Category Archives: Data Breach

Hackers built a ‘master key’ for millions of hotel rooms

Posted on April 27, 2018 | Leave a comment

Security researchers have built a master key that exploits a design flaw in a popular and widely used hotel electronic lock system, allowing unfettered access to every room in the building.

The electronic lock system, known as Vision by VingCard and built by Swedish lock manufacturer Assa Abloy, is used in more than 42,000 properties in 166 countries, amounting to millions of hotel rooms — as well as garages and storage units.

These electronic lock systems are commonplace in hotels, used by staff to provide granular controls over where a person can go in a hotel — such as their room — and even restricting the floor that the elevator stops at. And these keys can be wiped and reused when guests check-out.

It turns out these key cards aren’t as secure as first thought.

F-Secure’s Tomi Tuominen and Timo Hirvonen, who carried out the work, said they could create a master key “basically out of thin air.”

Any key card will do. Even old and expired, or discarded keys retain enough residual data to be used in the attack. Using a handheld device running custom software, the researchers can steal data off of a key card — either using wireless radio-frequency identification (RFID) or the magnetic stripe. That device then manipulates the stolen key data, which identifies the hotel, to produce an access token with the highest level of privileges, effectively serving as a master key to every room in the building.

This wasn’t an overnight effort. It took the researchers over a decade of work to get here.

The researchers started their room key bypass efforts in 2003 when a colleague’s laptop was stolen from a hotel room. With no sign of forced entry or unauthorized access to the room, the hotel staff are said to have dismissed the incident. The researchers set out to find a popular brand of smart lock to examine. In their words, finding and building the master key was far from easy, and took “several thousand hours of work” on an on-off basis, and using trial and error.

“Developing [the] attack took considerable amount of time and effort,” said Tuominen and Hirvonen, in an email to ZDNet.

“We built a RFID demo environment in 2015 and were able to create our first master key for a real hotel in March 2017,” they said. “If somebody was to do this full time, it would probably take considerably less time.

There was good news, the researchers said.

“We don’t know of anyone else performing this particular attack in the wild right now,” said the researchers, downplaying the risk to hotel customers.

Their discovery also prompted Assa Abloy to release a security patch to fix the flaws. According to their disclosure timeline, Assa Abloy was first told of the vulnerabilities a month later in April 2017, and met again over several months to fix the flaws.

The software is patched at the central server, but the firmware on each lock needs to be updated.

 

Leave a comment

Posted in Cyber Security, Data Breach, Hacking

Tagged ,

Cybersecurity for Executives

Posted on April 12, 2018 | Leave a comment


Looking forward to another local speaking event here in Sacramento:

By invitation only, DSA Technologies is hosting FBI expert Kurt Pipal and licensed Computer Forensics Investigator Michael Reese to discuss the current state of Cybercrime in the Northern California & Sacramento Area. Executives who are responsible for the public perception for their organizations should attend.
This event will feature several security topics frequently seen in the news today, including:
• Financial Fraud
• Intellectual Property Threats
• Ransomware
• Identity Theft
• Phishing/Social Engineering scams
• Attacks on Critical Infrastructure
Where: Morton’s Steakhouse
621 Capitol Mall, Sacramento, CA 95814
When: April 19th @ 11:30AM
Event Partners: FBI, Palo Alto Networks

https://info.dsatechnologies.com/cybersecurity-executives?utm_medium=email&_hsenc=p2ANqtz-87pG_MltR6-NVDUCbEqHXmas6WEnVdPihwf6CQZKXnI7oZBdlSlwOQD-on1JuQWymhLINfPsaZYxcDFufz1yiaEKOklqJGsr8ZnhofQ5pdK4P60aQ&_
hsmi=61681952&utm_content=61681952&utm_source=hs_email&hsCtaTracking=00e12be2-db07-4fe5-8ea2-5a7a5ab18189%7C9cb78923-d767-46b3-bc62-b8a4d0c88fa6

 

Leave a comment

Posted in Cyber Security, Data Breach, Forensic, Hacking

Tagged ,

GitHub Survived the Biggest DDoS Attack Ever Recorded

Posted on March 7, 2018 | Leave a comment

On Wednesday, at about 12:15 pm EST, 1.35 terabits per second of traffic hit the developer platform GitHub all at once. It was the most powerful distributed denial of service attack recorded to date—and it used an increasingly popular DDoS method, no botnet required.

