Intelligent Connections. Powerful Impact.
Call Us: 415-510-2973

Archive for November 2015

Data Breach Trends to Evolve in 2016

Data Breach Trends to Evolve in 2016

Cybercrime is no longer the only concern when it comes to data breaches, and as the landscape continues to evolve, companies must try to stay ahead of the curve and be prepared to respond to any type of security incident.

Experian Data Breach Resolution has released its third annual Data Breach Industry Forecast white paper, showing that while some current issues remain relevant, there are a few emerging areas that warrant attention.

“We saw different types of breaches this year, and one of the major mistakes companies often make is taking a one-size-fits-all approach,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “Unfortunately, the reality is that no data breach is the same, and a wide variety of unique circumstances need to be considered in a data breach response plan. It is challenging to keep up so we are releasing this white paper to provide organizations with insight that will help them better strategize their incident response.”

For one, Experian predicts that consumers and businesses will be collateral damage in cyber-conflicts among countries. As nation-states continue to move their conflicts and espionage efforts to the digital world, we likely will see more incidents aimed at stealing corporate and government secrets or disrupting military operations. Such attacks can cause collateral damage in the form of exposed information for millions of individuals or stolen business IP addresses. There could also be an increase in large public-sector data breaches that expose millions of personal records.

 “This is new-age warfare and, as individuals, we need to pick up the pieces if we have been affected and our personal information has been exposed,” said Bruemmer. “The public should not be complacent about identity protection. It’s important to practice good security habits on an ongoing basis and monitor accounts frequently to catch fraud early.”

Also in the coming year, the firm predicts a resurgence in hacktivist activities, motivated by the desire to effect reputational damage on a company or a cause. No longer motivated merely by financial gain, criminals steal data to glean information that can be used for blackmail or extortion. This changes the response plan, and companies must consider all possible scenarios.

“This was the new twist to the data breach landscape in 2015, with thieves leveraging stolen data to embarrass or harm companies,” said Bruemmer. “Unfortunately, consumers are the pawns in the game, and they are victimized in the process. By association with the attacked organization, they also can suffer personal harm or embarrassment if their information is exposed. If an organization has a polarizing or controversial mission, it should consider this scenario and how it will take care of its constituency should a breach occur.”

Experian also expects that: EMV chip and PIN liability shift will not stop payment breaches; big healthcare hacks will make the headlines, but small breaches will cause the most damage; and, the 2016 US presidential candidates and campaigns will be attractive hacking targets. That could be one of the presidential candidates, their campaigns and/or major donor bases. As campaigns today are won and lost online and driven by Big Data analytics, the potential for a politically motivated attack is significant.

“We would be remiss if we did not mention this national occurrence as a possible target,” said Bruemmer. “For a fame-hungry criminal or motivated detractor, this is an attractive platform. It could happen with any activity on a national or global stage so leaders involved must ensure they are securing their systems and have incident response plans in place.”

Photo © frank_peters

Source: Information Security Magazine

Microsoft to Block Unwanted Apps in Windows

Microsoft to Block Unwanted Apps in Windows

Microsoft has turned up the heat on makers of potentially unwanted applications (PUAs) with a new opt-in feature for enterprise Windows users.

The OS giant claimed in a blog post late last week that the new capabilities built into System Center Endpoint Protection (SCEP) and Forefront Endpoint Protection (FEP) will stop PUAs at download and install time.

“These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time cleaning up the applications,” the blog post explained.

“Since the stakes are higher in an enterprise environment, the potential disaster that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.”

PUAs are associated with ad-injection, software bundling and “persistent solicitation for payment for services based on fraudulent claims.”

Microsoft explained that system administrators can enable the PUA protection feature via a Group Policy setting, with the tool kicking in after the next signature update or computer restart.

The firm advised IT staff to plan ahead for their PUA protection deployment.

This includes ensuring that any corporate guidelines or policies are updated to make it clear PUAs will be blocked, and that IT helpdesk and users are made aware of this.

“Finally, if you expect a lot of end-users in your environment to be downloading or installing PUA, then it is recommended that machines be gradually enrolled into the PUA protection,” Microsoft added.

“In other words, deploy the PUA opt-in policy to a subset of machines, observe the number of detections, determine if you'd want to allow any of them in your enterprise, add exclusions for them (all exclusions mechanisms are supported—file name, folder, extension, process) and then gradually roll-out the opt-in policy to a larger set of machines.”

Photo © Adriano Castelli/Shutterstock.com

Source: Information Security Magazine

NSA Bulk Phone Surveillance Finally Shut Down

NSA Bulk Phone Surveillance Finally Shut Down

US spy agency the NSA has now officially shut down a controversial dragnet surveillance program first revealed by whistleblower Edward Snowden, it is believed.

A US appeals court ruled back in May that the Patriot Act didn’t authorize the bulk collection of citizens’ phone call data.

A month later Congress passed the USA Freedom Act, which gave the NSA the power to continue snooping, although with the caveats that agents now have to get a court order and can only request one for accounts relevant to specific investigations.

These court orders will last six months.

That’s a far cry from the blanket surveillance of everyone’s phone records which according to the Freedom Act was due to come to a close on midnight Sunday (EST).

The NSA is apparently hanging on to the metadata it has collected thus far while it tackles legal action brought against it.

It has also been granted an extra three months to access historical metadata “solely for data integrity purposes.”

Edward Snowden first laid bare the mass surveillance programs carried out by the NSA back in 2013 to a shocked global news audience.

The NSA contractor, working in Hawaii as a systems administrator for Booz Allen Hamilton, fled to Hong Kong with thousands of top secret documents referencing surveillance operations by the NSA and Britain’s GCHQ.

A month later he flew to Moscow with the aim of seeking asylum elsewhere. However, the US cancelled his passport, stranding him in the airport of the Russian capital.

The Kremlin granted him a one year temporary asylum, extended to three years, although it’s not known where in Russia he’s currently living.

The new legal framework applies to NSA operatives snooping on US citizens. Foreign targets are still theoretically exposed to bulk collection attempts by America's intelligence services.

Photo © 360b/Shutterstock.com

Source: Information Security Magazine

Kids and Parents Caught Out as Toymaker VTech is Breached

Kids and Parents Caught Out as Toymaker VTech is Breached

A Hong Kong-based maker of children’s educational toys has suffered a data breach, exposing the details of potentially millions of children and their parents.

VTech, which builds “electronic learning toys,” revealed in a statement on Friday that an “unauthorized party” accessed customer data held in its Learning Lodge app store database on 14 November.

It continued:

“Upon discovering the unauthorized access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks.

Our customer database contains general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history.”

The firm stressed that the database in question doesn’t store credit card information as Learning Lodge payments are processed by a third party provider.

Also missing from the heist will be personally identifiable information (PII) such as ID card numbers, Social Security numbers or driving license numbers, VTech claimed.

The firm didn’t reveal how many customers could be affected, but some reports put the figure at close to five million adults and the first names, genders and birthdays of as many as 200,000 children.

Those kids could theoretically be linked to their breached parents, exposing their full identities, it is feared.

James Romer, chief security architect at SecureAuth, argued that children can be a valuable target for hackers as they potentially won’t know their identity has been compromised until they’re much older.

“This kind of breach is simply not acceptable,” he added.

“Organizations, particularly those who hold this kind of information, must invest in advanced security systems alongside adaptive authentication for their users to mitigate the chances of this happening and render any stolen assets worthless.”

Check Point’s UK regional director, Simon Moor, argued that the information stolen is likely to be used in follow-on phishing attacks.

“There’s enough detailed personal information in the stolen records to make those people targets for identity theft and fraud. Hackers are likely to trade the stolen data as well as trying to trick customers into revealing further personal details using targeted phishing emails,” he explained.

“Customers affected should be suspicious of any emails or even phone calls that relate to the breach, no matter how plausible, and should not give away more personal information.”

Photo © Matthias Pahl

Source: Information Security Magazine

WordPress Flaw Leads Readers Digest Fans to Angler EK

WordPress Flaw Leads Readers Digest Fans to Angler EK

Security researchers are warning of a spike in WordPress compromises designed to load the notorious Angler Exploit Kit.

