Author Archives: Security Experts

Facebook API Bug Exposes 6.8M Users’ Photos to Developers

News is breaking that Facebook has exposed the private photos of an estimated 6.8 million users, due to an API bug. The bug allowed third-party apps to access photos beyond those they had requested, including users’ timeline photos, Facebook Stories and Marketplace photos, as well as photos users had uploaded to Facebook but never shared.
Facebook says the bug impacted users between Sept. 13 and Sept. 25, 2018. The company has said users impacted by this Facebook API bug have been notified with an alert (notification) in Facebook. IT security experts commented below.

Mark Weiner, CMO at Balbix:

“Facebook failed to report this bug to Europe’s Information and Data Protection Commissioner (IDPC), putting the company at risk of receiving sanctions under GDPR. However, that’s likely the least of Facebook’s worries. Mishandling the disclosure of another serious security incident this year not only gives the company a poor public image, it can also affect their stock price over the long-term.
Facebook joins Google+ as another social media platform affected by an API bug in recent news proving that most organizations today – including tech giants – do not have adequate visibility into the hundreds of vulnerabilities and other threats facing their networks that could lead to unauthorized exposure of sensitive information. Even when gaps in security are detected, most companies struggle to decide which remediations to prioritize, given limited IT resources and manpower. With 2019 around the corner, we will start to see organizations adopt security tools that leverage artificial intelligence and machine learning to continuously monitor for vulnerabilities and attack vectors, and to produce lists of prioritized fixes based on potential business impact.”

Bryan Becker, Application Security Researcher at WhiteHat Security:

“If we take Facebook at their word that the exposure only ran for 12 days, I think it’s best to assume this was caused by a bug in a code update (rather than, say, a poorly thought out security policy). Preventing bugs like this from making it to production takes an organized effort across the team. Secure code review, automated testing, and auditing are all needed to help defend against insecure code pushes. When these review steps aren’t in place, or are circumvented in the name of efficiency, breaches and information leaks will happen. Organizations should look for ways to automate these processes to make it easier to vet new code before it goes live.”

The ISBuzz Post: This Post Facebook API Bug Exposes 6.8M Users’ Photos to Developers appeared first on Information Security Buzz.

New Android Trojan Bypasses PayPal’s 2FA

In response to new research finding that an Android Trojan steals money from PayPal accounts even with 2FA on, two experts with OneSpan offer perspective and considerations for both end users and developers.

Sam Bakken, Senior Product Marketing Manager at OneSpan:

It’s time for all of us to be more scrupulous when it comes to the apps that we install and the permissions we grant them. Accessibility permissions are incredibly powerful and can lead to malware taking action on your behalf inside your apps which is what occurred in this case. Though it’s not a cure-all (after all banking Trojans make it onto official stores as well), it’s best to stick with official app stores. In addition, before you download the app, make sure you’re taking time to read reviews — especially the negative reviews as miscreants are known to create fake positive reviews of their apps in order to hook more victims. Finally, when we download an app, we need to think hard about whether there’s actually good reason to grant an app the permissions it asks for, and really, to be safest we should default to not granting those permissions even if it means you can’t use that particular app. App developers and publishers can also offer some relief by using app shielding technology in their mobile apps to detect malicious behaviors and shut the targeted app down and stop fraud before it takes place.

Will LaSala, Director of Security Solutions, Security Evangelist at OneSpan:

“The newly released information regarding an attack against the PayPal app highlights the vulnerabilities of installing apps from unknown sources and how easily an overlay attack can hijack a strong application. This starts with the user being tricked into downloading a simple utility app, which is in actuality a malware application. What is concerning is that this malware app can download other applications, so even though today’s attack is against PayPal, this attack could easily be repurposed to attack any other application on the user’s mobile device. What’s new for this malware is that it is not focused on phishing for the user’s credentials, although it appears to attempt to phish for the user’s credit card information; instead it attempts to directly attack the transaction by creating an instant money transfer to the attacker’s account.

“Application providers need to offer protection against these types of attacks.  Solutions such as mobile application shielding prevent screen overlay attacks and can render this type of attack useless.  Additionally, application providers should use application repackage prevention technologies and only publish their application on official app stores, as this will further strengthen the bond for their users and encourage them to also only get their applications from the trusted app stores.  Finally, applications should be implementing intelligent risk based step-up authentication.  This allows the application to detect a fraudulent transaction and then automatically request that the user perform the correct type of authentication before the transaction is allowed to be completed.  In this particular case, if intelligent risk based step-up authentication had been used, it is likely that the application would have flagged this transaction and would have asked the user for a fingerprint or facial authentication before allowing the transaction to continue.

“Consumers should be wary of installing any applications from any external sources and wary about the permissions they allow their applications to have. Permissions are not always clear cut, and if a user is questioning a permission it is better not to allow the permission and ask the developer for more information before allowing it. Open communication with the app developer and full clear understanding of how an app works are key objectives to any app developer for their users.”


Ransomware Attack Exposing Data Of 16,000 Patients

Cybersecurity experts Matan Or-El and Leon Lerman commented on recent news of yet another healthcare data breach, this one a ransomware attack at the Redwood Eye Center in California.

Matan Or-El, CEO at Panorays:

“As healthcare organizations integrate more third-party software and systems, their risk increases as well. The Redwood Eye Care Center found this out when its EMR hosting vendor was hit with ransomware, exposing the personal information of more than 16,000 patients. Healthcare information is a popular target with cybercriminals, as it sells for high prices on the dark web. Even though Redwood Eye Care Center has changed vendors, this could happen again. That is why healthcare organizations need to continuously monitor the security of all their third-party vendors to detect any changes in security and react quickly.”

Leon Lerman, CEO at Cynerio:

“In the 2018 HIMSS Cybersecurity Survey, more than two-thirds of healthcare leaders admitted to facing a significant security incident in the last year. This strongly shows us that attackers continue to find ways into the hospital’s network and it’s inevitable for the initial infection to happen – organizations need to make sure they have the right controls in place to detect the attack on time and stop the spread before significant damage is done. This includes adding visibility, detection and protection capabilities to areas to which the providers are typically blind – like connected medical devices & their ecosystem which attackers use as a gateway to the hospital’s sensitive data.

The increased resources to address cybersecurity needs is a step in the right direction, as one of the main reasons healthcare is among the top targeted industries by hackers is its lax security posture which hackers leverage to put their hands on sensitive patient data which is still one of the most profitable assets on the black market. Providers will need to leverage the resource increase to deal with the growing number of security risks, which include not only the traditional infosec risks but also healthcare specific emerging risks – like the risk associated with the increased introduction of connected medical devices.”


Stolen Government Login Credentials

Login credentials for more than 40,000 Government accounts in 30 countries have been discovered by Russian cybersecurity researchers from Group-IB.

Mike Bittner, Digital Security & Operations Manager at The Media Trust:

“Government agencies are easy targets of phishing campaigns because they often publish their employee directories online. They are also highly desired targets because they store sensitive information on state secrets, on new products in the process of approval, including those of the world’s largest companies, and on private citizens. And given budget cuts, many of these agencies rely on a large pool of third parties, who are listed in publicly available government sites. Since transparency is a government’s responsibility in a democracy, agencies should beef up their security measures. A few key steps include continuously scanning in real time the sites and mobile apps that citizens and companies use to access government services in order to identify any unauthorized activities and nip them in the bud. Second, they should know who all their third parties are and what activities they have authorized them to conduct. Third, they should use physical devices that generate a new token each time a government employee logs in. Fourth, they should train all staff to be wary of phishing scams and other suspicious events. Finally, since securing sensitive information is key to accomplishing their mission, it should therefore be appropriately funded. These phishing campaigns will only grow in frequency, mainly because they pay off.”

Justin Jett, Director of Audit and Compliance at Plixer:

“Stolen credentials are a primary mechanism for malicious actors to gain access to sensitive information. The latest news of 40,000 stolen government portal logins is just another example. Proper password resets and time limits are important, but organizations should also ensure they deploy network traffic analytics to uncover when malicious actors attempt to access systems on the network. Because the hackers have the credentials, they aren’t going to try connecting to a machine more than once. Instead, they will try to connect to many machines until they gain access. Once they have a foothold, they will try to steal any sensitive data they can access. Network traffic analytics can show there are attempts to log in to multiple machines, especially when the user has never legitimately accessed those machines. Finally, where possible, two-factor authentication should be deployed to limit access to authorized individuals.”


Operation Sharpshooter Targets Global Defense, Critical Infrastructure

McAfee Labs has issued new findings today: ‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure. The attacks start with phishing campaigns and move on using more sophisticated approaches.

Colin Bastable, CEO at Lucy Security:

“Phishing attacks evolve very quickly: this looks like a trial run, and it will escalate and spread metastatically.

State actors use misdirection, because they are engaged in asymmetric cold warfare, and they will not be concerned about collateral damage. For them, the more the merrier. Cyber criminals will pick it up and run with it – the end results will be the same, regardless of who instigated the attack.

But, because it is a phishing attack it is possible to defend against and mitigate losses from successful attacks.

To successfully defend against such attacks, you must secure people and systems in a holistic model and allow them to evolve together as a single unit. The siloed approach – security systems on one side, people testing and awareness training on the other – is the wrong approach. It is also wrong to focus on decreasing intrusion rates because it only takes one intrusion to ruin a CISO’s day.”

Anthony James, CMO at CipherCloud:

“Operation Sharpshooter is a sophisticated attack campaign likely part of an effort by a nation-state or their proxy to compromise and gather defense information globally. Phishing remains a reliable and competent attack vector which the attackers are successfully using to compromise targeted organizations.

Yes, you can guard and reduce the probability of successful social engineering attacks using techniques like phishing, but you cannot eliminate them all. Attackers will gain access to your internal networks. It becomes critical to protect data, guard against the commonly expected threats, and have the visibility to detect them and rapidly shut them down.

Once attackers acquire credentials, you must be able to ascertain the use of these credentials. Is this user accessing your network at 2 am? Is that normal behavior? Is one of your users trying to log in from Beijing yet they only logged in from Chicago two hours prior? Is a set of credentials being used from an unauthorized non-corporate device or mobile device? Acting upon this type of information is part of the necessary cyber defense counter-balance to meet and defeat the attackers that have successfully penetrated your networks.”


Payment System Hack At Texas Hospital

Nearly 48,000 patients have been affected by a breach of a credit card processing system that was utilized by Baylor, Scott and White Medical Center, a hospital in Texas.

Justin Jett, Director of Audit and Compliance at Plixer:

“Medical-related data breaches are lucrative because malicious actors can try to sell data to advertisers based on health conditions. While credit card systems don’t contain information relating to specific medical data, they do leak information about which providers a patient has visited, which is protected under HIPAA. This is why network traffic analytics is critical to organizations. Without this type of data, businesses don’t have the forensic data they need to trace a breach from its origin, and, therefore, have a much harder time root-causing the breach. By looking at network traffic patterns, organizations can verify that sensitive information isn’t being accessed by non-authorized systems or third-party vendors.”

Mike Bittner, Digital Security & Operations Manager at The Media Trust:

“Credit card-related hacks are happening with rising frequency because when successful they provide bad actors with a trove of information they can immediately exploit, use in later attacks, or sell in the black market. Bad actors know that third-party providers are often involved in processing this information; to the formers’ benefit, the latter often have weak security postures and provide a trusted connection to their clients’ systems—factors that make them ideal targets. Industry standards like PCI DSS and HIPAA that promote data privacy and security should recognize and address the risks that third parties pose, especially as outsourcing payment processes and website management have become the norm. Companies that do outsource should make data security and privacy a priority when vetting third parties. Moreover, they should frequently audit their third parties’ data practices. Finally, they should continuously monitor their websites and mobile apps for any unauthorized activities. These steps will beef up data security and reduce the risk of a breach.”


One In Four NHS Trusts Spent No Money On Cyber Security Last Year

It has been reported that four National Health Service trusts in England and Wales spent no money on specialist cyber-security training or expertise in the past year, according to new figures compiled by cyber-security company Redscan. The data revealed that on average, trusts employed just one qualified cyber-security professional for every 2,582 employees, and many are falling short of training targets.

Edgard Capdevielle, CEO at Nozomi Networks:

“Research has repeatedly shown that people are often the weakest link when it comes to cyber security. We are also seeing a number of security incidents where cyber criminals are targeting employees within critical infrastructure organisations with phishing emails in order to gain deeper access to systems. So teaching staff how to handle these emails is key to defending against them.

Because attackers understand that humans offer the easiest route into organisations, cyber security awareness training should be treated as a necessity, not something which is optional.”

Sam Curry, Chief Security Officer at Cybereason:

“This is a wakeup call that we are all digitally connected and can’t ignore it. Much as we might like to pretend we can spend our budgets in a pre-digital age manner, we can’t; and security is a small tax to spend for all the benefits that the digital age with clouds, big data, machine learning and global connectivity bring for improving the health of Britain. Britons deserve health and privacy and security and no less.

Most trustees try to optimise spend to save lives and security (and privacy) isn’t on their priority list. This should be, though, and they should be required to have cyber advisors on staff and to have both emergency contingency plans, an assessment of cyber posture and a target and plan to improve.

While spend isn’t strictly proportional to effectiveness when looking to improve a plan, it does matter. Quality may matter more than quantity, but many have neither quantity nor quality. This is a problem. Even with stretched budgets, there should be guidelines for assessing security maturity and standard percentage-of-IT spend guidelines. Trustees should have to justify not meeting these minimum criteria and quality rather than quantity can be addressed later. First get the spend up, then worry about optimizing. The potential also exists to pool resources and to use third parties for efficiency and critical mass as other private sector industries (such as insurance and banking) have done or to work with other parts of the government.”


Australia’s New Data Encryption Law

Following the news that Australia passed a hotly-debated national encryption law, IT security experts commented below.

Colin Bastable, CEO at Lucy Security:

“The issue is back doors and exploits – if governments can use them lawfully, cyber criminals can use them unlawfully. EternalBlue, for example, was gifted to cybercriminals by a leak from the NSA.

Australia is opening a backdoor, and we should assume that other Five Eyes nations will follow or are already there.

People should act on the basis that they have no privacy with email, web browsing or using a mobile app.”

Terrie Anderson, APAC Regional Director at Venafi:

“This new law will have an unfortunate impact on Australia’s citizens and technology industry. Simply put: it is not feasible to force organizations to create backdoors into their products and have them comply with the consumer protection standards outlined in GDPR.

In addition, giving the government backdoors to encryption destroys our security and makes communications more vulnerable. Government mandated backdoors will allow cyber criminals to undermine all types of private, secure communication.

Ultimately, this law will not only hurt our technology industry, it will bolster the actions of malicious actors.”

Jake Moore, Cyber Security Expert at ESET UK:

“This could have a devastating knock-on effect around the world. Creating a back door for law enforcement will never assure that no one else will be able to access the database or files, and criminals will learn to exploit these vulnerabilities. If you break the fundamental way that encryption works, you risk breaking the internet and eradicating any trust and security. The www would stand for the ‘Wild Wild West’ not ‘World Wide Web’.”


Russia Attacks Ukraine’s Telecommunications Systems

Following the news that Ukrainian authorities say they’ve thwarted a huge cyberattack on their telecommunications systems and are blaming Russia for the assault, security experts commented below.

Moreno Carullo, Co-founder and CTO at Nozomi Networks:

“The attacks on Ukraine’s telecommunications systems highlight that attackers are once again relying on phishing as a means to target critical infrastructure. It is therefore extremely important that staff within critical infrastructure organisations are taught to recognise phishing emails and not to click on links or open attachments from unknown sources.

Phishing is one of the major attack vectors cybercriminals will use to target critical infrastructure, and this was demonstrated in our recent study around GreyEnergy – another piece of malware which was targeting critical infrastructure in Ukraine via phishing.

Today’s determined attackers are showing no signs of slowing down, so teaching staff to ‘think before they click’ is key to defending against these types of attacks.”

Sam Curry, Chief Security Officer at Cybereason:

“Russia is at a geopolitical crossroads between empire and obsolescence. One future has Russia being a minor, divided, ageing nation that no longer innovates or is an economic powerhouse. Another has it re-exerting regional influence and creating a new balance of power. It’s this latter path that has led to election tampering, alleged assassinations, statism and adventurism. Without a change in leadership, it’s naive to expect that the Russian Bear will quiesce and retire to its cave, let alone find a third path fostering innovation, energising a people and engaging in a new peace with the West, the East and the Middle East.

“The Ukraine is just far enough out of reach for Western powers, with a carefully nurtured Russian minority and from the former buffer states that the playbook is obvious. Ukraine and any other adjacent nation in a similar position needs to be leery of attacks that soften, test, probe and seek to destabilise, because destabilisation is a heartbeat away from so-called police actions, nation building and adventurism. The world needs to pay attention to the Ukraine; it’s not a side show, but is main stage in Eastern Europe for the balance of world powers.”


‘London Blue’ Hacker Group Targets 35,000 Chief Financial Officers

A hacker group has compiled a list of 35,000 chief financial officers, some working at the world’s biggest banks and mortgage companies, so it can target them with requests to transfer money.

The “London Blue” hackers are the latest group to focus on “business email compromise” (BEC) campaigns, according to the cyber threat detection company Agari, which found a list of 50,000 targets. Most of the rest of the people on the list were in accounting departments.

Agari has handed its evidence to the US and UK law enforcement agencies. If members of the hacking group are found to be based in the UK and US, it could be easier to prosecute them than in other territories.

IT security experts commented below on the rise of BEC campaigns targeting CFOs and the global threat posed by London Blue.

Tim Sadler, Co-founder and CEO at Tessian:

“Business email compromise (BEC) campaigns, like any other strong-form impersonation email attack, seek to defraud an organisation of money or sensitive information by spoofing a trusted individual’s identity and hijacking their relationship with an unsuspecting colleague in order to reveal the necessary information.

In this case, the unsuspecting individuals are CFOs at globally renowned financial institutions. As Agari’s research highlights, high profile and C-level employees of financial institutions are becoming increasingly popular targets of BEC scams because they have access to lucrative data and have the power to authorise high-value money transfers. The Pathé incident from a few weeks ago, in which 19 million euros was stolen after the company’s CFO was duped by a BEC email scam, also emphasises how effective, and costly, these attacks can be.

It is clear that no employee, regardless of seniority, is safe from the threat of spear-phishing. As long as a willing attacker can gain access to the requisite information, and email networks remain open and unprotected, they can effectively masquerade as an employee in order to exploit those that have the power to manage and release company funds. With access to global contact lists and a deftness for strong-form impersonation methods, London Blue have the resources and know-how to extract money at a great scale.”

Corin Imai, Senior Security Advisor at DomainTools:

“This revelation should be a serious concern to businesses. BEC fraud can have devastating consequences for the organisation targeted; the amounts of money involved more than often outweigh those associated with the more general phishing scams, which cast a wide net in the hopes of securing multiple payments. These scams prey on the high-pressure environments of large corporations, hoping that those responsible for transferring funds will be more concerned with completing the task quickly than by making sure it is an authentic request. CFOs should make efforts to verify any requests that they find unusual. Taking slightly longer to make a transfer is significantly better than unwittingly helping to facilitate a fraudulent transaction.”

Javvad Malik, Security Advocate at AlienVault:

“It should come as no surprise for companies to experience BEC or similar targeted phishing attacks against CEOs, CFOs and other executives.

It is a social engineering attack which relies on fooling the recipients into making payments. Therefore, educating and making execs aware of these scams is the first step in nipping the problem in the bud. Additional measures can be taken whereby double authorisation is needed to set up a new recipient or to send large payments.”


Industry Leaders Reaction On Quora Breach

Quora.com, a site where people ask and answer questions on a range of topics, said hackers breached its computer network and accessed a variety of potentially sensitive personal data for about 100 million users. Compromised information includes cryptographically protected passwords, full names, email addresses, data imported from linked networks, and a variety of non-public content and actions, including direct messages, answer requests and downvotes. The breached data also included public content and actions, such as questions, answers, comments, and upvotes.

Colin Bastable, CEO at Lucy Security:

“The bad news just keeps coming: Dark Web hackers now have access to data imported to Quora from linked networks; the passwords were probably decrypted over the weekend; names, email addresses and personal addresses are probably being cross-referenced against Marriott accounts right now.

Quora requires that people use their real names to register and doesn’t store the identities of people who post anonymous content; perhaps the most important message for consumers online is “stay anonymous” – because if you don’t have an account, you are less vulnerable.”

John Gunn, CMO at OneSpan:

“As breaches go, this is really relatively mild – no credit card information, no social security numbers, no passport data, just user names, passwords, and email addresses. Considering that there have already been countless breaches of passwords, and no responsible security professional protecting assets of value relies on them anymore, the 100 million Quora “victims” are really at no greater risk than they were before the breach.”

George Wrenn, CEO and Founder at CyberSaint:

“This particular breach could mean more for the individual consumer who integrates the use of his or her social networks, uses the platform more often, and leaves more personal information on the platform than those who don’t. Only time will tell what the true impact of this breach is as the company investigates further. The recommendation I would make to all organizations maintaining data such as this is to align with and measure their NIST Cybersecurity Framework posture at a minimum, so that they are at least supporting best practices, and to add data privacy and protection measurement to their program as well for the sake of users.”

Anthony James, CMO at CipherCloud:

“At 100 million records the Quora breach likely makes the unhappy list of top ten data breaches of all time. The top ten includes Yahoo! twice (1 billion and 500 million), MySpace at 360 million, eBay at 145 million, Equifax at 143 million, Target at 110 million, LinkedIn at 100 million, and others.

Quora is not alone in finding that current perimeter defense and endpoint security strategy doesn’t work well anymore. Attackers will get into your cloud. New technology is available to ensure all of your cloud data is transparently encrypted before it is delivered to the cloud application (zero trust encryption), so that any unauthorized entry point to your cloud data renders the attackers’ access futile. This gives you the time you need to detect these cyberthieves, shut down the attack, and resume normal operations with confidence. If the data is encrypted, and the data encryption keys are stored separately, by definition there is no breach as they cannot access the data.”

Ruchika Mishra, Director of Products and Solutions at Balbix:

“The news about Quora’s data breach comes one week after Dell announced a similar breach of its Dell.com online accounts. These breaches highlight how most enterprises today do not have adequate visibility into all vulnerabilities in their networks and infrastructure, and therefore cannot take proper actions to avoid breaches.

Quora has made statements to try and reassure affected users that the information exposed would unlikely lead to identity theft, since the company does not collect or store Social Security numbers or credit card information for its users. However, any breach of personal info is reason enough for users to be alarmed, and breaches like this can still significantly damage a company’s reputation. It’s not just about the data that was breached, it’s also a breach of trust.”

Jacob Serpa, Product Marketing Manager at Bitglass:

“At 100 million records, Quora’s breach is one of the largest reported data breaches this year – it ranks behind those experienced by Under Armour (150 million records) and Marriott (500 million records). For companies like Quora that boast massive databases of customer information, brand reputation and user data security are intricately intertwined. Even if companies aren’t collecting the kind of information that can lead to credit fraud or identity theft, they must still prioritize security and take the proper steps to ensure that user data is protected. For example, they should adopt technologies and processes that deny unauthorized access to sensitive information, protect data at rest, and configure all systems and tools correctly.”

Carl Wright, Chief Commercial Officer at AttackIQ:

“A week barely passes without the disclosure of a significant breach these days. Companies should be learning from others’ mistakes before a similar breach happens to them. Executives and Board of Directors must evaluate how much of the IT budget is being allocated to security control validation and testing, especially since several U.S. states have passed legislation to expand data breach notification rules and penalties to mirror those of GDPR. Organizations need to continuously assess the viability of their security controls the same way adversaries do in order to protect against future events.”

Joseph Patanella, CEO at Trusted Knight:

“It seems barely a day passes now when a major company is not breached – and today it is the turn of website Quora, who have revealed that a staggering 100 million users have had their details stolen. The breached data includes email addresses, passwords – and most worryingly – data imported from linked networks, when authorized by users. This means that for many individuals, who would have used their Google or Facebook accounts to sign up to Quora, the criminals are likely to have an extensive amount of data readily available at their fingertips.

“Quora have reported that they are still investigating the breach, and have for the moment logged all of their users out, and forced accounts with a password to reset them. Quora said that stolen passwords were encrypted to prevent hackers from using them, but users should err on the side of caution and also reset passwords on their other accounts if they used the same one. People should also change their passwords for any networks that they had linked to Quora.

“Quora have responded quickly to the breach, but the point to be made is that the frequency with which companies are hacked now is simply unacceptable, and major changes need to be made. When will companies begin to take responsibility for protecting their customers’ data seriously? And actually do what needs to be done to protect their customers’ personal information? The time to address this is now.”

Irra Ariella Khi, CEO and Co-founder at VChain:

“This is a breach that will come as a shock to online services, and people who use them. Quora is a site where users post interesting questions and other members of the community answer. You mightn’t expect that there would be a lot of sensitive data at stake there, but evidently you would be wrong. Names, contact information, encrypted passwords, and any linked social media accounts have been exposed – as well as a lot of potentially personal information, as private interactions on the site were also accessible.

“This is a wake up call. Any site or service you volunteer your data to can be breached. These organisations – no matter how trivial the service they provide is – have a responsibility to protect your data.

“Yet, organisations across all industries continue to store personal data on centralised, vulnerable systems where it is just a matter of time before they are breached – and for some reason expect themselves to be different to the last company that was hacked. It’s imperative that cyber security and data management move towards privacy by design: using systems that are built from the outset to be secure, with privacy by design architecture built into the core of any sensitive data product.

“Look at how much damage can be caused by a Q&A site being hacked. Now think of all the airlines, shops, tech giants storing your data in exactly the same way. Organisations need to change the way they store and manage data, and fast.”

Andy Wright, Regional Director for Northern Europe at Checkpoint:

“Hackers are deliberately targeting companies and websites which hold massive amounts of customer data – as we’ve seen with the recent major attacks against airlines and hotel chains. While it is not known how Quora’s systems were breached, the attackers could have exploited any one of several vectors to get access. Organizations need to protect themselves against sophisticated fifth-generation threats which spread across networks, endpoints, mobiles and cloud services, and prevent them from being able to impact on their business.

“Luckily, there was no financial information associated with the exposed user data, and the stolen passwords were encrypted, but users should consider changing their passwords on other accounts if they have used the same password as for their Quora account. They should also be suspicious of emails claiming to be related to the Quora breach, as these could be phishing attempts to try and extract more sensitive information.”

The ISBuzz Post: This post, Industry Leaders Reaction On Quora Breach, appeared first on Information Security Buzz.

Industry Leaders Reaction On Marriott Data Breach Exposing 500M Customers

Marriott International said last week that up to 500 million guests’ information may have been accessed as part of a data breach of its Starwood guest reservation database. The world’s largest hotel chain said it determined on Nov. 19 that an “unauthorized party” had accessed the database as early as 2014. For about 327 million of the guests, it added, the information includes some combination of a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

Adam Brown, Manager of Security Solutions at Synopsys: 

“The world’s largest hotel chain may have just reported the world’s largest hotel guest data breach and the world’s second largest data breach.

In line with protocol, the breach has been reported to the Information Commissioner’s Office – this would need to have been no later than 72 hours after their data protection officer was aware of the breach being real. Of the half a billion data subjects that have been breached, many will be EU citizens, which is why the ICO has been alerted under GDPR rules. Of the 327 million for whom personal data has been leaked, that data is stated as encrypted. However, this isn’t offering any protection since the means to decrypt have also been obtained. This could either be due to unsafe key storage or use of inappropriate encryption mechanisms.

To avoid such breaches going undetected, firms should implement sufficient logging and monitoring of their data as per OWASP’s new #10 of the OWASP Top 10. To avoid such breaches in the first place, firms should implement a software security initiative; a good observation of what mature firms do in this regard can be seen in the freely published BSIMM study – now in its 10th year: www.bsimm.com”

Satya Gupta, CTO and Co-founder at Virsec:

“What’s most disturbing about this attack is the enormous dwell time inside Starwood’s systems. The attackers apparently had unauthorized access since 2014 – a massive window of opportunity to explore internal servers, escalate privileges, move laterally to other systems, and plot a careful exfiltration strategy before being discovered. All organizations should assume that the next threat is already inside their networks and won’t be caught by conventional perimeter security. We need much more careful scrutiny of what critical applications are actually doing to spot signs of internal corruption. We must reduce dwell time from years to seconds.”

Rich Campagna, CMO at Bitglass:

“Marriott is not alone in its lack of visibility over its infrastructure. Any organization that acquires another business and its IT assets will be faced with major security blind spots unless the right tools are in place. Marriott should be looking at the infrastructure affiliated with all its prior acquisitions, ensuring that the security controls in place are as effective as possible.

It’s concerning when it takes an organization months, or even years, to recognize that a breach has occurred – it highlights the inadequacy of reactive security solutions. To avoid these kinds of events, organizations must adopt flexible security platforms that proactively detect and respond to new threats as they arise. Ensuring proactive security and remediating threats before hackers have a chance to exploit them is key to securing data.”

Mark Weiner, CMO at Balbix:

“Mitigating the damages of a breach like this is an incredibly difficult task for Marriott, especially since the breach could potentially be one of the largest in history behind the hacking of about 3 billion Yahoo accounts. Companies must rethink their reactive cybersecurity strategies that detect and control breaches in progress or after they happen. At that point, it’s too late. Organizations must implement security solutions that scan and monitor not just the organization-owned and managed assets, but also all third-party systems to detect vulnerabilities that could be exploited—as opposed to those that have been already. Proactively identifying and addressing vulnerabilities that would put them at risk before they become entry points for attackers is the only way to stay ahead of breaches.”

Stephan Chenette, Co-Founder and CTO at AttackIQ:

“The Marriott Starwood breach stands as potentially one of the largest breaches on record and is another example of a merger and acquisition where testing the resiliency of the current security controls would have assisted in both the visibility of gaps and discovery that Starwood Hotels was already breached.

Data breaches are expensive for everyone involved. Marriott will feel the burden of this breach through fines under GDPR and damage to their reputation, potentially causing customers to turn to their competitors.”

Dan Dearing, senior director of Product Marketing at Pulse Secure:

“Early reports stated that security experts working with Marriott determined that there had been unauthorized access of the Starwood network since 2014.

This type of “lying in wait” threat is driving many IT organizations to rethink how they secure their network to combat hackers who are sophisticated and patient enough to wait for the big payoff. The new security buzzword that describes how companies can defeat this type of threat is “zero-trust.” Essentially, IT cannot trust anything or anyone inside or outside of their network. Instead, they must deploy security tools that help enable them to always verify who the user is, whether the user is authorized to access the desired application or data, and finally if the user’s laptop or mobile device meets the security standards of the company. Only if all three conditions are met is the user allowed on the network.”

Brian Vecci, Technical Evangelist at Varonis:

“With any major breach like this one, especially one hitting an upscale brand, it’s extremely likely that high-profile individuals have had their information stolen. But it really does not matter if the individual is a C-level executive or a parent taking their kids on vacation to Euro Disney: the damage has been done.

Like the Equifax breach, hackers made off with sensitive information that can’t be changed: names, passport numbers, dates of birth, and more. Now 500 million people are going to have to watch their credit reports and may likely be inconvenienced for the rest of their lives. Many will likely fall victim to spearphishing scams in the months and years to come due to the highly personalized nature of the stolen information.

It’s crazy to think that in this day and age of massive breaches, major brands are spending millions on advertising and customer loyalty programs but failing to protect what matters most: the personal data of their most dedicated customers. It’s no wonder why customers continue to grow distrustful and demand regulations such as the GDPR and, now in the U.S., the California Consumer Privacy Act.”

Colin Bastable, CEO at Lucy Security:

“Kudos to Marriott for getting the news out as soon as they learned about the breach. It will be very painful for Marriott’s staff and shareholders, especially as this breach apparently started four years ago. Ninety-six percent of cyberattacks start with a phishing email and continue to badly impact consumers and the C Suite long after the attack. Marriott’s fast reporting shows some other recent cyberattack victims up in a bad light; they clearly had a plan in place for such a situation and executed on it.

In terms of consumer advice, consumers should never allow travel companies to consolidate different rewards or loyalty programs from airline and rental car companies, as this just broadens the consumer’s vulnerability footprint. It is a case of when, not if, consumers’ accounts are hacked – it will happen, so be prepared.”

Sherban Naum, Senior Vice President at Bromium:

“After a four year long-term-stay in the Starwood Hotel database, the hackers finally checked out, and with more than the complimentary bath robes. Lying dormant in systems is a common tactic for advanced cybercriminal groups and nation state actors, who will focus on staying hidden and taking time to exfiltrate data, obtain secrets and insert backdoors, ensuring long-term access. Often, hackers will gain a foothold through an unsuspecting user and spend time working their way through the network, escalating privileges in order to access a company’s crown jewels. The longer a hacker has access, the more damage they can do, so this is much more serious than a one-off breach, continuously putting customers at risk of targeted phishing attacks and card fraud. Attackers are growing smarter in leveraging the very systems enterprises depend on to exploit vulnerabilities. It appears the dependence on legacy detect-to-protect approaches has, yet again, failed. It’s incredible that hackers were able to gain access and persist unnoticed for so long, and that the breach seems to have been overlooked during the merging of Starwood and Marriott’s global networks. I’d be curious to know how much control the hackers had: Perhaps they were able to exploit the very systems Starwood depended on to scan and patch systems, knowing when to move or what to avoid. Of course, each day a potential adversary checks into a property or logs into their account.

“Organisations need to be locking down high-value assets, such as customer data, and applying a zero trust approach to endpoints and networks by applying security right down to the application level. By abstracting and segmenting access to high value applications and data, isolating the application in a hardware-enforced virtual environment, even if the network, server or end-user device is compromised, cybercriminals can’t see or access the data – so no information would have been accessed. Lessons need to be learnt here so that a catastrophic breach of this kind can be prevented.”

Robin Tombs, Co-Founder and CEO at Yoti:

“We have to trust that companies will protect our personal data, yet it can be hacked and stolen in the blink of an eye. News of the latest data breach, this time Marriott International, has impacted millions of people who will now have the worry and stress of what has happened to their precious personal information.

Big databases are a hot target for hackers; especially ones which contain sensitive data like passport information and payment details. It’s time companies put an end to big databases, and only asked for the necessary information from their customers. This would help strike a balance between protecting individuals’ confidentiality whilst ensuring companies have the details they need.

Individuals should also be able to secure their accounts with biometrics instead of passwords – this would offer greater protection of our online accounts and personal information.”

John Gunn, CMO at OneSpan:

The significance of the Marriott breach is not in the number of records that were compromised, that is relatively small. Its impact on the victims is much greater than the numbers reveal. It is remarkably easy to request a replacement credit card from your financial institution and you are not responsible for fraudulent activities – try that with your passport. This may be an emerging trend with hacking organizations, to target large pools of passport data. Stolen passports sell for a magnitude more than stolen credit cards on the dark web.

Michael Magrath, Director, Global Regulations & Standards at OneSpan: 

The vast stores of personally identifiable data on the Dark Web continue to grow at historic rates, and fraudsters have rich resources with which to steal identities or create new, synthetic identities using a combination of real and made-up information, or entirely fictitious information. For example, the personal data obtained in one breach could be cross-referenced with data obtained from another breach and other widely publicized private sector breaches, and the Marriott breach only makes their task that much easier and more likely to succeed. Having the databases in the same place makes things even easier for the bad guys.

Cyber attacks such as Marriott’s will continue and it is imperative that public and private sector organizations not only deploy the latest in authentication and risk based fraud detection technologies in their organizations, but also make sure all third party partners have equal cybersecurity measures in place.

Gary Roboff, Senior Advisor at Santa Fe Group:

“How could a breach like this continue for 4 years?

If encryption keys were compromised and payment data was in fact exposed, this could indicate that stolen credentials were released at an exceptionally slow release rate versus a “mass data dump exfiltration event” in order to make it harder for fraud and security teams to identify the kinds of patterns that would normally indicate a point of compromise.

While we don’t fully understand what happened at Starwood and Marriott, basic security hygiene requires extraordinary attention to detail and diligence. In 2014, a JP Morgan Chase hack exposed 76 million households. A single neglected server that was not protected by a dual password scheme was the last line of defense standing between the hacker and the exposed data. If diligence isn’t constant and systematic, the potential for compromise, with all that implies, increases significantly.”

Bimal Gandhi, Chief Executive Officer at Uniken: 

“Events like this Marriott Starwood breach underscore the sheer folly of continued reliance on outdated security methods such as using PII in authentication, given the sheer proliferation of stolen and leaked PII now available on the Dark Web.

“Every piece of customer information that a company holds represents a potential point of attack, and each time a partner or agent accesses it, that becomes a potential attack point as well. Hotels, hospitality companies, banks and eCommerce entities are all moving to newer ways to enable customers to authenticate themselves across channels, without requiring any PII.

“Customer-facing commerce and financial institutions seeking to thwart credential stuffing are increasingly seeking to migrate beyond PII authentication to more advanced methods that do not require the user to know, manufacture or receive and manually enter a verification factor, in order to eliminate the ability for bad actors to guess, phish, credential-stuff, socially engineer, mimic or capture their way into the network.

“Invisible multifactor authentication solutions that rely on cryptographic key based authentication combined with device, environmental and behavioral technologies provide just such a solution. By their very nature, they are easy to use, issued and leveraged invisibly to the user, remove human error, and defy credential stuffing and other common attacks.”

Kevin Curran, Senior IEEE Member and Professor of Cybersecurity at Ulster University:

“This is not the largest data breach by any means although 500 million is no small number and potentially a very sensitive data breach. The sensitive data stolen in this breach can be used by criminals for identity theft where they could convince targeted individuals to give up vital, personal information, like a password or access to banking sites. The more convincing a phishing email is – the more likely someone is to reply to it.

The reason we are seeing so many data breaches this year is simply an indication of where we are in time. We are situated between a time where companies really face no penalties for poor storage and protection of data – apart from reputation loss – and a future world where organisations will be fined enormous sums for allowing data to leak. People are also in a semi-state of ignorance (or deliberate ignorance) of safe computing practices. A recent report stated that cybercrime damage is to hit $6 trillion annually by 2021. Cyber theft is simply becoming the fastest growing crime in the world. Gartner reports that this rising tide of cybercrime has pushed cybersecurity spending to more than $80 billion in 2016. A major problem is that there is a severe shortage of cybersecurity talent with unfilled cybersecurity jobs to reach 1.5 million by 2019.

In the wider context, according to the National Crime Agency Cyber Crime Assessment 2016 report, cybercrime accounted for 53 per cent of all crimes in 2015. This percentage is rising steadily each year. We can expect to see cybercrime continue to develop into a highly lucrative and well organised enterprise. Cyber criminals whether state sponsored or not are even beginning to devote funds to research and development as yet. Criminals are increasingly moving online because this is where the money is. The annual Mary Meeker’s state of the Internet report for 2017 reports that Network Breaches are increasingly caused by email spam/phishing. In fact spam has increased 350% in one year. The trend for ransomware is also showing worrying trends. Malwarebytes show increase from 17% in 2015 to 259% in 2016. Across the board we are seeing increases in attacks and breaches like Marriott will only make this problem worse.”

Ryan Wilk, VP at NuData Security:

“The hospitality sector has been hit hard this year with breaches at such hotels as the Prince, Radisson, and Intercontinental to name a few. Unfortunately, this breach was going on since 2014 which means that cyber hackers secured a treasure trove of personal information. This news needs to remind merchants and other companies transacting online that their systems are never entirely safe from breaches; these can happen at any time, and companies need to have their post-breach process ready. This plan includes the implementation of a stronger verification framework so they can still correctly authenticate their good users despite potentially stolen credentials. This sort of data exposure is why so many organisations – from the hospitality sector through to eCommerce companies, financial institutions and major retailers – are layering in advanced security solutions, such as passive biometrics and behavioural analytics that identify customers by their online behaviour thus mitigating post-breach damage as hackers are not able to impersonate individual behavior.”

Bill Evans, Senior Director at One Identity:

“In yet another breach, Marriott’s Starwood Hotel reservation database was recently hacked exposing swathes of data on as many as 500,000,000 guests. While a breach of any information of even a single individual is bad, there are levels of severity regarding the types of personal information that is hacked. For example, Marriott states that around 327,000,000 guests had phone numbers and email addresses compromised. While this is a concern, compromising this type of information is not the end of the world. However, Marriott has also stated that credit card information and even passport information may have been compromised. This is a much more challenging situation for the company and its customers.

Although it might be a nuisance, affected customers should contact their credit card company to disable their compromised card, create a new account and order a replacement. By now, I am sure we have all had to do this. In addition, those people will need to begin (or continue) monitoring their credit history. The exposal of passport information is another level. It’s not a simple process to get a new passport. We will have to see what Marriott’s guidance is for this situation.”

Simon McCalla, CTO at Nominet:

“The Marriott hack is the latest in a long line of hacks that would concern consumers across the world. But perhaps the most concerning part of this data breach is that, during their investigation into the cause, they found that there had been unauthorised access to the Starwood network since 2014.

“The company received an internal security alert in September of this year – four years after the initial breach. This paints a grim picture of the security system they had in place and how susceptible they were to threats from outside the business.

“Ensuring threat monitoring and security systems are able to catch threats when they first interact with your critical systems is vital. Proactive defence is better than retrospective and with 500m customers affected by this breach, Starwood Groups are finding this out the hard way.”

Irra Ariella Khi, CEO and Co-founder at VChain:

“Yet again, we see huge international corporations making the same mistake of storing substantial amounts of highly personalised, customer data in centralised locations. These organisations are trusted with personally identifiable customer data, which should never be stored on these vulnerable systems of ‘confidential’ centralised data storage. These systems are private by assumption, but are actually alarmingly open – particularly to today’s increasingly receptive hacker.

“With GDPR now in play as a standard that we all expect, it’s essential that consumers – as well as regulators – demand better practices when it comes to data protection. It’s imperative that cyber security and data management move towards privacy by design: using systems that are built from the outset to be secure, with privacy by design architecture built into the core of any sensitive data product.

“The “if it ain’t broke, don’t fix it” approach has not only proven to be unsustainable, but ultimately ends up affecting share prices. In today’s modern world, where technologies are increasingly available to inhibit exactly this kind of thing from happening in the first place, these corporations are running out of excuses.”

Ed Macnair, CEO at CensorNet:

“If 500 million individual guests were indeed impacted by this breach, it will make it one of the most significant data security incidents that we have seen to date. While it is still yet to be determined exactly what information has been accessed, it seems likely that there is a huge amount of data involved – including payment details – and anyone who has stayed with the hotel chain in recent years has good reason to be concerned.

“Worryingly, it appears that the information was accessed in 2014, leaving a lot of individuals vulnerable for years. Reports suggest that, for more than 300 million people, the information accessed includes name, address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences – that is a huge amount of information about individuals that, in the wrong hands, could do a lot of damage, from identity theft through to brute force attacks on other online accounts.

“There is likely to be more information about exactly how this breach happened emerging over the next few weeks but, in the meantime, anyone that has been affected by this breach – or thinks they may have been – would be well advised to sign up with a credit checking service to make sure their details haven’t been used untowardly. It would also be sensible to change passwords for other accounts that used the same log-in details.”

James Hadley, CEO at Immersive Labs:

“The fact that 500 million customers’ personal details – including payment information and addresses – have been taken is disturbing. However, what’s more concerning is that this has been happening since 2014. This clearly demonstrates that something is off in the company’s approach to security and urgently needs to be re-assessed.

“This is the most significant breach we’ve seen this year and, if the number of people involved is correct, may well be one of the biggest hacks ever to occur and, while Marriott has a lot of questions to answer, it’s not alone in struggling to keep up with the massive barrage of threats everyone is facing. Cyber criminals are constrained by internal red tape and laws, so can be as creative as they want in order to get their pay day. Security teams don’t have the same luxury.

“In order to have any hope of playing the criminals at their own game, companies need to be more agile in their approach to security – making sure their employees have exactly the right skills to deal with what’s happening in the real world. Scenarios like this are all too common and something needs to change. That starts with making sure people have the capabilities to identify and rectify situations like this.”

Trevor Reschke, Threat Intelligence Officer, Trusted Knight:

“This is a data breach on a scale that blows the rest out of the water – with over 500 million people affected. It is certainly the largest breach recorded this year, and one of the largest breaches in history. The sheer number of customers affected is staggering. Stolen data includes phone numbers, email addresses, passport numbers – and even payment card numbers and expiration dates. It’s highly likely that the details of these 500 million people are being sold online and anyone who thinks they may have been caught up will really need to keep a close eye on their personal accounts. If you’ve stayed at a Starwood or Marriott property in the past few years, and have experienced some type of fraud, whether compromised credit card information or identity theft, this data breach may have been leveraged to enhance the criminal’s chances of success. Anyone impacted should make sure that any accounts using the same log-in details are changed, and also sign up with credit checking agencies to double check nothing untoward has happened.

“What is most alarming about this hack – after the almost incomprehensible number of people affected – is that in its investigation into the breach, Marriott discovered that there had been unauthorised access to its network since 2014. We have been shown again and again that organisations do not take the security of their customer data seriously – and such unauthorised access going unnoticed for four years is a prime example of this. We don’t know yet how this breach happened, but whatever the cause, it’s simply unacceptable that it went undetected for so long.”

Joseph Carson, Chief Security Scientist at Thycotic:

“What is shocking about this data breach is that the cybercriminals potentially got away with both the encrypted data as well as the methods to decrypt the data which appears that Marriott have not practiced adequate cybersecurity protection for their customers’ personal and sensitive information.

The major problem of such data breaches in the past is that those companies who have been entrusted to protect their customer data have only offered up to one year of identity theft protection. But, much of the identity information that is stolen typically can last between 5-10 years such as driver’s licenses and passports. So while victims may get some protection, they are at serious risk for years unless they actively replace compromised identity documents which is done at a cost. Companies who fail to protect their customers should be at least responsible for the cost of replacing compromised information and documents rather than deflecting responsibility and accountability.

This latest major data breach will raise questions as to when Marriott knew about the breach and whether or not they complied with global regulations such as the EU General Data Protection Regulation which imposes financial penalties of 20m Euros or 4% of annual turnover. If you are a customer of the latest Marriott data breach then it is important to know what data is at risk and consider taking extra precautions as well as changing your Marriott account password.”

Franklyn Jones, CMO at Cequence:

“Unfortunately, we can also expect to see a long tail effect from this breach. As this data finds its way to the dark web, these stolen credentials will be acquired by other bad actors. They, in turn, will orchestrate high volume bot attacks to see if the stolen credentials can also provide access to web, mobile, and API application services of other organizations.”

The ISBuzz Post: This Post Industry Leaders Reaction On Marriott Data Breach Exposing 500M Customers appeared first on Information Security Buzz.

Dunkin’ Donuts Breach

Dunkin’, the company behind the Dunkin’ Donuts franchise, has notified owners of DD Perks rewards accounts that a hacker might have accessed their profiles and personal data last month.

The company said it didn’t suffer an actual breach of its backend systems but only fell victim to an automated attack known in the cyber-security field as a credential stuffing attack. IT security experts commented below.

Michael Griffin, Director of Information Security at Janrain:

“Credential stuffing is an automated attack that simply attempts to login to sites with user credentials that have been stolen elsewhere or by simply guessing. The tricky part is that there is no 100% bulletproof protection against this type of attack — if an attacker happens to have the correct username and password of an account, chances are even the best-secured website or app will think it’s the real user. However, there is a lot that companies can (and should!) do to fend off such attacks; their websites and apps should be able to recognize suspicious behaviour, for example, if multiple unsuccessful login attempts occur in a short period of time, or if a user based in the US suddenly attempts to login from a foreign IP address. Accounts should then require step-up authentication, meaning that the user is required to provide additional information to log in, or the account should be locked down completely to protect the user’s data.”
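The checks Griffin describes (bursts of failed logins, a login from an unusual country, then step-up authentication or a block) can be sketched as follows. This is an added example, not part of the original article; the thresholds, field names, decision labels and the constructed sample events are all assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed thresholds; tune them against real traffic.
WINDOW_SECONDS = 300       # look-back window for counting failures
MAX_ACCOUNT_FAILURES = 3   # failed logins per account inside the window
MAX_IP_ACCOUNTS = 4        # distinct accounts one IP may fail against


@dataclass(frozen=True)
class LoginAttempt:
    ts: int            # epoch seconds
    ip: str
    username: str
    password_ok: bool  # result of the normal password check
    country: str       # GeoIP country of the source, resolved upstream (assumed)


class LoginRiskEngine:
    """Returns allow / deny / step_up / block for each login attempt."""

    def __init__(self, home_country):
        self.home_country = dict(home_country)      # username -> usual country
        self.account_failures = defaultdict(deque)  # username -> (ts, ip)
        self.ip_failures = defaultdict(deque)       # ip -> (ts, username)

    @staticmethod
    def _prune(events, now):
        # Drop failures that have aged out of the sliding window.
        while events and events[0][0] <= now - WINDOW_SECONDS:
            events.popleft()

    def evaluate(self, a):
        by_account = self.account_failures[a.username]
        by_ip = self.ip_failures[a.ip]
        self._prune(by_account, a.ts)
        self._prune(by_ip, a.ts)
        if not a.password_ok:
            by_account.append((a.ts, a.ip))
            by_ip.append((a.ts, a.username))

        # One source failing against many different accounts is the stuffing
        # pattern; block it even when it finally presents a valid pair.
        if len({user for _, user in by_ip}) >= MAX_IP_ACCOUNTS:
            return "block"
        if not a.password_ok:
            return "deny"
        # Correct password, but the account was just hammered (possibly from
        # many IPs): ask for a second factor instead of trusting the password.
        if len(by_account) >= MAX_ACCOUNT_FAILURES:
            return "step_up"
        # Correct password from an unusual country. Accounts with no known
        # home country are not challenged on geography.
        if a.country != self.home_country.get(a.username, a.country):
            return "step_up"
        return "allow"


# Constructed sample data (documentation IP ranges, invented usernames).
HOME_COUNTRY = {"erin": "US", "frank": "US", "grace": "US", "heidi": "US"}
SAMPLE_EVENTS = [
    LoginAttempt(1000, "203.0.113.50", "alice", False, "US"),
    LoginAttempt(1002, "203.0.113.50", "bob", False, "US"),
    LoginAttempt(1004, "203.0.113.50", "carol", False, "US"),
    LoginAttempt(1006, "203.0.113.50", "dave", False, "US"),
    LoginAttempt(1008, "203.0.113.50", "erin", True, "US"),   # valid stolen pair
    LoginAttempt(1010, "198.51.100.7", "frank", True, "US"),  # ordinary login
    LoginAttempt(1020, "198.51.100.9", "grace", True, "RO"),  # unusual country
    LoginAttempt(1030, "192.0.2.1", "heidi", False, "US"),    # distributed guesses
    LoginAttempt(1031, "192.0.2.2", "heidi", False, "US"),
    LoginAttempt(1032, "192.0.2.3", "heidi", False, "US"),
    LoginAttempt(1033, "192.0.2.4", "heidi", True, "US"),
    LoginAttempt(2000, "203.0.113.50", "frank", True, "US"),  # window expired
]


def replay(events=SAMPLE_EVENTS, home_country=HOME_COUNTRY):
    """Feed events through a fresh engine and return the decisions in order."""
    engine = LoginRiskEngine(home_country)
    return [engine.evaluate(e) for e in events]


if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay()):
        print(event.ts, event.ip, event.username, decision)
```

The fifth event shows the limit Griffin points out: the password check alone accepts the stolen pair, and only the per-source failure history stops it.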

Jon Fielding, Managing Director at EMEA Apricorn:

“It’s clear that breach fatigue has kicked in, but security should always be front of mind. Whilst data isn’t always lost, stolen, or hacked in the same manner, the security processes in place to protect that data should be consistent. The Dunkin’ Donuts breach is a prime example of why basic security best practice should be followed at all times.

Strong password hygiene is a critical component of a security defence. When choosing a password, it should be long and complex. It should also be regularly changed and never reused, particularly to prevent credential stuffing attacks as seems to be the case in this instance.”

Ryan Wilk, VP of Customer Success for NuData Security, a Mastercard company says, “Just when you thought that hackers could not come between you and your morning coffee, they get you right in the rewards points. NuData Security has found that 90% of cyberattacks start with some sort of automation, credential stuffing being a prominent one like the one perpetrated on Dunkin’ Donuts. The software for credential stuffing is now so affordable that this type of attack is becoming accessible for almost anyone. What this means is that adversaries can automatically cycle through username and password pairs against login portals. This technique, known as credential stuffing, is a type of brute force attack whereby large sets of credentials are automatically inserted into login pages until a match with an existing account is found. Having customers change their passwords is a temporary fix, a band-aid that doesn’t get to the root of the problem. One effective way to stop this type of attack is to implement security solutions that detect this sophisticated automated activity at login and other placements. By using technologies that include behavioral biometrics, automated activity is flagged at login before it can even test any credentials in the company’s environment.”

Jeremy Cheung, Vulnerability Verification Specialist at WhiteHat Security:

“The fact that hackers were able to gain access to Dunkin’ Donuts DD Perks accounts utilizing credentials obtained from previous breaches of other applications reinforces the importance of setting a different username/password combination for every application you utilize as an end user. It is essential to practice security mindedness as you browse the web to lessen the personal impact data breaches will have on you once they occur. Some other tips you can practice to secure yourself online are:

  1. Utilizing multi-factor authentication on any application that supports it. This can prevent an attacker from gaining access to your account even if they determine your username/password combination.
  2. Only log into sites that send your credentials and other sensitive information over SSL. A quick way to determine this is if the URL you are viewing is prefaced with “https://”
  3. Whenever you’re checking your email in a web browser and are sent messages with hyperlinks, hover your mouse over the links and verify where the link is really going to take you to by looking at the URL that appears on the lower left corner of the screen. It’s possible the blue highlighted URL written in the email body is actually a disguised malicious link.”


Industry Leaders Reaction On Data Of 114 Million American Companies And Individuals Left Unprotected

News is breaking that a huge database with over 114 million records of US citizens and companies has been discovered sitting online unprotected. The number of individuals impacted by the exposure is estimated at almost 83 million. Researchers from HackenProof, a penetration testing company based in Estonia, found the massive cache of data via the Shodan search engine, in two Elasticsearch indices.

One of the instances contained personal information of 56,934,021 US citizens, including sensitive details like full name, employer, job title, email and street address, ZIP code, phone number, and an IP address. “Another index of the same database contained more than 25 million records with more of a ‘Yellow Pages’ details directory: name, company details, zip address, carrier route, latitude/longitude, census tract, phone number, web address, email, employees count, revenue numbers, NAICS codes, SIC codes, and etc,” the company said in a blog post.

Industry leaders commented below.

Corin Imai, Senior Security Advisor at DomainTools:

“This is an astounding amount of data to be left unprotected online, leaving 83 million Americans vulnerable. It goes to show that while we have made significant steps in data protection in recent years, we have a long way to go. Not only the volume but the content of the data available means that hackers have a wide variety of avenues from which to approach potential victims in order to attempt a social engineering campaign. Organisations are also left wide open by this data, which could facilitate BEC fraud and the serious financial consequences associated with it. American companies and consumers should (as always) be exercising extreme caution when responding to unsolicited emails, and clicking on email links.”

Ryan Wilk, VP at NuData Security:

“This is a vast sum of data to be available online in an unprotected format, and is yet another example of organisations not taking data protection in any way seriously. The information available is a hacker’s dream, with more than enough information to pull off a social engineering campaign which could compromise a wide range of accounts, ranging from consumer accounts with retailers to bank accounts or sensitive documents. Programmes of passive biometrics and two factor authentication are needed across the board if we are to differentiate between legitimate and bad users following breaches such as this.”

Tim Erlin, VP at Tripwire:

“If you leave unsecured data on the Internet, it will eventually be discovered and either exploited, reported or both.

Discovering the data is the first step, but identifying the responsible organization or individual will come next. We should all be waiting for the other shoe to drop on this story.

Technology can solve a lot of problems, but security still requires a careful review and implementation of the basics. These types of incidents don’t require sophisticated hackers or nation-state cyberwar budgets. Anyone with the time and an Internet connection can find this data.”

Julien Cassignol, IAM Specialist at One Identity:

“It might be quite possible that at one point, for automation or in production, we end up with sensitive information in elastic indices. What then can be done to protect these indices?

It all has to do with identity. Who’s supposed to access this information? Who *actually* has access to this information at a given time? Can we assess the risk that is linked to people being able to see this data? How is it mitigated?

There are several ways to tackle this problem. First and foremost, organisations should consider identity as the new perimeter. Properly defined identity, managed through the entire “flow” of communication from user to data, linked to appropriate entitlements and authenticated using the appropriate means – be it through a password, MFA, or biometrics – is paramount.

Accesses to this data have to be made in a legitimate context. Which then opens the second part of this Pandora’s box: which accesses have been made, whom by, and for what purpose? How are these accesses audited? Were they made by a privileged user or by a legitimate business user? Were they made by APIs?

It seems quite clear that it is best practice to enforce authentication at the very beginning of such accesses. That this data could be accessible without any authentication, let alone identification, is what’s key here: there are such commandments as “Know thine users”, “Know their entitlements”. If no authentication was provided, the first commandment was broken and instead of protecting the perimeter by the means of identity, we end up having to audit post mortem tracks of the intruders to hopefully get an idea of what they did and who they were. As a modern-day hunter “tasting” the logs and judging how long ago the breach took place is determined by looking at the “tracks” in the system.”

Michael Magrath, Director, Global Regulations & Standards at OneSpan, Inc.:

“The treasure trove of personally identifiable data on the “Legitimate Web” and the Dark Web just continues to grow, enabling fraudsters to steal identities or create new, synthetic identities using a combination of real and made-up information, or entirely fictitious information. For example, the personal data obtained in the one breach could be cross-referenced with data obtained from another breach and other widely publicized private sector breaches. Having the databases in the same place makes things even easier for the bad guys.

“Cyberattacks will continue and it is imperative that public and private sector organizations not only deploy the latest in authentication and risk based fraud detection technologies in their organizations, but also make sure all third party partners have equal cybersecurity measures in place.”

Tom Garrubba, Sr. Director at Shared Assessments: 

“This is of course a major data breach and, at the root of it, appears to have been a user error (i.e., “misconfiguration of the Elasticsearch instances” allowing public access to the data without authentication). We cannot stress enough the importance of established checks and balances, segregation of duties, etc., to be defined in procedures and followed with appropriate sign-offs by management. With an estimated number of affected citizens to be almost 83 million it appears the hackers struck a gold mine. The only hope left here is that there are some iron pyrite – or “fool’s gold” records (meaning – old and no longer usable) – mixed in with the gold of actual current individual records.”


Financial Watchdog Suggests Banks Putting Customers At Risk Of Cyberattacks

Following a new report from the financial watchdog that suggests banks are putting customers at risk of cyberattacks due to old IT systems, I’m reaching out with comment and additional insight on this topic from my client VMware.

Research VMware conducted earlier this year revealed the immense challenges frontline IT security teams in the financial services sector face and how this impacts their actions:

  • 67 percent admitted to cyber security practices in their organisations ‘which would shock outsiders’
  • 90 percent of IT security professionals are forced to make compromises to protect their organisation against cyber threats
  • 71 percent focus on protecting customer applications often at the expense of other systems
  • Half don’t believe their leadership team understands the complexity of threats

VMware executives commented below.

Richard Bennett, Head of Accelerate and Advisory Services at VMware:

“This past era of compromise towards cybersecurity must end. A revised approach to protecting digital assets, starting at a security by design philosophy, is required to allow IT security professionals to dynamically manage the myriad of threats now faced. This involves understanding that cybersecurity does not begin and end with IT, but is a challenge for the whole organisation. It is also about recognising that adaptive networking, applications and systems are no longer nice to haves, and that cyberhygiene is intrinsic to a company’s digital footprint today.”

Ian Jenkins, Head of Network and Security, UK at VMware:

“In chasing the digital promised land, financial services organisations run the constant risk of overstretching already antiquated security infrastructures. Those on the front line defending against cyberthreats clearly feel there are significant flaws ready to be exploited: this should act as a wake-up call that there are serious risks to data if security isn’t baked into everything the organisations do. Ignoring them and the compromises they’re having to make could be hugely damaging.”


FBI Disrupts Major Ad Fraud Rings

Following the news that the United States Department of Justice has taken action to pull down two major ad fraud rings, unveiling a 13-count indictment charging criminal violations, IT security experts commented below.

Martin Jartelius, CSO at Outpost24:

“It is estimated that ad fraud is costing organisations billions of dollars every year so it is good to see law enforcement dedicating such large amounts of time to taking down this ring.

Anyone who believes their computers could have been impacted by the attack should try to isolate those machines from the network and take steps to harden their systems.

The rule that prevention is cheaper than recovery holds true if one is starting with protection, but we must treat both internet as well as client networks as hostile networks. Human error will always factor in and as a mature security team it is our responsibility to give our non-security employees room for error. Trust is great, but control is better.”

Mike Bittner, Digital Security & Operations Manager at The Media Trust:

“3ve underscores the importance of knowing who you do business with along the digital ad supply chain and of collaborating with them on identifying the underlying malicious code, which wreaks havoc on unknowing users and undermines the supply chain. While a lot of attention has been paid to the use of botnets by the three 3ve sub-operations, the most damning feature of these operations was the various malicious code that was deployed to infect computers, redirect traffic, etc. The malware, which would check for user names, IP addresses, certain ISPs and geographical locations, as well as for any security software, is part of a new generation of malware designed to refrain from execution unless the right conditions are met. Not only does this capability enable the malware to escape detection, it also opens up victims’ machines and devices to later attacks. Publishers and e-commerce sites that want to protect their digital assets and users from such campaigns should closely monitor all code that courses through their digital ecosystem, through continuous and real-time scanning; ensure all of them are authorized; and if not, work with their digital partners and third parties on terminating them at their source. At the end of the day, the malicious code is the real weapon and it can be stopped in its tracks.”


Brits Among Most Fearful Of Cyberattacks In Europe

British citizens are among the most afraid in Europe of cyberattacks taking place during elections, a report by the European Commission has found. Three out of four voters in the UK are concerned about widespread hacking while casting their vote, the report said. This level of concern was only beaten by Spain, where 77pc said they were afraid of such attacks. The survey asked more than 27,000 individuals from across the 28 EU member states about their concerns over disinformation campaigns, and whether they thought data breaches and cyberattacks would interfere with electoral processes.

Corin Imai, Senior Security Advisor at DomainTools:

“When we consider how disinformation campaigns spread by outside forces attempted to exert influence over the EU referendum campaign, it makes sense that the UK is more fearful of the cyber-threat to elections than other parts of Europe, but this does not mean that those outside of the UK are safe. All Western democracies should be concerned by attempts to use cyberattacks and fake news, which could be used by hostile nation-states for their own gain. While much has been made of how utilities represent critical infrastructure which is vulnerable to cyberattack, the integrity of our electoral process is just as, if not more critical to our way of life, and should also be considered critical.”

Laurie Mercer, Security Engineer at HackerOne:

“Awareness of cyber attacks and breaches has never been greater. It can seem like the number and skill of cybercriminals is higher than the defenders. Confidence in Government IT systems is low. British citizens are worried that their data will be breached. That said, it is difficult to justify this level of concern when thinking of the paper-based elections that we hold in the UK. During British elections, voters mark ballot papers with a pen in a voting booth in a polling station, which are later counted manually. The process is physical: there is a risk of social engineering, but it is really quite difficult to ‘hack’ a paper-based election to the extent that the result can be affected.

It is inevitable that at some point the British election process will digitise. Imagine if you could vote from home. Digital technology including biometrics and digital ledgers hold great promise for improving the process of voting. Digital transformation could reduce the cost of holding elections and referenda to the point where people could be regularly polled for their opinion on the big decisions that affect their daily lives. It is important that as we adopt the technology necessary to hold elections digitally, security takes the prime position. Any digital transformation of British elections needs to ensure that the security of the process increases and does not regress.”

Javvad Malik, Security Advocate at AlienVault:

“There has been much in the news around hacking and manipulation of elections, so it is not surprising to see a high number of people worried about cyber attacks around election time.

Public perceptions aside, it is a reminder of how embedded and reliant on digital systems the world has become – and as a result, any intentional or accidental misconfigurations or errors can have huge impact. Therefore, it is essential for all providers to invest in security to ensure that systems operate as required.”


Expert Commentary: Uber Breach

Following the announcement that Uber has been fined £385,000 by the ICO over ‘a series of avoidable data security flaws’ which allowed hackers to collect sensitive information on 2.7 million customers, IT security experts commented below.

Rich Campagna, CMO at Bitglass:

“This fine shows that even the most prominent public organisations need to pay more attention to data security policies and put in place appropriate measures to keep personal data safe. Many companies continue to display poor stewardship over the personal details belonging to customers, employees, and other parties. Unless organisations begin to respect the importance of protecting customer data, we will continue to see more big-name companies making costly mistakes that harm countless individuals.”

Stephen Moore, Chief Security Strategist at Exabeam:

“The most seasoned and well-resourced security teams can be easily overwhelmed by the volume of organisational alerts they receive in a day. That complexity, when combined with the inherent difficulties of detecting credential-based attacks, because the attackers are impersonating legitimate users, creates an environment that lacks control and trust. In this case, the security incident was likely the result of malicious actors using previously collected or breached login data to access accounts. To protect against these types of attacks, organisations must shift the enterprise security strategy. To remediate incidents involving user credentials and respond to adversaries, the key is to move fast and consider an approach that is closely aligned with monitoring user behaviour – to provide the necessary visibility needed to restore trust, and react in real time, to protect user accounts. This should include the ability to detect, using behavioural characteristics, when events have occurred – especially when it comes to client/member/customer-facing incidents.”

Luke Brown, VP EMEA at WinMagic:

“Data loss, data theft, data breach – these phrases are now part and parcel of the daily news agenda. My guess is that Uber hadn’t deployed encryption technology across all its platforms and environments. It’s well known that data residing anywhere in a company’s increasingly complex environment is at risk unless there is a standardised ubiquitous encryption platform in place. Falling victim to cyber criminals is the new normal, and all organisations need to take precautions to protect sensitive information should they become the victim of an attack.”

Jake Moore, Cyber Security Expert at ESET UK: 

“Cyber criminals can do a lot of damage with a large breached list containing only names and emails so the ICO are determined to stamp out this type of activity – especially when it has been ruled ‘avoidable’. Having hackers know a set of live emails and names means they can send phishing emails or even attempt to work out the customers’ passwords. An incredibly large amount of people still use predictable or simple passwords. Together with previous and even recent high profile breaches, many people’s passwords are also readily available on the dark web so it can sadly be made very simple for the cyber criminals. There is no doubt that this fine would be higher if it had been post GDPR.”

Tim Erlin, VP at Tripwire:

“The ICO has previously demonstrated a willingness to fine organizations in circumstances like this, though it remains unclear whether such fines make a material difference in the overall security across industries. While this incident pre-dates the GDPR, fines like these must now be viewed in light of the more expansive regulations that have come into force. It’s important to remember that GDPR isn’t the first regulation to address security and data privacy. GDPR is designed to harmonize and update a disparate set of regulations across the EU. While GDPR provides the framework for significant fines, they are maximums, not minimums. The actual fines levied will be situationally determined.”

Javvad Malik, Security Advocate at AlienVault: 

“The Uber fine shouldn’t come as a surprise to anyone that has been following the story. The company had inadequate protective and detective security controls. To make matters worse, the company tried to cover up the breach and paid money to keep things quiet, and in the process exposed its customers. While breaches are an unfortunate cost of doing business these days, it’s how a company acts in response that can make the difference between a large fine and a warning.”

Martin Jartelius, CSO at Outpost24:

“Taking into account the substantial impact of this breach and the way it was handled by Uber, this is also a good example of why GDPR is of importance to us all. We may not be protected from those recurring breaches, but customers and end users have a right to know when companies have failed to meet their obligation to protect our information.”


Atrium Third Party Healthcare Breach (2.65 Million Records)

Atrium Health, previously Carolinas HealthCare System, said today that data of about 2.65 million patients including addresses, dates of birth and social security numbers may have been compromised in a breach at its third-party provider AccuDoc Solutions.

Atrium, which provides healthcare and wellness programs throughout the Southeast region in the United States, said a review revealed an unauthorized access to AccuDoc’s databases between Sept. 22 and Sept. 29.

Pravin Kothari, CEO at CipherCloud:

“Just when we thought things might be improving in healthcare data security, the Atrium Health Breach repositions 2018 as a record year for healthcare cyber attackers. In the first half of 2017, approximately 1.6m+ healthcare records were reported as breached. In the second half of 2017 this number increased slightly to 1.7m+ healthcare records for a grand total in 2017 of about 3.4 million records. In the first half of 2018, we noted roughly 1.9+ million healthcare records breached.

Now, with the Atrium Health breach the ball for the 2nd half of 2018 threatens to set a new half record with over 2.65 million patient records in just one reported event. The moral of the story? Healthcare security, both on-premise and in the cloud, has not caught up with best practices and likely won’t do so anytime soon.

Note that CipherCloud lab analysis is based upon our sources of data which reflect large breaches in the U.S. impacting over 500 patients. This data, in great part, is derived from data which must be reported to the U.S. HHS OCR in the event of a healthcare data breach. HHS OCR administers Health Insurance Portability and Accountability (HIPAA) compliance, which can levy very substantial fines in the event that electronic personal health information (ePHI) has not been protected adequately.”

George Wrenn, CEO and Founder at CyberSaint Security: 

“Naturally, scaling a business includes partnerships. It’s a matter of how to manage the risks that come with a rapidly growing vendor list. Seventy-five percent of mid-sized companies and enterprises expect their vendor list to grow by at least 20% this coming year and beyond. Third party risk management isn’t just a security problem anymore – these issues are making their way up to the Board because higher levels of risk deter business success and growth.

If nothing else, unknown risks within a supply chain can fuel fear around expansion. According to Gartner, 75% of the Fortune 500 will treat Vendor Risk Management as a board-level issue by 2020, driven by uncertainty and the pressing need to manage risk.

Every stakeholder should have easily accessible visibility into where risks lie within any given vendor list, and should be able to have the insights from that information to take meaningful action. There needs to be a better way to manage the growing risk that comes with expanding businesses.”


2019 Security Predictions

Jon Fielding, Managing Director, EMEA at Apricorn:

“Whatever the future holds in terms of new and advancing technologies, the questions we need to answer are the same: what are the security implications, and how do we manage them? Everyone has a view on this, but the overarching response should always be to revert to basic security best practice.

The biggest threats to enterprise data assets are the same ones we were worried about last year – and even a decade ago. Ultimately, our goals remain unchanged: data protection, compliance, breach avoidance, and – worst case scenario – incident response and remediation.

Many security breaches are still down to something as simple as choosing a weak password, using non-encrypted portable devices/hardware, clicking on a link from an untrusted source, a lack of software and systems updates or poor employee education. To avoid putting data at risk and ensure compliance next year, and every year, organisations must create user-friendly policies and procedures and build a maximum level of education and awareness, and ensure sensitive and valuable data remains encrypted at all times.”

Sam Humphries, Senior Product Marketing Manager at Rapid7:

“2019 will see the GDPR really cut its teeth, both from a fining perspective and from a court case point of view. Supervisory authorities (such as the Information Commissioner’s Office) who have the power to audit, investigate, and fine organisations for non-compliance, have already begun issuing fines and enforcement notices under GDPR, and we expect to see this activity increase significantly during next year. There is a strong likelihood that we’ll see a maximum fine (20 million euro or 4% of total revenue) dealt to an organisation, given some of the investigations that are currently ongoing.”

Deral Heiland, IoT Research Lead at Rapid7:

“With the ever growing influx of new IoT products such as stoves, cookers, and microwaves, I expect we will see an increase in physical injuries directly related to the IoT enablement of devices. These devices, on their own, have a risk of physical injury, but with remote, and voice enabled functions they become potentially more dangerous.

With the number of IoT technologies in the workplace beginning to outnumber conventional IT assets, there is an ever increasing probability that these devices will be used as entry points by malicious actors to further compromise corporations for data breaches. Expect in 2019 to see this become a reality and news of several breaches directly tied to installed IoT technology.”

Jose Miguel Esparza, Head of Threat Intelligence at Blueliv:

Increase in IoT attacks

Gartner predicts that by 2020, there will be over 20 billion connected devices – and many of them remain currently comparatively easy to compromise. Indeed, the growth in devices will very likely mirror the growth in IoT-based malware and has already been evidenced in recent years by the likes of Mirai, IoTroop/Reaper and more recently Sharebot attacking routers. Simply put, the pace of innovation and deployment of network connected systems has outstripped the necessary safeguarding measures – and even more worrying, it is often very difficult to retrofit cybersecurity to some of these IoT devices. Risk will remain at a high level in 2019.

GDPR and ‘ransom-hacking’

Barely a week goes by without another breach reported, and while GDPR is already in force, it is fair to say that both companies and regulators have been testing the waters regarding its implementation. Last year we predicted the rise of a phenomenon which has recently been named ‘ransom-hacking.’ In the event of a breach, it has been suggested that some companies would rather pay a ransom to the cybercriminals to recover their data, rather than admit the attack to the regulator and be hit with a penalty. We expect that 2019 will see both heavier implementation of the regulation, and a rise in ransom-hacking too.

Cybersecurity capturing the attention of the board

Cybersecurity is finally getting the attention it deserves in the boardroom. Major attacks on the likes of Facebook or British Airways (to name just two!) have made international headlines, encouraging members of the C-suite to start asking questions of their own security posture. Meanwhile, the threat of GDPR non-compliance has added an extra fear factor. The potential financial, reputational and business costs mean that 2019 will see CEOs, CFOs and Legal breaking down silos within companies, and assessing how integral cybersecurity is to their business strategy. From the other direction, CIOs, CISOs and CTOs will encourage both their peers and the rest of the company to understand the importance of a robust security posture.

Barrier to entry to hackers much lower than before

The barrier to entry for cybercriminals is lower than it has ever been before. It is no longer the reserve of a seasoned hacker to launch an attack on an enterprise, nor is it difficult to get hold of the tools to commit cybercrime. For example, Agent Tesla is openly sold as malware-as-a-service directly from its ‘official’ website, www.agenttesla.com, for prices ranging between $9-15 per month, depending on the length of the subscription, and with the advantage of receiving updates and 24/7 support. It remains a popular choice among cybercriminals due to its price and availability, but it is likely that in 2019 access to malicious programs will be even easier.

Back to the future

Cybercriminals are constantly evolving their techniques to exploit the enterprise, developing new methods to attack and exfiltrate data. However, older unpatched vulnerabilities continue to be exploited to devastating effect – for example, old drivers that aren’t patched enable certain strains of malware to escape sandbox detection, providing an entry point to attackers that might not have been considered by the usual threat detection methods.

APT and targeted attacks continue to rocket

Currently, there has been a failure at the international level to respond to organized crime and clear state-sponsored cyberattacks. Many enterprises and institutions have demonstrated an inability to defend against such attacks, and therefore we expect a continued uplift and increased technical sophistication as APTs grow in confidence and scope. In addition, non-nation-state targeted attacks, carried out by groups such as Cobalt Gang or Anunak/Carbanak, are also likely to see an increase. Threat intelligence is one tool in a deep defence model which allows for enhanced threat mitigation.

The ISBuzz Post: This Post 2019 Security Predictions appeared first on Information Security Buzz.

Krebs Warning To Shoppers About Misleading “Green Padlock” On eCommerce Websites

Krebs on Security reported today that Half of all Phishing Sites Now Have the Padlock and warned: “Maybe you were once advised to ‘look for the padlock’ as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice. New research indicates that half of all phishing scams are now hosted on Web sites whose Internet address includes the padlock and begins with ‘https://’… The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.” In response, security experts commented below.

Nick Bilogorskiy, Cybersecurity Strategist at Juniper Networks:

“The “green padlock” icon is a red herring as it misleads users into having a false sense of security. Many website visitors assume it means a website is safe to use but this is not the case, not by a long shot.

Attackers are always quick to adapt any innovative means to increase the click-through of their phishing sites. It does not cost them anything to get an SSL certificate from Let’s Encrypt to obtain the “green padlock”. In fact, Let’s Encrypt has become the largest certificate issuer in the world with over 380 million certificates issued on 129 million unique domains. That said, I am not surprised that attackers have doubled the number of HTTPS phishing sites in a year.”

Paul Bischoff, Privacy Advocate at Comparitech.com: 

“The study goes to show that there’s no one way to identify a phishing website. Making sure the site has a valid SSL certificate indicated by HTTPS and a padlock in the URL bar is just one step. Users should also look for character replacement (“punycode”), subdomains, and other inconsistencies in a site’s real URL and webpage. You can usually find the real site by Googling the company name, then check it against the suspected phishing URL. Other means of combating phishing usually deal with emails and other means of getting victims to the phishing site.

The PhishLabs study brings up an interesting discussion about the role of certificate authorities and browser makers. Certificate authorities like Let’s Encrypt make the web safer by making it cheap and easy for websites to use HTTPS, but they also lower the barrier for criminals. HTTPS instills trust in site visitors, so some argue certificate authorities should vet who they sell SSL certificates to. On the other hand, many experts argue that browser makers misrepresent what HTTPS accomplishes: encryption and authentication. It does not necessarily verify that the website owner is a legitimate entity.”


Top Black Friday/Cyber Monday Security Threats And How To Avoid Them

With Black Friday and Cyber Monday almost upon us, several cybersecurity experts have given their advice on the top security threats and how to avoid them.

Sam Curry, Chief Security Officer at Cybereason:

Security Risks:

“1) The increase of online credit card collection imposters over the holidays will be apparent as they do more at this time as people balance year-end holiday finances and fear of debt. Example: The consumer stressing out about a high volume of debt they are carrying on multiple credit cards, might receive an email pretending to be from the credit card company saying their account is overdue and is subject to being shut down unless they make a minimum monthly payment. The unsuspecting consumer gives away their credit card information and other personally identifiable information.

2) Holiday Ransomware: While ransomware infections globally are down considerably over the past 3-5 years and in 2018 there hasn’t been a WannaCry or NotPetya attack, it is still an extremely effective method for hackers to make money. Consumers should understand that the pictures and other assets on their computers increase in value to hackers over the holiday season and this means that consumers are more likely to pay ransoms and panic if Ransomware strikes.

3) Phishing scams online are on a meteoric rise over the holidays, especially driven by deals and rebate offers. Basically don’t open any attachments or click on links appearing to be from trusted vendors you shop with. Go directly to the website of the vendor looking for the sales and deals.”

Advice to Reduce Risks While Online Shopping

“1. Remember to know your liability with your credit card and banking cards that can be used online — impose a voluntary limit or hiatus with your company if you don’t like the liability risk.

2. Also, check all of your bills and receipts online: keep a central family register of purchases for cards that you want to track to reconcile.

3. Default to suspicious of any inbound calls — worst case, take a case number, record the inbound source number, independently go to the Web and call support before doing anything as a default way to handle these.

4. If a deal looks too good to be true, it probably is…so don’t click on anything. Do feel free to record coupon and discount codes and to go directly to vendor websites with those codes.

5. Avoid downloading anything from questionable websites. Disable pop up ads on your devices by using trusted software. Always verify the vendor, look for typos or common permutations of email addresses.”

Paul Bischoff, Privacy Advocate at Comparitech.com:

“1. Phishing. Expect a lot of phishing emails claiming to be from retailers, banks, and payment processors. They will try to get you to click on links that lead to forgeries of legitimate websites where you enter your password or credit card information. Don’t click on links in unsolicited emails and always check for valid HTTPS before entering any information into a website.

2. Non-delivery scams. You buy something and it never shows up. This often occurs when a scammy merchant claims there is some problem with Amazon or Ebay’s payment system. They’ll try to contact you and extract payment through some other means. Don’t interact with merchants outside of the marketplace’s official channels.

3. Straight up theft. Thieves will be looking to lift packages off your front doorstep to put under their own Christmas trees. Consider using a locked drop box to receive packages, or install a security camera.

4. Digital credit card skimmers. Hackers compromise a website by installing a keylogger on payment pages. When a buyer enters their information, the keylogger records everything typed in and sends it to the hacker. There’s not much an average person can do to spot or prevent this from happening. It’s up to the website to properly secure their payment gateway.”

Todd Peterson, IAM specialist at One Identity:

“The pure eagerness for people to bag the best deals on Black Friday is a huge threat as people may neglect basic security hygiene in a rush to smash through their loved ones’ Christmas lists. Keen shoppers need to realise that ‘easy’ doesn’t necessarily equate to ‘safe’, so having non-essential websites store their passwords or credit card details or using the same password across all online stores is ill-advised. By taking extra measures, such as using a different password for every website, enabling multi-factor authentication or opting in to extra security provided by your bank, for example, it may be extra steps, but the security payoff will be worth it. After all, if it’s more difficult for you as the shopper, it will be more difficult for hackers. Treat personal online transactions the same as you do for work; if it wouldn’t fly with your boss at work, then reconsider.”

Lamar Bailey, Director of Security Research and Development at Tripwire:

“Your inbox will start getting flooded with Black Friday deals soon if it has not already started. Not all of the emails will be legit, as attackers will take valid emails and change the links to point you to malicious sites that may look like the real things. Always check the sender address to make sure it looks normal and instead of clicking on links go to the company website and the deals will generally be on the front page.

Never use your ATM/Debit card for any transactions. If your number is stolen it can take days for the bank to refund the money to your account and even longer to get a replacement card. If you use a credit card and your number is stolen the credit card company will quickly adjust your account and overnight a new card. The best option is to use virtual credit card account numbers from your credit card company. With these you can set a limit and timeline so there is less opportunity for theft.

Make sure your credit is frozen.”

Jack Baylor, Security Threat Researcher at Cylance:

“Avoid “too good to be true” resellers on auction sites such as eBay, especially for computer games or related products such as “Fifa points”. People often put up faked game codes claiming large discounts compared to buying directly from the game manufacturer or the likes of reputable markets such as Steam, Microsoft Store (Xbox1) or PlayStation Store (PS4). Often consumers are left out of pocket with nothing more than a nonsense string of letters and numbers to show for it.”

Tristan Liverpool, Director of Systems Engineering at F5 Networks:

Below are my tips to help prevent cyber security failures this Black Friday:

Tips for consumers:

Consumers should use well-established, trusted websites, which are much easier to find if you avoid shopping via search engines. Signs of flawed authenticity such as wording or formatting errors are symptomatic of fake websites.

Only shop on locations that are encrypted, demonstrated by the ‘https’ prefix in a retailer’s website and a padlock symbol in the browser.

It’s important to keep an eye out for phishing emails. These usually appear to come from a well-known brand and ask for personal or financial information – something a retailer would never normally do.

Consumers should avoid retailers that ask for payments via money order, pre-loaded money card or wire, methods often associated with scammers.

Tips for retailers:

To help detect fraudulent activity, retailers should monitor regular customers and the devices they normally use for purchases. If an alternative device is used, they can challenge the transaction with additional checks.

Retailers must ensure that they can gather enough transactional data, and therefore evidence, to prove the fraudulent nature of a transaction, or its validity in the case of ‘friendly fraud’. Tactics such as using e-signatures or voice verification can help keep high-value transactions secure.

It’s vital to be able to detect new accounts that have been opened on an online retail store that may be used for fraud purposes. This information can be hooked into shared real-time fraud databases to cross-reference known fraud data such as flagged delivery addresses and mobile numbers, as well as highlighting inconsistencies in sales transactions.

Stephen Ritter, CTO at Mitek:

“The National Retail Federation forecasts an increase in holiday sales over 2017, which may be good for the economy, but also may mean a spike in fraudulent activity for online shopping. Consumers need to remain extra vigilant when scoping out the best deals and discounts and only rely on reputable sites that they can trust.

“The good news is that most consumers are already more cautious when it comes to online interactions and aren’t afraid to take extra precautions when shopping online. In fact, 85% of consumers are more likely to interact with websites that have a ‘seal of approval’, indicating that they verified the identity of all users, versus sites that do not.

This festive season, consumers can protect themselves by checking to see if they are purchasing from a reputable site and actually going to the website itself instead of clicking through pop-up ads and emails. While it may take an extra step, it will save more time and headaches in the long run. Businesses that take the steps to protect consumers are ultimately the ones that will see the most action and ROI.”

Tatyana Sidorina, Security Researcher at Kaspersky Lab:

“The recent incident, which caused the exposure of a large amount of client emails from a popular online shop, is worrying. Emails may seem a small matter compared to the theft of bank details or other data breaches, but this sort of information is in fact precious for scammers.

“It’s important to understand that any personal data can be used by cybercriminals to target their victims. For example, if criminals compromise a company and get hold of their customers’ email addresses, they can create an automatized spam mailout that mimics an authentic email, and entices users to follow a malicious link or download a malicious file onto their devices.

“Now is the time to be extra careful. The world is heading into the busiest shopping season of the year, starting with Black Friday, and people are hurrying to bag fast-disappearing exclusive deals from the tons of e-mails in their mailbox. It’s becoming quite common for people to thoughtlessly compromise their bank accounts by following a phishing link and entering their bank credentials. It’s all too easy to do so. In fact, our research shows that malware designed to steal data from online banking and payment accounts has extended its reach to target online shoppers: in the first eight months of 2018, we detected 14 families of malware like this, targeting 67 different popular consumer brands around the world, including big online retail platforms.

“Amazon sent out a warning as soon as the leak was exposed. And, although Amazon’s actions have been criticized for a lack of technical detail and a recommendation not to change users’ passwords, it’s great that the company’s representatives didn’t hesitate to warn their customers about possible threats, asking them to be on the lookout to minimize possible damage.”

To keep yourself safe from fraudsters this Black Friday, Kaspersky Lab recommends taking the following precautionary measures:

Always check the link address and the sender’s email to find out if they are genuine before clicking anything – very often phishers create URLs and e-mails that are very similar to the authentic addresses of big companies, yet differ from them with one or two letters.
To make sure you follow a correct link, do not click on it, but type it into your browser’s address line instead.
Do not enter your credit card details in unfamiliar or suspicious sites and always double-check the webpage is genuine before entering any personal information (at least take a look at the URL). Fake websites may look just like the real ones.
If you think that you may have entered your data into a fake page, don’t hesitate. Change your passwords and pin-codes ASAP. Use strong passwords consisting of different symbols.
Never use the same password for several websites or services, because if one is stolen, all of your accounts will be put at risk. To create strong hack-proof passwords without having to face the struggle of remembering them, use a password manager such as Kaspersky Password Manager.
To ensure that no one penetrates your connection to invisibly replace genuine websites with fake ones, or intercept your web traffic, always use a secure connection – only use secure Wi-Fi with strong encryption and passwords, or apply VPN solutions that encrypt the traffic. For example, Kaspersky Secure Connection will switch on encryption automatically, when the connection is not secure enough.

Javvad Malik, Security Advocate at AlienVault:

“For consumers, the biggest danger from retail cyberattacks is loss of personal information, such as their Social Security number, date-of-birth, and home address. This information can be used to take control of their assets as well as be sold on black markets like the Dark Web. The best advice for consumers is to more regularly monitor credit, debit and ATM card activity for fraudulent transactions and immediately report anything suspicious.”


6 Months Since GDPR

As tomorrow marks 6 months since the implementation of the General Data Protection Regulation (GDPR), please find below commentary from security experts in relation to GDPR.

Chris Mayers, Chief Security Architect at Citrix:

“Today, there is still a strong chance that a number of organisations could be struggling with issues around data sprawl, the volume of personal customer information and uncertainty around data ownership – as our research from around a year ago suggested.

“The poll also found the average large UK business was reliant on 24 systems to manage and store personal data, with one in five (21 per cent) using over 40 systems to do so. Tackling such data sprawl wasn’t easy then and won’t be now if still the case.

“For those businesses still on the GDPR compliance journey, you cannot afford to rest on your laurels. Public awareness of an organisation’s responsibilities around data protection has never been higher – with breach complaints to the Information Commissioner’s Office on the increase. Reputations and revenues are on the line, and now is the time to ensure a long-term GDPR compliance strategy is in place, if it isn’t already.”

Joe Garber, Global Head of Product Marketing: Information Management & Governance at Micro Focus:

 “Having been in force for just six months, the GDPR has changed the face of data protection as we know it – even at this early stage of its implementation. Businesses and consumers are already seeing the positive consequences of compliance. This extends from improved data privacy and security through to organisations discovering the real value of their data.

“Despite the positive steps forward taken by many organisations, some could do more to capitalise on the innovative business drivers that stem from regulatory compliance. Though the GDPR was primarily intended to safeguard identity and data privacy, organisations can leverage this newfound insight into their data in ways that extend beyond the original intent of the regulation.  Armed with this insight – and naturally balanced with appropriate safeguards to protect customer privacy – organisations can not only manage the bottom line but also drive the top line by identifying untapped revenue streams and unmet customer needs, as well as by streamlining processes.

“Companies are starting to realise that GDPR is, in fact, a catalyst for doing a number of things they should have been doing already.  By bridging formerly distinct data silos and having the ability to then apply analytics across all this information, organisations are not only better protecting sensitive information, but also taking necessary steps to increase revenue and improve business processes.”


York Council App Users Hacked: Nearly 6,000 Affected

In light of the news that the One Planet York app – used by York City Council and its residents – has been hacked and up to 6,000 people may have had their data stolen, IT security experts commented below.

Martin Thorpe, Enterprise Security Architect at Venafi:

“This is a serious breach, with thousands of people having their personal data put at risk. Unfortunately, hacks of this kind are rising year on year though; York is certainly not alone. There are now over 15.5 billion apps in the UK, often containing very personal information – from health data to financials. Yet developers are often more focused on features and usability than on security. In a bid to increase speed to market, developers are prioritising convenience and failing to build security in from the ground up. This rush to get products to market is resulting in corner cutting and sub-standard solutions are flooding the market. A clear example of this is with the use of free or cheap digital certificates, which are used to provide a ‘machine identity’ to prove that a system or app can be trusted and provide the foundations of secure machine to machine communication. Many developers are just picking the quickest or cheapest certificate they can find and there is often a lack of controls in the system that issues them which weakens security and increases the risk of manipulation.”

Jake Moore, Cyber Security Expert at ESET UK:

“Having personal data stolen is a violation of privacy and extremely lucrative to a hacker. Luckily the passwords were encrypted at the time of the breach but this doesn’t mean that an experienced hacker wouldn’t be able to unravel them – especially if it is a relatively easily guessable password, like a simple word and a number. Essentially, if your password may have been used by someone else before online, then it is not secure. My advice is that if your details are on the One Planet York app and your information was stolen or not, you may want to pay extra attention to forthcoming emails over the next few weeks. There may be cleverly designed phishing emails lurking around enticing you to divulge more information or download malware. Luckily, it seems no banking information was stolen but be extra vigilant just in case hackers try to take your identity in order to take cards out in your name.

However, there is also a chance that this “hacker” is an ethical hacker who reported it purely to raise awareness of the potential danger in the app’s weakness.”


How To Navigate Black Friday And Cyber Monday Without Getting Scammed Or Hacked

With Black Friday and Cyber Monday almost upon us, please see below for commentary from cybersecurity experts on how to navigate both shopping days without getting scammed or hacked.

Tim Mackey, Senior Technical Evangelist at Synopsys:

“The core challenge as I see it relates to either inbound email ads or people searching for great deals and ending up in locations they didn’t expect. The key is to identify the legitimate from the fake when a “50% off all iPads” deal is enticing. With all the various data breaches over the past few years, identification is particularly difficult. Some simple options are:

  • If you received a “great deal” email and don’t recognise the source, don’t assume because it’s personalised that it’s legitimate. Visit the website directly and while logged in look for the same deal. If it’s there and still interests you, then go for it. If it’s not then the fact that the deal was tied to clicking a link in an email should indicate just how suspect the offer was.
  • Identifying the legitimacy of a “great deal” found on a non-vendor website is a bit harder. That deal might be the result of the website being an authorised distribution channel for the vendor or the website offering a fake deal. Authorised distribution channels will tend to behave in one of two ways – you’ll either purchase directly from them, or they’ll link you to the vendor’s website and pass along a referral code. The nice thing about authorised distribution channels is that neither party tends to benefit from the relationship being a secret. Perform an internet search with both company names and see if there is mutual identification and endorsement. Another thing to recognise is that if the deal site has you click a link and passes a referral code to the vendor, then that vendor will have your item in their cart. To avoid being scammed, first ensure you’re logged out from the vendor website and then click the link. That way if the deal site was suspect, they’re less likely to get any personal information from the vendor. Assuming the deal does show up in the cart at the correct price, simply login and complete the transaction.”

Larry Trowell, principal consultant at Synopsys:

  • Go directly to the website itself. Don’t trust quick links.
  • Use 2-factor authentication whenever possible.
  • If your credit provider doesn’t offer virtual credit cards, consider using PayPal or Amazon Pay (among other options) as a third-party payment solution. This provides one more layer of security between online stores and your financials.
  • Similarly, Google Pay (among others) will alert you when charges are made to your card. That way, if you’re not the one making a purchase, a red flag is raised early.
  • If you must create a password on the site to complete a purchase, don’t re-use a password. Take advantage of password managers to create new, unique passwords for each site.
  • Don’t allow websites to store your credit card information. Sure, it’s less convenient, but if the website or your account is hacked, the attackers won’t have access to your credit card information.

Nick Murison, Managing Consultant at Synopsys:

“Black Friday and Cyber Monday can make or break a year for retailers, with online becoming a critical channel for most. This necessitates highly available and rock solid systems to deal with what has become a predictable yet simultaneously overwhelming demand. This shouldn’t just be focused on the underlying IT infrastructure; retailers also need to ensure their applications can handle the onslaught, be it their website, their mobile apps or their in-store payment terminals.

For years, the main driver for security within retail appears to have been PCI DSS, the data security standard merchants must comply with to accept and process payment cards. It’s reassuring to see some retailers join the BSIMM community, which may signal an evolution from a compliance-driven mentality to that of a proactive security mindset. Compliance will always be important, but retailers have much to gain from investing in strategic software security initiatives. This is especially true in territories where privacy legislation is getting more strict. Poor software security leading to information disclosure of customer data can now lead to business-altering fines in Europe, for example.”


Vision Direct Breach

European online contact lens supplier Vision Direct has revealed a data breach which compromised full credit card details for a number of its customers, as well as personal information.
Compromised data includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV. IT security experts commented below.

Craig Young, Security Researcher at Tripwire:

Based on the description Vision Direct provided on the types of exposed data, it seems likely that an attacker was able to inject JavaScript onto the main Vision Direct web site. For example, an attacker may have used subdomain takeover techniques like those pioneered by Detectify’s Frans Rosén if Vision Direct was not diligent about maintaining their DNS records. Alternatively, the attacker may have found a way to alter the site through misconfigured load balancers or found some persistent cross-site scripting vulnerability on the main page. Having their JavaScript running on the site would have allowed them to log keystrokes from initial login through entering payment card details but not have access to the full customer database. As an interesting side note to this, I would also point out that PayPal transactions were unaffected. This makes sense as well since the attacker’s JavaScript would only have access to tabs under Vision Direct. This is a huge advantage of these third-party payment services like PayPal, Amazon, and Google because they all redirect to their own secured domains.

In addition to getting new credit cards, anyone who logged into Vision Direct during this time needs to quickly assess whether this password is unique to Vision Direct. A common attacker technique is to reuse email/username and password combinations on other valuable services. Attackers may use this additional access to create a more comprehensive dossier on a victim which can then either be resold for more money or directly used for identity theft.
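The defensive counterpart to the injection scenario described in the comment above is knowing exactly which scripts a payment page is allowed to load. As an added example (not part of the original commentary, and not Vision Direct's or Tripwire's code), this Node.js script audits a page's script tags against an exact-host allowlist and builds the matching Content-Security-Policy; the hosts, sample HTML and function names are constructed for illustration.

```javascript
// Added example. Hosts, HTML and function names are constructed for illustration.

// Parse a tag's attribute text into an object with lower-cased names.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Report every script that could run in the page's origin without review.
// Regex extraction is adequate for an inventory check, not a full HTML parser.
function auditScripts(html, pageUrl, allowedHosts) {
  const page = new URL(pageUrl);
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const type = (attrs.type || "").toLowerCase();
    // Data blocks such as JSON-LD are not executed by the browser.
    if (type && type !== "module" && !type.includes("javascript")) continue;
    if (!("src" in attrs)) {
      const body = m[2].trim();
      // Inline code needs a nonce to survive a strict CSP; anything else is unexpected.
      if (body !== "" && !attrs.nonce) {
        findings.push({ issue: "inline-without-nonce", detail: body.slice(0, 40) });
      }
      continue;
    }
    let src;
    try {
      src = new URL(attrs.src, page);
    } catch {
      findings.push({ issue: "unparseable-src", detail: attrs.src });
      continue;
    }
    if (src.protocol !== "https:") findings.push({ issue: "insecure-scheme", detail: src.href });
    if (src.host === page.host) continue; // first-party script
    if (!allowed.has(src.host)) {
      // Exact-host matching: sibling subdomains are not trusted implicitly.
      findings.push({ issue: "unlisted-host", detail: src.host });
    } else if (!attrs.integrity) {
      findings.push({ issue: "missing-sri", detail: src.href });
    }
  }
  return findings;
}

// Build the script-src policy that enforces the same allowlist in the browser.
function buildCsp(allowedHosts, nonce) {
  const sources = ["'self'", `'nonce-${nonce}'`, ...allowedHosts.map((h) => `https://${h}`)];
  return `script-src ${sources.join(" ")}; object-src 'none'; base-uri 'self'`;
}

// Constructed sample page for a hypothetical shop at shop.example.
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="https://cdn.example/lib.min.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example/analytics.js"></script>
<script src="https://old-promo.shop.example/banner.js"></script>
<script nonce="r4nd0m">window.appConfig = {};</script>
<script>console.log("unreviewed inline block");</script>`;

for (const f of auditScripts(SAMPLE_HTML, "https://shop.example/checkout", ["cdn.example"])) {
  console.log(`${f.issue}: ${f.detail}`);
}
console.log(buildCsp(["cdn.example"], "r4nd0m"));
```

Run against the constructed page, it flags the CDN script without an integrity hash, the script served from a sibling subdomain that is not on the allowlist, and the inline block without a nonce.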

Brooks Wallace, Head of EMEA at Trusted Knight:

“Another large merchant’s website is targeted by hackers for customer payment information, using an attack technique that seems all too familiar in 2018. Capturing customer details as they input them onto the website is also how the British Airways and Ticketmaster hackers operated.

“Vision Direct may seem like an unlikely target. However, the retailer claims to be Europe’s biggest online seller of contact lenses and eye care products, suggesting that it was evidently in the crosshairs for the high volume of customers going through the site. The data they managed to take from Vision Direct is the jackpot for the criminals. Payment card numbers, expiry dates and CVV codes are the holy trinity of details needed to make purchases using customer cards. Obtaining the CVV code is especially bad, as this is usually the key in verifying that you are the real card holder.

“If you entered your details on the Vision Direct website between the affected time window (3rd-8th November) you should cancel your card right away. While it may still be sitting in your wallet, effectively your card has been stolen, and you need to take the same recourse you would if it had been pickpocketed.”


Fake Biometric Fingerprints Can Mimic Real Ones – “Deep Master Prints” Research

New findings from New York University Tandon and Michigan State University on “synthetic biometrics” show how fake biometrics can potentially be used. The paper is titled “DeepMasterPrints: Generating MasterPrints for Dictionary Attacks”, and the Guardian covered it in the story “Fake fingerprints can mimic real ones in biometric systems”. In response, a cybersecurity expert with OneSpan offers perspective.

Sam Bakken, Senior Product Marketing Manager at OneSpan:

“This is impressive research that will contribute to continued improvement in the security of biometric authentication, but that doesn’t mean it’s time for financial institutions to give up on fingerprint recognition and authentication. The research was conducted in a laboratory environment with plenty of resources, and while that doesn’t invalidate the findings, the costs of executing such an attack are far from negligible and attackers probably don’t see a good return-on-investment at this time. In addition, no security system should rely solely on fingerprint authentication. Defense-in-depth with multiple safeguards can prevent such an attack. A layered approach might include taking into account additional contextual data (e.g., whether the authentication event is taking place on a compromised device or via an emulator, etc.) to score the risk associated with the transaction and if that risk is too high, ask the user to provide another authentication factor. Finally, 62 percent of U.S. consumers choose fingerprint as their first or second preference for logging into their banking accounts according to a recent survey from Javelin Strategy & Research. Adding stronger authentication along with other safeguards provides strong security for users and their banking institutions.”

Bimal Gandhi, Chief Executive Officer at Uniken:

“This news of potential synthetic biometrics is alarming and could eventually turn out to be a new permutation in credential stuffing, as hackers are able to access parts of fingerprints, reproduce them, then use them in large scale attacks. Institutions seeking to thwart the threat of these attacks need to move beyond relying on solely a biometric, and consider invisible multifactor authentication solutions that cannot be replicated by third parties, such as cryptographic key based authentication combined with device, environmental and behavioral technologies. By their very nature, they are easy to use, issued and leveraged invisibly to the user, defying credential stuffing and the threat of synthetic biometrics.”


Voxox Database Misconfiguration Exposes 26M SMS Messages

The news broke yesterday that Voxox, a San Diego, California-based communications provider, left a database containing at least 26 million text messages, including password reset links, 2FA codes, shipping notifications and more, exposed without a password. The exposure of personal information, phone numbers and 2FA codes in near-real-time could have put countless accounts at risk of hijack. Some websites only require a phone number to reset an account, meaning that this process could take just seconds. IT security experts commented below.

Jacob Serpa, Product Marketing Manager at Bitglass:

“It does not take much for outsiders to find unsecured databases and access sensitive information. In fact, there are now tools designed to detect abusable misconfigurations within cloud-tools like Amazon’s S3. Voxox’s misconfiguration left more than 26 million MFA codes, password reset links, and delivery tracking details out in the open, compromising the account security of millions.

Over the past year, misconfigurations have grown in popularity as an attack vector across all industries. This highlights the reality that organizations are struggling with limited IT resources and consequently are susceptible to careless and reckless mistakes like misconfigurations. As such, companies must turn to flexible and cost-effective solutions that can help them to defend against data leakage; for example, cloud security posture management (CSPM), data loss prevention (DLP), user and entity behavior analytics (UEBA) and more. Only then can they be certain that their data is truly safe.”

Mark Weiner, CMO at Balbix:

“Unfortunately, these 26 million 2FA codes, password reset links and delivery tracking details leave the exposed individuals easy targets for threat actors engaged in account hijacking. A basic misconfiguration like the one that caused this exposure should never occur; implementing a password is a simple but crucial first step in securing data. The organization and its customers might still be secure if they had early visibility into vulnerabilities across their entire attack surface — including passwords — and been able to correct it shortly after launching the service.

It is mathematically impossible for humans to conduct the continuous monitoring of all IT assets and infrastructure needed to stay ahead of attack vectors—security platforms developed with artificial intelligence and machine learning are essential to support security teams, and proactively manage risk.”

Michael Magrath, Director, Global Regulations & Standards at OneSpan, Inc.:

“This egregious security lapse is significant. The fact that one-time password (OTP) codes were sent via SMS in clear text reinforces NIST’s decision to classify SMS-OTP as a restricted form of authentication in its 2017 revision of Special Publication 800-63-3, “Digital Identity Guidelines.” Like passwords, SMS OTPs are vulnerable to attacks and can be intercepted and reused.

“The fact that messages were sent in clear text with the ability to link one’s mobile phone number to a service provider opens the door to serious privacy infringements. The only good news to come out of this for California-based Voxox is that these security infractions occurred before the California Consumer Privacy Act of 2018 goes into effect in January 2020. The Act defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The article cites that a password was sent in plaintext to a Los Angeles phone number by dating app Badoo, which would be in direct violation of the Act. Let’s hope the Badoo subscriber is not married. If so, they may be no longer.

“For convenience, many people reuse the same password across multiple websites. Intercepted passwords sent in plain text could open a user to account takeover at their bank, brokerage, and favorite e-commerce sites. Even more reasons why websites should accept strong authentication for users to access and make transactions. Technologies like Intelligent Adaptive Authentication — which analyzes and scores hundreds of user, device, and transaction data in real-time to determine the precise authentication requirements for each transaction — are beneficial to organizations of all sizes while offering robust, risk-based security without compromising end-user convenience. With so many frictionless options commercially available, it is more of a question of “why not” rather than “when.”

Bimal Gandhi, Chief Executive Officer at Uniken: 

“Using SMS for authentication opens up several threat vectors for firms to worry about including device swap, SIM swap and number porting. Companies using SMS should be put on high alert, as that data can be combined with commonly available personal information on the dark web and used in large scale attacks. While SMS is commonplace and easy to set up, companies need to make the right choice when choosing between doing what’s easy and doing what’s most secure for their customers and their firm.”


Japan’s Cybersecurity Minister Admits He’s ‘Never Used A Computer’

Japan’s new cybersecurity minister has ‘never used a computer’–claiming to have delegated to staff and secretaries since he was 25. This is especially interesting because his duties include overseeing cyber-defense preparations for the 2020 Olympic Games in Tokyo. In addition, Sakurada allegedly struggled to answer a follow-up question about whether USB drives were in use at the country’s nuclear power stations.

With cybercrime expected to cost global businesses over $2 trillion by 2019, this revelation has raised concern, and the impact could weigh on Japan’s state of cybersecurity.

Two cybersecurity experts have commented on the incident below.

Bryan Becker, Application Security Researcher at WhiteHat Security:

“With Japan’s new Cybersecurity Minister Yoshitaka Sakurada admitting he’s never used a computer in his life, we can expect to see some unusual developments coming from their end. Remember when Zuckerberg was interviewed by a special hearing, and senators asked him questions as if they had never used the internet before? Not to be outdone, Sakurada is going to be developing policy without even having used a computer before!

All of that aside, if Sakurada is going to be effective, one likely option would be for him to turn to the private sector for help. There are probably going to be some very lucrative contracts available for partnerships with the Japanese government in the near future.

On the other hand, there is something to be said of the security of a man who’s never used a computer in his life. You can’t hack something that’s not there!”

Jeremy Cheung, Vulnerability Verification Specialist at WhiteHat Security:

“Whereas it’s generally possible for someone to be in a managerial position, without holding any technical expertise, it isn’t ideal for achieving high-quality results. Due to the nature of the cybersecurity industry involving not only technical devices but private data and personally identifiable information, the ramifications of someone in this position not holding any hands-on industry experience are quite severe. Without having ever even used a computer, Sakurada’s knowledge of cybersecurity practices, exploits and remediation are theoretical at best, which greatly increases the chance of compromise and a potential repeat of the Pyeongchang Winter Olympic Games Cyberattack. In preparation for the 2020 Olympic Games, Sakurada should definitely get in the trenches with his staff and experience what goes on in building a secure cyber-defense plan. To stop a hacker, you have to try to think like a hacker!”


French Film Company Pathe Loses €19m In BEC Scams

The Dutch branch of the French film production and distribution company Pathé has lost over 19 million euros to BEC scammers, Dutch News reported.

Information about how the scammers pulled it off has been gleaned from court documents relating to an unfair dismissal lawsuit brought against Pathé France by Edwin Slutter, the Dutch branch’s former chief financial officer.

Commenting on the news and offering advice are the following security professionals:

Javvad Malik, Security Advocate at AlienVault:

BEC or CEO scams are very common tactics used by criminals. Because there is no malware, it relies purely on tricking the recipient. Therefore, employees should receive training in learning how to spot such emails, as well as knowing how and who to escalate suspicious emails to.

Segregation of duties would also have helped. The fact that only one employee was able to make such large payments was a process weakness that the criminals exploited.

Tim Sadler, Co-founder and CEO at Tessian:

“As this case indicates, fraudsters have a highly sophisticated understanding of the industry and individuals that they are targeting. This means that the email impersonation methods they use, such as spoofing trusted contacts – Pathé’s chief executive in this case – can be so advanced, that they are indiscernible to unsuspecting employees, including C-level executives.

Instances like this, where the attacker targets high profile employees to steal large sums of money or highly sensitive data, are known as whaling attacks. Senior executives are targeted because they have access to lucrative data, and they have the power to authorise high-value money transfers.

Human error is natural and inevitable. Therefore, if Pathé wishes to prevent whaling and phishing attacks and the significant financial and reputational damage they cause, it is imperative that the company implements a solution that doesn’t rely solely on employee vigilance and/or an existing rule-based security system(s) that has, up to this point, failed to protect the network. Hopefully, this incident will act as a wake-up call to the company: every employee is susceptible, regardless of their seniority, so every employee must be protected. Increasingly, organisations are protecting their people and data by applying machine intelligent technologies that automatically and comprehensively analyse the content and characteristics of inbound email to determine whether it is legitimate or a phishing email.”
