
Archive for February 2017

PCI Council Updates E-Commerce Guidance for Firms

Industry body the Payment Card Industry Security Standards Council (PCI SSC) has updated its best practice guidelines for securing e-commerce transactions, as more fraud migrates online.

The Best Practices for Securing E-commerce guidance replaces the previous PCI DSS E-commerce Guidelines, published back in 2013.

As such, there is new information for online merchants explaining SSL/TLS, how to select a certificate authority (CA), the different types of certificates available, and a list of questions merchants can ask service providers about digital certificates and encryption.

The PCI SSC has mandated, for example, that all online merchants use TLS 1.1 encryption or higher by June 2018.

There’s plenty of information on how to achieve PCI DSS validation and a chart showing the level of complexity for different types of implementation.

“Securing the e-commerce environment continues to be critically important. According to several sources, e-commerce sales almost hit $2 trillion globally in 2016 with double-digit growth forecasted for several years to come,” explained PCI CTO Troy Leach.

“We also know that fraud is moving to card-not-present (CNP) environments with the implementation and acceptance of EMV chip, making e-commerce merchants a prime target for criminal hackers. The Council is uniquely positioned to help merchants since we are aware of the changing threat landscape of e-commerce environments.”

Best practice tips from the PCI SSC include gaining visibility into the location of all data; eliminating any data that’s not needed; and security training for all staff.

Many smaller businesses will outsource payment acceptance to a third party, Leach claimed.

“Still, those merchants should be aware of how their e-commerce solution accepts payments, specific risks to their customer’s cardholder data and best practices that they or their service providers should be following to mitigate those risks,” he added. “That is what is intended by this guidance.”

Source: Information Security Magazine

Dutch Minister Ditches Election Software Over Hacking Fears

The Dutch government has decided to revert to manual vote counting and processing in the upcoming March parliamentary elections, in a bid to thwart any potential attempts by hackers to influence the result.

Interior minister Ronald Plasterk announced the decision on Wednesday after local reports claimed the software used for the past eight years is riddled with security holes.

RTL Nieuws enlisted the help of security expert Sijmen Ruwhof to analyze the voting system.

Voting machines have been banned in the Netherlands since 2009, with votes now cast on paper and counted by hand. However, the result was then typically entered into a computer program – Ondersteunende Software Verkiezingen (OSV) – which generated files containing the total votes cast in each district.

“If nobody questions the (digital) results of the election, no final paper audit is performed to see if the analog and digital vote count is the same,” explained Ruwhof.

“I immediately realized that this optional final paper audit forms a critical weakness in our current voting system (risk #1 critical). It means that our pencil-and-paper voting is basically security theater in its current implementation. Because when analog voting results are inserted into computers, which subsequently calculate the results, we are still, effectively, using electronic voting.”

After just a cursory inspection, the researcher was able to find more vulnerabilities in the system, including the fact that OSV can be installed on any machine – even ones running outdated operating systems such as Windows XP.

OSV stores results in an unencrypted XML file, and voting results are transferred via unencrypted USB sticks or unencrypted email over the internet.

In total, Ruwhof highlighted 25 potential vulnerabilities in the Dutch voting system, but there could be many more.

Like many European countries, the Netherlands is fearful of attempts to influence the outcome of its elections by the Russian government.

However, despite some reports, the Kremlin was actually focused not on hacking US election systems but on releasing sensitive political information in the run up to the presidential election, in a bid to change voting behavior and undermine the democratic process.

That’s not to say Kremlin agents wouldn’t try to hack voting machines in a country with a more homogeneous election system than the United States.

Source: Information Security Magazine

Cisco: UK Least "Security Mature" Nation

The UK is at the 'bottom of the pile' when it comes to security maturity, according to new findings from Cisco.

