
Archive for March 2017

Three-Quarters of Orgs Fear Insider Threats

Despite spending increases and investments in deterrence tactics and detection tools, nearly three-quarters (74%) of organizations feel vulnerable to insider threats, a significant 7% increase over last year.

“Ask any cybersecurity specialist to name the biggest security threat to an organization and they’ll tell you it’s people,” said Bryan Ware, CEO at Haystax Technology, which conducted the survey. Yet despite increased funding for insider threat programs, he added, the problem shows no signs of abating: “Training programs and network controls are important, but without analytics that produce actionable intelligence, organizations are often left in the dark until after an insider does damage.”

Mark James, security specialist at ESET, told Infosecurity in an interview that this is a critical point, given that insider threats can be very difficult to detect based on ordinary human observation.

“It’s very easy in the digital world to be duped, misled or just plain and simply scammed,” he said. “When someone stands in front of you and asks for something they know they are not entitled to or should not be asking for, their body language will often give that very fact away. It might be a slightly red face, a tell-tale sign or just the uneasy way they ask, but put a keyboard between you and them and all that disappears. If two people send the same email, one authorized and one not, asking for information in an email, you would be hard pressed to tell the difference based on letters and text. But we are expected to make those decisions often on a daily basis; most times we get it right, but sometimes we don’t. Sadly, it’s the latter that can make a difference; it’s something we have to do 100% of the time and the bad guys only need to be successful once.”

Nevertheless, Haystax found that although funding is increasing in tools to aid this process, inadequate resources are being allocated to some key components of insider threat mitigation, such as predictive risk analytics. Of the organizations that are investing in insider threat mitigation, 61% are focusing mostly on deterrence (e.g., access controls, encryption, policies, etc.) and 49% on detection (e.g., monitoring, intrusion detection systems, etc.)—while 35% employ forensics and analysis systems like security information and event management (SIEM) tools.

Most survey respondents (67%) indicate that because insiders already have credentialed access to their networks and services, they are much more difficult to detect and deter than external threats. But only 42% of organizations say they are regularly monitoring user behavior, while 21% do none at all.

The good news is that insider threat detection has improved, with 46% of respondents believing they could detect an attack within a day at most. What’s more, 68% are confident in their ability to recover from an attack in a week or less, up 20% over last year’s survey. However, three-fourths estimate remediation costs could be up to $500,000, with the other 25% believing costs could exceed that amount—and perhaps reach into the millions of dollars.

Source: Information Security Magazine

4bn Leaked Records, 10K New Vulns: 2016 Was a Massive Year for Cybercrime

2016: ‘Twas a banner year for cybercrime, as records breached increased 556% from 2015, with more than 4 billion records leaked in 2016. There were just 600 million compromised the year before.

That’s according to IBM’s 2017 X-Force Threat Intelligence Index, which also documented more than 10,000 software vulnerabilities in 2016—the highest single-year number in IBM X-Force’s 20-year history.  

The report also uncovered several macro-trends, including, notably, the rise of ransomware spread through spam. Spam was up 400% in 2016, with 44% of spam containing malicious attachments. A full 85% of these malicious attachments contained ransomware.

In a separate study last year, IBM Security found 70% of businesses impacted by ransomware paid over $10,000 to regain access to business data and systems. In the first three months of 2016, the FBI estimated cyber-criminals were paid a reported $209 million via ransomware. This would put criminals on pace to make nearly $1 billion from their use of the malware just last year.

Also, 2016 saw attackers targeting unstructured data. In past years, data breaches focused on a fixed set of structured information such as credit card data, passwords, national ID numbers, personal health information (PHI) data or key documents. In 2016, IBM saw a shift towards unstructured data—hundreds of gigabytes of email archives, documents, intellectual property and source code, even companies’ complete digital footprints—being exposed alongside the traditional structured data.

“Cyber-criminals continued to innovate in 2016 as we saw techniques like ransomware move from a nuisance to an epidemic,” said Caleb Barlow, vice president of threat intelligence, IBM Security. “While the volume of records compromised last year reached historic highs, we see this shift to unstructured data as a seminal moment. The value of structured data to cyber-criminals is beginning to wane as the supply outstrips the demand. Unstructured data is big-game hunting for hackers and we expect to see them monetize it this year in new ways.”

