
Archive for June 2016

CEO Pay Should Be Linked to Cyber Defenses, Say UK MPs

MPs have recommended sweeping changes to the way the UK deals with cybercrime, from defenses to punishment.

Among the changes suggested in the Culture, Media and Sport select committee report are two-year custodial sentences for anyone convicted of cyber offences, fines for businesses that fail to adequately defend themselves from cyber-attacks, and CEO pay that is linked to the quality of the organization’s cyber defenses.

The report has emerged as a result of the inquiry into the October 2015 hack of mobile company TalkTalk, which exposed personal information relating to over 150,000 customers. However, the report makes clear the scope is far wider than that one incident.

“Although the TalkTalk cyber-attack in October 2015 was the trigger for this inquiry, it is essential to put this attack in context. Cybercrime is a significant and growing problem and affects all sectors with an online platform or service,” the report said.

Perhaps one of the largest and most significant recommendations is that every company that handles large amounts of personal data, whether it’s staff or customers, should report annually to the ICO on: “Staff cyber-awareness training; when their security processes were last audited, by whom and to what standard(s); whether they have an incident management plan in place and when it was last tested; what guidance and channels they provide to current and prospective customers and suppliers on how to check that communications from them are genuine; the number of enquiries they process from customers to verify authenticity of communications; and the number of attacks of which they are aware and whether any were successful (i.e. actual breaches).”

Additionally, escalating fines should be introduced for delays or failures to report a breach, MPs said. Escalating fines could also be introduced, based on the lack of attention to threats and vulnerabilities which have led to previous breaches.

So, “a data breach facilitated by a ‘plain vanilla’ SQL attack, for example, or continued vulnerabilities and repeated attacks, could thus trigger a significant fine,” the report said.

While ultimately a CEO is responsible in the event of a significant cyber-attack, the report recommends that organizations have someone in place who is responsible for cybersecurity on a day-to-day basis, and who can be sanctioned if cyber defenses are deemed too weak.

Interestingly, the report also recommends that, “a portion of CEO compensation should be linked to effective cyber security.” This will hopefully mean CEOs pay attention to cyber risks before any potential crisis occurs.

Other improvements recommended in the report include making it easier for victims to claim compensation. This means the likes of Citizens Advice Bureau, ICO and police victim support units helping customers with the process of claiming compensation.

“It would be useful for the Law Society to provide guidance to its members on assisting individuals to seek compensation following a data breach. The ICO should assess if adequate redress is being provided by the small claims process,” the report added.

Finally, the report suggested that current ICO fines of £500,000 may not be a significant deterrent to big organizations, but the incoming European General Data Protection Regulation should change that.

Source: Information Security Magazine

GoToMyPC Confirms Password Attack

Remote desktop app GoToMyPC has confirmed that it was targeted by what it calls a “very sophisticated password attack,” and has reset all customer passwords.

The incident first came to light on June 18, when the company announced on its Status page that some users were having trouble logging in. The following day the incident had been upgraded to a cyber-attack, GoToMyPC said.

“Unfortunately, the GoToMYPC service has been targeted by a very sophisticated password attack,” the statement said. “To protect you, the security team recommended that we reset all customer passwords immediately. Effective immediately, you will be required to reset your GoToMYPC password before you can log in again.”

Beyond this, Citrix, which owns the GoToMyPC service, is revealing very little about the attack, such as whether any accounts were breached, or if any customer information was accessed.

Infosecurity Magazine has reached out to Citrix for more details but has yet to receive a reply.

Depending on the full extent of this attack, it could prove to be a very serious breach. GoToMyPC offers remote access to desktops from other computers and mobile devices. It is very popular with workers who are away from the office and need full access to all their applications and documents. If the attackers were able to breach user accounts they could have accessed sensitive corporate information.

GoToMyPC did provide users with guidelines on how to pick a strong replacement password, such as not using words from the dictionary and mixing in random punctuation, numbers and capital letters. Although GoToMyPC doesn’t mention this, it’s also vital that anyone who may have used the same password on a different site change that password immediately.

It also encouraged users to adopt two-factor authentication for an added layer of security.

Source: Information Security Magazine

Online Marketplace Offers Access to 70K Hacked Servers

An online marketplace has been discovered hawking access to more than 70,000 hacked corporate and government servers.

Kaspersky Lab discovered the forum after a tip from a European ISP. The market, called xDedic, is operated by hackers who earn a commission from each transaction. Victim companies include an aerospace company from the US, oil firms from China and the United Arab Emirates, a chemical company from Singapore and banks from several different countries.

“It’s a marketplace similar to eBay where people can trade information about cracked servers,” said Costin Raiu, head of global research at Kaspersky Lab, speaking to Bloomberg. “The forum owners verify the quality of the hacked data and charge a commission of 5% for transactions.”

The server access goes for as little as $6 each, and can be used for everything from denial-of-service attacks to the stealing of credit-card details from retail shops. Some have used compromised servers to mine bitcoins.

“It wasn’t only government networks, but also corporations, banks, research institutions, telecommunication companies, to name a few,” Raiu said.

Source: Information Security Magazine

Hackers Harvest Card Details from Acer for Almost a Year

Taiwanese hardware and electronics giant Acer has announced that it has suffered a data breach via its e-commerce site.

The compromise was active for almost a year, making the potential victim pool rather large. Essentially, anyone who accessed the online store between May 12, 2015 and April 28, 2016 could have had their names, addresses, payment card numbers, card expiration dates and card security codes hacked.

However, investigations by internal and external professionals have concluded that login details were not compromised.

Acer has submitted a data breach notice to the California Attorney General’s Office.

“Safeguarding your personal information is important to us,” the company said. “We took immediate steps to remediate this security issue upon identifying it, and we are being assisted by outside cybersecurity experts. We value the trust you place in us. We regret this incident occurred, and we will be working hard to enhance our security.”

“Data breaches are becoming increasingly commonplace, with Acer to be the latest to suffer, but by no means does that mean they shouldn’t be taken seriously at all times,” said David Navin, head of corporate at Smoothwall, via email. “It is now not about if a breach occurs, but when. As a result, companies need to ensure that they have a robust security system in place in order to mitigate these risks and to safeguard their data should a breach occur.”

He added, “When it comes to payment details especially, customers are incredibly sensitive and businesses can lose the trust and faith of its customers, which as we have seen can have severe repercussions for the business. It is imperative that businesses take extra care to ensure that their customers’ details are protected and encrypted. Beginning with a firewall, encryption and good security software, if companies have those measures in place and continue to layer on top of that, then it will reduce the chances of a data breach or attack.”

He also pointed out that, since the majority of security breaches occur due to human error, instilling a strong security culture throughout the workforce is extremely important.

“Security needs to be taken seriously at all levels of the organization, to guarantee that all employees understand the risks of their actions and know the security processes in place should an incident occur to mitigate the risks,” he said.

Source: Information Security Magazine

DMARC.org Announces Supporter Program

DMARC.org has just announced a new Supporter Program for organizations who want to become involved in DMARC’s mission to expunge phishing and fraud, and can offer technical and/or financial support to assure DMARC adoption worldwide.

The need to overcome brand hijacking, phishing and fraud compelled many leading companies to participate in creating the DMARC standards for email security and anti-spoofing.

“Members of our new Supporter program bring fresh perspectives and abundant energy to our technical projects,” said Steven Jones, executive director, DMARC.org. “Their participation reflects the effectiveness of what we’ve done so far, and the opportunity we have to improve things further for email users everywhere by effectively addressing email fraud and abuse.”

The first DMARC supporters announced are SparkPost and ValiMail.

SparkPost’s cloud-based transactional email solution is designed specifically for developers, so they can build in the deliverability, scalability and speed of the world’s biggest senders of email.

Meanwhile, launched and funded in 2015, ValiMail offers a platform for managing the DNS records and keys that are components of email authentication.

“We applaud the efforts of the founding and Sponsor members for getting the DMARC standard to the state where widespread adoption is possible,” said Alex García-Tobar, co-founder and CEO of ValiMail. “ValiMail is proud to be joining this group of visionaries in the mission to bring about mainstream adoption of this important email authentication protocol.”

The program seeks organizations to make contributions and participate in technical projects, outreach, trainings, speaking events, media interviews and more.

“We’ve reached a point in the evolution of email and other messaging channels where the risks of not doing it ‘right’ are as great as the benefits realized when you do it right. DMARC.org and DMARC, the technology, represent a place where like-minded individuals can share ideas to make the Internet safer for everyone, and an immediate means of protecting their brands, customers, businesses and everyone in-between,” said Len Shneyder, SparkPost VP of industry relations.

Source: Information Security Magazine

UK Councils Targeted in Ransomware Scare

At least 30% of UK councils fell victim to ransomware attacks during 2015, a Freedom of Information (FoI) request has revealed.

The FoI request came from endpoint security company Avecto. It approached 46 UK councils about their experiences with ransomware. Nearly one-third (30%) said they had been a victim of ransomware in 2015. One council admitted to 13 different ransomware attacks.

Of those councils that were ransomware victims, 65% said they refused to pay a ransom, while the remaining 35% refused to reveal whether they had paid up or not. Avecto says this indicates that those councils had suffered some kind of data loss as a result of the attack.

While that figure of 30% may seem high, the actual number could be far higher. Of the 46 councils Avecto approached, nine withheld information and a further 14 failed to respond at all, making a true figure difficult to arrive at.

Paul Kenyon, co-founder and co-CEO at Avecto, described the statistics as “sobering.”

“Ransomware attacks are particularly attractive to cyber-criminals because they can be relatively cheap and easy to deploy, and even if a minority of targets pay up then the attack overall can be profitable. It’s estimated that 9515 users in the US alone are paying ransoms every month,” he added.

Ransomware is a growing threat to businesses across the globe. It accounted for 42% of all security incidents in 2015, and struck a wide variety of industries, from hospitals to big businesses to local councils.

In fact, Lincolnshire Council was hit with a ransomware attack in January this year that rendered its IT systems useless for several days, with staff forced to do their work with old fashioned pen and paper. The ransom demanded was thought to be around $500 in Bitcoin, but the council refused to pay.

Some victims do however pay up; The Hollywood Presbyterian Medical Center paid $17,000 after ransomware locked down its IT system and forced it to cancel patient operations. That case prompted US and Canadian authorities to issue official warnings about ransomware. This came just after the FBI issued a warning to companies to not pay any demands from ransomware.

Source: Information Security Magazine

Hackers Grab Details of 45 Million VerticalScope Forum Users

Another day, another report of millions of user credentials leaked online.

This time it seems the victim is a company called VerticalScope, a Canadian media company that runs a large number of websites and forums, including those on tech and sports such as Motorcycle.com, autoguide.com and techsupportforum.com.

According to LeakedSource, VerticalScope’s database was hacked in February this year, exposing the details of 45 million users across 1100 sites.

Details leaked include email addresses, usernames, IP addresses and passwords. According to LeakedSource, many of the passwords were salted and hashed with the MD5 algorithm, which is now widely regarded as insufficient because a single MD5 computation is cheap enough to brute-force at scale even when salted. Just a handful used a hashing scheme that can be considered difficult to crack.
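To make the point about salted MD5 concrete, the following added example (not code from LeakedSource, VerticalScope or Infosecurity Magazine) puts the legacy scheme beside a deliberately slow, salted key-derivation function (PBKDF2-HMAC-SHA256) and measures how many more guesses per second an offline attacker gets against the MD5 scheme. The sample password, the fixed salt and the iteration count are constructed values chosen for illustration; the iteration count is an assumption you should tune to your own hardware.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Tuple

# Constructed sample values; nothing here comes from the VerticalScope data.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256; tune per deployment


def salted_md5(password: str, salt: bytes) -> bytes:
    """The legacy scheme described in the article: one MD5 pass over salt || password.
    The salt defeats precomputed (rainbow) tables, but a single MD5 call is so cheap
    that per-user brute force stays practical."""
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """A slow, salted derivation: every guess costs `iterations` HMAC-SHA256 calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def new_credential(password: str, iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Generate a fresh random per-user salt and return (salt, hash) for storage."""
    salt = os.urandom(16)
    return salt, pbkdf2_hash(password, salt, iterations)


def verify(password: str, salt: bytes, stored: bytes, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute and compare in constant time so timing does not leak digest prefixes."""
    return hmac.compare_digest(pbkdf2_hash(password, salt, iterations), stored)


def guesses_per_second(hash_fn: Callable[[str, bytes], bytes], salt: bytes, seconds: float = 0.3) -> float:
    """Rough single-core throughput of hash_fn: how many candidate passwords this code can
    test per second. Dedicated cracking hardware is far faster in absolute terms; the ratio
    between the two schemes is what this measurement is for."""
    start = time.perf_counter()
    deadline = start + seconds
    count = 0
    while time.perf_counter() < deadline:
        hash_fn(f"guess-{count}", salt)  # constructed candidate, not a real wordlist
        count += 1
    return count / (time.perf_counter() - start)


def cost_ratio(iterations: int = 10_000) -> float:
    """How many times more expensive one PBKDF2 guess is than one salted-MD5 guess.
    A small iteration count keeps the measurement quick; production should use more."""
    md5_rate = guesses_per_second(salted_md5, SAMPLE_SALT)
    kdf_rate = guesses_per_second(lambda p, s: pbkdf2_hash(p, s, iterations), SAMPLE_SALT)
    return md5_rate / kdf_rate


if __name__ == "__main__":
    salt, stored = new_credential(SAMPLE_PASSWORD)
    print("correct password verifies:", verify(SAMPLE_PASSWORD, salt, stored))
    print("wrong password verifies:  ", verify("password123", salt, stored))
    print(f"one PBKDF2 guess (10k iterations) costs about {cost_ratio():.0f}x a salted-MD5 guess")
```

Two things to take from running it: the same password under two different salts yields two different digests in both schemes (the salt does its job against precomputed tables), but only the PBKDF2 variant makes each individual guess expensive, which is the property the article means by “difficult to crack.”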

“Given the massive scale of this breach, it is also likely that VerticalScope stored all of their data on interconnected or even the same servers as there is no other way to explain a theft on such a large scale,” LeakedSource added.

Many of the affected websites were running vBulletin forum software that dated back to 2007 and contained known vulnerabilities that were easy to exploit, ZDNet reported.

In an email sent to ZDNet, VerticalScope said it was investigating the reports, without directly confirming that a breach had taken place. “We are aware of the possible issue and our internal security team has been investigating and will be collecting information to provide to the appropriate law enforcement agencies,” said Jerry Orban, vice-president of corporate development.

He added that the company is reviewing its security policies.

Farshad Ghazi, global product manager at HPE Security – Data Security, suggested that basic security measures would help companies keep their customer data secure.

“End-to-end encryption, a key data-centric security technology, protects data at rest, in use and in motion – thereby minimizing any clear data exposure and ensuring attackers get nothing of value when they do penetrate systems,” he said. “The ability to render data useless if lost or stolen, through data-centric encryption, is an essential benefit to ensure data remains secure,” he added.

“As this attack points out, there is a clear need to protect personal information like name, full address, phone number and email address so that criminals can’t use the information to open bogus accounts, sell it for use in more targeted larger-scale spear-phishing, or even to steal identities,” Ghazi added.

Source: Information Security Magazine

Google Ups Android Bug Bounty Rewards

To mark the first anniversary of Google’s Android Security Rewards program the company has announced an increase in how much it will pay for vulnerability reports.

For what Google calls a “high-quality vulnerability report with proof of concept,” security researchers will see payments increase 33% from $3000 (£2100, €2700) to $4000 (£2800, €3500). A high-quality vulnerability report with a proof of concept, a CTS Test, or a patch will get 50% more, Google says.

The more complex the vulnerability, the higher the rewards. A remote or proximal kernel exploit will now net $30,000 (£21,000, €26,700) instead of $20,000, and the reward for discovering a remote exploit chain or exploits leading to TrustZone or Verified Boot compromise has risen from $30,000 to $50,000 (£35,000, €44,400).

Android Security Rewards was added to Google’s Vulnerability Rewards Program to focus specifically on exploits and vulnerabilities within Google’s mobile operating system. It was launched to help secure Google’s range of Nexus devices, such as smartphones and tablets.

Since its introduction a year ago, Google says the program has received over 250 qualifying vulnerability reports, with a total of $550,000 (£384,500, €489,000) being paid out to 82 different researchers. The top researcher received $75,750 (£53,000, €67,300).

Most of the reports concerned vulnerabilities within the Android Media Server; Google says it has used these reports to improve security for the upcoming Android N release. Google also points out that many of the bugs were found in code that isn’t unique to Android.

The Android mobile operating system has been repeatedly criticized for its lax security. While Google has recently taken steps to improve security by offering monthly updates, millions of users across the world remain at risk by using out-of-date versions of Android. A report this year put the figure at 90% of all Android users.

So while Google can find and fix vulnerabilities and push out patches to those users running the latest version on a Nexus device, many other users have to wait for their network provider and device manufacturer to push out the updates.

Source: Information Security Magazine

Anonymous Hacks ISIS Accounts to Post Gay Porn, Pro-LGBT Tweets

In the wake of the tragedy in Orlando, dozens of Twitter accounts created by Islamic State supporters have been hacked to display gay pride flags, supportive LGBT-friendly messages and even gay porn.

Replacing the violence and hate are messages like, “I’m gay and I’m proud,” which graces one pro-ISIS account.

“I did it for the lives lost in Orlando,” said one of the hackers responsible, with the handle WauchulaGhost. Affiliated with the hacktivist collective Anonymous, he or she told Newsweek: “Daesh [ISIS] have been spreading and praising the attack, so I thought I would defend those that were lost. The taking of innocent lives will not be tolerated.”

WauchulaGhost has been devoted to disrupting the hackers for months, hijacking 258 accounts and sending messages meant to confuse and worry them.

“I have actually used some of the jacked accounts to create confusion,” WauchulaGhost told The Huffington Post. “I will DM other followers and hold a conversation, then inform them I am not who they thought I was. … So now, they aren’t sure who is friend or foe.”

There are at least five other hackers focused on defacing the accounts, according to WauchulaGhost.

“Most have only done a few. I decided to take it on and hit it hard. Right now there is a friend that goes by @Yetti_001 who is taking some too,” the hacker said.

The attack in Orlando was the worst mass shooting in US history, with 49 innocent people killed and 53 wounded in a hate-fueled attack on a gay nightclub.

“If anyone is making a list of #Daesh accs that are tweeting the Orlando attack please send to me. I’m going after those accounts,” WauchulaGhost tweeted.

Source: Information Security Magazine

Companies Have Tweaked Security, Big IT Challenges Remain

More and more companies have altered their security approaches in response to changes in IT operations, such as relying on more cloud-based solutions or making wider use of mobile devices and apps.

According to a survey from CompTIA, the nonprofit association for the technology industry, nine in 10 IT professionals say security is of greater importance today to their companies than it was two years ago.

“Far more than half of all companies have adopted cloud computing and mobile devices,” noted Seth Robinson, senior director, technology analysis, CompTIA. “This suggests that many companies are embracing new technology solutions without taking the corresponding actions necessary to build a proper defense. This poses huge challenges for the IT security professionals tasked with security responsibilities.”

While some improvements in security have been noted, there remains a wide swath of companies that could improve their standing, along with those that may be over-estimating their readiness.

“Simply placing a higher priority on security may not lead to improved measures,” Robinson said. “Companies may not fully understand the nature of modern threats. It’s incumbent on the IT pros to adequately communicate the requirements for modern security; the potential cost of weak defenses; and the specific actions that should be taken.”

IT professionals tasked with keeping digital assets safe face a multitude of challenges. Just under half (47%) say there’s a belief within their company that existing security is “good enough.” For 43%, other technology needs take a higher priority than security. Four in 10 cite a lack of security metrics, while a slightly smaller percentage (37%) point to a lack of budget dedicated to security.

Challenges extend to finding qualified security workers at a time when the demand for security skills is increasing. For example, job postings in the category “Information Security Analysts” rose 175% between Q1 2012 and Q1 2015, according to the Bureau of Labor Statistics.

Within the cybersecurity workforce there are skills gaps to close, too. Among companies with skills gaps, 53% want to be more informed about current threats. About 40% feel that they need to improve their awareness of the regulatory environment.

“The use of technology has outpaced cybersecurity literacy, so there’s also a growing need for the overall workforce to improve their knowledge and awareness of security issues,” Robinson added.

Two-thirds of companies are engaged in security training for employees, making it the most popular option for building the right security skills within an organization. The study also found that 56% of firms will seek out IT security certifications for their technology staff.

Source: Information Security Magazine