GitHub briefly struggled with intermittent outages as a digital system assessed the situation. Within 10 minutes it had automatically called for help from its DDoS mitigation service, Akamai Prolexic. Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets. After eight minutes, attackers relented and the assault dropped off.

The scale of the attack has few parallels, but a massive DDoS that struck the internet infrastructure company Dyn in late 2016 comes close. That barrage peaked at 1.2 terabits per second and caused connectivity issues across the US as Dyn fought to get the situation under control.

“We modeled our capacity based on fives times the biggest attack that the internet has ever seen,” Josh Shaul, vice president of web security at Akamai told WIRED hours after the GitHub attack ended. “So I would have been certain that we could handle 1.3 Tbps, but at the same time we never had a terabit and a half come in all at once. It’s one thing to have the confidence. It’s another thing to see it actually play out how you’d hope.”

Akamai defended against the attack in a number of ways. In addition to Prolexic’s general DDoS defense infrastructure, the firm had also recently implemented specific mitigations for a type of DDoS attack stemming from so-called memcached servers. These database caching systems work to speed networks and websites, but they aren’t meant to be exposed on the public internet; anyone can query them, and they’ll likewise respond to anyone. About 100,000 memcached servers, mostly owned by businesses and other institutions, currently sit exposed online with no authentication protection, meaning an attacker can access them and send them a special command packet that the server will respond to with a much larger reply.

Unlike the formal botnet attacks used in large DDoS efforts, like against Dyn and the French telecom OVH, memcached DDoS attacks don’t require a malware-driven botnet. Attackers simply spoof the IP address of their victim and send small queries to multiple memcached servers—about 10 per second per server—that are designed to elicit a much larger response. The memcached systems then return 50 times the data of the requests back to the victim.

Known as an amplification attack, this type of DDoS has shown up before. But as internet service and infrastructure providers have seen memcached DDoS attacks ramp up over the last week or so, they’ve moved swiftly to implement defenses to block traffic coming from memcached servers.

“Large DDoS attacks such as those made possible by abusing memcached are of concern to network operators,” says Roland Dobbins, a principal engineer at the DDoS and network-security firm Arbor Networks who has been tracking the memcached attack trend. “Their sheer volume can have a negative impact on the ability of networks to handle customer internet traffic.”

The infrastructure community has also started attempting to address the underlying problem, by asking the owners of exposed memcached servers to take them off the internet, keeping them safely behind firewalls on internal networks. Groups like Prolexic that defend against active DDoS attacks have already added or are scrambling to add filters that immediately start blocking memcached traffic if they detect a suspicious amount of it. And if internet backbone companies can ascertain the attack command used in a memcached DDoS, they can get ahead of malicious traffic by blocking any memcached packets of that length.

“We are going to filter that actual command out so no one can even launch the attack,” says Dale Drew, chief security strategist at the internet service provider CenturyLink. And companies need to work quickly to establish these defenses. “We’ve seen about 300 individual scanners that are searching for memcached boxes, so there are at least 300 bad guys looking for exposed servers,” Drew adds.

Most of the memcached DDoS attacks CenturyLink has seen top out at about 40 to 50 gigabits per second, but the industry had been increasingly noticing bigger attacks up to 500 gbps and beyond. On Monday, Prolexic defended against a 200 gbps memcached DDoS attack launched against a target in Munich.

Wednesday’s onslaught wasn’t the first time a major DDoS attack targeted GitHub. The platform faced a six-day barrage in March 2015, possibly perpetrated by Chinese state-sponsored hackers. The attack was impressive for 2015, but DDoS techniques and platforms—particularly Internet of Things–powered botnets—have evolved and grown increasingly powerful when they’re at their peak. To attackers, though, the beauty of memcached DDoS attacks is there’s no malware to distribute, and no botnet to maintain.

The web monitoring and network intelligence firm ThousandEyes observed the GitHub attack on Wednesday. “This was a successful mitigation. Everything transpired in 15 to 20 minutes,” says Alex Henthorne-Iwane, vice president of product marketing at ThousandEyes. “If you look at the stats you’ll find that globally speaking DDoS attack detection alone generally takes about an hour plus, which usually means there’s a human involved looking and kind of scratching their head. When it all happens within 20 minutes you know that this is driven primarily by software. It’s nice to see a picture of success.”

