IT Support and Hardware for Clinics
32.7K views | +5 today
Follow
IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice
Your new post is loading...
Your new post is loading...
Scoop.it!

Windows 10 Ransomware Scam Represents Growing Trend in Malware

Windows 10 Ransomware Scam Represents Growing Trend in Malware | IT Support and Hardware for Clinics | Scoop.it

I don’t usually jump on the new software or device bandwagon immediately. I tend to wait until something has been on the market for a little while and let other people work the bugs out first. However, the release of Windows 10 intrigues me. I had the chance to talk to some people at RSA about it, and I’m not sure the last time I heard so much enthusiasm for a new Microsoft product.


The release came at the end of July, with the upgrade made available for free. Who doesn’t like free, right?

Consumers aren’t the only ones who appreciate a free upgrade, though. Scammers and bad guys are taking advantage of the Windows 10 launch, too, using phishing emails to spoof the arrival of the OS. As PC World explained, the scam does a very good job mimicking a legitimate Microsoft announcement regarding Windows 10. The difference, though, was this:


An attached .zip file purports to be a Windows 10 installer … the attachment contains a piece of ransomware called CTB-Locker that encrypts your files and requests payment within 96 hours, lets your files be encrypted forever.


I can’t imagine that anyone would be surprised that the bad guys would try to take advantage of the OS release. However, according to Cisco’s midyear report, using ransomware is part of a growing trend with hackers using social and breaking news events to deliver ransomware. According to the report, ransomware has really stepped up its game, with improved professional development to encourage innovation and to ensure that the malware brings in financial gains.

The Cisco blog explained more about how it works:


The ransoms demanded are usually affordable, generally a few hundred dollars depending on the bitcoin exchange rate. Criminals appear to have done their market research to determine the right price points for the best results: Fees are not so high that victims will refuse to pay or will tip of law enforcement. Ransomware authors keep their risk of detection low by using channels such as Tor and the Invisible Internet Project to communicate, and they use bitcoin so that financial transactions are difficult for law enforcement to trace.


Will we see more problems with ransomware going forward? I suspect the answer is “Yes,” especially as the developers get smarter about manipulating the ransom for their own gain. (Remember, as successful as Cryptolocker was at locking down a computer’s data, too many weren’t able to pay the ransom with Bitcoin, and, in turn, the developers weren’t able to make the money they planned to make.) We know that the spammers are very good at faking us out with phishing attacks. So enjoy your new Windows 10 upgrade. Just download with a lot of caution.

more...
No comment yet.
Scoop.it!

Adobe patches Flash zero-day found in Hacking Team data breach

Adobe patches Flash zero-day found in Hacking Team data breach | IT Support and Hardware for Clinics | Scoop.it

The massive Hacking Team data breach led to the release of 400GB worth of data including a zero-day vulnerability for Adobe Flash. Adobe has released an out-of-band patch for the flaw just two days after it was discovered.


The vulnerability was described by the Hacking Team in a readme file in the data dump as "the most beautiful Flash bug for the last four years". Accompanying the readme in the data was a proof-of-concept exploit of the flaw.


Adobe categorized the vulnerability (CVE-2015-5119) as critical and said it affects Flash Player versions 18.0.0.194 and earlier on Windows and Mac, and versions 11.2.202.468 and earlier on Linux. Successful exploitation of the flaw could allow remote code execution.


Security researcher Kafeine found that the vulnerability has already been added to the Angler, Fiddler, Nuclear and Neutrino exploit kits. Because of this, admins are recommended to apply the patch as soon as possible.


Also found in the Hacking Team data was another Adobe Flash zero-day (CVE-2015-0349), which was patched in April, and a zero-day affecting the Windows kernel. The inclusion of these zero-days has caused experts to question if these exploits are being used by Hacking Team clients, including law enforcement and governments.


"As many governments move to try and control malware and offensive security tools, some have been caught with their own hands in the cookie jar, leading many to wonder how and why governments and agencies listed as Hacking Team clients are using these tools and if they are doing so lawfully," said Ken Westin, security analyst for Tripwire. "Given the depth and amount of data compromised in this breach, it will reveal a great deal about the market for offensive tools designed for espionage with a great deal of fallout and embarrassment for some organizations."


Hacking Team spokesman Eric Rabe confirmed the breach and said that while law enforcement is investigating, the company suggests its clients suspend the use of its surveillance tools until it can be determined what exactly has been exposed.


In a new statement, Rabe warned that its software could be used by anyone because "sufficient code was released to permit anyone to deploy the software against any target of their choice.


"Before the attack, HackingTeam could control who had access to the technology that was sold exclusively to governments and government agencies," Rabe wrote. "Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so. We believe this is an extremely dangerous situation."

more...
No comment yet.
Scoop.it!

Surveillance Software Firm Breached

Surveillance Software Firm Breached | IT Support and Hardware for Clinics | Scoop.it

Hacking Team, an Italian developer of "easy-to-use offensive technology" - including spywareand other surveillance software that it sells to police, law enforcement and intelligence agencies - appears to have been breached and large quantities of corporate information leaked.


On July 5, hackers also appeared to have seized control of the Hacking Team's Twitter account,@hackingteam, after which they changed the company's logo and posted the following message: "Since we have nothing to hide, we're publishing all our e-mails, files, and source code."


The message included links to a Torrent file that reportedly includes 400 GB of the aforementioned data, including the source code for its "Remote Control System," known as both DaVinci and Galileo. Hacking Team advertises that the software is able to intercept Skype and voice calls, as well as data stored on PCs. The leaked data reportedly also includes passwords for multiple Hacking Team employees and customers, as well as previously disclosed zero-day vulnerabilities.

The Hacking Team data leak reportedly reveals that the company's customers have apparently ranged from the U.S. FBI and Drug Enforcement Agency to the governments of Sudan and the United Arab Emirates. Credit for the hack and data breach has reportedly been claimed by PhineasFisher, who has previously targeted vendors for allegedly selling surveillance software to repressive regimes. "Gamma and HT down, a few more to go :),"PhineasFisher said July 6 via Twitter.


Threat intelligence firm iSight Partners says in a research note that it believes that the breach occurred, and that most or all of the leaked data is genuine, because "convincingly fabricating that much information is prohibitively time intensive." It also warns that the source code could soon become part of other hackers' toolsets. "Hacking Team's tools and techniques will likely begin to be incorporated in other malware and surveillance tools." Allegedly leaked Hacking Team code has already been added to the GitHub code-sharing repository.


Hacking Team did not immediately respond to a request for comment about the breach, so the contents of those alleged customer lists could not be confirmed. Hacking Team senior system and security engineer Christian Pozzi, whose emails and personal passwords - including for multiple social media accounts - appear to have been included in the leak, says via Twitter on July 6: "We are currently working closely with the police at the moment. I can't comment about the recent breach."

But the authenticity of that message is questionable, since Pozzi's Twitter account later posted a message suggesting that it too had been compromised by hackers: "We are closing down. Bye Saudi Arabia. You paid us well. Allahuhakbah." After those messages appeared, Pozzi's Twitter account appears to have been deleted in its entirety.

The Company's Customers

Numerous privacy rights groups say that the data leak provides a rare look into how governments spy on people at home and abroad. "Hacking Team is one of the most aggressive companies currently supplying governments with hacking tools," says Eric King, deputy director of civil rights group Privacy International. "[The] leak of materials reportedly shows how Hacking Team assisted some of the world's most repressive regimes - from Bahrain to Uzbekistan, Ethiopia to Sudan - to spy on their citizens.


Hacking Team advertises its Galileo and DaVinci software as being "the hacking suite for governmental interception," noting that it can handle "up to hundreds of thousands of targets, all managed from a central place." Some of the software's capabilities have been previously described by Citizen Lab, a privacy project run by the University of Toronto, which says that the vendor's spyware can copy files from the hard drive of an infected PC, record Skype calls and emails, intercept passwords typed into Web browsers, as well as remotely activate webcams and microphones. To employ the spyware, however, government agencies must first sneak it onto targets' PCs, and Citizen Lab says that phishing attacks are likely the most-used technique for accomplishing this.


Privacy researcher Christopher Soghoian, principal technologist at the American Civil Liberties Union, says via Twitter that according to the leaked information, Hacking Team's customer list "includes South Korea, Kazakhstan, Saudi Arabia, Oman, Lebanon, and Mongolia."


Soghoian adds via Twitter that according to a leaked March 2013 invoice for the first half of a related payment, Hacking Team also completed a €260,000 ($290,000) deal with the government of Azerbaijan by selling "through a shadowy front company in Nevada" named Horizon Global Group.


Citizen Lab had previously questioned whether Hacking Team was selling to governments that are widely viewed as being repressive. "We suspect that agencies of these twenty-one governments are current or former users of RCS: Azerbaijan, Colombia, Egypt, Ethiopia, Hungary, Italy, Kazakhstan, Korea, Malaysia, Mexico, Morocco, Nigeria, Oman, Panama, Poland, Saudi Arabia, Sudan, Thailand, Turkey, UAE, and Uzbekistan," it says in a 2014 report. "Nine of these countries receive the lowest ranking, 'authoritarian,' in The Economist's 2012 Democracy Index. Additionally, two current users - Egypt and Turkey - have brutally repressed recent protest movements."


