Monthly Archives: May 2016

There is no doubt that data breaches are on the rise. Hardly a day goes without headlines about any significant data breach.

According to the latest ‘Cyber Security Breaches Survey 2016‘ report published by UK government, two-thirds of the biggest firm in the UK have experienced at least a cyber attacks or data breaches within the past 12 months.

Here’s today, I am writing about top 4 data breaches reported in last 24 hours, threatened your data privacy and online security.

1. Kiddicare Hacked! 794,000 Accounts Leaked

Kiddicare has admitted that the company has suffered a data breach, which led to the theft of sensitive data belonging to 794,000 users, including phone numbers and residential addresses.

Kiddicare, company that sells child toys and accessories across the United Kingdom, became aware of the data breach after its customers started receiving suspicious text messages – most likely part of a phishing campaign – that attempted to pilfer them to click on a link that takes them for an online survey.

Although the company assured its customers that no banking or financial detail have been compromised in the breach, personal information belonging to nearly 794,000 customers, including their names, delivery addresses, email addresses and telephone numbers, have been exposed.

2. UserVoice Hacked! Users’ Accounts Breached

Today morning, I received an email from UserVoice, a web-based service that offers customer service and helpdesk tools, notifying that the company suffered a data breach and some user accounts were compromised, including their names, email addresses, and passwords.

The company admitted that user passwords were protected with the SHA1 hashing algorithm, which is considered as a weak encryption.

“Despite the fact that the passwords were encrypted, it is very possible that an attacker can decrypt this information,” the company notified. “As a precautionary measure, we have reset all UserVoice passwords to prevent any chance of the attacker gaining further access to accounts.”

Some famous companies are using customer service tools from UserVoice, including Twitch, Microsoft and more.

3. Google Suffers Insider Data Breach

Google suffered a minor data breach after a vendor unintentionally leaked sensitive information about its undisclosed number of employees to the wrong email address — but luckily, the person who received it deleted the email straight away.

According to report, the data breach happened after an employee at a third-party company that Google uses for its staff benefit management service mistakenly sent personal data to another company.

Google is still investigating the insider data breach that leaked the personal details of Google employees apparently included Social Security Numbers (SSNs) and names, but no details on benefits or family members.

4. London Clinic fined £180,000 for Leaking HIV Patients Data

The Information Commissioner’s Office (ICO) has imposed a £180,000 (about $260,000) fine to a London-based HIV clinic run by Chelsea and Westminster Hospital National Health Service (NHS) Foundation Trust, for leaking data of 781 HIV patients

The clinic mistakenly sent a newsletter email containing sensitive medical information relating to a total 781 HIV patients together rather than individually, using ‘bcc’ field in the email, leaking their names and email addresses to one another.

“People’s use of a specialist service at a sexual health clinic is clearly sensitive personal data,” Information Commissioner Christopher Graham said. “The law demands this type of information is handled with particular care following clear rules, and put simply, this did not happen.”

The Clinic’s medical director said:

“We fully accept the ruling of the ICO for what was a serious breach, and we have worked to ensure that it can never happen again.”

Via: thehackernews

Google has begun notifying some of its employees that their information was compromised by one of its third-party vendors.

In a sample breach notification letter Softpedia obtained from the Office of the Attorney General for the State of California, the tech giant provides some details on what transpired in the incident:

“We recently learned that a third-party vendor that provides Google with benefits management services mistakenly sent a document containing certain personal information of some of our Googlers to a benefits manager at another company. Promptly upon viewing the document, the benefits manager deleted it and notified Google’s vendor of the issue. After the vendor informed us of the issue, we conducted an investigation to determine the facts.”

That document is believed to have contained the affected employees’ names and Social Security Numbers. It did not include information regarding their benefits or on their dependents/family members.

Google is confident that no malicious actors gained access to the exposed information.

“We have no evidence that any of your information has been misused as a result of this incident, and computer access logs indicate that no other individuals viewed your information before it was deleted. In addition, the benefits manager has confirmed that she did not save, download, disclose or otherwise use the information contained in the document.”