GitHub continued routing its traffic through Prolexic for a few hours to ensure that the situation was resolved. Akamai’s Shaul says he suspects that attackers targeted GitHub simply because it is a high-profile service that would be impressive to take down. The attackers also may have been hoping to extract a ransom. “The duration of this attack was fairly short,” he says. “I think it didn’t have any impact so they just said that’s not worth our time anymore.”

Until memcached servers get off the public internet, though, it seems likely that attackers will give a DDoS of this scale another shot.

What is a DDoS Hack and How Do You Avoid Them?

DDoS! It stands for distributed denial of service, a kind of attack that turns insecure, internet-connected devices into a sort of zombie army. So here’s how you can avoid being part of that zombie army.

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security

Tagged ,

Can You Spot the Bait in a Phishing Attack?

Posted on March 6, 2018 | Leave a comment

Hackers are always trying to find creative and new ways to steal data and information from businesses. While spam (unwanted messages in your email inbox) has been around for a very long time, phishing emails have risen in popularity because they are more effective at achieving the desired endgame. How can you make sure that phishing scams don’t harm your business in the future?

Phishing attacks come in many different forms. We’ll discuss some of the most popular ways that hackers and scammers will try to take advantage of your business through phishing scams, including phone calls, email, and social media.

Phishing Calls
Do you receive calls from strange or restricted numbers? If so, chances are that they are calls that you want to avoid. Hackers will use the phone to make phishing phone calls to unsuspecting employees. They might claim to be with IT support, and in some cases, they might even take on the identity of someone else within your office. These types of attacks can be dangerous and tricky to work around, particularly if the scammer is pretending to be someone of authority within your organization.

For example, someone might call your organization asking about a printer model or other information about your technology. Sometimes they will be looking for specific data or information that might be in the system, while other times they are simply looking for a way into your network. Either way, it’s important that your company doesn’t give in to their requests, as there is no reason why anyone would ask for sensitive information over the phone. If in doubt, you should cross-check contact information to make sure that the caller is who they say they are.

Phishing Emails
Phishing emails aren’t quite as pressing as phishing phone calls because you’re not being pressured to make an immediate decision. Still, this doesn’t lessen the importance of being able to identify phishing messages. You might receive tailor-made customized phishing messages with the sole intent of a specific user handing over important information or clicking on a link/attachment. Either way, the end result is much the same as a phone call phishing scam;

To avoid phishing emails, you should implement a spam filter and train your employees on how to identify the telltale signs of these messages. These include spelling errors, incorrect information, and anything that just doesn’t belong. Although, phishing messages have started to become more elaborate and sophisticated.

Phishing Accounts
Social media makes it incredibly easy for hackers to assume an anonymous identity and use it to attack you; or, even more terrifying, the identity of someone you know. It’s easy for a hacker to masquerade as someone that they’re not, providing an outlet for attack that can be somewhat challenging to identify. Some key pointers are to avoid any messages that come out of the blue or seemingly randomly. You can also ask questions about past interactions that tip you off that they may (or may not) be who they say they are.

Ultimately, it all comes down to approaching any phishing incident intelligently and with a healthy dose of skepticism.

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security, Technology

Tagged , ,

Real Estate Industry Has A ‘False Sense Of Security’ When It Comes To Cyber Safety

Posted on March 1, 2018 | Leave a comment

Last December, government services in Mecklenburg, North Carolina, ground to a halt. What began as a malicious email attachment sent to a county employee turned into a crippling cyberattack that held 48 of the county’s 500 data servers hostage.

The attack prevented services ranging from intakes at the county jail to processing applications for marriage licenses. Contractors were among those hit the hardest. Unable to schedule inspections or receive approval to pour foundations or complete electrical work, contractors had to put development projects on hold during the multiday recovery process.

The Mecklenburg County attack, and an increasing number of high-profile hacks in the past year, have brought to light a sobering reality: The real estate industry is unprepared for cyberattacks.

