open to banking threats as they were elsewhere without a TAN in use: malware on the mobile device can act as a man-in-the-middle Trojan and carry out information theft as easily as they would on other platforms. This is something we explicitly talked about in our predictions for 2014.

    So, what can you do to help protect yourself? I discuss that topic in the video below.

     
    Posted in CTO Insights, Mobile | Comments Off


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice