Cybercriminals are on the attack as they have set their sights on a new target: cloud-based payroll service providers.
According to the security firm Trusteer, they have come across a Zeus malware configuration that targets Ceridian, a payroll service provider.
Trusteer’s chief technology officer Amit Klien explains in a blog post how the Trojan is attacking these cloud service providers.
“Zeus captures a screenshot of a Ceridian payroll services webpage when a corporate user whose machine is infected with the Trojan visits this site. This allows Zeus to steal the user id, password, company number and the icon selected by the user for the image-based authentication system,” he said.
“These attacks are designed to route funds to criminals, and bypass industrial strength security controls maintained by larger businesses,” Klien said.
Ceridian released a statement emphasizing that no security breach on its own servers had occurred and that the vulnerability targets customers’ computers and targets a wide range of SaaS services.
“Ceridian has not experienced a security breach as implied by this article,” Donna Teggart, Ceridian’s director of communications wrote in a statement. “A Zeus infection happens at the customer computer location and will capture all the user’s keystrokes, regardless of the application they are logging into. Ceridian encourages all individuals and organizations to ensure they are protecting their computers and networks from all threats and virus attacks such as this.”
This could only be the beginning as Trusteer reports cybercriminals are attacking small cloud-based providers to create easier ways to attack larger businesses. Continued »
Taking cracks at bad business software design is beyond beating a dead horse (although I still love the famous tree swing comic), but Microsoft looks like their trying really, really hard to turn that around. Leading the charge: Microsoft’s ERP package, Microsoft Dynamics GP. A beta Metro-ized version of it was shown off recently, and design is gorgeous to look at. Let’s play a quick game of before and after:
GP 2010 R2, the most recent version
The Metro-ized UI, demoed recently
My first reaction: Microsoft, the same company inflicting us with the Office Ribbon, made this?
My second reaction: But will it blend?
Well, Windows 8 is now officially slated for an October released and the earlier reviews are positive (I’ve downloaded the release candidate but haven’t installed it yet). Already, Mr. Denny is putting together excellent troubleshooting tutorials and IE10 is getting excellent marks from Ed Tittel.I don’t think a Windows release has garnered so much excitement and enthusiasm since WindowsXP, released 10 years ago. And for good reason:Windows 8‘s “Metro” Interface represents the biggest departure from the traditional windowing paradigm since Windows launched, and WindowsPhone 7 has proven that Microsoft is capable of making a well-designed OS with it, even if it’s not a complete market success yet.
But that excitement and those revisions comes at a cost: Radically different means what has worked for years is heading the way of the Dodo, and retraining, rebuilding and restructuring are all going to become part of the upgrade, especially difficult for the OS ecosystem that has bent over backwards for backwards compatibility. Yes, a more traditionalWindows 7-ish interface lies just beneath Metro, but that’s a bandaid, or as Tony Bradley snarked, “Windows 8 feels like Windows 7 with Metro added as an additional, frustrating layer I have to work through to get to the features and capabilities I actually want to use.”
I bet that will be a common thread among two groups in particular: Power users and computer novices used to things exactly the same as they’ve been (See viral video for demonstration). Change is inevitable and I think Microsoft is making the right strategic choice, but it’s also a good opportunity for enterprises to ask themselves which platform will they embrace for the future: Windows 8‘s bold but uncertain moves? Apple’s polished, pricey and enterprise-indifferent strategy? A web application suite that they can better deploy – but at the cost of endpoint control?
I’d love to hear your thoughts, since the only thing I know for certain is that there are no easy answers. E-mail me at Michael@ITKnowledgeExchange.com, and if we like your response we’ll even try and select a great book or other swag to send you.
Recently I spoke with John Horn, president of RACO Wireless, about the past, present and future of wireless connectivity.
RACO, a T-Mobile partner, specializes in wireless data solutions for machine-to-machine (M2M) industries, which allows wireless systems to connect with other devices. John explains how M2M is now being used all across the world.
“Each industry has become integrated with M2M technology. From the insurance industry which uses it for monitoring discounts to even the ice industry monitoring their inventory. It’s important to show that M2M has become mainstream,” he said.