“Real estate firms have been generally lucky where they have not experienced the type of breaches that you see in other industry sectors, and that has probably given many people a false sense of security,” Baker Tilly Cybersecurity and IT Risk Senior Manager Mike Cullen said. “As other businesses get better at security, criminals are looking for easy targets. Construction and real estate could be such targets because they have historically not always taken the necessary precautions.”

Cullen works with Baker Tilly clients to lead and execute IT risk assessments, IT process audits and information security assessments, among other cybersecurity initiatives. Historically, real estate companies were at lower risk because they maintained less personal information and intellectual property than financial or healthcare businesses. More recently, attackers have been drawn to the select pool of wealthy investors real estate ventures attract, Cullen said.

Data like personal information, blueprints and schematics, access to building technology systems and financial information can be sold or used to gain a competitive advantage. Money can be skimmed from tenant and vendor accounts or credit cards and extorted directly thanks to ransomware. Last June, property management firm BNP Paribas Real Estate reported a ransomware attack that took down most of its global systems.

The rise of the Internet of Things, which I call Internet of Threats has brought the threat of cyberattacks more directly into tangible property. Building managers have started to embrace more systems that allow them to manage security infrastructure, HVAC, lighting controls and utilities remotely. This gives hackers another point of entry for attacking systems and stealing data, Cullen said.

In the past, building management systems were more proprietary and offline, creating a higher barrier to entry for hackers. Newer building systems are more standardized, using software obtained from vendors. These programs, like all software, come with vulnerabilities that hackers can exploit. Many companies may also have insufficient password protection or outdated antivirus programs that contribute to heightened cyberrisk.

More than directly sabotage the systems themselves, hackers can pull personal data from “smart” or intelligent building infrastructure. In November 2013, hackers infiltrated Target Corp.’s HVAC contractor’s systems to steal the payment card records and other personal information of nearly 110 million customers. The company reported a gross financial loss of $252M by the end of Q4 2014 as a result of the cyberattack.

Risk will continue to rise as intelligent buildings gain popularity. According to Faculty Executive, an estimated 95% of building systems connected to the internet have insecure connections, and 65% of vendors have remote access to building systems.

Talking to vendors about potential cyberthreats and hiring a dedicated person in charge of cybersecurity are the first steps real estate companies should take in arming themselves against the growing risk, Cullen said. Companies must have an employee who spends at least 50% of their time on the job dealing with cybersecurity.

Once key personnel are put in place, creating a security program that is specific to the type of real estate business and adaptable to new threats will ensure a strong defense against future attacks.

“It is impossible to prevent 100% of every attack,” Cullen said. “Your security program needs to include how you react to an incident so that you can respond in a timely and thoughtful way instead of a fire drill, figure-it-out-as-you-go strategy.”

Global spending on cybersecurity will exceed $1 trillion over the next five years, from 2017 to 2021, with 1.5 million cybersecurity job openings by 2019. While the industry is growing, real estate might not be able to attract the same top talent as the finance or healthcare sectors.

“Other industries have more money to attract top talent and CRE has not been willing to spend as much on cybersecurity, which means they are not getting the best resources,” Cullen said. “To be prepared for what is ahead, real estate companies will need to invest more in cybersecurity.”

Leave a comment

Posted in Cyber Security, Data Breach, Security

Tagged ,

Meltdown and Spectre CPU Flaws Affect Intel, ARM, AMD Processors

Posted on January 9, 2018 | Leave a comment

Unlike the initial reports suggested about Intel chips being vulnerable to some severe ‘memory leaking’ flaws, full technical details about the vulnerabilities have now been emerged, which revealed that almost every modern processor since 1995 is vulnerable to the issues.

Disclosed today by Google Project Zero, the vulnerabilities potentially impact all major CPUs, including those from AMD, ARM, and Intel—threatening almost all PCs, laptops, tablets, and smartphones, regardless of manufacturer or operating system.

These hardware vulnerabilities have been categorized into two attacks, named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), which could allow attackers to steal sensitive data which is currently processed on the computer.

Both attacks take advantage of a feature in chips known as “speculative execution,” a technique used by most modern CPUs to optimize performance.

“In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions,” Project Zero says.

Therefore, it is possible for such speculative execution to have “side effects which are not restored when the CPU state is unwound and can lead to information disclosure,” which can be accessed using side-channel attacks.

