Chinese Hackers Breached LoopPay, Whose Tech Is Central to Samsung Pay

Months before its technology became the centerpiece of Samsung’s new mobile payment system, LoopPay, a subsidiary of the South Korean electronics giant, was the target of a sophisticated attack by a group of government-affiliated Chinese hackers.

As early as March, the hackers — alternatively known as the Codoso Group or Sunshock Group by those who track them — had breached the computer network of LoopPay, a start-up that was acquired by Samsung in February for more than $250 million.

LoopPay executives said the hackers appeared to have been after the company’s technology, known as magnetic secure transmission, or MST, which is a key part of the Samsung Pay mobile payment wallet that made its public debut in the United States last week.

Mark Bower, global director, enterprise data security for HP Data Security advises: “No-one is free from breach risk. If you store, process and collect sensitive data, especially payments and personal data, your business is on the radar of attackers, period. Forensics are a powerful tool to discover the extent of a breach, but by then the data is long gone. Any company today has to assume a breach will happen and take more advanced threat mitigation measures. The payments business has learned the lesson hard over the years, and embraced far more powerful approaches to data security than traditional perimeter and storage encryption provides. Today, the best-in-class businesses secure the data itself, not just the infrastructure, securing billions of transactions representing trillions of dollars in value with new technologies like Format-Preserving Encryption and stateless tokenization. The result is they don’t keep any live data anywhere it can be stolen. This is a huge shift from older perimeter or disk and database encryption approaches which simply can’t withstand advanced attacks like those reported in this case.”


Experts opinion on the recent Kmart Australia data breach

An investigation is under way after Kmart Australia confirmed some of its customers’ private details have been hacked in an online security breach. In a statement published on the company’s website, Kmart Australia stated that some customers’ identity (name), email address, delivery and billing address, telephone number and product purchase details were accessed in the breach, but no online customer credit card or other payment details have been compromised or accessed. The statement also said that customers affected have been sent an email to inform them of the privacy breach.

Mark Bower, global director at HP Security Voltage commented:

“This hack underscores the need for companies to protect all of the sensitive information they hold on their customers. Criminals are always looking for a way to exploit a system in a way that they can then turn into cold hard cash. In this case there is a further risk in that personal information about the user such as their name, full address, phone number and email address was taken. Criminals could then use this information or sell it on for use in more targeted larger-scale spear-phishing or identity theft attacks. Beyond the threat to customers’ sensitive data, companies need to be concerned with the impact such an event can have on their reputation and, ultimately, on their bottom line. A data-centric approach to security is the key cornerstone needed to allow companies to mitigate the risk and impact of these types of attacks.

While credit card data may remain safe here, one has to ask why other personal data wasn’t protected in the same manner. With the available technologies today to protect sensitive data very easily and quickly, it’s a simple matter to cover all sensitive data bases to protect consumer trust and satisfaction. Securing sensitive personal data, which is commonly attacked to conduct fraud and irritating phone scams and phishing attacks at the expense and inconvenience of the Australian consumer, is a duty of every Australian business today and not optional without being forced to by government regulations.”

Lisa Baergen, director at NuData Security:

“While Kmart may be downplaying this situation, breaches like this continue to be of extreme significance and concern. Even though it is believed financial information remained secure, hackers were able to access the names, addresses, phone numbers and emails of Kmart customers. What victims of a breach don’t always recognise is that every bit of information is important, so while they are downplaying the information leaked, consumers need to be more aware of the ramifications. Coupled with details from the rising number of breaches we continue to see, more comprehensive identities can be built and sold for a higher value to hackers on the dark web. So while financial details may not have been compromised this time, it won’t be long before fraudsters piece together more comprehensive bundles of information with details that include credit card numbers, passwords and more.

These ‘bundles’ contain much more complete, and increasingly dangerous information around specific individuals, meaning there are more opportunities for fraud to take place. For example, with enough data collected from separate breaches, a fraudster could gain access to financial and geographical information such as passwords and credit card numbers; they can fill out a loan application or apply for new credit cards. There is a multitude of ways to commit fraud with larger bundles of information. Fortunately, there is a means of stopping fraudsters from using their precious compiled data, before catastrophic damage can be done.

Organisations need to work harder to protect their consumers. We are still waiting to see the fallout for Kmart, but beyond the short-term fines and legal costs, they stand to lose consumer confidence, driving loyal customers to competitors and suffering sometimes staggering profit losses, like Target’s post-breach profit loss of 50%. Regaining customer confidence is no easy task. It is time to stop being reactive to these breaches with free credit reports and stop fraudsters in advance.

