Author Archives: Bil

By Deborah Galea, manager, OPSWAT

2014 was dubbed as ‘the year of the data breach’. With many new data breaches dominating the headlines in 2015, including Anthem, the White House, banking attacks, and the latest employee data theft at the US federal government, one can only imagine what the name for 2015 will be: the year of even more data breaches?

According to the Ponemon Institute, 43% of companies experienced a data breach in 2014. Not only is the number of data breaches rising, the number of records stolen per breach is increasing as well as the cost per stolen record. It is apparent that current security measures are not sufficient to protect organisations from data breaches.

The SANS Institute reports that a whopping 95% of all attacks on enterprise networks gained entry through a spear phishing attack. A spear phishing attack is an email targeted at specific individuals that are engineered to look legitimate and fool even tech-savvy users. The email has a malicious attachment or link that when opened installs malware and tries to gain system access.

Clearly, spear phishing attempts are sometimes able to get past traditional spam filters and antivirus engines. No single antivirus engine will be able to block every threat. However, by deploying multi-scanning with multiple antivirus engines, the different detection algorithms and heuristics of each engine can be combined, which significantly increases the malware detection rate for known and unknown malware. Other technologies such as data sanitization and file type verification can also prevent threats that may go undetected by antivirus engines.

Below, we have highlighted the top 10 most interesting, remarkable, and troubling facts about data breaches:

Number of stolen records up 78% in 2014

According to the 2014 Breach Level Index by Gemalto, one billion records were compromised in 2014 in more than 1,500 data breaches; a 78% increase compared to 2013.

Cost of data breach rose 23% since 2013

The total cost of a data breach increased 23% since 2013, as reported in the Ponemon Institute’s Annual Cost of Data Breach Study. In 2015 the average cost per lost or stolen record is $154.

Most costly breaches in US and Germany

The Ponemon Institute reports that the most costly breaches are in the US ($217 per record stolen) and Germany ($211 per record stolen).

Healthcare highest cost per stolen record

The cost of stolen healthcare records can be as high as $363, according to the Ponemon Institute. Healthcare records are more valuable than stolen credit card details since credit cards can easily be cancelled, but fraud using a person’s medical records is much more difficult to stop.

Identity theft most common motive

Gemalto’s research shows that the majority of data breaches are now perpetrated for the purpose of identity theft rather than stealing credit card information. In 2014, 54% of data breaches were motivated by identity theft, compared to 20% in 2013. In 2014 only 17% of data breaches were for financial access, down from 50% in 2013.

Malicious outsiders behind majority of attacks

The 2014 Breach Level Index by Gemalto reports that 55% of the data breaches were perpetrated by malicious outsiders, 25% were due to accidental loss, and 15% were committed by malicious insiders.

95% of breaches start with phishing attack

According to Allen Paller, director of research at the SANS Institute, 95% of all attacks on enterprise networks gained entry through a spear phishing attack. A spear phishing attack is an email targeted at specific individuals that is engineered to look legitimate and fool even tech-savvy users. The email either has a malware-laced attachment or a malicious link that when opened installs malware and tries to gain system access.

Traditional spam filters cannot detect spear phishing attacks

Most spam filtering products detect spam by checking black lists and known spam. However spear phishing emails are composed with considerable effort and target only a small number of individuals, therefore staying under the radar of traditional spam filters.

A single anti-virus engine is not enough to protect against all threats

With 450,000 new threats emerging daily, a single anti-virus solution is no longer going to cut it. By scanning email attachments and web content with multiple antimalware engines you are multiplying the chance that known as well as unknown malware is detected, speeding up protection against outbreaks, and protecting against threats designed to exploit vulnerabilities in specific engines.

Question is not if, but when

Data breaches are becoming more prevalent and more sophisticated. Suffering a breach is no longer a question of if but when. It is important that companies start increasing their security defences.