Meltdown Attack:

The first issue, Meltdown (paper), allows attackers to read not only kernel memory but also the entire physical memory of the target machines, and therefore all secrets of other programs and the operating system.

“Meltdown is a related microarchitectural attack which exploits out-of-order execution in order to leak the target’s physical memory.”

Meltdown uses speculative execution to break the isolation between user applications and the operating system, allowing any application to access all system memory, including memory allocated for the kernel.

“Meltdown exploits a privilege escalation vulnerability specific to Intel processors, due to which speculatively executed instructions can bypass memory protection.”

Nearly all desktop, laptop, and cloud computers affected by Meltdown.

Spectre Attack:
The second problem, Spectre (paper), is not easy to patch and will haunt people for quite some time since this issue requires changes to processor architecture in order to fully mitigate.

Spectre attack breaks the isolation between different applications, allowing the attacker-controlled program to trick error-free programs into leaking their secrets by forcing them into accessing arbitrary portions of its memory, which can then be read through a side channel.

Spectre attacks can be used to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

“In addition to violating process isolation boundaries using native code, Spectre attacks can also be used to violate browser sandboxing, by mounting them via portable JavaScript code. We wrote a JavaScript program that successfully reads data from the address space of the browser process running it.” the paper explains.

 

“KAISER patch, which has been widely applied as a mitigation to the Meltdown attack, does not protect against Spectre.”

According to researchers, this vulnerability impacts almost every system, including desktops, laptops, cloud servers, as well as smartphones—powered by Intel, AMD, and ARM chips.

What You Should Do: Mitigations And Patches
Many vendors have security patches available for one or both of these attacks.

  • Windows — Microsoft has issued an out-of-band patch update for Windows 10, while other versions of Windows will be patched on the traditional Patch Tuesday on January 9, 2018
  • MacOS — Apple had already fixed most of these security holes in macOS High Sierra 10.13.2 last month, but MacOS 10.13.3 will enhance or complete these mitigations.
  • Linux — Linux kernel developers have also released patches by implementing kernel page-table isolation (KPTI) to move the kernel into an entirely separate address space.
  • Android — Google has released security patches for Pixel/Nexus users as part of the Android January security patch update.  Other users have to wait for their device manufacturers to release a compatible security update.

Mitigations for Chrome Users:

Since this exploit can be executed through the website, Chrome users can turn on Site Isolation feature on their devices to mitigate these flaws.
Here’s how to turn Site Isolation on Windows, Mac, Linux, Chrome OS or Android:
  • Copy chrome://flags/#enable-site-per-process and paste it into the URL field at the top of your Chrome web browser, and then hit the Enter key.
  • Look for Strict Site Isolation, then click the box labeled Enable.
  • Once done, hit Relaunch Now to relaunch your Chrome browser.

There is no single fix for both the attacks since each requires protection independently.

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security

Tagged , ,

U.S. warns public about attacks on energy, industrial firms

Posted on October 23, 2017 | Leave a comment

(Reuters) – The U.S government issued a rare public warning that sophisticated hackers are targeting energy and industrial firms, the latest sign that cyber attacks present an increasing threat to the power industry and other public infrastructure.

The Department of Homeland Security and Federal Bureau of Investigation warned in a report distributed by email late on Friday that the nuclear, energy, aviation, water and critical manufacturing industries have been targeted along with government entities in attacks dating back to at least May.

The agencies warned that hackers had succeeded in compromising some targeted networks, but did not identify specific victims or describe any cases of sabotage.

The objective of the attackers is to compromise organizational networks with malicious emails and tainted websites to obtain credentials for accessing computer networks of their targets, the report said.

U.S. authorities have been monitoring the activity for months, which they initially detailed in a confidential June report first reported by Reuters. That document, which was privately distributed to firms at risk of attacks, described a narrower set of activity focusing on the nuclear, energy and critical manufacturing sectors.

Department of Homeland Security spokesman Scott McConnell declined to elaborate on the information in the report or say what prompted the government to go public with the information at this time.

“The technical alert provides recommendations to prevent and mitigate malicious cyber activity targeting multiple sectors and reiterated our commitment to remain vigilant for new threats,” he said.