As Brad Pitt said in Inglorious Basterds, ‘Business is a boomin’. Raco has seen a 300% growth in 2011 and has provided new solutions for providers in less than a day.
How has RACO been able to perform and grow at such a high level? John explained the keys to his success came down changing the way he looked at wireless altogether.
“The team has been together for over 9 years and has 200+ years of M2M experience. This translates into a wealth of knowledge to help our customers build successful business models. We have seen what works and what doesn’t and know what trouble spots to look out for,” Horn said.
The keys, Horn said, are flexibility and the ability to quickly turn around a solution that’s right for the business.
“The old business model was to have companies go through long certification processes in order to put a new device or product on the carrier network,” he said. “This takes thousands of dollars and many weeks. Then you have to buy a rate plan that exists from a carrier or wait for weeks for them to build a new one. Then it takes weeks to connect into whatever management platform they are using and tie up IT resources to get it accomplished.”
Now, it takes John and Raco only a few short hours to complete the process.
“We created a whole new business model which allows us complete flexibility and shortens the business model to one day. We have eliminated or simplified these steps”
With all the company’s growth, it still faces challenges. While M2M is growing, its still a niche many people don’t know about, and RACO is struggling to become a household name.
“The biggest problem we have right now is marketing, getting our name out there,” he said. “We print ads and appear at trade shows but we’re also looking into other avenues to explore.”
However, Horn sees a bright future for the M2M industry. “We have seen massive growth. It comes down to if you support it or not. If you support it, you will come out a winner.”
One story in particular drifting out of South By Southwest caught my attention: The outrage and indignity over a trial/marketing stunt program which gave Austin-area homeless individuals a 4G “hotspot” that nearby techies could log in to and browse the web, while introducing the wireless vendor and asking users for a small PayPal or cash donation.
The reaction was as swift as it was predictable. Wired’s excellent Tim Carmody blasted the Damning Backstory Behind ‘Homeless Hotspots’ at SXSW, while others took the initiative as another sign of the tech conferences jumping the shark – or worse, how out of touch the digerati are with real world problems.
To quote Carmody:
It sounds like something out of a darkly satirical science-fiction dystopia. But it’s absolutely real — and a completely problematic treatment of a problem that otherwise probably wouldn’t be mentioned in any of the panels at South by Southwest Interactive.
This program and the immediate media backlash reminded me of why so many promising, innovative projects inevitably sputter out, whether its in the world of startups, social work or plain vanilla corporate IT.
RSA 2012 has come and gone from the caverns of Moscone, and I’ve had a (short) chance to digest this year’s event, leaving a little more educated and a lot more wary about the risks facing modern IT when it comes to security.
The biggest wake up call? Security expert Bruce Schneier’s timely reminder that outsourcing, whether to India or the Amazon Cloud, has ripple effects on security and privacy, and that right now the trend is to cut costs and complexity – in exchange for control. That’s not necessarily a mistake, particularly for businesses that are rapidly expanding, businesses that were hit hard by the recession, businesses that need to quickly adapt to a mobile landscape, or pretty much any other business that can benefit from the agility the cloud offers. In other words, the cloud offers a little of something to everyone.
But the allure of the Google way, or even the Microsoft Azure or Amazon S3 way, costs something, whether it’s an increased chance a competitor can sneak a peak at your proprietary data, that a government can subpoena your records or simply that you can’t control when and where outages hit home.
The biggest threat to Internet freedom isn’t traditional “bad guys” like cyberterrorists and hacking groups, says Bruce Schneier, security researcher and author, but the slow, creeping advances of Big Data companies like Google and Amazon that are quietly rewriting the fundamentals of how security is managed.
Schneier explained his fears to a packed room at RSA 2012, outlining how he saw individuals, companies and governments effectively outsourcing security to cloud providers, abdicating ultimate control in exchange for convenience and cost savings.
The result is a state of “security serfdom” where fealty is pledged to one of a few centralized data gatekeepers who promise and deliver great benefits – but upon whom the user becomes completely reliant for basic security. Apple’s legion of adoring gadget geeks and people who live the “Google lifestyle” through GMail, Google Voice and more now rely on those companies to make critical security decisions for them.
