Tenable Network Security Survey Shows IT Security Professionals in Europe Struggle to Measure Return on Security Spend

A survey conducted during Infosecurity Europe 2016 by Tenable Network Security, Inc., a global leader transforming security technology for the business needs of tomorrow, has found that the majority of IT security professionals can only measure the return on less than 25 percent of their security spend.

“It’s undisputed that security is one of the top priorities for organizations across the globe,” said Gavin Millard, EMEA technical director, Tenable Network Security. “However, our research revealed that many organizations struggle to accurately measure the return on IT investment and have little confidence that the money is being used effectively. This lack of accountability creates a gap between the security team and the c-suite, leaving the organization vulnerable.”

Survey data of 250 IT security professionals showed just 17 percent of respondents felt confident that the money being spent on security was being invested properly.

“The security team needs to understand the business needs of the organization, define and map security requirements based on those needs, collect relevant metrics and measure their success,” said Millard. “This is one of the best ways to not only demonstrate the value of IT, but also ensure security across the entire IT environment.”

Tenable recently asked 33 security experts how they communicate security program effectiveness to business executives and the board. To read more about the collected recommendations and best practices, check out the Using Security Metrics to Drive Action ebook. 

For more information about how Tenable enables Chief Information Security Officers (CISOs) and other security professionals to effectively and easily communicate security metrics to the decision-makers and business leaders within their organization, download the Communicating Security Program Effectiveness white paper.

LastPass zero-day vulnerability gives hackers access to your account

A dangerous, previously unknown security vulnerability has been discovered in LastPass which permits attackers to remotely compromise user accounts. LastPass is a password vault which pulls user passwords from a secure area and auto-fills credentials for them.

http://www.zdnet.com/article/lastpass-zero-day-vulnerability-remotely-compromises-user-accounts/

Commenting on the story, Brian Spector, CEO at MIRACL, explains: “Password managers, like LastPass, help users manage the undue burden placed upon them by requiring complex and constantly-changing passwords. But that solution does not fix the problem since it allows all of a user’s passwords to be compromised in one place at one time. The root of password-related problems is on the infrastructure side. Storing authentication credentials in the cloud still makes them vulnerable to server-side attacks. The attack vector for cyber-criminals is not an individual user’s vault that stores passwords, but the entire enterprise database on the provider side that stores all user credentials. Successfully attacked, which happens extremely frequently, the authentication credentials for every single user are vulnerable. All efforts by individuals to protect their passwords are entirely in vain if the service itself becomes a single point of failure.

“But we don’t have to accept the weekly announcements of mass password breaches. Multi-factor authentication with zero-knowledge protocols does not share or send user authentication credentials across the web. Digital enterprises need to remove the threat of passwords completely and restore trust not only in the services they provide, but in the internet itself.”

What more can the government do to tackle cybercrime?

By: Josh Daniels

Cybercrime has been described by experts as a “ticking time bomb” that could soon become a major public issue if the government, police and enterprises do not pull together. Huge volumes of cybercrime are now being reported across the UK every year. The new wave of attacks from sophisticated gangs and lone hackers are particularly devastating for large corporations and SMEs as their very existence is threatened by stolen data, loss of company assets and reputational damage, plus the subsequent loss of consumer confidence. The general public are also often victims of fraud and monetary losses online due to password and other forms of identity theft.

The costs of cybercrime are estimated to be around £26 billion in the UK, and the government has already announced a £650 million programme that aims to protect both the private and public sectors. However, many enterprises are still unaware of the very real dangers they face in cyberspace and are often unwilling to invest in measures to protect themselves. College of Policing Chief Executive Alex Marshall has also admitted that “there is much catching up to be done” in regards to combating the increasing complexity of cyber issues. The government has already announced plans to bolster police numbers to tackle the more than 600,000 offences every month in England and Wales, with a focus on improving training and attracting volunteers with digital skills. However, more needs to be done.

Increase collaboration

A TechUK report has called for much-needed collaboration between the vast range of industries and police to raise the quality of cybercrime reporting, prevention and general standards. It claims that a new lexicon for these attacks would enable more accurate information to be recorded, increase the obligation for industry to report any issues and incidents, and implement safeguards via initiatives such as Cyber Essentials.

Victim support

This culture of collaboration could also be extended to provide better support to cybercrime victims. This would see the tech industry, police, consumer groups and charities such as Victim Support come together to mitigate the potential negative impacts of online attacks. GovNet is currently playing a key role in raising the awareness of cybercrime with its Modernising Justice initiative and is ably supported by the National Cyber Crime Unit.

Improve skills

TechUK claims that a Managed Services Provider (MSP) model would allow police forces to source the specialist skills they require, while developing the College of Policing to accredit providers and establish national standards would improve cybercrime training courses. It has also urged the government to provide more funding so that law enforcement can deal with the ongoing threat. BT Chief Executive of Cybercrime Mark Hughes has admitted that a lack of skilled graduates has hampered the industry’s efforts to react effectively to threats and issues, and has also called for a closer relationship between law enforcement and businesses to “disrupt” criminal organisations.

City of London Police Commissioner Adrian Leppard welcomed the recommendations in the report, saying: “Creating structures that work nationally to facilitate this will be challenging but we should wrestle with these issues as the threats we face are significant. Just as technological innovation helped the public and police win the battle against other crime types it has great potential to assist law enforcement in investigating and designing out cybercrime.”

InfoSecurity Russia announces Industrial Sector Day

VISITOR PROFILE

15% of our visitors* come from the energy & oil and gas sectors. Meet your target customers, show off your products, keep your business moving forward!
Ministry of Energy of the Russian Federation, Russian Railways, Rosneft, Gazprom and many others will participate in InfoSecurity Russia Conference Program and visit the exhibition.

TOPICS TO BE DISCUSSED:

  • Information Security of ACS & critically important facilities
  • Targeted attacks: character, scheme, design and methods of protection
  • Peculiarities of the transition of industrial systems on virtual platforms
  • Industrial Internet of Things and Information Security
  • Security Operation Center
  • Fraud in the industrial sector
  • Modern aspects of information security management in the enterprise

Book a stand to give your solution to these issues!
Contact InfoSecurity Russia Project Coordinator Anna Zabora for further details.

Book a stand: http://www.groteck.com/infosecurity_russia2016/book_now
Contact Anna Zabora: zabora@groteck.ru
InfoSecurity Russia 2016: http://www.groteck.com/infosecurityrussia

5.8 million incidents of cybercrime in the UK last year

The Office for National Statistics has revealed that there were more than 5.8m incidents of cybercrime in the last year, with 3.8m of these incidents attributed to online shopping scams, virus attacks, theft of bank details and other online offences. The figure is much higher than an initial ONS estimate in October last year.

Gerry Carr, commercial director at Ravelin, a UK fraud-detection company, said:

“3.8M card fraud offences reflects the reality we are seeing with our customer base of online businesses. But the cost of this crime is being borne not so much by individuals, although there is huge inconvenience, but by online businesses up and down the country in the form of chargebacks. The only option for these merchants is to take all the precautions they can to ensure transactions are legitimate, while still making for a pleasant online shopping experience for their customers. It’s a tricky balance in a next-day delivery and on-demand world and we can see that many are struggling to do so.”

Hacker steals 1.6 million accounts from Clash of Kings forum

Reports started surfacing saying that a hacker has targeted the official forum of popular mobile game “Clash of Kings,” making off with close to 1.6 million accounts. The hack was carried out on July 14 by a hacker, who wants to remain nameless, and a copy of the leaked database was provided to breach notification site LeakedSource.com, which allows users to search their usernames and email addresses in a wealth of stolen and hacked data. In a sample given to ZDNet, the database contains (among other things) usernames, email addresses, IP addresses (which can often determine the user’s location), device identifiers, as well as Facebook data and access tokens (if the user signed in with their social account). Passwords stored in the database are hashed and salted. LeakedSource has now added the total 1,597,717 stolen records to its systems.

Ryan Wilk, director at NuData Security, offered the following comment:

“This hack illustrates that the software industry, as a whole, needs to stay vigilant because PII data continues to be targeted wherever it may live and that hackers aren’t taking the summer off.

We’ve pointed out time and time again that data breaches don’t occur in a vacuum. Hackers are making a living by selling this data on the Dark Web, they do it because they can pay the bills doing it, and what everyone should be asking themselves is why are folks buying it? Because, that data — your data, my data and everyone’s data, gets bought for pennies, bundled up into bigger packages (identity sets) called “fullz”, and used as fuel. Fuel for a much more lucrative project that is making people even more money, and putting their kids through school. These folks work for Fraud Inc., and they don’t give a hoot about you, your privacy and your accounts. They’ll use your stolen credentials and take them over, apply for loans in your name, grab your refund from the IRS, and order that new Vitamix from your Amazon account without even thinking about it. Once you’ve fixed that, they’ll do it again because they know your mom’s middle name and your hometown high-school. And, most of the time, it goes back to the breach. The infinite feed source.

That’s why behavioural biometrics analysis is so necessary. Using this intelligence, fraud can be stopped at any point where there is an authentication test because the software is so good at determining who’s a real user and who is a fraudster. Companies using these tools have a much more accurate understanding of the user, and a lot more options. Fraudsters logging in with your valid credentials just don’t get through because they don’t behave like you. Period.

Breaches may not be 100% preventable, but it is possible to prevent hackers from being able to use the data they steal in these incidents, effectively making it worthless. At the very least, behavioural biometrics and analysis would prevent fraudsters from taking the Clash of Kings data and leveraging it elsewhere.”

“Trump Yourself” Facebook app – could your privacy be at risk?

Paul Bischoff, security and privacy advocate for Comparitech.com is warning users about a new Facebook app from Hillary Clinton’s presidential campaign that invites users to “Trump Yourself”, as it could have privacy implications for users.

In a blog on the subject, available at https://www.comparitech.com/blog/vpn-privacy/trump-yourself-facebook-app-hands-your-email-over-to-clinton-campaign/, Bischoff states: “The email permission is toggled on by default and, if switched off, won’t allow the game to function. Small print at the bottom of the Trump Yourself page reads, ‘By using Trump Yourself, you’ll be opted in to Hillary for America’s emails.’”

He continues in a comment to press: “Though a Facebook app that collects data on users is nothing new, what is troubling is Hillary for America’s fast and loose privacy policy.

“The policy states that information gathered through social media can be used to “Help connect you with other supporters, and to solicit volunteers, donations and support for HFA and for candidates, issues and organizations that we support.” If a user submits to the terms of Trump Yourself, they can also be targeted with advertisements.

“The policy goes on to say HFA’s data can be used to “Personalize and improve the Sites and provide advertisements, content or features that match user profiles or interests or that are based on the information you provide or the actions you take.”

“To make matters worse, HFA seems to have no qualms with sharing users’ data with third parties, according to the privacy policy. This could mean someone who decided to play Trump Yourself one time is added to a voter database shared with consultants, vendors, other candidates, political groups, and more.”

PerimeterX Security Researchers Discover Widespread Affiliate Marketing Fraud Attack

PerimeterX researchers have discovered a widespread affiliate marketing fraud attack. A centrally controlled botnet is targeting thousands of websites, infecting millions of users. The attack uses malicious browser extensions to collect unearned affiliate and referral fees against all of an affected user’s browsing and buying activity. Some of those extensions have half a million installs each. Researchers found sites paying thousands of dollars to fictitious affiliates due to this attack.

This specific browser extension performs targeted affiliate fraud by falsely associating all of the user’s activities and eventual purchases on a website to an affiliate that never actually referred the user. These malicious browser extensions appear legitimate at first glance. They are highly rated in their browser’s “extension stores” and in many cases perform real functions (either by duplicating some legitimate extension or by actually providing such a capability).

Running quietly in the background, this extension watches every site with which the user interacts, checks a database of thousands of sites to see if the currently viewed site is being targeted, and then applies a method of fraudulently associating a referral ID to the user’s session that is accepted by the site. In this way, money is drained from the affiliate program budget for each of the targeted websites, and the analytics of the effectiveness of the marketing spend are skewed, losing track of the actual contributors.

Please find the full details at: https://blog.perimeterx.com/hijacking-users-affiliate-fraud/
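One way a merchant can look for the attribution pattern just described on its own access logs, as an added example that is not PerimeterX's code: a referral ID that first appears mid-session, with a Referer on the merchant's own host, was attached while the user was already browsing rather than arriving through an inbound affiliate click. The log format, session ids, hostnames and affiliate ids are all constructed.

```python
"""Added example (not PerimeterX's code): a log-side heuristic for injected
affiliate attribution.  Log format, session ids, hostnames and affiliate
ids are constructed for the demonstration."""
import re
from collections import defaultdict
from urllib.parse import urlparse

OWN_HOST = "shop.test"  # constructed: the merchant's own hostname

# Constructed access-log extract: session id, request path, Referer ("-" if none).
SAMPLE_LOG = """\
s1 /product/42 -
s1 /product/42?ref=aff777 https://shop.test/product/42
s1 /checkout https://shop.test/product/42?ref=aff777
s2 /landing?ref=aff123 https://deals.test/best-prices
s2 /checkout https://shop.test/landing?ref=aff123
"""

LINE_RE = re.compile(r"^(?P<session>\S+) (?P<path>\S+) (?P<referer>\S+)$")
REF_RE = re.compile(r"[?&]ref=([A-Za-z0-9]+)")


def parse_log(text):
    """Turn log lines into dicts; the affiliate id is pulled from the query string."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ref = REF_RE.search(m["path"])
        events.append({"session": m["session"], "path": m["path"],
                       "referer": m["referer"], "ref": ref.group(1) if ref else None})
    return events


def suspicious_attributions(events):
    """Return {referral_id: session} for tags whose first appearance is not the
    session's first request and carries a Referer on our own host: the user was
    already on the site when the tag was attached.  A genuine affiliate click
    lands with the tag on the first request and an external Referer."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    flagged = {}
    for sid, evs in by_session.items():
        seen = set()
        for i, e in enumerate(evs):
            ref = e["ref"]
            if ref is None or ref in seen:
                continue
            seen.add(ref)
            if i > 0 and urlparse(e["referer"]).hostname == OWN_HOST:
                flagged[ref] = sid
    return flagged


if __name__ == "__main__":
    print(suspicious_attributions(parse_log(SAMPLE_LOG)))  # {'aff777': 's1'}
```

The heuristic only flags a session for review; reconciling flagged referral IDs against affiliate payouts is where the "fictitious affiliates" mentioned above would show up.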

KickAss Torrents kicked into touch by Law Enforcement. Alleged mastermind faces extradition to US from Poland.

Artem Vaulin, the alleged mastermind behind KickAss Torrents, was arrested in Poland earlier this week and it now appears that the site may have been shut down for good with US authorities seizing the KickAss domain. Commenting below on this news is Lee Munson, Security Researcher for Comparitech.com.

“Torrents, as we all know, are hugely popular for their ability to allow quick and easy peer-to-peer downloading of large Linux distros, but a few mischievous people have subverted that original intent to distribute copyrighted material, including movies, games and music. 

One such person is Artem Vaulin, the mastermind behind KickAss Torrents who now faces extradition from Poland to the US in return for accumulating a significant amount of ill-gotten gains through his site. 

I’m sure all affected copyright owners and legal representatives will say that this is a victory for the authorities, though one person and one site constitute a mere drop in the ocean of torrented material found across the internet today.

As any movie buff with an aversion to paying for their content will tell you, newsgroups are the best way to find the latest releases and many offer the tools required to stay anonymous too, even if a VPN isn’t already being used. 

That said, high profile cases do have their advantages – casual copyright infringers may be put off by this news – and other criminals may think twice before starting their own, overly visible service. 

The demise of KickAss Torrents will likely also silence those who claim such a closure affects freedom of speech. After all, if you associate with such a site in the first place, chances are the only topic of conversation on your mind will be that of copyright theft, something best left unsaid when the lawyers are circling.”

Flaws that could be exploited by hackers have been uncovered in the Common Gateway Interface (CGI)

New flaws that could be exploited by hackers have been uncovered in the Common Gateway Interface (CGI) widely used by websites. According to the site https://httpoxy.org/, the httpoxy set of vulnerabilities affects application code running in CGI, or CGI-like environments, including PHP, Go, Python and others.

According to Christopher Fearon, director of security research at Black Duck Software, which helps organisations to identify, secure and manage open source software in the enterprise:

“It’s extremely likely that these flaws will lead to attacks since the flaw is easy to exploit. But mitigation is quick to perform, although many separate pieces of open source software are affected and must be patched separately.”

“Simply block or remove the ‘Proxy’ request headers as early as possible, preferably on the application firewall or directly on the webserver. All external requests from any webserver should be locked down and monitored. Outward access should be granted on a whitelist basis. The good news is that vendors (such as lighttpd) are already implementing updates.”

He continued: “Sites running over HTTPS are not vulnerable, which is yet another reason why all sites should implement HTTPS.”
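Why the ‘Proxy’ header matters under CGI, and one way to apply the mitigation quoted above at the application layer, as an added example that is not from the article or from Black Duck Software: CGI servers expose each request header as an HTTP_<NAME> meta-variable (RFC 3875), so a client-sent ‘Proxy’ header becomes HTTP_PROXY, the same name many HTTP client libraries read as their outbound proxy setting. The WSGI app, hostnames and header values are constructed.

```python
"""Added example (not from the article or Black Duck Software): the CGI
header-to-variable mapping behind httpoxy, and a WSGI middleware that
removes HTTP_PROXY before application code can trust it.  App, hostnames
and values are constructed."""


def cgi_meta_variables(headers):
    """Mimic the CGI rule: header name upper-cased, '-' -> '_', 'HTTP_' prefix."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def strip_proxy_header(environ):
    """Return (copy of environ without HTTP_PROXY, whether it was present).
    Dropping the variable before any application or library code runs is the
    'remove the Proxy request header as early as possible' mitigation; doing
    it on the web server or WAF is better still, this is a last line of defence."""
    clean = dict(environ)
    present = clean.pop("HTTP_PROXY", None) is not None
    return clean, present


class HttpoxyGuard:
    """WSGI middleware that removes HTTP_PROXY from the environ for any app.
    (WSGI carries the CGI variables in a dict; under real CGI the same value
    sits in os.environ, where proxy-aware HTTP clients pick it up.)"""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        clean, _ = strip_proxy_header(environ)
        return self.app(clean, start_response)


def naive_app(environ, start_response):
    """Constructed WSGI app standing in for code that trusts HTTP_PROXY as
    its outbound proxy; it echoes the proxy it would have used."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get("HTTP_PROXY", "<no proxy>").encode()]


def serve(app, headers):
    """Build a CGI-style environ from request headers, run app, return body."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    environ.update(cgi_meta_variables(headers))
    return b"".join(app(environ, lambda status, hdrs: None)).decode()


if __name__ == "__main__":
    # Constructed request carrying a client-supplied Proxy header.
    req = {"Host": "app.test", "Proxy": "proxy.untrusted.test:8080"}
    print(serve(naive_app, req))                # proxy.untrusted.test:8080
    print(serve(HttpoxyGuard(naive_app), req))  # <no proxy>
```

A quick check on a deployed CGI script is whether `HTTP_PROXY` is present in its environment for a request that carries a `Proxy` header; if it is, the header is reaching the application and should be dropped upstream as the quote recommends.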
