New INTERPOL Global Complex for Innovation (IGCI), pictured in Singapore, on September 30, 2014

New Interpol complex in Singapore to boost fight against cyber crime

A new Interpol centre to be opened in Singapore next year will strengthen global efforts to fight increasingly tech-savvy international criminals, officials said on Tuesday.

The Interpol Global Complex for Innovation (IGCI) will be “dedicated to fighting cyber crime”, the global police organisation’s secretary general Ronald Noble said in a speech at the centre’s new building.

Noble and other senior Interpol officials attended the handover ceremony of the building from Singapore to the organisation, based in the French city of Lyon.

“We also believe that providing training to our member countries’ police forces in the face of new age criminalities must constitute a core component of the IGCI,” Noble said.

The Singapore complex will be officially opened in April next year and will complement the agency’s headquarters.

A digital crimes centre will “support member countries’ operations by providing law enforcement agencies with advanced tools and techniques to counter the latest cybercrime trends,” said S. Iswaran, Singapore’s second minister for home affairs.

“It will also facilitate information-sharing with the private sector, which could have critical information that can strengthen efforts and actions against cybercrime,” he added.

Singapore, Southeast Asia’s financial capital, last month announced new measures to strengthen cyber security to prevent a recurrence of attacks on government websites including those of its president and prime minister.

Globally, insidious email scams known as phishing cost organisations $5.9 billion in losses in 2013, according to a report by US-based computer security firm RSA.

Malicious mobile apps, money-laundering through virtual currencies and malware attacks are the three top cybercrime trends, RSA said.

An illustration picture shows projection of binary code on man holding aptop computer in Warsaw

Europe’s police need data law changes to fight cybercrime: Europol

LONDON (Reuters) – Law enforcers in Europe need greater powers to retain data for longer in order to catch cybercriminals selling discrete services that police cannot trace under existing regulations, according to a Europol report published on Monday.

Cybercrime is increasingly conducted by a highly specialized chain of software break-in experts, underground market-makers and buy-side fraudsters who convert stolen passwords and identities into financial gains. Criminals can keep data for months or even years before using it to defraud victims.

The study, entitled “The Internet Organised Crime Threat Assessment” by the EU’s criminal intelligence agency, says because laws limit how much data can be held and for how long, police cannot effectively trace and prosecute criminals.

Tougher laws for investigating and prosecuting cybercrime also need to be harmonized across the bloc, the report said.

“The majority of intelligence and evidence for cyber investigations comes from private industry. With no data retention, there can be no attribution and therefore no prosecutions,” says Europol of criminals who often operate beyond EU borders in Eastern Europe and beyond.

Europol also says the pool of cyberfraudsters is growing.

“Entry barriers into cybercrime are being lowered, allowing those lacking technical expertise — including traditional organized crime groups — to venture into cybercrime by purchasing the skills and tools they lack,” it said.

While providing no specific numbers, the agency says that the scale of financial losses due to online fraud has surpassed damages to payment from physical credit and other payment cards. Losses are huge, not just for card issuers but also for airlines, hotels and online retailers, the report states.

In other recommendations, it also warns about the abuse of anonymous virtual currency schemes such as bitcoin, pointing to a “considerable challenge in tracking such transactions or even identifying activities such as money laundering”.

The agency highlights the role of anonymous, private networks, known as Darknets, in enabling a vast underground trade in drugs, weapons, stolen goods, stolen personal and payment card data, forged documents and child pornography.

Europol’s report capitalizes on a growing body of literature from academic and private sector cyber threat researchers that have traced the rise of such online criminal marketplaces trading in billions of personal financial details.

“THE FUTURE IS ALREADY HERE”

Cybercriminals are cashing in on the latest Internet trends such as Big Data, Cloud Computing and The Internet of Things, allowing them to rent massive computing power to analyze vast troves of data gathered from the ever-expanding range of connected devices in homes, cars and on consumers themselves.

For example, the report finds that “Big Data” predictive software is now used by criminals to identify the most lucrative targets for credit card fraud and to improve methods of tricking consumers into divulging more personal data for later attacks.

“The future is already here,” the Europol study states.

The agency describes the rise of what it labels “Crime-as-a-Service”, running illicit activities via a network of independent suppliers, mimicking parts of the “Software as a Service” playbook that drives top Web companies, including Salesforce, Amazon.com and Google.

