
Archive for January 2016

HSBC Banking Customers Vent Anger After DDoS Scuppers Service

HSBC has been forced to apologize to customers after a DDoS attack disrupted key online systems, meaning many users could not log in to their internet banking portals.

A statement from the bank claimed this morning’s denial of service attack affected “personal banking websites in the UK.”

It continued:

“HSBC has successfully defended against the attack, and customer transactions were not affected. We are working hard to restore services, and normal service is now being resumed. We apologise for any inconvenience this incident may have caused."

The outage persists for many customers as of the time of writing, with countless HSBC online banking users taking to social media to vent their anger.

The attack comes at a particularly sensitive time given there are only a couple of days left before UK taxpayers can file their returns without being charged interest on late payments.

As the last working day of the month, it’s also pay day for many people – a fact the DDoS-ers may well have had in mind when timing the attack.

A new report from security firm Imperva released yesterday showed that attacks on UK websites soared by over 20% in Q4 2015, placing the country as the second most targeted in the world behind the US.

Justin Harvey, CSO at Fidelis Cybersecurity, had advice for firms caught in the same situation as HSBC.

“Strong external network-facing access control lists (ACLs) should be instituted to keep out-of-profile traffic off services, robust monitoring should be put in place to identify these types of attacks in their early stages, and high-risk organizations should oversubscribe their network bandwidth to better absorb the brunt of inbound DDoS attacks,” he said.

“The upstream ISP should also be notified to place mitigations on their connected devices to protect networks.”

However, Lee Munson, security researcher for Comparitech, urged commentators not to blow things out of proportion.

“The bank’s systems have not been breached. No bank accounts have been raided and no personal information has been stolen,” he argued.

“The UK financial sector remains resilient to cyber-attack thanks to operations such as Wire Shark and Resilient Shield which have encouraged sharing of threat intelligence and greater communication between both British and US banks.”

The bank also said it was "working closely with law enforcement authorities to pursue the criminals responsible.”

However, Ryan O’Leary, senior director of WhiteHat Security’s Threat Research Centre, argued that the bank’s time could be better spent on preventative measures, especially given that finding and prosecuting attackers can be a challenge.

“Those who can pull off a DDoS attack are extremely prevalent; if one individual or group were able to execute a DDoS attack, it is very likely many others could do the same,” he added. “The company's issue is not the attacker, it’s the system that is susceptible to the attack. Fix the issue and your attacker problem goes away.”

Source: Information Security Magazine

UK Sites Pummelled by DDoS Storm in Q4

UK websites suffered a sharp increase in DDoS attacks of over 20% quarter-on-quarter to become the second most targeted country in the world after the US, according to the latest stats from Imperva.

The security firm compiled its DDoS Threat Landscape Report using data from 3,997 network layer and 5,443 application layer DDoS attacks it stopped for customers during the fourth quarter of 2015.

It found the number of attacks against UK sites rose from just 2.5% of the global total in Q3 to 23.2% in Q4, propelling the country to second overall behind the US (47.6%).

Japan also suffered more heavily than before, with DDoS attacks increasing from 1.2% to 8.6% over the same period, pushing it into third place.

China (39.8%), South Korea (12.6%), the US (11.7%) and Vietnam (5.8%) remained the top countries in terms of attack traffic origin, the report revealed.

Nitol (33.3%) and PCRat (32.8%) accounted for the majority of botnet activity.

Imperva claimed that the second half of 2015 saw a spike in the number of DDoS-as-a-service attacks, with more customers subjected to high-volume network layer DDoS bursts as opposed to the long—sometimes weeks long—campaigns seen at the start of the year.

The firm revealed an increase in high volume attacks using smaller-sized network packets, which apparently force victim organizations to think about processing capacity (Mpps), rather than network bandwidth (Gbps) to protect their assets.

For example, the biggest network layer attack mitigated by Imperva during the period was a SYN flood that peaked at 325 Gbps and 115 Mpps but lasted just 40 minutes.
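Two points in these articles are easier to see with numbers than with prose: Justin Harvey's advice (in the HSBC piece) that robust monitoring should catch a DDoS in its early stages, and Imperva's observation that small packets make packet rate (Mpps), not bandwidth (Gbps), the binding constraint. The following is an added example, not code from Infosecurity, Imperva or Fidelis: it derives the average packet size implied by the 325 Gbps / 115 Mpps SYN flood quoted above, shows how much higher the packet rate would be at minimum frame size, and runs a simple per-destination SYN rate check over constructed flow records. The flow records, addresses (RFC 5737 documentation ranges) and the alert threshold are all invented for the illustration.

```python
"""Packet-rate view of a SYN flood, plus a per-second SYN rate monitor.

Added example; the flow records below are constructed, not captured data.
"""
from collections import defaultdict

BITS_PER_BYTE = 8
MIN_ETHERNET_FRAME_BYTES = 64  # smallest legal frame; preamble/IFG ignored here


def implied_avg_packet_bytes(gbps: float, mpps: float) -> float:
    """Average bytes per packet implied by a (Gbps, Mpps) pair.

    325 Gbps at 115 Mpps works out to roughly 353 bytes per packet.
    """
    return (gbps * 1e9) / (mpps * 1e6) / BITS_PER_BYTE


def pps_at_bandwidth(gbps: float, frame_bytes: int) -> float:
    """Packets per second a link carries if every frame is frame_bytes long.

    At minimum frame size the same 325 Gbps is about 635 Mpps, which is why
    a small-packet flood exhausts processing capacity long before bandwidth.
    """
    return (gbps * 1e9) / (frame_bytes * BITS_PER_BYTE)


# Constructed flow records: (t_seconds, src_ip, dst_ip, tcp_flags, packets, bytes)
# "S" = SYN only (handshake open); "PA" = established data traffic.
SAMPLE_FLOWS = [
    (0, "203.0.113.5", "192.0.2.10", "S", 3, 180),
    (0, "198.51.100.7", "192.0.2.10", "PA", 40, 52_000),
    (1, "203.0.113.9", "192.0.2.10", "S", 2, 120),
    (1, "198.51.100.7", "192.0.2.10", "PA", 38, 49_400),
    # Burst at t=2: many tiny SYNs from sources that never complete a handshake.
    (2, "192.0.2.77", "192.0.2.10", "S", 900_000, 54_000_000),
    (2, "192.0.2.78", "192.0.2.10", "S", 850_000, 51_000_000),
    (2, "198.51.100.7", "192.0.2.10", "PA", 35, 45_500),
    (3, "203.0.113.5", "192.0.2.10", "S", 2, 120),
]


def syn_rate_alerts(flows, syn_pps_threshold=100_000, bucket_seconds=1):
    """Aggregate SYN-only packets per destination per time bucket.

    Returns one (bucket_start, dst_ip, syn_pps, avg_packet_bytes) tuple for
    each bucket whose SYN rate meets the threshold. The threshold is a
    hypothetical tuning value; a real deployment baselines it per service.
    """
    buckets = defaultdict(lambda: [0, 0])  # (bucket_start, dst) -> [packets, bytes]
    for t, _src, dst, flags, pkts, nbytes in flows:
        if flags != "S":  # only bare SYNs count toward the handshake-open rate
            continue
        key = (t // bucket_seconds * bucket_seconds, dst)
        buckets[key][0] += pkts
        buckets[key][1] += nbytes

    alerts = []
    for (start, dst), (pkts, nbytes) in sorted(buckets.items()):
        pps = pkts / bucket_seconds
        if pps >= syn_pps_threshold:
            alerts.append((start, dst, pps, nbytes / pkts))
    return alerts


if __name__ == "__main__":
    print(f"implied packet size: {implied_avg_packet_bytes(325, 115):.1f} bytes")
    print(f"pps at 64-byte frames: {pps_at_bandwidth(325, MIN_ETHERNET_FRAME_BYTES) / 1e6:.0f} Mpps")
    for start, dst, pps, avg in syn_rate_alerts(SAMPLE_FLOWS):
        mbps = pps * avg * BITS_PER_BYTE / 1e6
        print(f"t={start}s dst={dst}: {pps / 1e6:.2f} Mpps, {avg:.0f} B/pkt, only {mbps:.0f} Mbps")
```

The sample burst at t=2 flags at 1.75 Mpps while consuming well under 1 Gbps, which is the shape Imperva describes: a bandwidth-based threshold would not fire, a packet-rate one does. The check is deliberately coarse; in practice the per-destination counts would come from flow telemetry or a SYN cookie counter on the edge, and the alert would feed the upstream ISP notification Harvey recommends.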

Over 80% of network layer attacks lasted less than 30 minutes, while 58% of application layer attacks lasted just an hour or less.

However, almost half (44.7%) of the victims of application layer attacks are hit more than once, according to the report.

Imperva CTO, Amichai Shulman warned that DDoS attacks can’t be stopped at the network perimeter.

“DDoS attacks must be mitigated as far from the target network as possible and as close to the source of the attack traffic as possible,” he told Infosecurity.

“For that end, organizations who need to defend themselves against such attacks must resort to using a cloud-based DDoS mitigation service. These services have scrubbing centers distributed all around the world and are inspecting and cleaning the traffic closer to its origin, before it aggregates to a critical mass that takes down the target network or even its ISP.”

Source: Information Security Magazine

TalkTalk on Ropes Again After Indian Call Centre Staff Arrested

UK ISP TalkTalk is reeling once again after it emerged that three call centre workers in India were arrested on suspicion of using customer data to commit fraud.

TalkTalk claimed in a statement on Wednesday that it has been working with outsourcer Wipro and local police in Kolkata following a “forensic review” it launched after the October 2015 data breach.

It continued:

“Acting on information supplied by TalkTalk, the local Police have arrested three individuals who have breached our policies and the terms of our contract with Wipro. We are also reviewing our relationship with Wipro.

We are determined to identify and deal effectively with these issues and we will continue to devote significant resource to keeping our customers’ data safe. Data theft and scams are a growing issue affecting all businesses and they are notoriously difficult to investigate and prosecute. We are pleased that our investigations have yielded results, and will continue to do everything we can to tackle these crimes.”

According to Channel 4, the follow-up scams defrauded customers to the tune of thousands of pounds.

Eset security specialist Mark James warned that an element of third party risk is an unavoidable consequence of outsourcing.

“Some are good of course, some work out, but let’s be honest, far too many get a bad name and actually damage our relationship with the supplier,” he told Infosecurity.

“All you can do is set your expectations, lay your ground rules and hope they abide by them. Sadly when things go wrong we don’t look and blame the call centre, it’s the first line supplier that takes the blunt end of the blame stick, and rightly so.”

It’s not just Indian outsourcing firms that can present a risk to their client companies.

In March last year Natwest employee Matthew Parkhouse was jailed after tricking customers into divulging their card details over the phone and then making tens of thousands of pounds worth of payments into his account.

Source: Information Security Magazine

Exclusive: School Websites Contain Pornographic and Gambling Links

A number of school websites contain pages which feature links to gambling, counterfeit goods and pornographic material.

In research revealed exclusively to Infosecurity, researcher Terence Eden found a number of academy, secondary and primary school websites which had pages with rogue text and links to suspicious pages.

Eden previously discovered government websites which had been ‘abandoned’ and left to be compromised by spammers and scammers. He said this was part of an ongoing project he is working on regarding the security of government websites.

Eden said: “Finding these was as simple as a Google search. The people running these sites really ought to be closely monitoring them.”

Several schools have been hacked to hide pornographic content on their websites. The Churchfield CE Primary School website contains hidden pages directing users to extreme content, while Portal House School is a small Special School for pupils who experience Social, Emotional and Behavioural Difficulties. Hidden within its pages are reams of sexually explicit content.

Eden explained that hackers link to externally hosted sites, which then receive an SEO boost when search engines crawl a "trusted" sch.uk domain.

Bishop Challoner is a Catholic Federation of Schools, and several pages on their website have been redirected to online pharmacies.

“Spam filters are reluctant to block messages which seem to link to legitimate pages” Eden said. “These hacked school sites are an unwitting pawn in the war between pill-pushers and spam software.”

School websites were found to contain links to gambling, essay writing services and counterfeit goods. Infosecurity contacted all of the schools identified by Eden; one that responded, Bristol Metropolitan Academy, confirmed that the page containing the counterfeit goods links had been taken down.
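The injected pages Eden describes share a signature: links to external hosts, often wrapped in a container that is hidden from human visitors but still crawled by search engines. A site owner can look for exactly that. The scanner below is an added example, not Eden's method or any code from Infosecurity: it parses a page with the standard library's HTMLParser, flags anchors that sit inside hidden containers (display:none, visibility:hidden, off-screen positioning, the hidden attribute) and external anchors whose href or text match a spam keyword list. The sample page, the school's hostname, the `.example` hosts and the keyword list are all constructed for the illustration.

```python
"""Detect hidden or keyword-stuffed external links injected into a web page.

Added example; the HTML below is constructed, not taken from any real school site.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical keyword list; tune to the spam campaigns seen in your own logs.
SPAM_TERMS = re.compile(
    r"pills|pharmacy|casino|poker|essay|replica|payday|loan", re.IGNORECASE
)

# Inline CSS that hides an element from people but not from crawlers.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px|font-size\s*:\s*0",
    re.IGNORECASE,
)


class InjectedLinkScanner(HTMLParser):
    """Collect anchors that are hidden or point to keyword-matching external hosts."""

    def __init__(self, own_host: str):
        super().__init__()
        self.own_host = own_host.lower()
        self.stack = []          # (tag, is_hidden) for each open element
        self.hidden_depth = 0    # > 0 while inside any hidden container
        self.current_href = None
        self.current_text = []
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        hidden = bool(HIDDEN_STYLE.search(style)) or "hidden" in a
        self.stack.append((tag, hidden))
        if hidden:
            self.hidden_depth += 1
        if tag == "a":
            self.current_href = a.get("href") or ""
            self.current_text = []

    def handle_data(self, data):
        if self.current_href is not None:
            self.current_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.current_href is not None:
            self._classify(self.current_href, "".join(self.current_text).strip())
            self.current_href = None
        # Pop back to the matching open tag; void elements fall out on the way.
        while self.stack:
            open_tag, hidden = self.stack.pop()
            if hidden:
                self.hidden_depth -= 1
            if open_tag == tag:
                break

    def _classify(self, href: str, text: str):
        host = (urlparse(href).hostname or "").lower()
        external = bool(host) and host != self.own_host and not host.endswith("." + self.own_host)
        reasons = []
        if self.hidden_depth > 0:
            reasons.append("hidden-container")
        if external and SPAM_TERMS.search(href + " " + text):
            reasons.append("spam-keyword-external")
        if reasons:
            self.findings.append({"href": href, "text": text, "reasons": reasons})


def scan_page(html: str, own_host: str):
    """Return a list of suspicious links found in html for a site at own_host."""
    parser = InjectedLinkScanner(own_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a benign school page with an off-screen spam block injected.
SAMPLE_PAGE = """<html><body>
<h1>Welcome to Example Primary School</h1>
<p>Term dates: <a href="/term-dates">here</a>.</p>
<p>Partner: <a href="https://www.gov.example/education">Department page</a></p>
<div style="position:absolute; left:-9999px">
  <a href="http://cheap-pills.example/buy">buy pills online</a>
  <a href="http://casino-bonus.example/">free casino bonus</a>
</div>
<p>Read more: <a href="http://essay-mill.example/write-my-essay">essay writing service</a></p>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE, "example-primary.sch.example"):
        print(finding)
```

Run against the sample, the two off-screen links are reported for both reasons and the visible essay-mill link for the keyword match alone, while the internal and government links pass. One caveat for anyone adapting this: compromised sites frequently cloak, serving the spam block only to crawler user agents, so the fetch that feeds `scan_page` should be made with a crawler-like User-Agent as well as a browser one, and the results compared against a known-good baseline of the site's own links.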

Eden said: “The Department for Education is particularly inept when it comes to technology which – given that our country's future relies on technological progress – is more than a little depressing.

“The Department for Education have a database called EduBase which lists details about every school under its purview. In a wonderful display of Open Data, anyone can download the database (a 36MB CSV) to investigate.”

He explained that of 43,866 schools with 25,251 websites, only 11,249 are using the school.uk domain, and said that it is simply not possible for any individual to monitor all those domains.

“Indeed, schools quite often don't have the requisite skills to maintain and protect their websites,” Eden says. “The majority of broken sites I've checked have been run by the private sector – who are apparently not paid enough to secure the sites.”

He stressed the need for central handling of web security, saying it should be the job of the Local Education Authority to set minimum standards for website security (and for usability and reliability).

“If individual schools are unable to meet those standards, then the LEA must intervene and directly manage the website,” he said. “If the LEA is incapable or underfunded, the DfE should be ensuring that UK schools' websites are not a total embarrassment.”

In an email to Infosecurity, Wolfgang Kandek, CTO of Qualys, said that school websites are easy targets for exploitation due to the lack of maintenance that many sites exhibit.

He said: “There are problems with vulnerable components at all levels of the website stack: in the Content Management Systems, in the web server software and at the OS level. Most schools do not have the manpower to track updates in the software that they use and so it is easy for them to fall behind.”

He agreed with Eden that a solution is to outsource the running of the website to a known responsible provider which specialises in running the CMS platform and shows an SLA for updates.

He said: “In addition, I would still suggest to monitor the site for new vulnerabilities that can show up at any time. It makes sense to get alerted and follow up with the provider.

“In addition, malware monitoring would make sense, especially if the content on the site is user generated – malware monitoring means that one browses the site with an outdated and vulnerable browser that can detect that the site is serving malware to its users, plus the site is checked against the main malware registries (Google Safebrowsing and others). That way, the site administrators are alerted before, or at least at the same time as, the users are seeing bad behaviour from the site that is being managed.”

Source: Information Security Magazine

Government Start-up Support Creates a "Very Exciting Time"

Government plans to support UK security start-ups have been welcomed as a crucial support mechanism for UK industry.

In an email to Infosecurity, James Chappell, CTO and co-founder of UK security firm Digital Shadows, which was founded in 2011, called the move “another important support mechanism to help develop early stage companies.”

He said: “It is valuable in that it creates an environment via the Cyber London accelerator to bring good ideas closer to the VCs that would fund them. Counsel via CSIT will provide impartial advice and technical rigour to ideas which will help shape ideas before they come to market and are put in front of the VCs.

“More broadly it’s another example of the UK government getting behind cybersecurity start-ups, this in combination with measures announced in George Osborne’s speech before Christmas, makes this a very exciting time for UK cybersecurity start-ups.”

This week, the UK government announced a £250,000 Early Stage Accelerator Programme to help start-ups in the space get advice, support and funding to develop their products and services and bring them to market. It will be run by Cyber London—described as “Europe's first cybersecurity accelerator and incubator space”—and the Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast.

Chappell claimed that the UK has a brilliant culture of curious minds and some of the best academic talent in the world in this topic area, and with the right environment with the right support and motivation, there is a real opportunity to build the next generation of cyber start-ups.

“For companies that have genuinely great ideas, the VC funding is there to support them,” he said. “In our experience, whilst the finance from VCs is of course vital, what is just as invaluable is the contacts, counsel and strategic guidance they provide to help us grow our business. We see the government’s role as to provide the right regulatory and business environment to help early stage companies grow and flourish rather than to provide funding.”

Source: Information Security Magazine

Panda Security Spotted Over 80 Million New Malware Samples in 2015

Over a quarter of all the malware ever recorded appeared in 2015, according to startling new statistics from Panda Security.

The Spanish security vendor’s PandaLabs researchers claimed to have seen a staggering 84 million new malware samples last year, which equates to a daily average of 230,000 and marks an increase of nine million from 2014.

The total number of malware samples discovered by the firm is 304 million, putting last year's batch at 28% of all the malware it has ever recorded, and it’s only going to grow even higher, according to PandaLabs technical director, Luis Corrons.

He told Infosecurity via email it was time for IT teams to adopt a “change of mentality” and advised firms to invest in endpoint detection and response (EDR) technologies.

“As Gartner said in its recent report EDR ‘has emerged to augment security and more rapidly respond to inevitable advanced attacks that evade existing antivirus solutions’,” he added.

“As a CISO, having the ability to know what processes are running in each endpoint/server, if their behavior is proper, with forensic capabilities in case a breach happens, is a game changer. It will give you the knowledge and facts to act fast and prevent/mitigate new threats in your organization.”

Trojans were once again the main source of malware (52%), well ahead of viruses (23%), worms (13%), PUPs (11%), and spyware (2%).

However, it was infamous ransomware Cryptolocker that appeared most often in cyber attacks, the firm claimed.

Once again, China was pegged as the most infected country in the world, with 57% of computers in the Middle Kingdom carrying some kind of malicious code—up nearly a third since 2014.

Next came Taiwan (49%) and Turkey (43%), with Colombia (33%), Uruguay (33%), and Spain (32%) also above the global average.

At the other end of the scale, the Nordics once again proved they are the most secure nations on the planet.

Finland came top with an infection rate of just 20%, followed by Norway (21%) and Sweden (21%). There was also good news for the UK, which came in fourth place with a rate of just 21.3%.

Source: Information Security Magazine

Large-Scale Hacks Cause 98% of Leaked Healthcare Records

In 2015, one in three Americans were victims of healthcare data breaches, attributed to a series of large-scale attacks that each affected more than 10 million individuals. The result is that more than 111 million individuals’ data was lost due to hacking or IT incidents in the US alone.

According to Bitglass’ 2016 Healthcare Breach Report, 98% of record leaks were due to large-scale breaches targeting the healthcare industry. These high-profile attacks were the largest source of healthcare data loss and indicate that cyber-attackers are increasingly targeting medical data. They include the widely publicized Premera Blue Cross hack, involving 11 million customers, and the Anthem hack, which resulted in 78.8 million leaked customer records.

The findings come from analyzing data on the United States Department of Health and Human Services’ “Wall of Shame,” a database of breach disclosures required as part of the Health Insurance Portability and Accountability Act (HIPAA).

“The 80% increase in data breach hacks in 2015 makes it clear that hackers are targeting healthcare with large-scale attacks affecting one in three Americans,” said Nat Kausik, CEO, Bitglass. “As the [internet of things] revolution compounds the problem with real-time patient data, healthcare organizations must embrace innovative data security technologies to meet security and compliance requirements.”

In 2015, there were 56 breaches due to hacking or IT incidents, up from 31 in 2014. Only 97 breaches were due to loss or theft last year, down from 140 in 2014.

“Protected health information (PHI) — which includes sensitive information such as Social Security numbers, medical record data, and date of birth — has incredible value on the black market,” the report noted. “A recent Ponemon Institute report on the cost of breaches found the average cost per lost or stolen record to be $154. That number skyrockets to $363 on average for healthcare organizations.”

Bitglass also pointed out the costs to consumers: When credit card breaches occur, issuers can simply terminate all transactions and individuals benefit from laws that limit their liability. However, victims have little recourse when subjected to identity theft via PHI leaks, and many are not promptly informed that their data has been compromised. While criminals often leverage healthcare data for the purposes of identity theft, they can also leverage it to access medical care in the victim’s name or to conduct corporate extortion.

Source: Information Security Magazine

Employee Retention is Critical to Solving the Security Skills Shortage

The skills shortage in IT security is a very real problem, even though companies have become more creative in how they attract talent. But there’s more to consider: A report from AlienVault argues that retaining the talent once acquired should also be a keen focus for HR departments.

“One can hypothesize that companies no longer offer ‘jobs for life,’” said AlienVault security advocate and former 451 security analyst, Javvad Malik, in the report. “Or indeed blame millennials for being self-entitled and lazy workers who need constant baby-sitting.”

But the reality is that the retention concern is common. Only about 65% of participants are happy and content in their current jobs. And even those that say they’re happy admit that the idea of challenging and exciting work would be a motivator to move somewhere else—thus setting up a competitive environment among companies looking to hone their IT security departments.

“Retaining staff can be a fine balancing act that needs the precision of a NASA engineer landing a rocket on a comet,” Malik said. “On one hand employers need to provide appropriate compensation and working environments. While on the other hand, remaining mindful that other companies will make high offers in attempts to acquire the right candidates.”

Better pay, better perks, flexible working, the promise of training and certification, more challenging and exciting work and a better work culture were all cited as reasons to go to another company. Based on the number of responses and ranking of each option, ‘more challenging and exciting work’ was the most popular reason (33.9%) to want to move jobs.

Not surprisingly, pay came in second (23.14%) and flexible working (16.81%) came in third. Training, certification or general learning was the leading reason as a second and third ranked choice.

But this is not a simple black and white case of which company can make the best offer. Not all employees have a mercenary attitude towards work, and a multitude of other factors come into play.

In order to get ahead in the game, the report showed that things like office location matter. Having offices situated outside of major cities will not only attract local talent, but the chances of retaining them increase significantly due to lack of competition.

Also, company culture is a big intangible. “Being unhappy with boss or company culture was an underlying theme across the survey,” Malik said. “Yet, several participants, particularly those in larger organizations, felt a distinction should be made between the company culture and team culture. Noting that one can be very satisfied with one's colleagues and boss but dissatisfied with the company culture.”

Employees often suffer from a “grass is always greener” problem, AlienVault director of solutions architecture Joe Schreiber told us.

“The key is maintaining a fun and rewarding environment,” he stated. “The fun part is deliberate; a lot of folks just leave because they are burned out. They think a new job will alleviate this; often it doesn't work that way. We had what I called a ‘high rate of recidivism’ in the SOC, which proves this. Operations is tough, it just is.”

Another retention tactic is providing career development opportunities.

One respondent summed up the problem and the allure of migrating to another employer: “IT is quite a movable field in my opinion. You always want to grow your skillset and it seems the best thing for that is to move after a certain amount of time and have more exposure to different areas. The technical people that I have seen go a bit stale with their knowledge are generally those that have stayed at one place for much of their career and have been happy to stay put. Nothing bad about keeping a job for a long time, but if you want to stay on top of your game, you need to be constantly studying and looking at different technology.”

Schreiber said that this issue takes personalized attention to solve.

“Knowledge is the key, generating and sharing it,” he said. “Training is the obvious, but it can also be an internal activity. A good infosec professional is insatiably curious, a job that attempts to satiate them will have the most success. There should be freedom around this acquisition too. Employers should be cognizant of cross-training, but also letting people find new areas of interest. Maybe your IDS guy turns into a pen tester? You may need that in the future, you just can't restrict them.”

Source: Information Security Magazine

IoT Security Challenges Still Bother Businesses

IT rarely comes in on time, under budget and works first time – and the Internet of Things (IoT) will be the same.

Speaking at a roundtable at the launch of a report into the security of IoT by Telefonica, John Moor, director of the IoT Foundation said that security is often not built into projects as the cost does not support that part of the process.

He said: “No one wants to go unpatched, so think about the stage of design and how to be secure comes down to design and security.”

Also on the roundtable was Chema Alonso, CEO of ElevenPaths, the cyber unit of Telefonica, who said that anyone with a mature level of security knows that you cannot prevent everything, and need to manage the security of the IoT in the enterprise with a persistent vision.

Moor said that the security of IoT is context dependent and the demands differ between corporate and domestic settings, so it helps to break the problem down into apps, connectivity, and sensors.

He said: “One of the trends is how we continue to be a big society and consume physical stuff, and IoT is about services. It is not about toothbrushes, it is about reducing energy costs. It is at a point of technology where enable and connect everybody – who pays for security and connects it?”

Alonso pointed out that in Spanish, it is the same word for security and safety. “Regulating is hard as you don’t want someone to regulate or do certification and put the product outside, you want to do it for the lifecycle. The biggest issue is managing the lifecycle of security and what is happening on day one.”

Asked by Infosecurity if vendors need to do more, Andrey Nikishin, special project director of Future Technologies at Kaspersky Lab, said that consideration needs to be given to changes to the device, and to data in motion and data at rest.

He said: “The focus is to secure device, but for an IoT device you cannot do security on it so you need to approach from additional to built-in security so devices have security from the beginning. Think safety: but not only security and special approaches and what to minimise. 100% security is not possible, but raise the bar to make hacking difficult.”

Source: Information Security Magazine

DDoS Attacks Hit Record 500 Gbps in 2015

Last year saw the largest ever DDoS on record at 500 Gbps, as attackers increasingly adopted multi-vector techniques to extort money from their victims, according to Arbor Networks.

The network security firm’s 11th Annual Worldwide Infrastructure Security Report (WISR) claimed DDoS attack size has grown 60-fold since the survey first began and is still growing, with other victims in 2015 reporting attacks of 450 Gbps, 425 Gbps and 337 Gbps.

The complexity of attacks is also increasing, with over half (56%) reporting so-called ‘multi-vector’ attacks designed to hit infrastructure, applications and services simultaneously.

Almost all (93%) reported application layer attacks, with DNS the most commonly targeted service now, rather than HTTP.

Cloud-based services in particular are under fire. The percentage of respondents reporting outages affecting this layer has risen from 19% two years ago to a third (33%) in this report.

On the plus side, more than half of respondents (57%) said they are looking to deploy technology to speed incident response, while 52% of service providers claimed they can now spot and contain an APT within a month.

What’s more, three-quarters now say they have a formal incident response plan.

However, the insider threat is growing—up from 12% last year to 17%—and a worryingly high 40% still don’t have tools to monitor the use of BYOD on their networks.

Arbor’s chief security technologist, Darren Anstee, argued that complex, stealthy threats are hard to mitigate.

“Every year, more of our survey respondents see application-layer attacks on their networks and this year we have seen a big jump in the proportion of respondents seeing multi-vector attacks. Multi-vector attacks are more complex to deal with, but the right tools make all the difference,” he said in a statement.

“On a positive note, the proportions of respondents using Intelligent DDoS Mitigation Systems (IDMS) are up for both enterprise and service provider respondents—so the right solutions are being deployed. And this is just as well, as we are also seeing attack frequencies up across the board.”

Kaspersky Lab principal security researcher, David Emm, argued that DDoS attacks are now cheap and easy to launch—giving rivals, hacktivists and those with a grudge to bear an excellent opportunity to cause maximum disruption to a target.

“In fact, although the cost to businesses from this kind of attack is on average around £291,000, the simplest DDoS attack can be acquired for only £32.30 and ordered anonymously. As a result, the volume of attacks has rapidly increased in recent years, so it’s imperative that businesses find an effective way to safeguard themselves from such attacks in 2016,” he added.

“Companies can do this by partnering an internal specialist with an internet provider, to actively filter and weed out these types of crude attacks, and decrease the cost of customer protection, as well as reduce the risk of loss to the company.”

Source: Information Security Magazine