Thursday, February 16, 2017

‘Twas the Season to Attack: Large Online Retailers Pummeled Over Holidays

February 16, 2017 -- London, UK -- NuData Security announced today that they had observed a 400 percent surge in automated online attacks over the 2016 holiday period.

NuData data scientists discovered an increase in maliciously scripted botnet activity of over 400 percent against many large online retail client sites during the last quarter of 2016 compared to the previous year.
  • Of the 5.6 million anomalous behaviors detected, over 1 million events were directly attributed to malicious automated activity from scripts and bots.
  • Malicious scripted, bot and botnet activity accounted for 31% of all login activity for the month of December.
  • Had they been successful, these automated attacks would have been used to power identity-based account takeover (ATO) and a wide array of cybercrime over the holiday period, including account information scraping, transaction fraud, coupon and reward abuse.
NuData found high levels of new account fraud in September and October of 2016, with some online merchants experiencing a record-breaking 60 percent of new accounts opened with fraudulent intent in the lead up to the holiday season.
  • Much of the increase in new account fraud came from spoofing human input such as keystrokes and mouse movements and feeding it in through scripts to look more legitimate. For a good example of how this type of attack can occur, see this rewards fraud case.
  • The fraudulent creation of new accounts waned during the last few weeks of the fourth quarter, falling to 22 percent in late December, indicating that cybercriminals switched their focus from fraudulent new account openings to scripted account-based fraud attempts over the holidays.
In 2016, attacks against the login of NuData’s clients’ sites doubled over the previous year.
  • Both the volume and sophistication of these attacks spiked, fed by the increased availability and low cost of stolen consumer credentials for sale on the Dark Web, harvested from massive data breaches in 2015 and 2016.
There is a demonstrated increase in the sophistication of automation, with bad actors using legitimate GUI-like automation trying to manipulate how pages are used.
  • Fraudsters leverage volumetric spikes in activity over holiday shopping periods to circumvent detection and policies that retailers deploy to lower the risk threshold to ensure good customer experience over the holidays.
  • Bad actors are using increasingly sophisticated tactics to mimic human behavior and adjust the timing of their attacks, such as using basic bots to perform velocity type functions and complex bots that are spoofing IPs, emulating devices, apps or browsers.
Account takeover continues to be a dire problem.
  • What makes ATO so dangerous is that fraudsters target accounts created by real users, and use their stolen credentials to access these accounts.
ATO events in November and December 2016 on several large retailers:
  • 7,620,605 total confirmed attack events
  • Equivalent to 2310 per minute or 38.5 per second
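The scripted login attacks and account takeovers described above are normally caught by velocity checks: one source trying many distinct accounts in a short window with a low success rate, plus any login that did succeed from such a source. The following is an added example, not NuData's code or method; the log format, the thresholds, and the names parse_log, velocity_findings, suspected_takeovers and automation_share are assumptions, and the log lines are constructed.

```python
"""Velocity-based detection of scripted login activity (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): "timestamp ip account result".
# One source address walks through six accounts in three seconds with one success,
# a second address retries a single account, and a third is an ordinary user.
SAMPLE_LOG = """\
2016-12-20T10:00:00 203.0.113.7 alice@example.com FAIL
2016-12-20T10:00:01 203.0.113.7 bob@example.com FAIL
2016-12-20T10:00:01 203.0.113.7 carol@example.com FAIL
2016-12-20T10:00:02 203.0.113.7 dave@example.com OK
2016-12-20T10:00:02 203.0.113.7 erin@example.com FAIL
2016-12-20T10:00:03 203.0.113.7 frank@example.com FAIL
2016-12-20T10:00:05 198.51.100.4 alice@example.com FAIL
2016-12-20T10:00:40 198.51.100.4 alice@example.com OK
2016-12-20T10:01:10 192.0.2.9 grace@example.com OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, account, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result == "OK"))
    return events


def velocity_findings(events, window=timedelta(seconds=60), min_attempts=5,
                      min_accounts=4, max_success_rate=0.5):
    """Sliding window per source IP (assumed thresholds).

    Flags an IP when, within `window`, it makes at least `min_attempts` logins
    against at least `min_accounts` distinct accounts with a success rate at or
    below `max_success_rate`. The widest qualifying window per IP is reported.
    """
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_attempts:
                continue
            accounts = {account for _, account, _ in win}
            success_rate = sum(ok for _, _, ok in win) / len(win)
            if len(accounts) >= min_accounts and success_rate <= max_success_rate:
                prev = findings.get(ip)
                if prev is None or len(win) > prev["attempts"]:
                    findings[ip] = {
                        "attempts": len(win),
                        "distinct_accounts": len(accounts),
                        "success_rate": round(success_rate, 2),
                    }
    return findings


def suspected_takeovers(events, findings):
    """Accounts that were successfully logged into from a flagged source: ATO candidates."""
    return {account for _, ip, account, ok in events if ok and ip in findings}


def automation_share(events, findings):
    """Fraction of all login events that came from flagged sources, rounded to 2 places."""
    if not events:
        return 0.0
    flagged = sum(1 for _, ip, _, _ in events if ip in findings)
    return round(flagged / len(events), 2)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = velocity_findings(evs)
    print("flagged sources:", found)
    print("suspected takeovers:", suspected_takeovers(evs, found))
    print("share of logins from flagged sources:", automation_share(evs, found))
```

On the constructed log the first address is flagged (6 attempts, 6 accounts, 17% success), the successful login to dave@example.com from it is surfaced as a takeover candidate, and two thirds of all login events are attributed to flagged sources. The retry against a single account from the second address is not flagged, since the distinct-account threshold separates a user mistyping a password from a script working through a credential list.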
Robert Capps, VP of business development for NuData Security, explains, "Cybercriminals are using bots to run automated tasks that increase the efficiency of attacks on confidential data such as login and payment details. The growing sophistication of cybercriminals is evident in the evolution of advanced attacks, their strategic timings and the use of tools such as malicious programs. These tools allow a relatively small number of technically skilled cybercriminals to conduct cybercrime on a global scale, effectively increasing the growth of cybercrime exponentially."

Wednesday, February 15, 2017

Tripwire Study: Only 3 Percent of Organizations Have Technology to Address Today’s Top Attack Types

New study from Tripwire reveals that most organizations are seriously lacking in both skills and technology to address today’s most critical attack types

PORTLAND, Ore. - February 15, 2017 - Tripwire, Inc. today announced the results of a new study conducted in partnership with Dimensional Research. The study looked at the key attack types expected to cause the biggest security problems in 2017 and evaluated how successful businesses will be at defending against those attacks. Study respondents included 403 IT security professionals at companies with more than 1,000 employees based in the U.S., U.K., Canada and Europe.

Tripwire’s study revealed that only three percent of organizations have the technology and only 10 percent have the skills in place to address today’s top attack types, highlighting a gaping hole in many organizations’ cyber defenses that can be discovered and taken advantage of by hackers. According to the study, ransomware has the potential to inflict the most significant damage to organizations in 2017, yet not even half of those surveyed have the skills (44 percent) or the technology (43 percent) to effectively address it.

"The results of this study highlight that there are very few organizations equipped to deal with all of today’s major attack types. Most organizations can reasonably handle one or two key threats, but the reality is they need to be able to defend against them all," said Tim Erlin, senior director of IT security and risk strategy for Tripwire. "As part of the study, we asked respondents which attack types have the potential to do the greatest amount of damage to their organization. While ransomware was cited as the top threat, all organizations were extremely concerned about phishing, insider threats, vulnerability exploitation and DDoS attacks."

The study’s respondents were also asked about their skills and technology, specific to each of the attack types. Tripwire found that most felt confident in their skills to tackle phishing (68 percent) and DDoS attacks (60 percent), but less confident in their abilities to address insider threats (48 percent), vulnerability exploitations (45 percent) and ransomware (44 percent). Regarding technology, the findings once again revealed more confidence in addressing phishing (56 percent) and DDoS attacks (63 percent), with less than half of the companies having the technology to address ransomware (43 percent), insider threats (41 percent) and vulnerabilities (40 percent).

Erlin added, "We can see from these results that under half of organizations have either the technology or skills in place to address ransomware, insider threats and vulnerability exploitation, which is very concerning. These are all very real threats, which almost all organizations will face at some point in time. The unfortunate reality is that today’s determined cybercriminals will target organizations with a variety of different attack techniques until they are successful. Organizations need to work with security vendors that have the ability to help them address all of today’s major attack types, while also offering IT teams training to help educate them on new trends."

The findings of Tripwire's study indicated that foundational security controls would help address these challenges. While two out of three respondents stated they use security standards or frameworks that include a set of foundational controls, 93 percent responded 'yes' when asked if the adoption of foundational security controls would improve their readiness to protect against new security threats.

Additional key findings from the study include:

• The enforcement of foundational security controls is challenging, with 65 percent of respondents indicating they lack the ability to effectively enforce them.
• Sixty-four percent of respondents believe financial services will be hit hardest by cybercriminals in 2017.
• While U.S. respondents were more concerned about the health care sector (46 percent), European respondents were more concerned about telecommunications companies (59 percent).

Monday, January 9, 2017

Three Critical 2017 Predictions for Global Cyber Security

Leo Taddeo, Chief Security Officer, Cryptzone

The US will take a more aggressive position on international cyber security that will lead to cyber escalation between Nation States.

Typical to any transition of Presidential power, we’re in a honeymoon period between Nation States. Make no mistake, however: the first thing our adversaries are doing is figuring out where to “pick a fight” to see what they can get away with.

For example, Russia has a track record of positive initial meetings with President-elects, while they test how much they can extract from them. But soon enough, Russia’s concerns will be intractable and Trump will be forced to face reality: Russia will not change its behavior.

We are already seeing Russia test Trump. Just this week, Putin said about Russia’s military, “We can say with certainty: We are stronger now than any potential aggressor. Anyone!” These kinds of comments will not sit well with an aggressive President-elect, and a Cabinet full of former US military.

With relations strained between Trump and the Obama Administration, negotiations between the US and Russia have already been sent into a tailspin. All of this will lead to cyber escalation.

While Trump has been playing nice – some say too nicely – with Russia, he’ll eventually overreact and take proactive measures, which is more his style.

Another “Russia intractable” is the Ukraine. Because the US having influence in Ukraine is threatening to Russia, and the US won’t leave Ukraine’s fate in Russia’s hands, both countries will use cyber tools to try and get what they want: information.

China is another example. Cyber relations with China are already unstable with the incoming US leadership. Trump is taking China head on, with regular comments on its currency devaluation, abuse of trade policies and the volatile Taiwan relationship.

In response to a new, perhaps more hostile Trade Secretary, China has indicated that “China like every other country is closely watching the policy direction the US is going to take.”

In September 2015, Obama agreed with China that neither side would engage in cyber espionage in business. It was a gentleman’s agreement, based on goodwill, that isn’t binding or enforceable. From detectable cyber activity, there seems to have been a decrease in cyber espionage, supporting the notion that both sides have been honoring the agreement. If that goodwill doesn’t exist with China, and it seems that it does not in the President-elect’s approach, all bets are likely off.

The world is not equipped to handle sophisticated, multi-site cyber attacks, especially against financial institutions. Stolen money will be reinvested in “hacker R&D” creating future chaos.

Countries and corporations are not prepared to deal with advanced cyber attacks. In the February 2016 Bank of Bangladesh hack against the SWIFT system, criminals stole $81M—and most of it is still unrecovered. Hackers are already re-investing these funds to develop techniques to target less-protected institutions, which isn’t good news for network defenders.

The IoT is becoming even more commonplace and the lack of set standards and regulations leave us with more and more unsecured devices, widening the playing field of opportunity for hackers.

DDoS is becoming sexy again because we’re entering a different era in terms of volume, in part due to the number of IoT devices now online. We should anticipate an acceleration in DDoS attacks because some of these devices simply can't be fixed or properly secured.

The October 2016 Dyn DDoS attack is a good example of the above two trends. And the IoT botnet (Mirai) used in this attack shows signs of evolving, as its source code was released publicly.

Companies will soon make the official transition to cloud, as they’ll stop viewing it as a risk and more as a sanctuary. They’ll also start establishing a “TSA-type security pre-check line” to services for approved clients that will isolate channels for customers (i.e., they won’t be public facing) in order to avoid the Internet cesspool.

Context is the next evolution of identity and people will, finally, stop caring about giving up privacy in order to prevent attacks.

We’ll see identity finally move beyond a username and password: things like what device you’re on, why or what’s the context, enterprise vs. mobile origination, etc. that are seamless (invisible to the user) will take precedence, and they’ll be embedded in use and travel wherever users do.

The resource (device, company, network, app, etc.) will care about who you are in the move to cloud and BYOD environments. As part of this, users will give up privacy to access the resource.

This trade-off is fair. You must provide enough proof of who you are when asking for access to a valuable, shared resource. Users already sign end user license agreements, which most don’t read, and scroll as fast as possible to click accept, granting necessary access. The vast majority of the population views this as a fair and acceptable trade.

About the Author
Leo Taddeo, former Special Agent in Charge of the FBI's NY cybercrime office, is now member of the Citizens Crime Commission of NYC and CSO at Cryptzone.

Tuesday, December 20, 2016

Hackers Can Access Flight Controls through Entertainment System

Just in time for your Christmas and holiday travel!

12/20/2016 - Eskenzi PR Ltd. - IOActive recently did some research into a flaw in an in-flight entertainment system used by major airlines including Emirates, Virgin and Qatar that could let hackers access a plane's controls.

Commenting on this, Art Swift, president of the not-for-profit prpl Foundation that aims to make the IoT more open, interoperable and secure, said, "Travellers this holiday season will be horrified to hear that in-flight entertainment systems could be used to help hackers gain access to their favourite airline’s flight control system, but the truth is it’s something which prpl has been talking about publicly since the flaw was first disclosed - and it’s not just airplanes that are at risk. Technology plays an important role in getting us from here to there, but without separation within the systems that keeps critical controls such as steering, braking or heating and cooling, which could potentially cause damage, apart from less critical aspects like entertainment, hackers can worm their way around systems and potentially cause real devastation. For this reason, the prpl Foundation has come up with its free 'Security Guidance for Critical Areas of Embedded Computing' for developers, manufacturers and engineers that outlines exactly how this security separation is possible."

What’s Ahead for 2017: The RSAC Advisory Board Industry Predictions

If you’re wondering where things are headed in the coming year, you’re not alone. RSA reached out to its RSA Conference Advisory Board to find out what they expect will happen in the world of cybersecurity as we enter 2017. From intergovernmental cyber-conflicts to a rocky road for the Internet of Things, read what’s potentially around the corner.

Thursday, December 1, 2016

Top 10 Rock and Roll Cybersecurity Predictions for 2017

It's that time of year again. Time for information security predictions for 2017. This year, we have an interesting twist on predictions by tying them to classic rock lyrics. It's interesting how prescient the lyrics are.

Monday, November 7, 2016

Hacking the Elections

Quick key takeaways from Hacking the Elections by Ian Gray

-- The U.S. election landscape is made up of approximately 9,000 different state and local jurisdictions, providing a patchwork of laws, standards, processes, and voting machines. This environment is a formidable challenge to any actor -- nation-state or not -- who seeks to substantially influence or alter the outcome of an election. Doing so would require mastering a large number of these disparate cyber environments and finding a multitude of ways to manipulate them. An operation of this size would require vast resources over a multi-year period -- an operation that would likely be detected and countered before it could come to fruition.

-- WikiLeaks founder Julian Assange continues to claim objectivity and transparency in his reporting; however, recent events have shown that WikiLeaks may be a pawn -- witting or unwitting -- that has been leveraged by the Russian government as an outlet for stolen information damaging to the Democratic National Party.

-- While Guccifer 2.0’s sources are debatable, the hacker has indeed been effective in launching an information and propaganda campaign that has, at least to some degree, disrupted the track of the U.S. election.

-- Aside from the various political-influence campaigns, the FBI has confirmed that malicious actors have been scanning and probing state voter databases for vulnerabilities. Though the actors were operating on servers hosted by a Russian company, those attacks are not, for the moment, being attributed to an actual Russian state-sponsored campaign.

Click here to read the entire article.