Monthly Archives: April 2016

Email Scams and Awareness

Email_Scam

Emails are the fastest means of communication! This is what we studied in our childhood. And how true! It indeed is. Today, no one can imagine living without an email ID. No work can be completed without the use of emails. Whether it be a job application, or inviting your friends to a party.

This culture of emails has opened up a lot of loopholes which can be exploited by the online scammers to gain monetary or other profits. Scammers these days have been employing new tools and methods to ruin common netizens’ experience of the web. Thus, in this article, we shall be enlisting some common email scams to make you aware of them and the methods to stay protected.

1. Phishing Attacks
Phishing attacks are when an email is sent to you containing a link to a webpage which looks strikingly similar to an authentic webpage. And once you put in your private information such as login credentials, credit card numbers then such data are stored in the depositories of such scammers which can be used later to give action to their malicious intent.

In order to avoid such attacks, recheck the URL of the webpage you’re accessing. If you observe even a slight difference, then close the tab and thank the almighty. Think twice before divulging your personal information on any webpage. Do not download any attachment until you’re 100% sure about the authenticity of the sender. Enable 2-factor-verification for websites which allows so.

2. Nigerian Prince Scam
You might have come across an email stating that you have inherited millions of dollars of a ‘Nigerian Prince’ since he died in a plane crash. Such emails are called “419” emails or Nigerian scams. The poor English in such emails is the first giveaway. However, many newbies on the internet including the senior citizens give into such emails and fall for the trap. Through their sweet talks, they will coerce you into depositing few thousands as the “transfer expenses”. And you guessed right about what happens next!

Avoiding such scams are simple. DO NOT RESPOND TO SUCH EMAILS seems to be the only solution. If you have responded out of curiosity then do not send your personal information and do not deposit any amount that they ask you to do.

3. Viruses in email
Online scammers are smart enough to create a program that can send your banking information as soon as you conduct a monetary transaction over the internet. Such programs or viruses can be attached to the emails as a picture or video or other executable files. And once you click onto it, it latches on to your system and gives out the required information to the hacker.

Updating your OS as well as the antivirus on your system is the key to avoiding such attacks. Scan all your attachments in your emails for viruses and malware and if anything looks suspicious then do not click on them. If you do, then you stand the chance of losing all your hard earned money.

4. Lottery Scam!
Similar to the Nigerian Prince scam, lottery scams, too, are rampant. Needless to say but such emails are fraudulent and believe me, no one is going to give you even $5, forget about the $5 million you just “won.” This is another tactic of collecting your personal information and gaining monetary profit through the “processing fee”.

The solution is simple. Do not fall into the trap. Report such emails as spam and block the email address from sending you such emails again.

Endnote
The advent of technology has made the scammers, too, advance. Above tactics employed by them have been successful for them for a very long period. It’s easy to fall into their traps if you’re not aware of such scams. But once, you’re aware, make sure to not fall or any of the above. Keep your eyes open for any scandalous emails and follow the suggestions given above to avoid the catastrophe.

Law firms should update potential electronic security vulnerabilities

Expect_Us

The Panama Papers scandal should prompt law firms, and other professional services firms, to update their electronic security measures, says Toronto business lawyer Joel Berkovitz.

Panamanian law firm Mossack Fonseca, which specializes in the creation of offshore companies, claims it was the victim of a hacking in the massive leak of its client files — a reported 11.5 million documents covering a 40-year period — turned over to journalists from news outlets around the world.

“This is a bit of a warning signal for Canadian law firms, and other professional entities regarding their electronic security measures,” says Berkovitz, a lawyer with Shibley Righton LLP.

He says the reputational damage done to the firm as a result of the leak could pale in comparison to the financial burden it could face in the years to come.

“This is a huge problem for the law firm because, if they were negligent in their electronic security system, they could be liable to clients for any damage that flows from the material that was leaked. If there are fines or prosecutions as a result, they might look to sue the law firm for damages,” Berkovitz tells AdvocateDaily.com.

Internet security experts recently told Wired magazine that the law firm’s front-end computer systems, such as its webmail and client portal software, were outdated and shot through with security vulnerabilities.

“If I were a client of theirs I’d be very concerned that they were communicating using such outdated technology,” Alan Woodward, a professor of computer science at the U.K.’s Surrey University, told Wired.

Berkovitz says there is a chance prosecutors will try to use the leaked documents even though, had they not been leaked, many would be covered by solicitor-client privilege.

“Solicitor-client privilege generally covers all legitimate communications between clients and their lawyers, and is fiercely guarded by courts,” he says. “Lawyers can’t waive privilege over documents, because the privilege is not theirs to waive, but in cases of inadvertent disclosure the courts sometimes find that that privilege has been lost. If governments try to bring prosecutions based on the leaked documents, expect to see a fierce fight over whether solicitor-client privilege has been lost.”

The Canada Revenue Agency (CRA) has requested access to the documents in order to determine whether any tax rules were broken by holders of the offshore accounts, while the Royal Bank of Canada has defended its role after it emerged it used Mossack Fonseca to create more than 370 foreign corporations for its clients over the course of many years, the CBC reports.

“Right now, there seems to be some limited ties to Canada, but no evidence of any wrongdoing,” Berkovitz says. “Given the vast scope of the documents though, it’s likely more ties to Canada will be discovered as time goes on.”

But, he warns, people shouldn’t look at this as a smoking gun. 

