IT Support and Hardware for Clinics
32.7K views | +1 today
Follow
IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice
Your new post is loading...
Your new post is loading...
Scoop.it!

FBI Alert: Business Email Scam Losses Exceed $1.2 Billion

FBI Alert: Business Email Scam Losses Exceed $1.2 Billion | IT Support and Hardware for Clinics | Scoop.it

The FBI, in a new alert, estimates that fraud losses linked to so-called business email compromise scams worldwide totaled more than $1.2 billion from October 2013 to August 2015. But some financial fraud experts say the losses from this largely overlooked threat could be even higher because the incidents often are not reported.


David Pollino, bank fraud prevention officer at Bank of the West, who calls these scams "masquerading" schemes, has warned of upticks in this type of wire fraud since January 2014.


In May, he predicted that losses linked to masquerading, or business email compromise attacks, in 2015 alone would exceed $1 billion. "This is a global fraud trend," he said.


In a white paper Bank of the West recently posted about this fraud trend, Pollino notes that masquerading attacks are among the top three fraud threats facing small businesses today.


"Masquerading is a payments scheme in which a fraudster impersonates a company executive or outside vendor and requests a wire transfer through a phone call or email to a company controller, or someone else with authority to wire funds," Pollino writes. "The controller will usually tell the business' bank to wire the funds because the email or phone call seems legitimate."


Fraudsters' social-engineering methods include sending these bogus requests to accounting departments with a sense of urgency, Pollino notes. To speed up payments, the fraudsters often ask the bank or credit union to bypass the normal out-of-band authentication and transaction verification processes in place for wires, especially those being sent to overseas accounts, he says.


"For the third consecutive year, three in five companies were targets of payments fraud," which includes BEC scams, Pollino points out, quoting statistics in the Association for Financial Professionals' 2015 Payments Fraud and Control Survey.


To mitigate risks associated with these scams, Pollino recommends that businesses:


  • Develop an approval process for high-dollar wire transfers;
  • Use a purchase order model for wire transfers, to ensure that all transfers have an order reference number that can be verified before approval;
  • Confirm and reconfirm transfers through out-of-band channels, such as a confirmation emails or SMS/texts; and
  • Notify the banking institution if a request for a transfer seems suspicious or out-of-the-norm.
FBI Alert

In its Aug. 27 alert, the FBI notes that most of the companies that have fallen victim to BEC scams have been asked to send urgent wires to foreign bank accounts, most of which are based in China and Hong Kong.


"The BEC scam continues to grow and evolve and it targets businesses of all sizes," the FBI notes. "There has been a 270 percent increase in identified victims and exposed loss since January 2015. The scam has been reported in all 50 states and in 79 countries."

From October 2013 through August 2015, the FBI estimates that some 7,066 U.S. businesses and 1,113 international businesses fell victim to this socially engineered scheme.

Quantifying Losses a Challenge

But quantifying losses from BEC scams has proven challenging because many of the incidents are not reported.


"Certainly these losses are understated, because many companies are not reporting them to the FBI due to embarrassment, lack of knowledge of where to turn, or the realization that there is no chance of retrieving their funds," says financial fraud expert Shirley Inscoe, an analyst at consultancy Aite. "So much money is being stolen through this scam that it is only going to continue, costing businesses billions of dollars."


In an effort to curb losses associated with these socially engineered schemes, Inscoe says financial institutions must educate their commercial customers about how these types of attacks are waged.


And she contends that the Asian banks to which these fraudulent wires are being sent should be held accountable. "Clearly, these banks are assisting in laundering these ill-gotten gains," she says. "An appeal could be made to their regulators to crack down on them from amoney-laundering perspective, but I have no idea how receptive the regulators would be to that avenue of action."


Dave Jevans, co-founder of the Anti-Phishing Working Group and chief technology officer of mobile security firm Marble Security, says federal law enforcement agencies have been strengthening their relationships with agencies in Asian markets to help curb some of this fraud.


"They can always work more closely with the financial institutions in these regions to monitor activity. However, it is really up to the originating companies and their U.S. financial institutions to solve this problem," he says. "Law enforcement is about investigating and arresting criminals. They are not a regulatory agency, nor are they a fraud-detection agency."

Preventive Measures

Jevans argues that the solution to the BEC problem is ensuring that businesses have stronger internal controls and targeted attack prevention on their email systems. "Banks can help their customers get educated, and can strengthen their validation processes and requirements when funds are being requested to be sent to new, untrusted accounts," he says. "Only focusing on overseas accounts won't solve the problem, and many of the smaller BEC frauds are routed through money mule accounts here in the USA."


Tom Kellermann, chief cybersecurity officer at the security firm Trend Micro, says businesses have to understand that bypassing banks' procedures for wire-transfer confirmation is exposing them to fraud.

"Internal procedures should change to ensure that all requests for the transfer of funds be verified," Kellermann says.


Kellermann says businesses' employees should be trained to carefully examine the URLs from which emails are sent. Spoofed email addresses, for instance, will be slightly different yet resemble legitimate email addresses. And he says all external wire transfers should be required to have some type of out-of-band confirmation, through a secondary email, phone call or SMS/text, before they are approved and scheduled.


Stronger email authentication and adoption of DMARC, the Domain-based Message Authentication, Reporting & Conformance initiative, could have a big impact on reducing fraud losses related to BEC, Kellerman contends.


Fraud expert Avivah Litan, an analyst at the consultancy Gartner, says identify-proofing technology, which requires that an online account user provide a headshot or picture of a driver's license captured with a mobile phone, could make a difference.


More banking institutions are exploring identity-proofing to authenticate new-account customers, Litan says, by employing the same technology they use for the remote-deposit capture of check images from smart phones and PC scanners.


"Perhaps this technology for identity proofing and documents transfer [such as check images] can be rolled out to the customer sites," she says. "Now you start asking the person requesting the wire to prove who they are by saying, 'Sorry, CEO, but before I act on your instructions, I need to see your driver's license.'"

more...
Scoop.it!

More Retailers Hit by New Third-Party Breach?

More Retailers Hit by New Third-Party Breach? | IT Support and Hardware for Clinics | Scoop.it

CVS, Rite-Aid, Sam's Club, Walmart Canada and other large retail chains have suspended their online photo services following a suspected hack attack against a third-party service provider that may, in some cases, have resulted in the compromise of payment card data.


The suspected breach centers on PNI Digital Media Inc., a Vancouver-based firm that manages and hosts online photo services for numerous retailers. The incident serves as a reminder of the security challenges that organizations face when it comes to managing their third-party vendors and entrusting them with sensitive customer information.


Numerous chains have confirmed that they are investigating potential breaches - some involving payment card data - after being warned by PNI Digital Media that it may have suffered a hack attack that resulted in the compromise of retailers' customers' names, addresses, phone numbers, email addresses, photo account passwords and credit card information. But none of the retailers involved have so far reported that they believe the breach would affect any of their in-store customers, including anyone who used in-store photo services.


PNI Digital Media did not immediately respond to a request for comment on its reported breach investigation. Until July 17, the company's investors page reported that it worked with numerous retailers, and while that page is now blank, a recent version cached by Google's search engine reads: "PNI Digital Media provides a proprietary transactional software platform that is used by leading retailers such as Costco, Walmart Canada, and CVS/pharmacy to sell millions of personalized products every year. Last year, the PNI Digital Media platform worked with over 19,000 retail locations and 8,000 kiosks to generate more than 18M transactions for personalized products."

CVS Confirms Investigation

On July 17, CVS spokesman Mike DeAngelis confirmed that CVSPhoto.com may have been affected by the suspected PNI Digital Media breach. "We disabled the site as a matter of precaution while this matter is being investigated," DeAngelis tells Information Security Media Group.


The cvsphoto.com site now reads in part: "We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised. As a precaution, as our investigation is underway we are temporarily shutting down access to online and related mobile photo services. We apologize for the inconvenience."

CVS says PNI Digital Media collects credit and debit information for customers who purchase online photo services through CVSPhoto.com. Accordingly, CVS recommends that all customers of its online photo service review their credit card statements "for any fraudulent or suspicious activity" and notify their bank or card issuer if anything appears to be amiss. "Nothing is more central to us than protecting the privacy and security of our customer information, including financial information," CVS says. "We are working closely with the vendor and our financial partners and will share updates as we know more."

Rite Aid: No Suspected Card Theft

Drugstore chain Rite Aid has also taken its online and mobile photo services offline. "We recently were advised by PNI Digital Media, the third party that manages and hosts mywayphotos.riteaid.com, that it is investigating a possible compromise of certain online and mobile photo account customer data," Rite Aid's site reads. "The data that may have been affected is name, address, phone number, email address, photo account password and credit card information."


Unlike CVS, however, Rite Aid reports that it does not believe that its customers' payment-card data is at risk. "Unlike for other PNI customers, PNI does not process credit card information on Rite Aid's behalf and PNI has limited access to this information," it says, adding that it has received no related fraud reports from its customers.

