Archive for the ‘Identity and Information loss’ category

Attack on Critical Infrastructure

September 2nd, 2017

Symantec researchers recently investigated and published findings of new cyber attacks which targeted the energy sector in Europe and North America. Attack group is known as Dragonfly which is involved in such activities since 2011.

“The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so,” the Symantec researchers wrote in a blog post.

Symantec cyber security researcher Eric Chien mentioned Reuters that many of companies have been targeted which few based in U.S.

“As it did in its prior campaign between 2011 and 2014, Dragonfly 2.0 uses a variety of infection vectors in an effort to gain access to a victim’s network, including malicious emails, watering hole attacks, and Trojanized software,” the researchers mentioned.

Attackers were trying to gain remote access to the system.

“Trojan.Heriplor is a backdoor that appears to be exclusively used by Dragonfly, and is one of the strongest indications that the group that targeted the western energy sector between 2011 and 2014 is the same group that is behind the more recent attacks,” the researchers wrote. “This custom malware is not available on the black market, and has not been observed being used by any other known attack groups.”

RiskVision CEO Joe Fantuzzi mentioned that there is a rise in the attack on the energy sector. “Critical infrastructure is clearly becoming more of a target for hackers as it provides access not only to sensitive information but the ability to dramatically impact and/or harm large numbers of people,” he said.

Fantuzzi added that energy sector company should do risk analysis. “Unfortunately, security defenses protecting these systems have often been neglected or routinely deprioritized, and as a result, are substandard or completely outdated, thus giving cyber criminals an easy entry into these networks,” he said.

 ___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by Check Point and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Current State of IOT

August 30th, 2017

As per the recent reports, a list of IP addresses and login credentials for more than 8,000 telnet-accessible Internet of Things (IoT) devices was posted on Pastebin. GDI Foundation chairman Victor Gevers mentioned that out of 8,233 devices only 144 has different login credentials. He also mentioned that the common credentials are root:[blank] (782 instances), admin:admin (634), root:root (320), admin:default (21), and default:.

Varonis technical evangelist Brian Vecci told that a leak as big as this one opens the door to a wide variety of infections and exploits. “Not only do consumers need to be mindful of what they put on their network and do what they can to secure their devices, but manufacturers have an obligation to make security an essential part of the design with IoT products,” he said.

Vecci said that defaults settings is an open invitation for attackers.

“Device manufacturers need to build better security into the design of their products and services to ensure that even if a consumer doesn’t take the time to customize the device, it’s not accessible and inviting abuse,” Vecci added. “Some manufacturers, for example, are beginning to minimize the risk of devices being hacked by randomizing factory default credentials and disabling remote access by default.”

As per the recent Irdeto survey, 90 percent mentioned that the cyber security should be inbuilt in IOT devices.

“Today’s connected world needs consumers to be vigilant about security threats,” Irdeto director of IoT security Mark Hearn said in a statement. “On the device manufacturer side, there must be a better ‘defense-in-depth’ approach to cyber security that integrates multiple layers of security into a system. This approach, combined with ongoing security updates to protect against the latest threats, is critical to mitigate attacks targeting IoT technologies.”

New IoT Cybersecurity Improvement Act of 2017 was introduced in the US to tackle security issues.

“My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products,” bill co-sponsor Sen. Mark Warner said at the time.

____________________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by Check Point and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

App Install Advertising Fraud

August 27th, 2017

The recent trend shows that there are new ways of online advertising today which aim for mobile apps install. As per the security firm DataVisor, the app installs advertising marketplace is a hot spot for regular attacks by fraudsters. This industry is of approximately $300 million per year.

DataVisor’s new “The Underworld of App Install Advertising” report mentioned that on average, premium ad networks had app install fraud rates of less one percent. Non-premium advertising network stands at five percent.

Ting-Fang Yen, Director of Research at DataVisor mentioned eSecurityPlanet that premium ad network doesn’t usually outsource or broker out their traffic to other channels. They either advertise on their own sites or only partner with reputable publishers they know, she said.

DataVisor Global Intelligence Network analyzed 140 million app installs and 11 billion user events to determine this report.

“We were surprised to see how much fraudsters are faking in-app activities and retention behavior,” Yen said.

Yen mentioned that fraudulent installs generated at least one in-app event.

“This means that fraudsters are becoming much more sophisticated. They are moving beyond just installs to go after the bigger payouts from cost-per-engagement (CPE) campaigns,” Yen said.