In its 2017 Annual Cybersecurity Report the firm quizzed 3000 chief security officers (CSOs) and security operations leaders from 13 countries, highlighting the difficulties that security leaders face as they attempt to match gains in the depth of their security infrastructure with the evolution of cybercrime, shifting breach modes and the increasing attack surface. Worryingly, Cisco ranked the UK lowest in terms of countries that are successfully finding this balance, given the strength of its digital infrastructure, with just 28% of companies judged to have ‘high’ security maturity.

CSOs polled in the report cited budget constraints, poor compatibility of systems and a lack of trained talent as the biggest barriers to advancing their security postures. What’s more, leaders also admitted that their security departments are increasingly complex environments with 65% of organizations using from six to more than 50 security products, increasing the potential for security effectiveness gaps.

These findings are particularly concerning when you take into consideration the business costs of suffering a cyber-incident; more than 50% of organizations said they faced public scrutiny after a breach, with 22% of companies losing customers, 29% losing revenue and 23% losing business opportunities as a result.

“This report offers ultimate proof that cybersecurity is a business concern, not an IT issue,” argued Duncan Tait, CEO Fujitsu EMEIA and Americas. “Breaches hit the bottom line and that should make security a C-suite topic.

“Moreover, despite the UK having a digitally diverse economy, the country has the lowest level of security maturity. This is a critical threat to businesses’ futures and I speak as a CEO when I say that, when it comes to prioritizing cybersecurity and putting in place the processes and plans to manage it, responsibility lies with the board. Businesses absolutely must shore up their cyber-defenses or risk becoming the latest high profile disaster.”

These sentiments were echoed by Darren Anstee, chief security technologist at Arbor Networks, who added that the goal of security is to reduce business risk, and that this is where its value can be demonstrated.

“To do this organizations need to implement metrics that allow them to quantify whether investments have a positive or negative effect on overall risk. Getting this part right can make it easier to get investment, and can help business to move the security of their organisations in the right direction.”

Source: Information Security Magazine

Dark Web Recruiters Target Insiders and Employees

The cyber-risk from insiders — employees and contractors who have valid access to enterprise networks, a la Edward Snowden — is on the rise, in part due to cybercriminals recruiting them to help steal data, make illegal trades or otherwise profit.

According to a report from RedOwl and IntSights, the recruitment of insiders within the Dark Web is active and growing, with forum discussions and insider outreach nearly doubling from 2015 to 2016.

Sophisticated threat actors use the Dark Web to find and engage insiders to help place malware behind an organization’s perimeter security. Insiders then use these underground forums to “cash out” on their services through insider trading and payment for stolen credit card information.

The puppet-masters are also able to arm insiders with the tools and knowledge necessary to help steal data and commit fraud, among other acts, and also to cover any tracks. In one instance, a hacker solicited bank insiders to plant malware directly onto the bank’s network. This approach significantly reduces the cost of action as the hacker doesn’t have to conduct phishing exercises and can raise success rates by bypassing many of the organization’s technical defenses (e.g. anti-virus or sandboxing).

The lures are significant. On one forum, the attacker explained the approach to a potential collaborator, indicating that he needs direct access to computers that access accounts and handle wire transfers, and that he offers to pay “7 figures on a weekly basis” for continued access.

What this means for businesses is that any insider with access to the internal network, regardless of technical capability or seniority, presents a risk. The report recommends that risk management teams should join the growing number of organizations that are actively building insider threat programs. Ironically, 80% of security initiatives today focus on perimeter defenses, while fewer than half of organizations budget for insider threat programs.

Another powerful lever that organizations have to mitigate the threat from insiders is culture.

“Enterprises should create, train and enforce consistent corporate security policies while protecting employee privacy,” the report recommends. “Ensuring that employees and contractors understand the rules—and penalties—of engaging in insider behavior carries tremendous impact.”

Also, treating insiders as a technology problem ignores the human aspects of motivation and behavior.

