IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

FBI Alert: Business Email Scam Losses Exceed $1.2 Billion


The FBI, in a new alert, estimates that fraud losses linked to so-called business email compromise scams worldwide totaled more than $1.2 billion from October 2013 to August 2015. But some financial fraud experts say the losses from this largely overlooked threat could be even higher because the incidents often are not reported.


David Pollino, bank fraud prevention officer at Bank of the West, who calls these scams "masquerading" schemes, has warned of upticks in this type of wire fraud since January 2014.


In May, he predicted that losses linked to masquerading, or business email compromise attacks, in 2015 alone would exceed $1 billion. "This is a global fraud trend," he said.


In a white paper Bank of the West recently posted about this fraud trend, Pollino notes that masquerading attacks are among the top three fraud threats facing small businesses today.


"Masquerading is a payments scheme in which a fraudster impersonates a company executive or outside vendor and requests a wire transfer through a phone call or email to a company controller, or someone else with authority to wire funds," Pollino writes. "The controller will usually tell the business' bank to wire the funds because the email or phone call seems legitimate."


Fraudsters' social-engineering methods include sending these bogus requests to accounting departments with a sense of urgency, Pollino notes. To speed up payments, the fraudsters often ask the bank or credit union to bypass the normal out-of-band authentication and transaction verification processes in place for wires, especially those being sent to overseas accounts, he says.


"For the third consecutive year, three in five companies were targets of payments fraud," which includes BEC scams, Pollino points out, quoting statistics in the Association for Financial Professionals' 2015 Payments Fraud and Control Survey.


To mitigate risks associated with these scams, Pollino recommends that businesses:


  • Develop an approval process for high-dollar wire transfers;
  • Use a purchase order model for wire transfers, to ensure that all transfers have an order reference number that can be verified before approval;
  • Confirm and reconfirm transfers through out-of-band channels, such as confirmation emails or SMS/texts; and
  • Notify the banking institution if a request for a transfer seems suspicious or out-of-the-norm.

FBI Alert

In its Aug. 27 alert, the FBI notes that most of the companies that have fallen victim to BEC scams have been asked to send urgent wires to foreign bank accounts, most of which are based in China and Hong Kong.


"The BEC scam continues to grow and evolve and it targets businesses of all sizes," the FBI notes. "There has been a 270 percent increase in identified victims and exposed loss since January 2015. The scam has been reported in all 50 states and in 79 countries."

From October 2013 through August 2015, the FBI estimates that some 7,066 U.S. businesses and 1,113 international businesses fell victim to this socially engineered scheme.

Quantifying Losses a Challenge

But quantifying losses from BEC scams has proven challenging because many of the incidents are not reported.


"Certainly these losses are understated, because many companies are not reporting them to the FBI due to embarrassment, lack of knowledge of where to turn, or the realization that there is no chance of retrieving their funds," says financial fraud expert Shirley Inscoe, an analyst at consultancy Aite. "So much money is being stolen through this scam that it is only going to continue, costing businesses billions of dollars."


In an effort to curb losses associated with these socially engineered schemes, Inscoe says financial institutions must educate their commercial customers about how these types of attacks are waged.


And she contends that the Asian banks to which these fraudulent wires are being sent should be held accountable. "Clearly, these banks are assisting in laundering these ill-gotten gains," she says. "An appeal could be made to their regulators to crack down on them from a money-laundering perspective, but I have no idea how receptive the regulators would be to that avenue of action."


Dave Jevans, co-founder of the Anti-Phishing Working Group and chief technology officer of mobile security firm Marble Security, says federal law enforcement agencies have been strengthening their relationships with agencies in Asian markets to help curb some of this fraud.


"They can always work more closely with the financial institutions in these regions to monitor activity. However, it is really up to the originating companies and their U.S. financial institutions to solve this problem," he says. "Law enforcement is about investigating and arresting criminals. They are not a regulatory agency, nor are they a fraud-detection agency."

Preventive Measures

Jevans argues that the solution to the BEC problem is ensuring that businesses have stronger internal controls and targeted attack prevention on their email systems. "Banks can help their customers get educated, and can strengthen their validation processes and requirements when funds are being requested to be sent to new, untrusted accounts," he says. "Only focusing on overseas accounts won't solve the problem, and many of the smaller BEC frauds are routed through money mule accounts here in the USA."


Tom Kellermann, chief cybersecurity officer at the security firm Trend Micro, says businesses have to understand that bypassing banks' procedures for wire-transfer confirmation is exposing them to fraud.

"Internal procedures should change to ensure that all requests for the transfer of funds be verified," Kellermann says.


Kellermann says businesses' employees should be trained to carefully examine the URLs from which emails are sent. Spoofed email addresses, for instance, will be slightly different yet resemble legitimate email addresses. And he says all external wire transfers should be required to have some type of out-of-band confirmation, through a secondary email, phone call or SMS/text, before they are approved and scheduled.
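The sender-address check Kellermann describes can be automated at the point where a wire request is received. The following is an added example, not code from the article or from any of the firms quoted: it classifies the From: header of a funds-transfer email as trusted, lookalike or external and maps that onto the out-of-band controls listed above. The trusted domain list, the homoglyph table and the sample headers are constructed for illustration.

```python
"""Flag wire-transfer requests whose sender address merely resembles a trusted one.

Added example (not from the article): a check that a mail gateway or the
finance team's intake script could run on the From: header of any email that
asks for a funds transfer. Domain list and samples are constructed.
"""
import re

# Domains the business actually exchanges wire instructions with (assumed).
TRUSTED_DOMAINS = frozenset({"example-clinic.com", "supplier-example.net"})

# Character substitutions commonly used to build lookalike domains (assumed table).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "l": "i"}

# Matches 'Display Name <addr>', '"Display Name" <addr>' or a bare addr.
_HEADER_RE = re.compile(
    r'^\s*(?:"?(?P<name>[^"<]*?)"?\s*<(?P<addr>[^>]+)>|(?P<bare>[^\s<>]+))\s*$'
)


def split_header(value: str) -> tuple:
    """Return (display name, address) from a From: header value."""
    m = _HEADER_RE.match(value)
    if not m:
        return "", ""
    if m.group("bare"):
        return "", m.group("bare")
    return m.group("name").strip(), m.group("addr").strip()


def normalize(label: str) -> str:
    """Collapse common homoglyph substitutions so c1inic and clinic compare equal."""
    out = label.lower()
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch a dropped or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a From: header value."""
    name, addr = split_header(header_value)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in trusted:
        return "trusted"
    # A trusted address shown in the display name while the real sender is elsewhere.
    if any(t in name.lower() for t in trusted):
        return "lookalike"
    for t in trusted:
        base, dbase = t.split(".", 1)[0], domain.split(".", 1)[0]
        if (t in domain                                  # trusted.com.evil-example.org
                or normalize(dbase) == normalize(base)   # example-c1inic.com
                or edit_distance(dbase, base) <= 1):     # exampleclinic.com
            return "lookalike"
    return "external"


def wire_request_action(header_value: str) -> str:
    """Map the classification onto the controls the article recommends."""
    verdict = classify_sender(header_value)
    if verdict == "trusted":
        return "normal approval process; still confirm out of band before release"
    if verdict == "lookalike":
        return "hold: suspected BEC, call the requester on a known number and notify the bank"
    return "hold: unknown sender, verify against a purchase order reference before approval"
```

Note that a "trusted" verdict only means the domain matches; a compromised mailbox at a genuine vendor passes this check, which is why the out-of-band confirmation still applies to every transfer.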


Stronger email authentication and adoption of DMARC, the Domain-based Message Authentication, Reporting & Conformance initiative, could have a big impact on reducing fraud losses related to BEC, Kellermann contends.
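DMARC is published as a DNS TXT record at _dmarc.<domain>, and a record that exists but carries p=none only reports spoofing without stopping it. The following added example (not from the article) parses a record and lists the settings that leave a domain spoofable, with a weak record beside an enforcing one; the domain names and records are constructed placeholders.

```python
"""Assess a DMARC TXT record for settings that leave the domain spoofable.

Added example, not from the article. DMARC tells receivers what to do with
mail that fails SPF/DKIM alignment with the From: domain. Records below are
constructed for a placeholder domain.
"""


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str) -> list:
    """Return findings; an empty list means the record enforces rejection."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1); receivers ignore it"]
    findings = []
    policy = tags.get("p", "none")  # p is required; a missing p behaves like none
    if policy == "none":
        findings.append("p=none: failures are only reported, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam rather than being rejected")
    if tags.get("sp", policy) == "none":
        findings.append("sp=none: subdomains can still be spoofed")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not collected, so abuse goes unseen")
    return findings


# Constructed records for a placeholder domain.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-clinic.com"
ENFORCING_RECORD = (
    "v=DMARC1; p=reject; sp=reject; pct=100; "
    "rua=mailto:dmarc-reports@example-clinic.com"
)
```

The usual rollout is to publish p=none first, read the aggregate reports until every legitimate sending service is aligned, then move to quarantine and finally reject; the assessment above is the check to run at each step.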


Fraud expert Avivah Litan, an analyst at the consultancy Gartner, says identity-proofing technology, which requires that an online account user provide a headshot or picture of a driver's license captured with a mobile phone, could make a difference.


More banking institutions are exploring identity-proofing to authenticate new-account customers, Litan says, by employing the same technology they use for the remote-deposit capture of check images from smart phones and PC scanners.


"Perhaps this technology for identity proofing and documents transfer [such as check images] can be rolled out to the customer sites," she says. "Now you start asking the person requesting the wire to prove who they are by saying, 'Sorry, CEO, but before I act on your instructions, I need to see your driver's license.'"


A government key to unlock your encrypted messages has major problems and security experts are up in arms


Top computer scientists and security experts are warning that government proposals to gain special access to encrypted communications could result in significant dangers. 

A consortium of world-renowned security experts has penned a report detailing the harm that regulating encryption would cause, writes the New York Times.


Hard encryption — which global authorities are now trying to combat — is a way to mathematically cipher digital communications and is widely considered the most secure way to communicate online to avoid external snooping. 


This follows news last week that British Prime Minister David Cameron made a proposal to ban encryption as a way to "ensure that terrorists do not have a safe space in which to communicate."  


Since then, experts have begun weighing in about the effect of such drastic measures. This includes well-known cryptographer Bruce Schneier, who told Business Insider that such a strong encryption ban would "destroy the internet."

The new report, which was released today, takes a similarly hard stance. "The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws," it writes. Not only that, but federal authorities have yet to explain exactly how they planned to gain "exceptional access" to private communications.


The report concludes, "The costs would be substantial, the damage to innovation severe, and the consequences to economic growth difficult to predict." In short, the experts believe that trying to put limitations on encrypted communications would create myriad problems for everyone involved. 


This sort of fissure between security experts and federal authorities isn’t new. In fact, a similar proposal was made by the Clinton Administration in 1997 that also took aim at hard cryptography. Back then, a group of experts — many of whom are authors on this new report — also wrote critically about the anti-encryption efforts.

In the end, the security experts prevailed. 


Now, it’s not so certain. FBI director James Comey has joined the anti-encryption brigade, saying that "there are many costs to [universal strong encryption.]"

He and the US deputy attorney general Sally Quillan Yates are scheduled to testify before the Senate tomorrow to defend their views, the New York Times reports.

The question now is whether other federal officials will side with people like Comey and Cameron or the group of security experts. 

In the paper's words, creating such back-door access to encrypted communications "will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend."


LastPass Sounds Breach Alert


Warning to all LastPass users: Change your master password for the service now and ensure you're using multi-factor authentication. There has been a data breach that might allow attackers to crack master passwords and password reminders.


"Our team discovered and blocked suspicious activity on our network," reads a security notice from Joe Siegrist, the CEO of online password management service LastPass, which allows people to store multiple passwords inside a single, cloud-based password vault.


Siegrist says the intrusion was discovered June 12. "In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."


This is not the first time that LastPass has reported that passwords or data might have been hacked. In 2011, the firm reported finding a "traffic anomaly from one of our databases" that could have resulted in data exfiltration. In response, the firm said it took a number of steps to tighten security, including registering domains that might be used by phishing attackers, as well as removing non-core services from the LastPass network.


In the wake of this newly announced breach, Siegrist says that the company is "confident that our encryption measures are sufficient to protect the vast majority of users," noting that the site's techniques for creating users' authentication hashes - in essence, how their authentication credentials get protected - would make it very difficult for an attacker to crack those hashes "with any significant speed." But because that is a possibility, the company says it has now "locked down" all accounts, meaning that any attempt to access an account from a new device or IP address will require the user to first verify their identity via email, unless they're already using multi-factor authentication.


"We will also be prompting all users to change their master passwords," Siegrist says. "You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites." He adds that because encrypted user data wasn't stolen, users do not need to change the passwords for any sites stored inside their LastPass password vault.


LastPass also offers multi-factor authentication - including Google Authenticator, Yubikey and the Duo Security Authenticator - to safeguard accounts. And in the wake of the breach, multiple information security experts recommend that all LastPass users ensure that they are using this feature.

Rethink Password Reset Questions

"Should I panic because LastPass was hacked?" asks Robert David Graham, head of information security research firm Errata Security. "If you chose a long, non-dictionary password, nobody can crack it," he says, thanks to the way LastPass creates its hashing algorithms. "Conversely, if you haven't, then yes, you need to change it."


Some security experts, meanwhile, say that the biggest risk now facing LastPass users will be phishing attacks, especially because users' email addresses have been compromised. "LastPass is advising users to change the master password. While this is a good idea, it should not be the top priority," says Martin Vigo, a product security engineer for salesforce.com who's due to present the talk "Breaking Vaults: Stealing LastPass protected secrets" at the July Shakacon conference in Hawaii. "You should pay more attention to the password hint you set up and be on the lookout for any possible phishing email in the next weeks pretending to be LastPass."


Vigo says many users undercut their security by using password reminders - he recommends never using them, if possible - or else creating weak ones. "While the password reminder cannot be the password itself, it can contain it. This means that password reminders such as 'My password is correct horse battery staple' are possible," he says. "Other more common passwords reminders such as 'My dogs name' can help attackers guess your master password. Remember that they have your email, which leads to your Twitter, Facebook, etc., where possibly that information can be found."
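Two points in this article are easy to show in code: why a per-user salt and a slow key derivation make a stolen table of authentication hashes hard to crack "with any significant speed", and why a reminder that contains the password (or one of its words) throws that protection away. The following is an added example, not LastPass's code; the KDF choice (PBKDF2-HMAC-SHA256), the iteration count and the sample passwords are assumed or constructed, and the article gives no parameters for the real service.

```python
"""Per-user salted authentication hashes plus a password-reminder check.

Added example (not LastPass's implementation). KDF parameters and sample
passwords are assumed/constructed.
"""
import hashlib
import hmac
import os
import re

ITERATIONS = 100_000  # assumed work factor; the article gives no parameters


def make_auth_record(master_password: str, salt: bytes = b"") -> dict:
    """Derive the stored authentication hash with a fresh per-user salt.

    The salt means two users with the same password get different hashes,
    so one cracked hash reveals nothing about another user's, and a
    precomputed table is useless. The slow KDF bounds guesses per second.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify_master_password(master_password: str, record: dict) -> bool:
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def reminder_is_safe(reminder: str, master_password: str) -> bool:
    """Reject reminders that contain the password or any 4+ character word of it.

    'My password is correct horse battery staple' fails; so does a reminder
    that leaks one word of a passphrase, since that shrinks the search space
    an attacker holding the hash has to cover.
    """
    r = re.sub(r"\s+", "", reminder.lower())
    p = re.sub(r"\s+", "", master_password.lower())
    if p and p in r:
        return False
    for word in re.findall(r"[a-z0-9]{4,}", master_password.lower()):
        if word in reminder.lower():
            return False
    return True
```

Graham's point follows from the same functions: the only way to recover a master password from the record is to run the KDF once per guess, so a long password that is not in any word list stays out of reach, while a reminder that names the password makes the guess count one.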

Password Vaults: Pros and Cons

The LastPass breach begs the question of whether people should ever use password managers, a.k.a. password vaults. "If a crook gets hold of your master password, then that's like getting the crown jewels - because now the crook has access to all your accounts at once," says Paul Ducklin, a senior security adviser for anti-virus firm Sophos, in a blog post. As a result, some security experts decry their use, on the grounds that the password manager master password creates a potential single point of failure.


But many security experts, including Bruce Schneier, have long advocated using such tools, saying that it is much more likely that users will get hacked if they reuse passwords, or select weak ones, than have their encrypted password database stolen and cracked.

F-Secure security adviser Sean Sullivan, for example, has said he "can't imagine life" without using one, because such tools can ensure that a user only uses strong passwords, and never repeats them across sites. But Sullivan also takes certain precautions, such as never entering the master password for his password manager when he's using an untrusted system - such as the shared family PC at home - in case a keylogger might be in operation.

Cloud Versus PC-Based

Users can also choose between PC-based, cloud-based or hybrid password managers. Some encryption experts, such as Johns Hopkins cryptographer Matthew Green, have voiced concerns about the security of cloud-based password management services.


Do you know where your sensitive data lives?


Tracking where sensitive and regulated data flows, and controlling that flow in outsourced environments such as SaaS cloud applications, where it can move freely between data centers and the cloud provider's partners' systems, is a key challenge for enterprises in regulated sectors.

More than 125 attendees at RSA Conference 2015 took the survey, which was conducted via in-person interviews by Perspecsys. The results interestingly reveal a split decision when it comes to trust in Cloud Service Providers (CSPs): 52 percent of respondents say they trust their CSP to take care of protecting and controlling their enterprise data and the other half (48 percent) do not.

Enterprises need to consider encrypting or tokenizing any sensitive data before it goes to the cloud, so they retain full control of their information while it is in-transit to the cloud, while it is stored at-rest in the cloud and while it is in-use being processed in the cloud.
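Tokenization as described here replaces each sensitive value with a surrogate before the record leaves the enterprise, while the mapping back to the real value stays on premises. The following is an added example, not from the article or from Perspecsys: a minimal token vault, a function that tokenizes the sensitive fields of a record before upload, and a deterministic (keyed-hash) token for a field the cloud application must still match on, so that in-use processing such as joining on a record number works without the value being disclosed. The field policy, key and sample record are constructed.

```python
"""Tokenize sensitive fields before a record goes to a SaaS provider.

Added example (not from the article or any vendor). The vault stays on
premises; the cloud only ever sees tokens. Field policy, key and sample
record are constructed.
"""
import hashlib
import hmac
import secrets

# Field -> whether the cloud needs equality matching on it (assumed policy).
SENSITIVE_FIELDS = {"patient_name": False, "ssn": False, "mrn": True}


class TokenVault:
    """On-premises token store; in production a database behind access controls."""

    def __init__(self, key: bytes):
        self._key = key      # secret for deterministic tokens; never sent to the cloud
        self._store = {}     # token -> original value

    def tokenize(self, value: str, deterministic: bool = False) -> str:
        if deterministic:
            # Same value -> same token, so the cloud can join/search on it.
            mac = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
            token = "tok_" + mac[:24]
        else:
            # Fresh random token each time: no correlation possible in the cloud.
            token = "tok_" + secrets.token_hex(12)
        self._store[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]

    def is_token(self, value) -> bool:
        return isinstance(value, str) and value.startswith("tok_") and value in self._store


def prepare_for_cloud(record: dict, vault: TokenVault) -> dict:
    """Return a copy of the record with every sensitive field replaced by a token."""
    out = dict(record)
    for field, deterministic in SENSITIVE_FIELDS.items():
        if field in out:
            out[field] = vault.tokenize(str(out[field]), deterministic)
    return out


def restore_from_cloud(record: dict, vault: TokenVault) -> dict:
    """Swap tokens back for real values once the record is back on premises."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in out and vault.is_token(out[field]):
            out[field] = vault.detokenize(out[field])
    return out


def leaks_sensitive_value(cloud_record: dict, original: dict) -> bool:
    """Gate check before upload: does any raw sensitive value survive in the copy?"""
    return any(
        str(original[f]) == str(cloud_record.get(f))
        for f in SENSITIVE_FIELDS if f in original
    )


# Constructed sample record.
VISIT = {
    "visit_id": 1042,
    "patient_name": "Jane Example",
    "ssn": "000-00-0000",
    "mrn": "MRN-0001",
    "reason": "follow-up",
}
```

The trade-off is visible in the two token kinds: deterministic tokens keep the cloud application useful (two visits for the same MRN still line up) but let an observer see that two records share a value, so they are reserved for fields that genuinely need matching, and the vault key and store become the thing to protect.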

IDC forecasts that public IT cloud services will account for more than half of global software, server, and storage spending growth by 2018. The Perspecsys survey findings align with this projection, with 67 percent of respondents preferring to store the majority of enterprise data in the cloud – that is – if data privacy and compliance regulations could be addressed. Interestingly, the current perception remains that private cloud is more secure than its public cloud cousins. For example:


  • About half of respondents say existing or impending data privacy regulations impact up to 50 percent of their cloud strategy
  • The majority of respondents still house less than a quarter of their data in public cloud environments
  • About a third claim no public cloud use at any level (IaaS, PaaS or SaaS), as far as they know.

Via Paulo Félix

New Rombertik malware destroys master boot record if analysis function detected


While malware that checks for analysis tools is nothing new, Cisco researchers have identified a new malware sample that takes its detection-evasion features one step further than the average malware.


Instead of simply self-destructing when analysis tools are detected, Rombertik attempts to destroy the device's master boot record (MBR), researchers wrote in a blog post.


This malware spreads through spam and phishing messages sent to possible victims.


In one example, attackers attempted to convince a user to download an attached document in an email. If downloaded and unzipped, a file that looks like a document thumbnail comes up. Although it mimics a PDF icon, it is actually a .SCR screensaver executable file containing the malware.


At this point Rombertik will first run anti-analysis checks to determine whether it is running within a sandbox. If it isn't, it will then decrypt and install itself, which then allows it to launch a second copy of itself and to overwrite the second copy with the malware's core functionality. Then, again, it will check to make sure it isn't being analyzed in memory. If it is, the attack takes an even more malicious turn with the malware attempting to destroy the Master Boot Record and restart the computer to make it inoperable.


To make actual analysis even more difficult, in the unpacked Rombertik sample used by Cisco more than 97 percent of the packed file is dedicated to useless content, including 75 images and more than 8,000 functions that are never used.


Plus, instead of evading sandbox detection by sleeping for a certain amount of time and forcing the sandbox to time out, Rombertik writes a byte of random data to memory more than 900 million times. If an analysis tool attempted to document all these write instructions, the log would be more than 100 gigabytes.


All this occurs before the malware actually gets down to its true purpose of capturing a victim's plain-text data sent over a browser. Rombertik injects itself into the user's preferred browser's process and hooks API functions that handle plain text data. The attackers can then see usernames and passwords from almost any website a user visits.

“This is the perfect example where layered defense makes a lot of sense,” said Craig Williams, technical leader, Cisco Talos, in an interview with SCMagazine.com.


Although the malware may beat one detection system it's unlikely to detect or avoid them all, he said, making layered defense an important method to mitigate the risk. However, he noted, it's possible more exploit kits will begin adopting Rombertik's evasion tactics, making defense even more difficult.


Via Danen Raas, Paulo Félix

Will Executive Order Impact Cybercrime?


President Obama on April 1 issued an executive order that allows the U.S. government to block or seize the assets of suspected "malicious cyber actors." But some legal and security experts already are questioning whether the order is legally defensible or will have any meaningful impact on either cybercrime or online espionage.


"There are so many problems with this," attorney Mark Rasch, a former U.S. Department of Justice official who created its computer crime unit, tells Information Security Media Group, citing, for example, the government's ability to presume someone is guilty, without first having to prove it. "In general, sanctions are a political tool for putting pressure on recalcitrant governments to change their ways, [but] these sanctions are a legal tool to impose punishment without trial on persons we believe to be criminals and hackers."


The Obama administration, however, says that the executive order - officially titled "Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities" - is necessary to give the U.S. government much-needed new legal tools in its fight against cybercrime and online espionage. The executive order represents the first time that the White House has authorized broad sanctions to be imposed specifically for cyber-attacks, and regardless of the location of whoever is behind the attacks.


"Our primary focus will be on cyberthreats from overseas," Obama writes on news website Medium. "In many cases, diplomatic and law enforcement tools will still be our most effective response. But targeted sanctions, used judiciously, will give us a new and powerful way to go after the worst of the worst."


The executive order authorizes the Secretary of the Treasury - in consultation with the Attorney General and the Secretary of State - to impose such sanctions "on individuals or entities that engage in malicious cyber-enabled activities that create a significant threat to the national security, foreign policy or economic health or financial stability of the United States," Obama says in an April 1 statement distributed by the White House.


While the executive order doesn't define "significant," it says sanctions can be imposed for a variety of reasons, for example, in response to attacks that target critical infrastructure, which disrupt networks - via distributed denial-of-service attacks, for instance - as well as for targeting or stealing trade secrets or personally identifiable information, and for computer crime in general.

Intent: To Fill Gaps

White House Cybersecurity Coordinator Michael Daniel says the executive order is meant to expand the "spectrum of tools" that the government can use to combat cyber-attacks, by supplementing current diplomatic, law enforcement, military, economic and intelligence capabilities.


"It is designed to fill in a gap that we have identified where individuals carrying out significant malicious cyber-attacks are located in places that it's difficult for our diplomatic and law enforcement tools to reach - whether because they're behind the borders of a country that has weak cybersecurity laws, or the government is complicit in or turning a blind eye to the activity that is happening, and we don't have good law enforcement relationships or other kinds of relationships," he said on an April 1 press call. "So what we're doing is putting in place a tool that will enable us to impose costs on those actors."


John Smith, the Treasury Department's acting director of the Office of Foreign Assets Control, or OFAC, which administers and enforces U.S. economic sanctions programs, said on the press call that the executive order elevates cyber-attacks to the realm of such activities as counterterrorism, narcotics trafficking and transnational crime, which the United States targets regardless of where they're based. Smith says the administration is hoping that by designating cybercrime and online espionage in this manner, more countries will be spurred to put a stop to related activities inside their borders, or that touch their financial system.

Sony Hack Inspired Order

The Washington Post reports that the executive order has been under development for the past two years. But Daniel says the need for the executive order was highlighted after the president called for a "proportional response" to the hack attack against Sony Pictures. "That process informed us as we were finishing up this executive order and highlighted the need for us to have this capability and to have this tool."


The move follows another executive order, signed by the president in January, that imposed sanctions on 10 individuals and three entities associated with the North Korean government, after the FBI attributed the November 2014 hack and wiper malware attack against Sony Pictures Entertainment to "North Korea actors." But numerous information security experts have continued to question that attribution.

Questioning the Rationale

And some legal and security experts are now questioning the rationale behind the new executive order. "It's really built out of frustration, because the international legal process does not deal effectively with cybercrime," says Rasch, the former DOJ official. "So there's the urge to take the law into your own hands. Resist that urge."


Rasch adds that another problem with the executive order is that it's not aimed just at state sponsors - or nation-state-backed attackers - but anyone who the U.S. believes has broken the law. Furthermore, it allows the government to impose punishments, such as seizing U.S. citizens' assets, without any due process, or having to first prove the government's case.


The administration says that anyone who wants to contest sanctions that get imposed using this executive order can do so with OFAC, or by filing a lawsuit against the federal government.

Cybercrime Impact?

But will the executive order lead to any meaningful reduction in cybercrime or online espionage? "I'm somewhat skeptical, to say the least," Sean Sullivan, a security adviser for Helsinki, Finland-based anti-virus firm F-Secure, tells ISMG. "There's a great deal of Russian-speaker-based 'espionage as a service' that would be very difficult to do much about. And China seems even more of a challenge. But then again, maybe there are some officials who do actually have American assets to go after - New York real estate, for example."


James A. Lewis, a cyberpolicy expert at the Center for Strategic and International Studies, believes that the new program could have an impact, for example to combat Chinese-promulgated economic espionage. "You have to create a process to change the behavior of people who do cyber-economic espionage," he tells The Washington Post. "Some of that is to create a way to say it's not penalty free. This is an effective penalty. So it moves them in the right direction."

But Rasch thinks it's unlikely that the executive order would fulfill the stated White House purpose of deterring future cybercrime, espionage and large-scale attacks. "The rogues are not going to be deterred by this," he says. "The state sponsors are not going to be deterred by this."



Online trust is at the breaking point


IT security professionals around the globe believe the system of trust established by cryptographic keys and digital certificates, as well as the security of trillions of dollars of the world's economy, is at the breaking point.

For the first time, half of the more than 2,300 IT security professionals surveyed by The Ponemon Institute now believe the technology behind the trust their business requires to operate is in jeopardy. 100% of organizations surveyed had responded to multiple attacks on keys and certificates over the last two years.


Research reveals that over the next two years, the risk facing every Global 5000 enterprise from attacks on keys and certificates is at least $53 million USD, an increase of 51 percent from 2013. For four years running, 100 percent of the companies surveyed said they had responded to multiple attacks on keys and certificates, and vulnerabilities have taken their toll.

"The overwhelming theme in this year's report is that online trust is at the breaking point. And it's no surprise. Leading researchers from FireEye, Intel, Kaspersky, and Mandiant, and many others consistently identify the misuse of key and certificates as an important part of APT and cybercriminal operations," said Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi. "Whether they realize it or not, every business relies upon cryptographic keys and digital certificates to operate. Without the trust established by keys and certificates, we'd be back to the Internet 'stone age' – not knowing if a website, device, or mobile application can be trusted."

As risk increases, so does the number of keys and certificates: Over the last two years, the number of keys and certificates deployed on infrastructure such as web servers, network appliances, and cloud services grew more than 34 percent to almost 24,000 per enterprise. The use of more keys and certificates makes them a better target for attack. Stolen certificates sell for almost $1000 on underground marketplaces, and doubled in price in just one year. Researchers from Intel believe hacker interest is growing quickly.

Organizations are more uncertain than ever about how and where they use keys and certificates: Now 54 percent of organizations admit to not knowing where all keys and certificates are located and how they're being used. This leads to the logical conclusion: how can any enterprise know what's trusted or not?

Security pros worry about a Cryptoapocalypse-like event: A scenario where the standard algorithms of trust like RSA and SHA are compromised and exploited overnight is reported as the most alarming threat. Instantly transactions, payments, mobile applications, and a growing number of Internet of Things could not be trusted. Coined by researchers at Black Hat 2013, a Cryptoapocalypse would dwarf Heartbleed in scope, complexity, and time to remediate.

The misuse of enterprise mobile certificates is a lurking concern: The misuse of enterprise mobility certificates used for applications like WiFi, VPN, and MDM/EMM is a growing concern for security professionals. Misuse of enterprise mobility certificates was a close second to a Cryptoapocalypse-like event as the most alarming threat. Incidents involving enterprise mobility certificates were assessed to have the largest total impact, over $126 million, and the second largest risk. With a quickly expanding array of mobile devices and applications in enterprises, it's no wonder why security pros are so concerned.

"With the rising tide of attacks on keys and certificates, it's important that enterprises really understand the grave financial consequences. We couldn't run the world's digital economy without the system of trust they create," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. "This research is incredibly timely for IT security professionals everywhere – they need a wake up call like this to realize they can no longer place blind trust in keys and certificates that are increasingly being misused by cybercriminals."


Should we hack the hackers? - The Guardian

If we’re losing the war against cybercrime, then should we take off the gloves and strike back electronically against hackers?

As banks reel from another major hacking revelation, a former US director of intelligence has joined some of them in advocating for online counterstrikes against cybercriminals.

In February, security firm Kaspersky detailed a direct hack against 100 banks, in a co-ordinated heist worth up to $1bn. This follows growing sentiment among banks, expressed privately, that they should be allowed to hack back against the cybercriminals penetrating their networks.

At February’s Davos forum, senior banking officials reportedly lobbied for permission to track down hackers’ computers and disable them. They are frustrated by sustained hacking campaigns from attackers in other countries, intent on disrupting their web sites and stealing their data.

Dennis Blair, former director of national intelligence in the Obama administration, has now spoken out in favour of electronic countermeasures, known in cybersecurity circles as hacking back, or strikeback.

Blair co-authored a 2013 report from the US Commission on the Theft of American Intellectual Property. It considered explicitly authorising strikeback operations but stopped short of endorsing this measure at the time.

Instead, the report suggested exploring non-destructive alternatives, such as electronically tagging stolen data for later detection. It also called for a rethinking of the laws that forbid hacking, even in self-defence.

Western law enforcers don’t have jurisdiction in the countries where cybercriminals operate. Ideally, they would pass information about hackers onto their counterparts there, said Blair, but in many cases local police are un-cooperative. It’s time to up the ante, he suggested.

“I am more leaning towards some controlled experiments in officially conducting aggressive cyber-tracking of where attacks come from, discovering their origin, and then taking electronic action against them,” he told the Guardian.

Legal problems

There’s just one problem with strikeback operations, said Mark Rasch, a former federal cybercrime prosecutor and the head of Maryland-based Rasch Technology and Cyber-law: it’s against the law. “You have to start with the general assumption that hacking back is most likely illegal,” he said.

Long-standing laws on both sides of the Atlantic clearly forbid unauthorised tampering with a computer, even if someone is using that computer to attack you. In the UK, the Computer Misuse Act sets those rules. In the US, the Computer Fraud and Abuse Act does the same.

Even without this legislation, the law generally frowns upon what Rasch calls “self help”. Judges dislike vigilante justice.

The stakes are getting higher, though. Since the report’s release, corporate America has seen several devastating cyber-attacks. JP Morgan suffered a breach affecting 76 million households. Home Depot and Target were also hacked, and most recently, Sony Entertainment was embarrassed by the theft of internal documents.

“I’ve been seeing the way that technology is developing. I think it’s worth some limited legislation to post penalties back to hackers,” Mr Blair said, adding that companies should work with law enforcement rather than taking matters into their own hands.

“Law enforcement authorities can go back down the same route that [the hackers] use to attack, and cause physical damage to their equipment,” he added.


Despite High-Profile Data Breaches, Fraud is Down

Home Depot, Staples, Neiman Marcus — 2014 was a blockbuster year for high-profile data breaches, with at least $16 billion stolen from a reported 12.7 million fraud victims.

But those numbers are actually an improvement, according to a new study by Javelin Strategy & Research. Last year, the amount of money lost to fraud dropped 11 percent, down from $18 billion in 2013. And in 2012, the amount was even higher, at $21 billion.

The number of victims is down too, dipping 3 percent in 2014.

Though hacks appear to be growing in size and targeting larger retailers, financial institutions have also gotten better at performing triage after such an attack occurs.

“The combined efforts of industry, consumers, and monitoring and protection systems that are catching fraud more quickly helped reduce the incidence of fraud and the amount stolen over the past year,” said Al Pascual, director of fraud and security at Javelin, a consulting firm that analyzes consumer transactions. “When detected, fraud is being resolved quicker than ever before.”

After 110 million credit card numbers were stolen in the December 2013 Target breach, for example, banks went on the offensive, spending more than $200 million to replace consumer credit and debit cards.

In 2014, 1 in 4 consumers received data breach notifications, but a smaller proportion of those people became fraud victims than in 2013. Last year, fraud incidents among notified breach victims dropped 17 percentage points to 13.7 percent, the lowest rate since Javelin began conducting its annual study in 2004.

The report hypothesized that the huge number of data breaches in 2014 may have spurred banks and retailers to take such attacks more seriously, driving down the incidence of fraud. Improvements in technology that can help detect fraud also contributed to the decline, the report said.

Pascual warned that despite dropping reports of fraud, consumers should still be wary of identity theft.

“We have seen declines in the past, but they have reversed as fraudsters try new approaches or when new technologies make it easier for fraudsters to get consumer information,” he said.

For instance, while new-account fraud (in which a fraudster uses stolen information to open an account in a victim’s name) reached record lows in 2014 according to the Javelin report, this year such incidents have increased due to security weaknesses in Apple’s new mobile payments system, Apple Pay.

In the Javelin report, 13 percent of victims of new-account fraud did not detect the identity theft for more than a year.

Though 2014’s number of victims was down, 2013 had the second-highest number of identity theft victims since Javelin began its annual study.

In the end, said Pascual, more breaches will result in more victims of identity theft. In 2014, two-thirds of identity fraud victims had previously received a data breach notification that year.

“This is a long, drawn-out battle against identity thieves,” he said. “While there have been some victories this year, there have also been some discouraging setbacks. It really reinforces why we need the combined efforts of industry, consumers, and monitoring and protection systems working together to continue the downward trend.”


Obama Imposes Sanctions on North Korea for Hack

Holding North Korea responsible for the cyber-attack on Sony Pictures Entertainment, President Obama imposed sanctions on 10 individuals and three entities associated with the North Korean government.

On Jan. 2, the president ordered the seizure of any property held in the United States by those individuals and organizations, a mostly symbolic action because few, if any, assets of those designated in the order are likely located in the U.S.


The organizations facing sanctions include the Reconnaissance General Bureau, North Korea's primary intelligence agency; Korea Mining Development Training Corp., or KOMID, North Korea's primary arms dealer; and Korea Tangun Trading Corp., the North Korean agency primarily responsible for the procurement of commodities and technologies to support its defense research and development programs.

"Our response to North Korea's attack against Sony Pictures Entertainment will be proportional, and will take place at a time and in a manner of our choosing," a White House statement says. "Today's actions are the first aspect of our response."

Further Isolating North Korea

The executive order authorizes Treasury Secretary Jack Lew to impose the sanctions. Lew, in a statement, says the sanctions are driven by the government's commitment to hold North Korea accountable for its destructive and destabilizing conduct.

"Even as the FBI continues its investigation into the cyber-attack against Sony Pictures Entertainment, these steps underscore that we will employ a broad set of tools to defend U.S. businesses and citizens, and to respond to attempts to undermine our values or threaten the national security of the United States," Lew says. "The actions taken today ... will further isolate key North Korean entities and disrupt the activities of close to a dozen critical North Korean operatives. We will continue to use this broad and powerful tool to expose the activities of North Korean government officials and entities."

An administration official told The New York Times that these sanctions are a first step to punish the North Koreans for the Sony breach. "The administration felt that it had to do something to stay on point," the official said. "This is certainly not the end for them."


Sony Hack a 'National Security Matter'

The White House says that it's treating the malware attack against Sony Pictures Entertainment and subsequent data leaks as a "national security matter." But the administration says it's too early in its investigation into the attack to definitively attribute the attacks to any particular group or nation state.


"This is something that's being treated as a serious national security matter," White House Press Secretary Josh Earnest told reporters in a Dec. 18 briefing. "There is evidence to indicate that we have seen destructive activity with malicious intent that was initiated by a sophisticated actor. And it is being treated by those investigative agencies, both at the FBI and the Department of Justice, as seriously as you would expect."

The hacker attack against Sony has reportedly included data theft and, on Nov. 24, wiper malware being used to erase Sony data. That's been followed by ongoing data leaks and other threats against Sony Pictures Entertainment and its employees.

Earnest says the ongoing attack "has also been the subject of a number of daily meetings that have been convened here at the White House," led by homeland security adviser Lisa Monaco and cybersecurity coordinator Michael Daniel and including representatives from intelligence, diplomatic, military and law enforcement agencies.

A group that calls itself the Guardians of Peace has claimed credit for the attack against Sony Pictures, including the leaks of stolen data, which has included top Sony Pictures executives' Outlook e-mail spools. After "G.O.P." launched its attacks and began leaking data, however, the group then claimed it would stop the data leaks if Sony canceled its forthcoming comedy "The Interview," which centers on a tabloid TV reporting team that gets approached by the CIA to assassinate Kim Jong-un, who heads the Pyongyang-based communist dictatorship that rules North Korea.

After G.O.P. published a "terror" threat against movie theaters, U.S. theater chains announced that they would not show the film. Subsequently, Sony announced that it would shelve "The Interview" indefinitely, which has sparked a further backlash against the already beleaguered movie and television studio.

Investigation Still 'Progressing'

In response to questions about whether North Korea launched or sponsored the Sony attack, Earnest said that while the investigation is "progressing," he was not yet able to comment on that question, Reuters reports. But he said that the administration "would be mindful of the fact that we need a proportional response," and cautioned that the people behind these types of malicious attacks were "often seeking to provoke a response."

"They may believe that a response from us in one fashion or another would be advantageous to them," Earnest said, for example, by focusing international attention on their agenda, or increasing their standing with peers.

Ken Westin, a security analyst at information security vendor Tripwire, says it is premature to attribute the Sony hack to any specific group or nation. "FBI notices have been sent out stating specifically no connection has been made and that the investigation is still under way," he says.


While the White House and FBI say it's too soon to blame the hack attack against Sony Pictures - which is a subsidiary of Japanese multinational conglomerate Sony - on any particular group or actor, other government officials have nevertheless been sharing their own theories with multiple media outlets. "We have found linkage to the North Korean government," a "U.S. government source" tells NBC News, which reports that the attack against Sony appeared to have been launched from outside North Korea. But no evidence was supplied that might confirm any supposed linkage to Pyongyang having participated in or ordered up the attacks.

Information security experts, meanwhile, have warned against reading too much into any supposed "linkage" between the Sony hack and North Korea, or the fact that unnamed government sources told the New York Times that North Korea was "centrally involved" in the attack against Sony, saying such suppositions have yet to be confirmed by the release of any supporting facts. In fact, security experts warn, the information being cited by unnamed government officials at times seems to contradict suggestions of Pyongyang involvement.

"People don't seem to be reading past the headline or first couple of paragraphs," says attrition.org CEO and security expert Brian Martin, a.k.a. Jericho, in a blog post, referring to the New York Times report. "What seems like a strong, definitive piece falls apart and begins to contradict itself entirely halfway through the article."

Intelligence Not 100% Reliable

Furthermore, what one unnamed intelligence source believes may not square with another intelligence source, warns Jeffrey Carr, CEO of threat-intelligence sharing firm Gaia International. He says the intelligence community "is rarely unified when it comes to intelligence analysis; especially cyber-intelligence."

Carr and other security experts have also warned that whoever is sharing supposed Sony-related intelligence may also have a political agenda. "Cybersecurity has become an increasingly political topic thanks to recent NSA revelations and increased defense spending being allocated to cyber defense - and offense - not to mention issues of pirating, net neutrality, privacy and related topics, all of which the Sony breach touches on," Tripwire's Westin says.

Despite the lack of solid evidence that proves North Korea is responsible for the Sony attack, some commentators have been referring to the hack against Sony in military terms. Former Congressman Newt Gingrich, for example, claims that "with the Sony collapse America has lost its first cyberwar."

But security experts have cautioned against jumping to conclusions. "I've said it for a week, and I must say it again," Martin of attrition.org says. "How about we wait for actual evidence. ... Remember, North Korea is the same country that threatened the U.S. with a nuclear missile earlier this year. They like to rattle their saber at everyone, but it doesn't mean they actually did anything."

Kyle Greene's curator insight, October 18, 2017 11:59 AM

Cyber Security is a growing concern among all companies in the Entertainment and Media industries. This article addresses the notion that the threat to companies' cyber security is so prominent that government agencies such as the White House and the FBI. I feel that this article is a reliable source because it is from a website hosted by Cyber Security workers, and authors who have first-hand experience in Cyber Security.


Sony data breach: how not to protect your passwords

Sony Pictures Entertainment faces being left completely red-faced after reports began to emerge that it contributed to its latest data breach by storing thousands of passwords in a folder entitled "Password".

Personal details of some 47,000 employees and actors have been leaked online in recent days and the much-publicized leak contains confidential details including social security numbers and reams of other tidbits, according to The Telegraph.

The controversially named "Password" folder contains 139 Word documents, Excel spreadsheets, zip files and PDFs that give access to passwords and usernames for everything from internal computers to social media accounts.

One of those files, which has been seen by BuzzFeed, contains scores of usernames and passwords to various social media accounts thus giving anyone easy access to Facebook, MySpace, YouTube and Twitter accounts linked to the firm.

Sony hasn’t spoken publicly about the hack and the only noises came in an internal company-wide memo from CEO Michael Lynton and co-chairman Amy Pascal that called it a "brazen attack on our company, our employees and our business partners".

Sony’s leak comes at the same time that a clutch of high-profile upcoming films were made available online, with many reports pointing the finger at North Korea in retaliation for an upcoming film that pokes fun at the country.

Since then, the country has come out to deny that it is responsible for the hack and called claims that it had anything to do with it "another fabrication targeting the country".

The film in question, The Interview, stars Seth Rogen and James Franco and centers on a fictional plot by the US government to assassinate North Korea’s leader, who bears an uncanny resemblance to the real-life leader Kim Jong-un.

Employees at Sony Pictures, who are some of the worst affected, aren’t likely to be surprised at the leak given that former workers told Fusion that the company’s "long-running lax attitude towards security" is likely to blame.


Data breach trends for 2015: Credit cards, healthcare records will be vulnerable

The data breaches of 2014 have yet to fade into memory, and we already have 2015 looming. Experian's 2015 Data Breach Industry Forecast gives us much to anticipate, and I've asked security experts to weigh in with their thoughts for the coming year as well.

Experian highlights a number of key factors that will drive or contribute to data breaches in 2015. A few of them aren't surprising: Organizations are focusing too much on external attacks when insiders are a significantly bigger threat, and attackers are likely to go after cloud-based services and data. A few new factors, however, merit your attention. 

First, there is a looming deadline of October 2015 for retailers to upgrade to point-of-sale systems capable of processing chip-and-PIN credit cards. As banks and credit card issuers adopt more secure chip-and-PIN cards, and more consumers have them in hand, it will be significantly more difficult to clone cards or perpetrate credit card fraud. That’s why Experian expects cybercriminals to increase the volume of attacks early in 2015, to compromise as much as possible while they still can.

The third thing that stands out in the Experian report is an increased focus on healthcare breaches. Electronic medical records, and the explosion of health or fitness-related wearable devices make sensitive personal health information more vulnerable than ever to being compromised or exposed.

The risk of health related data being breached is also a concern voiced by Ken Westin, security analyst with Tripwire. He pointed out that part of the reason that retail breaches have escalated is because cybercriminals have developed the technologies and market for monetizing that data. “The bad news is that other industries can easily become targets once a market develops for the type of data they have. I am particularly concerned about health insurance fraud—it’s driving increasing demand for health care records and most healthcare organizations are not prepared for the level of sophistication and persistence we have seen from attackers in the retail segment.”

“There will absolutely be more breaches in 2015—possibly even more than we saw in 2014 due to the booming underground market for hackers and cybercriminals around both credit card data and identity theft,” warned Kevin Routhier, founder and CEO of Coretelligent. “This growing market, coupled with readily available and productized rootkits, malware and other tools will continue to drive more data breaches in the coming years as this is a lucrative practice for enterprising criminals.”

The rise in data breach headlines, however, may not necessarily suggest an increase in actual data breaches. It’s possible that organizations are just getting better at discovering that they’ve been breached, so it gets more attention than it would have in previous years.

Tim Erlin, director of IT risk and security strategy for Tripwire, echoed that sentiment. “The plethora of announced breaches in the news this year is, by definition, a trailing indicator of actual breach activity. You can only discover breaches that have happened, and there’s no indication that we’re at the end of the road with existing breach activity. Because we expect organizations to improve their ability to detect the breaches, we’ll see the pattern of announcements continue through 2015.”

The combination of a rise in actual data breach attacks, and an increase in the ability to discover them will make 2015 a busy year for data breaches. Whether we’re defending against new attacks, or just detecting existing breaches that have already compromised organizations, there will be no shortage of data breach headlines in 2015.


More Retailers Hit by New Third-Party Breach?

CVS, Rite-Aid, Sam's Club, Walmart Canada and other large retail chains have suspended their online photo services following a suspected hack attack against a third-party service provider that may, in some cases, have resulted in the compromise of payment card data.


The suspected breach centers on PNI Digital Media Inc., a Vancouver-based firm that manages and hosts online photo services for numerous retailers. The incident serves as a reminder of the security challenges that organizations face when it comes to managing their third-party vendors and entrusting them with sensitive customer information.


Numerous chains have confirmed that they are investigating potential breaches - some involving payment card data - after being warned by PNI Digital Media that it may have suffered a hack attack that resulted in the compromise of retailers' customers' names, addresses, phone numbers, email addresses, photo account passwords and credit card information. But none of the retailers involved have so far reported that they believe the breach would affect any of their in-store customers, including anyone who used in-store photo services.


PNI Digital Media did not immediately respond to a request for comment on its reported breach investigation. Until July 17, the company's investors page reported that it worked with numerous retailers, and while that page is now blank, a recent version cached by Google's search engine reads: "PNI Digital Media provides a proprietary transactional software platform that is used by leading retailers such as Costco, Walmart Canada, and CVS/pharmacy to sell millions of personalized products every year. Last year, the PNI Digital Media platform worked with over 19,000 retail locations and 8,000 kiosks to generate more than 18M transactions for personalized products."

CVS Confirms Investigation

On July 17, CVS spokesman Mike DeAngelis confirmed that CVSPhoto.com may have been affected by the suspected PNI Digital Media breach. "We disabled the site as a matter of precaution while this matter is being investigated," DeAngelis tells Information Security Media Group.


The cvsphoto.com site now reads in part: "We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised. As a precaution, as our investigation is underway we are temporarily shutting down access to online and related mobile photo services. We apologize for the inconvenience."

CVS says PNI Digital Media collects credit and debit information for customers who purchase online photo services through CVSPhoto.com. Accordingly, CVS recommends that all customers of its online photo service review their credit card statements "for any fraudulent or suspicious activity" and notify their bank or card issuer if anything appears to be amiss. "Nothing is more central to us than protecting the privacy and security of our customer information, including financial information," CVS says. "We are working closely with the vendor and our financial partners and will share updates as we know more."

Rite Aid: No Suspected Card Theft

Drugstore chain Rite Aid has also taken its online and mobile photo services offline. "We recently were advised by PNI Digital Media, the third party that manages and hosts mywayphotos.riteaid.com, that it is investigating a possible compromise of certain online and mobile photo account customer data," Rite Aid's site reads. "The data that may have been affected is name, address, phone number, email address, photo account password and credit card information."


Unlike CVS, however, Rite Aid reports that it does not believe that its customers' payment-card data is at risk. "Unlike for other PNI customers, PNI does not process credit card information on Rite Aid's behalf and PNI has limited access to this information," it says, adding that it has received no related fraud reports from its customers.

Sam's Club has also taken its online photo service offline, "in an abundance of caution and as a result of recent reports suggesting a potential security compromise of the third-party vendor that hosts Sam's Photo website." As with Rite Aid, however, Sam's Club reports that "at this time, we do not believe customer credit card data has been put at risk."


Costco and Tesco Photo have also suspended their online photo services.


Walmart Canada, which also outsources online photo services to PNI, also may have been affected by the possible breach, according to The Toronto Star, and the retailer has since suspended its online photo services website. "We were recently informed of a potential compromise of customer credit card data involving Walmart Canada's Photocentre website, www.walmartphotocentre.ca," Walmart states. "We immediately launched an investigation and will be contacting customers who may be impacted. At this time, we have no reason to believe that Walmart.ca, Walmart.com or in-store transactions are affected."


Walmart did not respond to Information Security Media Group's request for comment. ISMG also reached out to office supplier Staples, which owns PNI, but did not get a response.

"PNI is investigating a potential credit card data security issue," a Staples spokesperson told The Toronto Star.

Growing Third-Party Breach Concerns

PNI's potential breach comes just a week after Denver-based managed services provider Service Systems Associates announced that a breach linked to a malware attack against its network had likely affected about 12 of the payment systems it operates for gift shops at retail locations, which include zoos, museums and parks, across the country.


Service Systems Associates says debit and credit purchases made between March 23 and June 25 may have been compromised.

On July 7, the Financial Services Information Sharing and Analysis Center, along with Visa, the U.S. Secret Service and The Retail Cyber Intelligence Sharing Center, which provides threat intelligence for retailers, issued a cybersecurity alert about risks merchants face when dealing with third parties.


The alert lists a number of security recommendations for managing third-party risks, including using multifactor authentication for remote-access login to point-of-sale systems and including specific policies related to outdated operating systems and software in contracts with vendors.


Earlier this month, Chris Bretz, director of payment risk at the FS-ISAC, warned that managed service providers that offer outsourced services to numerous merchants are increasingly being targeted by cybercriminals.


"Criminals continue to find success by targeting smaller retailers that use common IT and payments systems," Bretz said in an interview with ISMG. "Merchants in industry verticals often use managed service provider systems. There might be 100 merchants that use a managed service provider that provides IT and payment services for their business."


Will Sony Settle Cyber-Attack Lawsuit?

Did Sony underspend on information security, thus contributing to the success of the devastating hack attack against it, which came to light in November 2014? And can a business be held legally accountable by employees for their employer's information security shortcomings?


Those questions are central to a lawsuit filed by Michael Corona and eight other former Sony employees in the wake of what plaintiffs rightly dub a data breach "epic nightmare, much better suited to a cinematic thriller than to real life." Their suit accuses Sony of having failed to put an effective information security program in place, despite having previously suffered repeated, serious attacks.

"Sony failed to secure its computer systems, servers and databases, despite weaknesses that it has known about for years," the lawsuit alleges, citing in part a September 2014 audit by PricewaterhouseCoopers, which found that Sony's information security and monitoring practices fell below "prudent industry standards."


The lawsuit further alleges that nearly 100 terabytes of data was stolen, including 47,000 Social Security numbers and personally identifiable information for at least 15,000 current and former employees, some of whom had not worked for the studio since 1955. As a result, breach victims "face ongoing future vulnerability to identity theft, medical theft, tax fraud, and financial theft," the lawsuit plaintiffs allege. "In fact, plaintiffs' PII has already been traded on black market websites and used by identity thieves."

Lawsuit Ruling

Sony asked a court to dismiss the suit, and U.S. District Judge R. Gary Klausner this week did dismiss some parts, including allegations of breach of contract and that Sony failed to notify breach victims in a timely manner.


But in a setback for Sony, the judge ruled that other parts of the lawsuit can proceed, although he has yet to rule on the merits of these claims, including plaintiffs' allegation that Sony "made a business decision to accept the risk of losses associated with being hacked." The federal judge also agreed with the former employees' allegation that "to receive compensation and employment benefits, they were required to provide their PII to Sony." While many data breach lawsuits get dismissed on the grounds that the breach did not cause any economic harm to people whose information was stolen, Klausner said that by requiring employees' PII, Sony created a "special relationship that provides an exception to the economic loss doctrine."


Michael Sobol, an attorney for the plaintiffs, told the BBC, "We are pleased that the court has properly recognized the harm to Sony's employees."


A spokeswoman for Sony Pictures Entertainment did not immediately respond to a request for comment on the ruling.


In the wake of the 2014 attack, at least nine other lawsuits were filed against Sony by individual former employees. Like the Corona suit, all of these lawsuits seek class-action status, meaning they would include all current and former employees who were affected by the cyber-attack.

Wiper Malware Attack

To recap: Sony suffered a devastating wiper malware attack in November 2014, ostensibly designed to punish the company for releasing "The Interview," a satiric film starring James Franco and Seth Rogen that featured the fictional death of North Korean leader Kim Jong-un.


But before the attackers unleashed their wiper malware and began erasing Sony hard drives and bricking laptops, they penetrated Sony's network and stole tens of terabytes of data, including copies of unreleased movies and the script for the upcoming James Bond film "Spectre," as well as numerous private email exchanges, all of which the attackers began leaking.


Sony, in a December 2014 breach notification filed with California state authorities, reported that the breach appeared to compromise current and former employees' names, addresses, Social Security numbers, driver's licenses and passport numbers, corporate credit card information, usernames and passwords, and salaries. Sony also warned that individuals' "HIPAA-protected health information" may have been exposed, including medical diagnoses, dates of birth, health plan identification numbers, and personal and health-related information.


As noted in Corona's lawsuit, large amounts of this information were leaked to the Internet by attackers and likely remain in circulation.

Lawsuit Resolution: Unclear

What will happen next in the Sony class-action lawsuit saga, of course, is not clear. But based on past breach-related lawsuits, it's likely that unless the lawsuit gets dismissed, Sony will ultimately settle, rather than risk a jury trial and ruling that might give breach victims more rights.


If Sony did make a business decision to underspend on security, it was a costly move. In February, Sony said in an earnings report that it expected to spend $35 million in cleanup costs through the end of its fiscal year in March, largely related to restoring the company's "financial and IT systems." But as the multiple lawsuits highlight, Sony faces continuing legal costs, as well as the risk that it will eventually have to pay damages or settlements.


But any such settlement likely would not happen soon. Indeed, Sony only settled a lawsuit filed in the wake of its April 2011 breach - a year in which the company fell victim to more than a dozen breaches - in June 2014. That breach exposed personal information for 77 million users of the Sony PlayStation Network and Qriocity services.


By that timeline, the lawsuits stemming from the 2014 Sony cyber-attack may not be resolved until at least 2017.


Five Steps to Secure Your Data After I.R.S. Breach


The Internal Revenue Service has been added to a long list of companies and government agencies that hackers have breached in the last year.

And so, if there is any advice security experts have for those trying to keep their personal information safe, it is simply: You can’t.

“Your information has already been out there for years, available to anyone who wants to pay a couple dollars,” Brian Krebs, a security blogger who has been a frequent target of hackers, said Wednesday.

The attack on the I.R.S. is just the latest evidence that hackers already have all the information necessary to steal your identity. The agency said Tuesday that hackers used information stolen from previous breaches — including Social Security numbers, birth dates, street addresses and passwords — to complete a multistep authentication process and


But consumers can make things harder for criminals. There may be a trade-off in convenience, but experts say the alternative is a lot worse.

1. Turn on multifactor authentication.

If a service offers added security features like multifactor authentication, turn them on. When you enter your password, you will receive a message, usually via text, with a one-time code that you must enter before you can log in.

Most banking sites and popular sites like Google, Apple, Twitter and Facebook offer two-factor authentication, and will ask for a second one-time code anytime you log in from a new computer.

2. Change your passwords again.

Yes, you need to change passwords again and they have to be passwords you have never used before. They need to be long and not words you would find in a dictionary. The first thing hackers do when trying to break into a site is use computer programs that can test every word in the dictionary.

Password managers like LastPass or Password Safe create long, unique passwords for the websites you visit and store them in a database that is protected by a master password you have memorized.

It may sound counterintuitive, but the truly paranoid write down their passwords.

Security experts advise building passwords from the first letters of song lyrics, movie quotations or sayings, adding symbols or numbers and alternating lower and upper case to make the password harder to guess. For instance, the "Casablanca" movie quotation "Of all the gin joints, in all the towns, in all the world, she walks into mine" becomes OaTgJ,iAtT,iAtW,sWiM.

Use stronger, longer passwords for sites that contain the most critical information, like bank or email accounts.
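The two points above (a dictionary pass is the first thing a cracking tool tries, and a phrase-derived password with alternating case survives it) can be checked mechanically. The script below is an added example, not code from the article or from any password manager it mentions: it builds the "Casablanca" password with the rule described, then runs a crude imitation of a cracker's dictionary pass (a constructed seven-word list standing in for a real wordlist, plus a handful of assumed "leet" substitutions) and estimates how many guesses each password would cost.

```python
import re

# Constructed sample wordlist standing in for the dictionary a cracking tool
# iterates over; a real list has hundreds of thousands of entries.
SAMPLE_WORDLIST = {"casablanca", "password", "gin", "joints", "welcome", "letmein", "sunshine"}

# Assumption: the most common single-character substitutions that a cracking
# rule set undoes before looking a candidate up in the wordlist.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s"})


def mnemonic_password(phrase: str) -> str:
    """First letter of every word, alternating upper/lower case from word to
    word, keeping trailing punctuation (commas) as extra symbols."""
    out = []
    for index, word in enumerate(phrase.split()):
        initial = word[0]
        out.append(initial.upper() if index % 2 == 0 else initial.lower())
        trailing = re.search(r"[^\w]+$", word)  # e.g. the comma after "joints,"
        if trailing:
            out.append(trailing.group(0))
    return "".join(out)


def normalize(password: str) -> str:
    """Strip digits/symbols from the edges and undo leet substitutions, so that
    'P@ssw0rd1' collapses to 'password' the way a rule set would see it."""
    core = password.strip("0123456789!@#$%^&*()_+-=[]{};:'\",.<>/?").lower()
    return core.translate(LEET_MAP)


def is_dictionary_based(password: str, wordlist=SAMPLE_WORDLIST) -> bool:
    """True if the password is a single dictionary word in disguise."""
    return normalize(password) in wordlist


def attack_cost(password: str, wordlist=SAMPLE_WORDLIST, wordlist_size: int = 10**6) -> int:
    """Rough upper bound on guesses: a dictionary-based password falls within
    one pass over the list; anything else forces a search of charset**length."""
    if is_dictionary_based(password, wordlist):
        return wordlist_size
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"[0-9]", password):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", password):
        charset += 33  # printable ASCII punctuation
    return charset ** len(password)


if __name__ == "__main__":
    quote = "Of all the gin joints, in all the towns, in all the world, she walks into mine"
    for candidate in (mnemonic_password(quote), "P@ssw0rd1", "Casablanca!"):
        print(f"{candidate:24} dictionary-based={is_dictionary_based(candidate)!s:5} "
              f"guesses<={attack_cost(candidate):.3g}")
```

The numbers are an upper bound on the attacker's work, not a strength score: a phrase that is itself famous (or already leaked) would be guessed far sooner than the charset arithmetic suggests, which is why the article recommends a password manager for everything that does not have to be memorised.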

3. Forget about security questions.

Sites will often use security questions such as “What was the name of your first school?” or “What is your mother’s maiden name?” to recover a user’s account if the password is forgotten.

These questions are problematic because the Internet has made public record searches a snap and the answers are usually easy to guess.

In a recent study, security researchers at Google found that with a single guess, an attacker would have a 19.7 percent chance of duplicating an English-speaking user’s answer to the question, “What is your favorite food?” (It was pizza.)

With 10 tries, an attacker would have a 39 percent chance of guessing a Korean-speaking user’s answer to the question, “What is your city of birth?” and a 43 percent chance of guessing the favorite food.

Jonathan Zdziarski, a computer forensics expert, said he often answers these questions with an alternate password. If a site offers only multiple choice answers, or only requires short passwords, he won’t use it.

“You can tell a lot about the security of a site just by looking at the questions they’ll ask you,” he said.

4. Monitor your credit.

Typically a service will offer one year of free credit monitoring if it has been breached. But be aware that attackers do not dispose of your Social Security number, birth date or password a year after they acquire it.

It is better to monitor your credit aggressively at all times through free services like AnnualCreditReport.com.

5. Freeze your credit.

In the attack on the I.R.S., a credit freeze might not have stopped thieves from filing false tax refund claims, but it could have stopped them from pulling tax transcripts or opening other accounts.

To freeze your credit, call Equifax, Experian or TransUnion and ask to have your account frozen. The credit agency will mail a one-time PIN or password to unfreeze your account later.

The fee to freeze and refreeze credit varies by state. If you plan on applying for a new job, renting an apartment or buying insurance, you will have to thaw a freeze temporarily and pay a fee to refreeze the account.

But if you have been a victim of identity theft, and can show a police report proving as much, most states will waive the freeze fee.



Why It's Tough to Pass Data Breach Bill


Backers of a national data breach notification law say it would greatly simplify compliance for businesses, which now must comply with laws in 51 different jurisdictions - 47 states, three territories and Washington, D.C.


But does that simplification come at too high a cost? Some federal lawmakers think so. They say passing a national data breach notification law would weaken data security protections found in certain states' statutes, thus doing more harm than good.

And those concerns are a major reason why building a consensus that paves the way for enacting a national breach notification law will prove difficult, if not impossible.

'Confusing for Businesses'

Last January, President Obama noted when he proposed his version of national data breach notification: "Right now, nearly every state has a different law on this, and it's confusing for consumers and it's confusing for companies, and it's costly, too, to have to comply to this patchwork."


Almost every bill introduced in Congress over the past decade to create a national data breach notification standard would pre-empt state statutes. But that comes at a price. Several states, most notably Massachusetts, prescribe specific steps businesses must take to safeguard personally identifiable information. Most national data breach notification proposals don't require safeguards beyond saying businesses should take "reasonable" steps to secure PII.


Some industry experts - such as Larry Clinton, president of the trade group Internet Security Alliance - say they have seen no evidence that consumers' PII is more secure in those states that have more stringent security requirements. "To the notion that states can enact strong laws is, from a consumer perspective, a red herring," he says.

Middle Ground?

But some senators strongly disagree with Clinton's point of view.

"There are a number of like-minded senators who are paying attention to this issue and trying to push for a federal law ... that keeps state laws untouched as a middle-ground approach," says Chris Pierson, general counsel and chief security officer at payments provider Viewpost. "While this is more palatable for Congress, it does little to stem the growing diversity of state laws and the burden of conflicting state requirements."


One of those senators seeking a middle-ground approach is Richard Blumenthal, D-Conn., who, along with five other Democratic senators, has introduced legislation creating a national data breach notification law with a proviso: It won't pre-empt more stringent state laws.


"We must ensure consumers have strong protections on the federal level, but in so doing, we must make sure Congress doesn't weaken state protections that consumers rely on to keep their information safe," Blumenthal says. "Importantly, this measure strikes the right balance between state rights and strong federal enforcement and extends consumer privacy protections into a new digital era."

A right balance? Sasha Romanosky, an associate policy researcher at the think tank Rand Corp., characterizes the Democratic senators' bill as a "workaround" that sets a "national floor for breach compliance." But Romanosky is concerned that "then you'd just have the same issue as there is now: 47 potentially distinct state laws."


The Democrats' bill - like the Massachusetts statute - contains a list of security requirements with which businesses would have to comply. That makes the bill unpassable. Nearly every GOP lawmaker opposes any measure that would place additional requirements on businesses.

60-Vote Threshold

Consumer advocacy groups generally oppose national data breach notification legislation that would weaken states' security standards. And those groups might have the clout to get enough Democratic senators to oppose any measure that would pre-empt state laws.

Sixty votes generally are needed for a bill to be considered by the Senate; the upper chamber has 44 Democrats and two independents who caucus with them. So getting 41 senators to block a vote on a data breach notification bill is possible.


Whether stricter state laws actually provide consumers with better security protections is debatable, but the perception among a number of lawmakers - mostly Democrats - is that they do. If at least 41 senators agree with that notion, then Congress will not enact a national breach notification law.



Ransomware: The Right Response


So-called ransomware attacks are on the rise, in large part because targeted businesses are increasingly willing to negotiate with - and even pay - their extortionists.


Ransomware has been getting a lot of media attention of late. On April 1, security firm Trend Micro reported that since the beginning of the year, numerous variants of crypto-ransomware have been discovered in the wild, striking consumers and businesses throughout the world.



Just weeks earlier, security firms FireEye and Bitdefender issued warnings about new ransomware trends that were making these attacks more difficult to thwart and detect.


Now experts are calling attention to one of the reasons why ransomware attacks are becoming more common - because organizations say they'd rather not deal with the fallout that trails a breach or cyber-attack that goes public. Instead of getting law enforcement involved, they'd rather try their hands at making deals with their attackers first.


But paying ransom is short-sighted and is never a good idea. Why? Because cybercriminals rarely keep their end of the bargain. Organizations that negotiate with hackers often end up with lost data after paying a hefty ransom.


Lance James, who heads up cyber-intelligence at consultancy Deloitte & Touche, says most businesses that pay ransoms never have their data restored or their encrypted files decrypted.


During his presentation at Information Security Media Group's Fraud Summit in Atlanta, James discussed ransomware cases he has investigated. He noted that in most of those cases, businesses paid the ransom and then the attackers disappeared, never fulfilling their end of the negotiating bargain.


Of course, organizations should prepare for these types of attacks by taking steps now to ensure they have data and drive backups, and that they have strong multifactor authentication requirements for access to servers, in the event an employee's credentials are hijacked during one of these attacks.


But businesses also need to spend more time educating their staff about how ransomware attacks work, why these attacks are waged, and why reporting these attacks to law enforcement, rather than trying to handle them internally, is so critical.

The Attack Strategy

Ransomware attacks are waged in two parts. First, a PC or mobile device is infected with malware that locks the corporate user out or encrypts files so that the user can no longer access them. Then a ransom is demanded through an automated message that appears on the device's screen. The user is told he or she has a limited amount of time to pay the ransom before the device will be wiped clean or the files will be erased.
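The first stage described above leaves a measurable trace: files that were readable documents suddenly consist of ciphertext, which is statistically indistinguishable from random bytes. The script below is an added example, not part of the ISMG article, showing the simplest detection check a defender can run over a file share: sample the head of each file, compute its Shannon entropy, and flag anything that scores like ciphertext. The sample tree it scans is constructed in a temporary directory (three text files, two of them overwritten with random bytes to stand in for ransomware output); the 7.5 bits/byte threshold and the 4 KB sample size are assumptions, not values from the article.

```python
import math
import os
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for English text, close to 8 for
    ciphertext or random bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def scan_for_encrypted_files(root: str, threshold: float = 7.5,
                             sample: int = 4096, min_size: int = 256):
    """Walk a tree and return the files whose leading bytes look like ciphertext.
    Caveat: compressed formats (zip, jpeg, pdf streams) also score high, so in
    production filter by extension or magic bytes, or compare against a baseline
    scan and alert on the *change* in how many files score high."""
    suspicious = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(sample)
            if len(head) >= min_size and shannon_entropy(head) >= threshold:
                suspicious.append(path)
    return sorted(suspicious)


def encryption_ratio(root: str, **scan_options):
    """(flagged, total) file counts; a sudden jump in the ratio is the signal."""
    total = sum(len(names) for _, _, names in os.walk(root))
    return len(scan_for_encrypted_files(root, **scan_options)), total


def build_sample_tree(root: str) -> None:
    """Constructed sample data: three documents, two of which have been replaced
    by random bytes (os.urandom) standing in for a ransomware's output."""
    plaintext = ("Quarterly budget notes for the clinic front desk. " * 40).encode()
    for name in ("budget.txt", "patients.csv", "notes.txt"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(plaintext)
    for name in ("budget.txt", "patients.csv"):
        with open(os.path.join(root, name + ".locked"), "wb") as fh:
            fh.write(os.urandom(4096))
        os.remove(os.path.join(root, name))


def demo():
    """Build the sample tree, scan it, and return (flagged, total, flagged names)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        flagged, total = encryption_ratio(root)
        names = [os.path.basename(p) for p in scan_for_encrypted_files(root)]
        return flagged, total, names


if __name__ == "__main__":
    flagged, total, names = demo()
    print(f"{flagged} of {total} files look encrypted: {names}")
```

Run periodically against the same share, the interesting output is not the absolute count but its derivative: a share that goes from one percent high-entropy files to sixty percent within an hour is being encrypted, and that is the moment to pull the network cable and reach for the backups the article says you should already have.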


The tools for these attacks are easy to buy and technical support for waging the attacks is inexpensive.


Law enforcement agencies, such as the Federal Bureau of Investigation, have advised consumers and businesses to immediately report ransomware schemes when they occur.


But security researchers say that, despite those warnings, many businesses are opting to either pay the ransom or are engaging in direct negotiations with their attackers instead of getting the authorities involved.

Willingness to Negotiate

A new study from cyber-intelligence firm ThreatTrack Security finds that 40 percent of security professionals believe their organizations have been targeted by a ransomware attack. Of those that believe they've been targeted, 55 percent say that when under attack, they are willing to negotiate a ransom in exchange for the release of corporate data or files.


ThreatTrack's research also finds that one in three security pros would recommend to upper management that their companies negotiate a ransom to see if they could avoid public disclosure of a breach involving stolen data or files that have been encrypted as part of the attack.


In fact, 66 percent of those surveyed by ThreatTrack say they fear negative reactions from customers and/or employees whose data was compromised in a breach if those customers or employees were to learn that their organizations chose not to negotiate with cybercriminals for the return of data.


ThreatTrack's survey includes responses from 250 U.S. security professionals at companies with 500 to 2,500 employees.

Beware of a Quick Fix

When it comes to ransomware attacks waged against corporations, many victimized organizations see paying the criminals what they want as the easiest way to make the problem go away.


But criminals rarely hold up their end of the bargain, so negotiating with anyone who is demanding a ransom is just a bad idea.

Obviously, more education, from the CEO down to the employee, is needed. But we also need a shift in the corporate culture, with an emphasis on looking beyond a "quick fix" for avoiding breach publicity.

Information sharing with peers can play a critical role as well. The more we talk about these attacks and share the techniques used, the more we can learn about how to defend our networks and shield our employees from falling victim to the phishing schemes that are often used to infect systems in the first place.


Security vendors need to step up their efforts here, too. Rather than just supplying intrusion detection, they also need to provide some good-old-fashioned education.


More than half of Americans say it's 'unacceptable' for government to monitor citizens' communications


More than half of Americans now say it's unacceptable for the government to monitor the communications of US citizens, according to a new survey conducted by the Pew Research Center on Americans’ privacy strategies post-Snowden.

In 2013, NSA contractor Edward Snowden leaked documents detailing the explosion of government surveillance programs after 9/11.

Outrage ensued. Americans had no idea the spying had become so pervasive, and many were shocked to learn their phone and email communications may have been monitored.

But even after the Snowden revelations, Americans remain divided on the acceptability of government surveillance: 52% describe themselves as “very concerned” or “somewhat concerned” about government surveillance of Americans’ data and electronic communications, while 46% describe themselves as “not very concerned” or “not at all concerned” about the surveillance, according to the Pew survey. 

When it comes to government surveillance of suspected terrorists or foreign leaders, Americans are more than comfortable with government spying: 82% of Pew survey respondents said it's acceptable to monitor communications of suspected terrorists, while 60% believe it is acceptable to monitor the communications of American leaders.

Interestingly, Americans' attitudes towards surveillance have not changed much in the last decade. In 2006, roughly 51% of Americans surveyed responded that government surveillance, including wire-tapping, was acceptable, according to a survey by the Washington Post and Pew Research Center. The same survey revealed that even after Snowden leaked NSA documents, revealing the extensive powers of the agency, 56% of Americans surveyed said such powers were warranted.

Most Americans still believe the government should investigate terrorists even if it intrudes on their own privacy. When asked in 2013 whether they thought the government should be able to monitor everyone's email to protect against terrorism, 45% of respondents said yes. Two years later, more than half of survey respondents say they are not at all concerned about government surveillance of their own email messages.



This USB Drive Can Nuke A Computer


Never plug in a random USB flash drive. There are plenty of software exploits that can ruin your computer or your life, and this flash drive goes further: it physically destroys the computer by dumping a large negative voltage into the USB signal lines. Think Wile E. Coyote and an ACME Human Cannon. BOOM!


The basic idea of the USB drive is quite simple. When we connect it up to the USB port, an inverting DC/DC converter runs and charges capacitors to -110V. When the voltage is reached, the DC/DC is switched off. At the same time, the field transistor opens. It is used to apply the -110V to signal lines of the USB interface. When the voltage on capacitors increases to -7V, the transistor closes and the DC/DC starts. The loop runs till everything possible is broken down. Those familiar with electronics have already guessed why we use negative voltage here. I'll explain to others that negative voltage is easier to commutate, as we need the N-channel field transistor, which, unlike the P-channel one, can have larger current for the same dimensions.

Put simply, the circuitry inside the USB drive draws and stores a large charge. When a set voltage is reached, it dumps that charge back into the source, which is either a dedicated USB controller or the CPU itself. That is bad news. The surge overloads the circuits, rendering them useless, and since many USB controllers are built directly into the main processor... bye bye computer.

Scary. Thankfully the creator hasn’t released the schematic for the drive.

There are enough USB exploits floating around to warrant caution. Some will silently install malware or backdoor software, and now there is at least one that will actually destroy your computer. It's straight out of a Colin Farrell spy movie and a fantastic argument for Apple's vision of the future.



'Freak' Flaw Also Affects Windows


Microsoft is warning that all supported Windows operating systems are at risk from the vulnerability known as Freak, for "Factoring RSA-EXPORT Keys." The flaw exists in SSL/TLS implementations and could be abused by a man-in-the-middle attacker to force a connection to downgrade from a "strong" RSA cipher suite to a weaker, "export-grade" RSA suite whose short key can be factored.

A new Microsoft security advisory (KB3046015) warns that Secure Channel, or Schannel, which encrypts traffic and transactions on most Windows platforms, is at risk from the Freak flaw.


"Microsoft is aware of a security feature bypass vulnerability in Secure Channel that affects all supported releases of Microsoft Windows," the alert says. "Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system."

As yet, there's no patch available for vulnerable Windows systems, although information security experts say they expect Microsoft to release related fixes quickly. In the interim, Microsoft has detailed a temporary workaround that can be used for most Windows systems. "You can disable the RSA key exchange ciphers in Windows Vista and later systems by modifying the SSL Cipher Suite order in the Group Policy Object Editor," it says. But it warns: "Windows will fail to connect to systems that do not support any of the ciphers listed in the workaround."

To date, however, there's no fix or workaround available for Windows Server 2003. "The cipher management architecture on Windows Server 2003 does not allow for the enabling or disabling of individual ciphers," Microsoft says.

Risks to Apple, Android, Cloud

After quietly warning security vendors, government agencies and other organizations in recent weeks, security researchers first sounded a public alert about the Freak vulnerability on March 3. They've warned that the vulnerability exists in versions of OpenSSL prior to 1.0.1k, all Android devices that ship with the standard browser, as well as in Apple SSL/TLS clients, which are used by both Mac OS X clients and iOS mobile devices, among other operating systems. The vulnerability has been designated as CVE-2015-0204.

The Freak flaw could be exploited to downgrade a browser or other client's Internet connection from a relatively secure cipher, to an outdated - and weak - "export cipher," which attackers could then crack, allowing them to intercept communications or inject attack code into browsers. "What Freak allows you to do is, if you can break the RSA export-strength key, then you can provide a 'valid' certificate for a man-in-the-middle attack," says Gavin Millard, technical director for Europe, the Middle East, and Africa at Tenable Network Security. Tenable, which sells the widely used Nessus vulnerability scanner, has released a Nessus plug-in that will scan for Windows clients and servers that are vulnerable to Freak.

No Attacks Seen

But to date, there have been no signs that the Freak flaw has ever been exploited in the wild - against Windows servers and systems, or any other device. "The reality is, it's still really difficult to do - to break a key, it would still take a few hours or $100 of Amazon EC2 time," Millard says, referring to Amazon's Elastic Compute Cloud, which offers on-demand processing power. "There are so many other ways to break into a site. Hackers are smart; they don't use a sledgehammer to crack a walnut."

Still, related vulnerabilities remain widespread. The Freak Attack website, which is run by researchers at the University of Michigan, has been tracking the extent of the Freak vulnerability. The site reports that as of March 6, 9.5 percent of the websites on the Alexa list of the 1 million most popular domains remained vulnerable to Freak, although that was a decrease from 12.2 percent of all such sites when the Freak vulnerability was first publicized on March 3. But 37 percent of all HTTPS servers with browser-trusted certificates remained vulnerable to Freak, as did 26 percent of all HTTPS servers, and neither of those statistics had declined since Freak was first publicized, the researchers say.

As of March 6, the Freak Attack website reported that the following client software remained vulnerable to the Freak flaw:

  • Internet Explorer
  • Chrome on Mac OS (patch available now)
  • Chrome on Android
  • Safari on Mac OS (patch due week of March 9)
  • Safari on iOS (patch due week of March 9)
  • Stock Android Browser
  • BlackBerry Browser
  • Opera on Mac OS
  • Opera on Linux

Cloud security firm Skyhigh Networks reported that as of March 4, 766 cloud providers also remained unpatched against the vulnerability, thus leaving their users at risk. "These services include some of the leading backup, HR, security, collaboration, CRM, ERP, cloud storage, and backup services," Sekhar Sarukkai, vice president of engineering at Skyhigh, says in a March 5 blog post. Across the company's 350 customers, meanwhile, he reports that 99 percent use at least one cloud provider that's vulnerable to the Freak flaw, while the average company uses 122 vulnerable services.

Don't Freak: How to Mitigate

The Freak Attack site says that to mitigate the vulnerability, anyone running a server "should immediately disable support for TLS export cipher suites," and that anyone who uses a browser should ensure that they have the latest version installed, and keep checking for new upgrades, since all major browsers should soon see a fix.

Finally, Freak Attack recommends that all systems administrators and developers ensure that their TLS libraries are fully updated. "Both OpenSSL and Microsoft Schannel are known to be vulnerable," it says. "Note that these libraries are used internally by many other programs." The site offers a number of tools that can be used to test for related flaws.
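The downgrade described earlier and the mitigation just quoted ("disable support for TLS export cipher suites") both come down to which code points appear in the cipher_suites field of a TLS ClientHello and which one the server agrees to. The script below is an added example, not code from the Freak Attack site, Microsoft or Tenable: it serialises a minimal TLS 1.2 ClientHello (constructed test input with a zeroed client random, never something a real client should do), parses the offered suites back out of the record, flags the export-grade code points from the IANA TLS cipher suite registry, and shows a server-side selection routine that refuses an export suite even when the client offers it, which is the check that closes the downgrade path on the server.

```python
import struct

# Export-grade cipher suite code points from the IANA TLS registry: the suites
# FREAK downgrades a connection to. All use 512-bit-or-weaker key exchange.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

# A few non-export suites used in the sample hello (IANA names).
STRONG_SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}


def build_client_hello(suites, session_id=b"") -> bytes:
    """Serialise a minimal TLS 1.2 ClientHello inside a handshake record.
    Constructed test input: the 32-byte client random is all zeros here,
    which a real client must never do."""
    body = struct.pack("!H", 0x0303) + bytes(32)            # client_version, random
    body += struct.pack("!B", len(session_id)) + session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)  # cipher_suites
    body += b"\x01\x00"                                      # one compression method: null
    body += b"\x00\x00"                                      # empty extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record: bytes):
    """Return the cipher suites offered in a ClientHello handshake record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                      # skip client_version and random
    pos += 1 + body[pos]              # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]


def export_suites_offered(suites):
    """Names of any export-grade suites in an offered list (should be empty)."""
    return [EXPORT_SUITES[s] for s in suites if s in EXPORT_SUITES]


def select_cipher_suite(offered, server_preference):
    """Server-side selection honouring server order, but never an export suite:
    the equivalent of removing the export suites from the server's config."""
    for suite in server_preference:
        if suite in offered and suite not in EXPORT_SUITES:
            return suite
    return None


if __name__ == "__main__":
    hello = build_client_hello([0xC02F, 0x002F, 0x0003, 0x0008])
    offered = parse_client_hello(hello)
    print("offered:", [hex(s) for s in offered])
    print("export suites offered:", export_suites_offered(offered))
    print("server picks:", select_cipher_suite(offered, [0x0003, 0xC02F, 0x002F]))
```

The parser deliberately covers only the record and ClientHello framing it needs; extensions are skipped. Note that a client such as the vulnerable OpenSSL and Schannel builds did not offer export suites at all, which is what made FREAK an implementation bug rather than a configuration one: the client accepted an export-grade key it had never asked for. That is why the Freak Attack site's advice is two-sided: remove the suites from servers so nothing can be negotiated down to them, and patch clients so they reject an export key that arrives unrequested.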

This is not the first time that Microsoft's Schannel has been at risk from a newly discovered vulnerability. In particular, a zero-day vulnerability in Schannel was disclosed in November 2014. Before that, Schannel was at risk from the so-called POODLE flaw in SSL 3.0, first publicly revealed Oct. 14, which was later found to affect some TLS implementations as well. The flaw could be exploited to intercept and read encrypted Internet communications, steal session cookies and impersonate users.



Lenovo Website Hijacked


Lenovo.com, the website of the world's largest PC manufacturer, was hacked on Feb. 25, and visitors were redirected to an attacker-controlled page. The hacking group Lizard Squad, which has claimed credit for the attack via Twitter, also appears to have intercepted some Lenovo e-mails.

"Lenovo has been the victim of a cyber-attack," spokeswoman Wendy Fung told Information Security Media Group on Feb. 26. "One effect of this attack was to redirect traffic from the Lenovo website. We are also actively investigating other aspects. We are responding and have already restored certain functionality to our public-facing website.


"We regret any inconvenience that our users may have if they are not able to access parts of our site at this time," Fung added. "We are actively reviewing our network security and will take appropriate steps to bolster our site and to protect the integrity of our users' information and experience. We are also working proactively with third parties to address this attack and we will provide additional information as it becomes available."

Lenovo appeared to have restored complete access to its public website by the evening of Feb. 25.

The attack follows revelations that Lenovo, in recent months, had been preinstalling Superfish, which is adware that information security experts warn could be abused by attackers to intercept consumers' communications on many of its consumer devices.

In response to those reports, Lenovo has apologized and released utilities consumers can use to expunge Superfish from their systems. Lenovo has also worked with McAfee, Microsoft and Trend Micro, which have classified the Superfish software as malware and targeted it for removal by their anti-virus engines; Lenovo says this will remotely wipe the adware from many systems.

Lizard Squad has recently claimed credit for a number of attacks, including the January disruption of the Malaysian Airline website, as well as the 2014 Christmas Day disruption of the Sony PlayStation and Microsoft Xbox Live networks.

Hacking Lenovo's DNS

The Lenovo.com website disruption began Feb. 25 at about 4 p.m. ET, with visitors to the site being redirected to another site that was labeled as being "the new and improved rebranded Lenovo website," accompanied by a slideshow of bored-looking teenagers looking at webcams, as the song "Breaking Free" - from the movie "High School Musical" - played in the background, technology publication The Verge first reported.

"We're breaking free! Soarin', flyin', there's not a star in heaven that we can't reach!" Lizard Squad tweeted at 4:19 p.m. ET via its @LizardCircle account, referencing the lyrics from the "High School Musical" song.

Security experts say Lizard Squad appears to have hijacked the Lenovo.com website by compromising its domain registrar, Web Commerce Communications Limited - better known as Webnic.cc. The attackers were then able to alter the Lenovo.com DNS settings, ultimately transferring them to servers run by the distributed denial-of-service attack defense service CloudFlare.

"To all asking: Lenovo was NOT a CF customer; their domain was hijacked & transferred to us," CloudFlare principal security researcher Marc Rogers tweeted on Feb. 25. "We are working with them to restore service."

The choice of CloudFlare was no doubt an ironic move, given that Lizard Squad says its attacks are meant to advertise its own DDoS service, Lizard Stresser.

Domain Registrar Offline

Following the attack, the Webnic.cc website has been unavailable, resolving to a "service temporarily unavailable" error message. Contacted on Feb. 26, a member of the Webnic.cc customer support team, based in Kuala Lumpur, Malaysia, declined to comment on the reported attack or on whether the website outage was intentional - for example, whether the registrar took the site down to conduct a digital forensics investigation and remediate affected systems following the apparent hack attack.

If Lizard Squad obtained access to internal Webnic.cc systems, then it could have transferred the Lenovo.com website to any address of its choosing. Bolstering that theory, Lizard Squad has published what it claims to be an authorization key - also known as an auth code or EPP key - that it stole from Webnic.cc. Such keys are used to authorize the transfer of domains between registrars.
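The defensive counterpart to the registrar-level hijack described above is routine monitoring of a domain's delegation and lock status: if the NS records or registrar change unexpectedly, or the transfer and update locks are missing, a domain owner should be paged before visitors notice. The following script is an added example and is not code from the article, Lenovo, Webnic.cc or CloudFlare. The domain name, registrar name, nameservers and status values are constructed placeholders; in a real deployment the current snapshot would be built from an NS lookup and the registrar's RDAP record, and the baseline from the last known-good run.

```python
"""Check a domain's delegation and registrar lock status against a baseline.

Added example (not code from the article, Lenovo, Webnic.cc or CloudFlare).
Both snapshots are constructed inline so the script runs offline.
"""
from dataclasses import dataclass

# EPP status codes (RFC 5731) that a registrar sets to block transfers or
# nameserver/contact updates until an explicit unlock step is performed.
TRANSFER_LOCKS = {"clientTransferProhibited", "serverTransferProhibited"}
UPDATE_LOCKS = {"clientUpdateProhibited", "serverUpdateProhibited"}


def normalize_status(value):
    """Map an RDAP status string (RFC 8056 style, e.g. 'client transfer
    prohibited') to its EPP camelCase form; EPP-style input is left alone."""
    words = value.strip().split()
    if len(words) == 1:
        return words[0]
    return words[0].lower() + "".join(w.capitalize() for w in words[1:])


@dataclass(frozen=True)
class DomainSnapshot:
    domain: str
    registrar: str
    nameservers: frozenset  # lowercase FQDNs without trailing dot
    statuses: frozenset     # EPP-style status codes


def snapshot(domain, registrar, nameservers, statuses):
    """Build a snapshot with normalized nameserver names and status codes."""
    return DomainSnapshot(
        domain=domain.lower(),
        registrar=registrar,
        nameservers=frozenset(ns.lower().rstrip(".") for ns in nameservers),
        statuses=frozenset(normalize_status(s) for s in statuses),
    )


def check_domain(baseline, current):
    """Return a list of (severity, message) findings; an empty list means
    the delegation is unchanged and the locks are in place."""
    findings = []
    if current.nameservers != baseline.nameservers:
        added = sorted(current.nameservers - baseline.nameservers)
        removed = sorted(baseline.nameservers - current.nameservers)
        findings.append(("critical",
                         f"NS delegation changed: added {added}, removed {removed}"))
    if current.registrar != baseline.registrar:
        findings.append(("critical",
                         f"registrar changed from {baseline.registrar!r} "
                         f"to {current.registrar!r}"))
    if not current.statuses & TRANSFER_LOCKS:
        findings.append(("high",
                         "no transfer lock set; the domain can be moved with "
                         "the auth code alone"))
    if not current.statuses & UPDATE_LOCKS:
        findings.append(("medium",
                         "no update lock set; nameservers can be changed "
                         "without an unlock step"))
    return findings


# Constructed baseline and observed values (placeholder names, not real records).
BASELINE = snapshot("example.com", "Example Registrar Inc.",
                    ["ns1.example.net.", "ns2.example.net."],
                    ["clientTransferProhibited", "clientUpdateProhibited"])
OBSERVED = snapshot("example.com", "Example Registrar Inc.",
                    ["ns1.example.net", "ns-hijacked.example-cdn.test"],
                    ["client delete prohibited"])

if __name__ == "__main__":
    for severity, message in check_domain(BASELINE, OBSERVED):
        print(f"[{severity}] {message}")
```

Run on a schedule against every domain the organization owns, and treat a "critical" finding as an incident rather than a ticket: a delegation change at the registrar is exactly the signal that was visible to outsiders during the Lenovo.com outage.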

Lenovo E-Mail Theft?

Lizard Squad has also published two e-mails that had apparently been sent to employees at Lenovo - with a Lenovo.com e-mail address - on Feb. 25, during the time when the hacking group appeared to have been in control of the Lenovo.com DNS settings. One e-mail cited The Verge report that the Lenovo.com website had been hacked as of 4 p.m. ET, and that Lizard Squad appeared to be responsible.

Another published e-mail referred to a Lenovo Yoga laptop that was "bricked" when a customer attempted to run Lenovo's update to remove the Superfish application and root certificate that it was preinstalling on many of its consumer devices (see Lenovo Drops Superfish Adware). "FYI - the process to remove the Superfish software from the Yoga 11 has resulted in a failed device. Can we get him a new one?" the internal e-mail reads.

Lenovo's Fung declined to comment on whether those e-mails were genuine. But Lizard Squad says via Twitter: "We'll comb the Lenovo dump for more interesting things later."

Follows Google Vietnam Hack

The Lenovo website hack follows Lizard Squad claiming credit for the recent disruption of Google.com.vn, or Google Vietnam, which was reportedly also registered with Webnic.cc. For several hours on Feb. 23, visitors to that Google website were reportedly redirected to a website that showed a man taking a "selfie" in the mirror with his iPhone, underneath the words "Hacked by Lizard Squad," The Wall Street Journal reports.

Google says that its systems were not breached by the attack, and that its domain name registrar was responsible. "For a short period today, some people had trouble connecting to google.com.vn, or were being directed to a different website," a Google spokesman told The Wall Street Journal. "We've been in contact with the organization responsible for managing this domain name and the issue should be resolved."



6 Sony Breach Lessons We Must Learn


After the complete collapse of network security at Sony Pictures Entertainment - in the wake of its data breach - the organization's fundamental mistakes deserve to be highlighted; there are lessons to be learned for all. Here's my macro view of the information security lessons every organization should take away:

1. Watch Your Risk Tolerance. First, Sony Pictures appears to have chosen a relatively high level of risk regarding its information security posture. This conclusion is supported both by comments made by its chief information security officer and by e-mails leaked by the attackers. In choosing that posture, it is highly unlikely that Sony's executives anticipated the consequences that would ultimately befall either their enterprise or the nation. Perhaps many enterprises need to rethink the duty they owe to their neighbors.

Sony Pictures is a publishing company. Its "crown jewels" are information assets. Unreleased movies, scripts, agreements with talent, and even technology are Sony's "stock in trade." The compromise of one, or even a few systems on its network should not result in the loss of strategic assets, much less absolutely everything on the network.

2. This is Vandalism, Not War. North Korea was a huge beneficiary of the Sony breach, while the "world's remaining superpower" and another prime adversary - Japan - were both humiliated in name, if not at their instigation. That said, the Sony breach was vandalism, not an act of war. It may even have been purely opportunistic, with a patina of justification added after the fact.

3. Data Exfiltration Must be Caught. The attack used widely available tools against people and weak system and network configurations, rather than exploiting glaring software vulnerabilities. Most significantly, the attack required days to weeks to unfold, and involved all kinds of related, malicious activity, including the exfiltration of hundreds of gigabytes of data - if not more - that should not have gone unrecognized.

4. We're All Vulnerable. We're all at risk from the type of attack that successfully breached Sony. That vulnerability is rooted partly in our culture of freedom, which is valued, but too easily eroded in the face of fear. It is also rooted in our technology infrastructure, which we use widely and depend on heavily, and from which we derive both productivity and comfort. The success of the Sony attack, however, has raised fears - which may or may not be justified - that our entire infrastructure is vulnerable to attack, and that as a society we could be not just beneficiaries of the Internet, but also victimized by it.

5. Beware the Business Impact. I have always argued that outsiders damage the brand, but insiders bring down the business. Sony may break that rule. By the time the final cost of this breach is tallied, we will probably have lost interest, but it may be the most damaging attack against a single enterprise that wasn't launched by an insider. I expect that Sony Pictures will survive as a business unit within Sony. Whether it could survive as a stand-alone business is far less certain.

6. These Incidents Make Us All Look Bad. The changing rhetoric from Sony has been less than satisfying. The response of the exhibitors can best be described as craven. The coverage of the media has been gleeful. So far the government has been reduced to the wringing of hands. None of us looks very good. One would like to hope that we take all these lessons to heart, but I fear that in the face of the exponential growth of our information infrastructure, things are likely to get worse before they get better.
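Lesson 3 above turns on a measurable point: hundreds of gigabytes leaving a network over days should trip an alarm. The script below is an added example, not code from the article or from Sony, showing the simplest useful form of that control: sum outbound bytes per internal host per one-hour window and flag any host that exceeds a threshold. The flow records are constructed inline in a NetFlow-like shape (timestamp, source, destination, bytes sent), and the 10.0.0.0/8 addresses, the 1 GB threshold and the one-hour window are assumptions to be replaced with the monitored network's own ranges and baseline.

```python
"""Flag hosts whose outbound volume to external addresses exceeds a threshold
in any one-hour window.

Added example (not code from the article or from Sony). The flow records are
constructed inline; a real deployment would feed exported flows or proxy logs
in the same (timestamp, src, dst, bytes) shape.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# RFC 1918 ranges treated as "inside"; adjust to the monitored network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ONE_HOUR = timedelta(hours=1)
ONE_GB = 1_000_000_000  # assumed per-host hourly threshold


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def window_start(ts, window=ONE_HOUR):
    """Floor a timestamp to the start of its window (window must divide a day)."""
    day_start = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    buckets = (ts - day_start) // window   # timedelta // timedelta -> int
    return day_start + buckets * window


def outbound_by_host(flows, window=ONE_HOUR):
    """Sum bytes per (internal source, window) for flows leaving the network.
    Internal-to-internal and inbound flows are ignored."""
    totals = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, window_start(ts, window))] += nbytes
    return dict(totals)


def find_exfiltration(flows, threshold_bytes=ONE_GB, window=ONE_HOUR):
    """Return [(src, window_start, total_bytes)] strictly over the threshold,
    largest first."""
    hits = [(src, start, total)
            for (src, start), total in outbound_by_host(flows, window).items()
            if total > threshold_bytes]
    return sorted(hits, key=lambda h: h[2], reverse=True)


# Constructed sample flows. 10.1.2.3 pushes 1.2 GB to one external host inside
# the 02:00 hour; the remaining traffic is routine or not outbound at all.
FLOWS = [
    (datetime.fromisoformat("2014-11-22T02:05:00"), "10.1.2.3", "203.0.113.10", 400_000_000),
    (datetime.fromisoformat("2014-11-22T02:21:00"), "10.1.2.3", "203.0.113.10", 400_000_000),
    (datetime.fromisoformat("2014-11-22T02:48:00"), "10.1.2.3", "203.0.113.10", 400_000_000),
    (datetime.fromisoformat("2014-11-22T03:10:00"), "10.1.2.3", "203.0.113.10", 100_000_000),
    (datetime.fromisoformat("2014-11-22T02:30:00"), "10.1.2.4", "198.51.100.7", 200_000_000),
    # internal file-server copy: large, but never leaves the network
    (datetime.fromisoformat("2014-11-22T02:40:00"), "10.1.2.4", "10.1.9.9", 5_000_000_000),
    # inbound download: external source, so not counted as outbound
    (datetime.fromisoformat("2014-11-22T02:50:00"), "198.51.100.7", "10.1.2.4", 900_000_000),
]

if __name__ == "__main__":
    for src, start, total in find_exfiltration(FLOWS):
        print(f"{src}: {total / 1e9:.2f} GB outbound in the hour "
              f"starting {start:%Y-%m-%d %H:%M}")
```

A fixed byte threshold is a starting point, not a finished detector: a per-host baseline built from prior weeks, a lower threshold outside business hours, and a separate rule for many small flows to a single new destination all catch cases this version misses. The value of even this simple rule is that it makes a multi-day, multi-hundred-gigabyte transfer impossible to overlook.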

The Way Forward

Breaches, of course, are inevitable. But they should not compromise the crown jewels - that intellectual property that is crucial to the business strategy. They should not bring down the business, must not compromise the integrity of the infrastructure, or threaten our freedoms. Some have suggested that the President of the United States should have a "kill switch" that he could use to shut down the Internet so that it cannot be used to attack the power grid or the financial infrastructure. However, since both of these depend on the Internet, this is a solution worse than the problem it sets out to solve.

The solution is this: We must get the fundamentals right. We must use strong authentication and true-end-to-true-end encryption, everywhere. This will increase the time required to successfully execute an attack, make the attack more obvious, and raise the total cost. No less fundamental is the need to improve how we monitor and react. And we can put these fundamentals in place - even if it takes months or years to fully implement - using our available knowledge and tools.

While the Internet is resilient by design, that is a double-edged sword: it ensures availability, but makes it more difficult to address denial of service. Better resisting denial-of-service attacks will require further research, intelligence, new controls, new agreements, and perhaps legislation and treaties. This will take a little longer, but is no less important for making us all more secure.


Rul's curator insight, December 29, 2014 3:42 PM

The multinational is responding to the computer hacking it fell victim to a few days ago.


Another Data Breach, Another Dollar For Identity Management Startups


As security breaches are reported for one major corporation after another, venture investors are writing bigger checks than ever in an attempt to buy some peace of mind.

From Target’s data breach that put a damper on last year’s holiday season to Bebe’s payment card data breach reported last week, we’ve seen countless examples of access management gone wrong. It’s become apparent that the present identity management solutions are just not cutting it, and investors are fully aware.

According to CrunchBase data, identity management startups have seen $350 million in venture dollars raised this year across 45 rounds — a big step up from last year’s $178 million raised over the same number of deals.

Q2 saw a major investment push as some of the first massive deals in the space were recorded for startups like Okta, Centrify, and Dashlane.

“Every time there’s a breach at one of these companies, we’ve seen enormous damages as a result,” says David Cowan of Bessemer Venture Partners, a frequent investor in the identity and security space.

“For businesses like Kmart and JP Morgan, these breaches cost them hundreds of millions of dollars,” says Cowan, and for users, “they’re able to steal your password from a website that you think is irrelevant to your life, and it turns out that’s the same password to your bank account and your Dropbox.”

Cowan is on the board at Dashlane, a password manager and secure digital wallet for consumers. Dashlane’s recent $22 million Series B is one of the larger rounds seen by a consumer-focused identity management application. To date, the majority of venture dollars have gone into companies like Centrify or Okta that provide multi-platform access management solutions for enterprise customers.

“When companies controlled all their systems on premise, everybody had a username and a password into those systems,” explains Robin Vasan of Mayfield Fund, an early Centrify backer, “but now with mobile devices and SaaS applications, those systems are no longer in control.”

“Identity management has seen such a resurgence of interest because enterprises are realizing that an employee of theirs goes and buys a new mobile device or is using a laptop from home and is accessing cloud applications, and those resources are no longer under the control of the enterprise,” says Vasan.

Centrify and others are tackling this issue by providing enterprises with secure identity management and single sign-on services that allow employees to access cloud-based applications across multiple devices.

Venture funding front-runner Okta will let you into all related apps with a single login, and five-year-old Dashlane will remember all of your passwords for you. But recently startups like Nymi and EyeVerify have closed sizable deals to replace passwords completely with biometric technology.

“People lump in together the identity management, access management, permissions and authentications — and we’re all about decoupling that,” says Nymi founder Karl Martin. “There’s a simple philosophy around privacy — a system should only know as much about you as it needs to for that application.”

Nymi seeks to accomplish this through a wristband that identifies a user by their unique electrocardiogram signal and acts as a gateway to provide easy authentication for a number of applications.

“Biometrics are a very useful tool for identity management, but the danger there is that you’re collecting a massive database of biometrics, and that has many implications for security and privacy,” says Martin. It’s a legitimate concern — the idea of handing over more personal data to protect the data that’s already out there seems a bit backward at first.

But Nymi isn’t collecting or storing any of this data. “It’s not verifying who you are, just that you’re the same person that showed up before,” says Martin of the Nymi band. “We’re not actually managing your identity — that should be application specific, and you shouldn’t have all of your information in one place.”

Nymi has locked down a variety of partnerships, from password manager PasswordBox to MasterCard, and is in the process of closing more deals to become something like the single sign-on for the world.

“I don’t think anybody has a sense that we have actually good solutions in operation now, there’s absolutely a need for new technology,” says Martin. “On the one side it’s kind of crazy what we’re doing, but on the other side, do you imagine ten years from now that we’ll still be using passwords?”




Sony Suffers Further Attacks


Sony has been attacked again, with a distributed-denial-of-service attack gang claiming credit for knocking the company's PlayStation Network and related store offline.


Visitors to the PSN sites - which support multiplayer gaming and distribute Sony's movies and games - have instead been seeing the following error message: "Page Not Found! It's not you, it's the Internet's fault."

Sony says via Twitter that it's aware of the outages: "We are aware that users are having issues connecting to PSN. Thanks for your patience as we investigate."


A hacker or gang called Lizard Squad claimed credit for the attacks in a Dec. 8 message posted to Twitter at 12:29 a.m. GMT. The disruption follows the group's claims in recent days that it disrupted other gaming networks, including Valve's Steam and Microsoft's Xbox Live. And Lizard Squad says the disruptions are just a "small dose" of what it has planned for December. "Unlike Santa, we don't like giving all of our Christmas presents out on one day. This entire month will be entertaining," the group tweets. The gang previously claimed credit for a series of August DDoS attacks against Sony, as well as for a tweet about explosives being aboard an American Airlines flight on which Sony president John Smedley was traveling, which caused authorities to divert the flight. No explosives were found; the FBI launched a related investigation.

Lizard Squad has been cagey about its motives and declined to say who's funding its DDoS attacks against gaming networks, saying only that they're "interested parties." But whoever's behind Lizard Squad claims that it previously sold "DDoS as a service" to the public, starting at about 300 euros ($370) per hour to disrupt a site.

Sony's Latest Security Setback

The PSN and Sony online store disruption is only the latest of many information security setbacks for Sony, following a massive hack attack against Sony Pictures Entertainment, which resulted in attackers obtaining what they claim are "tens of terabytes" of Sony corporate data and digital media, as well as using wiper malware to erase an unknown number of Sony employees' hard drives and "brick" their computers, which prevents them from booting.

Sony has not responded to repeated requests for comment about the hack, for which a group calling itself the Guardians of Peace - or G.O.P. - has claimed credit.

To date, G.O.P. has reportedly leaked about 40 GB of stolen Sony data, which remains in circulation on BitTorrent networks. The data includes exhaustive lists of Sony's passwords for social media networks, private details for 47,000 employees - including the Social Security numbers for Expendables star Sylvester Stallone and other actors - as well as other HR-related information, including copies of disciplinary letters and termination notices, Mashable reports.

Sony employees recently also received an e-mail, allegedly from G.O.P., warning them that "your family will be in danger" unless they signed their names to an e-mailed petition in support of the hackers' activities. The e-mail also stated that the attacks and leaks to date were "only [a] small part of [a] further plan." The attackers declined to elaborate on what that plan entailed.

'Unprecedented' Attack

In the wake of the attacks, many information security experts have been asking if Sony's defenses were sufficient, and whether it should have been able to rebuff attackers. Furthermore, much of the leaked data appeared to be stored in unencrypted format, and security experts say many of the passwords being used by Sony - which were also leaked - were weak.

But a report into the investigation from digital forensics investigations firm FireEye, which was hired by Sony to investigate the attack, suggests that the hack attack that victimized Sony Pictures Entertainment would have compromised most organizations. "The attack is unprecedented in nature," Kevin Mandia, chief operating officer of FireEye, says in a Dec. 6 report addressed to Sony Pictures Entertainment CEO Michael Lynton and also distributed to Sony employees, The Wall Street Journal reports. "This was an unparalleled and well-planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared," Mandia says.

One explanation for the Nov. 24 hack attack - and subsequent data leaks - is that it was commissioned by the government of North Korea, in retaliation for the forthcoming comedy The Interview, in which a tabloid TV reporting team, heading to Pyongyang to interview dictator Kim Jong-Un, are approached by the CIA to kill him instead.

While referring to the film as a "terrorist act," North Korean officials have denied having any ties to the Sony hack. But in a statement issued Dec. 7, a spokesman for the country's National Defense Commission referred to it as a "righteous deed" that may have been launched by its "supporters and sympathizers."

Still Suspected: North Korea

The FireEye investigation team, however, says North Korea is "likely linked" to the attack, three anonymous sources with knowledge of the FireEye investigation tell the Journal, citing as partial evidence the Korean language found in the malware and the timing of its builds - which correspond with working hours in North Korea. But other security experts have said those details could also be "false flags" planted by attackers to fool investigators.

New details about the attack continue to surface. Citing people with knowledge of the investigation - who spoke on condition of anonymity - Bloomberg reports that the Sony data was first leaked from an IP address tied to the five-star St. Regis Bangkok hotel, located in the capital of Thailand, at 12:25 a.m. local time on Dec. 2. But it's not clear if the attackers may have been working from the hotel, or merely routing their data via its systems.

Information security researcher Liam O Murchu at Symantec tells Bloomberg that at least one of the command-and-control servers used by attackers to communicate with the Sony PCs they'd infected with their malware - known as both Destover and Wipal - used an IP address in Bolivia that was also used in the 2013 Dark Seoul campaign that targeted South Korean banks and broadcasters. South Korea has attributed that attack to North Korea, although multiple security experts interviewed by Information Security Media Group have suggested those allegations have not been fully confirmed.

"This is the same group that was working in Korea a year ago," O Murchu says. "There are so many similarities - this must be the same people."

Anti-virus vendor Kaspersky Lab likewise reports seeing "extraordinary" similarities between the wiper attack against Sony, Dark Seoul, and the 2011 "Shamoon" attack against Saudi Arabia's national petroleum and natural gas company, Saudi Aramco.



Kyle Greene's curator insight, October 18, 2017 12:08 PM

This article addresses the hole in Sony's security covering the PlayStation Network. Sony has been on the receiving end of multiple attacks over the years, and it is because cyber security was never really prioritized in the past. Now cybercrime is on the rise and Sony needs to find a way to prevent DDoS from occurring, because it has lost them a lot of revenue.