Monday 15 April 2013

German IT Cybersecurity Proposal

As America continues to consider legislation for improving cybersecurity, the actions of other Western nations may (or may not) be of influence and interest.  I recently received a management summary of the proposed German IT security legislation being drafted by the government.  [In Germany, more so than in the US, government proposals come from the executive and are likely to be adopted by the parliament.].  Naturally, the base text is in German, but this English language summary is quite informative and reflects a much more regulatory approach than many in America are considering:
German Ministry of the Interior

 Content of Main Regulations to Improve IT Security

 Operators of critical infrastructure are required to meet minimum IT security standards:  Operators of major critical infrastructure shall take IT security measures in accordance with the state of the art and ensure compliance therewith.  Sectors may develop internal standards which the Federal Office for Information Security (BSI) recognizes as a concretization of the statutory commitment.
Operators of critical infrastructure are required to report significant IT security incidents:  Operators of major critical infrastructure shall immediately report to the BSI any IT security incidents having implications for security of supply or public safety through channels established for that purpose.  Only in this way can the Office for Information Security create a valid national situation report and support the operators in overcoming the incident.
Telecom providers are required to meet minimum IT security standards: Providers shall ensure IT security in accordance with the state of the art, not only as in the past to protect confidentiality and privacy of personal data but also to guard against unauthorized intrusions in the infrastructure, in order to improve the resilience of the networks as a whole and thus to ensure their availability.
Telecom providers are required to report significant IT security incidents:  Providers shall immediately report IT security incidents that could lead to a disruption in availability or unauthorized access to user systems.  Beyond the existing reporting requirement in case of a breach of personal data privacy, providers responsible for the backbone of the information society will thus be able to contribute to a valid and complete situation report.
Telecom providers are obligated to inform users of malware and provide technical support tools to identify and remove it:  The prescribed information shall enable the user himself to take measures against the malware.  The providers must furthermore provide users with easy-to-use security tools that can be used to prevent and eliminate disruptions emanating from the concerned user’s infected system.
Providers of telemedia services are required to meet minimum IT security standards:  To reduce the spread of malware via telemedia, providers who offer telemedia services commercially and for remuneration are obligated to implement recognized protective measures to improve IT security to a reasonable degree.
The Federal Office for Information Security is required to report annually:  The envisaged annual report and its publication are intended to further sensitize the public to the issue of IT security, which, in light of the fact that numerous successful IT intrusions could have been prevented by using standard tools, is particularly important.

Health Care Provider Gets 12 Years in Prison for Identity Theft


The FBI recently announced that Helene Michel, owner of medical equipment company Medical Solutions Management Inc. (MSM), has been sentenced to 12 years in federal prison for conspiracy to commit health care fraud, health care fraud, and HIPAA identity theft crimes. Michel was also ordered to forfeit $1.3 million that was seized by the government when she was indicted

Between April 2003 and March 2007, Michel owned and operated MSM, and apparently used her position as a medical equipment company owner to enter New York nursing homes in order to steal patient records. She also apparently posed at various times as a doctor, a nurse practitioner, and a wound care expert, and even accompanied doctors on rounds.

Michel then apparently used the stolen medical records to submit $10 million in false Medicare claims. "For example, in one instance, Michel used fraudulent drawings and measurements to support a Medicare claim for the cost of fitted boots for a legless patient. ... In the event that Medicare denied an MSM claim, Michel submitted an appeal of the denial supported by additional stolen and altered patient records," the FBI states.

According to the FBI, Michel spent the funds resulting from the Medicare claims to purchase a multi-million dollar home, luxury cars, and designer handbags. "[Michel] was a con woman, deceiving patients and administrators alike as she trolled for the information she used to submit fraudulent claims to Medicare to support her extravagant lifestyle," United States Attorney Loretta E. Lynch said in a statement. "Through her scheme she violated the privacy of over a thousand patients and stole Medicare funds dedicated to preserving the health of our seniors and other citizens."

