Katy Perry Twitter account hacked

A hacker broke into Katy Perry’s Twitter account today and sent out a number of tweets, some of which included profanity and slurs, before they were discovered and taken down.

Tim Erlin, Director of IT Security and Risk Strategy, says, “While there’s plenty that Katy Perry could have done differently, there’s probably not much that she should have done differently. Celebrities, with millions of followers, are always going to be attractive targets for any attacker who wants an audience. Technology companies are constantly working on ways to improve data security, including features such as multi-factor authentication. It can be a challenge to get customers to adopt new security controls, however.”

Tim explains, “While celebrities have to be more vigilant for abuse, the best practices for securing an account are really the same for everyone. Use multi-factor authentication, strong passwords, and keep software up to date.”



Tumblr and MySpace have been hit by a “mega breach”

Reports are surfacing that both Tumblr and MySpace have been hit by a “mega breach”, with hundreds of millions of hacked account details being advertised for sale online. In both cases, the logins appear to have been stolen several years ago, with the breach only just recently coming to light. The incident comes in the same month that it emerged a four-year-old database containing more than 167 million LinkedIn credentials had been traded online. Lisa Baergen, Director at NuData Security, told @DFMag:

“I sound like a broken record; but here we are again. Just as consumers start to feel secure, news of yet another breach hits the wire. No matter how long it takes to come out, the bottom line is that you have to stop thinking “what IF” and accepting it should be seen as “WHEN”…

Although usernames and passwords can be changed, victims of a breach need to understand that every bit of information exposed is important and may sit dormant for some time. These credentials are likely sold in packages on the dark web and compiled out of solid profiles of your online identity. Fraudsters are learning that information stolen from various breaches can create more comprehensive ‘identity bundles’ which sell for a higher value to hackers. With more complete information, more fraud can take place.  

As an example, if I’m a hacker and gain access to geographical data on John Smith from breach one, and bank account information from breach two, I can fill out a loan application or apply for a new credit card as John regularly would. Where credit card fraud was all the rage a couple years ago, it is account takeover and new account fraud that is on the dramatic rise. We saw in our own database of billions of behavioural events annually a 10% month-over-month increase in new account fraud.  

Fortunately, there are methods that online providers can take to help keep us consumers safe, while giving true insight into who sits behind the device – and trust it is not the hacker using our identity information online.  

User behaviour analytics can provide victims of this and other breaches with an extra layer of protection even after the hack has occurred. We need to put a stop to these fraudsters in a completely passive and non–intrusive way to us, the consumers. This is accomplished by understanding how a legitimate user truly behaves in contrast to a potential fraudster using our legitimate information ripped from all these breaches.  Without even interrupting a user’s experience, fraud can be predicted and prevented from occurring.  The only way to achieve this is by truly being able to identify the identity of the user behind the device.  

So, good luck hackers – you can keep stealing our data, but we are going to make this data invaluable to you, and you can’t steal my behaviours!”



Nuix Sensitive Data Finder 2.2 Streamlines Risk Management, Data Breach Mitigation, and Compliance With Tightening Regulations

Global technology company Nuix has released Nuix Sensitive Data Finder 2.2, an upgrade that further improves the product’s performance and adds visualizations and other analysis features to streamline common tasks and identify high-risk information sooner.

“Complying with regulations around data privacy, personal information, and data breach notification is practically impossible unless you have comprehensive insights into what data you have, where it is, who has access to it, and what obligations you have toward managing it,” said Julie Colgan, Vice President, Information Governance Solutions at Nuix. “Unauthorized and poorly protected copies of sensitive data are a serious business risk and easy pickings for cybercriminals and malicious insiders.

“With this latest release, Nuix Sensitive Data Finder has become an even more powerful tool to help corporate risk and security managers mitigate these risks by achieving Information Transparency™ across the contents of email systems, file shares, archives, databases, and other enterprise storage systems.”

New features in Nuix Sensitive Data Finder 2.2 include:

• Faster, more secure data management. Nuix Sensitive Data Finder now stores collected text in encrypted text files rather than database table entries. This improves database performance and scalability, and avoids creating a new source of business risk.

• Powerful visualizations. Customers can quickly identify items and areas of greatest concern using visualizations that arrange search results by names of people and other extracted entities, timelines, statistics, relationships, access permissions, and other relevant criteria.

• Query builder. Customers can create complex search queries using a simple interface and then save and reuse those queries across time, data sets, and repositories.

• Profiles and scripts. Nuix Sensitive Data Finder comes with metadata profiles, filter criteria presets, entity definitions, and risk profiles to simplify or automate common searches. Customers can write scripts to apply risk ranking to responsive items.

