IT Support and Hardware for Clinics
32.0K views | +2 today
Follow
IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice
Your new post is loading...
Your new post is loading...
Scoop.it!

Windows 10 Ransomware Scam Represents Growing Trend in Malware

Windows 10 Ransomware Scam Represents Growing Trend in Malware | IT Support and Hardware for Clinics | Scoop.it

I don’t usually jump on the new software or device bandwagon immediately. I tend to wait until something has been on the market for a little while and let other people work the bugs out first. However, the release of Windows 10 intrigues me. I had the chance to talk to some people at RSA about it, and I’m not sure the last time I heard so much enthusiasm for a new Microsoft product.


The release came at the end of July, with the upgrade made available for free. Who doesn’t like free, right?

Consumers aren’t the only ones who appreciate a free upgrade, though. Scammers and bad guys are taking advantage of the Windows 10 launch, too, using phishing emails to spoof the arrival of the OS. As PC World explained, the scam does a very good job mimicking a legitimate Microsoft announcement regarding Windows 10. The difference, though, was this:


An attached .zip file purports to be a Windows 10 installer … the attachment contains a piece of ransomware called CTB-Locker that encrypts your files and requests payment within 96 hours, lets your files be encrypted forever.


I can’t imagine that anyone would be surprised that the bad guys would try to take advantage of the OS release. However, according to Cisco’s midyear report, using ransomware is part of a growing trend with hackers using social and breaking news events to deliver ransomware. According to the report, ransomware has really stepped up its game, with improved professional development to encourage innovation and to ensure that the malware brings in financial gains.

The Cisco blog explained more about how it works:


The ransoms demanded are usually affordable, generally a few hundred dollars depending on the bitcoin exchange rate. Criminals appear to have done their market research to determine the right price points for the best results: Fees are not so high that victims will refuse to pay or will tip of law enforcement. Ransomware authors keep their risk of detection low by using channels such as Tor and the Invisible Internet Project to communicate, and they use bitcoin so that financial transactions are difficult for law enforcement to trace.


Will we see more problems with ransomware going forward? I suspect the answer is “Yes,” especially as the developers get smarter about manipulating the ransom for their own gain. (Remember, as successful as Cryptolocker was at locking down a computer’s data, too many weren’t able to pay the ransom with Bitcoin, and, in turn, the developers weren’t able to make the money they planned to make.) We know that the spammers are very good at faking us out with phishing attacks. So enjoy your new Windows 10 upgrade. Just download with a lot of caution.

more...
No comment yet.
Scoop.it!

A government key to unlock your encrypted messages has major problems and security experts are up in arms

A government key to unlock your encrypted messages has major problems and security experts are up in arms | IT Support and Hardware for Clinics | Scoop.it

Top computer scientists and security experts are warning that government proposals to gain special access to encrypted communications could result in significant dangers. 

A consortium of world-renowned security experts has penned a report detailing the harm that regulating encryption would cause, writes the New York Times


Hard encryption — which global authorities are now trying to combat — is a way to mathematically cipher digital communications and is widely considered the most secure way to communicate online to avoid external snooping. 


This follows news last week that British Prime Minister David Cameron made a proposal to ban encryption as a way to "ensure that terrorists do not have a safe space in which to communicate."  


Since then, experts have begun weighing in about the effect of such drastic measures. This includes well-known cryptographer Bruce Schneier, who told Business Insider that such a strong encryption ban would "destroy the internet."

The new report, which was released today, takes a similarly hard stance. "The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws," it writes. Not only that, but federal authorities have yet to explain exactly how they planned to gain "exceptional access" to private communications.


The report concludes, "The costs would be substantial, the damage to innovation severe, and the consequences to economic growth difficult to predict." In short, the experts believe that trying to put limitations on encrypted communications would create myriad problems for everyone involved. 


This sort of fissure between security experts and federal authorities isn’t new. In fact, a similar proposal was made by the Clinton Administration in 1997 that also took aim at hard cryptography. Back then, a group of experts — many of whom are authors on this new report — also wrote critically about the anti-encryption efforts.

In the end, the security experts prevailed. 


Now, it’s not so certain. FBI director James Comey has joined the ant-encryption brigade, saying that "there are many costs to [universal strong encryption.]"

He and the US deputy attorney general Sally Quillan Yates are scheduled to testify before Senate tomorrow to defend their views, the New York Times reports.

The question now is whether other federal officials will side with people like Comey and Cameron or the group of security experts. 

In the paper's words, creating such back-door access to encrypted communications "will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend."

more...
No comment yet.
Scoop.it!

Microsoft just made a huge privacy move to make Bing more competitive with Google and Yahoo

Microsoft just made a huge privacy move to make Bing more competitive with Google and Yahoo | IT Support and Hardware for Clinics | Scoop.it

Microsoft’s search engine Bing has announced that it will encrypt all of its search traffic by default this summer. Bing had already offered optional encryption, but soon it will be a default for everyone.

This levels up Bing to match the security standards of the other big search giants like Google and Yahoo, and the added encryption also makes Bing a worthy search engine competitor. Google first made all search encrypted by default in 2013. Yahoo did so in 2014. 


