IT Support and Hardware for Clinics
31.3K views | +1 today
Follow
IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice
Your new post is loading...
Your new post is loading...
Scoop.it!

FBI Alert: Business Email Scam Losses Exceed $1.2 Billion

FBI Alert: Business Email Scam Losses Exceed $1.2 Billion | IT Support and Hardware for Clinics | Scoop.it

The FBI, in a new alert, estimates that fraud losses linked to so-called business email compromise scams worldwide totaled more than $1.2 billion from October 2013 to August 2015. But some financial fraud experts say the losses from this largely overlooked threat could be even higher because the incidents often are not reported.


David Pollino, bank fraud prevention officer at Bank of the West, who calls these scams "masquerading" schemes, has warned of upticks in this type of wire fraud since January 2014.


In May, he predicted that losses linked to masquerading, or business email compromise attacks, in 2015 alone would exceed $1 billion. "This is a global fraud trend," he said.


In a white paper Bank of the West recently posted about this fraud trend, Pollino notes that masquerading attacks are among the top three fraud threats facing small businesses today.


"Masquerading is a payments scheme in which a fraudster impersonates a company executive or outside vendor and requests a wire transfer through a phone call or email to a company controller, or someone else with authority to wire funds," Pollino writes. "The controller will usually tell the business' bank to wire the funds because the email or phone call seems legitimate."


Fraudsters' social-engineering methods include sending these bogus requests to accounting departments with a sense of urgency, Pollino notes. To speed up payments, the fraudsters often ask the bank or credit union to bypass the normal out-of-band authentication and transaction verification processes in place for wires, especially those being sent to overseas accounts, he says.


"For the third consecutive year, three in five companies were targets of payments fraud," which includes BEC scams, Pollino points out, quoting statistics in the Association for Financial Professionals' 2015 Payments Fraud and Control Survey.


To mitigate risks associated with these scams, Pollino recommends that businesses:


  • Develop an approval process for high-dollar wire transfers;
  • Use a purchase order model for wire transfers, to ensure that all transfers have an order reference number that can be verified before approval;
  • Confirm and reconfirm transfers through out-of-band channels, such as a confirmation emails or SMS/texts; and
  • Notify the banking institution if a request for a transfer seems suspicious or out-of-the-norm.
FBI Alert

In its Aug. 27 alert, the FBI notes that most of the companies that have fallen victim to BEC scams have been asked to send urgent wires to foreign bank accounts, most of which are based in China and Hong Kong.


"The BEC scam continues to grow and evolve and it targets businesses of all sizes," the FBI notes. "There has been a 270 percent increase in identified victims and exposed loss since January 2015. The scam has been reported in all 50 states and in 79 countries."

From October 2013 through August 2015, the FBI estimates that some 7,066 U.S. businesses and 1,113 international businesses fell victim to this socially engineered scheme.

Quantifying Losses a Challenge

But quantifying losses from BEC scams has proven challenging because many of the incidents are not reported.


"Certainly these losses are understated, because many companies are not reporting them to the FBI due to embarrassment, lack of knowledge of where to turn, or the realization that there is no chance of retrieving their funds," says financial fraud expert Shirley Inscoe, an analyst at consultancy Aite. "So much money is being stolen through this scam that it is only going to continue, costing businesses billions of dollars."


In an effort to curb losses associated with these socially engineered schemes, Inscoe says financial institutions must educate their commercial customers about how these types of attacks are waged.


And she contends that the Asian banks to which these fraudulent wires are being sent should be held accountable. "Clearly, these banks are assisting in laundering these ill-gotten gains," she says. "An appeal could be made to their regulators to crack down on them from amoney-laundering perspective, but I have no idea how receptive the regulators would be to that avenue of action."


Dave Jevans, co-founder of the Anti-Phishing Working Group and chief technology officer of mobile security firm Marble Security, says federal law enforcement agencies have been strengthening their relationships with agencies in Asian markets to help curb some of this fraud.


"They can always work more closely with the financial institutions in these regions to monitor activity. However, it is really up to the originating companies and their U.S. financial institutions to solve this problem," he says. "Law enforcement is about investigating and arresting criminals. They are not a regulatory agency, nor are they a fraud-detection agency."

Preventive Measures

Jevans argues that the solution to the BEC problem is ensuring that businesses have stronger internal controls and targeted attack prevention on their email systems. "Banks can help their customers get educated, and can strengthen their validation processes and requirements when funds are being requested to be sent to new, untrusted accounts," he says. "Only focusing on overseas accounts won't solve the problem, and many of the smaller BEC frauds are routed through money mule accounts here in the USA."


Tom Kellermann, chief cybersecurity officer at the security firm Trend Micro, says businesses have to understand that bypassing banks' procedures for wire-transfer confirmation is exposing them to fraud.

"Internal procedures should change to ensure that all requests for the transfer of funds be verified," Kellermann says.


Kellermann says businesses' employees should be trained to carefully examine the URLs from which emails are sent. Spoofed email addresses, for instance, will be slightly different yet resemble legitimate email addresses. And he says all external wire transfers should be required to have some type of out-of-band confirmation, through a secondary email, phone call or SMS/text, before they are approved and scheduled.


Stronger email authentication and adoption of DMARC, the Domain-based Message Authentication, Reporting & Conformance initiative, could have a big impact on reducing fraud losses related to BEC, Kellerman contends.


Fraud expert Avivah Litan, an analyst at the consultancy Gartner, says identify-proofing technology, which requires that an online account user provide a headshot or picture of a driver's license captured with a mobile phone, could make a difference.


More banking institutions are exploring identity-proofing to authenticate new-account customers, Litan says, by employing the same technology they use for the remote-deposit capture of check images from smart phones and PC scanners.


"Perhaps this technology for identity proofing and documents transfer [such as check images] can be rolled out to the customer sites," she says. "Now you start asking the person requesting the wire to prove who they are by saying, 'Sorry, CEO, but before I act on your instructions, I need to see your driver's license.'"

more...
Scoop.it!

Adobe patches Flash zero-day found in Hacking Team data breach

Adobe patches Flash zero-day found in Hacking Team data breach | IT Support and Hardware for Clinics | Scoop.it

The massive Hacking Team data breach led to the release of 400GB worth of data including a zero-day vulnerability for Adobe Flash. Adobe has released an out-of-band patch for the flaw just two days after it was discovered.


The vulnerability was described by the Hacking Team in a readme file in the data dump as "the most beautiful Flash bug for the last four years". Accompanying the readme in the data was a proof-of-concept exploit of the flaw.


Adobe categorized the vulnerability (CVE-2015-5119) as critical and said it affects Flash Player versions 18.0.0.194 and earlier on Windows and Mac, and versions 11.2.202.468 and earlier on Linux. Successful exploitation of the flaw could allow remote code execution.


Security researcher Kafeine found that the vulnerability has already been added to the Angler, Fiddler, Nuclear and Neutrino exploit kits. Because of this, admins are recommended to apply the patch as soon as possible.


Also found in the Hacking Team data was another Adobe Flash zero-day (CVE-2015-0349), which was patched in April, and a zero-day affecting the Windows kernel. The inclusion of these zero-days has caused experts to question if these exploits are being used by Hacking Team clients, including law enforcement and governments.


"As many governments move to try and control malware and offensive security tools, some have been caught with their own hands in the cookie jar, leading many to wonder how and why governments and agencies listed as Hacking Team clients are using these tools and if they are doing so lawfully," said Ken Westin, security analyst for Tripwire. "Given the depth and amount of data compromised in this breach, it will reveal a great deal about the market for offensive tools designed for espionage with a great deal of fallout and embarrassment for some organizations."


Hacking Team spokesman Eric Rabe confirmed the breach and said that while law enforcement is investigating, the company suggests its clients suspend the use of its surveillance tools until it can be determined what exactly has been exposed.


In a new statement, Rabe warned that its software could be used by anyone because "sufficient code was released to permit anyone to deploy the software against any target of their choice.


"Before the attack, HackingTeam could control who had access to the technology that was sold exclusively to governments and government agencies," Rabe wrote. "Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so. We believe this is an extremely dangerous situation."

more...
No comment yet.
Scoop.it!

Surveillance Software Firm Breached

Surveillance Software Firm Breached | IT Support and Hardware for Clinics | Scoop.it

Hacking Team, an Italian developer of "easy-to-use offensive technology" - including spywareand other surveillance software that it sells to police, law enforcement and intelligence agencies - appears to have been breached and large quantities of corporate information leaked.


On July 5, hackers also appeared to have seized control of the Hacking Team's Twitter account,@hackingteam, after which they changed the company's logo and posted the following message: "Since we have nothing to hide, we're publishing all our e-mails, files, and source code."


The message included links to a Torrent file that reportedly includes 400 GB of the aforementioned data, including the source code for its "Remote Control System," known as both DaVinci and Galileo. Hacking Team advertises that the software is able to intercept Skype and voice calls, as well as data stored on PCs. The leaked data reportedly also includes passwords for multiple Hacking Team employees and customers, as well as previously disclosed zero-day vulnerabilities.

The Hacking Team data leak reportedly reveals that the company's customers have apparently ranged from the U.S. FBI and Drug Enforcement Agency to the governments of Sudan and the United Arab Emirates. Credit for the hack and data breach has reportedly been claimed by PhineasFisher, who has previously targeted vendors for allegedly selling surveillance software to repressive regimes. "Gamma and HT down, a few more to go :),"PhineasFisher said July 6 via Twitter.


Threat intelligence firm iSight Partners says in a research note that it believes that the breach occurred, and that most or all of the leaked data is genuine, because "convincingly fabricating that much information is prohibitively time intensive." It also warns that the source code could soon become part of other hackers' toolsets. "Hacking Team's tools and techniques will likely begin to be incorporated in other malware and surveillance tools." Allegedly leaked Hacking Team code has already been added to the GitHub code-sharing repository.


Hacking Team did not immediately respond to a request for comment about the breach, so the contents of those alleged customer lists could not be confirmed. Hacking Team senior system and security engineer Christian Pozzi, whose emails and personal passwords - including for multiple social media accounts - appear to have been included in the leak, says via Twitter on July 6: "We are currently working closely with the police at the moment. I can't comment about the recent breach."

But the authenticity of that message is questionable, since Pozzi's Twitter account later posted a message suggesting that it too had been compromised by hackers: "We are closing down. Bye Saudi Arabia. You paid us well. Allahuhakbah." After those messages appeared, Pozzi's Twitter account appears to have been deleted in its entirety.