Yen mentioned ways to limit the risk by detecting fraud. Techniques involve the use of heuristics such as device identification, IP filtering, or click-to-install-time anomalies to distinguish fake installs from genuine users.

“Fraudsters are constantly exploring new ways to take advantage of loopholes and avoid detection,” Yen said. “This dynamic nature of fraud means that advertisers must remain vigilant and select the right partners and targeting criteria for each campaign they run.”

Advanced fraud detection solutions which can adapt to constantly changing attack patterns should be implemented.

“As fraudsters become increasingly sophisticated at faking installs, we expect more advertisers to adopt cost-per-engagement user acquisition models to avoid fraudulent traffic,” Yen said.

“Fraud is dynamic, and fraudsters are always on the look out for vulnerable points of entry,” she said. “If an ad network scrutinizes their traffic and deploys anti-fraud solutions, fraudsters will move to another channel that is less vigilant about traffic quality.”

____________________________________________________________________________________________

Alertsec Endpoint Encrypt is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Data Breach at Tewksbury Hospital

August 23rd, 2017

Tewksbury Hospital which is based in Massachusetts recently found out that there was unauthorized EHR access. The incident may have potentially led to a data breach.

As per the statement by a former Tewksbury Hospital patient, the electronic medical record was accessed inappropriately by an unauthorized individual.  After the investigation, a hospital found out that an employee may have accessed the data without proper justification.

It also found out that 1,000 other current and former patients information was accessed. Affected information included patient names, addresses, phone numbers, dates of birth, gender, diagnoses, and other information regarding medical treatment.

The employee has been terminated by the facility. The person no longer has access to the hospital’s HER system. Tewksbury Hospital also mentioned that there is no evidence of information misuse.

Patients are notified of the current incident. The Massachusetts Attorney General’s Office, the Massachusetts Office for Consumer Affairs and Business Regulation, and OCR are also notified.

“To reduce the chance of future incidents like this occurring, we are reviewing our policies regarding access to the electronic medical records system,” read a statement on the Massachusetts Health and Human Services website. “We are also reassessing how we review our workforce members’ use of the electronic medical records system, and we will be reviewing the training we provide to all workforce members regarding the privacy and security of confidential information.”

Affected individuals are encouraged to call toll free number for any further information about the incident. They can also take following steps –

  • Request initial fraud alert
  • Order a Credit Report and review the account (look for inquiries listed on the credit report from businesses that accessed your credit without a request)
  • Request a security freeze

If you are affected by the data breach you have the right to file a police report and obtain a copy of it. Massachusetts law gives you right to obtain any police report filed in regards to the incident.

____________________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. 

Ukraine’s Postal Service Hit

August 11th, 2017

Ukraine’s national postal service website Ukrposhta was hit by DDoS attacks for two days. The facility mentioned that it was able to start the service after the first day attack. On the second day, the service was slowed down by the attack.

Igal Zeifman Imperva director of marketing said that its not unusual to see such repeat attacks. “Recently, such tactics had become more common due to their ability to disrupt some security measures and cause fatigue to the people in charge of the attack mitigation, forcing them to stay alert even in the quiet time between attacks,” he said.

“In the first quarter of the year, we saw the number of such repeat assaults reach an all-time high, with over 74 percent of DDoS targets attacked at last twice in the span of that quarter,” Zeifman added.

Ukposhta was attacked earlier by hackers. In the late June it was impacted by NotPetya attacks.

As per Kaspersky Lab Q2 2017 DDoS Intelligence Report this quarter saw a 277-hour DDoS attack and 131 percent longer than the longest DDoS attack in Q1 2017.

It also mentioned that DDoS attacks hit 86 countries, up from 72 countries in Q1 2017. The most affected countries were China, South Korea, the U.S., Hong Kong, the U.K., Russia, Italy, the Netherlands, Canada and France.

Kaspersky also said that there is an increase in Ransom DDoS or RDos attacks

“Nowadays, it’s not just experienced teams of hi-tech cybercriminals that can be Ransom DDoS attackers,” Kaspersky Lab head of DDoS protection Kirill Ilganaev said in a statement. “Any fraudster who doesn’t even have the technical knowledge or skill to organize a full-scale DDoS attack can purchase a demonstrative attack for the purpose of extortion.”

“These people are mostly picking unsavvy companies that don’t protect their resources from DDoS in any way and therefore can be easily convinced to pay ransom with a simple demonstration,” Ilganaev added.

