Stanford Report, February 13, 2015

By Amy Adams

Businesses play an integral role in creating a secure online environment and also stand to benefit from innovations that protect transactions, according to government and business leaders who participated in a discussion on Internet security held today at Stanford University. The session was part of the White House Summit on Cybersecurity and Consumer Protection.

Maria Contreras-Sweet, administrator of the U.S. Small Business Administration SBA, opened the session by announcing a new program to help small businesses adapt to security changes in payment systems that are set to be implemented Oct. 15.

Business owners who fail to act by that date will be looking at the L-word, liability, Contreras-Sweet said. Businesses will need to update their payment technology to accept so-called EMV credit cards, which contain a computer chip, or assume liability for fraud committed. Our message is that they must take care of customers financial data as if it were their own, she said. The SBA will be working to educate small businesses and provide support for the upgrades, she added.

This focus on retail transactions reflects the volume of those transactions, according to Sarah Bloom Raskin, deputy secretary in the U.S. Department of the Treasury, who said some estimates are that 4 trillion per day transfers though our country s payment systems.

What s more, those transactions can go through credit card, debit card, prepaid card, mobile phone, PayPal, Google Wallet, Apple Pay or other payment systems. These permutations provide a variety of entry points for bad actors, Raskin said. The vulnerabilities for mischief are myriad.

Dan Schulman, president and chief executive officer of PayPal, said there is only one way to completely stop financial fraud. You do no transactions, he sad. But you have 160 million consumers and merchants counting on you, so that s not possible.

Shulman said that security measures can protect against many kinds of fraud, but with somewhere between 500 million and 5 billion identities compromised last year, many of the bad actors enter with real credentials. Most people are good guys, he said. But you have bad actors, and you want to protect those who have been compromised by shutting down their accounts. It s not just technology, but data and risk analytics that is one of our most powerful weapons.

The panelists agreed that tokens, which are a short-lived entity that temporarily carries account information for a transaction, could reduce risk. But let s think to the future, said Richard Davis, chairman and chief executive officer of US Bank. Beyond technology fixes for each transaction, he thinks financial services and government need to work more closely to monitor threats.

He described a successful collaboration that began between financial services to monitor cyber attacks, and later came to include the Treasury Department. There is a really good outcome between financial services and the treasury, he said.

The session took place a few hours after President Barack Obama signed an executive order creating a framework to create these kinds of private sector and government partnerships.

Stanford Law Professor George Triantis said bringing groups together is the only way to tackle security threats. Triantis is the chair of the steering committee for the Stanford Cyber Initiative, launched in November with a 15 million grant from the William and Flora Hewlett Foundation to bring faculty from across Stanford together around cyber issues. As President Obama observed, Stanford has been the birthplace of innovation in computer technology, he said. Now with the Cyber Initiative, those same faculty can be part of the solutions to threats that arose from those technologies.

With the growing recognition of cyber risks, some companies are beginning to use their security features as a competitive advantage. Michelle Zatlyn, co-founder of CloudFlare, said the company s primary responsibility is providing a secure web environment for clients.

Zatlyn said a challenge for companies trying to increase security is finding qualified staff. Her company currently has to look internationally to fill open positions, but she encouraged Stanford students to pursue these careers. Today, we have President Obama in California talking about the need for security at the national level, she said. That means the students on campus who came this morning might think that is a great field and will want to be part of making the Internet better.

This course is designed to provide an overview on epidemiology and the Internet for medical and health related students around the world based on the concept of.

6 Emerging Security Threats, and How to Fight Them

The week of CES saw new Windows 10 devices, connected-car advancements, and the looming end of Internet Explorer 8, 9, and 10.

Business leaders discuss future security measures at Stanford summit

Get the latest science news and technology news, read tech reviews and more at ABC News.

Should common security technologies be blended with biometrics for accuracy and reliability. For centuries, security was synonymous with secrecy.

Definition of future: adjectivereferring to time to come or to something which has not yet happenednounthe time which has not yet happened ExamplesTry.

Hackers are nothing if not creative, so it s important for enterprise security pros to educate themselves about emerging security threats like these six.

The security threat landscape changes constantly, with malicious hackers developing new ways to compromise your systems as older vulnerabilities are discovered and patched. So it s important to be aware of the threats to enterprise security that are coming over the horizon and heading this way.

It s a question the Georgia Institute of Technology addresses in its Emerging Cyber Threat Report 2013, in which researchers identify at least six threats that all security professionals should know about.

Obscuring viruses using DRM-like technology: Some music and ebooks files are protected by digital rights management DRM systems. These files are effectively locked to particular devices so that they can only be played on these devices and can t be copied and shared.

Malware can use the same technique. Essentially it locks itself to a particular system by encrypting portions of its binary using specific attributes of the infected system to generate a key. That means that once it has infected a system, the malware will only run on that machine and can t be copied and run on another.

The purpose of this is to make it much harder for anti-virus vendors to take a sample of the code from an infected machine and run it in their own systems - to analyze it and, ultimately, produce an anti-virus signature for it. Virus authors such as those behind the Gauss Trojan, which was discovered in August 2012, and the Flashback Trojan in 2011 have already used this self-defense technique, and it s one that s likely to become common in the future, the report suggests.

