Friday, 30 September 2016

Why cyber security doesn’t work

Ilia Kolochenko, CEO and founder of High-Tech Bridge, has an interesting article in CSO Online. It’s worth reading – but I just want to consider the first part here. He examines two sets of figures: spend on cyber security; and the losses to cyber crime. Both are rocketing: Gartner predicts a rise in spend from […]

The post Why cyber security doesn’t work appeared first on ITsecurity.

Cryptography and quantum computing

Yes, I know I complained about it at the beginning, and I’ve dealt with it elsewhere, but I suppose I really have to address it. (There actually are a number of issues about cryptography and quantum computing that the popular media never touches on.) A good deal of confusion exists about the possibility and capability […]

The post Cryptography and quantum computing appeared first on ITsecurity.

Preventing pass-the-hash via RDP with two-factor authentication

In researching pass-the-hash attacks, we discovered that when Microsoft implemented "Restricted Admin" mode they inadvertently enabled pass-the-hash attacks via RDP 8.1. Tooling for this attack is now included in Kali Linux and probably in other toolkits.

This attack shows a weakness in the design of the system. The stored credential hash exists to make the system usable (single sign-on without re-typing the password); it is a design feature, not an accident. Since Microsoft cannot remove the password from Windows, it has shipped a number of fixes, patches and configuration options that try to secure it.

Isn't it better to get rid of the password, or at least to minimise its lifetime? WiKID does this with our native AD 2FA solution: the hash is only good for the life of the passcode.

If an attacker tries to pass the hash while the admin is logged in, the admin will actually see the request for the RDP session. If the attacker waits, the hash will no longer be valid.

In the past it seemed as if the market was saying that pass-the-hash was a big problem, but that smart cards were not worth the effort and expense. Now you can have essentially the same functionality using your smartphone and WiKID for $24 per admin per year.
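The following PowerShell audit is an added example and is not code from the WiKID post. It checks the setting the post is talking about: on Windows 8.1 / Server 2012 R2 and later, a host accepts Restricted Admin RDP logons (where an NTLM hash alone is enough to connect) only when the Lsa registry value `DisableRestrictedAdmin` is 0. The script reports that state, lists recent 4624 logons whose "Restricted Admin Mode" field is set, and offers the hardened setting. It assumes the registry value name and the 4624 message field are as Microsoft documents them, that the Security log is in English (the message matching is text-based), and that it is run elevated on the RDP server being audited.

```powershell
# Added example (not from the WiKID post): audit the Restricted Admin RDP
# setting that makes pass-the-hash over RDP possible, and list recent
# Restricted Admin logons. Assumptions: value names and the 4624
# "Restricted Admin Mode" field as documented for Windows 8.1+; English-locale
# Security log; run elevated on the RDP server.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RestrictedAdminState {
    # DisableRestrictedAdmin = 0 -> Restricted Admin logons accepted (weak);
    # = 1 or value absent   -> rejected (the default on patched systems).
    $v = Get-ItemProperty -Path $LsaKey -Name 'DisableRestrictedAdmin' -ErrorAction SilentlyContinue
    if ($null -eq $v) {
        return [pscustomobject]@{ Enabled = $false; Source = 'value absent (default: off)' }
    }
    [pscustomobject]@{
        Enabled = ($v.DisableRestrictedAdmin -eq 0)
        Source  = "DisableRestrictedAdmin = $($v.DisableRestrictedAdmin)"
    }
}

function Get-RestrictedAdminLogons {
    param([int]$Hours = 24)
    # Logon type 10 (RemoteInteractive) 4624 events whose message carries
    # "Restricted Admin Mode: Yes". Account and source are pulled from the
    # "New Logon" block of the message text.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Logon Type:\s+10' -and
                       $_.Message -match 'Restricted Admin Mode:\s+Yes' } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = ($_.Message -replace '(?s).*New Logon:.*?Account Name:\s+(\S+).*', '$1')
                Source  = ($_.Message -replace '(?s).*Source Network Address:\s+(\S+).*', '$1')
            }
        }
}

function Disable-RestrictedAdmin {
    # Hardened setting: refuse Restricted Admin logons, so a hash alone no
    # longer yields an RDP session on this host.
    Set-ItemProperty -Path $LsaKey -Name 'DisableRestrictedAdmin' -Value 1 -Type DWord
}

$state = Get-RestrictedAdminState
Write-Host "Restricted Admin mode enabled: $($state.Enabled)  [$($state.Source)]"
if ($state.Enabled) {
    Write-Warning 'Pass-the-hash over RDP is possible against this host.'
    Get-RestrictedAdminLogons -Hours 24 | Format-Table -AutoSize
    # Uncomment to apply the hardened setting:
    # Disable-RestrictedAdmin
}
```

One caveat before flipping the switch: Restricted Admin mode exists so that an administrator's credentials are not sent to (and cached on) a possibly compromised RDP target. Disabling it closes the hash-only logon path described above but restores that credential exposure on the remote host, so treat it as a trade-off to record, not a free fix.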


Groundbreaking partnership between Government and tech start-ups to develop world-leading cyber security technology

A groundbreaking partnership between DCMS, GCHQ and the nation’s top tech start-ups to develop new technologies aimed at protecting the UK from cyber attacks has been announced.

Wayra UK, part of Telefónica Open Future, has been chosen to run a new cyber accelerator facility with the aim of helping UK start-ups grow and take the lead in producing the next generation of cyber security systems.

The tie-up is the first step in the development of two world-leading innovation centres as part of the Government’s £1.9bn National Cyber Security Programme.

It will see start-ups gaining access to GCHQ’s world-class personnel and technological expertise to allow them to expand capability, improve ideas and devise cutting-edge products to outpace current and emerging threats.

The facility will also fast-track new firms into the booming cyber security sector which contributed £1.8 billion in exports to the UK economy last year and grew from £17.6 billion in 2014 to almost £22 billion in 2015.

Minister of State for Digital and Culture Matt Hancock MP said:
‘We are making progress in our ambitious programme to support innovation in cyber security, grow the UK’s thriving sector and protect Britain from cyber attacks and threats. Our two new Cyber Innovation Centres will bring together government, academic and business expertise, and will be invaluable in helping support start-up companies and develop world-class cyber technology’

The accelerator will be based at a new Cheltenham Innovation Centre and is due to open around the turn of the year. A second innovation centre will open in London in 2017. The Department for Culture, Media and Sport is contributing £50m over the next five years to deliver the two innovation centres.

Gary Stewart, Director at Wayra UK and Telefonica Open Future (UK), said:

“Wayra and Telefonica Open Future are immensely proud to be working in partnership with GCHQ on bringing further growth and opportunity to the UK’s cyber security ecosystem. Our shared vision will not only safeguard the country against cyber threats but also increase opportunities for UK-based start-ups and help establish the UK as a global hub for cyber talent.”

Chris Ensor, Deputy Director for Cyber Skills and Growth, GCHQ, said:

“I’m really excited to be working with Wayra UK and the start-ups on what is a really novel project. Combining the knowledge and experience of GCHQ staff with some of the country’s newest start-ups and most creative entrepreneurs is a really powerful combination and one I’m confident will deliver benefits to the cyber security of the UK.

“Cyber security is a team sport and as threats become more prolific and more complex, we should be sharing our experiences and views because there’s so much we can learn from each other.”

David Plumb, Digital Director at O2, said:

“This is an excellent partnership and great opportunity for all of us to work together to not only support the UK economy but also encourage businesses to take a real interest and invest further in cyber-security. We’re devoted to ensuring our customers’ lives are made easy and security is a priority here.

“We’re pleased to see government investment in security, UK business nurturing and the level of expertise being shared through this partnership and I’m looking forward to seeing the benefits realised for customers.”

The post Groundbreaking partnership between Government and tech start-ups to develop world-leading cyber security technology appeared first on IT SECURITY GURU.

RiskIQ sees 130% growth in malicious mobile apps leveraging top UK brands

New research from RiskIQ, the leader in external threat management, reveals that the number of malicious apps leveraging top UK brands has grown by 130% year on year[1]. The study by RiskIQ, examined mobile apps owned by or leveraging the brands of 45 top UK companies across five vertical sectors, to give a snapshot of the threats facing UK organisations and their customers from 2015 to today[2].

RiskIQ discovered 107,367 brand-associated blacklisted apps, 43% of the total number of brand-associated apps examined and an increase of 131% over the past year. An app is blacklisted when it fails a scan by one or more of the major anti-virus vendors, or when it links to a URL or IP address that is a known source of malware.

The research was undertaken using RiskIQ’s global web crawling infrastructure and virtual user technology which inspects over 170 different mobile app stores daily, extracting and examining over 13 million mobile apps.

In addition to these malicious apps, the research also focused on the growth in the number of mobile apps, their distribution throughout the various primary and secondary app stores and the number of feral apps – mobile apps that exist on the internet but not in a recognized app store. Key findings include:

  • 248,701 brand-associated apps appeared in 2016 – the equivalent of 5,805 mobile apps on average per brand – resulting in a year on year growth of almost two-thirds (63%)
  • Each brand examined had apps in an average of 80 different app stores, an increase of 32% since 2015
  • The number of feral apps increased by 165% in the past year, with the biggest growth taking place in financial services

The research exposes a significant increase in risk to both consumers and organisations. As the mobile app store ecosystem evolves, organisations across financial services, retail, travel, media and entertainment, and gambling face a challenging future when it comes to protecting their digital assets, their brand and their customers from the impact of cybercrime.

Although there are claims that many mobile app publishers are seeing their install rates slowing[3], the risk to businesses and their customers remains very real if not managed responsibly, with mobile downloads actually set to grow through to 2020[4].

Ben Harknett, VP EMEA, RiskIQ, said, “In our connected generation, we as consumers turn to our mobile apps for banking, gaming, shopping, travel advice and even to control aspects of our home such as the temperature or lights. This growing reliance comes with an expectancy that top brands will protect our digital existence. If a customer experiences malicious activity whilst using an app they think belongs to a business, the blame is sure to be placed on the brand itself – not on the rogue app. Organisations need to know what mobile apps are out there and which are putting businesses and their customers at risk,” concluded Harknett.


[1] 2015 research undertaken in the month of June using the RiskIQ global crawling and virtual user infrastructure investigating the footprint of 45 of the top UK organisations across banking, retail, media and entertainment, travel and on-line gambling.
[2] 2016 research undertaken in the month of August using the global crawling and virtual user infrastructure investigating the footprint of 45 of the top UK organisations across banking, retail, media and entertainment, travel and on-line gambling.
[3]
[4]

The post RiskIQ sees 130% growth in malicious mobile apps leveraging top UK brands appeared first on IT SECURITY GURU.

Exploiting the firewall beachhead: A history of backdoors into critical infrastructure

There is no network security technology more ubiquitous than the firewall. With nearly three decades of deployment history and a growing myriad of corporate and industrial compliance policies mandating its use, no matter how irrelevant you may think a firewall is in preventing today’s spectrum of cyber threats, any breached corporation found without the technology can expect to be hung, drawn, and quartered by both shareholders and industry experts alike.

With the majority of north-south network traffic crossing ports associated with HTTP and SSL, corporate firewalls are typically relegated to noise suppression – filtering or dropping network services and protocols that are not useful or required for business operations.

From a hacker’s perspective, with most targeted systems providing HTTP or HTTPS services, firewalls have rarely been a hindrance to breaching a network and siphoning data.

What many people fail to realise is that the firewall is itself a target of particular interest – especially to sophisticated adversaries. Sitting at the very edge of the network and rarely configured or monitored for active compromise, the firewall represents a safe and valuable beachhead for persistent and targeted attacks.

The prospect of gaining a persistent backdoor to a device through which all network traffic passes is of immense value to an adversary – especially to foreign intelligence agencies. Just as all World War I combatant sides sent intelligence teams into the trenches to find enemy telegraph lines and splice-in eavesdropping equipment, or the tunnels that were constructed under the Berlin Wall in the early 1950s to enable U.K. and U.S. spy agencies to physically tap East German phone lines, today’s communications traverse the Internet, making the firewall a critical junction for interception and eavesdropping.

The physical firewall has long been a target for compromise, particularly for embedded backdoors. Two decades ago, the U.S. Army sent a memo warning of backdoors uncovered in the Checkpoint firewall product by the NSA with advice to remove it from all DoD networks. In 2012, a backdoor was placed in the Fortinet firewalls and products running their FortiOS operating system. That same year, the Chinese network appliance vendor Huawei was banned from all U.S. critical infrastructure by the federal government after numerous backdoors were uncovered. And most recently, Juniper alerted customers to the presence of unauthorised code and backdoors in some of its firewall products – dating back to 2012.

State-sponsored adversaries, when unable to backdoor a vendor’s firewall through the front door, are unfortunately associated with paying for weaknesses and flaws to be introduced – making the product easier to exploit at a later date. For example, it is widely reported that the U.S. government paid OpenBSD developers to backdoor their IPsec networking stack in 2001, and in 2004, $10 million was reportedly paid to RSA by the NSA to ensure that the flawed Dual_EC_DRBG pseudo-random number generator be the default in its BSAFE cryptographic toolkit.

If those vectors were not enough, as has been shown through the Snowden revelations in 2013 and the Shadow Brokers data drop of 2016, government agencies have a continuous history of exploiting vulnerabilities and developing backdoor toolkits that specifically target firewall products from the major international infrastructure vendors. For example, the 2008 NSA Tailored Access Operations (TAO) catalogue provides details of the available tools for taking control of Cisco PIX and ASA firewalls, Juniper NetScreen or SSG 500 series firewalls, and Huawei Eudemon firewalls.

Last but not least, we should not forget the inclusion of backdoors designed to aid law enforcement – such as “lawful intercept” functions – which, unfortunately, may be controlled by an attacker, as was the case in the Greek wire-tapping case of 2004-2005 that saw a national carrier’s interception capabilities taken over by an unauthorised technical adversary.

As you can see, there is a long history of backdoors and threats that specifically target the firewall technologies the world deploys as the first-pass for security to all corporate networks. So is it any surprise that as our defense-in-depth strategy gets stronger, and newer technologies maintain a closer eye on the threats that operate within all corporate networks, that the firewall becomes an even more valuable and softer target for compromise?

Firewalls are notoriously difficult to protect. We hope that they blunt the attacks from all attackers with the (obviously false) expectation that they themselves are not vulnerable to compromise. Now, as we increasingly move into the cloud, we are arguably more exposed than ever to backdoors and exploitation of vulnerable firewall technologies.

Whether tasked with protecting the perimeter or operations within the cloud, organisations need increased vigilance when monitoring their firewalls for compromise and backdoors. As a security professional, you should ensure you have a defensible answer for “How would you detect the operation of a backdoor within your firewall?”

The post Exploiting the firewall beachhead: A history of backdoors into critical infrastructure appeared first on IT SECURITY GURU.

Almost half of NHS Trusts do not monitor cloud app use, Netskope FOI request finds

Today Netskope, the leader in cloud security, announces the result of a Freedom of Information (FOI) request into cloud app use in the NHS, which found that almost half of Trusts do not monitor cloud app use by employees.

This new data was obtained by a FOI request, issued to 80 of the UK’s Acute NHS Trusts, with 43 organisations responding. Based on those responses, over half of NHS Trusts (53 per cent) believe all unsanctioned cloud apps are completely blocked, yet at the same time fewer than one in five NHS Trusts (19 per cent) confirmed that all cloud app use is monitored.

Taken together, these findings highlight the possibility of risk arising from a belief that all cloud app use has been blocked. Without ongoing monitoring, there is still a risk that sensitive data are being uploaded and/or shared via cloud apps being downloaded and used without IT’s permission.

This suspected lack of visibility into cloud app use was borne out by the other findings from the FOI request. For example, 30 per cent of respondents were unsure how many cloud apps – both sanctioned and unsanctioned – were used by employees. While a further 35 per cent were able to pinpoint a specific number of cloud apps in use, the figures given were extremely low at an average of just 10.4 cloud apps per NHS Trust. This is compared to the 824 cloud apps found on average in organisations across EMEA by the latest Netskope Cloud Report. The low figures given for cloud app use continue to suggest that NHS Trusts have very limited visibility into the cloud apps used by employees and therefore may also have restricted visibility into the data being uploaded/shared through cloud apps.

The findings revealed that this lack of visibility into cloud app use may be creating a certain level of complacency amongst NHS Trusts. Despite just 19 per cent of NHS Trusts monitoring all cloud app use, 35 per cent stated that absolutely no cloud apps were in use. Many Trusts assume staff are not using unsanctioned cloud apps but do not monitor use to guarantee this fact. This unfounded confidence is highlighted further by the fact that 75 per cent of the NHS Trusts that did not know whether they monitor cloud app use also stated that absolutely no cloud apps are in use.

Highlighting the potential threats posed by cloud app use, recent Netskope research found that, on average, 26 pieces of malware are found in cloud apps across a given organisation and 43.7 per cent of this malware has delivered ransomware. In addition, with the EU General Data Protection Regulation due to take effect in May 2018, Netskope research has identified that 75.4 per cent of apps in use are not GDPR ready.  Despite the potential threats of unchecked cloud app use, almost half of all NHS Trusts (47 per cent) do not monitor all cloud app use by employees while more than one third (35 per cent) do not block unsanctioned cloud apps.

Commenting on these findings, Jonathan Mepsted, managing director UK at Netskope, says:

“While the NHS has shown great commitment to digitally transforming the patient experience, our data shows a concerning lack of awareness – both in terms of the potential security threats stemming from the cloud and also the data being stored and shared by employees through cloud apps. Given the NHS deadline to go paperless by 2020 and the resulting push towards a digital-first strategy, NHS Trusts will need to ensure the correct security controls are in place in order to remain vigilant to the possible threats posed by cloud apps and take proactive measures to secure data in the cloud.

“Although apps offer significant productivity benefits, when left unchecked they can also pose serious risks for organisations such as fines for non-compliance and reputational damage. The healthcare sector in particular handles a huge cross-section of sensitive data, including large amounts of personally identifiable information relating to citizens’ health. It is absolutely vital that this sensitive data is kept secure. An appropriate strategy around cloud app use is a vital piece of this security issue.

“With a growing appetite for sensitive medical data amongst cyber criminals, the healthcare industry needs to respond by ensuring IT teams have the tools they need not only to have visibility into employee app use and activity, but also to have deeper intelligence, protection, and remediation that can help them stop malware in its tracks. As the cloud threat landscape becomes increasingly complicated, steps must be taken to ensure that patient privacy and security remain a top priority.” 


Netskope issued a Freedom of Information (FoI) request to 80 UK Acute NHS Trusts, asking the following questions:

  1. Do you block the use of cloud apps not officially purchased or sanctioned by your department’s IT team? (Cloud apps are apps such as Dropbox, Box, Google Drive, iCloud, WeTransfer, etc., which operate in the cloud and therefore do not necessarily need to be downloaded to a PC/laptop/mobile device to be used.)
  2. How many cloud apps are in use by employees in your department? Please include both those apps purchased or sanctioned by IT, and unsanctioned apps i.e. used by employees without IT’s permission. (If you do not know whether/how many unsanctioned apps are in use, please state this and provide the number of sanctioned/authorised cloud apps.)
  3. Do you monitor cloud app use by employees in either sanctioned or unsanctioned apps, for example by monitoring what data are uploaded and/or shared using cloud apps?

NB: Netskope received responses from 43 of the 80 NHS Trusts.

The post Almost half of NHS Trusts do not monitor cloud app use, Netskope FOI request finds appeared first on IT SECURITY GURU.

Researchers Think the Same People Hacked the DNC and MH17 Journalists

One of the security companies that claimed Russian hackers were responsible for the Democratic National Committee (DNC) email leaks has now suggested that the same hackers attacked journalists investigating the MH17 crash.

The post Researchers Think the Same People Hacked the DNC and MH17 Journalists appeared first on IT SECURITY GURU.

Finding the Next iPhone Hack Could Net You $1.5 Million

Cracking the iPhone might be harder to do these days, but that only makes it more valuable. On Thursday, exploit vendor Zerodium announced they were tripling their bounty for a zero-day hack of Apple’s iOS 10, offering a new maximum payout of $1.5 million.

The post Finding the Next iPhone Hack Could Net You $1.5 Million appeared first on IT SECURITY GURU.

Researchers Shoot Down Yahoo Claim Of Nation-State Hack

InfoArmor says the attackers who stole a half-billion Yahoo user accounts were seasoned cybercriminals who later sold the booty to an Eastern European nation-state.

The post Researchers Shoot Down Yahoo Claim Of Nation-State Hack appeared first on IT SECURITY GURU.

Pentagon’s 5,000-Strong Cyber Force Passes Key Operational Step

A 5,000-person Pentagon force created to bolster military computer networks and initiate cyber attacks against terror groups should be ready to carry out its mission by the end of the week, a key step in improving the U.S.’s ability to respond to hacks by overseas adversaries.

The post Pentagon’s 5,000-Strong Cyber Force Passes Key Operational Step appeared first on IT SECURITY GURU.

Banking Trojan GozNym botnet sinkholed after infecting over 23,000 victims in UK, US and Europe

A botnet leveraged by the prolific banking Trojan GozNym has been sinkholed, after infecting over 23,000 victims across the UK, the US and Europe. Security researchers were able to crack the domain generation algorithm (DGA) that the GozNym malware uses to locate its command and control (C&C) servers, which in turn allowed the botnet to be brought down.

ORIGINAL SOURCE: International Business Times

The post Banking Trojan GozNym botnet sinkholed after infecting over 23,000 victims in UK, US and Europe appeared first on IT SECURITY GURU.

Thursday, 29 September 2016

Does your personality make you more likely to get hacked?

Released on the eve of National Cyber Security Awareness Month, a new survey from LastPass, makers of the world’s most popular password manager, explores the intersection of consumer psychology, behaviour and attitudes when it comes to personal passwords.

Despite high-profile, large-scale data breaches dominating the news cycle – and repeated recommendations from experts to use strong passwords – the study’s findings reveal that consumers have yet to adjust their own behaviour when it comes to password reuse.

The survey, which polled consumers across the United States, Germany, France, New Zealand, Australia and the United Kingdom, highlights the psychology around why consumers develop poor password habits despite understanding the obvious risk, and suggests that there is a level of cognitive dissonance around our online habits.

Password Paradox: You know it’s bad but you do it anyway

  • 95% of respondents recognise the characteristics of a strong password but 47% use their initials, friends or family names, 42% use significant dates and numbers and 26% use pet names. – This information is easily obtainable through social media sites or a casual acquaintance
  • 91% know there is a risk when reusing passwords but 61% continue to do so
  • Only 29% of consumers change their passwords for security reasons – the #1 reason people change passwords is because they forgot it (46%)
  • 69% of respondents prioritised their financial accounts over retail (43%), social media (31%) and entertainment (20%) – If passwords are being reused across accounts, cybercriminals who hack a lower-prioritised account can easily gain access to something that is more critical, like a savings or credit card account
  • More than a third (39%) of respondents said they create more secure passwords for personal accounts over work accounts

Your personality will determine why – but not how – you get hacked 

Based on extensive personality questioning, the 2000 global respondents were placed into two categories.

  • Personality types don’t seem to impact our online behaviour, but they do drive our rationalisations of poor password habits:

Type A personalities’ bad password behaviour stems from their need to be in control. Even though they reuse passwords, they don’t believe they are personally at risk because of their own organised system and proactive efforts.

  • 35% reuse passwords so they can remember them
  • 49% have a personal system for remembering passwords
  • 2/3 are proactive to help keep personal info secure
  • 86% believe a strong password makes them feel like they’re protecting their family

Type B personalities rationalise their bad behaviour by convincing themselves that their accounts are of little value to hackers. This enables them to maintain their casual, laid-back attitude toward password security.

  • 45% think they’re not worth a hacker’s time
  • 43% choose an easy to remember password over a secure one
  • 50% limit online activity due to fear of a breach
  • 86% feel other things apart from a weak password could compromise online security

“Developing poor password habits is a universal problem affecting users of any age, gender or personality type,” says Joe Siegrist, VP and GM of LastPass. “Most users admit to understanding the risks but continue to repeat the behaviour despite knowing they’re leaving sensitive information vulnerable to potential hackers. In order to establish more effective defences, we need to better understand why individuals act a certain way online and a system that makes it easier for the average user to better manage their password behaviour.”

The post Does your personality make you more likely to get hacked? appeared first on IT SECURITY GURU.

Survey reveals only 50% of UK technology decision-makers use data encryption in their companies

PKWARE, a global leader in encryption software, today releases the results of a survey that examines the data security knowledge and best practices of UK-based technology decision-makers. The survey suggests that nearly a quarter of tech senior decision-makers in the UK don’t fully understand what encryption is. *

This number increases to 40% in the retail sector and half in the healthcare sector. Overall, only 50% of respondents said they encrypt their customer data.

“These results are mind boggling,” said Miller Newton, CEO of PKWARE. “It’s hard to believe how many companies are still scraping by with such lax security when handling their customers’ valuable data. Just being compliant with basic security regulations isn’t enough anymore. As demonstrated by numerous high profile cyber-attacks, organisations need to encrypt their data and have foolproof security measures in place.”

Additionally, the survey revealed that 40% of UK tech senior decision-makers agree with the Investigatory Powers Bill, which would allow the government to bypass encryption. This demonstrates a lack of understanding of what encryption is and why it should be used.

Additional findings from the survey include:

  • Less than half of all tech decision-makers train their staff in security measures.
  • Only 40% of companies implement a clean desk policy – a move which doesn’t require any investment.
  • Only 35% of tech decision-makers think their staff definitely knows enough about data security and encryption to avoid a cyber-attack.

*According to the results of a survey of 250 senior technology decision-makers conducted by CensusWide on behalf of PKWARE in August 2016.

The post Survey reveals only 50% of UK technology decision-makers use data encryption in their companies appeared first on IT SECURITY GURU.

98 per cent hoodwinked as phishing challenge indicates SMEs at risk

Results of a survey challenging respondents to spot fake emails used for phishing have indicated that a massive 98% of respondents (including a number of IT professionals) failed to recognise email phishing attempts.

The focused survey, ‘Real or Steal’, conducted last week by leading London-based IT services company Conosco, targeted a group of senior individuals across a range of SME companies, to gauge how well this ‘IT savvy’ group could identify increasingly sophisticated hacking attempts. 70% got more than half the answers right but only 6% (2 people) managed 100% success, indicating that businesses remain exposed to risk. In fact, lack of staff awareness/training was highlighted as a significant security concern.

The Real or Steal challenge involved participants judging a series of emails and trying to decide whether or not each email was genuine. Out of the examples, most people (93%) correctly identified a PayPal email as being fake.  This suggests that either they are already wary of fake PayPal messages or that they are more suspicious when money is mentioned in an email. On the other hand, most participants were fooled by a phony LinkedIn message, with 63% getting it wrong, possibly indicating that when money is not explicitly involved barriers are lowered and complacency rises.

Phishing is an increasingly worrisome problem, particularly in the UK, as the annual Internet Security Report from Symantec (April 2016) points out.  In the report, the UK was ranked as ‘the most targeted nation for spear phishing attacks and ransomware in 2015’.  Experts believe that SMEs are fast becoming the favoured targets of phishers as they often are perceived as ill-prepared or under-trained.  This is backed up by the latest Government Security Breaches Survey, which found that nearly three-quarters (74%) of small organisations reported a security breach in the last year; an increase on both the 2013 and 2014 surveys.

Max Mlinaric, Managing Director for Conosco said, “When there is a security breach in blue chip companies you tend to hear of it, and can wrongly assume large companies are most commonly targeted.  SMEs often present easier pickings for the hackers, as IT skills, security levels, awareness and sometimes personnel training are sometimes lower than in large companies which have deeper pockets.  It is crucial that SMEs ensure their IT is as secure as possible, that complacency is battled and their staff are regularly trained in resisting phishing attempts.”

The issue of cyber security for small businesses has been given even greater focus by new European Data Protection regulations which will come into force in 2018.  Companies could be fined up to €20m or 4% of their annual turnover, whichever is greater, for allowing any security breaches to compromise their customer data.  (Although it’s worth noting that this is subject to change depending on how Brexit policies proceed.)

To view tips on how to detect potential phishing emails view

What is phishing?

*CERT UK’s definition of phishing “is a particular type of email scam, whereby victims are targeted from seemingly genuine persons or services, with the aim of tricking the recipient into either providing personal details or clicking on something that will allow the attacker to do something you may not be aware of.  Spear phishing is a more targeted version of this attack and is often directed at specific people or organisations as opposed to the more blanket campaigns associated with phishing. Some examples might include:

  • An email claiming to be from a bank requesting you log in to verify your account due to fraudulent activity that has taken place; a link provided will direct to a website that looks similar to the genuine site which logs your genuine details once inputted
  • An email stating that you have been charged for a service you didn’t use, with an attached document that is supposed to be an invoice; upon opening the attachment malicious code then installs on the computer without the user’s knowledge
  • An email that appears to come from a high ranking person within your own organisation that requests a payment is made to a particular bank account; this is more commonly associated with spear phishing”

The post 98 per cent hoodwinked as phishing challenge indicates SMEs at risk appeared first on IT SECURITY GURU.

NHS Digital aims to put healthcare on firm cyber security footing

NHS Digital set to work closely with National Cyber Security Centre (NCSC) to boost healthcare sector cyber security capabilities.

ORIGINAL SOURCE: Computer Weekly

The post NHS Digital aims to put healthcare on firm cyber security footing appeared first on IT SECURITY GURU.

Yahoo CEO questioned by senators over timeline of data breach

Senate Democrats on Tuesday asked Yahoo for answers about its handling of the recently revealed data breach that resulted in more than 500 million accounts being compromised by hackers.

ORIGINAL SOURCE: Washington Times

The post Yahoo CEO questioned by senators over timeline of data breach appeared first on IT SECURITY GURU.

FBI reports more attempts to hack voter registration system

The U.S. Federal Bureau of Investigation has found more attempts to hack the voter registration systems of states, ahead of national elections. The agency had reportedly found evidence in August that foreign hackers had breached state election databases in Illinois and Arizona, but it appears that there have been other attempts as well, besides frequent scanning activities, which the FBI describes as preludes to possible hacking attempts.

The post FBI reports more attempts to hack voter registration system appeared first on IT SECURITY GURU.

More privacy problems for WhatsApp

On August 25, WhatsApp published a blog post detailing its new terms of use. These types of posts rarely generate buzz, but this post detailed end-to-end encryption, exploration of business, and connecting your phone number with Facebook’s systems.

The post More privacy problems for WhatsApp appeared first on IT SECURITY GURU.

Malware Uses Word Puzzles to Derive C&C Server IP Address

Malware authors can be quite creative when it comes to avoiding security researchers, but after almost three decades of malware analysis, there still are malware families that manage to surprise infosec professionals once in a while.

The post Malware Uses Word Puzzles to Derive C&C Server IP Address appeared first on IT SECURITY GURU.

Are Wikileaks and ransomware the precursors to mass extortion?

Despite Julian Assange’s promise not to let Wikileaks’ “radical transparency” hurt innocent people, an investigation found that the whistleblowing site has published hundreds of sensitive records belonging to ordinary citizens, including medical files of rape victims and sick children.

The idea of having all your secrets exposed, as an individual or a business, can be terrifying. Whether you agree with Wikileaks or not, the world will be a very different place when nothing is safe. Imagine all your emails, health records, texts and finances open for the world to see. Unfortunately, we may be closer to this than we think.

If ransomware has taught us one thing it’s that an overwhelming amount of important business and personal data isn’t sufficiently protected. Researcher Kevin Beaumont says he’s seeing around 4,000 new ransomware infections per hour. If it’s so easy for an intruder to encrypt data, what’s stopping cybercriminals from publishing it on the open web?

There are still a few hurdles for extortionware, but none of them are insurmountable:

  1. Attackers would have to exfiltrate the data in order to expose it.

Ransomware encrypts data in place without actually stealing it. Extortionware has to bypass traditional network monitoring tools that are built to detect unusual amounts of data leaving their network quickly. Of course, your files could be siphoned off slowly at this very moment disguised as benign web or DNS traffic.

  2. There is no central “wall of shame” repository like Wikileaks.

If attackers teamed up to build a searchable central repository for extorted data, it’d make the threat of exposure feel more real and create a greater sense of urgency.

  3. Maybe ransomware pays better.

Some suggest that the economics of ransomware are better than extortionware, which is why we haven’t seen it take off. On the other hand, how do you recover when copies of your files and emails are made public? Can the DNC truly recover? Payment might be the only option, and one big score could be worth hundreds of ransomware payments.  

So what’s preventing ransomware authors from trying to do both? Unfortunately, not much. They could first encrypt the data, then try to exfiltrate it. If they get caught during exfiltration, it’s not a big deal: they just pop up the ransom notification and claim their BTC.

Ransomware has proven that organizations are definitely behind the curve when it comes to catching abnormal behavior inside their perimeters, particularly on file systems. I think the biggest lesson to take away from Wikileaks, ransomware, and extortionware is that we’re on the cusp of a world where unprotected files and emails will regularly hurt businesses, destroy privacy, and even jeopardize lives (I’m talking about hospitals that have suffered from cyberattacks like ransomware).

If it’s trivially easy for noisy cybercriminals that advertise their presence with ransom notes to penetrate and encrypt thousands of files at will, the only reasonable conclusion is that more subtle threats are secretly succeeding in a huge way.  We just haven’t realized it yet . . . except for the U.S. Office of Personnel Management. And Sony Pictures. And Mossack Fonseca. And the DNC . . .
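The "siphoned off slowly" point in the first hurdle above is exactly the case a per-minute volume threshold misses. As an added example (not code from the original post), the Python below runs a naive rate threshold and a whole-window, per-host and per-domain aggregation over a constructed DNS query log; the hosts, the `telemetry.invalid` domain and every threshold value are assumptions for illustration.

```python
"""Low-and-slow DNS exfiltration detection (added example, not from the post).

Assumed log format: one query per line, "ISO-timestamp src_ip qname".
Thresholds are illustrative placeholders, not tuned production values.
"""
import hashlib
import math
from collections import defaultdict
from datetime import datetime, timedelta


def shannon_entropy(s: str) -> float:
    """Bits per character of a label; encoded payload looks random, hostnames do not."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude last-two-labels split (a public-suffix list would be used in practice)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse(line: str):
    ts, ip, qname = line.split()
    return datetime.fromisoformat(ts), ip, qname.rstrip(".")


def naive_rate_alert(lines, bytes_per_minute: int = 2000):
    """Traditional check: bytes of query names per (host, minute) over a threshold."""
    per_minute = defaultdict(int)
    for line in lines:
        ts, ip, qname = parse(line)
        per_minute[(ip, ts.strftime("%Y-%m-%dT%H:%M"))] += len(qname)
    return sorted({ip for (ip, _), b in per_minute.items() if b > bytes_per_minute})


def low_and_slow_alert(lines, min_total_bytes=1500, min_unique=20, min_entropy=3.0):
    """Aggregate over the whole window per (host, registered domain).

    Flags when the cumulative leftmost-label bytes, the number of distinct
    labels and their mean entropy all look like encoded data rather than
    ordinary hostnames, regardless of how slowly the queries were spread out.
    """
    stats = defaultdict(lambda: {"bytes": 0, "labels": set(), "ent": []})
    for line in lines:
        _, ip, qname = parse(line)
        left = qname.split(".")[0]
        s = stats[(ip, registered_domain(qname))]
        s["bytes"] += len(left)
        s["labels"].add(left)
        s["ent"].append(shannon_entropy(left))
    alerts = []
    for (ip, dom), s in stats.items():
        mean_ent = sum(s["ent"]) / len(s["ent"])
        if (s["bytes"] >= min_total_bytes and len(s["labels"]) >= min_unique
                and mean_ent >= min_entropy):
            alerts.append((ip, dom, s["bytes"], round(mean_ent, 2)))
    return sorted(alerts)


def build_sample_log():
    """Constructed 24-hour log: routine lookups from 10.0.0.5 and, from 10.0.0.7,
    one 60-byte hex chunk every six minutes to the placeholder telemetry.invalid."""
    start = datetime(2016, 9, 30, 0, 0)
    benign = ["www.example.com", "mail.example.com", "cdn.example.net", "api.example.org"]
    lines = []
    for i in range(288):  # every 5 minutes
        ts = start + timedelta(minutes=5 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 {benign[i % len(benign)]}")
    for i in range(240):  # every 6 minutes, well under any per-minute threshold
        ts = start + timedelta(minutes=6 * i)
        chunk = hashlib.sha256(str(i).encode()).hexdigest()[:60]  # stands in for encoded data
        lines.append(f"{ts.isoformat()} 10.0.0.7 {chunk}.telemetry.invalid")
    return sorted(lines)


if __name__ == "__main__":
    log = build_sample_log()
    print("per-minute threshold flags:", naive_rate_alert(log))   # prints []
    print("whole-window aggregation flags:", low_and_slow_alert(log))
```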

The post Are Wikileaks and ransomware the precursors to mass extortion? appeared first on IT SECURITY GURU.

UK ITDMS demand government action on STEM in Brexit wake

New research commissioned by IP EXPO Europe, Europe’s number one enterprise IT event, today reveals that 23% of UK IT decision makers (ITDMs) identified STEM and the need for young IT talent as one of the main technology issues for enterprises in 2017. Over half (55%) of respondents currently believe the lack of young talent at their organisation is an issue; a rising concern with 26% stating they are more worried about not having enough young talent in the workforce now than 12 months ago.

In light of this, ITDMs are calling for Government action to help. 70% believe the UK Government should be doing more to encourage students and young people to enter technology professions. In fact, over a third (35%) are demanding more direct investment to solve the issue. With 27% claiming that the recent Brexit vote could lead to a skills shortage of qualified IT professionals, immediate action was demanded to address the situation.

Bradley Maule-ffinch, Director of Strategy for IP EXPO Europe, comments “For the last couple of years the lack of STEM skills has been a key area for debate throughout the IP EXPO series of events. The research results show that the recent Brexit vote has exacerbated the concern over the available talent pool. For all of our exhibitors at this year’s IP EXPO Europe, having access to top IT talent is critical for the evolution and success of their businesses. This year, we’re working with a number of companies, including HPE, to further the discussion on what can be done to address the skills gap, boost STEM skills in the UK and future proof the UK IT industry.”

Respondents identified cyber security (27%) and coding (27%) as the STEM skills they believed would be most in demand in the future, with AI coming in at 15%. Interestingly, DevOps skills came in at just 4%, and despite 22% identifying big data and data analytics as a major technology trend for 2017, only 9% thought that these skills would be in demand in the future.

It’s not simply a lack of skilled individuals that causes this ongoing STEM problem: 41% of ITDMs believe that today’s graduates lack baseline experience such as apprenticeships and work-study, and 34% believe that graduates arrive with obsolete knowledge because school curricula are failing to keep up with the technology used in the enterprise. As a result, 30% of respondents claim that graduates just aren’t technically minded enough. Organisations are clearly attempting to plug the gaps, with 53% of ITDMs spending between 4 and 10 hours on training each of their young employees.

Marc Waters, Managing Director of Hewlett Packard Enterprise in the UK and Ireland: “With the UK facing an ever-growing digital skills gap, Hewlett Packard Enterprise recognises the role that the government and the industry have to play in inspiring and educating our youth on technology. This is why we are committed to play our part through our traineeship programs in-house, but also through supporting initiatives such as TechFutureGirls, that aim to encourage more girls to develop their digital skills and consider further education or a career in technology”.

Eddy Pauwels, SVP Sales & Marketing at Clarive: “I believe over the years Europe has been following the American/specialisation model too heavily. It would be better to ensure the STEM skills contain enough level of abstraction and broad scope in such a way that students are able to easily make the translation from something they know to something new. Too much specialisation leads to silo mentality which has a negative influence on collaboration/coordination and, in the end, customer satisfaction and quality.”

Michael Hack, SVP of EMEA Operations at Ipswitch: “A recent survey that Ipswitch conducted provides some insight into why there might be cause for concern about STEM skills for both the current IT workforce and the next generation. Survey results found that two thirds of IT professionals felt that an increasingly complex IT infrastructure was making it more difficult to do their jobs. The results also highlighted concerns about losing control of their company’s IT environment in the face of the new technologies, devices and compliance requirements. These findings potentially point to a need for more education amongst IT professionals, both those currently in the field and those entering IT, in order to help them keep up with the fast-paced changes in IT systems, laws and technologies. However, the research also highlights a need for companies to equip their employees with IT solutions that help enhance their skills and conquer the increasingly complex world of IT.”

Ojas Rege, Chief Strategy Officer at MobileIron: “If the battle for engineering talent in the technology sector is any indicator, there is a shortage of STEM skills, especially for emerging technologies such as mobile and cloud. But technical skills are only the tip of the iceberg. Entrepreneurial thinking, curiosity, and enthusiasm for innovation are what will ultimately determine whether we as an industry can solve the big, persistent challenges facing the UK and the world. Growing these skill sets starts by rethinking engagement and how problem solving is taught in the classroom. Traditional methods of teaching rote memorisation don’t instill curiosity and problem solving, but rather how to remember facts. There is an opportunity to flip education on its head by having students spend their “homework hours” studying and their “classroom hours” engaging with students, getting coaching, and working through how to solve problems together.”

To register for IP EXPO Europe 2016 (5th – 6th October, Excel London)  for free please visit where you can also find additional information about this year’s keynote and seminar sessions, including speaking times. Find us on Twitter and join the discussion using #IPEXPO.

The post UK ITDMS demand government action on STEM in Brexit wake appeared first on IT SECURITY GURU.

Tuesday, 27 September 2016

Nintendo NX to be a turning point for console gaming?

The last two generations of video game consoles have seen more than their usual share of controversy. Gaming is often a controversial medium socially, ethically and economically, but more recently the controversy has been coming from within; from gamers themselves. In the PS3/Xbox360 and PS4/Xbox One generations, many gamers and critics have been remarking that […]

The post Nintendo NX to be a turning point for console gaming? appeared first on ITsecurity.

Quantum computing and access control

The posited pattern matching capabilities of quantum computing may have a couple of different applications in access control. Biometrics would likely benefit from improved abilities to match and compare. At the moment we don’t actually compare, for example, the fingerprint originally registered with the fingerprint presented. Biometric matching must be done on the basis of […]

The post Quantum computing and access control appeared first on ITsecurity.

High-growth security management vendor forges ahead with new CEO at the helm

FireMon, the market leader in security management and risk assessment software, has today announced the appointment of Satin H. Mirchandani as President & CEO. Satin will lead the company as it continues to grow faster than the market and increase the already substantial enterprise customer list.

“FireMon created the network security policy management market and continues to lead through innovation and a strong focus on customer satisfaction. The talent, professionalism, and discipline I’ve seen the team demonstrate are instrumental to the ability to execute quickly and accurately.  It’s no surprise FireMon is experiencing double-digit growth in all regions and renewal rates greater than 90%.  These numbers highlight both the current momentum and the future opportunity,” said Mirchandani.

Mirchandani’s goals for global growth are focused on creating the footprint and resources of a local company in each major market, as well as a continued commitment to FireMon’s channel partners. “My first enterprise software experience was with a company that focused on the IT channel (VARs, distributors) – I learned the unique value of a trusted advisor who is a domain expert,” Mirchandani continued. “For many customers—and, in security specifically —the channel is simply irreplaceable.  FireMon is fortunate to have partnered with the best of the best.  As such, I intend to continue investing heavily in the education, enablement and growth of our channel partners.”

An industry veteran, Mirchandani credits his days with McKinsey and Company for giving him a passion for “identifying and solving complex problems that are mission critical to customers,” which is a perfect fit for FireMon’s mission and focus.  His track record as founder, CEO and technology executive includes leading MessageOne and MD Buyline to successful exits, serving as VP of Global Services at Dell, and driving the IPO process for

The post High-growth security management vendor forges ahead with new CEO at the helm appeared first on IT SECURITY GURU.

Yahoo! data dump indicates need for web monitoring

Auriga, specialists in cyber security, technology and risk management, today warned that the time taken between detection and response, as evidenced in the Yahoo! data breach, is creating an open window of compromise. The Yahoo! data breach saw 500 million accounts compromised back in 2014 with the data then posted for sale on a dark web site called The Real Deal. Yahoo! only discovered the breach after investigating a separate incident in August and chose not to disclose the breach for two months, creating a window of opportunity for hackers to sell on and exploit user credentials. The wider application of web monitoring solutions could help lessen this threat by closing the gap between detection and disclosure and diminishing returns for the malicious parties involved.

Organisations should be monitoring both the surface and deep web for indications of compromise. The deep web accounts for 96 percent of all web traffic and is not indexed by search engines, effectively hiding it from view. The dark web is a subset of the deep web and comprises unregulated community sites, websites called .onions, as well as black markets accessed via TOR anonymising software.

The threat posed by web data disclosure has been acknowledged by the Information Commissioner’s Office (ICO), which broke out cyber incidents for the first time in its data security incident trends analysis in June 2016. According to ICO figures, there were 50 cyber incidents during the first quarter of 2016, making this the fourth most common type of breach. Of these, thirteen incidents were attributed to exfiltration, i.e. the transfer of stolen data to another locale, while six were recorded where data had been detected on Pastebin. Monitoring legitimate surface sites such as Pastebin for evidence of corporate assets is a relatively simple way to increase vigilance, and hackers will often use other surface web sites to publicise attacks, as in the case of the Ashley Madison attack, which was announced over Reddit.

Detection and remediation of both surface and deep web sites is now possible using the next generation Security Operations Center (SOC). The Compass SOC can use various search criteria to monitor external networks, such as references to company names, intellectual property and user credentials, but it can also factor in other variables. For instance, in the case of Yahoo!, the imminent merger with Verizon would have heightened the threat level to the company, altering the search criteria. Following detection, the organisation is then able to swiftly take action to minimise the effects of the attack, put security controls in place and inform and guide the user base.

“The Yahoo! data breach joins the league of mega breaches such as Home Depot, Target and eBay all of which were tardy in both detecting and disclosing the compromise of user data. There has to be both more proactive external monitoring and better systems in place internally for communicating and acting on this information and that means using intelligent security solutions that are capable of policing networks and looking for indicators of anomalous or malicious activity,” said Louise T. Dunne, CEO, Auriga. “A next generation SOC is able to search those resources but crucially it also takes into account those business activities or geopolitical events that are going to have repercussions for the organisation, helping create a context-based search that really could shorten the timeframe between discovery and disclosure.”

The post Yahoo! data dump indicates need for web monitoring appeared first on IT SECURITY GURU.

Older and wiser? Kaspersky Lab report shows online habits of over-55s

The latest research from Kaspersky Lab and B2B International has raised concerns about the safety of over-55s online. The findings of the research, in a report entitled ‘Older and wiser? A look at the threats faced by over-55s online’, demonstrate that this age group can behave insecurely online and often become victims of fraud.

The research, which questioned 12,546 Internet users across the globe, suggests that the older generation is a very attractive target for cybercriminals. When they are online, many over-55s shop, bank and communicate with loved ones without effectively protecting themselves, and the things that are most important to them, from cybercriminals.

Despite the fact that this age group is more likely to install security software on their computers, they are less likely to protect their mobile devices or amend their behaviour online to stay safe. For example, they use high privacy settings on social media and in their browser less than other age groups (30 per cent vs. 38 per cent). They are also unlikely to use the security functions that come with their devices (such as ‘find my device’) or VPN – 28 per cent and ten per cent respectively compared to 42 per cent and 16 per cent respectively of users across all ages. When sharing information, only 35 per cent double-check messages before sending and only 16 per cent avoid sharing information when tired (versus 44 per cent and 31 per cent among the youngest respondents).

The older generation is using the Internet for many aspects of their lives and increasing their vulnerability to cybercriminals as they continue to browse online without taking precautions. They are using the Internet to communicate with others – 94 per cent of over-55s email regularly. They are also going online to complete day-to-day tasks. This age group is more likely than others to conduct financial transactions over the Internet, with 90 per cent of over-55s shopping and banking online (compared to an average 84 per cent of users across all age groups).

Yet despite all of this, only half of over-55s (49 per cent) worry about their vulnerability when purchasing products online, and the vast majority (86 per cent) do not believe they are a target for cybercriminals. Worryingly, four in ten (40 per cent) have put themselves at risk by sharing financial details in the public domain (compared with 15 per cent across all age groups).

Their lack of cyber-savviness is making over-55s less prepared for the dangers of the online world. As a result, this generation is being victimised by cybercriminals. According to the report, 20 per cent of Internet users overall have older relatives that have encountered malicious software, and 14 per cent have older relatives that have fallen for fake prize draws online. In addition, 13 per cent have older relatives that have shared too much personal information about themselves online and 12 per cent have older relatives that have become the victim of an online scam, seen inappropriate/explicit content, or communicated with dangerous strangers online.

Andrei Mochola, Head of Consumer Business at Kaspersky Lab, says, “On the one hand, it’s great to see that so many over-55s are using the Internet to shop, bank and stay connected with loved ones. The report clearly shows that this generation is embracing a connected life and all of the opportunities that come with it. On the other hand, however, it’s clear that the over-55s are not doing enough to protect themselves properly. Worryingly, they don’t even believe they are a target for cybercriminals, but they are putting themselves in danger time and again.

“At Kaspersky Lab, we are urging older Internet users to become more aware of the dangers they face online and to act in a more cyber-savvy manner. We are also encouraging younger Internet users to help their older relatives and friends to better protect themselves from the very real threats posed by cybercriminals. Being vigilant online, as well as installing reliable security solutions and ensuring high privacy settings on all devices used to access the Internet, will ensure a happy and healthy connected life,” he concludes.

The post Older and wiser? Kaspersky Lab report shows online habits of over-55s appeared first on IT SECURITY GURU.

Research Shows Digital Hoarding Behaviour is Pervasive, with Employees Willing to Give up Almost Anything but Their Data

Veritas Technologies, the leader in information management, today released research showing that 82 per cent of IT decision makers admit they are hoarders of data and digital files. Following its Data Genomics* project that analysed tens of billions of files and their attributes from many of its customers’ unstructured data environments, Veritas conducted a study to analyse the data storage habits of IT decision makers and global office professionals.

The research, commissioned by Veritas, was conducted among 10,022 global office professionals and IT decision makers to look into how individuals manage data. Significant concerns regarding data hoarding were highlighted, with 73 per cent of all respondents indicating that they store data that could be potentially harmful to their organisations. These include: unencrypted personal records, job applications to other companies, unencrypted company secrets and embarrassing employee correspondence.

Major issues highlighted in the research include:

The Digital Hoarding Struggle is Real

The findings highlighted that IT decision makers are hoarding their digital files and saving 54 per cent of all the data they create. In addition, 41 per cent* of all digital files created go unmodified for three or more years. While this indicates that data hoarding behaviour is common across organisations, many office professionals (48 per cent) admit that they wouldn’t trust a data hoarder to turn in a project on time. Respondents are also willing to do the unexpected in order to keep the files they’ve hoarded, giving up their clothes and weekends rather than deleting their files. Almost half (45 per cent) would rather work weekends for three months than get rid of all of their digital files. Meanwhile, 46 per cent would rather throw out all of their clothes than all of their digital files. 

Employees Overwhelmed by the Deluge of Data

A significant majority of IT decision makers were overwhelmed by the extent and amount of data that they are hoarding. About three quarters of IT decision makers frequently take time away from their daily responsibilities to deal with data hoarding. In addition, 69 per cent of office pros admit to abandoning efforts to organise and delete their old digital files because it’s too overwhelming.

Employees struggle to determine if data has long-term importance or value. As a result, 47 per cent of ITDMs have heard employees say they are afraid they’ll eventually need to refer to the data again.

IT Decision Makers Admit to Storing Items that could be Harmful to the Company

The amount of data their company stores would increase the time it takes to respond to a data breach, according to 86 per cent of IT decision makers. Moreover, what is being retained could itself be harmful, with 83 per cent of IT decision makers and 62 per cent of office professionals admitting they retained items that could be detrimental to their employer or their own career prospects. These include: unencrypted personnel records, job applications to other companies, unencrypted company secrets and embarrassing employee correspondence. Personal files make up quite a bit of the “junk” saved, with 96 per cent of IT decision makers admitting to saving unnecessary personal files.

Data Hoarding Behaviour could mean GDPR Compliance Failure

In May 2018, the European parliament will implement the European General Data Protection Regulation (GDPR), a set of EU-wide laws designed to harmonise data protection across the region. Both EU-based companies and those outside doing business within are affected. With a focus on protecting EU citizens and their data from misuse and lax data security, the consequences for non-compliance are potentially huge. Maximum non-compliance fines are the higher of $22.3 million USD (€20 million) or four per cent of worldwide turnover.

“In today’s digital age, virtually every organisation struggles with the challenges brought on by exponential data growth. As a result, office professionals and IT departments have reacted by hoarding data for ‘potential’ use in the future,” said Chris Talbott, solutions leader at Veritas Technologies. “To make matters worse, employees are downloading everything from personal music and photos, to shopping lists on the same servers, which could lead to serious brand integrity issues, hefty fines and regulatory inquiries if not properly managed by the IT department.”

This research was conducted by Wakefield Research on behalf of Veritas Technologies across 13 countries and more than 10,000 office professionals and IT decision makers.
* Veritas’ 2016 Data Genomics Index here. The Data Genomics Index is the first data benchmark that accurately details real environments – from the file type composition and average age distribution, to the size proportions of their individual files. Veritas analysed tens of billions of files and their attributes from many of our customers’ unstructured data environments in 2015 to get a better understanding of what their environments really consist of. Over 8,000 of the most popular file type extensions were considered in the analysis. Generally, this data is a representative subset of the entire file system environment of a respective customer.

The post Research Shows Digital Hoarding Behaviour is Pervasive, with Employees Willing to Give up Almost Anything but Their Data appeared first on IT SECURITY GURU.

UK plc wants tougher cyber regulation and more punishment for failings

71% of UK board directors want companies to be penalised for failing to meet basic cyber security requirements, according to new research from global cyber security and risk mitigation expert NCC Group. 

In what appears to be a sea change in business opinion, over three quarters (77%) believe that regulators should take a tougher stance against companies that are found to have insufficient cyber defences. 

NCC Group commissioned research consultancy ComRes to survey 200 board directors from UK companies with over 500 employees. The Group has released its ‘Elephant in the Boardroom’ report on the day its CEO, Rob Cotton, delivers a keynote at the Institute of Directors Annual Convention on the growing cyber threat to businesses. 

Commenting on the findings, Cotton said: “Cyber security is the greatest risk facing modern business. For years it hasn’t been taken seriously enough in boardrooms across the country and while these results don’t prove that it’s now being managed appropriately, they do show that directors are realising that greater scrutiny and oversight from regulators and government will stimulate the necessary action and help drive up standards. This can only be a good thing for businesses and consumers alike.”

Elsewhere in the research, 48% of respondents see cyber threats as a bigger risk to business than market volatility. In this post-Brexit landscape this underlines that cyber security is being taken more seriously than in the past, but it still doesn’t go far enough, according to Cotton.

He continued: “We work with thousands of organisations and see up close how they manage cyber risk. Only the most mature have true board-level ownership and focus their efforts on resilience – knowing that attacks will happen and prepare accordingly. Too many companies are still adopting an ‘it won’t happen to us’ attitude and passing the risk to the IT department or outsourcing it to third parties. That could amount to negligence.”

Other findings in the report provide insight into how much directors in the UK truly engage with cyber risk. One in five respondents have not conducted a table-top cyber scenario, and 30% haven’t used or read the Government’s resources and schemes to help businesses defend against cyber attacks – such as the 10 Steps To Cyber Security guide, the Cyber Essentials scheme or the Cyber Streetwise campaign.

Cotton concluded: “Board directors educate themselves on health and safety, audit and CSR. They become experts in these areas because ultimately the responsibility lies with them. But this isn’t yet the case with cyber security, and that’s ultimately where we need to get to. Unfortunately we’re still a long way off.”

The post UK plc wants tougher cyber regulation and more punishment for failings appeared first on IT SECURITY GURU.

from UK plc wants tougher cyber regulation and more punishment for failings

Windows 10 just hit another MAJOR milestone

Windows 10 is now on more devices across the world than ever before. Microsoft says that over 400 million active devices, including phones, tablets and desktop computers, are now running its Windows 10 software, making it the fastest-adopted release in history.


The post Windows 10 just hit another MAJOR milestone appeared first on IT SECURITY GURU.

from Windows 10 just hit another MAJOR milestone

Hate spam emails? This man built a bot to annoy spammers until they give up

Two years ago, Brian Weinreich, the co-founder and head of product at Density, an Internet of Things (IoT) sensor startup, got so fed up of receiving spam emails from his business email account that he decided to teach a lesson to all future spammers who tried to contact him.

ORIGINAL SOURCE: International Business Times



The post Hate spam emails? This man built a bot to annoy spammers until they give up appeared first on IT SECURITY GURU.

from Hate spam emails? This man built a bot to annoy spammers until they give up

Russian Cyberspies Use “Komplex” Trojan to Target OS X Systems

Researchers at Palo Alto Networks have come across an OS X Trojan they believe has been used by a notorious Russia-linked cyber espionage group in attacks aimed at the aerospace industry.


The post Russian Cyberspies Use “Komplex” Trojan to Target OS X Systems appeared first on IT SECURITY GURU.

from Russian Cyberspies Use “Komplex” Trojan to Target OS X Systems

Spamhaus Warns of a Rise in IPv4 Network Hijacks

Spamhaus, the organization that runs one of the Internet’s largest, most accurate and up-to-date spam lists, is warning against a spike in network hijacking events.


The post Spamhaus Warns of a Rise in IPv4 Network Hijacks appeared first on IT SECURITY GURU.

from Spamhaus Warns of a Rise in IPv4 Network Hijacks

Security man Krebs’ website DDoS was powered by hacked Internet of Things botnet

Internet of Amazingly Insecure Tat? That’s the one. The huge distributed denial of service (DDoS) attack which wiped security journalist Brian Krebs’ website from the internet came from a million-device-strong Internet of Things botnet.


The post Security man Krebs’ website DDoS was powered by hacked Internet of Things botnet appeared first on IT SECURITY GURU.

from Security man Krebs’ website DDoS was powered by hacked Internet of Things botnet

Saturday, 24 September 2016

Security architecture and quantum computing

Computer and system architectures have security implications. Any new technology needs to be assessed in terms of the risk it may present. A completely new architecture means that there will be new vulnerabilities. And quantum computer architectures will be novel indeed. Many fundamental concepts of computing will have to be rethought in regard to quantum […]

The post Security architecture and quantum computing appeared first on ITsecurity.

from Security architecture and quantum computing

Yahoo! hack – Industry reactions

Yahoo has confirmed that more than 500 million account holders’ details have been compromised in a data breach. The breach occurred in late 2014, and was likely carried out by a state-sponsored actor, Yahoo said in a statement. Personal information compromised in the breach includes usernames, email addresses, telephone numbers, dates of birth and hashed passwords, as well as encrypted and unencrypted security questions and answers. Though there is no evidence to suggest the hackers responsible are still in its network, Yahoo has encouraged users to change their passwords and security questions and answers.

The Guru was inundated with thoughts from security experts, so we decided to publish them all!


Ryan Wilk, VP at NuData Security:

“Once again, more news of a big breach hits the wire. A blockbuster breach, with staggering size and scope which has actually been baking since 2014 when the original breach occurred and was reported on. Still, 500 million records lost will likely make this one of the biggest on record. Sadly, while that number may be what Yahoo is aware of today, we can probably expect this number to rise. With this attack of a half a billion user accounts, we are likely to see well over a billion accounts breached this year alone compared to about 800 million in 2015.

Clearly, hacks are getting bigger and more impactful. Like a snowball gaining speed and momentum hacks are gaining in scope, sophistication and impact. All while feeding a fraud engine that leads to identity theft, account fraud and a myriad of other crimes that can be stopped.

This breach will rattle consumers badly. First, we all have to start accepting that breaches are an unhappy fact of life and our personal records are being shared on the dark web – sometimes years after the breach occurs. This one, in particular, hits everyone hard. Yahoo has a lot of long standing and trusted accounts. After all, who doesn’t have a Yahoo account? Even an old one sitting around might have emails and other personal information in it that could be used by a hacker later on.

You’ll hear a lot in the next few days about changing your password, and yes, while it’s good practice to change your usernames and passwords often and make them complex, it’s just not enough on its own. Data breaches continue to build upon each other, with each breach adding additional intelligence to achieving the goal of complete profiles of identities for a large segment of our population up for sale on the dark web. Access to this data in particular, can allow the bad actors to reset passwords on banking and e-tailer sites linked to Yahoo accounts, or use the data to apply for a new credit card, or even more frighteningly, gain access to your work credentials, where the damage could be colossal. 

Where credit card fraud was all the rage a couple years ago, it is this kind of account takeover and new account fraud that is on the painful and dramatic rise. We saw, in our own database of 81 billion behavioural events annually, a 10% month-over-month increase in new account fraud.

There are behaviour-based methods that online merchants, banks, and providers, are going to need to deploy that will help keep consumer accounts safe, even if valid credentials are presented. These solutions give true insight into who sits behind the device – and provide near-perfect trust that it is the consumer, and not a fraudster using our identity information online. You can and should start expecting these multi-behaviour based solutions from those providers that protect your online accounts. 

Knowing that we haven’t been able to stop these breaches from happening, and accepting the fact that much of our identity information is already on the dark web, is the first step that responsible providers need to take. The second step is putting into place security systems designed to protect their customers from the nefarious use of these stolen identities. And systems that stop these fraudsters in a completely passive and non–intrusive way to us, the consumers. The only way to achieve this is by truly being able to identify the identity of the user behind the device.  

 It’s time to make these breaches irrelevant by devaluing the data that hackers like “Peace” use. So even if they keep trying to steal “pieces” of our data, the data can become irrelevant, because no matter how sophisticated they get, they can’t steal our behaviour!”

Richard Cassidy, UK cyber security evangelist at Alert Logic:

“Overall this is a considerable data breach, especially if initial reports citing circa 500 million records leaked are indeed accurate. Furthermore, the data seems to have already been monetised (in part) and firmly distributed via various cybercriminal networks. It is indeed very unfortunate; service providers such as Yahoo will always be a high-value target for bad actor groups on the DarkWeb, especially those looking to prove credibility and stamp their name in the data heist record books (per se). Naturally such a breach will cause concern at board level for those involved in the M&A process and eventual purchase of Yahoo; with IT systems to be integrated between both parties, this breach will add a considerable delay to convergence efforts between both parties’ infrastructures and ultimately affect operational capability. Furthermore, the knock-on effect financially, as worried shareholders seek to exit to safer stocks, will create short- to medium-term fiscal unrest; however, what matters now is how Yahoo communicates the details of the breach, helping users (who have been identified as having had their data breached) put in place expedited account security measures, not just at Yahoo, but across all personal accounts where passwords and/or usernames may be similarly used.

Without a doubt however, anyone who has ever signed up to Yahoo services shouldn’t wait to hear from Yahoo on whether they may have been directly affected (or not); steps should be taken immediately to reset shared passwords across other online accounts and monitor financial transactions closely for signs of nefarious activity. Unfortunately, stopping every threat is a panacea that many argue is impossible to achieve. Regardless of organisation size or security capabilities in-house, there needs to be a paradigm shift in how we view susceptibility to threats and how we architect our current security framework around threat detection and early warning of nefarious activity. Relying on legacy layered security solutions, with no correlation on activity from application to network layer, can leave organisations at greater risk of a data breach. It’s herein that we need to shift our thinking and architecture; organisations need to assess their risk status to data breaches, understand the market they operate in, their competitors and of course the threat vectors most likely to be seen, architecting security capabilities that reduce that risk profile and enable better trust relationships between 3rd parties and customers, all with the aim of keeping key data security assets as protected as current technology capabilities permit.

Furthermore, reliance on automated security scanning functions can lead to key indicators of compromise going undetected; the human expert analysis approach ensures a level of assurance around protection from even the most advanced malware threats or zero day activity that may be targeted against the organisation.

If initial reports that Yahoo experienced this particular breach back in 2014 are accurate, and it’s only now coming to light, then this raises serious concerns for consumers of Yahoo products or services, and questions need to be answered on why external communication has been withheld for so long. Overall what has to be learned from this event is that data breaches can (and do) occur across organizations of all types and sizes. Well-defined incident response plans that communicate the details of the breach in an effective, directed and reassuring manner both internally and externally are the key to maintaining consumer and market confidence, not least providing users who have been affected with the best possible chance of containing further breaches to other online accounts where passwords or usernames may have been similarly used.” 

Ryan Kalember, SVP, cyber security strategy Proofpoint:

“Your email credentials are the single most sensitive piece of information you have. News of the Yahoo breach is yet another indication that email accounts are a prime target among criminals. Email is the top way cybercriminals are breaking into the world’s most sophisticated organizations and they target personal inboxes with the same aggressiveness.

Email is a necessity in our digital society and attackers are constantly working to exploit it. It provides a direct link between an attacker and a victim. If your personal email is compromised, and an attacker assumes your identity, that exposes all of your contacts to an immediate threat and allows the attacker to reset all of your other account passwords. By taking advantage of email accounts, hackers are exploiting the digital trust that exists between the email sender and receiver. This trust is the basis for how our digital society operates. Whether it is personal or enterprise emails, the result is the same: trust is broken and information is at risk.”

Leo Taddeo, CSO at Cryptzone:

“The loss of unencrypted security questions and answers creates a risk for enterprises that rely on this technique to enhance security for traditional credentials.  The best defence is to deploy access controls that examine multiple user attributes before allowing access. This type of “digital identity” makes it much harder for a hacker to take advantage of the type of information lost by Yahoo.”  

Gavin Millard, EMEA Technical Director, Tenable Network Security:

“With the complex, data rich, IT environments organisations run today, there is always a high possibility of yet another breach with customer data making its way onto the dark web. As we continue to add more technologies to our networks and as attackers become more sophisticated, it’s important that organisations have a rapid process for determining the impact of the breach and a robust approach in addressing the ensuing post-breach fallout.

If you have a Yahoo! account and have re-used the password anywhere, it would be wise to create new ones now to stop any further personal data from being exposed. To reduce the impact from the next inevitable breach of this type, users should protect themselves by having individual passwords per service rather than the one or two most use now. Modern browsers have the ability to generate and store complex passwords, as do the many password managers available.

One of the most concerning aspects of this breach is the fact that the security questions and answers were unencrypted. Most users would have used valid responses to questions like mother’s maiden name, first car, and first pet, which could lead to further exploitation and account misuse.”

Alex Mathews, EMEA Technical Manager, Positive Technologies:

“Almost every year we see reports of “millions of leaked accounts of Yahoo / Hotmail / Gmail / iTunes / etc”. We would even suspect that some of this news is “designed” especially for certain events. Yahoo’s sale to Verizon sounds like an interesting occasion to make such a brouhaha, but it would appear that this time the allegations were founded.
The elephant in the room is Yahoo’s admission that ‘encrypted or unencrypted security questions and answers’ might be amongst the hackers haul. If the investigation determines that this extremely sensitive information were stored unencrypted then serious questions need to be answered as this lack of security will highlight serious failings by Yahoo in its responsibility to protect customers.
Any Yahoo customers would be prudent to change their passwords – although, given the fact that the breach occurred two years ago, it is a bit like closing the stable door after the horse has not only bolted but long since died of old age.
Despite many warnings, millions of users will still use very simple passwords like 1111, “qwerty”, or their own names. According to Positive Technologies research, the password “123456” is quite popular even among corporate network administrators: it was used in 30% of corporate systems studied in 2014. Hackers use the dictionaries of these popular passwords to brute-force the user accounts, so perhaps now is the time to employ a little creativity.
Yahoo! does offer additional protection in the form of Account Key and it would be prudent for any users that decide to continue using its service to employ this as a matter of urgency.”

Troy Gill, Manager of Security Research at AppRiver:

“The fact that Yahoo has now confirmed the breach is no surprise – the scale however is. The sad reality is this is the latest in a long list of organisations that have been caught napping when it comes to protecting customers’ data, and I don’t think we’ve seen the last confession yet. In fact as technology infiltrates every facet of our lives, we are only opening the door for these types of events to be both more frequent and by all likelihood more impactful.
Yahoo users should be particularly concerned that the stolen information includes security questions and answers as this could leave them open to far more than just their Yahoo email account being compromised. It raises the potential for accessing other accounts, including those with sensitive personal and financial information. Identity theft is a very valid concern for all the victims.
I would be interested to know the findings by Yahoo when they allegedly investigated the 200 million records that were for sale on the dark web. Were those able to be confirmed as valid? If so, why did it take this long to inform users of the breach and why were no forced password resets issued prior?
Keeping customers’ data secure should be a top priority for all enterprises. A determined hacker can be quite difficult to detect but organizations need to commit to hardening themselves to these types of attacks. This breach serves as a stark warning to all organizations that no company is too big or too small a target.
Yahoo users should change their passwords immediately and monitor activity closely. Also, they need to make sure they are utilizing a new password that is complex, lengthy and most importantly “unique”. Since we know that password reuse across multiple accounts is very common, Yahoo users need to also ensure that they are not using the same password [as their Yahoo account] on other accounts as well.”

Stephen Gates, chief research intelligence analyst at NSFOCUS:

“Although the breach was originally reported back in July of 2012, the size of the breach apparently was incorrectly reported. In 2012, the number of potentially compromised user credentials was estimated to be around 450 thousand. However, the hacker known as Peace is claiming to have up to 500 million user credentials he/she is now attempting to sell online. That’s a huge difference.

Yahoo users, who have not changed their passwords since then, really need to do so now.  In addition, if users have used the same username/password combination on any other online accounts, they’re at risk of hackers gaining access to those other online accounts; if hackers can determine what other online accounts a user may have.

The Verizon purchase apparently comes with some “baggage” that they most likely do not want to be associated with. The likelihood of this breach affecting the purchase is, however, quite small. The responsible thing to do is to force all users to update their passwords; however, that action most likely will not be well received by Yahoo’s user community for a breach that happened over four years ago.

Although the number of breaches on this scale has been reduced over the years, they are far from over. Today, organisations of all sizes are taking measures to ensure a breach does not happen to them. Unfortunately, it has not stopped hackers from succeeding on a global scale. 

Enterprises must first assess what hackers would likely want to steal from them.  Once identified, enterprises must use all measures at their disposal to protect that data – at all costs.  If an organisation does not practice due diligence, then they can be accused of alleged negligence.  Being found guilty of negligence is never good for anyone’s career.

You must protect your data. It is what hackers are after. This is all about monetary gain, and people will go to almost any length to achieve it. Hackers understand how to erode your defenses, consume your resources, control your systems, and eventually steal your data. Taking an Intelligent Hybrid Security approach will help protect what hackers are after.”

David Gibson, VP of strategy and market development at Varonis:

“Hopefully Yahoo! will force password resets for all its users, even ones that it believes have not been affected. Dropbox learned this lesson the hard way. Users should also reset passwords for other accounts that share the same password as their Yahoo account and consider using a password manager going forward.

It’s hard to say for sure whether the breach will upset the pending acquisition by Verizon—publishers of the renowned yearly Data Breach Investigation Report—but it certainly could. If witnessing a data breach capsizes a $4.8 billion acquisition doesn’t shock CEOs and CSOs into investing more in security, what will? 

There will certainly be financial repercussions for Yahoo!, if not by way of fines and lawsuits, certainly in terms of time and effort to recover, perform an investigation, and further invest in bolstering security.

Breaches of this magnitude won’t slow until incentives are re-aligned. Dark Reading released a report recently stating that 80% of CSOs cite a lack of funding as being the #1 barrier preventing them from addressing cybersecurity challenges and 51% of CSOs cite a lack of available cybersecurity pros. The two go hand-in-hand. Until organisations are willing to invest more in security technology and pay a higher price tag to attract top security talent, they can expect similar results.

Organisations need to invest more in cybersecurity teams, follow security best practices and make security a top priority if they want to stop hacks on this scale.

The same lessons we learned from Target, Sony, OPM, etc. apply to Yahoo. It’s just too easy for hackers to get their hands on critical data.

Businesses – just like individuals – are still struggling to get the basics right when it comes to securing their data. There are so many basic vulnerabilities that organisations need to address – external and internal. The number of reported breaches will no doubt continue to increase. More companies are keeping more information from consumers and business partners, which increases the value of a potential breach. In order to be productive, company networks can’t be 100% isolated, and no matter how much time and money you spend on security tools, nothing is fool-proof, especially when the weakest links in the chain are the people who need access to data in order to do their jobs.

When you work under the assumption that your outer defences will be breached, it frames the data security challenge somewhat differently. Instead of pouring all of your energy into building a very high, very strong fence, spend more time securing what you truly need to protect: data. Make sure that once someone is inside, their activities will be observed and controlled. Just because you have a great lock on your front door doesn’t mean that cameras and motion sensors aren’t also a good idea. Similarly, monitoring user access and analysing it properly will help organisations identify attackers on their network and hopefully mitigate any damage.

Burying your head in the sand and hoping nothing bad will ever happen isn’t an option these days, so companies should absolutely have a plan for what happens after they discover a breach. Just like it would be silly to choose not to have a plan for a fire in the building, it doesn’t make sense not to have a response plan for a data breach. At a minimum, it’s critical for companies to identify what may have been stolen or deleted and what their obligations are to customers, partners, shareholders, etc. Different types of information have different disclosure requirements, therefore it’s important for companies to understand what kind of data they’re storing and what those obligations are so they can plan accordingly.”   

Gubi Singh, Chief Operating Officer at Redscan:

“There is never a good time to be hit by a cyber-attack but the reported breach appears to have happened at the worst possible moment for Yahoo and that’s unlikely to be a coincidence. Criminals will spend months planning and implementing attacks on companies of this size, with attackers biding their time to avoid detection. 

For companies undergoing a merger or acquisition, a comprehensive cyber security assessment can reduce risk for all parties involved and has become a key part of the due diligence process.”

Jonathan Sander, VP of Product Strategy at Lieberman Software:

“Every single Yahoo user should be turning on Yahoo’s two factor authentication immediately. Yahoo has been prompting users to do this for months and most have ignored the call for extra security. If a headline like this can’t motivate them to take Yahoo’s good advice and use the extra security they’re offering, I’m not sure what could.

Many breach headlines evoke vague awareness – a company you’ve heard of, or something that sounds important. Yahoo is Internet royalty. The message everyone should take from this is truly anyone can be cracked. Apparently it’s a state level actor, which isn’t surprising given the amount of effort and resources it likely took to break security at one of the Internet’s biggest names.”

Amichai Shulman, CTO and Co-Founder of Imperva:

“The ease of getting tons of stolen credentials, with the fact that users will always continue to reuse passwords simply because they are human, make brute force attacks more effective than ever and force application providers to take proper measures to protect their users.

Data from breaches is hot merchandise on both sides of the legitimacy fence, the security marketplace on one side and the dark market on the other.

To prevent brute force attacks, security officers should not rely on password policies only, but should take specific detection measures like rate limiting login attempts, detecting login attempts from automated browsers, treating with caution logins from unexpected countries and anonymous sources, and comparing login data to popular passwords and stolen credentials.

As we point out in our blog, there is a concerning pattern of breaches which occurred in 2012, but their severity was underestimated and under reported. Organisations must not become complacent in the face of 2016’s lack of mega breaches. As it turns out, those who don’t carefully monitor their networks today may well regret it in 2020.”
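The detection measures Shulman lists above (rate limiting login attempts, spotting automated clients, treating logins from unexpected countries with caution, and comparing submitted credentials against popular-password dictionaries and stolen credentials), together with the dictionary brute-forcing Mathews describes earlier in this roundup, can be combined into a single login guard. The Python below is an added example written for this page, not code from Imperva, Positive Technologies or Yahoo; the popular-password list, the breached credential pair, the IP addresses, countries and user-agent strings are all constructed sample data, and the sliding-window thresholds are illustrative.

```python
"""Login-abuse guard combining rate limiting with known-bad credential checks.

Added example for this page; all sample data below is constructed.
"""
import hashlib
import time
from collections import defaultdict, deque

# Constructed sample data (not a real leak): a tiny popular-password
# dictionary of the kind attackers feed to brute-force tools.
POPULAR_PASSWORDS = {"123456", "password", "qwerty", "1111", "letmein"}

# User-agent substrings that indicate an automated client rather than a
# person in a browser. Illustrative, not exhaustive.
AUTOMATION_MARKERS = ("HeadlessChrome", "PhantomJS", "python-requests", "curl/")


def credential_fingerprint(username: str, password: str) -> str:
    """SHA-256 over 'username:password' so the breached set below never holds
    plaintext. A production system would query a breach corpus instead."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


# Constructed: one credential pair we pretend surfaced in an earlier dump.
BREACHED_CREDENTIALS = {credential_fingerprint("alice@example.com", "Summer2014!")}


class LoginGuard:
    """Evaluates a login attempt and returns the reasons to block it or step
    up authentication. An empty list means nothing suspicious was seen."""

    def __init__(self, max_attempts=5, window_seconds=300, expected_countries=("GB",)):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.expected_countries = set(expected_countries)
        # key ("user:<name>" or "ip:<addr>") -> timestamps of recent attempts
        self._attempts = defaultdict(deque)

    def _rate_limited(self, key: str, now: float) -> bool:
        """Sliding window: drop attempts older than the window, record this
        one, and report whether the key has exceeded max_attempts."""
        recent = self._attempts[key]
        while recent and now - recent[0] > self.window:
            recent.popleft()
        recent.append(now)
        return len(recent) > self.max_attempts

    def evaluate(self, username, password, source_ip, country, user_agent="", now=None):
        now = time.time() if now is None else now
        reasons = []
        # Per-account limiting catches brute force against one user; per-IP
        # limiting catches credential stuffing that rotates usernames.
        if self._rate_limited(f"user:{username}", now):
            reasons.append("rate_limit_user")
        if self._rate_limited(f"ip:{source_ip}", now):
            reasons.append("rate_limit_ip")
        if any(marker in user_agent for marker in AUTOMATION_MARKERS):
            reasons.append("automated_client")
        if country not in self.expected_countries:
            reasons.append("unexpected_country")
        if password in POPULAR_PASSWORDS:
            reasons.append("popular_password")
        if credential_fingerprint(username, password) in BREACHED_CREDENTIALS:
            reasons.append("breached_credential")
        return reasons


def simulate_credential_stuffing(guard: LoginGuard, start: float = 1_000.0):
    """Replay a constructed stuffing run: one IP, rotating usernames, one
    attempt per second. Returns the reasons raised on the final attempt."""
    attempts = [
        ("alice@example.com", "Summer2014!"),
        ("bob@example.com", "123456"),
        ("carol@example.com", "Wint3r!pass"),
        ("dave@example.com", "qwerty"),
        ("erin@example.com", "N0tInAnyList"),
        ("frank@example.com", "hunter2"),
    ]
    result = []
    for i, (user, pw) in enumerate(attempts):
        result = guard.evaluate(user, pw, "203.0.113.7", "GB",
                                user_agent="python-requests/2.31", now=start + i)
    return result


if __name__ == "__main__":
    print(simulate_credential_stuffing(LoginGuard(max_attempts=5, window_seconds=300)))
```

Per-IP and per-account counters are kept separately on purpose: a stuffing run that rotates usernames never trips the per-account limit, and a distributed attack against one account never trips the per-IP limit, so each catches what the other misses. The popular-password check is the defender's side of the dictionary attack Mathews describes: the same list the attacker tries is the list the login path refuses.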

Michael Patterson, CEO of Plixer:

“It is interesting that Peace, the alleged hacker, claimed to have access to 200 million user accounts and was selling them online just prior to the Verizon purchase of Yahoo. It may be just a hack or someone with a hidden agenda that designed the timing to try and disrupt a billion dollar transaction. Yahoo has been investigating this hack since August and should have immediately asked users to change their passwords while they look into the claims.”

Michael Callahan, VP at FireMon:

“Given the size of Yahoo and the scale of this data breach, it is a good reminder that attackers are just waiting for organisations to slip up in their security measures before they seize the opportunity with both hands.  Yahoo no doubt has a huge, complex array of security technology in place to try and prevent cyber attacks and the leaking of any customer data.  The trouble is, this complexity is becoming increasingly common in organisations that seek to do the “right” thing by bolstering security with more solutions. But without the right intelligent tools to help make sense of the technology, policies and access permissions under one umbrella, it becomes almost impossible to manage.  Therefore, we keep seeing these types of breaches happening and will keep seeing them happen until proper security management is addressed.”

Mark James, Security Specialist at ESET:

“500 million accounts is huge by any standards, we sometimes get a little blasé as the numbers get higher but let’s not make any mistakes here, that’s a lot of customers’ information stolen here.

Data breaches are on the up, it’s almost a daily occurrence but the damage it causes is massive. The data may be used for immediate financial gain or used later along with more information to enable identity theft or phishing attacks either way it could be very damaging for the victim.

As always in these cases it’s the end user that ultimately pays the price, of course from a PR point of view it’s never good for the company that was breached but for the individual it could have long term financial implications if things go badly wrong. It could also mean accounts may be temporarily unavailable and for some, emails are a lifeline. Changing email address if you move to another provider is not as easy as it sounds because of the nature of how email works; you still need access to the old email in case of older websites that may require password resets or account recovery with the original email address.

As Verizon are about to buy Yahoo, they will have to consider the backlash of future issues with compromised account data. Because the ramifications of data breaches are often felt in the future they will have to consider the implications of any customers who can prove identity issues caused as a result of this particular breach if they are the new owners.

Although it seems an easy task, stopping data breaches is not as easy as it sounds. Doing all you possibly can to stop it in the first place, ensuring that if it does happen then the data is stored in such a way it’s impossible to do anything with it and having a good contingency plan in case it happens is what organisations need to be doing.

What other businesses can learn from this is, where possible, being proactive with your user base; the users need to be kept in the loop. If there has been a breach then find out how, where and why. Ensure your systems are now clean if malware is involved, reset passwords, inform your users and keep them up-to-date. We all understand data breaches are a factor of modern day computing but the impact can be cushioned with the correct flow of information.”

Brian Spector, CEO of MIRACL:

“This is a modern-day mega breach, and demonstrates how data theft and identity fraud are a multi-billion dollar business on the dark Web.

It is still too early for more detailed analysis, but the attack vectors commonly used to initialize attacks of this magnitude are to gain access by stealing employee or insider credentials. The credentials are still all too often simply user name and password. What the attacker knows: when a password, irrespective of how complex the password may be, is successfully stolen, the attacker can get access to internal systems and work their way to sensitive information – and steal it all.

The underlying issue is that the username and password system is old technology that is not up to the standard required to secure the deep information and private services that we as individuals store and access online today. By contrast, new, secure methods of multi-factor authentication can provide much stronger security, and make database hacks, password reuse, browser attacks and social engineering a thing of the past.”

Matt Walmsley, Director, EMEA at Vectra Networks:

“While this breach has undoubtedly rocked Yahoo to its core, and public notification took a long time, the company is lucky to have even spotted the breach. Under stringent upcoming data legislation such as GDPR, which comes into force in May 2018, the way this breach came to light and was handled would have left EU organisations at risk of a potential fine of four per cent of global turnover. If any of the Yahoo user data compromised by this hack is connected to EU citizens, uncovering the situation now does at least avoid that scenario – this time.

It’s extremely concerning just how many organisations are still blissfully unaware of huge data breaches taking place within their network infrastructure. Research shows that only about two out of 10 data breaches are detected internally – leaving around 80 per cent of data breaches detected by external discovery and third party agencies. The huge delay in this breach coming to light, and more shockingly the lack of awareness that anything even happened until an external party alerted Yahoo, clearly shows the growing challenge of maintaining visibility across increasingly large and complex networks alongside physically unmanageable data centres. In this case, it’s reasonable to assume that the breached user account data was held in Yahoo’s data centres, an area of diverse, and in many cases, under-protected security risks.

There are plenty of opportunities to catch a hacker in progress when an organisation is penetrated, before they can achieve their goal, for example during the attacker’s reconnaissance, escalation, data corruption or exfiltration. Each of these phases of the attack often occurs over an extended period of time. This offers ample chance to identify the infiltrator’s behaviour, and make an early and effective intervention before the intrusion becomes a full-blown critical incident involving 500 million users’ data. As network infrastructure continues to expand, it will only be the automation of such detections, using innovation like artificial intelligence, that can ensure these subtle indicators of in-progress attacks can be searched for 24/7/365 at scale and in real-time.”

Rob Reid, COO and Founder at StayPrivate:

“The Yahoo hack serves as the greatest warning yet that personal email accounts are easy targets for hackers, putting their users at considerable risk of being subjected to cybercrime. The wider public is only just becoming wise to the fact that the more we use our personal webmail accounts for sending information about ourselves, the more information exists on the open internet that can be used against us by cyber criminals. This hack highlights how cyber criminals aren’t just after big companies, but individuals.”

“The scariest thing in this case is that as yet neither Yahoo, nor its users, are sure about what information has been compromised. We need greater awareness to the threats that consumers face and education about what solutions exist to best protect ourselves by keeping our personal data safe. At StayPrivate we work hard to inform both the business community and consumers about how easy it is for people to be a victim of cybercrime and provide the solutions to protect people.”

Andersen Cheng, CEO at Post-Quantum:

“To date there is no clear evidence about the mechanism used by the hackers in what is one of the largest data thefts in history. We can only assume it was due to unauthorised access to Yahoo’s database, which is known to have suffered security lapses in the past.

I understand from intelligence sources that there have been similar breaches to other databases, not necessarily in terms of size but in terms of significance, which have not yet been reported by other entities.

The Yahoo! breach is yet another case of how organisations handle access control to the large swathes of personal data they hold. At present very few companies have proper processes in place to manage segregation of duties in the digital world. All operating systems we use today have not been designed with such processes in mind – which is a major concern.

In fact, current access management tools are outdated, not effective and certainly won’t be in coming years, when computers and hackers alike become more sophisticated. This is because the focus of these systems is on detection, rather than prevention. As this Yahoo! theft shows, such an approach is useless, particularly when such a theft can go undetected for years.”

Ben Harknett, Managing Director EMEA at RiskIQ:

“Reports of the Yahoo cyber-breach this morning call into question organisations’ ability to know how vulnerable their digital assets are, and how exposed customer data could be if it was to fall into the wrong hands. With increased sophistication of cyber-crime, state-sponsored or not, the emphasis on cyber security needs to shift from cure to prevention. As a business, knowing what your entire attack surface looks like from the moment of design to implementation and throughout its lifespan is crucial. No matter what size, the digital footprint needs to be constantly monitored so organisations know exactly which digital assets they have, where they are and if there are any weaknesses which could be exploited. Acting in a state of planned defence helps to reduce the likelihood of attack, where the consequences can be potentially devastating to the business, but most of all, the customers whose data is trusted to them.”

Justin Feir, Director of Cyber-Intelligence and Analysis at Darktrace:

“While there is very little data on this breach, likely because of potential impact on the Verizon merger, it could possibly serve as a herald to increasing ‘trust attacks’ – attacks that have the potential to degrade credibility or public confidence.

This could be the first time we see an attack aimed at directing economic influence vs political. Also, we may see, similar to the LinkedIn hack which happened a couple of months ago, major ramifications in terms of what’s good cyber hygiene. Ultimately, organisations need to accept that these hacks will only continue to happen. It is critical to adopt a fundamentally new approach to security.”

Justine Cross, Regional Director at Watchful Software:

“The unprecedented scale of the Yahoo breach should be a watershed moment in the way businesses protect customer data.

While it appears that customer passwords were encrypted, large amounts of other personally identifiable information, including names, email addresses, dates of birth, and phone numbers were apparently unprotected. This is still more than enough information for cyber criminals to cause serious harm through fraud and phishing attacks.

If all customer data is classified and labelled as restricted, it will be encrypted and rendered unusable by any unauthorised user, greatly reducing the impact of a breach like this. Classification should be an automatic process the moment any personally identifiable data concerning a customer is created on the system. With this incident likely to cost millions of dollars, no organisation can afford to leave anything concerning their customer data to chance.”

Paul German, VP EMEA at Certes:

“As Yahoo deals with the fall out of the biggest cyber theft of customer information to date, this should set alarm bells ringing for businesses around the globe. Even heavyweights like Yahoo and LinkedIn have a problem protecting consumer data, pointing to an inherent flaw in the way cyber security is being approached.

The problem lies in the fact that once hackers cross a company’s carefully laid out cyber defences, the network, and the treasure trove of data within it, is their oyster. Moving laterally, they are able to siphon off huge swathes of valuable information without difficulty until they are detected, often months after the initial breach.

The problem lies in the current cyber security model which takes a ‘protect’, ‘detect’, ‘react’ approach. There is a significant lag between the protection being sidestepped and the criminal being detected. Currently this leaves a hacker free to rummage through a company’s most sensitive data, wreaking havoc. There is a fundamental step missing – at whatever point a hacker enters a network they must be contained, restricting the data they can access and the damage they can inflict before they are detected.

Most businesses now see a security breach as a ‘when’ rather than an ‘if’ situation, and it is vital that they take steps to limit the damage and protect the data of thousands, if not millions, of consumers.”

Richard Parris, CEO at Intercede:

“Given the numerous high profile data breaches already revealed this year, are we really surprised by the news from Yahoo? The real problem is not in the hack itself but in service providers like Yahoo relying on a fundamentally insecure, username and password based, user authentication. If a hack does happen, those details, and other identifying information, can be exposed and they are invariably used to access other services and defraud consumers.

In my view, we are fast reaching the point at which the industry will have to be compelled to take action. If the first duty of any government is to protect the public, establishing and protecting identity in a digital world ought to be high on the list of priorities. Solutions are available and it’s surely time we locked the stable door with secure authentication and identity management before the digital horse has bolted.”

Jeff Kukowski, COO at SecureAuth:

“Yahoo’s data breach is an important reminder for organizations to move beyond the simplistic username and password authentication model – as evidenced by the fact that the company itself is now asking users to implement Yahoo Account Key. We know the reality is that users not only keep passwords simple, they continue to reuse them across multiple sites and since these compromised passwords are also associated with an email address the threat of major data loss for consumers is very real.

Smart organisations are already moving to stronger methods of user authentication, including adaptive access control techniques and multi-factor authentication as a way of safeguarding credentials. It is imperative that more organizations take this lead and look to implement adaptive access in a way that, in addition to the credentials, performs risk-analysis as part of the authentication process. This helps render stolen credentials completely worthless across the breached site.”

Paul Farrington, manager of EMEA solution architects at Veracode:

“2016 will live long in the memory of those who helped to create the Internet giant Yahoo. The company is being sold for a fraction of what it was once worth, and now is linked to one of the largest data breaches on record. The company tells us that hack was performed by a state-sponsored actor. It’s interesting that this is given prominence in the press release whilst other details remain undisclosed. Almost, a plea for clemency from the court of public opinion.

Regardless of the motives of the hacker in the Yahoo breach, businesses should take immediate action to safeguard assets and protect customer data. This means investing in encryption, testing apps for vulnerabilities and building a comprehensive security strategy for the long term. CIOs and CISOs should be ready to answer the question from above: could this happen to us? In way too many cases, we believe it could.”

David Navin, Corporate Security Specialist at Smoothwall:

“Data breaches are becoming increasingly common, with Yahoo the latest to suffer with the largest breach ever seen. This should be a wakeup call for companies as in today’s digital era; no one is immune and they need to be ‘Prepared’ for when a breach will happen. It is imperative that companies ensure that they have a robust security system in place to mitigate these risks and to safeguard their data should a breach occur.

“With recent research showing only 13% of businesses believe they could lose customers in the event of a breach, there is still clearly a naive mind-set from those who don’t think a breach will affect their reputation. It needs to be hammered home that every company is vulnerable and will suffer the repercussions should a breach occur.

“The importance of security needs to be at the top of every boardroom’s agenda, with the CEO, CFO and CTO ensuring they are educated to the risks and understand the importance of having strong enterprise-grade security measures in place, beginning with firewalls, encryption and good security software. Security needs to be taken seriously at all points of the organisation, to ensure that all employees understand the risks of their actions and know the security processes in place should an incident occur, in order to mitigate the risks in the event of a breach.”

Chris Hodson, EMEA CISO at Zscaler:

“The most burning question following the Yahoo hack disclosure is how and why? – how did they get in and what were the motives of these criminals?

With no technical details included in Yahoo’s report about how the data was exfiltrated, just that it was, it’s impossible to assess the credibility of the ‘state sponsored’ claim. In this instance, we can only speculate that the ‘state sponsored actor’ claim was made with a view to placating the general public. The act of stealing heaps of personal information but leaving financial credentials untouched also highlights that the motives of the assumed ‘state sponsored actors’ were not immediate financial fraud.

It might well be that Yahoo has had support from government departments and that attribution has been possible but equally, ‘state-sponsored’ is often prefixed to ‘actor’ in an effort to suggest sophisticated and surreptitious means of data exfiltration. We simply do not know.

Fast forward to 2018 with the General Data Protection Regulation in place here in Europe: how would Yahoo have responded if such requirements were imposed on them? The timing of this revelation is poor from a business perspective – Verizon is in the process of purchasing Yahoo and this breach will not do anything to expedite the process and please customers.

To mitigate risks in the short term, consumers should avoid using the same password across multiple sites. Instead they should consider using a password vault to store a variety of different, and more complex, passwords without becoming reliant on the security of corporate enterprises, such as Yahoo!”

John Madeline, CEO at RelianceACSN:

“Another signature event breaks as Yahoo! discloses a data breach thought to be the largest in history. Unfortunately, this will have resulted from the usual weaknesses in basic security hygiene, a result of “check box” exercises, poor product purchases, and the main decision makers not fully caring or understanding. However, the notable difference is the changing mood around this breach. The media and industry are holding CEO Marissa Mayer to account, questioning why she’s still in charge, making this one personal. In business, when things are personal, people start to care.

Secondly, this breach has happened at an interesting time, in the window between the announcement of the acquisition from Verizon and its consummation. This will be an acid test for valuing the impact of an incident like this at a time when risk experts, lawyers, accountants and M&A specialists are engaged and scrutinising every detail with their pencil sharpeners out.”

John Bambenek, threat intelligence manager at Fidelis Cybersecurity:

“Yahoo! users have been kept on tenterhooks over the last few days with rumours circulating that their information may have been compromised. With Yahoo! now confirming the sheer scale of the breach, and that it happened back in 2014, millions of its users will likely feel extremely unsettled that their information – including names, email addresses, dates of birth, telephone numbers and encrypted passwords – has been in the wrong hands for some time now. What’s worrying is that additional data could have been compromised in the meantime. With this being the second data breach being investigated by Yahoo! within the last year, this will be a huge blow for the company in terms of reputation and user confidence.

Despite the sophistication and capabilities of those responsible, attacks such as the Yahoo! breach often involve relatively simple and well-known lures to trick users into giving attackers the foothold they need. For instance, many nation state-sponsored breaches involve ‘password reset’ emails to get users to give up their passwords. While there is very little an enterprise can do after sensitive information goes out the door, a system-wide password reset is a routine best-practice adopted almost everywhere to mitigate further damage. It certainly raised a few eyebrows when Yahoo! didn’t take that step the first time, but the fact it is reversing course is a good thing.

Ultimately, when it comes to email communication, it’s not only insecure, but it’s insecurable. To put it simply, the more sensitive the information is, the more likely it shouldn’t be put into an email.”

Chris Petersen, CTO and Co-Founder at LogRhythm:

“Breaches are damaging and expensive, as Yahoo will soon find. The ramifications of a successful attack are far reaching, and could potentially impact their deal with Verizon. In addition, they’ll suffer from lost productivity, inconvenience to customers, and potentially the permanent loss of data and credibility. An organisation’s success in defending against a data breach is largely dependent on its level of preparation to respond to a successful intrusion. Attackers will successfully compromise systems, but a resulting data breach can be avoided if the company detects the intrusion quickly. For companies to do so, and avoid a data breach, they must invest in modern technology that optimally aligns people and process with advanced analytics and workflow automation. Bottom line: every organisation needs to prepare for a successful attack and be able to respond quickly. Every Yahoo user would be well advised to change their password and to be prepared for malicious emails coming their way.”

Jacob Ginsberg, Senior Director at Echoworx:

“Unfortunately, this yet again demonstrates that “good enough” is not good enough when it comes to security. Data persists, so even if you’ve taken steps to protect that information, hackers may have the tools to negate these defences six months, one year or three years down the line. If you do the bare minimum now, this won’t do you any good in six months’ time. Simple hashing of passwords isn’t enough – using strong encryption and salting passwords should be prerequisites for any organisation handling account information.”
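To make the point about simple hashing versus salting concrete, here is an added example (written for this page, not code from Echoworx, Yahoo or any vendor quoted here). It stores constructed sample accounts two ways, as plain SHA-256 digests and as per-user salted PBKDF2-HMAC-SHA256 hashes, and shows why a leaked table of the first kind is cracked once for every account while the second forces one slow key-derivation run per account per guess. The account names, passwords, wordlist and iteration count are all constructed assumptions, not breach data.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample accounts (not real breach data): two users chose the
# same weak password, which is exactly the case an unsalted scheme exposes.
USERS = {"alice": "summer2014", "bob": "summer2014", "carol": "Tr0ub4dor&3"}

# Tiny constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "123456", "summer2014", "qwerty"]

# Assumed work factor; in production tune it to ~100 ms per hash on your hardware.
PBKDF2_ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 digest: the 'simple hashing' the quote warns about."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_unsalted(users: dict[str, str]) -> dict[str, str]:
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def crack_unsalted(leaked: dict[str, str]) -> dict[str, str]:
    """One precomputed digest->password table cracks every account at once,
    and identical passwords are visible as identical digests."""
    table = {unsalted_hash(word): word for word in WORDLIST}
    return {user: table[h] for user, h in leaked.items() if h in table}


def salted_hash(password: str, salt: bytes | None = None) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Stored as 'salt_hex$hash_hex' so the salt travels with the record."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def store_salted(users: dict[str, str]) -> dict[str, str]:
    return {user: salted_hash(pw) for user, pw in users.items()}


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    salt_hex, _ = stored.split("$", 1)
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def crack_salted(leaked: dict[str, str]) -> tuple[dict[str, str], int]:
    """No shared table is possible: every (account, guess) pair costs one full
    KDF run. Returns the recovered passwords and how many KDF runs it took."""
    found: dict[str, str] = {}
    kdf_runs = 0
    for user, stored in leaked.items():
        for word in WORDLIST:
            kdf_runs += 1
            if verify_salted(word, stored):
                found[user] = word
                break
    return found, kdf_runs


def distinct_values(records: dict[str, str]) -> int:
    """How many different stored values a leaked table shows for the users."""
    return len(set(records.values()))


if __name__ == "__main__":
    leaked_plain = store_unsalted(USERS)
    leaked_salted = store_salted(USERS)
    print("unsalted:", crack_unsalted(leaked_plain), distinct_values(leaked_plain))
    print("salted:", crack_salted(leaked_salted), distinct_values(leaked_salted))
```

The weak passwords still fall to the salted scheme, but only at the cost of a full KDF run per guess per account, with no reuse across accounts; the same storage treatment applies to security-question answers.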

Rob Norris, Director of Enterprise & Cyber Security in EMEIA at Fujitsu:

“It seems that not a week goes by that we don’t see a data breach of one type or another. Yahoo is once again under the spotlight for a breach that has been named the largest in history. The fact that 500 million users have been affected is worrying. But let’s not forget, it isn’t the first company to be affected. And it won’t be the last.

Many businesses, and consumers, are still failing to see the reality of the situation we are now facing. The effort required to combat breaches is industrial. Companies are no longer fighting against individuals, but a sophisticated criminal industry, designed solely to access and exploit their data.

To remain ahead of their competitors – and trusted in the eyes of the consumer – organisations need to take a proactive approach when it comes to security. Organisations should focus on the integration of threat intelligence and other information sources to provide the context necessary to deal with today’s advanced cyber criminals. There must also be a clear and well-rehearsed crisis management plan for a breach, addressing internal and external communication. Consumers, meanwhile, need to ensure they use different passwords for different applications and are aware of the security risks when using payment information. As the number of these threats continues to increase exponentially, no business nor consumer can afford for cyber-security not to be their number one priority.”

Tyler Moffitt, Senior Threat Research Analyst at Webroot:

“Half a billion records of just emails would be impressive, but half a billion names, email addresses, telephone numbers, birthdays, hashed passwords, and (the icing on the cake) “unencrypted security questions and answers” is astounding. These constant breaches only prove that the connected world we live in isn’t secure. It also reaffirms the need for one to heavily consider what info they hand off, regardless of how secure the site’s reputation is.

On the bright side, no financial data was breached.”

The post Yahoo! hack – Industry reactions appeared first on IT SECURITY GURU.