Crime-as-a-Service offerings include:

* Data as a service collects huge volumes of compromised financial data such as credit cards and bank account details and bundles it with standard personal ID info. Such specialization allows the massive automation of both online and offline fraud.

* Pay-per-install, another service, is a means of distributing malware to comprised computers, by country or demographic, expediting both online and offline fraud because it frees fraudsters from having to steal personal data themselves.

* Translation services, in which native speakers are hired to convert phishing or spam attacks written in one language into convincing, grammatically correct scripts in other tongues.

* Money laundering services act as bridges to cash out from digital or physical world financial systems, often using money mules as go-betweens.

(Editing by Louise Ireland)

Cybersecurity Is A Severe And Growing Challenge For Government Contractors

Security Breach Puts Altegrity’s Integrity And Liquidity On The Line

By Kate Marino

Hackers have claimed some high-profile corporate victims over the last year, with household names like Target and Home Depot typically reaping the lion’s share of media attention. Cyber attacks represent a growing threat to the business world, and their fallout could cost the global economy as much as $3 trillion by 2020, according to a McKinsey & Co. report.

While the two retail giants may have the wherewithal to absorb the earnings hiccups that invariably accompany a security breach, smaller and more highly levered companies won’t always be so fortunate. Take Altegrity, the government contractor owned by Providence Equity Partners that’s now dealing with the blowback of a cyber-attack in one of its units, US Investigations Services (USIS).

A month after the early August announcement of the attack, one of Altegrity’s major customers, the government’s Office of Personnel Management (OPM) announced it would not extend its contracts with USIS past their current September 30 expirations. The OPM contracts represent about 10 percent of Altegrity’s annual EBITDA, lending sources tell Debtwire. And besides the obvious negative of the earnings loss, the hefty cancellation also raises the prospect that other customers will follow suit.

The cyber-attack wasn’t the company’s first setback in its dealings with OPM. Altegrity gained notoriety earlier this year when the USIS segment was revealed as the company that performed the government’s background checks on Edward Snowden, the infamous National Security Agency leaker, as well as Aaron Alexis, the gunman responsible for opening fire in the Washington Navy Yard in September 2013. In January, the US Department of Justice joined a lawsuit against USIS claiming the company skimped on background checks.

The September 9 announcement of OPM’s cancellation caused trading levels in Altegrity’s $1.7 billion in debt to collapse. Its $280 million 13 percent second lien notes due 2020 now trade at around 48 cents on the dollar, compared with trades at 75 in early September, sources said.

USIS competes for taxpayer-funded business against firms like the listed CACI International, KeyPoint Government Solutions and publicly traded government contractor ManTech International, which has also faced complaints about deficient background checks.

Meanwhile, USIS’ disastrous security breach came just a month after highly levered Altegrity ostensibly got its house in order, with a multi-pronged balance sheet restructuring that extended near-term maturities and swapped unsecured debt for new debt with stronger collateral packages. Prior to the transaction, the company was facing the prospect of defaulting on covenants in its bank debt, and the complex deal was meant to give it a new lease on life in the form of additional time to improve operations and evaluate asset sales.

At the close of the recapitalization, the company’s debt load amounted to more than nine times its EBITDA.

Going forward, Altegrity’s options are quickly diminishing. The company last year tried to sell its crown jewel business, HireRight, but bids came in far below the 10x-11x EBITDA multiple that its private equity owners had targeted, Debtwire sources say. It will also have to deal with a dwindling cash position amid earnings declines and costs to wind down its OPM business.

Kate Marino is Deputy Editor of Debtwire North America. Kate’s expertise spans the leveraged finance market, with a specialty in loans. She can be reached at Kate.Marino@debtwire.com.

