
Archive for the News Category

Pornhub Deny Legitimacy of Access Sale

Adult video sharing website Pornhub has called a sale of shell access a hoax, stating the methods described by Revolver were not possible.

According to CSOonline, an underground researcher going by the name “Revolver” offered command injection abilities and shell access to a subdomain on Pornhub for $1000.

The offer included two images meant to demonstrate access to the Pornhub server. When asked how the shell was uploaded, 1x0123 (Revolver) said a vulnerability in the user profile script that handles images allowed the shell to be uploaded; once uploaded, browsing to the proper URL would open it and enable command injection.

“Revolver” confirmed on Sunday that he had sold access to Pornhub to three people, and offered to share details and help patch the vulnerability for $5000. Pornhub launched a public bug bounty program last week.

However, Pornhub issued a statement calling the incident a hoax, stating the methods described by Revolver were not possible. At first, the company thought a test server, or a non-production server was targeted, but the website later determined that nothing at all was compromised after working with Revolver.

The statement said: “The Pornhub team investigated the claim from the hacker named 1x0123. Our investigation proved that while those screenshots might look realistic to people without knowledge of the underlying infrastructure, the attack as described by the hacker is not technically possible. This incident was merely a hoax and no Pornhub systems were breached during those recent events.

“The safety and security of our users is Pornhub’s top priority. We would like to remind everyone that Pornhub has a public bug bounty program which can be used to responsibly report any legitimate vulnerabilities in exchange for a bounty as high as $25,000.”

Pornhub did not confirm if they paid for Revolver’s assistance.

Source: Information Security Magazine

Only a Third of IT & Telco Orgs ‘Brexit Ready’

With the UK EU referendum a mere six weeks away, a new survey from international law firm Pinsent Masons has revealed that only a third of IT and telco businesses have developed a clear plan for dealing with the impact of a ‘leave’ vote.

The research found more than half (57%) of the 150 decision makers polled said there had been no discussion at board level about the potential impacts of Brexit. What’s more, of the organizations that have carried out board level discussions, 11% admitted to debating the possible relocation of operations outside of the UK.

What these statistics show is that while larger businesses have begun contingency planning for Brexit, a significant proportion have failed to consider the impact a vote to leave might have.

Guy Lougher, a partner and head of the Brexit Advisory Team at Pinsent Masons, said:

“If the UK vote is in favor of leaving the EU, there will be profound implications for all businesses irrespective of whether they operate or trade in – or with – the UK.”

“A number of economists believe a vote in favor of Brexit would create a profound economic shock. Whether one accepts such predictions or not it is hard to imagine that – at the very least – exchange rates will not be impacted.”

“The uncertainties in a Brexit scenario are so great that there may be a temptation to do nothing until the referendum result emerges. However, our advice to businesses is to start taking steps now. While one cannot protect against all risks, it is possible to identify the risk areas and start thinking about how these could be mitigated.”

The firm says there are several things companies can consider to help minimize the disruption of Brexit upon business, from assessing the number of workers likely to be impacted by freedom of movement rules to reviewing how and where customer data is held.

“There are some simple things that businesses can do. Foremost among those should be identifying any business-critical contracts and considering if they are future-proof. Any agreements which specifically reference the EU as the territory governed by the contract may lack clarity. It is likely to be easier to agree amendments to those agreements now, especially where contracts have not yet been signed, rather than after a vote when the people on the other side of the table will know that the clock is ticking”, added Lougher.

“Having said that, it is encouraging that some businesses have started to consider what commercial opportunities might arise from a vote to leave. While this emerged as being one of the top two steps most likely to have been taken by businesses in France and Germany, this was not the case in the UK.”

Source: Information Security Magazine

PwC: Device-side Biometrics a Key to Personal Privacy

For organizations considering biometrics as they move away from reliance on usernames and passwords, it’s important to remember that regulation of the personal information that such systems collect (fingerprint patterns, for instance) is becoming front and center for many governments.

