Monthly Archives: January 2017

Over 4.2 Billion Records Exposed In 4,149 Breaches In 2016

Over 4.2 Billion Records Exposed In 4,149 Breaches In 2016

Survey says US and UK witnessed more than half of 2016 global breaches; 52% of attacks compromised Social Security Numbers.

A survey by Risk Based Security reveals that 2016 saw a significant rise in worldwide breaches and data theft with incidents in US (1,971) and UK (204) accounting for more than half of them, NBC News reports. Most alarming, says another study, is the increase in theft of Social Security Numbers (SSN) because 52% of all 2016 breaches involved SSNs – up from 44% in 2015 – carried out through spear-phishing.

Last year, over 4.2 billion records were exposed in 4,149 cyber incidents which is around 3.2 billion more records from the previous high of 2013, with Yahoo breaches contributing majorly to the increase. While businesses were prime targets, accounting for 55% of all attacks, severity of breach had increased, too, with an average severity score of 9.96 out of 10 reported among the 10 biggest breaches of 2016.

Hackers appear to be getting better with sophisticated methods of attacks and more precision, says an Online Trust Alliance report.

“They’re targeting specific companies and industry sectors and not just for consumer data, but for business data, data regarding acquisition and mergers, data that may also harm a company’s reputation,” it adds.

Read full report on NBC News.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

More Insights

from Dark Reading – All Stories http://ubm.io/2koq22d
via IFTTT

Google Paid $3 Million To Bug Hunters In 2016

Google Paid $3 Million To Bug Hunters In 2016

Search engine giant an example of the growing number of organizations benefiting from bug bounty programs.

Despite warnings about relying too heavily on crowdsourced bug bounty programs, these vulnerability discovery initiatives are proving successful for some companies, judging from the payouts to security researchers in recent years.

One example is Google. New data from the company this week shows that in 2016, Google paid some $3 million in rewards to 350 bug hunters from 50 countries who discovered more than 1,000 security vulnerabilities in Android, Chrome, and other Google products.

The payout was about 50% higher than the $2 million that Google handed out in similar rewards in 2015, and double the $1.5 million it paid out in 2014. Counting last year’s awards, Google has so far awarded $9 million in bug bounties since it first introduced the Vulnerability Rewards Program (VRP) in 2010.

Google is not alone in making payouts to researchers who find vulns in their products. As of last October, Facebook had paid upwards of $5 million in rewards to bug hunters, with a majority of them in India, the US, and Mexico. In the first half of 2016 alone, Facebook received over 9,000 bug disclosure reports and paid more than $610,000 to 149 researchers.

Bugcrowd, which coordinates bug-hunting programs for enterprises, last year delivered over 9,000 validated vulnerabilities to its clients, who include the likes of Fiat Chrysler Automobiles, Western Union, and Fitbit. The actual number of bug submissions was much bigger: since January 2013, Bugcrowd has paid over $2.1 million in bounties for about 7,000 validated vulnerabilities on client networks and services.

Currently, more than 500 companies have managed bounty programs under which they offer rewards and recognition to security researchers who find security bugs in their websites and services. While some large companies like Google and Facebook manage the programs independently, many others have tapped the services of firms like Bugcrowd and HackerOne to do it for them.

A growing number of organizations have begun turning to crowd-sourced bug hunting because of their effectiveness, says John Pescatore, director of emerging security threats at the SANS Institute.

“One factor is that security consultancies had gotten lazy,” Pescatore says. Many of them conduct their app testing engagements using medium-skilled consultants who run off the shelf tools, add very little value and produce a cut-and-paste, largely boilerplate report.

“For the same dollars spent, [bug bounty] programs are getting much higher levels of satisfaction because they are showing more value,” Pescatore says.

The most successful bounty programs are the well-managed ones that use a vetting approach to create a pool of specially picked researchers. Such programs ensure that talent from the pool is assigned to go after vulnerabilities in applications and platforms that match their individual skillsets.

“Just saying ‘pound on my website, if you find something I’ll give you a prize’ leads to some vulnerabilities being found, but many false positives,” Pescatore notes.

With so-called hack-a-thons and ill-managed programs, there is little guarantee that discovered vulnerabilities will also not be sold to other bidders, including organized crime. “The well-managed ones have been very successful, from the point of view of both quantity of meaningful vulnerabilities found per dollar spent,” Pescatore says.

In a blog post this week, Eduardo Vela Nava, technical lead of Google’s vulnerability rewards programs, pointed to the company’s continuing success with the program as a reason for expanding it. Last year, for example, Google opened up its previously invitation-only Chrome Fuzzer Program to all security researchers. The program gives security researchers an opportunity to run specific fuzzers at massive scale across Google’s hardware platform and receive rewards starting at $500 for discovering bugs in them. Some of the rewards that Google has awarded under the Chrome Fuzzer Program have exceeded $30,000.

