Archive for May, 2017

Records available online due to flaw in the system

May 29th, 2017

Molina Healthcare exposed patients’ medical claims online. How long the records were exposed, and why, is not yet clear. Investigative reporter Brian Krebs received a tip about the breach.

According to the reports, a customer could view other customers’ medical claims simply by changing a single number in the URL. No authentication was required.

“It’s unconscionable that such a basic, Security 101 flaw could still exist at a major healthcare provider today,” Krebs wrote. “However, the more I write about these lame but otherwise very serious vulnerabilities at healthcare firms the more I hear about how common they are from individual readers.”

Records did not include Social Security numbers. Affected information included patient names, addresses and birthdates, as well as diagnosis, medication and medical procedure information. Molina said that it has fixed the problem.

“Because protecting our members’ information is of utmost importance to Molina and out of an abundance of caution, we are taking our ePortal temporarily offline to perform additional testing of our system security,” the company said. “Molina has also engaged Mandiant to assist the company in continuing to strengthen our system security.”

While the world’s attention remains on cyber threats like WannaCry, many organizations still lack basic security, Bitglass CEO Nat Kausik noted. “This is especially true in the heavily regulated healthcare industry,” he said. “Molina Healthcare is just one example of an IT oversight that led to massive exposure of PHI.”

“Healthcare organizations are major targets and will see any and all flaws exploited by malicious individuals,” Kausik added. “As healthcare organizations make patient data more accessible to individuals and new systems, they must make information security their top priority.”

Data breaches have increased this year.

“Unauthorized disclosures continue to tick up and are now the leading cause of breaches as data moves to cloud and mobile and as external sharing becomes easier. Unauthorized disclosures include all non-privileged access to PII or PHI,” the report states. “Hacking and IT-related incidents doubled year-over-year, an indication that malicious actors are not letting up and are increasingly aware of PHI’s high long-term value.”

____________________________________________________________________________________________

Alertsec is powered by Check Point and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Increase in DDoS Attacks

May 26th, 2017

Verisign’s recent report shows that 59 percent of distributed denial of service (DDoS) attacks peaked over 1 Gbps, and 23 percent peaked over 10 Gbps. The average peak attack size was 14.1 Gbps, a 26 percent increase over the previous quarter.

The largest attack reached 60 Gbps and lasted more than 15 hours.

“The attackers were very persistent in their attempts to disrupt the victim’s network by sending attack traffic on a daily basis for over two weeks.”

The report also noted that the IT services/cloud/SaaS industry was the prime target.

“In Q1 2017, Verisign observed that DDoS attacks remain unpredictable and persistent, and vary widely in terms of volume, speed and complexity,” the report said. “To combat these attacks, it is becoming increasingly important to constantly monitor attacks for changes in order to optimize the mitigation strategy.”

Imperva’s Global DDoS Threat Landscape report found that 74 percent of DDoS victims were attacked repeatedly.

“In the most extreme case, an established U.S.-based science news website was hit 1,046 times by low-volume bursts lasting 10 minutes or less,” Igal Zeifman, Incapsula security evangelist at Imperva, told eSecurity Planet by email. “This attack, and many other repeat assaults, fit the pattern of online harassment.”

“These attacks are a sign of the times — launching a DDoS assault has become as simple as downloading an attack script or paying a few dollars for a DDoS-for-hire service,” Zeifman added.

“Using these, non-professionals can take a website offline over a personal grievance or just as an act of cyber vandalism in what is essentially a form of Internet trolling.”

It also found that the U.S. was the most targeted country and that the majority of attacks originated from China.

Neustar’s Worldwide DDoS Attacks and Cyber Insights Research Report found that the average cost of a DDoS attack amounts to $2.5 million in lost revenue.

“The question organizations must ask now is how they are prepared to manage these highly disruptive events,” Neustar head of research and development Barrett Lyon said in a statement.

“Are they prepared for the bad day where their customers call and ask why the website is down?”

____________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Security Patch at Twitter

May 24th, 2017

On Twitter, anyone can address a message to another account using ‘@’ from their own account, but a security bug undermined that arrangement. A security researcher who goes by the alias ‘Kedrisch’ reported the bug to Twitter through its bug bounty program, which is run on HackerOne.

“The reporter discovered a flaw in the handling of Twitter Ads Studio requests which allowed an attacker to tweet as any user,” the HackerOne bug report states. “By sharing media with a victim user and then modifying the post request with the victim’s account ID, the media in question would be posted from the victim’s account.”

Kedrisch also provided a detailed writeup on the flaw and the steps to reproduce it. The process involves intercepting the owner_id and user_id parameters and reusing them in the subsequent GET and POST requests.

The bug allowed an attacker to publish posts as any user. Twitter said that the vulnerability had not been exploited.
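Both the Molina flaw and this Twitter bug share a root cause: the server took the identity of a record’s owner from a value the client controls (a claim number in the URL at Molina; the owner_id/user_id fields in the Twitter Ads request) rather than from the authenticated session. The Python model below is added here and is not code from Twitter, Molina or Kedrisch’s writeup; it shows a vulnerable handler for each case beside its fixed form, with the claim store, account names and request shape constructed for illustration.

```python
# Added example, not from the article or the companies it describes.
# Minimal framework-free model of object-level authorization: the fixed
# handlers bind the owner to the session identity instead of to client input.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    path: str                                  # e.g. "/claims/1002"
    session_user: Optional[str]                # None when nobody is logged in
    form: dict = field(default_factory=dict)   # POST body parameters


@dataclass
class Response:
    status: int
    body: dict


# Constructed sample data: claim number -> claim record; "owner" is the member.
CLAIMS = {
    1001: {"owner": "alice", "diagnosis": "J06.9", "medication": "amoxicillin"},
    1002: {"owner": "bob",   "diagnosis": "M54.5", "medication": "ibuprofen"},
}
# Constructed: media posted per account, modelled on the Twitter Ads bug.
POSTS = {"alice": [], "bob": []}


def claim_id_from_path(path: str) -> Optional[int]:
    """Parse /claims/<number>; anything else is not a claim URL."""
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "claims" and parts[1].isdigit():
        return int(parts[1])
    return None


def get_claim_vulnerable(req: Request) -> Response:
    """Molina-style bug: the number in the URL alone selects the record."""
    cid = claim_id_from_path(req.path)
    if cid is None or cid not in CLAIMS:
        return Response(404, {"error": "not found"})
    return Response(200, CLAIMS[cid])


def get_claim_fixed(req: Request) -> Response:
    """Fix: require a session and check the record belongs to that user.

    A claim that exists but belongs to someone else gets the same 404 as a
    non-existent one, so the URL cannot be used to probe valid claim numbers.
    """
    if req.session_user is None:
        return Response(401, {"error": "authentication required"})
    cid = claim_id_from_path(req.path)
    record = CLAIMS.get(cid) if cid is not None else None
    if record is None or record["owner"] != req.session_user:
        return Response(404, {"error": "not found"})
    return Response(200, record)


def post_media_vulnerable(req: Request) -> Response:
    """Twitter-style bug: owner_id from the request body decides who posts."""
    owner = req.form.get("owner_id")
    if owner not in POSTS:
        return Response(400, {"error": "unknown account"})
    POSTS[owner].append(req.form.get("media"))
    return Response(201, {"posted_as": owner})


def post_media_fixed(req: Request) -> Response:
    """Fix: the author is the session user; owner_id in the body is ignored."""
    if req.session_user is None:
        return Response(401, {"error": "authentication required"})
    POSTS.setdefault(req.session_user, []).append(req.form.get("media"))
    return Response(201, {"posted_as": req.session_user})
```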

“As former appsec tech lead for twitter, I’ll just say I’m not shocked this was in code from the ads team,” security researcher Charlie Miller wrote in a Twitter message.

Miller has won the well-known Pwn2Own hacking competition and was the first person to hack the iPhone.

Replying to one of his former teammates, Miller wrote: “if a team is responsible for the vast majority of security issues, maybe they should feel not awesome?”

Twitter awarded Kedrisch $7,560 for the disclosure. Kedrisch had previously disclosed a bug in the Twitter platform in December 2016, receiving $1,120 for a low-severity issue, and in October 2016 received $1,260 for reporting a disclosure flaw in publish.twitter.com, which was rated as a medium-severity issue.

Kedrisch also received three other bounties totaling $1,540 for reports that were not publicly disclosed.

____________________________________________________________________________________________

The Alertsec service protects everything stored on the computer such as Word, PowerPoint, Excel, Outlook, Gmail, Photos, Credit Card data files etc.

IoT Threat Defense Platform of Cisco

May 22nd, 2017

Cisco has created a new IoT Threat Defense Platform to tackle growing threats. It consists of integrated security technologies that protect enterprise IoT deployments from attackers, relying on network segmentation capabilities, while Cisco’s AnyConnect provides remote access functionality.

Marc Blackmer, product marketing manager of Industrial Solution at Cisco’s Security Business Group, said that it is best not to leave any stone unturned given the scale and complexity of IoT implementations.

“A characteristic of the IoT is that it opens a multitude of attack vectors,” Blackmer mentioned. “Now, organizations need to be aware of, not just what servers and workstations are online, but whether their HVAC system or connected lighting have been mistakenly connected to the Internet.”

Researchers at Dalhousie University in Canada and the Weizmann Institute of Science in Israel demonstrated a citywide bricking attack using smart bulbs. Companies are connecting their IoT devices to the Internet, and attackers are looking for weaknesses.

“A simple Shodan search can turn up medical devices and industrial equipment connected to the Internet, as well,” Blackmer said. “With this in mind, we selected the technologies in our portfolio that would, first, segment IoT devices, to protect them from external attacks, as well as protect the business should one of those devices be compromised, and then those that provide broad, complementary coverage across a range of attack vectors.”

Extending virtual local area networks (VLANs) to the scale of the IoT can overwhelm even the most efficient IT teams. Cisco’s products and teams are also helping companies secure their networks against stealthier threats.

“We are inspecting the traffic throughout the organization (with Stealthwatch, Advanced Malware Protection, and our NGIPS [Next-Generation Intrusion Prevention System], which is included with our NGFW [Next-Generation Firewall]), as well as that attempting to exit the organization (with Umbrella and Cognitive Threat Analytics).”

____________________________________________________________________________________________

Alertsec is powered by Check Point Endpoint Security products, which are positioned in the leader’s quadrant in Gartner’s Magic Quadrant for Mobile Data Protection.

Data Breach at Zomato

May 20th, 2017

Zomato is a restaurant search portal with more than 120 million users per month. The company recently found that approximately 17 million user IDs, names, usernames, email addresses and hashed passwords had been accessed without authorization.

“We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password,” the company stated. “This means your password cannot be easily converted back to plain text. We however strongly advise you to change your password for any other services where you are using the same password.”

Zomato said that the passwords of the affected accounts have been reset and that the database containing payment information was not affected. It also said that the hacker has agreed to stop selling the data.

“The marketplace link which was being used to sell the data on the dark Web is no longer available,” the company said.

The hacker asked the company to start a bug bounty program, a request that received a positive response. The hacker also shared details of how the Zomato database was accessed; these will be made public once the loopholes are closed.

“Having said that, we are going to be cautious and paranoid, as this is a sensitive matter,” the company added. “6.6 million users had password hashed in the ‘leaked’ data, which can be theoretically decrypted using brute force algorithms. We will be reaching out to these users to get them to update their password on all services where they might have used the same password.”

Breaches harm brands

A recent Ponemon Institute study surveyed the brand impact of a data breach and found that a breach causes a decline in stock value.

The survey, sponsored by Centrify, found that 31 percent of consumers stop using the products and services of a company affected by a data breach. Sixty-five percent said they lost trust in the company, and eighty-one percent said organizations should take reasonable steps to secure personal data.

Forty-five percent of the IT practitioners surveyed said they don’t believe brand protection is taken seriously in the C-suite.

“It is no longer just an IT problem — it must be elevated to the C-suite and boardroom because it requires a holistic and strategic approach to protecting the whole organization,” Centrify CEO Tom Kemp said.

____________________________________________________________________________________________

US Hit Hard by WannaCry Ransomware

May 18th, 2017

A Department of Homeland Security official said that the WannaCry ransomware campaign affected some U.S. critical infrastructure operators, but that there were no victims within the U.S. federal government.

Dragos CEO Robert M. Lee mentioned that his company is “aware of infections that occurred in the industrial control system community and had impact,” including small utilities and manufacturing sites in the United States — though he said “no one’s been hurt and no safety was at risk.”

PAS Global CEO Eddie Habibi said that companies that depend on industrial control systems (ICS) have been put on high alert.

“In a corporate IT network, cyber security professionals have the option of isolating traffic or entire systems if they are compromised,” Habibi said. “Personnel can also apply patches in real time with confidence that patching will not impact system performance.”

“Those systems may have primary responsibility for controlling volatile processes or ensuring worker and environmental safety,” Habibi said. “System uptime is paramount.”

“Real-time patches are also no-nos within a facility’s network,” Habibi added. “First, any Microsoft patch must have ICS vendor approval before application. Even with approval, patching typically occurs during maintenance windows and turnarounds when systems are offline — something that may occur only once or twice per year.”

Patches cannot be applied where there is a risk of process disruption.

“In these cases, asset owners may place additional security controls in front of the unpatched system to mitigate risk,” Habibi said. “This assumes that there is a closed-loop, enterprise-wide patch management process in place that can evaluate the steps required to mitigate risk; many companies are missing this capability.”

Microsoft has released security patches, but patches alone are not enough for critical infrastructure operators whose workforce has limited ability to apply them.

“As we watch WannaCry continue to proliferate and see new variants spring up, the risk to industrial process facilities remains high,” he said.

Langner founder and CEO Ralph Langner said that a capable attacker could hit industrial targets and force a production halt. “We haven’t seen that on a large scale yet, but I predict it’s coming, with ransom demands in the six and seven digits,” he said.

____________________________________________________________________________________________

Cyber Security Professional Salaries

May 16th, 2017

Salaries of information security personnel at U.S. government agencies should increase by approximately $7,000 to match the annual salaries of their private sector counterparts.

According to a recent survey sponsored by (ISC)2, Booz Allen Hamilton and Alta Associates, eighty-seven percent of respondents believe that hiring and retaining qualified information security professionals is important to their organization’s infrastructure.

“It’s crystal clear that the government must enhance its benefits offering to attract future hires and retain existing personnel given its fierce competition with the private sector for skilled workers and the unprecedented demand; unfortunately, the layers of complexity involved in fulfilling that goal are significant,” (ISC)2 managing director Dan Waddell mentioned in a statement.

According to respondents, security effectiveness can be improved by:

Increased training programs (62 percent)

Financial support for professional cyber security certifications (62 percent)

Improved salary packages (57 percent)

Flexible work schedules (56 percent)

“In today’s environment where cyber talent is scarce, organizations must recruit and train untapped talent pools, focusing on women, minorities, veterans and older workers,” Booz Allen Hamilton senior executive advisor Ron Sanders said.

“And while it can be difficult for government agencies to compete on salary alone when vying for these cyber warriors, they can appeal to a recruit’s sense of mission and purpose, tout the cutting-edge work being done and highlight opportunities for advancement,” Sanders added.

Challenges in Security

“The U.S. federal government is racing to boost data security against odds not generally faced in the private sector today,” 451 Research principal analyst Garrett Bekker said in a statement. “A major challenge in securing the far-flung systems in the U.S. federal government is the plethora of aging legacy systems still in place, with one example being a 53-year-old Strategic Automated Command and Control System at the Department of Defense that coordinates U.S. nuclear forces and uses 8-inch floppy disks.”

“In short, this ‘perfect storm’ of very old systems, tight budgets and being a prime cybercrime target has created a stressful environment,” Bekker added.

Accenture surveyed 3,500 U.S. citizens and found that seventy-four percent do not have much confidence in the government when it comes to data security.

“While government agencies face many cyber security challenges, the research found strong citizen support for government organizations to take steps to increase data security and protect citizen information,” Accenture public service strategy lead Peter Hutchinson said in a statement.

“Government agencies that take a comprehensive end-to-end security approach by integrating cyber security deep into their organizations will not only secure their data, but also win the trust and confidence of the citizens they serve,” Hutchinson added.

____________________________________________________________________________________________

Seventy four countries hit with WannaCry ransomware

May 14th, 2017

Kaspersky researchers said that tens of thousands of computers in 74 countries worldwide have been infected by WannaCry ransomware.

“It’s important to note that our visibility may be limited and incomplete and the range of targets and victims is likely much, much higher,” the researchers mentioned.

MalwareTech has published a live map of the affected areas worldwide.

“Russia, Ukraine and Taiwan leading,” Avast researcher Jakub Kroustek tweeted on Friday. “This is huge.”

Major organizations affected included FedEx, the Spanish phone company Telefonica, the Russian mobile phone operator MegaFon, and the UK’s National Health Service (NHS).

“This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors,” the NHS said.

Joshua Douglas, chief strategy officer at Raytheon Foreground Security, noted that vital services like healthcare were among the targets.

“Organizations are beginning to fully appreciate their exposure to risk, whether from negligent or malicious insiders, the growing attack surface represented by the Internet of Things, or from the growing number of sophisticated attackers,” Douglas said.

“Healthcare, an industry with mountains of sensitive personal data and lives at stake, should consider security measures that take into account network users in addition to outside threats,” Douglas added. “When dealing with ransomware, advanced security protections, basic cyber hygiene, tested disaster recovery plans and employee training are critical to protecting data.”

The attack has had a devastating impact on services and systems.

“This is the first time that a worm-like tool has been used in conjunction with ransomware that has created devastating impact against entire organizations,” Fidelis Cybersecurity threat research manager John Bambenek said by email. “Strong and swift patching would have helped mitigate this threat. It has undoubtedly captured the imagination of criminals who don’t want to hold individual machines ransom but to take entire organizations hostage, and surely we will see much more of this in the coming weeks.”

“The fact that a vulnerability developed by the NSA was used in this attack shows the dangers that can happen when this knowledge gets out into the wild even after a patch has been developed,” Bambenek added. “Intelligence agencies will always be developing zero-days, but unlike traditional weapons, these tools can be repurposed quickly for devastating criminal attacks.”

“The intelligence community should develop strong procedures that when such tools leak, they immediately give relevant information to software developers and security vendors so protections can be developed before attacks are seen in the wild,” Bambenek said.

____________________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements.

Privacy and Security for Americans

May 12th, 2017

A recent survey conducted by AnchorFree shows that more than eighty percent of Americans are more worried about online privacy and security than they were the previous year.

A bill has been passed that allows companies to collect personal data through ISPs without permission. Ninety-five percent of respondents are concerned about this bill, and more than fifty percent are looking to increase the security of their personal data.

The survey also shows that more than 70 percent are employing more ways to protect their data as compared to previous year.

“Our survey finds that the majority of consumers are concerned in the aftermath of the Federal Communications Commission’s rollback of Internet privacy protections,” AnchorFree founder and CEO David Gorodyansky said in a statement.

“As more connected devices emerge and threats to Internet freedom persist, it’s imperative for Americans to learn about online privacy protection options and take personal responsibility for safeguarding their health, wealth and family,” Gorodyansky added. “They otherwise risk the misuse of this data by hackers and third party companies.”

Another survey, by TeleSign, shows that thirty-one percent of consumers value their online life at $100,000 or more. Fifty percent believe that businesses are primarily responsible for security.

“Companies make plenty of money with the time and money we invest in them and they should do the same to protect our accounts and personal identity,” one survey respondent said.

A survey conducted by Lawless Research shows that 51 percent of respondents experienced a data breach in the previous year. Forty-two percent suffered a financial loss, and one-third stopped doing business with the affected companies.

Almost 61 percent changed their password after it was compromised, and seventy percent said that they reuse passwords.

Another survey, conducted by EyeVerify, found that eighty-six percent believe biometrics make logging in to apps easier, and seventy percent believe mobile apps are more secure with biometric authentication.

“Most people use some form of biometrics every day, but they want more opportunities to use it to make their lives easier and more secure,” EyeVerify CEO and founder Toby Rush said in a statement.

____________________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Corporate Security Survey

May 10th, 2017

Bromium conducted a survey of 210 security professionals which showed that thirty-five percent have bypassed their own corporate security in one way or another. Ten percent have paid a ransom or hidden a breach without informing their team.

“While we expect employees to find workarounds to corporate security, we don’t expect it from the very people overseeing the operation,” Bromium co-founder and CTO Simon Crosby said in a statement. “Security professionals go to great lengths to protect their companies, but to learn that their decisions don’t protect the business is frankly rather shocking.”

“To find from their own admission that security pros have actually paid ransoms or hidden breaches speaks to the human factor in cyber security,” Crosby added.

A recent ESET survey of over 400 U.S. adults found that a third of respondents hadn’t received any form of cyber security training at their organization. Sixty-two percent said they don’t receive recurring cyber security training.

Participants also identified the following cyber security knowledge gaps:

Email Threats – 30%

Protecting Mobile Devices – 30%

Smart Devices – 29%

Strong Passwords – 16%

A survey conducted by MediaPro indicates that seventy percent of cybersecurity risks or novice behaviors could be reduced with increased awareness. The study also found that respondents have limited knowledge of reporting, identifying personal information, working remotely, cloud computing, and acceptable use of social media.

“The results of this survey strongly suggest retailers need to rethink cyber security and data privacy as matters of overall risk management, not just check-the-box compliance based on PCI standards alone,” the MediaPro report states. “Retailers limit their employee education to PCI training at their own risk, as threats to an organization’s financial and reputational well-being exist beyond the typical coverage of this training.”

____________________________________________________________________________________________