Archive for December, 2017

DDoS Blended Multiple Attack

December 29th, 2017

Nexusguard’s Q3 2017 Threat Report shows that 55 percent of DDoS attacks in the Q3 of 2017  were multi-vector attacks, blending UDP-flood, NTP amplification and other attack vectors.

The survey analyzed more than 9,600 attacks. This number is 10 times more than the previous year.

“Our Q1 predictions that UDP-based attacks originating from NTP vulnerabilities would increase came true, as we observed NTP amplification reach a new high with a 425 percent jump compared to Q2,” Nexusguard CTO Juniman Kasman said in a statement. “Additionally, multi-vector attacks created higher levels of difficulty in differentiating attack traffic from normal traffic, overwhelming traditional mitigation methods.”

“To protect against these types of attacks, organizations need to develop coordinated efforts to uncover new threats, remedy affected apps and ensure mitigation methods can flex and suppress growing attacks,” Kasman added.

As per the reports, China accounted for almost 21 percent of DDoS attacks worldwide in the third quarter. US stands at 5 percent.

Another survey conducted by Imperva’s Global DDoS Threat Landscape shows that attacks on bitcoin exchanges represented 3.6 percent of network layer DDoS attacks during the quarter.

“This is a clear example of DDoS attackers following the money,” Imperva senior manager Igal Zeifman said by email. “As a rule, extortionists and other cybercriminals are commonly drawn to successful online industries, especially emerging ones that are less likely to be well-protected.”

The survey was conducted after analyzing 5,765 DDoS attacks. There is also rise in the number of high packet rate network layer attacks, in which the packet forwarding rate exceeded 50 Mpps or even 100 Mpps.

“This is a cause for concern, as many mitigation solutions are ill equipped to process packets at such a high rate,” the report notes.

__________________________________________________________________________________________

AlertSec ACCESS is a patent pending technology designed to check that devices are encrypted before access to a network is granted. 

Almost One Third U.S. Businesses breached in 2017

December 26th, 2017

Twenty-nine percent of U.S. businesses were affected by a data breach in the 2017. The analysis was done by HSB of 403 senior executives in the U.S., and conducted by Zogby Analytics.

Company reputation gets a hit after the breach says two third of respondents. The amount spent was $5,000 and $50,000 to respond to a breach as per the twenty seven respondents. Thirty  percent said they spent between $50,000 and $100,000.

Fifty one percent mentioned that lack of knowledge is the reason behind the success of the attack.

“The results highlight how closely our economy and society are interconnected digitally,” HSB vice president Timothy Zellman said in a statement. “Almost all of our personal and business data can be accessible on the Internet through online business connections, websites and social media. And that exposes our private information to attacks from hackers and cyber thieves.”

Another survey conducted by Balabit of 222 IT executives and IT security professionals shows that 35 percent of respondents see themselves as the largest internal security risk to networks within their companies. IT staff has higher rights than other users.

The report also has below findings –

Forty seven percent of respondents mentioned that the time and location of login, followed by private activities using corporate devices (41 percent), and biometrics identification characteristics such as keystroke analytics (31 percent) is the most important user data for spotting malicious activity

“As attacks become more sophisticated, targeted attacks and APTs more commonly involve privileged users inside organizations — often via hacks involving stolen credentials,” Balabit security evangelist Csaba Krasznay said in a statement. “Today, IT security professionals’ tough job has become even tougher. It is not enough to keep the bad guys out; security teams must continuously monitor what their own users are doing with their access rights.”

__________________________________________________________________________________________

AlertSec ACCESS is a patent pending technology. It is designed to enforce that devices are encrypted before access to a network is granted. 

Cyber Attacks

December 25th, 2017

Austin Manual Therapy mentioned that they suffered data breach due to unauthorized access to its system. As per the reports, limited parts of the system were accessed. There is no data which shows that the attack was also carried on the organization’s core EHR system.

“Despite conducting a comprehensive forensic analysis, we have very little evidence as to what documents or information the attacker was able to access or steal,” Austin Manual Therapy stated. “We know that the attacker was able to access one of our computers and a shared file system.”

Affected information included addresses, phone numbers, occupations, dates of birth, insurance policy information, insurance coverage and eligibility information, charge amounts, dates of service, driver’s license information, diagnosis, health screening information, referring physician information, and full or partial Social Security numbers.

As per the OCR tool, total 1,750 individuals may have been affected.

“While our investigation is substantially complete, it remains ongoing and will likely continue through the end of the year,” Austin Manual explained. “We also have implemented and are continuing to implement additional security measures designed to prevent a recurrence of this type of attack, to quickly identify unusual activity, and to further protect the privacy of your information.”