More Google products and service are now also eligible targets for bug hunting, including Nest and Google OnHub, Nava said.

“I think it is great that companies see this as essentially an extension of their security quality assurance programs,” says Pete Lindstrom, an analyst with UDC. “Any opportunity to manage and contain the disclosure process is more beneficial than ad-hoc public disclosure.”

Related Content:


 


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

More Insights

from Dark Reading – All Stories http://ubm.io/2jsiYSB
via IFTTT

Shopping for W2s, Tax Data on the Dark Web

The 2016 tax season is now in full swing in the United States, which means scammers are once again assembling vast dossiers of personal data and preparing to file fraudulent tax refund requests on behalf of millions of Americans. But for those lazy identity thieves who can’t be bothered to phish or steal the needed data, there is now another option: Buying stolen W-2 tax forms from other crooks who have phished the documents wholesale from corporations.

A cybercriminal shop selling 2016 W-2 tax data.

A cybercriminal shop selling 2016 W-2 tax data.

Pictured in the screenshot above is a cybercriminal shop which sells the usual goods — stolen credit card data, PayPal account logins, and access to hacked computers. But hidden beneath the “other” category of goods for sale by this fraud bazaar is an option I’ve not previously encountered on these ubiquitous, cookie-cutter stores: A menu item advertising “W-2 2016.”

This particular shop — the name of which is being withheld so as not to provide it with free advertising — currently includes raw W-2 tax form data on more than 3,600 Americans, virtually all of whom apparently reside in Florida. The data in each record includes the taxpayer’s employer name, employer ID, address, taxpayer address, Social Security number and information about 2016 wages and taxes withheld.

Each W-2 record costs the Bitcoin equivalent of between $4 and $20. W-2 records for employees with higher-than-average wages in the 2016 tax year cost more, ostensibly because thieves stand to reap a higher tax refund from those W-2’s if they successfully trick the Internal Revenue Service and/or the states into approving a fraudulent refund in the victim’s name.

Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

Tax data can be phished directly from consumers via phony emails spoofing the IRS or employers. But more often, the information is stolen in bulk from employers. In a typical scenario, the thieves target people who work in HR and payroll departments at corporations, and spoof an email from a higher-up in the company asking for all employee W-2 data to be included in a single file and emailed immediately.

Incredibly, this scam tricks countless organizations into giving away all employee W-2 data directly to identity thieves who use it (or, in this case, sell it) for tax refund fraud. Earlier this month, solar panel maker Sunrun disclosed that a spear phishing attack exposed W-2 tax form data on more than 3,400 employees.

In this case, however, it does not appear the cybercrime shop obtained the W-2’s through phishing employers. It cost roughly $25 worth of Bitcoin to reveal the likely common thread among all 3,600+ Floridians being exploited by this shop: A local tax preparation firm that got hacked or phished.

Two tax records that a source purchased from the shop listed Kirai Restaurant Group LLC in Fort Lauderdale, Fla. Kirsta Grauberger, managing partner of that organization’s physical property — the Market 17 & Day Market Kitchen — confirmed that the two W-2 records were tied to two employees.

But Grauberger said her company has employed fewer than 150 employees total since it opened for business six year ago. So which other company or companies account for the remaining 3,450 employees whose W-2 are for sale by this shop?

Grauberger told KrebsOnSecurity that her firm doesn’t even handle employee tax forms, and that her company outsourced that entire process to a local tax preparation firm called The Payroll Professionals.

W-2 information also was on sale for employees of a doctor’s office in Boca Raton, Fla. The medical office told KrebsOnSecurity that it, too, managed its payroll through the same third-party payroll management firm.

A man answering the phone at Payroll Professionals who would only give his name as “Robert” said the company was “aware of the potential hacking” and was in the process of informing its clients.

According to recent stats from the Federal Trade Commission, tax refund fraud was responsible for a nearly 50 percent increase in consumer identity theft complaints in 2015. The best way to avoid becoming a victim of tax refund fraud is to file your taxes before the fraudsters can.

See last year’s Don’t Be A Victim of Tax Refund Fraud in ’16 for more tips on avoiding this ID theft headache. But here are the main takeaways from that story:

-File before the fraudsters do it for you – Your primary defense against becoming the next victim is to file your taxes at the state and federal level as quickly as possible. Remember, it doesn’t matter whether or not the IRS owes you money: Thieves can still try to impersonate you and claim that they do, leaving you to sort out the mess with the IRS later.