As far as the targets, these shifted a bit last year: Healthcare gave up the No 1 seed, losing out to financial services in terms of who was targeted the most. The healthcare industry continued to be beleaguered by a high number of incidents, although attackers focused on smaller targets, resulting in a lower number of leaked records. In 2016, only 12 million records were compromised in healthcare—keeping it out of the top five most-breached industries. For perspective, nearly 100 million healthcare records were compromised in 2015, so 2016 represents an 88% drop.

Interestingly though, data from the X-Force report shows financial services came in only third in compromised records. Top distinctions here went to information and communication services companies, which had 3.4 billion compromised records and 85 breaches/incidents. No 2 was government, which saw 398 million compromised records and 39 breaches/incidents—making these two segments the most vulnerable as they experienced the highest number of incidents and records breached in 2016. 

Source: Information Security Magazine

40% of ICS, Critical Infrastructure Targeted by Cyberattacks

Industrial control systems (ICS) and critical infrastructure are common targets for cybercrime, with almost 40% of them facing a cyber-attack at some point in the second half of last year.

According to Kaspersky Lab ICS research, the percentage of industrial computers under attack grew from 17% in July 2016 to more than 24% in December 2016. Every fourth targeted attack detected by Kaspersky Lab in 2016 was aimed at industrial targets.

The top three sources of infection were the internet, removable storage devices, and malicious email attachments and scripts embedded in the body of emails. The three countries with the highest share of attacked industrial computers were Vietnam (more than 66%), Algeria (over 65%) and Morocco (60%).

As the technology and corporate networks of industrial enterprises become increasingly integrated, more and more cyber-criminals are turning their attention to industrial enterprises as potential targets. By exploiting vulnerabilities in the networks and software used by these enterprises, attackers could steal information related to the production process or even bring down manufacturing operations, leading to technogenic disaster. About 75 vulnerabilities were revealed by Kaspersky Lab in 2016, and 58 of them were rated as maximum-criticality vulnerabilities.

“Our analysis shows us that blind faith in technology networks’ isolation from the Internet doesn’t work anymore,” said Evgeny Goncharov, head of Critical Infrastructure Defense Department, Kaspersky Lab. “The rise of cyber-threats to critical infrastructure indicates that ICS should be properly secured from malware both inside and outside the perimeter. It is also important to note that according to our observations, the attacks almost always start with the weakest link in any protection—people.”

Kaspersky Lab ICS CERT specialists looked into the cyber-threat landscape faced by ICS systems, and discovered that in the second half of 2016 malware downloads and access to phishing web-pages were blocked on more than 22% of industrial computers. This means that almost every fifth machine at least once faced the risk of infection or credential compromise via the internet.

The desktop computers of engineers and operators working directly with ICS do not usually have direct access to the internet due to the limitations of the technology network in which they are located. However, there are other users that have simultaneous access to the internet and ICS. According to Kaspersky Lab research, these computers—presumably used by system and network administrators, developers and integrators of industrial automation systems and third party contractors who connect to technology networks directly or remotely—can freely connect to the internet because they are not tied to only one industrial network with its inherent limitations.

Yet the internet is not the only thing that threatens the cybersecurity of ICS systems. The danger of infected removable storage devices was another threat spotted by the company’s researchers. During the period of research, 10.9% of computers with ICS software installed (or connected to those that have this software) showed traces of malware when a removable device was connected to them.

Malicious email attachments and scripts embedded in the body of emails were blocked on 8.1% of industrial computers, taking third place. In most cases, attackers use phishing emails to attract the user's attention and disguise malicious files. Malware was most often distributed in the format of office documents such as MS Office and PDF files. Using various techniques, the criminals made sure that people downloaded and ran malware on the industrial organization’s computers.