It’s not an all together negative trend, particularly since “average users” historically do the bare minimum of backup, encryption and other information security hygiene possible, but it does create a more monolithic landscape that is likely to get harder and harder to opt out of.
“There’s a war on general purpose computing, because companies realize they gave up too much control,” said Schneier.
What really sank (or, to be more precise, exploded) the Death Star wasn’t the usual suspects of Rebel scum, engineering incompetence or even the inevitable triumph of good over evil. Instead, explained Kellman Meghu, a series of common infosec missteps made by Darth Vader, then the acting Chief Security Officer, doomed the ultimate battle station: In an age of consistent, ongoing penetration attempts long ago and far, far away, only the eternally vigilant and over-prepared lived to fight another day.
Kellman, speaking at Security BSides San Francsico 2012, admitted that the erstwhile Anakin got a few things right, particularly when it comes to understanding the threat of data leakage.
“He knew what was important to his business, which is really quite impressive,” he said, stating that a lot of major companies he works with have no idea what is in their data inventory, nor what matters if it were to escape.
Kellman also lauded how well Darth Vader monitored, logged and actually responded to threats: When the Death Star blueprints were leaked by Bothans, he immediately assembled a tactical team to deal with the data breach. Compare that to how often data leaks out through thumbdrives or unsecured laptops and the only notification occurs when the data is posted publicly.
Vader also did an admirable job following through on the seriousness of the threat, marshaling resources to help investigate the breach and respond appropriately.
But at the end of the day, the Death Star was destroyed (twice) and Vader rather dramatically resigned, as is often the case with CSOs after a major data breach.
It didn’t have to end that way, though. Kellman offered some straightforward advice every security Padawan could take to heart and that might have helped Vader ensure a long, happy retirement on a pleasure barge instead of a tragic death at what should have been the middle of an illustrious reign.
Google is coming to the cloud storage community as the search giant prepares to launch its new service soon.
Google joins Dropbox and Apple as companies who have launched cloud storage. The Wall Street Journal reports the storage will be called Drive and your data will be saved to their servers and can be accessed by any device with a WI-FI connection.
This storage device would allow users to fully incorporate their other services, Gmail and Google Docs, and store documents, pictures, and other data on Google’s server.
According to a report from the Wall Street Journal, users would be able to store their files and share it with friends and co-workers.
“If a person wants to e-mail a video from a smartphone, for instance, he can upload it to the Web through the Drive mobile app and e-mail people a link to the video rather than a bulky file,” the Journal said.
With Google’s availability to data servers all across the world, Dropbox and Box could see a significant decrease from their users but Box’s CEO Aaron Levie praised Google’s new arrival.
“The long-awaited entry of Google Drive will create awareness and acceptance of consumer cloud storage solutions, just like Apple’s launch of iCloud put the spotlight on this space last year,” Levie said.
We can all understand Levie’s enthusiasm about the idea of cloud storage evolving but he must be aware his company is going up against Google, right?
While Dropbox offers members up to 2 GB free and $9.99 a month for 50 GB, Google could offer storage at a level their competitors won’t be able to match. Along with being able to save up to 1GB for free on Google Docs, they will offer free storage to businesses and consumers, only charging for large file sharing.
Unless competitors can evolve and maintain a storage device which is cost efficient and allows more GB, it looks like Google will reign supreme once again.
Michael Tidmarsh is the Assistant Community Editor for ITKnowledgeExchange.com. He can be reached at Mtidmarsh@techtarget.com.
Once again, the IT Watch Blog is packing up its bags and reading to San Francisco for RSA, one of the security industry’s largest conferences. This year, mobile device threats are front and center: As Rob Westervelt with SearchSecurity reported, one firm hopes to make a big splash by debuting a new Android-based attack. Mobile attacks are a continued focus this year not only because of new attacks but because of continuing trends: Knowledge workers continue to BYOD (Bring Your Own Device) leaving IT with less control and visibility even as more critical data is pushed out into more places.
Other hot topics this year are cloud security best practices and standard compliance issues. I’ll be covering the most interesting sessions and news right here, but SearchSecurity will also be providing special RSA 2012 coverage with the site’s editors out in force during the duration of the show.