CA Facility Data Breach

California-based Stanislaus County Behavioral Health and Recovery Services (BHRS) mentioned that it suffered data breach due to a ransomware attack.

“The network has been shut down and isolated from the County-wide network while online services and communication are being provided by other means temporarily, and client care has continued,” read a Stanislaus County statement from December 15, 2017.

Stanislaus County said that it has previously mitigated ransomware attacks, but this time “the particular techniques used in this attack were able to get past the security mechanisms that are in place.”

“All BHRS computers are being held in quarantine to prevent any further infection,” the statement read. “No breech of personal information has been detected at this time.”

Stanislaus County did not mention the affected number of individuals.

BHRS has more than 400 employees and provides services “for about 14,000 adults and children, including mental health services and help with overcoming addictions.”

__________________________________________________________________________________________

AlertSec ACCESS is a patent pending technology designed to check that devices are encrypted before access to a network is granted.

Devices and Data Breach

December 24th, 2017

Pennsylvania-based Washington Health System (WHS) Greene mentioned that it suffered data breach due to missing external hard drive.

The device was used for Bone Densitometry machine. Facility mentioned that data of patients who underwent bone density studies at WHS Greene from 2007 until October 11, 2017 may have been present in the hard drive.

Affected information included certain patient information which includes patient names, height, weight, race, and gender information, medical record numbers and health issues may have been included for some patients. Social Security and financial information were not present.

WHS Greene mentioned that there are no signs of information misuse.

“Washington Health System Greene is committed to maintaining the privacy and security of patient information, including regular review and evaluation of the security of all processes in place,” WHS Green stated. “This unprecedented situation has our full attention and please be assured that we have taken and will continue to take steps to ensure that a breach of this nature will not happen in the future.”

As per the OCR data breach reporting tool, total 4,145 individuals may have been affected.

Data sold online in another breach

New Jersey-based Chilton Medical Center recently mentioned that an employee removed a computer hard drive. The person sold it on the internet. Hard drive was sold in the last month.

Patients treated May 1, 2008 to October 15, 2017 may have had their information present on the device.

Affected information included patients’ names, dates of birth, addresses, medical record numbers, allergies, and medications the patient may have received at Chilton Medical Center.

“During our investigation, we determined that the former employee removed other devices and assets from Chilton Medical Center to sell on the internet in violation of policy,” the statement explained. “While we currently have no indication that any of these devices or assets contain patient information, we continue to investigate this incident and, if we determine additional patients are affected, we will notify them as appropriate.”

____________________________________________________________________________________________

AlertSec ACCESS checks for full disk encryption on PCs running Windows 7, 8, and 10 Home, Pro and Enterprise as well as Mac OS El Capitan and Sierra.

Security Budgets After WannaCry, NotPetya Attacks

December 22nd, 2017

AlienVault conducted survey of 233 IT professionals worldwide. The report shows that only 14 percent increased budgets for cyber security after the WannaCry and NotPetya cyber attacks. Only twenty percent were able to apply changes or implement security projects that had previously been put on hold.

Only 16 percent mentioned that their company leadership and boards took interest in security after the attacks.

“WannaCry and NotPetya are generally believe to have marked a turning point in cyber awareness, but the reality on the ground paints a different picture,” AlienVault security advocate Javvad Malik said in a statement. “Destructive malware poses existential threats to companies across all industries and can no longer be ignored.”

“To improve our cyber resilience, corporate strategy needs to be developed that covers how to plan for, detect, mitigate and recover from such destructive attacks,” Malik added.

“The IT security profession remains a very tough place to work, where resilience is the key to success — particularly if you are blamed in the event of your company suffering a security incident,” Malik said.

Twenty percent said that IT advice is now taken seriously after the attacks.

Another survey conducted by Spiceworks shows that thirty two percent hope to look for another job.

Eight one percent mentioned that its critical to have cyber security expertise.

“Although the majority of IT professionals are satisfied with their jobs, many also believe they should be making more money, and will take the initiative to find an employer who is willing to pay them what they’re worth in 2018,” Spiceworks senior technology analyst Peter Tsai said in a statement.

“Many IT professionals are also motivated to change jobs to advance their skills, particularly in cyber security,” Tsai added. “As data breaches and ransomware outbreaks continue to haunt businesses, IT professionals recognize there is high demand for skilled security professionals now, and in the years to come.”

____________________________________________________________________________________________

AlertSec ACCESS checks all computers and smartphones and detects all encryption types.