The research also found that malware which poses a significant threat to companies around the world is also dangerous to industrial enterprises. This includes spyware, backdoors, keyloggers, financial malware, ransomware, and wipers. These can completely paralyze the organization’s control over its ICS, or can be used for targeted attacks; the latter is possible because such malware has built-in functions that give an attacker extensive remote-control capabilities. About 20,000 different malware samples were revealed in industrial automation systems, belonging to over 2,000 different malware families.

Source: Information Security Magazine

Russian Hacker Pleads Guilty to Ebury Botnet Role

A Russian hacker has pleaded guilty to playing a major role in building the infamous Ebury botnet, which helped to fraudulently generate millions of dollars.

Maxim Senakh, 41, of Velikii Novgorod, pleaded guilty on Tuesday to conspiracy to violate the Computer Fraud and Abuse Act and to commit wire fraud.

Along with co-conspirators, Senakh is said to have helped develop the Ebury malware, which targeted the log-ins of servers running Solaris, Linux and similar Unix-like operating systems.

It’s a rootkit/backdoor Trojan designed to steal SSH log-in credentials from incoming and outgoing SSH connections.

The conspirators then combined these remotely controlled servers into a botnet, monetizing it via click fraud and spam campaigns, according to the Department of Justice.

The scams apparently compromised tens of thousands of servers around the world and earned Senakh and his co-conspirators millions of dollars in the process.

“As part of the plea, Senakh admitted that he supported the criminal enterprise by creating accounts with domain registrars which helped build the Ebury botnet infrastructure and personally profited from traffic generated by the Ebury botnet,” noted the DoJ.

The Ebury malware leaped to notoriety in 2011 when it was used to hack the Linux Kernel Organization and Linux Foundation.

Last year, a Florida computer programmer was arrested on suspicion of the crime. He’s said to have used the Ebury malware to harvest the credentials of administrators responsible for four targeted servers used to maintain and distribute the Linux operating system.

Senakh was indicted on 13 January 2015 and subsequently arrested by Finnish law enforcers, who agreed to extradite him to the United States. His sentencing is expected on 3 August.

The DoJ is lucky to have gotten hold of its man, given the breakdown in co-operation between US and Russian law enforcers and cybersecurity experts of late.

Reports have claimed that the recent arrests for treason of current and former FSB operatives – one of whom is a Kaspersky Lab research boss – were intended in part to send a clear message to those thinking of sharing sensitive information with the West.

Source: Information Security Magazine

Hong Kong’s 3.7 Million Voters Exposed in Massive Breach

Hong Kong might just have experienced its biggest ever data breach after the personal details of the Special Administrative Region (SAR)’s 3.7 million voters were stolen on two laptops.

The details are said to have included ID card numbers, addresses and mobile phone numbers.

They were stored on two laptops in a locked room at the AsiaWorld-Expo conference center near the airport.

The center is said to be the “back-up venue” for the region’s chief executive elections, which took place over the weekend.

The Registration and Electoral Office has reported the theft to police and told the South China Morning Post that the details of voters were encrypted – although it’s unclear how strong that encryption is.

It’s also unclear why the details of 3.7m voters were stored on the laptops when only an Election Committee of 1194 specially chosen business and political leaders is allowed to pick Hong Kong’s CEO.

The SAR’s privacy watchdog said in a statement that it is launching an investigation into the matter.

Over a three-year period from 2013 to 2016, the privacy commissioner’s office is said to have received 253 data breach notifications.

Eduard Meelhuysen, EMEA boss at Bitglass, argued that public sector breaches stand out as particularly concerning.

"Whether it’s the NHS or the Hong Kong Registration and Electoral Office, these organizations need to remember their duty of care, not to mention legal obligations, to protect citizens' and employees' data,” he said.

“This means not only keeping sensitive data encrypted, but also controlling where it goes using tools like access control and data leakage prevention. Is it really a business necessity to store the information of millions of citizens on a laptop?"

In a separate incident, a laptop was stolen from Queen Mary Hospital last year, containing the personal details of nearly 4000 patients.

Source: Information Security Magazine

Apple iPhone Users in Crosshairs of a Scareware Campaign

A scareware attack is targeting Apple iPhone and iPad users, “locking” their browsers unless they pay a ransom.