-Get on a schedule to request a free copy of your credit report. By law, consumers are entitled to a free copy of their report from each of the major bureaus once a year. Put it on your calendar to request a copy of your file every three to four months, each time from a different credit bureau. Dispute any unauthorized or suspicious activity. This is where credit monitoring services are useful: Part of their service is to help you sort this out with the credit bureaus, so if you’re signed up for credit monitoring make them do the hard work for you.

Monitor, then freeze. Take advantage of any free credit monitoring available to you, and then freeze your credit file with the four major bureaus. Instructions for doing that are here. However, note that neither a credit freeze nor credit monitoring will stop ID thieves from filing a fraudulent refund request with the IRS in your name. Again, your best bet to prevent this is to file your taxes before the fraudsters can do it for you.

-File form 14039 and request an IP PIN from the government. This form requires consumers to state they believe they’re likely to be victims of identity fraud. Even if thieves haven’t tried to file your taxes for you yet, virtually all Americans have been touched by incidents that could lead to ID theft — even if we just look at breaches announced in the past year alone.

from Krebs on Security http://bit.ly/2jsa2fP
via IFTTT

Outsider Attacks Give Nightmares To CIOs, CEOs, CISOs

Outsider Attacks Give Nightmares To CIOs, CEOs, CISOs

Cyberattacks via mobile devices, physical security and malware top the list of threats that US companies are not ready to handle, according to a recent Bitdefender study.

Outsider attacks, data vulnerability and insider sabotage are the main threats companies aren’t ready to handle, according to a Bitdefender survey of 250 IT decision makers at US companies with more than 1,000 PCs.

CIOs know that cybercriminals can spend large amounts of time inside organizations without being detected; Advanced Persistent Threats (APTs) are often defined as threats designed to evade detection.

Accessing any type of data, whether stored in the private or public cloud, needs to be done via multiple authentication mechanisms, Bitdefender’s security specialists recommend. This should involve more than just usernames and passwords. For access to critical data, two-factor or biometric data offers additional control and authorization of qualified and accepted personnel. This is especially significant in organizations where access to critical and sensitive data is restricted, and only then under strict security protocols and advanced authentication mechanisms.

Image Source: Bitdefender

Image Source: Bitdefender

Insider sabotage is the third threat IT decision makers can’t yet handle
“To limit the risks of insider sabotage and user errors, companies must establish strong policies and protocols, and restrict the ways employees use equipment and infrastructure or privileges inside the company network,” recommends Bogdan Botezatu, Bitdefender’s senior e-threat specialist. “The IT department must create policies for proper usage of the equipment, and ensure they are implemented.”

In the past two years, companies witnessed a rise in security incidents and breaches, with a significant increase in documented APT type of attacks targeting top corporations or government entities (such as APT-28). This type of attack intends to exfiltrate sensitive data over a long period, or silently cripple industrial processes. In this context, concerns for security are rising to the top, with decisions taken at board level in most companies.

IT decision makers, CISOs and CEOs are all concerned about security, not only because of the cost of a breach (unavailable resources and/or money lost), but also because their company’s reputation is at risk when customer data is lost or exposed to criminals. The more media coverage a security breach receives, the greater the complexity of the malware causing it. On top of this, migrating corporate information from traditional data centers to a cloud infrastructure has significantly increased companies’ attackable surface, bringing new threats and more worries regarding the safety of the data.

The demand for hybrid cloud, a mix of public cloud services and privately owned data centers, is estimated to be growing at a compound rate of 27% a year, outpacing overall IT market growth, according to researcher Markets and Markets. The company said it expects the hybrid cloud market to reach $85 billion in 2019, up from $25 billion in 2014. (Read the full white paper here.)

This survey was conducted in October 2016 by iSense Solutions for Bitdefender on 250 IT security purchase professionals (CIOs/CEOs/ CISOs – 26 percent, IT managers/directors – 56 percent, IT system administrators – 10 percent, IT support specialists – 5 percent, and others), from enterprises with 1,000+ PCs based in the United States of America.


Razvan, a security specialist at Bitdefender, is passionate about supporting SMEs in building communities and exchanging knowledge on entrepreneurship. A former business journalist, he enjoys taking innovative approaches to hot topics and believes that the massive amount of … View Full Bio

More Insights

from Dark Reading – All Stories http://ubm.io/2kOTZZZ
via IFTTT

Report Says Death Of The Password Greatly Exaggerated

Report Says Death Of The Password Greatly Exaggerated

Passwords are far from dead – thanks to the Internet of Things, the traditional authentication mechanism will explode in the next decade,

By 2020, the exchange of data between systems will require more than 300 billion human and machine passwords to authenticate, according to a new report out today that concludes that the growth of internet of things (IoT) devices and online accounts will drive this password explosion.