Malwarebytes senior security researcher, Jérôme Segura, explained in a blog post that Readers Digest is one of the high profile victims of the attack campaign.

“The attack consists of a malicious script injected within compromised WordPress sites that launches another URL whose final purpose is to load the Angler exploit kit,” he continued.

“Site owners that have been affected should keep in mind that those injected scripts/URLs will vary over time, although they are all using the same pattern (see IOCs below for some examples).”

He urged netizens who have visited the Readers Digest site recently to check that they haven’t been infected.

“The payload we observed at the time of capture was Bedep, which loaded Recurs, a backdoor Trojan, but that of course can change from day to day,” explained Segura.

Unfortunately Malwarebytes hadn’t received any feedback from the publisher, despite claiming to have contacted it several days before publishing the blog post.

The news comes around a month after the firm warned of another campaign targeted at WordPress sites linked to the Angler EK.

The blog of UK newspaper The Independent was among the sites affected.

“The attack involves conditionally embedded large snippets of code at the bottom of the sites’ source page,” wrote Segura at the time.

“It is important to stress this is a conditional injection because webmasters trying to identify the issue may not see it unless they browse from a fresh IP address and a particular user-agent (Internet Explorer being the most likely to get hit).”

The code in question loads a Flash video file designed to redirect users to Angler EK—a similar attack pattern to that apparently observed by Malwarebytes a year ago.

WordPress is frequently targeted by hackers because it provides a good RoI for attackers looking to reach as wide a group of potential victims as possible.

Photo © Rawpixel.com

Source: Information Security Magazine

Embedded Devices at Risk After Research Uncovers Industry-Wide Flaws

Embedded Devices at Risk After Research Uncovers Industry-Wide Flaws

Security researchers have uncovered industry-wide reuse of the same cryptographic keys ‘baked’ into the firmware of routers, modems and other embedded devices.

Security firm SEC Consult studied the firmware images of more than 4,000 such devices—including internet gateways, routers, modems, IP cameras, VoIP phones—and found 580 private keys distributed across them.

What’s more, around 230 of these are actively being used on the web, it said in a blog post.

“The reasons vary from shared/leaked/stolen code, white-label devices produced by different vendors (OEM, ODM products) to hardware/chipset/SoC vendor software development kits (SDKs) or board support packages firmware is based on,” the firm added.

“Just by looking at the numbers one can deduce that it is highly unlikely that each device is intentionally exposed on the web (remote management via HTTPS/SSH from WAN IP). Enabling remote management exposes an additional attack surface and enables attackers to exploit vulnerabilities in the device firmware as well as weak credentials set by the user.”

Seagate was singled out for criticism in this regard, with 80,000 Seagate GoFlex NAS devices found on the web “exposing” HTTPS and SSH.

The top three countries in terms of affected hosts were the US (26%), Mexico (16%) and Brazil (8%).

SEC Consult said the security oversight could lead to “impersonation, man-in-the-middle or passive decryption attacks” which might allow attackers to access admin credentials and other information useful for launching further attacks.

“In order to exploit this vulnerability, an attacker has to be in the position to monitor/intercept communication. This is easily feasible when the attacker is located within the same network segment (local network),” the vendor explained.

“Exploiting this vulnerability via the internet is significantly more difficult, as an attacker has to be able to get access to the data that is exchanged. Attack vectors can be BGP hijacking, an "evil ISP", or a global adversary with the capability to monitor internet traffic.”

In total, over 900 products from around 50 vendors were found to be vulnerable.

Sundaram Lakshmanan, VP of technology at CipherCloud, said the research highlights a common problem in tech “where the cryptography underneath is solid but the implementation at scale leaves the gates wide open.”

“This flaw also affects IoT devices, which presents an even bigger problem,” he added.

“Internet-enabled devices have a much smaller footprint and have to store both hardware and software, so authentication and key rotation are harder to implement. At the same time, most of these devices cannot take remote patches, which can create a nightmare scenario when it comes to fixing flaws.”