“Security teams must monitor employee behavior across a broad array of channels that identify suspicious employee activity, but also help understand negative employee sentiment,” the report added. “Building an effective insider threat program requires a robust security ecosystem built on a foundational capability to see across all employee activity and spotlight unwanted behavior while respecting employee privacy.”

Source: Information Security Magazine

'Password Reset with Facebook' Enters the Account Recovery Mix

Facebook has taken yet another step to make itself indispensable: It will now start to let its 1.79 billion users reset passwords for other websites using its platform. The option is available starting with GitHub.

The technology, which the social network calls “delegated account recovery,” functions much like the increasingly prevalent “login with Facebook” plugin now seen across websites as an alternative to creating site-specific credentials. In this case, if a user loses access to the phone number or security keys she uses at a third-party website, she can use her Facebook account to provide additional authentication as part of the recovery process.

Users will need to set up this method in advance by saving a recovery token with the Facebook account, which is encrypted so Facebook can't read personal information. If users need to recover their participating third-party accounts, they can re-authenticate to Facebook, which will then send the token back to the third party with a time-stamped counter-signature. It’s Facebook's assertion that the person recovering the account is the same who saved the token, which can be done without revealing who the user is.

“This is part of a larger story of industry investment and innovation around improving, and perhaps even replacing, the password,” said Brad Hill, security engineer at Facebook, in a post. “The truth is, technologies for login authentication like FIDO are only half of the story needed to keep accounts secure. The other half is account recovery—specifically, how do you regain access to your account if you lose your password, phone or security key? An email address alone can't provide the same level of two-factor authentication to recover access.”

The first site to sign onto the scheme is GitHub, a collaborative software development platform that hosts some of the most popular software in the world, including Facebook's own open source projects like React and osquery. GitHub maintains direct control of how it authenticates its users, how it assesses password strength and other risk signals, and how it deploys a diverse set of two-factor authentication methods.

“We're releasing this feature in a limited fashion with GitHub so we can get feedback from the security community, including participants in our bug bounty programs,” said Hill. “Not only will our implementation be immediately in-scope for our bounty programs, but Facebook and GitHub will jointly reward security issues reported against the specification itself, according to our impact criteria.”

Facebook would like to see more services adopt this account recovery design, and has published the protocol behind the feature on its open source site at GitHub. Both Facebook and GitHub plan to publish open source reference implementations of the protocol in various programming languages as well.

This is the latest in security moves for the internet giant. Last week, Facebook announced support for U2F Security Keys, to help keep accounts secure with a second-factor authentication feature called login approvals.

Source: Information Security Magazine

Crooks Raked in $16B via Identity Fraud Last Year

Identity theft and fraud has reached a new record, with the amount fraudsters took rising to $16 billion.

Javelin Strategy & Research’s 2017 Identity Fraud Study shows a significant increase in the number of people who fell victim to identity theft in 2016—a 16% year-over-year increase to 15.4 million victims, up from 13.1 million in 2015. This number, representing 6.15% of all consumers, is a record high since Javelin Strategy & Research began tracking identity fraud in 2003.

This translated into $1 billion more in fraudulent takings by the criminals as well.

The study found that despite the efforts of the industry, fraudsters successfully adapted to net two million more victims this year thanks to a resurgence in existing card fraud. That included an increase of 40% in card-not-present (CNP) fraud.

Driven by closing opportunities for point-of-sale fraud and the growth of e- and m-commerce, fraudsters are increasingly moving online, dramatically increasing the prevalence of CNP fraud by 40%. Meanwhile incidence of fraud at the point-of-sale (POS) remained essentially unchanged from 2014 and 2015 levels.

Account takeover bounced back too. After reaching a low point in 2014, both account takeover incidence and losses rose notably in 2016. Total ATO losses reached $2.3 billion, a 61% increase from 2015, while incidence rose 31%. Account takeover continues to be one of the most challenging fraud types for consumers with victims paying an average of $263 out-of-pocket costs and spending a total of 20.7 million hours to resolve it in 2016—that’s 6 million more than in 2015.