Sam's Club has also taken its online photo service offline, "in an abundance of caution and as a result of recent reports suggesting a potential security compromise of the third-party vendor that hosts Sam's Photo website." As with Rite Aid, however, Sam's Club reports that "at this time, we do not believe customer credit card data has been put at risk."


Costco and Tesco Photo have also suspended their online photo services.


Walmart Canada, which also outsources online photo services to PNI, also may have been affected by the possible breach, according to the The Toronto Star, and the retailer has since suspended its online photo services website. "We were recently informed of a potential compromise of customer credit card data involving Walmart Canada's Photocentre website, www.walmartphotocentre.ca," Walmart states. "We immediately launched an investigation and will be contacting customers who may be impacted. At this time, we have no reason to believe that Walmart.ca, Walmart.com or in-store transactions are affected.


Walmart did not respond to Information Security Media Group's request for comment. ISMG also reached out to office supplier Staples, which owns PNI, but did not get a response.

"PNI is investigating a potential credit card data security issue," a Staples spokesperson told The Toronto Star.

Growing Third-Party Breach Concerns

PNI's potential breach comes just a week after Denver-based managed services provider Service Systems Associates announced that a breach linked to a malware attack against its network had likely affected about 12 of the payments systems it operates for gifts shops at retail locations, which include zoos, museums and parks, across the country.


Service Systems Associates says debit and credit purchases made between March 23 and June 25 may have been compromised.

On July 7, the Financial Services Information Sharing and Analysis Center, along with Visa, the U.S. Secret Service and The Retail Cyber Intelligence Sharing Center, which provides threat intelligence for retailers, issued a cybersecurity alert about risks merchants face when dealing with third parties.


The alert lists a number of security recommendations for managing third-party risks, including using multifactor authentication for remote-access login to point-of-sale systems and including specific policies related to outdated operating systems and software in contracts with vendors.


Earlier this month, Chris Bretz, director of payment risk at the FS-ISAC, warned that managed service providers that offer outsourced services to numerous merchants are increasingly being targeted by cybercriminals.


"Criminals continue to find success by targeting smaller retailers that use common IT and payments systems," Bretz said in an interview with ISMG. "Merchants in industry verticals often use managed service provider systems. There might be 100 merchants that use a managed service provider that provides IT and payment services for their business."

more...
No comment yet.
Scoop.it!

A government key to unlock your encrypted messages has major problems and security experts are up in arms

A government key to unlock your encrypted messages has major problems and security experts are up in arms | IT Support and Hardware for Clinics | Scoop.it

Top computer scientists and security experts are warning that government proposals to gain special access to encrypted communications could result in significant dangers. 

A consortium of world-renowned security experts has penned a report detailing the harm that regulating encryption would cause, writes the New York Times


Hard encryption — which global authorities are now trying to combat — is a way to mathematically cipher digital communications and is widely considered the most secure way to communicate online to avoid external snooping. 


This follows news last week that British Prime Minister David Cameron made a proposal to ban encryption as a way to "ensure that terrorists do not have a safe space in which to communicate."  


Since then, experts have begun weighing in about the effect of such drastic measures. This includes well-known cryptographer Bruce Schneier, who told Business Insider that such a strong encryption ban would "destroy the internet."

The new report, which was released today, takes a similarly hard stance. "The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws," it writes. Not only that, but federal authorities have yet to explain exactly how they planned to gain "exceptional access" to private communications.


The report concludes, "The costs would be substantial, the damage to innovation severe, and the consequences to economic growth difficult to predict." In short, the experts believe that trying to put limitations on encrypted communications would create myriad problems for everyone involved. 


This sort of fissure between security experts and federal authorities isn’t new. In fact, a similar proposal was made by the Clinton Administration in 1997 that also took aim at hard cryptography. Back then, a group of experts — many of whom are authors on this new report — also wrote critically about the anti-encryption efforts.

In the end, the security experts prevailed. 


Now, it’s not so certain. FBI director James Comey has joined the ant-encryption brigade, saying that "there are many costs to [universal strong encryption.]"

He and the US deputy attorney general Sally Quillan Yates are scheduled to testify before Senate tomorrow to defend their views, the New York Times reports.

The question now is whether other federal officials will side with people like Comey and Cameron or the group of security experts. 

In the paper's words, creating such back-door access to encrypted communications "will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend."

more...
No comment yet.
Scoop.it!

FBI Alert: $18 Million in Ransomware Losses

FBI Alert: $18 Million in Ransomware Losses | IT Support and Hardware for Clinics | Scoop.it

In the past year, U.S. businesses and consumers have experienced more than $18 million in losses stemming from a single strain of ransomware called CryptoWall, according to the Internet Crime Complaint Center.


In total, IC3 - a collaboration between the FBI and the National White Collar Crime Center - says it received 992 CryptoWall-related complaints from April 2014 to June 2015. And it says the reported losses relate not just to ransom payments potentially made by victims, but additional costs that can include "network mitigation, network countermeasures, loss of productivity, legal fees, IT services and/or the purchase of credit monitoring services for employees or customers."

The quantity of ransomware attacks continues to escalate, security experts say, because it offers criminals the potential for high rewards with little risk (see Crime: Why So Much Is Cyber-Enabled). Indeed, ransomware attacks can be launched en masse by remote attackers and are relatively cheap and easy to perpetrate. Even the process of collecting payments from victims - often payable in bitcoins - and providing decryption keys can be automated.

"In most cases, once the victim pays a ransom fee, he or she regains access to the files that were encrypted," IC3 reports. "Most criminals involved in ransomware schemes demand payment in Bitcoin. Criminals prefer Bitcoin because it's easy to use, fast, publicly available, decentralized and provides a sense of heightened security/anonymity."

Because ransomware can rely so heavily on social engineering - tricking - victims into executing related malware or falling for ransom scams, many security experts have urged businesses to continually educate their employees and customers about ways to spot such attacks and defend themselves.

Click-Fraud Attack Spike


Earlier this month, security firm Symantec warned that it had seen a spike in attacks that began with the year-old Poweliks Trojan, which was designed to perpetrate click fraud, and which also downloaded CryptoWall onto an infected system. Click fraud refers to infecting systems with malware that is used to make "bogus requests" for online advertising, without the malware revealing its presence to the user of the infected system.

Using a single piece of malware - or "dropper" - to infect a system and then download and install many other types of malware onto the same system is not a new attack technique.

For example, authorities have accused the gang behind Gameover Zeus of first using that Trojan to harvest bank credentials, and then infecting systems with Cryptolocker ransomware. The U.S. Department of Justice believes that the Gameover Zeus gang is responsible for more than $100 million in losses via the banking Trojan, and netted $27 million in ransom payments in just the first two months they began using Cryptolocker.

Attacks Get Modular


But attackers have been retooling their malware to make it easier to rapidly infect PCs with multiple types of malware. Security firm Trend Micro warned in 2013 that the aging Asprox botnet, which was first discovered in 2007, had re-emerged "with a new and improved modular framework," and been rebranded as Kuluoz malware, which was a dropper designed to download additional malware onto infected PCs.

By December 2014, the Level 42 threat-intelligence research group at security vendor Palo Alto Networks reported seeing a spike in Asprox-related attack activity. "This malware sends copies of itself over email quickly and to users all around the world and then attempts to download additional malware," it said. The researchers noted that of the 4,000 organizations that it was monitoring, the malware had been tied to "approximately 80 percent of all attack sessions" seen in October and had attempted to infect nearly half of all those organizations.

Also in December, the Association of National Advertisers warned that U.S. businesses were losing about $6.3 billion annually to click fraud. The same month, a study conducted for the ANA by the security firm White Ops found that botnets were responsible for "viewing" 11 percent of all online advertisement, and 23 percent of all online video advertisements.

Asprox Botnet Serves CryptoWall


But click-fraud malware attacks are increasingly blended with other types of malware as attackers attempt to monetize infected PCs as much - and as rapidly - as possible.

In a recent series of attacks, Asprox malware - now typically distributed via phishing attacks - "phoned home" to the Asprox command-and-control server after it infected a PC, and received back the Zemot dropper malware, according to a new report released by the security firm Damballa. The dropper then downloaded the Rovnix rootkit, as well as Rerdom, which is a click-fraud installer.

Damballa says that it has also seen Zemot get installed via crimeware toolkit exploits, which can exploit systems using known vulnerabilities, for example if attackers compromise otherwise legitimate websites and use them to launch drive-by attacks.

Inside enterprises, "click fraud is generally viewed as a low-priority risk," Damballa says. "In reality, click fraud is often a precursor to something more sinister. A device infected with click-fraud [malware] may leave the enterprise susceptible to dangerous downstream infections."