The Menlo Park-based company is currently working with the vendor to ensure similar security incidents do not occur again. In the meantime, it is offering all affected employees free identity protection and credit monitoring services.

This breach helps illuminate the growing security threat suppliers and third-party vendors pose to organizations.

In a recent survey of some 320 IT professionals sponsored by Tripwire, 81 percent of respondents said they were confident in their organization’s ability to protect sensitive data. Just over half (55 percent) said the same about their suppliers and vendors, which could explain why 43.6 percent of participants said their organizations require their partners to pass a security audit if they are to sign with them.

For more information on the perceived threat posed by partners and suppliers, please click here.

Via: tripwire

With magnetic-stripe payment card transactions gradually starting to disappear in the US, cybercriminals have been on a tear with PoS attacks against retail and hospitality targets that haven’t yet adopted EMV card payment, FireEye researchers say.

Cybercriminals are doubling down their attacks on US point-of-sale systems (PoS) still using magnetic-stripe card transactions as the window for exploiting those weaker systems gradually closes.

One particularly pervasive gang, dubbed FIN6 by FireEye, has been especially active. According to FireEye, the latest PoS attacks overall, including from FIN6, are all signs of the bad guys trying to take advantage of weaker, non-EMV PoS systems without other security protections as well such as end-to-end encryption, while they are still in place.

FIN6 is a cybercrime group tracked by FireEye that focuses on stealing payment card information for profit, and was responsible for stealing millions of payment card numbers in 2015 in retail and hospitality firm PoS breaches later investigated by FireEye’s Mandiant team.

“We’ve actually seen discussion in undergound communities collaborating and talking about the need to exploit magnetic-stripe transactions while they can,” says John Miller, director of Threatscape Cybercrime at FireEye. “The number of PoS breaches in the last couple [of months] has been reflective of that as well.”

A few big names have been in the news recently for payment card attacks, although nowhere near the volume of rapid-fire attacks seen during 2014, aka The Year Of The Retailer Data Breach, when numerous big-box retailers were hit, including Home Depot, Michael’s, Neiman Marcus, and of course, Target. Now that retailers are rolling out EMV payment cards to replace the more vulnerable swipe cards, as well as end-to-end encryption, cybercriminals are shifting their targets to retailers and hospitality chains that haven’t yet caught up with the new security wave.

Most recently, Trump Hotel Collection (a chain of luxury hotels owned by Republican presidential candidate and real estate magnate Donald Trump), Starwood Hotels (Sheraton, Westin, etc.), and Hilton Worldwide have reported data breaches of customer payment card data.

FireEye wouldn’t confirm which recent payment card breaches were the handiwork of FIN6, but says the cybercrime group is still in action and continues to successfully steal payment card data.

Researchers from FireEye and iSIGHT Partners, which FireEye recently acquired, teamed up and compared notes to flesh out just how FIN6 monetizes stolen card data in the criminal underground. While they are still unsure just how FIN6 initially infects a victim, they confirmed the gang employs the so-called Grabnew (aka Vawtrek, aka Neverquest) credential-stealing malware, some Metasploit hacking tools, and then installs Trinity (aka FrameworkPOS) PoS malware to pilfer magnetic-stripe payment card data.

The researchers traced FIN6’s stolen card data to a particular underground shop that then in turn sells the stolen information to fraudsters. More than 10 million cards from FIN6’s data breaches were seen in the shop at times. In one data breach by FIN6, the card shop was selling the stolen US card data for an average of $21 per account. According to FireEye, that shop then could theoretically make $400 million if all of the data sold. “In reality, the shop would typically only make a fraction of this figure, since not all the data would be sold (laundering stolen cards is typically much harder than stealing them), buyers want the newest data they can get (data that has been on the shop for a while loses its value), and the shop offers discounts based on various criteria. Still, a fraction of $400 million is a significant sum,” according to FireEye’s report.

