Child sex abuse live streams loophole to be closed

In the past, those who view live-streamed child sexual abuse have sometimes been given lighter sentences if the authorities could not prove a recording was made. New plans, laid out in the Queen’s speech, will close the loophole in the Sexual Offences Act 2003 and will introduce sanctions for professionals who turn a blind eye to child sexual abuse.
Christian Berg, CEO at NetClean, an expert in the tracking, alerting and analysis of child sexual abuse, commented:
“Live-streamed child sexual abuse is a horrifying example of how abusers are hijacking the services and technologies we all use. These individuals are early adopters and are turning child sexual abuse into a sophisticated online enterprise.
Live-streamed abuse often occurs in countries with poor social services provision; however, the crime of watching and consuming this abuse happens worldwide. Closing this loophole is a great step forward from a legal perspective, but the work to track and analyse this method of abuse is still in its infancy.
Live-streamed abuse is a crime that is extremely hard to detect and investigate. It is rapid, instantaneous and crimes are taking place simultaneously around the world. Already our law enforcement services are playing technological catch-up to a rapidly evolving crime type. They need greater resources, better information sharing, consistent enforcement and greater support from the technology industry.
As a society we need to evolve our attitude to online child sexual abuse and accept that each of these images and videos is a crime-scene. Even our terminology, ‘child pornography’, legitimises this hugely damaging victimisation and serious crime as a sexual predilection. The sanctions for those who turn a blind eye are a hugely positive step in encouraging our mutual responsibility. But in reality we can’t just look to social services, teachers and doctors to identify and stop abuse. It starts in every community.”



ICO Figures Show Retail Sector Consistently Fails to Protect Customer Data

Auriga Consulting Ltd (Auriga), the data security consultancy, today revealed that more than 500 complaints and concerns were raised over potential data breaches in the retail sector over the course of the past year. Of these, 312 cases were classified as generic breaches, of which 156 were classed as breaches of the Data Protection Act (DPA) (April 2014 – March 2015). According to a Freedom of Information Act (FOIA) request submitted to the Information Commissioner’s Office (ICO) in April, the top three causes of generic breaches were DPA compliance and a request for assessment from the ICO (136 cases), subject access (72 cases) and disclosure of data (33 cases).
The FOIA results indicate the retail sector is experiencing a consistent rate of data breach incidents which breach the DPA. The number of breaches occurring on a monthly basis, averaging 13, suggests the sector could be doing more to protect sensitive data. Ecommerce and mcommerce are both stretching retailers thin, and poor data hygiene (the way data is created, stored, processed, shared and destroyed) is exacerbating the situation. In addition to improving data care, retailers also need to take a more proactive stance in helping customers adopt good security practices.


The retail sector currently ranks as 15th in the Data Breach Trends analysis published by the ICO (as of 28 April 2015). However, this ranking is based solely upon the number of enforcement cases and does not reflect the number of incidents reported and investigated. To date, the ICO has sought to offer assistance to offenders, although it does hold the power to issue fines of up to £500,000. The retail sector has so far escaped any monetary fines, although the ICO did issue a warning to a shoe retailer for the breach of over a million customer records last May.
James Henry, Consulting Practice Manager, Auriga, believes the reason breaches continue to occur, with some of the biggest names in retail numbering among the offenders, is because there is still a disconnect between good security practice and the board: “The consistent number of DPA breaches indicate the message still isn’t getting through despite numerous high profile incidents over the past year. Retailers are not doing enough to protect the data entrusted to them by their customers. Data protection is an organisation wide legal obligation. Any compromise is likely to see an erosion of customer confidence and cause damage to the reputation of the company. So it’s vital the board gets involved and deals with the protection of sensitive data as a matter of urgency.”

Auriga suggests retailers look holistically at data protection across the enterprise and consider the following action plan:

·      Understand the data landscape – conduct an information audit to document and understand the types of information that are created, processed and stored. Each information asset should be reviewed to verify whether it is personal data. Outline the organisation’s role in the creation and processing of personal data: are you the Data Controller or a Data Processor?

·      Conduct a PIA – the Data Controller responsible for personal data should conduct a Privacy Impact Assessment (PIA) screening exercise. This will help determine if a PIA is necessary for the data identified. A PIA will provide the organisation with some assurance that it is conforming to the eight DPA principles. A PIA also provides a risk-based approach to identifying and capturing potential privacy issues.

·      Test the system – a PIA is often based on paper, observation, stakeholder interviews and workshop tasks. It does not provide technical assurance that data privacy controls are actually in operation as designed and are working properly. Frequent, well-scoped internal IT vulnerability assessments and independent penetration tests can be used to provide this level of technical assurance. They can establish how difficult it is to extract sensitive customer data and test the ability of the business to respond to a breach. Can the Incident Response plan limit the impact of a breach?

·      Educate staff – Don’t just focus on IT. Educate staff on data protection best practices and look at the ease with which data breach incidents can be reported. Make the business and personal impact of a privacy breach real for them. Foster a culture of open disclosure so that staff do not fear repercussions for themselves or their associates.

·      Secure the supply chain – consider how personal data is secured not just within the organisation but by third party suppliers. Weak third party management is often cited as a primary cause of security incidents and privacy risk.

·      Avoid compliance complacency – Standards-based and regulatory compliance can only go so far. The retailer should seek to identify data privacy risks unique to the business and determine proportionate and effective methods to adequately address them.

Summary of FOIA findings
·      Over 500 complaints/concerns submitted to the ICO about the retail sector during the period March 2014 – March 2015
·      From April 2014 – March 2015, 312 were classed as generic breaches
·      From April 2014 – March 2015, 156 were classed as breaches of the DPA although no monetary fines were imposed
·      The top reasons cited were DPA compliance and a request for assessment from the ICO (136 cases), subject access (72 cases) and disclosure of data (33 cases)

·      Conclusion: Despite an initial reduction in April last year, the retail sector continues to consistently breach the DPA and needs to look more closely at how to effectively protect personal data.



Major health insurance company discloses data breach

Yesterday, CareFirst became the third major health insurance company in the USA to disclose a data breach which potentially compromised customer information. It’s been reported that the attack could affect as many as 1.1 million of its customers but, according to CareFirst, the hackers did not gain access to sensitive financial or medical information such as social security numbers, credit card information or medical claims. They did, however, have access to names, email addresses and dates of birth. The company said the breach happened last June and described it as ‘sophisticated’.

Comments from the experts on this breach:

Mark Bower, VP at HP Security Voltage:

“Healthcare entities are the new data gold mines for attackers. The data is lucrative, often unprotected, and useful for medical and identity fraud. Unfortunately, many healthcare firms do not have modern data-centric protection in place to neutralise breach risks of these kinds of attacks and are thus vulnerable to being plundered from advanced malware. One reason for this dilemma is the lack of regular enforcement of security standards like PCI DSS. Approaches that simply meet minimum compliance regulations are clearly not sufficient. Other industries like banking, payment processing and retail have learned all too painfully that being compliant means nothing when the attackers are already inside, stealing data from behind the quickly dissolving perimeter. It’s time for the healthcare entities to shift gears to modern data security defenses and join their peers in other industries who’ve already learned how to mitigate these threats and neutralise their data from advanced attacks to protect valuable data assets, enable data-rich analytic insight without risk, and prosper as a result to the delight of their customers.”

Gavin Reid, VP of threat intelligence at Lancope:

“Medical Identity theft

1) Why is this growing?

Three reasons: Large scale attacks to hospital patient record data bases, along with areas that are doing medical research, can be extremely valuable source data for pharmaceutical and other medical research. Some medical offices have unique patient records & histories spanning years that could never be recreated and have a huge research value. Secondly, the patient records themselves often have very complete PII (Personal Identifying Information) sets that are easily used in the more common data theft scenarios. The last and increasingly common reason is where medical identity theft is used to create fraudulent insurance claims using a stolen identity.

2) What can be done to stop it?

The medical industry as a whole has to up its game in security maturity especially basics like patching, security controls and incident detection.

3) What can a consumer do to protect him/herself?

Limit who has your personal data when possible – share only with trusted providers that have a need to know.  Be vigilant if you ever come across a medical bill in your name that covers services you didn’t receive – even if there is no associated bill or charge.”



Oil Industry & Tankers under cyber attack “The Phantom Menace”

A recent report from Panda Security provides details of a stealthy cyber attack against the oil transport sector. Using a number of custom scripts, the cyber criminals were able to evade anti-virus software and succeeded in stealing credentials from several unsuspecting users.

The report makes interesting reading and can be found here:

Panda Security Uncovers Ongoing Attack Against Oil Tankers

Feel free to let us at @DFMag know your comments.



Akamai Releases Q1 2015 State of the Internet – Security Report

In response to the recently released “Q1 Akamai State of the Internet – Security Report 2015”, Dave Larson, CTO at Corero Network Security, has given the following comment:

“There is an interesting point to note which is the increase in number of attacks with a corresponding drop in mean peak bandwidth.  This correlates quite closely with the transition Corero has been noticing, where DDoS is being used more frequently as a masking agent or security perimeter degradation tool.  The big attacks are still occurring – but the increase in lower level attacks of the type we have been highlighting would create this trend in the Akamai data. 

“Even though there is evidence of this trend in the Akamai data – you really can’t see it definitively unless you are monitoring in-line, which is how the majority of Corero customers use our SmartWall Network Threat Defense system.  The big cloud DDoS providers are great at dealing with big, super-saturating events – but they do not begin to even scratch the surface of the small security focused attacks.  

“Even with the 35% increase in unique DDoS attacks from Q4-2014 to Q1-2015, this still yields a total number of around 440 attacks during the quarter in the entire Akamai/Prolexic customer base. Corero sees nearly this many attacks in just a single average customer (351), with several of our customers experiencing many more discrete DDoS attacks than the entire Akamai/Prolexic customer base. This is not intended as a slight against Akamai – but it is an indication that they can only count what they can see. An out-of-band solution, while useful for massive scale events, is limited in the granularity it can achieve. Security conscious organizations must begin taking the security threat of low-level DDoS seriously – DDoS is no longer principally about denying service; it is more about degrading security perimeters.”



20% of IT professionals have witnessed a security breach cover-up

Research conducted by AlienVault has shown that 20% of IT security professionals have witnessed a breach being hidden or covered up. The survey also found that in the event of a breach, only 25% of professionals would see the best course of action as telling the regulator and paying the fine.

“Information security is still a comparatively immature industry,” argues Javvad Malik, security advocate for AlienVault. He fears that the rapid growth of the industry in such a short timeframe has forced security professionals to “make up the play book as they go along, evidenced by inconsistent disclosure practices as well as the ever-changing and complex legal path to navigate.”

The survey’s finding that 20% of IT security professionals have witnessed or been part of a breach being hidden is the prime indicator of the strain placed upon the industry. Malik attributes this to the competitive nature of the technology world, saying “the time and effort it could take to recover from a breach can be significant. Particularly where sensitive data is involved.”

The survey also showed that 66% of those surveyed view a breach as an opportunity to increase the funding for their security departments. According to Malik, this shows that “despite the raised profile of security, it still takes an incident to obtain budgets and raise security.”

Statistics like these are what Malik uses to argue for a much greater support base for IT security professionals, through training and networking, saying “most organisations are coming round to the belief that along a long enough time scale, a security incident or exposure in their product is inevitable.”

When asked if they need to resort to hacker forums and working with black hats to keep abreast of the latest threats and technologies – something that isn’t always legal – over half replied yes. Malik says “support from within the security industry on emerging threat and attacks isn’t sufficient or freely available to professionals liking to access information in a timely manner.”

It is also worth considering that this is a case of ‘know your enemy’, and Malik has strong anecdotal evidence that many in the industry believe this to be so.

It is these kinds of attitudes which Malik says need to be remedied, or he fears “security professionals will find themselves under more pressure to cut corners and bend rules in order to keep the show on the road.” He suggests the culture of the industry should change to one that “accepts, fixes and moves along when they [breaches] do occur.”

(This survey was conducted with 1107 respondents at RSA 2015.)



Microsoft TechNet besieged by Chinese hacking gang

Following the news APT17 DeputyDog hackers are pushing Blackcoffee malware using TechNet, Tim Erlin, Director of Product Management at Tripwire, has commented:

“Using a legitimate website to distribute malicious data is nothing new, but the addition of obfuscation here is a twist that makes detection just that much harder. Any website that allows for public comments to be submitted is already monitoring for abuse, but they can only detect what they’re actually looking for. Now that this technique has been surfaced, website administrators will adapt to identify it, and the criminals will have to shift again to avoid detection.”



Brazilian pirates discover new hack for the PS4

It appears that hackers from Brazil have managed to discover a new exploit for the PS4. A couple of weeks ago, a number of electronics stores in Brazil were advertising the means to copy and run a series of ripped retail games on the console. Not a whole lot was known about the hack back then, but information gradually began to trickle out from customers and make its way around the web. Gavin Reid, VP of threat intelligence, Lancope, stated:

“Vendors in this space face aggressive targeting by communities wishing to remove copy protection. The PS4 will be no different and Sony will continue to play an arms race against groups that benefit from the abilities to copy and share games. Open source groups like Homebrew with more altruistic motivations of extending the functionality of the console alongside groups selling modified consoles specifically to play copied games and of course the resell of the games themselves at a fraction of the actual costs. This has happened historically with all of the major consoles. It would be highly unlikely not to continue with the PS4.”

TK Keanini, CTO, Lancope, commented:

“As a PS4 and Xbox gamer, I would also like to add that the integrity of the game is not only a matter of piracy but a matter of game play. Game developers must develop advanced methods of checking the integrity of the game at runtime as a certain percentage of gamers hack the game so that they can have an unfair advantage in competition. When this happens, most folks stop playing the game and the community moves to another game. Gamers don’t mind losing as long as they have lost in fairness. These cheats sometimes allow competitors to hide in walls or aimbots give them 100% accuracy; no one likes cheaters.”



Hackers hit Starbucks mobile users to steal credit card credentials

Credit card hackers are targeting Starbucks gift card and mobile payment users and stealing from consumers’ credit cards. This new scam is so ingenious, the cyber criminals don’t even need to know the account number of the card they are hacking! By taking advantage of the Starbucks auto-reload feature, they can steal hundreds of dollars in a matter of minutes. Because the crime is so simple, it can escalate quickly.

Brendan Rizzo, technical director EMEA, HP Security Voltage:

“This hack underscores the need for companies to protect all of the sensitive information they hold on their customers.  Criminals are always looking for a way to exploit a system in a way that they can then turn into cold hard cash.  In this case, there is a further risk in that the app stores and displays personal information about the user such as their name, full address, phone number and email address.  Criminals could then use this information or sell it on for use in more targeted larger-scale spear-phishing or identity theft attacks.  Beyond the threat to customers’ sensitive data, companies need to be concerned with the impact such an event can have on their reputation and, ultimately, on their bottom line.  A data-centric approach to security is the key cornerstone needed to allow companies to mitigate the risk and impact of these types of attacks.”

Stephen Coty, chief security evangelist, Alert Logic, comments:

“16 million Starbucks customers who utilise their mobile payment service may have been compromised as part of an organised attack. There have been reports of the mobile app being manipulated to hijack funds once the mobile device is reloaded with funds from a credit or gift card. There have been conversations through Twitter about customers seeing fraud taking place with their Starbucks accounts. Starbucks has said that they process approximately $2 billion in mobile payments.

The timing of this attack is very interesting since, just about a week ago, Starbucks had an issue in their stores with their payment system not allowing for the processing of credit cards. Makes you think what exactly happened to the payment system that shut down the service for a day and gave attackers an opportunity to compromise a part of their system.”

Gavin Reid, VP of threat intelligence, Lancope:

“Nothing too new here – if you guess the username and password for an account that is backed by your bank, bad things can and will follow. This highlights problems with using consumer cards & accounts that are backed up with either a high limit credit card or even worse the current checking account. Ideally vendors would make this form of compromise harder by using multi factor authentication and the banks themselves would issue one-time-use account numbers that contain a fixed amount of cash limiting the loss. This type of small amount theft can be automated reusing already exposed credentials. Consumers can protect themselves by setting hard to guess unique passwords.”
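The abuse described above relies on the drain-and-reload loop repeating many times within minutes, which is exactly what a velocity rule on reload events can catch. The following is an added example, not code from Starbucks or from any of the vendors quoted; the event format, the thresholds and the sample events are constructed assumptions.

```python
"""Velocity check for stored-value auto-reload abuse (added example).

Flags accounts whose balance is topped up from a linked card too many
times, or for too much money, inside a short sliding window. Event format,
thresholds and sample data are assumptions made for this illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, event type, amount in USD).
# "reload" is an auto-reload from the linked card; "transfer" moves balance
# out to another card, which empties the account and triggers the next reload.
SAMPLE_EVENTS = [
    ("2015-05-13T09:00:00", "acct-1001", "reload", 25.00),
    ("2015-05-13T09:00:40", "acct-1001", "transfer", 25.00),
    ("2015-05-13T09:01:05", "acct-1001", "reload", 25.00),
    ("2015-05-13T09:01:50", "acct-1001", "transfer", 25.00),
    ("2015-05-13T09:02:20", "acct-1001", "reload", 25.00),
    ("2015-05-13T09:03:01", "acct-1001", "transfer", 25.00),
    ("2015-05-13T09:03:30", "acct-1001", "reload", 25.00),
    ("2015-05-13T08:10:00", "acct-2002", "reload", 20.00),  # normal use
    ("2015-05-13T17:45:00", "acct-2002", "reload", 20.00),  # normal use
]

MAX_RELOADS = 3                  # assumed: more than 3 reloads ...
WINDOW = timedelta(minutes=10)   # ... within 10 minutes is suspicious
MAX_RELOAD_TOTAL = 75.0          # assumed: or more than $75 reloaded in-window


def reload_alerts(events, max_reloads=MAX_RELOADS, window=WINDOW,
                  max_total=MAX_RELOAD_TOTAL):
    """Return {account: (count, total)} for accounts whose reload velocity
    exceeds either threshold in any sliding window. Only reload events are
    counted; the transfers in the sample just show the drain/reload loop."""
    alerts = {}
    recent = defaultdict(deque)  # account -> deque of (ts, amount) in window
    for ts_str, account, kind, amount in sorted(events):  # ISO strings sort by time
        if kind != "reload":
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent[account]
        q.append((ts, amount))
        while q and ts - q[0][0] > window:  # drop reloads older than the window
            q.popleft()
        count = len(q)
        total = sum(a for _, a in q)
        if count > max_reloads or total > max_total:
            prev = alerts.get(account, (0, 0.0))
            alerts[account] = (max(prev[0], count), max(prev[1], total))
    return alerts


if __name__ == "__main__":
    for account, (count, total) in reload_alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: {count} reloads totalling ${total:.2f} within {WINDOW}")
```

A hard per-window cap on reload amount, applied at the time of the reload rather than after the fact, is the preventive counterpart of this detection.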



3 in 4 companies risk serious security breach from ex-employees

More than three quarters of organisations are risking serious security breaches from former employees by not severing ties effectively, according to new research by IS Decisions.

Only 24% of companies follow strict post-employment processes to ensure that employees no longer have access to company-sensitive information once they have left. The findings are part of research in IS Decisions’ report, User security in 2015: the future of addressing insider threat, based on a survey of 250 IT professionals in the UK and 250 in the US.

This major security oversight tallies with research from the employee’s perspective conducted by IS Decisions in 2014, which found that over a third of users are still aware of having access to systems — with nearly 1 in 10 regularly accessing systems after having left the company.

François Amigorena, CEO of IS Decisions, said: “It’s often easy for companies to overlook post-employment processes when they’re worrying more about the behaviour of current employees.

“However, an employee on the outside with access to your systems can be as dangerous as any hacker or virus — and often your threat detection systems won’t pick up a former employee because it thinks the employee has genuine authority to access systems.

“Threats can go undetected for months, leaving a huge open window for attack. A simple employee exit checklist can help mitigate these threats.”

The new report also found that IT professionals are calling for more help to tackle the issue of insider threat. The research found that an overwhelming 91% want to see industry-wide collaboration on the issue, 78% want clearer guidelines, and only 43% see senior management taking enough responsibility for insider threat.

And while 67% state they plan to look at specific tools, technology and data to help tackle insider threat, the tools are not likely to be effective in isolation. Research found 57% of insider threat programmes will include organisation-wide training — demonstrating that a joined-up approach is essential for internal security.
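Because a former employee’s account still looks authorised to a conventional detection system, the check has to bring in a data source that knows who has left. The following is an added example, not code from IS Decisions or the report; it cross-references a constructed HR leaver list against a directory export and an authentication log, and all file formats and sample records are assumptions.

```python
"""Leaver-access check (added example).

Finds (a) leavers whose accounts are still enabled, i.e. the exit checklist
was not completed, and (b) successful logins by a leaver after their leave
date, which an access-control system would otherwise treat as legitimate.
All formats and data below are constructed for this example.
"""
import csv
import io
from datetime import date, datetime

# Constructed HR feed: one row per leaver.
LEAVERS_CSV = """username,leave_date
alice,2015-03-31
bob,2015-04-15
"""

# Constructed directory export: account state at the time of the check.
DIRECTORY_CSV = """username,enabled
alice,false
bob,true
carol,true
"""

# Constructed authentication log: "<timestamp> <host> login key=value ...".
AUTH_LOG = """\
2015-04-01T08:02:11 vpn01 login user=alice result=FAIL src=203.0.113.7
2015-04-20T22:14:03 vpn01 login user=bob result=OK src=198.51.100.23
2015-05-02T07:30:45 mail01 login user=bob result=OK src=198.51.100.23
2015-05-02T09:00:00 mail01 login user=carol result=OK src=192.0.2.10
"""


def load_leavers(csv_text):
    """Map username -> leave date from the HR feed."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["username"]: date.fromisoformat(r["leave_date"]) for r in rows}


def stale_accounts(leavers, directory_csv):
    """Leavers whose directory account is still enabled (checklist gap)."""
    rows = csv.DictReader(io.StringIO(directory_csv))
    return sorted(r["username"] for r in rows
                  if r["enabled"].lower() == "true" and r["username"] in leavers)


def post_exit_logins(leavers, log_text):
    """(user, timestamp, source) for successful logins after the leave date."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        ts = datetime.fromisoformat(parts[0])
        fields = dict(f.split("=", 1) for f in parts[3:])  # key=value pairs
        user = fields.get("user")
        if (user in leavers and fields.get("result") == "OK"
                and ts.date() > leavers[user]):
            hits.append((user, parts[0], fields.get("src")))
    return hits


if __name__ == "__main__":
    leavers = load_leavers(LEAVERS_CSV)
    print("still enabled:", stale_accounts(leavers, DIRECTORY_CSV))
    for user, ts, src in post_exit_logins(leavers, AUTH_LOG):
        print(f"post-exit login: {user} at {ts} from {src}")
```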

The report is available to download via the IS Decisions website: User security in 2015: the future of addressing insider threat