Wednesday, October 29, 2014

Data breaches jump in California and are expected to keep climbing

18.5 million people in California had their data stolen last year, more than a 600% jump from 2012
'Data breaches are going to continue and will probably get worse with the short term,' security expert says
Hacking victims should keep an eye on their accounts long after the data theft occurs, Consumers Union says
Data breaches soared last year in California as cybercriminals leaped over digital security gates to endanger the personal data of millions of consumers, California Atty. Gen. Kamala Harris said.
Harris, in a report released Tuesday, highlighted the effect that headline-producing data breaches had on the Golden State: two massive hacks last year at Target Corp. and daily deals website LivingSocial each hit roughly 7.5 million Californians.
In all, 18.5 million people in the state had their data stolen last year, a more than 600% jump from 2012. The number of breaches reported to Harris' office climbed 28% to 167, and is expected to rise again in 2014.
"Data breaches … threaten the privacy, the security and the economic well-being of consumers and businesses," Harris said at a news conference in Los Angeles.
California residents aren't any more prone to data hijacking than others, but an unusual state law requires businesses and state agencies to notify customers of any breach involving more than 500 accounts. That law resulted in the California Data Breach Report, which underscored the difficulties faced by companies who are constantly racing against wily thieves to secure sensitive information.
The parade of companies that has been targeted recently by hackers includes Home Depot, Michaels, Neiman Marcus and P.F. Chang's.
Security experts predict that the number of breaches, especially on a big scale, will keep growing.
"The data breaches are going to continue and will probably get worse with the short term," said Jim Penrose, former chief of the Operational Discovery Center at the National Security Agency.
Penrose, now executive vice president at the cybersecurity start-up Darktrace, said hackers have to steal a large amount of payment card data to make their efforts worthwhile. Often, only about 3% to 7% of cards can be used before the breach is discovered and the cards are canceled, he said.
Another vulnerable sector is the healthcare industry. Stealing medical records can be more "insidious" than stealing other data because they can be used for identity theft and fraud over a longer stretch of time, Penrose said.
The attorney general laid out steps in the report that companies and consumers can take to reduce their vulnerability.
Harris said businesses need to adopt stronger encryption technologies that safeguard sensitive consumer data. And retailers must make their breach notifications to consumers more visible and should upgrade their systems to handle payment cards equipped with microchips, which make cards more difficult to counterfeit, Harris said.
Although some retailers such as Target and Home Depot have said they plan to adopt the EMV system — named for its developers Europay, MasterCard and Visa — the U.S. has fallen behind Europe and other parts of the world in embracing this chip technology.
Major credit card processors have set a deadline of October 2015 for U.S. retailers to upgrade their payment systems or risk liability over fraudulent activity. However, the enormous costs associated with making the switch have some experts forecasting that fewer than half of merchants will make the deadline.
For years, U.S. companies followed the standards set by the Payment Card Industry Security Standards Council, which was created by credit card companies in 2006 to tighten protections against data thieves.
But security experts said complying with PCI standards will not protect companies against hackers.
"Merchants are confusing compliance with security," said Matt Little, vice president of product development at data security firm PKWare. "If a good security team is trying to build a 100-foot fence, compliance for us is a 3-foot fence."
Harris also emphasized actions that lawmakers and consumers can take to curtail an explosion in data theft.
The attorney general urged legislators to provide grants to small and medium-size businesses so they can better safeguard customer data. The report also asked California lawmakers to improve the way consumers are notified once a breach occurs.
Harris asked Californians to carefully monitor their accounts for suspicious activity following a breach and promptly change any passwords and user names involved.
Norma Garcia, manager of the financial services program at Consumers Union, said hacking victims should keep an eye on their accounts long after the theft occurs.
"The fraudsters aren't going to hit necessarily right after the breach," she said at the Tuesday news conference. "They are going to wait. When you are no longer looking — that is when they are going to hit."
Twitter: @ByShanLi, @khouriandrew
Copyright © 2014, Los Angeles Times

Monday, October 27, 2014

McLaren Mercedes battles cyber attacks by nation states - and staff intent on using Dropbox

By Danny Palmer
27 Oct 2014
When a well-known, high-tech organisation has evidence that it is under attack from "nation states", how does it handle its IT security - especially in terms of the growing number of staff from among the so-called "Facebook generation", who are not only used to sharing everything online but who will hop on the internet in a heartbeat to find a cool tool to do a particular job?
Those are the challenges facing the Formula 1 racing team McLaren Mercedes and its CIO Stuart Birrell every day, and ones that, hopefully, his organisation has successfully dealt with.
"Because of our IP [intellectual property] and profile, we're an attack target. Four weeks ago there was firewall probing by a nation state of eastern origin. We know, because our defences can see that happen, because they're working in the background," he said.
Those attacks were not only fended off, but traced to their source. However, while Birrell can do little about outside interest in the company's developments - apart from ensuring that security remains tight, and maintaining a watchful eye over firewalls, email and operational systems - he can provide staff with more secure means of collaborating on high-technology projects so that they don't resort to Dropbox.
"As the CIO, it's a constant bane of my life," Birrell said during a presentation at the team's state-of-the-art headquarters near Woking.
"How do you enable collaboration and access to the internet without compromising on security? How do you use a cloud you can control? How do you enable mobile working without losing data? How do we stop staff walking out the door with secret information and how do we deal with direct threats and attacks?" asked Birrell.
Deploying secure cloud collaboration tools from Intralinks has hopefully headed-off those staff who would otherwise use Dropbox and similar tools instead. It has enabled, said Birrell, McLaren Mercedes to securely and efficiently share files wherever in the world the team might be racing that weekend.
Birrell explained that the high risk of cyber espionage, along with the challenges that accompany the need for secure collaboration within a Formula 1 team, is "the reason we have the relationship with Intralinks".
It's the job of IT, said Birrell, to address the issue of security in a way that doesn't prevent engineers from being able to work in an effective and collaborative manner. "The engineers who are designing the F1 car or the road car, they don't give a monkeys, they want to share their designs and engineering data, to hand stuff over on a memory stick. They don't want to be encumbered, they want to collaborate, they want to share," he explained.
Birrell described how this desire to share is particularly prevalent among younger employees who have grown up using social media, sharing every aspect of their lives, which has increased the challenge of preventing them from doing likewise in the workplace.
"The new generation coming in, the Facebook generation, they share. They don't get IP [intellectual property], they don't get the importance of keeping hold of that, because they share everything, they share their personal lives, so why should they not share a drawing of a widget, when actually that widget is worth a fortune? But it's that mentality, that approach," he said.

Birrell said that in order to deal with those sorts of cultural issues McLaren Mercedes tries to make sharing simple, but secure, by using an enterprise collaboration tool in Intralinks.
"Part of the relationship with Intralinks is based around how they've made it robust, and how they make it easy. All of our people could use Dropbox from Hell around the place, because it's easy, isn't it? And these guys, they want an easy way to collaborate and share information," he said.
Another key method of keeping security tight at McLaren Mercedes, Birrell said, was through formal training for all staff about how to use the Intralinks software - and why they need to use it, rather than any other collaboration tool they might find on the internet.
"One of the interesting things is the human side of this. I've mentioned that the engineers want things easy. If we put this out there, it isn't enough, why should they use it, when they've got Dropbox? How do you get somebody who's got an easy way of doing something to do something else?" he said.
"It's education, it's human nature. One of the things I've invested in behind all this is a security manager. Not a typical one who sits there and says no, but a security manager who actually tells people how they make things work, be patient, do the training, to actually persuade the engineers," continued Birrell.
"It's about education, about training, about culture and making it easy. Which is why we have that relationship with Intralinks, making collaboration and security easy to use," he concluded.
Elastica Report: ‘Shadow Data’ an Emerging Threat for Enterprises
The unsupervised use of cloud collaboration tools could result in companies' sensitive data ending up in the wrong hands, according to a recent report from Elastica. The report highlights some issues that stem from the rapid proliferation of these apps.

Cloud-based collaboration platforms have made it remarkably easy for people to sync and share files with others inside and outside the enterprise, but risky usage practices could undermine many of the benefits and lead to costly data exposures for unwary companies.
Cloud security vendor Elastica recently analyzed 100 million files being shared and stored by its customers in public cloud file-sharing applications and discovered that about 20 percent of the files contained protected or regulated data.
Of the files with sensitive data, nearly 60 percent contained personally identifiable information. Some 30 percent contained protected health data, while the rest held payment card information.
Elastica discovered that in many cases, employees are using cloud applications to share sensitive files far more broadly than they should. The company ran scans of high-risk files and discovered that 68 percent of the files that contained sensitive data were shared with the whole company, even if only a small subset of users actually needed to view the file.
Worse, 20 percent of the files were shared with external users, while 13 percent of them were shared publicly.
The numbers point to the disturbing proliferation of “shadow data” within enterprises that have integrated cloud collaboration platforms into their infrastructure, according to Rehan Jalil, president and chief executive officer of Elastica.
Most of the data-sharing in the cloud is happening outside the information technology (IT) department’s control, so they often have little idea of what exactly is being exposed in the cloud, Jalil said.
With a cloud-based collaboration tool, a user can share a document with someone else simply by providing a link to that document. In most cases, all the recipient has to do to view a shared document is click on the link pointing to it.
There is often no authentication required to access a shared document, even when the access is taking place from outside the enterprise or by someone not authorized to view the document, Jalil noted.
Traditional data-leak prevention tools that prevent files containing specific keywords from leaving the enterprise network are not of much use with cloud file-sharing applications because usually only a link is actually being shared, according to Jalil.
So IT managers face a challenge of keeping track of the data-sharing that is going on in the cloud even with approved applications, he said.
“People talk about shadow IT and about not knowing what employees are doing [with technology],” Jalil said. “Shadow data exposes companies to a whole different kind of risk.”
The large volume of sensitive data being shared in the shadows places companies at risk for major data breaches and potential compliance violations, he added.
The Elastica cloud security study highlights some of the problems that companies can face from the rapid proliferation of cloud-based sync and share applications. Over the past two years, numerous vendors, including Dropbox, Box, IBM and EMC, have rushed to market with cloud enterprise file-sharing platforms designed to enable easier collaboration in the cloud.
These products, with their consumer-oriented interfaces and easy-to-use functions, have made it much easier for users to sync files and data across multiple devices and to access and share files with few restrictions. However, like many other technologies that have migrated to the enterprise from the consumer market, most of the adoption of cloud-based file-sharing applications has occurred outside of IT’s direct control, resulting in some of the problems highlighted in the Elastica report.
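The kind of audit behind the Elastica figures above (classify what is in each shared file, then look at how widely it is shared) can be expressed as a short scan. The following is an added example, not Elastica's or the article's code: it assumes a hypothetical inventory record shape (path, sharing scope, content) such as a sync-and-share API might list, uses constructed sample files, and its PII/PHI/PCI detectors are deliberately simple (an SSN format, a keyword list, and card-number candidates confirmed with the Luhn check) rather than any vendor's classifier.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Sharing scopes ordered by how far a link-shared file can travel.
# "private" = owner only; "company" = anyone in the organisation;
# "external" = named outside parties; "public" = anyone with the link.
RISK = {"private": 0, "company": 1, "external": 2, "public": 3}


@dataclass
class SharedFile:          # hypothetical inventory record, not a real API shape
    path: str
    scope: str             # one of RISK's keys
    content: str


@dataclass
class Finding:
    path: str
    scope: str
    tags: Set[str]         # subset of {"PII", "PHI", "PCI"}
    risk: int


SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
PHI_RE = re.compile(r"\b(?:patient id|diagnosis|medical record)\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> Set[str]:
    """Tag a file's content with the regulated-data categories it contains."""
    tags: Set[str] = set()
    if SSN_RE.search(text):
        tags.add("PII")
    if PHI_RE.search(text):
        tags.add("PHI")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            tags.add("PCI")
            break
    return tags


def audit(files: List[SharedFile]) -> List[Finding]:
    """Return one finding per file that holds regulated data, whatever its scope."""
    return [
        Finding(f.path, f.scope, tags, RISK[f.scope])
        for f in files
        if (tags := classify(f.content))
    ]


def exposure_summary(findings: List[Finding]) -> Dict[str, int]:
    """Count sensitive files by sharing scope (the report's 'shared with whom' view)."""
    counts = {scope: 0 for scope in RISK}
    for f in findings:
        counts[f.scope] += 1
    return counts


def over_shared(findings: List[Finding]) -> List[Finding]:
    """Sensitive files shared beyond their owner, widest exposure first."""
    return sorted((f for f in findings if f.risk > 0), key=lambda f: -f.risk)


# Constructed sample inventory; every value below is made up for the example.
FILES = [
    SharedFile("hr/payroll-2014.csv", "company", "name,ssn\nJane Doe,123-45-6789"),
    SharedFile("finance/cards.txt", "external", "corporate card 4111 1111 1111 1111 exp 12/16"),
    SharedFile("clinic/notes.txt", "public", "Patient ID 8841 diagnosis: follow-up needed"),
    SharedFile("eng/widget.stl", "public", "solid widget\nfacet normal 0 0 1"),
    SharedFile("sales/leads.csv", "private", "contact,ssn\nA. Buyer,123-45-6789"),
    SharedFile("support/tickets.txt", "company", "card 1234 5678 9012 3456 declined"),  # fails Luhn
]

if __name__ == "__main__":
    found = audit(FILES)
    print(exposure_summary(found))
    for f in over_shared(found):
        print(f"{f.scope:8} {sorted(f.tags)} {f.path}")
```

The ticket file shows why the Luhn step matters: a 16-digit run that is not a valid card number is left alone, so the exposure counts reflect real payment data rather than any long number. A real scan would populate the inventory from the sharing provider's listing of share links and their audiences, which is exactly the visibility the article says IT departments usually lack.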

Wednesday, October 22, 2014

Staples becomes the latest US retailer to investigate a potential data breach by hackers

By Danny Palmer
21 Oct 2014
Staples, the office supplies store, is the latest major US retailer to become the suspected victim of a data breach as a result of a cyber attack by computer hackers.
A number of well-known American retail firms have been victims of data breaches in the past year, including Target, which saw details about 70 million customers stolen after an attack by cyber criminals. The results were so catastrophic that they eventually led to the resignation of Target CIO Beth Jacob.
The possible Staples breach was disclosed by cyber crime expert Brian Krebs, who revealed on his Krebs on Security blog that "multiple banks say they have identified a pattern of credit and debit card fraud suggesting that several Staples Inc. office supply locations in the Northeastern United States are currently dealing with a data breach".
Staples has also released a statement admitting that it's investigating a possible data breach and is working with the authorities.
"Staples is in the process of investigating a potential issue involving credit card data and has contacted law enforcement," said Staples spokesperson Mark Cautela.
"We take the protection of customer information very seriously, and are working to resolve the situation," he continued, before adding that if Staples has been the victim of a data breach, then its customers won't be shouldering the costs.
"If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis."
Speaking about the possibility of a data breach at Staples, Charles Sweeney, CEO of web security firm Bloxx, said that cyber criminals are increasingly attacking retailers as they're viewed as an easy target.
"Staples is possibly the next in a long list of US retailers to have fallen victim to a hack that would see its customers' card details compromised. There appears to be a definite trend emerging, with hackers clearly viewing the retail industry as easy pickings," he said.
"Cyber criminals constantly adapt their attack strategies. It is therefore very important that retailers ensure they are creating a dynamic and responsive security environment that can stand up to sustained and persistent attacks," Sweeney added.
While a breach has yet to be confirmed, Mark Bower, VP product management at Voltage Security argued that if Staples has been the victim of a cyber attack, malware that has infiltrated company networks could be to blame.
"Perhaps this is another situation where POS [point of sale] malware has been pushed down to a few stores during a POS patch to add new features, or software upgrade cycle, resulting in compromise," he said.
"This seems to be a possible common thread among recent breaches, enabling attackers to propagate malware to many endpoints, though of course this is speculative based on limited data on this particular scenario," Bower continued.
He went on to add that if Staples has been the victim of a data breach, it's likely such a mishap could have easily been avoided.

"In all probability, I would hazard a guess it was quite avoidable through contemporary encryption measures," Bower concluded.

Sunday, October 19, 2014

Cost of cybercrime continues to increase for US companies

by Pierluigi Paganini on October 19th, 2014

The Ponemon Institute has published its fifth report on the cost of cybercrime, which provides interesting data on the impact on US companies.

What is the cost of cybercrime suffered by US companies? The fifth annual report published by the Ponemon Institute, titled “2014 Global Report on the Cost of Cyber Crime”, reveals that cyber attacks against large US companies (the Ponemon Institute focused on companies with more than 1,000 employees) result in an average of $12.7 million in annual damages.
The report, sponsored this year by Hewlett Packard’s Enterprise Security division, confirmed an increase of 9.7 percent from the previous year. The research found that the economic losses are mainly related to business disruption and to information loss from data breaches, which together account for nearly three-quarters of the cost of cybercrime incidents.
The sectors that suffer the highest cost of cybercrime, according to the Ponemon Institute, are energy and utility companies and the financial industry; the number of attacks against both industries is increasing at a worrying rate.
The security posture of a company is significant in evaluating the cost of cybercrime it suffers: as explained in the report, organizations that invest in security incur lower costs from security incidents. Analyzing the economic benefit of adopting an effective security policy, the experts at the Ponemon Institute observed a reduction in the cost of cybercrime by an average of $2.6 million.
“Business disruption, information loss and the time it takes to detect a breach collectively represented the highest cost to organizations experiencing a breach,” Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement.
An alarming figure published in the report is the time the average company took to detect a cyber attack against its systems: 170 days to detect an attack and 31 days on average to apply the necessary mitigation actions. The most dangerous attacks are related to insider activity; these attacks are more difficult to detect and took about two months to resolve.
As explained by the Ponemon Institute, the cost of cybercrime depends on the size of the victim: the largest firms had the greatest overall cost of cybercrime, while smaller firms had higher damages per employee ($1,601 per worker).
Web-based attacks are the most expensive incidents for smaller companies, followed by malware-based attacks and denial-of-service attacks, while large enterprises mainly suffer from denial-of-service attacks.
I consider it very difficult to evaluate the overall cost of cybercrime for a company; the data proposed could give us an idea of the trends on the topic, but in my opinion the real cost for companies is probably significantly higher.
Anyway, I suggest you read this interesting report.
Pierluigi Paganini
(Security Affairs – cost of cybercrime, Ponemon Institute)

Obama Uses Executive Order To Push Chip and Pin

Posted by: Paul Roberts, October 17, 2014 17:57
Add data security to the long list of issues on which U.S. President Barack Obama has resorted to unilateral action in order to push the government forward on a crucial matter.
President Obama used an Executive Order to promote chip and PIN technology for government issued credit cards.
On Friday, President Obama signed an Executive Order directing the government to require the use of so-called “chip and PIN” technology for any newly issued or existing government debit and credit cards.
The Order was intended to make the federal government “lead by example in securing transactions and sensitive data,” the White House said in a statement.
The new BuySecure Initiative will provide consumers with more tools to secure their financial future by assisting victims of identity theft, improving the Government’s payment security as a customer and a provider, and accelerating the transition to stronger security technologies and the development of next-generation payment security tools.
The Order launches a new initiative dubbed “BuySecure” intended to “drive the market towards more secure payment systems” by putting the weight of the federal government behind secure payments technology for government employees. Newly issued and existing government credit cards, as well as debit cards like Direct Express will be required to use chip and PIN technologies. Retail payment card terminals at Federal agency facilities will also be upgraded to accept chip and PIN-enabled cards.
According to the White House, leading chain retailers have signed on to the initiative including Home Depot and Target (both recent victims of wide scale data theft), Walgreens, and Walmart. Those stores will roll out secure chip and PIN-compatible card terminals in all their stores by January 2015.
Card issuer American Express said it is launching a program to support small businesses as they upgrade their point of sale terminals to more secure standards. Visa said it will launch a national public service campaign to educate consumers and merchants on chip and other secure technologies by sending experts to 20 cities as part of the BuySecure program.
The Order also includes efforts to help consumers affected by data and identity theft. MasterCard said it will provide its customers with free credit monitoring services, and Citi will offer free monthly credit reports to its card customers, in cooperation with FICO. Finally, the Federal Trade Commission (FTC) is working on a web site intended to be a “one-stop resource” for victims of that crime.
In addition, the White House will host a Summit on Cybersecurity and Consumer Protection later this year to promote partnership and innovation. It is inviting “major stakeholders on consumer financial protection issues” to discuss ways to “work together to further protect American consumers and their financial data, now and in the future.”
In a statement, the American Bankers’ Association said it “applauded the President for highlighting the challenges facing American companies and consumers.”
However, the ABA said it was already working with banks, payment networks and retailers to “make chip cards and readers widely available in advance of the October 2015 implementation deadline.”
“This initiative is part of an ongoing effort to use innovative technologies to better secure the system. Criminals are always looking for ways to exploit the payment system, and we will continue to adapt security measures to meet evolving threats,” the ABA said.
Writing for The SANS Institute, Director John Pescatore noted that pushing chip and PIN is “a good thing,” but will only help stem breaches linked to point of sale systems. (POS systems have been targets in many of the recent retail breaches.)

Thursday, October 16, 2014

5 Things Boards Should Do About Cybersecurity Now

The Wall Street Journal sat down with two top-tier experts in cybersecurity and risk management: Raj Samani, CTO EMEA at McAfee, and Stephen Bonner, Partner in the Information Protection and Business Resilience team at KPMG. They laid out the key issues boardrooms need to look at to secure their company’s data and reputation.

1. Understand the Problem

Cybercrime is a murky business. The cybersecurity industry itself is not very transparent. It’s very difficult to get a handle on what the dangers are, and the size and cost of the problem. Still, many organizations have cybersecurity tucked away in their IT departments. It’s time to bring it up and dust it off.

2. Know Your Risk

If you are hacked, what are some obvious operational losses that will have a tangible impact on your business? What happens to your business if it becomes unavailable to your customers for a period of time? What about strategic plans and M&A pricing data: What if you don’t know if this information has been compromised? Manage these risks now.

3. Decide What Your 'Crown Jewels' Are

What are you trying to protect? Is it customer data? Is it financials? Is it just your consumer-facing website? Or does it go much deeper than this, to intellectual property and patents? Decide what’s crucial to you, and build security architecture around that.

4. Know The Regulation

New regulations coming through the European Parliament, which are likely to come into force at the end of 2015, will make breach disclosure mandatory. There will be huge fines for companies who actively fail to disclose breaches of their systems. It’s a good idea now to begin discussing your company’s compliance with data privacy and breach notification regulations.

5. Know Where To Spend It

Once you have a clearer picture of the risk to your critical information assets, decide how to deploy resources. If you are breached, you will need to deal with a fast-developing crisis with lots of moving parts. Consider now the costs you might need to lay out, including any losses the breach may cause, consulting costs, potential liability, potential court cases, and insurance. Practice your response now.

Tuesday, October 14, 2014

Chase Breach: 5 Lessons for Europe

Key Security Takeaways for European Financial Institutions

By Mathew J. Schwartz, October 13, 2014. Follow Mathew J. @euroinfosec
The breach of financial giant JPMorgan Chase in the United States poses difficult questions for the financial services industry. Namely, if hackers can infiltrate Chase, is any financial institution safe?
JPMorgan Chase has confirmed that the breach affected personal information, such as e-mail addresses, tied to 76 million U.S. households as well as 7 million businesses.

Beyond that, however, getting solid details about the breach continues to be difficult. The incident appears to have begun in early June, but reportedly wasn't detected by the bank until late July. Various anonymous sources have discussed the possibility that Russian attackers were involved, and have also suggested the same gang probed or exploited a total of 10 financial services firms, including Chase.
With news of the breach still trickling in, information security experts weigh in on the Chase breach implications for financial services firms located in Europe:

1. Everyone is a Target

One breach fact - for any financial institution, anywhere in the world - is that they're a potential target, says Alan Woodward, a professor in the Department of Computing at the U.K.'s University of Surrey, as well as a cybersecurity adviser to Europol. "The U.K. banks have recognized for some time that this is the case - the Bank of England has been running simulations with the banks to test out defenses. But sadly, as we all know, the bad guys only need to get through once to cause a problem."
Dublin-based cybersecurity consultant Brian Honan, who heads Ireland's computer security incident response team, notes: "No matter how effective your security program is, there will always be risks."
So information security experts recommend businesses focus resources on preventing hacks as well as quickly detecting intrusions, rapidly remediating breaches, and always staying abreast of the latest changes - both offensive and defensive. "Banks, and all organizations, should conduct regular risk assessments taking into account the latest developments in threats and cybercrime capabilities," Honan says.
That's especially important for financial institutions around the world, given the preponderance of legacy systems in their IT environments, says London-based Gavin Millard, the European, Middle East and Africa technical director at Tenable Network Security. "It is also critical that organizations continuously monitor their infrastructure for vulnerable and weakly configured systems to identify any springboard into the network that could be utilized to gain further access and exfiltrate sensitive data," he says. "If a legacy system - of which there are many at banks and financial institutes - can't be upgraded, appropriate compensating controls have to be in place to protect them."

2. Remediate Phishing Vulnerabilities

Unconfirmed details of the JPMorgan Chase investigation suggest the financial institution got hacked after the PC of an employee who was working remotely was exploited (see: Alleged Bank Hack Tied to Phishing). One takeaway from that scenario is that businesses should make sure that employees are not reusing their work username and password on third-party sites. That's because those sites could get hacked, with the credentials obtained and then put to use by attackers to break into corporate environments.
"Organizations need to do more in understanding their extended attack surface and never assume that 'user@CorporateEmail' and 'CorporatePassword' haven't been used elsewhere to create accounts on third-party systems or spear-phished," Millard says. "Pro-actively banning the use of corporate e-mail addresses to sign up to any third party Web services and enforcing good password best practices should be standard for all organizations."

3. Breach Regulations Will Change Awareness

To date, the majority of breaches - and especially massive data breaches - have involved U.S. organizations, leading some commentators to assume that European organizations are simply more secure. Currently, however, European financial services firms are under no obligation to publicly disclose when their networks get breached. But the EU is considering a new data breach notification law, which would require any business that suffers a breach involving customer data to notify regulators and consumers "without undue delay" (see EU Prepares Tough Breach Notification Law).
But if the law does pass, expect it to reshape notions of how secure - or insecure - financial firms are in Europe, says Jeremy King, international director of the PCI Security Standards Council. "For too long, we've sort of swept the problem under the carpet. It's very interesting - and maybe it's no coincidence - that because of the breach notification rules in the U.S., we hear about these big breaches, and people have this strange thought that it's not happening over here, and that's really because the breaches are happening, but they're not being reported, because we can hide them," he says.

4. Beware of the Blame Game

Who hacked JPMorgan Chase? Numerous "sources" - all speaking anonymously - have been cropping up in U.S. media coverage of the Chase breach.
Ignore it, says Jeffrey Carr, CEO of threat-intelligence firm Taia Global. "Public attribution by cybersecurity vendors is usually nothing more than a marketing play where the vendor is hoping to get his company's name mentioned by The New York Times or another major paper by claiming that China or Russia is behind the attack," he says. "Public attribution by U.S. government officials may be done to push their political agenda. Regardless of who is doing it, ill-informed guesswork at who's responsible is always a bad idea because it serves no constructive purpose and provides cover for attackers from other parts of the world who want investigators to look East while they're attacking from the West."

5. Market-Crashing Attacks Remain Unlikely

To date, no JPMorgan Chase breach commentators have been able to answer this crucial question: What were the Chase hackers seeking? President Obama repeatedly asked this question of his briefing team, and no one could provide him with a solid answer, The Times reports.
But Carr says the hackers likely were not trying to crash financial markets. "JPMorgan and other international banks are vulnerable to attack in countless ways much more serious than this one - attacks by insiders, by trusted vendors, by finding zero-days in hardware, firmware, and software, etc. - and many of those ways would be invisible to their respective security teams," he says. "The fact that the world's biggest banks have avoided any major financial disruption is not because they aren't vulnerable. It's because it's in no one's interest to conduct a breach big enough to start a global panic, which a successful attack against JPMorgan would have done."

Sunday, October 5, 2014

Why cyber criminals are winning: The secret weapon of the black hats

Another day. Another hack. One day it’s black hats making headlines with a massive hack on Home Depot. The next, it’s the theft of 4.5 million U.S. hospital records or 1.2 billion web credentials. The connected world is under siege and the current cyber security approach is falling woefully short — as evidenced by the headlines.
Why are cyber criminals winning?
Today’s cyber security paradigm is a reactive cycle: when a threat is exposed, it is analyzed and a counter-solution is designed with response times varying from weeks to years. The trouble is that attackers can easily reuse pieces of previous malware, modify them, and create a brand new threat, bypassing the newly updated security measures.
Attackers can simply copy pieces of code from previous malware, such as exploits, decryptors or modules (keyloggers, backdoors, etc.), and incorporate them into the new malware they are developing. Alternatively, attackers can imitate the operational methods other malware relies on to make an operation succeed (persistence methods, for example).
By reusing code and methods, hackers gain the upper hand. New malware is cheaper and easier to develop, while the tools needed to locate and disable it are only becoming more expensive. All the while, defenders need to cover a growing array of potential targets, each with their own set of weaknesses. For every dollar spent by cyber attackers, hundreds of dollars are being spent by the IT security industry. This economic imbalance is the springboard from which cyber-crime, cyber-terrorism and cyber-warfare are launched. Thus, code and method reuse has become an intrinsic part of the DNA of malware development today.
Several malware families used in prominent cyber attacks over the past year, both in espionage-oriented Advanced Persistent Threats (APTs) and in cybercrime, serve as prime examples of reuse of both code and methods: BlackPOS, Mask, Snake, and Zberp, to name a few.
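The flip side of code reuse is that defenders can measure it: if a new sample shares most of its byte windows with a known family, it is a recycled variant rather than a fresh code base. The example below is added here (it is not from the article or from CyActive) and uses deterministic pseudo-random byte strings as stand-ins for binaries; the family names, sizes and the 0.3 threshold are constructed choices.

```python
import random


def byte_ngrams(data: bytes, n: int = 4) -> set:
    """All overlapping n-byte windows of a blob; the unit of comparison."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def reuse_profile(sample: bytes, known: dict, n: int = 4) -> dict:
    """Fraction of the sample's n-grams that already occur in each known
    family: 1.0 means every window was seen before, 0.0 means nothing shared."""
    grams = byte_ngrams(sample, n)
    if not grams:
        return {name: 0.0 for name in known}
    return {name: len(grams & byte_ngrams(blob, n)) / len(grams)
            for name, blob in known.items()}


def likely_origin(sample: bytes, known: dict, threshold: float = 0.3,
                  n: int = 4):
    """Name of the family whose code the sample reuses most, or None when
    nothing crosses the threshold (a genuinely new code base)."""
    profile = reuse_profile(sample, known, n)
    if not profile:
        return None
    best = max(profile, key=profile.get)
    return best if profile[best] >= threshold else None


def _blob(seed: int, size: int = 400) -> bytes:
    """Deterministic pseudo-random bytes standing in for a binary (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(size))


# Constructed corpus: two unrelated "families" of previously analysed samples.
KNOWN = {"family-a": _blob(1), "family-b": _blob(2)}

# A "new" sample that keeps the first 300 bytes of family-a and bolts on
# 100 fresh bytes, mimicking the modify-and-reuse pattern described above.
NEW_VARIANT = KNOWN["family-a"][:300] + _blob(3, 100)

# A sample written from scratch shares nothing with either family.
FROM_SCRATCH = _blob(4)

if __name__ == "__main__":
    print(reuse_profile(NEW_VARIANT, KNOWN), likely_origin(NEW_VARIANT, KNOWN))
    print(reuse_profile(FROM_SCRATCH, KNOWN), likely_origin(FROM_SCRATCH, KNOWN))
```

On real samples the same idea is applied to disassembled functions or normalised code rather than raw bytes, so that recompilation and small edits do not hide the shared origin.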

Notorious, but not original cyber attacks

BlackPOS is the malware responsible for stealing credit card information from the Target and Neiman-Marcus department stores in December 2013. The attackers reused the entire code of an earlier variant of the BlackPOS malware, modifying it slightly to deal with the specific PoS software used at Target. Yet another variant of BlackPOS returned in April-May 2014, stealing an even bigger number of credit cards from the Home Depot retail chain.
Mask, revealed in February 2014, is a large (and possibly state-sponsored) malware operation that attacked 31 countries, covering more than 380 unique victims. The malware uses a complex implant that performs a large number of surveillance functions on the target. Mask reuses known vulnerabilities in the Java Runtime Environment and Adobe Flash Player.
The Snake (AKA Turla, Uroburos) APT was revealed in March 2014 to have been targeting government and military organizations in countries of the Former Soviet Union, the European Union, the U.S. and the U.K. Based on several similarities, the malware is assumed to be the work of the creator of Agent.BTZ, which infiltrated the US Department of Defense network in 2008.
A very recent example of the reuse phenomenon is Zberp, which attacked some 450 financial institutions around the world during the first half of 2014. Zberp enables attackers to steal information such as SSL certificates and FTP account credentials, and gives attackers remote access to the infected target. It reuses code and methods from Zeus, the infamous banking malware, and Carberp, another major banking malware discovered in 2010. The reused methods include steganography, which hides malicious code in pictures, and API hooking, whose code was copied from Carberp with only slight modifications.
The bottom line is that as long as we give cyber criminals the opportunity to reuse and recycle code, hacking makes financial sense. Until hackers are forced to create attack chains from scratch they will continue to win. And therein lies the challenge.
Shlomi Boutnaru is CTO of CyActive and has a decade of cyber security experience. Formerly manager of COE (Center of Excellence) Cyber & Security at Matrix, he managed Matrix’s entire cyber security operation, including development and integration of security products, analysis of malicious code, and penetration-testing. Prior to that, he served in elite Israeli military units (Intelligence and IAF). He is a lecturer on information security in leading institutes in Israel and abroad.