According to Lookout Inc., “the attack would block use of the Safari browser on iOS until the victim pays the attacker money in the form of an iTunes Gift Card. During the lockout, the attackers displayed threatening messaging in an attempt to scare and coerce victims into paying,” the firm explained in a blog.

The irony of course is that this is not an actual ransomware campaign—it’s just cleverly disguised as one.

“A knowledgeable user could restore functionality of Mobile Safari by clearing the browser’s cache via the iOS Settings—the attack doesn’t actually encrypt any data and hold it ransom,” Lookout noted. “Its purpose is to scare the victim into paying to unlock the browser before he realizes he doesn’t have to pay the ransom to recover data or access the browser.”

As such, the attack is contained within the app sandbox of the Safari browser; no exploit code was used in this campaign, the firm said.

As far as victim targeting, the group involved in this campaign purchased a large number of domains that try to catch users who are seeking controversial content on the internet, including pornography and some music-oriented sites. Each site would serve up a different message based on the country code identifier. Once a target is identified, the pop-up messages display an email address for the target to contact; these addresses appear to be country-specific and part of a wider phishing campaign.

Apple's iOS update yesterday addressed the issue, but users who have not yet updated their devices are still at risk. The computing giant closed the attack vector by changing how Mobile Safari handles website pop-up dialogs, making them per-tab rather than taking over the entire app, according to Lookout. 

Source: Information Security Magazine

AI, Machine Learning: Not Ready for Prime Time

Artificial intelligence (AI) and machine learning (ML) have been marketed as game-changing technologies amid the climbing number of breaches, increased prevalence of non-malware attacks and the waning efficacy of legacy antivirus (AV). Yet doubts still persist, especially when they’re used in silos. For now, it appears to be a fledgling space.

According to Carbon Black’s Behind the Hype report on the subject, nearly two-thirds (64%) of security researchers said they’ve seen an increase in non-malware attacks since the beginning of 2016; and, the vast majority (93%) of security researchers said non-malware attacks pose more of a business risk than commodity malware attacks.

This group of attacks includes remote logins (55%); WMI-based attacks (41%); in-memory attacks (39%); PowerShell-based attacks (34%); and attacks leveraging Office macros (31%).

Against this backdrop, two-thirds of security researchers said they were not confident that legacy AV could protect an organization from non-malware attacks, such as those seen in the recent WikiLeaks CIA data dump—opening the door for new approaches. Yet, three-quarters (74%) of researchers said AI-driven cybersecurity solutions are still flawed and 87% of security researchers said it will be longer than three years before they trust AI to lead cybersecurity decisions.

“AI technology can be useful in helping humans parse through significant amounts of data,” the report noted. “What once took days or weeks can be done by AI in a matter of minutes or hours. That’s certainly a good thing. A key element of AI to consider, though, is that it is programmed and trained by humans and, much like humans, can be defeated. AI-driven security will only work as well as it’s been taught to… While AI is being used to effectively highlight nonobvious relationships in data sets, it still appears to be in its nascent stages.”

As a result, only 13% of these researchers indicated they will look to implement AI-driven cybersecurity solutions at their organizations over the next three years.

On the ML front, 70% of security researchers said attackers can bypass ML-driven security technologies; and nearly one-third (30%) said it’s easy to do so.

“Any reasonable ML approach to endpoint security is going to face the problem of obtaining training data at scale. If you’re looking at files, you’ll need a lot of files,” Carbon Black noted. “If you’re looking at behavior, you’re going to need a lot of behavior. Unfortunately, obtaining many examples of real attacks as they happen isn’t always feasible.”

Carbon Black recommends that users assemble a massive body of baseline data, a torrent of detonation data, and statistics and comparisons among behaviors for validation.

“Collectively, these approaches will give you a powerful set of tools to generate patterns of malicious behavior,” the report said.

Bottom line? This is a nascent space. While AI- and ML-driven security solutions can be effective components of a cybersecurity program, they should not yet be relied upon as the sole protection.