The company's customer list had also earned it a place on the "Enemies of the Internet" list maintained by civil rights group Reporters Without Borders.


The Hacking Team's alleged "maintenance agreement" tracker has been published to text-sharing website Pastebin; it says that the company's customers also include the U.S. Drug Enforcement Agency - as news outlet Vice first reported in April - and government agencies across the EU, including the Czech Republic, Hungary, Luxembourg, Poland and Spain. The FBI, meanwhile, is listed in that maintenance agreement as having an "active maintenance contract" with Hacking Team through June 30, 2015, while both Russia and Sudan are listed as being "not officially supported." Again, however, the authenticity of that information could not be confirmed, and it's possible that whoever leaked the files altered, added or fabricated the information.

The FBI did not immediately respond to Information Security Media Group's inquiry about whether the bureau is, or has been, a Hacking Team customer.

Hacker Targets

Cryptography expert Matthew Green, a Johns Hopkins University professor, says that more than any other type of company except bitcoin exchanges, surveillance software vendors should expect to face serious and sustained hacks. Thus, they should harden their defenses accordingly, but few seem to do so, he says.


Indeed, Hacking Team is not the first surveillance software vendor to have been hacked. In August 2014, Gamma Group - the creator of FinFisher malware, which it spun off as a separate company in 2013 - was also breached by PhineasFisher, who announced via Reddit that a 40GB data dump leaked to BitTorrent included internal documents, as well as price lists and support queries.

more...
No comment yet.
Scoop.it!

Will Sony Settle Cyber-Attack Lawsuit?

Will Sony Settle Cyber-Attack Lawsuit? | IT Support and Hardware for Clinics | Scoop.it

Did Sony underspend on information security, thus contributing to the success of the devastating hack attack against it, which came to light in November 2014? And can a business be held legally accountable by employees for their employer's information security shortcomings?


Those questions are central to a lawsuit filed by Michael Corona and eight other former Sony employees in the wake of what plaintiffs rightly dub a data breach "epic nightmare, much better suited to a cinematic thriller than to real life." Their suit accuses Sony of having failed to put an effective information security program in place, despite having previously suffered repeated, serious attacks.


 An epic nightmare, much better suited to a cinematic thriller than to real life. 


"Sony failed to secure its computer systems, servers and databases, despite weaknesses that it has known about for years," the lawsuit alleges, citing in part a September 2014 audit by PricewatershouseCoopers, which found that Sony's information security and monitoring practices fell below "prudent industry standards."


The lawsuit further alleges that nearly 100 terabytes of data was stolen, including 47,000 Social Security numbers and personally identifiable information for at least 15,000 current and former employees, some of whom had not worked for the studio since 1955. As a result, breach victims "face ongoing future vulnerability to identity theft, medical theft, tax fraud, and financial theft," the lawsuit plaintiffs allege. "In fact, plaintiffs' PII has already been traded on black market websites and used by identity thieves."

Lawsuit Ruling

Sony asked a court to dismiss the suit, and U.S. District Judge R. Gary Klausner this week did dismiss some parts, including allegations of breach of contract and that Sony failed to notify breach victims in a timely manner.


But in a setback for Sony, the judge ruled that other parts of the lawsuit can proceed, although he has yet to rule on the merits of these claims, including plaintiffs' allegation that Sony "made a business decision to accept the risk of losses associated with being hacked." The federal judge also agreed with the former employees' allegation that "to receive compensation and employment benefits, they were required to provide their PII to Sony." While many data breach lawsuits get dismissed on the grounds that the breach did not cause any economic harm to people whose information was stolen, Klausner said that by requiring employees' PII, Sony created a "special relationship that provides an exception to the economic loss doctrine."


Michael Sobol, an attorney for the plaintiffs, told the BBC, "We are pleased that the court has properly recognized the harm to Sony's employees."


A spokeswoman for Sony Pictures Entertainment did not immediately respond to a request for comment on the ruling.


In the wake of the 2014 attack, at least nine other lawsuits were filed against Sony by individual former employees. Like the Corona suit, all of these lawsuits seek class-action status, meaning they would include all current and former employees who were affected by the cyber-attack.

Wiper Malware Attack

To recap: Sony suffered a devastating wiper malware attack in November 2014, ostensibly designed to punish the company for releasing "The Interview," a satiric film starring James Franco and Seth Rogan that featured the fictional death of North Korean leader Kim Jong-un.


But before the attackers unleashed their wiper malware and began erasing Sony hard drives and bricking laptops, they penetrated Sony's network and stolen tens of terabytes of data, including copies of unreleased movies and the script for the upcoming James Bond film "Spectre," as well as numerous private email exchanges, all of which the attackers began leaking.


Sony, in a December 2014 breach notification filed with California state authorities, reported that the breach appeared to compromise current and former employees' names, addresses, Social Security numbers, driver's licenses and passport numbers, corporate credit card information, usernames and passwords, and salaries. Sony also warned that individuals' "HIPAA-protected health information" may have been exposed, including medical diagnoses, dates of birth, health plan identification numbers, and personal and health-related information.


As noted in Corona's lawsuit, large amounts of this information were leaked to the Internet by attackers and likely remain in circulation.

Lawsuit Resolution: Unclear

What will happen next in the Sony class-action lawsuit saga, of course, is not clear. But based on past breach-related lawsuits, it's likely that unless the lawsuit gets dismissed, Sony will ultimately settle, rather than risk a jury trial and ruling that might give breach victims more rights.


If Sony did make a business decision to underspend on security, it was a costly move. In February, Sony said in an earnings report that it expected to spend $35 million in cleanup costs through the end of its fiscal year in March, largely related to restoring the company's "financial and IT systems." But as the multiple lawsuits highlight, Sony faces continuing legal costs, as well as the risk that it will eventually have to pay damages or settlements.


But any such settlement likely would not happen soon. Indeed, Sony only settled a lawsuit filed in the wake of its April 2011 breach - a year in which the company fell victim to more than a dozen breaches - in June 2014. That breach exposed personal information for 77 million users of the Sony PlayStation Network and Qriocity services.


By that timeline, the lawsuits stemming from the 2014 Sony cyber-attack may not be resolved until at least 2017.

more...
No comment yet.
Scoop.it!

LastPass Sounds Breach Alert

LastPass Sounds Breach Alert | IT Support and Hardware for Clinics | Scoop.it

Warning to all LastPass users: Change your master password for the service now and ensure you're using multi-factor authentication. There has been a data breach that might allow attackers to crack master passwords and password reminders.


"Our team discovered and blocked suspicious activity on our network," reads a security notice from Joe Siegrist, the CEO of online password management service LastPass, which allows people to store multiple passwords inside a single, cloud-based password vault.


Siegrist says the intrusion was discovered June 12. "In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."


This is not the first time that LastPass has reported that passwords or data might have been hacked. In 2011, the firm reported finding a "traffic anomaly from one of our databases" that could have resulted in data exfiltration. In response, the firm said it took a number of steps to tighten security, including registering domains that might be used by phishing attackers, as well as removing non-core services from the LastPass network.


In the wake of this newly announced breach, Siegrist says that the company is "confident that our encryption measures are sufficient to protect the vast majority of users," noting that the site's techniques for creating users' authentication hashes - in essence, how their authentication credentials get protected - would make it very difficult for an attacker to crack those hashes "with any significant speed." But because that is a possibility, the company says it has now "locked down" all accounts, meaning that any attempt to access an account from a new device or IP address will require the user to first verify their identity via email, unless they're already using multi-factor authentication.


"We will also be prompting all users to change their master passwords," Siegrist says. "You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites." He adds that because encrypted user data wasn't stolen, users do not need to change the passwords for any sites stored inside their LastPass password vault.


LastPass also offers multi-factor authentication - including Google Authenticator, Yubikey and the Duo Security Authenticator - to safeguard accounts. And in the wake of the breach, multiple information security experts recommend that all LastPass users ensure that they are using this feature.

Rethink Password Reset Questions

"Should I panic because LastPass was hacked?" asks Robert David Graham, head of information security research firm Errata Security. "If you chose a long, non-dictionary password, nobody can crack it," he says, thanks to the way LastPass creates its hashing algorithms. "Conversely, if you haven't, then yes, you need to change it."


Some security experts, meanwhile, say that the biggest risk now facing LastPass users will bephishing attacks, especially because users' email addresses have been compromised. "LastPass is advising users to change the master password. While this is a good idea, it should not be the top priority," says Martin Vigo, a product security engineer for salesforce.com who's due to present the talk "Breaking Vaults: Stealing LastPass protected secrets" at the July Shakacon conference in Hawaii. "You should pay more attention to the password hint you set up and be on the lookout for any possible phishing email in the next weeks pretending to be LastPass."


Vigo says many users undercut their security by using password reminders - he recommends never using them, if possible - or else creating weak ones. "While the password reminder cannot be the password itself, it can contain it. This means that password reminders such as 'My password is correct horse battery staple' are possible," he says. "Other more common passwords reminders such as 'My dogs name' can help attackers guess your master password. Remember that they have your email, which leads to your Twitter, Facebook, etc., where possibly that information can be found."

