Category Archives: Hacking

U.S. warns public about attacks on energy, industrial firms

(Reuters) – The U.S government issued a rare public warning that sophisticated hackers are targeting energy and industrial firms, the latest sign that cyber attacks present an increasing threat to the power industry and other public infrastructure.

The Department of Homeland Security and Federal Bureau of Investigation warned in a report distributed by email late on Friday that the nuclear, energy, aviation, water and critical manufacturing industries have been targeted along with government entities in attacks dating back to at least May.

The agencies warned that hackers had succeeded in compromising some targeted networks, but did not identify specific victims or describe any cases of sabotage.

The objective of the attackers is to compromise organizational networks with malicious emails and tainted websites to obtain credentials for accessing computer networks of their targets, the report said.

U.S. authorities have been monitoring the activity for months, which they initially detailed in a confidential June report first reported by Reuters. That document, which was privately distributed to firms at risk of attacks, described a narrower set of activity focusing on the nuclear, energy and critical manufacturing sectors.

Department of Homeland Security spokesman Scott McConnell declined to elaborate on the information in the report or say what prompted the government to go public with the information at this time.

“The technical alert provides recommendations to prevent and mitigate malicious cyber activity targeting multiple sectors and reiterated our commitment to remain vigilant for new threats,” he said.

The FBI declined to comment on the report, which security researchers said described an escalation in targeting of infrastructure in Europe and the United States that had been described in recent reports from private firms, including Symantec Corp.

“This is very aggressive activity,” said Robert Lee, an expert in securing industrial networks.

Lee, chief executive of cyber-security firm Dragos, said the report appears to describe hackers working in the interests of the Russian government, though he declined to elaborate. Dragos is also monitoring other groups targeting infrastructure that appear to be aligned with China, Iran, North Korea, he said.

The hacking described in the government report is unlikely to result in dramatic attacks in the near term, Lee said, but he added that it is still troubling: “We don’t want our adversaries learning enough to be able to do things that are disruptive later.”

The report said that hackers have succeeded in infiltrating some targets, including at least one energy generator, and conducting reconnaissance on their networks. It was accompanied by six technical documents describing malware used in the attacks.

Homeland Security “has confidence that this campaign is still ongoing and threat actors are actively pursuing their objectives over a long-term campaign,” the report said.

The report said the attacker was the same as one described by Symantec in a September report that warned advanced hackers had penetrated the systems controlling operations of some U.S. and European energy companies.

Symantec researcher Vikram Thakur said in an email that much of the contents of Friday’s report were previously known within the security community.

Cyber-security firm CrowdStrike said the technical indicators described in the report suggested the attacks were the work of a hacking group it calls Berserk Bear, which is affiliated with the Russian Federation and has targeted the energy, financial and transportation industries.

“We have not observed any destructive action by this actor,” CrowdStrike Vice President Adam Meyers said in an email.

It’s just a matter of time.

Another AWS leak exposes 150,000 Patient Home Monitoring Corp. client records

Another publicly accessible Amazon S3 repository has once again been left exposing sensitive consumer information, this time affecting approximately 150,000 U.S. patients.

Kromtech security researchers discovered the exposed server, belonging to Patient Home Monitoring Corp., which contained 47.5 GB of data in the form of 316,363 PDF reports detailing weekly blood test results, including patient and doctor names, case management notes, other client information and a development server backup.

The vulnerable server was spotted on Sept. 29, and researchers said they notified the company on Oct. 5; by Oct. 6, the bucket had been secured. Kromtech pointed out that the company’s privacy page states that patients have the right to be notified when their information is being accessed, and that it’s unclear how or if patients will be notified of the incident.

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases the media of a breach of unsecured PHI. Most notifications must be provided without unreasonable delay and no later than 60 days following the discovery of a breach. Fines can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation.

Some researchers aren’t surprised that, with the rapid adoption of the new technology, admins are misconfiguring Amazon S3 buckets and leaving them exposed.

“The Amazon S3 bucket can be easily switched from private to public access – with public being the default,” said Josh Mayfield, platform specialist for Immediate Insight at FireMon. “With the speed that organizations are moving to AWS and cloud infrastructure, it is only natural to miss something.”

Mayfield said companies should have policy controls that are automated irrespective of future technology, so that admins don’t have to sacrifice security for speed, and added that policy management consoles with the flexibility to handle heterogeneous infrastructures and devices are invaluable.

Other researchers weren’t as forgiving. AlienVault Security Advocate Javvad Malik said the issue of misconfigured cloud services is a growing problem and a lack of skill may be to blame.

“As more and more companies migrate datasets to the cloud, it is becoming apparent that many lack the cloud skills needed to secure the cloud infrastructure, gain assurance that the cloud infrastructure is secured appropriately, or monitor their cloud environments for unauthorized access,” Malik said. “While cloud can bring benefits of having a resilient infrastructure, security cannot be outsourced, and much of the responsibility remains with the customer.”

Malik added that, unfortunately, the people affected the most are the patients who have had their sensitive information exposed. Researchers agreed that mistakes like this show the impact such breaches can have on individuals.

“The narrative surrounding breaches is so often defined by the financial implications, but the impact of medical records being leaked on individuals could be equally if not more damaging,” DomainTools Senior Cybersecurity Threat Researcher Kyle Wilhoit said. “Revealing potentially sensitive personally identifiable information could impact an individual’s employment or it could be used by criminals/state entities for targeted attacks, such as spear phishing.”

Wilhoit said medical organizations need to start taking the data they have access to as seriously as financial organizations do: all assets must be discovered and tested against current vulnerabilities, and patches must be deployed quickly.

And the plot thickens: Hackers Entered Equifax Systems in March

Equifax previously disclosed data was potentially accessed in May

Hackers roamed undetected in Equifax Inc.’s computer network for more than four months before its security team uncovered the massive data breach, the security firm FireEye Inc. said this week in a confidential note Equifax sent to some of its customers.

FireEye’s Mandiant group, which has been hired by Equifax to investigate the breach, said the first evidence of hackers’ “interaction” with the company occurred on March 10, according to the Mandiant report, which was reviewed by The Wall Street Journal.

Equifax had previously disclosed that data belonging to approximately 143 million Americans was potentially accessed in May. It isn’t known when Equifax learned from Mandiant that the hacking activity began in March, not May. Equifax wasn’t available for comment.

Equifax has said it didn’t discover the breach until July 29. Days later it called in Mandiant. Equifax didn’t disclose the breach until Sept. 7.

The attack, which is being probed by the Federal Bureau of Investigation, is one of the most significant data breaches given the scope of the information disclosed: people’s names, addresses, dates of birth and Social Security numbers. In its wake, consumers, customers, regulators and legislators have been asking how the attack occurred and whether Equifax took sufficient measures to protect such sensitive information.

Equifax sent the Mandiant report to some customers, many of which are financial firms, with a cover letter dated Tuesday, Sept. 19, that was signed by the company’s new chief information officer, Mark Rohrwasser, and new chief security officer, Russ Ayres. Equifax last Friday announced the departure of the two executives who previously held those positions.

In a progress report that accompanied that announcement last Friday, Equifax said hackers accessed consumers’ data from May 13 through July 30. It didn’t mention in that report that the attack had begun at an earlier date.

Mandiant’s report this week noted the hackers accessed one of Equifax’s servers by taking advantage of a flaw in software called Apache Struts, used by many companies to build interactive websites.

Two days before the access occurred, on March 8, security researchers at Cisco Systems Inc. warned of the flaw in Struts and a patch was issued by the Apache Software Foundation. Equifax in its report last week said its security staff “took efforts” to fix the system, saying it understood the intense focus outside the company on patching efforts and that its review was ongoing.

After interacting with Equifax’s server in early March, the hackers then entered the computer command “Whoami,” Mandiant wrote. This command would have given the attackers the username of the computer account to which they had just gained access, an early step in a hacking attempt.

Investigators have not determined for certain whether the March incident was carried out by the data thieves or a different set of hackers, but it was likely the beginning of a monthslong reconnaissance mission, according to a person familiar with the investigation. It is common for attackers to lurk for months after their initial break-in as they probe corporate systems—the digital equivalent of trying as many doorknobs as possible to see which doors can be opened.

The March activity was likely a result of the hackers “spamming the internet for vulnerable systems,” said Johannes Ullrich, dean of research with the SANS Technology Institute, a cybersecurity training school.

It isn’t surprising that the hackers took weeks before accessing the sensitive data, Mr. Ullrich said. “Typically, you first build out a beachhead so that it’s difficult to get kicked out,” he added.

On average, it takes companies close to 100 days to discover that they have been hacked, FireEye said in a report released earlier this year. In Equifax’s case, it took 141 days.

Eventually, between May 13 and late July, the attackers accessed files that contained Equifax credentials, such as username and password, and “performed database queries that provided access to documents and sensitive information stored in databases in an Equifax legacy environment,” the Mandiant report said.

Overall, the attackers accessed “numerous database tables in several databases,” the Mandiant report said.

The report added that the attackers “compromised two systems” that support Equifax’s online dispute web application. This is the place where consumers go to dispute information on their credit reports.

The hackers also set up about 30 Web shells—hidden pages that would allow them to remotely run commands on Equifax’s systems even if the Struts vulnerability was patched, the report said. The attackers “remotely accessed” the Equifax systems from approximately 35 “distinct public IP addresses,” it added.

The identity of the hackers is still unknown. Mandiant said in its letter that it hadn’t been able to attribute the breach to any “threat group actor” it currently tracks. Nor did the “tools, tactics and procedures” used overlap with those seen in previous investigations by the firm.


Critical Bluetooth Flaws Put Over 5 Billion Devices At Risk Of Hacking

Bluetooth is one of the most popular short-range wireless communications technologies in use today and is built into many types of devices, from phones, smartwatches and TVs to medical equipment and car infotainment systems. Many of those devices are now at risk of being hacked due to critical flaws found in the Bluetooth implementations of the operating systems they use.

Over the past several months, a team of researchers from IoT security firm Armis has been working with Google, Microsoft, Apple and Linux developers to quietly coordinate the release of patches for eight serious vulnerabilities that could allow attackers to completely take over Bluetooth-enabled devices or to hijack their Internet traffic.

The flaws found by Armis are particularly dangerous because they can be exploited over the air without any type of authentication or device pairing. Simply having Bluetooth enabled on a device is enough to make it vulnerable if patches for these issues are not installed.

The attacks can be fully automated and they don’t require any user interaction, as attackers can force vulnerable devices to open Bluetooth connections. In one scenario, the flaws can be used to build a worm-like attack where one compromised device automatically infects others when they come in its Bluetooth range. This can lead to the creation of massive botnets.

The Armis researchers have dubbed this new attack vector BlueBorne and they estimate that it affects over 5.3 billion devices. Furthermore, based on their discussions with vendors, they believe that 40% of the impacted devices will never be patched, either because they’re old and won’t receive firmware updates at all or because updating them is too complicated and users won’t bother.

The vulnerabilities are not located in the Bluetooth protocol itself, but in the individual Bluetooth implementations — or stacks — that are present in Android, Windows, Linux and iOS. Because of this, it doesn’t matter what version of the Bluetooth protocol a device supports — they’re all affected, with the exception of those that support only Bluetooth Low Energy, also known as Bluetooth Smart.

The Armis team first stumbled across one of the flaws during their regular work on the company’s security product, which helps organizations identify rogue or compromised IoT devices on their networks. The team then checked the similar code in other Bluetooth stacks and found additional vulnerabilities.

Four of the eight vulnerabilities were found in Android’s Bluetooth implementation, two in Linux, one in iOS and one in Windows. Their impact varies based on operating system.

“I think this is really just the tip of the iceberg as far as vulnerabilities in Bluetooth implementations go,” the Armis researchers said. “We feel that there are potentially other stacks affected by similar issues, but future research needs to be done to determine this.”

The vulnerability that affects the Bluetooth stack in Windows Vista and later does not lead to remote code execution but allows hackers to launch man-in-the-middle traffic interception attacks. Attackers can remotely force vulnerable Windows computers to set up a malicious Bluetooth-based network interface and route all of their communications through it. In this way, attackers can get all of a victim’s Internet traffic over Bluetooth.

Microsoft released security updates to address this vulnerability on supported Windows versions in July and customers who installed those updates are protected against this attack.

“We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates,” a Microsoft spokesperson said in an emailed statement.

An almost identical man-in-the-middle issue was found in the Android Bluetooth stack. However, Android’s implementation also has an information leak flaw and two remote code execution vulnerabilities.

Attackers can exploit the information leak problem in order to extract sensitive information from the device memory, information that can then help them exploit the remote code execution vulnerabilities and take complete control of the targeted devices. According to the Armis team, this attack would be completely invisible to the user.

“We have released security updates for these issues, and will continue working with other affected platforms across the industry to develop protections that help keep users safe,” Google said in an emailed statement.

Google releases security fixes for its Pixel and Nexus devices every month and also contributes those patches to the Android Open Source Project. Device manufacturers that are in the Android partner program receive security patches a month or more before they’re made public, to give them enough time to integrate them in their own Android-based firmware.

Even so, there are millions of Android devices out there that have long reached end of support and will not get these patches. Those devices will remain vulnerable to these Bluetooth attacks indefinitely.

Please be sure to update all of your devices with the newest firmware or patches.

Millions of Time Warner Cable Customer Records Exposed in Third-Party Data Leak

Roughly four million records containing the personal details of Time Warner Cable (TWC) customers were discovered stored on an Amazon server without a password late last month.

The files, more than 600GB in size, were discovered on August 24 by the Kromtech Security Center while its researchers were investigating an unrelated data breach at World Wrestling Entertainment. Two Amazon S3 buckets were eventually found and linked to BroadSoft, a global communications company that partners with service providers, including AT&T and TWC.

Not all of the TWC records contained information about unique customers. Some contained duplicate information, meaning the breach ultimately exposed fewer than four million customers. Due to the size of the cache, however, the researchers could not immediately say precisely how many were affected. The leaked data included usernames, email addresses, MAC addresses, device serial numbers, and financial transaction information—though it does not appear that any Social Security numbers or credit card information was exposed.

Time Warner Cable was purchased by Charter Communications last year and is now called Spectrum, though the leaked records span from at least 2010 to this year.

Other databases revealed billing addresses, phone numbers, and other contact info for at least hundreds of thousands of TWC subscribers. The servers also contained a slew of internal company records, including SQL database dumps, internal emails, and code containing the credentials to an unknown number of external systems.

A leak of administrative credentials typically heightens the risk of further systems and sensitive materials being compromised. But Kromtech did not attempt to access or review any of the password protected data, and so the contents of any other servers potentially vulnerable remains unknown.

CCTV footage, presumably of BroadSoft’s workers in Bengaluru, India—where the breach is believed to have originated—was also discovered on the Amazon bucket.

“We see more and more examples of how bad actors use leaked or hacked data for a range of crimes or other unethical purposes,” said Bob Diachenko, Kromtech’s chief communications officer. “In this case engineers accidentally leaked not only customer and partner data but also internal credentials that criminals could have easily used to monitor or access the company’s network and infrastructure.”

Publication of the breach, which Kromtech detailed on its website Friday, was delayed so that BroadSoft could privately alert its customers.

A spokesperson for BroadSoft said the company had verified that customer data was exposed to the public internet, but that it does not believe the information to be “highly sensitive.” The company also does not believe it was accessed by anyone with malicious intent. “We immediately secured these Amazon S3 bucket exposures and are continuing to aggressively investigate these exposures and will take additional remedial actions as needed.”

Charter Communications sent the following statement:

“We were notified by a vendor that certain non-financial information of legacy Time Warner Cable customers who used the MyTWC app became potentially visible by external sources. Upon discovery, the information was removed immediately by the vendor, and we are currently investigating this incident with them. There is no indication that any Charter systems were impacted. We encourage customers who used the MyTWC app to change their user names and passwords. Protecting customer privacy is of the utmost importance to us. We apologize for the frustration and anxiety this causes, and will communicate directly to customers if their information was involved in this incident.”

This seems to be an everyday occurrence; cybersecurity is something everyone should be aware of.


Equifax Reports Data Breach Possibly Affecting 143 Million U.S. Consumers

Social Security numbers, birth dates, addresses and driver’s license numbers exposed.

Credit-reporting company Equifax Inc. said Thursday that hackers gained access to some of its systems, potentially compromising the personal information of roughly 143 million U.S. consumers in one of the biggest and most threatening data breaches of recent years.

The size of the hack is second only to the pair of attacks on Yahoo disclosed last year that affected the information of as many as 1.5 billion customers. It also involves nearly twice the number affected by one of the highest-profile breaches at a financial firm, the cyberattack at J.P. Morgan Chase & Co. about three years ago.

The Equifax breach could prove especially damaging given the gateway role credit-reporting companies play in helping to determine which consumers gain access to financing and how much of it is made available. The attack differs, too, in that the attackers in one swoop gained access to several pieces of consumers’ information that could make it easier for the attackers to try to commit fraud.

Equifax said hackers gained access to systems containing customers’ names, Social Security numbers, birth dates and addresses. The company also offers credit-monitoring and identity-theft protection products to guard consumers’ personal information.

“This is the nightmare scenario—all four pieces of information in one place,” said John Ulzheimer, a credit specialist and former manager at Equifax.

On Friday, shares of Equifax fell 14% to $123.03 in morning trading in New York.

The incident comes at a time of heightened sensitivity to cyberattacks in the political, commercial and personal realms, especially in the wake of presumed Russian interference in the U.S. presidential election last year.

The number of large hacks has increased in recent years, with incidents each involving tens of millions of accounts hitting tech companies, banks, retailers and others.

More companies are putting more information online from more users, creating bigger targets for hackers who continually develop and refine their techniques and tools.

Equifax is one of the big three credit-reporting firms in the U.S. and maintains credit reports on more than 200 million U.S. adults. The other two are TransUnion and Experian. Credit reports compiled by such companies include personally identifiable information as well as records of the credit cards and loans consumers have, their spending limits on cards, and whether they are on time with their debt payments.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” Equifax Chief Executive Richard Smith said in prepared remarks. “I apologize to consumers and our business customers for the concern and frustration this causes.”

The four pieces of information exposed in the attack are generally needed for consumers to apply for many forms of consumer credit, including credit cards and personal loans. That means that swindlers who have access to this data could have an easier time getting approved for credit in other people’s names and potentially makes it more difficult for lenders to spot a problem. In addition, Equifax said the hackers gained access to some driver’s license numbers.

An added concern is that the breach raises the chances of more fraudulent loan approvals occurring when various forms of fraud are already hitting lenders and contributing to higher losses.

Smaller financial institutions, including community banks, credit unions and online personal-loan lenders, are more vulnerable to the effects of this breach, said Al Pascual, head of fraud and security at Javelin Strategy & Research.

That is because they are more reliant on the four key pieces of borrower information when determining whether they are dealing with a legitimate applicant, he said. The biggest banks, he added, have in recent years moved to relying on additional information. With online applications, for example, that includes pinpointing what geographic area the applicant is located in to figure out whether they are an actual person or a fraudster.

Equifax said in its statement that while the incident potentially affected approximately 143 million U.S. consumers, “the company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”

Equifax said an internal investigation revealed hackers exploited a vulnerability in a U.S. website application to gain unauthorized access to files from mid-May through July. The company said it discovered the breach on July 29.

Equifax said it reported the intrusion to law enforcement and contracted a cybersecurity firm to conduct a forensic review. In the days following the company’s discovery of the breach, three top Equifax executives, including Chief Financial Officer John Gamble, sold shares worth a combined $1.8 million, according to Securities and Exchange Commission filings. A company spokesman said the three executives who sold a small percentage of their Equifax shares on Tuesday, Aug. 1, and Wednesday, Aug. 2, had no knowledge that an intrusion had occurred at the time they sold their shares.

Equifax also said credit-card numbers for approximately 209,000 U.S. consumers were accessed, as well as dispute documents with sensitive information for another 182,000 people.

With the Equifax attack, banks now will have to reissue cards for the approximately 209,000 credit cards stolen in the breach, but for consumers the theft of uniquely identifying information such as Social Security numbers and birth dates could have a permanent effect. Additionally, a limited number of people in Canada and the U.K. were affected, the company said.

Stocks of other financial companies weren’t initially affected, with shares of credit-card issuers and big banks mostly unchanged or up slightly in after-hours trading.

Equifax said it has set up a website—www.equifaxsecurity2017.com—to help consumers determine if their information has been compromised and to allow them to sign up for a complimentary slate of credit-monitoring and identity-theft protection. The company also has established a dedicated call center for consumers.

This is becoming an everyday occurrence. When are we going to get the message to tighten up security across this nation!!

How Good Cybersecurity Habits Could Save You Millions

Landlords collect extremely valuable information from residents. What many don’t know, however, is that they are liable if their residents’ information is stolen.
by Meeghan Fuhr | Aug 30, 2017

Landlords collect extremely valuable information from residents, including addresses, credit card numbers, social security numbers and bank account numbers, making the multifamily industry an attractive target for hackers. Prevention and detection are key aspects of cybersecurity. What many small multifamily owners and managers don’t know, however, is that they are liable if their residents’ information is stolen.

Small multifamily owners and managers may think they have limited options when it comes to keeping their data secure, but there are many simple preventative measures they can take, and ultimately, it is their responsibility to take them.

“An identity is worth about $10-$20 on the dark net, but the actual liability stemming from its loss could be $158 or more,” said Michael Reese, chief information officer at USA Properties Fund. Multiply that by however many residents are in a database, and you could be looking at millions of dollars.

So, Who is Responsible for Making Cybersecurity a Priority?

A common misconception among management is that cybersecurity is an IT issue when, in reality, every level of an organization needs to be involved and bringing in an outside cybersecurity firm is recommended.

“It’s very difficult to have your own IT department manage your cybersecurity framework. You must have a ‘separation of duties,’ [similar to how] you can’t audit yourself. Cybersecurity is an executive decision, not an IT decision. You need to have governance, policies and procedures, and continuous training and education,” Reese said.

Many people believe they are protected because they have a good firewall, but that is just the first line of defense. “It’s best to have a layered approach,” said Reese, with firewalls, IDS/IPS (intrusion detection systems and intrusion prevention systems), server and workstation anti-virus, and SIEM (security information and event management) software/hardware. Reese also stressed that when you receive a notice that software needs to be updated, don’t ignore it!

Simple, Inexpensive Ways to Lessen the Risk of an Attack

Requiring employees to have strong passwords that are changed regularly is a simple measure multifamily firms of all sizes can implement. “Poor password practices make it that much easier for hackers to get into a company’s network or email,” Reese said. “Passwords that use a combination of numbers, symbols, upper and lower case letters are much more difficult to break.”

Another good practice is to require that Virtual Private Networks (VPNs) always be used for remote access. “If any of your employees work remotely, or link to a public Wi-Fi network (think Starbucks), they should have a VPN network installed on their laptop, tablet or smartphone. A VPN provides a secure path through the web and protects your activities from anyone trying to get in.” Reese noted that there are many relatively affordable options out there.

Additionally, it is important to control access to your firm’s data. “Not everyone in your company needs access to all of the systems and data that you have,” Reese said. “Do sales people need access to personnel files, or do operations people need access to accounts receivable information?” It’s best to limit access to data only to those employees who regularly need it.

Lastly, train employees regularly. “More than 75 percent of hacks come through some action by an employee, usually as the result of phishing,” Reese said. Phishing emails typically appear to come from a “legitimate” source such as a company, customer or employee, with the goal of either obtaining private information or getting the recipient to click attachments that allow malware into the network. “You should train your employees to question these emails and even call the supposed sender to confirm.”

“Train your people to become good ‘cyber-citizens,’” Reese said. “And support a culture of data security!”

You can read the original article at the link below from Commercial Property Executive:


Trove of Private Military Contractor Job Applicants Exposed Online

Another day, another trove of data goes public. This time it is the personal and sensitive data of American citizens who applied for jobs at North Carolina-based private military contractor (mercenary and security firm) TigerSwan, hundreds of whom claimed “Top Secret” US government security clearances.

According to Chris Vickery, director of cyber risk research at security firm UpGuard, resumé files of 9,402 people were found publicly available on an unprotected Amazon Web Services server run by third-party vendor TalentPen, which used the files for recruitment purposes until February 2017.

A look at the exposed files revealed applicant names, home addresses, phone numbers, email addresses, driver’s license numbers and highly sensitive job history of US military veterans, mercenaries and even Iraqi and Afghan nationals who worked alongside US forces and government institutions back in their countries.

Rich Campagna, CEO at Bitglass, told HackRead.com that: “In the last few months, we’ve seen a string of high profile data incidents of this nature, including Deep Root Analytics, Verizon Wireless, and Dow Jones. These exposures are difficult to stop because they originate from human error, not malice. Just one wrong tick box in the cloud set-up process can put vast amounts of sensitive customer data at risk. This is why Amazon recently introduced ‘Macie’: to discover, classify and protect sensitive data in AWS S3.

Organisations using IaaS must leverage at least some of the security technologies available to them, either from public cloud providers, IDaaS providers, or CASBs, which provide visibility and control over cloud services like AWS. It could also be argued that these AWS server misconfigurations could have been avoided with basic security best practices such as limiting access from outside the corporate network, encrypting highly sensitive data, and training employees on security risks.”

TigerSwan was founded in 2008 by retired US Army lieutenant colonel and Delta Force operator James Reese. Since then the international security and global stability firm has provided its services during the infamous Iraq war, the 2014 Sochi Olympics and the Standing Rock protests (Dakota Access Pipeline protests, DAPL).

However, in May 2017, The Intercept cited leaked documents indicating that the firm used counterterrorism tactics at Standing Rock to “defeat pipeline insurgencies.” In 2011, the firm also won a one-year contract in Saudi Arabia, where it provided construction and security services for the South Gate Entry Control Point, Eskan Village, Riyadh.

In its statement, the firm acknowledged the issue and said:

“At no time was there ever a data breach of any TigerSwan server. All resume files in TigerSwan’s possession are secure. We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants. TigerSwan is currently exploring all recourse and options available to us and those who submitted a resumé.”

It is unclear for how long the data remained unprotected or whether it was accessed by anyone else other than UpGuard researchers.

“A cursory examination of some of the exposed resumes indicates not merely the varied and elite caliber of many of the applicants as experienced intelligence and military figures, but sensitive, identifying personal details,” said UpGuard.

At the time of publishing this article, there was no official response from TalentPen, LLC, since the company has been dissolved. However, TigerSwan forwarded an email to Gizmodo showing a conversation with a former TalentPen employee.

“I’m afraid that it does show activity that seems to be consistent with the number of files and overall size of the total number of files. I want to know exactly how there could even be a possibility of this happening given the security in place to protect data and files. The account was set up to only give access to you and me. I even had to provide you with security credentials to access the information. While I no longer work for TalentPen since it had been dissolved earlier this year, I certainly want to help you get to the bottom of this,” the email said.

Here is an archived look at the now-offline TalentPen website.

This is not the first time an unprotected trove of data has been discovered online. In January 2017, medical data of veterans affected by sleep disorders was exposed online. The database contained personal details of over 1,200 veterans suffering from sleep disorders.

In March this year, a misconfigured drive led to a data leak affecting thousands of US Air Force officials, exposing passports, names, Social Security numbers and other highly sensitive personal data.

In June this year, UpGuard again discovered secret Pentagon files left unprotected on an Amazon server. The data included over 60,000 files, some of them very sensitive, publicly accessible and not even protected with a password.

If you are working as a database administrator, it’s time to run a security check and keep the data secure. If you are using a third-party “cloud” provider, double check the security features and your contract with the provider.


The Russian Company That Is a Danger to Our Security

Eugene Kaspersky, the founder of Kaspersky Lab, is a graduate of the KGB’s elite cryptology institute and was a software engineer for Soviet military intelligence.

MADBURY, N.H. — The Kremlin hacked our presidential election, is waging a cyberwar against our NATO allies and is probing opportunities to use similar tactics against democracies worldwide. Why then are federal agencies, local and state governments and millions of Americans unwittingly inviting this threat into their cyber networks and secure spaces?

That threat is posed by antivirus and security software products created by Kaspersky Lab, a Moscow-based company with extensive ties to Russian intelligence. To close this alarming national security vulnerability, I am advancing bipartisan legislation to prohibit the federal government from using Kaspersky Lab software.

Kaspersky Lab insists that it has “no inappropriate ties with any government.” The company’s products, which are readily available at big-box American retailers, have more than 400 million users around the globe. And it provides security services to major government agencies, including the Department of State, the National Institutes of Health and, reportedly, the Department of Defense.

But at a public hearing of the Senate Intelligence Committee in May, six top intelligence officials, including the heads of the F.B.I., C.I.A. and National Security Agency, were asked if they would be comfortable with Kaspersky Lab software on their agencies’ computers. Each answered with an unequivocal no. I cannot disclose the classified assessments that prompted the intelligence chiefs’ response. But it is unacceptable to ignore questions about Kaspersky Lab because the answers are shielded in classified materials. Fortunately, there is ample publicly available information to help Americans understand the reasons Congress has serious doubts about the company.

The firm’s billionaire founder, Eugene Kaspersky, graduated from the elite cryptology institute of the K.G.B., the Soviet Union’s main intelligence service, and was a software engineer for Soviet military intelligence. He vehemently dismisses concerns that his company assists Russia’s intelligence agencies with cyberespionage and claims that he is the target of Cold War-style conspiracy theories. But Kaspersky Lab has committed missteps that reveal the true nature of its work with Russia’s Federal Security Service, or F.S.B., a successor to the K.G.B.

Bloomberg recently reported on emails from October 2009 in which Mr. Kaspersky directs his staff to work on a secret project “per a big request on the Lubyanka side,” a reference to the F.S.B.’s Moscow offices. The McClatchy news service uncovered records of the official certification of Kaspersky Lab by Russian military intelligence, which experts in this field call “persuasive public evidence” of the company’s links to the Russian government.

The challenge to United States national security grew last year when the company launched a proprietary operating system designed for electrical grids, pipelines, telecommunications networks and other critical infrastructure. The Defense Intelligence Agency recently warned American companies that this software could enable Russian government hackers to shut down critical systems.

Beyond the evidence of direct links between Mr. Kaspersky and the Russian government, we cannot ignore the indirect links inherent in doing business in the Russia of President Vladimir Putin, where oligarchs and tycoons have no choice but to cooperate with the Kremlin. Steve Hall, former C.I.A. station chief in Moscow, told a reporter: “These guys’ families, their well-being, everything they have is in Russia.” He added that he had no doubt that Kaspersky Lab “could be, if it’s not already, under the control of Putin.”

The technical attributes of antivirus software amplify the dangers from Kaspersky Lab. Mr. Kaspersky might be correct when he says that his antivirus software does not contain a “backdoor”: code that deliberately allows access to vulnerable information.

But a backdoor is not necessary. When a user installs Kaspersky Lab software, the company gets an all-access pass to every corner of a user’s computer network, including all applications, files and emails. And because Kaspersky’s servers are in Russia, sensitive United States data is constantly cycled through a hostile country. Under Russian laws and according to Kaspersky Lab’s certification by the F.S.B., the company is required to assist the spy agency in its operations, and the F.S.B. can assign agency officers to work at the company. Russian law requires telecommunications service providers such as Kaspersky Lab to install communications interception equipment that allows the F.S.B. to monitor all of a company’s data transmissions.

The Senate Armed Services Committee in June adopted my measure to prohibit the Department of Defense from using Kaspersky Lab software, to limit fallout from what they fear is already a huge breach of national security data. When broad defense legislation comes before the Senate in the weeks ahead, they hope to amend it to ban Kaspersky software from all of the federal government.

Americans were outraged by Russia’s interference in our presidential election, but a wider threat is Russia’s doctrine of hybrid warfare, which includes cybersabotage of critical American infrastructure from nuclear plants to electrical grids. Kaspersky Lab, with an active presence in millions of computer systems in the United States, is capable of playing a powerful role in such an assault. It’s time to put a stop to this threat to our national security.

Do your own research, then decide whether you want Kaspersky software on your home PC.


Third parties leave your network open to attacks

With the Target example as the high-water mark, enterprises need to worry about the lack of security on the part of third-party providers that have access to internal systems.

Most businesses hire third-party providers to fill in when they lack in-house resources. It is often necessary to allow third-party vendors access to their network. But after Target’s network was breached a few years ago because of an HVAC vendor’s lack of security, the focus continues to be on how to allow third parties access to the network without creating a security hole.

The use of third-party providers is widespread, as are breaches associated with them. Identity risk and lifecycle solution provider SecZetta claims that, on average, third parties make up 40 percent of the workforce. A recent survey by Soha Systems notes that 63 percent of all data breaches can be attributed to a third party. “The increased reliance on third-party employees, coupled with the growing sophistication of hackers, has led to the current identity and access management crisis that most businesses are faced with today — whether they realize it or not,” a SecZetta blog post stated.

Rick Caccia, CMO at Exabeam, explained that the Target breach shined a light on the risks that come with trusted partners. On one hand, they often have access to the most sensitive data and systems within a firm’s environment. On the other, the firm has little insight into the partner’s own security processes and doesn’t really know the partner’s employees or their routines.

David Baker, vice president of operations at Bugcrowd, said “The rule of thumb most CSOs live by is that you only use a third party if they do something better than you. So whether that’s delivering a package or managing your data center, if an outsourced third party does it better, it makes sense to use them. This extends to security.”

For example, a large number of organizations have outsourced their data centers to Amazon Web Services (AWS) not only because the functionality of building the technology on AWS is better than what organizations can achieve on their own, but also because the security offered is better than what companies can build themselves, he said.

“If you use a third party and want to avoid something like what happened with Target, you need to have a process by which you select those third parties, and a big part of that criteria should be security. Security has to be something you can measure that they do better than you,” Baker said.

Markus Jakobsson, chief scientist at Agari, said the one big disadvantage to working with third-party vendors is the loss of control over security. “Not only does each vendor create a new entry point into an organization’s network for cyber criminals to exploit, but it also means every employee for that vendor is now a potential target to breach your brand. Unfortunately, the only way to ensure your company is not exposed to greater risks is by keeping everything in-house. But in today’s digital world, this isn’t a reality.”

Mike McKee, CEO of ObserveIT, said the lack of visibility into what users at third-party providers are doing – accidentally or intentionally – is a huge security risk.

“Every organization must ensure it has identified the outside parties with access to systems and data and has secure procedures in place, strict policies for these users to follow, and effective technology in place to monitor and detect if the third parties are putting their organization at risk,” he said.

It is the cost of doing business that leaves your network vulnerable to third parties, said Yitzhak (Itzik) Vager, vice president of cyber product management and business development at Verint Systems. Manufacturers connect directly to suppliers to manage just-in-time production. Accounting departments connect to external invoicing and receipt systems, and the marketing team has given all types of automated solutions access to the network infrastructure.

“Organizations need to assume that they have already been breached by a third party leaving a hole in your network, and therefore they need to move to detection and response area solutions that consider the big picture, delivering complete visibility by detecting across the entire network, endpoints and payloads.”

Richard Henderson, Global Security Strategist at Absolute, agrees. “In the majority of cases, companies will have no way to learn if those partners have a breach or fall prey to attack. Add to this that regulators (and customers) really don’t care if someone else was responsible and it seems like an unwinnable battle. After the damage is done, organizations are left picking up the pieces and will be the ones called to task and held accountable.”

Carl Herberger, vice president of security solutions at Radware, said that business units are under a lot of pressure to leverage new solutions to speed time-to-market and reduce costs. Typically, security is a secondary consideration.

“Most of these business teams don’t have the skills or knowledge to assess security requirements, which can result in partnering with a vendor who may leave the company’s networks open to attack,” Herberger said.

If an enterprise lets a third party onto their network, regardless of the reason, that third party then becomes an integral part of their security perimeter, notes Amir Jerbi, CTO of container security company Aqua Security. “Organizations should therefore vet third parties for their security measures and practices and ensure they are aligned with their own, and furthermore, periodically check and test those practices to verify they are still in compliance. These checks may (and should) cover systems, process and people.”

Alertsec’s CEO Ebba Blitz advises making sure everyone plays by your rules. If full disk encryption is mandated for your own staff, make sure that your third parties do the same. “All too many third parties log into your network from unknown devices – devices that you don’t manage and can’t control, unless they are enrolled in your network. Make sure data only flows to encrypted devices, whether they are enrolled in your IT infrastructure or not.”

Third-party risk management

The market has pushed forward with third-party risk management programs to answer this dilemma. Such a program would record whether a third party is located offshore or onshore, uses a corporate-issued device or a personal device, has had a background check performed, and whether it will be performing a critical function for the organization.

“When it comes to the cyber world, vendors must demonstrate that they understand security and have a mature security program in place, including policies and employee training,” noted Asher DeMetz, manager of security consulting at Sungard Availability Services. Any third-party systems connected to the company’s network would need to have a proper business function and owner, and align to the company’s own security program (secure, monitored, controlled).

“The software or hardware would need to be validated with the correct security controls and attestation of security testing, and possibly compliance. If the third party is making configuration changes, these would have to go through proper change-management channels to ensure that they align to the security program and don’t introduce risk into the environment,” DeMetz added.

Risk management involving external actors can be a very challenging activity for a variety of reasons, said Bluelock Director of Engineering Derek Brost. “There are two major factors for consideration. First, is sufficiently involving legal counsel to ensure contractual designation of responsibility, diligence and due care. As a backstop, this should also permit enforcement or litigation related to reclaiming loss or damage if things go awry. Second, is allocating continuous resources for proper control and oversight of external activities in the form of authentication management, timely activity analysis, and especially audit review.”

Unfortunately, businesses commonly involve third parties for cost reduction or “quick fixes,” so an adequate level of investment may not be considered in the budget or overall cost for administering external actors, said Brost. However, like all risk management activities, these costs need to be considered up-front as part of the overall tolerance and loss potential.

Kennet Westby, president and co-founder of Coalfire, said every organization should have a robust third-party vendor management program that is built to support the validation that critical vendors are delivering on their committed services. Part of that vendor management process should be to validate that your vendor has internal security controls. If your vendor management program requires these third parties to operate at an even greater standard than your internal controls, you can actually reduce risk more than if internally managed.

That brings us to identity access management. As SecZetta explained in a blog post, no person or department is in charge of managing non-employee identities (people data) and their relationships at most companies. IT might provide access, but the initial access and managing of non-employee changes is charged to HR or procurement.

This is a challenge, especially in cases where non-employees have greater access to sensitive information than internal employees. If a non-employee is granted access to these sensitive systems for a nine-month period but finishes the job early after six months, there are three months in which the non-employee may still have access to sensitive systems. These are exactly the types of accounts that hackers look for when trying to penetrate systems and steal data, according to SecZetta.

Ryan Stolte, co-founder and CTO at Bay Dynamics, said keeping track of who is doing what is a daunting task. “Instead of trying to boil the ocean, keeping tabs on every user for every vendor, security teams must hone in on those that access the company’s most valued applications and systems.”

Effective vendor risk management begins with identifying your crown jewels and the impact to your organization if those crown jewels were compromised, he said. Then, look at which vendors have access to those crown jewels and continuously monitor not just the vendor users’ activity, but also their team members and fellow users in the larger group. If your security tools flag an unusual behavior coming from a vendor user, it’s important to engage the application owner who governs the application at risk, asking the owner to qualify if the behavior is unusual or business justified. If the behavior is unusual, that threat alert should go to the top of the investigation pile.

“It’s important to consider that often third-party vendors are non-malicious threats. Oftentimes, vendor employees are less conscious than full-time employees of good cyber security hygiene and therefore unintentionally expose your company to risk,” he said.

Viewpost’s CSO Chris Pierson said that having a well-developed vendor assurance program is necessary to oversee, quantify, communicate and mitigate risks. This program should consider the company mission, goals and objectives for the vendor, and provide a review process that looks at all types of risk – cybersecurity, privacy, regulatory/legal, financial, operational and reputational.

All vendor risks should then be scored, owned by the business line executive responsible for the product/service, and, depending on the level of harm, socialized and even approved by a governance risk committee. “By rating your vendors based on the criticality of the product/service they provide and the risks, the company can more adequately manage these risks, request mitigating controls, or off-board the vendor,” said Pierson.

Rod Murchison, vice president of product management at CrowdStrike, said when it comes to security, being knowledgeable after an event happens is insufficient. “Real-time visibility into the security posture of your network is something every organization should strive to achieve and maintain going forward,” he said.

To mitigate these types of threats, the most sophisticated endpoint security solutions can sense and analyze enough data in real-time to ensure that breaches and intrusions are observed in real-time, he added. “These new solutions leverage advancements in machine learning, artificial intelligence and analytics so organizations can quickly observe and fill unintentional, and sometimes intentional, holes left by third-party organizations.”

With the growing landscape of global privacy regulations, such as the General Data Protection Regulation (GDPR), the ability to control the uses of data throughout its life cycle will be critical. Strong access management controls can help, but often data masking and anonymization need to be implemented to manage access to key data fields, said Focal Point Data Risk’s Data Privacy Practice Leader Eric Dieterich.

What’s the solution?

Third-party access requires a layered security approach with dynamic contextual access control applied throughout, said Gerry Gebel, vice president of business development at Axiomatics. For example, one layer of security is to dynamically control who can access your network. Another layer would be to control access to APIs, data and other assets once these third parties are on the network.

Caccia advises that third-party access to assets is a perfect scenario for behavioral analytics, where the system baselines normal behavior of users on the network, even with limited knowledge of who those users actually are. “User behavior analytics (UBA) should be table stakes for any firm that works with partners extensively; it’s the best – perhaps only – way to understand and control what once-removed users are doing on your network and with your data,” he said.

Henderson recommended that companies make sure governance policies around vendor management are bolstered and reinforced. This should include policies around regular and random audits of those vendors. Those audits should have the ability to return quantifiable and definable metrics.

Also, when drafting contracts with these vendors, it’s critical to include sections that clearly define the security and privacy obligations expected of the vendor.

“I like the idea of inserting data canaries into the record sets that are shared with third parties and then watching for those canaries to pop up in dumps online. You would be amazed at how often data leaks onto the web and shows up in places like pastebin,” Henderson said. “Other things that make me nervous about this problem are quite simply the fact that all the staff, resources, tools and technologies can often be defeated by nothing more than some middle manager somewhere dumping a huge amount of customer data into a spreadsheet then sending it off via email to some previously unknown third party contracted by a business unit to run a bulk email campaign.”
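The data-canary idea Henderson describes, worked through as an added example (this is not code from the article or from any company quoted in it): each copy of a record set shared with a vendor gets a few fictitious records derived from a keyed hash, so a later scan of a public dump can tell which shared copy leaked. The key, vendor names, `example.com` addresses, the `C`-prefixed account-id format and the sample paste are all constructed for illustration.

```python
"""Data canaries for record sets shared with third parties (added example)."""
import hashlib
import hmac
import re

# Hypothetical key, constructed for this demo. In practice keep it in a secrets
# store: anyone holding the key could regenerate and strip the canaries.
CANARY_KEY = b"constructed-demo-key"


def canary_records(vendor_id, release_tag, count=3):
    """Derive `count` fictitious records unique to one (vendor, release) pair.

    Deriving them from an HMAC means they look like ordinary data, cannot be
    guessed without the key, and can be regenerated at scan time instead of
    being stored next to the real data.
    """
    records = []
    for i in range(count):
        msg = f"{vendor_id}|{release_tag}|{i}".encode()
        digest = hmac.new(CANARY_KEY, msg, hashlib.sha256).hexdigest()
        records.append({
            # example.com is a reserved domain, so the address is never deliverable
            "email": f"{digest[:6]}.{digest[6:12]}@example.com",
            # constructed account-id format: 'C' plus eight digits
            "account_id": "C" + str(int(digest[12:20], 16) % 10**8).zfill(8),
        })
    return records


def seed_dataset(records, vendor_id, release_tag):
    """Return the real records with that vendor's canaries mixed in."""
    seeded = list(records) + canary_records(vendor_id, release_tag)
    seeded.sort(key=lambda r: r["account_id"])  # no telltale block at the end
    return seeded


def build_index(shares):
    """Map every canary email and account id to the (vendor, release) it went to.

    `shares` is an iterable of (vendor_id, release_tag) pairs, one per copy sent out.
    """
    index = {}
    for vendor_id, release_tag in shares:
        for c in canary_records(vendor_id, release_tag):
            index[c["email"]] = (vendor_id, release_tag)
            index[c["account_id"]] = (vendor_id, release_tag)
    return index


# Email addresses or constructed account ids, matched case-insensitively.
TOKEN_RE = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}|\bC\d{8}\b", re.I)


def attribute_leak(dump_text, index):
    """Scan text recovered from a public dump; return {(vendor, release): hits}."""
    hits = {}
    for m in TOKEN_RE.finditer(dump_text):
        token = m.group(0)
        key = token.lower() if "@" in token else token.upper()
        if key in index:
            hits[index[key]] = hits.get(index[key], 0) + 1
    return hits


if __name__ == "__main__":
    shares = [("mailer-vendor", "2017-08"), ("print-vendor", "2017-08")]
    index = build_index(shares)
    # Constructed paste: one ordinary-looking row plus one canary from the mailer copy.
    leaked = canary_records("mailer-vendor", "2017-08")[1]
    paste = ("email,account\n"
             "alice@example.org,C00000001\n"
             f"{leaked['email']},{leaked['account_id']}\n")
    print(attribute_leak(paste, index))
```

Because the canaries are derived rather than stored, the same scan can be rerun against any new dump with only the list of past shares as input.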

For other enterprises, an important lesson is to ensure that third parties have no way to reach those portions of the network, he advised. “Microsegmentation of your environment, as well as many other tools designed to keep traffic from co-mingling, can stop or at the very least slow down an attacker, giving your security teams valuable time to detect and respond to an incident,” he said.

While it’s not possible to avoid third parties, Javvad Malik, security advocate at AlienVault, said there are many fundamental security practices that can help mitigate the risks. Examples include:

  • Knowing your assets – by understanding your assets, particularly critical ones, it is easier to determine which systems third parties should have access to, and to restrict their access to those.
  • Monitoring controls – having in place effective monitoring to determine whether third parties are only accessing systems they should and in a manner they should. Behavioral monitoring can help in this regard by highlighting where activity falls outside of normal parameters.
  • Segregation – by segregating networks and assets, one can contain any breaches to one specific area.
  • Assurance – proactively seek out regular assurance that the security controls implemented are working as intended.

Jeremy Koppen, FireEye principal consultant, said there are four security controls that should be discussed regarding third-party access:

  • Assign a unique user account to each vendor user to better monitor each account and identify abnormal activity.
  • Require two-factor authentication for access to applications and resources that could provide direct or indirect access to the internal network. This protects an organization in case the vendor’s user credentials are compromised.
  • Restrict all third-party accounts to only allow access to systems and networks required.
  • Disable all accounts within the environment upon termination of the third-party relationship.
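Koppen’s four controls, together with SecZetta’s example of a contractor who finishes a nine-month engagement after six months, can be turned into a periodic audit of non-employee accounts. The following is an added example, not code from the article or any company quoted in it; the inventory, vendor names, system names and field layout are constructed for illustration.

```python
"""Audit of third-party (non-employee) accounts against the controls above (added example)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class VendorAccount:
    username: str
    vendor: str
    users: tuple            # named people known to use this login
    enabled: bool
    mfa: bool
    internal_network: bool  # can reach the internal network (VPN, jump host, remote support)
    systems: frozenset      # systems the account is entitled to
    engagement_end: date    # contract end, or the earlier date the work actually finished


# Constructed inventory: an HVAC vendor login shared by two technicians, without
# MFA and with access beyond the building systems; a contractor whose work ended
# early but whose account is still on; and a correctly scoped, still-active account.
ACCOUNTS = [
    VendorAccount("hvac-remote", "Acme HVAC", ("pat", "sam"), True, False, True,
                  frozenset({"bms", "billing"}), date(2018, 3, 31)),
    VendorAccount("jdoe-contract", "Data Migration Co", ("jdoe",), True, True, True,
                  frozenset({"crm"}), date(2017, 6, 30)),
    VendorAccount("aparker-contract", "Data Migration Co", ("aparker",), True, True, True,
                  frozenset({"crm"}), date(2017, 9, 30)),
]

# Systems each vendor is approved to reach (constructed).
APPROVED = {"Acme HVAC": {"bms"}, "Data Migration Co": {"crm"}}

# Date the audit is run (constructed).
AUDIT_DATE = date(2017, 8, 15)


def audit(accounts, approved, today):
    """Return (username, finding, detail) triples, one per control violated."""
    findings = []
    for a in accounts:
        # Control 1: one account per vendor user, so activity is attributable.
        if len(a.users) != 1:
            findings.append((a.username, "shared-account",
                             f"{len(a.users)} people use this login"))
        # Control 2: second factor on anything that reaches the internal network.
        if a.internal_network and not a.mfa:
            findings.append((a.username, "no-mfa",
                             "internal network reachable with a password alone"))
        # Control 3: entitlements limited to the systems the vendor actually needs.
        excess = a.systems - approved.get(a.vendor, set())
        if excess:
            findings.append((a.username, "excess-access", ",".join(sorted(excess))))
        # Control 4 (and the early-finish case): disable when the engagement ends.
        if a.enabled and a.engagement_end < today:
            idle = (today - a.engagement_end).days
            findings.append((a.username, "stale-account",
                             f"still enabled {idle} days after engagement ended"))
    return findings


def findings_for(accounts, approved, today, username):
    """Sorted finding names for one account; empty list means it passed."""
    return sorted(f[1] for f in audit(accounts, approved, today) if f[0] == username)


def run_audit():
    """Audit the constructed inventory as of AUDIT_DATE."""
    return audit(ACCOUNTS, APPROVED, AUDIT_DATE)


if __name__ == "__main__":
    for user, finding, detail in run_audit():
        print(f"{user:18} {finding:16} {detail}")
```

Feeding the audit from the identity provider's account export and the contract end dates held by HR or procurement closes the ownership gap the SecZetta post describes.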

In the enterprise application development world, Jerbi sees many companies being caught off guard by third-party use of emerging technologies such as virtual containers. If a company is using containerized applications from a third party, that application should be vetted for container-specific security risks such as vulnerabilities in container images, hard-coded secrets and configuration flaws.

Baker said there are plenty of best practices to look for when choosing a vendor: how transparent is their security? Do they have third-party security testing? Do they share the results of that testing? “In the end, choosing a secure vendor alone won’t necessarily prevent another Target, but it will prevent the third-party firms you work with from being the weak link,” he said.