____________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Complex Malware Installed by Simple Phishing Attacks

August 9th, 2017

A new JScript back door called Bateleur distributed by the FIN7 (a.k.a Carbanak) hacker group through phishing emails targeting U.S.-based restaurant chains has been identified by Proofpoint researchers.

The modus operands is simple. The receiver gets the email containing document which contains macro. The message of the email is “here is the check as discussed.”

The executed macro creates a scheduled task to run Bateleur which then sleeps for three seconds and then again executes Bateleur and then sleeps for 10 seconds. Finally, it deletes the scheduled task.

“The combined effect of these commands is to run Bateleur on the infected system in a roundabout manner in an attempt to evade detection,” the researchers note.

The JScript macro contains anti-sandbox and anti-analysis functionality.

“We continue to see regular changes to the tactics and tools used by FIN7 in their attempt to infect more targets and evade detection,” the researchers state. “The Bateleur JScript back door and new macro-laden documents appear to be the latest in the group’s expanding toolset, providing new means of infection, additional ways of hiding their activity, and growing capabilities for stealing information and executing commands directly on victim machines.”

Simon Taylor, vice president of products at Glasswall, mentioned that though the software is complex, a method of installing it is very straight forward through phishing email.

“Phishing is a tried and true method for attackers — largely because it is predictably and repeatedly successful,” he said.

“Historically, the security industry has attempted to change employee behaviour,” Taylor added. “But while education helps, cyber criminals are continuously adjusting their techniques and the authenticity of their messages in order to stay several steps ahead of their victims.”

“Humans are and always will be the weakest link in an organization, and going forward, defense and detection strategies must change to address these inevitable challenges,” Taylor said.

Cyber Resilience

____________________________________________________________________________________________

Alertsec is based on the 256-bit AES encryption algorithm and has the highest security certifications.

Breach at Italy’s Biggest Bank

July 29th, 2017

The leading bank in Italy, UniCredit mentioned that approximately 400,000 of its customers’ data were affected after third party provider was hacked. The name of the third party is withheld. It is one of the major attack on Italy’s financial institution as per the Reuters.

The bank mentioned that data was stolen in two different breaches.

“UniCredit has launched an audit and has informed all the relevant authorities,” the bank said in a statement. “In the morning, UniCredit will also file a claim with the Milan Prosecutor’s office. The bank has also taken immediate remedial action to close this breach.”

Paul Norris, senior systems engineer for EMEA at Tripwire mentioned that these two breaches occurred in a year.

“Basic security hygiene needs to be adopted by all enterprises, not just financial institutions, and this includes secure configurations and vulnerability management, as well as performing specific threat assessment and countermeasures, which will reduce the overall risk of future attacks,” Norris said.

Evident.io CEO Tim Prendergast mentioned that customers expect that their information should be secured. “Enterprises, therefore, must demand that their partners operate according to the same security rules and protocols they abide by when it comes to customer data,” he said.

“It should be a requirement that all partners use continuous security monitoring of their cloud environments, and adhere to rigorous security protocols if they want to work with a vendor,” Prendergast added.

Matt Walmsley, EMEA director at Vectra Networks, mentioned that the breach reminds companies to take extra care to handle sensitive data.

“In an effort to save costs, businesses often outsource functions to third-party providers and external contractors,” he said. “However, businesses have a duty of care to protect personal information regardless of whether they manage it in-house or out-of-house.”

____________________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by Check Point and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Data Breach at Swedish Citizens’ Data Points

July 27th, 2017

Unscreened third-party IT workers were provided full access to the information of vehicles including police and military by the Swedish Transport Agency. Management of the operations were outsourced to IBM administrators without security checks in 2015.

According to the reports, as the data is handled in time pressure for this activity, there was no option to transfer bypassing standard security protocols.

Affected information included vehicle registration data for every Swedish citizen, data on all government and military vehicles, weight capacity of all roads and bridges — and the names, photos, and home addresses of air force pilots, police suspects, elite military operatives, and people under witness protection.

As per the Swedish Pirate Party founder Rick Falkvinge the breach is the “worst known governmental leak ever,” noting, “Sweden’s Transport Agency moved all of its data to ‘the cloud,’ apparently unaware that there is no cloud, only somebody else’s computer.”

“Many governments have had partial leaks in terms of method (Snowden) or relations (Manning) lately, but this is the first time I’m aware that the full treasure chest of every single top-secret governmental individual with photo, name, and home address has leaked,” Falkvinge wrote.

The entire register was sent to marketers which also included people in the witness protection program.

