Archive for November 2017

DDoS Attacks Nearly Double Since January

Organizations experienced an average of 237 DDoS attack attempts per month during the third quarter (equivalent to eight DDoS attack attempts every day), which represents a 35% increase in monthly attempts compared to the previous quarter, and a 91% increase in monthly attack attempts compared to Q1.

That’s according to the latest DDoS Trends and Analysis report from Corero Network Security. The attack rate, measured as DDoS attack attempts against Corero customers, is being driven by the growing availability of DDoS-for-hire services and the proliferation of unsecured internet of things (IoT) devices.

For example, the Reaper botnet is known to have already infected thousands of devices, and is believed to be particularly dangerous due to its ability to utilize known security flaws in the code of those insecure machines. Like a computer worm, it hacks into IoT devices and then hunts for new devices to infect in order to spread itself further.

“The growing availability of DDoS-for-hire services is causing an explosion of attacks, and puts anyone and everyone into the crosshairs,” said Ashley Stephenson, CEO at Corero. “These services have lowered the barriers to entry in terms of both technical competence and price, allowing anyone to systematically attack and attempt to take down a company for less than $100. Alongside this trend is an attacker arms race to infect vulnerable devices, effectively thwarting other attackers from commandeering the device. Cyber-criminals try to harness more and more internet-connected devices to build ever larger botnets. The potential scale and power of IoT botnets has the ability to create internet chaos and dire results for target victims.”

In addition to the frequency of attacks, the Corero data reveals that hackers are using sophisticated, quick-fire, multi-vector attacks against an organization’s security. A fifth of the DDoS attack attempts recorded by Corero during Q2 2017 used multiple attack vectors. These attacks utilize several techniques in the hope that one, or the combination of a few, can penetrate the target network’s security defenses.

Stephenson added, “Despite the industry fascination with large-scale, internet-crippling DDoS attacks, the reality is that they don’t represent the biggest threat posed by DDoS attacks today. Cyber-criminals have evolved their techniques from simple volumetric attacks to sophisticated multi-vector DDoS attacks. Often lasting just a few minutes, these quick-fire attacks evade security teams and can sometimes be accompanied by malware and other data exfiltration threats. We believe they are often used in conjunction with other cyber-attacks, and organizations that miss them do so at their peril.”

Corero also observed a return of ransom denial of service, or RDoS, in the third quarter. A widespread wave of ransom DDoS threats from hacker group Phantom Squad started in September, targeting companies throughout the US, Europe and Asia. The extortion campaign spanned a variety of industries—from banking and financial institutions, to hosting providers, online gaming services and SaaS organizations—and threatened to launch attacks unless a Bitcoin payment was made.

“Ransom is one of the oldest tricks in the cyber-criminal’s book, and with cryptocurrency, is an anonymous way for them to turn a profit,” said Stephenson. “As IoT botnets continue to rise, we may soon see hackers put on more dramatic RDoS displays to demonstrate the strength of their cyber firepower, so that their future demands for ransom will have to be taken more seriously. Paying the ransom is rarely the best defense, as it just encourages these demands to spread like wildfire. It is proven that with proper protection in place to automatically eliminate the DDoS threat, organizations will be in a much stronger position.”

Source: Information Security Magazine

GitHub Rolls Out Security Alerts for Developers

Popular software development platform GitHub made it easier last week for users to spot security issues with their code, by including a new vulnerability alerts feature.

The launch comes after an update last month which allows developers to track the projects their code depends on via a “dependency graph”, currently supported for JavaScript and Ruby.

“Today, for the over 75% of GitHub projects that have dependencies, we’re helping you do more than see those important projects,” announced GitHub director of product, Miju Han, in a blog post. “With your dependency graph enabled, we’ll now notify you when we detect a vulnerability in one of your dependencies and suggest known fixes from the GitHub community.”

The alerts will work whether the project is public or private, although for the latter, users will need to opt-in via repository settings or by allowing access in the dependency graph section of their repository’s Insights tab.

Following that, administrators will receive the security alerts by default, and can add other members of the team if desired.

Vulnerabilities that have been assigned a CVE number will be included, although Han pointed out that not all bugs do — even publicly disclosed ones.

“When we notify you about a potential vulnerability, we’ll highlight any dependencies that we recommend updating. If a known safe version exists, we’ll select one using machine learning and publicly available data, and include it in our suggestion,” she explained.

Security alerts currently work for Ruby and JavaScript projects, with Python support coming next year.

Back in September, malware was found in PyPI — the official repository for the popular programming language — and subsequently made its way into multiple software packages. This kind of supply chain attack is becoming increasingly popular and takes advantage of the fact that many developers fail to include security early on enough in the application life-cycle.

Source: Information Security Magazine

Mayor Urged to Halt “Intrusive” Met Facial Recognition Trials

The Greater London Authority (GLA) has expressed “significant concerns” about the use of facial recognition technology by the Metropolitan Police, calling on the London mayor to push for greater transparency and engagement.

GLA Oversight Committee chair, Len Duvall, wrote a lengthy letter to mayor Sadiq Khan last week around the handling of personal data.

In it, he complained that there had been little, if any, consultation with the public or relevant stakeholders before the Met used facial recognition tools during trials at events including the Notting Hill Carnival.

He wrote the following:

“We agree with the UK Biometrics Commissioner that the Met ‘must carry out a proper evaluation and publish the results’. You, as Mayor, and [Mayor’s Office for Policing and Crime] MOPAC, through its oversight role, need to push the Met to improve its engagement and transparency on issues such as facial recognition. This is a hugely controversial topic and it is extremely disappointing that trials have been conducted at the Notting Hill Carnival with so little public engagement. Simply putting out press releases is not enough: the Met must engage with the public and with stakeholders in a much more meaningful way before going any further.”

Part of the problem is that the Met is conducting its trials in the absence of a legal framework, argued Duvall — who called on Khan to lobby the government to publish its long-delayed biometrics strategy.

He said there’s a strong case for the trials to be halted until such a framework is developed, either nationally or by the MOPAC.

“The concept of policing by consent is potentially at risk if the Met deploys such intrusive technology without proper debate and in the absence of any clear legal guideline,” he said.

He also argued that the GLA should make it easier for the public to find out how long their personal data is retained for, because different bodies — including TfL and the Met — hold data for different periods of time.

Duvall warned that the biggest threat to Londoners’ data comes from internal risks.

“It is vital that appropriate training is in place across the GLA Group, and that staff carry out this training regularly to minimize the risk of an accidental data breach occurring,” he concluded.

The GLA includes the mayor and a group of 25 officials elected to hold the executive to account.

Source: Information Security Magazine

Skip Black Friday for a Safer Shopping Day: Gray Saturday

Annual sales on Black Friday and Cyber Monday offer incredible savings opportunities for consumers, but according to Kaspersky Lab these are also peak days for financial phishing attacks. Kaspersky Lab’s annual review of phishing attacks during the holiday sales season found that consumers are significantly safer on Gray Saturday, when the number of such attacks can decrease by as much as 33%, despite it being a top shopping day.

With US consumers expected to spend an average of $967.13 during the holiday season this year, cyber-criminals will be looking for ways to divert some of that money into their own wallets. Impersonating a retail brand through phishing attacks is one way that cyber-criminals can effectively target consumers during the holiday shopping season. Traditionally distributed by email, phishing attacks can also lure consumers through web links, ad banners, social media and more. These attacks aim to persuade people to provide their personal financial data, such as bank account information, credit card details or account passwords, under the assumption that they are dealing with the actual, reputable brand.

The day after Black Friday represents a rare moment of respite from cyber-criminals in an increasingly busy holiday shopping season. Kaspersky Lab research found evidence of a dip in financial phishing attacks on Gray Saturday in both 2015 and 2016. In 2016, there was a decline of 33% in the number of attacks mimicking popular online retail and payment brands on this day (from around 770,000 to 510,000 detections), despite it being the second biggest shopping day of the holiday season.

“The rise in people using online payments, banking and shopping means that financial phishing attacks are now consistently high all year round, but the holiday season makes it so much easier to hide in the noise,” said Nadezhda Demidova, lead web-content analyst, Kaspersky Lab. “At this time of year, marketing and advertising levels go through the roof, and with consumers increasingly making their transactions on mobile devices—often while out and about and in a hurry—almost everyone is more exposed and has less time to think and check. On Gray Saturday, we have seen the number of phishing attacks drop significantly. Weekends generally see lower numbers of attacks and fewer people online, but on this big shopping day that’s an extra advantage. We expect this trend from 2016 to continue in 2017, so if you plan on shopping online these holidays, choose the day wisely.”

Source: Information Security Magazine

Poor Security Habits Plague Large Enterprises

Despite being ripe targets for cybercriminals, most large enterprises lack control over employee data access and follow weak password practices.

According to Preempt’s survey of 200 management-level professionals at organizations with 1,000 employees, employees have more access than they should. A quarter (25%) of employees have tried to access data at work that they weren’t supposed to. Of those 25%, nearly 60% were successful at accessing that data.

“The prevalence of successful attempts to access off-limits data and resources is startling and should be a major concern for IT security teams,” the firm said in the report. “The data exposed can put a company and its employees at significant risk of damage to business operations and reputations. Businesses should be able to better assess employee risk factors which can change over the course of their employment. For IT security these results point to a growing need for being able to better understand how to assess trust and risk of employees.”

A large majority of workers also have poor security habits. One out of every three employees admits to having bent the rules or found a security workaround in order to get something done for work—with more than 10% of respondents having done so regularly or on multiple occasions.

In addition, nearly 41% of employees use the same password for both personal and work accounts, and 20% of employees are aware that their passwords were compromised in a breach. Even so, 56% claim they only changed their passwords for the account that was breached.

Meanwhile, more than a third of employees had no clue if their username or password was exposed in a public breach or not.

“This shows that many people either don’t care or don’t know how to find out if their username and passwords were compromised in a breach,” the report said. “If an employee is using the same password for personal and business accounts and it was exposed in a breach, the organization is at risk. The password is listed in a database known to hackers and could be used in a breach attempt. The 'weak' password puts the enterprise at risk until it is changed.”

Despite the bad behavior, when asked how they rate their personal IT security health awareness and maintenance compared to the rest of their colleagues, 41% rated themselves in the top 25% of their organization, and half rated themselves as in the 25-75% range. Only 9% admitted they were below average, in the bottom 25% of their organization.

“The results of the survey clearly show that employees don’t completely understand that their work habits and decisions put their organization (and themselves) at risk,” Preempt said. “Having overconfidence can lead to greater risks. When employees don’t understand that their behaviors and habits are risky, they aren’t likely to change them. This leaves the burden on IT security to pick up the slack. Gaining a better understanding of identity, behavior, and risk can help IT be more proactive at preventing threats, enforcing policies, securing access and finding areas to reduce risk.”

Source: Information Security Magazine

100% of Businesses Have Faced a Mobile Cyberattack

Mobile cyberattacks are hitting nearly every company, whether it’s mobile remote access trojans, data mining trojans, mobile adware or premium dialers.

According to Check Point’s survey of 850 organizations internationally, 100% of all businesses surveyed had experienced a mobile malware attack. The average number of mobile malware attacks experienced per company stands at 54, and 89% of enterprises also experienced at least one man-in-the-middle attack over a Wi-Fi network.

Enterprise mobility is also susceptible to attack on both major mobile platforms, Android and iOS, and three-quarters (75%) of the organizations surveyed had at least one jailbroken iOS device or rooted Android device connected to their corporate networks, with the average number of rooted or jailbroken devices being 35 per company.

Threats to mobile users are capable of compromising any device and accessing sensitive data at any time. These threats impact every type of business from financial services to government to manufacturing.

“The financial value and frequency of attacks on mobile devices exceeded that for PCs in 2017, which helps explain the findings of the report,” said Michael Shaulov, head of products for mobile and cloud security at Check Point. “Mobile devices are essentially the new ‘backdoor’ for cyber-criminals.”

Source: Information Security Magazine

Aussie Broadcaster Left Two Years of Back-ups Exposed

Australian broadcaster ABC has become the latest in a long line of companies to publicly expose highly sensitive corporate data because of misconfigured Amazon cloud databases.

Kromtech Security Center found at least two unsecured S3 buckets linked to ABC Commercial, containing 1800 daily MySQL backups dating back two years.

Also publicly exposed were several thousand emails, alongside logins and hashed passwords for ABC Commercial users.

The security firm also claimed it had access to “secret access key and login details for another repository, with advance video content”, as well as requests for licensed content sent by producers from across the globe to use ABC’s content and pay royalties.

“The publicly accessible Amazon S3 buckets were indexed by Censys (a public search engine that enables researchers to ask questions about the hosts and networks that compose the Internet) and identified during a regular security audit of misconfigured S3 environments on November 14,” explained Kromtech’s Bob Diachenko.

“It is unclear who else may have had access to ABC’s data or content. A majority of what would be considered sensitive or identifiable data came from the daily backups of ABC Commercial’s MySQL database.”

The incident should be seen as yet another cautionary tale for firms using Amazon S3. Kromtech and other security firms have discovered a large number of organizations from across the globe making the same mistakes.
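The ABC exposure above comes down to a bucket that anyone on the internet could read. The following is an added example, not code from the original article or from Kromtech: it parses the two documents that govern access to an S3 bucket, the bucket ACL and the bucket policy, in the JSON shapes returned by `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy`, and flags any grant or statement that opens the bucket to everyone. The bucket name, account ID and VPC endpoint ID in the sample documents are constructed.

```python
"""Offline S3 exposure check over ACL and bucket-policy JSON documents."""
import json

# Real AWS group URIs used in S3 ACL grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}


def acl_public_grants(acl):
    """Return (group, permission) pairs that grant access to everyone.
    AuthenticatedUsers means any AWS account at all, so it counts as public."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings


def _principal_is_anyone(principal):
    """Handle the three spellings of a wildcard principal: "*", {"AWS": "*"},
    and {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_public_statements(policy):
    """Return Allow statements whose Principal is anyone. Statements that carry
    a Condition are reported too, tagged conditional, because whether the
    condition really narrows access (e.g. to one VPC endpoint) needs review."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        findings.append({"sid": stmt.get("Sid", ""),
                         "actions": [actions] if isinstance(actions, str) else actions,
                         "conditional": "Condition" in stmt})
    return findings


def audit_bucket(acl_json, policy_json=None):
    """Run both checks on raw JSON strings. 'public' is True only for an
    unconditional exposure; conditional statements are left for a human."""
    acl_hits = acl_public_grants(json.loads(acl_json))
    policy_hits = policy_public_statements(json.loads(policy_json)) if policy_json else []
    return {"acl": acl_hits, "policy": policy_hits,
            "public": bool(acl_hits) or any(not h["conditional"] for h in policy_hits)}


# Constructed sample documents (not from the ABC incident).
_OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"}
EXPOSED_ACL = json.dumps({"Owner": {"ID": "example-owner"}, "Grants": [
    _OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]})
PRIVATE_ACL = json.dumps({"Owner": {"ID": "example-owner"}, "Grants": [_OWNER]})
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"}]})
RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OneAccount", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-backups/*"}]})
CONDITIONAL_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-backups/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}}]})

if __name__ == "__main__":
    for name, acl, pol in [("exposed", EXPOSED_ACL, EXPOSED_POLICY),
                           ("private", PRIVATE_ACL, RESTRICTED_POLICY),
                           ("conditional", PRIVATE_ACL, CONDITIONAL_POLICY)]:
        print(name, audit_bucket(acl, pol))
```

Note that `get-bucket-policy` wraps the policy as a JSON string under a "Policy" key, so pass that inner string to `audit_bucket`; a bucket with no policy makes the call fail, in which case pass only the ACL.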

In fact, just last week Kromtech Security Center discovered that US ride-hailing service Fasten had accidentally exposed details on one million customers for 48 hours.

Other organizations recently found wanting include Verizon, Time Warner, WWE, Dow Jones, the US Department of Defense and Tarte Cosmetics.

The latter was particularly dangerous, as cybercrime group CRU3LTY managed to get hold of the personal information on two million customers that was exposed through a database misconfiguration.

The group is said to have left a ransom note demanding 0.2 Bitcoin ($1193) to restore access to the data.

Source: Information Security Magazine

Fake Black Friday Apps Set to Cause Consumer Chaos

Security experts have discovered over 32,000 malicious 'Black Friday' themed apps spoofing the branding of the top five US online retailers in an attempt to harvest lucrative customer data and spread malware.

RiskIQ technology analyzed two billion daily HTTP requests, 20 million mobile apps and 300 million domain records to compile its Black Friday E-commerce Blacklist report.

It revealed that one in 25 Black Friday apps are fake, with at least 15 malicious Black Friday apps for each of the top five American e-commerce brands. The brands were anonymized in the report but a spokesperson confirmed to Infosecurity that they have a global reach.

With UK consumers alone set to spend £10bn this year during the Black Friday period next week, it’s no surprise that cyber-criminals have jumped on the busy time to drive revenue of their own.

The apps are said to trick shoppers into entering credit card information or Facebook and Gmail log-in details, or even to download information-stealing malware and ransomware.

RiskIQ claimed the malicious applications can even be found on official marketplaces such as Google Play and the Apple App Store.

The top-five e-commerce brands studied in the report have had more than 1450 Black Friday-related URLs blacklisted because they are linked to spam, malware, or phishing campaigns, according to RiskIQ.

The news comes in the same week experts warned retailers to be prepared for a spike in attempts to hide fraudulent transactions during the busy shopping period.

ThreatMetrix claimed there would be at least 50 million fraud attempts next week, with scammers looking to use identity data harvested from the steady stream of recent major breaches.

Domain Tools has also been warning UK consumers about potential scams ahead, with a third (29%) planning to shop during the Cyber Monday sales bonanza following Black Friday.

In a recent survey it revealed that one in five UK consumers had been caught out by an online scam.

Among the brands it claimed were most likely to be spoofed are Amazon (87%), Argos (46%) and Tesco (35%).

Source: Information Security Magazine

UK Faces Most Fraudulent Christmas Ever, Barclays Warns

Record levels of cybercrime coupled with the growth of festive e-commerce will result in the most fraudulent Christmas ever for online shoppers, according to new data from Barclays.

The banking giant has warned of a ‘perfect storm’ for seasonal online theft as consumers gear up to start spending ahead of the big day and scams become increasingly sophisticated.

Barclays said more than a quarter of online scams happen over the Christmas period and estimated that festive fraud will cost victims a total of £1.63bn (an average of £893 per individual hit). It will impact retailers too; online shops could be losing out on up to £72m worth of lost revenue.

What’s more, UK shoppers are failing to protect their data and stay safe online, with 38% of online consumers surveyed by Barclays admitting they either don’t know, or aren’t sure, how to identify a secure website when shopping online. Further, of those who had previously fallen victim to online fraud, less than a quarter said they checked for the padlock symbol in the address bar on the payment page or that the web address started with ‘https’.

“While families across the UK are preparing to enjoy the festive season, criminals are getting ready to pounce on anyone who lets their guard down,” said Samantha White, who leads Barclays’ work to keep customers safe from fraudsters. “Buying your gifts online may be more convenient, but with Christmas 2017 set to be the most fraudulent on record, online shoppers must be more vigilant than ever.”

Speaking to Infosecurity, Steve Durbin, managing director of the Information Security Forum, advised consumers to “stop and think” before they press the button when shopping online, and offered the following tips for staying safer this holiday season:

  • Never use a debit card – this opens up your entire bank account and you could end up losing the lot; it may take several weeks for your bank to investigate the case and refund the money
  • Make sure you’ve updated your security software before you start making your purchases and make sure both your firewall and anti-virus programs are working
  • Avoid clicking on emails from companies you have never heard of offering great deals, don’t follow their links and don’t download attachments unless you are 100% certain that they’re genuine. This is a well-used path for malware
  • Consider changing your passwords – identity thieves may steal user IDs and passwords from one website and use them to log into other sites
  • Regularly review your transactions – if you do notice suspicious transactions when reviewing your account statements or online activity, immediately call the number on the back of your card

“Finally, if you receive an email from your bank warning of unusual card activity never click on the email link,” he added. “Visit your bank’s website directly by typing in the URL and using the messaging system offered on the bank’s website.”

Source: Information Security Magazine

Cash Converters Hit by Suspected Data Breach

UK pawnbroker Cash Converters believes customer data may be in the hands of a malicious third party after a suspected breach of its old website.

The firm, which also issues payday loans, has sent an email informing customers of the incident and forced a reset of their passwords. It has apparently informed the relevant authorities in the UK and Australia, where it also operates.

“The current webshop site was independently and thoroughly security tested as part of its development process,” the firm reportedly said in its email. “We have no reason to believe it has any vulnerability, however additional testing is being completed to get assurance of this.”

User names, passwords and addresses may have been stolen as part of the breach, which affected account holders on the firm’s old “webshop”, retired in September.

However, one report from Australia quoting the company says it has:

“Received an email threat from a third party claiming to have gained unauthorized access to customer data within a Cash Converters’ United Kingdom website (‘Webshop’). The unidentified third party’s threat included the widespread release of the data unless it receives a financial payment.”

Javvad Malik, security advocate at AlienVault, argued the incident highlights the importance of advanced threat detection capabilities that can spot attack attempts early on.

“The problem with this scenario is that without having reliable logs, the victim doesn’t know if the criminals actually have the data they are claiming to possess — or indeed if they will stick to their word and not release it in the event of receiving payment,” he added.

James Romer, EMEA chief security architect at SecureAuth, warned that with password reuse rife, the incident could have wider repercussions for affected users.

“Given how frequently users repurpose passwords and email addresses for other services this could have wider repercussions. Any organization relying only on passwords and usernames as an authentication protocol is being fundamentally irresponsible,” he added.

“Even two-factor authentication isn’t sufficient as malware and basic phishing attacks can readily be used to extract the one-time-passwords from users and/or devices. Modern security depends on adaptive measures that keep hackers guessing.”

Source: Information Security Magazine