Indeed, Damballa reports that tests of Asprox-infected machines found that over the course of two hours, a single PC was infected with three different types of click-fraud malware, as well as the CryptoWall ransomware. Even after CryptoWall encrypted much of the infected PC's hard drive, furthermore, the click-fraud malware continued to operate, so long as the machine remained Internet-connected.

more...
No comment yet.
Scoop.it!

Hack Attack Grounds Airplanes

Hack Attack Grounds Airplanes | IT Support and Hardware for Clinics | Scoop.it

Polish airline LOT claims that a hack attack disrupted the state-owned airline's ground-control computers, leaving it unable to issue flight plans and forcing it to cancel or delay flights, grounding 1,400 passengers.


The airline said the June 21 cyber-attack against its IT systems at Warsaw Chopin airport lasted about five hours and affected the computers that it uses to issue flight plans. "As a result, we're not able to create flight plans and outbound flights from Warsaw are not able to depart," the company said in a statement.


But the airline emphasized that the attack had "no influence on plane systems" and that no in-progress flights were affected by the incident. It also said that all flights bound for Warsaw were still able to land safely. The IT disruption did, however, result in the airline having to cancel 10 flights - destined for locations inside Poland, to multiple locations in Germany, as well as to Brussels, Copenhagen and Stockholm - and then delay 12 more flights.


An airline spokeswoman didn't immediately respond to a request for more information about the disruption, how LOT judged it to be a hack attack or who might be responsible. No group or individual appears to have taken credit for the disruption.


Airline spokesman Adrian Kubicki says that Polish law enforcement agencies are investigating the hack and warned that other airlines might be at risk from similar types of attacks. "We're using state-of-the-art computer systems, so this could potentially be a threat to others in the industry."

Follows Plane Hacking Report

It's been a busy year for airline-related hacking reports.

In May, information security expert Chris Roberts claimed to have exploited vulnerabilities in airplanes' onboard entertainment systems more than a dozen times in recent years, allowing him to access flight controls. Roberts claimed that his repeated warnings about the problems to manufacturers and aviation officials had resulted in no apparent fixes being put in place.

Question: Hack or IT Error?

Despite the presence of vulnerabilities in avionics systems, however, airline-related IT disruptions are often caused by internal problems, and some security experts are questioning whether that might be the case with the supposed cyber-attack against LOT. "The story doesn't make sense, and most of the actual info so far suggests a 'glitch' caused by an unauthorized user," says the Bangkok-based security expert who calls himself the Grugq, via Twitter.


On June 2, for example, a computer glitch grounded almost 150 United Airlines flights in the United States, representing about 8 percent of the company's planned morning flights. The airline blamed the problem on "dispatching information," and some fliers - such as software firm Cloudstitch CTO Ted Benson - reported via Twitter that pilots told passengers that the ground computers appeared to be spitting out fake flight plans.


As a result of the glitch, the Federal Aviation Administration reportedly grounded all United flights for 40 minutes, until related problems were corrected.

United Airlines Bug Bounty

That glitch followed United Airlines in May launching a bug bounty program - not for the software that runs its airplanes, in-flight entertainment systems, or ground-control computers, but rather its website. "If you think you have discovered a potential security bug that affects our websites, apps and/or online portals, please let us know. If the submission meets our requirements, we'll gladly reward you for your time and effort," United says on the bug bounty page.


Rather than offering cash rewards like many other bug-bounty programs, however, United is instead offering frequent-flier "award" miles - for example 50,000 miles for cross-site scripting attacks, 250,000 for authentication bypass attacks, and 1,000,000 for a remote-code execution attack.

more...
No comment yet.
Scoop.it!

Microsoft just made a huge privacy move to make Bing more competitive with Google and Yahoo

Microsoft just made a huge privacy move to make Bing more competitive with Google and Yahoo | IT Support and Hardware for Clinics | Scoop.it

Microsoft’s search engine Bing has announced that it will encrypt all of its search traffic by default this summer. Bing had already offered optional encryption, but soon it will be a default for everyone.

This levels up Bing to match the security standards of the other big search giants like Google and Yahoo, and the added encryption also makes Bing a worthy search engine competitor. Google first made all search encrypted by default in 2013. Yahoo did so in 2014. 


Like Google, however, Bing will still report referrer data to marketers, although Bing will not let the marketers know what the search term was. This means that if a Bing user clicks on an ad after searching for something, the advertiser will know that Bing is what brought that customer to the website but they will not know what the precise term was that was typed into the search bar. 


While this encryption move may seem like a tiny piece of news, it indicates a new shift toward better privacy standards. With Microsoft joining the ranks of Google and Yahoo in terms of security standards, this marks the first time the top three search engines provide privacy by default, making it much more difficult for external snoopers to know what people are searching for.


It also makes it possible for Bing to further gain a search engine edge. Though Google still is king, Microsoft has been working to give itself an edge on mobile — Siri uses Bing search by default, for example.

But the main question for Microsoft is still whether its move towards an encrypted Bing search engine will be noticed by the average user, and whether it will convince any Google or Yahoo fans to make the switch.

more...
No comment yet.
Scoop.it!

President Obama calls for stronger American cybersecurity

President Obama calls for stronger American cybersecurity | IT Support and Hardware for Clinics | Scoop.it

Citing a series of embarrassinghigh profile incursions against US computer networks in recent months, President Obama called for "much more aggressive" efforts to shore up the government's vulnerable cyber-infrastructure. "This problem is not going to go away," the President told reporters at a G7 press conference in Germany. "It is going to accelerate. And that means that we have to be as nimble, as aggressive and as well-resourced as those who are trying to break into these systems." As such, he urged Congress to pass its pending cybersecurity legislation, such as the Cybersecurity Information Sharing Act of 2015.

more...
No comment yet.
Scoop.it!

Over 4 billion people still have no Internet connection

Over 4 billion people still have no Internet connection | IT Support and Hardware for Clinics | Scoop.it

The number of people using the Internet is growing at a steady rate, but 4.2 billion out of 7.4 billion will still be offline by the end of the year.

Overall, 35.3 percent of people in developing countries will use the Internet, compared to 82.2 percent in developed countries, according to data from the ITU (International Telecommunication Union). People who live in the so-called least developed countries will the worst off by far: In those nations only 9.5 percent will be connected by the end of December.


This digital divide has resulted in projects such as the Facebook-led Internet.org. Earlier this month, Facebook sought to address some of the criticism directed at the project, including charges that it is a so-called walled garden, putting a limit on the types of services that are available.


Mobile broadband is seen as the way to get a larger part of the world’s population connected. There are several reasons for this. It’s much easier to cover rural areas with mobile networks than it is with fixed broadband. Smartphones are also becoming more affordable.

But there are still barriers for getting more people online, especially in rural areas in poor countries.


The cost of maintaining and powering cell towers in remote, off-grid locations, combined with lower revenue expected from thinly spread, low income populations, are key hurdles, according to the GSM Association. Other barriers include taxes, illiteracy and a lack of content in local languages, according to the organization.


At the end of 2015, 29 percent of people living in rural areas around the world will be covered by 3G. Sixty-nine percent of the global population will be covered by a 3G network. That’s up from 45 percent four years ago.


The three countries with the fastest broadband speeds in the world are South Korea, France and Ireland, and at the bottom of the list are Senegal, Pakistan and Zambia, according to the ITU.

more...
No comment yet.
Scoop.it!

A Security Flaw Leaves Millions of Verizon Customers Vulnerable

A Security Flaw Leaves Millions of Verizon Customers Vulnerable | IT Support and Hardware for Clinics | Scoop.it

Verizon may be snatching up media companies left and right, but it might want to spend some funds on upping its security game. Joseph Bernstein at Buzzfeed News reports that a Verizon security flaw potentially left 9 millions customers vulnerable to an attack by spoofed IP addresses. The scary nature of this particular security flaw is that it doesn’t even require any real hacking knowledge. All you need is a Firefox plug-in and a specific recipe and anyone could get sensitive information like credit card data and social security numbers.

According to Verizon, the flaw has been fixed and was originally entered into the system via a coding error on April 22. But if you happen to be a Verizon customer, it may be worth making sure your bank accounts aren’t showing any suspicious behavior.


more...
No comment yet.
Scoop.it!

Why It's Tough to Pass Data Breach Bill

Why It's Tough to Pass Data Breach Bill | IT Support and Hardware for Clinics | Scoop.it

Backers of a national data breach notification law say it would greatly simplify compliance for businesses, which now must comply with laws in 51 different jurisdictions - 47 states, three territories and Washington, D.C.


But does that simplification come at too high a cost? Some federal lawmakers thinks so. They say passing a national data breach notification law would weaken data security protections found in certain states' statutes, thus doing more harm than good.

And those concerns are a major reason why building a consensus that paves the way for enacting a national breach notification law will prove difficult, if not impossible.

'Confusing for Businesses'

Last January, President Obama noted when he proposed his version of national data breach notification: "Right now, nearly every state has a different law on this, and it's confusing for consumers and it's confusing for companies, and it's costly, too, to have to comply to this patchwork.