Like Google, however, Bing will still report referrer data to marketers, although Bing will not let the marketers know what the search term was. This means that if a Bing user clicks on an ad after searching for something, the advertiser will know that Bing is what brought that customer to the website but they will not know what the precise term was that was typed into the search bar. 


While this encryption move may seem like a tiny piece of news, it indicates a new shift toward better privacy standards. With Microsoft joining the ranks of Google and Yahoo in terms of security standards, this marks the first time the top three search engines provide privacy by default, making it much more difficult for external snoopers to know what people are searching for.


It also makes it possible for Bing to further gain a search engine edge. Though Google still is king, Microsoft has been working to give itself an edge on mobile — Siri uses Bing search by default, for example.

But the main question for Microsoft is still whether its move towards an encrypted Bing search engine will be noticed by the average user, and whether it will convince any Google or Yahoo fans to make the switch.

more...
No comment yet.
Scoop.it!

New Rombertik malware destroys master boot record if analysis function detected

New Rombertik malware destroys master boot record if analysis function detected | IT Support and Hardware for Clinics | Scoop.it

While detection scanning malware is nothing new, Cisco researchers have identified a new malwaresample that takes its detection evasion features one step further than the average malware.


Instead of simply self-destructing when analysis tools are detected, Rombertik attempts to destroy the device's master boot record (MBR), researchers wrote in a blog post


This malware spreads through spam and phishing messages sent to possible victims.


In one example, attackers attempted to convince a user to download an attached document in an email. If downloaded and unzipped, a file that looks like a document thumbnail comes up. Although it mimics a PDF icon, it is actually a .SCR screensaver executable file containing the malware.


At this point Rombertik will first run anti-analysis checks to determine whether it is running within a sandbox. If it isn't, it will then decrypt and install itself, which then allows it to launch a second copy of itself and to overwrite the second copy with the malware's core functionality. Then, again, it will check to make sure it isn't being analyzed in memory. If it is, the attack takes an even more malicious turn with the malware attempting to destroy the Master Boot Record and restart the computer to make it inoperable.


To make actual analysis even more difficult, in the unpacked Rombertik sample used by Cisco more than 97 percent of the packed file dedicated to useless files, including 75 images and more than 8,000 functions that are never used.


Plus, instead of evading sandbox detection by sleeping for a certain amount of time and forcing the sandbox to time out, Rombertik writes a byte of random data to memory more than 900 million times. If an analysis tool attempted to document all these write instructions, the log would be more than 100 gigabytes.


All this occurs before the malware actually gets down to its true purpose of capturing a victim's plain-text data sent over a browser. Rombertik injects itself into the user's preferred browser's process and hooks API functions that handle plain text data. The attackers can then see usernames and passwords from almost any website a user visits.

“This is the perfect example where layered defense makes a lot of sense,” said Craig Williams, technical leader, Cisco Talos, in an interview with SCMagazine.com.


Although the malware may beat one detection system it's unlikely to detect or avoid them all, he said, making layered defense an important method to mitigate the risk. However, he noted, it's possible more exploit kits will begin adopting Rombertik's evasion tactics, making defense even more difficult.


Via Danen Raas, Paulo Félix
more...
No comment yet.
Scoop.it!

Ransomware: The Right Response

Ransomware: The Right Response | IT Support and Hardware for Clinics | Scoop.it

So-called ransomware attacks are on the rise, namely because targeted businesses are increasingly willing to negotiate with - and even pay - their extortionists.


Ransomware has been getting a lot of media attention of late. On April 1, security firm Trend Micro reported that since the beginning of the year, numerous variants of crypto-ransomware have been discovered in the wild, striking consumers and businesses throughout the world.

 Criminals rarely hold up their end of the bargain, so negotiating with anyone who is demanding a ransom is just a bad idea. 


Just weeks earlier, security firms FireEye and Bitdefender issued warnings about new ransomware trends that were making these attacks more difficult to thwart and detect.


Now experts are calling attention to one of the reasons why ransomware attacks are becoming more common - because organizations say they'd rather not deal with the fallout that trails a breach or cyber-attack that goes public. Instead of getting law enforcement involved, they'd rather try their hands at making deals with their attackers first.


But paying ransom is short-sighted and is never a good idea. Why? Because cybercriminals rarely keep their end of the bargain. Organizations that negotiate with hackers often end up with lost data after paying a hefty ransom.


Lance James, who heads up cyber-intelligence at consultancy Deloitte & Touche, says most businesses that pay ransoms never have their data restored or their encrypted files decrypted.


During his presentation at Information Security Media Group's Fraud Summit in Atlanta, James discussed ransomware cases he has investigated. He noted that in most of those cases, businesses paid the ransom and then the attackers disappeared, never fulfilling their end of the negotiating bargain.


Of course, organizations should prepare for these types of attacks by taking steps now to ensure they have data and drive backups, and that they have strong multifactor authentication requirements for access to servers, in the event an employee's credentials are hijacked during one of these attacks.


But businesses also need to spend more time educating their staff about how ransomware attacks work, why these attacks are waged, and why reporting these attacks to law enforcement, rather than trying to handle them internally, is so critical.