Password Vaults: Pros and Cons

The LastPass breach begs the question of whether people should ever use password managers, a.k.a. password vaults. "If a crook gets hold of your master password, then that's like getting the crown jewels - because now the crook has access to all your accounts at once," says Paul Ducklin, a senior security adviser for anti-virus firm Sophos, in a blog post. As a result, some security experts decry their use, on the grounds that the password manager master password creates a potential single point of failure.


But many security experts, including Bruce Schneier, have long advocated using such tools, saying that it is much more likely that users will get hacked if they reuse passwords, or select weak ones, than have their encrypted password database stolen and cracked.

F-Secure security adviser Sean Sullivan, for example, has said he "can't imagine life" without using one, because such tools can ensure that a user only uses strong passwords, and never repeats them across sites. But Sullivan also takes certain precautions, such as never entering the master password for his password manager when he's using an untrusted system - such as the shared family PC at home - in case a keylogger might be in operation.

Cloud Versus PC-Based

Users can also choose between PC-based, cloud-based or hybrid password managers. Some encryption experts, such as Johns Hopkins cryptographer Matthew Green, have voiced concerns about the security of cloud-based password management services.

more...
No comment yet.
Scoop.it!

Apple is making it harder to steal the Apple Watch

t didn't make it into today's WWDC keynote address, but Apple is adding an important security feature to watchOS 2. The new version of the wearable OS will bring Activation Lock — a feature that has been on iPhones since 2013 — to the Apple Watch.


Activation Lock is an anti-theft measure that makes stolen devices less attractive to potential thieves. If someone were to steal your device and wipe it (something that can be done on a Watch in just a few taps), Activation Lock won't let the device be reactivated without first inputting the Apple ID and password that was originally used to set it up. It may not stop someone from stealing and selling your Watch for parts, and there's still no comparable feature to "Find my iPhone," but Activation Lock is a start.


IT'S NO FIND MY IPHONE, BUT IT'S A START

Just last month, users grew worried after9to5Mac pointed out how easy it is to wipe the settings, data, and passcode from an Apple Watch. From there, someone could pair a Watch to any new iPhone. In the user guide, Apple frames this as a way to restore your Watch's functionality should you forget your passcode, which is convenient. But for many people the function made it far too easy for someone else to wind up using your Watch as their own.


Users will have the choice to enable Activation Lock on their Watch or not, so it's ultimately up to them. The watchOS 2 developer beta is available today, and the final version will be released this fall.

more...
No comment yet.
Scoop.it!

Five Steps to Secure Your Data After I.R.S. Breach

Five Steps to Secure Your Data After I.R.S. Breach | IT Support and Hardware for Clinics | Scoop.it

The Internal Revenue Service has been added to a long list of companies and government agencies that hackers have breached in the last year.

And so, if there is any advice security experts have for those trying to keep their personal information safe, it is simply: You can’t.

“Your information has already been out there for years, available to anyone who wants to pay a couple dollars,” Brian Krebs, a security blogger who has been a frequent target of hackers, said Wednesday.

The attack on the I.R.S. is just the latest evidence that hackers already have all the information necessary to steal your identity. The agency said Tuesday that hackers used information stolen from previous breaches — including Social Securitynumbers, birth dates, street addresses and passwords — to complete a multistep authentication process and 


But consumers can make things harder for criminals. There may be a trade-off in convenience, but experts say the alternative is a lot worse.

1. Turn on multifactor authentication.

If a service offers added security features like multifactor authentication, turn them on. When you enter your password, you will receive a message, usually via text, with a one-time code that you must enter before you can log in.

Most banking sites and popular sites like Google, Apple, Twitter and Facebook offer two-factor authentication, and will ask for a second one-time code anytime you log in from a new computer.

2. Change your passwords again.

Yes, you need to change passwords again and they have to be passwords you have never used before. They need to be long and not words you would find in a dictionary. The first thing hackers do when trying to break into a site is use computer programs that can test every word in the dictionary.

Password managers like LastPass or Password Safe create long, unique passwords for the websites you visit and store them in a database that is protected by a master password you have memorized.

It may sound counterintuitive, but the truly paranoid write down their passwords.

Security experts advise creating anagrams based on song lyrics, movie quotations or sayings, and using symbols or numbers and alternating lower and upper cases to make the password more difficult. For instance, the “Casablanca” movie quotation “Of all the gin joints, in all the towns, in all the world, she walks into mine” becomes OaTgJ,iAtT,iAtW,sWiM.

Use stronger, longer passwords for sites that contain the most critical information, like bank or email accounts.

3. Forget about security questions.

Sites will often use security questions such as “What was the name of your first school?” or “What is your mother’s maiden name?” to recover a user’s account if the password is forgotten.

These questions are problematic because the Internet has made public record searches a snap and the answers are usually easy to guess.

In a recent study, security researchers at Google found that with a single guess, an attacker would have a 19.7 percent chance of duplicating an English-speaking user’s answer to the question, “What is your favorite food?” (It was pizza.)

With 10 tries, an attacker would have a 39 percent chance of guessing a Korean-speaking user’s answer to the question, “What is your city of birth?” and a 43 percent chance of guessing the favorite food.

Jonathan Zdziarski, a computer forensics expert, said he often answers these questions with an alternate password. If a site offers only multiple choice answers, or only requires short passwords, he won’t use it.

“You can tell a lot about the security of a site just by looking at the questions they’ll ask you,” he said.

4. Monitor your credit.

Typically a service will offer one year of free credit monitoring if it has been breached. But be aware that attackers do not dispose of your Social Security number, birth date or password a year after they acquire it.

It is better to monitor your credit aggressively at all times through free services like AnnualCreditReport.com.

5. Freeze your credit.

In the attack at the I.R.S., a credit freeze may not have thwarted thieves from filing for false tax refunds, but it could have stopped them from pulling tax transcripts or opening other accounts.

To freeze your credit, call Equifax, Experian or TransUnion and ask to have your account frozen. The credit agency will mail a one-time PIN or password to unfreeze your account later.

The fee to freeze and refreeze credit varies by state. If you plan on applying for a new job, renting an apartment or buying insurance, you will have to thaw a freeze temporarily and pay a fee to refreeze the account.

But if you have been a victim of identity theft, and can show a police report proving as much, most states will waive the freeze fee.


Via Paulo Félix
more...
No comment yet.
Scoop.it!

Apple and Google ask Obama to leave smartphone security alone

Apple and Google ask Obama to leave smartphone security alone | IT Support and Hardware for Clinics | Scoop.it

FBI director James Comey has asked Congress for help getting around the upgraded encryption on Apple's smartphone, something he believes is creating too high a hurdle for law enforcement. It's not clear if his calls for new legislation have much chance for success, but they are clearly causing ripples in Silicon Valley. In a letter obtained by The Washington Post, tech heavyweights like Apple and Google call on President Obama to reject any new laws that would weaken security.

Better domestic surveillance is not an easy sell


There have been laws kicking around Congress for a while that would create the kind of backdoors Comey and other security hawks have been pushing for. CALEA II is one such bill, but it trips over all the outsized fears about government surveillance that the public has long held, even more so in the wake of Edward Snowden and revelations about just how much of our everyday communication is being vacuumed up by the NSA.


As we wrote back in October of 2014, that means "Comey's left exactly where we started, making ominous noises and generating headlines favorable to the FBI, but not actually doing anything. It's a bluff, a way to nudge public opinion without committing the bureau to anything. This isn't a crypto war — it's a pageant."


more...
No comment yet.
Scoop.it!

United Can't Even Be Bothered To Pay Money For Finding Security Bugs

United Can't Even Be Bothered To Pay Money For Finding Security Bugs | IT Support and Hardware for Clinics | Scoop.it

Bug bounty programs are pretty common among tech firms: the likes of Facebook and Google (although notably not Apple) will offer you hundreds of thousands of dollars in order for exposing security flaws in their products. It’s a good system, and one United Airlines wants to use: just without offering cold, hard cash.

Instead, United is offering air miles as the reward for the fruits of your labor. Sure, you can’t feed a family, or pay your internet bill with United miles — but you can at least fly to Europe whilst losing all feeling in your feet! United is offering 50,000 miles (cash equivalent: about $1000) for small flaws, like cross-site scripting, 250,000 miles for authentication bypass, and a million miles if you can remotely execute code.

Notably, eligible bugs are limited to United’s customer-facing websites and apps: onboard Wi-Fi, avionics, and entertainment systems are off-limits. That’s not surprising, given United’s previous response to onboard hackers, but it does limit the program somewhat.


Although it’s good that United has a bug bounty system at all — they work well at preventing hacks from being used nefariously — it would be nice if United actually rewarded the work of security researchers with real money.



more...
No comment yet.
Scoop.it!

New Rombertik malware destroys master boot record if analysis function detected

New Rombertik malware destroys master boot record if analysis function detected | IT Support and Hardware for Clinics | Scoop.it

While detection scanning malware is nothing new, Cisco researchers have identified a new malwaresample that takes its detection evasion features one step further than the average malware.


Instead of simply self-destructing when analysis tools are detected, Rombertik attempts to destroy the device's master boot record (MBR), researchers wrote in a blog post


This malware spreads through spam and phishing messages sent to possible victims.