Almost every bill introduced in Congress over the past decade to create a national data breach notification standard would pre-empt state statutes. But that comes at a price. Several states, most notably Massachusetts, prescribe specific steps businesses must take to safeguard personally identifiable information. Most national data breach notification proposals don't require safeguards beyond saying businesses should take "reasonable" steps to secure PII.


Some industry experts - such as Larry Clinton, president of the trade group Internet Security Alliance - say they have seen no evidence that consumers' PII is more secure in those states that have more stringent security requirements. "To the notion that states can enact strong laws is, from a consumer perspective, a red herring," he says.

Middle Ground?

But some senators strongly disagree with Clinton's point of view.

"There are a number of like-minded senators who are paying attention to this issue and trying to push for a federal law ... that keeps state laws untouched as a middle-ground approach," says Chris Pierson, general counsel and chief security officer at payments provider Viewpost. "While this is more palatable for Congress, it does little to stem the growing diversity of state laws and the burden of conflicting state requirements."


One of those senators seeking a middle-ground approach is Richard Blumenthal, D-Conn., who, along with five other Democratic senators, has introduced legislation creating a national data breach notification law with a proviso: It won't pre-empt more stringent state laws.


"We must ensure consumers have strong protections on the federal level, but in so doing, we must make sure Congress doesn't weaken state protections that consumers rely on to keep their information safe," Blumenthal says. "Importantly, this measure strikes the right balance between state rights and strong federal enforcement and extends consumer privacy protections into a new digital era."

A right balance? Sasha Romanosky, an associate policy researcher at the think tank Rand Corp., characterizes the Democratic senators' bill as a "workaround" that sets a "national floor for breach compliance." But Romanosky is concerned that "then you'd just have the same issue as there is now: 47 potentially distinct state laws."


The Democrats' bill - like the Massachusetts statute - contains a list of security requirements with which businesses would have to comply. That makes the bill unpassable. Nearly every GOP lawmaker opposes any measure that that would place additional requirements on businesses.

60-Vote Threshold

Consumer advocacy groups generally oppose national data breach notification legislation that would weaken states' security standards. And those groups might have the clout to get enough Democratic senators to oppose any measure that would pre-empt state laws.

Sixty votes generally are needed for a bill to be considered by the Senate; the upper chamber has 44 Democrats and two independents who caucus with them. So getting 41 senators to block a vote on a data breach notification bill is possible.


Whether stricter state laws actually provide consumers with better security protections is debatable, but the perception among a number of lawmakers - mostly Democrats - is that they do. If at least 41 senators agree with that notion, then Congress will not enact a national breach notification law.


more...
No comment yet.
Scoop.it!

House OKs 2nd Cyberthreat Info-Sharing Bill

House OKs 2nd Cyberthreat Info-Sharing Bill | IT Support and Hardware for Clinics | Scoop.it

A second cyberthreat information sharing bill passed the House of Representatives on April 23. That measure, the National Cybersecurity Protection Advancement Act, now will be combined with the House Intelligence Committee's Protecting Cyber Networks Act, which passed on April 22, before it's sent to the Senate.

The National Cybersecurity Protection Act, which was approved by a 355-63 vote, provides businesses with liability protections if they share cyberthreat information with the federal government and other businesses. The bill designates the National Cybersecurity and Communications Integration Center as the portal for government and business to share data.

"Ultimately, this legislation will arm those who protect our networks with valuable cyber-threat indicators that they can use to fortify defenses against future attacks," said one of the bill's sponsors, Rep. John Ratcliffe, chairman of a House Homeland Security Committee subcommittee, which has cybersecurity oversight.

Supporters of cyberthreat information sharing legislation, including President Obama, say such a measure is needed because many businesses will not share information with the government unless they're protected from civil and criminal lawsuits resulting from the sharing of data. Both bills, and one approved by the Senate Intelligence Committee, would provide those liability safeguards.

The House-passed bills' supporters contend their measures protect citizens' privacy and liberties by requiring businesses to strip personally identifiable information from information to be shared. Language added to the National Cybersecurity Protection Advancement Act specifically says the shared data is to be used for cyberdefense only and cannot be used for intelligence or law enforcement purposes. Still, consumer advocacy groups contend the bill does not go far enough to prevent sharing of data for purposes other than cyberdefense.

The White House, in Statements of Administration Policies, has given both House-passed bills a lukewarm endorsement, but it made suggestions on changes it seeks, especially the narrowing of the liability protections the measures offer.

In the Senate, Majority Leader Mike McConnell said its version of cyberthreat information sharing legislation should come up for a vote shortly, but did not provide a specific date. If the Senate passes its own cyberthreat information sharing legislation, conferees from both chambers, weighing recommendations from the White House, will draft new language in hopes of winning the support of a majority of House and Senate lawmakers as well as the president.


more...
No comment yet.
Scoop.it!

House Panel Passes Cyberthreat Info Sharing Bill

House Panel Passes Cyberthreat Info Sharing Bill | IT Support and Hardware for Clinics | Scoop.it

After beating back amendments by Democratic members to limit liability protections for businesses, the House Homeland Security Committee on April 14 unanimously approved cyberthreat information sharing legislation on a voice vote.


The bill, sponsored by Committee Chairman Mike McCaul, R-Texas, now goes to the full House, where differences with another cyberthreat information sharing measure approved by the House Intelligence Committee last month will be worked out. House leaders indicated that the full House could vote on cyberthreat information sharing legislation as early as next week.


In the Senate, a version of its cyberthreat information sharing bill could come up for a vote shortly. Senate Majority Leader Mitch McConnell included the Cybersecurity Information Sharing Act passed last month by the Senate Intelligence Committee as among several bipartisan bills that the Senate is "working hard to advance."


The National Cybersecurity Protection Advancement Act of 2015, approved by the House Homeland Security Committee, provides many of the privacy and civil liberties protections sought by President Obama that were absent in earlier versions of cyberthreat information sharing legislation that passed the House and the White House had threatened to veto in the two previous congresses.

Limits Placed on Shared Data

The House committee approved one amendment that explicitly states that shared cyberthreat information processed through the National Cybersecurity and Communications Integration Center - known as NCCIC, the Department of Homeland Security portal - could not be used for law enforcement or intelligence purposes. Civil liberties groups have raised concerns that some cyberthreat information sharing bills could allow the use of collected cyberthreat data to spy on Americans, violating their privacy and liberties.


The legislation would require private companies to remove personally identifiable information unrelated to the cybersecurity risk before sharing information with the NCCIC or other private entities. It would also require the NCCIC to conduct a second scrub and destroy any personal information that is unrelated to the cybersecurity risk before further sharing with other government agencies or private organizations.


The aim of the cyberthreat information sharing legislation is to encourage businesses and other private organizations to share voluntarily threat data with the government and other businesses to mitigate damaging cyber-attacks. But some businesses are reluctant to share the information unless they are protected from legal actions, which led to the various provisions to offers liability protections.

Liability Provisions Remain Intact

The Democratic minority on the House Homeland Security Committee, along with the Obama administration, contend that the liability protections offered to businesses in the committee's bill were too broad, providing legal protections when not warranted. An amendment offered by Rep. Cedric Richmond, D-La., would have removed liability protection for businesses that received threat data but failed to act on it. "If you abide by the provisions of this act," Richmond said, "then you're exempt from liability. It's just that simple. Instead of adding all these other concepts to the liability language, if we take the time to pass a bill and you abide by it, you have liability exemption. If you don't, then you don't have exemption."


But the bill's cosponsor, Republican Rep. John Ratcliffe of Texas, said the broader liability protections in the bill are aimed to get the greatest number of businesses to participate in cyberthreat information sharing. "Stakeholders are concerned about putting their customers or consumers at risk, and their information at risk; they're concerned about exposing their own sensitive business information by sharing," Ratcliffe said. "And, they're also concerned about possibly violating federal privacy laws. Having strong liability protection is going to be absolutely critical and vital to the success of this bill, and the phraseology in this bill is absolutely critical and essential to that point."

The bill originally provided liability protection for businesses that conducted its network security awareness in "good faith," but the committee voted to excise those words from the measure because, as McCaul noted, the term is too ambiguous and could lead to confusion in enforcing the measure should it become law.

Awaiting Word from White House

The White House has not said whether it would support or veto any of the cyberthreat information sharing bills winding their way through Congress. Statements of Administration Policy, such as the ones containing the earlier veto threats, usually are issued shortly before one of the chambers is set to vote on the legislation.

After the committee vote, the Financial Services Roundtable called for swift floor action on the legislation. "Congressional action to better protect consumers from cyber-attacks is long overdue," said Tim Pawlenty, CEO of the Roundtable, a financial services industry advocacy group. "We applaud the House for addressing gaps in our nation's cybersecurity laws and urge both chambers of Congress to quickly put a bill on the president's desk."


more...
No comment yet.
Scoop.it!