The Company's Customers

Numerous privacy rights groups say that the data leak provides a rare look into how governments spy on people at home and abroad. "Hacking Team is one of the most aggressive companies currently supplying governments with hacking tools," says Eric King, deputy director of civil rights group Privacy International. "[The] leak of materials reportedly shows how Hacking Team assisted some of the world's most repressive regimes - from Bahrain to Uzbekistan, Ethiopia to Sudan - to spy on their citizens.


Hacking Team advertises its Galileo and DaVinci software as being "the hacking suite for governmental interception," noting that it can handle "up to hundreds of thousands of targets, all managed from a central place." Some of the software's capabilities have been previously described by Citizen Lab, a privacy project run by the University of Toronto, which says that the vendor's spyware can copy files from the hard drive of an infected PC, record Skype calls and emails, intercept passwords typed into Web browsers, as well as remotely activate webcams and microphones. To employ the spyware, however, government agencies must first sneak it onto targets' PCs, and Citizen Lab says that phishing attacks are likely the most-used technique for accomplishing this.


Privacy researcher Christopher Soghoian, principal technologist at the American Civil Liberties Union, says via Twitter that according to the leaked information, Hacking Team's customer list "includes South Korea, Kazakhstan, Saudi Arabia, Oman, Lebanon, and Mongolia."


Soghoian adds via Twitter that according to a leaked March 2013 invoice for the first half of a related payment, Hacking Team also completed a €260,000 ($290,000) deal with the government of Azerbaijan by selling "through a shadowy front company in Nevada" named Horizon Global Group.


Citizen Lab had previously questioned whether Hacking Team was selling to governments that are widely viewed as being repressive. "We suspect that agencies of these twenty-one governments are current or former users of RCS: Azerbaijan, Colombia, Egypt, Ethiopia, Hungary, Italy, Kazakhstan, Korea, Malaysia, Mexico, Morocco, Nigeria, Oman, Panama, Poland, Saudi Arabia, Sudan, Thailand, Turkey, UAE, and Uzbekistan," it says in a 2014 report. "Nine of these countries receive the lowest ranking, 'authoritarian,' in The Economist's 2012 Democracy Index. Additionally, two current users - Egypt and Turkey - have brutally repressed recent protest movements."


The company's customer list had also earned it a place on the "Enemies of the Internet" list maintained by civil rights group Reporters Without Borders.


The Hacking Team's alleged "maintenance agreement" tracker has been published to text-sharing website Pastebin; it says that the company's customers also include the U.S. Drug Enforcement Agency - as news outlet Vice first reported in April - and government agencies across the EU, including the Czech Republic, Hungary, Luxembourg, Poland and Spain. The FBI, meanwhile, is listed in that maintenance agreement as having an "active maintenance contract" with Hacking Team through June 30, 2015, while both Russia and Sudan are listed as being "not officially supported." Again, however, the authenticity of that information could not be confirmed, and it's possible that whoever leaked the files altered, added or fabricated the information.

The FBI did not immediately respond to Information Security Media Group's inquiry about whether the bureau is, or has been, a Hacking Team customer.

Hacker Targets

Cryptography expert Matthew Green, a Johns Hopkins University professor, says that more than any other type of company except bitcoin exchanges, surveillance software vendors should expect to face serious and sustained hacks. Thus, they should harden their defenses accordingly, but few seem to do so, he says.


Indeed, Hacking Team is not the first surveillance software vendor to have been hacked. In August 2014, Gamma Group - the creator of FinFisher malware, which it spun off as a separate company in 2013 - was also breached by PhineasFisher, who announced via Reddit that a 40GB data dump leaked to BitTorrent included internal documents, as well as price lists and support queries.

more...
No comment yet.
Scoop.it!

Five Steps to Secure Your Data After I.R.S. Breach

Five Steps to Secure Your Data After I.R.S. Breach | IT Support and Hardware for Clinics | Scoop.it

The Internal Revenue Service has been added to a long list of companies and government agencies that hackers have breached in the last year.

And so, if there is any advice security experts have for those trying to keep their personal information safe, it is simply: You can’t.

“Your information has already been out there for years, available to anyone who wants to pay a couple dollars,” Brian Krebs, a security blogger who has been a frequent target of hackers, said Wednesday.

The attack on the I.R.S. is just the latest evidence that hackers already have all the information necessary to steal your identity. The agency said Tuesday that hackers used information stolen from previous breaches — including Social Securitynumbers, birth dates, street addresses and passwords — to complete a multistep authentication process and 


But consumers can make things harder for criminals. There may be a trade-off in convenience, but experts say the alternative is a lot worse.

1. Turn on multifactor authentication.

If a service offers added security features like multifactor authentication, turn them on. When you enter your password, you will receive a message, usually via text, with a one-time code that you must enter before you can log in.

Most banking sites and popular sites like Google, Apple, Twitter and Facebook offer two-factor authentication, and will ask for a second one-time code anytime you log in from a new computer.

2. Change your passwords again.

Yes, you need to change passwords again and they have to be passwords you have never used before. They need to be long and not words you would find in a dictionary. The first thing hackers do when trying to break into a site is use computer programs that can test every word in the dictionary.

Password managers like LastPass or Password Safe create long, unique passwords for the websites you visit and store them in a database that is protected by a master password you have memorized.

It may sound counterintuitive, but the truly paranoid write down their passwords.

Security experts advise creating anagrams based on song lyrics, movie quotations or sayings, and using symbols or numbers and alternating lower and upper cases to make the password more difficult. For instance, the “Casablanca” movie quotation “Of all the gin joints, in all the towns, in all the world, she walks into mine” becomes OaTgJ,iAtT,iAtW,sWiM.

Use stronger, longer passwords for sites that contain the most critical information, like bank or email accounts.

3. Forget about security questions.

Sites will often use security questions such as “What was the name of your first school?” or “What is your mother’s maiden name?” to recover a user’s account if the password is forgotten.

These questions are problematic because the Internet has made public record searches a snap and the answers are usually easy to guess.

In a recent study, security researchers at Google found that with a single guess, an attacker would have a 19.7 percent chance of duplicating an English-speaking user’s answer to the question, “What is your favorite food?” (It was pizza.)

With 10 tries, an attacker would have a 39 percent chance of guessing a Korean-speaking user’s answer to the question, “What is your city of birth?” and a 43 percent chance of guessing the favorite food.

Jonathan Zdziarski, a computer forensics expert, said he often answers these questions with an alternate password. If a site offers only multiple choice answers, or only requires short passwords, he won’t use it.

“You can tell a lot about the security of a site just by looking at the questions they’ll ask you,” he said.

4. Monitor your credit.

Typically a service will offer one year of free credit monitoring if it has been breached. But be aware that attackers do not dispose of your Social Security number, birth date or password a year after they acquire it.

It is better to monitor your credit aggressively at all times through free services like AnnualCreditReport.com.

5. Freeze your credit.

In the attack at the I.R.S., a credit freeze may not have thwarted thieves from filing for false tax refunds, but it could have stopped them from pulling tax transcripts or opening other accounts.

To freeze your credit, call Equifax, Experian or TransUnion and ask to have your account frozen. The credit agency will mail a one-time PIN or password to unfreeze your account later.

The fee to freeze and refreeze credit varies by state. If you plan on applying for a new job, renting an apartment or buying insurance, you will have to thaw a freeze temporarily and pay a fee to refreeze the account.

But if you have been a victim of identity theft, and can show a police report proving as much, most states will waive the freeze fee.


Via Paulo Félix
more...
No comment yet.
Scoop.it!

United Can't Even Be Bothered To Pay Money For Finding Security Bugs

United Can't Even Be Bothered To Pay Money For Finding Security Bugs | IT Support and Hardware for Clinics | Scoop.it

Bug bounty programs are pretty common among tech firms: the likes of Facebook and Google (although notably not Apple) will offer you hundreds of thousands of dollars in order for exposing security flaws in their products. It’s a good system, and one United Airlines wants to use: just without offering cold, hard cash.

Instead, United is offering air miles as the reward for the fruits of your labor. Sure, you can’t feed a family, or pay your internet bill with United miles — but you can at least fly to Europe whilst losing all feeling in your feet! United is offering 50,000 miles (cash equivalent: about $1000) for small flaws, like cross-site scripting, 250,000 miles for authentication bypass, and a million miles if you can remotely execute code.

Notably, eligible bugs are limited to United’s customer-facing websites and apps: onboard Wi-Fi, avionics, and entertainment systems are off-limits. That’s not surprising, given United’s previous response to onboard hackers, but it does limit the program somewhat.


Although it’s good that United has a bug bounty system at all — they work well at preventing hacks from being used nefariously — it would be nice if United actually rewarded the work of security researchers with real money.



more...
No comment yet.
Scoop.it!

Why It's Tough to Pass Data Breach Bill

Why It's Tough to Pass Data Breach Bill | IT Support and Hardware for Clinics | Scoop.it

Backers of a national data breach notification law say it would greatly simplify compliance for businesses, which now must comply with laws in 51 different jurisdictions - 47 states, three territories and Washington, D.C.


But does that simplification come at too high a cost? Some federal lawmakers thinks so. They say passing a national data breach notification law would weaken data security protections found in certain states' statutes, thus doing more harm than good.

And those concerns are a major reason why building a consensus that paves the way for enacting a national breach notification law will prove difficult, if not impossible.

'Confusing for Businesses'

Last January, President Obama noted when he proposed his version of national data breach notification: "Right now, nearly every state has a different law on this, and it's confusing for consumers and it's confusing for companies, and it's costly, too, to have to comply to this patchwork.


Almost every bill introduced in Congress over the past decade to create a national data breach notification standard would pre-empt state statutes. But that comes at a price. Several states, most notably Massachusetts, prescribe specific steps businesses must take to safeguard personally identifiable information. Most national data breach notification proposals don't require safeguards beyond saying businesses should take "reasonable" steps to secure PII.


Some industry experts - such as Larry Clinton, president of the trade group Internet Security Alliance - say they have seen no evidence that consumers' PII is more secure in those states that have more stringent security requirements. "To the notion that states can enact strong laws is, from a consumer perspective, a red herring," he says.

Middle Ground?

But some senators strongly disagree with Clinton's point of view.

