Monthly Archives: September 2016

Ransomware Is Now Officially Extortion Under California Law


Of course everyone knows that hacking into a computer is a federal crime, and infecting a system with ransomware already falls into that bucket. However, California’s SB-1137, signed into law last Tuesday by Governor Jerry Brown, is the first law that specifically expands extortion statutes to cover ransomware.

The bill’s support in the California Senate was helped by testimony from Hollywood Presbyterian Medical Center, where operations were largely shut down by a ransomware infection. The attackers released the decryption key after the hospital paid $17,000 in Bitcoin.

Ransomware operators are very good at hiding their tracks, and very few people have been arrested for ransomware attacks in the continental U.S. From our perspective, the California bill is more of an “awareness” measure than anything else. Some attackers apparently decided to make a point of it: soon after the California Senate passed the bill, the Senate’s own website was hit with ransomware, and in a separate attack the office of Sen. Bob Hertzberg, who introduced the bill, was hit as well.

Though ransomware has existed in some form since the late 1980s, it has skyrocketed since CryptoLocker appeared in September 2013. Europol declared Wednesday that it is the internet’s “most prominent malware threat.” The FBI has issued multiple warnings to American businesses. Prevention requires a multi-layered approach.

Here Are 8 Things To Do About It (apart from having weapons-grade backup)
  1. From here on out, treat any ransomware infection as a full compromise: wipe the machine and re-image from bare metal.
  2. If you have no Secure Email Gateway (SEG), get one that does URL filtering, and make sure it is tuned correctly.
  3. Patch your endpoints religiously, both the OS and third-party applications.
  4. Make sure your endpoints and web gateway have security layers whose signatures and reputation data are updated frequently (every few hours or faster).
  5. Identify users who handle sensitive information and enforce some form of higher-trust authentication (such as 2FA) for them.
  6. Review your internal security policies and procedures, specifically those governing financial transactions, to prevent CEO fraud.
  7. Check your firewall configuration and make sure no criminal network traffic is allowed out: workstations should reach the internet only through the proxy, with everything else denied by default.
  8. Deploy new-school security awareness training that covers social engineering via multiple channels, not just email.

Since phishing has become the #1 malware infection vector, and attacks get through your filters too often, giving your users effective security awareness training that includes frequent simulated phishing attacks is a must.
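As an added illustration of item 7 in the list above (this is not code from the original post), the following Python script audits a firewall’s allowed-outbound log against an egress policy in which only the web proxy may reach the internet, and only on ports 80 and 443. The address ranges, the proxy host, the five-field log format and the log lines themselves are all constructed for the example.

```python
import ipaddress

# Assumed network layout for this example (not from the original post):
# 10.0.0.0/8 is internal; 10.10.0.10 is the web proxy, the only host that
# may talk to the internet directly, and only on 80/443.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
EGRESS_HOSTS = {ipaddress.ip_address("10.10.0.10")}
EGRESS_PORTS = {80, 443}

# Ports that should never be reachable from inside to the internet, with the
# reason each matters for ransomware and its C2 / exfiltration channels.
SUSPECT_PORTS = {
    53: "DNS to an external resolver (tunnelling / C2 channel)",
    25: "direct SMTP (spam or exfiltration relay)",
    445: "SMB to the internet",
    9001: "Tor ORPort",
}

# Constructed sample of connections the firewall ALLOWED out, one per line:
# src_ip src_port dst_ip dst_port proto. Not taken from any real network.
SAMPLE_LOG = """\
10.10.5.21 51234 10.10.0.10 3128 tcp
10.10.5.21 51235 10.10.0.53 53 udp
10.10.5.21 51236 8.8.8.8 53 udp
10.10.5.44 49822 203.0.113.7 443 tcp
10.10.5.44 49830 198.51.100.9 9001 tcp
10.10.5.44 49831 198.51.100.9 445 tcp
10.10.9.3 40000 192.0.2.77 25 tcp
10.10.0.10 33001 203.0.113.80 443 tcp
"""


def parse_line(line):
    src, sport, dst, dport, proto = line.split()
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "proto": proto,
    }


def audit(log_text):
    """Return (src, dst, dport, reason) for every allowed connection that
    leaves the internal range without going through the proxy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        c = parse_line(line)
        if c["dst"] in INTERNAL:
            continue                      # internal traffic: not egress
        if c["src"] in EGRESS_HOSTS and c["dport"] in EGRESS_PORTS:
            continue                      # the proxy doing its job
        reason = SUSPECT_PORTS.get(c["dport"], "direct internet access bypassing the proxy")
        findings.append((str(c["src"]), str(c["dst"]), c["dport"], reason))
    return findings


if __name__ == "__main__":
    for src, dst, dport, reason in audit(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dport}  {reason}")
```

Feed a real export in the same five fields and every line it prints is either a workstation bypassing the proxy or a port that should never leave the network. Ransomware needs an outbound path to fetch its payload and report back to its operators, so closing these paths is exactly the firewall check item 7 asks for.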

 

IT Security Vulnerabilities that Can Lead to an Inside Job

Vlad de Ramos, a 22-year veteran of IT management and IT security, is today’s guest blog writer, giving us some practical advice on IT security vulnerabilities. What a timely piece of writing: so many industries are facing security issues today, both external and internal. Vlad will cover how to take steps to guard your business on all fronts. Please help me welcome Vlad to TheDigitalAgeBlog.

A data breach can happen to anyone, and IT security failures are not only damaging and costly for businesses: customers suffer as well, and people lose their jobs.

In a study conducted by Scott & Scott, LLP, researchers found that 85 percent of the businesses surveyed had suffered a data security breach. Despite the prevalence, about 46 percent did not deploy encryption after the failure. About 74 percent of the companies surveyed reported losing customers, while others faced potential lawsuits (59 percent) and fines (33 percent).

It’s not enough that you guard your business against outside threats. There are many dangers inside the organization that should be managed before they can cost your leadership team their jobs and the business its integrity.

Companies that take IT security seriously guard their business on all fronts. Unfortunately, many companies admit that they are still lacking when it comes to securing themselves from the inside, and one reason many organizations fail to set up effective safeguards is that they are in denial about the magnitude of the IT security threat posed by an inside job.

Here are some of the reasons your employees can contribute to IT security failures.

Inside Insider Jobs

There are a variety of reasons a company’s own employees take part in inside jobs: financial gain, desire for power and recognition, revenge on a co-worker or boss, and blackmail from inside or outside the organization.

Some employees are lured into inside jobs out of loyalty to people in the organization or to colleagues who recently left on bad terms, while others act on personal or political beliefs.

There are also insider jobs linked to activist groups and organized crime. In a 2012 report, Carnegie Mellon University’s CERT Insider Threat Center found that of 150 cases of insider IT security failures analyzed, about 16 percent were linked to organized crime.

According to psychologist Monica Whitty of the University of Leicester, employees who “willingly” assist in IT security attacks may exhibit one or more of the following traits: narcissism, psychopathy, and Machiavellianism, defined as “the employment of cunning and duplicity in statecraft or in general conduct”.

A 2013 study by the Centre for the Protection of National Infrastructure (CPNI) found that people who engage in insider attacks tend to show two or more of the following qualities: low self-esteem, lack of ethics, immaturity, a tendency to fantasize, impulsiveness, lack of conscientiousness, instability, and manipulativeness.

Regarding work behaviors, the CPNI study found that insiders often engage in unusual copying, such as creating copies of sensitive material beyond what is necessary and removing protective markings from documents when making their own copies. Insiders also often engage in unusual IT activity, such as searching a company-sensitive database for keywords.

Management Vulnerabilities

Motivations and unusual behaviors are only one side of the story.

The lack of an effective IT security program opens up vulnerabilities inside the organization that employees can exploit. Some of these include:

  • Administrator and other privileged access that isn’t monitored.
  • Unattended company devices such as USB drives and laptops.
  • Hard drives that weren’t properly disposed of (wiped or physically destroyed).

But even with an advanced security practice, human error still poses a threat. Most of the time these are innocent mistakes caused by a lack of IT security knowledge: improper file transfers, unauthorized uploads and downloads, and using personal devices in the workplace for business purposes.

In other cases the damage is intentional and rooted in management issues. Disgruntled, burned-out, and dissatisfied employees can turn into accomplices. The Verizon 2016 Data Breach Investigations Report found that employees transferred data via USB before they left the company. Companies with fraud detection were able to identify the employees who leaked information within weeks; those without took months or years.
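The Verizon observation above, that departing employees copied data to USB before leaving, is easy to turn into a detection when HR departure dates and removable-media events are both available. The script below is an added example, not part of Vlad’s post or of the Verizon report: the event format, the HR list, the 14-day window, the 5x ratio and the 100 MB floor are all assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

# Constructed removable-media events: timestamp,user,device,bytes_written.
# Made up for this example; the format is an assumption about what a DLP or
# USB-monitoring export looks like.
SAMPLE_EVENTS = """\
2016-08-03T10:00:00,alice,USB-Kingston,1000000
2016-08-17T10:00:00,alice,USB-Kingston,1500000
2016-08-31T10:00:00,alice,USB-Kingston,1200000
2016-09-20T22:41:00,alice,USB-Kingston,4200000000
2016-09-27T23:05:00,alice,USB-Kingston,3900000000
2016-08-05T11:00:00,bob,USB-SanDisk,500000
2016-09-02T11:00:00,bob,USB-SanDisk,800000
2016-09-25T11:00:00,bob,USB-SanDisk,600000
2016-09-21T14:00:00,carol,USB-SanDisk,5000000000
"""

# Constructed HR feed: user -> last working day (notice already given).
DEPARTURES = {"alice": "2016-09-30", "bob": "2016-09-30"}


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, device, nbytes = line.split(",")
        events.append((datetime.fromisoformat(ts), user, device, int(nbytes)))
    return events


def flag_pre_departure_copies(events, departures, window_days=14, ratio=5.0,
                              min_bytes=100_000_000):
    """Flag departing users whose USB volume in the final `window_days`
    exceeds `ratio` times their own earlier rate (scaled to the same window)
    and an absolute floor, so a handful of small copies is never flagged."""
    findings = {}
    for user, last_day in departures.items():
        end = datetime.fromisoformat(last_day) + timedelta(days=1)   # include the last day
        start = end - timedelta(days=window_days)
        mine = [(ts, b) for ts, u, _, b in events if u == user]
        in_window = sum(b for ts, b in mine if start <= ts < end)
        before = [(ts, b) for ts, b in mine if ts < start]
        if before:
            span_days = max((start - min(ts for ts, _ in before)).days, 1)
            baseline = sum(b for _, b in before) / span_days * window_days
        else:
            baseline = 0.0   # no history: any large copy in the window is notable
        if in_window >= min_bytes and in_window > ratio * baseline:
            findings[user] = {"window_bytes": in_window, "baseline_bytes": round(baseline)}
    return findings


if __name__ == "__main__":
    for user, f in flag_pre_departure_copies(parse_events(SAMPLE_EVENTS), DEPARTURES).items():
        print(f"{user}: {f['window_bytes']:,} bytes to USB before departure "
              f"(baseline for the same window: {f['baseline_bytes']:,})")
```

In the sample, alice is flagged and bob is not; carol’s large copy goes unnoticed because she is not on the HR list, which is why a departure-based rule needs a companion rule that looks for volume spikes regardless of employment status. The point of tying it to the HR feed is the one the report makes: the signal is there in the weeks before someone leaves, not months afterwards.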

Secure Your Posts

Don’t just look for loopholes in the IT infrastructure. To ensure the safety of your business and customers, you also have to assess the people within your organization. Secure all your posts by looking not just from the outside in but also from the inside out.
Please feel free to comment on Vlad’s post.

ABOUT THE AUTHOR:
Vlad de Ramos has been in the IT industry for more than 22 years, focusing on IT Management, Infrastructure Design and IT Security. He is a certified information security professional, a certified ethical hacker, a forensics investigator, and a certified information systems auditor. Vlad joins Homegrown.ph to help increase knowledge on IT security awareness in the Philippines. Outside the IT field, he is a professional business and life coach, a teacher, and a change manager.

Yahoo says 500 million accounts stolen

Yahoo confirmed on Thursday that data “associated with at least 500 million user accounts” was stolen in what may be one of the largest cybersecurity breaches ever.

The company said it believes a “state-sponsored actor” was behind the data breach, meaning an individual acting on behalf of a government. The breach is said to have occurred in late 2014.

“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” Yahoo said in a statement.
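Why “hashed with bcrypt” matters, as an added example that is not part of the CNN report or Yahoo’s statement: the script below builds a small constructed credential table, stores it once as unsalted MD5 and once with a salted, iterated hash, then runs the same four-word dictionary attack against both. Python’s standard library has no bcrypt, so PBKDF2-HMAC-SHA256 stands in; the property demonstrated (a per-user salt plus a tunable work factor) is the same one bcrypt provides. The usernames, passwords and wordlist are made up, and the iteration count is deliberately low so the demo runs in milliseconds.

```python
import hashlib
import hmac
import os

# Constructed credential table and attacker wordlist for the demonstration.
# No real accounts or real dumps are involved.
USERS = {
    "alice": "password123",
    "bob": "letmein",
    "carol": "correct horse battery staple",
    "dave": "password123",
}
WORDLIST = ["123456", "password123", "letmein", "qwerty"]

# Deliberately low so the demo runs quickly; real deployments use far more
# (bcrypt expresses the same idea as a cost factor).
ITERATIONS = 10_000


def store_unsalted(password):
    """The weak scheme: one plain MD5 per password, identical for equal passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password, salt=None):
    """Per-user random salt + iterated PBKDF2-HMAC-SHA256 (stand-in for bcrypt)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_salted(password, record):
    salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_unsalted(dump, wordlist):
    """Hash the wordlist once, then look every user up in that one table.
    Returns (cracked users, number of hash computations)."""
    table = {store_unsalted(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(dump, wordlist):
    """With unique salts there is no shared table: every guess must be
    recomputed for every user, each at the full iteration cost."""
    cracked, work = {}, 0
    for user, record in dump.items():
        for w in wordlist:
            work += 1
            if verify_salted(w, record):
                cracked[user] = w
                break
    return cracked, work


# The two "breach dumps" an attacker would be holding under each scheme.
UNSALTED_DUMP = {u: store_unsalted(p) for u, p in USERS.items()}
SALTED_DUMP = {u: store_salted(p) for u, p in USERS.items()}

if __name__ == "__main__":
    c1, w1 = crack_unsalted(UNSALTED_DUMP, WORDLIST)
    c2, w2 = crack_salted(SALTED_DUMP, WORDLIST)
    print(f"unsalted MD5:  cracked {sorted(c1)} with {w1} hash computations")
    print(f"salted PBKDF2: cracked {sorted(c2)} with {w2} derivations of {ITERATIONS} iterations each")
```

Both attacks recover the same weak passwords, which is the point Yahoo’s advice to change passwords addresses. The difference is cost: against unsalted MD5 the attacker hashes the wordlist once and reuses it across all 500 million users, and alice and dave are visibly the same password before any cracking starts; with per-user salts and a work factor, every guess is a separate expensive computation for every account, so the time to work through a dump grows with the number of users as well as the size of the wordlist.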

Yahoo urges users to change their password and security questions and to review their accounts for suspicious activity.

The silver lining for users — if there is one — is that sensitive financial data like bank account numbers and credit card data are not believed to be included in the stolen information, according to Yahoo.

Yahoo is working with law enforcement to learn more about the breach.

“The FBI is aware of the intrusion and investigating the matter,” an FBI spokesperson said. “We take these types of breaches very seriously and will determine how this occurred and who is responsible. We will continue to work with the private sector and share information so they can safeguard their systems against the actions of persistent cyber criminals.”

A large-scale data breach was first rumored in August, when a hacker going by the name “Peace” claimed to be selling data from 200 million Yahoo users online. The same hacker has previously claimed to sell stolen accounts from LinkedIn and MySpace.

Yahoo originally said it was “aware of a claim” and was investigating the situation. Nearly two months later, it turns out the situation is even worse.

“This is massive,” said cybersecurity expert Per Thorsheim on the scale of the hack. “It will cause ripples online for years to come.”

U.S. Sen. Richard Blumenthal called for tougher legislation to “make sure companies are properly and promptly notifying consumers when their data has been compromised.”

“If Yahoo knew about the hack as early as August, and failed to coordinate with law enforcement, taking this long to confirm the breach is a blatant betrayal of their users’ trust,” he said in a statement.


Re/code first reported that Yahoo would confirm the data breach.

The data breach comes at a sensitive time for Yahoo.

Verizon agreed to buy Yahoo’s core properties for $4.83 billion in late July, just days before the hack was first reported. The deal is expected to close in the first quarter of 2017.

Verizon says it only learned of the breach this week.

“Within the last two days, we were notified of Yahoo’s security incident,” a spokesperson for Verizon said in a statement provided to CNNMoney.

“We understand Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact.”

The mega-breach could create a headache for both companies, including damaging press, scrutiny from regulators and a user exodus, just as they’re working to close the deal and figure out the future of Yahoo.

Blumenthal said law enforcement and regulators “should investigate whether Yahoo may have concealed its knowledge of this breach in order to artificially bolster its valuation in its pending acquisition by Verizon.”

Sixth Circuit: Suit Challenging Data Breach Caused by Hacking May Proceed


Hackers take Remote Control of Tesla’s Brakes and Door locks from 12 Miles Away


Next time you find yourself behind the wheel, make sure your car is actually under your control.

Hackers can remotely hijack your car and even control its brakes from 12 miles away.

Today many automakers offer vehicles in which most functions are electronically controlled, from the instrument cluster to the steering, brakes, and accelerator.

These electronic control systems improve the driving experience, but they also increase the risk of being hacked.

The most recent car hack was performed on a Tesla Model S by a team of security researchers from Tencent’s Keen Security Lab, who demonstrated how they hijacked the car by exploiting multiple flaws in the latest models running the most recent software.

The team said the hacks worked on multiple Tesla models and believed they would work across the whole range.

“We have discovered multiple security vulnerabilities and successfully implemented remote, aka none physical contact, control on Tesla Model S in both Parking and Driving Mode,” Keen writes in a blog post. “We used an unmodified car with the latest firmware to demonstrate the attack.”
“As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars.”

In a YouTube video, the team of Chinese researchers Sen Nie, Ling Liu, and Wen Lu, along with director Samuel Lv, demonstrated how they could remotely apply a Tesla’s brakes from 12 miles away by compromising the CAN bus that controls many of the vehicle’s systems.

The researchers were also able to remotely unlock the doors, take over the dashboard computer screen, open the boot, move the seats, activate the indicators and windscreen wipers, and fold in the wing mirrors while the vehicle was in motion.

The initial compromise requires the car to be connected to a malicious Wi-Fi hotspot and is only triggered when the car’s web browser is used; the 12 miles refers to how far away the attacker can be once that foothold exists.

The team demonstrated the attacks against a Tesla Model S P85 and a Model S 75D and said its attacks would work on multiple Tesla models. It was able to compromise the cars in both parking and driving mode, at slow speed in a car park.

Tesla Releases Firmware v7.1 (2.36.31) To Patch It

“Within just 10 days of receiving this report, Tesla has already deployed an over-the-air software update (v7.1, 2.36.31) that addresses the potential security issues. The issue demonstrated is only triggered when the web browser is used, and also required the car to be physically near to and connected to a malicious Wi-Fi hotspot. Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly.”

Thankfully, the vulnerabilities were privately disclosed to Tesla and the company addressed the issues worldwide with an over-the-air software update.

The Keen team credited Tesla’s “proactive attitude” toward its vulnerability report for getting the fix to customers within ten days, whereas other automakers have needed far more time and more complex procedures to update vehicles after major bug disclosures.

The team has planned to release details of its hacks in coming days, Keen said on Twitter.

FBI Director — You Should Cover Your Webcam With Tape

Should you put tape or a sticker over the lens of your laptop’s webcam?

Yes. Even Facebook CEO Mark Zuckerberg and FBI Director James Comey do.

Covering your laptop’s webcam is a very cheap and effective way to guard against hackers and intruders who might want to watch your private life and surroundings through your devices.

In fact, Comey recently came out defending his own use of tape to cover his personal laptop’s webcam.

People Are Responsible for Their Safety, Security & Privacy

During a conference at the Center for Strategic and International Studies, when Comey was asked whether he still puts tape over his cameras at home, he replied:

“Heck yeah, heck yeah. And also, I get mocked for a lot of things, and I am much mocked for that, but I hope people lock their cars… lock your doors at night. I have an alarm system. If you have an alarm system you should use it, I use mine.”

Comey went on to explain that it is common practice at the FBI and other government offices to cover computer and laptop webcams with tape or a physical cover.

“It’s not crazy that the FBI Director cares about personal security as well,” he continued. “If you go into any government office, we all have our little camera things that sit on top of the screen, they all have a little lid that closes down on them, you do that, so people who do not have authority don’t look at you, I think that’s a good thing.”

Comey believes that putting a cover over webcams is one of the “sensible things” that everyone should be doing to “take responsibility for their own safety and security.”

Edward Snowden’s leaks revealed Optic Nerve, a GCHQ program run with NSA assistance that captured webcam images every five minutes from random Yahoo users; in one six-month period in 2008, images from 1.8 million users were captured and stored on government servers.

Internet of Things: Security Nightmare

However, putting tape over the lens of your computer’s webcam does not solve the whole problem, especially in an era when we are surrounded by so many Internet-connected devices that are a security nightmare.

Because of insecure implementations, these Internet of Things (IoT) devices, security cameras included, are so vulnerable that attackers routinely hijack them and use them as weapons in cyber attacks.

So it is far easier for attackers to compromise your security cameras than your laptop’s webcam in order to watch you and your surroundings.

Do you feel the need to use a tape over your webcam? Let us know your comments.

Federal Judge: Hacking Someone’s Computer Is Definitely a ‘Search’

Courts across the country can’t seem to agree on whether the FBI’s recent hacking activities ran afoul of the law—and the confusion has led to some fairly alarming theories about law enforcement’s ability to remotely compromise computers.

In numerous cases spawned by the FBI’s takeover of a dark-web site that hosted child abuse images, courts have split on the legality of an FBI campaign that used a single warrant to hack thousands of computers accessing the site from unknown locations, using malware the FBI calls a Network Investigative Technique, or NIT. Some have gone even further, arguing that hacking a computer doesn’t constitute a “search,” and therefore doesn’t require a warrant at all.

But a federal judge in Texas ruled this week that actually, yes, sending malware to someone’s computer to secretly retrieve information from it—as the FBI did with the NIT—is a “search” under the Fourth Amendment.

“[T]he NIT placed code on Mr. Torres’ computer without his permission, causing it to transmit his IP address and other identifying data to the government,” Judge David Alan Ezra wrote Friday in a ruling for one of the NIT cases, in San Antonio, Texas. “That Mr. Torres did not have a reasonable expectation of privacy in his IP address is of no import. This was unquestionably a ‘search’ for Fourth Amendment purposes.”

As obvious as that sounds, not everyone agrees. Previously, another judge in Virginia stunningly ruled that a warrant for hacking isn’t required at all, because a defendant infected with government malware “has no reasonable expectation of privacy in his computer.”

That judgment was a leap from several other rulings in which judges held that users of the Tor anonymity network, where the illegal site was hidden, have no expectation of privacy in their IP address, even though hiding your IP is the entire point of using Tor. The argument, which the Department of Justice apparently agrees with, is that Tor users technically “reveal” their true IP address to another computer when they first enter the Tor network, through an entry point called a “guard node.” (That computer cannot determine which sites the user visits, however.)

But while the FBI’s use of malware was definitely a search, Judge Ezra of Texas nevertheless denied the defendant’s motion to suppress evidence obtained by the NIT.

That’s because it could not be shown that the FBI “willfully” violated Rule 41(b), a procedural rule meant to stop magistrate judges from authorizing searches outside their districts. The FBI is now controversially seeking to amend that rule, which would let it obtain warrants to hack computers anywhere, not just within the district where the hacking was authorized.

Instead, Judge Ezra wrote that the NIT warrant “has brought to light the need for Congressional clarification regarding a magistrate’s authority to issue a warrant in the internet age, where the location of criminal activity is obscured through the use of sophisticated systems of servers designed to mask a user’s identity.”