The organisations at the forefront of protecting their brand and users are leveraging online fraud detection solutions that employ behavioural analysis. The completely passive system is able to identify suspicious activity, potentially coming from a fraudster who has procured legitimate account credentials, and stop any deceitful transactions from taking place. Without the need to interrupt a user’s experience, behavioural analysis serves as a means of understanding how legitimate users truly act, thereby predicting and preventing fraud from occurring.”


Alert Logic releases 2015 edition of its Cloud Security Report. The research analyses more than 800,000 security incidents across the 3,000 customer environments

Alert Logic has recently released the 2015 edition of its Cloud Security Report. This annual and proprietary piece of research analyses more than 800,000 security incidents across the 3,000 real customer environments protected by Alert Logic.

Some key findings in the new report include the following:

Top cyberattack methods aimed at cloud deployments grew 45 percent, 36 percent and 27 percent respectively over the previous year, while top attacks aimed at on-premises deployments remained relatively flat. Alert Logic attributes this increase in cloud attacks as being driven by the overall strong adoption of cloud computing platforms. In other words, cyber criminals are logically attempting to break into a growing number of applications being deployed in the cloud.

The type of cyber-attack perpetrated against a company is determined more by how it interacts with its customers and the size of its online presence than by where its IT infrastructure resides. Understanding this threat profile can help a company determine which type of cyber-attack it is most vulnerable to, as well as the type and size of the security investment required to keep it safe.

Understanding the Cyber Kill Chain® can give insight into where cyber criminals are more likely to breach a company’s environment and how they can be stopped. This representation of the attack flow can help organisations target a defense strategy based on the way attackers approach infiltrating their businesses.

The report also identifies the specific cyber threats faced by different industries, including Advertising, Accounting/Management, Computer Services, Mining, Financial, Real Estate, Healthcare, Retail, Manufacturing and Transportation. Additionally, the report provides a more detailed analysis of three industries in particular: Mining, Oil/Gas & Energy; Retail and Financial Services.

“While cybercriminals are increasingly targeting cloud deployments, on-premises deployments are still being targeted at the same frequency as they always were,” said Will Semple, Vice President of Security Services for Alert Logic. “The key to protecting your critical data is being knowledgeable about how and where along the Cyber Kill Chain attackers infiltrate systems and to employ the right security tools, practices and resource investment to combat them.”

To access the Fall 2015 Cloud Security Report, visit here.


Nuclear facilities under-prepared for serious cyber attacks

The risk of a serious cyber attack on civil nuclear infrastructure is growing, as facilities become ever more reliant on digital systems and make increasing use of commercial ‘off-the-shelf’ software, according to a major new report from Chatham House.

‘Cyber Security at Civil Nuclear Facilities: Understanding the Risks’ is the result of an 18-month study that draws on in-depth interviews with 30 leading industry practitioners based in more than eight countries. It found that the trend to digitisation, when combined with a lack of executive-level awareness of the risks involved, means that nuclear plant personnel may not realise the full extent of their cyber vulnerability and are thus inadequately prepared to deal with potential attacks.

Commenting on this, Tony Berning, senior manager at security firm OPSWAT, said:

“As attacks become more sophisticated, and digital control systems increase in complexity and levels of automation, it is increasingly difficult to prevent threats from impacting the operation of critical infrastructure. As a security measure, most critical infrastructure systems are air-gapped, or isolated from external networks. Because of this, portable media is a primary vector for cyber-attack; it is often the only way to transport files to and from secure areas. As key attack vectors for malware, it is extremely important that extra attention is placed on securing the portable media devices that are brought in and out of a secure facility.

While imperative to the protection of critical infrastructure, securing portable media devices is not easily done, and there are many requirements that can impact the portable media security policies for operators of critical infrastructure. In many cases, there is no single source for an organisation’s portable media security policy, and individual facilities may require unique security policies.

Since SCADA systems control key functions in critical infrastructure, such as nuclear plants, successful attacks on SCADA systems could potentially cause disruptions in services that we all depend on every day. For this reason, SCADA attacks are often politically motivated and backed by foreign state actors with motives such as industrial espionage or military sabotage.

Many SCADA and ICS (Industrial Control Systems) systems were built decades ago when cyber security was not yet an issue. To add cyber security defences to these systems is a major task, coupled with the fact that due to their critical nature, downtime for system upgrades is virtually impossible.

Given these challenges, what can be done to improve the security of critical infrastructure? Here are five ways to improve SCADA security:

#1 Air-Gap Systems: Since many SCADA systems do not include cyber security controls, it is important to physically separate these systems from the Internet and corporate network. If the systems are connected to the network, strong firewalls, intrusion detection systems and other security measures must be put in place to protect against unauthorised intrusion.