"There are a number of like-minded senators who are paying attention to this issue and trying to push for a federal law ... that keeps state laws untouched as a middle-ground approach," says Chris Pierson, general counsel and chief security officer at payments provider Viewpost. "While this is more palatable for Congress, it does little to stem the growing diversity of state laws and the burden of conflicting state requirements."


One of those senators seeking a middle-ground approach is Richard Blumenthal, D-Conn., who, along with five other Democratic senators, has introduced legislation creating a national data breach notification law with a proviso: It won't pre-empt more stringent state laws.


"We must ensure consumers have strong protections on the federal level, but in so doing, we must make sure Congress doesn't weaken state protections that consumers rely on to keep their information safe," Blumenthal says. "Importantly, this measure strikes the right balance between state rights and strong federal enforcement and extends consumer privacy protections into a new digital era."

A right balance? Sasha Romanosky, an associate policy researcher at the think tank Rand Corp., characterizes the Democratic senators' bill as a "workaround" that sets a "national floor for breach compliance." But Romanosky is concerned that "then you'd just have the same issue as there is now: 47 potentially distinct state laws."


The Democrats' bill - like the Massachusetts statute - contains a list of security requirements with which businesses would have to comply. That makes the bill unpassable. Nearly every GOP lawmaker opposes any measure that that would place additional requirements on businesses.

60-Vote Threshold

Consumer advocacy groups generally oppose national data breach notification legislation that would weaken states' security standards. And those groups might have the clout to get enough Democratic senators to oppose any measure that would pre-empt state laws.

Sixty votes generally are needed for a bill to be considered by the Senate; the upper chamber has 44 Democrats and two independents who caucus with them. So getting 41 senators to block a vote on a data breach notification bill is possible.


Whether stricter state laws actually provide consumers with better security protections is debatable, but the perception among a number of lawmakers - mostly Democrats - is that they do. If at least 41 senators agree with that notion, then Congress will not enact a national breach notification law.


more...
No comment yet.
Scoop.it!

House OKs 2nd Cyberthreat Info-Sharing Bill

House OKs 2nd Cyberthreat Info-Sharing Bill | IT Support and Hardware for Clinics | Scoop.it

A second cyberthreat information sharing bill passed the House of Representatives on April 23. That measure, the National Cybersecurity Protection Advancement Act, now will be combined with the House Intelligence Committee's Protecting Cyber Networks Act, which passed on April 22, before it's sent to the Senate.

The National Cybersecurity Protection Act, which was approved by a 355-63 vote, provides businesses with liability protections if they share cyberthreat information with the federal government and other businesses. The bill designates the National Cybersecurity and Communications Integration Center as the portal for government and business to share data.

"Ultimately, this legislation will arm those who protect our networks with valuable cyber-threat indicators that they can use to fortify defenses against future attacks," said one of the bill's sponsors, Rep. John Ratcliffe, chairman of a House Homeland Security Committee subcommittee, which has cybersecurity oversight.

Supporters of cyberthreat information sharing legislation, including President Obama, say such a measure is needed because many businesses will not share information with the government unless they're protected from civil and criminal lawsuits resulting from the sharing of data. Both bills, and one approved by the Senate Intelligence Committee, would provide those liability safeguards.

The House-passed bills' supporters contend their measures protect citizens' privacy and liberties by requiring businesses to strip personally identifiable information from information to be shared. Language added to the National Cybersecurity Protection Advancement Act specifically says the shared data is to be used for cyberdefense only and cannot be used for intelligence or law enforcement purposes. Still, consumer advocacy groups contend the bill does not go far enough to prevent sharing of data for purposes other than cyberdefense.

The White House, in Statements of Administration Policies, has given both House-passed bills a lukewarm endorsement, but it made suggestions on changes it seeks, especially the narrowing of the liability protections the measures offer.

In the Senate, Majority Leader Mike McConnell said its version of cyberthreat information sharing legislation should come up for a vote shortly, but did not provide a specific date. If the Senate passes its own cyberthreat information sharing legislation, conferees from both chambers, weighing recommendations from the White House, will draft new language in hopes of winning the support of a majority of House and Senate lawmakers as well as the president.


more...
No comment yet.
Scoop.it!

Breach Exposed Obama Records

Breach Exposed Obama Records | IT Support and Hardware for Clinics | Scoop.it

 A breach of the White House IT system last October, believed to be by Russian hackers, exposed sensitive details about White House operations, such as the president's schedule, CNN reports.

Investigators believe the White House intrusion began with a phishing email that was launched using a State Department email account that the hackers had taken over, CNN reports, citing several U.S. officials briefed on the investigation into the breach.

The State Department revealed in October that the breach of its system and that of the White House were linked (see State Department, White House Hacks Linked).

The White House downplayed the report. "This report is not referring to a new incident - it is speculating on the attribution of the activity of concern on the unclassified EOP (Executive Office of the President) network that the White House disclosed last year," Mark Stroh, National Security Council spokesman said April 7. "Any such activity is something we take very seriously. In this case, as we made clear at the time, we took immediate measures to evaluate and mitigate the activity. As has been our position, we are not going to comment on the referenced article's attribution to specific actors."
Alternative to Email

Jerry Irvine - a member of the National Cybersecurity Task Force, a joint operation between the Department of Homeland Security and the U.S. Chamber of Commerce - says phishing and spear phishing attacks are increasingly plaguing governments and businesses, and suggests that if they persist, organizations might need to limit email communications.

"It can happen to anyone, and it did," Irvine says, referring to the White House breach. "This is the way of the world. Organizations now are starting to look at the value of email and are questioning whether it's worth the risk. Are there other methods to share information other than email?"

Irvine, partner and chief information officer at IT outsourcer Prescient Solutions, says governments and businesses should look to email alternatives, such as instant messaging, which he contends poses fewer risks.


more...
No comment yet.
Scoop.it!

Will Executive Order Impact Cybercrime?

Will Executive Order Impact Cybercrime? | IT Support and Hardware for Clinics | Scoop.it

President Obama on April 1 issued an executive order that allows the U.S. government to block or seize the assets of suspected "malicious cyber actors." But some legal and security experts already are questioning whether the order is legally defensible or will have any meaningful impact on either cybercrime or online espionage.


"There are so many problems with this," attorney Mark Rasch, a former U.S. Department of Justice official who created its computer crime unit, tells Information Security Media Group, citing, for example, the government's ability to presume someone is guilty, without first having to prove it. "In general, sanctions are a political tool for putting pressure on recalcitrant governments to change their ways, [but] these sanctions are a legal tool to impose punishment without trial on persons we believe to be criminals and hackers."


The Obama administration, however, says that the executive order - officially titled "Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities" is necessary to give the U.S. government much-needed new legal tools in its fight against cybercrime and online espionage. The executive order represents the first time that the White House has authorized broad sanctions to be imposed specifically for cyber-attacks, and regardless of the location of whoever is behind the attacks.


"Our primary focus will be on cyberthreats from overseas, Obama writes on news website Medium. "In many cases, diplomatic and law enforcement tools will still be our most effective response. But targeted sanctions, used judiciously, will give us a new and powerful way to go after the worst of the worst."


The executive order authorizes the Secretary of the Treasury - in consultation with the Attorney General and the Secretary of State - to impose such sanctions "on individuals or entities that engage in malicious cyber-enabled activities that create a significant threat to the national security, foreign policy or economic health or financial stability of the United States," Obama says in an April 1 statement distributed by the White House.


While the executive order doesn't define "significant," it says sanctions can be imposed for a variety of reasons, for example, in response to attacks that target critical infrastructure, which disrupt networks - via distributed denial-of-service attacks, for instance - as well as for targeting or stealing trade secrets or personally identifiable information, and for computer crime in general.

Intent: To Fill Gaps

White House Cybersecurity Coordinator Michael Daniel says the executive order is meant to expand the "spectrum of tools" that the government can use to combat cyber-attacks, by supplementing current diplomatic, law enforcement, military, economic and intelligence capabilities.


"It is designed to fill in a gap that we have identified where individuals carrying out significant malicious cyber-attacks are located in places that it's difficult for our diplomatic and law enforcement tools to reach - whether because they're behind the borders of a country that has weak cybersecurity laws, or the government is complicit in or turning a blind eye to the activity that is happening, and we don't have good law enforcement relationships or other kinds of relationships," he said on an April 1 a press call. "So what we're doing is putting in place a tool that will enable us to impose costs on those actors."


John Smith, the Treasury Department's acting director of the Office of Foreign Assets Control, or OFAC, which administers and enforces U.S. economic sanctions programs, said on the press call that the executive order elevates cyber-attacks to the realm of such activities as counterterrorism, narcotics trafficking and transnational crime, which the United States targets, regardless of where they're based. Smith says the administration is hoping that by designating cybercrime and online espionage in this manner, more countries will be spurred to put a stop to related activities inside their borders, or which touches their financial system.

Sony Hack Inspired Order

The Washington Post reports that the executive order has been under development for the past two years. But Daniel says the need for the executive order was highlighted after the president called for a "proportional response" to the hack attack against Sony Pictures. "That process informed us as we were finishing up this executive order and highlighted the need for us to have this capability and to have this tool."


The move follows another executive order, signed by the president in January, that imposed sanctions on 10 individuals and three entities associated with the North Korean government, after the FBI attributed the November 2014 hack and wiper malware attack against Sony Pictures Entertainment to "North Korea actors." But numerous information security experts have continued to question that attribution.

Questioning the Rationale

And some legal and security experts are now questioning the rationale behind the new executive order. "It's really built out of frustration, because the international legal process does not deal effective with cybercrime," says Rasch, the former DOJ official. "So there's the urge to take the law into your own hands. Resist that urge."


Rasch adds that another problem with the executive order is that it's not aimed just at state sponsors - or nation-state-backed attackers - but anyone who the U.S. believes has broken the law. Furthermore, it allows the government to impose punishments, such as seizing U.S. citizens' assets, without any due process, or having to first prove the government's case.


The administration says that anyone who wants to contest sanctions that get imposed using this executive order can do so with OFAC, or by filing a lawsuit against the federal government.

Cybercrime Impact?

But will the executive order lead to any meaningful reduction in cybercrime or online espionage? "I'm somewhat skeptical, to say the least," Sean Sullivan, a security adviser for Helsinki, Finland-based anti-virus firm F-Secure, tells ISMG. "There's a great deal of Russian-speaker-based 'espionage as a service' that would be very difficult to do much about. And China seems even more of a challenge. But then again, maybe there are some officials who do actually have American assets to go after - New York real estate, for example."