Fortunately, device-side matching of biometric data is a compelling approach to satisfy key privacy requirements, according to a white paper from PwC Legal and Nok Nok Labs comparing key privacy implications of on-device and on-server matching of biometric data.

Protecting personal information such as retinal-scan or fingerprint identifiers becomes especially important in cross-border personal data transfers, as does giving individuals choice and control over such data.

Some jurisdictions have already specifically referenced biometrics in privacy guidance and legislation. Freely given, informed user consent is required before processing biometric data in almost every jurisdiction, for instance.

“Biometric authentication and verification can be one of the most secure ways to control access to restricted systems and information,” said Stewart Room, partner at PwC Legal. “Unlike authentication based on traditional passwords, authentication through biometric data is easier to use in practice, and can be far more secure.

“However, this is a double-edged sword, because biometric data is extremely sensitive due to its uniqueness and how intrinsic it is to a specific individual. Additional efforts must be made to keep this data secure including choosing a proper compliance system and infrastructure, training staff how to handle it and protecting it from unauthorized access or disclosure.”

The white paper noted that with centralized storage of biometric data, the potential for large-scale loss of data is significantly increased. And in fact, on-server authentication for a global network of biometric users results in international transfers of data; transfer of personal data, including biometric data, out of a jurisdiction is generally restricted. In contrast, on-device authentication will generally avoid international cross-border biometric data transfer implications.

“Biometrics are a compelling way to improve mobile application usability and avoid the security pitfalls of username/passwords, but significant privacy concerns come into play,” said Phillip Dunkelberger, president and CEO of Nok Nok Labs. “With biometrics, it is crucial to understand the difference between on-device and on-server matching, as the difference between the two approaches significantly affects the risk and exposure of data in a breach.”

Photo © Titina Ongkantong

Source: Information Security Magazine

Hackers Steal Sexual Proclivity Info from Hardcore Fetish Porn Site

100,000 aficionados of hardcore fetish porn have been compromised after a niche web forum was hacked.

Independent researcher Troy Hunt, who runs the Have I Been Pwned? database of stolen user accounts, told the BBC that along with the usual data hauls of email addresses, usernames, IP addresses and passwords, this breach also included information about specific sexual proclivities that can be linked to individuals. Tantalizingly for the muckrakers out there, Hunt added that government and military email addresses were found among the trove.

“This is a forum where you would think people would want to stay private, but people were using traceable emails or even corporate emails,” Hunt told the Beeb.

The site—which no one has yet named—was an easy target. It had been using unpatched software, so the thieves needed only to use a well-known exploit to download the entire database of registered accounts.

“It took advantage of a common vulnerability using an SQL injection,” Hunt said.

According to Hunt, some of the victims are repeat targets. About 37% of the accounts were already listed on Have I Been Pwned?

“This hack was the result of having an old system which did not have the appropriate security measures in place that would have protected them from such a hack,” David Navin, head of corporate at Smoothwall, said via email. “Many businesses will suffer similar issues—legacy systems are an issue in all sectors. To address this, it is essential that businesses start with the basics. Beginning with a firewall, encryption and good security software, if companies have those measures in place and continue to layer on top of that, then it will reduce the chances of a cyber-hack.”

He added, “Companies that deal in sensitive issues and collect data especially, should ensure that they have the latest technologies in place to protect their users, otherwise risk seriously harming their reputation and it could make it difficult to recover from.”

To protect one’s privacy, Hunt suggested that users “create an email account and make up a name and use something like the Tor browser so the IP address can’t be traced back to you.”

Some adult sites are taking an active role in user protection. Adult entertainment website Pornhub for instance is the latest firm to ask the white hat research community to help fortify it against attack, after launching a bug bounty program. Like many other firms, it has launched the program in partnership with the HackerOne platform, and is offering anywhere between $50 and $25,000 depending on the severity of the reported flaw.