#2 Avoid Default Configurations: Avoid using default configurations on network and security appliances. Factory passwords must be changed immediately and a system of strong passwords and regular password updating should be enforced.

#3 Apply USB & Portable Device Security: Since air-gapped systems are not connected to the network, often the only way to bring files in and out of the SCADA system is by using portable media such as USB drives or DVDs. As key attack vectors for air-gapped networks, it is very important to deploy a portable media security system that thoroughly scans portable devices for any threats before they are allowed to connect to the secure SCADA network.

#4 Defend Against Advanced Persistent Threats (APT): Attacks are becoming more and more sophisticated, with malware lying in wait undetected for a long period of time. It is important to fight APTs at different levels; not only trying to prevent APTs entering the network, but also detecting APTs that have already gained entry. An effective way to detect APTs is to use a multi anti-malware scanner that will scan files with multiple anti-virus engines using a combination of signatures and heuristics and will therefore be able to detect more threats. In addition, technologies such as data sanitization can prevent zero-day and targeted attacks that may be missed by anti-malware engines by converting files to different formats and removing any possible embedded threats and scripts. Devices should be continually monitored for any abnormal activity and files on the network should be continually scanned with multiple anti-virus engines; a threat that was previously not detected could be found by an updated signature database.

#5 Perform Penetration Testing: Regular penetration testing and vulnerability assessments, if possible conducted by a third party, are very helpful to get realistic input on the current security level and shed light on which areas still need additional security precautions.

The above measures, along with employee awareness training and continuous evaluation, will significantly boost the security of critical infrastructure systems.”


Expert Opinions on Scottrade breach that exposed personal information of 4.6 million customers

Brian Krebs recently reported that online stock brokerage Scottrade has suffered a breach that exposed the personal information of 4.6 million customers.

Scottrade officials said in an online advisory that the breach happened in late 2013 or early 2014 and exposed social security numbers, e-mail addresses and “other sensitive information.” The advisory said the attackers appeared to target client names and street addresses. The notice never made it clear if password data was also accessed, but unhelpfully, the officials said, “Client passwords remained fully encrypted at all times and we have not seen any indication of fraudulent activity as a result of this incident.”

Now that more of the details are available, @DFMag got the following opinions from security experts:

Mark Bower, global director, HP Security Voltage:

“It’s almost mind-boggling that yet another major data breach has been revealed in less than a week. In this case, while the passwords may remain safe, one has to ask if the customers’ personal data was protected in the same manner. With the available technologies today to protect sensitive data very easily and quickly, it’s a simple matter to cover all sensitive data bases to protect consumer trust and satisfaction. It’s important that businesses follow best practice of encrypting all sensitive and regulated data as it enters their ecosystems, and have the protection follow the data-at-rest, in-use and in-motion. This is especially urgent in the financial services industry and data processors.

Beyond the threat to customers’ sensitive data, companies need to be concerned with the impact such an event can have on their reputation and, ultimately, on their bottom line. A data-centric approach to security is the industry-accepted cornerstone needed to allow companies to mitigate the risk and impact of these types of attacks.

Once again, this underscores the need for companies to protect the sensitive information they hold on their customers. While it’s not clear who is responsible, criminals are always looking for a way to exploit a system in a way that they can then turn stolen data into cold hard cash. In this case there is a further risk in that personal information about the user such as their name, full address, phone number and email address was taken. Criminals could then use this information or sell it on for use in more targeted larger-scale spear-phishing or identity theft attacks.”

Ryan Wilk, director, NuData Security:

“The reported breach of Scottrade continues to intensify doubts of our personal information being safe. The breach has potentially compromised sensitive data of 6.4 million customers, in a week following the report of hackers stealing data from 15 million T-Mobile customers.

The Scottrade database contains social security numbers, email addresses, and other sensitive information, but it appears, according to Scottrade, that the hackers targeted names and addresses.

The breach is of extreme concern due to 1) the expanse of the breach and 2) the personally identifiable information (PII) that was potentially compromised and 3) speculating other potential intent of the hackers.

What victims of a breach don’t always recognise is that every bit of information is important. Coupled with details from another breach, more comprehensive identities can be built and sold for a higher value to hackers. To authenticate people applying for credit, loans, mortgages and other financial services, banks will ask questions based on information in these compiled records. Additionally, this information could be used to manipulate stock prices in a pump and dump scheme.