Keeper Security Patches Password Protection Flaw

December 19th, 2017

Google Project Zero security researcher Tavis Ormandy sent a email to Keeper Security about a new vulnerability. Company replied to Ormandy and delivered a patch within 24 hours to the users. The security issue is identified as “privileged UI injection into pages”.

“I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages,” Ormandy wrote in a bug report. “I checked and, they’re doing the same thing again with this version.”

The first time Ormandy informed Keeper Security of the privileged UI injection into pages” issue was in August 2016. At that time, Ormandy explained how the flaw could simply enable an attacker to steal passwords from Keeper users.

“This is a complete compromise of Keeper security, allowing any website to steal any password,” Ormandy wrote in his new advisory.

Keeper browser extension has this particular flaw.

“This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a clickjacking and/or malicious code injection technique to execute privileged code within the browser extension,” Keeper wrote in its advisory.

Google Project Zero has a 90-day disclosure policy to publicly reveal the issue. But Keeper solved the issue in 24 hours.

Keeper browser extension has already been automatically updated.

“Assume that everything is hackable,” Jeff Bohren, Chief Software Engineer at Optimal IdM suggests.

Boren mentioned that users look for a password manager which is cloud based along with two-factor authentication.

“2FA does a good job of allowing only individual account owners access to their login credentials,” Bohren said. “If hackers do succeed in guessing a password, they must still breach additional authentication steps before they can reach important data.”

 ___________________________________________________________________________________

AlertSec ACCESS is a patent pending technology. It is designed to enforce that devices are encrypted before access to a network is granted. Encrypted devices secure your data in case a device is lost or stolen.

ICS Malware

December 16th, 2017

FireEye researchers mentioned that the company’s Mandiant subsidiary is attacked by new industrial control systems(ICS) malware. The hackers shut down plant operations by targeting emergency shutdown systems.

Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers were targeted specifically. The researchers are calling the malware Triton. The operations were shut down during reconnaissance performance by attackers.

“FireEye has not connected this activity to any actor we currently track; however, we assess with moderate confidence that the actor is sponsored by a nation state,” the researchers wrote. “The targeting of critical infrastructure as well as the attacker’s persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor.”

Russian, Iranian, North Korean, U.S. and Israeli state actors may be behind the attacks. “Intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency,” the researchers mentioned.

Phil Neray, vice president of industrial cyber security at CyberX, mentioned that his company believes the targeted plant was in Saudi Arabia, which would likely mean that Iran was responsible for the attack.

“It’s widely believed that Iran was responsible for destructive attacks on Saudi Arabian IT networks in 2012 and more recently in 2017 with Shamoon, which destroyed ordinary PCs,”

Neray said. “This would definitely be an escalation of that threat because now we’re talking about critical infrastructure — but it’s also a logical next step for the adversary.”

Chris Morales, head of security analytics at Vectra, mentioned that an attack like this was all but inevitable. “The connectivity and integration of traditional information technology with operational technology — IT/OT convergence — is increasing exponentially,” he said.

“The IoT and IT/OT convergence is accelerated by the speed of business and the implementation of AI to drive decisions in ICS environments,” Morales added. “In addition, more ICS devices are running commercial operating systems, exposing ICS systems to a wider swath of known vulnerabilities.”

____________________________________________________________________________________________

AlertSec ACCESS is a patent pending technology designed to check that devices are encrypted before access to a network is granted.

Google Encryption for Clouds

December 13th, 2017

Largest cloud networks in the planet is operated by Google. It employs multiple techniques to keep the data secure. Company is now providing some insight about the encryption techniques.

Google, like others, uses Transport Layer Security (TLS) to encrypt connections for data in motion from external hosts to the Google Cloud. But Google has its own method for encrypting data connections within its own data centers. It is called Application Layer Transport Security (ALTS).

“We get a lot of customer questions about encryption, so we’re trying to build trust through transparency,” Maya Kaczorowski, Security and Privacy Product Manager at Google, told eSecurityPlanet.

Kaczorowski mentioned that when a user connects to the Google Cloud, by default the connection is encrypted with TLS. Google is making use of TLS 1.3, which is not yet an official IETF standard.

Container vendor Docker has a model similar for its Swarm orchestration technology called mutually authenticated TLS (mTLS).

“TLS uses X.509 certificates, while ALTS uses protocol buffers,” Kaczorowski said.

Kaczorowski said that Protocol Buffers are a language-neutral technology for serializing data.

“It’s not based in hardware, Protocol Buffers are just a way for storing and transmitting information,” Kaczorowski said.