In one example, attackers attempted to convince a user to download an attached document in an email. If downloaded and unzipped, a file that looks like a document thumbnail comes up. Although it mimics a PDF icon, it is actually a .SCR screensaver executable file containing the malware.


At this point Rombertik will first run anti-analysis checks to determine whether it is running within a sandbox. If it isn't, it will then decrypt and install itself, which then allows it to launch a second copy of itself and to overwrite the second copy with the malware's core functionality. Then, again, it will check to make sure it isn't being analyzed in memory. If it is, the attack takes an even more malicious turn with the malware attempting to destroy the Master Boot Record and restart the computer to make it inoperable.


To make actual analysis even more difficult, in the unpacked Rombertik sample used by Cisco more than 97 percent of the packed file dedicated to useless files, including 75 images and more than 8,000 functions that are never used.


Plus, instead of evading sandbox detection by sleeping for a certain amount of time and forcing the sandbox to time out, Rombertik writes a byte of random data to memory more than 900 million times. If an analysis tool attempted to document all these write instructions, the log would be more than 100 gigabytes.


All this occurs before the malware actually gets down to its true purpose of capturing a victim's plain-text data sent over a browser. Rombertik injects itself into the user's preferred browser's process and hooks API functions that handle plain text data. The attackers can then see usernames and passwords from almost any website a user visits.

“This is the perfect example where layered defense makes a lot of sense,” said Craig Williams, technical leader, Cisco Talos, in an interview with SCMagazine.com.


Although the malware may beat one detection system it's unlikely to detect or avoid them all, he said, making layered defense an important method to mitigate the risk. However, he noted, it's possible more exploit kits will begin adopting Rombertik's evasion tactics, making defense even more difficult.


Via Danen Raas, Paulo Félix
more...
No comment yet.
Scoop.it!

House Expected To Pass Cybersecurity Bill, Indemnifying Companies That Share Breach Data

House Expected To Pass Cybersecurity Bill, Indemnifying Companies That Share Breach Data | IT Support and Hardware for Clinics | Scoop.it

The House is expected to pass a bill Wednesday that is intended to compel private companies to give investigators access to their computer records and networks in the event of a data breach. The bill has been in the making for years, and comes after a series of embarrassing, high-profile hacks at companies such as Sony and Anthem health insurance.


The vote, which coincides with that for a similar Senate bill, is an assertive response from the federal government after major intrusions have resulted in a delayed movie release, lost credit card information, stolen medical records and a shaken faith in corporate America’s ability to protect itself online. Yet debate over the House bill has raised concerns from privacy and transparency advocates, including initial resistance from President Barack Obama and prominent congressional Democrats.


The House bill provides hacked companies with legal liability protection if they share sensitive information with the government. Privacy advocates demanded, and obtained, assurances under this provision that require data to undergo two rounds of scrubbing -- the removal of personal information -- when they're turned over to a government agency. The data will not be sent to the National Security Agency or the Department of Defense first, though it could ultimately end up there.

The privacy changes were enough to win over prominent Democrats, with Obama expected to sign a modified version of the House and Senate bills. Yet the White House still expressed reservations in a statement Tuesday, suggesting that the liability protections that are meant to protect companies from penalties that come with unauthorized use of customer data go too far.


“Appropriate liability protections should incentivize good cybersecurity practices and should not grant immunity to a private company for failing to act on information it receives about the security of its networks,” the White House said. Overly broad liability protections might “remove incentives for companies to protect their customers’ personal information and may weaken cybersecurity writ large,” the statement went on.


more...
No comment yet.
Scoop.it!

Breach Exposed Obama Records

Breach Exposed Obama Records | IT Support and Hardware for Clinics | Scoop.it

 A breach of the White House IT system last October, believed to be by Russian hackers, exposed sensitive details about White House operations, such as the president's schedule, CNN reports.

Investigators believe the White House intrusion began with a phishing email that was launched using a State Department email account that the hackers had taken over, CNN reports, citing several U.S. officials briefed on the investigation into the breach.

The State Department revealed in October that the breach of its system and that of the White House were linked (see State Department, White House Hacks Linked).

The White House downplayed the report. "This report is not referring to a new incident - it is speculating on the attribution of the activity of concern on the unclassified EOP (Executive Office of the President) network that the White House disclosed last year," Mark Stroh, National Security Council spokesman said April 7. "Any such activity is something we take very seriously. In this case, as we made clear at the time, we took immediate measures to evaluate and mitigate the activity. As has been our position, we are not going to comment on the referenced article's attribution to specific actors."
Alternative to Email

Jerry Irvine - a member of the National Cybersecurity Task Force, a joint operation between the Department of Homeland Security and the U.S. Chamber of Commerce - says phishing and spear phishing attacks are increasingly plaguing governments and businesses, and suggests that if they persist, organizations might need to limit email communications.

"It can happen to anyone, and it did," Irvine says, referring to the White House breach. "This is the way of the world. Organizations now are starting to look at the value of email and are questioning whether it's worth the risk. Are there other methods to share information other than email?"

Irvine, partner and chief information officer at IT outsourcer Prescient Solutions, says governments and businesses should look to email alternatives, such as instant messaging, which he contends poses fewer risks.


more...
No comment yet.
Scoop.it!

Ransomware: The Right Response

Ransomware: The Right Response | IT Support and Hardware for Clinics | Scoop.it

So-called ransomware attacks are on the rise, namely because targeted businesses are increasingly willing to negotiate with - and even pay - their extortionists.


Ransomware has been getting a lot of media attention of late. On April 1, security firm Trend Micro reported that since the beginning of the year, numerous variants of crypto-ransomware have been discovered in the wild, striking consumers and businesses throughout the world.

 Criminals rarely hold up their end of the bargain, so negotiating with anyone who is demanding a ransom is just a bad idea. 


Just weeks earlier, security firms FireEye and Bitdefender issued warnings about new ransomware trends that were making these attacks more difficult to thwart and detect.


Now experts are calling attention to one of the reasons why ransomware attacks are becoming more common - because organizations say they'd rather not deal with the fallout that trails a breach or cyber-attack that goes public. Instead of getting law enforcement involved, they'd rather try their hands at making deals with their attackers first.


But paying ransom is short-sighted and is never a good idea. Why? Because cybercriminals rarely keep their end of the bargain. Organizations that negotiate with hackers often end up with lost data after paying a hefty ransom.


Lance James, who heads up cyber-intelligence at consultancy Deloitte & Touche, says most businesses that pay ransoms never have their data restored or their encrypted files decrypted.


During his presentation at Information Security Media Group's Fraud Summit in Atlanta, James discussed ransomware cases he has investigated. He noted that in most of those cases, businesses paid the ransom and then the attackers disappeared, never fulfilling their end of the negotiating bargain.


Of course, organizations should prepare for these types of attacks by taking steps now to ensure they have data and drive backups, and that they have strong multifactor authentication requirements for access to servers, in the event an employee's credentials are hijacked during one of these attacks.


But businesses also need to spend more time educating their staff about how ransomware attacks work, why these attacks are waged, and why reporting these attacks to law enforcement, rather than trying to handle them internally, is so critical.

The Attack Strategy

Ransomware attacks are waged in two parts. First, a PC or mobile device is infected with malware that locks the corporate user out or encrypts files so that the user can longer access them. Then a ransom is demanded through an automated message that appears on the device's screen. The user is told he or she has a limited amount of time to pay the ransom before the device will be wiped clean or the files will be erased.


The tools for these attacks are easy to buy and technical support for waging the attacks is inexpensive.


Law enforcement agencies, such as the Federal Bureau of Investigation, have advised consumers and businesses to immediately report ransomware schemes when they occur.


But security researchers say that, despite of those warnings, many businesses are opting to either pay the ransom or are engaging in direct negotiations with their attackers instead of getting the authorities involved.

Willingness to Negotiate

A new study from cyber-intelligence firm ThreatTrack Security finds that 40 percent of security professionals believe their organizations have been targeted by a ransomware attack. Of those that believe they've been targeted, 55 percent say that when under attack, they are willing to negotiate a ransom in exchange for the release of corporate data or files.


ThreatTrack's research also finds that one in three security pros would recommend to upper management that their companies negotiate a ransom to see if they could avoid public disclosure of a breach involving stolen data or files that have been encrypted as part of the attack.


In fact, 66 percent of those surveyed by ThreatTrack say they fear negative reactions from customers and/or employees whose data was compromised in a breach if those customers or employees were to learn that their organizations chose not to negotiate with cybercriminals for the return of data.


ThreatTrack's survey includes responses from 250 U.S. security professionals at companies with 500 to 2,500 employees.

Beware of a Quick Fix

When it comes to ransomware attacks waged against corporations, many victimized organizations see paying the criminals what they want as the easiest way to make the problem go away.


But criminals rarely hold up their end of the bargain, so negotiating with anyone who is demanding a ransom is just a bad idea.

Obviously, more education, from the CEO down to the employee, is needed. But we also need a shift in the corporate culture, with an emphasis on looking beyond a "quick fix" for avoiding breach publicity.