Read more about how to protect against spear phishing attacks and data breaches: https://www.opswat.com/blog/prevent-spear-phishing-attacks-improved-email-security

(2142)

A group of sophisticated Russian-speaking hackers is exploiting commercial satellites to siphon sensitive data from diplomatic and military agencies in the United States and in Europe, as well as to mask their location. The group, which some refer to as Turla, after the name of the malicious software it uses, also has targeted government organisations, embassies and companies in Russia, China and dozens of other countries, as well as research groups and pharmaceutical firms. Security experts have commented as follow;

Ian Pratt, CEO and co-founder, Bromium:

“Whereas ISP’s can trace IP addresses associated with ADSL or cable modem connections to a within a few streets, broadband from geostationary satellites can cover whole continents, with the ISP having limited ability to locate where a particular access modem is — though techniques such as those developed in the search for Malaysia Airlines flight MH370 are potentially able to give rough areas. Hacking groups have frequently used satellite broadband for hosting key components of their infrastructure, but this has typically been done by purchasing a regular subscription under a false identity. Although there was little chance of law enforcement being able to track down the physical location of the satellite modem, once the IP address had been identified as hosting malicious content it would be straightforward for the satellite ISP to block the modem and remove it from the network. An even better covert technique is to effectively clone the access modem of an existing legitimate satellite broadband customer. Due to a lack of cryptographic authentication in most satellite broadband systems this can be done without having physical access to the victim’s modem and can be done just by listening to other traffic and then reprogramming an existing modem. Using a cloned modem makes it harder for the ISP to block the traffic since it would impact a legitimate user, and the miscreants can simply switch to cloning a different legitimate user’s device. Strong authentication of access modems using a key unique to each device is the only way to block this kind of attack, but can only realistically be done for new deployments.”

TK Keanini. chief technology officer (CTO), Lancope:

“If there was any question to the level of game play required in this day and age, here is your wake up call. We in security are always accused of spreading FUD, but this is the reality of the connected world we live in.  Even as an expert, I read news like this and it makes me anxious – and so it should. These are talented well-funded threat actors whose job it is to not make the news; so when one does, consider them the sloppy ones.”

(342)

Bromium has released “Black Hat 2015: State of Security,” a survey of more than 100 information security professionals conducted at the Black Hat Conference 2015. The survey reveals issues with Flash and security patch management, with the majority of respondents citing the endpoint as the source of greatest risk. The report also highlights the risk of cyber attacks on critical infrastructure and an initial positive reception to Windows 10.

“One reason that the endpoint is the source of the greatest security risk is because of how difficult it is to balance security and productivity. For example, 90 percent of organisations would be more secure if they disabled Flash, but 41 percent would become less productive,” said Clinton Karr, senior security strategist, Bromium. “Traditional security solutions have proven ineffective at mitigating this dilemma, putting our critical infrastructure at significant risk.”

Key findings from “Black Hat 2015: State of Security” include:

The Endpoint Is the Source of Greatest Security Risk — The majority of information security professionals cited the endpoint as the source of the greatest security risk (55 percent). The second most common response was insider threats (27 percent). Network (9 percent) and cloud (9 percent) were selected less frequently.

Security Professionals Pan Flash — The overwhelming majority of security professionals believe their organisation would be more secure if it disabled Flash (90 percent); however, 41 percent believe disabling Flash would make their organisation less productive or break critical applications.

Implementing Security Patches Is a Challenge — The majority of organisations implement patches for zero-day vulnerabilities in software, such as Flash and Internet browsers, in the first week (50 percent first week; 10 percent first day); however, 22 percent take more than a month to deploy.

Critical Infrastructure Is at Risk of Cyber Attack — The majority of Black Hat attendees cited financial services (30 percent), energy (17 percent), healthcare (17 percent) and government (12 percent) as the verticals at the most risk of cyber attacks. Interestingly, financial services was also selected as the vertical that has implemented the best security practices (60 percent).

Windows 10 Improves Security, But Not Enough — The majority of information security professionals believe Windows 10 improves security (56 percent), but many (33 percent) believe these improvements are not enough.
 

“Black Hat 2015: State of Security” surveyed 101 information security professionals at Black Hat Conference 2015, in Las Vegas, Nevada, August 5 and 6, 2015.

Download the PDF “Black Hat 2015: State of Security” at http://www.bromium.com/sites/default/files/rpt-black-hat-survey-us-en.pdf.