Photo © pathdoc

Source: Information Security Magazine

Healthcare Data Breaches Cost $6.2 Billion Per Year

A full 89% of healthcare organizations and 60% of their business associates have experienced data breaches over the past two years. And 79% of healthcare organizations experienced multiple data breaches (two or more) in that time period—up 20% since 2010.

Overall, breaches in healthcare are costing the industry $6.2 billion per year, according to the Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, conducted by Ponemon Institute and sponsored by ID Experts. They remain consistently high in terms of volume, frequency, impact and cost.

In fact, breaches have yet to decline since 2010—despite a slight increase in awareness and spending on security technology. More than one-third, or 34%, of healthcare organizations experienced two to five breaches. And nearly half of healthcare organizations, or 45%, had more than five breaches.

While recent large healthcare data breaches have heightened the industry’s awareness of the growing threats to patient data and have led to an improvement in security practices and policy implementation, respondents say that not enough is being done to curtail or minimize the risks.

Criminal attacks are the leading cause of data breaches in the vertical—up 5% to 50% this year. Medical records are the most commonly exposed data, followed by billing and insurance records, and payment details. While the majority of breaches are small (under 500 records) and are not reported to the US Department of Health and Human Services (HHS) and the media, the financial impact is significant.

Hackers aren’t the only issue for the sector. Mistakes (unintentional employee actions, third-party snafus and lost/stolen computer devices) are cited as the root cause of the other half of data breaches.

“In the last six years of conducting this study, it’s clear that efforts to safeguard patient data are not improving. More healthcare organizations are experiencing data breaches now than six years ago,” said Larry Ponemon, chairman and founder, Ponemon Institute. “Negligence—sloppy employee mistakes and unsecured devices—was a noted problem in the first years of this research and it continues. New cyber threats, such as ransomware, are exacerbating the problem.”

Hospitals and clinics also lack the budget, staff and expertise to manage data breaches caused by employee negligence and evolving cyber threats, including the newest threat cited for 2016: ransomware. Nearly half of healthcare organizations, and more than half of their business associates, have little or no confidence that they can detect all patient data loss or theft. The findings also show that, as a result, many healthcare organizations and their third-party business associates are negligent in the handling of sensitive patient information.

In fact, 59% of healthcare organizations and 60% of business associates don’t think their organization’s security budget is sufficient to curtail or minimize data breaches. The findings also reveal that BAs and healthcare organizations point their fingers at each other. Healthcare organizations say that third parties and partners are not doing enough, and BAs say that healthcare organizations are not investing in technology and employees are negligent.

Unfortunately, patients are suffering the effects of data breaches. About 38% of healthcare organizations and 26% of business associates are aware of medical identity theft cases affecting their own patients and customers. Yet despite the known risks, 64% of healthcare organizations and 67% of BAs don’t offer any protection services for victims whose information has been breached.

There’s not just ID theft to worry about. About 58% of healthcare organizations and 67% of BAs do not have a process in place to correct errors in victims’ medical records. Such errors can leave a patient vulnerable to receiving the wrong medical treatment or obtaining the wrong medications.

“This is about real people and the exposure of their sensitive information,” said Rick Kam, CIPP/US, president and co-founder of ID Experts. “The lack of accountability is a big issue in the healthcare industry, with a lot of finger pointing going on. To get a better handle on internal data threats, healthcare organizations can start by getting back to basics with employee training, mobile device policies, regular data risk assessments, and enforceable internal procedures.”

The findings aren’t that surprising, given that a recent survey conducted by the Nasdaq and Tanium found that more than 90% of corporate executives admitted to not being able to read or understand a cybersecurity report, and 40% felt no personal responsibility for cybersecurity or securing customer data.