Information sharing with peers can play a critical role as well. The more we talk about these attacks and share the techniques used, the more we can learn about how to defend our networks and shield our employees from falling victim to the phishing schemes that are often used to infect systems in the first place.


Security vendors need to step up their efforts here, too. Rather than just supplying intrusion detection, they also need to provide some good-old-fashioned education.

more...
Ivan Garcia-Hidalgo's curator insight, April 8, 2015 1:33 PM

Ransomware: The Right Response #InfoSec #cybersecurity

Scoop.it!

More Retailers Hit by New Third-Party Breach?

More Retailers Hit by New Third-Party Breach? | IT Support and Hardware for Clinics | Scoop.it

CVS, Rite-Aid, Sam's Club, Walmart Canada and other large retail chains have suspended their online photo services following a suspected hack attack against a third-party service provider that may, in some cases, have resulted in the compromise of payment card data.


The suspected breach centers on PNI Digital Media Inc., a Vancouver-based firm that manages and hosts online photo services for numerous retailers. The incident serves as a reminder of the security challenges that organizations face when it comes to managing their third-party vendors and entrusting them with sensitive customer information.


Numerous chains have confirmed that they are investigating potential breaches - some involving payment card data - after being warned by PNI Digital Media that it may have suffered a hack attack that resulted in the compromise of retailers' customers' names, addresses, phone numbers, email addresses, photo account passwords and credit card information. But none of the retailers involved have so far reported that they believe the breach would affect any of their in-store customers, including anyone who used in-store photo services.


PNI Digital Media did not immediately respond to a request for comment on its reported breach investigation. Until July 17, the company's investors page reported that it worked with numerous retailers, and while that page is now blank, a recent version cached by Google's search engine reads: "PNI Digital Media provides a proprietary transactional software platform that is used by leading retailers such as Costco, Walmart Canada, and CVS/pharmacy to sell millions of personalized products every year. Last year, the PNI Digital Media platform worked with over 19,000 retail locations and 8,000 kiosks to generate more than 18M transactions for personalized products."

CVS Confirms Investigation

On July 17, CVS spokesman Mike DeAngelis confirmed that CVSPhoto.com may have been affected by the suspected PNI Digital Media breach. "We disabled the site as a matter of precaution while this matter is being investigated," DeAngelis tells Information Security Media Group.


The cvsphoto.com site now reads in part: "We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised. As a precaution, as our investigation is underway we are temporarily shutting down access to online and related mobile photo services. We apologize for the inconvenience."

CVS says PNI Digital Media collects credit and debit information for customers who purchase online photo services through CVSPhoto.com. Accordingly, CVS recommends that all customers of its online photo service review their credit card statements "for any fraudulent or suspicious activity" and notify their bank or card issuer if anything appears to be amiss. "Nothing is more central to us than protecting the privacy and security of our customer information, including financial information," CVS says. "We are working closely with the vendor and our financial partners and will share updates as we know more."

Rite Aid: No Suspected Card Theft

Drugstore chain Rite Aid has also taken its online and mobile photo services offline. "We recently were advised by PNI Digital Media, the third party that manages and hosts mywayphotos.riteaid.com, that it is investigating a possible compromise of certain online and mobile photo account customer data," Rite Aid's site reads. "The data that may have been affected is name, address, phone number, email address, photo account password and credit card information."


Unlike CVS, however, Rite Aid reports that it does not believe that its customers' payment-card data is at risk. "Unlike for other PNI customers, PNI does not process credit card information on Rite Aid's behalf and PNI has limited access to this information," it says, adding that it has received no related fraud reports from its customers.

Sam's Club has also taken its online photo service offline, "in an abundance of caution and as a result of recent reports suggesting a potential security compromise of the third-party vendor that hosts Sam's Photo website." As with Rite Aid, however, Sam's Club reports that "at this time, we do not believe customer credit card data has been put at risk."


Costco and Tesco Photo have also suspended their online photo services.


Walmart Canada, which also outsources online photo services to PNI, also may have been affected by the possible breach, according to the The Toronto Star, and the retailer has since suspended its online photo services website. "We were recently informed of a potential compromise of customer credit card data involving Walmart Canada's Photocentre website, www.walmartphotocentre.ca," Walmart states. "We immediately launched an investigation and will be contacting customers who may be impacted. At this time, we have no reason to believe that Walmart.ca, Walmart.com or in-store transactions are affected.


Walmart did not respond to Information Security Media Group's request for comment. ISMG also reached out to office supplier Staples, which owns PNI, but did not get a response.

"PNI is investigating a potential credit card data security issue," a Staples spokesperson told The Toronto Star.

Growing Third-Party Breach Concerns

PNI's potential breach comes just a week after Denver-based managed services provider Service Systems Associates announced that a breach linked to a malware attack against its network had likely affected about 12 of the payments systems it operates for gifts shops at retail locations, which include zoos, museums and parks, across the country.


Service Systems Associates says debit and credit purchases made between March 23 and June 25 may have been compromised.

On July 7, the Financial Services Information Sharing and Analysis Center, along with Visa, the U.S. Secret Service and The Retail Cyber Intelligence Sharing Center, which provides threat intelligence for retailers, issued a cybersecurity alert about risks merchants face when dealing with third parties.


The alert lists a number of security recommendations for managing third-party risks, including using multifactor authentication for remote-access login to point-of-sale systems and including specific policies related to outdated operating systems and software in contracts with vendors.


Earlier this month, Chris Bretz, director of payment risk at the FS-ISAC, warned that managed service providers that offer outsourced services to numerous merchants are increasingly being targeted by cybercriminals.


"Criminals continue to find success by targeting smaller retailers that use common IT and payments systems," Bretz said in an interview with ISMG. "Merchants in industry verticals often use managed service provider systems. There might be 100 merchants that use a managed service provider that provides IT and payment services for their business."

more...
No comment yet.
Scoop.it!

A government key to unlock your encrypted messages has major problems and security experts are up in arms

A government key to unlock your encrypted messages has major problems and security experts are up in arms | IT Support and Hardware for Clinics | Scoop.it

Top computer scientists and security experts are warning that government proposals to gain special access to encrypted communications could result in significant dangers. 

A consortium of world-renowned security experts has penned a report detailing the harm that regulating encryption would cause, writes the New York Times


Hard encryption — which global authorities are now trying to combat — is a way to mathematically cipher digital communications and is widely considered the most secure way to communicate online to avoid external snooping. 


This follows news last week that British Prime Minister David Cameron made a proposal to ban encryption as a way to "ensure that terrorists do not have a safe space in which to communicate."  


Since then, experts have begun weighing in about the effect of such drastic measures. This includes well-known cryptographer Bruce Schneier, who told Business Insider that such a strong encryption ban would "destroy the internet."

The new report, which was released today, takes a similarly hard stance. "The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws," it writes. Not only that, but federal authorities have yet to explain exactly how they planned to gain "exceptional access" to private communications.


The report concludes, "The costs would be substantial, the damage to innovation severe, and the consequences to economic growth difficult to predict." In short, the experts believe that trying to put limitations on encrypted communications would create myriad problems for everyone involved. 


This sort of fissure between security experts and federal authorities isn’t new. In fact, a similar proposal was made by the Clinton Administration in 1997 that also took aim at hard cryptography. Back then, a group of experts — many of whom are authors on this new report — also wrote critically about the anti-encryption efforts.

In the end, the security experts prevailed. 


Now, it’s not so certain. FBI director James Comey has joined the ant-encryption brigade, saying that "there are many costs to [universal strong encryption.]"

He and the US deputy attorney general Sally Quillan Yates are scheduled to testify before Senate tomorrow to defend their views, the New York Times reports.

The question now is whether other federal officials will side with people like Comey and Cameron or the group of security experts. 

In the paper's words, creating such back-door access to encrypted communications "will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend."

more...
No comment yet.
Scoop.it!

FBI Alert: $18 Million in Ransomware Losses

FBI Alert: $18 Million in Ransomware Losses | IT Support and Hardware for Clinics | Scoop.it

In the past year, U.S. businesses and consumers have experienced more than $18 million in losses stemming from a single strain of ransomware called CryptoWall, according to the Internet Crime Complaint Center.


In total, IC3 - a collaboration between the FBI and the National White Collar Crime Center - says it received 992 CryptoWall-related complaints from April 2014 to June 2015. And it says the reported losses relate not just to ransom payments potentially made by victims, but additional costs that can include "network mitigation, network countermeasures, loss of productivity, legal fees, IT services and/or the purchase of credit monitoring services for employees or customers."

The quantity of ransomware attacks continues to escalate, security experts say, because it offers criminals the potential for high rewards with little risk (see Crime: Why So Much Is Cyber-Enabled). Indeed, ransomware attacks can be launched en masse by remote attackers and are relatively cheap and easy to perpetrate. Even the process of collecting payments from victims - often payable in bitcoins - and providing decryption keys can be automated.

"In most cases, once the victim pays a ransom fee, he or she regains access to the files that were encrypted," IC3 reports. "Most criminals involved in ransomware schemes demand payment in Bitcoin. Criminals prefer Bitcoin because it's easy to use, fast, publicly available, decentralized and provides a sense of heightened security/anonymity."

