
Archive for August 2016

ICO Fines Nursing Home Over Data Breach

The Information Commissioner’s Office (ICO) has fined a Northern Irish nursing home £15,000 for failing to adequately protect sensitive data.

The ICO’s report found “widespread systemic failings in data protection” at the time the breach took place at the Whitehead Nursing Group, based in County Antrim.

The breach occurred in August 2014 when an employee took home an unencrypted laptop belonging to the nursing home, which was subsequently stolen during a burglary. The theft was reported to police but the laptop has yet to be recovered.

The laptop contained personal details relating to 46 members of staff, including reasons for sickness absence, medical certificates and information about disciplinary matters. Sensitive personal information relating to 29 residents of the nursing home was also exposed, including name, date of birth, mental and physical health information and ‘do not attempt to resuscitate’ status.

The nursing home had no policies in place governing the use of encryption, and provided no guidance or training regarding security awareness for homeworkers or for using mobile devices such as laptops, the ICO’s report said.

Ken Macdonald, Head of ICO Regions, said: “This nursing home put its employees and residents at risk by failing to follow basic procedures to properly manage and look after the personal information in its care.”

“Our investigation revealed major flaws in the nursing home’s approach to data protection. Employees would have expected any details about disciplinary matters or their state of health to have been kept safe,” he added. “Likewise, residents would not have expected their confidential information to have been stored on an unprotected laptop and taken to an employee’s home. Whitehead Nursing Home had totally inadequate provisions for IT security and procedure and poor data protection training.”

The ICO added that a larger organization would expect to receive a bigger fine than Whitehead Nursing Home.

“Today’s fine shows we can and will act against any organisation we feel is not taking seriously its duty to look after the personal details it has been entrusted with. In a world where personal information is increasingly valuable, it is even more important to ensure the security of data is not overlooked,” Macdonald added.

Source: Information Security Magazine

Silicon Valley Giants Hit Back at MPs in Extremism Row

The technology industry has hit back at claims made by an influential parliamentary committee that it's failing to combat extremism propagated via online services.

The Home Affairs Select Committee said firms like Google, Facebook and Twitter must take more responsibility for policing their social networks.

“Networks like Facebook, Twitter and YouTube are the vehicle of choice in spreading propaganda and they have become the recruiting platforms for terrorism,” the committee concluded, according to the BBC.

“They must accept that the hundreds of millions in revenues generated from billions of people using their products needs to be accompanied by a greater sense of responsibility and ownership for the impact that extremist material on their sites is having.”

However, Charlotte Holloway, policy director at tech industry trade association techUK, argued that the report is inaccurate.

“As a number of companies made clear in their evidence to the committee, responsibilities to tackle online extremism are a serious and ongoing priority, backed by significant resources, a zero-tolerance approach, and decisive and fast action when needed,” she added.

“Tech companies work proactively to deal with online extremism daily, in constructive and proven partnerships with a wide range of policy-makers, the police and security agencies, and wider civil society bodies. Indeed, the vast majority of counter-terrorist operations would not succeed without the assistance and support of tech companies.”

In fact, Twitter claims to have shut down over 360,000 extremist accounts over the past year.

Also, Google’s most recent Transparency Report reveals the firm handed over data on users to the authorities in nearly two-thirds of cases in the second half of 2015.

It produced “some data” when requested in 72% of cases in the UK, far higher than the global average of 64%, hinting at a decent working relationship with the authorities.

Source: Information Security Magazine

Blizzard DDoS Blows World of Warcraft Dev Away

World of Warcraft developer Blizzard appears to have been hit by multiple DDoS attacks over the past couple of days, affecting its gaming customers.

The firm, which also produces first-person shooter game Overwatch, notified users via its Twitter feed of the DDoS blitz on Tuesday:

“We continue to actively monitor an ongoing DDOS attack against network providers, affecting latency/connections to our games.”

Several times over the succeeding day the firm posted updates claiming “the technical issues we were experiencing earlier have been resolved,” but then followed them with a new warning that it was monitoring an ongoing DDoS attack.

This hints that Blizzard suffered several waves of DDoS attacks – a common strategy to maximize impact.

A final update 11 hours ago at the time of writing claimed:

“We apologize once again for the inconvenience caused by today's outages, we're working to resolve this ASAP.”

The attacks came during the firm’s Overwatch Summer Games event, suggesting that it may have been the work of a rival looking to disrupt operations and damage Blizzard’s reputation, although that’s conjecture at this stage.

Ofer Gayer, senior security researcher at Imperva, explained that gaming businesses are a top target for DDoS-ers, having suffered some of the biggest and longest attacks on record.

“Mitigating DDoS on game servers is a particularly complex task,” he added.

“Gamers are very sensitive to the impact on latency, so what may be considered negligible for most services, can be very frustrating for the gaming community. This can be affected by multiple factors, most prominently the distribution of scrubbing locations and time-to-mitigate.”

Imperva research revealed a 100% increase in DDoS attacks between last year and this.

“In just the past three years, 45% of gaming sites were attacked, and 75% of them will get attacked again, as we’re seeing today,” argued Gayer.

Source: Information Security Magazine

Massive Data Leak Hits French Submarine Firm

Authorities in India are investigating a massive data leak that has exposed sensitive information relating to a fleet of new submarines being built for its navy by French company DCNS.

First revealed by The Australian, the leak exposed 22,000 pages detailing the secret capabilities of six Scorpene-class vessels currently in production. There is currently no confirmation about how the documents were exposed, whether it was a hack or an insider who leaked the information.

According to the Financial Times, DCNS confirmed the leak, calling it “a serious matter pertaining to the Indian Scorpene programme. French national authorities for defence security will formally investigate and determine the exact nature of the leaked documents.”

The leaked documents cover sensitive details such as specifications relating to the submarines’ combat and stealth capabilities, and magnetic, electromagnetic and infrared signature data.

Indian authorities are also investigating the issue. The Hindu newspaper said Indian Defence Minister Manohar Parrikar has called for an investigation, and blamed the incident on hackers. “I have asked the Navy Chief to investigate the matter and find what has been leaked and how much of it is about us,” he is quoted as saying. “What I understand is that there is hacking.”

The Indian Navy, meanwhile, has denied the leak came from within its own country. “A case of suspected leak of documents related to Scorpene submarines has been reported by a foreign media house,” its statement said. “The available information is being examined at Integrated Headquarters, Ministry of Defence (Navy) and an analysis is being carried out by the concerned specialists. It appears that the source of leak is from overseas and not in India.”

Australian interest in this case is understandably high, as the country recently awarded a contract to DCNS to build a new fleet of submarines. However, DCNS said its contract with Australia was for a different class of submarine, and any technical specifications contained in this leak do not relate to those vessels.

“The matters in connection to India have no bearing on the Australian submarine programme, which operates under the Australian government’s arrangements for the protection of sensitive data,” the DCNS statement said.

Speaking to Australian TV, prime minister Malcolm Turnbull added: “The submarine that we will be building with the French is called the Barracuda. It is a completely different submarine to the Scorpion they are building for India. But clearly, it is a reminder that, particularly in this digital world, cybersecurity is of critical importance.”

Source: Information Security Magazine

New York Times Targeted in Hack Attack

The Moscow branch of The New York Times was targeted in an attempted cyber attack, the newspaper has announced.

So far, however, there is no evidence that the hackers, thought to be working on behalf of Russian intelligence agencies, succeeded in accessing the NYT’s systems, according to the newspaper’s statement.

“We are constantly monitoring our systems with the latest available intelligence and tools,” said Eileen Murphy, a spokeswoman for The Times. “We have seen no evidence that any of our internal systems, including our systems in the Moscow bureau, have been breached or compromised.”

According to CNN, the hackers targeted reporters at the NYT and other publications over recent months. The FBI is now investigating the attacks and believes they were carried out by Russian hackers, or hackers working on behalf of Russian intelligence agencies. The motive behind the attack is not yet clear, nor is how many reporters were targeted.

This latest incident joins a long list of hacks thought to have been carried out by Russian intelligence agencies. CNN said this attack is part of, “a wave of cyber attacks, including against think-tanks in Washington, to gather intelligence from a broad array of non-governmental organizations with windows into the US political system.”

ABC News, meanwhile, said that the NYT attack was “probably” carried out by the same group that recently hit the Democratic National Committee (DNC), accessing the opposition research the organization had gathered on Republican presidential candidate Donald Trump. Also leaked were damaging emails which showed Democratic officials favoring Hillary Clinton over Bernie Sanders in the race for the Democratic presidential nomination.

The emails were released by WikiLeaks, although the whistleblowing website refused to say whether Russia had provided the emails. US officials said there was “strong evidence” that Russia was behind the DNC hack, according to CNN.

Source: Information Security Magazine

Ransomware, BEC Threats Surge in 2016

The first half of 2016 has seen a huge rise in ransomware and business email compromise (BEC) attacks, according to new figures from Trend Micro.

Trend Micro’s TrendLabs report into cybersecurity threats revealed that the number of new ransomware families detected in the first half of 2016 has already eclipsed the total 2015 volume by 172%. This makes ransomware a “prevalent and pervasive threat,” the report said.

Some of the new ransomware families picked up by Trend Micro featured new propagation and extortion techniques. One, called Jigsaw, deleted files if the ransom hadn’t been paid by the deadline, while another, called Surprise, increased the ransom when the deadline was missed. Ransomware called Powerware was designed to encrypt tax return files, according to Trend Micro.

In total, Trend Micro said it identified 79 new ransomware families during the first half of 2016. Ransomware cost enterprises $209 million (£160 million) across that six-month period.

“Ransomware is capable of crippling organizations who face it, and the cyber-criminals spearheading these attacks are creatively evolving on a continuous basis to keep enterprises guessing,” said Raimund Genes, chief technology officer for Trend Micro. “It has dominated the threat landscape so far in 2016, causing immense losses to businesses across multiple industries.”

Another rising threat to enterprises is business email compromise (BEC), sometimes called CEO fraud or whaling. Criminals send socially engineered emails to employees at target organizations, often impersonating a legitimate contact such as the CEO and requesting an urgent payment; the unsuspecting employee then authorizes the transfer. Because the message carries no malware or malicious link, it passes through filters that look only for those.

Trend Micro has detected BEC attacks in the US, the UK, Hong Kong, Japan and Brazil, and the FBI estimates that BEC has caused losses of $3 billion (£2.3 billion). During the first half of 2016 BEC attacks targeted CFOs more than any other position, Trend Micro said.
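Because a BEC message carries no payload, the useful signals are in its headers. The following is an added example, not code from Trend Micro or from the report: a header-only check for the CEO-impersonation pattern described above (executive display name on an external address, a Reply-To that diverts responses elsewhere, and a look-alike sending domain). The domain example.com, the executive name and both sample messages are constructed for illustration.

```python
"""Added example: header checks for CEO-impersonation (BEC) mail.
Not from Trend Micro; domain, names and messages are constructed."""
import email
from email import policy
from email.utils import parseaddr

# Constructed: the organisation's own mail domain and its executives'
# display names (a real deployment would pull these from the directory).
OUR_DOMAIN = "example.com"
EXEC_NAMES = {"jane doe"}

# Constructed sample: impersonated CEO, look-alike domain, diverted replies.
SAMPLE_FRAUD = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.urgent@webmail.example
To: cfo@example.com
Subject: Urgent wire transfer

Please process the attached invoice today. I am in meetings, do not call."""

# Constructed sample: the same executive writing from the real domain.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Q3 numbers

Draft attached, comments welcome."""


def _edit_distance(a, b):
    """Levenshtein distance; used to spot one-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lookalike(candidate, ours):
    """True when the sender domain's first label is ours or one edit away
    (example.co, examp1e.com). Exact match is not a look-alike."""
    if candidate == ours:
        return False
    cand_label, our_label = candidate.split(".")[0], ours.split(".")[0]
    return cand_label == our_label or _edit_distance(cand_label, our_label) <= 1


def bec_indicators(raw_message):
    """Return the list of header-level reasons a message looks like CEO fraud.
    An empty list means none of the three checks fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    reasons = []

    # 1. Executive's name as display name, but the address is not ours.
    if from_name.strip().lower() in EXEC_NAMES and from_domain != OUR_DOMAIN:
        reasons.append("executive display name '%s' on external domain %s"
                       % (from_name, from_domain))
    # 2. Replies are steered to an address other than the visible sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        reasons.append("Reply-To %s differs from From %s" % (reply_addr, from_addr))
    # 3. Sending domain imitates ours.
    if from_domain and _lookalike(from_domain, OUR_DOMAIN):
        reasons.append("look-alike domain %s" % from_domain)
    return reasons


if __name__ == "__main__":
    for label, sample in (("fraud", SAMPLE_FRAUD), ("legit", SAMPLE_LEGIT)):
        print(label, bec_indicators(sample))
```

These checks are cheap and catch the common display-name and look-alike cases, but they are header heuristics only; a message sent from a genuinely compromised executive mailbox triggers none of them, which is why payment-authorization procedures still need an out-of-band confirmation step.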

Adobe’s Flash continues to be a nightmare for security teams and a paradise for cyber-criminals—Trend Micro found 28 new vulnerabilities in Flash. The IoT is also proving to be a security headache as 108 vulnerabilities were discovered in Advantech’s Web Access.

“While it’s unfortunate for us, cybercriminals are resilient and flexible when it comes to altering an attack method each time we find a patch or solution,” said Ed Cabrera, chief cybersecurity officer for Trend Micro.

“This creates massive problems for enterprises and individuals alike since the threats change as often as solutions are provided. It bodes well for businesses to anticipate being targeted and to prepare accordingly, implementing the latest security solutions, virtual patching and employee education to mitigate risks from all angles,” Cabrera added.

Source: Information Security Magazine

Ashley Madison Failed on Authentication and Data Security

Ashley Madison failed to deliver security measures on user details and featured a phoney security certification on its homepage.

An investigation into the dating website found that it displayed a fabricated security trustmark and that its parent, Avid Life Media (ALM), had inadequate security safeguards and policies. As a result the company violated privacy laws in both Canada and Australia, and the two countries’ commissioners have issued a number of recommendations aimed at bringing it into compliance.

The investigation was conducted jointly by the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner, and examined compliance with both the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law and Australia’s Privacy Act.

It found that authentication for employees accessing the company’s systems remotely was inadequate; that encryption keys were stored as plain, clearly identifiable text; and that the ‘shared secret’ for its remote access server was kept on the ALM Google Drive, meaning anyone with access to any ALM employee’s drive on any computer could potentially have discovered it. Passwords were also found stored as plain, clearly identifiable text in emails and text files on the company’s systems.
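Each of those findings is a secret sitting where a text search will find it, which is also how a defender can find them first. The following is an added example, not code from the investigation or from ALM: a small scanner that flags the kinds of plaintext material the commissioners describe (private key blocks, password assignments, a labelled shared secret, and long high-entropy tokens such as API keys). The file names and contents are constructed samples, not ALM data, and the entropy threshold is a chosen illustrative value.

```python
"""Added example: scan text for plaintext secrets of the kinds found at ALM.
Not from the investigation; all sample files below are constructed."""
import math
import re

# Constructed sample "files": path -> contents. The token in app.ini is the
# SHA-256 of the word "test", used here only as a realistic-looking secret.
SAMPLE_FILES = {
    "notes/vpn-setup.txt": "RADIUS shared secret for the VPN concentrator: s3cr3tSharedKey2014\n",
    "mail/export.txt": "Subject: new creds\npassword=Summer2015!\n",
    "keys/backup.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
    "config/app.ini": "api_token = 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\n",
    "docs/readme.txt": "Deploy steps: run the installer and reboot.\n",
}

# Literal patterns for the findings named in the report.
PATTERNS = [
    ("private key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("password assignment", re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*\S+")),
    ("shared secret", re.compile(r"(?i)shared\s+secret\b[^\n]*[:=]\s*\S+")),
]

# Long base64/hex-looking tokens are judged by entropy rather than by name.
TOKEN_RX = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; illustrative, tune per corpus


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(files):
    """Return (path, line_number, kind) for every suspicious line in files.
    files maps a path to its text; on disk you would read each file instead."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, rx in PATTERNS:
                if rx.search(line):
                    findings.append((path, lineno, kind))
            for tok in TOKEN_RX.findall(line):
                if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                    findings.append((path, lineno, "high-entropy token"))
    return findings


if __name__ == "__main__":
    for path, lineno, kind in scan(SAMPLE_FILES):
        print("%s:%d: %s" % (path, lineno, kind))
```

The literal patterns are the reliable part; the entropy check catches unlabelled keys but also fires on hashes and compressed data, so its hits need a human look. Run something like this over shared drives, mailbox exports and code repositories, then move anything it finds into a secrets manager rather than just deleting the copy you found.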

The company was also “inappropriately” retaining some personal information after profiles had been deactivated or deleted by users, the investigation found, while the company also failed to adequately ensure the accuracy of customer email addresses it held, which resulted in the email addresses of people who had never actually signed up for Ashley Madison being included in the databases published online following the breach.

The trustmark suggested that it had won a “trusted security award”, but ALM officials later admitted the trustmark was their own fabrication and removed it.

Daniel Therrien, Canadian privacy commissioner, said that the company’s use of a fictitious security trustmark meant individuals’ consent “was improperly obtained”.

“Where data is highly sensitive and attractive to criminals, the risk is even greater,” he said. “Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable. This is an important lesson all organizations can draw from the investigation.”

Security consultant Dr Jessica Barker told Infosecurity in an email that the use of “fake icons”, which may encourage people to think a site is safe, was concerning.

She said: “Many people don't know a great deal about internet security or the legal requirements, and how to check the extent to which an organization takes cybersecurity seriously, and will put appropriate measures in place to safeguard personal and financial information.”

“Although my research suggests that people are worried about cybersecurity, many people are also very trusting of websites and on seeing icons which suggest a site is safe they will, quite understandably, take that at face-value.”

Jon Christiansen, senior security consultant at Context Information Security, said that putting up fake icons to proclaim security levels that the company doesn’t possess is nothing new, as given the cost of the certification process, the low likelihood of passing first time and the seemingly limited consequences if discovered, it isn’t hard to see why businesses think they can just take the shortcut of copying the icon.

He told Infosecurity: “As there is no way to verify the legitimacy of it, normal users have no choice but to trust it. Another area where it is used is in phishing campaigns. When people are tricked into visiting a malicious website, their overall suspicion level can be lowered by plastering the site with icons showing PCI DSS compliance logos, the green SSL padlock icon or similar. People have come to expect these from the genuine sites that they visit.”

The UK Information Commissioner’s Office (ICO) announced in 2013 that it had written to eHarmony, match.com, Cupid and Global Personals and the industry trade body, the Association of British Introduction Agencies, over concerns about handling personal data. A request for comment had not been responded to at the time of publishing.

Barker added: “Although many sites, especially dating sites, can hold very personal and sensitive information on individuals, the penalties for a breach of such information have not tended to be particularly harsh. Reputational damage is the biggest concern for most organizations in relation to a data breach or cyber-attack. This may change to some extent under GDPR, with the potential for much harsher penalties."

“However, people can also have an impact by 'voting with their feet' and demanding that companies take security and privacy seriously. If a breach doesn't impact an organization's bottom line then unfortunately, many organizations will interpret that as meaning it's not a concern to their customers and so not something they need to prioritize.”

Christiansen said: “It isn’t just dating websites that need more stringent tests, though their access to personal info is of course greater than many sites. It should be a broader process, because if the icons are to mean anything at all, the issuers need to have a better way of checking if a website is – or isn’t – part of their list of compliant sites. This could potentially be implemented via a ‘Check a site’ feature on their website that people can use to verify sites before using them.”

ALM cooperated with the investigation and agreed to demonstrate its commitment to addressing privacy concerns by entering into a compliance agreement with the Canadian Commissioner and enforceable undertaking with the Australian Commissioner, making the recommendations enforceable in court. In July ALM announced that it was rebranding to be called Ruby Life.

Source: Information Security Magazine

Gamers Warned After Grand Theft Auto Forum is Hacked

Grand Theft Auto fans have become the latest to be targeted by hackers after the personal details of an estimated 200,000 gamers were discovered being traded online.

Fan site GTAGaming admitted in a post yesterday that its forum database had been compromised and email addresses, hashed passwords and “any other details you may have saved in your profile” could be in the hands of the hackers.

The site admin is now forcing a password reset and urged all users to change any credentials on sites which they share the same password with.

The site is just the latest compromise in recent weeks involving the under-fire forum software vBulletin.

In July an SQL injection flaw led to a security breach on the Ubuntu Forums site. Then just weeks ago Disney was forced to notify users of its Playdom Forum that hackers had breached the site.

What's more, this week, Epic Games revealed sensitive information on over 800,000 user accounts had been stolen after a forum breach.

Have I Been Pwned site owner Troy Hunt claimed that administrators have been slow to patch vBulletin, leading to the problems.

“When GTAGaming was hacked, they were two major releases behind the current generation and four and a half years behind in their patches for the major version they were running. And this is the real story with vBulletin – installations going unloved,” he argued in a blog post.

“When you look at the history of vBulletin sites being hacked, it's rarely zero-day vulnerabilities so we're usually not looking at an attack and saying ‘Wow, we've never seen that before!’.”

GTAGaming has now closed the forums permanently and said it will delete any accounts not updated within the next couple of weeks from its database.

Deepak Patel, director of security strategy at Imperva, recommended firms install a web application firewall to filter out SQLi and other online threats.

“WAF typically relies on a large, and constantly updated, list of meticulously crafted signatures that allow it to surgically weed out malicious SQL queries,” he added.

“Usually, such a list holds signatures to address specific attack vectors, and is regularly patched to introduce blocking rules for newly discovered vulnerabilities.”
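The two defences in play here are of different kinds: a signature list at the edge, and code that does not build SQL from user input. The following is an added example, not code from vBulletin, GTAGaming or Imperva: the string-concatenation pattern behind an injection, the parameterised query that removes it, and a toy signature filter of the sort a WAF applies to request parameters, including an input that slips past the signatures but not past the parameterised query. The table, rows and signatures are constructed in an in-memory SQLite database.

```python
"""Added example: SQL injection, the parameterised fix, and a toy WAF.
Not code from any of the products named on the page; data is constructed."""
import re
import sqlite3


def make_db():
    """Constructed users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "hash-a"), (2, "bob", "hash-b")])
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the input is spliced into the SQL text, so a
    quote in the input changes the statement's structure."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Parameterised: the value travels separately from the statement and is
    only ever compared, never parsed as SQL."""
    return [row[0] for row in
            conn.execute("SELECT username FROM users WHERE username = ?", (username,))]


# Toy signature list in the style of a WAF ruleset (constructed, not Imperva's).
SQLI_SIGNATURES = [
    re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+"),   # ' OR '1'='1
    re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b"),   # UNION SELECT
    re.compile(r"(?i)--\s*$|/\*.*\*/|;\s*drop\b"),      # comments, stacked DROP
]


def waf_blocks(value):
    """True when any signature matches the parameter value."""
    return any(rx.search(value) for rx in SQLI_SIGNATURES)


if __name__ == "__main__":
    conn = make_db()
    for probe in ("alice", "x' OR '1'='1", "x' OR 'a'='a"):
        print("%-14r waf=%s vulnerable=%s safe=%s" % (
            probe, waf_blocks(probe),
            lookup_vulnerable(conn, probe), lookup_safe(conn, probe)))
```

The third probe, `x' OR 'a'='a`, is the point of the exercise: it returns every row from the concatenated query and is not caught by a digit-only tautology signature, which is exactly why Patel describes the signature list as needing constant patching. The parameterised lookup returns nothing for it without any rule change. A WAF is worth having in front of third-party forum software you cannot fix yourself, but it is a compensating control for the unpatched install Hunt describes, not a substitute for patching it.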

Source: Information Security Magazine

Q2 Global Fraud Jumps 50% From 2015

Fraud prevention firm ThreatMetrix claims to have stopped 112 million attacks globally in Q2 2016, a 50% increase on the same period a year ago, highlighting the industrial-scale nature of online fraud today.

The vendor’s Cybercrime Report for the period claimed the continued occurrence of major data breaches is feeding an insatiable appetite for global fraud.

These compromised identities are often tested online to ensure they still work, before being used to try and defraud companies and individuals out of money.

ThreatMetrix said that an increasingly popular way of performing this testing is to register new accounts on media and social platforms using the stolen credentials and post fake reviews and other user-generated content (UGC).

“While there is no direct victim of malicious or false content, the impact is extensive,” argued Vanita Pandey, vice-president of strategy and product marketing at ThreatMetrix.

“Over the last few months we’ve seen and stopped millions of compromised identities being tested each day by cyber-criminals and bots mimicking the behavior of trusted customers.”

Nearly one in four media transactions were rejected by the vendor in Q2 ahead of the summer holiday season – a 92% increase on the 2015 figures.

In total, fraudulent new account registrations jumped 350% year-on-year in Q2, with bots increasingly used to help automate campaigns and evade traditional fraud sensors.

There was a 50% rise in bot attacks to 450 million detected and blocked by ThreatMetrix this quarter.

There’s also a trend towards mobile transactions, which can also offer the fraudsters opportunities, the firm claimed.

Mobile transactions are growing at a rate of 200% year-on-year, accounting for 58% of the total transactions in the UK – far higher than the global average of 40%.

Unsurprisingly, the UK is the top European attack destination, according to ThreatMetrix.

Source: Information Security Magazine

Malicious QuadRooter Apps Discovered in Google Play Store

The recent disclosure of a set of vulnerabilities in the Android operating system that could potentially put over 900 million devices at risk may have been patched, but its threat remains.

The QuadRooter flaws, discovered by Check Point, could give an attacker complete control of an Android device. They lie in software drivers shipped with Qualcomm chipsets, which are used in smartphones and tablets made by Blackberry, LG, Google and others, putting up to 900 million devices at risk. The set was dubbed QuadRooter because it consists of four related flaws, any of which can be used to gain root privileges on the phone, the Guardian said.

Patches to fix the flaw were made available quickly, and Check Point released an app called QuadRooter Scanner on the Google Play store which checked whether a device was at risk.

However, new research has revealed that QuadRooter’s threat is still alive. Researchers at RiskIQ have found a number of malicious apps available for download on various app stores that claim to offer a fix for the flaw, but of course do nothing of the sort.

One of these, called Fix Patch QuadRooter by KiwiApps Ltd was found in the official Google Play store. Although it was removed from there it popped up in a number of unofficial app stores, along with a number of others. In total, 27 malicious apps related to QuadRooter have so far been found.

These have been found available for download in the official Google Play store, as well as others such as BingAPK, SameAPK, AppBrain, and AppChina. All these unofficial sources carry big risks to users and their devices.

These unofficial, third-party app stores are a dangerous place; a lack of quality control means many applications are malicious, containing malware that can steal personal data. While these app stores may seem convenient for users, especially in countries where official apps may not be available, users should stick with the official Google Play Store wherever possible.

Source: Information Security Magazine