It’s also possible that FIN6 members could also work the shop or that FIN6 sells the stolen data to the shop for resale, FireEye says.

“It’s not only the intrusion to the PoS system, but how the cards end up in these underground shops,” says Nart Villanueve, principal threat intelligence analyst at FireEye.

According to the report:

“The story of FIN6 shows how real-world threat actors operate, providing a glimpse not only into the technical details of the compromise, but into the human factor as well; namely, the interactions among different criminals or criminal groups, and how it is not just data being bartered or sold in the underground, but also tools, credentials and access,” FireEye’s report says.

Via: darkreading

As discussed in my previous article, threat intelligence provides organizations with contextual details regarding specific threats. Such information is crucial for companies that are committed to formalizing their information security practices.

By relying on multiple feeds of threat intelligence, for instance, enterprises can continuously prioritize vulnerabilities based upon their severity and create effective patching schedules.

Threat intelligence and context-driven awareness are just two features of what is known in the industry as “security maturity.”

Gartner, a leading provider of technology research, first developed a security maturity model back in 2001. It takes into consideration organizations’ information security principles, practices, policies, and tools and helps them measure the maturity (formalization) of their systems.

Gartner’s model spans across six levels. Level 0 means no formalization, whereas Level 5 is used to describe an organization that is context-driven, risk-aware, effective and whose security decisions are integrated with business concerns.

Maturity models, such as Gartner’s, which G. Mark Hardy of SANS Institute explained last year, are a great starting point for organizations to begin addressing challenges in endpoint security.

But they are criteria-based, a format which excludes other important elements that businesses should take into consideration.

Acknowledging those limitations, what should information security mean to an organization?

To help answer that question, Tripwire has published Endpoint Detection and Response for Dummies, an online resource that can help security personnel understand endpoint protection.

Ultimately, information security is about more than just checking a box. Organizations also have an obligation to ensure that their employees demonstrate some understanding of security awareness.

Indeed, while uninformed users can pose a major threat to organizations’ digital security, educated users can effectively help defend the organization against threats at the front lines. By being able to identify a phishing attack, for instance, they can block certain threats from getting in and/or limit the impact of a threat that gets past the organization’s network defenses.

Ultimately, information security isn’t a checklist. It’s an ever-evolving process. As the threat landscape changes, organizations should change their security policies and make sure their employees are made aware of those modifications.

In the meantime, they should conduct audits to make sure their security infrastructure is sufficiently robust.

For more information on what information security should mean to an organization, please download Tripwire’s eBook here.

Via: tripwire

There are a million and one fitness apps on the market today, and each of them does pretty much the same thing – monitor distances, record heart rates, recommend workouts, etc. Few, however, bribe users to get fit with real rewards from the retailers they love.

Count Sweatcoin among the few.

Reuters reported that Sweatcoin, a free app launched in the U.K.’s App Store, seeks to change the way people attempt to live healthy lifestyles by dangling in front of them carrots comprised of rewards they can redeem toward purchases at real stores. Oleg Fomenko, one of Sweatcoin’s founders, explained that the app uses movement and location trackers to make sure that users aren’t trying to game the system to earn more rewards then they’re due and pegs its perks – also called sweatcoins – to bitcoins to ensure stability.

“This whole business is pegged to making movement valuable,” Fomenko told Reuters. “Eventually, sweatcoin is going to have a rate of exchange tied to the British pound.”

Owing to the app’s aspirations to become a go-to fitness tracking platform for users and retailers alike, Sweatcoin has signed partnerships with four London-area startups to have their service offered as part of the companies’ health plans. Employees will be able to accrue sweatcoins – about 1 for every 1,000 steps – for which they can redeem for anything from paid days off to discounted healthy meals and even decreased premiums.

Fomenko has even bigger plans for employers’ roles in Sweatcoin’s future. As the rewards offered will be tied to a functioning economy of bitcoin, Fomenko imagined a world where businesses are paying him to reserve a chunk of sweatcoins from market fluctuations so their employees have access to a finite amount of rewards.