Because ransomware can rely so heavily on social engineering - tricking - victims into executing related malware or falling for ransom scams, many security experts have urged businesses to continually educate their employees and customers about ways to spot such attacks and defend themselves.

Click-Fraud Attack Spike


Earlier this month, security firm Symantec warned that it had seen a spike in attacks that began with the year-old Poweliks Trojan, which was designed to perpetrate click fraud, and which also downloaded CryptoWall onto an infected system. Click fraud refers to infecting systems with malware that is used to make "bogus requests" for online advertising, without the malware revealing its presence to the user of the infected system.

Using a single piece of malware - or "dropper" - to infect a system and then download and install many other types of malware onto the same system is not a new attack technique.

For example, authorities have accused the gang behind Gameover Zeus of first using that Trojan to harvest bank credentials, and then infecting systems with Cryptolocker ransomware. The U.S. Department of Justice believes that the Gameover Zeus gang is responsible for more than $100 million in losses via the banking Trojan, and netted $27 million in ransom payments in just the first two months they began using Cryptolocker.

Attacks Get Modular


But attackers have been retooling their malware to make it easier to rapidly infect PCs with multiple types of malware. Security firm Trend Micro warned in 2013 that the aging Asprox botnet, which was first discovered in 2007, had re-emerged "with a new and improved modular framework," and been rebranded as Kuluoz malware, which was a dropper designed to download additional malware onto infected PCs.

By December 2014, the Level 42 threat-intelligence research group at security vendor Palo Alto Networks reported seeing a spike in Asprox-related attack activity. "This malware sends copies of itself over email quickly and to users all around the world and then attempts to download additional malware," it said. The researchers noted that of the 4,000 organizations that it was monitoring, the malware had been tied to "approximately 80 percent of all attack sessions" seen in October and had attempted to infect nearly half of all those organizations.

Also in December, the Association of National Advertisers warned that U.S. businesses were losing about $6.3 billion annually to click fraud. The same month, a study conducted for the ANA by the security firm White Ops found that botnets were responsible for "viewing" 11 percent of all online advertisement, and 23 percent of all online video advertisements.

Asprox Botnet Serves CryptoWall


But click-fraud malware attacks are increasingly blended with other types of malware as attackers attempt to monetize infected PCs as much - and as rapidly - as possible.

In a recent series of attacks, Asprox malware - now typically distributed via phishing attacks - "phoned home" to the Asprox command-and-control server after it infected a PC, and received back the Zemot dropper malware, according to a new report released by the security firm Damballa. The dropper then downloaded the Rovnix rootkit, as well as Rerdom, which is a click-fraud installer.

Damballa says that it has also seen Zemot get installed via crimeware toolkit exploits, which can exploit systems using known vulnerabilities, for example if attackers compromise otherwise legitimate websites and use them to launch drive-by attacks.

Inside enterprises, "click fraud is generally viewed as a low-priority risk," Damballa says. "In reality, click fraud is often a precursor to something more sinister. A device infected with click-fraud [malware] may leave the enterprise susceptible to dangerous downstream infections."

Indeed, Damballa reports that tests of Asprox-infected machines found that over the course of two hours, a single PC was infected with three different types of click-fraud malware, as well as the CryptoWall ransomware. Even after CryptoWall encrypted much of the infected PC's hard drive, furthermore, the click-fraud malware continued to operate, so long as the machine remained Internet-connected.

more...
No comment yet.
Scoop.it!

Hack Attack Grounds Airplanes

Hack Attack Grounds Airplanes | IT Support and Hardware for Clinics | Scoop.it

Polish airline LOT claims that a hack attack disrupted the state-owned airline's ground-control computers, leaving it unable to issue flight plans and forcing it to cancel or delay flights, grounding 1,400 passengers.


The airline said the June 21 cyber-attack against its IT systems at Warsaw Chopin airport lasted about five hours and affected the computers that it uses to issue flight plans. "As a result, we're not able to create flight plans and outbound flights from Warsaw are not able to depart," the company said in a statement.


But the airline emphasized that the attack had "no influence on plane systems" and that no in-progress flights were affected by the incident. It also said that all flights bound for Warsaw were still able to land safely. The IT disruption did, however, result in the airline having to cancel 10 flights - destined for locations inside Poland, to multiple locations in Germany, as well as to Brussels, Copenhagen and Stockholm - and then delay 12 more flights.


An airline spokeswoman didn't immediately respond to a request for more information about the disruption, how LOT judged it to be a hack attack or who might be responsible. No group or individual appears to have taken credit for the disruption.


Airline spokesman Adrian Kubicki says that Polish law enforcement agencies are investigating the hack and warned that other airlines might be at risk from similar types of attacks. "We're using state-of-the-art computer systems, so this could potentially be a threat to others in the industry."

Follows Plane Hacking Report

It's been a busy year for airline-related hacking reports.

In May, information security expert Chris Roberts claimed to have exploited vulnerabilities in airplanes' onboard entertainment systems more than a dozen times in recent years, allowing him to access flight controls. Roberts claimed that his repeated warnings about the problems to manufacturers and aviation officials had resulted in no apparent fixes being put in place.

Question: Hack or IT Error?

Despite the presence of vulnerabilities in avionics systems, however, airline-related IT disruptions are often caused by internal problems, and some security experts are questioning whether that might be the case with the supposed cyber-attack against LOT. "The story doesn't make sense, and most of the actual info so far suggests a 'glitch' caused by an unauthorized user," says the Bangkok-based security expert who calls himself the Grugq, via Twitter.


On June 2, for example, a computer glitch grounded almost 150 United Airlines flights in the United States, representing about 8 percent of the company's planned morning flights. The airline blamed the problem on "dispatching information," and some fliers - such as software firm Cloudstitch CTO Ted Benson - reported via Twitter that pilots told passengers that the ground computers appeared to be spitting out fake flight plans.


As a result of the glitch, the Federal Aviation Administration reportedly grounded all United flights for 40 minutes, until related problems were corrected.

United Airlines Bug Bounty

That glitch followed United Airlines in May launching a bug bounty program - not for the software that runs its airplanes, in-flight entertainment systems, or ground-control computers, but rather its website. "If you think you have discovered a potential security bug that affects our websites, apps and/or online portals, please let us know. If the submission meets our requirements, we'll gladly reward you for your time and effort," United says on the bug bounty page.


Rather than offering cash rewards like many other bug-bounty programs, however, United is instead offering frequent-flier "award" miles - for example 50,000 miles for cross-site scripting attacks, 250,000 for authentication bypass attacks, and 1,000,000 for a remote-code execution attack.

more...
No comment yet.
Scoop.it!

Microsoft just made a huge privacy move to make Bing more competitive with Google and Yahoo

Microsoft just made a huge privacy move to make Bing more competitive with Google and Yahoo | IT Support and Hardware for Clinics | Scoop.it

Microsoft’s search engine Bing has announced that it will encrypt all of its search traffic by default this summer. Bing had already offered optional encryption, but soon it will be a default for everyone.

This levels up Bing to match the security standards of the other big search giants like Google and Yahoo, and the added encryption also makes Bing a worthy search engine competitor. Google first made all search encrypted by default in 2013. Yahoo did so in 2014. 


Like Google, however, Bing will still report referrer data to marketers, although Bing will not let the marketers know what the search term was. This means that if a Bing user clicks on an ad after searching for something, the advertiser will know that Bing is what brought that customer to the website but they will not know what the precise term was that was typed into the search bar. 


While this encryption move may seem like a tiny piece of news, it indicates a new shift toward better privacy standards. With Microsoft joining the ranks of Google and Yahoo in terms of security standards, this marks the first time the top three search engines provide privacy by default, making it much more difficult for external snoopers to know what people are searching for.


It also makes it possible for Bing to further gain a search engine edge. Though Google still is king, Microsoft has been working to give itself an edge on mobile — Siri uses Bing search by default, for example.

But the main question for Microsoft is still whether its move towards an encrypted Bing search engine will be noticed by the average user, and whether it will convince any Google or Yahoo fans to make the switch.

more...
No comment yet.
Scoop.it!

President Obama calls for stronger American cybersecurity

President Obama calls for stronger American cybersecurity | IT Support and Hardware for Clinics | Scoop.it

Citing a series of embarrassinghigh profile incursions against US computer networks in recent months, President Obama called for "much more aggressive" efforts to shore up the government's vulnerable cyber-infrastructure. "This problem is not going to go away," the President told reporters at a G7 press conference in Germany. "It is going to accelerate. And that means that we have to be as nimble, as aggressive and as well-resourced as those who are trying to break into these systems." As such, he urged Congress to pass its pending cybersecurity legislation, such as the Cybersecurity Information Sharing Act of 2015.

more...
No comment yet.
Scoop.it!

Over 4 billion people still have no Internet connection

Over 4 billion people still have no Internet connection | IT Support and Hardware for Clinics | Scoop.it

The number of people using the Internet is growing at a steady rate, but 4.2 billion out of 7.4 billion will still be offline by the end of the year.

Overall, 35.3 percent of people in developing countries will use the Internet, compared to 82.2 percent in developed countries, according to data from the ITU (International Telecommunication Union). People who live in the so-called least developed countries will the worst off by far: In those nations only 9.5 percent will be connected by the end of December.