“People are jumping to a lot of conclusions that offshore accounts and holding companies are necessarily evidence of tax evasion or any other illegal activity,” Berkovitz says. “That may be true for some of these entities, but there are all sorts of legitimate tax-planning reasons for using these types of companies. It comes down to the difference between legitimate strategies to minimize your tax obligations versus tax evasion.”

He says the CRA will look at transactions to determine if they comply with s. 245 of the federal Income Tax Act, the General Anti-Avoidance Rule. The rule requires all transactions to be carried out for a bona fide purpose other than to avoid tax.

“A transaction will not offend the Anti-Avoidance Rule as long as the primary purpose of the transaction is not to avoid tax,” Berkovitz says. “If you’re a global company with operations in many countries, there are many legitimate business reasons why you may need to set up a company in Panama or another low-tax jurisdiction.”

The Future of Passwords and Biometrics

Biometrics
In today’s world filled with computers, smartphones, and other smart gadgets, passwords have played an important role. Passwords have played a key role in authenticating one’s identity online. But how long do you think this authentication measure will work? The power of the computers is increasing every day. Such computers, when used by hackers and scammers, can prove to them as an effective tool for cracking passwords and accessing our online databases.

Simple or even complex passwords are easily crack able thanks to the advances in the field of technology. There has been a growing demand for using biometrics in place of textual passwords. But are biometrics as safe and secure as its supporters claim it to be?

In this article, we shall be analyzing the future of passwords and the shift in the methods of authenticating your identity. We shall also be analyzing about the various option available to us in case passwords are proved to be ineffective in the near future. Keep reading:

Are biometrics really that secure?

You may say that biometrics are the most secure way of authentication. However, biometrics has its own flaws, sometimes, even more dangerous than those in the textual passwords. Biometrics involve various methods like retina scan, finger-print scans, facial recognition. All these methods have their own merits and flaws. However, thinking them of being flawless is an overstatement which can cost you dearly.

Consider the following situation: You are “under the influence” of drugs or alcohol. Someone knowingly/forcefully puts your thumb on the finger-print sensors and steals your data.

What do you do in such a situation? Can you change your biological information? Someone said it right, that “I can change my password, but I can’t change my eyeballs!” Further, there are chances of such biometric data being stolen from the server of such companies storing such data and reverse engineered to create another set of biometric credentials to hack into your system.

What might be the future?

There are already several features in the present world which is a reflection of what is to come in the near future. There are Bluetooth bands around your arms to unlock your phone, or gadgets that follow your voice commands. Apart from these, your behavioral patterns may also be used in the future to authenticate yourself. Given below are a list of behavioral pattern which could be used for authentication purposes:

·         Characteristics of speech

“Voiceprints” will not be enough. Voiceprints will be supplemented with additional information like accent, emotional state, cadence, which will form a part of a strong password.

·         Blinking

MasterCard has already implemented the Identity Check system whereby you can use a selfie to authenticate yourself. In addition to selfies, the check also requires you to blink.  The blink patterns may prove to be a key factor in differentiating between the true user and an imposter.

·         Walking

You walking pattern might also add a layer of security. You speed, or gait will provide your devices with sufficient information to determine the authenticity of the owner.

From the above discussion, it becomes very clear that passwords and biometrics are not secure enough in today’s online world. There, definitely, is a need for a stronger authentication method which has no or little loopholes. There is a need to add another layer to the biometrics to beef up the security.

In the near future, we might see a combination of biometric authenticators and other methods to enable swift and secure authentication into our devices.  Hopefully, this will be done soon and in an efficient manner so that chances of being compromised remains minimal.

FBI Quietly Admits to Multi-Year APT Attack, Sensitive Data Stolen

shutterstock_70882576-680x400

he FBI issued a rare bulletin admitting that a group named Advanced Persistent Threat 6 (APT6) hacked into US government computer systems as far back as 2011 and for years stole sensitive data.

The FBI alert was issued in February and went largely unnoticed. Nearly a month later, security experts are now shining a bright light on the alert and the mysterious group behind the attack.

“This is a rare alert and a little late, but one that is welcomed by all security vendors as it offers a chance to mitigate their customers and also collaborate further in what appears to be an ongoing FBI investigation,” said Deepen Desai, director of security research at the security firm Zscaler in an email to Threatpost.

Details regarding the actual attack and what government systems were infected are scant. Government officials said they knew the initial attack occurred in 2011, but are unaware of who specifically is behind the attacks.

“Given the nature of malware payload involved and the duration of this compromise being unnoticed – the scope of lateral movement inside the compromised network is very high possibly exposing all the critical systems,” Deepen said.

In its February bulletin, the FBI wrote: “The FBI has obtained and validated information regarding a group of malicious cyber actors who have compromised and stolen sensitive information from various government and commercial networks.

The FBI said the “group of malicious cyber actors” (known as APT6 or 1.php) used dedicated top-level domains in conjunction with the command and control servers to deliver “customized malicious software” to government computer systems. A list of domains is listed in the bulletin.

“These domains have also been used to host malicious files – often through embedded links in spear phish emails. Any activity related to these domains detected on a network should be considered an indication of a compromise requiring mitigation and contact with law enforcement,” wrote the FBI in its bulletin.

