Phishing Attack Prevention: What is Phishing?

What is Phishing?

Phishing is the practice of sending fraudulent communications that appear to come from a reputable source. It is usually done through email. The goal is to steal sensitive data like credit card and login information, or to install malware on the victim’s machine. Phishing is a common type of cyber attack that everyone should learn about in order to protect themselves.

Phishing Attack Prevention:

Why are so many companies vulnerable to phishing? Two reasons: they do not have the right tools in place, and they fail to train employees on the role they play in information security.

Employees possess credentials and overall knowledge that is critical to the success of a breach of the company's security. One of the ways in which an intruder obtains this protected information is via phishing. The purpose of phishing is to collect sensitive information with the intention of using that information to gain access to otherwise protected data, networks, etc. A phisher's success is contingent upon establishing trust with its victims. We live in a digital age, and gathering information has become much easier as we are well beyond the dumpster diving days.

How do I protect against phishing attacks?

User education

One way to protect your organization from phishing is user education. Education should involve all employees. High-level executives are often a target. Teach them how to recognize a phishing email and what to do when they receive one. Simulation exercises are also key for assessing how your employees react to a staged phishing attack.

Security technology

No single cybersecurity technology can prevent phishing attacks. Instead, organizations must take a layered approach to reduce the number of attacks and lessen their impact when they do occur. Network security technologies that should be implemented include email and web security, malware protection, user behavior monitoring, and access control.

How does phishing work?

Phishing starts with a fraudulent email or other communication that is designed to lure a victim. The message is made to look as though it comes from a trusted sender. If it fools the victim, he or she is coaxed into providing confidential information, often on a scam website. Sometimes malware is also downloaded onto the target’s computer.

What are the dangers of phishing attacks?

Sometimes attackers are satisfied with getting a victim’s credit card information or other personal data for financial gain. Other times, phishing emails are sent to obtain employee login information or other details for use in an advanced attack against a specific company. Cybercrime attacks such as advanced persistent threats (APTs) and ransomware often start with phishing.

Types of Phishing

Deceptive Phishing. The term "phishing" originally referred to account theft using instant messaging, but the most common broadcast method today is a deceptive email message. Messages about the need to verify account information, a system failure requiring users to re-enter their information, fictitious account charges, undesirable account changes, new free services requiring quick action, and many other scams are broadcast to a wide group of recipients in the hope that the unwary will respond by clicking a link to, or signing on to, a bogus site where their confidential information can be collected.

Malware-Based Phishing refers to scams that involve running malicious software on users' PCs. Malware can be introduced as an email attachment, as a downloadable file from a web site, or by exploiting known security vulnerabilities, a particular issue for small and medium businesses (SMBs) that are not always able to keep their software applications up to date.

Keyloggers and Screenloggers are particular varieties of malware that track keyboard input and send relevant information to the hacker via the Internet. They can embed themselves into users' browsers as small utility programs known as helper objects that run automatically when the browser is started as well as into system files as device drivers or screen monitors.

Session Hijacking describes an attack where users' activities are monitored until they sign in to a target account or transaction and establish their bona fide credentials. At that point the malicious software takes over and can undertake unauthorized actions, such as transferring funds, without the user's knowledge.

Web Trojans pop up invisibly when users are attempting to log in. They collect the user's credentials locally and transmit them to the phisher.

Hosts File Poisoning. When a user types a URL to visit a website, the host name must first be translated into an IP address before anything is transmitted over the Internet. The majority of SMB users' PCs running a Microsoft Windows operating system first look up these host names in their "hosts" file before undertaking a Domain Name System (DNS) lookup. By "poisoning" the hosts file, attackers cause a bogus address to be returned, taking the user unwittingly to a fake "look alike" website where their information can be stolen.

System Reconfiguration Attacks modify settings on a user's PC for malicious purposes. For example, URLs in a favorites file might be modified to direct users to look-alike websites: a bank website URL may be changed from "bankofabc.com" to "bancofabc.com".

Data Theft. Unsecured PCs often contain subsets of sensitive information that is stored elsewhere on secured servers. PCs are used to access such servers and can be more easily compromised. Data theft is a widely used approach to business espionage. By stealing confidential communications, design documents, legal opinions, employee-related records, etc., thieves profit by selling them to competitors or to those who want to embarrass the victim or cause it economic damage.

DNS-Based Phishing ("Pharming"). Pharming is the term given to hosts file modification or Domain Name System (DNS)-based phishing. With a pharming scheme, hackers tamper with a company's hosts files or domain name system so that requests for URLs or name service return a bogus address and subsequent communications are directed to a fake site. The result: users are unaware that the website where they are entering confidential information is controlled by hackers and is probably not even in the same country as the legitimate website.
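A defender's check for the hosts-file tampering described under Hosts File Poisoning and Pharming above, added here as an example (it is not code from the original page): it parses hosts-file text and flags entries that pin a watchlisted domain, map a name to a non-local address, or use a one-character lookalike of a watchlisted domain such as the "bancofabc.com" case. The sample hosts content, the watchlist and the bankofabc.com names are constructed for the example.

```python
"""Audit hosts-file content for pharming-style tampering.

Added example, not part of the original page. Flags entries that (a) pin a
watchlisted domain (which should only ever resolve via DNS), (b) map a name to a
non-local address, or (c) use a name one edit away from a watchlisted domain.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample: a typical hosts file with two tampered lines added.
SAMPLE_HOSTS = """\
# constructed hosts file for the example
127.0.0.1       localhost
::1             localhost
192.0.2.44      bankofabc.com www.bankofabc.com   # poisoned: bank pinned to attacker IP
127.0.0.1       bancofabc.com                    # one-letter lookalike of the bank
0.0.0.0         ads.example.net                  # ad-blocking sinkhole, benign
"""

# Constructed watchlist: domains the organisation never expects in a hosts file.
WATCHLIST = {"bankofabc.com"}


@dataclass(frozen=True)
class Finding:
    lineno: int
    address: str
    name: str
    reason: str


def parse_hosts(text: str) -> list[tuple[int, str, list[str]]]:
    """Return (line number, address, [names]) per valid entry; comments are dropped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed line, not an entry
        entries.append((lineno, fields[0], [n.lower() for n in fields[1:]]))
    return entries


def is_local_address(address: str) -> bool:
    """Loopback (127.0.0.1, ::1) and unspecified (0.0.0.0) are the normal hosts targets."""
    addr = ipaddress.ip_address(address)
    return addr.is_loopback or addr.is_unspecified


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def watchlist_match(name: str, watchlist: set[str]) -> str | None:
    """Return the watchlisted domain that `name` equals or is a subdomain of."""
    for domain in watchlist:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def lookalike_of(name: str, watchlist: set[str]) -> str | None:
    """Return a watchlisted domain within one edit of `name` (ignoring a leading 'www.')."""
    bare = name[4:] if name.startswith("www.") else name
    for domain in watchlist:
        if bare != domain and edit_distance(bare, domain) == 1:
            return domain
    return None


def audit_hosts(text: str, watchlist: set[str]) -> list[Finding]:
    """Run all three checks over every name in every hosts entry."""
    findings = []
    for lineno, address, names in parse_hosts(text):
        for name in names:
            pinned = watchlist_match(name, watchlist)
            if pinned:
                findings.append(Finding(lineno, address, name,
                                        f"watchlisted domain {pinned} pinned in hosts file"))
            else:
                twin = lookalike_of(name, watchlist)
                if twin:
                    findings.append(Finding(lineno, address, name,
                                            f"lookalike of watchlisted domain {twin}"))
            if not is_local_address(address):
                findings.append(Finding(lineno, address, name, "maps to non-local address"))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS, WATCHLIST):
        print(f"line {f.lineno}: {f.name} -> {f.address}: {f.reason}")
```

On a real machine, feed it the contents of C:\Windows\System32\drivers\etc\hosts or /etc/hosts and compare the findings against a known-good baseline.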

Content-Injection Phishing describes the situation where hackers replace part of the content of a legitimate site with false content designed to mislead or misdirect the user into giving up their confidential information to the hacker. For example, hackers may insert malicious code to log users' credentials, or an overlay which secretly collects information and delivers it to the hacker's phishing server.

Man-in-the-Middle Phishing is harder to detect than many other forms of phishing. In these attacks hackers position themselves between the user and the legitimate website or system. They record the information being entered but continue to pass it on so that users' transactions are not affected. Later they can sell or use the information or credentials collected when the user is not active on the system.

Search Engine Phishing occurs when phishers create websites with attractive (often too attractive) sounding offers and have them indexed legitimately with search engines. Users find the sites in the normal course of searching for products or services and are fooled into giving up their information. For example, scammers have set up false banking sites offering lower credit costs or better interest rates than other banks. Victims who use these sites to save or make more from interest charges are encouraged to transfer existing accounts and deceived into giving up their details.

CEOs and Cyber Security: are they the road block?

Senior executives may be the weakest link in the corporate cyber security chain and are a primary target of hackers, fraud and phishing scams, says a report. It should also be known that they are the road block to approving budget for information security, and most often security takes a back seat to profit.

Reports from many sources and research by many firms identify senior executives as the road block to good security within their firms. Many CEOs think they are immune to hackers, at least according to a new report. According to the report, these findings are ironic given that CEOs are the ideal victim.

Senior Executives: Are You the Weakest Link?

According to the report, Are You the Weakest Link? How Senior Executives Can Avoid Breaking the Cybersecurity Chain, many senior executives ignore the threat from hackers and cyber criminals and often feel that security policies in their respective organisations do not apply to their unique position.

In reality, their often privileged access to company information makes their personal accounts extremely valuable to exploit and heightens the need for extra care.

Professional hackers and adversaries will usually do a thorough investigation into a senior executive or board level director, including full analysis which could entail in-depth monitoring of the company website and associated social media accounts (including employees and their extended networks).

It appears that many CEOs commonly view cyber security as a responsibility for the IT department only. In reality, IT security has now become a remit for all individuals.

“All employees — especially those at the top of the corporate ladder — need to realise that cybercriminals use social engineering, email phishing and malware to access personal accounts, and C-level staff especially need to avoid becoming the weakest link in the cybersecurity chain by adhering to regularly updated, company-wide security policies regarding data sharing and backup,”

“Reviewing corporate policies, with a focus on people, premises, processes, systems and suppliers will provide valuable insights into which areas to improve, and by championing a ‘security first’ corporate culture, organisations and their senior executives will be well positioned to avoid the high financial costs, reputation damage and unexpected downtime that could result from a cyberattack or data breach.”

Cyber Insurance - Is a must have - you will need it

It’s every healthcare organization’s nightmare to get the call that their data has been breached or hacked. As a result, many have turned to cyber insurance to protect assets and business operations.

As there is no universal cyber policy across carriers, there is an even worse scenario: an organization is breached, and the policy doesn't cover what the leaders thought it did. Now, not only is the healthcare provider strapped with the burden of the breach, it wasted money on a useless cyber insurance policy.

To get a better grasp on how to choose the right policy, Healthcare IT News asked attorney Matthew Fisher, partner with Mirick O’Connell, and Jane Harper, Henry Ford Health System’s director of privacy and security risk management, to outline the biggest policy mistakes -- and how to avoid them.

Mistake #1: Rushing the process

When buying a policy, a carrier will provide a questionnaire that will evaluate your organization’s security posture, program, tools and policies. The biggest mistake is to rush the pre-policy process to see the rates and what the carrier will cover, explained Fisher.

Organizations need to be conservative with how they answer the questions, as “it could be a ground for denial, if you don’t have the policies you said you have in place,” said Fisher. “You have to make sure you’re not unintentionally misleading the insurance company when it comes to coverage.”

Often these questionnaires attempt to create a black and white policy and “it can be tough to answer correctly,” explained Fisher.

“Your ability to be as transparent and truthful upfront is critical to the nonpayment discussion,” said Harper. “If you tell the insurance company that you have everything in place and are compliant, if you tell them that and then you have an issue, and you weren’t truthful, it ends up being a legal battle.”

“When you submit your checklist that they have you fill out, meet with the underwriter to make sure you understand what you’ve documented,” she added. “You also need the copy that was provided to the insurance company because it will come back into play when you submit the final documents.”

For example, if you say you have a specific control in place, and you actually don’t, Harper explained that can create a situation where “they thought they had an understanding of something, but they didn’t.”

“Be honest, transparent and accurate -- because they can deny your policy if you were inaccurate or misleading in your responses,” she said.

Mistake #2: Lax, incomplete risk assessment

It’s easier to prevent a misleading or false statement to an underwriter, when an organization has a strong assessment and inventory of the processes and tools on the system. But far too often, hospitals “don’t know everything about the control environment,” explained Harper.

“When you talk about protecting a system and preventing a cyber incident, you have to have a good understanding of the organization’s overall control environment,” Harper said. “It’s key, as the longer it takes you to identify that you’ve had an incident, it leads to more exposure and the longer it takes to recover.”

But it’s also important to remember to update this inventory or assessment when buying new tools, merging with other organizations, hiring new staff and the like, Harper explained.

“Think about all of the activities and operations that happen,” she said. “And every three years, you’re updating a cybersecurity checklist -- that may not be frequent enough.”

For example, Harper explained that an organization filling out the policy questionnaire may have all of the right elements in place. But if another tool was purchased and the controls weren’t updated or the control was removed and the underwriter was not notified, there could be a problem.

“If those controls played into how the underwriter rated you: that can be key,” said Harper. “Think about your own home: you get additional discounts when you have a burglar alarm. So if you get one, and let them know, you may get a lower rate…  But if you no longer have that control, you have to tell the carrier.”

“It’s the same kind of practice that we want to get into when we get into cyber insurance for our organization,” she added.

Mistake #3: Failing to involve the right people

Many organizations understand that security needs to exist outside of the IT team. In the same vein, it’s crucial when buying a cyber insurance policy that the same mentality is applied to make sure all of your bases are covered.

“Make sure you are talking to the right individuals,” Harper said. “The appropriate key stakeholders are not only involved with the evaluation process - how many patients, how much data, etc. -- but also the responses to the questions the policy is going to ask.”

“Risk folks typically talk about it as it relates to patients,” she continued. “Those folks are key, but in addition, you need your privacy and security risk professionals, security officers, IT leader, your key business leaders/owners and those driving the data. It’s key.”

Also crucial? Making sure the facilities team is involved, as there can sometimes be a cyber incident based on a physical issue. Harper explained that “often people tend to focus on things like electronic PHI, but there’s physical PHI. If there’s a break in at a warehouse and data is stolen, OCR considers that a breach.”

Mistake #4: Failing to understand coverage

Far too often organizations make large assumptions as to just what cyber insurance will cover. Fisher explained that these leaders are often shocked to learn that they did not receive the full spectrum of coverage they wanted.

“Relying on blind faith on those terms, or what the broker or agent is telling you is a major mistake,” said Fisher. “It’s always up to you to go into something with eyes fully wide open to make sure you know what you’re actually buying.”

Harper took it a step further and laid to rest a common misconception when it comes to coverage: “Insurance will not cover fines and penalties associated with noncompliance. If you’re not compliant, and you didn’t do risk assessments, cyber insurance won’t protect you from that, so don’t expect it.”

Cyber security IT skills in demand in the US

There’s no doubt that demand for the technologically skilled will only increase in the upcoming years, as practically every company becomes a software-driven enterprise. A survey by the jobs site Monster found that in the US, jobs in the digital sector have multiplied at more than twice the rate of other non-digital tech sectors, and are predicted to grow by 20% in the next decade.

However, which skills will be particularly in demand? While it’s unlikely that the IT skills demanded by the jobs market today will become redundant within our lifetimes, the field is constantly evolving, and there are certainly growth areas on the horizon that IT professionals would do well to educate themselves in.

Cyber security

Cyber security is an area set to grow exponentially in importance in the upcoming years. Every time a breach is suffered by an organisation, there is a huge cost both in terms of financial loss and loss of reputation and brand value.

A recent study carried out by jobs site Indeed indicated that the US is dangerously short on cyber security skills and that the number of cyber security jobs advertised in the US is the third highest globally, meaning demand exceeded candidate interest by more than three times.

Development

Demand for skills in development is here to stay (for the time being anyway – this could change as soon as AI is more widely used to code). In 2017, the demand for software developers and engineers increased by 13% in the UK.

Devops

Another important area of growth is the trend for companies to take a devops approach to their IT departments, meaning that developers well versed in this outlook will be the most employable.

Cloud computing

It’s widely recognised that cloud computing is the future, and every IT professional should feel comfortable using these systems. Demand for cloud infrastructure specialists is increasing across the board.

Machine Learning and AI

These are two obvious areas of increasing growth. In the US, demand for AI jobs increased threefold between 2015 and 2018, even surpassing the UK in terms of demand.

What is Botnet - Cybercriminals #1 Weapon

The word Botnet is formed from the words ‘robot’ and ‘network’. Cybercriminals use special Trojan viruses to breach the security of several users’ computers, take control of each computer and organise all of the infected machines into a network of ‘bots’ that the criminal can remotely manage.

Botnet Prevention- What is Botnet   

How Botnets can impact you

Often, the cybercriminal will seek to infect and control thousands, tens of thousands or even millions of computers – so that the cybercriminal can act as the master of a large ‘zombie network’ – or ‘bot-network’ – that is capable of delivering a Distributed Denial of Service (DDoS) attack, a large-scale spam campaign or other types of cyberattack.

In some cases, cybercriminals will establish a large network of zombie machines and then sell access to the zombie network to other criminals – either on a rental basis or as an outright sale. Spammers may rent or buy a network in order to operate a large-scale spam campaign.

How to prevent your computer becoming part of a Botnet

Installing effective anti-malware software will help to protect your computer against Trojans and other threats.

YAHOO To Pay $35 Million, Massive CyberSecurity Breach

Altaba, the company formerly known as Yahoo, agreed to pay the Securities and Exchange Commission a $35 million fine for failing to disclose to investors a massive data breach for two years, the regulator announced Tuesday.

Altaba agreed to pay the fine without admitting nor denying any wrongdoing.

According to the SEC, Yahoo learned of an intrusion by Russian hackers in 2016 just days after it occurred. The incident resulted in the theft of sensitive information and credentials of 500 million users. And while news of the breach circulated within the company, Yahoo didn’t properly investigate the breach or consider whether to inform its investors, the SEC said. News of the incident only became public when Yahoo was in the midst of being acquired by Verizon.

“Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach,” said Jina Choi, director of the SEC’s San Francisco regional office, in a statement. “Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”

The SEC notes that Yahoo could have disclosed its breach in several quarterly filings during the two years between the breach and its public revelation. But the company said that it faced “only the risk of, and negative effects that might flow from, data breaches,” the SEC said.

The regulator said that Yahoo did not have proper procedures in place to make sure that information from its information security team was vetted for potential disclosure.

Sen. Mark Warner, D-Va., the ranking member on the Senate Banking Subcommittee on Securities, Insurance, and Investment, tweeted in vindication, saying that breaches like Yahoo’s can’t be swept “under the rug.”

In February, the SEC issued guidance telling companies to be transparent with investors when it comes to cybersecurity incidents and risks.

Sentencing proceedings for one of the hackers implicated in the 2014 incident began Tuesday in federal court. Canadian citizen Karim Baratov pleaded guilty in November to assisting in the attack.

Yahoo the web service continues to operate by the same name under Oath, Verizon’s digital media division. Yahoo the corporation became Altaba, a holding company, after the Verizon sale in 2017.

Small Business Benefits from Cybersecurity Consulting Services

Cybersecurity news stories are becoming more and more prevalent, especially over the last few years. Whether the stories are about stolen emails or huge data breaches, it has been virtually impossible to ignore them.

While the major stories about compromised corporations and hacked email accounts make the news, cybersecurity is something that concerns everyone who uses a computer. Even small business owners can become victims of cybercrime. In fact, small business owners, in particular, need to be concerned with cybersecurity so they can protect their intellectual property. No matter whether the intellectual property is research or recipes, it is one of the greatest assets a small business has. Intellectual property is a prime target for hackers, whether they are stealing information for a competitor or running a ransomware scheme where a hacker demands something in return for the stolen information.

The trouble is that protecting that intellectual property and keeping other sensitive information, such as client and customer data, isn’t cheap. Many small business owners may not have the available capital to afford a cybersecurity system. Although this puts an owner in a tough spot, you can’t put a price on peace of mind, and neither can a small business owner afford the losses associated with becoming the victim of a cybercrime.

As with most things for small-business owners, cybersecurity comes down to a cost analysis. A cybersecurity system can be a big expense. On the other hand, a small business owner has to consider the cost of not having their systems protected from hackers. It’s hard enough for a large corporation to recover from a cyber attack, even with all the resources and infrastructure they have. According to the U.S. National Cyber Security Alliance, 60 percent of small businesses fold within six months of a cyber attack.

Ultimately, each business owner has to decide if and when a formal data security protection plan is necessary. A consultation with an expert may help you better weigh the pros and cons of taking on this type of business expense. Start with this list of Cybersecurity Consulting Providers as a jumping off point for your research. After comparing the benefits of these companies’ plans, set up a few consultations to see if and how these providers can best help protect your business, and what it costs to do so. You may find that it’s worth the investment.

 

Botnets Gamarue Cyber Criminals - Cybersecurity Report

The past year has shown us the significant impact of the Gamarue botnet on computers worldwide; cyber criminals leveraging less sophisticated methods to infect machines and in some cases, extort ransoms from victims; and ransomware being used in a wide range of cybercrime activity, including email phishing campaigns and destructive attacks like WannaCrypt. Organizations that adopt security hygiene methods, security solutions, and best practices, have cyber resilience and incident response plans and employ the right mix of people and processes for dealing with the various threat scenarios and attacks described could at least minimize damage and impact from them.

CyberSecOP is a trusted security advisor and partner to large global organizations. To learn more about our security offerings, visit www.cybersecop.com and check out the Security News Section for our perspectives on additional trending threats and topics.

 

Breaking Botnets

Cyber criminals are continuing to relentlessly infect computers and engage in botnet activity with the intention to have a large infrastructure that they can then mine for sensitive data and possibly monetize, as is the case with ransomware threats. Defending against botnet activity is not a simple task and, as in years past, takes a massive effort by both private and public organizations working together.

A bot is a program that allows an attacker to take control of an infected computer. A botnet is a network of infected computers that communicate with command-and-control servers. Cybercriminals use botnets to conduct a variety of online attacks, such as send spam, conduct denial-of-service attacks on websites, spread malware, facilitate click fraud in online advertising, and much more.

There have been several botnet disruptions coordinated by the Microsoft Digital Crimes Unit (DCU) going back to the November 2008 Conficker botnet disruption. On November 29, 2017, the Microsoft Digital Crimes Unit (DCU) coordinated the disruption of the Gamarue botnet (also known as Andromeda).

 

- 1,214 domains and IP addresses of the botnet’s command and control servers

- 80+ associated malware families

Impact of the disruption operation

Worldwide coordination of research and investigation efforts is key to disrupting a malware operation with the magnitude of Gamarue. As a result of such complexities, public/private partnerships between global law enforcement agencies and private industry partners are essential to a successful outcome.

A significant aspect of the Gamarue disruption was the kill chain effect that the operation had on the distribution of 80 additional malware families. By disrupting a major malware family like Gamarue, we are able to stop potential harm being caused to millions of users worldwide and begin the restoration of victims’ devices.

Since the botnet disruption operation in November 2017, the sinkhole Microsoft created has experienced a 30% decrease in Gamarue victims worldwide, as shown in Figure 6.

Microsoft continues to collaborate with public and private industry partners to identify affected devices through the Microsoft Digital Crimes Unit Cyber Threat Intelligence Program to accelerate the remediation process.

 

To detect and protect computers from Gamarue and other malware, use security solutions that apply advanced machine learning models as well as generic and heuristic techniques. CyberSecOP is continuing the collaborative effort to help clean Gamarue-infected computers by providing a one-time package with samples (through the Virus Information Alliance) to help organizations protect their employees and customers.

As the cost of circumventing security measures increases, hackers are taking advantage of “low-hanging fruit”, such as infrastructure and apps used by organizations and consumers, with the intention of infecting computers and gaining access to sensitive data such as credentials. In this section, we share three of the low hanging fruit routes employed by cyber attackers: social engineering, poorly secured cloud apps, and legitimate software platform features.

Congress cyber security accountability and transparency

Less than two months after Intel and other technology companies disclosed the Spectre and Meltdown speculative execution vulnerabilities, the Securities and Exchange Commission (SEC) published updated guidelines instructing public companies on how and when to disclose cybersecurity vulnerabilities and incidents that could potentially cause risk to the public. These significant security lapses have once again brought data security to the attention of the U.S. government, businesses and consumers around the world, but far too little has been done to hold companies accountable for when and how security concerns are disclosed to the shareholders and the public.

More concerning, there has been a troubling pattern recently of company executives apparently dumping shares before publicly disclosing a known cybersecurity incident. For example, the Equifax breach, which exposed the personal data of almost 145.5 million Americans, made news when three company executives were alleged to have sold shares worth a collective $2 million just days after the breach was discovered, but over a month before it was disclosed.

Within one week of the breach, the company lost nearly $4 billion in market value. That scandal reportedly has resulted in a Department of Justice investigation. Similarly, it has been reported that Intel CEO Brian Krzanich sold millions of dollars’ worth of company stock after his company became aware of the Spectre and Meltdown security vulnerabilities, but before they were publicly disclosed.
 

We take our roles in the fight against cybercrime seriously. We understand that investigating a data breach or other cyber security incidents properly and thoroughly can take weeks or even months. We further understand that it’s imprudent to release information about a suspected data breach without first conducting a proper investigation. But it is reckless and inappropriate for executives to delay revealing and remedying cyber security incidents, withholding them from shareholders and the public while they continue to trade securities — even if those trades are made on an automated plan.

Enterprises’ insufficient and dilatory responses following high-profile cyber incidents not only jeopardize corporations, but also increase public distrust and anxiety regarding the security of their personal data.

In the new guidelines issued on Feb. 21, the SEC warned that security breaches and vulnerabilities could constitute “material” information, noting that it’s illegal under U.S. securities laws for insiders to trade stocks based on such information before it becomes public. Such sales may also violate companies’ ethics and insider-trading policies.

The SEC’s action, even if it is primarily responding to the concerns of shareholders, is a positive early step towards creating accountability and transparency in the wake of the headline breaches that have become so familiar. Cyber risk affects virtually every kind of enterprise. It is not a matter of if, but when. Companies should start with the presumption that they will be attacked and have a comprehensive incident response plan in place. An incident response plan should include a consumer notification process, especially when sensitive data such as Social Security numbers and financial information is compromised. Regulation or industry standards should be put in place to protect consumers and relevant stakeholders from material damage and to ensure transparency from company officers.

Proposed laws such as the Data Security and Breach Notification Act, which would create the first federal standard for penalizing companies that do not disclose a breach, are another step in the right direction. The Data Security and Breach Notification Act would require companies to notify consumers that they have had a security breach within 30 days, institute a maximum five-year prison sentence for intentionally hiding such a breach, and create financial incentives for companies or organizations utilizing technologies that make consumer information unreadable in the event of a breach. Regulation such as this would be a strong deterrent to companies acting intentionally in bad faith against consumers and shareholders.

There’s more to be done by the SEC and Congress with respect to cyber guidelines on disclosure and insider trading rules, but this move represents necessary progress on a critical issue. The guidelines issued last week are neither perfect nor a comprehensive solution, but the SEC’s latest effort represents a needed push to ensure corporate transparency and a well-regulated response to cyber incidents.

Michael Chertoff was secretary of the Department of Homeland Security from 2005 to 2009. He is executive chairman of The Chertoff Group, a security and risk-management advisory firm, and author of the forthcoming book, “Exploding Data: Reclaiming Our Cyber Security in the Digital Age.”

Bill Conner is the president and CEO of SonicWall, an internet security firm in San Jose, California, and chairman of the board of Comodo CA, an internet security firm in Clifton, New Jersey. He has more than 30 years of experience in high-tech industries, is a corporate turnaround expert, and is a global leader in security, data and infrastructure.

Social Security numbers of California state workers exposed in data breach

Social Security numbers for thousands of state employees and contractors were exposed in a recent data breach at the Department of Fish and Wildlife, according to a memo that the department sent to its workers this week.

The department discovered the data breach on Dec. 22, but did not disclose the breach to employees until this week. The California Highway Patrol has been investigating the incident for the past two months.

According to the memo, a former state employee downloaded the data to a personal device and took the records outside of the state’s network. The memo does not say when or why the former employee downloaded the information to an unsecured network.

The data included names and Social Security numbers of people who worked at the department and the state’s wildlife conservation board in 2007. The data also included personal information for vendors who worked with the department and with the conservation board between 2007 and 2010.


About 2,300 people worked for the department in 2007, according to the state budget from that year. The memo encouraged employees to obtain more information about monitoring identity theft from the Attorney General’s Office, or to contact one of the three credit bureaus: Equifax, Experian and TransUnion.

The department has not yet seen evidence that cyber criminals are trying to profit from the data, department spokeswoman Jordan Traverso said. She said the department discovered the improper download when supervisors discussed other work-related issues with the employee. The memo said the former employee did not appear to have had malicious intent in downloading the data to a personal device.

The department did not say when the former employee downloaded the data.

A 2015 report by the state auditor encouraged California government agencies to tighten up their cyber security precautions. Last year, one department drove home the message with a fake phishing message that played on its employees’ anticipation for bonuses they received in a new contract.

CEOs and Tech Execs (CISOs, CIOs, and CTOs) Divided on Security

Survey shows 60% of CEOs plan to invest the most resources in malware prevention, but CISOs, CIOs, and CTOs are on a different page.

More than 60% of CEOs believe malware is the biggest threat to their organization, but just one-third of CISOs, CIOs, and CTOs agree.

It's just one data point in a new study by identity management company Centrify that shows a major disconnect on this and many other security issues between CEOs and their technical officers (TOs), which include CIOs, CTOs and CISOs.

CEOs and TOs also diverged on whether they knew if their organization had experienced a breach. Only 55% of CEOs say their organization experienced a breach, while 79% of TOs say so. On the technology front, 62% of CEOs say two-factor authentication technologies are difficult to manage, while only 41% of TOs concur with that statement.

"Part of the problem is that the technical people tend to try to keep the breach quiet," says Tom Kemp, CEO at Centrify. "I think overall, the TOs need to do a better job managing up, because with SEC regulations and various state breach notification regulations, organizations really do have to report if they have been breached today."

Kemp points out that 42% of TOs point to identity breaches as one of the primary threats to their organizations. And 68% of executives whose companies experienced significant breaches indicate it would most likely have been prevented by either privileged user identity and access management or user identity assurance. Only 8% of all executives whose companies experienced a significant breach say that anti-malware technology would have prevented the more significant breaches with serious consequences.

Frank Dickson, an IDC analyst who focuses on identity and access management, points out that the 2017 Verizon Data Breach Investigations Report found that 81% of hacking-related breaches leveraged stolen and/or weak passwords.

"Our goal is not to eliminate malware, our goal is to eliminate breaches," Dickson says. "By strengthening authentication, it lets us build security into the network," and potentially eliminate the vast majority of breaches.

Lawrence Orans, a research vice president at Gartner who focuses on network security, says he doesn't think it's helpful to set security up as a choice between identity management versus malware detection.

"For example, malware could be used to steal credentials and execute an even broader attack," he says. "And it actually makes sense that there would be a disconnect between the CEO's understanding of new security technologies versus the TO's: that's what the CEO has the technical people for in the first place."

Centrify's Kemp maintains that TOs need to educate their CEOs on identity management issues, citing the three main tenets of so-called zero trust security:

  • Verify users. Companies can do this with single sign-on software that's layered in with two-factor authentication.
  • Validate devices. Have a procedure for determining if the devices are enrolled with the IT department with the right OS versions, patch levels, and antivirus software. IT must also check past usage, including a user's geography. (A user can't be in New York one minute, then San Jose five minutes later).
  • Limit access and privileges. Companies should move to a least-privilege model in which users only gain access to a system if they need it for their jobs, and only for a defined time period.
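The "validate devices" tenet above includes a concrete detection rule: a login from New York followed minutes later by one from San Jose cannot be the same person travelling. The following is an added example of that impossible-travel check, written for this page and not code from Centrify, Dark Reading or any product; the login events, city coordinates and the 1,000 km/h speed ceiling are constructed assumptions, and the 50 km tolerance exists so that ordinary geolocation jitter inside one metro area is not flagged.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0   # assumption: faster than any commercial flight
TOLERANCE_KM = 50.0      # assumption: ignore moves inside one metro area


@dataclass
class Login:
    """One successful authentication event (timestamps assumed to be UTC)."""
    user: str
    ts: datetime
    lat: float
    lon: float
    city: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH,
                           tolerance_km=TOLERANCE_KM):
    """Return one finding per consecutive login pair that implies a
    physically impossible speed for the same user."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    findings = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e.ts)          # events may arrive out of order
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km <= tolerance_km:
                continue                          # same place, nothing to flag
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # Equal timestamps with a real distance are impossible too;
            # guard the division instead of letting it raise.
            if hours <= 0 or km / hours > max_speed_kmh:
                findings.append({
                    "user": user,
                    "from": prev.city,
                    "to": cur.city,
                    "minutes": round(hours * 60, 1),
                    "distance_km": round(km, 1),
                })
    return findings


def demo_events():
    """Constructed sample logins: one impossible pair, one plausible pair."""
    return [
        Login("alice", datetime(2018, 2, 20, 9, 0), 40.7128, -74.0060, "New York"),
        Login("alice", datetime(2018, 2, 20, 9, 5), 37.3382, -121.8863, "San Jose"),
        Login("bob", datetime(2018, 2, 20, 10, 0), 51.5074, -0.1278, "London"),
        Login("bob", datetime(2018, 2, 20, 12, 0), 48.8566, 2.3522, "Paris"),
    ]


if __name__ == "__main__":
    for f in find_impossible_travel(demo_events()):
        print(f"{f['user']}: {f['from']} -> {f['to']} in {f['minutes']} min "
              f"({f['distance_km']} km)")
```

In a real deployment the events would come from the identity provider's sign-in log and the findings would feed a conditional-access decision (step-up authentication or session revocation) rather than a print statement; the rule is deliberately simple so that the threshold and tolerance can be tuned against the organization's own false-positive rate.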

The study was based on a survey of 800 senior executives conducted in November 2017 by Dow Jones Customer Intelligence, a unit of the Wall Street Journal/Dow Jones Advertising Department. More than 75% of the executives surveyed are CEOs or technical officers such as CIOs, CTOs and CISOs; the rest are their direct reports.

Source: darkreading.com

GDPR Rush, may lead to more security risk

Companies around the globe are scrambling to comply with new European privacy regulations that take effect a little more than three months from now. But many security experts are worried that the changes being ushered in by the rush to adhere to the law may make it more difficult to track down cybercriminals and less likely that organizations will be willing to share data about new online threats.

On May 25, 2018, the General Data Protection Regulation (GDPR) takes effect. The law, enacted by the European Parliament, requires technology companies to get affirmative consent for any information they collect on people within the European Union. Organizations that violate the GDPR could face fines of up to four percent of global annual revenues.

 

In response, the Internet Corporation for Assigned Names and Numbers (ICANN) — the nonprofit entity that manages the global domain name system — is poised to propose changes to the rules governing how much personal information Web site name registrars can collect and who should have access to the data.

Specifically, ICANN has been seeking feedback on a range of proposals to redact information provided in WHOIS, the system for querying databases that store the registered users of domain names and blocks of Internet address ranges (IP addresses).

Under current ICANN rules, domain name registrars should collect and display a variety of data points when someone performs a WHOIS lookup on a given domain, such as the registrant’s name, address, email address and phone number. (Most registrars offer a privacy protection service that shields this information from public WHOIS lookups; some registrars charge a nominal fee for this service, while others offer it for free).

In a bid to help domain registrars comply with the GDPR regulations, ICANN has floated several proposals, all of which would redact some of the registrant data from WHOIS records. Its mildest proposal would remove the registrant’s name, email, and phone number, while allowing self-certified third parties to request access to said data at the approval of a higher authority — such as the registrar used to register the domain name.

The most restrictive proposal would remove all registrant data from public WHOIS records, and would require legal due process (such as a subpoena or court order) to reveal any information supplied by the domain registrant.

 

ICANN’s various proposed models for redacting information in WHOIS domain name records.

The full text of ICANN’s latest proposed models (from which the screenshot above was taken) can be found here (PDF). A diverse ICANN working group made up of privacy activists, technologists, lawyers, trademark holders and security experts has been arguing about these details since 2016. For the curious and/or intrepid, the entire archive of those debates up to the current day is available at this link.

WHAT IS THE WHOIS DEBATE?

To drastically simplify the discussions into two sides, those in the privacy camp say WHOIS records are being routinely plundered and abused by all manner of ne’er-do-wells, including spammers, scammers, phishers and stalkers. In short, their view seems to be that the availability of registrant data in the WHOIS records causes more problems than it is designed to solve.

Meanwhile, security experts are arguing that the data in WHOIS records has been indispensable in tracking down and bringing to justice those who seek to perpetrate said scams, spams, phishes and….er….stalks.

Many privacy advocates seem to take a dim view of any ICANN system by which third parties (and not just law enforcement officials) might be vetted or accredited to look at a domain registrant’s name, address, phone number, email address, etc. This sentiment is captured in public comments made by the Electronic Frontier Foundation’s Jeremy Malcolm, who argued that — even if such information were only limited to anti-abuse professionals — this also wouldn’t work.

“There would be nothing to stop malicious actors from identifying as anti-abuse professionals – neither would want to have a system to ‘vet’ anti-abuse professionals, because that would be even more problematic,” Malcolm wrote in October 2017. “There is no added value in collecting personal information – after all, criminals are not going to provide correct information anyway, and if a domain has been compromised then the personal information of the original registrant isn’t going to help much, and its availability in the wild could cause significant harm to the registrant.”

Anti-abuse and security experts counter that there are endless examples of people involved in spam, phishing, malware attacks and other forms of cybercrime who include details in WHOIS records that are extremely useful for tracking down the perpetrators, disrupting their operations, or building reputation-based systems (such as anti-spam and anti-malware services) that seek to filter or block such activity.

Moreover, they point out that the overwhelming majority of phishing is performed with the help of compromised domains, and that the primary method for cleaning up those compromises is using WHOIS data to contact the victim and/or their hosting provider.

Many commentators observed that, in the end, ICANN is likely to proceed in a way that covers its own backside, and that of its primary constituency — domain registrars. Registrars pay a fee to ICANN for each domain a customer registers, although revenue from those fees has been falling of late, forcing ICANN to make significant budget cuts.

Some critics of the WHOIS privacy effort have voiced the opinion that the registrars generally view public WHOIS data as a nuisance issue for their domain registrant customers and an unwelcome cost-center (from being short-staffed to field a constant stream of abuse complaints from security experts, researchers and others in the anti-abuse community).

“Much of the registrar market is a race to the bottom, and the ability of ICANN to police the contractual relationships in that market effectively has not been well-demonstrated over time,” commenter Andrew Sullivan observed.

In any case, sources close to the debate tell KrebsOnSecurity that ICANN is poised to recommend a WHOIS model loosely based on Model 1 in the chart above.

Specifically, the system that ICANN is planning to recommend, according to sources, would ask registrars and registries to display just the domain name, city, state/province and country of the registrant in each record; the public email addresses would be replaced by a form or message relay link that allows users to contact the registrant. The source also said ICANN plans to leave it up to the registries/registrars to apply these changes globally or only to natural persons living in the European Economic Area (EEA).

In addition, sources say non-public WHOIS data would be accessible via a credentialing system to identify law enforcement agencies and intellectual property rights holders. However, it’s unlikely that such a system would be built and approved before the May 25, 2018 effectiveness date for the GDPR, so the rumor is that ICANN intends to propose a self-certification model in the meantime.

ICANN spokesman Brad White declined to confirm or deny any of the above, referring me instead to a blog post published Tuesday evening by ICANN CEO Göran Marby. That post does not, however, clarify which way ICANN may be leaning on the matter.

“Our conversations and work are on-going and not yet final,” White wrote in a statement shared with KrebsOnSecurity. “We are converging on a final interim model as we continue to engage, review and assess the input we receive from our stakeholders and Data Protection Authorities (DPAs).”

But with the GDPR compliance deadline looming, some registrars are moving forward with their own plans on WHOIS privacy. GoDaddy, one of the world’s largest domain registrars, recently began redacting most registrant data from WHOIS records for domains that are queried via third-party tools. And it seems likely that other registrars will follow GoDaddy’s lead.

ANALYSIS

For my part, I can say without hesitation that few resources are as critical to what I do here at KrebsOnSecurity than the data available in the public WHOIS records. WHOIS records are incredibly useful signposts for tracking cybercrime, and they frequently allow KrebsOnSecurity to break important stories about the connections between and identities behind various cybercriminal operations and the individuals/networks actively supporting or enabling those activities. I also very often rely on WHOIS records to locate contact information for potential sources or cybercrime victims who may not yet be aware of their victimization.

In a great many cases, I have found that clues about the identities of those who perpetrate cybercrime can be found by following a trail of information in WHOIS records that predates their cybercriminal careers. Also, even in cases where online abusers provide intentionally misleading or false information in WHOIS records, that information is still extremely useful in mapping the extent of their malware, phishing and scamming operations.

Anyone looking for copious examples of both need only to search this Web site for the term “WHOIS,” which yields dozens of stories and investigations that simply would not have been possible without the data currently available in the global WHOIS records.

Many privacy activists involved in the WHOIS debate have argued that other data related to domain and Internet address registrations — such as name servers, Internet (IP) addresses and registration dates — should also be considered private information. My chief concern if this belief becomes more widely held is that security companies might stop sharing such information for fear of violating the GDPR, thus hampering the important work of anti-abuse and security professionals.

This is hardly a theoretical concern. Last month I heard from a security firm based in the European Union regarding a new Internet of Things (IoT) botnet they’d discovered that was unusually complex and advanced. Their outreach piqued my curiosity because I had already been working with a researcher here in the United States who was investigating a similar-sounding IoT botnet, and I wanted to know if my source and the security company were looking at the same thing.

But when I asked the security firm to share a list of Internet addresses related to their discovery, they told me they could not do so because IP addresses could be considered private data — even after I assured them I did not intend to publish the data.

“According to many forums, IPs should be considered personal data as it enters the scope of ‘online identifiers’,” the researcher wrote in an email to KrebsOnSecurity, declining to answer questions about whether their concern was related to provisions in the GDPR specifically. “Either way, it’s IP addresses belonging to people with vulnerable/infected devices and sharing them may be perceived as bad practice on our end. We consider the list of IPs with infected victims to be private information at this point.”

Certainly as the Internet matures and big companies develop ever more intrusive ways to hoover up data on consumers, we also need to rein in the most egregious practices while giving Internet users more robust tools to protect and preserve their privacy. In the context of Internet security and the privacy principles envisioned in the GDPR, however, I’m worried that cybercriminals may end up being the biggest beneficiaries of this new law.

Source: krebsonsecurity.com

GDPR a risk to your organization

Security concerns are twice as likely to drive cloud strategy as the business’ core objectives, according to Calligo, a world-leading cloud solution provider. Even regulatory compliance and data privacy – the strategic themes of doing business in 2018 – receive a similarly low ranking.

Whereas security is the chief driver behind cloud strategy for 34% of 200 UK IT decision-maker respondents, the business’ core objectives, compliance and data privacy are each only the top consideration for 17%. This is despite the imminent implementation date of the European General Data Protection Regulation (GDPR) – May 25th 2018.

“Driven by media-fueled fears of severe fines and reputational damage, IT leaders have over-compensated in their cloud strategies and become almost myopically focused on security,” said Julian Box, CEO, Calligo. “This is to the enormous detriment of more strategic aims such as supporting the business’ objectives, and vital compliance with the GDPR’s data privacy requirements.”

“The great irony is that while these organisations fear and mitigate the consequences of a security breach, the consequences of regulatory non-compliance are identical – and yet they are not being defended against,” Box continued. “This probably stems from a mistaken belief within the IT industry that their role in GDPR adherence is centered on data security, leading organisations into compliance complacency and all kinds of non-compliant behavior. They are effectively erecting walls around data they are not entitled to hold.”

Calligo also found that security considerations are similarly influential in cloud provider selection. Regardless of the platform chosen, security was either the first or second most important consideration. For example, more than half (52%) of those who had chosen IBM Softlayer said they had done so primarily because of security, while 48% said the same for both Microsoft Azure and Google Cloud.

However, respondents also admitted their over-compensation for security has been detrimental to the business. More than four in ten (44%) said cost efficiencies were knowingly sacrificed in their cloud strategy, while 43% consciously compromised their ability to comply with regulatory requirements. Another 41% of cloud platform selections undermined data privacy.

Even worse, having committed their organisations to poorly-conceived cloud strategies, respondents said they feel trapped and unable to fix the problem. Some 39% said cost is a barrier to migrating to a new provider, while the fear of downtime is a major factor for 34%.

“The takeaway from these cloud strategy findings is not that security’s importance needs to be reduced – rather that the importance of data privacy and business objectives needs to be elevated,” added Box. “Organisations in this predicament need to seek out cloud service providers with the necessary experience to put their cloud strategy back on track. In particular, they need to ensure their cloud deployment meets the strategic necessities of doing business in 2018 – regulatory compliance and data privacy.”

Bitcoin Crashing, what is going on? Cybercriminals ditched Bitcoin

Cybercriminals are increasingly moving away from bitcoin as their preferred digital currency in favor of lesser-known cryptocurrencies because of prolonged transaction delays, surging transaction costs and general market volatility, experts tell CyberScoop.

Although cybercriminals have been slowly moving away from bitcoin for months, researchers say a noticeable shift towards alternative coins — such as Monero, Dash and ZCash — occurred when bitcoin’s value skyrocketed over $19,000 for one bitcoin in mid-December. The price has drastically fluctuated between $12,000 and roughly $19,000 since then.

“Many cybercriminals emulate the operational best practices of legitimate businesses in order to minimize their overhead costs and maximize returns, and in the case of high transaction costs with bitcoin, it makes perfect sense to look at other coins with smaller overheads,” said Richard Henderson, a global security strategist with endpoint cybersecurity firm Absolute.

Experts say this shift does not necessarily mean that hackers have abandoned bitcoin altogether, but instead current conditions in the criminal underground may be forcing them to change their behavior.

“We’ve seen [dark web] sites pop up in recent months that market themselves on only accepting alternative cryptocurrencies — “Monero Only” in the case of currently-down Libertas Market,” said Emily Wilson, director of analysis at Maryland-based dark web intelligence firm Terbium Labs. “Markets being able to operate and advertise based on alternative cryptocurrencies speaks to a slow but visible change in the system … Slow is key here, though. Market admins aren’t adjusting or reacting at the same pace as avid traders.”

The first sign of dissatisfaction from cybercrime syndicates with bitcoin’s performance began around mid-2017, according to Andrei Barysevich, director of advanced collection with Recorded Future.

“Ease of exchange into cash around the world, anonymity and almost instantaneous speed of transactions of even the smallest amounts led to bitcoin’s acceptance as a de-facto currency for the entire criminal underworld,” said Barysevich, but things have changed, challenging these same strengths.

The current situation, Barysevich explained, is different from just six months ago, when far fewer people were paying attention to bitcoin, pushing transactions through the blockchain and therefore filling up the market with demand.

The emergence of newer, privacy-focused technologies associated with Monero, Dash and ZCash, which make the funds extremely difficult to track, has further attracted use by some cybercriminals. One digital payment option, known as Ether, for example, gained popularity recently for its obfuscation capabilities, experts said.

“We are starting to see Ether as a preferred payment option of some members primarily because of blockchain.info service support, which allows entirely anonymous registration, as well as the mixing infrastructure that helps criminals to further obfuscate transactions,” Barysevich told CyberScoop. “This said, we see Dash, ZCash and to some extent Monero as bitcoin’s likely successor [for cybercriminals], because several high-profile vendors of compromised credit cards have already migrated or will do so in the next few weeks.”

Recorded Future and Terbium Labs are far from the only firms to notice Monero’s rise.

“[We’ve noticed that] Monero is becoming increasingly prevalent,” Vitali Kremez, director of research with Flashpoint, told CyberScoop.

The rapid adoption of Monero by hackers is perhaps most evident through its implementation in various online, illegal marketplaces, said Kremez.

“Flashpoint has been closely tracking the shift in leveraging Monero as one of the leading currencies for trading on various deep and dark web communities due to its advanced payment origin obfuscation algorithms,” Kremez said.

In July, international law enforcement partners including the FBI shut down AlphaBay, the largest dark web marketplace. AlphaBay allowed people to sell drugs, weapons, malware and other illegal material in exchange for cryptocurrency.

As part of the AlphaBay take down, police collaborated with various bitcoin exchange platforms to identify payments relating to illegal activity. While bitcoin was fundamentally designed to be anonymous, certain exchange platforms store data about users and their transactions.

Some say that working relationship may provide another reason for criminals to shy away from using bitcoin.

“The lack of cybercriminal trust in bitcoin exchanges also leads to cybercriminals utilizing bitcoin less as a preferred currency,” said Kremez. “In 2017, the collaboration between bitcoin exchanges and law enforcement contributed largely to the major law enforcement wins – from the AlphaBay takedown arrests and the Dream administrator arrest.”