The Attack Strategy

Ransomware attacks are waged in two parts. First, a PC or mobile device is infected with malware that locks the corporate user out or encrypts files so that the user can longer access them. Then a ransom is demanded through an automated message that appears on the device's screen. The user is told he or she has a limited amount of time to pay the ransom before the device will be wiped clean or the files will be erased.


The tools for these attacks are easy to buy and technical support for waging the attacks is inexpensive.


Law enforcement agencies, such as the Federal Bureau of Investigation, have advised consumers and businesses to immediately report ransomware schemes when they occur.


But security researchers say that, despite of those warnings, many businesses are opting to either pay the ransom or are engaging in direct negotiations with their attackers instead of getting the authorities involved.

Willingness to Negotiate

A new study from cyber-intelligence firm ThreatTrack Security finds that 40 percent of security professionals believe their organizations have been targeted by a ransomware attack. Of those that believe they've been targeted, 55 percent say that when under attack, they are willing to negotiate a ransom in exchange for the release of corporate data or files.


ThreatTrack's research also finds that one in three security pros would recommend to upper management that their companies negotiate a ransom to see if they could avoid public disclosure of a breach involving stolen data or files that have been encrypted as part of the attack.


In fact, 66 percent of those surveyed by ThreatTrack say they fear negative reactions from customers and/or employees whose data was compromised in a breach if those customers or employees were to learn that their organizations chose not to negotiate with cybercriminals for the return of data.


ThreatTrack's survey includes responses from 250 U.S. security professionals at companies with 500 to 2,500 employees.

Beware of a Quick Fix

When it comes to ransomware attacks waged against corporations, many victimized organizations see paying the criminals what they want as the easiest way to make the problem go away.


But criminals rarely hold up their end of the bargain, so negotiating with anyone who is demanding a ransom is just a bad idea.

Obviously, more education, from the CEO down to the employee, is needed. But we also need a shift in the corporate culture, with an emphasis on looking beyond a "quick fix" for avoiding breach publicity.

Information sharing with peers can play a critical role as well. The more we talk about these attacks and share the techniques used, the more we can learn about how to defend our networks and shield our employees from falling victim to the phishing schemes that are often used to infect systems in the first place.


Security vendors need to step up their efforts here, too. Rather than just supplying intrusion detection, they also need to provide some good-old-fashioned education.

more...
Ivan Garcia-Hidalgo's curator insight, April 8, 2015 1:33 PM

Ransomware: The Right Response #InfoSec #cybersecurity

Scoop.it!

OpenDNS trials system that quickly detects computer crime

OpenDNS trials system that quickly detects computer crime | IT Support and Hardware for Clinics | Scoop.it

A security system undergoing testing by a San-Francisco-based company aims to speed up the detection of websites and domains used for cybercrime.

The technology is being developed by OpenDNS, which specializes in performing DNS (Domain Name System) lookups. The DNS translates domain names such as idg.com into an IP address that can be called into a browser

OpenDNS offers a secure DNS service for ISPs and organizations that blocks requests from Web browsers to sites that may be associated with cybercrime or spoof a company such as PayPal.

The company, which was founded in 2005, has grown so much that its systems respond to some 71 billion DNS requests per day. That’s just 2 percent of global DNS traffic but is enough of a sample to pick up on many cybercrime campaigns.

The new system, called Natural Language Processing rank (NLPRank) looks at a range of metrics around a particular domain name or website to figure out if it’s suspicious.

It scores a domain name to figure out if it’s likely fraudulent by comparing it to a corpus of suspicious names or phrases. For example, g00gle.com—with zeros substituting for the letter “o”—would raise a red flag.

Many cybercriminal groups have surprisingly predictable patterns when registering domains names for their campaigns, a type of malicious vernacular that OpenDNS is indexing. Bogus domain names use company names, or phrases like “Java update,” “billinginfo” or “security-info” to try to appear legitimate.

But there’s a chance that NLPRank could trigger a false positive, flagging a variation of a domain that is legitimate, said Andrew Hay, director of security research at OpenDNS.

To prevent false positives, the system also checks to see if a particular domain is running on the same network, known as its ASN (autonomous system number), that the company or organization usually uses. NLPRank also looks at the HTML composition of a new domain. If it differs from that of the real organization, it can be a sign of fraud.

NLPRank is still being refined to make sure the false positive rate is as low as possible. But there have been encouraging signs that the system has already spotted malware campaigns seen by other security companies, Hay said.

Earlier this month, Kaspersky Lab released a report on a gang that stole upwards of US$1 billion from banks in 25 countries. The group infiltrated banks by gaining the login credentials to key systems through emails containing malicious code, which were opened by employees.

Hay said Kaspersky approached OpenDNS before the report was published to see if it had information on domains associated with the attacks. NLPRank was already blocking some of the suspicious domains, even though OpenDNS didn’t know more details about the attacks.

“We caught these things well back,” Hay said.

In some cases, NLPRank could allow a domain to be blocked even before one is actively used. After cybercriminals register a domain, they’ll often visit it once to make sure it’s accessible. It may then go dormant for a few days before it is incorporated in a campaign, Hay said.

If a fraudster is connected to an ISP that uses OpenDNS’s service, just a single DNS query for that new domain would allow OpenDNS to analyze and potentially block it before it is used for crime.

“As soon as we see that little bump on the wire, we can block it and monitor to see what’s going on,” Hay said. “It’s almost an early warning system for fraudulent activity.”



more...
No comment yet.
Scoop.it!

Visual hacking exposed

Visual hacking exposed | IT Support and Hardware for Clinics | Scoop.it

While most security professionals focus on thwarting data breaches from cyber attacks, a new study exposes visual hacking, a low-tech method used to capture sensitive, confidential and private information for unauthorized use, as an under-addressed corporate risk.


A visual hacking experiment conducted by the Ponemon Institute on behalf of the Visual Privacy Advisory Council and 3M Company, found that in nearly nine out of ten attempts (88 percent), a white hat hacker was able to visually hack sensitive company information, such as employee access and login credentials, that could potentially put a company at risk for a much larger data breach.

During the study, a computer security expert specializing in penetration testing, entered the offices of eight U.S.-based companies under the guise of a temporary or part-time worker. He attempted to visually retrieve sensitive or confidential information using three methods: walking through the office scouting for information in full-view on desks, screens and other indiscrete locations, taking a stack of business documents labeled as confidential and finally, using his smartphone to take a picture of confidential information displayed on a computer screen. All three of these tasks were completed in full-view of other office workers.

The study revealed the following:

Visual hacking happens quickly: Companies can be visually hacked in a matter of minutes, with 45 percent occurring in less than 15 minutes and 63 percent of visual hacks occurring in less than a half hour.

Visual hacking generally goes unnoticed: In 70 percent of incidences, a visual hacker was not stopped by employees – even when using a cell phone to take a picture of data displayed on a screen. In situations when a visual hacker was stopped by an employee, the hacker was still able to obtain an average of 2.8 pieces of company information (compared to 4.3 when not stopped).

Multiple pieces of sensitive information were able to be visually hacked. During the study, an average of five pieces of information were visually hacked per trial, including employee contact lists (63 percent), customer information (42 percent) and corporate financials (37 percent), employee access & login information/credentials (37 percent) and information about employees (37 percent) during any given hack.

Unprotected devices pose the greatest opportunity for sensitive information to be visually hacked. 53 percent of information deemed sensitive (access or login credentials, confidential or classified documents, financial, accounting or budget information or attorney-client privileged documents) was gleaned by the visual hacker from the computer screen, greater than vacant desks (29 percent), printer bins (9 percent), copiers (6 percent) and fax machines (3 percent) combined.

Open floor plans pose a greater threat to visual privacy. In experimental trials completed in companies with an open-office layout, an average of 4.4 information types were visually hacked, while those conducted in a traditional office layout saw 3.0 information types visually hacked.

Unregulated functional areas were the most likely to experience a visual hack. On average, customer service roles consistently saw the highest number of visual hacks at 6.0, with communications at 5.6 and sales force management 5.2. Regulated functional areas like accounting & finance saw lower averages at 1.9, and legal at 1.0 experienced the least.

Visual hacking controls work. Companies that had relatively low visual hacking rates had more controls in place, such as mandatory training and awareness, clean desk policies document shredding process, suspicious reporting process, and employed the use of privacy filters, to protect against the threat than those without. For instance, in those companies that employed the use of privacy filters, 50 percent of trials saw three or less information types visually hacked while 43 percent of companies that did not use privacy filters saw four or more information types visually hacked.

“Visual privacy is a security issue that is often invisible to senior management, which is why it often goes unaddressed,” says Mari Frank, attorney/mediator and privacy consultant/expert at Mari J. Frank, Esq. and Associates and member of the Visual Privacy Advisory Council. “This study helps to emphasize the importance of implementing a visual privacy policy, educating employees and contractors about how to be responsible with sensitive data they are handling, as well as equipping high-risk employees with the proper tools, such as privacy filters, to protect information as it is displayed.”


Via Paulo Félix
more...
No comment yet.
Scoop.it!

Symantec - Cybercriminals are increasingly targeting web-connecting Devices including Home Appliances.

 As we look forward to 2015, it’s had to forget the complex bugs, data breaches and Privacy violations that have marred the Tech world in the ending year.  Symantec Security firm now projects doom for 2015, warning that attacks will get Smarter and sharper.

It’s the end of the year, a perfect time to look back at the numerous bugs and data breaches that have rocked the Tech world in the recent past.  It’s hard to forget bugs such Heartbleed in 2013, the ShellShock and the Poodle bug which caused a shudder in Silicon Valley earlier this year. Well, Symantec security firms says 2015 won’t be any different either, warning users to get ready for more bugs and highly sophisticated attacks. “In 2015, we can expect attacks to get smarter and sharper,” projects Symantec.

With the advancement of Internet of Things (IoT), attackers now have an array of attack vectors to propagate their heinous acts. More internet connecting devices, from Smartphones to plug and play devices such Smart TV, Smart Fridges and IP cameras, spells doom for the future of internet users.


Via Paulo Félix
more...
No comment yet.
Scoop.it!

Adobe patches Flash zero-day found in Hacking Team data breach

Adobe patches Flash zero-day found in Hacking Team data breach | IT Support and Hardware for Clinics | Scoop.it

The massive Hacking Team data breach led to the release of 400GB worth of data including a zero-day vulnerability for Adobe Flash. Adobe has released an out-of-band patch for the flaw just two days after it was discovered.