James A. Lewis, a cyberpolicy expert at the Center for Strategic and International Studies, believes that the new program could have an impact, for example to combat Chinese-promulgated economic espionage. "You have to create a process to change the behavior of people who do cyber-economic espionage," he tells The Washington Post. "Some of that is to create a way to say it's not penalty free. This is an effective penalty. So it moves them in the right direction."

But Rasch thinks it's unlikely that the executive order would fulfill the stated White House purpose of deterring future cybercrime, espionage and large-scale attacks. "The rogues are not going to be deterred by this," he says. "The state sponsors are not going to be deterred by this."


more...
No comment yet.
Scoop.it!

More than half of Americans says it's 'unacceptable' for government to monitor citizens' communications

More than half of Americans says it's 'unacceptable' for government to monitor citizens' communications | IT Support and Hardware for Clinics | Scoop.it

More than half of Americans now say it's unacceptable for the government to monitor the communications of US citizens, according to a new survey conducted by the Pew Research Center on Americans’ privacy strategies post-Snowden.

In 2013, NSA contractor Edward Snowden leaked documents detailing the explosion of government surveillance programs after 9/11.

Outrage ensued. Americans had no idea the spying had become so pervasive, and many were shocked to learn their phone and email communications may have been monitored.

But even after the Snowden revelations, Americans remain divided on the acceptability of government surveillance: 52% describe themselves as “very concerned” or “somewhat concerned” about government surveillance of Americans’ data and electronic communications, while 46% describe themselves as “not very concerned” or “not at all concerned” about the surveillance, according to the Pew survey. 

When it comes to government surveillance of suspected terrorists or foreign leaders, Americans are more than comfortable with government spying: 82% of Pew survey respondents said it's acceptable to monitor communications of suspected terrorists, while 60% believe it is acceptable to monitor the communications of American leaders.

Interestingly, Americans' attitudes towards surveillance have not changed much in the last decade. In 2006, roughly 51% of Americans surveyed responded that government surveillance, including wire-tapping, was acceptable, acording to a survey by the Washington Post and Pew Research Center. The same survey revealed that even after Snowden leaked NSA documents, revealing the extensive powers of the agency, 56% of Americans surveyed said such powers were warranted. 

Most Americans still believe the government should investigate terrorists even if it intrudes on their own privacy. When asked in 2013 whether they thought the government should be able to monitor everyone's email to protect against terorrism, 45% of respondents said yes. Two years later, more than half of survey respondents say they are not at all concerned about government surveillance of their own email messages. 


more...
No comment yet.
Scoop.it!

This USB Drive Can Nuke A Computer

This USB Drive Can Nuke A Computer | IT Support and Hardware for Clinics | Scoop.it

Do not ever use a random USB flash drive. There are plenty of software exploits that can ruin your computer or life. And with this flash drive, it can physically destroy your computer by blasting a load of voltage to the USB controller with negative voltage. Think Wile E. Coyote and an ACME Human Cannon. BOOM!


The basic idea of the USB drive is quite simple. When we connect it up to the USB port, an inverting DC/DC converter runs and charges capacitors to -110V. When the voltage is reached, the DC/DC is switched off. At the same time, the filed transistor opens. It is used to apply the -110V to signal lines of the USB interface. When the voltage on capacitors increases to -7V, the transistor closes and the DC/DC starts. The loop runs till everything possible is broken down. Those familiar with the electronics have already guessed why we use negative voltage here. I‘ll explain to others that negative voltage is easier to commutate, as we need the N-channel field resistor, which, unlike the P-channel one, can have larger current for the same dimensions.

Put simply, the bits inside the USB drive draws and stores a ton of power. When a certain level is hit, it returns the power to the source, which is either a dedicated USB controller or the CPU itself. This is bad news bears. The amount of power returned overloads the circuits, rendering it useless. Since a lot of USB controllers are built directly into the main processor… bye bye computer.

Scary. Thankfully the creator hasn’t released the schematic for the drive.

There are enough USB exploits floating around to warrant caution. Some will unknowingly install malware or backdoor software, and now, there is at least one, that will actually destroy your computer. It’s straight out of Colin Farrell spy movie and a fantastic argument for Apple’s vision of the future.


Via Paulo Félix
more...
No comment yet.
Scoop.it!

Despite High-Profile Data Breaches, Fraud is Down

Despite High-Profile Data Breaches, Fraud is Down | IT Support and Hardware for Clinics | Scoop.it

Home Depot, Staples, Neiman Marcus — 2014 was a blockbuster year for the high-profile data breaches, with at least $16 billion stolen from a reported 12.7 million fraud victims.

But those numbers are actually an improvement, according to a new study by Javelin Strategy & Research. Last year, the amount of money lost to fraud dropped 11 percent, down from $18 billion in 2013. And in 2012, the amount was even higher, at $21 billion.

The number of victims is down too, dipping 3 percent in 2014.

Though hacks appear to be growing in size and targeting larger retailers, financial institutions have also gotten better at performing triage after such an attack occurs.

“The combined efforts of industry, consumers, and monitoring and protection systems that are catching fraud more quickly helped reduce the incidence of fraud and the amount stolen over the past year,” said Al Pascual, director of fraud and security at Javelin, a consulting firm that analyzes consumer transactions. “When detected, fraud is being resolved quicker than ever before.”

After 110 million credit card numbers were stolen in the December 2013 Target breach, for example, banks went on the offensive, spending more than $200 million to replace consumer credit and debit cards.

In 2014, 1 in 4 consumers received data breach notifications, but a smaller proportion of those people became fraud victims than in 2013. Last year, fraud incidents among notified breach victims dropped 17 percentage points to 13.7 percent, the lowest rate since Javelin began conducting its annual study in 2004.

The report hypothesized that the huge number of data breaches in 2014 may have spurred banks and retailers to take such attacks more seriously, driving down the incidents of fraud. Improvements in technology that can help detect fraud also contributed to the decline, the report said.

Pascual warned that despite dropping reports of fraud, consumers should still be wary of identity theft.

“We have seen declines in the past, but they have reversed as fraudsters try new approaches or when new technologies make it easier for fraudsters to get consumer information,” he said.

For instance, while new-account fraud (in which a fraudster uses stolen information to open an account in a victim’s name) reached record lows in 2014 according to the Javelin report, this year such incidents have increased due to security weaknesses in Apple’s new mobile payments system, Apple Pay.

In the Javelin report, 13 percent of victims of new-account fraud did not detect the identity theft for more than a year.

Though 2014’s number of victims was down, 2013 had the second-highest number of identity theft victims since Javelin began its annual study.

In the end, said Pascual, more breaches will result in more victims of identity theft. In 2014, two-thirds of identity fraud victims had previously received a data breach notification that year.

“This is a long, drawn-out battle against identity thieves,” he said. “While there have been some victories this year, there have also been some discouraging setbacks. It really reinforces why we need the combined efforts of industry, consumers, and monitoring and protection systems working together to continue the downward trend.”


Via Paulo Félix
more...
No comment yet.
Scoop.it!

Raduege: Why New Cyber Agency Matters

Raduege: Why New Cyber Agency Matters | IT Support and Hardware for Clinics | Scoop.it

A new federal cyberthreat intelligence center could help the government build more resilient networks and better identify cyber-attackers, leading to arrests and punishments, a former top Defense Department IT executive says.

"Those three areas could really go a long way in providing much-needed deterrence to bad cyber-activity on the networks today," says Harry Raduege, a retired Air Force lieutenant general who was the longest serving director of the Defense Information Systems Agency.

Raduege, in an interview with Information Security Media Group, praises the Obama administration's standing up of the Cyber Threat Intelligence Integration Center, announced Feb. 10. The center, known as CTIIC (pronounced see-tick), would cull cyberthreat intelligence from other government agencies to try to identify rapidly responses to protect critical IT systems in government and business.

"I welcome any attempt by our government to improve speed of collaboration and information sharing among government activities and the industry, and also think that this CTIIC can be helpful in more effectively providing fused cyberthreat intelligence and information from across the entire intelligence community in a more timely manner," says Raduege, chairman of the Deloitte Center for Cyber Innovation.

Private Sector Benefits Without Direct Ties

Raduege says he doesn't see the private sector working directly with CTIIC, but says it should benefit from the center's work. He explains that cyberthreat intelligence will be fed to CTIIC from other governmental cybersecurity organizations such as the Department of Homeland Security's National Cybersecurity and Communications Integration Center, a 24x7 cyber-situational awareness, incident response and management center known as NCCIC (pronounced n-kick). NCCIC, which works with the private sector, will forward to CTIIC cyberthreat information from the business community.

When CTIIC comes up with a plan to defend against or respond to attacks, it alerts the other centers, including NCCIC, to execute it. If private sector systems are threatened, NCCIC will work with affected businesses using the CTIIC plan. Through partnerships and the government cybersecurity framework, Raduege says, a trust has developed between DHS and industry in combating cyberthreats.

In the interview, Raduege discusses the:

  • Importance of fusing cyber-intelligence to be analyzed by one agency;
  • Benefits of drawing cybersecurity experts from various agencies to work at CTIIC; the initial team of 50 employees at CTIIC will come from other intelligence agencies;
  • Efforts by DHS to build a strong relationship with the private sector in promoting cyberthreat information sharing.

Raduege, who retired from the Air Force in 2005 after a 35-year career, heads the Deloitte Center for Cyber Innovation, which focuses on developing cyber solutions for organizations grappling with the need to secure interoperable information systems. In the lead up to the 2008 presidential election, Raduege co-chaired the Commission on Cybersecurity for the 44th Presidency, a group of top governmental, military and cybersecurity thought-leaders and practitioners, that presented the new president with an action plan to address IT security challenges.

Since September, he's been a member of DHS's Science and Technology Advisory Committee. For the past five years, he's been a member of the President's Advisory Council at the EastWest Institute, a think tank.


more...
No comment yet.
Scoop.it!

More Retailers Hit by New Third-Party Breach?

More Retailers Hit by New Third-Party Breach? | IT Support and Hardware for Clinics | Scoop.it

CVS, Rite-Aid, Sam's Club, Walmart Canada and other large retail chains have suspended their online photo services following a suspected hack attack against a third-party service provider that may, in some cases, have resulted in the compromise of payment card data.


