What Were the Worst Data Breaches of 2017?

2017 has been a bad year for data breaches, but what were the worst data breaches of 2017? We have compiled a list of the largest and most serious cyberattacks that came to light this year.

The Worst Data Breaches of 2017

Equifax – 143 Million Records

The Equifax data breach was discovered in September and ranks first in our list of the worst data breaches of 2017, not just for the size of the breach, but also due to the nature of the data stolen by the attackers. Equifax reports that the breach impacted as many as 143 million consumers – that’s 44% of the population of the United States.

The data stolen in the attack included highly sensitive information – the types of data cybercriminals seek in order to commit identity theft and fraud. Social Security numbers and driver’s license numbers were stolen along with names, addresses, dates of birth, and credit card numbers. The breach was the result of an unpatched software vulnerability.

Deep Root Analytics – 198 Million Records

The data breach at Deep Root Analytics was massive, involving almost 200 million records. Deep Root Analytics is a marketing firm that was contracted by the Republican National Convention to gather political information on U.S. voters.

The data were stored in an Amazon AWS S3 bucket that could be accessed without the need for a password for two weeks before the lack of protection was discovered. During that time, voter records could be accessed, including names, addresses, dates of birth, and phone numbers.

Uber – 57 Million Records

The Uber data breach may not have been the most severe in terms of the types of data exposed, but it certainly ranks as one of the worst data breaches of 2017, affecting some 57 million riders and drivers.

What really makes this one of the worst breaches of 2017 is the discovery that Uber attempted to keep the breach quiet. Uber paid the attacker $100,000 to keep quiet and not publish the data, which included names, addresses, email addresses, and in some cases, driver’s license numbers. The breach occurred in October 2016, but it was not disclosed for more than a year.

Verizon – 14 Million Records

As with many other data breaches in 2017, this security breach was due to an unsecured Amazon AWS S3 bucket that was controlled by NICE Systems, a partner of Verizon. It is unclear whether Verizon customer data was stolen, but the records of 14 million customers were exposed. Those records included names, PINs, and phone numbers, in the form of logs from Verizon customers who had called its customer service department. Potentially, the information could be used to access customers’ accounts.
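Both the Deep Root Analytics and Verizon exposures above came down to an S3 bucket that anyone on the Internet could read. The following is an added example, not code from the original article or from AWS: a small linter that inspects the two places where an S3 bucket becomes public, the bucket policy (a JSON document) and the bucket ACL, and reports any statement or grant that lets an anonymous principal read or list the bucket. The policy, ACL, bucket name and account ID below are constructed for this example; they are not the real configurations behind either breach. The `AllUsers` group URI is the real AWS identifier for "everyone".

```python
"""Flag S3 bucket policies and ACL grants that allow anonymous access.

Added example (not code from the article): examines bucket-policy JSON and
the grants of a bucket ACL, in the shapes returned by the S3 API, and reports
anything that lets "*" read objects or list the bucket.
"""
import json

# Actions that expose bucket contents when granted to an anonymous principal.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

# URI AWS uses for the "everyone on the Internet" group in ACL grants.
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True if a statement's Principal matches anyone (Principal "*" or AWS "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy_json):
    """Return (Sid, kind) for Allow statements granting anonymous read access.

    A statement with a Condition block is reported as 'conditional' rather than
    'public': a condition such as aws:SourceIp may make it safe, so a human
    must still review it.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        label = stmt.get("Sid", f"statement[{idx}]")
        kind = "conditional" if stmt.get("Condition") else "public"
        findings.append((label, kind))
    return findings


def public_acl_grants(acl):
    """Return the permissions an ACL grants to the anonymous AllUsers group."""
    return sorted(
        grant["Permission"]
        for grant in acl.get("Grants", [])
        if grant.get("Grantee", {}).get("URI") == ALL_USERS_URI
    )


# Constructed sample policy: one world-readable statement, one correctly
# scoped to a single IAM role, one anonymous but limited to an IP range.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "RoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-role"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
})

# Constructed sample ACL in the shape returned by get_bucket_acl, with the
# classic mistake: READ granted to AllUsers.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for sid, kind in public_policy_statements(SAMPLE_POLICY):
        print(f"{kind:12}{sid}")
    print("anonymous ACL grants:", public_acl_grants(SAMPLE_ACL))
```

Run against real buckets, the two functions would take the output of `get_bucket_policy` and `get_bucket_acl`; the point of the example is that a public bucket is visible in a few lines of configuration and can be caught by a routine check long before two weeks have passed.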

Dun & Bradstreet – 33.7 Million Records

The data analytics firm Dun & Bradstreet created a marketing database containing 52 GB of data, including 33.7 million email addresses and contact information. While Dun & Bradstreet maintains its systems were not compromised, one of the companies that the database was sold to certainly was. The database contained the records of millions of employees of major companies including Wal-Mart and CVS Health, as well as the U.S. Postal Service and the Department of Defense.

America’s JobLink – 4.8 Million Records

A misconfigured application was exploited by a hacker to gain access to the records of 4.8 million individuals. The data were maintained by America’s JobLink, a firm that connects employers and job seekers.

The breach was detected in March 2017, although an analysis revealed the code error was introduced in October 2016. The hacker exploited the vulnerability in February and had access to the data for a month.

The breach was particularly bad as it involved names, dates of birth and Social Security numbers, placing the breach victims at a high risk of identity theft and fraud. It is unclear whether the hacker managed to steal all 4.8 million records.

Deloitte – 350+ Records

In the list of the largest data breaches of 2017, the Deloitte breach would come in very close to the bottom; however, in terms of the potential severity of the breach it ranks near the top. An estimated 350 clients were impacted when a hacker gained access to Deloitte’s email server and email conversations between the firm and its clients. Those clients included government departments – including Homeland Security and the Department of Defense – the National Institutes of Health, FIFA, and the U.S. Postal Service.

The breach was discovered this year, although the hackers reportedly had access to its systems for several months. The email server was breached using an admin account, with the breach preventable had two-factor authentication been used.

River City Media – 1.4 Billion Records

A massive illegal spam operation run by River City Media was uncovered this year by security researchers, who discovered more than 1.4 billion records had been left exposed online. An analysis of the data showed there were 393 million unique email addresses in the database, along with names, IP addresses, and real addresses.

The investigation into River City Media revealed the group was sending as many as a billion emails a day while masquerading as a legitimate marketing company. The files were exposed through poor rsync backup practices: the backups ensured a disaster would not result in data loss, but the firm inadvertently left the backed-up data exposed online.

Onliner Spambot – 711 Million Records

Another massive data breach to affect spammers involved the operator of the Onliner spambot, which harvested email addresses to send spam emails. A database of some 711 million email addresses was left exposed online after the server on which the data were stored was left unprotected. It is unknown how many people discovered the database and are now using it to plague those 711 million individuals with even more spam email. The breach was largely limited to email addresses, but in terms of size, it certainly ranks as one of the worst data breaches of 2017.

What Were the Worst Passwords of 2017?

Every December, SplashData publishes a list of terrible passwords, and this year’s list of the worst passwords of 2017 contains the same horrors as years gone by: passwords that would take a hacker next to no time to guess and that, in many cases, could be cracked at the first attempt.

The list of the worst passwords of 2017 is compiled from databases of leaked and stolen passwords that have been published online throughout 2017. This year, SplashData compiled its list from more than 5 million leaked passwords.

The minimum password length on many websites has now been increased to eight characters; however, it is still possible to use six-character passwords in many places. This year, the worst password is six characters long and is the extremely unimaginative 123456, a password so easy to guess that it is barely worth setting at all.

In second place is an eight-character password, which is similarly not worth using at all: password. In third place is 12345678. Those three passwords retained the same positions as last year.

Each year, the same passwords appear on the list, with slight fluctuations in their positions. However, there are some new entries this year. The rebooting of the Star Wars saga has spurred many people to choose Star Wars-related passwords, with starwars featuring in 16th position on the list.

An interesting entry makes it into 25th place: trustno1. Good advice, but even with the addition of a number, it is still a poor password choice. At first glance, number 24 in the list appears reasonable, but qazwsx is simply the first six characters on the left-hand side of the keyboard.

Using the passwords letmein, passw0rd, admin, master, or whatever is equally bad. All of those words make the top 25 in the list of the worst passwords of 2017.

Top 25 Worst Passwords of 2017

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. letmein
  8. 1234567
  9. football
  10. iloveyou
  11. admin
  12. welcome
  13. monkey
  14. login
  15. abc123
  16. starwars
  17. 123123
  18. dragon
  19. passw0rd
  20. master
  21. hello
  22. whatever
  23. qazwsx
  24. trustno1

The list of the worst passwords of 2017 reveals many people are extremely unimaginative when choosing a password to secure their email, social media, and online accounts.

SplashData estimates 3% of people have used the worst password on the list, while 10% have used one of the first 25 passwords to “secure” at least one online account.

Most people know that strings of consecutive numbers are bad, as is any variation of the word password, but switching to a dictionary word or a pop culture reference is just as bad. As Morgan Slain, CEO of SplashData, Inc., explained, “Hackers are using common terms from pop culture and sports to break into accounts online because they know many people are using those easy-to-remember words.”

That means using football (or any other sport) or starwars will not prevent a hacker from gaining access to an account for very long.

What Makes a Bad Password?

Brute force attacks, in which repeated attempts are made to guess a password, do not involve a hacker sitting at a computer typing bad passwords until the correct one is guessed. Those attacks are performed by bots, and it doesn’t take long for a bot to guess a poor password.

Without rate limiting – setting a maximum number of failed attempts before access is temporarily blocked – to slow down the process, the bots can cycle through the list of the worst passwords of 2017 quickly, followed by those used in other years and other dictionary words.

Hackers also know the tricks people use to keep passwords easy to remember while meeting the strong password requirements set by IT departments, such as adding an exclamation mark to the end of an easy-to-remember word or replacing certain letters with their numerical look-alikes: an A with a 4, or an O with a zero, for instance.
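The rate limiting described above is a small amount of code on the server side. The following is an added example, not code from the original article: a per-account throttle that counts failed logins inside a time window and locks the account out for a period once the threshold is reached, so a bot cycling through the worst-passwords list gets a handful of guesses rather than thousands. Time is passed in explicitly (`now`, in seconds) to keep the example deterministic; a real service would pass `time.monotonic()`. The threshold, window and lockout durations are illustrative choices, not a standard, and `verify_password` stands in for whatever salted-hash comparison the real system performs.

```python
"""Failed-login throttling with a temporary lockout (added example)."""
import hmac
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time at which the lockout ends

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        return until is not None and now < until

    def record_failure(self, account, now):
        """Record one failed attempt; return True if it triggered a lockout."""
        recent = self._failures[account]
        while recent and now - recent[0] > self.window:  # forget failures outside the window
            recent.popleft()
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def verify_password(supplied, expected):
    """Constant-time comparison; a real system compares a salted hash, not plaintext."""
    return hmac.compare_digest(supplied.encode(), expected.encode())


def attempt_login(throttle, account, supplied, expected, now):
    """Return 'locked', 'ok' or 'denied'.

    A locked account is not checked at all, so during the lockout a bot learns
    nothing, not even whether one of its guesses happened to be right.
    """
    if throttle.is_locked(account, now):
        return "locked"
    if verify_password(supplied, expected):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "denied"


# Constructed guess list: the head of the 2017 list quoted in the article.
WORST_PASSWORDS_2017 = ["123456", "password", "12345678", "qwerty", "12345",
                        "123456789", "letmein"]


def replay_guesses(guesses, expected, account="alice"):
    """Feed guesses one second apart and return the outcome of each attempt."""
    throttle = LoginThrottle()
    return [attempt_login(throttle, account, guess, expected, now=float(i))
            for i, guess in enumerate(guesses)]


if __name__ == "__main__":
    # Five wrong guesses trigger the lockout; the correct password is then
    # refused too until the lockout expires.
    print(replay_guesses(WORST_PASSWORDS_2017 + ["correct-horse-battery"],
                         "correct-horse-battery"))
```

One design caveat a practitioner would raise: a hard per-account lockout lets anyone who knows a username lock its owner out, so production systems usually combine it with per-source limits, progressively longer delays rather than a fixed block, and alerting on the lockout events themselves, which are a useful detection signal.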

What Makes a Good Password?

A good password should contain upper and lowercase letters, numbers, and special characters, and should preferably be a random string of 10 or more characters. That of course makes passwords very difficult to remember. Writing the password down so you don’t forget it is also a very bad idea, as is reusing passwords on multiple sites and recycling old passwords.

In 2017, NIST revised its advice on choosing passwords, as its research showed that forcing people to use a mix of upper- and lowercase letters and special characters did not always result in strong passwords. Instead, people get around the rules by simply capitalizing the first letter and adding a special character and a number to the end, for instance.

Instead, NIST recommended using a passphrase rather than a password: a phrase that only you would know.

A list of four or five unrelated words would work well. Dogforkliftmonkeyhousecar would be a strong password phrase to use (other than the fact it has now been published online). It would be difficult to crack but easy to remember with a mnemonic.

To keep your accounts secure, make sure you choose strong and complex passwords, ideally long passwords of at least 15 characters. However, remembering the 20 or so unique passwords you are likely to need will still be hard.

The solution is to use a password manager and to secure that account with a strong, hard-to-guess password. Then only one complex password must be remembered.
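The advice in the two sections above (check submitted passwords against known-bad lists after undoing the usual substitution tricks, prefer length over composition rules, and favour multi-word passphrases) can be turned into a concrete check. The following is an added example, not code from the original article, NIST or SplashData. The denylist is the 2017 list quoted on this page; the leet-speak substitution table, the 15-character minimum taken from the text above, and the 7,776-word dictionary size used for the passphrase entropy estimate (the size of a standard Diceware list) are assumptions made for the example.

```python
"""Password checks in the spirit of the advice above (added example)."""
import math

# The 2017 list from the article, lowercased.
DENYLIST = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789", "letmein",
    "1234567", "football", "iloveyou", "admin", "welcome", "monkey", "login",
    "abc123", "starwars", "123123", "dragon", "passw0rd", "master", "hello",
    "whatever", "qazwsx", "trustno1",
}

# Digit/symbol substitutions people use to satisfy complexity rules. The digit
# 1 is tried as both i and l, so both 'he11o' and 'adm1n' normalise correctly.
LEET_TABLES = [
    str.maketrans("01345@$", "oieasas"),
    str.maketrans("01345@$", "oleasas"),
]


def normalize(password):
    """Return the base words a password could be dressing up.

    'P4ssw0rd!' yields 'password'; 'Monkey2017' yields 'monkey'. Casing,
    trailing digits/punctuation and leet substitutions are all undone.
    """
    base = password.lower()
    stripped = base.rstrip("0123456789!?.")
    candidates = set()
    for word in (base, stripped):
        candidates.add(word)
        for table in LEET_TABLES:
            candidates.add(word.translate(table))
    candidates.discard("")
    return candidates


def check_password(password, min_length=15):
    """Return the reasons a password is rejected; an empty list means accepted.

    Length is the only structural rule, following the NIST direction described
    above; there is no demand for a digit or symbol, because those are exactly
    what normalize() strips off again.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    hits = normalize(password) & DENYLIST
    if hits:
        reasons.append("variant of a commonly used password: " + sorted(hits)[0])
    return reasons


def passphrase_entropy_bits(word_count, dictionary_size=7776):
    """Entropy of a passphrase whose words are drawn uniformly from a word list.

    Each word contributes log2(dictionary_size) bits; the estimate only holds
    if the words really are chosen at random, not from a favourite film.
    """
    return word_count * math.log2(dictionary_size)


if __name__ == "__main__":
    for candidate in ["P4ssw0rd!", "Starwars2017!", "trustno1", "Dogforkliftmonkeyhousecar"]:
        print(f"{candidate:28} {check_password(candidate) or 'accepted'}")
    for words in (4, 5):
        print(f"{words}-word passphrase: about {passphrase_entropy_bits(words):.0f} bits")
```

The denylist here is tiny; a real deployment would load the much larger published breach corpora the article mentions, and the normalisation step is what stops `P4ssw0rd!` from sailing past a list that only contains `password`.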

Digimine Malware Turns Infected Devices into Cryptocurrency Miners

Digimine malware is a new threat that was first identified from a campaign in South Korea; however, the attacks have now gone global.

Ransomware is still a popular tool that allows cybercriminals to earn a quick payout, but raised awareness of the threat means more companies are taking precautions. Ransomware defenses are being improved and frequent backups are made to ensure files can be recovered without paying the ransom. Not only is it now much harder to infect systems with ransomware, rapid detection means large-scale attacks on companies are prevented. It’s harder to get a big payday, and the ability to restore files from backups means fewer organizations are paying up.

The surge in popularity of cryptocurrency, and its meteoric rise in value, have presented cybercriminals with another lucrative opportunity. Rather than spread ransomware, they are developing and distributing cryptocurrency miners. By infecting a computer with a cryptocurrency miner, attackers do not need to rely on a victim paying a ransom.

Rather than locking devices and encrypting files, the installed malware starts mining (creating) the cryptocurrency Monero, an alternative to Bitcoin. Mining cryptocurrency is the verification of cryptocurrency transactions for digital exchanges, which involves using computers to solve computationally expensive numeric problems. For verifying transactions, cryptocurrency miners are rewarded with coins, but mining requires a great deal of processing power. To make it profitable, it must be performed on an industrial scale.
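The "numeric problems" mentioned above are proof-of-work puzzles, and the reason scale matters is that the expected effort doubles with every bit of difficulty. The following is an added example, not code from the original article and deliberately not Monero's own algorithm (Monero uses a memory-hard hash; SHA-256 is used here to keep the demonstration short). A toy miner searches for a nonce that makes the hash of `block data + nonce` fall below a target; verifying a solution costs one hash, producing it costs on average `2**difficulty_bits` hashes. The block data string is constructed for the example.

```python
"""Toy proof-of-work showing why mining is a processing-power business (added example)."""
import hashlib


def _hash_int(block_data, nonce):
    """SHA-256 of the block data and nonce, interpreted as a 256-bit integer."""
    digest = hashlib.sha256(f"{block_data}:{nonce}".encode()).digest()
    return int.from_bytes(digest, "big")


def target_for(difficulty_bits):
    """A valid hash must be below this, i.e. start with `difficulty_bits` zero bits."""
    return 1 << (256 - difficulty_bits)


def mine(block_data, difficulty_bits):
    """Search nonces from 0 upward; return (nonce, attempts) for the first solution."""
    target = target_for(difficulty_bits)
    nonce = 0
    while True:
        if _hash_int(block_data, nonce) < target:
            return nonce, nonce + 1
        nonce += 1


def verify(block_data, nonce, difficulty_bits):
    """Checking a claimed solution is a single hash; that asymmetry is the point."""
    return _hash_int(block_data, nonce) < target_for(difficulty_bits)


def expected_attempts(difficulty_bits):
    """Mean number of hashes needed; one more bit of difficulty doubles it."""
    return 2 ** difficulty_bits


if __name__ == "__main__":
    block = "constructed block header"
    for bits in (8, 12, 16):
        nonce, attempts = mine(block, bits)
        assert verify(block, nonce, bits)
        print(f"{bits:2} bits: nonce {nonce:6} found after {attempts:6} hashes "
              f"(expected ~{expected_attempts(bits)})")
```

Running the loop for a few more bits makes the doubling visible on a single machine; a network's real difficulty is chosen so that even a large data centre needs minutes per solution, which is why an operator who cannot buy that hardware is tempted to steal the cycles from hundreds of thousands of infected devices instead. From the defender's side the same arithmetic is the tell: a miner cannot be quiet, because sustained near-100% CPU on an idle workstation is the work itself.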

The processing power of hundreds of thousands of devices would make the operation highly profitable for cybercriminals, a fact that has certainly not been lost on the creators of Digimine malware.

Infection with Digimine malware will see the victim’s device slowed, as its processing power is being taken up mining Monero. However, that is not all. The campaign spreading this malware variant works via Facebook Messenger, and infection can see the victim’s contacts targeted, and could potentially result in the victim’s Facebook account being hijacked.

The Digimine malware campaign is being spread through the desktop version of Facebook Messenger, via Google Chrome rather than the mobile app. Once a victim is infected, if their Facebook account is set to log in automatically, the malware will send links to the victim’s contact list. Clicking those links will result in a download of the malware, the generation of more messages to contacts and more infections, building up an army of hijacked devices for mining Monero.

Infections were first identified in South Korea; however, according to Trend Micro, they have now spread throughout east and south-east Asia, to Vietnam, Thailand and the Philippines, and beyond to Azerbaijan, Ukraine, and Venezuela.

A similar campaign has also been detected by FortiGuard Labs. That campaign is being conducted by the actors behind the ransomware VenusLocker, who have similarly switched to Monero mining malware. That campaign also started in South Korea and is spreading rapidly. Rather than use Facebook Messenger, the VenusLocker gang is using phishing emails.

Phishing emails for this campaign contain infected email attachments that download the miner. One of the emails claims the victim’s credentials have been accidentally exposed in a data breach, with the attachment containing details of the attack and instructions to follow to mitigate risk.

These attacks appear to mark a new trend and as ransomware defenses continue to improve, it is likely that even more gangs will change tactics and switch to cryptocurrency mining.

Q3 Malware Threat Report Shows Malware Threats at an All Time High

A Q3 malware threat report from McAfee charts the continued rise in malware threats throughout the year. Malware variants have now reached an all time high, with the volume of threats having risen each quarter in 2017.

In 2016, there were high levels of malware in Q1, rising slightly in Q2 before tailing off in Q3 and Q4. That trend has not been seen this year. The malware threat report shows Q1 figures were higher than the previous two quarters, with a massive rise in Q2 and a continued increase in Q3. Malware threats rose 10% quarter over quarter, rising to a quarterly total of 57.6 million new samples of malware: the highest quarterly total detected by McAfee. That averages out at a new malware sample detected every quarter of a second!

The ransomware epidemic also got worse in Q3, with new ransomware variants increasing by 36% last quarter, fueled by a sharp increase in Android screen lockers. In total, new mobile malware variants increased by 60% in Q3.

In its Q3 Malware Threat Report, McAfee noted that attackers were continuing to rely on spam email to distribute malware, with the Gamut botnet the most prevalent spamming botnet in Q3, closely followed by the Necurs botnet. The latter was used to spread ransomware variants such as Locky. Mac malware rose by 7% in Q3, and macro malware increased by 8%.

Technologies such as PowerShell are still commonly used to install malware, along with Office macros. New PowerShell malware variants doubled in Q3, 2017, and while new JavaScript malware declined by 26% quarter over quarter, the level of new JavaScript malware is still substantially higher than the level seen in 2016.

Vulnerabilities in software and operating systems were also extensively exploited, even though patches to address those vulnerabilities were released promptly.

McAfee notes that employees and organizations are making it far too easy for attackers. Employees are responding to phishing emails, are visiting malicious links and are opening attachments and enabling the content. Employers are no better. Patches are released, yet they are not being applied promptly, opening the door to attackers. In many cases, patches have still not been applied several months after they have been released.

One of the most commonly exploited vulnerabilities in Q3, 2017 was CVE-2017-0199, which affected WordPad and Microsoft Office. An exploit for the vulnerability was made available through GitHub, making remote code execution attacks easy, provided employees could be convinced to open specially crafted files. Many employees fell for the scam emails.

The McAfee Q3 Malware Threat Report highlighted several continuing malware trends, including the increase in the use of fileless malware. PowerShell malware increased by 119% in Q3 alone.

Q3 saw a new Locky variant released: Lukitus. Lukitus was spread via spam email, with more than 23 million messages delivered in the first 24 hours after its release. That, combined with other new ransomware threats, has contributed to a 44% increase in ransomware samples in the past 12 months.

Q3 also saw the release of a new variant of the Trickbot Trojan, which incorporated the EternalBlue exploit that was also used in the WannaCry and NotPetya attacks.

While no industry is immune to attack, it is the healthcare and public sectors that are taking the brunt of the attacks, accounting for 40% of all reported security incidents in Q3. In the United States, healthcare was the most commonly attacked industry.

The extensive use of spam and phishing emails to spread malware highlights the importance of using an advanced spam filtering solution such as SpamTitan, especially considering how employees are still struggling to identify malicious emails. Blocking these threats and preventing malicious messages from being delivered will help organizations prevent costly data breaches.

The high level of infections that occurred as a result of exploited vulnerabilities also shows how important it is to apply patches promptly. McAfee notes that many of the exploited vulnerabilities in Q3 were patched as early as January. If patches are not applied promptly, they will be exploited by cybercriminals to install malware.

The Cost of HIPAA Noncompliance

In this article we explore the cost of HIPAA noncompliance for healthcare organizations, including the financial penalties and data breach costs, and one of the most important technologies to deploy to prevent healthcare data breaches.

The Health Insurance Portability and Accountability Act (HIPAA)

In the United States, healthcare organizations that transmit health information electronically are required to comply with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA was introduced in 1996 with the primary aim of improving healthcare coverage for employees between jobs, although it has since been expanded to include many privacy and security provisions following the introduction of the HIPAA Privacy and Security Rules.

These rules require HIPAA-covered entities – health plans, healthcare providers, healthcare clearinghouses and business associates – to implement a range of safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). Those safeguards include protections for stored PHI and PHI in transit.

HIPAA is not technology specific; if it were, the legislation would need to be frequently updated to include new protections and to remove outdated technologies that are discovered not to be as secure as was initially thought. Instead, HIPAA leaves the choice of technologies to the discretion of each covered entity.

In order to determine what technologies are required to keep PHI secure, covered entities must first conduct a risk analysis: A comprehensive, organization-wide analysis of all risks to the confidentiality, integrity, and availability of PHI. All risks identified must be managed and reduced to an appropriate and acceptable level.

The risk analysis is one of the most common areas where healthcare organizations fall afoul of HIPAA Rules. Healthcare organizations have been found not to have included all systems, hardware, and software in the risk analysis, or to have failed to conduct the analysis across the entire organization. Vulnerabilities are missed and gaps remain in security controls. Those gaps allow hackers to take advantage and gain access to computers, servers, and databases.

When vulnerabilities are exploited, and a data breach occurs, HIPAA-covered entities must report the security breach to the Department of Health and Human Services’ Office for Civil Rights (OCR): The main enforcer of HIPAA Rules. OCR investigates data breaches to determine whether they could realistically have been prevented and if HIPAA Rules have been violated.

What is the Cost of HIPAA Noncompliance?

When healthcare organizations are discovered not to have complied with HIPAA Rules, financial penalties are often issued. Fines of up to $1.5 million per violation category (per year that the violation has been allowed to persist) can be issued by OCR. The cost of HIPAA noncompliance can therefore be severe. Multi-million-dollar fines can be, and are, issued.

The cost of HIPAA noncompliance is far more than any financial penalty issued by OCR, or state attorneys general, who are also permitted to issue fines for noncompliance. HIPAA requires covered entities to notify individuals impacted by a data breach. The breach notification costs can be considerable if the breach has impacted hundreds of thousands of patients. Each patient will need to be notified by mail. If Social Security numbers or other highly sensitive information is exposed, identity theft protection services should be offered to all breach victims.

Forensic investigations must be conducted to determine how access to data was gained, and to establish whether all malware and backdoors have been removed. Security must then be enhanced to prevent similar breaches from occurring in the future.

A data breach often sees multiple lawsuits filed by the victims, who seek damages for the exposure of their information. Data breaches have a major negative impact on brand image and increase patient churn rate. Patients often switch providers after their sensitive information is stolen.

According to the Ponemon Institute, a data breach of fewer than 50,000 records costs an average of $4.5 million to resolve, and the average organizational cost of a data breach is $7.35 million.

The 78.8 million-record breach experienced by Anthem Inc. in 2015 is expected to have cost the insurer upwards of $200 million. That figure does not include lost brand value and reputation damage, nor any HIPAA fine from OCR.

A summary of the cost of HIPAA noncompliance, including recent fines issued by attorneys general and OCR has been detailed in the infographic below.


The Importance of Protecting Email Accounts

There are many ways that unauthorized individuals can gain access to protected health information – via remote desktop applications, by exploiting vulnerabilities that have not been patched, accessing databases that have been left exposed on the Internet, or when devices containing unencrypted PHI are stolen. However, the biggest single threat to healthcare data comes from phishing.

Research from PhishMe indicates more than 90% of data breaches start with a phishing email, and a recent HIMSS Analytics survey confirmed that phishing is the biggest threat, with email ranked as the most likely source of a healthcare data breach.

Protecting email accounts is therefore an essential part of HIPAA compliance. OCR has already fined healthcare organizations for data breaches that have resulted from phishing emails.

Healthcare organizations should implement a solution that blocks malicious emails and scans for malware and ransomware. In addition to technology, employees must also be trained how to identify malicious emails and taught to be more security aware.

How TitanHQ Can Help with HIPAA Compliance

TitanHQ developed SpamTitan to keep inboxes secure and prevent email spam, phishing messages, and malware from being delivered to inboxes. SpamTitan blocks more than 99.9% of spam email, and dual anti-virus engines ensure emails with malicious attachments are identified and quarantined. With SpamTitan, your organization’s email accounts will be protected – an essential part of HIPAA compliance.

WebTitan complements SpamTitan and offers an additional layer of protection. WebTitan is a web filtering solution that allows you to carefully control the websites that your employees visit. WebTitan will prevent employees from visiting malicious websites via emailed hyperlinks, general web browsing, malvertising or redirects, protecting your organization from web-based attacks, drive-by downloads of ransomware and malware, and exploit kit attacks.

For more information on TitanHQ’s cybersecurity solutions for healthcare, contact the TitanHQ team today.