When that happened, Falkvinge wrote, “the sensitive identities were pointed out and named in a second distribution with a request for all subscribers to remove these:e records themselves. This took place in open clear text email.”

RiskVision CEO Joe Fantuzzi mentioned the risk of third party vendors.

While understanding your own risk environment is an important step in improving your risk posture, Fantuzzi said, it’s far from the only step.

“Organizations that fail to assess third party vulnerabilities will be left with gaping blind spots that will leave them susceptible to breaches and cyber attacks down the road,” Fantuzzi said.

“Ultimately, organizations need to truly consider third party environments as an extension of their own, and treat them as such from a security and risk perspective.”

____________________________________________________________________________________________

Alertsec is powered by Check Point Endpoint Security products, which are positioned in the leader’s quadrant in Gartner’s Magic Quadrant for Mobile Data Protection.

Corelight Rises Series A Funding

July 21st, 2017

A San Francisco-based technology startup Corelight had raised $9.2 million in a Series A round of funding led by Accel Partners. Other participants include Osage University Partners and Dr Steve McCanne, co-founder of Riverbed Technology.

Corelight Sensor is the company product which uses Bro, an open-source network analysis framework to check even the most advanced or stealthy network attacks. Dr Vern Paxson, a professor of computer science at UC Berkeley, who co-founded the company and serves as its chief scientist.

Corelight mentioned that it uses specialized hardware to provide four times the data processing output. It also features high-performance network interface card to quickly generate results.

“Since all data, no matter what the threat vector, travel over networks, the Corelight Sensor is a powerful tool to understand threats” Alan Saldich, CMO of Corelight, told e-security Planet. Those threats include malware infections port scanning, denial of service attacks, unauthorized access, misconfigurations, abuse, exfiltration of data, insider threats, advanced persistent threats, phishing or other email-based attacks, he said.

“While Bro-Corelight is not always the tool that detects incidents–in many cases, it is end users who detect unusual emails or behaviour, or report ransomware–it is the fastest way to resolve them and get clarity about exactly what happened and why to get to the root cause,” continued Saldich.

Corelight Sensor provides output in easy to understand manner.

“Understanding those alerts is a laborious and time-consuming job because there are many systems involved, each with different data, logs, user interfaces, formats and they are not necessarily correlated or organized in a way that is useful to [incident responders],” said Saldich.

“That means that advanced persistent threats can linger undetected or unresolved for hours, days or weeks because dealing with them is so challenging.”

Corelight present the security threat data in a format so that security personals take the action.

“Corelight helps companies resolve cyber security incidents much faster than they can today. We do that by providing clarity and detailed information about all network traffic, summarized and structured specifically for cybersecurity pros and incident responders,” added Saldich.

____________________________________________________________________________________________

Alertsec encryption is powered by Check Point and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Kaspersky Lab Defends Allegations

July 18th, 2017

Kaspersky Lab is accused of deep connections with Russia-based hacking efforts. The U.S. government has removed the firm from its vendor list which can be used for federal government. The step was taken after U.S. officials, including Adm. Mike Rogers, director of the National Security Agency and Cyber Command leader, testified before a Senate committee mentioning potential risks from Kaspersky Lab software.

Kaspersky Lab has denied the accusations.

“Regardless of how the facts are misconstrued to fit in with a hypothetical, false theory, Kaspersky Lab, and its executives, do not have inappropriate ties with any government,” the company stated. “The company does regularly work with governments and law enforcement agencies around the world with the sole purpose of fighting cybercrime.”

Allegations were also made against Kaspersky Lab that it took active participation in raids with Russian law enforcement officials and ‘hacked back’ against organizations.

“Hacking back is illegal, and Kaspersky Lab has never been involved in such activities,” the company stated. “Instead we are actively participating in joint shut-down of botnets led by law enforcements of several countries where the company provides technical knowledge.”


Kaspersky Lab mentioned that it only provides technical expertise throughout the investigation to help catch cybercriminals.

“Concerning raids and physically catching cybercriminals, Kaspersky Lab might ride along to examine any digital evidence found, but that is the extent of our participation, as we do not track hackers’ locations,” the company stated.

“I want to reassure you, our valued partner – there is no evidence because no such inappropriate ties exist,” he wrote in reference to the Russian government allegations. “While Kaspersky Lab regularly works with governments and law enforcement agencies around the world to fight cybercrime, the company has never helped nor will help, any government in the world with its cyberespionage efforts.”

____________________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by Check Point and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.