The suspected breach centers on PNI Digital Media Inc., a Vancouver-based firm that manages and hosts online photo services for numerous retailers. The incident serves as a reminder of the security challenges that organizations face when it comes to managing their third-party vendors and entrusting them with sensitive customer information.


Numerous chains have confirmed that they are investigating potential breaches - some involving payment card data - after being warned by PNI Digital Media that it may have suffered a hack attack that resulted in the compromise of retailers' customers' names, addresses, phone numbers, email addresses, photo account passwords and credit card information. But none of the retailers involved have so far reported that they believe the breach would affect any of their in-store customers, including anyone who used in-store photo services.


PNI Digital Media did not immediately respond to a request for comment on its reported breach investigation. Until July 17, the company's investors page reported that it worked with numerous retailers, and while that page is now blank, a recent version cached by Google's search engine reads: "PNI Digital Media provides a proprietary transactional software platform that is used by leading retailers such as Costco, Walmart Canada, and CVS/pharmacy to sell millions of personalized products every year. Last year, the PNI Digital Media platform worked with over 19,000 retail locations and 8,000 kiosks to generate more than 18M transactions for personalized products."

CVS Confirms Investigation

On July 17, CVS spokesman Mike DeAngelis confirmed that CVSPhoto.com may have been affected by the suspected PNI Digital Media breach. "We disabled the site as a matter of precaution while this matter is being investigated," DeAngelis tells Information Security Media Group.


The cvsphoto.com site now reads in part: "We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised. As a precaution, as our investigation is underway we are temporarily shutting down access to online and related mobile photo services. We apologize for the inconvenience."

CVS says PNI Digital Media collects credit and debit information for customers who purchase online photo services through CVSPhoto.com. Accordingly, CVS recommends that all customers of its online photo service review their credit card statements "for any fraudulent or suspicious activity" and notify their bank or card issuer if anything appears to be amiss. "Nothing is more central to us than protecting the privacy and security of our customer information, including financial information," CVS says. "We are working closely with the vendor and our financial partners and will share updates as we know more."

Rite Aid: No Suspected Card Theft

Drugstore chain Rite Aid has also taken its online and mobile photo services offline. "We recently were advised by PNI Digital Media, the third party that manages and hosts mywayphotos.riteaid.com, that it is investigating a possible compromise of certain online and mobile photo account customer data," Rite Aid's site reads. "The data that may have been affected is name, address, phone number, email address, photo account password and credit card information."


Unlike CVS, however, Rite Aid reports that it does not believe that its customers' payment-card data is at risk. "Unlike for other PNI customers, PNI does not process credit card information on Rite Aid's behalf and PNI has limited access to this information," it says, adding that it has received no related fraud reports from its customers.

Sam's Club has also taken its online photo service offline, "in an abundance of caution and as a result of recent reports suggesting a potential security compromise of the third-party vendor that hosts Sam's Photo website." As with Rite Aid, however, Sam's Club reports that "at this time, we do not believe customer credit card data has been put at risk."


Costco and Tesco Photo have also suspended their online photo services.


Walmart Canada, which also outsources online photo services to PNI, also may have been affected by the possible breach, according to the The Toronto Star, and the retailer has since suspended its online photo services website. "We were recently informed of a potential compromise of customer credit card data involving Walmart Canada's Photocentre website, www.walmartphotocentre.ca," Walmart states. "We immediately launched an investigation and will be contacting customers who may be impacted. At this time, we have no reason to believe that Walmart.ca, Walmart.com or in-store transactions are affected.


Walmart did not respond to Information Security Media Group's request for comment. ISMG also reached out to office supplier Staples, which owns PNI, but did not get a response.

"PNI is investigating a potential credit card data security issue," a Staples spokesperson told The Toronto Star.

Growing Third-Party Breach Concerns

PNI's potential breach comes just a week after Denver-based managed services provider Service Systems Associates announced that a breach linked to a malware attack against its network had likely affected about 12 of the payments systems it operates for gifts shops at retail locations, which include zoos, museums and parks, across the country.


Service Systems Associates says debit and credit purchases made between March 23 and June 25 may have been compromised.

On July 7, the Financial Services Information Sharing and Analysis Center, along with Visa, the U.S. Secret Service and The Retail Cyber Intelligence Sharing Center, which provides threat intelligence for retailers, issued a cybersecurity alert about risks merchants face when dealing with third parties.


The alert lists a number of security recommendations for managing third-party risks, including using multifactor authentication for remote-access login to point-of-sale systems and including specific policies related to outdated operating systems and software in contracts with vendors.


Earlier this month, Chris Bretz, director of payment risk at the FS-ISAC, warned that managed service providers that offer outsourced services to numerous merchants are increasingly being targeted by cybercriminals.


"Criminals continue to find success by targeting smaller retailers that use common IT and payments systems," Bretz said in an interview with ISMG. "Merchants in industry verticals often use managed service provider systems. There might be 100 merchants that use a managed service provider that provides IT and payment services for their business."

more...
No comment yet.
Scoop.it!

A government key to unlock your encrypted messages has major problems and security experts are up in arms

A government key to unlock your encrypted messages has major problems and security experts are up in arms | IT Support and Hardware for Clinics | Scoop.it

Top computer scientists and security experts are warning that government proposals to gain special access to encrypted communications could result in significant dangers. 

A consortium of world-renowned security experts has penned a report detailing the harm that regulating encryption would cause, writes the New York Times


Hard encryption — which global authorities are now trying to combat — is a way to mathematically cipher digital communications and is widely considered the most secure way to communicate online to avoid external snooping. 


This follows news last week that British Prime Minister David Cameron made a proposal to ban encryption as a way to "ensure that terrorists do not have a safe space in which to communicate."  


Since then, experts have begun weighing in about the effect of such drastic measures. This includes well-known cryptographer Bruce Schneier, who told Business Insider that such a strong encryption ban would "destroy the internet."

The new report, which was released today, takes a similarly hard stance. "The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws," it writes. Not only that, but federal authorities have yet to explain exactly how they planned to gain "exceptional access" to private communications.


The report concludes, "The costs would be substantial, the damage to innovation severe, and the consequences to economic growth difficult to predict." In short, the experts believe that trying to put limitations on encrypted communications would create myriad problems for everyone involved. 


This sort of fissure between security experts and federal authorities isn’t new. In fact, a similar proposal was made by the Clinton Administration in 1997 that also took aim at hard cryptography. Back then, a group of experts — many of whom are authors on this new report — also wrote critically about the anti-encryption efforts.

In the end, the security experts prevailed. 


Now, it’s not so certain. FBI director James Comey has joined the ant-encryption brigade, saying that "there are many costs to [universal strong encryption.]"

He and the US deputy attorney general Sally Quillan Yates are scheduled to testify before Senate tomorrow to defend their views, the New York Times reports.

The question now is whether other federal officials will side with people like Comey and Cameron or the group of security experts. 

In the paper's words, creating such back-door access to encrypted communications "will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend."

more...
No comment yet.
Scoop.it!

FBI Alert: $18 Million in Ransomware Losses

FBI Alert: $18 Million in Ransomware Losses | IT Support and Hardware for Clinics | Scoop.it

In the past year, U.S. businesses and consumers have experienced more than $18 million in losses stemming from a single strain of ransomware called CryptoWall, according to the Internet Crime Complaint Center.


In total, IC3 - a collaboration between the FBI and the National White Collar Crime Center - says it received 992 CryptoWall-related complaints from April 2014 to June 2015. And it says the reported losses relate not just to ransom payments potentially made by victims, but additional costs that can include "network mitigation, network countermeasures, loss of productivity, legal fees, IT services and/or the purchase of credit monitoring services for employees or customers."

The quantity of ransomware attacks continues to escalate, security experts say, because it offers criminals the potential for high rewards with little risk (see Crime: Why So Much Is Cyber-Enabled). Indeed, ransomware attacks can be launched en masse by remote attackers and are relatively cheap and easy to perpetrate. Even the process of collecting payments from victims - often payable in bitcoins - and providing decryption keys can be automated.

"In most cases, once the victim pays a ransom fee, he or she regains access to the files that were encrypted," IC3 reports. "Most criminals involved in ransomware schemes demand payment in Bitcoin. Criminals prefer Bitcoin because it's easy to use, fast, publicly available, decentralized and provides a sense of heightened security/anonymity."

Because ransomware can rely so heavily on social engineering - tricking - victims into executing related malware or falling for ransom scams, many security experts have urged businesses to continually educate their employees and customers about ways to spot such attacks and defend themselves.

Click-Fraud Attack Spike


Earlier this month, security firm Symantec warned that it had seen a spike in attacks that began with the year-old Poweliks Trojan, which was designed to perpetrate click fraud, and which also downloaded CryptoWall onto an infected system. Click fraud refers to infecting systems with malware that is used to make "bogus requests" for online advertising, without the malware revealing its presence to the user of the infected system.

Using a single piece of malware - or "dropper" - to infect a system and then download and install many other types of malware onto the same system is not a new attack technique.

For example, authorities have accused the gang behind Gameover Zeus of first using that Trojan to harvest bank credentials, and then infecting systems with Cryptolocker ransomware. The U.S. Department of Justice believes that the Gameover Zeus gang is responsible for more than $100 million in losses via the banking Trojan, and netted $27 million in ransom payments in just the first two months they began using Cryptolocker.

Attacks Get Modular


But attackers have been retooling their malware to make it easier to rapidly infect PCs with multiple types of malware. Security firm Trend Micro warned in 2013 that the aging Asprox botnet, which was first discovered in 2007, had re-emerged "with a new and improved modular framework," and been rebranded as Kuluoz malware, which was a dropper designed to download additional malware onto infected PCs.

By December 2014, the Level 42 threat-intelligence research group at security vendor Palo Alto Networks reported seeing a spike in Asprox-related attack activity. "This malware sends copies of itself over email quickly and to users all around the world and then attempts to download additional malware," it said. The researchers noted that of the 4,000 organizations that it was monitoring, the malware had been tied to "approximately 80 percent of all attack sessions" seen in October and had attempted to infect nearly half of all those organizations.

Also in December, the Association of National Advertisers warned that U.S. businesses were losing about $6.3 billion annually to click fraud. The same month, a study conducted for the ANA by the security firm White Ops found that botnets were responsible for "viewing" 11 percent of all online advertisement, and 23 percent of all online video advertisements.