“According to a majority of security researchers, cybersecurity will continue to be, at least for the next five years, a battle of human vs. human, where AI and ML can be used to augment and empower human reasoning, not replace it,” the report concluded.

Source: Information Security Magazine

Led by AdultFriendFinder, Breached Records Spike 86%

In case anyone doubted that data breaches are in full-court press mode, research from Gemalto has revealed that a full 1,792 data breaches led to almost 1.4 billion data records being compromised worldwide during 2016. Big events like the AdultFriendFinder breach contributed significantly to the spike.

That represents a whopping increase of 86% compared to 2015, according to Gemalto’s Breach Level Index. And further, more than 7 billion data records have been exposed since 2013 when the index began benchmarking publicly disclosed data breaches. That translates to over 3 million records compromised every day, or roughly 44 records every second.

Identity theft was the leading type of data breach in 2016, accounting for 59% of all data breaches and up by 5% from 2015. The second most prevalent type of breach in 2016 was account access-based breaches—these made up 54% of all breached records, which is an increase of 336% from the previous year. This highlights the shift in cyber-criminal focus from attacks on financial information to bigger databases with large volumes of personally identifiable information, Gemalto said in its report.

Another notable data point is the nuisance category, which increased 102% and accounted for 18% of all breached records; by that measure the category is up 1,474% since 2015.

“The Breach Level Index highlights four major cyber-criminal trends over the past year,” said Jason Hart, vice president and CTO for data protection at Gemalto. “Hackers are casting a wider net and are using easily-attainable account and identity information as a starting point for high-value targets. Clearly, fraudsters are also shifting from attacks targeted at financial organizations to infiltrating large databases such as entertainment and social media sites. Lastly, fraudsters have been using encryption to make breached data unreadable, then holding it for ransom and decrypting it once they are paid.”

Speaking of encryption, last year 4.2% of the total number of breach incidents involved data that had been encrypted in part or in full, compared to 4% in 2015. In some of these instances, the password was encrypted, but other information was left unencrypted. However, of the almost 1.4 billion records compromised, lost or stolen in 2016, only 6% were encrypted partially or in full (compared to 2% in 2015).

"Knowing exactly where their data resides and who has access to it will help enterprises outline security strategies based on data categories that make the most sense for their organizations,” Hart said. “Encryption and authentication are no longer ‘best practices’ but necessities. This is especially true with new and updated government mandates like the upcoming General Data Protection Regulation (GDPR) in Europe, US state-based and APAC country-based breach disclosure laws. But it’s also about protecting your business’ data integrity, so the right decisions can be made based on accurate information, therefore protecting your reputation and your profits.”

The Breach Level Index also measures the severity of breaches based on multiple dimensions, including the number of records compromised, the type of data, the source of the breach, how the data was used, and whether or not the data was encrypted. By assigning a severity score to each breach, the Breach Level Index provides a comparative list of breaches, distinguishing data breaches that are not serious from those that are truly impactful (scores run 1-10).

Last year, the account access-based attack on AdultFriendFinder exposing 400 million records scored a 10 in terms of severity on the Breach Level Index. Other notable breaches in 2016 included Fling (BLI: 9.8), Philippines' Commission on Elections (COMELEC) (BLI: 9.8), 17 Media (BLI: 9.7) and Dailymotion (BLI: 9.6). The top 10 breaches in terms of severity accounted for over half of all compromised records.

While Yahoo! reported two major data breaches involving 1.5 billion user accounts, these were not accounted for in the BLI’s 2016 numbers, since they occurred in 2013 and 2014. Also, 52% of the data breaches in 2016 did not disclose the number of compromised records at the time they were reported.

The report also found that malicious outsiders were the leading source of data breaches, accounting for 68%, up from 13% in 2015. The number of records breached in malicious outsider attacks increased by 286% from 2015. Hacktivist data breaches also increased in 2016 by 31%, but only account for 3% of all breaches that occurred last year.