In spite of some hopeful technologists’ predictions of a password-free future, the report’s authors posit that this won’t come to fruition anytime soon if at all. And in the meantime, they believe the password situation will continue to mushroom. 

“Passwords are not dead, in fact, the footprint of passwords will significantly grow over the next four years,” says Joseph Carson, a cybersecurity expert with Thycotic, which with Cybersecurity Ventures co-authored the report.

Carson points to failed predictions such as one from IBM back in 2011 that there would be no more passwords by 2016 as completely off the mark when it comes to maintaining authentication over systems today. “Some companies have supplemented with multifactor authentication such as biometrics; however, they’ve never replaced passwords,” he says. 

As Carson explains, biometrics were once lauded as the ultimate password replacement, but the more analysis that is done, the more clear it becomes that these authenticators are not a good out-and-out replacement for shared secrets.

“Biometrics will never, ever replace passwords. The main challenge is that passwords can be changed. they can be rotated, managed, and protected,” Carson says. “But if a biometric authenticator is ever compromised, you can’t ever replace it.” 

Given that and the fact that passwords are on track to continue to accumulate, it is crucial for enterprises to take stock of their password threat exposure. Just in the Fortune 500 alone, the report predicts that employees will be juggling a total of 5.4 billion password-protected accounts by 2020, with about 1.35 million privileged accounts. 

As users increasingly deal with dozens of accounts at a time, it can be easy for them to look for shortcuts in how they manage and maintain their password portfolio. Carson warns that good password hygiene is essential and that users need to be mindful of risks that they may not have considered. For example, the “social factor” of single-sign-on systems through social media accounts is putting out a tremendous volume of additional passwords that are vulnerable to theft but opaque to the user.

As Carson explains, many people mistakenly believe that when they use a social account to sign in somewhere else, this is just a one-time use password being generated. 

“However, it is actually creating a continuous connection between that vendor and your profile. and that account continues,” he says. “Those passwords are unmanaged, unchanged, and not clearly transparent to the human who owns them. That’s something that definitely needs to be addressed.

Related Content:


 


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

More Insights

from Dark Reading – All Stories http://ubm.io/2jROsjs
via IFTTT

Ugly Password Gaffe Plagues Cryptkeeper Encryption App

A longtime Debian developer has recommended that the Cryptkeeper Linux encryption app be removed from the distribution. The advice came after the disclosure of a bug where the app sets the universal password “p” to decrypt any directory created with the program.

Simon McVittie, a programmer at Collabora, confirmed the findings of researcher Kirill Tkhai, who disclosed the bug Jan. 26. McVittie said he was able to reproduce the bug in the Stretch version (Debian 9, in testing), but not in the Jessie version (Debian 8).

“I have recommended that the release team remove this package from stretch: it currently gives a false sense of security that is worse than not encrypting at all,” McVittie said in response to the original bug report. Francesco Namuri, another Debian developer, agreed the Cryptkeeper packages should be yanked from Debian.

Tkhai’s advisory said Cryptkeeper version 0.9.5-5.1 is affected. The problem appears when Cryptkeeper calls encfs, a command line interface for the encrypted file system. Encfs simulates a ‘p’ keystroke but the uses it instead as a universal password.

“It looks as though cryptkeeper makes assumptions about encfs’ command-line interface that are no longer valid,” McVittie said. “I also notice that cryptkeeper does not check what write() and close() return during its interactions with encfs, which seems very likely to lead to undesired results.”

From Tkhai’s report:

I’ve looked into cryptkeeper code and found, it calls encfs with -S option:

execlp (“encfs”, “encfs”, “-S”, crypt_dir, mount_dir, NULL);                 exit (0);

While the password is passed to encfs using pipe in this way:

// paranoid default setup mode

//write (fd[1], “y\n”, 2);

//write (fd[1], “y\n”, 2);

write (fd[1], “p\n”, 2);

write (fd[1], password, strlen (password));

write (fd[1], “\n”, 1);

But it seems it’s wrong. When I’m executing encfs program from console $ encfs -S crypt_dir mount_dir and I’m passing “p\n”, encfs exits and doesn’t wait for a password itself.

“I do not know, who is blame, cryptkeeper or encfs, and even nothing about if the interface above exists (“p\n” before the password),” Tkhai said. “But decrypting using ‘p’ password works for any encrypted directory, created using cryptkeeper. This obviously mustn’t work such way.”

from Threatpost – English – Global – thr… http://bit.ly/2kdd1WM
via IFTTT