The vulnerability was described by the Hacking Team in a readme file in the data dump as "the most beautiful Flash bug for the last four years". Accompanying the readme in the data was a proof-of-concept exploit of the flaw.


Adobe categorized the vulnerability (CVE-2015-5119) as critical and said it affects Flash Player versions 18.0.0.194 and earlier on Windows and Mac, and versions 11.2.202.468 and earlier on Linux. Successful exploitation of the flaw could allow remote code execution.


Security researcher Kafeine found that the vulnerability has already been added to the Angler, Fiddler, Nuclear and Neutrino exploit kits. Because of this, admins are recommended to apply the patch as soon as possible.


Also found in the Hacking Team data was another Adobe Flash zero-day (CVE-2015-0349), which was patched in April, and a zero-day affecting the Windows kernel. The inclusion of these zero-days has caused experts to question if these exploits are being used by Hacking Team clients, including law enforcement and governments.


"As many governments move to try and control malware and offensive security tools, some have been caught with their own hands in the cookie jar, leading many to wonder how and why governments and agencies listed as Hacking Team clients are using these tools and if they are doing so lawfully," said Ken Westin, security analyst for Tripwire. "Given the depth and amount of data compromised in this breach, it will reveal a great deal about the market for offensive tools designed for espionage with a great deal of fallout and embarrassment for some organizations."


Hacking Team spokesman Eric Rabe confirmed the breach and said that while law enforcement is investigating, the company suggests its clients suspend the use of its surveillance tools until it can be determined what exactly has been exposed.


In a new statement, Rabe warned that its software could be used by anyone because "sufficient code was released to permit anyone to deploy the software against any target of their choice.


"Before the attack, HackingTeam could control who had access to the technology that was sold exclusively to governments and government agencies," Rabe wrote. "Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so. We believe this is an extremely dangerous situation."

more...
No comment yet.
Scoop.it!

LastPass Sounds Breach Alert

LastPass Sounds Breach Alert | IT Support and Hardware for Clinics | Scoop.it

Warning to all LastPass users: Change your master password for the service now and ensure you're using multi-factor authentication. There has been a data breach that might allow attackers to crack master passwords and password reminders.


"Our team discovered and blocked suspicious activity on our network," reads a security notice from Joe Siegrist, the CEO of online password management service LastPass, which allows people to store multiple passwords inside a single, cloud-based password vault.


Siegrist says the intrusion was discovered June 12. "In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."


This is not the first time that LastPass has reported that passwords or data might have been hacked. In 2011, the firm reported finding a "traffic anomaly from one of our databases" that could have resulted in data exfiltration. In response, the firm said it took a number of steps to tighten security, including registering domains that might be used by phishing attackers, as well as removing non-core services from the LastPass network.


In the wake of this newly announced breach, Siegrist says that the company is "confident that our encryption measures are sufficient to protect the vast majority of users," noting that the site's techniques for creating users' authentication hashes - in essence, how their authentication credentials get protected - would make it very difficult for an attacker to crack those hashes "with any significant speed." But because that is a possibility, the company says it has now "locked down" all accounts, meaning that any attempt to access an account from a new device or IP address will require the user to first verify their identity via email, unless they're already using multi-factor authentication.


"We will also be prompting all users to change their master passwords," Siegrist says. "You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites." He adds that because encrypted user data wasn't stolen, users do not need to change the passwords for any sites stored inside their LastPass password vault.


LastPass also offers multi-factor authentication - including Google Authenticator, Yubikey and the Duo Security Authenticator - to safeguard accounts. And in the wake of the breach, multiple information security experts recommend that all LastPass users ensure that they are using this feature.

Rethink Password Reset Questions

"Should I panic because LastPass was hacked?" asks Robert David Graham, head of information security research firm Errata Security. "If you chose a long, non-dictionary password, nobody can crack it," he says, thanks to the way LastPass creates its hashing algorithms. "Conversely, if you haven't, then yes, you need to change it."


Some security experts, meanwhile, say that the biggest risk now facing LastPass users will bephishing attacks, especially because users' email addresses have been compromised. "LastPass is advising users to change the master password. While this is a good idea, it should not be the top priority," says Martin Vigo, a product security engineer for salesforce.com who's due to present the talk "Breaking Vaults: Stealing LastPass protected secrets" at the July Shakacon conference in Hawaii. "You should pay more attention to the password hint you set up and be on the lookout for any possible phishing email in the next weeks pretending to be LastPass."


Vigo says many users undercut their security by using password reminders - he recommends never using them, if possible - or else creating weak ones. "While the password reminder cannot be the password itself, it can contain it. This means that password reminders such as 'My password is correct horse battery staple' are possible," he says. "Other more common passwords reminders such as 'My dogs name' can help attackers guess your master password. Remember that they have your email, which leads to your Twitter, Facebook, etc., where possibly that information can be found."

Password Vaults: Pros and Cons

The LastPass breach begs the question of whether people should ever use password managers, a.k.a. password vaults. "If a crook gets hold of your master password, then that's like getting the crown jewels - because now the crook has access to all your accounts at once," says Paul Ducklin, a senior security adviser for anti-virus firm Sophos, in a blog post. As a result, some security experts decry their use, on the grounds that the password manager master password creates a potential single point of failure.


But many security experts, including Bruce Schneier, have long advocated using such tools, saying that it is much more likely that users will get hacked if they reuse passwords, or select weak ones, than have their encrypted password database stolen and cracked.

F-Secure security adviser Sean Sullivan, for example, has said he "can't imagine life" without using one, because such tools can ensure that a user only uses strong passwords, and never repeats them across sites. But Sullivan also takes certain precautions, such as never entering the master password for his password manager when he's using an untrusted system - such as the shared family PC at home - in case a keylogger might be in operation.

Cloud Versus PC-Based

Users can also choose between PC-based, cloud-based or hybrid password managers. Some encryption experts, such as Johns Hopkins cryptographer Matthew Green, have voiced concerns about the security of cloud-based password management services.

more...
No comment yet.
Scoop.it!

President Obama calls for stronger American cybersecurity

President Obama calls for stronger American cybersecurity | IT Support and Hardware for Clinics | Scoop.it

Citing a series of embarrassinghigh profile incursions against US computer networks in recent months, President Obama called for "much more aggressive" efforts to shore up the government's vulnerable cyber-infrastructure. "This problem is not going to go away," the President told reporters at a G7 press conference in Germany. "It is going to accelerate. And that means that we have to be as nimble, as aggressive and as well-resourced as those who are trying to break into these systems." As such, he urged Congress to pass its pending cybersecurity legislation, such as the Cybersecurity Information Sharing Act of 2015.

more...
No comment yet.
Scoop.it!

How to avoid getting hacked due to vulnerable WordPress plugins

How to avoid getting hacked due to vulnerable WordPress plugins | IT Support and Hardware for Clinics | Scoop.it

I’m a huge WordPress fan because it’s a very powerful, effective, and amazingly extensible platform which is why it’s used by 60.4% of [websites with identifiable content management systems which amounts to] 23.7% of all websites. But there’s a risk with any platform that’s extensible trough the use of third party software (called “plugins” in WordPress): That risk is from software vulnerabilities.


Part of the reason for these vulnerabilities is that WordPress is fairly complex so interactions with plugins can produce unwanted and occasionally dangerous security issues. The other major reason is that the coding practices of third parties can be inadequate so dumb vulnerabilities such as buffer overflows and SQL injections can be part and parcel of some “must have” feature added by a plugin. For a summary of current Wordpress vulnerabilities check out the WPScan Vulnerability Database, a “black box WordPress vulnerability scanner.”

If you’re running a WordPress site and given the number of potentially show-stopping problems that exist, get fixed, and are replaced with new problems that are just as bad then you need to be on top of what plugins you’re using and what problems they might have. Rather than scanning through loads of vulnerability notices and checking each plugin’s Web site for news there’s not only WPScan, there’s also a free plugin that check the plugins you use for known issues. It’s called Plugin Vulnerabilities and published by WhiteFirDesign.


The publishers also offer another free plugin, Automatic Plugin Updates that, as its name implies, will update your plugins automatically as new versions become available (you can also set up an “ignore” list to exclude specific plugins from automatic updates).

When you activate Plugin Vulnerabilities, all of your other plugins are examined and checked against WhiteFirDesign’s database of vulnerabilities. They’re also rechecked whenever a plugin in manually updated or an update executed by the Automatic Plugin Updates or by any other method.


WhiteFirDesign’s vulnerability stats were, as of April 6:

  • 257 vulnerabilities included
  • 61 included vulnerabilities are in the most recent version of plugins (57 of these plugins have been removed from the Plugin Directory)
  • 24 vulnerabilities have been fixed in part due to our work on this plugin
  • 5 included vulnerabilities in security plugins
  • Top vulnerability types:
    • cross-site request forgery (CSRF)/cross-site scripting (XSS): 52 vulnerabilities
    • reflected cross-site scripting (XSS): 45 vulnerabilities
    • arbitrary file upload: 45 vulnerabilities
    • arbitrary file viewing: 23 vulnerabilities
    • SQL injection: 16 vulnerabilities



This plugin is, in short, something you shouldn’t do without if you’re running WordPress. It could make the difference between smooth, uninterrupted operations and spending lots of time rebuilding your WordPress site after being hacked.

The Plugin Vulnerabilities and Automatic Plugin Updates plugins both get a Gearhead rating of 5 out of 5.


more...
No comment yet.
Scoop.it!

Hackers have found a way to get into nearly every computer

Hackers have found a way to get into nearly every computer | IT Support and Hardware for Clinics | Scoop.it

Hacking even the most secure data is easier than previously thought. This was evidenced by two researchers at the CanSecWest security conference in Vancouver last week.

The two computer security experts, Xeno Kovah and Corey Kallenberg, exhibited a proof-of-concept, showing how to hack into BIOS chips, which are microchips containing the firmware of a computer’s motherboard.

"The BIOS boots a computer and helps load the operating system," Wired explained. "By infecting this core software, which operates below antivirus and other security products and therefore is not usually scanned by them, spies can plant malware that remains live and undetected even if the computer’s operating system were wiped and re-installed. "

The attacks can be levied either through remote exploitation — such as phishing emails — or through “physical interdiction of a system,” Wired reports. The researchers discovered what they called "incursion vulnerabilities," giving them access to the BIOS. Once the BIOS is compromised, they can grant themselves the highest of system privileges. Then, they are able to gain all sorts of control over the system. This includes the ability to steal passwords as well as surveil other data. 

Kovah told Business Insider that of the 10,000 enterprise-grade machines they analyzed, 80% of them had at least one BIOS vulnerability.

Most alarming is that any and all data is up for grabs once the BIOS is compromised. This means encrypted data is accessible — even if the computer user is using privacy-oriented security software.

For example, the researchers said that the Tails system — a widely used OS known for its immense security — could be hijacked. Edward Snowden and Glenn Greenwald use Tails to share data. Kovah and Kallenberg say that their malware could subvert Tails making it possible to gain access to any of its data. 

The ramifications for computer security are huge. For one, it was previous thought that only the most well-equipped hacking guns, like deep-pocketed governments, were able to compromise BIOS chips. This was most recently evidenced by findings from the Kaspersky Lab, which discovered a series of attacks targeting computers' firmware from what appears to be the NSA.

Now, given that Kovah and Kallenberg were able to hack these chips without a billion dollar government budget, things have changed. Already vendors are working on patches to deal with the vulnerability, but there's no way to know what sort of damage has already been done.

While the vectors for attack are numerous, Kovah and Kallenberg hope their findings bring awareness to how critical firmware security truly is. At the very least, they hope this forces companies to patch their systems. As Kovah explained, even when new patches are issued, "we keep finding new vulnerabilities."


more...
No comment yet.
Scoop.it!

Yes, You Can Afford a Hacker

Yes, You Can Afford a Hacker | IT Support and Hardware for Clinics | Scoop.it
Want to break into your partner’s email? Got a few hundred bucks lying around? You can afford your very own hacker.

If you’re looking to break into someone’s email account or snag a few compromising photos stored in the cloud, where would you go? Craigslist, of course.

“I am looking for someone who can get into a database to retrieve a few photos. Someone who is a genius at computers,” read a recent post. And it doesn’t stop there.

You can post “How do I get the password for my ex-girlfriend’s hotmail account?” or just “Need a computer hacker for a job!” on an online forum and just wait for people to respond, says Tyler Reguly, manager of security research at Tripwire. Then you just sit back and wait for the replies to roll in and strike a deal.

It’s that easy to hire a hacker.

Cybercrime used to be limited to the shadowy corners of the Internet and secret black market forums, but now these transactions are taking place on websites that millions of people use every day. Googling “hacker for hire” returns more than 1.6 million results. And for the slightly more tech-savvy, new marketplaces such as hackerslist.com, hackerforhire.org, and neighborhoodhacker.com provide a safe meeting place for hackers and those seeking their services. You can even leave Yelp-style feedback on forums like hackerforhirereview.com.

“It’s frightening that people have no qualms asking” for hacking in the same way they would ask someone to shovel snow from their driveway, Reguly says.

Black market websites have long offered a wide array of services for would-be cybercriminals—customized malware, carder forums selling stolen payment card details and cloned credit cards, exploit kits and other toolkits to craft campaigns, denial-of-service attack tools, and botnet rentals—at fairly affordable prices. Most of the sites accept the cryptocurrency Bitcoin, to keep transactions anonymous. Some sites welcome new users and others have strict membership requirements, but in general, these forums and stores are public, transparent, and easy to find, says Daniel Ingevaldson, CTO of Easy Solutions, a fraud detection company.

“It’s really hard to get in trouble for doing this, so there is no reason to hide,” Ingevaldson says. “It will take you only a few minutes to find it, even if you don’t know what you are doing.”

Hacking used to be thought of as a financial crime, but today’s hackers-for-hire will take personal jobs. Instead of offering botnets with hundreds or thousands of compromised machines or stolen payment card information, these sites target a much broader market. Offerings include breaking into email and social media accounts or hacking into online databases and services, says Grayson Milbourne, the security intelligence director at Webroot. Some sites may offer escrow accounts, letting customers transfer funds in and paying the hacker only after the service is complete. Prices vary, but usually range between $100 and $3,000, making these services “within reach of most,” he says.

That Craigslist ad for retrieving some photos off the database offered $500 for the gig.

If you’re willing to tread these muddy waters, finding a hacker is easy and just a simple Google search away.

That society doesn’t seem to care about this kind of hacking is “disconcerting,” Reguly says, noting that many people don’t view stealing digital assets as a real crime. The disconnect between the physical and digital worlds remains very strong, even as people’s offline and online lives merge.

The same person who would be upset when thieves steal credit card numbers would not consider breaking into email or Facebook accounts as serious, he said.

And some customers feel they deserve what they’re paying for or that they’re righting some wrong. A PhD student angry that his research paper has been posted without his permission on other sites might hire someone to make sure people can't search or link to those pirated copies. A mother might want someone to break into her son’s Facebook account and install something on his phone that would let her intercept both incoming and outgoing phone calls, text messages, and pictures.

Even though it’s relatively affordable, hiring a hacker for personal use is a risky business, Milbourne says.