“The findings of the Ponemon study are consistent with what most would have guessed about the state of security in the healthcare industry,” said Adam Laub, SVP of product marketing at STEALTHbits Technologies. “It’s also not surprising that BAs and healthcare organizations are pointing fingers at each other either; and they’re both right. If you want to point a finger, point it up. Until corporate executives in the healthcare industry feel the same level of pressure concerning the security of their corporate networks and are measured as such, like they are from a financial perspective, this problem will persist.”

Photo © SonicN

Source: Information Security Magazine

Brits Shun Brands Following Breaches

There appears to be a significant disconnect between the amount of reputational damage organizations believe they incur following a breach and the reality in the minds of their customers, according to two new reports out this week.

The UK government’s 2016 Cyber Security Breaches Survey released on Sunday claims that just 4% of breached UK firms thought their brand or reputation had been damaged by the incident over the past year.

This is compared to 31% who said it stopped staff carrying out their work and 55% who said it forced them to look at new security measures to prevent a similar attack in the future.

However, the reality, according to security vendor FireEye, is much different.

The firm interviewed 1000 UK consumers and found that 72% would probably stop buying from a company in the future if it was revealed that a data breach had been partly caused by the boardroom neglecting to invest in cybersecurity.

Over a third (38%) said that they have a negative perception of firms breached last year, while 27% said that the breaches made them view all organizations they buy from more negatively.

Nearly two-thirds (62%) said they’ll give less personal information to firms as a result of breaches over the past year, while over half (52%) said they’d take legal action if their details were stolen from a company they buy from.

The stats seem to show rising expectation levels among the public that the firms they interact with keep their personal data safe and secure.

In fact, 92% said they’d expect to be contacted within 24 hours of a breach – faster than the 72-hour window which will be imposed by the forthcoming EU General Data Protection Regulation (GDPR).

The regulations will also impose fines of up to 4% of global annual turnover, which should also finally focus boardroom minds on cybersecurity.

It’s not just customer dissatisfaction that firms have to deal with following a breach, of course.

As TalkTalk’s financials proved this week, there can also be a serious hit to the bottom line.

The UK ISP revealed its profits for FY16 were more than half that of the previous year, thanks to the firm being forced to spend over £40 million on the aftermath of a serious breach in October and other security incidents.

“The findings from this survey show that people’s negative perceptions of brands can stick, long after the publicity has subsided, and that consumers affected by data breaches are increasingly pointing the finger at people at the top,” commented FireEye EMEA president, Richard Turner.

“There are some key lessons here for board executives who are beginning to recognize why they should take a more active role in cybersecurity.”

Source: Information Security Magazine

Banks on High Alert as Swift Reveals Second Attack

Banks around the world are being urged to revisit their security controls after a second Swift customer was hit by a malware attack designed to steal funds, following the $81 million heist from Bangladesh Bank in February.

Swift, which operates a network for banks to manage transfers and the like, revealed the news in a lengthy statement on Friday.

Once again it claimed that its own “core messaging services and software” had been unaffected but that the attack was aimed at the unnamed bank’s “secondary controls.”

“Forensic experts believe this new discovery evidences that the malware used in the earlier reported customer incident was not a single occurrence, but part of a wider and highly adaptive campaign targeting banks,” Swift said in the statement.

“In both instances, the attackers have exploited vulnerabilities in banks’ funds transfer initiation environments, prior to messages being sent over Swift.”

The second attack differed from that on the Bangladesh central bank in that it also used PDF reader malware to manipulate PDF reports of payment confirmations, hiding evidence of the fraudulent transactions initiated by the cyber crooks.

Aside from that, the two attacks were very similar, Swift said. Attackers first compromise the targeted bank before gaining privileged credentials which they use to authorize Swift messages from the bank, transferring money out. The final step is to hide evidence of the fraudulent messages.

Swift claimed that the hackers clearly know what they’re doing.

“The attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks – knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both,” it said.

The news comes as Bangladesh Bank staff accused Swift technicians earlier in the week of leaving a lot of security loopholes when they were connecting the bank’s real-time gross settlement (RTGS) system to the Swift network, according to Reuters.