Breach Exposed Obama Records

Breach Exposed Obama Records | IT Support and Hardware for Clinics | Scoop.it

 A breach of the White House IT system last October, believed to be by Russian hackers, exposed sensitive details about White House operations, such as the president's schedule, CNN reports.

Investigators believe the White House intrusion began with a phishing email that was launched using a State Department email account that the hackers had taken over, CNN reports, citing several U.S. officials briefed on the investigation into the breach.

The State Department revealed in October that the breach of its system and that of the White House were linked (see State Department, White House Hacks Linked).

The White House downplayed the report. "This report is not referring to a new incident - it is speculating on the attribution of the activity of concern on the unclassified EOP (Executive Office of the President) network that the White House disclosed last year," Mark Stroh, National Security Council spokesman said April 7. "Any such activity is something we take very seriously. In this case, as we made clear at the time, we took immediate measures to evaluate and mitigate the activity. As has been our position, we are not going to comment on the referenced article's attribution to specific actors."
Alternative to Email

Jerry Irvine - a member of the National Cybersecurity Task Force, a joint operation between the Department of Homeland Security and the U.S. Chamber of Commerce - says phishing and spear phishing attacks are increasingly plaguing governments and businesses, and suggests that if they persist, organizations might need to limit email communications.

"It can happen to anyone, and it did," Irvine says, referring to the White House breach. "This is the way of the world. Organizations now are starting to look at the value of email and are questioning whether it's worth the risk. Are there other methods to share information other than email?"

Irvine, partner and chief information officer at IT outsourcer Prescient Solutions, says governments and businesses should look to email alternatives, such as instant messaging, which he contends poses fewer risks.


more...
No comment yet.
Scoop.it!

Windows 10 Ransomware Scam Represents Growing Trend in Malware

Windows 10 Ransomware Scam Represents Growing Trend in Malware | IT Support and Hardware for Clinics | Scoop.it

I don’t usually jump on the new software or device bandwagon immediately. I tend to wait until something has been on the market for a little while and let other people work the bugs out first. However, the release of Windows 10 intrigues me. I had the chance to talk to some people at RSA about it, and I’m not sure the last time I heard so much enthusiasm for a new Microsoft product.


The release came at the end of July, with the upgrade made available for free. Who doesn’t like free, right?

Consumers aren’t the only ones who appreciate a free upgrade, though. Scammers and bad guys are taking advantage of the Windows 10 launch, too, using phishing emails to spoof the arrival of the OS. As PC World explained, the scam does a very good job mimicking a legitimate Microsoft announcement regarding Windows 10. The difference, though, was this:


An attached .zip file purports to be a Windows 10 installer … the attachment contains a piece of ransomware called CTB-Locker that encrypts your files and requests payment within 96 hours, lets your files be encrypted forever.


I can’t imagine that anyone would be surprised that the bad guys would try to take advantage of the OS release. However, according to Cisco’s midyear report, using ransomware is part of a growing trend with hackers using social and breaking news events to deliver ransomware. According to the report, ransomware has really stepped up its game, with improved professional development to encourage innovation and to ensure that the malware brings in financial gains.

The Cisco blog explained more about how it works:


The ransoms demanded are usually affordable, generally a few hundred dollars depending on the bitcoin exchange rate. Criminals appear to have done their market research to determine the right price points for the best results: Fees are not so high that victims will refuse to pay or will tip of law enforcement. Ransomware authors keep their risk of detection low by using channels such as Tor and the Invisible Internet Project to communicate, and they use bitcoin so that financial transactions are difficult for law enforcement to trace.


Will we see more problems with ransomware going forward? I suspect the answer is “Yes,” especially as the developers get smarter about manipulating the ransom for their own gain. (Remember, as successful as Cryptolocker was at locking down a computer’s data, too many weren’t able to pay the ransom with Bitcoin, and, in turn, the developers weren’t able to make the money they planned to make.) We know that the spammers are very good at faking us out with phishing attacks. So enjoy your new Windows 10 upgrade. Just download with a lot of caution.

more...
No comment yet.
Scoop.it!

Adobe patches Flash zero-day found in Hacking Team data breach

Adobe patches Flash zero-day found in Hacking Team data breach | IT Support and Hardware for Clinics | Scoop.it

The massive Hacking Team data breach led to the release of 400GB worth of data including a zero-day vulnerability for Adobe Flash. Adobe has released an out-of-band patch for the flaw just two days after it was discovered.


The vulnerability was described by the Hacking Team in a readme file in the data dump as "the most beautiful Flash bug for the last four years". Accompanying the readme in the data was a proof-of-concept exploit of the flaw.


Adobe categorized the vulnerability (CVE-2015-5119) as critical and said it affects Flash Player versions 18.0.0.194 and earlier on Windows and Mac, and versions 11.2.202.468 and earlier on Linux. Successful exploitation of the flaw could allow remote code execution.


Security researcher Kafeine found that the vulnerability has already been added to the Angler, Fiddler, Nuclear and Neutrino exploit kits. Because of this, admins are recommended to apply the patch as soon as possible.


Also found in the Hacking Team data was another Adobe Flash zero-day (CVE-2015-0349), which was patched in April, and a zero-day affecting the Windows kernel. The inclusion of these zero-days has caused experts to question if these exploits are being used by Hacking Team clients, including law enforcement and governments.


"As many governments move to try and control malware and offensive security tools, some have been caught with their own hands in the cookie jar, leading many to wonder how and why governments and agencies listed as Hacking Team clients are using these tools and if they are doing so lawfully," said Ken Westin, security analyst for Tripwire. "Given the depth and amount of data compromised in this breach, it will reveal a great deal about the market for offensive tools designed for espionage with a great deal of fallout and embarrassment for some organizations."


Hacking Team spokesman Eric Rabe confirmed the breach and said that while law enforcement is investigating, the company suggests its clients suspend the use of its surveillance tools until it can be determined what exactly has been exposed.


In a new statement, Rabe warned that its software could be used by anyone because "sufficient code was released to permit anyone to deploy the software against any target of their choice.


"Before the attack, HackingTeam could control who had access to the technology that was sold exclusively to governments and government agencies," Rabe wrote. "Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so. We believe this is an extremely dangerous situation."

more...
No comment yet.
Scoop.it!

Surveillance Software Firm Breached

Surveillance Software Firm Breached | IT Support and Hardware for Clinics | Scoop.it

Hacking Team, an Italian developer of "easy-to-use offensive technology" - including spywareand other surveillance software that it sells to police, law enforcement and intelligence agencies - appears to have been breached and large quantities of corporate information leaked.


On July 5, hackers also appeared to have seized control of the Hacking Team's Twitter account,@hackingteam, after which they changed the company's logo and posted the following message: "Since we have nothing to hide, we're publishing all our e-mails, files, and source code."


The message included links to a Torrent file that reportedly includes 400 GB of the aforementioned data, including the source code for its "Remote Control System," known as both DaVinci and Galileo. Hacking Team advertises that the software is able to intercept Skype and voice calls, as well as data stored on PCs. The leaked data reportedly also includes passwords for multiple Hacking Team employees and customers, as well as previously disclosed zero-day vulnerabilities.

The Hacking Team data leak reportedly reveals that the company's customers have apparently ranged from the U.S. FBI and Drug Enforcement Agency to the governments of Sudan and the United Arab Emirates. Credit for the hack and data breach has reportedly been claimed by PhineasFisher, who has previously targeted vendors for allegedly selling surveillance software to repressive regimes. "Gamma and HT down, a few more to go :),"PhineasFisher said July 6 via Twitter.


Threat intelligence firm iSight Partners says in a research note that it believes that the breach occurred, and that most or all of the leaked data is genuine, because "convincingly fabricating that much information is prohibitively time intensive." It also warns that the source code could soon become part of other hackers' toolsets. "Hacking Team's tools and techniques will likely begin to be incorporated in other malware and surveillance tools." Allegedly leaked Hacking Team code has already been added to the GitHub code-sharing repository.


Hacking Team did not immediately respond to a request for comment about the breach, so the contents of those alleged customer lists could not be confirmed. Hacking Team senior system and security engineer Christian Pozzi, whose emails and personal passwords - including for multiple social media accounts - appear to have been included in the leak, says via Twitter on July 6: "We are currently working closely with the police at the moment. I can't comment about the recent breach."

But the authenticity of that message is questionable, since Pozzi's Twitter account later posted a message suggesting that it too had been compromised by hackers: "We are closing down. Bye Saudi Arabia. You paid us well. Allahuhakbah." After those messages appeared, Pozzi's Twitter account appears to have been deleted in its entirety.

The Company's Customers

Numerous privacy rights groups say that the data leak provides a rare look into how governments spy on people at home and abroad. "Hacking Team is one of the most aggressive companies currently supplying governments with hacking tools," says Eric King, deputy director of civil rights group Privacy International. "[The] leak of materials reportedly shows how Hacking Team assisted some of the world's most repressive regimes - from Bahrain to Uzbekistan, Ethiopia to Sudan - to spy on their citizens.