This digital divide has resulted in projects such as the Facebook-led Internet.org. Earlier this month, Facebook sought to address some of the criticism directed at the project, including charges that it is a so-called walled garden, putting a limit on the types of services that are available.


Mobile broadband is seen as the way to get a larger part of the world’s population connected. There are several reasons for this. It’s much easier to cover rural areas with mobile networks than it is with fixed broadband. Smartphones are also becoming more affordable.

But there are still barriers for getting more people online, especially in rural areas in poor countries.


The cost of maintaining and powering cell towers in remote, off-grid locations, combined with lower revenue expected from thinly spread, low income populations, are key hurdles, according to the GSM Association. Other barriers include taxes, illiteracy and a lack of content in local languages, according to the organization.


At the end of 2015, 29 percent of people living in rural areas around the world will be covered by 3G. Sixty-nine percent of the global population will be covered by a 3G network. That’s up from 45 percent four years ago.


The three countries with the fastest broadband speeds in the world are South Korea, France and Ireland, and at the bottom of the list are Senegal, Pakistan and Zambia, according to the ITU.

more...
No comment yet.
Scoop.it!

A Security Flaw Leaves Millions of Verizon Customers Vulnerable

A Security Flaw Leaves Millions of Verizon Customers Vulnerable | IT Support and Hardware for Clinics | Scoop.it

Verizon may be snatching up media companies left and right, but it might want to spend some funds on upping its security game. Joseph Bernstein at Buzzfeed News reports that a Verizon security flaw potentially left 9 millions customers vulnerable to an attack by spoofed IP addresses. The scary nature of this particular security flaw is that it doesn’t even require any real hacking knowledge. All you need is a Firefox plug-in and a specific recipe and anyone could get sensitive information like credit card data and social security numbers.

According to Verizon, the flaw has been fixed and was originally entered into the system via a coding error on April 22. But if you happen to be a Verizon customer, it may be worth making sure your bank accounts aren’t showing any suspicious behavior.


more...
No comment yet.
Scoop.it!

Why It's Tough to Pass Data Breach Bill

Why It's Tough to Pass Data Breach Bill | IT Support and Hardware for Clinics | Scoop.it

Backers of a national data breach notification law say it would greatly simplify compliance for businesses, which now must comply with laws in 51 different jurisdictions - 47 states, three territories and Washington, D.C.


But does that simplification come at too high a cost? Some federal lawmakers thinks so. They say passing a national data breach notification law would weaken data security protections found in certain states' statutes, thus doing more harm than good.

And those concerns are a major reason why building a consensus that paves the way for enacting a national breach notification law will prove difficult, if not impossible.

'Confusing for Businesses'

Last January, President Obama noted when he proposed his version of national data breach notification: "Right now, nearly every state has a different law on this, and it's confusing for consumers and it's confusing for companies, and it's costly, too, to have to comply to this patchwork.


Almost every bill introduced in Congress over the past decade to create a national data breach notification standard would pre-empt state statutes. But that comes at a price. Several states, most notably Massachusetts, prescribe specific steps businesses must take to safeguard personally identifiable information. Most national data breach notification proposals don't require safeguards beyond saying businesses should take "reasonable" steps to secure PII.


Some industry experts - such as Larry Clinton, president of the trade group Internet Security Alliance - say they have seen no evidence that consumers' PII is more secure in those states that have more stringent security requirements. "To the notion that states can enact strong laws is, from a consumer perspective, a red herring," he says.

Middle Ground?

But some senators strongly disagree with Clinton's point of view.

"There are a number of like-minded senators who are paying attention to this issue and trying to push for a federal law ... that keeps state laws untouched as a middle-ground approach," says Chris Pierson, general counsel and chief security officer at payments provider Viewpost. "While this is more palatable for Congress, it does little to stem the growing diversity of state laws and the burden of conflicting state requirements."


One of those senators seeking a middle-ground approach is Richard Blumenthal, D-Conn., who, along with five other Democratic senators, has introduced legislation creating a national data breach notification law with a proviso: It won't pre-empt more stringent state laws.


"We must ensure consumers have strong protections on the federal level, but in so doing, we must make sure Congress doesn't weaken state protections that consumers rely on to keep their information safe," Blumenthal says. "Importantly, this measure strikes the right balance between state rights and strong federal enforcement and extends consumer privacy protections into a new digital era."

A right balance? Sasha Romanosky, an associate policy researcher at the think tank Rand Corp., characterizes the Democratic senators' bill as a "workaround" that sets a "national floor for breach compliance." But Romanosky is concerned that "then you'd just have the same issue as there is now: 47 potentially distinct state laws."


The Democrats' bill - like the Massachusetts statute - contains a list of security requirements with which businesses would have to comply. That makes the bill unpassable. Nearly every GOP lawmaker opposes any measure that that would place additional requirements on businesses.

60-Vote Threshold

Consumer advocacy groups generally oppose national data breach notification legislation that would weaken states' security standards. And those groups might have the clout to get enough Democratic senators to oppose any measure that would pre-empt state laws.

Sixty votes generally are needed for a bill to be considered by the Senate; the upper chamber has 44 Democrats and two independents who caucus with them. So getting 41 senators to block a vote on a data breach notification bill is possible.


Whether stricter state laws actually provide consumers with better security protections is debatable, but the perception among a number of lawmakers - mostly Democrats - is that they do. If at least 41 senators agree with that notion, then Congress will not enact a national breach notification law.


more...
No comment yet.
Scoop.it!

House OKs 2nd Cyberthreat Info-Sharing Bill

House OKs 2nd Cyberthreat Info-Sharing Bill | IT Support and Hardware for Clinics | Scoop.it

A second cyberthreat information sharing bill passed the House of Representatives on April 23. That measure, the National Cybersecurity Protection Advancement Act, now will be combined with the House Intelligence Committee's Protecting Cyber Networks Act, which passed on April 22, before it's sent to the Senate.

The National Cybersecurity Protection Act, which was approved by a 355-63 vote, provides businesses with liability protections if they share cyberthreat information with the federal government and other businesses. The bill designates the National Cybersecurity and Communications Integration Center as the portal for government and business to share data.

"Ultimately, this legislation will arm those who protect our networks with valuable cyber-threat indicators that they can use to fortify defenses against future attacks," said one of the bill's sponsors, Rep. John Ratcliffe, chairman of a House Homeland Security Committee subcommittee, which has cybersecurity oversight.

Supporters of cyberthreat information sharing legislation, including President Obama, say such a measure is needed because many businesses will not share information with the government unless they're protected from civil and criminal lawsuits resulting from the sharing of data. Both bills, and one approved by the Senate Intelligence Committee, would provide those liability safeguards.

The House-passed bills' supporters contend their measures protect citizens' privacy and liberties by requiring businesses to strip personally identifiable information from information to be shared. Language added to the National Cybersecurity Protection Advancement Act specifically says the shared data is to be used for cyberdefense only and cannot be used for intelligence or law enforcement purposes. Still, consumer advocacy groups contend the bill does not go far enough to prevent sharing of data for purposes other than cyberdefense.

The White House, in Statements of Administration Policies, has given both House-passed bills a lukewarm endorsement, but it made suggestions on changes it seeks, especially the narrowing of the liability protections the measures offer.

In the Senate, Majority Leader Mike McConnell said its version of cyberthreat information sharing legislation should come up for a vote shortly, but did not provide a specific date. If the Senate passes its own cyberthreat information sharing legislation, conferees from both chambers, weighing recommendations from the White House, will draft new language in hopes of winning the support of a majority of House and Senate lawmakers as well as the president.


more...
No comment yet.
Scoop.it!

How to avoid getting hacked due to vulnerable WordPress plugins

How to avoid getting hacked due to vulnerable WordPress plugins | IT Support and Hardware for Clinics | Scoop.it

I’m a huge WordPress fan because it’s a very powerful, effective, and amazingly extensible platform which is why it’s used by 60.4% of [websites with identifiable content management systems which amounts to] 23.7% of all websites. But there’s a risk with any platform that’s extensible trough the use of third party software (called “plugins” in WordPress): That risk is from software vulnerabilities.


Part of the reason for these vulnerabilities is that WordPress is fairly complex so interactions with plugins can produce unwanted and occasionally dangerous security issues. The other major reason is that the coding practices of third parties can be inadequate so dumb vulnerabilities such as buffer overflows and SQL injections can be part and parcel of some “must have” feature added by a plugin. For a summary of current Wordpress vulnerabilities check out the WPScan Vulnerability Database, a “black box WordPress vulnerability scanner.”

If you’re running a WordPress site and given the number of potentially show-stopping problems that exist, get fixed, and are replaced with new problems that are just as bad then you need to be on top of what plugins you’re using and what problems they might have. Rather than scanning through loads of vulnerability notices and checking each plugin’s Web site for news there’s not only WPScan, there’s also a free plugin that check the plugins you use for known issues. It’s called Plugin Vulnerabilities and published by WhiteFirDesign.


The publishers also offer another free plugin, Automatic Plugin Updates that, as its name implies, will update your plugins automatically as new versions become available (you can also set up an “ignore” list to exclude specific plugins from automatic updates).