They failed to put in firewalls to segment networks, left a poorly protected wireless network up-and-running and failed to disable USB ports on PCs connected to the Swift network, it is alleged.

Swift has since rejected those claims, reiterating that its customers are responsible for their own security.

Matthias Maier, security evangelist at Splunk, argued that this second attack should be a wake-up call to the banking industry.

“These are not isolated incidents. Serious investigations must follow given the custom-built nature of the malware used in these attacks,” he added.

“It appears to have been created by someone with an intimate knowledge of how the Swift software works as well as its business processes, which is cause for concern. However, basic system monitoring at the bank would have stopped this at the server endpoint by tracking system changes in real time, triggering alerts to analysts.”

Other Swift customers must now compare the indicators of compromise (IoCs) released by investigators at BAE Systems with their own data to check whether they too have been hit.

It hasn’t yet been revealed whether the hackers were successful in this second attack and, if so, how much they managed to steal.

Source: Information Security Magazine

Adobe Patches Yet Another Flash Zero Day

Enterprise users have yet again been urged to uninstall Flash from their PCs after Adobe was forced to patch another zero-day vulnerability.

Bulletin APSB16-15 was released yesterday to fix 25 vulnerabilities in Flash, including CVE-2016-4117, for which an exploit already exists in the wild.

The firm said in a statement:

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.”

The bulletin comes after Adobe released patches for over 90 other bugs in its regular monthly update round on Tuesday.

APSB16-15 covers vulnerabilities with a priority rating of either 1 or 3. They include code execution, use-after-free, heap buffer overflow, and memory corruption flaws, as well as a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4116).

Flash is one of the most commonly exploited pieces of software around, with exploits often being wrapped into one of the popular kits like Angler.

In fact, just last month Adobe was forced to issue an out-of-band update after reports circulated that hackers were taking advantage of CVE-2016-1019 to take control of users’ PCs.

This has led many security professionals to argue that IT security managers should simply ban the software from enterprise networks.

“Adobe Flash is still found on way too many machines. It’s one of those programs that’s often not actually used as many vendors see it as a huge security problem,” argued Eset security specialist, Mark James.

“The program itself is one of many that users will leave on their machine without actually using it or understanding the security risk. As with all software these days you need to keep them on the latest versions or better still uninstall it if you don’t need it.”

Meanwhile, Jonathan Sander, VP product strategy at Lieberman Software, argued that only gamers should need Flash on their PC.

“If you’re strictly a business user who uses email, documents, and Web, then you could likely never want or need to install Flash,” he said.

“While a Flash vulnerability won’t be a direct path to critical data in most cases, if it allows a bad guy to get a foothold – it can be dangerous.”

Source: Information Security Magazine

PornHub Gets with the Bug Bounty Program

Adult entertainment website Pornhub is the latest firm to ask the white hat research community to help fortify it against attack, after launching a bug bounty program.

Like many other firms, it has launched the program in partnership with the HackerOne platform, and is offering anywhere between $50 and $25,000 depending on the severity of the reported flaw.

However, for any security researchers looking to make a quick buck there are strict rules around eligibility and exceptions.

Any bugs must be reported within 24 hours of discovery, and the use of automated tools is prohibited.

Also, a total of 12 vulnerability types – including cross-site request forgery (CSRF), cross-site scripting (XSS) via Post requests, and cross-domain leakage – will not qualify for a reward.

The HackerOne page states:

“Security is a top priority at Pornhub. We strive to work with skilled security researchers to improve the security of our service. If you believe you’ve found a security bug in the services listed in our scope, we will be happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.”

Well-known adult sites like Pornhub have also become popular among the black hat community as a quick and easy means of spreading malware to as many users as possible.