Across industries, the technology sector had the largest increase in data breaches in 2016. Breaches rose 55%, but only accounted for 11% of all breaches last year. Almost 80% of the breaches in this sector were account access and identity theft related. They also represented 28% of compromised records in 2016, an increase of 278% from 2015.

The healthcare industry accounted for 28% of data breaches, rising 11% compared to 2015. However, the number of compromised data records in healthcare decreased by 75% since 2015. Education saw a 5% decrease in data breaches between 2015 and 2016 and a drop of 78% in compromised data records. Government accounted for 15% of all data breaches in 2016. However, the number of compromised data records increased 27% from 2015. Financial services companies accounted for 12% of all data breaches, a 23% decline compared to the previous year.

Source: Information Security Magazine

Apple Dials Up Encryption as Mobile Threats Soar

The monthly smartphone infection rate in the second half of 2016 jumped 83% from the first six months, with overall infections in mobile networks reaching an all-time high in October, according to new data from Nokia.

The infection rate in mobile networks – which includes Windows/PC systems connected by dongle and mobile IoT devices – rose “steadily” during the year to hit a new high of 1.35% in October.

The vast majority of infections (85%) discovered in mobile networks belonged to smartphones, with Android (81%) the main culprit, followed by Windows/PCs (15%) and 4% linked to iPhones and other mobile devices.

Nokia explained:

“Many people are surprised to find that Windows/PCs are responsible for a large portion of the malware infections detected when analyzing mobile network traffic. These Windows/PCs are connected to the mobile network using USB dongles and mobile Wi-Fi devices or simply tethered through smartphones. They are responsible for 15% of the malware infections observed. This is because these devices are still a popular target for professional cybercriminals who have a huge investment in the Windows malware ecosystem. However, as the smartphone becomes the more preferred platform for accessing the internet, cybercrime is clearly moving in that direction.”

The news comes as Apple issued its iOS 10.3 release, designed to fix a Safari-based scareware issue and more importantly roll out a whole new file system which will make encryption an even bigger part of devices.

First announced at the Worldwide Developers’ Conference last year, the Apple File System (APFS) will replace the decades-old Hierarchical File System (HFS).

Reports suggest it could help users save some disk space and speed up performance, but perhaps most controversially will support strong full disk encryption natively.

Users will be able to choose a maximum security “multi-key encryption with per-file keys for file data, and a separate key for sensitive metadata”.

As described by Apple: “Multi-key encryption ensures the integrity of user data even when its physical security is compromised."

This is sure to raise the hackles of law enforcers and politicians on both sides of the Atlantic but will please businesses and Apple users no end.

Only a few days ago home secretary Amber Rudd attacked tech firms like WhatsApp for allowing terrorists to hide their communications, and hinted that she would be looking to force some kind of compromise on encryption. That appears even more unlikely after this latest update.

Source: Information Security Magazine

LastPass Races to Fix Yet Another Serious Flaw

LastPass engineers have Google researcher Tavis Ormandy to thank yet again for another busy few days after the British white hat found a second critical bug in the password manager.

Ormandy tweeted over the weekend that he began ‘working’ on the research in an unusual location:

“Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way.”

On Monday, LastPass responded by explaining that the Google Project Zero man had reported a new client-side vulnerability in its browser extension.

“We are now actively addressing the vulnerability. This attack is unique and highly sophisticated,” it added.

“We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete.”

The firm offered a few steps that users could take to protect themselves from client-side security issues.

These include: launching sites directly from the LastPass vault; switching on two-factor authentication for any site that offers it; and staying constantly on the lookout for phishing attacks.

It’s the second vulnerability in a week that Ormandy has reported to LastPass.

Last week, the password manager firm was forced to fix a critical zero-day that would have allowed remote code execution, enabling an attacker to steal users’ passwords.

The prolific Ormandy also helped to make the firm more secure last year when he found “a bunch of obvious critical problems” in the service.

Yet he has also publicly appeared to query the logic of using an online service which, if breached, could give up its customers’ passwords.

One Twitter follower claimed at the time: “I'm perplexed anyone uses an online service to store passwords.” Ormandy responded: “Yeah, me too.”

Source: Information Security Magazine