Asprox Botnet Serves CryptoWall


But click-fraud malware attacks are increasingly blended with other types of malware as attackers attempt to monetize infected PCs as much - and as rapidly - as possible.

In a recent series of attacks, Asprox malware - now typically distributed via phishing attacks - "phoned home" to the Asprox command-and-control server after it infected a PC, and received back the Zemot dropper malware, according to a new report released by the security firm Damballa. The dropper then downloaded the Rovnix rootkit, as well as Rerdom, which is a click-fraud installer.

Damballa says that it has also seen Zemot get installed via crimeware toolkit exploits, which can exploit systems using known vulnerabilities, for example if attackers compromise otherwise legitimate websites and use them to launch drive-by attacks.

Inside enterprises, "click fraud is generally viewed as a low-priority risk," Damballa says. "In reality, click fraud is often a precursor to something more sinister. A device infected with click-fraud [malware] may leave the enterprise susceptible to dangerous downstream infections."

Indeed, Damballa reports that tests of Asprox-infected machines found that over the course of two hours, a single PC was infected with three different types of click-fraud malware, as well as the CryptoWall ransomware. Even after CryptoWall encrypted much of the infected PC's hard drive, furthermore, the click-fraud malware continued to operate, so long as the machine remained Internet-connected.

more...
No comment yet.
Scoop.it!

Apple and Google ask Obama to leave smartphone security alone

Apple and Google ask Obama to leave smartphone security alone | IT Support and Hardware for Clinics | Scoop.it

FBI director James Comey has asked Congress for help getting around the upgraded encryption on Apple's smartphone, something he believes is creating too high a hurdle for law enforcement. It's not clear if his calls for new legislation have much chance for success, but they are clearly causing ripples in Silicon Valley. In a letter obtained by The Washington Post, tech heavyweights like Apple and Google call on President Obama to reject any new laws that would weaken security.

Better domestic surveillance is not an easy sell


There have been laws kicking around Congress for a while that would create the kind of backdoors Comey and other security hawks have been pushing for. CALEA II is one such bill, but it trips over all the outsized fears about government surveillance that the public has long held, even more so in the wake of Edward Snowden and revelations about just how much of our everyday communication is being vacuumed up by the NSA.


As we wrote back in October of 2014, that means "Comey's left exactly where we started, making ominous noises and generating headlines favorable to the FBI, but not actually doing anything. It's a bluff, a way to nudge public opinion without committing the bureau to anything. This isn't a crypto war — it's a pageant."


more...
No comment yet.
Scoop.it!

Do you know where your sensitive data lives?

Do you know where your sensitive data lives? | IT Support and Hardware for Clinics | Scoop.it

Challenges with tracking where sensitive and regulated data is flowing, and the inability to control that flow in outsourced environments such as SaaS cloud applications, where it can move freely between data centers and cloud provider’s partner’s systems, is a key challenge for enterprises in regulated sectors.

More than 125 attendees at RSA Conference 2015 took the survey, which was conducted via in-person interviews by Perspecsys. The results interestingly reveal a split decision when it comes to trust in Cloud Service Providers (CSPs): 52 percent of respondents say they trust their CSP to take care of protecting and controlling their enterprise data and the other half (48 percent) do not.

Enterprises need to consider encrypting or tokenizing any sensitive data before it goes to the cloud, so they retain full control of their information while it is in-transit to the cloud, while it is stored at-rest in the cloud and while it is in-use being processed in the cloud.

IDC forecasts that public IT cloud services will account for more than half of global software, server, and storage spending growth by 2018. The Perspecsys survey findings align with this projection, with 67 percent of respondents preferring to store the majority of enterprise data in the cloud – that is – if data privacy and compliance regulations could be addressed. Interestingly, the current perception remains that private cloud is more secure than its public cloud cousins. For example:


  • About half of respondents say existing or impending data privacy regulations impact up to 50 percent of their cloud strategy
  • The majority of respondents still house less than a quarter of their data in public cloud environments
  • About a third claim no public cloud use at any level (IaaS, PaaS or SaaS), as far as they know.

Via Paulo Félix
more...
No comment yet.
Scoop.it!

New Rombertik malware destroys master boot record if analysis function detected

New Rombertik malware destroys master boot record if analysis function detected | IT Support and Hardware for Clinics | Scoop.it

While detection scanning malware is nothing new, Cisco researchers have identified a new malwaresample that takes its detection evasion features one step further than the average malware.


Instead of simply self-destructing when analysis tools are detected, Rombertik attempts to destroy the device's master boot record (MBR), researchers wrote in a blog post


This malware spreads through spam and phishing messages sent to possible victims.


In one example, attackers attempted to convince a user to download an attached document in an email. If downloaded and unzipped, a file that looks like a document thumbnail comes up. Although it mimics a PDF icon, it is actually a .SCR screensaver executable file containing the malware.


At this point Rombertik will first run anti-analysis checks to determine whether it is running within a sandbox. If it isn't, it will then decrypt and install itself, which then allows it to launch a second copy of itself and to overwrite the second copy with the malware's core functionality. Then, again, it will check to make sure it isn't being analyzed in memory. If it is, the attack takes an even more malicious turn with the malware attempting to destroy the Master Boot Record and restart the computer to make it inoperable.


To make actual analysis even more difficult, in the unpacked Rombertik sample used by Cisco more than 97 percent of the packed file dedicated to useless files, including 75 images and more than 8,000 functions that are never used.


Plus, instead of evading sandbox detection by sleeping for a certain amount of time and forcing the sandbox to time out, Rombertik writes a byte of random data to memory more than 900 million times. If an analysis tool attempted to document all these write instructions, the log would be more than 100 gigabytes.


All this occurs before the malware actually gets down to its true purpose of capturing a victim's plain-text data sent over a browser. Rombertik injects itself into the user's preferred browser's process and hooks API functions that handle plain text data. The attackers can then see usernames and passwords from almost any website a user visits.

“This is the perfect example where layered defense makes a lot of sense,” said Craig Williams, technical leader, Cisco Talos, in an interview with SCMagazine.com.


Although the malware may beat one detection system it's unlikely to detect or avoid them all, he said, making layered defense an important method to mitigate the risk. However, he noted, it's possible more exploit kits will begin adopting Rombertik's evasion tactics, making defense even more difficult.


Via Danen Raas, Paulo Félix
more...
No comment yet.
Scoop.it!

House Panel Passes Cyberthreat Info Sharing Bill

House Panel Passes Cyberthreat Info Sharing Bill | IT Support and Hardware for Clinics | Scoop.it

After beating back amendments by Democratic members to limit liability protections for businesses, the House Homeland Security Committee on April 14 unanimously approved cyberthreat information sharing legislation on a voice vote.


The bill, sponsored by Committee Chairman Mike McCaul, R-Texas, now goes to the full House, where differences with another cyberthreat information sharing measure approved by the House Intelligence Committee last month will be worked out. House leaders indicated that the full House could vote on cyberthreat information sharing legislation as early as next week.


In the Senate, a version of its cyberthreat information sharing bill could come up for a vote shortly. Senate Majority Leader Mitch McConnell included the Cybersecurity Information Sharing Act passed last month by the Senate Intelligence Committee as among several bipartisan bills that the Senate is "working hard to advance."


The National Cybersecurity Protection Advancement Act of 2015, approved by the House Homeland Security Committee, provides many of the privacy and civil liberties protections sought by President Obama that were absent in earlier versions of cyberthreat information sharing legislation that passed the House and the White House had threatened to veto in the two previous congresses.

Limits Placed on Shared Data

The House committee approved one amendment that explicitly states that shared cyberthreat information processed through the National Cybersecurity and Communications Integration Center - known as NCCIC, the Department of Homeland Security portal - could not be used for law enforcement or intelligence purposes. Civil liberties groups have raised concerns that some cyberthreat information sharing bills could allow the use of collected cyberthreat data to spy on Americans, violating their privacy and liberties.


The legislation would require private companies to remove personally identifiable information unrelated to the cybersecurity risk before sharing information with the NCCIC or other private entities. It would also require the NCCIC to conduct a second scrub and destroy any personal information that is unrelated to the cybersecurity risk before further sharing with other government agencies or private organizations.


The aim of the cyberthreat information sharing legislation is to encourage businesses and other private organizations to share voluntarily threat data with the government and other businesses to mitigate damaging cyber-attacks. But some businesses are reluctant to share the information unless they are protected from legal actions, which led to the various provisions to offers liability protections.

Liability Provisions Remain Intact

The Democratic minority on the House Homeland Security Committee, along with the Obama administration, contend that the liability protections offered to businesses in the committee's bill were too broad, providing legal protections when not warranted. An amendment offered by Rep. Cedric Richmond, D-La., would have removed liability protection for businesses that received threat data but failed to act on it. "If you abide by the provisions of this act," Richmond said, "then you're exempt from liability. It's just that simple. Instead of adding all these other concepts to the liability language, if we take the time to pass a bill and you abide by it, you have liability exemption. If you don't, then you don't have exemption."


But the bill's cosponsor, Republican Rep. John Ratcliffe of Texas, said the broader liability protections in the bill are aimed to get the greatest number of businesses to participate in cyberthreat information sharing. "Stakeholders are concerned about putting their customers or consumers at risk, and their information at risk; they're concerned about exposing their own sensitive business information by sharing," Ratcliffe said. "And, they're also concerned about possibly violating federal privacy laws. Having strong liability protection is going to be absolutely critical and vital to the success of this bill, and the phraseology in this bill is absolutely critical and essential to that point."

The bill originally provided liability protection for businesses that conducted its network security awareness in "good faith," but the committee voted to excise those words from the measure because, as McCaul noted, the term is too ambiguous and could lead to confusion in enforcing the measure should it become law.

Awaiting Word from White House

The White House has not said whether it would support or veto any of the cyberthreat information sharing bills winding their way through Congress. Statements of Administration Policy, such as the ones containing the earlier veto threats, usually are issued shortly before one of the chambers is set to vote on the legislation.

After the committee vote, the Financial Services Roundtable called for swift floor action on the legislation. "Congressional action to better protect consumers from cyber-attacks is long overdue," said Tim Pawlenty, CEO of the Roundtable, a financial services industry advocacy group. "We applaud the House for addressing gaps in our nation's cybersecurity laws and urge both chambers of Congress to quickly put a bill on the president's desk."


more...
No comment yet.
Scoop.it!