Photo © Korn

Source: Information Security Magazine

F&S: Security To Be Biggest ICT Issue in 2016

F&S: Security To Be Biggest ICT Issue in 2016

Rapid adoption of the cloud, mobility and the internet of things (IOT) will not only open up platforms, but also open up new security threats, says a new research post from Frost & Sullivan (F&S).

Indeed as it looked at the industry’s prospects for 2016, the analyst predicted that security would become the single biggest issue to tackle in the ICT industry with attacks getting more sophisticated and eventually leading to costly consequences. Such things were forecast as a driver for vendors and service providers to acquire specialist security vendors or grow their own practices internally to tackle the diverse issues in security impacting organizations.

F&S regarded incidents such as Ashley Madison as a key driver in the inevitable rise of cyber-insurance. It said that the industry would see cyber-insurance policies that would offer more than just compensation and protection from liability in the event of a cyber-attack.

Looking as to where likely threats would originate, in the home environment, as smart home solutions witness greater adoption, F&S warned that the current vogue to use mobile phones and tablets to control power, cooling, heating, lighting and security would create a number of issues. It cautioned that by allowing one interface to control the various applications of the smart home, security challenges will be a big issue for the industry players to grapple with.

Perhaps more worryingly it also noted that targeted attacks on computer industrial control systems (ICS) would be the biggest threat to nations' critical infrastructure. F&S believes some of the attacks in recent years on industrial control systems —including the Stuxnet attack on an Iranian nuclear plant and the Shamoon attack on Saudi Aramco — have not been publicized.  

Source: Information Security Magazine

NCA and Trend Micro Team Up to Arrest Alleged Cybercriminals

NCA and Trend Micro Team Up to Arrest Alleged Cybercriminals

Two suspects from Essex have been arrested as part of a joint operation between Trend Micro and the National Crime Agency (NCA) designed to root out cyber-criminals.

A 22-year-old man and a 22-year-old woman from Colchester were arrested on suspicion of running a website designed to help cyber-criminals bypass traditional malware filters with their attacks.

The site in question, reFUD.me, provided various capabilities including counter anti-virus (CAV) scanning.

This will test a piece of malware against current AV tools to show the cyber-criminal how successful it would be if released in its current form. Crucially it will hide the results of these tests from the AV companies themselves.

Another service they offered is known as “crypting” and involves modifying a piece of malware until it is no longer detectable by the major AV vendors.

At that time it is known as “FUD”—fully undetectable—although modern heuristics tools can still often spot and block malware where traditional filters fail.

The “Cryptex Reborn” service allegedly run by the two suspects was labelled as “among the most sophisticated developed in recent years.”

The arrests are the first major breakthrough for the NCA and Trend Micro following a landmark MoU which was signed in July formalizing their co-operation in the form of a ‘virtual team’ comprising members of the NCA’s NCCU (National Cybercrime Unit) and Trend Micro’s Forward Looking Threat Research team (FTR).

“As such the FTR team have been involved in the whole investigation from its inception, through identifying the workings of the alleged criminal activity, and working to identify suspects behind it,” Trend Micro FTR EMEA manager, Robert McArdle told Infosecurity.

“This mirrors other investigation work we have carried out with law enforcement in other areas of the world—albeit with a stated goal from the outside to see how closely public and private partners can work together, and how successful the outcomes can be.”

However, these arrests are likely to represent only the tip of the iceberg when it comes to alleged crypting and CAV, he added.

“However, unlike a botnet takedown which at best has a temporary impact on a single criminal group's operations, our operations aim towards core parts of the overall criminal business model—such as a crypters and CAV—as this has a more lasting effect on the wider criminal activity on the internet,” McArdle argued.

“In doing so we aim to create as much of a deterrent and effect on criminal business models as possible for the resources we put into the investigation, and ultimately push Trend Micro’s mission to make the world safe for the exchange of digital information.”