Hacking Team advertises its Galileo and DaVinci software as being "the hacking suite for governmental interception," noting that it can handle "up to hundreds of thousands of targets, all managed from a central place." Some of the software's capabilities have been previously described by Citizen Lab, a privacy project run by the University of Toronto, which says that the vendor's spyware can copy files from the hard drive of an infected PC, record Skype calls and emails, intercept passwords typed into Web browsers, as well as remotely activate webcams and microphones. To employ the spyware, however, government agencies must first sneak it onto targets' PCs, and Citizen Lab says that phishing attacks are likely the most-used technique for accomplishing this.


Privacy researcher Christopher Soghoian, principal technologist at the American Civil Liberties Union, says via Twitter that according to the leaked information, Hacking Team's customer list "includes South Korea, Kazakhstan, Saudi Arabia, Oman, Lebanon, and Mongolia."


Soghoian adds via Twitter that according to a leaked March 2013 invoice for the first half of a related payment, Hacking Team also completed a €260,000 ($290,000) deal with the government of Azerbaijan by selling "through a shadowy front company in Nevada" named Horizon Global Group.


Citizen Lab had previously questioned whether Hacking Team was selling to governments that are widely viewed as being repressive. "We suspect that agencies of these twenty-one governments are current or former users of RCS: Azerbaijan, Colombia, Egypt, Ethiopia, Hungary, Italy, Kazakhstan, Korea, Malaysia, Mexico, Morocco, Nigeria, Oman, Panama, Poland, Saudi Arabia, Sudan, Thailand, Turkey, UAE, and Uzbekistan," it says in a 2014 report. "Nine of these countries receive the lowest ranking, 'authoritarian,' in The Economist's 2012 Democracy Index. Additionally, two current users - Egypt and Turkey - have brutally repressed recent protest movements."


The company's customer list had also earned it a place on the "Enemies of the Internet" list maintained by civil rights group Reporters Without Borders.


The Hacking Team's alleged "maintenance agreement" tracker has been published to text-sharing website Pastebin; it says that the company's customers also include the U.S. Drug Enforcement Agency - as news outlet Vice first reported in April - and government agencies across the EU, including the Czech Republic, Hungary, Luxembourg, Poland and Spain. The FBI, meanwhile, is listed in that maintenance agreement as having an "active maintenance contract" with Hacking Team through June 30, 2015, while both Russia and Sudan are listed as being "not officially supported." Again, however, the authenticity of that information could not be confirmed, and it's possible that whoever leaked the files altered, added or fabricated the information.

The FBI did not immediately respond to Information Security Media Group's inquiry about whether the bureau is, or has been, a Hacking Team customer.

Hacker Targets

Cryptography expert Matthew Green, a Johns Hopkins University professor, says that more than any other type of company except bitcoin exchanges, surveillance software vendors should expect to face serious and sustained hacks. Thus, they should harden their defenses accordingly, but few seem to do so, he says.


Indeed, Hacking Team is not the first surveillance software vendor to have been hacked. In August 2014, Gamma Group - the creator of FinFisher malware, which it spun off as a separate company in 2013 - was also breached by PhineasFisher, who announced via Reddit that a 40GB data dump leaked to BitTorrent included internal documents, as well as price lists and support queries.

more...
No comment yet.
Scoop.it!

Will Sony Settle Cyber-Attack Lawsuit?

Will Sony Settle Cyber-Attack Lawsuit? | IT Support and Hardware for Clinics | Scoop.it

Did Sony underspend on information security, thus contributing to the success of the devastating hack attack against it, which came to light in November 2014? And can a business be held legally accountable by employees for their employer's information security shortcomings?


Those questions are central to a lawsuit filed by Michael Corona and eight other former Sony employees in the wake of what plaintiffs rightly dub a data breach "epic nightmare, much better suited to a cinematic thriller than to real life." Their suit accuses Sony of having failed to put an effective information security program in place, despite having previously suffered repeated, serious attacks.


 An epic nightmare, much better suited to a cinematic thriller than to real life. 


"Sony failed to secure its computer systems, servers and databases, despite weaknesses that it has known about for years," the lawsuit alleges, citing in part a September 2014 audit by PricewatershouseCoopers, which found that Sony's information security and monitoring practices fell below "prudent industry standards."


The lawsuit further alleges that nearly 100 terabytes of data was stolen, including 47,000 Social Security numbers and personally identifiable information for at least 15,000 current and former employees, some of whom had not worked for the studio since 1955. As a result, breach victims "face ongoing future vulnerability to identity theft, medical theft, tax fraud, and financial theft," the lawsuit plaintiffs allege. "In fact, plaintiffs' PII has already been traded on black market websites and used by identity thieves."

Lawsuit Ruling

Sony asked a court to dismiss the suit, and U.S. District Judge R. Gary Klausner this week did dismiss some parts, including allegations of breach of contract and that Sony failed to notify breach victims in a timely manner.


But in a setback for Sony, the judge ruled that other parts of the lawsuit can proceed, although he has yet to rule on the merits of these claims, including plaintiffs' allegation that Sony "made a business decision to accept the risk of losses associated with being hacked." The federal judge also agreed with the former employees' allegation that "to receive compensation and employment benefits, they were required to provide their PII to Sony." While many data breach lawsuits get dismissed on the grounds that the breach did not cause any economic harm to people whose information was stolen, Klausner said that by requiring employees' PII, Sony created a "special relationship that provides an exception to the economic loss doctrine."


Michael Sobol, an attorney for the plaintiffs, told the BBC, "We are pleased that the court has properly recognized the harm to Sony's employees."


A spokeswoman for Sony Pictures Entertainment did not immediately respond to a request for comment on the ruling.


In the wake of the 2014 attack, at least nine other lawsuits were filed against Sony by individual former employees. Like the Corona suit, all of these lawsuits seek class-action status, meaning they would include all current and former employees who were affected by the cyber-attack.

Wiper Malware Attack

To recap: Sony suffered a devastating wiper malware attack in November 2014, ostensibly designed to punish the company for releasing "The Interview," a satiric film starring James Franco and Seth Rogan that featured the fictional death of North Korean leader Kim Jong-un.


But before the attackers unleashed their wiper malware and began erasing Sony hard drives and bricking laptops, they penetrated Sony's network and stolen tens of terabytes of data, including copies of unreleased movies and the script for the upcoming James Bond film "Spectre," as well as numerous private email exchanges, all of which the attackers began leaking.


Sony, in a December 2014 breach notification filed with California state authorities, reported that the breach appeared to compromise current and former employees' names, addresses, Social Security numbers, driver's licenses and passport numbers, corporate credit card information, usernames and passwords, and salaries. Sony also warned that individuals' "HIPAA-protected health information" may have been exposed, including medical diagnoses, dates of birth, health plan identification numbers, and personal and health-related information.


As noted in Corona's lawsuit, large amounts of this information were leaked to the Internet by attackers and likely remain in circulation.

Lawsuit Resolution: Unclear

What will happen next in the Sony class-action lawsuit saga, of course, is not clear. But based on past breach-related lawsuits, it's likely that unless the lawsuit gets dismissed, Sony will ultimately settle, rather than risk a jury trial and ruling that might give breach victims more rights.


If Sony did make a business decision to underspend on security, it was a costly move. In February, Sony said in an earnings report that it expected to spend $35 million in cleanup costs through the end of its fiscal year in March, largely related to restoring the company's "financial and IT systems." But as the multiple lawsuits highlight, Sony faces continuing legal costs, as well as the risk that it will eventually have to pay damages or settlements.


But any such settlement likely would not happen soon. Indeed, Sony only settled a lawsuit filed in the wake of its April 2011 breach - a year in which the company fell victim to more than a dozen breaches - in June 2014. That breach exposed personal information for 77 million users of the Sony PlayStation Network and Qriocity services.


By that timeline, the lawsuits stemming from the 2014 Sony cyber-attack may not be resolved until at least 2017.

more...
No comment yet.
Scoop.it!

LastPass Sounds Breach Alert

LastPass Sounds Breach Alert | IT Support and Hardware for Clinics | Scoop.it

Warning to all LastPass users: Change your master password for the service now and ensure you're using multi-factor authentication. There has been a data breach that might allow attackers to crack master passwords and password reminders.


"Our team discovered and blocked suspicious activity on our network," reads a security notice from Joe Siegrist, the CEO of online password management service LastPass, which allows people to store multiple passwords inside a single, cloud-based password vault.


Siegrist says the intrusion was discovered June 12. "In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."


This is not the first time that LastPass has reported that passwords or data might have been hacked. In 2011, the firm reported finding a "traffic anomaly from one of our databases" that could have resulted in data exfiltration. In response, the firm said it took a number of steps to tighten security, including registering domains that might be used by phishing attackers, as well as removing non-core services from the LastPass network.