When asked for attack specifics, the FBI declined Threatpost’s request for an interview. Instead, FBI representatives issued a statement calling the alert a routine advisory aimed at notifying system administrators of persistent cyber criminals. “The release was important to add credibility and urgency to the private sector announcements and ensure that the message reached all members of the cyber-security information sharing networks,” wrote the FBI.

Deepen told Threatpost the group has been operating since at least since 2008 and has targeted China and US relations experts, Defense Department entities, and geospatial groups within the federal government. According to Deepen, APT6 has been using spear phishing in tandem with malicious PDF and ZIP attachments or links to malware infected websites that contains a malicious SCR file. The payload, Deepen said, is often the Poison Ivy remote access tool/Trojan or similar. He said the group has varied its command-and-control check-in behavior, but it is typically web-based and sometimes over HTTPS.

Experts believe that attacks are widespread and not limited to the US federal government systems. “The same or similar actors are compromising numerous organizations in order to steal sensitive intellectual property,” wrote Zscaler in a past report on APT6.

In December 2014, US government systems were compromised by hackers who broke into the Office of Personnel Management computer systems. That data breach, where 18 million people had their personal identifiable information stolen, didn’t come to light until months later in June of 2015.

Russian cyber criminal targets elite Chicago law firms

russian-cyber-criminal-targets-elite-chicago-law-firms

Photo by ThinkStock

A Russian cyber criminal has targeted nearly 50 elite law firms, including four in Chicago, to collect confidential client information for financial gain.

The mastermind, a broker named “Oleras” living in Ukraine, has been attempting since January to hire hackers to break into the firms’ computer systems so he can trade on insider information, according to a Feb. 3 alert from Flashpoint, a New York threat intelligence firm.

Kirkland & Ellis, Sidley Austin, McDermott Will & Emery and Jenner & Block all were listed on a spreadsheet of potential marks. It named 46 of the country’s largest law firms, plus two members of the UK’s Magic Circle.

A spokeswoman for Flashpoint said the firm had notified law enforcement and declined to comment further.

The FBI was investigating as of March 4, when it published its own industry alert detailing the threat. The agency’s press office did not return a message seeking comment.

Kirkland was aware of the threat, and no client data was accessed, the firm’s chief information officer, Dan Nottke, said in an email. The firm subscribes to several security information-sharing services, including ones operated by the FBI and the Financial Services Information Sharing and Analysis Center, the cybersecurity information clearinghouse for the financial services industry.

Spokesmen for McDermott and Jenner declined to comment. Messages to Sidley seeking comment were not returned.

Law firms have largely trailed their clients in confronting the possibility of hackers accessing their networks for illegal profit. Though they hold vast repositories of confidential information, many firms are slow to adopt up-to-date defenses against malware and spyware, said Jay Kozie, principal at Keno Kozie Associates, a Chicago-based law firm technology consultancy.

“I’ve always been surprised, frankly, that the law firms have not been more aggressively targeted in the past,” he said. “If you’ve got confidential information about a merger or a patent, it’s going to be very valuable.”

In this latest scheme, Oleras posted on a cyber criminal forum a plan to infiltrate the law firms’ networks, then use keywords to locate drafts of merger agreements, letters of intent, confidentiality agreements and share purchase agreements. The list of targeted law firms also included names, email address and social media accounts for specific employees at the firms.

“Overall, Oleras wanted to know in advance which companies were going to be merged with the help of the stolen law firm documents and subsequently leverage this information to execute algorithmic insider trading activities,” the Flashpoint alert says, with the money then laundered through front companies in Belize and Cypriot bank accounts.

The broker hoped to recruit a black-hat hacker to handle the job’s technical aspects for $100,000, plus another 45,000 rubles (about $564). He offered to split the proceeds of any insider trading 50-50 after the first $1 million.

On Feb. 22, another Flashpoint alert noted that Oleras had singled out eight lawyers from top firms, including one from Kirkland’s management committee, for a sophisticated phishing attack. The phishing email appeared to originate from an assistant at trade journal Business Worldwide and asked to profile the lawyer for excellence in M&A.

Targeted Firms
A Russian cyber criminal has targeted 48 law firms, including four in Chicago.

Firm
Akin Gump Strauss Hauer & Feld
Allen & Overy
Baker & Hostetler
Baker Botts
Cadwalader Wickersham & Taft
Cleary Gottlieb Steen & Hamilton
Covington & Burling
Cravath Swaine & Moore
Davis Polk & Wardwell
Debevoise & Plimpton
Dechert
DLA Piper
Ellenoff Grossman & Schole
Freshfields Bruckhaus Deringer
Fried Frank Harris Shriver & Jacobson
Gibson Dunn & Crutcher
Goodwin Procter
Hogan Lovells
Hughes Hubbard & Reed
Jenner & Block
Jones Day
Kaye Scholer
Kirkland & Ellis
Kramer Levin Naftalis & Frankel
Latham & Watkins
McDermott Will & Emery
Milbank Tweed Hadley & McCloy
Morgan Lewis & Bockius
Morrison & Foerster
Nixon Peabody
Paul Hastings
Paul Weiss Rifkind Wharton & Garrison
Pillsbury Winthrop Shaw Pittman
Proskauer Rose
Ropes & Gray
Schulte Roth & Zabel
Seward & Kissel
Shearman & Sterling
Sidley Austin
Simpson Thacher & Bartlett
Skadden Arps Slate Meagher & Flom
Sullivan & Cromwell
Vinson & Elkins
Wachtell Lipton Rosen & Katz
Weil Gotshal & Manges
White & Case
Wilkie Farr & Gallagher

Source: Flashpoint Feb. 3 email alert

Microsoft sues U.S. government over data requests

Microsoft

An important case to pay attention to:

SAN FRANCISCO (Reuters) – Microsoft Corp (MSFT.O) has sued the U.S. government for the right to tell its customers when a federal agency is looking at their emails, the latest in a series of clashes over privacy between the technology industry and Washington.