The FBI declined to comment on the report, which security researchers said described an escalation in targeting of infrastructure in Europe and the United States that had been described in recent reports from private firms, including Symantec Corp.

“This is very aggressive activity,” said Robert Lee, an expert in securing industrial networks.

Lee, chief executive of cyber-security firm Dragos, said the report appears to describe hackers working in the interests of the Russian government, though he declined to elaborate. Dragos is also monitoring other groups targeting infrastructure that appear to be aligned with China, Iran, North Korea, he said.

    The hacking described in the government report is unlikely to result in dramatic attacks in the near term, Lee said, but he added that it is still troubling: “We don’t want our adversaries learning enough to be able to do things that are disruptive later.”

The report said that hackers have succeeded in infiltrating some targets, including at least one energy generator, and conducting reconnaissance on their networks. It was accompanied by six technical documents describing malware used in the attacks.

Homeland Security “has confidence that this campaign is still ongoing and threat actors are actively pursuing their objectives over a long-term campaign,” the report said.

The report said the attacker was the same as one described by Symantec in a September report that warned advanced hackers had penetrated the systems controlling operations of some U.S. and European energy companies.

Symantec researcher Vikram Thakur said in an email that much of the contents of Friday’s report were previously known within the security community.

Cyber-security firm CrowdStrike said the technical indicators described in the report suggested the attacks were the work of a hacking group it calls Berserk Bear, which is affiliated with the Russian Federation and has targeted the energy, financial and transportation industries.

“We have not observed any destructive action by this actor,” CrowdStrike Vice President Adam Meyers said in an email.

It’s just a matter of time.

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Law Enforcement, Security

Tagged ,

Another AWS leak exposes 150,000 Patient Home Monitoring Corp. client records

Posted on October 13, 2017 | Leave a comment

Another publicly accessible Amazon S3 repository has been once again been left exposing sensitive consumer information, this time affecting approximately 150,000 U.S. patients.

Kromtech Security Researchers discovered the exposed server belonging to Patient Home Monitoring Corp. which contained in 47.5 GB worth of data in the form of 316,363 PDF reports detailing weekly blood test results including patient and doctor names, case management notes, other client information and the Development Server Backup.

The vulnerable server was spotted on Sept. 29 and researchers said they notified the company on Oct 5. and by Oct. 6, the bucket had been secured. Kromtech pointed out that the company’s privacy page stated that patients have the right to be notified when their information is being accessed and that it’s unclear how or if patients will be notified of the incident.

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases, the media of a breach of unsecured PHI. Most notifications must be provided without unreasonable delay and no later than 60 days following the discovery of a breach. fines can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation.

Some researchers aren’t surprised that admins are misconfiguring Amazon S3 buckets and leaving them exposed with the rapid adoption of the new technology.

“The Amazon S3 bucket can be easily switched from private to public access – with public being the default.” Josh Mayfield, platform specialist, Immediate Insight at FireMon said. “With the speed that organizations are moving to AWS and cloud infrastructure, it is only natural to miss something.”

Mayfield said companies should have policy controls that are automated irrespective of future technology so that admins don’t have to sacrifice security for speed and that added that policy management consoles with the flexibility to handle heterogeneous infrastructures and devices are invaluable.

Other researchers weren’t as forgiving. AlienVault Security Advocate Javvad Malik said the issue of misconfigured cloud services is a growing problem and a lack of skill may be to blame.

“As more and more companies migrate datasets to the cloud, it is becoming apparent that many lack the cloud skills needed to secure the cloud infrastructure, gain assurance that the cloud infrastructure is secured appropriately, or monitor their cloud environments for unauthorized access,” Malik said. “While cloud can bring benefits of having a resilient infrastructure, security cannot be outsourced, and much of the responsibility remains with the customer.”

Malik added that unfortunately, the people affected the most are the patients who have had their sensitive information exposed. Researchers agreed mistakes like this emphasize the impact breaches like this can have on individuals.

The narrative surrounding breaches is so often defined by the financial implications, but the impact of medical records being leaked on individuals could be equally if not more damaging,” DomainTools Senior Sybersecurity Threat Researcher Kyle Wilhoit said. “Revealing potentially sensitive personally identifiable information could impact an individual’s employment or it could be used by criminals/state entities for targeted attacks, such as spear phishing.”