This post is brought to you by Debtwire, a Mergermarket company, the leading provider of real-time intelligence, analysis and data on distressed debt, leveraged finance and asset-backed markets. The team at Debtwire is comprised of financial journalists and credit analysts with considerable experience covering trading, law and investment banking. Our reach is global, with separate products covering North America, Europe, CEEMEA, Asia-Pacific, Latin America, ABS and Municipals.  For more information regarding Debtwire visit www.debtwire.com

Data Breaches Rise as Cybercriminals Continue to Outwit IT

Data Breaches Rise as Cybercriminals Continue to Outwit IT

Online criminals remain at least one step ahead of many IT groups, according to this year’s “U.S. State of Cybercrime Survey,” conducted annually by CSO magazine, the Secret Service, the Software Engineering Institute at Carnegie Mellon University, and PricewaterhouseCoopers. Deterrence and detection are both falling short of their goals: The 500 survey respondents faced an average of 135 security incidents last year, and 34 percent say that number was up compared to the previous year. Just one-third of respondents could estimate losses from their breaches; among those who could, the breaches cost $415,000, on average. Legal liabilities and lawsuits after breaches add to the costs.

Part of the problem is that only 38 percent of companies have established a way to prioritize their security investments to focus on actual risks and the repercussions they bring.

“You’ll often see organizations spend to secure [against] the current big threat but not focus on building a sustainable security program,” says John Pescatore, a director at the SANS Institute, a security training organization.

Better employee training decreases the costs associated with security problems, the survey finds. Companies without security training for new hires reported that their average annual financial losses related to cybersecurity incidents totaled $683,000, while those with training programs say they lost an average of $162,000 on security breaches.

Companies typically don’t share information about security problems with each other, but some are starting to, through Information Sharing and Analysis Centers (ISAC). In ISACs for the defense, retail, electricity, financial services and other industries, member companies share best practices and pass on warnings and advice when attacks occur.

Cloud of Hurt

Hot technologies, especially mobile and cloud, bring new security problems. The bring-your-own-device trend, for instance, presents ongoing issues. “Mobile devices and the consumer cloud services to which they connect are moving so quickly that IT security technologies can’t keep up,” says Paula Tolliver, corporate vice president of business services and information systems at Dow Chemical.

Just 38 percent of those surveyed encrypt mobile devices, while less than half (49 percent) have a plan to respond to insider breaches.

Ken Swick, technical information security officer at Citigroup, says the company takes no chances with user-owned devices, cordoning them off from the enterprise network.

Cloud computing presents hazards of its own, but while two years ago 54 percent of organizations had a process for evaluating the security of third-party partners before entering a business deal with them, last year that number dropped to 44 percent. At Dow, one approach for mitigating risk is to use “mature” providers “in a private environment to ensure this level of service and security,” Tolliver says.

Citi, meanwhile, doesn’t permit its data to be sent to cloud systems that aren’t under the bank’s control, says Swick. Not all third-party providers are thrilled with the scrutiny they face during Citi’s due diligence process. “We run into pushback when we tell them to fix what we find on our assessments,” he says.

A roundup of last week's popular and featured articles on TUAW

Last week’s popular and featured articles on TUAW you don’t want to miss

Last week was a busy one with your favorite TUAW writers posting some excellent How-To guides, commentary and other useful articles. Here’s a quick roundup of our recent feature worthy posts you may have missed:

TUAW will be back next week with another round of handy features, so be sure to drop by to see what’s new and what’s useful.

This article originally appeared on TUAW.com at http://www.tuaw.com/2014/09/28/last-weeks-popular-and-featured-articles-on-tuaw-you-dont-want/

Regulators Warn Banks: Guard Against 'Shellshock' Or Risk Huge Losses

Regulators Warn Banks: Guard Against ‘Shellshock’ Or Risk Huge Losses

RTR47BBF

Top financial regulators in the U.S. asked banks to update their software immediately to protect against the Shellshock bug, or else face untold losses due to cyber fraud. Shellshock is the most recent security hole found deeply embedded in the world’s computer systems, and experts say it could have a major impact on global cybersecurity.

Shellshock is found in a number of computer operating systems that use Bash, or the Bourne-again shell of Unix. The open-source software is the basis of innumerable computer software systems worldwide, giving it an enormous potential impact on the world’s computer systems.

“The pervasive use of Bash and the potential for this vulnerability to be automated presents a material risk,” the Federal Financial Institutions Examinations Council said, according to a Reuters report Friday. The FFIEC operates between the Federal Reserve, the Federal Deposit Insurance Corporation, and a number of other U.S. financial agencies.

The group recommended that banks should quickly identify which of their systems use Bash, and patch them to protect against security threats. They should also look into third-party software to check for security holes.