The lawsuit, filed on Thursday in federal court in Seattle, argues that the government is violating the U.S. Constitution by preventing Microsoft from notifying thousands of customers about government requests for their emails and other documents.

The government’s actions contravene the Fourth Amendment, which establishes the right for people and businesses to know if the government searches or seizes their property, the suit argues, and Microsoft’s First Amendment right to free speech.

The Department of Justice is reviewing the filing, spokeswoman Emily Pierce said.

Microsoft’s suit focuses on the storage of data on remote servers, rather than locally on people’s computers, which Microsoft says has provided a new opening for the government to access electronic data.

Using the Electronic Communications Privacy Act (ECPA), the government is increasingly directing investigations at the parties that store data in the so-called cloud, Microsoft says in the lawsuit. The 30-year-old law has long drawn scrutiny from technology companies and privacy advocates who say it was written before the rise of the commercial Internet and is therefore outdated.

“People do not give up their rights when they move their private information from physical storage to the cloud,” Microsoft says in the lawsuit. It adds that the government “has exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations.”

SURVEILLANCE BATTLE

The lawsuit represents the newest front in the battle between technology companies and the U.S. government over how much private businesses should assist government surveillance.

By filing the suit, Microsoft is taking a more prominent role in that battle, dominated by Apple Inc (AAPL.O) in recent months due to the government’s efforts to get the company to write software to unlock an iPhone used by one of the shooters in a December massacre in San Bernardino, California.

Apple, backed by big technology companies including Microsoft, had complained that cooperating would turn businesses into arms of the state.

“Just as Apple was the company in the last case and we stood with Apple, we expect other tech companies to stand with us,” Microsoft’s Chief Legal Officer Brad Smith said in a phone interview after the suit was filed.

One security expert questioned Microsoft’s motivation and timing. Its lawsuit was “one hundred percent motivated by business interests” and timed to capitalize on new interest in customer privacy issues spurred in part by Apple’s dispute, said D.J. Rosenthal, a former White House cyber security official in the Obama administration.

As Microsoft’s Windows and other legacy software products are losing some traction in an increasingly mobile and Internet-centric computing environment, the company’s cloud-based business is taking on more importance. Chief Executive Satya Nadella’s describes Microsoft’s efforts as “mobile first, cloud first.”

Its customers have been asking the company about government surveillance, Smith said, suggesting that the issue could hurt Microsoft’s ability to win or keep cloud customers.

In its complaint, Microsoft says over the past 18 months it has received 5,624 legal orders under the ECPA, of which 2,576 prevented Microsoft from disclosing that the government is seeking customer data through warrants, subpoenas and other requests. Most of the ECPA requests apply to individuals, not companies, and provide no fixed end date to the secrecy provision, Microsoft said.

Microsoft and other companies won the right two years ago to disclose the number of government demands for data they receive. This case goes farther, requesting that it be allowed to notify individual businesses and people that the government is seeking information about them.

Increasingly, U.S. companies are under pressure to prove they are helping protect consumer privacy. The campaign gained momentum in the wake of revelations by former government contractor Edward Snowden in 2013 that the government routinely conducted extensive phone and Internet surveillance to a much greater degree than believed.

Late last year, after Reuters reported that Microsoft had not alerted customers, including leaders of China’s Tibetan and Uigher minorities, that their email was compromised by hackers operating from China, Microsoft said publicly it would adopt a policy of telling email customers when it believed their email had been hacked by a government.

The company’s lawsuit on Thursday comes a day after a U.S. congressional panel voted unanimously to advance a package of reforms to the ECPA.

Last-minute changes to the legislation removed an obligation for the government to notify a targeted user whose communications are being sought. Instead, the bill would require disclosure of a warrant only to a service provider, which retains the right to voluntarily notify users, unless a court grants a gag order.

It is unclear if the bill will advance through the Senate and become law this year.

Separately, Microsoft is fighting a U.S. government warrant to turn over data held in a server in Ireland, which the government argues is lawful under another part of the ECPA. Microsoft argues the government needs to go through a procedure outlined in a legal-assistance treaty between the U.S. and Ireland.

Twitter Inc (TWTR.N) is fighting a separate battle in federal court in Northern California over public disclosure of government requests for information on users.

The case is Microsoft Corp v United States Department of Justice et al in the United States District Court, Western District of Washington, No. 2:16-cv-00537.

Who is responsible for your cloud application breach?

Cloud_Security

Cloud application security has been a big concern of lately due to several data breaches occurring in the cloud services such as the icloud hack, Target, Home Depot, United States internal Revenue system. Therefore the security of application poses a question as where does the responsibility of the application security lie?
Is it with the vendor or the company or person availing the services? The answer goes both sides, as the security aspect of the server side is only covered by the vendor of the cloud application services the client side still needs the security which is mostly overlooked by the people or the companies.
The client side application security is of utmost importance as only the server side security is not enough to protect the application from security breaches.
The different kind of security threats which pose a great danger to the cloud application security are as follows:

Data breaches

  • Account Hijacking
  • Compromised credentials
  • Permanent Data loss
  • Shared Technologies
  • Cloud service abuse
  • Hacked Interface and API

Data Breaches

This is one of the biggest threat to the cloud services because of the vast amount of data stored on the cloud servers. The sensitivity of the data can be imagined easily, as the cloud is storing the financial details as well as personal details of millions of people. And if this vast amount of data is breached in any case it will cause a downfall of the company and also a threat to the lives of people who have been exposed due to the breach.