Wilhoit said Medical organizations need to start taking the data they have access to as seriously as financial organizations, all assets must be discovered and tested against current vulnerabilities and patches must be deployed quickly.

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Public Cloud, Security

Tagged ,

And the plot thickens: Hackers Entered Equifax Systems in March

Posted on September 21, 2017 | Leave a comment

Equifax previously disclosed data was potentially accessed in May

Hackers roamed undetected in Equifax Inc.’s computer network for more than four months before its security team uncovered the massive data breach, the security firm FireEye Inc. said this week in a confidential note Equifax sent to some of its customers.

FireEye’s Mandiant group, which has been hired by Equifax to investigate the breach, said the first evidence of hackers’ “interaction” with the company occurred on March 10, according to the Mandiant report, which was reviewed by The Wall Street Journal.

Equifax had previously disclosed that data belonging to approximately 143 million Americans was potentially accessed in May. It isn’t known when Equifax learned from Mandiant that the hacking activity began in March, not May. Equifax wasn’t available for comment.

Equifax has said it didn’t discover the breach until July 29. Days later it called in Mandiant. Equifax didn’t disclose the breach until Sept. 7.

The attack, which is being probed by the Federal Bureau of Investigation, is one of the most significant data breaches given the scope of the information disclosed: people’s names, addresses, dates of birth and Social Security numbers. In its wake, consumers, customers, regulators and legislators have been asking how the attack occurred and whether Equifax took sufficient measures to protect such sensitive information.

Equifax sent the Mandiant report to some customers, many of which are financial firms, with a cover letter dated Tuesday, Sept. 19, that was signed by the company’s new chief information officer, Mark Rohrwasser, and new chief security officer, Russ Ayres. Equifax last Friday announced the departure of the two executives who previously held those positions.

In a progress report that accompanied that announcement last Friday, Equifax said hackers accessed consumers’ data from May 13 through July 30. It didn’t mention in that report that the attack had begun at an earlier date.

Mandiant’s report this week noted the hackers accessed one of Equifax’s servers by taking advantage of a flaw in software called Apache Struts, used by many companies to build interactive websites.

Two days before the access occurred, on March 8, security researchers at Cisco Systems Inc. warned of the flaw in Struts and a patch was issued by the Apache Software Foundation. Equifax in its report last week said its security staff “took efforts” to fix the system, saying it understood the intense focus outside the company on patching efforts and that its review was ongoing.

After interacting with Equifax’s server in early March, the hackers then entered the computer command “Whoami,” Mandiant wrote. This command would have given the attackers the username of the computer account to which they had just gained access, an early step in a hacking attempt.

Investigators have not determined for certain whether the March incident was issued by the data thieves or a different set of hackers, but it was likely the beginning of a monthslong reconnaissance mission, according to a person familiar with the investigation. It is common for attackers to lurk for months after their initial break-in as they probe corporate systems—the digital equivalent of trying as many doorknobs as possible to see which doors can be opened.

The March activity was likely a result of the hackers “spamming the internet for vulnerable systems,” said Johannes Ullrich, dean of research with the SANS Technology Insitute, a cybersecurity training school.

It isn’t surprising that the hackers took weeks before accessing the sensitive data, Mr. Ullrich said. “Typically, you first build out a beachhead so that it’s difficult to get kicked out,” he added.

On average, it takes companies close to 100 days to discover that they have been hacked, FireEye said in a report released earlier this year. In Equifax’s case, it took 141 days.

Eventually, between May 13 and late July, the attackers accessed files that contained Equifax credentials, such as username and password, and “performed database queries that provided access to documents and sensitive information stored in databases in an Equifax legacy environment,” the Mandiant report said.

Overall, the attackers accessed “numerous database tables in several databases,” the Mandiant report said.

The report added that the attackers “compromised two systems” that support Equifax’s online dispute web application. This is the place where consumers go to dispute information on their credit reports.

The hackers also set up about 30 Web shells—hidden pages that would allow them to remotely run commands on Equifax’s systems even if the Struts vulnerability was patched, the report said. The attackers “remotely accessed” the Equifax systems from approximately 35 “distinct public IP addresses,” it added.

