How organizations can prevent vulnerability after the Equifax data breach


By Jeff Lizerbram Solutions Architect, Systems Integration:

When the recent news stories broke across the nation about the data breach at Equifax, one of the three main credit reporting companies (the other two being Experian and TransUnion), the damage had already been done almost 3 months earlier. According to the top news sources, over 143 million people in the United States, Canada and the United Kingdom had their credit data exposed to hackers as early as May 2017. This data includes Social Security numbers, birth dates, addresses, driver’s license numbers, credit card numbers and other private financial data. One of the major sources of the vulnerability was the main public Equifax website itself, which was running with un-hardened web application security configurations.

The cause of the hack may go even deeper into the organization, where strong IT security policy enforcement may have been lacking. Can this happen to any organization? Of course. As a Managed Services Provider, we see an incomprehensible volume of hacking attempts hitting publicly-facing firewalls all the time. And we are constantly learning that our data is at the mercy of the ever-changing best practices in Information Technology security. Can an organization work to prevent such a massive vulnerability? Absolutely, and here’s one way to accomplish this:

From my own experience in working with best-in-class cloud security solutions, there is a strong need for other factors, including human factors, to be in place in addition to the security solution itself. A great security product protecting a company’s assets is just one small part of preventing attacks. A strong and secure organization should hold an internal policy foundation built on 3 important pillars: Security, Auditability, and Accountability. For Security, upgrading to best-in-breed security products will definitely help. And while most security products on the market include auditing features, quite often the auditing portion is left disabled and unused. It is crucial to enable auditing to view and alert on sensitive data going out of, as well as coming into, the organization. And finally, security and auditing must result in holding people accountable for correcting any configuration issues that have been alerted on. All in all, a good organizational IT policy should have a foundation based on these principles to stay ahead of the bad guys.

Two things people can do right now to protect themselves after the Equifax hack


By Richard Swaisgood Server Engineer, Systems Integration
Unfortunately, Equifax has been extremely tight-lipped about any technical information. We know that the personal information of at least 143 million Americans was stolen by an unknown group and that Equifax is offering credit protection services for about 1 year to affected users.
The current rumor is that they were using an older API (Struts) to serialize and deserialize requests from user-facing Java applications to their core database, allowing the hackers to inject code into the Java user-side app to gain access to the core database and the sensitive info. This is of course all rumor at this point; once more data gets released we’ll have a better understanding.
There are two things people can do right now to protect themselves: sign up for credit monitoring services (preferably not with Equifax) and, if you do not plan on opening any new credit accounts, freeze your credit. Keeping a close eye on who’s been requesting your credit reports and what accounts have been opened can save you a lot of time, as you can issue a credit freeze or dispute any new accounts relatively quickly. Preemptively freezing your credit is the best thing to protect you, but it can cause issues if you are in the process of buying a home, a car or applying for any kind of credit. Unfortunately, with the kind of information leaked you will need to do this for a very long time, as hackers can simply wait until the free 1 year of credit monitoring expires; with the frequency of these attacks it might be better to keep credit monitoring going indefinitely.
As for Equifax themselves, it’s hard for me to see a way they are able to survive this breach. The effects will be long-lasting for nearly half of all Americans, and there is already one class action lawsuit filed against them for $70 billion, with much more coming their way as people start being directly affected by this breach. Hopefully this breach helps companies understand how just one breach can completely change their business, or even end it outright if enough information is lost, and the importance of securing your data in today’s world of constant data breaches.


China hacked into the federal gov network, compromising 4 million employees' info. The Post's Ellen Nakashima talks about what kind of national security risk this poses and why China wants this information.

By Ellen Nakashima as written on The Washington Post - June 2015.
Hackers working for the Chinese state breached the computer system of the Office of Personnel Management in December, U.S. officials said, and the agency will notify about 4 million current and former federal employees that their personal data may have been compromised.
The hack was the largest breach of federal employee data in recent years. It was the second major intrusion of the same agency by China in less than a year and the second significant foreign breach into U.S. government networks in recent months. Last year, Russia compromised White House and State Department e-mail systems in a campaign of cyberespionage.
The OPM, using new tools, discovered the breach in April, according to officials at the agency who declined to discuss who was behind the hack.
Other U.S. officials, who spoke on the condition of anonymity, citing the ongoing investigation, identified the hackers as being state-sponsored.
One private security firm, iSight Partners, says it has linked the OPM intrusion to the same cyber­espionage group that hacked the health insurance giant Anthem. The FBI suspects that that intrusion, announced in February, was also the work of Chinese hackers, people close to the investigation have said.
The intruders in the OPM case gained access to information that included employees’ Social Security numbers, job assignments, performance ratings and training information, agency officials said. OPM officials declined to comment on whether payroll data was exposed other than to say that no direct-deposit information was compromised. They could not say for certain what data was taken, only what the hackers gained access to.
“Certainly, OPM is a high-value target,” Donna Seymour, the agency’s chief information officer, said in an interview. “We have a lot of information about people, and that is something that our adversaries want.”
The personal information exposed could be useful in crafting “spear-phishing” e-mails, which are designed to fool recipients into opening a link or an attachment so that the hacker can gain access to computer systems. Using the stolen OPM data, for instance, a hacker might send a fake e-mail purporting to be from a colleague at work.
After the earlier breach discovered in March 2014, the OPM undertook “an aggressive effort to update our cybersecurity posture, adding numerous tools and capabilities to our networks,” Seymour said. “As a result of adding these tools, we were able to detect this intrusion into our networks.”
“Protecting our federal employee data from malicious cyber incidents is of the highest priority at OPM,” Director Katherine Archuleta said in a statement.
In the current incident, the hackers targeted an OPM data center housed at the Interior Department. The database did not contain information on background investigations or employees applying for security clear­ances, officials said.
By contrast, in March 2014, OPM officials discovered that hackers had breached an OPM system that manages sensitive data on federal employees applying for clearances. That often includes financial data, information about family and other sensitive details. That breach, too, was attributed to China, other officials said. OPM officials declined to comment on whether the data affected in this incident was encrypted or had sensitive details masked. They said it appeared that the intruders are no longer in the system.
“There is no current activity,” an official said. But Chinese hackers frequently try repeat intrusions.
Seymour said the agency is working to better protect the data stored in its servers throughout the government, including by using data masking or redaction. “We’ve purchased tools to be able to implement that capability for all” the data, she said.
Among the steps taken to protect the network, the OPM restricted remote access to the network by system administrators, officials said. When the OPM discovered the breach, it notified the FBI and the Department of Homeland Security.
A senior DHS official, who spoke on the condition of anonymity because of the ongoing investigation, said the “good news” is that the OPM discovered the breach using the new tools. “These things are going to keep happening, and we’re going to see more and more because our detection techniques are improving,” the official said.
FBI spokesman Josh Campbell said his agency is working with DHS and OPM officials to investigate the incident. “We take all potential threats to public- and private-sector systems seriously and will continue to investigate and hold accountable those who pose a threat in cyberspace,” he said.
The intruders used a “zero-day” — a previously unknown cyber-tool — to take advantage of a vulnerability that allowed the intruders to gain access into the system.
China is one of the most aggressive nations targeting U.S. and other Western states’ networks. In May 2014, the United States announced the indictments of five Chinese military officials for economic cyber­espionage — hacking into the computers of major steel and other companies and stealing plans, sensitive negotiating details and other information.
“China is everywhere,” said Austin Berglas, head of cyber investigations at K2 Intelligence and a former top cyber official at the FBI’s New York field office. “They’re looking to gain social and economic and political advantage over the United States in any way they can. The easiest way to do that is through theft of intellectual property and theft of sensitive information.”
Rep. Adam B. Schiff (Calif.), ranking Democrat on the House Intelligence Committee, said the past few months have seen a massive series of data breaches affecting millions of Americans.
“This latest intrusion . . . is among the most shocking because Americans may expect that federal computer networks are maintained with state-of-the-art defenses,” he said. “The cyberthreat from hackers, criminals, terrorists and state actors is one of the greatest challenges we face on a daily basis, and it’s clear that a substantial improvement in our cyber databases and defenses is perilously overdue.”
Colleen M. Kelley, president of the nation’s ­second-largest federal worker union, the National Treasury Employees Union, said her organization “is very concerned” about the breach. “Data security, particularly in an era of rising incidence of identity theft, is a critically important matter,” she said.
“It is vital to know as soon as possible the extent to which, if any, personal information may have been obtained so that affected employees can be notified promptly and encouraged to take all possible steps to protect themselves from financial or other risks,” she said.
Lisa Rein contributed to this report.
Source: WashingtonPost.com

Spam Falls to Lowest Level in a Decade, Symantec Says

By Jef Cozza / NewsFactor Network
There may finally be some good news in the war against spam. The overall percentage of spam among e-mail messages dropped to 49.7 percent last month, the lowest level since 2003 and the first time the figure has been below 50 percent in more than a decade, according to a new study by Symantec.
Symantec reported its findings in its "Symantec Intelligence Report" for the month of June. Enterprises in the mining sector had the highest spam rate, at 56.1 percent, according to the report. The manufacturing sector was a close second at 53.7 percent. The finance, real estate, and insurance sectors had the lowest of any industry, at 51.9 percent.
Spammers seemed to treat all businesses pretty much the same with regard to size, however. On average, companies experienced a spam rate of between 52 percent and 53 percent no matter the number of employees. The only outlier to this pattern was companies with 251-500 employees, which experienced a 53.2 percent spam rate.

Phishing Falling

Although it may have seemed as though attacks were on the rise last month with a number of high-profile hacks, phishing and malware-based attacks actually fell slightly in June, as one in 2,448 e-mails was a phishing attack, down from one in 1,865 in May. Manufacturing was once again the biggest target for spear-phishing attacks, as 22 percent of all such attacks were directed at manufacturing organizations. Nevertheless, that number is down from 41 percent the previous month.
Phishers also continued to concentrate their efforts on both the smallest and largest companies, with enterprises with 1 to 250 employees experiencing the most attacks, and companies with more than 2,501 employees in second place.
The number of vulnerabilities also declined in June, down to 526 reports from 579 in May. There was also one zero-day vulnerability reported last month, stemming from Adobe Flash Player, the same number as in May.

Not All Good News

Despite the good news, there were several troubling developments in Symantec’s report. There was a grand total of 57.6 million new malware variants reported in June, up from 44.5 million created in May and 29.2 million in April. The increase in malware variants may indicate that hackers are changing tactics, according to Symantec.
“This increase in activity lends more evidence to the idea that with the continued drops in e-mail-based malicious activity, attackers are simply moving to other areas of the threat landscape,” Ben Nahorney, cybersecurity threat analyst at Symantec, said in the report.
In addition to the increase in malware variants, ransomware attacks were up in June, with over 477,000 detected during the month. While still below the levels seen at the end of 2014, June represented the second month in a row that ransomware attacks increased since reaching a 12-month low in April. Crypto-ransomware was also up in June, reaching the highest levels since December.
On social media, meanwhile, hackers continued to rely primarily on manual sharing attacks, which require victims to propagate the scam by sharing content themselves. In the last 12 months, manual sharing attacks accounted for more than 80 percent of social media attacks.
Source: http://www.newsfactor.com/news/Spam-Falls-to-Lowest-Level-in-Decade

Cheating site Ashley Madison breached by hackers threatening to expose users via @NakedSecurity

Posted by Lisa Vaas on July 20, 2015
Ashley Madison users, you are "cheating dirtbags" in the judgmental eyes of whoever attacked the adulterers' dating site, and, with no sympathy forthcoming from the culprits, your personal details are in danger of being published, if they haven't already.
The attackers claim that the personal, intimate data they've breached includes all customer records: secret sexual fantasies, nude photos, conversations, credit card transactions, real names and addresses, plus the dating site company's employee documents and emails.
Security journalist Brian Krebs broke the story on Sunday, and the company confirmed the breach.
Krebs published an image showing the attackers' lengthy manifesto, which was published alongside data stolen from Avid Life Media (ALM): the Toronto firm that owns Ashley Madison as well as the related hookup sites Cougar Life and Established Men.
The attackers call themselves the Impact Team, and it sounds like unmasking the site's users is merely fallout, given that they're after nothing less than the shutdown of Ashley Madison.
They say they'll keep leaking information on a daily basis until ALM shuts down both Ashley Madison and Established Men.
From the manifesto:
Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers' secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails.
The other websites may stay online.
That means they're leaving alone the ALM site Cougar Life that connects older women with younger men.
In their view, only men use Ashley Madison:
Too bad for those men, they're cheating dirtbags and deserve no such discretion. Too bad for ALM, you promised secrecy but didn’t deliver.
This assumption about gender is incorrect, but the point is moot: a female friend of mine who formerly used Ashley Madison tells me that, being a woman, she never had to pay, and she had the smarts to fictionalize all her user information:
Being a woman, [I] never had to pay so all data was erroneous. ... even separate email, [birthdays]. ... now [partner's name] on the other hand...
According to the Impact Team's manifesto, this is comeuppance for ALM having "promised secrecy" that it didn't deliver.
The attackers accuse ALM of hoodwinking users when it comes to a "full-delete" feature that Ashley Madison sells, promising "removal of site usage history and personally identifiable information from the site."
As Ars Technica reported in August 2014, Ashley Madison was charging £15 (about $20 then and about $23 now) to delete a user’s data from its system.
The promise to scrub users' purchase details - including real name and address - was hollow, Impact Team claims:
Full Delete netted ALM $1.7mm in revenue in 2014. It's also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.
For its part, ALM has published a statement on AshleyMadison.com denying those accusations - the full-delete feature works just as advertised, the company said - and announced that full-delete is now offered free of charge to all members:
Contrary to current media reports, and based on accusations posted online by a cyber criminal, the "paid-delete" option offered by AshleyMadison.com does in fact remove all information related to a member's profile and communications activity. The process involves a hard-delete of a requesting user's profile, including the removal of posted pictures and all messages sent to other system users' email boxes. This option was developed due to specific member requests for just such a service, and designed based on their feedback.
As our customers' privacy is of the utmost concern to us, we are now offering our full-delete option free to any member, in light of today's news.
It's not clear how much stolen data has been published, though Krebs reports that it looks like a relatively small percentage of user account data.
Nor do we know precisely what details that data included.
Krebs writes that the published samples, at least, appear to include information on the site's 37 million users, company financial data such as salary figures, and even maps of the company's internal network.
On Monday morning, ALM announced that it had already used copyright infringement takedown requests to have "all personally identifiable information about our users" deleted from the unnamed websites where it was published.
That doesn't let users off the hook, unfortunately, given that the thieves can simply repost the stolen data elsewhere.
The Ashley Madison breach comes fast on the heels of a data breach in May of AdultFriendFinder - a similar site promising "discreet" hookups.
In the AdultFriendFinder breach about 3.9 million people had their private data, including personal emails, sexual orientation and whether they were looking to cheat on their partners, exposed on the Dark Web.
In another statement, ALM claimed there was nothing it could have done better to prevent the attack: "no company's online assets are safe from cyber-vandalism," despite having the "latest privacy and security technologies."
Impact Team agreed, apologizing to ALM's security head:
Our one apology is to Mark Steele (Director of Security). You did everything you could, but nothing you could have done could have stopped this.

Salting and hashing

Many questions remain unanswered, including how ALM stored users' passwords: were they properly salted and hashed, for example?
Hashes are the best way to handle passwords because you can create a hash from a password, but you can't recreate a password from a hash.
Properly stored passwords are combined with a set of extra characters, called a salt, and then hashed over and over again, many thousands of times (the salt is unique for each user and prevents any two users with the same password getting the same hash).
An attacker who makes off with a database full of hashes can’t decrypt them; instead, they have to crack them one by one with brute force and guesswork.
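The scheme described above (a unique salt per user, the hash iterated many thousands of times, verification that only recomputes and compares), as an added example in Python. This is not code from the Naked Security article or from Avid Life Media; the iteration count and the record format `pbkdf2_sha256$iterations$salt$hash` are assumptions chosen for illustration, and the naive unsalted hash is included only to show the collision the salt prevents.

```python
"""Per-user salted, iterated password hashing with PBKDF2-HMAC-SHA256.

Added example; not the article's or ALM's code. Iteration count and
record layout are illustrative assumptions.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000   # assumption: tune to hardware and current guidance
SALT_BYTES = 16


def naive_hash(password: str) -> str:
    """Unsalted single SHA-256: two users with the same password collide,
    and one precomputed table cracks every account at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt is drawn per call (i.e. per user) unless one is
    supplied, so identical passwords never share a stored hash."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time. The password is never recovered from the record."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def same_password_different_records(password: str) -> bool:
    """True when two users choosing the same password get distinct records."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    print("naive collision:", naive_hash(pw) == naive_hash(pw))
    record = hash_password(pw)
    print("stored:", record)
    print("verify ok:", verify_password(pw, record))
    print("verify wrong:", verify_password("not it", record))
    print("salted records differ:", same_password_different_records(pw))
```

Verification reads the iteration count back out of the record, so the cost can be raised later and old records re-hashed on next login without a format change.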

Did ALM store CVVs?

Another unanswered question: was ALM storing credit card security codes - also known as CVVs, CVV2, CID, or CSC - along with account information?
Let's hope not, given that it's a big no-no. Payment card regulations known as PCI-DSS specifically forbid storing a card's security code, or any "track data" encoded on the magnetic stripe on the back of a credit card, after authorization.
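One way to enforce that rule at the point where checkout data is persisted, as an added example in Python (not code from the article or from ALM): forbidden fields are dropped by name, and any string value that looks like raw magnetic-stripe Track 1 or Track 2 content is dropped regardless of its field name, so a stray "notes" or log field cannot smuggle it into the database. The field names, the sample record and the card number (a well-known test number) are constructed for this example.

```python
"""Scrub card security codes and track data before persistence.

Added example; not the article's or ALM's code. Field names and the
sample checkout record are constructed.
"""
import re
from typing import Any, Dict, List, Tuple

# Field names that must never be stored after authorization (PCI-DSS).
FORBIDDEN_KEYS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "csc",
                  "track1", "track2", "track_data", "pin_block"}

# Magnetic-stripe layouts: Track 1 format B "%B<PAN>^<NAME>^<exp/svc/...>?"
# and Track 2 ";<PAN>=<YYMM><svc/discretionary>?".
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^?]{2,26}\^[^?]{4,}\?")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}[^?]*\?")


def find_track_data(text: str) -> List[str]:
    """Return every Track 1 / Track 2 string found in a value."""
    return TRACK1_RE.findall(text) + TRACK2_RE.findall(text)


def sanitize_for_storage(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy safe to persist: no security code, no stripe data,
    and only the last four digits of the card number."""
    clean: Dict[str, Any] = {}
    for key, value in record.items():
        if key.lower() in FORBIDDEN_KEYS:
            continue
        if isinstance(value, str) and find_track_data(value):
            continue            # stripe contents under any field name
        clean[key] = value
    if "pan" in clean:           # keep only a display-safe fragment
        digits = re.sub(r"\D", "", str(clean.pop("pan")))
        clean["pan_last4"] = digits[-4:]
    return clean


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Detection side: flag (line number, match) for stripe data that
    leaked into application logs."""
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        for match in find_track_data(line):
            hits.append((number, match))
    return hits


# Constructed sample: 4111... is a public test card number.
SAMPLE_CHECKOUT = {
    "order_id": "ORD-1001",
    "name": "A. Example",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv2": "123",
    "notes": ";4111111111111111=29121011234?",
}

SAMPLE_LOG = [                      # constructed log lines
    "2015-07-20 10:01:02 INFO checkout started order=ORD-1001",
    "2015-07-20 10:01:03 DEBUG swipe=%B4111111111111111^EXAMPLE/A^29121011234567?",
    "2015-07-20 10:01:04 INFO authorization approved",
]

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_CHECKOUT))
    print(scan_log_lines(SAMPLE_LOG))
```

The log scan is the cheaper of the two controls to retrofit: running it over application logs is a quick way to learn whether a payment integration is writing stripe data somewhere no schema review would catch.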

Choose a strong, unique password

The attack on Ashley Madison is only the latest example of why it's imperative that we all choose strong, unique passwords - one site, one password.
It's bad enough that Impact Team is forcing users to suffer along with the company it's displeased with.
But once your password is out there it's trivial for crooks to try it on dozens of other popular sites to see if it works on those too.
Don't make it so easy for them.
Instead, cook up a good, unique password for every online account, and do it now.
Source: https://nakedsecurity.sophos.com/2015/07/20/cheating-site-ashley-madison-breached-by-hackers-threatening-to-expose-users/