“Right now, movement is valued at zero,” Fomenko said. “How much value a sweatcoin will have will be a market decision but we know it’s not zero.”

Via: pymnts

There was a lot of publicity regarding the new national cyber security plan and the billions of dollars pledged to its various parts, including the appointment of the United States’ first ever federal chief information security officer (CISO). We understand in large part that the monies “pledged” are goals and aspirations. They are subject to the whims of Congress, which only begrudgingly passed CISA after seven painful years in 2015.

Now let’s be clear: large budgets are nice. They afford us a certain degree of flexibility insofar as our investment options are concerned. But large budgets aren’t without their faults. Copious amounts of money can beget purchases that are sometimes not well thought out. Purchases that are wasteful. Purchases of equipment that are already out-of-date by the time they are built.

Organizations must carefully select what to invest in these days, especially given the continuously evolving computer threat landscape. With that in mind, a discussion that revolves around your current cyber security posture is a great starting point for deciding where to allocate your budget.

Some say they don’t have time for conversation. To those who do, we urge you to maketime. Reports note that cyber crime now costs the United States $445 billion per year. That’s not an insignificant amount of money. With even a fraction of that amount, we could strengthen our universities’ cyber security education and training programs and perhaps do away with our skills gap once and for all. Think of the possibilities.

Clearly, organizations need to work towards limiting the annual costs of cyber crime, and that process begins with an realistic assessment of one’s cyber security posture. But how can we effectively initiate such a discussion? How can we strengthen our defenses and hope to eradicate some instances of cyber crime? It might not seem possible. However, the National Institute of Standards and Technology (NIST) Cyber Security Framework (hereinafter referred to as “the Framework”) makes it so.

Have you ever sat down and walked your IT team or C-Suite or board of directors through Identify, Protect, Detect, Respond, and Recover–the core elements of the Framework? If you have, you know that proactive change in the organization often follows. People start to remember the exact spots where and on what servers data is stored. They also begin to talk about introducing new employee training and awareness courses that focus on spearphishing attacks, or they bring up in conversation the need for email hardware devices that scrub suspicious attachments off of employees’ emails.

When we talk to clients about the Framework, we spend much of our time discussing new or emerging threats, like blended denial-of-service (DoS) attacks that combine the worst distributed denial-of-service (DDoS) offensives with ransomware or malware, or their current data protection policies. Almost always, we work together to come up with new strategies and new tools that they can use to better protect their data from tomorrow’s threats.

Conversations with our clients also tend to focus in on the importance of incident response planning and business continuity planning. The conversation goes something like this: “Assume you have been breached (or infected with ransomware). What do you do? How do you remediate the attack? How can you leverage pre-tested, already segmented back-up media in an effort to restore your network when you need it?” Major cities like New York City and Boston have similar types of conversations all the time about what they would do if they were attacked by terrorists. Organizations are no less vulnerable when it comes to digital threats.

Enterprises need a common language that can facilitate plain-English conversations between directors, C-Suite executives, and IT professionals on how to do better protect business critical data. Fortunately, the NIST Cyber Security Framework provides an excellent starting point for these types of talks.

If we are right, and if these discussions prove fruitful, don’t thank us. Thank the good people of the National Institute of Standards and Technology for giving us such an amazing tool.

Happy Second Birthday to the NIST Framework.

Via: tripwire

On April 21^st, an email from Microsoft appeared in the mailbox of mailing list subscribers informing everyone that MS16-039 had been revised and the update for Microsoft Live Meeting 2007 Console had been re-released.

It contained an additional tidbit of information that many people overlooked:

“Effective as of the May 2016 security bulletin release, all Windows updates will be available only via the Microsoft Update Catalog (http://catalog.update.microsoft.com/), and will no longer be available on the Microsoft Download Center (http://download.microsoft.com/). Making the updates available from only one location simplifies the process for our customers of finding and downloading security updates.”