This breach is yet another indicator that the time has come for the next evolution in our game of cat and mouse with the fraudsters – and there are two potential strategies:

1) Put individual responsibility on each and every organisation to deploy CIA level security. (Not a realistic strategy, and even the CIA has been hacked)
2) Take an industry wide approach to make the data useless to the fraudsters. The second approach interests me. Even if the data is accurate, if they can’t use it because better technology prevents them there will be no economic incentive to seek it out.

Some organisations are already at the forefront of leveraging solutions that employ behavioural biometrics to uncover the true identity of the user behind the device. This analysis of user behaviour serves as a means of understanding how legitimate users truly act. They can easily identify suspicious activity, potentially coming from a fraudster who has procured legitimate account credentials from breaches or other sources.

This breach will definitely and seriously undermine trust in Scottrade. This continues the evolution of an era in which to better protect against fraud, a “layered approach” for identity proofing is needed as recommended by Gartner.”


Experts comment: Hackers steal 15 million T-Mobile customers’ data from Experian

T-Mobile has revealed that hackers have breached Experian’s network and stolen a trove of customer data. The data stolen from those 15 million victims includes their names, addresses, and birth dates, as well as encrypted social security numbers, drivers’ license ID numbers, and passport ID numbers.

Security experts have provided @DFMag the following commentary on this significant cyber attack:

Mike Spykerman, Vice President at OPSWAT:

“Data breaches are on the rise since they are lucrative and relatively low risk. The T-Mobile breach highlights the fact that attackers are now aiming for personal data instead of credit card information since identity theft brings in higher rewards. Unfortunately, as long as there is a market for stolen data, data breaches will continue to increase. Organisations should boost their defenses against a data breach by deploying several cyber security layers including device monitoring and management, scanning with multiple anti-malware engines, improved email security, and advanced threat protection.”

Ryan Wilk, Director at NuData Security:

“Data breaches don’t occur in a vacuum. The repercussions are widespread and often have a ripple effect. That’s why fraud detection is so important. With detection and behavioural analysis, fraud can be stopped before it has detrimental consequences. The breach has already happened, but it’s still possible to prevent hackers from being able to use the data they steal in these incidents, rendering it completely useless to them and thus protecting victims of a data breach from further harm.

With a comprehensive, passive behavior profiling system, suspicious activity can be immediately identified and blocked. This could provide victims of the Experian breach with an additional layer of protection even after the fact.”

Gavin Reid, VP of threat intelligence at Lancope:

“When you type “Experian” into Google, the suggested first result is “Experian data breach”, the next results are “Experian data breach 2014” and “Experian data breach 2013”. Experian has experienced 3 major hacks in as many years! If this isn’t a wake up call to take action, I don’t know what is.”


Majority of Organizations Still Gambling with IT Security

A new survey from Lieberman Software Corporation revealed that 92 percent of IT security professionals believe that cyber security drills are a good way to prepare for cyber attacks. However, 63 percent of those surveyed admitted that their organizations never run such drills, or only do so annually.

The study was carried out at Black Hat Conference 2015, and looked at the attitudes of nearly 150 IT security professionals. It also revealed that only 11 percent of organizations carry out cyber security drills quarterly, while 26 percent conduct them every six months.

“What concerns me most about this survey is that the majority of IT security professionals fully understand the benefits of running cyber security drills, but only a small percentage actually put these drills into practice,” said Philip Lieberman, CEO of Lieberman Software. “In today’s threat landscape, organizations are attacked continuously. With this in mind, you would think companies would be doing everything they can to limit the damage of potential cyber attacks. However, our study reveals this clearly isn’t the case. And IT teams are fully aware of the consequences.”

Executive Management Does Not Heed IT Security Warnings

The survey also revealed that IT professionals often warn their superiors about pending IT security disasters, but think that executive management fails to take action. When respondents were asked about the obstacles they face trying to convince management to proactively deal with cyber threats, responses were as follows:

11 percent said they couldn’t find a way to give IT a place in the corporate board room
10 percent said they couldn’t find budget to rectify the situation
12 percent said they couldn’t convince management to understand the severity of cyber threats
45 percent said all of the above
“IT security is a companywide issue. Any CEO or corporate board who does not realize this will have a nasty shock when their company is attacked, their share price plummets and they lose customers. Corporate boards should learn about the cyber threats targeting their companies, and should have a good understanding of the company’s IT security posture. Executive management should assume that intruders are already inside their networks. They should ensure that their organizations can contain cyber attacks by securing privileged access, and by removing shared and long-lived credentials that intruders exploit to move around the network. This will mitigate damage and protect the company’s reputation when a cyber attack does occur,” Lieberman continued.
