Archive for the News Category

#RSAC: President Talks Monitoring Future and Dell Takeover

In the opening keynote of RSA Conference, Amit Yoran, President of RSA Security, admitted that relying on technology to prevent breaches is a failing approach, but said that advances in artificial intelligence point to a brighter future.

Calling the 2016 RSA Conference, the 25th anniversary of the annual event, “the greatest conference ever”, Yoran focused his opening keynote on technologies and on how, despite investment, problems still occur. Looking at the Anthem and Ashley Madison breaches, Yoran said that these stories prove cyber is not only a booming career field, but “a powerful conversation starter at home too”.

He said: “The general focus is that paradigms cannot be protected and with the emergence of IoT, our challenges are only going to get exponentially worse. Yet we push collaboration online and rely on technology like anti-virus, sandboxing, firewalls and next-generation firewalls and hope that they will keep us safe when we know that they won’t. But this is not translating into changed behavior fast enough.”

Yoran referred to RSA Security’s own research, which found that two-thirds of those surveyed rely on SIEM technology for detection, and said: “of course we are not satisfied, prevention is a failed strategy but we only invest in that.”

Looking to the future, Yoran said that the future is in monitoring and “knowing that there will be a fail”. He also said that we need “full packet analysis on networks” as “logs are simply not enough” and “comprehensive visibility is the base block for truly insightful analytics and scoping out incidents correctly”.

Referring to Dell’s acquisition of RSA parent EMC last year, Yoran said that he had dinner with Michael Dell, and that the Dell president told him he had done a good job of addressing the problems facing the industry. “I didn’t do it in a way to promote RSA products, so please buy both of these,” Yoran added, showing an image of RSA Security Analytics and the Enterprise Compromise Assessment Tool (ECAT).

Yoran said: “I am excited that RSA has announced availability for the behavioral analytics module and how to detect and highlight sophisticated attacks not seen before. While artificial intelligence is sophisticated, it is not magic. All items can be bypassed and that is why pervasive visibility and understanding is foundational, and there is no actual magic which will save us.”

Source: Information Security Magazine

UC Berkeley Hit by Another Suspected Data Breach

Sensitive financial and personal information on 80,000 UC Berkeley staff, students and vendors may have been exposed to hackers after they exploited an unpatched hole in a university financial app, it has been revealed.

The attackers struck in late December last year as university IT staff were in the process of patching the vulnerability in the Berkeley Financial System (BFS), according to an official Berkeley News report.

The BFS is a financial management app handling things like staff payments, student grants, and travel reimbursements.

As such, the breach has potentially affected half of all current students and 65% of employees, the report claimed.

That is: 57,000 current and former students; 8800 past and present employees; and 10,300 vendors who do business with the campus and therefore had their Social Security or bank account numbers logged in the system.

The university said it does not know for certain whether any of the 80,000 thought to be affected have had their details – potentially including Social Security or bank account numbers – stolen. However, as of last week it began informing them as a precaution.

As is usually the case, free credit monitoring and identity theft insurance will be offered – this time for one year – as well as other help to spot suspicious account activity.

“The security and privacy of the personal information provided to the university is of great importance to us,” said UC Berkeley CISO, Paul Rivers, in a statement. “We regret that this occurred and have taken additional measures to better safeguard that information.”

Rivers’ team apparently spotted the intrusion attempt within 24 hours of it happening and pulled the plug on any impacted servers, but they may not have been quick enough.

It’s not the first time the prestigious California university has been hit by a cyber-attack.

In April last year the university was forced to notify hundreds of students of a potential data breach after spotting an unauthorized access attempt to a campus web server managed by the Division of Equity and Inclusion.

Tripwire security researcher, Lane Thames, argued that universities are an increasingly popular target for cyber-criminals as a source not only of potentially lucrative IP but also personally identifiable information (PII).

“Universities and post-secondary educational institutions should not be using Social Security numbers for their students. School-specific identifiers should be used instead,” he explained.

“The Social Security Administration frowns upon use of Social Security numbers for school identity purposes, and the Family Educational Rights and Privacy Act (FERPA) provides guidance on the use of students' Social Security numbers. Universities that still utilize Social Security numbers for students should consider implementing a more modern approach based on their own internal identification system.”

Source: Information Security Magazine

Skills Shortage Hits Hackers

The skills shortage has hit the attacking community too, with cyber-criminals also struggling to find the right talent.

According to research by Digital Shadows, attackers need an ecosystem of malware writers, exploit developers, botnet operators and mules, but finding individuals who can be trusted is difficult and requires a rigorous application procedure.

This has led many to adopt traditional recruitment techniques to identify top talent to meet their needs. This includes job ads on forums or boards, and weeding out people with no legitimate technical skills.

The research found that the recruitment process often requires strong due diligence to ensure that the proper candidates come through the process. Speaking to Infosecurity, Digital Shadows’ Vice President of Strategy Rick Holland said that in the untrusted environment of the attacker, reputation is as significant as in the online world and if someone does a bad job, then script kiddies and those who have inflated their abilities will be called out.

“Reputation is key, and that is why we see a multi-stage vetting process from interview to demonstrating their ability to make sure they hire the right candidates,” he said.

“Also if you hire in the traditional world it can take time, but hiring as a cyber-criminal happens in a short time. If you steal credit cards then there is a short window to monetise them and if you have people without the right skills then you lose that window as fraud and policy are on to it. There is a sense of urgency to deliver profits.”

Holland explained that attackers need to build up a persona and brand: for someone who is good at running botnets or setting up mules, reputation matters. Yet building that profile also requires some level of anonymity, and being vetted takes time.

Asked what the commonly required skills are, Holland said that they match the common attacker techniques, such as exploitation of cross-site scripting and SQL injection, rather than the most advanced capabilities.

He said: “They are using the same thing that has been used for decades and it is good, but those who are hiring are not going after bleeding edge or technical knowledge, instead go after the low hanging fruit as they have a finite time to monetise the data.”

Source: Information Security Magazine

ICO Slaps Nuisance Calls Biz With £350,000 Fine

UK privacy watchdog the Information Commissioner’s Office (ICO) has levied its biggest ever fine, against a lead generation firm said to have been responsible for 46 million nuisance calls.

Brighton-based Prodial operated out of a residential property, using internet-based telephone services to cheaply make automated marketing calls to tens of millions of victims.

After more than 1000 people complained to the ICO about the pre-recorded PPI calls, it investigated and found that the firm had not sought consent from any of the people it called to contact them in that way.

In fact, any information harvested from the calls was then passed on to claims management companies – generating close to £1 million in turnover for Prodial, the ICO revealed.

The ICO has fined Prodial £350,000 and will now be following up with the firm's liquidators to recover the money.

Commissioner Christopher Graham said it was one of the worst cold calling cases the ICO had ever come across.

“This was a company that knew it was breaking the law. A company director admitted that once the ICO became involved, the company shut down,” he said in a statement.

“That stopped the calls, but we want to send a clear message to other firms that this type of law-breaking will not pay. That is why we have handed out our highest ever fine.”

The news comes just a day after the ICO revealed it had sent out a “stop” order to Sale-based Advanced Voip Solutions, which is accused of coordinating millions of unsolicited phone calls.

Two related firms in the same Manchester town, Money Help Marketing and Preferred Pension, have been hit with enforcement notices, while a fourth – The Review Experts – has been dissolved.

The ICO began investigating after receiving a whopping 6000 complaints about the calls – which are said to have covered PPI, mis-sold pensions, delayed flight compensation and more.

“Unfortunately, it’s surprisingly easy to set up an operation that makes automated calls because you don’t need specialist equipment, a huge staff or fancy premises,” said ICO group enforcement manager, Andy Curry.

“But they can’t hide from us. We’ll continue to keep one step ahead of them and crack down on illegal practices.”

Source: Information Security Magazine

Brooklyn Judge Denies Feds Access to iPhone

Apple was given a boost in its ongoing tussle with the FBI over providing a means to access the iPhone of the San Bernardino gunman, after a Brooklyn judge backed the firm in a separate case.

US magistrate judge James Orenstein ruled that the All Writs Act of 1789 couldn’t be used to compel Apple to circumvent the security of a device recovered during a drug raid.

Although the owner has already pleaded guilty, the FBI had argued that evidence on the device “will assist us in an active criminal investigation.”

However, Apple maintained that complying with the request “could threaten the trust between Apple and its customers and substantially tarnish the Apple brand,” according to court records seen by Reuters.

“The implications of the government's position are so far-reaching – both in terms of what it would allow today and what it implies about Congressional intent in 1789 – as to produce impermissibly absurd results,” said judge Orenstein.

The Justice Department is said to be “disappointed” by the ruling and will apparently look to get a senior judge to review the decision in the next few days.

The ruling will be a boost for Apple in its fight with the FBI over providing access to the iPhone of San Bernardino shooter Syed Farook, as the Feds are also trying to use the All Writs Act in that case.

While the judge there will not be bound by this decision, it could be influential.

Although Apple has complied in the past with scores of court orders based on the All Writs Act, it is thought they related to devices running iOS versions from which data could be easily extracted.

Since October, the firm has either rejected or is seeking additional information in 12 separate cases – including the Brooklyn one – in which the FBI is trying to use the 1789 law to compel the firm to circumvent iOS security.

Source: Information Security Magazine

IBM Plans Resilient Acquisition

IBM has announced plans to acquire Resilient Systems to add incident response capabilities to its services.

The Resilient incident response platform automates and orchestrates the processes needed when dealing with cyber incidents – from breaches to lost devices. This enables users to respond to and mitigate cyber incidents more quickly while helping minimize their exposure. Financial terms were not disclosed. The transaction is expected to close later this year, subject to any required regulatory reviews.

Upon acquisition of Resilient Systems, IBM Security will offer an integrated end-to-end security operation and incident response platform offering. The platform will bring together security analytics, forensics and vulnerability management along with incident response into a coordinated approach for enterprise threat protection, detection and response.

John Bruce, Resilient Systems Co-Founder and CEO, said: “By combining, the market now has access to the leading prevention, detection and response technologies available in the same portfolio – the security trifecta.”

IBM has also launched new X-Force Incident Response Services, further expanding its capabilities to help clients plan for, manage and respond to cyber-attacks, utilising the knowledge of 3,000 consultants and security researchers globally. New services include a remote incident response capability to help clients map how a breach occurred and take action to shut it down.

IBM X-Force security experts will help clients develop response strategies, including Computer Incident Response Team playbooks, and a means to more effectively discover, track, respond to and report on security incidents. These new capabilities will be further enhanced through the planned acquisition of Resilient Systems.

The new services will also include a new remote incident response service, which actively hunts for threats and allows IBM security experts to remotely manage active attacks via the cloud. Part of this capability will be enhanced via technology from Carbon Black, which will enable IBM security analysts to conduct security forensics on compromised endpoint devices, determine where a breach first occurred, map it across other devices, contain it quickly and take action to shut it down.

“By adding Resilient Systems’ technology and expertise, IBM will have an industry-leading range of capabilities to help clients respond to cyber breaches, across consulting, services, and products,” said Marc van Zadelhoff, General Manager, IBM Security.

“With our intent to acquire Resilient Systems, and our other announcements today, we are doubling down on the incident response market. Cybersecurity needs to function like an immune system, both in preventing breaches, but also in quickly eradicating those that do occur.”

In an email to Infosecurity, Scott Crawford, research director at 451 Research, said: “IBM had incident response services before, but it was part of the overall Professional Security Services organization. This announcement appears to be a more formal, front-and-center positioning of incident response services to be more directly competitive with FireEye-Mandiant et al, which had also recently acquired security automation capabilities with Invotas.

“Resilient is more specifically focused on incident response processes, however, so I would see both IBM announcements as being more directly competitive with FireEye-Mandiant.”

Source: Information Security Magazine

56% of Companies Ignore Encryption on the Cloud

A new report by Thales e-Security and the Ponemon Institute has revealed that the use of encryption within organizations is almost three times greater than it was a decade ago, with 37% of the 5000 business and IT managers polled saying they have an encryption strategy in place across their entire enterprise. Despite this, the ‘2016 Global Encryption Trends Study’ found that a significant number of companies still have a lot of work to do regarding consistently applied encryption, especially when it comes to the cloud.

Peter Galvin, Vice President of Strategy at Thales e-Security, said:

“As businesses increasingly turn to cloud services, we’re seeing a rapid rise in sensitive or confidential data being transferred to the cloud and yet only a third of respondents had an overall, consistently applied encryption strategy. Encryption is now widely accepted as best-practice for protecting data, and a good encryption strategy depends on well-implemented encryption and proper key management.”

More than half (57%) of respondents said that determining where their sensitive data resides is the biggest hurdle they face in deploying encryption. A company not knowing where its sensitive data is, or what it is, becomes a significant issue when you consider the security risks that come with an ever-increasing reliance on cloud-based services, which create more connectivity and more endpoint devices. The danger is that these also increase a company’s attack surface, effectively removing its ‘perimeter’ and leaving its network more vulnerable to attack from cyber-hackers.

“There is no perimeter,” Chester Wisniewski, Senior Security Advisor at Sophos told Infosecurity. “Today's most successful defenses depend upon data classification and acting on that classification. What data is sensitive to your company? Protect that first.”

It is concerning, then, to read that 56% of those polled are transferring sensitive or confidential data to the cloud regardless of whether or not it is encrypted or made unreadable with some other data masking, a figure expected to be as high as 84% from 2018 onwards. 

David Kennerley, Senior Manager for Threat Research at Webroot, said that whilst large companies are discussing the importance of encryption on a daily basis and many insecure protocols are being made redundant, the fact that such a high percentage admitted to transferring data without checking whether it is encrypted is very surprising.

“Whether by choice or by accident, it is simply incredible to believe any organization would put its data at risk by transferring it insecurely when so many secure transfer methods and technologies exist. There is no excuse on this one.”

Source: Information Security Magazine

IRS Security Breach: Over 700,000 Now Affected

The United States Internal Revenue Service (IRS) has been forced to admit that a scam targeting taxpayers via its “Get Transcript” application has affected far more people than at first thought – nearly 400,000 more.

In a lengthy update on Friday, the organization claimed that a review of the system following the security incident in May last year had revealed that transcript details for 390,000 additional taxpayers were probably compromised.

That brings the total figure to over 700,000 – far more than the 100,000 initially thought.

Get Transcript was launched in 2014 as an easy way for taxpayers to view, download or have mailed to them their tax transcript.

However, fraudsters soon got in on the act, using stolen Social Security and other data to pose as genuine in order to get filings and tax returns for previous years reissued to them.

The information contained in these was then used to file fraudulent returns early and claim refunds back from the IRS on behalf of their victims.

The IRS said it will be notifying all those affected from today, as well as offering free identity theft protection services and Identity Protection PINs.

“The IRS is committed to protecting taxpayers on multiple fronts against tax-related identity theft, and these mailings are part of that effort,” said IRS commissioner, John Koskinen, in a statement.

“We appreciate the work of the Treasury Inspector General for Tax Administration to identify these additional taxpayers whose accounts may have been accessed. We are moving quickly to help these taxpayers.”

The organization also claimed it is sharing information about this incident with the states as part of the Security Summit initiative – a partnership between itself, state revenue departments and the tax industry.

The nine-month long investigation into the security incident followed the discovery that scammers were gaming the system back in May 2015.

It was initially thought that 114,000 taxpayers were affected, but that number soon rose by 220,000 in August last year.

Source: Information Security Magazine

Consumers Letting Themselves Down Over Online Privacy

New research has revealed that consumers’ lack of cyber-savvy is threatening to undermine their privacy.

Kaspersky Lab claimed in its “Are you cyber savvy?” study that 79% of consumers actually dislike being tracked online by advertisers, social media platforms, e-commerce firms and so on.

However, nearly half (41%) claimed they do nothing to protect themselves online, while 9% said they didn’t even know tracking took place.

Just over a quarter said they use a privacy mode in their browser and only 11% claimed they use a plug-in to achieve the same ends.

Kaspersky Lab advised consumers to disable automatic add-on installation, block suspicious web sites and pop-ups, make SSL certificate checks compulsory and block third party cookies.

It added that using VPNs and HTTPS sites will also improve your ability to stay hidden online.

Downloads of new software can trigger bulk collection of user data, so consumers should be careful to untick any boxes that could lead to extra toolbars, plugins and extensions being installed.

“With tracking data, it’s possible for advertisers, or even malicious third parties, to peer into the life of a person – from where they go, to the sites they browse,” explained Kaspersky Lab principal security researcher, David Emm.

“However, the crux of the problem is that many users simply aren’t cyber-savvy enough when it comes to protecting themselves from online tracking. They may be concerned, but do nothing about it. Even worse, they may not understand that they are putting their privacy at risk at all.”

This might be about to change in Europe, however, with the impending launch of the General Data Protection Regulation (GDPR).

The GDPR will look to impose fines of up to 4% of global annual turnover for firms failing to comply with its strict new rules on data protection.

Part of the new law will also force firms to design products and services with user privacy in mind from the very start.

Source: Information Security Magazine

Snapchat Suckered by Payroll Phishing Attack

Messaging service Snapchat has admitted that sensitive financial information about some of its employees was phished after a member of staff fell for an email scam.

In a blog post on Sunday, the firm claimed that the phishing attack managed to con one of its employees into revealing payroll information about their colleagues.

“Last Friday, Snapchat’s payroll department was targeted by an isolated email phishing scam in which a scammer impersonated our Chief Executive Officer and asked for employee payroll information,” it revealed.

“Unfortunately, the phishing email wasn’t recognized for what it was – a scam – and payroll information about some current and former employees was disclosed externally. To be perfectly clear though: None of our internal systems were breached, and no user information was accessed.”

Snapchat claims it responded swiftly and aggressively to the incident, notifying the employees who were affected and offering them identity theft insurance and monitoring for two years.

“When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong,” the firm admitted.

“To make good on that last point, we will redouble our already rigorous training programs around privacy and security in the coming weeks. Our hope is that we never have to write a blog post like this again.”

Wieland Alge, EMEA general manager at Barracuda Networks, explained that phishing attacks are becoming increasingly difficult to detect.

“HR and payroll are flooded with emails containing all types of attachments and they are encouraged and even obliged to open them. IT security teams must implement countermeasures against targeted attacks against this channel,” he added.

“At the end of the day, all businesses have a duty of care to ensure that they have robust security systems in place to protect their own and their customers’ data. If they fail to do so, they are rolling the dice when it comes to their reputation and ultimately long-term survival.” 

Source: Information Security Magazine
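As an added example (not code from the article, from Snapchat or from Barracuda), here is a small Python mail-screening check for the pattern described in the Snapchat story: a message carrying an executive's display name but sent from an outside domain, or with a Reply-To pointing somewhere else, asking payroll staff for employee data. The company domain, the executive names, the keyword list and the three sample messages are all constructed for illustration and stand in for whatever a real mail gateway would be configured with.

```python
"""Flag inbound mail that impersonates an executive to request payroll data.

Added illustration of the CEO-impersonation phishing pattern; every domain,
name and message here is constructed, not taken from any real incident.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed company domain and a hypothetical set of executives whose display
# names are worth protecting against spoofing (lower-cased for comparison).
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"pat chief", "sam finance"}

# Terms that typically appear in requests for payroll or tax data.
PAYROLL_TERMS = re.compile(
    r"\b(payroll|w-?2|salary|social security|ssn|direct deposit)\b", re.I
)


def _domain(addr: str) -> str:
    """Return the lower-cased domain of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg) -> str:
    """Concatenate the decoded text/plain parts of a parsed message."""
    chunks = []
    for part in msg.walk():  # walk() yields the message itself if not multipart
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyse(raw: str) -> dict:
    """Return a triage verdict ('quarantine', 'review' or 'deliver') and reasons."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    reasons = []

    # Rule 1: an executive's name in the display field, but not our domain.
    name_key = " ".join(display.split()).lower()
    if name_key in EXECUTIVE_NAMES and from_dom != INTERNAL_DOMAIN:
        reasons.append("executive display name sent from external domain")

    # Rule 2: crude look-alike check, our first domain label inside a foreign domain.
    if from_dom != INTERNAL_DOMAIN and INTERNAL_DOMAIN.split(".")[0] in from_dom:
        reasons.append("look-alike sender domain")

    # Rule 3: replies would go somewhere other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        reasons.append("Reply-To domain differs from From domain")

    # Rule 4: the content asks for payroll data.
    if PAYROLL_TERMS.search(msg.get("Subject", "") + "\n" + _body_text(msg)):
        reasons.append("requests payroll data")

    # Executive impersonation is enough on its own; otherwise a payroll request
    # plus any header anomaly is enough; a lone anomaly only earns a review.
    anomalies = [r for r in reasons if r != "requests payroll data"]
    if "executive display name sent from external domain" in reasons:
        verdict = "quarantine"
    elif "requests payroll data" in reasons and anomalies:
        verdict = "quarantine"
    elif reasons:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": reasons, "from": from_addr}


# Constructed sample messages (not real mail).
SPOOF = """\
From: Pat Chief <pat.chief.ceo@mail-example.net>
Reply-To: pat.chief.ceo@mail-example.net
To: payroll@example.com
Subject: Urgent: W-2 and payroll summary

Hi, I need the 2015 W-2 and payroll information for all staff by noon.
Send it as a PDF to this address. Thanks, Pat
"""

LEGIT = """\
From: Pat Chief <pat.chief@example.com>
To: all-staff@example.com
Subject: Town hall on Thursday

Reminder that the quarterly town hall is on Thursday at 10am.
"""

VENDOR = """\
From: Accounts <billing@vendor-invoices.test>
Reply-To: collect@other-domain.test
To: payroll@example.com
Subject: Overdue invoice 4471

Please find attached the overdue invoice for last month.
"""

if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF), ("legit", LEGIT), ("vendor", VENDOR)):
        print(label, analyse(raw))
```

In a real deployment this logic would run in the mail gateway or a SOAR playbook next to SPF, DKIM and DMARC results rather than instead of them, and the verdict is a triage hint: a quarantined request for payroll data should be confirmed with the named executive through a known phone number, never by replying to the message.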