BankInfoSecurity Executive Editor Tracy Kitten analyzing the financial services industry reaction to the latest state banking cybersecurity regulations leads this edition of the ISMG Security Report.

Also in this report, you'll hear (click on player beneath image to listen):

The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Be sure to check out our Oct. 11 and Oct. 14 reports, which respectively analyze Hillary Clinton's and Donald Trump's head-to-head clash over purported Russian hacks and President Obama's thoughts on the intersection of artificial intelligence and cybersecurity. The next ISMG Security Report will be posted on Friday, Oct. 21.

Theme music for the ISMG Security Report is by Ithaca Audio under the Creative Commons license.

The internet of things universe lacks standards, with devices running mostly on proprietary operating systems and codebases, making the potential surface area of attack a lot larger, says Thilak Ramanna, head of APAC field engineering operations at Wind River, a unit of Intel.

The development of standards for IoT devices would help ensure that the right amount of security is baked into both hardware and software, Ramanna contends.

A "bottom-up" approach to IoT security is essential, starting with the hardware as the "root of trust" and then addressing the operating systems and applications, Ramanna says in an interview with Information Security Media Group.

"Security cannot be an afterthought," he stresses. "You cannot build your systems and your network topology and then start thinking about security. Security has to be designed in right from the beginning."

Re-Engineering Controls

Any security strategy in the IoT space needs to be relevant to all form factors of devices and have the ability to scale, he says. "Whatever controls and measures have evolved in the IT space over the last 25 years, we need to take those and re-engineer them to the complexities of the device side of the world," he says. "This is going to be one of the bigger challenges, especially since there is no standardization available on the IoT side of the world and the device market is too fragmented."

In this exclusive interview (see audio player below image), Ramanna also discusses:

Ramanna, who heads field engineering operations for the APAC region at Wind River, an Intel company, has more than 15 years of experience in design, engineering, project management, product management, sales and marketing. He's a frequent speaker on IoT at industry events, and holds a master's degree in software systems from BITS, Pilani.

Anti-Malware , Business Continuity/Disaster Recovery , Data Loss

Have you heard of BadBlock, Bart and Booyah? What about VenusLocker, WonderCrypter and Zyklon?

See Also: Disrupt Attack Campaigns with Network Traffic Security Analytics

Those are just some of the many different ransomware families that have been cataloged by the ID Ransomware service, launched in March by the security researchers known as MalwareHunterTeam. The researchers' site allows victims to upload ransom notes or encrypted files to help them identify the ransomware that's encrypted their data.

This week, in an unfortunate cybercrime milestone, the number of ransomware families counted by the service reached 200.

The increasing number of ransomware families - and their virulence - shows attackers are continuing to refine their art. Similarly, the emergence of what almost seem like joke strains of ransomware - named after horror films or given the Pokémon treatment, for example - demonstrates the increasing commoditization of crypto-locking attack tools and the need for developers to attempt to differentiate their wares in what's become an increasingly crowded marketplace.

Whew! ID #Ransomware can now identify 200 ransomware families. :) Sad such a milestone was hit so quickly... pic.twitter.com/c4jynvMbpI

Disruption Efforts Continue

The increasing number of ransomware families - to say nothing of what can be many different variants or strains of each, evolving over time - also complicates attempts to disrupt these attacks. Indeed, security firm Kaspersky Lab estimates that between April 2015 and March 2016, there were more than 715,000 ransomware victims worldwide, or an increase of 5.5 times over the preceding 12-month period.

Disruption efforts, however, are ongoing. The public-private No More Ransom project, which launched in July, reports this week that at least 2,500 ransomware victims were able to download the portal's free decryptor tools - mainly for CoinVault, WildFire and Shade - and recover their data, avoiding paying more than $1 million in ransoms, project organizers say. But that amounts to just 0.35 percent of the total number of ransomware victims seen from April 2015 to March of this year.

No More Ransom launched as a joint venture between the Dutch National Police and Europol, as well as security firms Kaspersky Lab and Intel Security, a.k.a. McAfee. Since then, law enforcement agencies from these 13 countries have also signed up: Bosnia and Herzegovina, Bulgaria, Colombia, France, Hungary, Ireland, Italy, Latvia, Lithuania, Portugal, Spain, Switzerland and the United Kingdom.

Police Response

From a law enforcement standpoint, more is more, says Steven Wilson, head of Europol's European Cybercrime Center. "Europol is fully committed to supporting the enlargement of the No More Ransom project within the EU and internationally to respond to ransomware in an effective and concerted manner," Wilson says in a statement. "Despite the increasing challenges, the initiative has demonstrated that a coordinated approach by EU law enforcement that includes all relevant partners can result in significant successes in fighting this type of crime, focusing on the important areas of prevention and awareness."

https://t.co/3HIV2MNttQ was launched by @Europol +Dutch @politie+@IntelSecurity+@kaspersky to help victims of #ransomware in July 2016 pic.twitter.com/sTf2rhB2XG

Focus: Prevention, Awareness

The focus on prevention and awareness is also the strategy that's been adopted by the FBI, which urges organizations to create "a solid business continuity plan" that includes the ability to restore backups in the event that systems get infected by crypto-locking malware.

That's because neither technology nor law enforcement - and arrests - will stop ransomware. The malware is easy to create and distribute, and it succeeds whenever it encounters a PC that a user has failed to prepare. The "skyrocketing" of ransomware attacks, as Kaspersky Lab CEO Eugene Kaspersky puts it, illustrates attackers' success.