In the wake of this newly announced breach, Siegrist says that the company is "confident that our encryption measures are sufficient to protect the vast majority of users," noting that the site's techniques for creating users' authentication hashes - in essence, how their authentication credentials get protected - would make it very difficult for an attacker to crack those hashes "with any significant speed." But because that is a possibility, the company says it has now "locked down" all accounts, meaning that any attempt to access an account from a new device or IP address will require the user to first verify their identity via email, unless they're already using multi-factor authentication.


"We will also be prompting all users to change their master passwords," Siegrist says. "You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites." He adds that because encrypted user data wasn't stolen, users do not need to change the passwords for any sites stored inside their LastPass password vault.


LastPass also offers multi-factor authentication - including Google Authenticator, Yubikey and the Duo Security Authenticator - to safeguard accounts. And in the wake of the breach, multiple information security experts recommend that all LastPass users ensure that they are using this feature.

Rethink Password Reset Questions

"Should I panic because LastPass was hacked?" asks Robert David Graham, head of information security research firm Errata Security. "If you chose a long, non-dictionary password, nobody can crack it," he says, thanks to the way LastPass creates its hashing algorithms. "Conversely, if you haven't, then yes, you need to change it."


Some security experts, meanwhile, say that the biggest risk now facing LastPass users will bephishing attacks, especially because users' email addresses have been compromised. "LastPass is advising users to change the master password. While this is a good idea, it should not be the top priority," says Martin Vigo, a product security engineer for salesforce.com who's due to present the talk "Breaking Vaults: Stealing LastPass protected secrets" at the July Shakacon conference in Hawaii. "You should pay more attention to the password hint you set up and be on the lookout for any possible phishing email in the next weeks pretending to be LastPass."


Vigo says many users undercut their security by using password reminders - he recommends never using them, if possible - or else creating weak ones. "While the password reminder cannot be the password itself, it can contain it. This means that password reminders such as 'My password is correct horse battery staple' are possible," he says. "Other more common passwords reminders such as 'My dogs name' can help attackers guess your master password. Remember that they have your email, which leads to your Twitter, Facebook, etc., where possibly that information can be found."

Password Vaults: Pros and Cons

The LastPass breach begs the question of whether people should ever use password managers, a.k.a. password vaults. "If a crook gets hold of your master password, then that's like getting the crown jewels - because now the crook has access to all your accounts at once," says Paul Ducklin, a senior security adviser for anti-virus firm Sophos, in a blog post. As a result, some security experts decry their use, on the grounds that the password manager master password creates a potential single point of failure.


But many security experts, including Bruce Schneier, have long advocated using such tools, saying that it is much more likely that users will get hacked if they reuse passwords, or select weak ones, than have their encrypted password database stolen and cracked.

F-Secure security adviser Sean Sullivan, for example, has said he "can't imagine life" without using one, because such tools can ensure that a user only uses strong passwords, and never repeats them across sites. But Sullivan also takes certain precautions, such as never entering the master password for his password manager when he's using an untrusted system - such as the shared family PC at home - in case a keylogger might be in operation.

Cloud Versus PC-Based

Users can also choose between PC-based, cloud-based or hybrid password managers. Some encryption experts, such as Johns Hopkins cryptographer Matthew Green, have voiced concerns about the security of cloud-based password management services.

more...
No comment yet.
Scoop.it!

Apple is making it harder to steal the Apple Watch

t didn't make it into today's WWDC keynote address, but Apple is adding an important security feature to watchOS 2. The new version of the wearable OS will bring Activation Lock — a feature that has been on iPhones since 2013 — to the Apple Watch.


Activation Lock is an anti-theft measure that makes stolen devices less attractive to potential thieves. If someone were to steal your device and wipe it (something that can be done on a Watch in just a few taps), Activation Lock won't let the device be reactivated without first inputting the Apple ID and password that was originally used to set it up. It may not stop someone from stealing and selling your Watch for parts, and there's still no comparable feature to "Find my iPhone," but Activation Lock is a start.


IT'S NO FIND MY IPHONE, BUT IT'S A START

Just last month, users grew worried after9to5Mac pointed out how easy it is to wipe the settings, data, and passcode from an Apple Watch. From there, someone could pair a Watch to any new iPhone. In the user guide, Apple frames this as a way to restore your Watch's functionality should you forget your passcode, which is convenient. But for many people the function made it far too easy for someone else to wind up using your Watch as their own.


Users will have the choice to enable Activation Lock on their Watch or not, so it's ultimately up to them. The watchOS 2 developer beta is available today, and the final version will be released this fall.

more...
No comment yet.
Scoop.it!

Five Steps to Secure Your Data After I.R.S. Breach

Five Steps to Secure Your Data After I.R.S. Breach | IT Support and Hardware for Clinics | Scoop.it

The Internal Revenue Service has been added to a long list of companies and government agencies that hackers have breached in the last year.

And so, if there is any advice security experts have for those trying to keep their personal information safe, it is simply: You can’t.

“Your information has already been out there for years, available to anyone who wants to pay a couple dollars,” Brian Krebs, a security blogger who has been a frequent target of hackers, said Wednesday.

The attack on the I.R.S. is just the latest evidence that hackers already have all the information necessary to steal your identity. The agency said Tuesday that hackers used information stolen from previous breaches — including Social Securitynumbers, birth dates, street addresses and passwords — to complete a multistep authentication process and 


But consumers can make things harder for criminals. There may be a trade-off in convenience, but experts say the alternative is a lot worse.

1. Turn on multifactor authentication.

If a service offers added security features like multifactor authentication, turn them on. When you enter your password, you will receive a message, usually via text, with a one-time code that you must enter before you can log in.

Most banking sites and popular sites like Google, Apple, Twitter and Facebook offer two-factor authentication, and will ask for a second one-time code anytime you log in from a new computer.

2. Change your passwords again.

Yes, you need to change passwords again and they have to be passwords you have never used before. They need to be long and not words you would find in a dictionary. The first thing hackers do when trying to break into a site is use computer programs that can test every word in the dictionary.

Password managers like LastPass or Password Safe create long, unique passwords for the websites you visit and store them in a database that is protected by a master password you have memorized.

It may sound counterintuitive, but the truly paranoid write down their passwords.

Security experts advise creating anagrams based on song lyrics, movie quotations or sayings, and using symbols or numbers and alternating lower and upper cases to make the password more difficult. For instance, the “Casablanca” movie quotation “Of all the gin joints, in all the towns, in all the world, she walks into mine” becomes OaTgJ,iAtT,iAtW,sWiM.

Use stronger, longer passwords for sites that contain the most critical information, like bank or email accounts.

3. Forget about security questions.

Sites will often use security questions such as “What was the name of your first school?” or “What is your mother’s maiden name?” to recover a user’s account if the password is forgotten.

These questions are problematic because the Internet has made public record searches a snap and the answers are usually easy to guess.

In a recent study, security researchers at Google found that with a single guess, an attacker would have a 19.7 percent chance of duplicating an English-speaking user’s answer to the question, “What is your favorite food?” (It was pizza.)

With 10 tries, an attacker would have a 39 percent chance of guessing a Korean-speaking user’s answer to the question, “What is your city of birth?” and a 43 percent chance of guessing the favorite food.

Jonathan Zdziarski, a computer forensics expert, said he often answers these questions with an alternate password. If a site offers only multiple choice answers, or only requires short passwords, he won’t use it.

“You can tell a lot about the security of a site just by looking at the questions they’ll ask you,” he said.

4. Monitor your credit.

Typically a service will offer one year of free credit monitoring if it has been breached. But be aware that attackers do not dispose of your Social Security number, birth date or password a year after they acquire it.

It is better to monitor your credit aggressively at all times through free services like AnnualCreditReport.com.

5. Freeze your credit.

In the attack at the I.R.S., a credit freeze may not have thwarted thieves from filing for false tax refunds, but it could have stopped them from pulling tax transcripts or opening other accounts.

To freeze your credit, call Equifax, Experian or TransUnion and ask to have your account frozen. The credit agency will mail a one-time PIN or password to unfreeze your account later.

The fee to freeze and refreeze credit varies by state. If you plan on applying for a new job, renting an apartment or buying insurance, you will have to thaw a freeze temporarily and pay a fee to refreeze the account.

But if you have been a victim of identity theft, and can show a police report proving as much, most states will waive the freeze fee.


Via Paulo Félix
more...
No comment yet.
Scoop.it!

Apple and Google ask Obama to leave smartphone security alone

Apple and Google ask Obama to leave smartphone security alone | IT Support and Hardware for Clinics | Scoop.it

FBI director James Comey has asked Congress for help getting around the upgraded encryption on Apple's smartphone, something he believes is creating too high a hurdle for law enforcement. It's not clear if his calls for new legislation have much chance for success, but they are clearly causing ripples in Silicon Valley. In a letter obtained by The Washington Post, tech heavyweights like Apple and Google call on President Obama to reject any new laws that would weaken security.