Ransomware: The Right Response

Ransomware: The Right Response | IT Support and Hardware for Clinics | Scoop.it

So-called ransomware attacks are on the rise, namely because targeted businesses are increasingly willing to negotiate with - and even pay - their extortionists.


Ransomware has been getting a lot of media attention of late. On April 1, security firm Trend Micro reported that since the beginning of the year, numerous variants of crypto-ransomware have been discovered in the wild, striking consumers and businesses throughout the world.

 Criminals rarely hold up their end of the bargain, so negotiating with anyone who is demanding a ransom is just a bad idea. 


Just weeks earlier, security firms FireEye and Bitdefender issued warnings about new ransomware trends that were making these attacks more difficult to thwart and detect.


Now experts are calling attention to one of the reasons why ransomware attacks are becoming more common - because organizations say they'd rather not deal with the fallout that trails a breach or cyber-attack that goes public. Instead of getting law enforcement involved, they'd rather try their hands at making deals with their attackers first.


But paying ransom is short-sighted and is never a good idea. Why? Because cybercriminals rarely keep their end of the bargain. Organizations that negotiate with hackers often end up with lost data after paying a hefty ransom.


Lance James, who heads up cyber-intelligence at consultancy Deloitte & Touche, says most businesses that pay ransoms never have their data restored or their encrypted files decrypted.


During his presentation at Information Security Media Group's Fraud Summit in Atlanta, James discussed ransomware cases he has investigated. He noted that in most of those cases, businesses paid the ransom and then the attackers disappeared, never fulfilling their end of the negotiating bargain.


Of course, organizations should prepare for these types of attacks by taking steps now to ensure they have data and drive backups, and that they have strong multifactor authentication requirements for access to servers, in the event an employee's credentials are hijacked during one of these attacks.


But businesses also need to spend more time educating their staff about how ransomware attacks work, why these attacks are waged, and why reporting these attacks to law enforcement, rather than trying to handle them internally, is so critical.

The Attack Strategy

Ransomware attacks are waged in two parts. First, a PC or mobile device is infected with malware that locks the corporate user out or encrypts files so that the user can longer access them. Then a ransom is demanded through an automated message that appears on the device's screen. The user is told he or she has a limited amount of time to pay the ransom before the device will be wiped clean or the files will be erased.


The tools for these attacks are easy to buy and technical support for waging the attacks is inexpensive.


Law enforcement agencies, such as the Federal Bureau of Investigation, have advised consumers and businesses to immediately report ransomware schemes when they occur.


But security researchers say that, despite of those warnings, many businesses are opting to either pay the ransom or are engaging in direct negotiations with their attackers instead of getting the authorities involved.

Willingness to Negotiate

A new study from cyber-intelligence firm ThreatTrack Security finds that 40 percent of security professionals believe their organizations have been targeted by a ransomware attack. Of those that believe they've been targeted, 55 percent say that when under attack, they are willing to negotiate a ransom in exchange for the release of corporate data or files.


ThreatTrack's research also finds that one in three security pros would recommend to upper management that their companies negotiate a ransom to see if they could avoid public disclosure of a breach involving stolen data or files that have been encrypted as part of the attack.


In fact, 66 percent of those surveyed by ThreatTrack say they fear negative reactions from customers and/or employees whose data was compromised in a breach if those customers or employees were to learn that their organizations chose not to negotiate with cybercriminals for the return of data.


ThreatTrack's survey includes responses from 250 U.S. security professionals at companies with 500 to 2,500 employees.

Beware of a Quick Fix

When it comes to ransomware attacks waged against corporations, many victimized organizations see paying the criminals what they want as the easiest way to make the problem go away.


But criminals rarely hold up their end of the bargain, so negotiating with anyone who is demanding a ransom is just a bad idea.

Obviously, more education, from the CEO down to the employee, is needed. But we also need a shift in the corporate culture, with an emphasis on looking beyond a "quick fix" for avoiding breach publicity.

Information sharing with peers can play a critical role as well. The more we talk about these attacks and share the techniques used, the more we can learn about how to defend our networks and shield our employees from falling victim to the phishing schemes that are often used to infect systems in the first place.


Security vendors need to step up their efforts here, too. Rather than just supplying intrusion detection, they also need to provide some good-old-fashioned education.

more...
Ivan Garcia-Hidalgo's curator insight, April 8, 2015 1:33 PM

Ransomware: The Right Response #InfoSec #cybersecurity

Scoop.it!

Cybersecurity Bills: Latest Developments

Cybersecurity Bills: Latest Developments | IT Support and Hardware for Clinics | Scoop.it

The House Intelligence Committee has approved cyberthreat information sharing legislation that its leaders developed, one of four such proposals pending before Congress.


Meanwhile, the co-chairman of the House Cybersecurity Caucus, Rep. Jim Langevin, D-R.I., has introduced a national data breach notification bill modeled on language proposed earlier this year by the White House.


The leaders of the House Intelligence Committee recently introduced the cyberthreat information sharing bill known as the Protecting Cyber Networks Act. After incorporating some additional privacy protections proposed by the White House and committee remembers, the bill was unanimously approved by the panel in a closed session on March 26. It now goes to the full House for consideration.


"This bill will help defend U.S. networks against a wide array of cybercriminals who are becoming more active and more threatening every day," committee chairman Devin Nunes, R-Calif., said in a statement after the bill was approved. "It's a bipartisan approach with strong privacy protections that will have a deep impact on this growing problem."


Nunes told reporters that the approved version of the bill included a manager's amendment - a single amendment that contains a number of smaller amendments from several committee members from both sides of the aisle, as well as the White House - aimed at strengthening the bill's privacy protections, The Hill reports.


Committee ranking member Adam Schiff, D-Calif., said in a statement that he's "optimistic about its prospects for passage," especially in light of the bill having been updated to reflect requests from the White House, although he did not identify what those requests or resulting changes were.


Four information-sharing bills are currently pending, including the Senate's Cybersecurity Information Sharing Act. The Senate Intelligence Committee approved CISA in a closed session on March 12. CISA offers liability protection to businesses that share cyberthreat information with each other, as well as with the government.


Earlier this month, Rep. Mike McCaul, R-Texas, introduced competing draft legislation called the National Cybersecurity Protection Advancement Act, which gives businesses that share such information immunity from related lawsuits, provided they have not committed "willful misconduct or gross negligence." Meanwhile a fourth measure, the Cyber Threat Sharing Act, sponsored by Sen. Tom Carper, D-Del., hews more closely to a White House proposal. It designates the Department of Homeland Security's National Cybersecurity and Communications Integration Center as the key government agency to collaborate with the private sector through information sharing and analysis organizations, known as ISAOs, to share cyberthreat information.

New Data Breach Notification Bill

Beyond its consideration of cyberthreat information-sharing bills, Congress has been increasingly focused on the prospect of passing national data breach notification legislation.


On March 26, Rep. Jim Langevin, D-R.I., introduced the Personal Data Notification and Protection Act of 2015, which is modeled on a January 2015 proposal from the White House. It includes a 30-day notification requirement after an organization discovers a breach. But the U.S. Secret Service or FBI would be able to delay such notifications on national security grounds, or if it would jeopardize related investigations.


"We have seen time and again the vulnerability of companies large and small, and consumers deserve to know as quickly as possible when their personal information has been compromised," Langevin said in a statement.


His bill would apply to any business that maintains records on 10,000 or more people in a 12-month period. Breached businesses would also be required to not only notify consumers whose personal information was exposed, but also media outlets if more than 5,000 records are breached that relate to consumers in a single state. They also would be required to notify credit-reporting agencies for any breach involving 5,000 records or more. The measure would expand the Federal Trade Commission's definition of deceptive acts or practices to include noncompliance with the law.


Organizations would be exempt from breach notifications - though only with the FTC's approval - if they determined that there was no risk that consumers would actually be harmed by the breach.

Rival Breach Notification Bill

Langevin's bill competes with the Data Security and Breach Notification Act of 2015, which the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade approved March 25. Its provisions include a requirement for organizations to report any breaches that expose personal information, no matter how many records they maintain. Such notifications would not be required within 30 days of the breached organization having concluded a related digital forensics investigation and repaired affected systems. The bill would also require businesses to "implement and maintain reasonable security measures and practices to protect and secure personal information" and supplant any such requirements at the state level.

Some Democratic members of the House subcommittee had attempted to amend the Data Security and Breach Notification Act of 2015 so states could retain stronger breach-protection and notification requirements than the bill proposes. But those amendments were voted down before the subcommittee approved the bill, which now advances to the full Energy and Commerce Committee.


Both pending breach notification bills, if enacted, would usurp the patchwork of breach notification laws now in place across 51 different jurisdictions - 47 states, three territories and Washington, D.C. - in favor of a single federal statute.

Both of the bills would also exempt from compliance organizations that must comply with the Health Insurance Portability and Accountability Act's breach notification requirements.

Proposal: Cyberspace Office

Langevin this week also reintroduced his Executive Cyberspace Coordination Act - first proposed in August 2013 - which would create a new National Office for Cyberspace at the White House to coordinate all government-level cyberspace-related initiatives, as well as review all related budgets.


"A cybersecurity coordinator, freed from other budgetary pressures, would be able to offer independent analysis as to whether departments and agencies are adequately defended," Langevin said in a statement. "Making these smart investments now will save us paying a much higher price later."


more...
No comment yet.
Scoop.it!

Online trust is at the breaking point

Online trust is at the breaking point | IT Support and Hardware for Clinics | Scoop.it

IT security professionals around the globe believe the system of trust established by cryptographic keys and digital certificates, as well as the security of trillions of dollars of the world's economy, is at the breaking point.

For the first time, half of the more than 2,300 IT security professionals surveyed by The Ponemon Institute now believe the technology behind the trust their business requires to operate is in jeopardy. 100% of organizations surveyed had responded to multiple attacks on keys and certificates over the last two years.


Research reveals that over the next two years, the risk facing every Global 5000 enterprise from attacks on keys and certificates is at least $53 million USD, an increase of 51 percent from 2013. For four years running, 100 percent of the companies surveyed said they had responded to multiple attacks on keys and certificates, and vulnerabilities have taken their toll.