The study also found that the increase in EMV cards and terminals in the US became a catalyst for driving fraudsters to shift to fraudulently opening new accounts. At the same time, fraudsters have become better at evading detection, with new-account fraud (NAF) victims being notably more likely to discover fraud through review of their credit report (15%) or when they were contacted by a debt collector (13%).

“After five years of relatively small growth or even decreases in fraud, this year’s findings drive home that fraudsters never rest and when one area is closed, they adapt and find new approaches,” said Al Pascual, senior vice president, research director and head of fraud & security, Javelin Strategy & Research. “The rise of information available via data breaches is particularly troublesome for the industry and a boon for fraudsters. To successfully fight fraudsters, the industry needs to close security gaps and continue to improve, and consumers must be proactive too.”

On a positive note, while fraudsters are becoming better at evading detection, consumers with an online presence are getting better at detecting fraud quicker, leading to less stolen overall per attempt.

Data privacy expert Adam Levin, chairman and founder of CyberScout, told Infosecurity that the report is a “dramatic confirmation that the identity theft chickens have come home to roost.”

He noted a host of recent reports showing a spike in compromises in critical categories (ACI Worldwide shows a 31% increase in retail fraud attempts during the 2016 holiday season; Risk Based Security said there were over 4.2 billion records exposed in 2016 vs. previous record of 3.2 billion in 2013; and Identity Theft Resource Center/CyberScout found a 40% jump in number of data breaches in 2016).

“In 2017, consumers must become better informed as to the risks inherent in this dangerous digital world, be more alert to the signs of individual compromise and know what to do to contain and reverse the damage or take advantage of identity theft protection services offered by their insurers, employers or financial services firms,” Levin said.

Source: Information Security Magazine

Czech Government Emails Targeted in ‘State Sponsored’ Hack

A highly sophisticated cyber-attack likely to be state-sponsored has been discovered targeting the emails of Czech Foreign Ministry staff ahead of major elections in the country this year, it has been revealed.

Foreign minister Lubomir Zaoralek told the press on Tuesday that the hackers were not able to get hold of any classified information, and he played down the seriousness of the attack, although it is believed the intruders may have been inside government systems for some time.

Other local reports claim that the attackers managed to download emails from the minister and his deputy, in what they described as “the biggest security scandal of recent years.”

They also suggest that the hackers may have been looking for data on Czech allies – hence the focus on the Foreign Ministry.

Zaoralek said the cyber intrusion was similar to the one which compromised the Democratic National Committee (DNC) ahead of the presidential election, adding that it “was very sophisticated and probably carried out by a state-like actor,” according to the New York Times.

That attack has been linked by US intelligence agencies to the Kremlin, which will be the number one suspect in this raid, coming as it does ahead of major legislative elections in the Czech Republic in October.

It will never be clear exactly what effect on the voting intentions of the US public the damaging DNC leaks had, but it can’t have hindered president Trump’s chances of victory.

The allegations of Russian-sponsored hacking have lingered, especially after new evidence came to light that the Kremlin may have compromising information on the former reality TV star which could be used to blackmail him.

All of Europe seems to have eyes on the potential threat posed by Russian hackers ahead of big elections this year.

France will elect a new President in May, while Germany’s federal elections will be held in September and the Netherlands' in March.

A report from cyber intelligence firm ThreatConnect in December claimed president Putin has overseen a new strategy of “faketivism” – using invented hacktivist personas such as Guccifer 2.0 to leak sensitive info obtained by state hackers to the public.

James Romer, chief security architect at SecureAuth, argued that password-based authentication systems have made the job much easier for hackers.

“Organizations cannot rely on employees to remember numerous passwords in their active online lifestyles. Instead they need to be encouraging a move away from the current reliance on a single point of authentication,” he told Infosecurity.

Source: Information Security Magazine