Inside Security - July 1st, 2016

Inside Security (Jul 1st, 2016)

David’s Take
Malware is getting more dangerous with a combination of SMS and phishing called smishing, airgapped computers are no guarantee of safety, and common sense can avoid DNS exfiltration. Plus a new Amazon Web Services offering and more on selfie photo authentication.

We'd love to hear from you – which MFA tools have you had success with?

-- David Strom, editor of Inside Security
New and noteworthy products
Using selfie photos is becoming popular as an authentication factor (the link goes to a previously announced feature by MasterCard). Another vendor, who also sells a password management tool, has its own photo-based solution and tries to improve multi-factor authentication by taking a photo at a particular moment in time. Wired magazine has this scare story last week about not using SMS texts as the additional factor because of man-in-the-middle attacks. The vendor claims several hundred apps are already supported with the process. -- LOGMEONCE

Amazon’s Elastic File System goes into production this week after an extended beta. This means customers can put up a complete file system that has literally no upper bound for capacity. EFS can handle a wide variety of use cases, and makes it easier to attach a file system to your EC2 cloud instances via NFS. You don’t have to pre-provision your storage or worry about bandwidth.  Like other Amazon Web Services, you pay by usage only. – AMAZON WEB SERVICES
Threats and attacks
New research-only malware dubbed Fansmitter developed by Israeli cyber researchers can take control of your computer’s fan speed and transmit data acoustically. The fans in your computer and graphics cars vary their speed and create subtle sounds that can be picked up by nearby microphones in mobile devices. This gives a whole new meaning to airgaps!  -- BOINGBOING
Some great analysis on detecting DNS data exfiltration and how malware can work to manipulate DNS requests. Just because a subdomain is long (several hundred characters) doesn’t necessarily mean it is from a bad actor. The analysts spend some time showing how you too can get smarter about finding the fingerprints from these attacks just by monitoring your logs and some simple techniques. – TALOS BLOG

Have you seen any DNS exploits across your network, and how did you find them?
Here are five things to consider when implementing a threat hunting program across your enterprise, including a new mindset to rely on a combination of automatic and human hunches, removing your focus from being just about the malware, and making the right data available and examining it through the right set of filters. – DARK READING
What happens when you combine SMS attacks with phishing? It is called smishing, and a new Danish and Italian attacks that target Android users to try to steal their banking credentials. The malware tracks what particular app is being run in the foreground, then launches a phishing screen with a similar UI on top and obtains a user’s credentials. The researchers go into a great amount of detail on the mechanics and how clever this kind of malware has become. – FIREEYE BLOG
Reports and evaluations
Boards of directors are turning up the heat on CISOs, with a new Osterman Research report that says a majority of IT executives will lose their jobs if they don’t provide actionable security info. There is now a massive focus on security and a quarter of board members see this risk as their highest priority. Most, according to this survey, are very involved in making cybersecurity decisions. – BAYDYNAMICS
An academic study shows that the ability to process a large amount of data after a natural disaster using a visually based cloud computing cluster can be literally the difference between life and death for first responders.  Mobile devices are linked to a cloud service to process the images taken and special optimization algorithms developed for this important application.  -- UNIVERSITY OF MISSOURI
Self Serving Dep't
A good treatment of the origin and importance of random number generation and their role in providing secure systems from a working group of the Cloud Security Alliance and shows a more advanced approach, using “more” random numbers that can withstand attacks from quantum computers, and how they can protect your data transmissions. Of course, the report comes from several vendors of such devices, including QuintessenceLabs, IDQuantique and Whitewood Encryption.  – CLOUD SECURITY ALLIANCE

Is this a concern for you or over-rated?

Some 84 percent of U.S. and U.K. information technology executives at firms that had not faced ransom attacks said they would never pay a ransom. But among firms that have been attacked, 43 percent paid, according to a new survey. Companies that paid ransoms reported an average of $7,500 in the U.S. and £22,000 in the U.K. – RADWARE
Say “Hello” to Windows 10 Anniversary edition, refreshed and ready to deal with multi-factor authentication built-in. The new version of Hello, what Microsoft calls this feature, supports more devices, PINs, and biometrics as authentication factor options. Hello will be secured with hardware Trusted Platform modules (if present) or software encryption (if not). Hello has been used across Microsoft’s own employees to shake it down for public consumption and expanded from the initial version. – MICROSOFT

Have you implemented anything significant with Hello yet?
Here are some interesting results of tracking online fraud and the seven characteristics of the endpoint devices that initiate these fraudulent transactions. A new SaaS-based online fraud prevention tool combines advanced machine learning and data visualization technology with a customizable rules engine, and their beta customers have seen a 50%-300% reduction in fraudulent transactions.  -- SIMILITY

Any other suggestions on locating compromised machines that you have had success with?
Just for fun
It is summer and what better things can you do with your kids than some backyard science experiments? – GAME MOM

The folks at Blendtec have been putting gadgets into blenders for years. Is the iPhone SE any different from the iPhone 5 when it comes to blending? Find out here.  --BLENDTEC

Not happy with your existing home theater system? Time to consider a personal IMAX setup. The entry level is about $400,000 and has dual 4K 2D/3D projectors, a proprietary IMAX sound system, and a media playback system that will dazzle your friends with at least a ten foot tall projection screen. Two screening rooms have been built in China and others are planned for the US. – ARS TECHNICA
How likely are you to recommend Inside Security to a friend or colleague?

More from Inside
Inside Security is just one of Inside's network of newsletters. Here are some others you might like:

Inside VR & AR: Diving deep into the virtual/augmented reality products, companies, communities, and news. (2x/week)

Inside Electric Vehicles: From Tesla to Faraday Future to the big car manufacturers, we're tracking everything in the EV industry. (2x/week)

Inside Daily Brief: A roundup of all the most interesting news, across verticals. (2x/day)

ReadThisThing: One link to a fascinating piece of journalism, daily.
Copyright © 2016 Inside, All rights reserved.

You're receiving this email because you are subscribed to Inside Security. If you don't want to receive it anymore, go ahead and unsubscribe – or just hit reply and tell us how to make it better.

Subscribe to Inside Security