(331)

A survey of over 200 IT professionals at this year’s InfoSecurity Europe has found that, while almost 80% of organisations have a process for employees to report phishing emails to the IT/security department, most don’t. In fact, over half of those spoken with (52%) estimated employees report less than 25% of dodgy emails. Digging a little deeper revealed only 8% think that more than 75% of suspicious messages are reported.

This surprising statistic comes in the wake of countless recent phishing incidents surfacing in the media, with some incurring personal costs of almost £50,000. The study, conducted by Phish’d by MWR InfoSecurity – a fully managed phishing assessment service designed to maintain a heightened level of security awareness across an organisation, found that organisations are all too aware that email offers a passage into an organisations’  infrastructure with 64% believing it’s the weakest entry point that could result in the compromise of internal systems.

“I’m reassured by the high percentage of organisations that have a reporting process for phishing messages but somewhere along the line something is going wrong as employees simply aren’t using these reporting processes. The sad reality is that, while spam filters and anti-phishing software will prevent some of the nuisance messages landing in people’s inboxes, more targeted phishing messages are purposefully designed to avoid detection and usually get through to the intended recipient, even in companies using the latest technological controls. Ultimately, it comes down to employees to report targeted phishing attacks; so organisations need to ensure their workforce is educated and empowered enough to use the correct reporting process,” explains James Moore, senior security consultant of Phish’d.

James continues “Our experiences tell us that, if a phishing message does manage to coerce the individual into either clicking or downloading a payload, the malware it delivers will almost certainly slip in and then conceal itself. Once on the network, malware can allow an attacker to start spreading out across a network; turning the compromise of one users’ workstation into a much larger issue. Of course, the ideal is for users not to be tricked in the first place but, assuming someone will be fooled, if other colleagues have reported the message the IT team can at least be aware that something may have got in and start tracing other likely points of entry to contain the damage and eradicate the infection.”

Even companies that have effective tools for reporting scam e-mails tend not to train their employees how to spot them, as only 45% of the companies questioned during this survey regularly train their staff to spot friend from foe in their inboxes. Organisations are often quick to assure their clientele that they keep data secure and stringently maintain their defences against cybercriminals – however this survey highlights that even businesses that have plans and processes to prevent phishing being used as an attack vector, the lack of implementation weakens defences.

To find out more about Phish’d, visit https://www.phishd.com/

(292)

News broke just a few short hours ago that mobile phone giant, Carphone Warehouse, has been victim of a data breach where hackers gained access to the bank details of 2.4 million customers. Customers with accounts at OneStopPhoneShope.com, e2save.com and mobiles.co.uk may also be affected.

Commenting on this, Mike Spykerman, VP at OPSWAT, said: 

“The reality is that data breaches are no longer a question of if, but when. At least some of the information at Carphone Warehouse was encrypted, but still a lot of personal data was not. Data breaches often start with a spear phishing attack that evades detection from regular spam filters and single anti-virus engines. By using multiple anti-virus engines, the possibility that a spear phishing attack is detected is considerably higher. To avoid cyber attacks being successful, companies should prepare their defences by deploying several cyber security layers including device monitoring and management, scanning with multiple anti-malware engines, and advanced threat protection.”

Mark Bower, Global Director at HP Security Voltage further stated that:

“It’s a clear signal that contemporary data encryption and tokenization for all sensitive fields, not disk or column level encryption for credit cards, is necessary to thwart advanced attacks that scrape sensitive data from memory, data is use, as well as storage and transmission. Disk encryption protects data at rest, but it’s an all or nothing approach that leaves exploitable gaps: applications needing data have to decrypt it every time. Yet advanced attacks steal data in use and in motion. Another problem is that, while firms may focus on credit card data to meet basic PCI compliance, attackers will steal any sensitive data like account data, contact information and so on as they can repurpose it for theft. There are effective defences to this. Today’s new-breed of encryption and tokenization techniques can render data itself useless to attackers, yet functional to business needs. This technology, such as Format-Preserving Encryption, is proven in leading banks, retailers and payment processors who are constantly bombarded and probed by attackers. By securing customer and card data from capture over the data’s journey through stores, branches, databases and analytic systems, businesses can avoid unnecessary decryption required by older generation disk or database encryption techniques. Data can stay protected in use, at rest, and in motion, and stays secure even if stolen. Modern vetted and peer reviewed data encryption is infeasible to break on any realistic basis. Its a win-win for business, as it can be retrofitted to existing systems without complications and business change. Attackers who steal useless data they can’t monetize quickly move on to other targets.”