Anyone who has visited a Microsoft bulletin for a Windows 10 update knows that this was already the case for Windows 10 patches, but this is a major change for users of other versions of Windows. This means that a lot of users will need to change their process. So far, there has been very little discussion on the topic.

I’ve seen a few minor discussions on forums and mailing lists, but most individuals seem to think that this won’t affect the majority of enterprises due to the use of third party patch management software or Microsoft’s own offerings.

Working in vulnerability management, I can tell you that none of these products are infallible, and I often work with customers that need to go and download a single update for any number of reasons. In some cases, this process is about to become more difficult.

Take, for example, Company X, where the operations team uses Macs due to the additional scripting capabilities that it provides. They will no longer be able to obtain updates, as the Microsoft Update Catalog is only accessible from Windows.

Company Y will also run into issues because while they run Windows, they use application whitelisting to prevent the use of Internet Explorer and have standardized on Google Chrome. Unfortunately for Company Y, the Microsoft Update Catalog only works in Internet Explorer and Edge.

These are important considerations as you prepare for May 10^th. While it’s true that pure Windows shops that run Internet Explorer will see a more simplified search process, enterprises that operate outside of this configuration will find themselves frustrated and struggling to find workarounds.

Via: tripwire

Brunswick Corp. was victimized by a spearsphishing scam that netted the W-2 information for possibly all 13,000 current and former company employees.

How many victims?  Up to 13,000.

What type of information? The names, social security numbers, 2015 earnings, withholding and deduction information was compromised for current and former full and part-time workers. Brunswick Corp., whose subsidiaries include outboard motor manufacturer Mercury Marine, said customer data was not involved in the breech.

What happened? On April 29, 2016 a Brunswick employee responded to what was thought to be a legitimate email from management requesting the W-2 information. In fact, the data was sent to an unknown and unauthorized and individual.

What was the response? The Brunswick employee who was phished and sent the W-2 information told management of the mistake later that day. The company notified the IRS along with the potentially affected employees by email. The company is offering credit monitoring and identity theft assistance services and ID theft insurance free to every affected person.

Quote? “At this time, the Company has no reason to believe that its information systems or any customer data or other employee information have been compromised. Brunswick noted that this was not a technical intrusion of its information systems, but rather a criminal scam that plays on human nature.”

Via: scmagazine

A few weeks ago, I woke up one morning to discover that Android had 34 software updates waiting for me. This was followed by my laptop wanting to reboot after installing the latest patches from Microsoft, my tablet needing a reboot after its latest firmware update, and my server screaming for me to put “yum” into action to install the latest patches available from Red Hat. All before 10:00 am in the morning!

With all of the technology that we have today, installing software updates has become a near-daily activity. That statement is true for all professionals in the technology industry, especially those who handle patch management for large-scale enterprise IT systems.

Recently, we wondered how organizations might be handling the influx of patches, so we decided to conduct some research on the topic. Not surprisingly, we found that many organizations are having trouble keeping up with the vast number of patches constantly being added to the work queue.

To many, installing a patch might sound easy. It’s just the simple click of a button, right? Not really. Patch installation difficulty varies across platforms, ranging from the most trivial of installation methods (clicking a button) to complex scenarios involving delicate sequences of events.

However, patch installation difficulty is not the only variable in this equation. Patch testing is another critical piece of the puzzle and, along with scale, is one of the more challenging aspects of patch management in the modern world of enterprise IT.

Enterprises cannot go about installing patches blindly without understanding potential impacts of the change brought by a patch. Patches have a history of breaking things and, when things break in the enterprise, chaos ensues.

In a recent survey, we asked 483 IT professionals their thoughts on patch management topics. We found that roughly half of those involved with patch management will always test patches before deployment, with approximately 30% saying it depends on the patch. Fewer than 20% never test their patches.

Another set of questions was related to the amount of time spent testing patches for desktops and servers. As you can see in Figure 1, most organizations spend approximately one week or less testing patches in their environment before deployment.

Figure 1: Time taken to test patches.