The identity of the hackers is still unknown. Mandiant said in its letter that it hadn’t been able to attribute the breach to any “threat group actor” it currently tracks. Nor did the “tools, tactics and procedures” used overlap with those seen in previous investigations by the firm.

 

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security, Technology

Tagged ,

Critical Bluetooth Flaws Put Over 5 Billion Devices At Risk Of Hacking

Posted on September 14, 2017 | Leave a comment


Bluetooth is one of the most popular short-range wireless communications technologies in use today and is built into many types of devices, from phones, smartwatches and TVs to medical equipment and car infotainment systems. Many of those devices are now at risk of being hacked due to critical flaws found in the Bluetooth implementations of the operating systems they use.

Over the past several months, a team of researchers from IoT security firm Armis have been working with Google, Microsoft, Apple and Linux developers, to silently coordinate the release of patches for eight serious vulnerabilities that could allow attackers to completely take over Bluetooth-enabled devices or to hijack their Internet traffic.

The flaws found by Armis are particularly dangerous because they can be exploited over the air without any type of authentication or device pairing. Simply having Bluetooth enabled on a device is enough to make it vulnerable if patches for these issues are not installed.

The attacks can be fully automated and they don’t require any user interaction, as attackers can force vulnerable devices to open Bluetooth connections. In one scenario, the flaws can be used to build a worm-like attack where one compromised device automatically infects others when they come in its Bluetooth range. This can lead to the creation of massive botnets.

The Armis researchers have dubbed this new attack vector BlueBorne and they estimate that it affects over 5.3 billion devices. Furthermore, based on their discussions with vendors, they believe that 40% of the impacted devices will never be patched, either because they’re old and won’t receive firmware updates at all or because updating them is too complicated and users won’t bother.

The vulnerabilities are not located in the Bluetooth protocol itself, but in the individual Bluetooth implementations — or stacks — that are present in Android, Windows, Linux and iOS. Because of this, it doesn’t matter what version of the Bluetooth protocol a device supports — they’re all affected, with the exception of those that support only Bluetooth Low Energy, also known as Bluetooth Smart.

The Armis team first stumbled across one of the flaws during their regular work on the company’s security product, which helps organizations identify rogue or compromised IoT devices on their networks. The team then checked the similar code in other Bluetooth stacks and found additional vulnerabilities.

Four of the eight vulnerabilities were found in Android’s Bluetooth implementation, two in Linux, one in iOS and one in Windows. Their impact varies based on operating system.

“I think this is really just the tip of the iceberg as far as vulnerabilities in Bluetooth implementations go,” the Armis researchers said. “We feel that there are potentially other stacks affected by similar issues, but future research needs to be done to determine this.”

The vulnerability that affects the Bluetooth stack in Windows Vista and later does not lead to remote code execution but allows hackers to launch man-in-the-middle traffic interception attacks. Attackers can remotely force vulnerable Windows computers to set up a malicious Bluetooth-based network interface and route all of their communications through it. In this way, attackers can get all of a victim’s Internet traffic over Bluetooth.

Microsoft released security updates to address this vulnerability on supported Windows versions in July and customers who installed those updates are protected against this attack.

“We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates,” a Microsoft spokesperson said in an emailed statement.

An almost identical man-in-the-middle issue was found in the Android Bluetooth stack. However, Android’s implementation also has an information leak flaw and two remote code execution vulnerabilities.

Attackers can exploit the information leak problem in order to extract sensitive information from the device memory, information that can then help them exploit the remote code execution vulnerabilities and take complete control of the targeted devices. According to the Armis team, this attack would be completely invisible to the user.

“We have released security updates for these issues, and will continue working with other affected platforms across the industry to develop protections that help keep users safe,” Google said in an emailed statement.

Google releases security fixes for its Pixel and Nexus devices every month and also contributes those patches to the Android Open Source Project. Device manufacturers that are in the Android partner program receive security patches a month or more before they’re made public, to give them enough time to integrate them in their own Android-based firmware.

Even so, there are millions of Android devices out there that have long reached end of support and will not get these patches. Those devices will remain vulnerable to these Bluetooth attacks indefinitely.

Please be sure to update all of your devices with the newest firmware or patches.

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security

Tagged ,