Malvertising is a particularly popular tactic, although in most cases it can’t be prevented by plugging holes on the site itself. In December last year Malwarebytes claimed compromised Flash ads served by adult advertising network AdXpansion were putting tens of millions at risk of infection.

It’s also widespread on the mobile web. In November last year, for example, Zscaler reported newly discovered ransomware and data stealing malware disguised as legitimate porn apps.

In February, researchers at Eset revealed they’d discovered 350 porn clicker trojans on Google Play over the previous seven months.

Porn sites also have to be on guard for hackers increasingly looking at their customer databases as a prime opportunity to extort money from users of such sites.

Last month, the emails and passwords of nearly four million users of the Naughty America site and affiliates apparently turned up on the dark web.

And according to tweets from the Have I Been Pwned site run by Troy Hunt this week, 107,000 accounts from a niche site known as The Rosebutt Board have been exposed in a new hack which could be highly embarrassing for those with .gov and .mil addresses who are apparently among those affected.

Source: Information Security Magazine

TalkTalk’s Profits Halve After Breach

TalkTalk’s profits have more than halved over the past year as it absorbed the cost of several major breaches, in a case which experts claim should act as a cautionary tale for firms which fail to take cybersecurity seriously enough.

The UK ISP claimed in preliminary financials for FY16 that pre-tax profits stood at £14m, down from £32m the previous year – noting £83m was spent on “exceptional items” versus £46m in FY15.

The firm had already admitted a one-off bill of £35m would have to be paid to cover incident response, external consulting and increased call volumes as a result of a breach in October, when hackers apparently stole data on around 4% of customers after a simple SQL injection (SQLi) attack.

That figure later rose to around £42 million.

It was also forced to contact customers on two other occasions in 2015 after it was suspected hackers gained access to sensitive information.

TalkTalk Group came under fire again in January this year after it was revealed that employees at one of its outsourcers, Wipro, had been arrested on suspicion of using customer data to commit fraud.

Marc Dautlich, partner at law firm Pinsent Masons, claimed the financial results are a “stark reminder” of the potentially severe consequences of a cyber-attack.

“The financial and reputational impacts can be real and long-lasting,” he added. “Business leaders should be looking at the events that have unfolded and asking themselves: ‘what if this were my organization? Am I prepared?’.”

Andrew Avanessian, vice president at Avecto, added that large organizations are sometimes guilty of mistaking compliance with data protection laws for robust security.

“That’s a dangerous assumption,” he added.

“If the security fundamentals are not addressed and the endpoint systems are not secured then you risk undermining all your defenses and ultimately putting your customers, organizational reputation and profits in the line of fire.”

Richard Parris, CEO of Intercede, argued that firms need to improve security now before the forthcoming EU GDPR levies strict fines on those which don’t effectively protect customer data.

“If companies want to continue to profit in the digital economy, a more proactive stance is required,” he claimed. “The industry must work together to ensure that security is embedded into the very fabric of the technology ecosystem, from the silicon chips that power our smartphones and connected cars, to the services and apps we use in our day-to-day lives.”

For its part, TalkTalk is putting a brave face on it, claiming that customer churn in FY16 is the lowest it has ever been – this despite a report from market watcher Kantar Worldpanel in January that the firm lost 7% of its broadband customers in the fourth quarter.

However, the low churn itself could be symptomatic of TalkTalk’s hardline stance on customers wanting to leave after the October breach.

It would only waive a significant leaving fee if customers could prove money had been stolen from their accounts as a result of the incident – a move widely criticized at the time.

Dan Howdle of comparison site Cable.co.uk argued that customers shouldn’t easily forgive any firm which suffered three major breaches in the space of a year.

“That TalkTalk lost only 3% of its existing customer base, however, points to problems both with the switching process itself and with its public perception,” he added.

“Our own research shows that only around half of UK broadband customers have ever switched provider. The key factors tend to be the financial cost of getting out of your contract, and risk averseness – a feeling of ‘better the devil you know’.”

Source: Information Security Magazine