    Author Archive - Tom Kellermann (Chief Cybersecurity Officer)

    Up to now, there have been relatively few laws or regulations from government agencies that mandate just how companies should protect their data. In the United States, however, that may be about to change.

    Earlier this week, the United States Court of Appeals for the Third Circuit decided in FTC v. Wyndham Worldwide Corp. that the Federal Trade Commission (FTC) had the authority under existing law to regulate the cybersecurity practices of businesses. This sets a precedent that could change how and why companies protect the information of their users. In the long term, it also sends a message: the FTC is keeping an eye on how companies secure their data, and will punish those who fail to do so.

    To recap, the FTC is a body of the United States government that is mandated to enforce consumer protection laws via voluntary consent decrees, administrative complaints, or federal lawsuits. Historically, the FTC has concentrated on what it considers to be unfair or deceptive business practices.

    The FTC has been battling Wyndham (a global hotel conglomerate) since 2012 over breaches that led to the personal details of more than 600,000 guests being stolen. Wyndham argued that the FTC’s authority did not extend to punishing the hotel chain for the breaches. The court, however, disagreed.

    In a very real way, this decision modernizes the authority of the FTC. It has become clear that repeated large-scale breaches are as large a threat to consumers as the more pedestrian issues the FTC has handled in the past. However, this is not as unprecedented as one may think: the FTC has long kept an eye on how tech companies implement their security and privacy policies. For example, the FTC pointed out at this year’s Black Hat convention that it had settled with Snapchat over how the latter handled messages and photos.

    What does this mean for companies? Simply put, it means that promises of “security” and “privacy” can no longer be glib phrases that, legally speaking, mean nothing. Instead, companies will actually have to make these promises happen, lest they be subject to an enforcement action that could cost millions. This raises proper cybersecurity from a nice-to-have (which, in many organizations, is still how it is treated) to a must-have item required to comply with regulation. The FTC is watching for gross failures in cybersecurity and will punish them accordingly to set an example for others.

    The US is not alone in this. European regulators have also been moving to impose regulations, albeit from a slightly different approach (data protection versus business practices). In the end, whatever the approach may be, this is welcome news that should help keep the personal data of consumers safe and secure.


    Posted in Bad Sites |

    “There is one thing stronger than all the armies in the world, and that is an idea whose time has come.” – Victor Hugo

    The world has reached a point of inflection in cybercrime. As cyberspace abounds with cyber privateers, and many nations of the world become havens for these modern-day pirates, it appears that 2013 is the year of hacking for criminal gain.

    In our recently released predictions for 2013, our CTO Raimund Genes laid out his strategic vision for the future of cybercrime. The predictions highlight the developments we will encounter in 2013, more specifically in the attack vectors used by cybercriminals. Raimund predicts that attackers will shift their strategy away from developing sophisticated malware and toward the means to infiltrate networks and evade detection.

    As we move to Web 3.0, it is important for us to acknowledge the risk we will face to our businesses and our digital lifestyles in general. It is also fundamental that we begin to increase our situational awareness of the tactics employed by these actors so as to sustain commerce and finance.


    Posted in Bad Sites, Malware, Mobile, Targeted Attacks | Comments Off on Observations on the Evolution of Cyber Tactics in 2013

    Mainstream media have repeatedly described the threat landscape as constantly evolving: attacks are becoming more sophisticated and the people behind them better equipped. This assertion, though certainly true, raises questions about how sophisticated these targeted attacks really are, how a digital insider stays hidden, and how to mitigate these threats.

    By now, we are all aware that traditional defenses are no longer effective in addressing these threats. In fact, based on Trend Micro research, over 90 per cent of enterprise networks contain malware, with one new threat created every second. Enterprises are also besieged by other challenges such as:

    • Increasingly cloud-based IT environments, combined with the growing use of employee-owned mobile devices in the workplace.
    • The availability of cybercrime tools on the Internet, which makes them accessible to any potential attacker.
    • Cyber attacks initiated by organized crime gangs that are more sophisticated and precise than ever before.

    The big problem, however, is not just that a digital intruder will attempt to control the network, but that it will propagate, exfiltrate data and keep its activities hidden. Its ability to evade detection, ultimately, is what makes these targeted attacks so problematic.

    Digital Insiders: One Step Ahead of IT Admins

    Digital insiders are aware of how IT administrators would respond to a possible data breach. Typically, administrators scout for exploitable vulnerabilities and for signs of communication with unknown IP addresses. To circumvent these efforts, attackers may patch the very vulnerabilities they used to get in. This serves another purpose: patching them prevents other hackers from piggybacking on their efforts.

    Digital insiders also move their command and control inside the ecosystem and impose a ‘sleep cycle’ to avoid easily detectable communication. They may reach out to an outside IP address only once in a while, as with the recent Ixeshe campaign. In the case of the recent Flashback Mac malware, the bad guys used specialized techniques that prevent security researchers from analyzing the malware.

    Thwarting Digital Insiders

    This is a new breed of sophisticated threat that requires an advanced persistent response from organizations. To gain the upper hand, firms must be able to spot the unwanted intruder and constantly foil its efforts through:

    1. Correlating cybercrime activity observed in the wild with what is happening on an enterprise’s network using big data analytics. This lets organizations spot links between the two and gives them the information needed to create a concrete action plan.
    2. Multi-level rule-based event correlation, such as that featured in Trend Micro’s Deep Discovery. Given that these actors are experts at keeping their activities hidden, this is a useful tool to identify dubious activity inside an organization’s network, point out possible threat actors and monitor their activities.

    In other words, this requires organizations to increase their awareness of the activity on their networks and their ability to correlate events in order to thwart the digital insider’s malicious activities.
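    To make the two correlation steps above concrete, here is a small added example (not code from the original post and not Trend Micro’s Deep Discovery) that scores outbound connections from constructed proxy log lines on the signals the post describes: a match against an external threat-intelligence list (activity “in the wild”) and a low-and-slow beacon that sleeps for hours between near-periodic check-ins. The log format, the indicator list, the host names and the thresholds are all assumptions for illustration.

```python
"""
Added example: multi-level correlation of outbound connections.
Signals (each a separate rule, weighted and summed per source/destination pair):
  1. destination is on a threat-intelligence list        (+2)
  2. connections are few, spread out, but near-periodic  (+2, the "sleep cycle")
  3. request sizes are near-constant                     (+1, scripted check-in)
Anything scoring at or above the alert threshold is reported.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (assumed format): "<ISO timestamp> <src_host> <dst_ip> <bytes_out>"
# ws-17 -> 203.0.113.10 checks in every six hours with an almost identical payload.
# ws-17 -> 198.51.100.7 is ordinary bursty browsing.
# ws-22 -> 192.0.2.55 is irregular but hits a known-bad address.
SAMPLE_LOG = """\
2013-03-04T08:00:02 ws-17 203.0.113.10 412
2013-03-04T08:00:05 ws-17 198.51.100.7 1532
2013-03-04T08:01:11 ws-17 198.51.100.7 2048
2013-03-04T08:03:40 ws-17 198.51.100.7 777
2013-03-04T14:00:05 ws-17 203.0.113.10 410
2013-03-04T20:00:01 ws-17 203.0.113.10 415
2013-03-05T02:00:03 ws-17 203.0.113.10 409
2013-03-05T08:00:04 ws-17 203.0.113.10 414
2013-03-04T09:12:00 ws-22 192.0.2.55 120
2013-03-04T09:12:30 ws-22 192.0.2.55 900
2013-03-04T10:45:10 ws-22 192.0.2.55 125
"""

# Constructed indicator set standing in for an external threat-intelligence feed.
THREAT_INTEL = {"192.0.2.55"}


def parse_log(text):
    """Parse the assumed log format into (timestamp, src, dst, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def coefficient_of_variation(values):
    """stdev / mean; infinite when there is too little data to judge."""
    if len(values) < 2:
        return float("inf")
    mean = statistics.fmean(values)
    return float("inf") if mean == 0 else statistics.stdev(values) / mean


def is_periodic(timestamps, min_count=4, min_mean_seconds=3600, max_cv=0.1):
    """True when connections are sparse (long mean gap) yet regular (low gap jitter).
    A long minimum gap is what distinguishes a sleeping beacon from normal browsing."""
    if len(timestamps) < min_count:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return statistics.fmean(gaps) >= min_mean_seconds and coefficient_of_variation(gaps) <= max_cv


def has_consistent_size(sizes, min_count=4, max_cv=0.05):
    """True when the request size barely varies, as a scripted check-in's does."""
    return len(sizes) >= min_count and coefficient_of_variation(sizes) <= max_cv


def correlate(log_text, intel, alert_threshold=2):
    """Group by (src, dst), apply each rule, and return the pairs that reach the threshold."""
    groups = defaultdict(list)
    for ts, src, dst, nbytes in parse_log(log_text):
        groups[(src, dst)].append((ts, nbytes))

    findings = {}
    for (src, dst), events in groups.items():
        timestamps = [ts for ts, _ in events]
        sizes = [n for _, n in events]
        score, reasons = 0, []
        if dst in intel:
            score += 2
            reasons.append("destination on threat-intel list")
        if is_periodic(timestamps):
            score += 2
            reasons.append("near-periodic low-frequency connections (sleep cycle)")
        if has_consistent_size(sizes):
            score += 1
            reasons.append("near-constant request size")
        if score >= alert_threshold:
            findings[(src, dst)] = {"score": score, "reasons": reasons, "connections": len(events)}
    return findings


if __name__ == "__main__":
    for (src, dst), info in sorted(correlate(SAMPLE_LOG, THREAT_INTEL).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{src} -> {dst}: score {info['score']} over {info['connections']} connections; " + "; ".join(info["reasons"]))
```

    On the constructed data the six-hour beacon from ws-17 is flagged without any indicator match, purely because its gaps and payload sizes are too regular for a human, while the bursty browsing from the same host scores nothing. The point of summing separate rules is that a beacon which sleeps for hours slips past per-connection thresholds; it only stands out once events for the same pair are correlated over a long window.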

    Read the full report How to Thwart the Digital Insider – an Advanced Persistent Response to Targeted Attacks.

    Posted in Targeted Attacks | Comments Off on Advanced Persistent Response Thwarts Malicious Digital Insider

    We often debate who the most sophisticated hackers in the world are. I firmly believe that there is a direct correlation between the chess-playing community and hacking. To this point, I would tip my hat to the Eastern European hacker crews of 2011 and 2012.

    There are three historical factors that distinguish Eastern Europe hackers from those in the rest of the world:

    • An educational culture which has long emphasized mathematics and chess
    • A robust underground economy
    • A well-developed “tradecraft” of criminal activity that has adapted well to the Internet age

    The obfuscation techniques and nano-malware we have seen deposited in the financial sector illustrate the evolution of capabilities which are being sold in the arms bazaar of Eastern Europe. In today’s era of professional cyber hacker crews, we must acknowledge that the APT has been privatized and that spinning the cyber chess board is an imperative. Beyond a healthy respect for the stratagems utilized by our adversary, we must move away from over-reliance on perimeter defenses.

    As we spin the chess board within our networks, let us acknowledge that a “knight’s fork” in cybersecurity begins with situational awareness and ends with hindering exfiltration. Thus, the fundamentals of cybersecurity in 2012 are: specialized threat detection, threat intelligence, file integrity monitoring, and virtual shielding.

    More on my thoughts regarding Eastern European cyber hacker crews are published in this paper.

    Posted in Targeted Attacks | Comments Off on Spinning The Chessboard


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice