IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice
More Retailers Hit by New Third-Party Breach?


CVS, Rite-Aid, Sam's Club, Walmart Canada and other large retail chains have suspended their online photo services following a suspected hack attack against a third-party service provider that may, in some cases, have resulted in the compromise of payment card data.


The suspected breach centers on PNI Digital Media Inc., a Vancouver-based firm that manages and hosts online photo services for numerous retailers. The incident serves as a reminder of the security challenges that organizations face when it comes to managing their third-party vendors and entrusting them with sensitive customer information.


Numerous chains have confirmed that they are investigating potential breaches - some involving payment card data - after being warned by PNI Digital Media that it may have suffered a hack attack that resulted in the compromise of retailers' customers' names, addresses, phone numbers, email addresses, photo account passwords and credit card information. But none of the retailers involved have so far reported that they believe the breach would affect any of their in-store customers, including anyone who used in-store photo services.


PNI Digital Media did not immediately respond to a request for comment on its reported breach investigation. Until July 17, the company's investors page reported that it worked with numerous retailers, and while that page is now blank, a recent version cached by Google's search engine reads: "PNI Digital Media provides a proprietary transactional software platform that is used by leading retailers such as Costco, Walmart Canada, and CVS/pharmacy to sell millions of personalized products every year. Last year, the PNI Digital Media platform worked with over 19,000 retail locations and 8,000 kiosks to generate more than 18M transactions for personalized products."

CVS Confirms Investigation

On July 17, CVS spokesman Mike DeAngelis confirmed that CVSPhoto.com may have been affected by the suspected PNI Digital Media breach. "We disabled the site as a matter of precaution while this matter is being investigated," DeAngelis tells Information Security Media Group.


The cvsphoto.com site now reads in part: "We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised. As a precaution, as our investigation is underway we are temporarily shutting down access to online and related mobile photo services. We apologize for the inconvenience."

CVS says PNI Digital Media collects credit and debit information for customers who purchase online photo services through CVSPhoto.com. Accordingly, CVS recommends that all customers of its online photo service review their credit card statements "for any fraudulent or suspicious activity" and notify their bank or card issuer if anything appears to be amiss. "Nothing is more central to us than protecting the privacy and security of our customer information, including financial information," CVS says. "We are working closely with the vendor and our financial partners and will share updates as we know more."

Rite Aid: No Suspected Card Theft

Drugstore chain Rite Aid has also taken its online and mobile photo services offline. "We recently were advised by PNI Digital Media, the third party that manages and hosts mywayphotos.riteaid.com, that it is investigating a possible compromise of certain online and mobile photo account customer data," Rite Aid's site reads. "The data that may have been affected is name, address, phone number, email address, photo account password and credit card information."


Unlike CVS, however, Rite Aid reports that it does not believe that its customers' payment-card data is at risk. "Unlike for other PNI customers, PNI does not process credit card information on Rite Aid's behalf and PNI has limited access to this information," it says, adding that it has received no related fraud reports from its customers.

Sam's Club has also taken its online photo service offline, "in an abundance of caution and as a result of recent reports suggesting a potential security compromise of the third-party vendor that hosts Sam's Photo website." As with Rite Aid, however, Sam's Club reports that "at this time, we do not believe customer credit card data has been put at risk."


Costco and Tesco Photo have also suspended their online photo services.


Walmart Canada, which also outsources online photo services to PNI, also may have been affected by the possible breach, according to The Toronto Star, and the retailer has since suspended its online photo services website. "We were recently informed of a potential compromise of customer credit card data involving Walmart Canada's Photocentre website, www.walmartphotocentre.ca," Walmart states. "We immediately launched an investigation and will be contacting customers who may be impacted. At this time, we have no reason to believe that Walmart.ca, Walmart.com or in-store transactions are affected."


Walmart did not respond to Information Security Media Group's request for comment. ISMG also reached out to office supplier Staples, which owns PNI, but did not get a response.

"PNI is investigating a potential credit card data security issue," a Staples spokesperson told The Toronto Star.

Growing Third-Party Breach Concerns

PNI's potential breach comes just a week after Denver-based managed services provider Service Systems Associates announced that a breach linked to a malware attack against its network had likely affected about 12 of the payment systems it operates for gift shops at retail locations across the country, including zoos, museums and parks.


Service Systems Associates says debit and credit purchases made between March 23 and June 25 may have been compromised.

On July 7, the Financial Services Information Sharing and Analysis Center, along with Visa, the U.S. Secret Service and The Retail Cyber Intelligence Sharing Center, which provides threat intelligence for retailers, issued a cybersecurity alert about risks merchants face when dealing with third parties.


The alert lists a number of security recommendations for managing third-party risks, including using multifactor authentication for remote-access login to point-of-sale systems and including specific policies related to outdated operating systems and software in contracts with vendors.


Earlier this month, Chris Bretz, director of payment risk at the FS-ISAC, warned that managed service providers that offer outsourced services to numerous merchants are increasingly being targeted by cybercriminals.


"Criminals continue to find success by targeting smaller retailers that use common IT and payments systems," Bretz said in an interview with ISMG. "Merchants in industry verticals often use managed service provider systems. There might be 100 merchants that use a managed service provider that provides IT and payment services for their business."


A government key to unlock your encrypted messages has major problems and security experts are up in arms


Top computer scientists and security experts are warning that government proposals to gain special access to encrypted communications could result in significant dangers. 

A consortium of world-renowned security experts has penned a report detailing the harm that regulating encryption would cause, writes the New York Times.


Hard encryption — which global authorities are now trying to combat — is a way to mathematically cipher digital communications and is widely considered the most secure way to communicate online to avoid external snooping. 


This follows news last week that British Prime Minister David Cameron made a proposal to ban encryption as a way to "ensure that terrorists do not have a safe space in which to communicate."  


Since then, experts have begun weighing in about the effect of such drastic measures. This includes well-known cryptographer Bruce Schneier, who told Business Insider that such a strong encryption ban would "destroy the internet."

The new report, which was released today, takes a similarly hard stance. "The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws," it writes. Not only that, but federal authorities have yet to explain exactly how they planned to gain "exceptional access" to private communications.


The report concludes, "The costs would be substantial, the damage to innovation severe, and the consequences to economic growth difficult to predict." In short, the experts believe that trying to put limitations on encrypted communications would create myriad problems for everyone involved. 


This sort of fissure between security experts and federal authorities isn’t new. In fact, a similar proposal was made by the Clinton Administration in 1997 that also took aim at hard cryptography. Back then, a group of experts — many of whom are authors on this new report — also wrote critically about the anti-encryption efforts.

In the end, the security experts prevailed. 


Now, it’s not so certain. FBI director James Comey has joined the anti-encryption brigade, saying that "there are many costs to [universal strong encryption]."

He and the US deputy attorney general Sally Quillian Yates are scheduled to testify before the Senate tomorrow to defend their views, the New York Times reports.

The question now is whether other federal officials will side with people like Comey and Cameron or the group of security experts. 

In the paper's words, creating such back-door access to encrypted communications "will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend."


FBI Alert: $18 Million in Ransomware Losses


In the past year, U.S. businesses and consumers have experienced more than $18 million in losses stemming from a single strain of ransomware called CryptoWall, according to the Internet Crime Complaint Center.


In total, IC3 - a collaboration between the FBI and the National White Collar Crime Center - says it received 992 CryptoWall-related complaints from April 2014 to June 2015. And it says the reported losses relate not just to ransom payments potentially made by victims, but additional costs that can include "network mitigation, network countermeasures, loss of productivity, legal fees, IT services and/or the purchase of credit monitoring services for employees or customers."

The quantity of ransomware attacks continues to escalate, security experts say, because it offers criminals the potential for high rewards with little risk (see Crime: Why So Much Is Cyber-Enabled). Indeed, ransomware attacks can be launched en masse by remote attackers and are relatively cheap and easy to perpetrate. Even the process of collecting payments from victims - often payable in bitcoins - and providing decryption keys can be automated.

"In most cases, once the victim pays a ransom fee, he or she regains access to the files that were encrypted," IC3 reports. "Most criminals involved in ransomware schemes demand payment in Bitcoin. Criminals prefer Bitcoin because it's easy to use, fast, publicly available, decentralized and provides a sense of heightened security/anonymity."

Because ransomware relies so heavily on social engineering - tricking victims into executing the related malware or falling for ransom scams - many security experts have urged businesses to continually educate their employees and customers about ways to spot such attacks and defend themselves.

Click-Fraud Attack Spike


Earlier this month, security firm Symantec warned that it had seen a spike in attacks that began with the year-old Poweliks Trojan, which was designed to perpetrate click fraud, and which also downloaded CryptoWall onto an infected system. Click fraud refers to infecting systems with malware that is used to make "bogus requests" for online advertising, without the malware revealing its presence to the user of the infected system.

Using a single piece of malware - or "dropper" - to infect a system and then download and install many other types of malware onto the same system is not a new attack technique.

For example, authorities have accused the gang behind Gameover Zeus of first using that Trojan to harvest bank credentials, and then infecting systems with Cryptolocker ransomware. The U.S. Department of Justice believes that the Gameover Zeus gang is responsible for more than $100 million in losses via the banking Trojan, and netted $27 million in ransom payments in just the first two months they began using Cryptolocker.

Attacks Get Modular


But attackers have been retooling their malware to make it easier to rapidly infect PCs with multiple types of malware. Security firm Trend Micro warned in 2013 that the aging Asprox botnet, which was first discovered in 2007, had re-emerged "with a new and improved modular framework," and been rebranded as Kuluoz malware, which was a dropper designed to download additional malware onto infected PCs.

By December 2014, the Level 42 threat-intelligence research group at security vendor Palo Alto Networks reported seeing a spike in Asprox-related attack activity. "This malware sends copies of itself over email quickly and to users all around the world and then attempts to download additional malware," it said. The researchers noted that of the 4,000 organizations that it was monitoring, the malware had been tied to "approximately 80 percent of all attack sessions" seen in October and had attempted to infect nearly half of all those organizations.

Also in December, the Association of National Advertisers warned that U.S. businesses were losing about $6.3 billion annually to click fraud. The same month, a study conducted for the ANA by the security firm White Ops found that botnets were responsible for "viewing" 11 percent of all online advertisement, and 23 percent of all online video advertisements.

Asprox Botnet Serves CryptoWall


But click-fraud malware attacks are increasingly blended with other types of malware as attackers attempt to monetize infected PCs as much - and as rapidly - as possible.

In a recent series of attacks, Asprox malware - now typically distributed via phishing attacks - "phoned home" to the Asprox command-and-control server after it infected a PC, and received back the Zemot dropper malware, according to a new report released by the security firm Damballa. The dropper then downloaded the Rovnix rootkit, as well as Rerdom, which is a click-fraud installer.

Damballa says that it has also seen Zemot get installed via crimeware toolkit exploits, which can exploit systems using known vulnerabilities, for example if attackers compromise otherwise legitimate websites and use them to launch drive-by attacks.

Inside enterprises, "click fraud is generally viewed as a low-priority risk," Damballa says. "In reality, click fraud is often a precursor to something more sinister. A device infected with click-fraud [malware] may leave the enterprise susceptible to dangerous downstream infections."

Indeed, Damballa reports that tests of Asprox-infected machines found that over the course of two hours, a single PC was infected with three different types of click-fraud malware, as well as the CryptoWall ransomware. Even after CryptoWall encrypted much of the infected PC's hard drive, furthermore, the click-fraud malware continued to operate, so long as the machine remained Internet-connected.


President Obama calls for stronger American cybersecurity


Citing a series of embarrassing, high-profile incursions against US computer networks in recent months, President Obama called for "much more aggressive" efforts to shore up the government's vulnerable cyber-infrastructure. "This problem is not going to go away," the President told reporters at a G7 press conference in Germany. "It is going to accelerate. And that means that we have to be as nimble, as aggressive and as well-resourced as those who are trying to break into these systems." As such, he urged Congress to pass its pending cybersecurity legislation, such as the Cybersecurity Information Sharing Act of 2015.


Do you know where your sensitive data lives?


Tracking where sensitive and regulated data flows, and controlling that flow in outsourced environments such as SaaS cloud applications, where data can move freely between data centers and the systems of a cloud provider's partners, is a key challenge for enterprises in regulated sectors.

More than 125 attendees at RSA Conference 2015 took part in a survey conducted via in-person interviews by Perspecsys. The results reveal a split decision when it comes to trust in Cloud Service Providers (CSPs): 52 percent of respondents say they trust their CSP to take care of protecting and controlling their enterprise data, while the other half (48 percent) do not.

Enterprises need to consider encrypting or tokenizing any sensitive data before it goes to the cloud, so they retain full control of their information while it is in-transit to the cloud, while it is stored at-rest in the cloud and while it is in-use being processed in the cloud.

IDC forecasts that public IT cloud services will account for more than half of global software, server, and storage spending growth by 2018. The Perspecsys survey findings align with this projection, with 67 percent of respondents preferring to store the majority of enterprise data in the cloud – that is – if data privacy and compliance regulations could be addressed. Interestingly, the current perception remains that private cloud is more secure than its public cloud cousins. For example:


  • About half of respondents say existing or impending data privacy regulations impact up to 50 percent of their cloud strategy.
  • The majority of respondents still house less than a quarter of their data in public cloud environments.
  • About a third claim no public cloud use at any level (IaaS, PaaS or SaaS), as far as they know.


Cybersecurity Bills: Latest Developments


The House Intelligence Committee has approved cyberthreat information sharing legislation that its leaders developed, one of four such proposals pending before Congress.


Meanwhile, the co-chairman of the House Cybersecurity Caucus, Rep. Jim Langevin, D-R.I., has introduced a national data breach notification bill modeled on language proposed earlier this year by the White House.


The leaders of the House Intelligence Committee recently introduced the cyberthreat information sharing bill known as the Protecting Cyber Networks Act. After incorporating some additional privacy protections proposed by the White House and committee members, the bill was unanimously approved by the panel in a closed session on March 26. It now goes to the full House for consideration.


"This bill will help defend U.S. networks against a wide array of cybercriminals who are becoming more active and more threatening every day," committee chairman Devin Nunes, R-Calif., said in a statement after the bill was approved. "It's a bipartisan approach with strong privacy protections that will have a deep impact on this growing problem."


Nunes told reporters that the approved version of the bill included a manager's amendment - a single amendment that contains a number of smaller amendments from several committee members from both sides of the aisle, as well as the White House - aimed at strengthening the bill's privacy protections, The Hill reports.


Committee ranking member Adam Schiff, D-Calif., said in a statement that he's "optimistic about its prospects for passage," especially in light of the bill having been updated to reflect requests from the White House, although he did not identify what those requests or resulting changes were.


Four information-sharing bills are currently pending, including the Senate's Cybersecurity Information Sharing Act. The Senate Intelligence Committee approved CISA in a closed session on March 12. CISA offers liability protection to businesses that share cyberthreat information with each other, as well as with the government.


Earlier this month, Rep. Mike McCaul, R-Texas, introduced competing draft legislation called the National Cybersecurity Protection Advancement Act, which gives businesses that share such information immunity from related lawsuits, provided they have not committed "willful misconduct or gross negligence." Meanwhile a fourth measure, the Cyber Threat Sharing Act, sponsored by Sen. Tom Carper, D-Del., hews more closely to a White House proposal. It designates the Department of Homeland Security's National Cybersecurity and Communications Integration Center as the key government agency to collaborate with the private sector through information sharing and analysis organizations, known as ISAOs, to share cyberthreat information.

New Data Breach Notification Bill

Beyond its consideration of cyberthreat information-sharing bills, Congress has been increasingly focused on the prospect of passing national data breach notification legislation.


On March 26, Rep. Jim Langevin, D-R.I., introduced the Personal Data Notification and Protection Act of 2015, which is modeled on a January 2015 proposal from the White House. It includes a 30-day notification requirement after an organization discovers a breach. But the U.S. Secret Service or FBI would be able to delay such notifications on national security grounds, or if it would jeopardize related investigations.


"We have seen time and again the vulnerability of companies large and small, and consumers deserve to know as quickly as possible when their personal information has been compromised," Langevin said in a statement.


His bill would apply to any business that maintains records on 10,000 or more people in a 12-month period. Breached businesses would also be required to not only notify consumers whose personal information was exposed, but also media outlets if more than 5,000 records are breached that relate to consumers in a single state. They also would be required to notify credit-reporting agencies for any breach involving 5,000 records or more. The measure would expand the Federal Trade Commission's definition of deceptive acts or practices to include noncompliance with the law.


Organizations would be exempt from breach notifications - though only with the FTC's approval - if they determined that there was no risk that consumers would actually be harmed by the breach.

Rival Breach Notification Bill

Langevin's bill competes with the Data Security and Breach Notification Act of 2015, which the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade approved March 25. Its provisions include a requirement for organizations to report any breaches that expose personal information, no matter how many records they maintain. Such notifications would not be required within 30 days of the breached organization having concluded a related digital forensics investigation and repaired affected systems. The bill would also require businesses to "implement and maintain reasonable security measures and practices to protect and secure personal information" and supplant any such requirements at the state level.

Some Democratic members of the House subcommittee had attempted to amend the Data Security and Breach Notification Act of 2015 so states could retain stronger breach-protection and notification requirements than the bill proposes. But those amendments were voted down before the subcommittee approved the bill, which now advances to the full Energy and Commerce Committee.


Both pending breach notification bills, if enacted, would usurp the patchwork of breach notification laws now in place across 51 different jurisdictions - 47 states, three territories and Washington, D.C. - in favor of a single federal statute.

Both of the bills would also exempt from compliance organizations that must comply with the Health Insurance Portability and Accountability Act's breach notification requirements.

Proposal: Cyberspace Office

Langevin this week also reintroduced his Executive Cyberspace Coordination Act - first proposed in August 2013 - which would create a new National Office for Cyberspace at the White House to coordinate all government-level cyberspace-related initiatives, as well as review all related budgets.


"A cybersecurity coordinator, freed from other budgetary pressures, would be able to offer independent analysis as to whether departments and agencies are adequately defended," Langevin said in a statement. "Making these smart investments now will save us paying a much higher price later."



Cybersecurity Hindsight And A Look Ahead At 2015


This year we witnessed a series of high-profile security breaches, from the aftermath of the Target and Home Depot fiascos, to a number of attacks on other national retailers, including Michaels, Goodwill and Neiman Marcus. Then there was the massive breach at JP Morgan Chase, which compromised personal information of more than 83 million households and businesses, and finally over 100 terabytes of internal files and films recently stolen from Sony.

Nobody was safe in 2014. In addition to large retailers, media companies and financial institutions, technology companies like eBay and Snapchat were hacked, too, and so were government organizations and healthcare institutions. Also this year, massive Internet infrastructure vulnerabilities were discovered, including Shellshock, Heartbleed and POODLE.

Of course, these publicized events are only a fraction of the overall exposure to losses emanating from cyber incidents, which in 2014 we estimate to be well into the hundreds of billions of dollars. Hence, many firms have dramatically increased their cybersecurity budgets for 2015, and we project that these budget allocations will continue to rise.

Here are five of the most prominent cybersecurity market trends that we believe will define the sector next year:

The Rise of Automated Incident Response

Today, enterprises must not only detect and prevent potential threats; they must also be prepared to react quickly when breaches occur. Enterprises like Target are successfully being sued by banks for failing to act on security alerts. Incident Response solutions counter the aftermath of a breach, allowing businesses to limit damages and reduce recovery time.

Intrusion Detection/Prevention Systems (“IDS/IPS”) strengthen the organization’s security posture; however, highly targeted attacks do eventually penetrate. Determined hackers find their way into the network, despite the various IDS/IPS systems that generate an increasing number of alerts for the security operations team to handle. It is now only a matter of time – how long before a breach is reacted upon and remediated?

One of the clear lessons from Target’s attack is that the traditional Incident Response process, which is mostly based on manual processes, is broken. Reducing the time from detection to remediation could dramatically minimize an attack’s damage.

That’s where Automated Incident Response solutions come in – they don’t leave alerts unhandled, and can react instantly (much faster than humans) when bad scenarios unfold. Enterprises, with their limited human resources, face escalating liabilities for failing to adequately respond to detected threats. Expect chief information security officers (“CISOs”) to turn to Automated Incident Response solutions in 2015.

Cloud Security Becomes a Shared Responsibility

Enterprise IT departments are generally behind in keeping the cloud secure, relying heavily on security features provided by cloud vendors. Most SaaS vendors in particular don’t treat security as a first priority, and so they fail to provide sufficient data governance, control and compliance. In 2014, many CIOs and CISOs realized that maintaining enterprise-grade security in cloud application usage is a shared responsibility, and we expect that in 2015 they will act on that.

A new crop of startups provides deeper visibility into cloud usage, unique threat analysis and proactive enforcement of cloud application security policies. These startups enable employees to enjoy all of the cloud’s advantages securely. There are so many great cloud applications out there, and CIOs desire to be business enablers rather than blockers. That’s what makes this sector so exciting. Expect CIOs and CISOs to allocate meaningful budgets to it in 2015.

Advanced Persistent Threats Surge

In 2015, cybersecurity departments should be particularly careful about advanced persistent threats (APTs). These attacks are stealthy as they target a specific entity and secretly penetrate the network over weeks or months, waiting for the right moment to make their move and exfiltrate valuable data from the enterprise. Credit card numbers will still be valuable to hackers throughout 2015 because the deadline for retailers to upgrade to point-of-sale systems capable of processing chip-and-PIN credit cards is not until October 2015, and we foresee this deadline being extended.

To carry out APTs, custom malicious code gets installed on one or multiple hosts to perform specific tasks while remaining undetected for as long as possible. Sometimes these attacks are financially driven; in other cases, government- or corporate-sponsored hackers are after intellectual property. In the long run, APTs can threaten the national security and economic stability of nations.

According to the Ponemon Institute, the average cost of a data breach in 2014 was $3.5 million, while Target optimistically projected more than $148 million in damages. Accurate detection is the necessary first step toward threat remediation. There are various methods to detect an ongoing cyber attack, and we feel that the ones that are focused on the late stages of the cyber kill chain, post-infection, will be the most interesting in the near future.

“Cloud-first” detection solutions that leverage multiple sources of threat intelligence (for example: botnet interception + log analysis + sandboxing) and are easy for enterprises to deploy will be the most successful in 2015.

Cybersecurity Vendors Become Frenemies

The constant formation of new cyber-threat categories results in the nonstop introduction of startups that are working on new solutions. Managing multiple point solutions is nontrivial for CISOs. For example, there are various vendors that detect malware in the enterprise network, in the data center, on employees’ PCs and mobile devices. Some of these are signature-based, others use machine-learning algorithms, and some use big-data analytics. Buyers find themselves perplexed with the plethora of offerings.

Rather than manage all of these processes separately, CISOs prefer to deploy comprehensive solutions that integrate well with one another and create a coherent security posture. This past year we noticed increasing security vendor collaboration. For example, Fortinet, McAfee, Palo Alto Networks, and Symantec founded the Cyber Threat Alliance. Check Point created an alliance with several threat intelligence vendors to merge their feeds. Increased collaboration among cybersecurity vendors is key to helping CISOs fight cybercrime more effectively, and this trend will accelerate in 2015.

Mergers & Acquisitions on the Rise

Now more than ever, most cybersecurity innovation is carried out by small teams working within startups. The large vendors are always on the lookout to acquire new products to complement their existing portfolios, fully realizing that customers seek comprehensive (rather than point) solutions.

Two of the most notable acquisitions in 2014 were FireEye’s purchase of Mandiant and Palo Alto Networks acquiring Cyvera. Generally this past year, large security vendors acquired companies with capabilities outside of their core business, with intention to expand their offerings and gain competitive advantage. Thus, now FireEye offers professional services powered by Mandiant, complementing its core detection products, and Palo Alto Networks released TRAPS, an endpoint protection product powered by Cyvera, complementing its Next-Generation Firewall.

We project an active M&A scene in cybersecurity in 2015. Expect to see large vendors acquiring more high-tech startups to strengthen their core competencies and rapidly expand their offering.

The Venture Capitalist’s Perspective

In 2014, most mid-to-large enterprises experienced a sharp increase in cyber-attacks, both in breadth and sophistication. Awareness for potential damages is high at boards of directors and management teams of the Fortune 1000. Gartner estimates that the global cybersecurity market will grow from $67 billion in 2013 to $93 billion in 2017.

According to CB Insights, in 2013 venture capital firms invested an all-time record of $1.4 billion in 239 cybersecurity companies. During just the first six months of 2014, cybersecurity investments already totaled $894 million. We expect this upward trend to continue in 2015, as demand for innovation in this category stays high.

We are ever more enthusiastic about the cybersecurity sector. Enterprises require advanced solutions to combat ever-more-sophisticated adversaries. Incumbent security vendors need new bleeding-edge technology. The venture capital industry is eager to back the entrepreneurs that can deliver outstanding solutions in 2015 and beyond.

Vicente Pastor's curator insight, January 4, 2015 1:34 PM

I would be really interested in being exposed to the announced automated incident response solutions. Automation, as always, works up to a certain degree. Human intervention cannot be completely eliminated (at least within the current status of research) for all tasks. This type of announcement makes lots of people think that those solutions work autonomously without the need for a number of people to continuously maintain and configure them. But more automation means also more people maintaining and tuning the solution. What do you think?

Why Are We So Stupid About Passwords?

Despite the seemingly nonstop pace of data breaches, organizations worldwide still don't seem to be paying much attention to detail when it comes to the proper use of passwords.

The latest entrant into the password "hall of shame" is Sony Pictures Entertainment, as the ongoing leaks of purloined Sony data by Guardians of Peace - a.k.a. G.O.P. - continue to highlight. It wasn't just that Sony was - according to numerous reports - using weak, overly short passwords for many systems. Sony was also storing lists of passwords in text files, Word documents and Excel spreadsheets, Mashable reports. Furthermore, none of those files appears to have been password-protected or encrypted.

Security experts react with incredulity at Sony's alleged password missteps. "You don't store passwords in Word files or in Excel spreadsheets," Tom Chapman, director of the security operations group at computer security firm EdgeWave, tells me.

G.O.P. didn't have to look far to unearth sensitive passwords for Sony's internal network, social media accounts and Web services. Indeed, many of them appear to have been shared on file-servers in a folder labeled "Passwords."

Sony has not responded to my multiple requests for comment about the hack attack and its password security practices.

Did Sony Learn From LulzSec?

But leaving passwords gift-wrapped for anyone who's able to penetrate the corporate network suggests that Sony's executives haven't learned from their previous information security missteps.

In 2011, Anonymous offshoot LulzSec claimed to have compromised 1 million SonyPictures.com users' passwords, as well as "all admin details of Sony Pictures (including passwords)."

Over the course of that year, in fact, the company was pummeled by 21 separate attacks that resulted in breaches of Sony sites, including the theft of 77 million consumers' credit card numbers. The attacks began not long after Sony had laid off a portion of its security staff. Sony subsequently received the year's Pwnie Award - decided by a distinguished panel of information security experts - for "most epic fail," as well as a fine of £250,000 (about $400,000) from the U.K. Information Commissioner's Office, which said in a statement that "the security measures in place were simply not good enough."

Missing: Password Management

Three years after what should have been Sony's security wakeup call, G.O.P. struck via what many security experts suspect was a phishing attack. How well-prepared was Sony for such an attack? After reviewing a recent batch of leaked documents, Buzzfeed claims Sony wasn't even using a social media management system. That's essential for adding two-factor authentication to restrict multi-user access to corporate Twitter and Facebook accounts. Internally, meanwhile, the "Passwords" folder means Sony wasn't enforcing the use of easy-to-use password management software.

Security experts recommend everyone use password managers, which automate the process of generating strong, random passwords; corralling them in one place; storing them in encrypted format; and restricting access. "It is a good practice to use a password manager, and that is essentially keeping everything in a folder called 'passwords' with one major difference - it is properly encrypted so that even if the adversary had it in their possession, they cannot read it without proper credentials," says TK Keanini, CTO of network security firm Lancope.

"There were many major mistakes made at Sony, but the question everyone should ask is: Why does it take a major incident to find these mistakes? Why didn't anyone catch these incredibly obvious insecurities prior to the incident and fix them?" Keanini asks.

Every other organization should now ask itself what would happen if - like Sony - attackers penetrated its network. Would they find social media credentials and lists of admin passwords to tens of thousands of systems in an unprotected Excel spreadsheet?

The obvious takeaway is that enterprises need to get smart about not just requiring strong passwords, but encrypting and restricting access to those passwords, preferably using multi-factor authentication.
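The question two paragraphs up ("would attackers find lists of admin passwords in an unprotected spreadsheet?") can be asked of your own file shares before an intruder asks it for you. The following is an added example, not code from the original article or from any vendor quoted in it: a small audit script that walks a directory tree, flags files and folders whose names suggest a credential store (the "Passwords" folder above), and reports plain-text lines that assign a value to a field such as password, pwd or token. The sample share it scans is constructed inside a temporary directory; the regular expressions and the list of text-like extensions are assumptions of the example, and Word or Excel files are not parsed here because that needs a format-specific reader.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# File or folder names that suggest a credential store (the leaked share reportedly
# had a folder simply named "Passwords").
NAME_HINT = re.compile(r"password|passwd|credential|creds", re.I)

# A "key = value" or "key: value" line whose key is a common credential field.
CRED_LINE = re.compile(r"(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*(\S+)", re.I)

# Only plain-text formats are inspected; .docx/.xlsx would need a dedicated parser.
TEXT_SUFFIXES = {".txt", ".csv", ".ini", ".cfg", ".conf", ".env", ".yml", ".yaml", ".json", ".md"}

Finding = Tuple[str, int, str]  # (relative path, line number or 0 for the name itself, reason)


def scan_tree(root) -> List[Finding]:
    """Walk a directory and report files that look like plaintext credential stores."""
    root = Path(root)
    findings: List[Finding] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if NAME_HINT.search(rel):
            findings.append((rel, 0, "name suggests a credential store"))
        if path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            match = CRED_LINE.search(line)
            if match and len(match.group(2)) >= 4:  # skip empty or placeholder values
                findings.append((rel, lineno, f"credential assignment to '{match.group(1)}'"))
    return findings


def demo() -> List[Finding]:
    """Build a constructed sample share in a temp dir and scan it (made-up data, not Sony's)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Passwords").mkdir()
        (root / "Passwords" / "admin_accounts.txt").write_text(
            "fileserver01 admin password=Summer2014!\n"
            "twitter @corp pwd: S0cialMedia\n"
        )
        (root / "deploy").mkdir()
        (root / "deploy" / "app.env").write_text("DB_HOST=db1\nDB_PASSWORD=hunter2hunter2\n")
        (root / "notes.txt").write_text("Meeting at 3pm about the password policy.\n")
        return scan_tree(root)


if __name__ == "__main__":
    for rel, lineno, reason in demo():
        print(f"{rel}:{lineno or '-'}  {reason}")
```

Run against a real share, the name hint will over-report (a policy document called "password-standard.md" is not a secret) and the line pattern will under-report anything stored in office formats, so treat the output as a triage list to review, not a verdict. The point of the exercise is the one Keanini makes: these files are easy to find, so find them before the incident.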

Even better, look to advanced authentication mechanisms that provide risk-based access controls. For example, consider products that work with the FIDO Alliance - for "fast identity online" - specification. FIDO offers a "bring what you've got" approach that can treat combinations of a user's mobile device, public/private key, one-time passwords, USB security tokens and more as access tokens, thus eliminating the need for passwords.

Until that happens, of course, organizations must pay close attention to password security, or else risk becoming the next Sony.

Adobe patches Flash zero-day found in Hacking Team data breach

The massive Hacking Team data breach led to the release of 400GB worth of data including a zero-day vulnerability for Adobe Flash. Adobe has released an out-of-band patch for the flaw just two days after it was discovered.


The vulnerability was described by Hacking Team in a readme file in the data dump as "the most beautiful Flash bug for the last four years". Accompanying the readme in the data was a proof-of-concept exploit of the flaw.


Adobe categorized the vulnerability (CVE-2015-5119) as critical and said it affects Flash Player versions 18.0.0.194 and earlier on Windows and Mac, and versions 11.2.202.468 and earlier on Linux. Successful exploitation of the flaw could allow remote code execution.
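Deciding whether an installed Flash build falls inside the affected range sounds trivial, but version strings compared as text get it wrong ("9.0.0.0" sorts after "18.0.0.194"). The following is an added example, not code from Adobe or from the original article: it encodes the per-platform ceilings quoted above for CVE-2015-5119 and compares builds numerically. The page does not state the patched build numbers, so the example assumes anything above a ceiling is patched; the "18.0.0.250" and "11.2.202.500" builds used in the demo are hypothetical.

```python
from typing import Tuple

# Affected ranges as given in the advisory text above. Builds above these ceilings are
# treated as patched; the exact fixed builds are not stated on this page (assumption).
AFFECTED_CEILING = {
    "windows": "18.0.0.194",
    "mac": "18.0.0.194",
    "linux": "11.2.202.468",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '18.0.0.194' into (18, 0, 0, 194) so comparison is numeric, not lexical."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(platform: str, installed: str) -> bool:
    """True when the installed build is at or below the affected ceiling for its platform."""
    try:
        ceiling = AFFECTED_CEILING[platform.lower()]
    except KeyError:
        raise ValueError(f"unknown platform {platform!r}; expected one of {sorted(AFFECTED_CEILING)}")
    return parse_version(installed) <= parse_version(ceiling)


if __name__ == "__main__":
    # "18.0.0.250" and "11.2.202.500" are hypothetical later builds, used only for the demo.
    for platform, version in [("windows", "18.0.0.194"), ("mac", "18.0.0.250"),
                              ("linux", "11.2.202.468"), ("linux", "11.2.202.500")]:
        print(platform, version, "AFFECTED" if is_affected(platform, version) else "not affected")
```

In an inventory script the `installed` string would come from the plugin's own version report (or, on Windows, the registry); the comparison logic is the part that usually goes wrong.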


Security researcher Kafeine found that the vulnerability has already been added to the Angler, Fiddler, Nuclear and Neutrino exploit kits. Because of this, admins are recommended to apply the patch as soon as possible.


Also found in the Hacking Team data was another Adobe Flash zero-day (CVE-2015-0349), which was patched in April, and a zero-day affecting the Windows kernel. The inclusion of these zero-days has caused experts to question if these exploits are being used by Hacking Team clients, including law enforcement and governments.


"As many governments move to try and control malware and offensive security tools, some have been caught with their own hands in the cookie jar, leading many to wonder how and why governments and agencies listed as Hacking Team clients are using these tools and if they are doing so lawfully," said Ken Westin, security analyst for Tripwire. "Given the depth and amount of data compromised in this breach, it will reveal a great deal about the market for offensive tools designed for espionage with a great deal of fallout and embarrassment for some organizations."


Hacking Team spokesman Eric Rabe confirmed the breach and said that while law enforcement is investigating, the company suggests its clients suspend the use of its surveillance tools until it can be determined what exactly has been exposed.


In a new statement, Rabe warned that its software could be used by anyone because "sufficient code was released to permit anyone to deploy the software against any target of their choice."


"Before the attack, HackingTeam could control who had access to the technology that was sold exclusively to governments and government agencies," Rabe wrote. "Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so. We believe this is an extremely dangerous situation."

Surveillance Software Firm Breached

Hacking Team, an Italian developer of "easy-to-use offensive technology" - including spyware and other surveillance software that it sells to police, law enforcement and intelligence agencies - appears to have been breached and large quantities of corporate information leaked.


On July 5, hackers also appeared to have seized control of the Hacking Team's Twitter account, @hackingteam, after which they changed the company's logo and posted the following message: "Since we have nothing to hide, we're publishing all our e-mails, files, and source code."


The message included links to a Torrent file that reportedly includes 400 GB of the aforementioned data, including the source code for its "Remote Control System," known as both DaVinci and Galileo. Hacking Team advertises that the software is able to intercept Skype and voice calls, as well as data stored on PCs. The leaked data reportedly also includes passwords for multiple Hacking Team employees and customers, as well as previously disclosed zero-day vulnerabilities.

The Hacking Team data leak reportedly reveals that the company's customers have apparently ranged from the U.S. FBI and Drug Enforcement Administration to the governments of Sudan and the United Arab Emirates. Credit for the hack and data breach has reportedly been claimed by PhineasFisher, who has previously targeted vendors for allegedly selling surveillance software to repressive regimes. "Gamma and HT down, a few more to go :)," PhineasFisher said July 6 via Twitter.


Threat intelligence firm iSight Partners says in a research note that it believes that the breach occurred, and that most or all of the leaked data is genuine, because "convincingly fabricating that much information is prohibitively time intensive." It also warns that the source code could soon become part of other hackers' toolsets. "Hacking Team's tools and techniques will likely begin to be incorporated in other malware and surveillance tools." Allegedly leaked Hacking Team code has already been added to the GitHub code-sharing repository.


Hacking Team did not immediately respond to a request for comment about the breach, so the contents of those alleged customer lists could not be confirmed. Hacking Team senior system and security engineer Christian Pozzi, whose emails and personal passwords - including for multiple social media accounts - appear to have been included in the leak, says via Twitter on July 6: "We are currently working closely with the police at the moment. I can't comment about the recent breach."

But the authenticity of that message is questionable, since Pozzi's Twitter account later posted a message suggesting that it too had been compromised by hackers: "We are closing down. Bye Saudi Arabia. You paid us well. Allahuhakbah." After those messages appeared, Pozzi's Twitter account appears to have been deleted in its entirety.

The Company's Customers

Numerous privacy rights groups say that the data leak provides a rare look into how governments spy on people at home and abroad. "Hacking Team is one of the most aggressive companies currently supplying governments with hacking tools," says Eric King, deputy director of civil rights group Privacy International. "[The] leak of materials reportedly shows how Hacking Team assisted some of the world's most repressive regimes - from Bahrain to Uzbekistan, Ethiopia to Sudan - to spy on their citizens."


Hacking Team advertises its Galileo and DaVinci software as being "the hacking suite for governmental interception," noting that it can handle "up to hundreds of thousands of targets, all managed from a central place." Some of the software's capabilities have been previously described by Citizen Lab, a privacy project run by the University of Toronto, which says that the vendor's spyware can copy files from the hard drive of an infected PC, record Skype calls and emails, intercept passwords typed into Web browsers, as well as remotely activate webcams and microphones. To employ the spyware, however, government agencies must first sneak it onto targets' PCs, and Citizen Lab says that phishing attacks are likely the most-used technique for accomplishing this.


Privacy researcher Christopher Soghoian, principal technologist at the American Civil Liberties Union, says via Twitter that according to the leaked information, Hacking Team's customer list "includes South Korea, Kazakhstan, Saudi Arabia, Oman, Lebanon, and Mongolia."


Soghoian adds via Twitter that according to a leaked March 2013 invoice for the first half of a related payment, Hacking Team also completed a €260,000 ($290,000) deal with the government of Azerbaijan by selling "through a shadowy front company in Nevada" named Horizon Global Group.


Citizen Lab had previously questioned whether Hacking Team was selling to governments that are widely viewed as being repressive. "We suspect that agencies of these twenty-one governments are current or former users of RCS: Azerbaijan, Colombia, Egypt, Ethiopia, Hungary, Italy, Kazakhstan, Korea, Malaysia, Mexico, Morocco, Nigeria, Oman, Panama, Poland, Saudi Arabia, Sudan, Thailand, Turkey, UAE, and Uzbekistan," it says in a 2014 report. "Nine of these countries receive the lowest ranking, 'authoritarian,' in The Economist's 2012 Democracy Index. Additionally, two current users - Egypt and Turkey - have brutally repressed recent protest movements."


The company's customer list had also earned it a place on the "Enemies of the Internet" list maintained by civil rights group Reporters Without Borders.


Hacking Team's alleged "maintenance agreement" tracker has been published to text-sharing website Pastebin; it says that the company's customers also include the U.S. Drug Enforcement Administration - as news outlet Vice first reported in April - and government agencies across the EU, including the Czech Republic, Hungary, Luxembourg, Poland and Spain. The FBI, meanwhile, is listed in that maintenance agreement as having an "active maintenance contract" with Hacking Team through June 30, 2015, while both Russia and Sudan are listed as being "not officially supported." Again, however, the authenticity of that information could not be confirmed, and it's possible that whoever leaked the files altered, added or fabricated the information.

The FBI did not immediately respond to Information Security Media Group's inquiry about whether the bureau is, or has been, a Hacking Team customer.

Hacker Targets

Cryptography expert Matthew Green, a Johns Hopkins University professor, says that more than any other type of company except bitcoin exchanges, surveillance software vendors should expect to face serious and sustained hacks. Thus, they should harden their defenses accordingly, but few seem to do so, he says.


Indeed, Hacking Team is not the first surveillance software vendor to have been hacked. In August 2014, Gamma Group - the creator of FinFisher malware, which it spun off as a separate company in 2013 - was also breached by PhineasFisher, who announced via Reddit that a 40GB data dump leaked to BitTorrent included internal documents, as well as price lists and support queries.

Will Sony Settle Cyber-Attack Lawsuit?

Did Sony underspend on information security, thus contributing to the success of the devastating hack attack against it, which came to light in November 2014? And can a business be held legally accountable by employees for their employer's information security shortcomings?


Those questions are central to a lawsuit filed by Michael Corona and eight other former Sony employees in the wake of what plaintiffs rightly dub a data breach "epic nightmare, much better suited to a cinematic thriller than to real life." Their suit accuses Sony of having failed to put an effective information security program in place, despite having previously suffered repeated, serious attacks.

"Sony failed to secure its computer systems, servers and databases, despite weaknesses that it has known about for years," the lawsuit alleges, citing in part a September 2014 audit by PricewaterhouseCoopers, which found that Sony's information security and monitoring practices fell below "prudent industry standards."


The lawsuit further alleges that nearly 100 terabytes of data was stolen, including 47,000 Social Security numbers and personally identifiable information for at least 15,000 current and former employees, some of whom had not worked for the studio since 1955. As a result, breach victims "face ongoing future vulnerability to identity theft, medical theft, tax fraud, and financial theft," the lawsuit plaintiffs allege. "In fact, plaintiffs' PII has already been traded on black market websites and used by identity thieves."

Lawsuit Ruling

Sony asked a court to dismiss the suit, and U.S. District Judge R. Gary Klausner this week did dismiss some parts, including allegations of breach of contract and that Sony failed to notify breach victims in a timely manner.


But in a setback for Sony, the judge ruled that other parts of the lawsuit can proceed, although he has yet to rule on the merits of these claims, including plaintiffs' allegation that Sony "made a business decision to accept the risk of losses associated with being hacked." The federal judge also agreed with the former employees' allegation that "to receive compensation and employment benefits, they were required to provide their PII to Sony." While many data breach lawsuits get dismissed on the grounds that the breach did not cause any economic harm to people whose information was stolen, Klausner said that by requiring employees' PII, Sony created a "special relationship that provides an exception to the economic loss doctrine."


Michael Sobol, an attorney for the plaintiffs, told the BBC, "We are pleased that the court has properly recognized the harm to Sony's employees."


A spokeswoman for Sony Pictures Entertainment did not immediately respond to a request for comment on the ruling.


In the wake of the 2014 attack, at least nine other lawsuits were filed against Sony by individual former employees. Like the Corona suit, all of these lawsuits seek class-action status, meaning they would include all current and former employees who were affected by the cyber-attack.

Wiper Malware Attack

To recap: Sony suffered a devastating wiper malware attack in November 2014, ostensibly designed to punish the company for releasing "The Interview," a satiric film starring James Franco and Seth Rogen that featured the fictional death of North Korean leader Kim Jong-un.


But before the attackers unleashed their wiper malware and began erasing Sony hard drives and bricking laptops, they penetrated Sony's network and stole tens of terabytes of data, including copies of unreleased movies and the script for the upcoming James Bond film "Spectre," as well as numerous private email exchanges, all of which the attackers began leaking.


Sony, in a December 2014 breach notification filed with California state authorities, reported that the breach appeared to compromise current and former employees' names, addresses, Social Security numbers, driver's licenses and passport numbers, corporate credit card information, usernames and passwords, and salaries. Sony also warned that individuals' "HIPAA-protected health information" may have been exposed, including medical diagnoses, dates of birth, health plan identification numbers, and personal and health-related information.


As noted in Corona's lawsuit, large amounts of this information were leaked to the Internet by attackers and likely remain in circulation.

Lawsuit Resolution: Unclear

What will happen next in the Sony class-action lawsuit saga, of course, is not clear. But based on past breach-related lawsuits, it's likely that unless the lawsuit gets dismissed, Sony will ultimately settle, rather than risk a jury trial and ruling that might give breach victims more rights.


If Sony did make a business decision to underspend on security, it was a costly move. In February, Sony said in an earnings report that it expected to spend $35 million in cleanup costs through the end of its fiscal year in March, largely related to restoring the company's "financial and IT systems." But as the multiple lawsuits highlight, Sony faces continuing legal costs, as well as the risk that it will eventually have to pay damages or settlements.


But any such settlement likely would not happen soon. Indeed, Sony only settled a lawsuit filed in the wake of its April 2011 breach - a year in which the company fell victim to more than a dozen breaches - in June 2014. That breach exposed personal information for 77 million users of the Sony PlayStation Network and Qriocity services.


By that timeline, the lawsuits stemming from the 2014 Sony cyber-attack may not be resolved until at least 2017.

Five Steps to Secure Your Data After I.R.S. Breach

The Internal Revenue Service has been added to a long list of companies and government agencies that hackers have breached in the last year.

And so, if there is any advice security experts have for those trying to keep their personal information safe, it is simply: You can’t.

“Your information has already been out there for years, available to anyone who wants to pay a couple dollars,” Brian Krebs, a security blogger who has been a frequent target of hackers, said Wednesday.

The attack on the I.R.S. is just the latest evidence that hackers already have all the information necessary to steal your identity. The agency said Tuesday that hackers used information stolen from previous breaches — including Social Security numbers, birth dates, street addresses and passwords — to complete a multistep authentication process and


But consumers can make things harder for criminals. There may be a trade-off in convenience, but experts say the alternative is a lot worse.

1. Turn on multifactor authentication.

If a service offers added security features like multifactor authentication, turn them on. When you enter your password, you will receive a message, usually via text, with a one-time code that you must enter before you can log in.

Most banking sites and popular sites like Google, Apple, Twitter and Facebook offer two-factor authentication, and will ask for a second one-time code anytime you log in from a new computer.

2. Change your passwords again.

Yes, you need to change passwords again and they have to be passwords you have never used before. They need to be long and not words you would find in a dictionary. The first thing hackers do when trying to break into a site is use computer programs that can test every word in the dictionary.

Password managers like LastPass or Password Safe create long, unique passwords for the websites you visit and store them in a database that is protected by a master password you have memorized.

It may sound counterintuitive, but the truly paranoid write down their passwords.

Security experts advise creating acronym-style passwords from song lyrics, movie quotations or sayings, and using symbols or numbers and alternating lower and upper case to make the password more difficult. For instance, the "Casablanca" movie quotation "Of all the gin joints, in all the towns, in all the world, she walks into mine" becomes OaTgJ,iAtT,iAtW,sWiM.

Use stronger, longer passwords for sites that contain the most critical information, like bank or email accounts.
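To make the advice in this step concrete, here is an added example (not code from the original article): it builds the Casablanca-style acronym password exactly as described, shows the dictionary attack the text warns about running against an unsalted hash, and provides a generator that draws from the operating system's CSPRNG, which is what a password manager does for you. The seven-entry word list stands in for the multi-million-word dictionaries cracking tools ship with and is a constructed sample.

```python
import hashlib
import secrets
import string
from typing import Iterable, Optional

# A tiny constructed word list standing in for the dictionaries cracking tools ship with.
COMMON_WORDS = ["password", "letmein", "pizza", "welcome", "casablanca", "summer", "qwerty"]


def mnemonic_from_phrase(phrase: str) -> str:
    """The acronym-style password described above: first letter of each word, case
    alternating word by word, any trailing comma on a word kept as a separator.
    The Casablanca quotation yields 'OaTgJ,iAtT,iAtW,sWiM'.
    """
    out = []
    for index, word in enumerate(phrase.split()):
        letter = word[0].upper() if index % 2 == 0 else word[0].lower()
        out.append(letter + ("," if word.endswith(",") else ""))
    return "".join(out)


def crack_with_dictionary(digest_hex: str, words: Iterable[str]) -> Optional[str]:
    """The attacker's first move against a leaked unsalted SHA-256 hash: try every word,
    capitalised or not, plus the digit and punctuation suffixes people append.
    Returns the recovered password, or None if the dictionary does not contain it.
    """
    for word in words:
        for base in (word, word.capitalize()):
            for suffix in ("", "1", "123", "!", "2015"):
                candidate = base + suffix
                if hashlib.sha256(candidate.encode()).hexdigest() == digest_hex:
                    return candidate
    return None


def is_weak(password: str, words: Iterable[str], min_length: int = 12) -> bool:
    """Policy check matching the advice above: long enough, and not a dictionary word
    dressed up with trailing digits or punctuation."""
    if len(password) < min_length:
        return True
    core = password.lower().rstrip("0123456789!@#$%^&*")
    return core in set(words)


def generate_password(length: int = 20) -> str:
    """A random password from the OS CSPRNG; this is what a password manager stores for you."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    quote = "Of all the gin joints, in all the towns, in all the world, she walks into mine"
    print(mnemonic_from_phrase(quote))
    leaked = hashlib.sha256(b"Welcome1").hexdigest()
    print("dictionary attack recovers:", crack_with_dictionary(leaked, COMMON_WORDS))
    print("random:", generate_password())
```

The mnemonic survives the dictionary pass here only because the phrase is not in this particular list; song lyrics and film quotations are in real cracking word lists, so the generated password is the one to keep, and the mnemonic is best reserved for the single master password you must memorise.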

3. Forget about security questions.

Sites will often use security questions such as “What was the name of your first school?” or “What is your mother’s maiden name?” to recover a user’s account if the password is forgotten.

These questions are problematic because the Internet has made public record searches a snap and the answers are usually easy to guess.

In a recent study, security researchers at Google found that with a single guess, an attacker would have a 19.7 percent chance of duplicating an English-speaking user’s answer to the question, “What is your favorite food?” (It was pizza.)

With 10 tries, an attacker would have a 39 percent chance of guessing a Korean-speaking user’s answer to the question, “What is your city of birth?” and a 43 percent chance of guessing the favorite food.

Jonathan Zdziarski, a computer forensics expert, said he often answers these questions with an alternate password. If a site offers only multiple choice answers, or only requires short passwords, he won’t use it.

“You can tell a lot about the security of a site just by looking at the questions they’ll ask you,” he said.

4. Monitor your credit.

Typically a service will offer one year of free credit monitoring if it has been breached. But be aware that attackers do not dispose of your Social Security number, birth date or password a year after they acquire it.

It is better to monitor your credit aggressively at all times through free services like AnnualCreditReport.com.

5. Freeze your credit.

In the attack at the I.R.S., a credit freeze may not have thwarted thieves from filing for false tax refunds, but it could have stopped them from pulling tax transcripts or opening other accounts.

To freeze your credit, call Equifax, Experian or TransUnion and ask to have your account frozen. The credit agency will mail a one-time PIN or password to unfreeze your account later.

The fee to freeze and refreeze credit varies by state. If you plan on applying for a new job, renting an apartment or buying insurance, you will have to thaw a freeze temporarily and pay a fee to refreeze the account.

But if you have been a victim of identity theft, and can show a police report proving as much, most states will waive the freeze fee.

New Rombertik malware destroys master boot record if analysis function detected

While malware that scans for analysis tools is nothing new, Cisco researchers have identified a new malware sample that takes its detection-evasion features one step further than the average malware.


Instead of simply self-destructing when analysis tools are detected, Rombertik attempts to destroy the device's master boot record (MBR), researchers wrote in a blog post.


This malware spreads through spam and phishing messages sent to possible victims.


In one example, attackers attempted to convince a user to download an attached document in an email. If downloaded and unzipped, a file that looks like a document thumbnail comes up. Although it mimics a PDF icon, it is actually a .SCR screensaver executable file containing the malware.


At this point Rombertik will first run anti-analysis checks to determine whether it is running within a sandbox. If it isn't, it will then decrypt and install itself, which then allows it to launch a second copy of itself and to overwrite the second copy with the malware's core functionality. Then, again, it will check to make sure it isn't being analyzed in memory. If it is, the attack takes an even more malicious turn with the malware attempting to destroy the Master Boot Record and restart the computer to make it inoperable.


To make actual analysis even more difficult, in the unpacked Rombertik sample examined by Cisco more than 97 percent of the packed file is dedicated to useless content, including 75 images and more than 8,000 functions that are never called.


Plus, instead of evading sandbox detection by sleeping for a certain amount of time and forcing the sandbox to time out, Rombertik writes a byte of random data to memory more than 900 million times. If an analysis tool attempted to document all these write instructions, the log would be more than 100 gigabytes.


All this occurs before the malware actually gets down to its true purpose of capturing a victim's plain-text data sent over a browser. Rombertik injects itself into the user's preferred browser's process and hooks API functions that handle plain text data. The attackers can then see usernames and passwords from almost any website a user visits.
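The initial lure described above, a .SCR executable wearing a PDF icon inside a zipped attachment, is the cheapest point in this chain to stop. The following is an added example, not code from Cisco or from the original article: a mail-gateway-style triage of a zip attachment that never extracts it to disk, flagging members with an executable extension, a document extension hidden in front of the real one, or a PE header regardless of what the file is called. The attachment it inspects is constructed in memory; the "executable" members are stubs that merely begin with the MZ signature, not real programs, and the extension lists are assumptions of the example.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows will execute on double-click even when the icon looks like a document.
EXECUTABLE_SUFFIXES = {".scr", ".exe", ".pif", ".com", ".cpl", ".bat", ".cmd",
                       ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
DOCUMENT_SUFFIXES = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def triage_zip(data: bytes) -> Dict[str, List[str]]:
    """Inspect a zipped attachment without extracting it; map suspicious member -> reasons."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            basename = info.filename.rsplit("/", 1)[-1].lower()
            parts = basename.split(".")
            if len(parts) >= 2 and "." + parts[-1] in EXECUTABLE_SUFFIXES:
                reasons.append("executable extension ." + parts[-1])
            if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_SUFFIXES:
                reasons.append("document extension hidden before the real one")
            # Read only the first two bytes: a PE file starts with 'MZ' whatever it is named.
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    reasons.append("PE header (MZ) at offset 0")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed attachment for the demo: stubs that merely begin with a PE header
    (not real executables) plus an honest text file."""
    stub = b"MZ" + b"\x90" * 62 + b"\x00" * 256
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2015.pdf.scr", stub)  # the lure the text describes
        zf.writestr("report.pdf", stub)            # wrong extension, caught by the header
        zf.writestr("readme.txt", b"Please see attached.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_zip(build_sample_zip()).items():
        print(name, "->", "; ".join(reasons))
```

Reading two bytes per member keeps the check cheap even for large archives, and checking the header as well as the name is what catches the renamed executable; nested or password-protected archives, which this example does not open, are the usual way attackers route around such a filter.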

“This is the perfect example where layered defense makes a lot of sense,” said Craig Williams, technical leader, Cisco Talos, in an interview with SCMagazine.com.


Although the malware may beat one detection system, it's unlikely to evade them all, he said, making layered defense an important method to mitigate the risk. However, he noted, it's possible more exploit kits will begin adopting Rombertik's evasion tactics, making defense even more difficult.


Via Danen Raas, Paulo Félix

Bitcoin exchange loses $5 million in security breach

Bitstamp has suspended its Bitcoin exchange services after some of its operational wallets were compromised. While this is nowhere near the scale of the Mt. Gox debacle (850,000 bitcoins gone), the company says the attackers still made off with 19,000 BTC, roughly $5 million. The splash page that now replaces its website clarifies that the stolen coins came from its online (hot) wallets only and that the "overwhelming majority" of its reserves are held safely offline in cold storage. According to ZDNet, the service held $96.9 million in offline storage in May 2014, although that figure may have fallen since with Bitcoin's price.

Bitstamp says it will honor any transaction made before 4AM Eastern on January 5th, but it warns users (in bold capitals) not to send anything further to "previously issued bitcoin deposit addresses", as those deposits cannot be honored. It also promises to resume business within a few days, once it has finished moving to more secure servers.

Some users believe this page lists the fraudulent transactions that crippled Bitstamp, since they total 18,868 BTC and were all made over the weekend. But what actually happened is still unknown, particularly as no group has stepped forward to claim the breach. Given that the authorities still lack a clear picture of the 2014 Mt. Gox collapse, we may have to wait a long while to learn what happened to Bitstamp.



TorrentLocker ransom rampage encrypts 285 million files and counting

Slovakian security wizards ESET have delved deep into the guts of the TorrentLocker ransom malware and pulled out some interesting details of its destructive life story, starting with the number of files it has encrypted: a misery-inducing 285 million to date.

Although TorrentLocker is nowhere near the scale of the infamous CryptoLocker, and will likely never acquire its notoriety, that amount of file scrambling still adds up to 39,670 infected PCs by ESET’s count.

Judging by the spam used to distribute the malware, victims have also been surprisingly concentrated in a small group of countries: the UK, Australia, Canada, the Czech Republic, Italy, Ireland, France, Germany, the Netherlands, New Zealand, Spain and Turkey. That means the US was apparently not targeted, for whatever reason, although some Americans may have encountered the malware through other channels.

Of the nearly 40,000 victims identified from counters inside its command-and-control infrastructure, ESET found 570 who had paid the Bitcoin ransom, netting the criminals between $292,700 and $585,401 (£200,000 and up). A conversion rate of 1.45 percent is actually a decent pay-off, in line with other examples of ransom malware analysed in a similar way.

As a side note, earlier this year ESET estimated that around $40 million worth of bitcoins had entered a wallet suspected of receiving TorrentLocker’s proceeds, although not all of that would have come from ransom malware. Exactly how much money it has made is therefore still unclear.

A couple of smaller points are worth pulling out. Versions of TorrentLocker appear to have been around rather longer than previously realized, with the earliest samples turning up in anti-virus nets in February 2014, months before security company iSight Partners first publicised it.

Like Rumpelstiltskin, TorrentLocker also has its own private name, which ESET reveals to be the rather prosaic ‘Racketeer’, presumably a translation of a Russian noun.

“We believe the actors behind TorrentLocker are the same as those behind the Hesperbot family of banking Trojan malware,” said ESET’s Canadian-based researcher, Marc-Etienne M. Léveillé.

As reported elsewhere, the attackers had also fixed an AES encryption flaw that made it possible to work out the key used to scramble files, he said.
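An added illustration of the class of flaw referred to above; this is not ESET's or the malware authors' code. Published analyses of early TorrentLocker samples found that it applied the same AES counter-mode keystream to every file (later samples moved to CBC), so a victim holding a clean copy of any one encrypted file could XOR it against the ciphertext, recover the keystream and decrypt the same span of every other file. What falls out is the keystream rather than the key itself, which is all a victim needs. The example uses a SHA-256 counter keystream in place of AES (an assumption so that it runs with only the standard library; the weakness is in the mode of use, not the primitive), constructed file contents and a constructed key, and shows the per-file-nonce fix alongside.

```python
import hashlib
import os

# Constructed "files". The known one stands for any file the victim still has a
# clean copy of (a template, a sample PDF, an installer); the secret one is the
# file they actually want back. It must be no longer than the known file.
KNOWN_FILE = b"%PDF-1.4\n% constructed known-plaintext: a file the victim still has a clean copy of"
SECRET_FILE = b"CONFIDENTIAL: constructed patient roster, the file the victim wants back"
FLAWED_KEY = bytes(range(32))   # constructed; the attack never needs it
FLAWED_NONCE = b"\x00" * 16     # reused for every file: this is the defect

def keystream(key, nonce, length):
    """Counter-mode keystream. SHA-256 stands in for the AES block function so
    the example runs with the standard library only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, nonce, plaintext):
    """c = p XOR keystream(key, nonce). Decryption is the same operation."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))

def recover_keystream(known_plaintext, its_ciphertext):
    """c = p XOR ks, so ks = c XOR p: as many keystream bytes as the attacker
    has known plaintext, with no knowledge of the key."""
    return xor_bytes(its_ciphertext, known_plaintext)

def decrypt_with_keystream(ks, ciphertext):
    """Only the first len(ks) bytes of the ciphertext are recovered."""
    return xor_bytes(ciphertext, ks)

def demo_flawed():
    """Same key and nonce for both files: one known plaintext unlocks the other."""
    c_known = encrypt(FLAWED_KEY, FLAWED_NONCE, KNOWN_FILE)
    c_secret = encrypt(FLAWED_KEY, FLAWED_NONCE, SECRET_FILE)
    ks = recover_keystream(KNOWN_FILE, c_known)
    return decrypt_with_keystream(ks, c_secret)

def encrypt_fixed(key, plaintext):
    """The fix: a fresh random nonce per file, stored alongside the ciphertext,
    so no two files ever share a keystream under the same key."""
    nonce = os.urandom(16)
    return nonce, encrypt(key, nonce, plaintext)

def demo_fixed():
    """With unique nonces the keystream recovered from the known file is useless."""
    _n1, c_known = encrypt_fixed(FLAWED_KEY, KNOWN_FILE)
    _n2, c_secret = encrypt_fixed(FLAWED_KEY, SECRET_FILE)
    ks = recover_keystream(KNOWN_FILE, c_known)
    return decrypt_with_keystream(ks, c_secret) == SECRET_FILE

if __name__ == "__main__":
    print("flawed scheme, recovered:", demo_flawed())
    print("fixed scheme, recovered:", demo_fixed())
```

The same reasoning applies to any stream cipher or counter mode, AES-CTR included: the cipher is never attacked, only the reuse of its output.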

The easiest aspect of ESET’s research to overlook is that it documents the lures used in TorrentLocker’s spam campaign. As with every other malware attack through this channel, people receive an attachment they are socially engineered into opening. Some of the lures are quite devious and in some countries will certainly grab users’ attention: an alleged unpaid invoice, a speeding ticket, a package-tracking notice, all localized to the victim’s country.




Another Data Breach, Another Dollar For Identity Management Startups

As security breaches are reported for one major corporation after another, venture investors are writing bigger checks than ever in an attempt to buy some peace of mind.

From Target’s data breach, which put a damper on last year’s holiday season, to Bebe’s payment card breach reported last week, we have seen countless examples of access management gone wrong. It has become apparent that present identity management solutions are not cutting it, and investors are fully aware of it.

According to CrunchBase data, identity management startups have seen $350 million in venture dollars raised this year across 45 rounds — a big step up from last year’s $178 million raised over the same number of deals.

Q2 saw a major investment push as some of the first massive deals in the space were recorded for startups like Okta, Centrify, and Dashlane.

“Every time there’s a breach at one of these companies, we’ve seen enormous damages as a result,” says David Cowan of Bessemer Venture Partners, a frequent investor in the identity and security space.

“For businesses like Kmart and JP Morgan, these breaches cost them hundreds of millions of dollars,” says Cowan, and for users, “they’re able to steal your password from a website that you think is irrelevant to your life, and it turns out that’s the same password to your bank account and your Dropbox.”

Cowan is on the board at Dashlane, a password manager and secure digital wallet for consumers. Dashlane’s recent $22 million Series B is one of the larger rounds seen by a consumer-focused identity management application. To date, the majority of venture dollars have gone into companies like Centrify or Okta that provide multi-platform access management solutions for enterprise customers.

“When companies controlled all their systems on premise, everybody had a username and a password into those systems,” explains Robin Vasan of Mayfield Fund, an early Centrify backer, “but now with mobile devices and SaaS applications, those systems are no longer in control.”

“Identity management has seen such a resurgence of interest because enterprises are realizing that an employee of theirs goes and buys a new mobile device or is using a laptop from home and is accessing cloud applications, and those resources are no longer under the control of the enterprise,” says Vasan.

Centrify and others are tackling this issue by providing enterprises with secure identity management and single sign-on services that allow employees to access cloud-based applications across multiple devices.

Venture funding front-runner Okta will let you into all related apps with a single login, and five-year-old Dashlane will remember all of your passwords for you. But recently startups like Nymi and EyeVerify have closed sizable deals to replace passwords completely with biometric technology.

“People lump in together the identity management, access management, permissions and authentications — and we’re all about decoupling that,” says Nymi founder Karl Martin. “There’s a simple philosophy around privacy — a system should only know as much about you as it needs to for that application.”

Nymi seeks to accomplish this through a wristband that identifies a user by their unique electrocardiogram signal and acts as a gateway to provide easy authentication for a number of applications.

“Biometrics are a very useful tool for identity management, but the danger there is that you’re collecting a massive database of biometrics, and that has many implications for security and privacy,” says Martin. It’s a legitimate concern — the idea of handing over more personal data to protect the data that’s already out there seems a bit backward at first.

But Nymi isn’t collecting or storing any of this data. “It’s not verifying who you are, just that you’re the same person that showed up before,” says Martin of the Nymi band. “We’re not actually managing your identity — that should be application specific, and you shouldn’t have all of your information in one place.”

Nymi has locked down a variety of partnerships, from password manager PasswordBox to MasterCard, and is in the process of closing more deals to become something like a single sign-on for the world.

“I don’t think anybody has a sense that we have actually good solutions in operation now, there’s absolutely a need for new technology,” says Martin. “On the one side it’s kind of crazy what we’re doing, but on the other side, do you imagine ten years from now that we’ll still be using passwords?”