(396)

Shahaf Rozanski, Director of Forensic Products at Cellebrite

Cloud data represents a virtual goldmine of potential evidence for forensic investigators. Together with mobile device data, cloud data sources often present critical connections investigators need to solve crimes. However, there are a number of challenges that investigators face when it comes to data retrieval from the cloud.

The overarching challenge is private data in the cloud. Private data in the cloud, as the term suggests, is private user data (i.e. data that the user has actively chosen to refrain from sharing publically) and there is, for good reason, a significant amount of ‘red tape’ that surrounds private user data. But what happens when the user in question is suspected of committing a crime?

To add to this, more and more data is being stored in the cloud as many companies, and indeed individuals, look to virtual methods of data storage, with enhanced flexibility and ease of access. This also correlates with the amount of users now on social media and with 38 million social media users in the UK – a staggering 59 per cent of the population – it is evident that during a criminal case, investigators simply cannot afford to neglect social data that is inevitably stored in the cloud.

Out of the 38 million UK social media users, 30 million of them (79 per cent) are using social media on their mobiles, which further highlights the importance of mobile phones in the retrieval of crucial evidence in criminal investigations.

Investigators need to be able to access this data when it is of paramount importance to a criminal investigation. The problem is that investigators may need to go to the service provider if they don’t have the permissions or capabilities to access the username and password to request this data, which can take time.

If you’re an investigative force requesting private data in the cloud from a company located in the same country as the investigation is taking place then it can take a few weeks to a few months to obtain this data. However, if you’re requesting the data from another country, bearing in mind the investigation is taking place in Europe, when most of the world’s major service providers are based in the US, then it can take up to a year to retrieve the data.

The time that it takes to request data relevant to a particular criminal case is a challenge in the sense that the actual timeline of an investigation is extremely important to the outcome of the case. The retrieval of evidence needs to be executed in the shortest possible time to ensure that nothing is missed in the evidence gathering process, and to ensure that the investigative team doesn’t run out of time when retrieving evidence.

There is also an issue with the records production rate of the cloud service providers due to the limited resources that these companies have to handle the large number of requests from law enforcement. In the UK, during the first half of 2014, Facebook and Google’s response rate was 70 per cent, while Twitter’s response rate was only at 40 per cent.

Another challenge is that of forensic data preservation. It is of vital importance that the case team retrieves and handles all private data sources with the upmost care and consideration. In the case of extracting evidential data from the cloud, investigators should feel confident that the information that was extracted from the cloud service provider is authentic, traceable and thus defensible in court.

However, the problem of accessing private cloud data in a timely manner for criminal investigations can be rectified with the use of mobile forensic technology. When a mobile phone is seized in criminal investigations, law enforcement can use technology such as the UFED Cloud Analyser, to access private-user cloud data by utilising login details that have been extracted from the mobile device of the suspect or victim. This private-user cloud data is extracted under the appropriate legal authority, be it a search warrant, written consent, or other authority as defined by legal counsel in the relevant jurisdiction.

The investigative process when using such technology to retrieve private-user cloud data involves a five step process:

1.     Seize the mobile device and begin a forensic extraction of data

2.     Decode cloud services login information from the extracted forensic copy of the device

3.     Forensically preserve private user data using login information from the mobile device or manually provided credentials

4.     Analyse and report data from different cloud data sources in a unified format

5.     Deliver data to additional relevant law enforcement and justice officials

The analysis and reporting of retrieved data in a unified format is a very significant step in this process. The data that is retrieved has to be understood by a range of investigators and legal personnel, many of who may not be well-versed in mobile forensic data retrieval.

This data may also have to be presented in a courtroom, where a jury might be present that will have to understand and digest the data that is being put in front of them. Again, the data must be in a format that can be understood easily so that people with little or no understanding of mobile data forensics can easily make a decision based on the evidential data that has been displayed to them.

