Data Breach Predictions: 25% of World Population Will Have Data Exposed by 2020

The latest data breach predictions by IDC analysts do not make for pleasant reading. If the data breach predictions turn out to be true, 1.5 billion individuals will be affected by data breaches in the next 5 years.

Companies being targeted by cybercriminals looking to steal consumer data

U.S. companies are being increasingly targeted by foreign cybercriminals. European businesses are similarly suffering more cyberattacks. In fact, companies all over the world are being attacked by criminals looking to gain access to consumer data. It is no longer a question of whether a data breach will be suffered, only of when.

Companies must therefore be prepared. They must implement a host of security defenses to prevent cyberattacks from occurring, and need to make it harder for hackers and other cybercriminals to gain access to sensitive data. Failure to take action and implement multi-layered cybersecurity defenses will see a data breach suffered sooner rather than later. A breach response plan must also be devised to limit the damage caused when an attack is successful.

Data breach predictions for the next 5 years

The number of data breaches being suffered by companies all around the world has grown considerably in recent years, and the situation is unlikely to change. Based on the current levels of attacks, and the volume of data now being stolen by cybercriminals, IDC analysts made some bleak data breach predictions this month.

They expect that by the year 2020, a quarter of the world’s population will have had data exposed as a result of cyberattacks. That’s 1.5 billion individuals!

IDC also predicts that consumers will increasingly take action when their data are exposed. In fact, we are already seeing consumers boycott brands that have suffered major cyberattacks. Many consumers who previously shopped at Target for instance, have switched retailers following the massive data breach suffered in 2013.

In the UK, many consumers are switching broadband and mobile phone providers after TalkTalk was hacked by a group of teenagers this year. In the United States, there has been considerable fallout as a result of the massive data breaches suffered by Anthem Inc. and Premera Blue Cross. Customers have switched their health insurance to companies that they believe will take better care of their health data.

Data Breach predictions for healthcare organizations

Many cybercriminals have switched from targeting retailers for credit card data to healthcare providers and insurers for Social Security numbers and health information. The value of health data is much higher than credit card information. Once a credit card has been stolen, consumers rapidly shut down their accounts. Credit card companies are on the lookout for suspicious activity and block cards quickly. Healthcare data and Social Security numbers on the other hand can be used for months or even years before identity theft and fraud are discovered. Cybercriminals can use healthcare data and SSNs to defraud individuals and obtain tens of thousands of dollars before fraud is even detected.

The value of healthcare data, combined with the relatively poor defenses put in place by many healthcare organizations, has seen cybercriminal activity increase. The volume of healthcare data breaches has grown considerably over the past few years. Those data breaches are unlikely to stop in the foreseeable future. IDC’s healthcare data breach predictions for next year are bleak. Its analysts expect one in three Americans to have their healthcare data stolen in 2016.

113 million healthcare patients had their data exposed in 2015

The company’s data breach predictions are unlikely to be far off the mark. According to figures from the United States Department of Health and Human Services’ Office for Civil Rights, the agency charged with policing healthcare organizations, over 154 million healthcare patients and health insurance subscribers have had their healthcare data exposed since data breach reports were made public in 2009.

Almost 113 million of those healthcare records were exposed this year. That’s 73% of the total number of breach victims created in the last 7 years! If anything, IDC’s healthcare data breach predictions are overly conservative!

Twitter Cyberattack Prompts Warning of Government-Backed Hacking Campaign

A Twitter cyberattack has prompted the social media network to issue warnings to some users of the social media site. It would appear that attackers have attempted to gain access to the accounts of a limited number of individuals, but those attacks do not appear to have resulted in a breach of user data.

Twitter cyberattack prompts warnings to be sent to site users

The warnings appear to have only been sent to certain United States based users of the website. The emails warn users that foreign government-backed hackers are targeting the site and are attempting to steal user data. According to the warnings, user account data is not believed to have been obtained and, if it has, only a small amount of personal data would have been revealed.

Twitter has offered some suggestions to users who have been targeted so that they can take action to reduce their risk: they can access their accounts over the Tor network, or tweet under a pseudonym.

It would appear that the attackers responsible for the Twitter cyberattack are attempting to obtain the phone numbers, email addresses, and IP addresses of the targeted users. It is conceivable that the individuals were targeted to allow the hackers to send out tweets from the users’ accounts.

The warning alerted users to a “small group of attackers” who are targeting the site. If another Twitter cyberattack is attempted, the social media site will send out a warning email to advise the affected party or parties of the attempted attack.

Latest Twitter cyberattack appears not to be random

The Twitter cyberattack appears to have targeted specific users of the website. The individuals and companies that the attackers have targeted are security experts or activists. Coldhak, a not-for-profit company dedicated to improving privacy, security, and freedom of speech, was one of the organizations that the hackers attacked.

Twitter is currently conducting a full investigation into the attempted hacking of Twitter accounts. The warning indicates that the social media microblogging platform is being ultra-cautious and is alerting users as a proactive step to prevent a breach of customer data, as well as reducing the potential damage caused by an attack.

Both Facebook and Google have recently sent out warnings to users of their services alerting them to suspicious account activity. Those warnings alerted users to activity by foreign government-backed hacking groups. It would appear that Twitter is taking a leaf out of their books.

This is not the first Twitter cyberattack of course. In February 2013, Twitter reset the passwords of 250,000 users after hackers compromised accounts and gained user names, passwords, and other sensitive data. In 2010, the social media site was attacked and Japanese users of the site were directed to porn websites when attempting to access their Twitter accounts.

Retail Industry Cybersecurity Risk is Seriously Underestimated

According to the latest cybersecurity report from Osterman Research, retail industry cybersecurity risk is being seriously underestimated. There is false confidence in cybersecurity protections, and the risk of consumer and business data being exposed is considerable.

Assessing retail industry cybersecurity risk

The retail industry cybersecurity risk assessment was conducted on 125 large retailers during the month of November. The report indicates that even though security vulnerabilities have been identified, the retail industry is not taking the necessary steps to deal with those risks.

Many security holes remain unplugged. In particular, risks associated with temporary workers are not being dealt with. Retailers bring in temporary workers at busy times such as the run up to Christmas. However, they introduce a considerable amount of risk when they do so because they are not monitoring the activity of those workers effectively. Many actually believe they are, which is even more worrying.

Temporary workers are often provided with login credentials that are shared instead of each temporary worker being given a separate login. This eases the administrative burden on the IT department: why create hundreds of new logins that will only be required for a short period of time? Simply give those workers low-level privileges and any risk introduced will be minimal. Unfortunately, that is not necessarily the case.

The study showed that 61% of temporary retail floor workers were using shared logins. It is not known whether this is a shortcut taken with the risk understood, or whether retailers are unaware of the dangers the practice involves. Even temporary workers must be given access to some data assets, yet some retailers cannot identify which assets each of those workers is accessing.

Furthermore, it is not only temporary workers that are being allowed to share login credentials. 21% of permanent workers are also sharing their login credentials.
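Shared logins are a problem precisely because the audit trail stops being attributable: one username turning up on several tills at the same time is the signature of a credential being passed around. The check below is an added example (it is not code from the article or from the Osterman report) that runs over a few constructed authentication log lines in a simple `LOGIN`/`LOGOUT` format that is assumed for illustration; a real system would need its own parser, and the flagged accounts would then be candidates for per-user accounts rather than proof of abuse.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not from any real system). Format assumed
# for this example: "<ISO timestamp> LOGIN|LOGOUT user=<name> src=<workstation>".
SAMPLE_LOG = """\
2015-12-07T09:00:05 LOGIN user=jsmith src=POS-01
2015-12-07T09:01:12 LOGIN user=floortemp src=POS-02
2015-12-07T09:03:40 LOGIN user=floortemp src=POS-07
2015-12-07T09:05:02 LOGIN user=floortemp src=POS-11
2015-12-07T12:30:00 LOGOUT user=jsmith src=POS-01
2015-12-07T12:31:10 LOGIN user=jsmith src=POS-03
2015-12-07T13:00:00 LOGOUT user=floortemp src=POS-02
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN|LOGOUT) user=(\S+) src=(\S+)$")


def parse_events(text):
    """Parse log lines into (timestamp, action, user, source) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not auth events
        ts, action, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), action, user, src))
    events.sort(key=lambda e: e[0])
    return events


def hosts_per_user(events):
    """Distinct workstations each account has logged in from (a coarse first cut)."""
    hosts = defaultdict(set)
    for _, action, user, src in events:
        if action == "LOGIN":
            hosts[user].add(src)
    return {user: sorted(h) for user, h in hosts.items()}


def find_concurrent_sessions(events):
    """Flag every LOGIN that happens while the same account still has an open
    session on a different workstation. Returns
    {user: [(iso_timestamp, new_host, [hosts already active]), ...]}."""
    active = defaultdict(set)       # user -> workstations with an open session
    findings = defaultdict(list)
    for ts, action, user, src in events:
        if action == "LOGIN":
            others = sorted(active[user] - {src})
            if others:
                findings[user].append((ts.isoformat(), src, others))
            active[user].add(src)
        else:
            active[user].discard(src)
    return dict(findings)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, hits in find_concurrent_sessions(evs).items():
        for when, host, others in hits:
            print(f"{when} {user}: login on {host} while active on {', '.join(others)}")
```

Sessions that are never logged out will look concurrent forever, so on real data add a session timeout before trusting the result; the point of the check is to find accounts that cannot be tied to one person, not to accuse anyone.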

Retail industry cybersecurity risk is being seriously underestimated

The research indicates that 62% of retailers believe they know everything their permanent workers are doing, and 50% claimed to know what data their temporary workers are accessing. Worryingly, when asked if their IT departments can identify specific systems that individual permanent employees have accessed, 92% said they could. This is clearly not the case in reality.

The study indicated that 70% of retailers gave access to corporate systems to permanent members of retail floor staff. 7% said that permanent workers had accessed systems they were not supposed to and 3% said temporary workers had done the same.

Those figures may actually be much higher, as 14% of respondents didn’t know if their permanent workers had inappropriately accessed data, and 26% couldn’t tell if their temporary workers were accessing data they shouldn’t. Given the potential gains to be made from gaining access to retail networks, criminals may even be tempted to take a holiday job simply to gain access to retail systems.

Security awareness training is also not being provided frequently enough. 60% of respondents only conducted training once or twice a year. If workers are not being kept abreast of the retail industry cybersecurity risk, they will not be able to take action to reduce that risk.

Even with the major data breaches and cyberattacks recently suffered by major U.S. retailers, security vulnerabilities persist. Unfortunately, retail IT professionals appear to believe they are doing a good job. If the measure of how well retail industry cybersecurity risk is being managed is whether or not a retailer has suffered a major data breach, then the industry is in pretty good shape. Unfortunately for the retail industry, if risk is not effectively managed, data breaches are likely to be suffered sooner rather than later.

Cryptowall 4.0 Ransomware Now in Angler Exploit Kit

Just over a month ago, researchers at Heimdal identified Cryptowall 4.0 ransomware, the latest incarnation of the nasty malware first discovered in September 2014. Since then, the malware has been further developed, with the third version discovered in January 2015.

Now, Cryptowall 4.0 ransomware is threatening consumers and businesses alike. The latest version of the malware is even sneakier and more difficult to detect, and its file encryption goes much further. To make matters worse, Cryptowall 4.0 ransomware has been packed into the Angler exploit kit, making it easier for the vicious malware to be downloaded to devices.

The Angler exploit kit takes advantage of vulnerabilities in browsers, making drive-by downloads possible. Any organization that has not installed the latest browser and plugin updates is at risk of having its files encrypted.

Cryptowall 4.0 ransomware – The malware keeps on evolving to evade detection

Last month, the Cyber Threat Alliance released new figures on the cost of Cryptowall infections. The criminals behind the malware have so far managed to extort $325 million from victims around the world. The latest version of the ransomware will see that extortion continue. The bad news is that the latest version is likely to result in a much higher rate of infection. The money being ‘requested’ has also increased. Victims are no longer being asked for $300 to unlock their files. They are being urged to pay out $700 to unlock their files and keep their systems protected.

Victims are given less choice with the latest version of the malware. Not only are their files encrypted; to make it harder for victims to restore encrypted files from backups, the latest version also encrypts filenames. The aim is to confuse victims even more. It is, after all, hard to restore files if you don’t know which files need to be restored.

Angler exploit kit used to infect computers with Cryptowall 4.0 ransomware

The Angler exploit kit is particularly nasty. First of all, it is not only Cryptowall 4.0 ransomware that will be installed. Visitors to malicious websites will have a host of malware installed on their computers. The network security threat is therefore considerable.

First of all, victims have to deal with Pony. Pony is installed and gallops around gathering information. It will steal login credentials and transmit the data back to the hacker’s command and control center. Attackers are looking for more than just a $700 ransom. What they are really after is access to content management systems and web servers.

A redirect will result in Angler being dropped, which will identify security vulnerabilities that can be exploited. Angler can incorporate new zero-day vulnerabilities and has been designed to be particularly difficult to detect. Angler will then install Cryptowall 4.0 ransomware.

Greater need to install a powerful web filter to prevent infection

Unfortunately, the use of the Angler exploit kit means end users do not need to download and install Cryptowall 4.0 ransomware manually – or open a malicious email attachment. Drive-by downloads will install the malware automatically if the user visits a website infected with malicious code.

Organizations can spread the news of the latest incarnation of Cryptowall to the workforce, and issue instructions to end users to instruct them to take greater care. However, since casual Internet surfing could result in computers being infected, greater protection is required.

Some end users will take risks and will ignore instructions. It is therefore a wise move to install software solutions to minimize the risk of infection by drive-by downloads. The cost of doing so will be much lower than the cost of dealing with multiple Cryptowall 4.0 ransomware infections.

WebTitan web filtering solutions are an ideal choice. They offer system administrators a host of powerful controls to prevent end users from visiting malicious websites and unwittingly infecting computers and networks. The software offers highly granular controls, allowing individuals or groups to have Internet access controlled. Protection against malware can be vastly improved without impacting critical business processes. WebTitan allows sys admins to block web adverts from being displayed, limit access to social media networks and certain website types, as well as sites known to contain malware and malicious code.

The inclusion of Cryptowall in the Angler exploit kit makes the installation of a web filtering solution less of an option and more of a necessity.

Essential security controls to reduce the risk of a Cryptowall 4.0 infection:

Conduct regular backups of your data – If you are infected, you must be able to restore all your files or you will have to pay the ransom.

Never store usernames and passwords on a computer – These can be read and transmitted to hackers.

Do not open unfamiliar email attachments – Even if an attachment looks safe, unless you are 100% sure of its authenticity, do not download or open it.

Install a spam filtering solution – make sure all email spam is quarantined and not opened.

Keep anti-virus solutions up to date – Virus definitions must be 100% up to date. Ensure that an AV solution is used that will detect Cryptowall 4.0 ransomware.

Install patches as soon as they are released – Your system must be kept up to date. It will be scanned for vulnerabilities that can be exploited.
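The first control on the list only pays off if a backup can actually be restored, and with Cryptowall 4.0 also scrambling filenames, a restore has to be verified by file content rather than by name. The script below is an added example, not part of the article or of any vendor product: it tars a directory, writes a SHA-256 manifest beside the archive, and later restores into a scratch directory and checks every file against that manifest. The directory layout and the file contents in `demo()` are constructed for the example.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, archive_path):
    """Archive source_dir and return a manifest {relative path: sha256}.
    The manifest is written next to the archive so a restore can be checked by
    content even if the live copies have since been encrypted or renamed."""
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    Path(str(archive_path) + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive_path):
    """Do a real test restore into a temporary directory and compare every file
    with the manifest. Returns (ok, list_of_problems)."""
    manifest = json.loads(Path(str(archive_path) + ".manifest.json").read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")   # safe extraction on newer Pythons
            except TypeError:
                tar.extractall(scratch)                  # older Pythons lack the filter argument
        for rel, digest in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"hash mismatch: {rel}")
    return (not problems, problems)


def demo():
    """Constructed end-to-end run: back up a small tree and verify it, then show
    that the manifest catches an archive whose content no longer matches."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2015-11.csv").write_text("id,amount\n1,19.99\n")
        (src / "notes.txt").write_text("quarterly figures\n")
        archive = Path(work) / "backup.tar.gz"
        create_backup(src, archive)
        good = verify_restore(archive)

        # Simulate a file that was altered (e.g. encrypted) before a later re-archive,
        # then check that archive against the manifest from the original backup.
        (src / "notes.txt").write_bytes(b"\x8f\x1a\x00not the original content")
        manifest_path = Path(str(archive) + ".manifest.json")
        original_manifest = manifest_path.read_text()
        create_backup(src, archive)             # overwrites archive and manifest
        manifest_path.write_text(original_manifest)
        bad = verify_restore(archive)
    return good, bad


if __name__ == "__main__":
    print(demo())   # ((True, []), (False, ['hash mismatch: notes.txt']))
```

Run the verification on a copy of the backup that lives somewhere the production hosts cannot write to; a backup that the infected machine can reach is one the ransomware can encrypt as well, and no manifest will help with that.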

Cost of Phishing Attacks Highlighted by Target Data Breach Settlement

The true cost of phishing attacks is difficult to calculate accurately, but the recent Target data breach settlement gives an indication of just how costly phishing attacks can be. The U.S. retailer has recently agreed to pay $39.4 million to resolve class-action claims made by banks and credit unions to recover the costs incurred as a result of the 2013 Target data breach.

The claims were made to try to recover some of the cost of re-issuing credit and debit cards to the 40 million or so customers that had their data stolen by hackers. The banks were also required to issue refunds to customers whose credit or debit cards had been fraudulently used after the 2013 Target data breach.

The Target hack was financially motivated. The perpetrators of the crime sold data or fraudulently used credit card information and the personal details of customers. Approximately 110 million customers of Target may have suffered financial losses or had their identities stolen as a result of the 2013 Target data breach.

The settlement will see Mastercard retailers paid $19.11 million, while $20.25 million will be paid to credit unions and banks. This is not the only Target data breach settlement reached this year. The retailer agreed to pay Visa card issuers $67 million in the summer, bringing the total card issuer settlement to $106.4 million, more than the $100 million paid to Visa and Mastercard issuers by Heartland Payment Systems Inc. Heartland suffered a massive data breach in 2008 that exposed more than 100 million credit card numbers. The company had to pay out around $140 million in total to resolve the breach.

The True Cost of Phishing Attacks

The settlement could have been considerably higher. Target’s figures suggest that approximately 40 million credit card numbers were stolen by hackers in 2013. The settlement is therefore lower than $1 per credit card number exposed.

In addition to paying $10 million to customers, Target also had to cover the cost of implementing a swathe of additional security measures after the cyberattack to prevent similar attacks from being suffered. One of the most expensive measures was the introduction of microchip-enabled card readers in its nationwide stores.

Then there was the damage to the company’s reputation. Many consumers have stopped using Target and have switched to other retailers. The total cost of the 2013 data breach may not be known for some months or years.

The 2013 Target data breach started with employees responding to phishing emails. Those employees did not even work for Target, at least not directly. The individuals who fell for the phishing scam worked for a contractor: an HVAC company used by the retailer.

Small to Medium Sized Businesses Face a High Risk of Phishing Attacks

Heating, ventilation, and air conditioning subcontractor, Fazio Mechanical Services, was the company hackers used to gain access to Target’s network. Login credentials were stolen from the company that allowed the attackers an easy route into Target’s network.

Organizations often give limited network access to subcontractors to allow them to remotely access IT systems, either to perform maintenance, firmware or software upgrades, monitor performance, or check energy consumption and tweak systems.

If hackers can break through the defenses of the smaller companies, they can steal login credentials that will allow them to gain a foothold that can be used to attack the systems that subcontractors remote into. That is where the big prize is: a database containing hundreds of thousands – or even millions – of confidential records.

Don’t Cover the Cost of Phishing Attacks: Pay for Anti-Phishing Solutions!

Regardless of the size of your organization, it is essential to put protections in place to make it as hard as possible for hackers to penetrate defenses. Phishing is one of the most common techniques used to steal login credentials, so controls must be put in place to limit phishing risk.

Anti-phishing measures include anti-spam solutions that block phishing emails from being delivered to inboxes. If malicious attachments are identified and quarantined, less reliance is placed on staff to spot phishing campaigns. Not all attacks come via email. Malicious websites may be visited by employees and malware can be downloaded. Implementing a web filtering solution will help employers to manage phishing risk and prevent these websites from being visited by the staff. Malicious adverts can also be prevented from being displayed to employees. They are increasingly being used by hackers to direct people to phishing sites.

The cost of phishing attacks is considerable, but those attacks can often be blocked. It is much more cost-effective to implement anti-phishing solutions than to cover the cost of phishing attacks when they do occur; and occur they will.

Point of Sale Malware Threatens U.S. Retailers

Point of sale malware is not new. Cybercriminals have been using point of sale malware to steal credit card numbers from consumers for many years. Unfortunately for retailers, the threat of POS malware is growing. Highly sophisticated malware is being developed and used to obtain a wealth of information from retailers about their customers. That information is being used to commit identity theft and fraud. POS malware is also being used to obtain corporate data.

Point of Sale Malware – The biggest data security threat for retailers

Retailers are at risk of having point of sale malware installed throughout the year, but in the run up to Christmas the threat is greatest. It is the busiest time of year for shopping, and hackers and other cybercriminals step up their efforts to get their malware installed. Hackers are hoping for another big payoff before the year is out, and they are likely to get it.

Over the Thanksgiving weekend, some of the most sophisticated malware ever seen was discovered. In some cases, the point of sale malware had been blocked. Many retailers were not so lucky. Unfortunately, identifying malware once it has been installed can be incredibly difficult, especially with the latest ModPOS malware. It is already responsible for providing millions of credit card numbers to hackers, and has caused millions of dollars of damage. The full extent of the infection is not yet known due to the stealthy nature of this new malware.

ModPOS – The most worrying point of sale malware to be seen to date

The new malware has been named ModPOS – short for Modular Point of Sale malware – and it is particularly dangerous, stealthy, and fiendishly difficult to identify once installed. Security experts have been surprised at the level of sophistication. An incredible amount of skill was required to produce malware as complex as ModPOS. It shows the lengths criminals will go to in order to obtain data and avoid detection.

The malware has been developed to make it exceptionally difficult to identify, and it has clearly been designed with persistence in mind. Once installed, it can perform a wide range of functions; not only serving as a keylogger and card reader, but also a tool for network reconnaissance. It is not just large U.S. retailers that will be affected. This point of sale malware may be used to infect multiple targets. If protections are not put in place to prevent infection, the potential for damage is considerable.

Security analysts first saw elements of this POS malware three years ago, but it has been subsequently developed further. It is difficult to even estimate the extent of infection due to the nature of the malware. The level of obfuscation is impressive.

It has taken some of the world’s leading cybersecurity analysts a considerable amount of time to identify this point of sale malware, and even longer to reverse engineer it. It is, to put it simply, the most complex and sophisticated point of sale malware ever discovered. iSight Partners’ senior director Steve Ward has been reported as saying it is “POS malware on steroids.” ModPOS is the result of an extraordinary amount of time, money, and development. Every aspect of the malware has been painstakingly developed to avoid detection. Every kernel driver is effectively a rootkit.

Investment by criminals in this malware is unprecedented but, then again, the rewards for that investment are likely to be as well. If a major retailer is infected, and many will be, every one of their customers’ data could potentially be obtained. The potential gains for investors in the development of this malware are likely to be off the chart.

Highly functional malware that reads cards, steals corporate data, and much more

The malware can act as a keylogger, recording all data entered by employees. It will serve as a card scraper and will read the credit and debit card details of every customer who pays via point of sale systems. The malware simply reads the card details from memory. Even EMV terminals may not offer protection.
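A scraper can only read a card number from memory, or from a debug log, if the number is there in the clear, so a useful defensive check is to scan the places your own POS software writes to (application logs, crash dumps, temp files) for anything that looks like a primary account number. The scanner below is an added example, not code from the article or from iSight: it finds 13 to 19 digit runs, keeps only those that pass the Luhn check, and reports them masked so the report itself does not leak card data. The log lines are constructed for the example and use well-known published test card numbers, not real cards.

```python
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample POS application log (not from any real system).
SAMPLE_LINES = [
    "2015-12-07 09:01:12 pos-07 sale ok order=1234567890123456 auth=A1B2",
    "2015-12-07 09:01:13 pos-07 debug track2 parsed pan=4111 1111 1111 1111 exp=1712",
    "2015-12-07 09:02:40 pos-11 sale declined pan=5555-5555-5555-4444",
    "2015-12-07 09:03:01 pos-02 sale ok token=tok_8f3a9c last4=0005",
]


def luhn_ok(digits):
    """Luhn check digit validation: from the right, double every second digit,
    subtract 9 from results above 9, and the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the digit strings in text that have PAN length and pass Luhn."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan):
    """Keep the first six and last four digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines):
    """Return [(line_number, masked_pan), ...] for every Luhn-valid PAN found."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((n, mask(pan)))
    return findings


if __name__ == "__main__":
    for n, masked in scan_lines(SAMPLE_LINES):
        print(f"line {n}: cleartext PAN {masked}")
```

The order number on the first line has the right length but fails Luhn, so it is not reported, while the debug line shows the kind of finding that matters: a developer trace that writes the parsed track data to disk, which is exactly what a scraper or an attacker with file access would harvest. The regex is deliberately simple (it does not try every sub-window of a longer digit run), so treat a clean result as one check among several rather than as proof that no PAN is ever stored in the clear.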

Data are exfiltrated to hackers’ command and control centers, but it is not even clear what data are being transmitted. The malware encrypts each transmission twice, with 128-bit and 256-bit encryption. As if that wasn’t enough, each customer’s data require a different key to decrypt.

The shell code used is virtually a full program in itself. According to one iSight security expert, the shell code contained approximately 600 different functions. And that is just one piece; the malware contains many such modules. All of the different modules operate in kernel mode, making them exceptionally difficult to identify. Furthermore, the malware is not being sold via darknet marketplaces. It is being kept secret and used by the criminal gang that paid for its development. The gang behind ModPOS has effectively paid for a license to print money.

The methods being used to distribute this point of sale malware are not known, and there is no single fix for the threat. At the present time, there is a high risk of infection, and no single defense mechanism that can be employed to prevent an attack. So far, approximately 80 major retailers have been warned to be on high alert.

Reducing the risk of point of sale malware infections

Since the threat actor is not known, retailers and other organizations should be ultra-cautious and supplement their defenses to prevent attacks from being successful. Additional measures to enhance security include:

Conversion to EMV terminals – If data is not encrypted it can be read by the malware. The memory must also be encrypted, not only stored data.

Protect all systems, not just POS – The malware contains many modules, and its full capabilities are not fully known. It is not just credit card details that are at risk. All corporate data must be protected.

Implement email filtering solutions – The malware may be delivered via spam and bulk email. Infected attachments and phishing links may be used. It is essential that robust anti-spam solutions are implemented to prevent infection.

Web filtering is essential – The executable file responsible for installing the malware must not be downloaded to any device. Blocking known malware websites and potentially malicious website adverts will help to reduce the risk of ModPOS attacks.

Instruct staff to be highly vigilant – Regardless of the software systems used to improve security defenses, employees will always be a weak link. Staff should be trained and warned to be ultra-cautious, and instructed how to spot potentially malicious emails, websites, and phishing campaigns.