Wednesday, February 26, 2014

New variant of Zeus banking Trojan concealed in JPG images 

Researchers identified a new variant of the Zeus banking Trojan, ZeusVM, that hides its configuration inside a JPG image file to avoid detection by security software. The image carries the configuration data the malware needs to launch man-in-the-middle and man-in-the-browser attacks, which allow attackers to collect personal information and perform fraudulent online transactions. 

Full Story: http://www.scmagazine.com/new-variant-of-zeus-banking-trojan-concealed-in-jpg-images/article/334477/ 

External reviews

Our company has multiple external exams, reviews and tests throughout the year.
PCI, OCC, SSAE 16, and internal and external penetration tests. Are these all necessary? Do these really help the overall security posture of an organization? The short answer is, it depends. If management buys into the overall security program, then it will certainly benefit and correlate with what these exams find. If management does not have a vision and sees these audits as just something that needs to be done, then you turn into what Target and Neiman Marcus currently are: companies in trouble.

I want to get your take on this. Drop me a comment or an email and let's see how people think about this subject.

Saturday, February 15, 2014

2014 Predictions

I am a bit late with this but please read through my predictions for 2014.
So what will 2014 hold for cyber security professionals? Will it be something new or more of the old? The answer is a bit of both. We have all reached a crossroads in the way we manage security. Some CSOs will soldier on ahead - with diminishing effectiveness - while others will benefit from taking a fresh direction. Here are my forecasts for the state of security in 2014.
Escape from monoculture
New security technologies will provide a greater choice of defensive options. I've reported before on the danger of security 'monoculture', i.e. we have all been implementing identical security defences, providing attackers with a simple testing platform for attacks. New products that detect malware through behaviour and characteristics other than traditional signature scanning will present a new challenge for attackers.  
A new generation of attacks
Forward-looking security professionals have been wondering what comes next after Stuxnet et al. That code was developed many years ago. The next generation of attacks will inevitably be richer, more sophisticated and even stealthier. There are enough political, commercial and criminal motives to encourage further attacks, so we can expect to see some spectacular threats - if we can detect them. They may already be amongst us.
A backlash against security standards
Wherever I go in the world I find a huge percentage of security managers who believe that security has failed, and the major culprit is compliance along with the bureaucratic standards it promotes. I've been saying this for years but lately I detect that governments and regulators are beginning to see the light. Compliance cannot go away. In fact it's likely to become even stronger. There will however be a rethink of the standards we need to achieve effective security. But don't expect an early solution.   
Improving strategic crisis response
Crisis management has been a long-standing weakness in all enterprises, for both business and security crises, especially at the strategic level which aims to safeguard the intellectual assets of the organisation. The growth in major incidents, CERTs, SOCs and SIEM tools has all helped to raise awareness of the need for better crisis management. It will be a long journey. But it's a healthy sign that enterprises are finally looking beyond simple incident management processes and business continuity plans.
Cyber skills gap grows
We all know there's a shortage of high-end cyber skills. Ask anyone that runs a security testing company. It's because skills such as high-speed reverse-engineering require a special kind of person. Training courses can't fix this problem, especially those that teach ancient security rituals. People with special skills can't be mass produced. They have to be sought out. And that's a more difficult challenge.
No change at NSA    
Don't expect any major changes in the operations at NSA, despite continuing Snowden revelations. The weakness is primarily with visible oversight and public presentation of policy, rather than day-to-day operations. The reality is that we have to gather large amounts of intelligence to prevent terrorist incidents. And that threat has not diminished. There is no evidence of widespread misuse of the data gathered. Admittedly there is a theoretical possibility of a future dictator abusing the power. But that's arguably a lower risk than the threat of terrorists gaining access to weapons of mass destruction.
And on that controversial note I'll wish everybody Season's Greetings.

PCI 3.0: What is the Impact on Your Security Operations

Last month, the PCI Security Standards Council (PCI SSC) released its proposed changes for the Payment Card Industry Data Security Standard (PCI DSS) version 3.0. For security professionals it means that PCI compliance will become more of an everyday business practice, rather than an annual checklist obligation. Looking ahead, here’s what you can expect from 3.0’s impact on your operations – and the steps you’ll need to take to stay compliant.

Vulnerability management
When it comes to managing system vulnerabilities, Requirement 11 now mandates a documented penetration-testing methodology, including tests that verify the segmentation controls isolating the cardholder data environment (CDE) from other networks are operational and effective. The reasoning here is that segmentation narrows the scope of the cardholder data environment, which shrinks the organization's attack surface and leaves fewer points of entry for attackers. The best way to get there: conduct your own assessments to augment third-party assessments, and use those results to reduce the scope of your cardholder data environment.
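A minimal version of the segmentation check described above, as an added example for this post (not code from the PCI SSC or from any assessor): run from a host on a network that is supposed to be out of scope, it attempts a TCP connection to every in-scope host and port; any completed handshake is evidence that segmentation is not effective. The CDE addresses, the port list and the timeout are made-up placeholders to be replaced with your own scoping inventory, and the `probe` parameter exists so the logic can be exercised without live network access.

```python
"""Segmentation check: from an out-of-scope host, try to reach every CDE
host/port pair.  Any successful connect is a segmentation failure.
Example code for this post; addresses and ports are constructed placeholders."""
import socket
from typing import Callable, Iterable, List, Tuple

# Assumed CDE inventory (constructed); replace with your own scoping results.
CDE_HOSTS = ["10.10.1.10", "10.10.1.11"]
CDE_PORTS = [22, 443, 1433, 3306, 3389]
TIMEOUT_SECONDS = 2.0


def tcp_connect(host: str, port: int, timeout: float = TIMEOUT_SECONDS) -> bool:
    """Return True if a full TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered, timed out or unroutable all count as 'not reachable'.
        return False


def check_segmentation(hosts: Iterable[str], ports: Iterable[int],
                       probe: Callable[[str, int], bool] = tcp_connect
                       ) -> List[Tuple[str, int]]:
    """Return every (host, port) reachable from the network this runs on.
    For an effectively segmented CDE, run from an out-of-scope segment,
    the list is empty.  `probe` is injectable so the logic can be tested
    offline with a fake connector."""
    ports = list(ports)
    reachable = []
    for host in hosts:
        for port in ports:
            if probe(host, port):
                reachable.append((host, port))
    return reachable


def report(reachable: List[Tuple[str, int]]) -> str:
    """Human-readable verdict suitable for pasting into an assessment note."""
    if not reachable:
        return "PASS: no CDE host/port reachable from this segment"
    lines = ["FAIL: segmentation not effective; reachable CDE services:"]
    lines += [f"  {host}:{port}" for host, port in reachable]
    return "\n".join(lines)


if __name__ == "__main__":
    # Run this from a workstation or server on a network you believe is
    # out of scope; a PASS here is one data point, not a full 11.3 test.
    print(report(check_segmentation(CDE_HOSTS, CDE_PORTS)))
```

A PASS from one vantage point only proves that one segment cannot reach those ports; repeat the check from every network that is claimed to be out of scope, and remember that a penetration test under 11.3 also looks for paths that a simple connect scan will not see, such as jump hosts and shared management interfaces.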

POS Terminals
When it comes to point-of-sale (POS) terminals, you might not dwell too much on the possibility of physical compromise. Yet many are accessible to the public and all too often have exposed connections like a keyboard or USB port. All an attacker needs is a simple hardware keylogger or an auto-run USB device and boom, they're in. This is one reason skimming and other attacks are on the rise, and the main reason POS terminals and other payment-capture devices must now be protected from tampering or substitution. Another mandatory step: maintain an inventory of these devices (make, model, location and serial number) and periodically inspect them, checking serial numbers and tamper-evident seals to verify that no one has tampered with or swapped them. These practices might seem tedious, but they'll go a long way toward stopping physical attacks before they escalate into serious disasters.


Strengthening Password Policies, Tokens and Certificates
Password protection is a major focus of 3.0. While the recommendations aren't terribly new, they may still be fresh ground for some businesses. To start with, you'll need to change vendor default passwords for application and service accounts, as well as user accounts, and enforce strong replacements. When it comes to user-created passwords, users must protect their credentials and change passwords upon suspicion of compromise. Again, most businesses should already be doing this.
While the minimum criterion of a seven-character password containing both letters and numbers is still promoted, alternatives of at least equivalent strength, such as longer passphrases, are now explicitly permitted. This means you might consider requiring a relatively long passphrase with uppercase characters, lowercase characters, numbers and special characters. These can be especially secure and even easier to remember than traditional gibberish passwords.
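One way to encode that rule in a password-acceptance check, as an added example for this post rather than anything published by the PCI SSC: the literal seven-character, letters-plus-digits criterion is checked first, and a candidate that fails it is still accepted if it reaches an "equivalent strength" threshold. The threshold and the character-pool entropy estimate are my own assumptions chosen for illustration (the baseline is what a seven-character mixed-case alphanumeric password buys, about 41.7 bits), and the small blocklist is constructed; a real deployment would use a breached-password corpus.

```python
"""Password acceptance check modelled on the 3.0 password-strength rule:
at least 7 characters with both letters and digits, OR a password/passphrase
of at least equivalent strength.  Example code for this post; the entropy
heuristic and the baseline are assumptions, not a PCI SSC definition."""
import math
import string

# Assumption: equivalent strength = the keyspace of a 7-char mixed-case
# alphanumeric password, log2(62 ** 7) ~= 41.7 bits.
BASELINE_BITS = 7 * math.log2(62)

# Constructed sample of obviously weak choices; use a breach corpus in practice.
BLOCKLIST = {"password1", "welcome1", "changeme1", "qwerty123"}


def meets_minimum_criteria(pw: str) -> bool:
    """The literal rule: >= 7 characters, at least one letter and one digit."""
    return (len(pw) >= 7
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def estimated_bits(pw: str) -> float:
    """Naive strength estimate: length * log2(size of the character pool used).
    Anything built from one or two distinct characters scores zero."""
    if len(set(pw)) <= 2:
        return 0.0
    pool = 0
    if any(c in string.ascii_lowercase for c in pw):
        pool += 26
    if any(c in string.ascii_uppercase for c in pw):
        pool += 26
    if any(c in string.digits for c in pw):
        pool += 10
    if any(c in string.punctuation or c == " " for c in pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def evaluate(pw: str) -> dict:
    """Classify a candidate as 'minimum' (literal rule), 'equivalent'
    (passphrase alternative) or 'reject', with the reason and the estimate."""
    bits = estimated_bits(pw)
    if pw.lower() in BLOCKLIST:
        return {"verdict": "reject", "reason": "common password", "bits": bits}
    if meets_minimum_criteria(pw):
        return {"verdict": "minimum", "reason": "7+ chars with letters and digits", "bits": bits}
    if bits >= BASELINE_BITS:
        return {"verdict": "equivalent",
                "reason": f"{bits:.1f} bits >= {BASELINE_BITS:.1f} bit baseline", "bits": bits}
    return {"verdict": "reject",
            "reason": "below minimum criteria and below equivalent strength", "bits": bits}


if __name__ == "__main__":
    for candidate in ["Summer2014", "correct horse battery staple", "abc123", "password1"]:
        result = evaluate(candidate)
        print(f"{candidate!r}: {result['verdict']} ({result['reason']})")
```

Note the order of the checks: the blocklist runs before the literal rule, because "password1" satisfies seven-plus-characters-with-a-digit and would otherwise pass. The literal rule also accepts junk like "aaaaaaa1", which is the reason to treat it as a floor and pair it with a blocklist and the strength estimate rather than relying on it alone.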

Similarly, security must be tightened for physical security tokens, smart cards and certificates. If you're not already conducting daily log reviews, now is the time to start. Also make sure that every authentication mechanism is assigned to an individual account rather than shared among users, and protect access to those accounts so that only the intended user can use the credential.
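The two points above, daily log review and credentials tied to individuals, come together in a review script like the following, added here as an example for this post and not taken from any product or standard. It parses SSH-style authentication lines and reports two findings: an account that accumulated six or more failed logins from one source in the day (six is the lockout count the standard expects, so reaching it is worth a look), and successful logins by generic account names that are not linked to a named person. The log lines, host names, addresses, threshold and generic-account list are all constructed.

```python
"""Daily authentication-log review.  Example code for this post; the sample
log, the generic-account list and the failure threshold are constructed."""
import re
from collections import Counter

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+)")

# Assumption: these names are not linked to an individual in this environment.
GENERIC_ACCOUNTS = {"admin", "administrator", "root", "pos", "shared"}
FAIL_THRESHOLD = 6   # mirrors the lockout count; tune to your own policy

# Constructed sample of one day's auth events from two hosts.
SAMPLE_LOG = """\
Feb 26 08:01:12 pos-01 sshd[1201]: Failed password for jsmith from 10.20.0.5 port 51020 ssh2
Feb 26 08:01:15 pos-01 sshd[1201]: Failed password for jsmith from 10.20.0.5 port 51021 ssh2
Feb 26 08:01:18 pos-01 sshd[1201]: Failed password for jsmith from 10.20.0.5 port 51022 ssh2
Feb 26 08:01:21 pos-01 sshd[1201]: Failed password for jsmith from 10.20.0.5 port 51023 ssh2
Feb 26 08:01:24 pos-01 sshd[1201]: Failed password for jsmith from 10.20.0.5 port 51024 ssh2
Feb 26 08:01:27 pos-01 sshd[1201]: Failed password for jsmith from 10.20.0.5 port 51025 ssh2
Feb 26 08:05:02 pos-01 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
Feb 26 08:10:40 db-01 sshd[2210]: Failed password for mlee from 10.20.0.9 port 40010 ssh2
Feb 26 08:10:55 db-01 sshd[2210]: Accepted password for mlee from 10.20.0.9 port 40011 ssh2
Feb 26 09:30:07 db-01 sshd[2315]: Accepted publickey for admin from 10.20.0.77 port 40200 ssh2
"""


def parse(lines):
    """Yield (kind, user, source) for each auth event; other lines are ignored."""
    for line in lines:
        failed = FAILED.search(line)
        if failed:
            yield ("failed", failed.group(1), failed.group(2))
            continue
        accepted = ACCEPTED.search(line)
        if accepted:
            yield ("accepted", accepted.group(1), accepted.group(2))


def review(lines, threshold=FAIL_THRESHOLD):
    """Return the day's findings: repeated failures per (user, source) and
    successful logins by accounts that are not tied to an individual."""
    failures = Counter()
    generic_logins = []
    for kind, user, source in parse(lines):
        if kind == "failed":
            failures[(user, source)] += 1
        elif user in GENERIC_ACCOUNTS:
            generic_logins.append((user, source))
    return {
        "repeated_failures": {key: n for key, n in failures.items() if n >= threshold},
        "generic_account_logins": generic_logins,
    }


if __name__ == "__main__":
    findings = review(SAMPLE_LOG.splitlines())
    for (user, source), count in findings["repeated_failures"].items():
        print(f"{count} failed logins for {user} from {source}")
    for user, source in findings["generic_account_logins"]:
        print(f"generic account {user} logged in from {source}; who was it?")
```

On the constructed sample this flags the six failures for jsmith from 10.20.0.5 and the successful login as admin, while mlee's single mistype followed by a success is left alone. Feeding it `/var/log/auth.log` (or the equivalent from your log collector) once a day is the mechanical part of the review; the human part is deciding, for each generic-account login, which individual was actually at the keyboard.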

Defining in-scope Systems
In another move toward improved clarity, you’ll need a network diagram showing all connections to cardholder data, as well as an up-to-date diagram that details how cardholder data flows through your systems. 3.0 places more emphasis on defining the in-scope environment on a regular basis, and also emphasizes the application and data layers over the network and infrastructure layers. Ultimately these definitions benefit both auditors and the audited, by illuminating potential weaknesses in a comprehensive risk assessment.

Evolving Malware Threats
Because malware remains a major threat, including in cloud environments, merchants must now periodically evaluate evolving malware threats even for systems considered not commonly affected by malware, rather than writing those systems off. That includes systems like Linux, which you might (incorrectly) assume are safe. Malware can destroy files and servers and compromise end users' machines, which means that every part of the environment must be covered by anti-malware controls. Set up alerting that catches the first sign of infection and you'll go a long way toward containing the damage and mitigating data loss.

Security and Compliance Responsibility
If your organization isn't exactly clear on which PCI DSS requirements your group manages and which ones your providers handle, things are about to change. You'll need to hammer out and document every detail of who's responsible for what, and that can be a tall order with the explosion and diversity of SaaS, PaaS and MSSP offerings.
All of these changes might seem like a lot to undertake, but it's important to remember what's at stake. Getting compliant isn't just about passing inspection; it's about dealing as effectively as possible with the threats targeting applications every day, from XSS attacks to SQL injection.

Security teams have the next 12 months to tackle these operational changes, and whether you have considerable adjustments to make or very few, it’s a good opportunity for your security staff to analyze your programs, tighten up your processes and strengthen your provider relationship. Include compliance in your daily tasks and you’ll have less work to do in crunch time – and your critical business applications will be that much safer.

Tuesday, February 11, 2014

New security blog

Welcome to the intersection of Security and Privacy. This is a new blog I have started to talk about and rant about everything security related. Hopefully you will find this site informative. If you have any comments or suggestions, please e-mail me at jncsousa@outlook.com.

With all the breaches of late here is some information you may find useful. Thank you to my friends at SANS for publishing this. 

It's important to protect your personal information, and to take certain steps quickly to minimize the potential damage from identity theft if your information is accidentally disclosed or deliberately stolen.

If your personal information is stolen, four steps to take:
  • Place a "Fraud Alert" on your credit reports, and review those reports carefully. Notifying one of the three nationwide consumer reporting companies is sufficient.
  • Contact your bank or other financial institution(s) and close any accounts that have been tampered with or established fraudulently.
  • File a police report with local law enforcement officials. This is an essential step for protecting your rights.
  • Report your theft to the Federal Trade Commission, online, by phone, or by mail.

Have a great night.