What you can do to mitigate the threat: Enterprises should deploy anti-virus products which offer effective alternatives to signature-based protection such as behavioral protection and file reputation based systems.

Targeting OS X: In the past most malware writers have targeted systems running Microsoft s Windows operating system. This has led many Mac users to believe falsely that OS X is a highly secure operating system that can t be compromised. As a result, most computers running the operating system have little or no anti-malware protection.

But the Flashback Trojan demonstrated that machines running Apple s OS X operating system are also now being targeted, and that they are vulnerable.

Aside from vulnerabilities in the operating system, which Apple is often slow to patch, malware writers are also exploiting vulnerabilities in software such Java, which run on these systems. Flashback infected over 600,000 systems running OS X. The report predicts that because most OS X systems have little or no protection and the user base is inexperienced with security, it will increasingly be targeted by attackers in the future.

What you can do to mitigate the threat: Devices running OS X should be protected by the same security measures as Windows machines. That means installing anti-virus software, and ensuring that the operating system and third-party software such as Java is updated with security patches as soon as they are available.

Malicious hardware/supply chain insecurities: The threat here is that networking hardware made by Chinese companies such as Huawei and ZTE, or counterfeit hardware made in China or elsewhere, may contain malicious hardware or firmware code which provides a backdoor into corporate systems. This has always been a possibility, but in October 2012 the House Select Committee on Intelligence explicitly recommended that private sector entities consider the long-term security risks associated with doing business with either ZTE or Huawei for equipment or services.

What you can do to mitigate the threat: At the very least, limit networking hardware purchases to trusted vendors. Additional measures include carrying out network listening to detect hardware acting maliciously, and carrying out random tests on devices to look for indications that they contain extra components or malicious firmware. At the highest level, some companies may choose to assume that all hardware is compromised and continuously monitor it for unexpected behavior.

Malware for cellphones and other mobile devices: There s no doubt that mobile malware is becoming a serious threat. The number of malicious and suspicious Android apps grew to 175,000 at the end of September 2012, up from 30,000 in June, according to security firm Trend Micro.  When employees in BYOD workplaces use their mobile devices to access the corporate network, this clearly poses a serious security risk.

And it s not just Android devices that are vulnerable. Handsets from Apple and other manufacturers are not immune from malware infections, even when apps submitted to stores such as Apple s Appstore are checked before inclusion.

Mobile devices present other risks too. Many mobile device screens make it hard for users to see what site their browser is visiting, making users vulnerable to phishing attacks. And Researchers from Leibniz University of Hannover, Germany, and Philipps University of Marburg, Germany, found that 8 percent of free applications improperly implemented SSL and TLS connections, leaving users open to a man-in-the-middle attack, the report points out.

What you can do to mitigate the threat: The most practical way an organization can protect itself from malware on users mobile devices is to implement some form of mobile device management MDM. This can impose security policies and restrict application downloads to a corporate app store which contains approved applications only.

The cloud: Storing data in the cloud is probably a sensible thing for many organizations to do because most cloud providers offer better than average security, according to the report. But huge repositories of data are very attractive targets for hackers, and it s inevitable that they will come under attack increasingly often.

It s also worth mentioning that the security of cloud storage varies widely, and enterprise-class services are likely to have better encryption regimes, authorization systems and overall security than consumer-oriented services such as Dropbox and Evernote -- both of which have been successfully hacked in the past.

Because cloud services are becoming less and less expensive, they are also providing a powerful tool for hackers. That s because many hackers have access to stolen credit card numbers, making it easy to set up large clusters of malicious systems to use for password cracking or other purposes.

What you can do to mitigate the threat: The best way to protect enterprise data is to ensure that it is encrypted before it is sent to the cloud using a key which is not held by the cloud service provider. It may also be prudent to ban employees from using consumer cloud services at work -- and to back this up by blocking traffic to these services at the corporate firewall.

Search engine filter bubble poisoning: Hackers can compromise a user s system by getting them to visit a malicious site which exploits vulnerabilities in the browser or other software. The problem for hackers is getting users to visit those sites, and one way to do that is to compromise legitimate and well known sites, and then add links from those sites to the malicious destinations. These links give the malicious sites a better page ranking, making them appear earlier in search engine results.

But there s another way to manipulate search results, and that s connected to the concept of a filter bubble. Put simply, most search engines filter the results that they provide by looking at a user s search history, if it is available. The purpose is to provide results that are likely to be more relevant to the user.

Search profiles are stored online, indexed by a cookie, and in the future hackers may attempt to enumerate and modify them to change the results a given search brings up. It s already possible to do this; it has been carried out successfully by researchers, according to the report.

Manipulating search profiles in this way can make it more likely that users will be presented with -- and thus click on -- a malicious link. But it also has another implication: Since the search profile is stored online, any machine accessed by a compromised user may be vulnerable, as their search profile may follow them to any machine they use.

What you can do to mitigate the threat: Train users not to log in to their Google account or any other search engine account when they use the Internet. Clearing browser caches after each session or using Internet Explorer s InPrivate Browsing mode, Firefox s Private Browsing mode or Chrome s Incognito mode may also be helpful.

Paul Rubens has been covering IT security for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.