Is there honor among thieves? There is no way to make sure the hacker will stop where you’ve told him or her to once they’ve done the job. That mom may receive her son’s Facebook password, but she can never be sure the hacker won’t use the information to steal her son’s identity, or to trick him into downloading a banking Trojan on the family computer to steal her bank account information.

The legal issues surrounding these transactions are murky.

The activities being posted online are criminal, but who is supposed to prosecute them? Hacking is a global service—the providers can be based anywhere in the world and out of U.S. jurisdiction. The customer looking for the services doesn’t need to know, and probably doesn’t even care, where the service is coming from. And the sellers know the odds of law enforcement coming after them are very low.

“Getting arrested is out of their realm of experience for what can possibly happen,” Ingevaldson said. “None of their friends have been arrested.”

Hacker-for-hire sites may or may not be breaking the law—no one has tested those limits yet. And mainstream sites such as Craigslist act as just a marketplace connecting buyers and sellers and so far have claimed they are not responsible for any resulting illegal activities.

“It should be simple … hacking into someone’s email is a crime, so discussing that with someone and paying them to do it should, therefore, be conspiracy to commit a crime,” Reguly says.

The recent proposals from the White House to amend the Racketeering Influenced and Corrupt Organizations Act—originally designed to prosecute the Mafia and gangs—to include hacking may change things. If RICO can be applied to cybercrime, just being in the same chatroom or forum as a hacker may make the person an accomplice.

If you’re willing to tread these muddy waters, finding a hacker is easy and just a simple Google search away.

“At this point, our lives are digital, the bits and bytes traversing the wires are as much a part of us as the clothes we choose to wear and the cards we carry in our wallets,” Reguly says. This means people have to protect their digital assets just as they take care of themselves in the physical world. “To make a mockery of that with sites like this is a great example of the decay of society.”


Via Roger Smith, Paulo Félix
more...
No comment yet.
Scoop.it!

Experts Question Sony Hack-Back Story

Experts Question Sony Hack-Back Story | IT Support and Hardware for Clinics | Scoop.it

Information security experts are questioning the accuracy of a news report that claims Sony Pictures Entertainment is attempting to "hack back" to disrupt distribution of stolen Sony files.

The report on the news website Re/code, which is affiliated with CNBC, cites two anonymous sources saying that "the company is using hundreds of computers in Asia to execute what's known as a denial-of-service attack on sites where its pilfered data is available."


Multiple information security experts, however, have questioned that account. "I highly doubt Sony is doing this," Tom Chapman, director of the security operations group at computer security firm EdgeWave, tells Information Security Media Group. "And I highly doubt this would work. As for the legality, [it's] probably highly illegal."

What Sony might be doing, however, some experts speculate, is attempting to disrupt BitTorrent networks on which the stolen files are currently circulating by sending the "peers" that are attempting to download the file to sites where only bogus versions of those files are being stored. "Screwing with torrents is as old as torrents, and even if it were 'hacking,' which it isn't, it isn't hitting the attackers," says Jack Daniel, a strategist at vulnerability detection vendor Tenable Network Security.

Sony has failed to respond to repeated requests for comment on the hack attack against it.

Attackers Threaten Further Releases

Meanwhile, a group calling itself Guardians of Peace, or G.O.P., which claimed credit for the Sony attack, is continuing to release more of the "tens of terabytes" its claims to have stolen.

In an e-mail sent to Information Security Media Group on Dec. 11, someone claiming to be part of G.O.P. included links to multiple sites that contain a message from the group that includes links to download a sixth batch of leaked data, which attackers claim includes the Outlook mailbox for Sony's general counsel, Leah Weil, who joined the company in 1996. That leak follows the reported release of the Outlook mailbox for Sony Picture Chairman Amy Pascal.

G.O.P.'s latest message includes a warning to all Sony's employees. "We still have huge amount of sensitive information to be released including your personal details and mailboxes," it says. "Make the company cancel the release of the movie of terrorism, or you have to be blamed for it," it adds, apparently referring to Sony's forthcoming comedy The Interview, which according to leaked e-mails features Kim Jong-un's head exploding after he gets hit with a shell fired from a tank, Reuters reports.

Sony's Breach Costs Mount

Sony information that's already been leaked to date - beyond high-quality copies of five unreleased films - has included exhaustive lists of Sony's passwords for social media networks, as well as private details for 47,000 employees.

As more and more such information - including Social Security numbers and other personally identifiable information on current and former employees - becomes public, and the related risk of identity theft increases, some commentators have been asking just how much Sony is going to have to pay to repair the damage.

Of course, that question can't yet be definitively answered. Full details of the Sony attack have yet to come to light, and the full ramifications of the data breach - including whether it might drive big-name stars, directors and writers to competing studios - probably won't be known for at least another six months, Jim Lewis, senior fellow at the Center for Strategic and International Studies, tells Reuters. "Usually, people get over it, but it does have a short-term effect," he says.

Still, Lewis believes that Sony's related breach costs could hit $100 million, although he notes that the costs would be higher had Sony lost customer data, as happened in the April 2011 attack that compromised the personal information of 77 million PlayStation network and Qriocity customers, triggering a U.K. fine and a U.S. class action lawsuit that Sony ultimately settled.



more...
No comment yet.