Better domestic surveillance is not an easy sell


There have been laws kicking around Congress for a while that would create the kind of backdoors Comey and other security hawks have been pushing for. CALEA II is one such bill, but it trips over all the outsized fears about government surveillance that the public has long held, even more so in the wake of Edward Snowden and revelations about just how much of our everyday communication is being vacuumed up by the NSA.


As we wrote back in October of 2014, that means "Comey's left exactly where we started, making ominous noises and generating headlines favorable to the FBI, but not actually doing anything. It's a bluff, a way to nudge public opinion without committing the bureau to anything. This isn't a crypto war — it's a pageant."


more...
No comment yet.
Scoop.it!

United Can't Even Be Bothered To Pay Money For Finding Security Bugs

United Can't Even Be Bothered To Pay Money For Finding Security Bugs | IT Support and Hardware for Clinics | Scoop.it

Bug bounty programs are pretty common among tech firms: the likes of Facebook and Google (although notably not Apple) will offer you hundreds of thousands of dollars in order for exposing security flaws in their products. It’s a good system, and one United Airlines wants to use: just without offering cold, hard cash.

Instead, United is offering air miles as the reward for the fruits of your labor. Sure, you can’t feed a family, or pay your internet bill with United miles — but you can at least fly to Europe whilst losing all feeling in your feet! United is offering 50,000 miles (cash equivalent: about $1000) for small flaws, like cross-site scripting, 250,000 miles for authentication bypass, and a million miles if you can remotely execute code.

Notably, eligible bugs are limited to United’s customer-facing websites and apps: onboard Wi-Fi, avionics, and entertainment systems are off-limits. That’s not surprising, given United’s previous response to onboard hackers, but it does limit the program somewhat.


Although it’s good that United has a bug bounty system at all — they work well at preventing hacks from being used nefariously — it would be nice if United actually rewarded the work of security researchers with real money.



more...
No comment yet.
Scoop.it!

New Rombertik malware destroys master boot record if analysis function detected

New Rombertik malware destroys master boot record if analysis function detected | IT Support and Hardware for Clinics | Scoop.it

While detection scanning malware is nothing new, Cisco researchers have identified a new malwaresample that takes its detection evasion features one step further than the average malware.


Instead of simply self-destructing when analysis tools are detected, Rombertik attempts to destroy the device's master boot record (MBR), researchers wrote in a blog post


This malware spreads through spam and phishing messages sent to possible victims.


In one example, attackers attempted to convince a user to download an attached document in an email. If downloaded and unzipped, a file that looks like a document thumbnail comes up. Although it mimics a PDF icon, it is actually a .SCR screensaver executable file containing the malware.


At this point Rombertik will first run anti-analysis checks to determine whether it is running within a sandbox. If it isn't, it will then decrypt and install itself, which then allows it to launch a second copy of itself and to overwrite the second copy with the malware's core functionality. Then, again, it will check to make sure it isn't being analyzed in memory. If it is, the attack takes an even more malicious turn with the malware attempting to destroy the Master Boot Record and restart the computer to make it inoperable.


To make actual analysis even more difficult, in the unpacked Rombertik sample used by Cisco more than 97 percent of the packed file dedicated to useless files, including 75 images and more than 8,000 functions that are never used.


Plus, instead of evading sandbox detection by sleeping for a certain amount of time and forcing the sandbox to time out, Rombertik writes a byte of random data to memory more than 900 million times. If an analysis tool attempted to document all these write instructions, the log would be more than 100 gigabytes.


All this occurs before the malware actually gets down to its true purpose of capturing a victim's plain-text data sent over a browser. Rombertik injects itself into the user's preferred browser's process and hooks API functions that handle plain text data. The attackers can then see usernames and passwords from almost any website a user visits.

“This is the perfect example where layered defense makes a lot of sense,” said Craig Williams, technical leader, Cisco Talos, in an interview with SCMagazine.com.


Although the malware may beat one detection system it's unlikely to detect or avoid them all, he said, making layered defense an important method to mitigate the risk. However, he noted, it's possible more exploit kits will begin adopting Rombertik's evasion tactics, making defense even more difficult.


Via Danen Raas, Paulo Félix
more...
No comment yet.
Scoop.it!

House Expected To Pass Cybersecurity Bill, Indemnifying Companies That Share Breach Data

House Expected To Pass Cybersecurity Bill, Indemnifying Companies That Share Breach Data | IT Support and Hardware for Clinics | Scoop.it

The House is expected to pass a bill Wednesday that is intended to compel private companies to give investigators access to their computer records and networks in the event of a data breach. The bill has been in the making for years, and comes after a series of embarrassing, high-profile hacks at companies such as Sony and Anthem health insurance.


The vote, which coincides with that for a similar Senate bill, is an assertive response from the federal government after major intrusions have resulted in a delayed movie release, lost credit card information, stolen medical records and a shaken faith in corporate America’s ability to protect itself online. Yet debate over the House bill has raised concerns from privacy and transparency advocates, including initial resistance from President Barack Obama and prominent congressional Democrats.


The House bill provides hacked companies with legal liability protection if they share sensitive information with the government. Privacy advocates demanded, and obtained, assurances under this provision that require data to undergo two rounds of scrubbing -- the removal of personal information -- when they're turned over to a government agency. The data will not be sent to the National Security Agency or the Department of Defense first, though it could ultimately end up there.

The privacy changes were enough to win over prominent Democrats, with Obama expected to sign a modified version of the House and Senate bills. Yet the White House still expressed reservations in a statement Tuesday, suggesting that the liability protections that are meant to protect companies from penalties that come with unauthorized use of customer data go too far.


“Appropriate liability protections should incentivize good cybersecurity practices and should not grant immunity to a private company for failing to act on information it receives about the security of its networks,” the White House said. Overly broad liability protections might “remove incentives for companies to protect their customers’ personal information and may weaken cybersecurity writ large,” the statement went on.


more...
No comment yet.
Scoop.it!

How to avoid getting hacked due to vulnerable WordPress plugins

How to avoid getting hacked due to vulnerable WordPress plugins | IT Support and Hardware for Clinics | Scoop.it

I’m a huge WordPress fan because it’s a very powerful, effective, and amazingly extensible platform which is why it’s used by 60.4% of [websites with identifiable content management systems which amounts to] 23.7% of all websites. But there’s a risk with any platform that’s extensible trough the use of third party software (called “plugins” in WordPress): That risk is from software vulnerabilities.


Part of the reason for these vulnerabilities is that WordPress is fairly complex so interactions with plugins can produce unwanted and occasionally dangerous security issues. The other major reason is that the coding practices of third parties can be inadequate so dumb vulnerabilities such as buffer overflows and SQL injections can be part and parcel of some “must have” feature added by a plugin. For a summary of current Wordpress vulnerabilities check out the WPScan Vulnerability Database, a “black box WordPress vulnerability scanner.”

If you’re running a WordPress site and given the number of potentially show-stopping problems that exist, get fixed, and are replaced with new problems that are just as bad then you need to be on top of what plugins you’re using and what problems they might have. Rather than scanning through loads of vulnerability notices and checking each plugin’s Web site for news there’s not only WPScan, there’s also a free plugin that check the plugins you use for known issues. It’s called Plugin Vulnerabilities and published by WhiteFirDesign.


The publishers also offer another free plugin, Automatic Plugin Updates that, as its name implies, will update your plugins automatically as new versions become available (you can also set up an “ignore” list to exclude specific plugins from automatic updates).

When you activate Plugin Vulnerabilities, all of your other plugins are examined and checked against WhiteFirDesign’s database of vulnerabilities. They’re also rechecked whenever a plugin in manually updated or an update executed by the Automatic Plugin Updates or by any other method.


WhiteFirDesign’s vulnerability stats were, as of April 6:

  • 257 vulnerabilities included
  • 61 included vulnerabilities are in the most recent version of plugins (57 of these plugins have been removed from the Plugin Directory)
  • 24 vulnerabilities have been fixed in part due to our work on this plugin
  • 5 included vulnerabilities in security plugins
  • Top vulnerability types:
    • cross-site request forgery (CSRF)/cross-site scripting (XSS): 52 vulnerabilities
    • reflected cross-site scripting (XSS): 45 vulnerabilities
    • arbitrary file upload: 45 vulnerabilities
    • arbitrary file viewing: 23 vulnerabilities
    • SQL injection: 16 vulnerabilities



This plugin is, in short, something you shouldn’t do without if you’re running WordPress. It could make the difference between smooth, uninterrupted operations and spending lots of time rebuilding your WordPress site after being hacked.

The Plugin Vulnerabilities and Automatic Plugin Updates plugins both get a Gearhead rating of 5 out of 5.


more...
No comment yet.