Photo © Karramba Production

Source: Information Security Magazine

Networking Engineer Crowned UK Cybersecurity Champion

Networking Engineer Crowned UK Cybersecurity Champion

Peter Clarke, a 38-year-old network engineer for a high-end car dealer in Leicester, has won the 2015 Cyber Security Challenge UK competition.

The Challenge comprises a series of virtual and face-to-face competitions that would identify talented people for the cybersecurity industry in the UK. In it, 42 contestants used their skills to defend Church House on the Grounds of Westminster Abbey from a fictional biological cyber terror attack. Over the course of the competition, contestants had to demonstrate real life technical skills that the industry relies upon, while adhering to strict legal framework, very closely based on UK government legislation.

Now entering its sixth year the Challenge is backed by over 50 public, private and academic organizations in the UK such as QinetiQ which led and designed the program. IT was supported by experts from Bank of England, GCHQ, National Crime Agency, BT, Cisco, Falanx Group, Roke Manor Research, Simudyne, and CyberCENTS Solutions. The competition is designed to unearth hidden cyber talent in the general public, and attract them into the cybersecurity industry.

Commenting on his victory, Clarke said: “I feel like it’s been a rollercoaster ride. I only entered the Cyber Challenge eight or nine weeks ago without anything higher than a GCSE and a few Microsoft qualifications in my back pocket so to be here now is unbelievable. I’ve had an interest in cyber for several years now and keep a breadth of the current trends and tools in the industry but this is the first step towards a future career in the area. I really want this to become my profession and the Cyber Security Challenge has given me a catapult into the industry that you can’t find anywhere else.”

More than half of 2015’s finalists were gamers, suggesting, said the organizers, that the 33 million of such people in the e UK was very likely to be a strong source of future cyber-defense talent to keep our country safe online.

“We would like to encourage any individual with an inquisitive mind, a passion for problem solving and desire to learn, to sign up and have a go at some of the games on our play-on-demand gaming platform – they are ready to play now,” added Bob Nowill, Chairman of Cyber Security Challenge UK. “You could have a hidden talent for cyber and be joining us for our big finale next year. Our past winners have included postmen, car park attendants, web designers and gamers – we simply don’t know who could be next.”

Source: Information Security Magazine

TrueCrypt Gets Thumbs Up from German Auditors

TrueCrypt Gets Thumbs Up from German Auditors

A German government audit of once-famed encryption service TrueCrypt has given it a tentative thumbs up after a no-doubt exhaustive six-month process.

The audit was undertaken for the German Federal Office for Information Security (BSI) by members of the Fraunhofer Institute for Secure Information Technology and others, after TrueCrypt was abandoned by its developers in 2014.

The open source disc encryption platform had been favored by many, but doubts were cast over it after those same anonymous developers claimed in a parting shot that it “may contain unfixed security issues.”

That prompted a review led by noted cryptographic expert Matthew Green, which claimed back in April that TrueCrypt contained “no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.”

Now the German auditors are claiming that the service is actually “safer than previous examinations suggest.”

Heading up the research, Technische Universität Darmstadt professor Eric Bodden revealed in a blog post that his team found some weaknesses in the way TrueCrypt retrieves the random numbers used for encryption.

He explained:

“With a lack of randomness, an attacker can theoretically guess your encryption key more easily. This problem only occurs in non-interactive mode, though, or when using certain access-control policies on Windows. In result, it is unlikely that this problem has actually affected users in the wild. The problem is that if volumes were created with a weak key, then afterwards there is no way to tell. To be on the safe side it would therefore be advisable to re-encrypt volumes with a version of TrueCrypt in which this flaw has been fixed.”

All in all, however, the platform is described by Bodden as “probably all right for the most parts”—with the flaws uncovered minor and probably present in other encryption services.

“Code quality could be improved, though, as there are some places that call for a refactoring and certainly for better documentation,” he added. “But generally the software does what it was designed for.”

The results of the audit will be good news for firms looking for alternatives to products currently on the market.

In fact, in June 2014, a group of developers decided to make existing versions of the product available again, with servers located in Switzerland to keep them theoretically out of the reach of the NSA and its partners.

Photo © Oscity

Source: Information Security Magazine