 Account Hijacking

This attack has been there for a quite long time, it includes Fraud, Phishing, Software Exploits etc. Using these kind of attacks, the cloud services can be compromised and can lead to launching of other attacks, changing the settings of account, manipulate transactions, uploading malwares and illegal contents.

 Compromised Credentials

The credentials are compromised generally due to weak passwords, casual authentication, poor key or certificate management. Also the identity access management becomes a problem as the user access are sometimes not changed with the job role and responsibilities or when the user leaves the organization.
Embedding credentials and cryptographic keys in source code and leaving them in the online repositories such as GitHub also makes a big vulnerability which can be exploited easily. Aligning the identity with the cloud provider needs an understanding of the security measures taken in account.

 Permanent Data Loss

Malicious hackers have gained access to the cloud services and deleted data permanently in the past affecting the business. Also the cloud data centers are vulnerable to natural disasters which can swipe away the data which has been stored on the cloud.
If the user encrypts the data before uploading to the cloud and loses the key then data is lost. Thus the client side protection of data should be managed and well kept. Permanent data loss can lead to financial crisis and disruption of the working system.

 Shared Technologies

As the cloud service providers share infrastructure, platforms and applications from different sources therefore any reconfiguration or vulnerability in these layers affects the users and can also lead to compromise of the users system as well as the cloud depending upon the potential of the vulnerability.
Thus the security alone at the cloud server side is not only the real issue, Security has to be maintained at a vast level consisting of all the aspects of the cloud environment. The client side also needs to be secured as the attacks also possible from the client side due to low or no security measures.

 Cloud Service Abuse

Cloud applications are breached to gain access to the commanding position in the cloud where the resources can be used for different malicious purposes such as launching a DDOS attacks or sending bulk spams and phishing emails, breaking an encryption key or hosting Malicious content.
This abuse may lead to unavailability of the services or can also lead to loss of data of the users stored on the cloud, therefore it is very much necessary to secure the applications from abuse.

 Hacked Interface and API

To build an application now the developers are using ready to use interfaces and API to make their work simple, but these API’s and Interfaces tend to be the most exposed part of the system as they are available freely on the internet.
Almost every cloud service and application now offer API, IT reams are using these interfaces to interact with the cloud services such as management, provisioning, monitoring etc. Thus the level of threat to the cloud services increases manifold. This requires rigorous code reviews and penetrating testing to secure the application and services.

 Conclusion

As we see that there are a lot of possibilities of breaching your data stored in the cloud due to the importance of data. Therefore your data cannot be secured alone just by the cloud service provider, there is a shear work required from the client side to protect the application and data from the outer security threats. Therefore security audits should be done in order to secure your precious data from threats.

Ransomware: Lucrative, fast growing, hard to stop

103537634-GettyImages-492752888.530x298

The hackers behind recent high-profile ransomware attacks on U.S. hospitals are using business methods that might be familiar to some Silicon Valley start-ups.

Cybercriminal gangs are attacking large markets with rich customers. They offer a product with a clear value proposition (giving you back your seized data) that alleviates a specific pain point (the inability to run your business). They act with agility and stealth enabling them to outwit the competition. They are also scrappy, often bootstrapping their illicit businesses.

“It is an economic business system, it is just perpetrated at a criminal level,” said Matt Devost, CEO of FusionX, a unit of Accenture. “There are a lot of analogies between that and a start-up environment.”

What started as a basic scam — extorting, say, a $300 ransom from a grandmother wanting to get family photos back — has escalated. Last year there was a “reported loss of more than $24 million as a result of ransomware attacks,” according to the FBI, a figure that surely massively underrepresents the scale of the problem due to the unwillingness of many victims to report.

The start-up costs for an illicit ransomware business are minimal. The hackers write their own code or buy ransomware as a service on the black market, often as part of a suite of other products.

Many groups are already operating other cybercriminal businesses, so getting into the ransomware business is just another way of leveraging existing talent and infrastructure. It requires minimal investment, is relatively low risk and the returns are potentially massive.

 

Enterprise victims frequently have no choice but to pay up, since hackers are often able to seize backup data as well, said Denise Anderson, president of the National Health Information Sharing and Analysis Center. “So if they need to stay in business, they are paying it.”

With the recent attacks on U.S. hospitals, the assailants are expanding beyond consumer to enterprise “customers” — their victims — and adjusting pricing accordingly. For example, Hollywood Presbyterian Medical Center in Los Angeles paid a ransom of $17,000 in bitcoin in February. Other enterprises are likely paying a lot more than that already, said experts. (The FBI does not condone payment of ransom, an agency official told CNBC.)

Read MoreThe hospital held hostage by hackers

“Last year alone there was a reported loss of more than $24 million as a result of ransomware attacks” -FBI official

“I imagine it will hit into the millions of dollars, if they are able to infect some of the right types of targets in an enterprise environment,” said Devost.