Furthermore, criminals continue to refine their campaigns. Some attacks - often utilizing Locky - are being highly targeted, and they crypto-lock time-sensitive records inside organizations, leaving them with little choice but to pay.

In other cases - such as with the widespread CTB-Locker ransomware - attackers are tapping affiliate programs to distribute the malware. CTB-Locker is also part of an emerging trend; the ransomware can crypto-lock not just PCs but also web servers. Petya ransomware, meanwhile, now includes full-disk encryption - not just encrypting files - and encrypts the file system table, thus disabling a victim's ability to even boot their PC.

Prepare or Pay

The Petya ransomware lock screen. (Source: Kaspersky Lab)

Occasionally, ransomware developers feel guilty and spill their crypto schemes, or law enforcement agencies gain access to their malicious infrastructure, allowing them to crack attackers' crypto. Other times, developers fumble their crypto implementation, enabling security experts to build decryptors for victims.

No More Ransom, for example, was recently updated with a decryptor for Polyglot ransomware, a.k.a. MarsJoke, which has been designed to mimic CTB-Locker ransomware - apparently to make victims believe they were infected with an especially virulent type of ransomware, Kaspersky Lab says. But unlike CTB-Locker, Polyglot used "a weak encryption key generator," allowing its crypto to be cracked, using a standard PC, in less than 60 seconds, the security firm says.

So far, however, being able to decrypt ransomware for free remains the exception. For most ransomware victims, the paradigm remains depressingly familiar: Prepare, or be prepared to pay the consequences.

Biometrics , Mobility , Privacy

A search warrant executed earlier this year gave authorities the power to force occupants of a Los Angeles-area house to unlock devices with their fingerprints, casting doubt on biometric defenses.

See Also: Main Cyber Attack Destinations in 2016

Forbes first reported on a memorandum dated May 9 drafted by federal prosecutors in support of the search warrant. It asked a federal court for permission to allow law enforcement agents to depress the fingers of anyone in this house to unlock devices, an action that prosecutors argued does not violate the U.S. Constitution.

The warrant is significant, as there have only been a few cases that have tackled whether it is legal for the government to collect fingerprints as part of a search warrant. At issue are the Fourth Amendment, which prohibits unreasonable search and seizure, and the Fifth Amendment, which is the right against self-incrimination.

The search warrant also shows how law enforcement is trying to counter the technology industry's implementation of stronger defenses against hackers and government surveillance, which have made law enforcement investigations more difficult.

Hands Up, Show Us Your Fingers

The outcome of why the government wanted access to the house and its occupants' fingerprints is unclear. Forbes contacted someone at the house, in Lancaster, Calif., who said the warrant was indeed served, but no one at the house had been accused of a crime.

Forbes posted a redacted version of the search warrant that obscures the address to which it was served. The memorandum is available in online federal court records, but the original version does not help in figuring out whether charges were filed, and the search warrant itself is unavailable.

But that the warrant was served shows some federal judges are receptive to this way of unlocking devices, which may serve as a warning that fingerprints should not be relied upon as a foolproof security method.

Legal Arguments

The memorandum argues that the Fifth Amendment does not apply to fingerprints because it only covers "communicative evidence," such as court testimony. A 1966 Supreme Court case, Schmerber v. California, found that the compelled display of identifiable physical characteristics does not violate the law.

"The fact that a successful unlocking of the devices could also demonstrate a connection between the person and the device thus does not make the requested fingerprints testimonial, any more than does a warrant's authorization to seize a person's keys," the memorandum contends.

In regards to the Fourth Amendment, taking biological data, such as blood or fingerprints, is allowed as long as the collection is done within the scope of a warrant and that an individual has not been illegally detained, the memorandum shows.

The memorandum also cited a 2014 legal case where a Virginia circuit court judge ruled that police could force someone to unlock a phone with their fingerprint, but not turn over a passcode. A passcode is knowledge, but a fingerprint is the same as providing a DNA or a handwriting sample, The Virginian-Pilot reported.

Phone security

The U.S. government has expressed frustration with measures manufacturers such as Apple have taken to make devices more secure. The movement for stronger security largely gained steam after former National Security Agency contractor Edward Snowden leaked documents in June 2013 that showed the bulk collection of data from technology companies (see How Did Snowden Breach NSA Systems?).

Apple and applications such as Signal have sought to remove themselves as pivot points for law enforcement if users take precautions. The general idea is to not store decryption keys in centralized servers, instead leaving them in the possession of users.

While Apple must turn over information stored in its iCloud backup service if served with a valid warrant, user can elect not to store anything with Apple. In addition, Apple has sought to make its iPhone a self-contained vault. The company fiercely fought a court order earlier this year that required it to create a special version of iOS in order to access the iPhone 5c of San Bernardino shooter Syed Rizwan Farook (see FBI Versus Apple: A Lose-Lose Situation).

That forced law enforcement to look to other means to break into strongly encrypted devices. In the case of Farook, the FBI later dropped the case, saying it purchased a technological means - largely believed to be a zero-day vulnerability - so it could access his phone.

If compelling people to surrender their fingerprints withstands legal tests, it's still only a limited tool. Apple devices still require a passcode if a device has been turned off and on or if it has been idle for 48 hours. Devices that have Android 6.0 or later have similar security features, but older Android devices can vary according to manufacturer and may not have secure implementations, according to Russian password cracking specialists Elcomsoft. The best advice would be to avoid fingerprint readers if you expect the police to come knocking.