Etienne Allonce, Michel's co-defendent and the co-owner of MSM, remains a fugitive and is believed to have fled the country.

Brute Force Attacks Build WordPress Botnet

Security experts are warning that an escalating series of online attacks designed to break into poorly-secured WordPress blogs is fueling the growth of an unusually powerful botnet currently made up of more than 90,000 Web servers.
Source: Cloudflare.com

Over the past week, analysts from a variety of security and networking firms have tracked an alarming uptick in so-called “brute force” password-guessing attacks against Web sites powered by WordPress, perhaps the most popular content management system in use today (this blog also runs WordPress).
According to Web site security firm Incapsula, those responsible for this crime campaign are scanning the Internet for WordPress installations, and then attempting to log in to the administrative console at these sites using a custom list of approximately 1,000 of the most commonly-used username and password combinations.
Incapsula co-founder Marc Gaffan told KrebsOnSecurity that infected sites will be seeded with a backdoor the lets the attackers control the site remotely (the backdoors persist regardless of whether the legitimate site owner subsequently changes his password). The infected sites then are conscripted into the attacking server botnet, and forced to launch password-guessing attacks against other sites running WordPress.
Gaffan said the traffic being generated by all this activity is wreaking havoc for some Web hosting firms.
“It’s hurting the service providers the most, not just with incoming traffic,” Gaffan said. “But as soon as those servers get hacked, they are now bombarding other servers with attack traffic. We’re talking about Web servers, not home PCs. PCs maybe connected to the Internet with a 10 megabit or 20 megabit line, but the best hosting providers have essentially unlimited Internet bandwidth. We think they’re building an army of zombies, big servers to bombard other targets for a bigger cause down the road.”
Indeed, this was the message driven home Thursday in a blog post from Houston, Texas based HostGator, one of the largest hosting providers in the United States. The company’s data suggests that the botnet of infected WordPress installations now includes more than 90,000 compromised sites.

Source: http://krebsonsecurity.com/

Cyber attacks that may be originating in China raise awareness of the need for more people getting trained in cyber security

A recent meeting between Chinese president Xi Jinping and Jack Lew, the United States secretary of the treasury, focused in part on a number of cyber attacks on U.S. companies that apparently originated in China. The attacks are the most recent example of the worldwide rise in cyber attacks and the accompanying need for more people to handle cyber security.

American computer security experts have charged that more than 140 companies, including the New York Times, and government agencies worldwide have been hacked through attacks that originated in China. Chinese officials deny the charge.

Cyber security again reached the forefront of the news after an attack in South Korea, where computer systems at banks and television stations crashed after a cyber attack, possibly launched in North Korea.


Regardless of who is responsible for the attacks, the need for people to handle cyber security is clear. A recent article from the Washington Post said the U.S. Department of Defense is planning on adding more than 4,000 employees to the department’s Cyber Command. Quoting an unnamed official at the Pentagon, Computerworld said the expansion is needed because America is “faced with an increasing threat of a cyber attack that could be as destructive as the terrorist attack on 9/11.”

The need is widespread. The names and specific job descriptions depend on the company or government agency offering the job, but some of the jobs in demand include:

Network security specialist. People in this position monitor computer systems to make sure there are no unauthorized users in the system or security threats. Network security specialists also must plan ahead, developing ideas of where cyber attacks might come from and developing a response plan to handle such attacks. They may also develop or test software and firewalls.

Cyber security policy analyst. Someone in this job will oversee whatever plans are in place to prevent cyber attacks, taking responsibility for the effectiveness of a company or government agency’s cyber defenses.

Software developer. This person is responsible for actually writing the computer code used in developing cyber security protection for a computer system.

Information security analyst.  The job title used by the federal Bureau of Labor Statistics (BLS), an information security analyst takes responsibility for developing a company’s security against cyber attacks. The first step is keeping up with the latest attacks and then finding ways to prevent the attacks from being successful against a specific computer system.