Like smart start-up CEOs, the hackers are testing the market and refining the business model. As the vast majority of attacks are likely settled without going public, more research is needed to figure out just how profitable the business really is, said experts. Unlike the criminal networks, which often share information freely, many of the victims do not.

“The cybercriminals collude when their business model merits it,” said Anderson. “Shame on us for not working together to protect against them.”

 

The most lucrative potential victims have a specific set of characteristics. They hold critical information and infrastructure, have immature and vulnerable security programs and the ability to pay the ransom. Small- to medium-sized U.S. hospitals have proven to be a sweet spot in ransomware because of their often poor security infrastructure as well as the willingness to pay to retrieve patient data, get back online quickly and prevent reputational damage.

“We will see much more successful attacks in other industries,” said Ed Cabrera, vice president of cybersecurity strategy at Trend Micro.

Law firms, which protect confidential and valuable information about their clients, and venture-backed start-ups that have invested in developing intellectual property are two targets criminals may increasingly go after, he said.

“It is an economic business system, it is just perpetrated at a criminal level” -Matt Devost, CEO of FusionX, a unit of Accenture

The black market for high-value trade secrets or intellectual property is a lot more lucrative than the market for personally identifiable information, which is fairly saturated after numerous data breaches, said Devost. It is also a lot riskier, potentially exposing hackers attempting to sell their ill-gotten goods to law enforcement.

Within businesses, it is almost always employees at the top and bottom of the pyramid who represent the best “leads” for attackers. Often, hackers will specifically target C-level executives with high-level access to an entire corporate network, or find success when low-level employees click on something they should not, said Vinny Troia, CEO of cybersecurity consulting firm Night Lion Security.

In a perhaps counterintuitive twist, some ransomware criminals actually want to make their attacks “user friendly” for their victims. Like legitimate businesses, they want to maintain a five-star rating, said experts. Some will offer the opportunity for victims to “try before they buy,” unencrypting a small portion of the files held hostage to prove they can deliver the product — a decryption key to get their files back.

 

They are creating user interfaces with sleeker designs and, in some cases, even providing customer support to make it easier to for victims to pay, said Devost. That makes it easier for even low-level victims — i.e., the grandma who just wants her photos back, and who has never heard of bitcoin — to make a payment.

“To the extent that you have a support apparatus to help your victims pay tells me there is a lot of money being made,” said Cabrera.

On the back end, the hackers continue to innovate to make ransomware more robust, and to stay one step ahead of cybersecurity companies and law enforcement. When the “good guys” discover a decryption key, they often release it to enable victims to decrypt their own data, undercutting the attackers’ business.

An example of how nimble these illicit enterprises are is shown by the rapid product evolution of CryptoWall, first released in 2014. CryptoWall is one of the most widely used forms of ransomware, and has been updated several times to make it stronger, said cybersecurity and threat intelligence firm Webroot in its 2016 Threat Brief.

CryptoWall 3.0 is smarter, more secure and stealthier than previous generations. The malware generates unique encryption keys instead of using one key for all infections, secures the master key itself to prevent unauthorized access, and conceals the location of the servers containing the decryption keys and payment mechanisms, among other things.

“In late 2015, CryptoWall 4.0 was released, with numerous enhancements to help sidestep security software,” said Webroot.

 

The next evolution of CryptoWall will likely more aggressively try to encrypt attached network storage devices, Devost said.

The software is largely operated by criminal gangs, many with ties to organized crime, often located in Eastern Europe and Russia.

“Whenever it comes to malware that is written with the focus of strictly making more of a profit, it has typically come out of that region of the world,” said Brian Calkin, vice president of operations at the Center for Internet Security.

For example, the architect believed to be behind CryptoLocker, Evgeniy Mikhaylovich Bogachev, remains at large, and is suspected to be in Russia. “Many of the most sophisticated cybercriminal actors are located in jurisdictions that do not cooperate directly with the United States,” said the U.S. Department of Justice on March 4 in response to an inquiry by Sen. Tom Carper (D-Del.) about the challenges in bringing the suspected criminals behind these types of ransomware attacks to justice.

“If all individuals and businesses backed up their files, ransomware that relies on encrypting user files would not be as profitable a business for cybercriminal actors,” said the DOJ.

The business of backing up data is also booming thanks in part to the recent high-profile ransomware attacks, with cybersecurity companies crowding the market. For example, Code42 provides a backup and real-time recovery solution. The company counts 37,000 organizations — including Lockheed Martin, Mayo Clinic and Kohl’s — as customers.

“If you had our solution you certainly would not have to pay for ransomware,” said Rick Orloff, chief security officer at Code42. “The flip side of the coin is, here is a thousand types of vulnerabilities, do you want to pay to be protected from all of them?”

“Companies need to align around what types of attacks do they want protection from,” he said.

FBI Warns of Cyber Threat to Electric Grid

DHS intel report downplayed cyber threat to power grid

Silhouette of power lines under sunset sky (Blend Images via AP Images)

Silhouette of power lines under sunset sky (Blend Images via AP Images)

Three months after a Department of Homeland Security intelligence report downplayed the threat of a cyber attack against the U.S. electrical grid, DHS and the FBI began a nationwide program warning of the dangers faced by U.S. utilities from damaging cyber attacks like the recent hacking against Ukraine’s power grid.