“Nuix Sensitive Data Finder extracts data and searches the results with the precision and integrity the Nuix Engine is known for,” said Colgan. “Unlike the traditional approach to locating particular kinds of information, which requires building and storing a complete index of all the data under investigation, Nuix Sensitive Data Finder scans the data in memory and, if desired, only captures and stores the responsive bits.

“Customers asked for improvements to performance, the back-end architecture, and licensing, and we delivered. It has never been easier to improve regulatory compliance, manage risks, and protect information assets against cybersecurity breaches, insider abuse, and inadvertent data loss.”



Annual cost of fraud in the UK could be as high as £193bn a year

The latest Annual Fraud Indicator report, based on research from Portsmouth University, has revealed that the annual cost of fraud in the UK could be as high as £193bn a year, far higher than a government estimate of £50bn.

Lisa Baergen, director at NuData Security, shared the following expert opinion with @DFMag:

“One of the largest growing fraud vectors is digital fraud. The global threat environment is rapidly changing, and the growing size and scope of breaches and exposure of personally identifiable information (PII) is concerning, because it can expose people to significant fraud. Individual point solutions for fraud prevention fail to deliver the visibility needed to protect financial institutions from threats posed by an increasingly complex world of cyber crime.

This year, we have determined that fraudsters are leveraging more sophisticated attack vectors, focusing increasingly on account takeover and account creation. In 2015 we identified 45.95% of accounts created, across our financial institution and e-commerce clients, as fraudulent attempts against customers of some of the largest banks and merchants globally. This was a 66% increase in account creation fraud since 2014, when the rate was 27% of all accounts. This shows us that thieves are beginning to value user accounts, with related details of payment information attached, more highly.

This puts an additional burden on the institution to protect their customers from fraudsters that know their customers better than the banks do. In order to hijack an account, fraudsters often attempt to login, just like regular users, using password information gathered from highly publicised data breaches. Expecting consumers to maintain strong, non-reused passwords has proven to be ineffective. To protect their brand and customers, the banks and financial institutions must figure out how to detect fraudsters utilising this rising amount of stolen identity data. The good news is that we can now harness the power of behavioural attributes to verify the authentic users. Behavioural analysis serves as a means of understanding how legitimate users truly act without interrupting their experience, thereby predicting and preventing fraud from occurring. Becoming complacent in an age of massive data breaches is both a financial and reputational hazard.”



Web-based Security Checker allows users to determine if known open source vulnerabilities are in the components used to build applications

Black Duck, the global organisation providing automated solutions for securing and managing open source software, today released Security Checker, a free, drag-and-drop tool for users to identify known open source security vulnerabilities in their code.

Based on Black Duck’s flagship Hub open source security solution, Security Checker scans the code contained in an uploaded archive file (e.g. .tar, .jar, .zip) or Docker image and provides a report showing the identified open source and related known security vulnerabilities. 

“Applications represent the greatest level of risk on the security-threat landscape and we expect that Security Checker scan results will provide an ‘aha moment’ for many open source users,” said Black Duck CEO Lou Shipley. “Their findings will focus attention on the need to regularly review application code to ensure it’s free of known open source vulnerabilities.” 

Open source use is ubiquitous worldwide because it reduces development costs, frees developers to work on higher-level tasks and accelerates time to market. It is the way applications are developed today. “Organizations definitely want to maximize all the benefits they get from open source, and as open source usage has increased, they’re realizing that it’s imperative to secure and manage their open source more effectively,” said Shipley.

The maximum file size for a Security Checker scan is 100MB and Shipley noted that “start to finish the process takes about 15 minutes. It’s a worthwhile investment of time to get valuable insights into the security of your open source code.”

Earlier this month Black Duck released a revealing report based on data from open source security audits of 200 commercial applications, conducted by its On-Demand business unit. The report confirms the widespread use of open source in application development and also highlights persistent challenges in securing and managing the open source in use.

Among the findings: 67 percent of the audited applications contained known open source security vulnerabilities; more than one third of the vulnerabilities identified were classified as “severe”; and 10 percent of the applications contained the Heartbleed vulnerability, which was discovered in April 2014.

Security Checker is available at: blackducksoftware.com/checker.



China’s Quantum Communication satellite to Thwart Hackers

China is launching the first quantum communication satellite in space in an effort to securely send and receive data to cut hackers out of the mix.

Commenting on this, Dwayne Melancon, CTO of Tripwire, told @DFMag:

“This is an interesting concept, but I think it is more of a novelty than a practical solution to the eavesdropping problem. There is a high likelihood that this satellite link will ultimately be connected to a terrestrial network, in which case the game is over. They may be able to keep it “air gapped” for a period of time to prevent cross-contamination of networks, but I think the limited utility of such an isolated network will ultimately cause China to make decisions that will result in a less secure communication link. 