Kaczorowski mentioned that BeyondCorp is all about how Google employees access internal applications and resources.

“With ALTS, what we’re talking about is how every service at Google can authenticate with each other,” Kaczorowski said.

Company is also working on the open-source Istio service mesh project for Kubernetes.

“Istio authentication automatically aims to encrypt data transit between services,” she said. “The concept is similiar to ALTS.”

“For encryption in transit we have encryption at the network layer (Layer 3) and at the application layer (Layer 7),” Kaczorowski said. “With encryption at rest we’re encrypting both at the storage device layer and at the storage system layer.”

“We want to have multiple layers that we can fall back on,” she said.

____________________________________________________________________________________________

AlertSec ACCESS checks all computers and smartphones and detects all encryption types

NiceHash Breach

December 10th, 2017

The cryptocurrency mining marketplace NiceHash mentioned that its payment system had been affected by data breach. Contents of its Bitcoin wallet were stolen.

Company didn’t mention the number of bitcoin affected but according to Reddit, the hacker bitcoin address has 4,736 Bitcoin which values $83 million.

“Clearly, this is a matter of deep concern and we are working hard to rectify the matter in the coming days,” the company said in a statement. “In addition to undertaking our own investigation, the incident has been reported to the relevant authorities and law enforcement and we are cooperating with them as a matter of urgency.”

Company has temporarily stopped operations.

Webroot senior threat research analyst Tyler Moffitt mentioned email that the breach should serve as a reminder to the mining community that when mining for a pool, it’s always best to have payouts trigger at the smallest amount. “Even though there are fees associated with using the minimum payout, having the amount sit in the mining pool’s wallet is risky,” he said.

Cybercriminals targeting cryptocurrencies has increased. Imperva’s Global DDoS Threat Landscape Report shows that 73.9 percent of all Bitcoin exchanges were attacked by DDoS method.

“As a rule, extortionists and other cybercriminals are commonly drawn to successful online industries, especially emerging ones that are less likely to be well-protected,” Imperva security evangelist Igal Zeifman said by email. “Attackers can make a lot of money when attacking crypto exchanges due to factors such as the anonymity of the cryptocurrencies, hence the ability to ‘get rid’ of the stolen goods with limited risk.”

Recorded Future report also reported a rapid spike in mining malware.

“Our research has confirmed that cybercriminals are shifting attack vectors from highly damaging ransomware infections to long-term, low-velocity crypto mining operations,” the report states.

The researchers also found out that there are sixty two different types of cryptomining malware available for sale online.

____________________________________________________________________________________________

AlertSec ACCESS checks for full disk encryption on PCs running Windows 7, 8, and 10 Home, Pro and Enterprise as well as Mac OS El Capitan and Sierra.

Ransomware Attacks in 2017

December 7th, 2017

As compared to 2016, the ransomware attacks hitting business users increased from 22.6 percent in 2016 to 26.2 percent in 2017. Kaspersky Lab conducted survey.

“Welcome to ransomware in 2017 — the year global enterprises and industrial systems were added to the ever-growing list of victims, and targeted attackers started taking a serious interest in the threat,” the report states. “It was also a year of consistently high attack numbers, but limited innovation.”

Significant businesses lost amount or data due to ransomware.Three massive ransomware outbreaks in 2017 are WannaCry, NotPetya and Bad Rabbit.

”The headline attacks of 2017 are an extreme example of the growing criminal interest in corporate targets,” Kaspersky Lab senior malware analyst Fedor Sinitsyn said in a statement. “We spotted this trend in 2016, it has accelerated throughout 2017 and shows no signs of slowing down.”

“Business victims are remarkably vulnerable, can be charged a higher ransom that individuals and are often willing to pay up in order to keep the business operating,” Sinitsyn added. “New business-focused infection vectors, such as through remote desktop systems, are not surprisingly also on the rise.”

Another report by Malwarebytes shows that the number of ransomware attacks in the first three quarters of 2017 is more than 2016 by 62 percent.

The report also shows that ransomware has largely replaced botnets.

“Knowledge of cybercrime and security best practices has to go across the organization, driven from the top down,” the report states. “With an endless array of potential vulnerability points, from reception to external vendors, an exchange of knowledge, awareness and insight is key to recognizing threats.”

“This idea of a CEO as a cyber security champion evokes an even bigger shift which can ultimately help businesses better protect themselves: treating cyber security as an investment in trust, rather than a way to prevent losses or costs.”

____________________________________________________________________________________________

AlertSec ACCESS is a patent pending technology designed to check that devices are encrypted before access to a network is granted.