Pay for any of these jobs varies greatly depending on the specific company and government agency, as well as the region of the country where the job is located. The BLS combines information security analysts, web developers and computer network architects into one group, reporting the median average pay for all of them in May 2010 was $75,660.

The lowest 10% in that group earned less than $43,190, while the top 10% earned more than $119,940, according to the BLS.

The BLS furthers estimates, based on a survey by Robert Half Technology, that data security analysts made between $89,000 and $121,500 in 2012, while a network security administrator made between $85,000 and $117,750.

Education Needed for Cyber Security Workers

The level of education can vary depending on the job in the cyber security field.

However, most people who work as an information security analyst have a bachelor’s degree in computer science, programming or something related, according to the BLS. Some schools now offer undergraduate degrees in cyber security, an area that is expected to grow as the demand for cyber security grows.

Some of those working in cyber security, particularly those wishing to lead a team or department, now opt to seek a master’s degree. Specifically, according to the BLS, they seek a MBA with a concentration on information systems that includes courses in both business and computer science.

Completion of a master’s degree typically takes about two years of study after completion of an undergraduate degree.

How Antivirus Software Works: 4 Detection Techniques

An antivirus tool is an essential component of most antimalware suites. It must identify known and previously unseen malicious files with the goal of blocking them before they can cause damage. Though tools differ in the implementation of malware-detection mechanisms, they tend to incorporate the same virus detection techniques. Familiarity with these techniques can help you understand how antivirus software works.

Though endpoint antivirus tools may differ in their implementation of malware-detection approaches, the tend to incorporate the same 4 essential techniques.
  • Signature-based detection
  • Heuristics-based detection
  • Behavioral detection
  • Cloud-based detection


Virus detection techniques can be classified as follows:

  • Signature-based detection uses key aspects of an examined file to create a static fingerprint of known malware. The signature could represent a series of bytes in the file. It could also be a cryptographic hash of the file or its sections. This method of detecting malware has been an essential aspect of antivirus tools since their inception; it remains a part of many tools to date, though its importance is diminishing. A major limitation of signature-based detection is that, by itself, this method is unable to flag malicious files for which signatures have not yet been developed. With this in mind, modern attackers frequently mutate their creations to retain malicious functionality by changing the file’s signature.
  • Heuristics-based detection aims at generically detecting new malware by statically examining files for suspicious characteristics without an exact signature match. For instance, an antivirus tool might look for the presence of rare instructions or junk code in the examined file. The tool might also emulate running the file to see what it would do if executed, attempting to do this without noticeably slowing down the system. A single suspicious attribute might not be enough to flag the file as malicious. However, several such characteristics might exceed the expected risk threshold, leading the tool to classify the file as malware. The biggest downside of heuristics is it can inadvertently flag legitimate files as malicious.
  • Behavioral detection observes how the program executes, rather than merely emulating its execution. This approach attempts to identify malware by looking for suspicious behaviors, such as unpacking of malcode, modifying the hosts file or observing keystrokes. Noticing such actions allows an antivirus tool to detect the presence of previously unseen malware on the protected system. As with heuristics, each of these actions by itself might not be sufficient to classify the program as malware. However, taken together, they could be indicative of a malicious program. The use of behavioral techniques brings antivirus tools closer to the category of host intrusion prevention systems (HIPS), which have traditionally existed as a separate product category.
  • Cloud-based detection identifies malware by collecting data from protected computers while analyzing it on the provider’s infrastructure, instead of performing the analysis locally. This is usually done by capturing the relevant details about the file and the context of its execution on the endpoint, and providing them to the cloud engine for processing. The local antivirus agent only needs to perform minimal processing. Moreover, the vendor’s cloud engine can derive patterns related to malware characteristics and behavior by correlating data from multiple systems. In contrast, other antivirus components base decisions mostly on locally observed attributes and behaviors. A cloud-based engine allows individual users of the antivirus tool to benefit from the  experiences of other members of the community.
Author--- Lenny Zeltser(tech target)