The nationwide campaign by DHS and the FBI began March 31 and includes 12 briefings and online webinars for electrical power infrastructure companies and others involved in security, with sessions in eight U.S. cities, including a session next week in Washington.

The unclassified briefings are titled “Ukraine Cyber Attack: Implications for U.S. Stakeholders,” and are based on work with the Ukrainian government in the aftermath of the Dec. 23 cyber attack against the Ukrainian power infrastructure.

“These events represent one of the first known physical impacts to critical infrastructure which resulted from cyber-attack,” the announcement by the DHS Industrial Control Systems Cyber Emergency Response Team read.

“The attacks leveraged commonly available tools and tactics against the control systems which could be used against infrastructure in every sector.”

The briefings will outline the details of the attacks, the techniques used by the hackers, and strategies to be used to limit risks and improve cyber security for grid organizations.

Security researchers have concluded the attack was carried out by Russian government hackers based on the type of malicious software, called BlackEnergy, that was detected in the incident.

The threat briefings followed an internal DHS intelligence report published in January that stated the risk of a cyber attack against U.S. electrical infrastructure was low.

“We assess the threat of a damaging or disruptive cyber attack against the U.S energy sector is low,” the report, labeled “for official use only,” says.

The report said advanced cyber attackers, such as nation states like Russia and China, are mainly seeking to conduct “cyber espionage.”

Penetration by foreign hackers into industrial control systems used to remotely control the electrical power grids as well as water and other infrastructure “probably is focused on acquiring and maintaining persistent access to facilitate the introduction of malware, and likely is part of nation-state contingency planning that would only be implemented to conduct a damaging or disruptive attack in the event of hostilities with the United States,” the eight-page report states.

The majority of malicious cyber attacks against energy companies was downplayed as “low-level cybercrime that is likely opportunistic in nature rather than specifically aimed at the sector, [and] is financially or ideologically motivated, and is not meant to be destructive.”

The report also sought to dismiss public references to “cyber-attacks” as exaggeration. “Overuse of the term ‘cyber attack,’ risks ‘alarm

“Overuse of the term ‘cyber attack,’ risks ‘alarm fatigue,’ which could lead to longer response times or to missing important incidents,” the report said.

The report raises questions about whether DHS, which has primary responsibility for protecting U.S. government computer networks and works with the private sector to prevent cyber attacks, understands the infrastructure cyber threat and is seeking to downplay the threat for political reasons.

The Obama administration has adopted an approach that seeks to play down foreign national security threats under conciliatory foreign policies pursuing warmer relations with states such as Russia, China, and Iran.

The DHS report, however, contrasts sharply with recent statements by Adm. Mike Rogers, commander of the Cyber Command, who warned recently that a major cyber attack by nation-states against critical infrastructures poses a major security threat.

“It is only a matter of the ‘when,’ not the ‘if’—we’re going to see a nation-state, group, or actor engage in destructive behavior against critical infrastructure in the United States,” Rogers, who is also director of the National Security Agency, said in a speech March 2.

Rogers described the Ukraine cyber attacks as “a well-crafted attack” that temporarily disrupted electrical power in Ukraine.

The four-star admiral said the cyber attack also included the use of sophisticated monitoring of how Ukrainian authorities reacted to the attack. The attackers then took additional cyber measures designed to slow down the process of restoring electrical power, he said.

“Seven weeks ago it was the Ukraine. This isn’t the last we’re going to see this, and that worries me,” Rogers said.

A report by the State Department-led Overseas Security Advisory Council, a public-private security group, provided details of the Ukrainian electrical grid attack from open sources.

“While cyber attacks on critical infrastructure systems have long been viewed as digital aggression with physical consequences, very few have been documented to date, making the late December events in Ukraine a hallmark incident,” the report said, adding that in addition to the power grid, hackers targeted airport, rail and mining system networks.

On Dec. 23, the Ukrainian power provider Prykarpattyaoblenergo, in the western Ukrainian region of Ivan-Frankivsk, was hit by a large-scale breakdown that left 200,000 people in the region without power for several hours.

The cause was determined to be interference with the automated control system from malicious software.

The research group SANS Institute investigated and determined the blackout was caused by hackers who gained remote access and inflicted changes on the electrical distribution system.

“The cyber attack was allegedly timed to occur during a telephone flood aimed at the help desks of Ukrainian electric companies, intending to keep support staff pre-occupied and divert attention from the network intrusion,” the report said.

Other outages occurred in Kyiv Oblast that produced loss of electrical power to 80,000 people. Another unidentified power company in Ukraine also was hit.
The malware used against the three power companies was identified as BlackEnergy 3, which is believed to be Russian in origin and designed to attack infrastructure systems.

“A unique feature of BlackEnergy 3 is its KillDisk function, enabling the attacker to rewrite files on the infected system with random data and blocking the user from rebooting their system, rendering it inoperable,” the report said. “The virus also searches victim computers for software that is primarily used in electric control systems, indicating a potential focus on critical infrastructure systems.”

The Ukraine security service said in a statement that Russia was behind the power grid attack, and the Ukrainian Energy Ministry concluded Feb. 12 that the hackers “used a Russian-based Internet provider and made phone calls from inside Russia as part of a coordinated cyber attack on Ukraine’s power grid.”

The security firm iSight Partners traced the Ukraine cyber attack to a team of Russian hackers called Sandworm and noted that it was among the first destructive cyber attacks by the group that in the past had limited its activities to cyber theft.