"The overwhelming theme in this year's report is that online trust is at the breaking point. And it's no surprise. Leading researchers from FireEye, Intel, Kaspersky, and Mandiant, and many others consistently identify the misuse of key and certificates as an important part of APT and cybercriminal operations," said Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi. "Whether they realize it or not, every business relies upon cryptographic keys and digital certificates to operate. Without the trust established by keys and certificates, we'd be back to the Internet 'stone age' – not knowing if a website, device, or mobile application can be trusted."

As risk increases, so does the number of keys and certificates: Over the last two years, the number of keys and certificates deployed on infrastructure such as web servers, network appliances, and cloud services grew more than 34 percent to almost 24,000 per enterprise. The use of more keys and certificates makes them a better target for attack. Stolen certificates sell for almost $1000 on underground marketplaces, and doubled in price in just one year. Researchers from Intel believe hacker interest is growing quickly.

Organizations are more uncertain than ever about how and where they use keys and certificates: Now 54 percent of organizations admit to not knowing where all keys and certificates are located and how they're being used. This leads to the logical conclusion: how can any enterprise know what's trusted or not?

Security pros worry about a Cryptoapocalypse-like event: A scenario where the standard algorithms of trust like RSA and SHA are compromised and exploited overnight is reported as the most alarming threat. Instantly transactions, payments, mobile applications, and a growing number of Internet of Things could not be trusted. Coined by researchers at Black Hat 2013, a Cryptoapocalypse would dwarf Heartbleed in scope, complexity, and time to remediate.

The misuse of enterprise mobile certificates is a lurking concern: The misuse of enterprise mobility certificates used for applications like WiFi, VPN, and MDM/EMM is a growing concern for security professionals. Misuse of enterprise mobility certificates was a close second to a Cryptoapocalypse-like event as the most alarming threat. Incidents involving enterprise mobility certificates were assessed to have the largest total impact, over $126 million, and the second largest risk. With a quickly expanding array of mobile devices and applications in enterprises, it's no wonder why security pros are so concerned.

"With the rising tide of attacks on keys and certificates, it's important that enterprises really understand the grave financial consequences. We couldn't run the world's digital economy without the system of trust they create," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. "This research is incredibly timely for IT security professionals everywhere – they need a wake up call like this to realize they can no longer place blind trust in keys and certificates that are increasingly being misused by cybercriminals."survey


Via Paulo Félix
more...
No comment yet.
Scoop.it!

Should we hack the hackers? - The Guardian

Should we hack the hackers? - The Guardian | IT Support and Hardware for Clinics | Scoop.it

If we’re losing the war against cybercrime, then should we take off the gloves and strike back electronically against hackers?

As banks reel from another major hacking revelation, a former US director of intelligence has joined some of them in advocating for online counterstrikes against cybercriminals.

In February, security firm Kaspersky detailed a direct hack against 100 banks, in a co-ordinated heist worth up to $1bn. This follows growing sentiment among banks, expressed privately, that they should be allowed to hack back against the cybercriminals penetrating their networks.

At February’s Davos forum, senior banking officials reportedly lobbied for permission to track down hackers’ computers and disable them. They are frustrated by sustained hacking campaigns from attackers in other countries, intent on disrupting their web sites and stealing their data.

Dennis Blair, former director of national intelligence in the Obama administration, has now spoken out in favour of electronic countermeasures, known in cybersecurity circles as hacking back, or strikeback.

Blair co-authored a 2013 report from the US Commission on the Theft of American Intellectual Property. It considered explicitly authorising strikeback operations but stopped short of endorsing this measure at the time.

Instead, the report suggested exploring non-destructive alternatives, such as electronically tagging stolen data for later detection. It also called for a rethinking of the laws that forbid hacking, even in self-defence.

Western law enforcers don’t have jurisdiction in the countries where cybercriminals operate. Ideally, they would pass information about hackers onto their counterparts there, said Blair, but in many cases local police are un-cooperative. It’s time to up the ante, he suggested.

“I am more leaning towards some controlled experiments in officially conducting aggressive cyber-tracking of where attacks come from, discovering their origin, and then taking electronic action against them,” he told the Guardian.

Legal problems

There’s just one problem with strikeback operations, said Mark Rasch, a former federal cybercrime prosecutor and the head of Maryland-based Rasch Technology and Cyber-law: it’s against the law. “You have to start with the general assumption that hacking back is most likely illegal,” he said.

Long-standing laws on both sides of the Atlantic clearly forbid unauthorised tampering with a computer, even if someone is using that computer to attack you. In the UK, the Computer Misuse Act sets those rules. In the US, the Computer Fraud and Abuse Act does the same.

Even without this legislation, the law generally frowns upon what Rasch calls “self help”. Judges dislike vigilante justice.

The stakes are getting higher, though. Since the report’s release, corporate America has seen several devastating cyber-attacks. JP Morgan suffered a breach affecting 76 million households. Home Depot and Target were also hacked, and most recently, Sony Entertainment was embarrassed by the theft of internal documents.

“I’ve been seeing the way that technology is developing. I think it’s worth some limited legislation to post penalties back to hackers,” Mr Blair said, adding that companies should work with law enforcement rather than taking matters into their own hands.

“Law enforcement authorities can go back down the same route that [the hackers] use to attack, and cause physical damage to their equipment,” he added.



Via Paulo Félix
more...
No comment yet.
Scoop.it!

Lenovo Website Hijacked

Lenovo Website Hijacked | IT Support and Hardware for Clinics | Scoop.it

The website of Lenovo.com, the world's largest PC manufacturer, was hacked on Feb. 25 and visitors directed to an attacker-controlled page. The hacking group Lizard Squad, which has claimed credit for the attack via Twitter, also appears to have intercepted some Lenovo e-mails.

"Lenovo has been the victim of a cyber-attack," spokeswoman Wendy Fung told Information Security Media Group on Feb. 26. "One effect of this attack was to redirect traffic from the Lenovo website. We are also actively investigating other aspects. We are responding and have already restored certain functionality to our public-facing website.


"We regret any inconvenience that our users may have if they are not able to access parts of our site at this time," Fung added. "We are actively reviewing our network security and will take appropriate steps to bolster our site and to protect the integrity of our users' information and experience. We are also working proactively with third parties to address this attack and we will provide additional information as it becomes available."

Lenovo appeared to have restored complete access to its public website by the evening of Feb. 25.

The attack follows revelations that Lenovo, in recent months, had been preinstalling Superfish, which is adware that information security experts warn could be abused by attackers to intercept consumers' communications on many of its consumer devices.

In response to those reports, Lenovo has apologized and released utilities consumers can use to expunge Superfish from their systems. Working with McAfee, Microsoft and Trend Micro, the Superfish software has also been classified as malware and targeted for removal by their anti-virus engines, which Lenovo says will remotely wipe the adware from many systems.

Lizard Squad has recently claimed credit for a number of attacks, including the January disruption of the Malaysian Airline website, as well as the 2014 Christmas Day disruption of the Sony PlayStation and Microsoft Xbox Live networks.

Hacking Lenovo's DNS

The Lenovo.com website disruption began Feb. 25 at about 4 p.m. ET, with visitors to the site being redirected to another site that was labeled as being "the new and improved rebranded Lenovo website," accompanied by a slideshow of bored-looking teenagers looking at webcams, as the song "Breaking Free" - from the movie "High School Musical" - played in the background, technology publication The Verge first reported.

"We're breaking free! Soarin', flyin', there's not a star in heaven that we can't reach!" Lizard Squad tweeted at 4:19 p.m. ET via its @LizardCircle account, referencing the lyrics from the High "School Musical" song.

Security experts say Lizard Squad appears to have hijacked the Lenovo.com website by compromising its domain registrar, Web Commerce Communications Limited - better known as Webnic.cc. The attackers were then able to alter the Lenovo.com DNS settings, ultimately transferring them to servers run by the distributed denial-of-service attack defense service CloudFlare.

"To all asking: Lenovo was NOT a CF customer; their domain was hijacked & transferred to us," CloudFlare principal security research Marc Rogers tweeted on Feb. 25. "We are working with them to restore service."

The choice of CloudFlare was no doubt an ironic move, given that Lizard Squad says its attacks are meant to advertise its own DDoS service, Lizard Stresser.

Domain Registrar Offline

Following the attack, the Webnic.cc website has been unavailable and resolving to a "service temporarily unavailable" error message. Contacted on Feb. 26, a member of the Webnic.cc customer support team, based in Kuala Lumpur, Malaysia, declined to comment on the reported attack, and whether the website outage was intentional, for example if the registrar is attempting to conduct a digital forensics investigation and remediate affected systems following the apparent hack attack.

If Lizard Squad obtained access to internal Webnic.cc systems, then it could have transferred the Lenovo.com website to any address of its choosing. Bolstering that theory, Lizard Squad has published what it claims to be an authorization key - also known as an auth code or EFF key - that it stole from Webnic.cc. Such keys are used to authorize the transfer of domains between registrars.

Lenovo E-Mail Theft?

Lizard Squad has also published two e-mails that had apparently been sent to employees at Lenovo - with a Lenovo.com e-mail address - on Feb. 25, during the time when the hacking group appeared to have been in control of the Lenovo.com DNS settings. One e-mail cited The Verge report that the Lenovo.com website had been hacked as of 4 p.m. ET, and that Lizard Squad appeared to be responsible.

Another published e-mail referred to a Lenovo Yoga laptop that was "bricked" when a customer attempted to run Lenovo's update to remove the Superfish application and root certificate that it was preinstalling on many of its consumer devices (see Lenovo Drops Superfish Adware). "FYI - the process to remove the Superfish software from the Yoga 11 has resulted in a failed device. Can we get him a new one?" the internal e-mail reads.

Lenovo's Fung declined to comment on whether those e-mails were genuine. But Lizard Squad says via Twitter: "We'll comb the Lenovo dump for more interesting things later."

Follows Google Vietnam Hack

The Lenovo website hack follows Lizard Squad claiming credit for the recent disruption of Google.com.vn, or Google Vietnam, which was reportedly also registered with Webnic.cc. For several hours on Feb. 23, visitors to that Google website were reportedly redirected to a website that showed a man taking a "selfie" in the mirror with his iPhone, underneath the words "Hacked by Lizard Squad," The Wall Street Journal reports.

Google says that its systems were not breached by the attack, and said its domain name registrar was responsible. "For a short period today, some people had trouble connecting to google.com.vn, or were being directed to a different website," a Google spokesman told The Wall Street Journal. "We've been in contact with the organization responsible for managing this domain name and the issue should be resolved."


more...
No comment yet.