Furthermore, this network still incorporates the ultimate weakness of any system: humans will use this secure network. That means attackers will likely get what they want by taking advantage of human factors if they find the technological factors too difficult to overcome.”



Hillary Clinton broke multiple government rules by using private email server

Hillary Clinton’s efforts to move on from a damaging email controversy suffered their biggest setback yet on Wednesday with the release of an internal report finding she broke multiple government rules by using a private server rather than more secure official communication systems.

@DFMag got several comments from industry experts on the matter:

David Gibson, VP of strategy and market development at Varonis:

“At a time when employees at all levels are accessing and communicating sensitive and confidential information from mobile devices and home offices — whether expressly authorised or not — this case should serve as a wake-up call for organisations. Security controls that apply only to networks and on-premises infrastructure leave gaping holes. Organisations should be monitoring and analysing all of their authorised users and their interaction with all potentially sensitive data, including email.  There is no telling how much damage can be done and go undetected without an inside-out approach.”

Oliver Pinson-Roxburgh, SE director EMEA at Alert Logic:

“This is a challenge as, in my experience, many organisations, rather worryingly, say “oh yeah, we know they send mails home to work with”, or “we allow them to use their own PCs at home for work”, or “I couldn’t tell if they used our tools outside of the organisation”. They are often just relying on procedure to protect their data and employees. In most cases there are no controls to stop people leaking some very sensitive data online via email, or even by other means like social media. I have had experience of employees within organisations uploading content to untrusted websites with no thought for security and how it could potentially impact the company – they just have a job to do, so it’s just easy to Google a solution and use that, typically online solutions that collect data. Often this is not meant to be malicious; it’s just that they have not considered security and the potential exposure. The question is how many people would admit to doing it internally, and is the culture more aligned to brushing it under the rug so as to not be the next big scandal. It is also becoming more challenging with the way we work and our agile approach to working.

Without controls in place, or a way to validate that the user is not doing what they are not supposed to be doing, how can you really enforce procedures? Many organisations just don’t have the time or resource on their own to police it. Organisations need to think about monitoring sensitive data leakage and considering where data could be leaked and start hunting for it.”

Simon Crosby, CTO and co-founder at Bromium:

“Anyone who has ever worked in a security sensitive organisation knows that email is the property of that organisation.  Clinton knew this too.  She either abused the system for convenience, or for reasons that we haven’t yet learned about.  Whatever the case, it was blatant, insecure and risked disclosure of sensitive government data.  If she is elected, I worry that cyber security will be treated with the same indifference or disregard, which is extremely concerning.”



Bank customers face bill for lax online security

Banks could block customers from claiming money back if they are a victim of fraud and it is found they had substandard online security, according to sources at the Financial Times.

Under proposals being discussed by Britain’s big banks, the Government, Bank of England and GCHQ, customers could be frozen out of banking services and unable to claim compensation if their account has been hacked, even if they’ve lost their life savings. Any changes would take several years to put in place according to bankers and would happen in stages.

Lisa Baergen, director at NuData Security, answered the following questions for @DFMag:

Is this a good or bad move?

“Whether or not this plays out as a “good” or “bad” move may depend on how much banks want to keep their customers, but it’s not unexpected. The sheer number of compromises has driven many banks to take measures to try and recover lost funds. The prevailing thought is that consumers should be in a position to protect themselves; however, we don’t give them the tools or the knowledge to protect themselves. This has sort of been the way it’s been for some time. For the most part, the merchants have very little skin in the game for fraud risk and it is felt that this should be shared risk for everyone. The problem then becomes, how do you decide responsibility and who gets to decide. There aren’t any clear answers. The banks need to take some responsibility by having the right fraud solutions and authentication solutions in place. At the same time, consumers do need to be more attentive to protecting their accounts. We work with many of the largest banks in the world and, frankly, we just expect that the consumers are using the same passwords over and over again. There are ways for banks to truly know who is behind the device with great accuracy and the password issue has become just part of a multi-layered approach many banks are taking now.”

Why should consumers be accountable? 

“I think this would be disastrous for a free flowing ecosystem, and I can’t see the regulations to this effect actually taking place. The backlash would be overwhelming. We focus totally on the customer experience, and moving in this direction goes completely against that philosophy. The hackers are so sophisticated that even the most educated consumer could fall for sophisticated phishing schemes. Federal regulations in the US say that consumers are responsible for a portion of fraud, ergo $50; yet no bank enforces it, or likely ever will. I suspect this may continue being the case since most banks are super sensitive to customer experience and loyalty.”

Is it possible to prove that the customer is to blame for fraudulent transactions?