The State Department report said some analysts believe power failures from malware cyber attacks “could entice nation-states and other nefarious threat actors to execute similar cyber attacks in the future.”

“However, the incident in Ukraine still remains the first possible instance of a blackout caused by a malicious network intrusion, not yet indicative of a trend,” the report said.

Ukrainian authorities this week disclosed that police and IT companies disrupted a Russian “botnet” server of some 4,000 computers that were hijacked and operated covertly in Ukraine and 62 other countries. The botnet, apparently used for criminal purposes, was code-named Mumblehard.

An FBI spokeswoman referred questions to DHS. A DHS spokesman declined to comment, citing a policy of not commenting on “purportedly leaked documents.”

 

Ponemon Institute Reports Healthcare Data Under Attack by Criminals.

Linux
Results from the Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data have confirmed what many in the healthcare industry had suspected and even feared: 65% of the healthcare organizations participating in the study had experienced electronic information-based security incidents over the past two years. In addition, some 87% of third-party vendors, identified by HIPAA as Business Associates (BAs), reported a data breach in the last two years.

More disturbing is the revelation that for the first time in the history of the study, criminal attacks are the number one cause of data breaches in healthcare. The number of criminal attacks on healthcare organizations and business associates has increased 125% compared to five years ago. According to the study, more than 90% of the healthcare organizations taking part had experienced a data breach, and 40% of the respondents had experienced more than five data breaches over the past two years.

No healthcare organization, no matter its size, is impervious to these attacks. And they are certainly not immune to the side effects of a breach.

The rapid growth of data breaches in the healthcare industry is putting health information at risk at an alarming rate. Moreover, it’s expensive—for all concerned. According to the Ponemon Institute study, “…the average cost of a data breach for healthcare organizations is estimated to be more than $2.1 million…the average cost of a data breach to BAs represented in this research is more than $1 million.”

The study’s findings also reveal that 45% of the healthcare organizations surveyed reported the occurrence of a Cyberattack indicated the source of the attack was criminal, while 12% cited the work of malicious insiders. 39% of the BAs reported breaches caused by criminal attackers while 10% attributed the attacks to malicious insiders.

The study described an increase in Web-borne malware attacks, citing 78% of the healthcare organizations surveyed as having experienced security incidents caused by malware; 82% of BAs had suffered security incidents attributed to malware.

Perhaps one of the most shocking data points reported is that in spite of the increased criminal activity and the rapidly evolving threat environment, the majority of healthcare organizations indicated implementing no changes to what they’re doing or how they’re doing it. Only 40% of healthcare organizations and 39% of BAs surveyed expressed concern about cyberattacks.

Other Findings Giving Cause for Increased Cyber security Measures

Policies and Procedures in Place

The survey results clearly illustrate the reality that healthcare organizations and the BAs with whom they work need to invest more in technologies that allow them to respond quickly to data breaches. While 58% of healthcare organizations responding agreed that they have policies and procedures in place that allow them to detect a data breach quickly and efficiently, fewer than half believe they have sufficient technologies in place to do so — and only 33% were confident they have the resources needed to prevent or quickly detect a data breach. Responses of BAs participating in the survey fell along similar lines. 50% of business associates responding stated that they have the policies and procedures in place to prevent or detect a security incident, while fewer than half believe they have sufficient technologies. Lastly, only 41% of BAs stated that they have adequate resources to be able to identify and repair data breaches.

Top Concerns of Respondents

The research also revealed interesting insights relating to the top concerns of survey respondents. While the number of criminal attacks on healthcare organizations and business associates has increased 125% compared to five years ago (and 45% of the organizations surveyed traced data breaches to criminal activity) only 40% of the respondents were most concerned about Cyberattacks as a security threat. BAs were even less immediately worried with only 35% citing Cyberattacks as a top concern. Here’s an overview of what they reported being most concerned about:

Source: The Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data

The security threats BAs worry about most:

Source: The Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data

How Attacks Are Discovered

Among other key findings detailed in the Poneman report are the statistics relating to how health organizations have uncovered the security attacks. 69% learned of a data breach through an audit or assessment, while 44 % were discovered by an employee. 30% of data breaches were reported by patients, 23% were uncovered accidentally, and 18%came from a legal complaint. Law enforcement was responsible for 6 % of the discoveries and loss prevention teams for 5%.

Source: The Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data  

Business associates reported different statistics, with 60% of data breaches reported as being uncovered by employees and 49% discovered as a result of audit or assessment. BAs said 33% were found accidentally, 21% through a legal complaint, 17% from a patient complaint, 13% from loss prevention teams, and 12% by law enforcement.

Source: The Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data

Conclusion

The findings of the Ponemon Institute survey paint an alarming picture: the healthcare industry, which manages vast amounts of personal data, is under attack by criminal elements and jeopardized by employee negligence, as well as the actions of malicious insiders. The number of data breaches is growing exponentially, and both healthcare organizations, and the business associates who serve them lack sufficient technologies, resources, and processes to ensure data is kept secure.

The report details a slow but steady increase in technologies used by both healthcare organizations and their business associates to detect and mitigate the impact of cybersecurity threats, but concludes that the pace of the investments in both technologies and security expertise is not sufficient at this time.

In conclusion, the Ponemon Institute calls for intensive employee training and awareness programs, ramped up investments in technologies and security expertise, and a broad application of innovative solutions to the industry to improve the current status of the privacy and security of the nation’s healthcare data.