When you activate Plugin Vulnerabilities, all of your other plugins are examined and checked against WhiteFirDesign’s database of vulnerabilities. They’re also rechecked whenever a plugin in manually updated or an update executed by the Automatic Plugin Updates or by any other method.


WhiteFirDesign’s vulnerability stats were, as of April 6:

  • 257 vulnerabilities included
  • 61 included vulnerabilities are in the most recent version of plugins (57 of these plugins have been removed from the Plugin Directory)
  • 24 vulnerabilities have been fixed in part due to our work on this plugin
  • 5 included vulnerabilities in security plugins
  • Top vulnerability types:
    • cross-site request forgery (CSRF)/cross-site scripting (XSS): 52 vulnerabilities
    • reflected cross-site scripting (XSS): 45 vulnerabilities
    • arbitrary file upload: 45 vulnerabilities
    • arbitrary file viewing: 23 vulnerabilities
    • SQL injection: 16 vulnerabilities



This plugin is, in short, something you shouldn’t do without if you’re running WordPress. It could make the difference between smooth, uninterrupted operations and spending lots of time rebuilding your WordPress site after being hacked.

The Plugin Vulnerabilities and Automatic Plugin Updates plugins both get a Gearhead rating of 5 out of 5.


more...
No comment yet.
Scoop.it!

How DNS is Exploited

How DNS is Exploited | IT Support and Hardware for Clinics | Scoop.it

The Internet is a global engine of commerce today, but it was never designed with such grandiose applications in mind. In the underlying architecture of the Internet, hostility was never a design criterion, and this has been extensively exploited by criminals, who capitalize on the Domain Name System infrastructure - the map of the Internet - which is indispensable for the Internet as we know it to function.

"Right now the Internet is being used to transfer hundreds of billions of dollars per year from the productive part of the world's economy toward the unproductive part because it is such a gaping hole," says Internet pioneer and DNS thought leader Dr. Paul Vixie, CEO of Farsight Security, a provider of real-time passive DNS solutions that provide contextual intelligence to threat and reputation feeds.

The Internet was built without any thought of authentication, admission control or security, and so almost any application or website can be abused by a creative criminal, he says. But the DNS is proving essential to both the good guys and the bad guys - almost a unifying field theory.

"Everything you need to do on the Internet requires DNS - regardless of intent," says Vixie, who is also the principal author of version 8 of BIND, the most widely used DNS software on the Internet. "I think this makes DNS an interesting place to look for criminals and signs that criminals must leave," he says.

In part one of an exclusive two-part interview with Information Security Media Group (transcript below), Vixie talks about DNS and the impact it has on the Internet's security landscape. He shares insights on:

Part two of this interview will feature Vixie's views on the evolution of the Internet as an ecosystem that has evolved to make crime easier.

Vixie, CEO of Farsight Security, previously served as president, chairman and founder of the Internet Systems Consortium. He has served on the ARIN board of trustees since 2005, where he served as chairman in 2008 and 2009, and is a founding member of the ICANN Root Server System Advisory Committee and the ICANN Security and Stability Advisory Committee. He has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He wrote Cron (for BSD and Linux), and is considered the primary author and technical architect of BIND 4.9 and BIND 8. He has authored or co-authored about a dozen Request for Comments, a publication of the principal technical development and standards-setting body for the Internet, the Internet Engineering Task Force - mostly on DNS and related topics. He was named to the Internet Hall of Fame in 2014.

Varun Haran: How are criminals exploiting DNS infrastructure to perpetrate crime today?

Dr. Paul Vixie: One main area where DNS is facilitating crime is denial-of-service attacks, where the purpose may be economic or ideological to prevent the victim from being able to use the Internet. This is achieved by filling their Internet connection with unsolicited traffic so that they cannot use their connection for good traffic.

Now, unfortunately, the Internet was designed by scientists and engineers to work in a completely friendly environment. Hostility was never one of the design criteria for the Internet. What that means is it is trivial to send packets forging someone else's address as the source. Which means that if you direct the packets forged with a victim's address towards a powerful server, a lot of response traffic will go to your victim. And because the victim did not solicit it, they cannot turn it off. This is a very popular attack, and anytime that you hear that Google or Spamhaus has been hit with a 400 Gbit/s DDoS attack, it is the exact same method being employed - IP source forgery.

This is not only something the Internet was designed without, it is something that the current Internet economy is resisting fixing, because in order to fix this problem, an ISP has to turn on some new features in their Internet routing equipment. Those features need to be tested, there needs to be documentation, there has to be monitoring, so there is a small cost - there may even be a performance cost in the routing equipment if you turn on this feature.

The cost is trivial, but not zero. The benefit that the operator will see, in exchange for that investment will be measurably zero, because what they are doing is protecting the rest of the Internet against their customers. So if an ISP does this, it is only for the greater good and it is very difficult to get an ISP - who has investors, shareholders, board of directors, management chain etc. - to act for the greater good at their own expense. It simply does not make good business sense to fix this problem.
Internet Vulnerabilities

Haran: The Internet wasn't designed for all the purposes it's being put to today. What are some of the security issues that the current nature of the Internet, in terms of infrastructure and architecture, gives rise to?

Vixie: I gave you one example, which is the lack of source address validation. But there are other admission control problems also. For example, there are control packets that you can transmit that can potentially interrupt other people's conversations. Various TCP and ICMP packets can be transmitted toward parts of the network that will respond by denying other people the ability to communicate for a few seconds.

This comes from when the Internet was just a collection of universities and government contractors. Everybody on the Internet for the first 10 years had a contract with the U.S. government. None of them had any incentive to transmit damaging traffic. The nature of the Internet took that into account. It was a very fragile network, which was intended only for mature computer science professionals to interact.

So, if we turn our attention now to spam, the email system has no admission control. Anyone can send an email to anyone. That was, in fact, an important design criteria to avoid central clearinghouses and make email an end-to-end activity. But what that means is that spammers are also endpoints and have the same right to transmit email to anyone. There is no differentiation, there is no privilege required.

Add to that the fact that, just like IP packets can have their sources forged, even email sources can be forged. And unless you are a technology expert or have a high-end email firewall appliance, you won't be able to tell the difference. This works at scale. Right now, the Internet is being used to transfer hundreds of billions of dollars per year from the productive part of the world's economy toward the unproductive part because it is such a gaping hole. The Internet is the backbone of global commerce today, and yet it was built without any thought of authentication, admission control or security, and so almost any application or website can be abused by a creative criminal.
The Internet's Map

Haran: You have said that DNS is like a unified field theory between the good guys and the bad guys. Can you elaborate? How indispensable is DNS to the structure of the Internet?

Vixie: If the Internet were a territory, the DNS would be its map. We who have grown up in a world that is completely mapped, completely discovered, find it impossible to conceptualize the idea of a territory without a map. Without DNS, the Internet would be a trackless wild, where things would exist but you wouldn't know how to get there or the cost of admission. So I mean it when I say that all Internet communication begins with a DNS transaction - at least in order for the initiator to discover the responder and to find out where to send the packets that will represent their conversation.

But there may be other things as well, such as looking up a key, so that they can build a secure conversation by sharing key-in information or for looking up directory servers for authentication and authorization. Pretty much everything you need to do on the Internet is going to be a TCP/IP session. And every TCP/IP session is going to begin with one or more DNS transactions. This is true regardless of your intent. You intent might be to create wealth, to innovate, to make the world a better place, or it could be that your intent is criminal and you want to lie, cheat, take, force, defraud and you have purposes which would be seen as evil in the eyes of your fellow man. Your intent does not matter - you are not going to be able to do anything on the Internet without DNS. And it is that that I think makes DNS such an interesting place to look for criminals and signs that criminals must leave.
DNS Response Rate Limiting

Haran: You are a strong advocate of DNS Response Rate Limiting, which is something that you have worked on yourself. What can you tell me about DNS RRL?

Vixie: In DNS, there are many different kinds of DNS agents. Some only ask questions and receive answers and some only provide answers. It is that second type that concerns rate limiting, because a server in the DNS - the so-called authority server, which is where DNS content comes from - must be very powerfully built, having a lot of capability. Otherwise, if someone sends you a DDoS, they will make your content unreachable because your network pipe would be full of attack traffic.

It is common to buy an extra-large connection to your authority servers and to buy not just one authority server, but maybe a dozen and put them behind load balancers, with redundant power and so forth, because you want to make sure that no matter what happens, you can address queries and your content is reachable.

The difficulty that this presents to the rest of us is that in DNS, a response is larger than a request and that means that you are a potential amplifier. And if you are hearing a question that was forged - the IP address used by the attacker is forged to become the IP address of their intended victim - then you as a very powerful content server would be willing to help that attacker DDoS that victim simply because you are a powerful content server, and you have to be powerful for reasons of your own.

So when we designed response rate limiting, it was to allow those servers to differentiate between attack flows and non-attack flows so that they would be not as usable as an amplifier of third-party attacks. The tricky part is that you have to be very careful not to drop legitimate queries. So there is a little bit of mathematical trickery involved in the DNS RRL system that helps to make sure that you can stop most DDoS attacks without causing collateral damage.

more...
No comment yet.