A number of major tech companies have scrambled to protect against the Shellshock bug, including Apple Inc., Google Inc. and Amazon.com Inc. Apple said a fraction of its customers are at risk, said it was working on an update to protect against any malicious code execution. The Shellshock vulnerability is reportedly worse than the Heartbleed bug that affect two-thirds of websites earlier this year.

GM Q2 Earning Report Will Spotlight Recall Costs

GM Exec Takes Aim At Car Hackers

IN image gmheadquarters

General Motors has named an executive to lead efforts to harden its increasingly computer-dependent vehicles against attacks by cybercriminals. The new and growing concern is that hackers could remotely commandeer a car or truck’s control systems to cause accidents or perpetrate some other mischief.

GM said Jeffrey Massimilla will assume the role of chief product cybersecurity officer. The University of Michigan grad was previously director of the automaker’s Global Validation group and before that was engineering group manager for its Next Gen Infotainment unit.

Automobile makers, including GM, are building more vehicles that use telemetrics sensors to collect performance data on parts and and transmit it back to the manufacturer. On board navigation and infotainment systems, like GM’s OnStar, also link cars and trucks to the Internet.

Some 2015 GM vehicles also feature embedded mobile WiFi systems that use 4G LTE technology.

While these add-ons make vehicles more reliable and convenient to operate, it also makes them, like any connected system, vulnerable to hackers. That means automakers for the first time must worry about more than just physical safety and protection when it comes to safeguarding passengers.

In a demonstration last year, security experts Charlie Miller, of Twitter, and IOActive’s Chris Valasek used a MacBook to takeover the braking system of a Ford Escape.

It’s not all bad, depending on one’s viewpoint. Lenders who make car loans to subprime borrowers have been installing so-called starter interrupt devices in vehicles. The device allows the lender to disable the vehicle over the Internet in the event a borrower falls behind on payments.

About 25 percent of vehicles sold to subprime borrowers use such devices, according to the New York Times.

Automakers are not the only manufacturers that now have to worry about cybersecurity. A wide range of industries, from appliance makers that produce smart TVs to developers of connected healthcare instruments, are producing products that are adding to the so-called Internet of Things — which comprises billions of embedded sensors.

As a result, more and more companies are creating the role of Chief Information Security Officer (CISO) to protect their systems. “The IoT is a conspicuous inflection point for IT security — and the CISO will be on the front lines of its emerging and complex governance and management,” Earl Perkins, an analyst at research company Gartner, said in a statement.

Gartner predicts that 20 percent of large companies will have an organization in place to protect IoT systems by 2017. “The requirements for securing the IoT will be complex,” said Perkins. 

Developer warns against using in-app browsers due to keylogging potential

Developer warns against using in-app browsers due to keylogging potential

in-app browser

Well-known Iconfactory developer Craig Hockenberry

is warning iOS device owners about the risks of using in-app browsers to enter sensitive information such as account login credentials. Users commonly encounter these browsers in social media apps that require them to login into a website in order to give an app permission to access their account. According to Hockenberry, these apps could be exploiting a vulnerability within the in-app browser system to eavesdrop on typing and steal sensitive username and password information.

Hockenberry demonstrates this vulnerability in the video embedded below and points out this hole is not easy to fix because it involves the interaction of web page JavaScript with UIWebview in iOS. The only practical way to protect users from this keylogging is to stop using the in-app browser for authentication and instead launch iOS mobile Safari when the entry of sensitive information is required by an app.

Unfortunately, Apple is rejecting apps that redirect users to Safari for authentication because the company believes it is too cumbersome and confusing to switch a user to Safari. Iconfactory’s own Twitterrific app was forced to removed the safer Safari authentication scheme and replace it with the in-app browser method due to Apple’s App Store review guidelines.

Twitterrific developers said they won’t collect private information from these in-app browser session, but there is no guarantee other apps will adhere to this same policy and little chance Apple’s already overloaded review process will detect these rogue apps. Consequently, iOS users need to be aware of this vulnerability as nefarious apps potentially can gather login information for more than just authentication purposes.

