Archive for May 2016

Americans Trade Privacy for Speed at Public Wi-Fi Hotspots

Most Americans, if given the choice, would rather improve personal online security (57%) over internet speed (43%), new research has revealed. But public Wi-Fi practices turn that on its ear.

The survey, conducted by SecureAuth together with Wakefield, shows that many people trade privacy for speed in practice. It found that Americans as a whole are still disclosing personally identifiable information (PII) over public hotspots, including:

· Their address (44%)
· Their credit card number (32%)
· Their account passwords (29%)
· Their Social Security number (16%)
· Their driver’s license number (15%)

“There are a couple of theories that may explain the discrepancy between millennials and older respondents,” the report noted. “Most millennials, who have grown up with continued technological advancement, are accustomed to fast and efficient technology. Concurrently, millennials, many of whom are active on a myriad of social media sites, have less qualms overall about disclosing personal information.”

The results are concerning because of the inherently open nature of public Wi-Fi: on an open hotspot, traffic that the application itself does not encrypt (for example, with TLS) can be captured by anyone on the same network. Users are therefore at greater risk of data theft, and with it stolen identities, financial damage (such as credit cards being opened in their name) and data being held for ransom.

The survey also shows a complicated picture once the results are segmented by demographics. For instance: More than half of millennials (54%) would rather improve their Internet speed than their personal online security. But when it comes to public Wi-Fi, most Americans (57%) have given some sort of personal information online over public Wi-Fi—but that number jumps to 78% among millennials.

Other demographic splits are interesting. For instance, while men are split fairly evenly between personal online security (51%) and speed (49%), significantly more women care about online security (62%) vs. speed (38%).

Education matters too: 63% of college graduates care about security, vs. 47% of high school graduates.

“I can speak from the experience of someone who has dealt with the ramifications of a massive, high profile PII data breach,” said Craig Lund, SecureAuth CEO. “The hacker pulled the ‘Craig Lund’ information from the trough of 70 million stolen IDs, created a false credit card and started charging me. In that case, there was nothing I could have done to prevent the attack. In this case, individuals have agency in the matter: they can choose not to disclose PII over public Wi-Fi. This is especially important as we go into the summer travel season, when online behavior tends to be less business-focused.”

Photo © DeiMosz

Source: Information Security Magazine

Ransomware Targets Millions by Spoofing Nordic Telco Telia

A new ransomware campaign is being mounted by cyber-criminals impersonating Telia, the Nordic telecom giant with operations in Europe and Asia.

Telia has hundreds of millions of customers who could all become targets for the attack, which, according to Heimdal Security, is a highly targeted campaign using a mix of attack vectors.

Victims are first baited with a link to an invoice which appears to come from Telia, a trusted telecom company. The primary target for the attack is Sweden, but additional campaigns may follow, replicating the same model.

When the victim clicks the link, they are redirected to a web page that displays a CAPTCHA. Only once the CAPTCHA is solved, a step that also keeps automated crawlers and sandboxes from retrieving the file, is the TorrentLocker payload downloaded.

“The Torrentlocker family is well known for its highly targeted spam email campaigns,” said Heimdal Security researcher Andra Zaharia, in an analysis. “Attackers carefully localize the emails, ransom notes and other elements tied to the campaign. The more targeted the attack, the higher the chances for it to be effective.”

Interestingly, the payload is only served if the victim’s IP address is in Sweden; visitors from any other country are simply redirected to Google. The geofence doubles as an evasion technique, since analysts and sandboxes outside Sweden see nothing but a harmless redirect.

As soon as the malicious code runs, it connects to a central command-and-control (C&C) server and registers the infected computer together with data harvested from it, including certificates found on the device. Any contact details available on the device are also collected and sent to the C&C server, most likely to seed future spam campaigns.

The next step is for TorrentLocker to encrypt all the data files available on the local drive and on connected network drives, if there are any. Victims are extorted to pay approximately 1.15 Bitcoins, which is worth around 4099 SEK (441 EUR). There’s a time limit for the payment, which, if surpassed, will double the ransom value.

“We can’t emphasize this enough: a backup is the best protection for your data in case of a ransomware attack,” said Zaharia. “Actually, you should have multiple backups. We have a long road ahead when it comes to minimizing the impact of ransomware, which is one more reason to push for basic cybersecurity education and proactive protection.”

She added, “Spoofing the identities of big, respected companies is a key tactic that cyber criminals use to trick their victims. We’ve seen it happen with IKEA and especially Post Denmark and PostNord. And we’ve seen it not once, not twice, but tens of times in the past year alone.”

Photo © Carlos Amarillo

Source: Information Security Magazine

Level 3 Offers Managed Security Service ESG

Managed services provider Level 3 Communications has launched a cloud-based network security solution to offer anti-malware with sandboxing, data loss protection, application awareness and enforcement and next-generation firewall.

Available globally starting 30 June, ESG will allow users to move the security perimeter from their enterprise or data center to the Level 3 network, with traffic routed to one of Level 3’s globally dispersed gateways, where a collection of security services can be accessed. Also via Level 3’s customer portal, users can view their entire ESG ecosystem, enabling access to a multitude of reports and gateway performance metrics.

Speaking to Infosecurity, Level 3 regional president EMEA Andrew Crouch explained that the challenge for businesses is keeping network-based security up to date, and that ESG is about providing that protection to enterprises at the site or branch-office level.

“It has next generation technology within it, and we focus on application awareness and control, as we know malware is deposited on the web so we give users the ability to look at applications and filter as necessary,” he said.

“This is about helping with a lack of skilled people, also performance and bandwidth and capital expenditure, as we offer the service to offer hardware and consistency with the CIO who is accountable for dealing with threats. This is about enforced security policy within a cloud-based environment.”

ESG uses Level 3’s network to provide carrier-agnostic, network-based security protection, so that data on any device at any location, over any connection or carrier, can be secured. From anywhere in the world, customers can draw on Level 3’s global IP backbone capacity of more than 42 terabits per second and its extensive interconnection agreements to reach the security tools hosted in the gateways.

Crouch said: “We use best of breed technology and develop in a service model which gives flexibility with new technology. Demand from customers drove this so we delivered this for service needs.”

Frank Dickson, security analyst at Frost & Sullivan, said: “By redefining the security perimeter, customers have the ability to apply and leverage an integrated collection of security tools and professionals within the Level 3 network, removing the need for constant on-premise hardware updates while controlling IT budgets. The future is in the cloud; ESG provides a solution for enterprises to strategically leverage the cloud to simplify their security architecture while improving efficacy in the process.”

Source: Information Security Magazine

ICSA Labs Launches New IoT Certification Program

ICSA Labs has launched a new certification and testing program specifically for IoT devices and sensors, in a bid to improve overall standards of security in embedded computing devices.

The Verizon subsidiary will test six elements in its new IoT Security Testing and Certification Program: alert/logging, cryptography, authentication, communications, physical security, and platform security.

It’s being recommended for firms that develop, manufacture and resell IoT kit and those looking to buy devices and sensors to use inside their business.

Products that pass the test will receive the ICSA Labs badge of approval, which the firm hopes will become a standard of excellence in the industry.

In developing the standard, ICSA Labs drew on other emerging guidelines such as the OWASP Internet of Things Top 10, the Industrial Internet Consortium Reference Architecture and the Online Trust Alliance’s IoT Trust Framework.

ICSA Labs managing director, George Japak, argued that the sheer size of the IoT industry already makes it difficult for firms to find the most secure products.

“Currently very little exists in the form of organized testing and/or standards to ensure IoT devices and the data exchanged is protected,” he added. “This program is aimed at filling that gap especially as more companies embrace the Internet of Things to streamline business and provide higher levels of customer service.”

Adam Philpott, director of cyber security for Cisco EMEAR, argued that the low barriers to entry for IoT products bring risks of their own, and that the risk grows as the number of IoT endpoints expands.

“Companies can no longer rely upon labor-intensive systems for identifying and remediating breaches in a timely manner. To establish the security posture of endpoints, organizations must consider how they implement the systems that can identify and remediate cyber threats at digital pace and scale,” he told Infosecurity by email.

“It is therefore vital that organizations adopt a holistic and integrated approach to threat defense to mitigate risk, simplify compliance and build trust. By doing so, organizations can enable a faster threat response and increase the potential of keeping pace with increasingly bold, innovative and persistent hackers.”

Numerous reports over the past few years have highlighted security and privacy issues in IoT products.

Most recently, over half (53%) of IT professionals surveyed by Spiceworks claimed that wearables are the most likely source of any IoT-related internal security breach.

Consumers are concerned too. A report from global trade body the Mobile Ecosystem Forum (MEF) last month found that 62% are concerned about privacy and 54% said they were worried about home security as a result of the IoT.

Source: Information Security Magazine

Health Secretary: ‘NHS Still Not Trusted on Data Security’

The NHS has been told that it needs to improve data security from a tech, governance and training perspective ahead of two new reviews set to land in the coming year.

Health secretary Jeremy Hunt, already under fire, said the NHS has still not reassured the public that it can handle data safely in the months since he announced the reviews last autumn, according to The Times.

The Care Quality Commission is currently reviewing data security standards across the health service, and will report in January 2017. US healthcare expert Robert Wachter is reviewing the digital future of the NHS.

NHS organizations continue to be found wanting when it comes to secure data handling.

Just this month, Blackpool Teaching Hospitals NHS Foundation Trust was hit with a £185,000 fine from the ICO after accidentally publishing highly sensitive and confidential data about its employees.

Also, Chelsea and Westminster Hospital NHS Foundation Trust received a £180,000 penalty for revealing the email addresses of hundreds of patients with HIV.

Back in 2012, Brighton and Sussex University Hospitals NHS Trust received what was then the largest ICO fine ever issued, £325,000, after it was unable to explain how hundreds of disks containing highly sensitive patient information came to be sold on eBay.

Zak Suleman, healthcare specialist at Smoothwall, argued it is correct that the health secretary is focusing not only on technology but user education and governance.

“Ensuring a strong security culture is instilled throughout the NHS workforce is vital to ensure staff are constantly vigilant and aware of the threats. As the proliferation of cyber-attacks becomes more frequent, advanced and sophisticated, it is now not about if an attack happens, but when,” he added.

“As a result, security needs to be taken seriously at all points of the organization, to ensure that all employees understand the risks of their actions and know the security processes in place should an incident occur to mitigate the risks.”

Cris Thomas, strategist at Tenable Network Security, added that the challenges facing the NHS are “immense” thanks to rapidly evolving technology and an ever shifting threat landscape.

“To eliminate security blind spots the NHS, and all public sector departments for that matter, need to achieve continuous visibility across all systems and devices. Visibility is not just about periodic scans; it’s a full-time endeavor to provide a comprehensive, real-time view into the security posture,” he explained.

“Attackers are attempting to infiltrate networks all the time, so a complete inventory of all network devices and applications — including rogue devices, shadow IT, and virtual systems — is the first requirement for a strong enterprise security program.”

Source: Information Security Magazine

Microsoft to Ban Commonly Used Passwords for Azure

Microsoft has been detailing how it’s attempting to keep passwords safe from crackers, following the recent news that 117 million LinkedIn credentials may have been breached.

Alex Weinert, group program manager of the Azure AD Identity Protection team, explained that the system dynamically bans commonly used passwords.

“When it comes to big breach lists, cybercriminals and the Azure AD Identity Protection team have something in common – we both analyze the passwords that are being used most commonly,” he continued.

“Bad guys use this data to inform their attacks – whether building a rainbow table or trying to brute force accounts by trying popular passwords against them. What *we* do with the data is prevent you from having a password anywhere near the current attack list, so those attacks won’t work.”

Analyzing over 10 million attacked accounts each day, Microsoft continually updates this banned password list.

The feature is live in the Microsoft Account Service and will be rolled out to Azure Active Directory tenants over the next few months.

As Weinert explained, breaches like LinkedIn’s not only give attackers a list of email addresses to try against victims’ other accounts, but also reveal which passwords are most popular, which makes cracking attempts easier.

In fact, Weinert warned that admins should drop practices such as password length requirements, complexity requirements and forcing users to replace passwords regularly, because they push users toward predictable patterns that make passwords easier to crack.

In a new paper on the subject, Redmond advises admins to eliminate the above, and educate users not to reuse corporate credentials outside of work, as well as enforcing multi-factor authentication.
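The mechanism described above, mining breach dumps for the most common passwords and then refusing anything “anywhere near” them, is easy to illustrate in a few lines. The Python below is an added example, not Microsoft’s code or the Azure AD implementation: it normalises passwords the way a cracker’s rule set would (case, leet substitutions, appended digits and symbols), builds a banned list from a constructed credential dump, and shows that a classic composition policy waves through exactly the password the ban catches. The dump, the leet table and the thresholds are all assumptions made for the example.

```python
"""Banned-password check driven by breach data.

Added example, not Microsoft's code: it illustrates the approach the article
describes (mine the most common passwords from leaked credentials, then refuse
any new password that is "anywhere near" them) and why composition rules alone
do not achieve the same thing. The credential dump below is constructed for
the example; the leet table and thresholds are assumptions.
"""
import re
from collections import Counter
from typing import List, Set

# Constructed sample of a leaked email:password dump (not real data).
BREACH_DUMP = """\
a@example.com:123456
b@example.com:password
c@example.com:123456
d@example.com:linkedin
e@example.com:Password1
f@example.com:123456
g@example.com:P@ssw0rd
h@example.com:linkedin
i@example.com:qwerty
j@example.com:letmein
"""

# Common character substitutions that cracking rules undo (assumed table).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})

MIN_SUBSTRING = 6  # shortest banned word matched as a substring (assumption)


def normalise(password: str) -> str:
    """Reduce a password to the base word a cracking rule set would produce.

    Lower-case it, strip leading/trailing digits and symbols (the "2016!" a
    user appends to satisfy a policy), then undo leet substitutions. Passwords
    with no letters at all (e.g. "123456") are returned lower-cased as they are.
    """
    lowered = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if not core:
        return lowered
    return core.translate(LEET)


def top_passwords(dump: str, n: int = 5) -> List[str]:
    """Most frequent normalised passwords in a breach dump, most common first."""
    counts: Counter = Counter()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        _, _, pw = line.partition(":")
        counts[normalise(pw)] += 1
    return [pw for pw, _ in counts.most_common(n)]


def is_banned(candidate: str, banned: Set[str]) -> bool:
    """True if the candidate is a banned word or a trivial variation of one."""
    base = normalise(candidate)
    if base in banned:
        return True
    # "mypassword2016" still contains the banned word once normalised.
    return any(len(b) >= MIN_SUBSTRING and b in base for b in banned)


def meets_complexity(password: str) -> bool:
    """Classic composition policy: 8+ chars with upper, lower, digit and symbol."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


# The dynamic banned list: the top entries of the (constructed) breach dump.
BANNED = set(top_passwords(BREACH_DUMP))

if __name__ == "__main__":
    for pw in ("P@ssw0rd2016!", "correct horse battery staple"):
        print(f"{pw!r}: complexity={meets_complexity(pw)} banned={is_banned(pw, BANNED)}")
```

The point of the normalisation step is that the ban is applied to the base word, so “P@ssw0rd2016!” is rejected even though it satisfies every composition rule, while a long passphrase with no banned word in it passes the ban despite failing those same rules.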

Microsoft’s move to dynamically ban weak passwords was welcomed by industry experts.

“Since Microsoft thinks they can defend this move with their users, hopefully it leads to organizations’ security folks getting the ammo they need to win these fights internally,” argued Jonathan Sander, VP of product strategy at Lieberman Software.

“Security pros have known for years that moves like this are a good idea – especially when coupled with multi-factor authentication as Microsoft has it. This could raise the security bar for everyone.”

However, Miracl CEO, Brian Spector, added that passwords are still fundamentally broken.

“We should activate 2-factor-authentication wherever possible and demand strong authentication options,” he said. “Service providers should move beyond the password and contribute to the restoration of trust on the internet by removing the password from their systems altogether.”

Source: Information Security Magazine

PCI Standard’s Multi-factor Authentication Mandate Delayed ‘Til 2018

Deadlines for compliance for two of the most important mandates in PCI DSS version 3.2 have been delayed to 2018.

The PCI Security Standards Council (PCI SSC) last month published a new version of its data security standard (DSS), used to safeguard payment data before, during and after a purchase is made. The new version features several significant changes, including adding multi-factor authentication as a requirement for any personnel with administrative access into environments handling card data. Previously this requirement applied only to remote access from untrusted networks.

Additionally, it requires a migration away from SSL and early TLS (TLS 1.0) as transport encryption, and mandates that organizations confirm their security controls are still in place after any change to the cardholder data environment, among other updates.

PCI DSS 3.2 replaces 3.1, which is retired on October 31; after that date all organizations must validate their compliance against v3.2, as with every previous version of the DSS. However, the deadlines for the two requirements above are extended: the SSL/early TLS migration deadline moves to July 2018, and multi-factor authentication must be deployed by 1 February 2018.

It’s a state of affairs that could cloud things for everyone, according to Chris Scott, program director at The Bunker.

“By setting a two-year window to become compliant, the PCI SSC may have inadvertently set up a period of greater confusion for end users, who will need to take extra care to ensure that their data is adequately stored and protected, and that third-party providers guarantee a high degree of security and compliance,” said Scott. “Cloud providers that are only compliant with older PCI DSS regulations than 3.2 will be leaving their customers more vulnerable to attack, and the fact that it will take some up to two years to meet the requirements show how far behind many cloud providers are.”

Other specialists however say that concern is overblown.

“The two specific requirements mentioned above affect many organizations and are not very easy to fix, especially if you have complex legacy infrastructures,” Neira Jones, independent advisor and non-executive director at both Cognosec and Pay:Way, said in an interview. “You have to put yourself in the shoes of the SSC: they rely on feedback from their members, the participating organizations. In this instance, I believe that the participating organizations have fed back that they needed more time on those two points, and the SSC has to listen to their members, that is the nature of the beast.”

She added, “It also has to be said that whilst those deadlines are set in 2018, the SSC clearly recommends that these requirements should be complied with as soon as possible. And whilst I, like many other infosec professionals, would like to see early SSL/TLS eradicated and MFA deployed everywhere, we have to face the harsh reality of our environment, and I can’t blame the SSC for that.”

Others agreed.

“In my opinion, this situation doesn’t introduce new risk—it simply heightens awareness of an existing risk,” said Dwayne Melancon, CTO at Tripwire, speaking to Infosecurity. “I agree that the time frame for resolution is fairly long, but it can take time for organizations to implement changes in complex environments.”

He added, “In the meantime, there is a middle ground that is workable—that middle ground involves increasing the amount and rigor of monitoring around the in-scope infrastructure and storage. Understanding what ‘normal’ behavior in the environment looks like is crucial, then the intensive monitoring can more easily identify abnormal behavior, which could indicate a compromise of data. That approach will help mitigate the risk of data theft until the proposed changes are completed.”

Photo © iLight photo

Source: Information Security Magazine

Carding Site ‘Owner’ Extradited After Making Millions

A Macedonian accused of selling over 181,000 stolen credit card details on an underground website he operated has been extradited to the United States, according to a complaint unsealed in a Brooklyn federal court on Friday.

Djevair Ametovski, aka ‘codeshop,’ ‘sindrom’ and ‘sindromx,’ is accused of crimes linked to a site he created for the sale of card data and other personal information.

The charges include aggravated identity theft, access device fraud conspiracy, and wire fraud conspiracy.

He was the beneficiary of data stolen from individuals, financial institutions and other businesses via phishing attacks, according to a Department of Justice release.

Ametovski’s site, Codeshop.su, was apparently sophisticated enough to allow customers to search for specific data via bank identification number, financial institution, country, state, and card brand.

Buyers typically used the stolen data either to make fraudulent online transactions or to produce cloned cards for withdrawing cash at ATMs.

To keep his activities a secret, the Macedonian apparently used a network of online money exchangers and digital currencies both to pay the hackers for their stolen data and to receive payment from fraudsters using the site.

Ametovski’s activities resulted in the loss of millions of dollars to thousands of victims around the world, according to the filing.

He was arrested in Ljubljana, Slovenia, on 22 January 2014.

“Cyber-criminals who create and operate online criminal marketplaces in which innocent victims’ financial and personal information are bought and sold erode consumer trust in modern-day payment systems and cause millions of dollars in losses to financial institutions and unsuspecting individuals,” said US attorney Robert Capers, in a statement.

“Today marks a major step in bringing the alleged operator of one such criminal marketplace to justice, and should serve as a warning to others who seek to profit from perpetuating these fraudulent schemes.”

Trend Micro VP of cybersecurity strategy and former Secret Service CISO, Ed Cabrera, claimed the arrest and extradition was a “very promising development.”

“Extradition and arraignment are some of the first steps in the process that have proven to be difficult historically. This case is an important step to unravel these illicit forums in hopes of establishing an effective deterrent against their ongoing establishment,” he added.

“We salute the US Secret Service and Justice Department in this accomplishment and hope to see similar take downs in the future.”

Source: Information Security Magazine

Swift CEO Promises Greater Info Sharing After Bank Cyber Heists

The CEO of the Swift banking network has laid out a five-point plan designed to improve the security of the global banking system following the high profile $81 million cyber heist at Bangladesh central bank and similar attacks on other financial institutions.

Delivering a keynote address at the 14th annual European Financial Services Conference in Brussels yesterday, Gottfried Leibbrandt repeated Swift’s claim that it wasn’t to blame for the incidents and that its network, software and core messaging services have not been compromised.

However, he stressed the need for greater information sharing within the industry, claiming that there have been “at least two, but possibly more,” attacks like that which resulted in the huge theft from the central bank of Bangladesh.

“Banks can learn from one another about the modus operandi and put better preventative measures in place; entities like Swift can serve as the information sharing channel, and we can develop indicators of compromise to help those banks improve their detective capabilities. We are doing so,” he explained.

“But information sharing needs to get better, much better. It is critical that the global financial community works together to bolster our mutual security.”

Swift’s plan is to ask for even more information from its customers and to share that with the banking community in a confidential manner.

The other elements of the five-point plan include hardening security requirements for “customer-managed software,” and enhancing Swift guidelines and developing audit frameworks for its customers.

“Fourth, we will look to see what we can do to support banks’ increased use of payment pattern controls to identify suspicious behavior,” Leibbrandt continued.

“And finally, we will introduce certification requirements for third party providers.”

In conclusion he called on the community to step up innovation efforts in areas like pattern recognition, monitoring, anomaly detection, authentication, and biometrics to help fortify systems against attack.
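The fourth point of the plan, payment pattern controls that identify suspicious behavior, is the one that lends itself to a concrete illustration. The Python below is an added example, not SWIFT’s code or anything a bank named here runs: it builds a per-account baseline from historical transfer instructions and scores each new instruction on signals that a heist of the Bangladesh kind tends to share, namely an unseen beneficiary, an unseen destination country, an amount far outside the account’s norm and submission outside business hours. The message format, the history, the business hours and every threshold are constructed assumptions.

```python
"""Payment-pattern control for outgoing transfer instructions.

Added example, not SWIFT's code: it shows what a "payment pattern control"
of the kind the plan calls for can look like. A per-account baseline is built
from historical instructions, and each new instruction is scored on signals
that Bangladesh-style heists share: an unseen beneficiary, an unseen
destination country, an amount far outside the account's norm and submission
outside business hours. The message format, history, thresholds and business
hours are all constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Instruction:
    ref: str            # message reference
    sent: datetime      # time the instruction was submitted (local)
    debtor: str         # originating account
    beneficiary: str    # destination account
    country: str        # ISO country of the beneficiary's bank
    amount: float       # amount in a single currency, for simplicity


@dataclass
class Baseline:
    beneficiaries: Set[str]
    countries: Set[str]
    median_amount: float


# Constructed history for one account: routine weekday, daytime payments.
HISTORY: List[Instruction] = [
    Instruction("H1", datetime(2016, 1, 4, 10, 30), "ACC-1", "BEN-A", "US", 1_200_000),
    Instruction("H2", datetime(2016, 1, 11, 11, 0), "ACC-1", "BEN-B", "GB", 850_000),
    Instruction("H3", datetime(2016, 1, 18, 9, 45), "ACC-1", "BEN-A", "US", 1_500_000),
    Instruction("H4", datetime(2016, 1, 25, 14, 15), "ACC-1", "BEN-C", "DE", 2_000_000),
    Instruction("H5", datetime(2016, 2, 1, 10, 0), "ACC-1", "BEN-B", "GB", 900_000),
]

BUSINESS_HOURS = range(8, 18)  # assumed local business hours
AMOUNT_FACTOR = 5.0            # flag amounts above 5x the historical median (assumption)
HOLD_THRESHOLD = 2             # two or more signals hold the payment for review (assumption)


def build_baselines(history: List[Instruction]) -> Dict[str, Baseline]:
    """Summarise each debtor account's past behaviour."""
    by_debtor: Dict[str, List[Instruction]] = {}
    for instr in history:
        by_debtor.setdefault(instr.debtor, []).append(instr)
    return {
        debtor: Baseline(
            beneficiaries={i.beneficiary for i in instrs},
            countries={i.country for i in instrs},
            median_amount=median(i.amount for i in instrs),
        )
        for debtor, instrs in by_debtor.items()
    }


def signals(instr: Instruction, baselines: Dict[str, Baseline]) -> List[str]:
    """Return the anomaly signals an instruction triggers against its baseline."""
    base = baselines.get(instr.debtor)
    if base is None:
        return ["no baseline for debtor account"]
    found = []
    if instr.beneficiary not in base.beneficiaries:
        found.append("new beneficiary")
    if instr.country not in base.countries:
        found.append("new destination country")
    if instr.amount > AMOUNT_FACTOR * base.median_amount:
        found.append("amount far above historical median")
    if instr.sent.weekday() >= 5 or instr.sent.hour not in BUSINESS_HOURS:
        found.append("outside business hours")
    return found


def decide(instr: Instruction, baselines: Dict[str, Baseline]) -> Tuple[str, List[str]]:
    """HOLD for manual review when enough signals fire, otherwise RELEASE."""
    found = signals(instr, baselines)
    return ("HOLD" if len(found) >= HOLD_THRESHOLD else "RELEASE", found)


BASELINES = build_baselines(HISTORY)

# Constructed test instructions: one routine, one that looks like a heist
# (Thursday night, unseen beneficiary and country, amount far above the norm).
ROUTINE = Instruction("S1", datetime(2016, 2, 8, 10, 0), "ACC-1", "BEN-A", "US", 1_300_000)
SUSPECT = Instruction("S2", datetime(2016, 2, 4, 23, 50), "ACC-1", "BEN-X", "PH", 20_000_000)

if __name__ == "__main__":
    for instr in (ROUTINE, SUSPECT):
        print(instr.ref, *decide(instr, BASELINES))
```

A control like this sits beside, not instead of, the authentication and endpoint hardening the rest of the plan covers: it assumes the attacker has already obtained valid credentials and is sending well-formed instructions, which is exactly the situation in which behavioural signals are the only remaining tell.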

Vietnam’s Tien Phong Bank has now admitted it was the target of a failed attempt at cyber robbery by a group which seems to have used the same MO as Bangladesh Bank attackers, but the other financial institution named by Leibbrandt remains a mystery.

For its part, the Bank of England is said to have reacted quickly to the incident, ordering UK banks to perform compliance checks soon after the attack to ensure they’re following cybersecurity best practice.

Source: Information Security Magazine

UK Government Agrees to Snoopers’ Charter Review

Theresa May is set to establish an independent review into the proposed powers of bulk collection of data set out in the forthcoming Investigatory Powers Bill.

The home secretary offered to do so in a letter to her shadow opposite number Andy Burnham in a bid to get the Labour Party votes or abstentions the government needs to pass the bill, according to the BBC.

David Anderson, the independent Reviewer of Terrorism Legislation who originally led the Investigatory Powers Review, has been chosen to assess the powers which will allow the authorities to collect large amounts of email and communications data from the populace.

Three separate parliamentary committees picked fault with the original drafting of the bill, but the Conservative government has so far shown little desire to listen to their recommendations for a major redrafting of the legislation.

These included a Joint Committee on the Draft Investigatory Powers Bill which itself called for the government to publish a “fuller justification” for bulk interception of data; bulk acquisition of data; and bulk interference with equipment.

Burnham is set to tell the Commons that he set out seven areas where his party wants to see “significant movement.”

“Yesterday the home secretary wrote to me on two of these issues and I have to say I found her letter extremely encouraging,” he said.

“Her commitment to an independent review of the case for bulk powers is a major concession but the right thing to do and something which will build trust in this process.”

Bulk collection of data has long been criticized by intelligence experts and rights groups, who argue that it is the wrong way to approach surveillance work as it produces simply too much data to search through effectively.

Former NSA technical director, William Binney, told the Joint Committee at the beginning of the year that bulk collection is “99% useless” and “has cost lives in Britain because it inundates analysts with too much data.”

He favors a different approach which maps social networks using metadata and other rules to zero in on known and potential targets without the need to scoop up huge quantities of private data on citizens.

Jacob Ginsberg, senior director at encryption firm Echoworx, argued that there will be “very real costs” if the bill is not implemented correctly from the start.

“A review will do little to reassure the public that their government is looking out for their best interests, especially when the government’s exercise of these powers will not be subject to a meaningful judicial authorisation process,” he added.

“If this bill passes, we’re going to see a tidal wave of other European countries look to impose similar legislation as well. Aside from the short term economic costs, it would be very hard to over-estimate the damage that a bill like this could do to our society.”

The review is set to report by summer.

Source: Information Security Magazine