Last month, in an interviewed by “Padre” over at TWiT for an episode on the TWiET channel, the topic was “Enterprise Patch Fatigue,” and one of the questions Padre asked was related to the feasibility of thoroughly testing patches before enterprise rollout.

An organization’s ability to thoroughly test patches depends on scale and resources. Virtualization and orchestration technologies, coupled with good patch management and vulnerability management software, can help organizations create environments that enable extensive patch testing.

Still, testing every possible configuration is hard for any organization. As you scale, it becomes impossible. More nodes means an increase in the number of scenarios that need to be tested. Those considerations can quickly spiral out of control.

This leads us to the following conclusion: patch testing is currently done on a best effort basis and, as with most software-based testing, it only covers a small portion of the overall “state space” of test cases. An important question to ask is the following: will this scenario work in the future as more and more systems become highly interconnected?

Current trends, such as the Internet of Things, the Industrial Internet, and cyber-physical systems, are pushing the envelope of scale with an exponential explosion of devices coming online in the near future.

Will the failure of a patch installation in some datacenter in Australia cause my infotainment center to malfunction, possibly causing my navigation to go wacky? What other questions need to be asked? Technologists should be considering these types of questions.

Obviously, new techniques and innovations will surface to help alleviate some of our patch testing problems. I believe automation will play a huge role, and advanced research in automated testing processes will surely help us in this domain. It will be interesting to see what developments tomorrow will bring us in the realm of patching.

Via: tripwire

And 65 percent of companies expect to suffer a breach due to compromised credentials int the future, a recent survey found.

A recent survey of more than 300 professionals worldwide found that 22 percent of respondents whose company had experienced a data breach said the breach was due to compromised credentials.

The survey, conducted by the Cloud Security Alliance and sponsored by Centrify, also found that 65 percent of respondents said the likelihood that their company would experience a breach in the future due to compromised credentials was medium to high.

“We hope that these findings will encourage organizations to leverage single sign-on, multi-factor authentication, mobile and Mac management, along with privileged access security and session monitoring, in order to minimize attack surfaces, thwart in-progress attacks and achieve continuous compliance,” Centrify chief product office Bill Mann said in a statement.

Separately, a Lieberman Software survey of almost 200 attendees at the RSA Conference 2016 last month found that 55 percent of IT professionals require their users to change their passwords more frequently than they change their own admin credentials.

Ten percent of IT professionals never change their administrative passwords at all, and 74 percent change them only on a monthly or less frequest basis.

“Administrative passwords are the most powerful credentials in an organization – the keys to the IT kingdom,” Lieberman Software president and CEO Philip Lieberman said in a statement. “The fact that 10 percent of IT professionals admitted that they never change these credentials is astounding. It’s almost like an open invitation to hackers to come in and stay a while. In the meantime, the intruders are nosing their way around the network.”

Thirty-six percent of IT professionals said passwords are shared among their IT staff, and 15 percent said that if they left their current companies, they would still be able to gain remote access with their admin credentials.

“Given that insider threats are one of the biggest concerns for CISOs, knowing that more than a third of IT professionals share privileged passwords is ludicrous,” Lieberman added. “The same can be said about so many ex-employees who can still access administrative credentials.”

A separate SecureAuth survey, conducted in conjunction with Wakefield Research, found that 35 percent of Americans write passwords down to help remember them.

When asked what’s most annoying about passwords, the leading responses were keeping up with different password requirements across accounts (29 percent), meeting complex password requirements (18 percent), needing to change passwords regularly (15 percent), and getting locked out after too many incorrect attempts (12 percent).

“From email to social media to your online bank account, just about every online identity requires a password,” SecureAuth CEO Craig Lund said in a statement. “In this high-tech age, passwords are a way of life. Many, however, are making some low-tech choices — as evidenced by the 35 percent of individuals who write down passwords.”

“Cyber attacks cost millions of dollars a year, hurt individuals and lead to long, drawn-out lawsuits,” Lund added. “Just ask the FBI, Target or IRS.”

Via: esecurityplanet