This article originally appeared on TUAW.com at http://www.tuaw.com/2014/09/25/developer-warns-against-using-in-app-browsers-due-to-keylogging/

A lock icon, signifying an encrypted Internet connection, is seen on an Internet Explorer browser in Paris

New ‘Bash’ software bug may pose bigger threat than ‘Heartbleed’

BOSTON (Reuters) – A newly discovered security bug in a widely used piece of Linux software, known as “Bash,” could pose a bigger threat to computer users than the “Heartbleed” bug that surfaced in April, cyber experts warned on Wednesday.

Bash is the software used to control the command prompt on many Linux computers. Hackers can exploit a bug in Bash to take complete control of a targeted system, security experts said.

The “Heartbleed” bug allowed hackers to spy on computers, but not take control of them, according to Dan Guido, chief executive of a cybersecurity firm Trail of Bits.

“The method of exploiting this issue is also far simpler. You can just cut and paste a line of code and get good results.”

Guido said he is considering taking his company’s non-essential servers offline to protect them from being attacked by the Bash bug until he can patch the software.

Tod Beardsley, an engineering manager at cybersecurity firm Rapid7, warned that the bug was rated a “10″ for severity, meaning it has maximum impact, and rated “low” for complexity of exploitation, meaning it is relatively easy for hackers to launch attacks.

“Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes, et cetera,” Beardsley said. ”Anybody with systems using Bash needs to deploy the patch immediately.” 

“Heartbleed,” discovered in April, is a bug in an open-source encryption software called OpenSSL. The bug put the data of millions of people at risk as OpenSSL is used in about two-thirds of all websites. It also forced dozens of technology companies to issue security patches for hundreds of products that use OpenSSL.

(Reporting by Jim Finkle; Editing by Tiffany Wu)

A lock icon, signifying an encrypted Internet connection, is seen on an Internet Explorer browser in Paris

New ‘Bash’ software bug may pose bigger threat than ‘Heartbleed’

BOSTON (Reuters) – A newly discovered security bug in a widely used piece of Linux software, known as “Bash,” could pose a bigger threat to computer users than the “Heartbleed” bug that surfaced in April, cyber experts warned on Wednesday.

Bash is the software used to control the command prompt on many Unix computers. Hackers can exploit a bug in Bash to take complete control of a targeted system, security experts said.

The Department of Homeland Security’s United States Computer Emergency Readiness Team, or US-CERT, issued an alert saying the vulnerability affected Unix-based operating systems including Linux and Apple Inc’s <AAPL.O> Mac OS X.

The “Heartbleed” bug allowed hackers to spy on computers but not take control of them, according to Dan Guido, chief executive of a cybersecurity firm Trail of Bits.

“The method of exploiting this issue is also far simpler. You can just cut and paste a line of code and get good results.”

Tod Beardsley, an engineering manager at cybersecurity firm Rapid7, warned the bug was rated a “10″ for severity, meaning it has maximum impact, and rated “low” for complexity of exploitation, meaning it is relatively easy for hackers to launch attacks.

“Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes, et cetera,” Beardsley said. ”Anybody with systems using Bash needs to deploy the patch immediately.” 

US-CERT advised computer users to obtain operating systems updates from software makers. It said that Linux providers including Red Hat Inc <RHT.N> had already prepared them, but it did not mention an update for OS X. Apple representatives could not be reached.

Tavis Ormandy, a Google Inc <GOOG.O> security researcher, said via Twitter that the patches seemed “incomplete.” Ormandy could not be reached to elaborate, but several security experts said a brief technical comment provided on Twitter raised concerns.

“That means some systems could be exploited even though they are patched,” said Chris Wysopal, chief technology officer with security software maker Veracode.

He said corporate security teams had spent the day combing their networks to find vulnerable machines and patch them, and they would likely be taking other precautions to mitigate the potential for attacks in case the patches proved ineffective.

“Everybody is scrambling to patch all of their Internet-facing Linux machines. That is what we did at Veracode today,” he said. “It could take a long time to get that done for very large organizations with complex networks.”

“Heartbleed,” discovered in April, is a bug in an open-source encryption software called OpenSSL. The bug put the data of millions of people at risk as OpenSSL is used in about two-thirds of all websites. It also forced dozens of technology companies to issue security patches for hundreds of products that use OpenSSL.

Bash is a shell, or command prompt software, produced by the non-profit Free Software Foundation. Officials with that group could not be reached for comment.

(Reporting by Jim Finkle; Editing by Tiffany Wu and Ken Wills)