The importance of cloud data in so many areas of everyday life means that law enforcement agencies simply must consider the pool of evidence that is stored in the cloud during criminal investigations. A failure to contemplate this data could easily result in missed opportunities to convict, and during live investigations the consequences could be far worse.

The ever-increasing use of mobile phones to conduct criminal activity in correlation with the vast numbers of social media users worldwide, is a clear indication that criminal investigators must be equipped with the latest technology to timely retrieve cloud data and react to all types of criminal; who use and abuse different channels to exercise their criminal activity.

(451)

On the evening of July 26th, New York Magazine published what some may believe to be a controversial article regarding the alleged sexual assault victims of Bill Cosby. This particular piece included interviews from 35 women who have stepped forward with their allegations against the actor.  A few hours after the article was published online, DDoS attacks rendered the publication’s website unavailable for about a 12 hour time period. 

New York Magazine resorted to social media outlets to share the story in wake of their website inaccessibility.  The magazine is guessing to have lost about 500,000 unique visitors to their site due to the take down.

For those familiar with the world of digital media this is a major blow to traffic, clicks and ultimately online advertiser revenues. 

Also this last month we’ve seen reports that PlannedParenthood.org has also fallen victim to a DDoS attack, stemming from controversial videos published by anti-abortion hactivists. Today, visitors to PlannedParenthood.org are met with a static page with a message that reads: “our site is not available to due a hack by extremists.” Visitors looking for additional information and resources are directed to visit other Planned Parenthood web properties, including their official facebook page as an alternative. 

DDoS attacks are in no way a ‘new’ cyber threat that organizations should be wary of. In fact DDoS has been utilized as an attack tool for a decade or more for a wide range of motivations.  Ramifications of the damage are just as wide ranging as the attacks themselves: 

Revenue loss – Downtime affects the bottom line, directly and indirectly, and in principle, all types of damage could be rolled into this one. Effects vary widely across industries, and among firms within industries. 

Operational/Productivity loss – Network problems impact IT staff directly, and may impact some or all of the non-IT divisions. During full outages, workforce productivity comes to a halt. Troubleshooting, mitigation, and disaster recovery procedures are notoriously resource-intensive.  

Reputation damage – Your brand suffers if customers and business partners cannot access your site, become casualties of a breach, or simply experience diminished function or performance when interacting with your digital properties or online tools and assets. 

(301)

NBC broke the news last night that Russia launched a “sophisticated cyberattack” against the Pentagon’s Joint Staff unclassified email system, which has been shut down and taken offline for nearly two weeks.

Andy Heather, VP EMEA at HP Security Voltage, commented:
 
“Cyber attacks are a real and present danger, whatever the source. The sophistication in advanced malware renders traditional security virtually impotent.
 
Current, traditional security technologies are ineffective, and both businesses and government agencies have to do more to protect sensitive information.These traditional technologies, including access and authorisation, AV and endpoint protection technologies, are not enough to protect information across its entire life-cycle, from the moment it’s created to the moment is consumed and deleted.  These current technologies are not providing the necessary means to actually protect data as the data moves throughout and across an organisation.
 
The only way that companies and government agencies can ensure that any sensitive data is comprehensively protected, is through a data-centric security program. This protects the actual data levels, rather than these traditional security technologies which focus on protecting the perimeter, which has long since failed to exist.
Organisations should be using data encryption as a means to protect their information.  Encryption should be used as a key mechanism within a data-centric approach, but encryption needs to be applied at the data level itself – not only on the database, or disk level, which are again simply point solutions.
 
Public and private sector organisations are leveraging cloud-based services, mobility and big data initiatives to manage, move and analyse sensitive data like never before.  Protecting the data itself through a data-centric strategy is the only way that these organisations can leverage these initiatives in a secure and protected way. 
The ongoing use of only traditional security technologies will simply lead to more data breaches, especially as cyber attacks increase in volume and malware sophistication A data-centric approach including encryption and, tokenization, is the only way for any organisation to secure the data from these continued attacks.”

(340)