“This would seem impossible to prove, particularly with sophisticated ransomware and phishing schemes. Also, it should be noted that customers aren’t equipped to understand their bank’s systems, don’t have access, and are legitimately required to provide their identity for transactions to occur. This legislation puts an unfair burden on the customer to understand security interfaces he can’t be expected to have a reasonable knowledge of. Just as chargebacks are so hard to prove, this approach would add overhead and unnecessary friction to the customer experience. Finally, it seems to divest banks of their responsibility to protect customer accounts, particularly when they have tools at their disposal that have the right layers of protection and identity verification that prevent most of the fraud they face.”

What is considered ‘substandard online security’?

“What would be considered the minimum? Banks need, at a minimum, several layers of security. The active biometric addition to their toolset is visual, cool, and it gives consumers a sense of security they can see. Layers of behavioural biometrics are invisible to the customer, but act as a key requirement for accurate verification of the real human behind the device. It’s notable that any security layers that rely on static data, such as active biometrics (fingerprints etc.), are all spoofable and can be mimicked. For this reason, it’s absolutely necessary to look at a holistic approach to protection. Device, geo, behaviour and passive biometrics. Anything else is substandard.”

What would you recommend customers do to better protect themselves?  

“Besides the age old statement of saying to change your password regularly and to check your statements often, the answer is that there really isn’t a whole lot more an individual consumer can do to protect themselves. This game needs to be addressed by the whole ecosystem. I don’t see that our data is going to become less valuable to fraudsters any time soon; in fact the opposite is true. However, merchants with the right tool set can make it easy to protect their genuine good users while still giving them the best experience possible and we see this as the best way merchants can protect their customers and themselves.”

Is there anything more that banks and other financial institutions can do to help consumers and prevent fraud?

“Have the right identity verification and authentication tools in place so they truly know who is behind the device. This will stop the need to bring in the kind of legislation that puts the onus on the consumers who don’t have the right tools, knowledge and access at their disposal that the banks do.” 



17th Info-Security Conference 2016, the largest annual gathering of risk and security practitioners in Hong Kong

The 17th Info-Security Conference 2016, the largest annual gathering of risk and security practitioners in Hong Kong, attracts over 1,000 professionals each year and brings together vendors, C-level practitioners, analysts and forward thinkers to discuss what worked, what did not, and the tactics you can use to reach your business goals without succumbing to your own cyber fears.

This year we will talk about how to ‘Secure a Connected World’. For over 20 years, most organizations have focused on building the “castle wall” by investing in firewalls, next generation firewalls, malware protection and so on. The reality is that regardless of how much we secure our connected world, cyber criminals and attackers will succeed in their attempts to breach our walls. The impact of a cyber attack has far-reaching consequences, including legal, regulatory and operational ones, and the planning required to deal with such complex and dynamic attacks requires a different and efficient mindset. Furthermore, most companies are unable to discover cyber criminals for an average of 200 days!

Join the conference and find the answer! Visit us and register at www.infosecurityproject.com.

Don’t Miss the 17th Info-Security Conference 2016, the largest annual gathering of risk and security practitioners in Hong Kong
Date: Jun 28, 2016
Time: 9 am – 5:30 pm
Venue: Room N201, Hong Kong Convention and Exhibition Centre
Link: http://www.infosecurityproject.com/2016/registration.html



NetClean concur with findings that gaps in sex education are leaving children at risk, online and off.

A recent report by the National Children’s Bureau has called for mandatory status for sex and relationships education (SRE) in all UK schools, following a youth survey which finds child safety is being ‘undermined’ by dramatic variations in what is taught.
The survey of over 2,000 11-25-year-olds shows that many young people are ‘left in the dark’ by gaps in their SRE lessons in school. Courses fail to address key societal issues such as sexual abuse, female genital mutilation and sexual consent.
Additionally, figures reveal that half of those surveyed (50 per cent) do not learn how to get help if they are abused and a similar proportion (53 per cent) of respondents are not taught how to recognise signs of grooming for sexual exploitation. Worryingly, one in three youngsters (34 per cent) receive no guidance on sexual consent.
Calls for change have been led by campaigners from the Sex Education Forum and the Association of Teachers and Lecturers; Dr Mary Bousted says the findings fully support the introduction of ‘mandatory and inclusive’ SRE in schools.
NetClean fully supports this view. If these stats are to be believed, then the call for mandatory status for sex and relationships education in all schools is surely prudent.
Our experience tells us that the volume of child sexual abuse (CSA) crime by far exceeds that which is reported to the police. If children are not aware of what it means to be abused and how to deal with it, how can we expect them to report it and ensure the culprit is stopped? We can’t.
We can, however, trace CSA images and people with a sexual interest in children through technology solutions, but to achieve the best results we need to work together at all levels of society.
We have a collective responsibility to do everything we can to ensure we are actively preventing these crimes from happening. That can start in the classroom, by educating our children on these very real issues.