
Tag: Computer Network

The Mistakes of Smart Medicine

A technological boom in medicine has encouraged medical institutions to process their data exclusively in information systems, and it has also led to the emergence of new types of technological equipment and personal devices that can interact with traditional systems and networks.

This means that the threats that are relevant for them can also be relevant for medical systems.

Mega UK hospitals trust Barts says IT borkage was due to...

Oh, well, that's all right then

Barts Health NHS Trust has blamed the disruption of its IT systems last Friday on a trojan horse infection and not ransomware. The trust, which runs five east London hospitals and is among the biggest in the UK, was forced to quarantine systems in response to the outbreak last week.

In an update on Monday, the trust said that systems are back to normal and there was no leak of confidential data: "On Friday 13 January 2017 Barts Health discovered and took immediate steps to contain a virus in the Trust's computers. The virus has been quarantined, and all major clinical systems are now up and running. No patient data was affected, there was no unauthorised access to medical records, and our anti-virus protection has now been updated to prevent any recurrence."

Early reports on Friday, based on a supposed email sent out to staff, said that the trust was grappling with a file-scrambling ransomware outbreak, like many of its sister NHS hospitals before it.

Dead wrong, according to the trust. "The incident was caused by Trojan malware, not ransomware.

The particular virus has never been seen before and, whilst it had the potential to do significant damage to computer network files, our measures to contain the virus were successful," it said. ®

Switcher: Android joins the ‘attack-the-router’ club

Recently, in our never-ending quest to protect the world from malware, we found a misbehaving Android trojan.

Although malware targeting the Android OS stopped being a novelty quite some time ago, this trojan is quite unique.
Instead of attacking a user, it attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network.

The trojan, dubbed Trojan.AndroidOS.Switcher, performs a brute-force password guessing attack on the router’s admin web interface.
If the attack succeeds, the malware changes the addresses of the DNS servers in the router’s settings, thereby rerouting all DNS queries from devices in the attacked Wi-Fi network to the servers of the cybercriminals (such an attack is also known as DNS-hijacking).
So, let us explain in detail how Switcher performs its brute-force attacks, gets into the routers and undertakes its DNS-hijack.

Clever little fakes

To date, we have seen two versions of the trojan:

acdb7bfebf04affd227c93c97df536cf; package name – com.baidu.com
64490fbecefa3fcdacd41995887fe510; package name – com.snda.wifi

The first version (com.baidu.com) disguises itself as a mobile client for the Chinese search engine Baidu, simply opening the URL http://m.baidu.com inside the application.

The second version is a well-made fake version of a popular Chinese app (http://www.coolapk.com/apk/com.snda.wifilocating) for sharing information about Wi-Fi networks (including the security password) between users of the app.
Such information is used, for example, by business travelers to connect to a public Wi-Fi network for which they don’t know the password.
It is a good place to hide malware targeting routers, because users of such apps usually connect with many Wi-Fi networks, thus spreading the infection. The cybercriminals even created a website (though badly made) to advertise and distribute the aforementioned fake version of com.snda.wifilocating.

The web server that hosts the site is also used by the malware authors as the command-and-control (C&C) server.

The infection process

The trojan performs the following actions:

Gets the BSSID of the network and informs the C&C that the trojan is being activated in a network with this BSSID.

Tries to get the name of the ISP (Internet Service Provider) and uses that to determine which rogue DNS server will be used for DNS-hijacking. There are three possible DNS servers – 101.200.147.153, 112.33.13.11 and 120.76.249.59 – with 101.200.147.153 being the default choice, while the others will be chosen only for specific ISPs.

Launches a brute-force attack with the following predefined dictionary of logins and passwords:

admin:00000000
admin:admin
admin:123456
admin:12345678
admin:123456789
admin:1234567890
admin:66668888
admin:1111111
admin:88888888
admin:666666
admin:87654321
admin:147258369
admin:987654321
admin:66666666
admin:112233
admin:888888
admin:000000
admin:5201314
admin:789456123
admin:123123
admin:789456123
admin:0123456789
admin:123456789a
admin:11223344
admin:123123123

The trojan gets the default gateway address and then tries to access it in the embedded browser. With the help of JavaScript it tries to log in using different combinations of logins and passwords. Judging by the hardcoded names of input fields and the structures of the HTML documents that the trojan tries to access, the JavaScript code used will work only on web interfaces of TP-LINK Wi-Fi routers.

If the attempt to get access to the admin interface is successful, the trojan navigates to the WAN settings and exchanges the primary DNS server for a rogue DNS controlled by the cybercriminals, and the secondary DNS for 8.8.8.8 (the Google DNS, to ensure ongoing stability if the rogue DNS goes down).

The code that performs these actions is a complete mess, because it was designed to work on a wide range of routers and works in asynchronous mode. Nevertheless, I will show how it works, using a screenshot of the web interface and by placing the right parts of the code successively. If the manipulation with DNS addresses was successful, the trojan reports its success to the C&C.

So, why is it bad?

To appreciate the impact of such actions it is crucial to understand the basic principles of how DNS works.

The DNS is used for resolving a human-readable name of the network resource (e.g. website) into an IP address that is used for actual communications in the computer network.

For example, the name “google.com” will be resolved into IP address 87.245.200.153.
In general, a normal DNS query is performed in the following way:

When using DNS-hijacking, the cybercriminals change the victim’s (which in our case is the router) TCP/IP settings to force it to make DNS queries to a DNS server controlled by them – a rogue DNS server. So, the scheme will change into this:

As you can see, instead of communicating with the real google.com, the victim will be fooled into communicating with a completely different network resource.

This could be a fake google.com, saving all your search requests and sending them to the cybercriminals, or it could just be a random website with a bunch of pop-up ads or malware. Or anything else.

The attackers gain almost full control over the network traffic that uses the name-resolving system (which includes, for example, all web traffic). You may ask – why does it matter: routers don’t browse websites, so where’s the risk? Unfortunately, the most common configuration for Wi-Fi routers involves making the DNS settings of the devices connected to it the same as its own, thus forcing all devices in the network to use the same rogue DNS. So, after gaining access to a router’s DNS settings one can control almost all the traffic in the network served by this router.

The cybercriminals were not cautious enough and left their internal infection statistics in the open part of the C&C website. According to them, they successfully infiltrated 1,280 Wi-Fi networks. If this is true, traffic of all the users of these networks is susceptible to redirection.

Conclusion

The Trojan.AndroidOS.Switcher does not attack users directly. Instead, it targets the entire network, exposing all its users to a wide range of attacks – from phishing to secondary infection.

The main danger of such tampering with routers’ settings is that the new settings will survive even a reboot of the router, and it is very difficult to find out that the DNS has been hijacked. Even if the rogue DNS servers are disabled for some time, the secondary DNS, which was set to 8.8.8.8, will be used, so users and/or IT will not be alerted.

We recommend that all users check their DNS settings and search for the following rogue DNS servers:

101.200.147.153
112.33.13.11
120.76.249.59

If you have one of these servers in your DNS settings, contact your ISP support or alert the owner of the Wi-Fi network. Kaspersky Lab also strongly advises users to change the default login and password to the admin web interface of your router to prevent such attacks in the future.
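The check recommended above can be scripted so that it runs over whatever text you can pull from a router's WAN settings page or a host's resolver configuration. The following is an added example written for this page, not code from Kaspersky Lab or from the Switcher write-up: it extracts IPv4 resolver addresses from resolv.conf-style or "Primary DNS: x.x.x.x" style text, flags the three rogue servers named in the article, and also flags the pattern the article warns about, a rogue primary paired with 8.8.8.8 as secondary so that outages of the rogue server go unnoticed. The expected-resolver set (EXPECTED_DNS) and all sample inputs are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List

# Rogue resolvers named in the Switcher write-up above.
SWITCHER_ROGUE_DNS = {
    "101.200.147.153",
    "112.33.13.11",
    "120.76.249.59",
}

# Resolvers this network is expected to use. Constructed for the example;
# replace with your ISP's or your own resolver addresses.
EXPECTED_DNS = {"192.168.1.1", "9.9.9.9"}

# IPv4 dotted-quad candidates; validated with ipaddress below. IPv4 only,
# which is all the article's indicators need.
_IPV4_CANDIDATE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_resolvers(text: str) -> List[str]:
    """Return resolver IPs, in order, from resolv.conf lines ('nameserver X')
    or router-style lines ('Primary DNS: X'). Comments after '#' are ignored."""
    found: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        for candidate in _IPV4_CANDIDATE.findall(line):
            try:
                found.append(str(ipaddress.ip_address(candidate)))
            except ValueError:
                # e.g. 999.1.1.1 matched the regex but is not an address
                continue
    return found


def audit_resolvers(resolvers: List[str]) -> Dict[str, object]:
    """Classify a resolver list: HIJACKED if a known rogue server is present,
    REVIEW if an unexpected but unknown server is present, otherwise OK."""
    rogue = [r for r in resolvers if r in SWITCHER_ROGUE_DNS]
    unexpected = [
        r for r in resolvers
        if r not in EXPECTED_DNS and r not in SWITCHER_ROGUE_DNS
    ]
    # The article notes the malware sets 8.8.8.8 as secondary so that a rogue
    # primary going down does not alert anyone; a known-good secondary therefore
    # does not make a configuration safe, and we report it separately.
    masked_by_fallback = bool(rogue) and "8.8.8.8" in resolvers
    if rogue:
        verdict = "HIJACKED"
    elif unexpected:
        verdict = "REVIEW"
    else:
        verdict = "OK"
    return {
        "resolvers": resolvers,
        "rogue": rogue,
        "unexpected": unexpected,
        "masked_by_fallback": masked_by_fallback,
        "verdict": verdict,
    }


def audit_text(text: str) -> Dict[str, object]:
    """Convenience wrapper: parse then audit."""
    return audit_resolvers(parse_resolvers(text))


# Constructed sample inputs (not captured from any real device).
CLEAN_ROUTER = """Primary DNS: 192.168.1.1
Secondary DNS: 9.9.9.9
"""

HIJACKED_ROUTER = """WAN settings (constructed sample)
Primary DNS:   101.200.147.153
Secondary DNS: 8.8.8.8
"""

RESOLV_CONF = """# constructed /etc/resolv.conf handed out by a hijacked router
nameserver 120.76.249.59
nameserver 8.8.8.8
"""

if __name__ == "__main__":
    for name, sample in [("clean router", CLEAN_ROUTER),
                         ("hijacked router", HIJACKED_ROUTER),
                         ("resolv.conf", RESOLV_CONF)]:
        result = audit_text(sample)
        print(f"{name}: {result['verdict']} rogue={result['rogue']} "
              f"masked_by_fallback={result['masked_by_fallback']}")
```

The REVIEW verdict exists because the indicator list is only as good as the day it was published; any resolver outside the set you expect deserves a look even when it is not one of the three addresses above.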

‘I told him to cut it out’ – Obama is convinced...

And so what are you gonna do about it, Barry?

Analysis

Outgoing US President Barack Obama has promised to take action against Russia over its alleged interference in the presidential election campaign. American intelligence agencies have concluded that hackers linked to the Kremlin infiltrated the computer network of the Democratic National Committee as well as the email account of Hillary Clinton’s campaign chief John Podesta with the aim of influencing the November 8 outcome. Russia has dismissed these allegations as baseless (or “amusing rubbish”), a denial that cut little ice with Obama given the consensus among the US intelligence community that the Kremlin ran a dirty tricks campaign.

Even the FBI now accepts, after initial reluctance, the CIA's conclusion that Russia helped miscreants meddle with the election. "I think there's no doubt that when any foreign government tries to impact on the integrity of our elections, that we need to take action and we will, at a time and a place of our own choosing,” Obama told US public radio network NPR. "Some of it may be explicit and publicized; some of it may not be." Obama also gave a press conference today – his final one as US President – in which he discussed the hacking claims and all but pinned the blame on Vladimir Putin's government. "Mr Putin is well aware of my feelings about this, because I spoke to him directly about it ... I told him to cut it out," said Obama.

Republican president-elect Donald Trump dismissed the accusations against Russia as “ridiculous” and motivated by sour grapes. He questioned why the accusations – which had been circulating for months – had resurfaced with such force only after an election the Democrats lost.

In reality, the claims had been aired in the press for months, and discussed privately among diplomats and officials: it was a looming threat rather than an excuse by sore losers. President Obama's proposed “proportional” reprisals for the alleged meddling need to happen before the Democrat leaves office on January 20 – because, clearly, Trump is not interested in causing trouble for Vlad. Exactly how America will exact revenge is unclear.

A range of options – explicit and covert – are on the table and may involve economic sanctions or the release of sensitive data about the hidden wealth of Russian political and business figures, according to various former diplomats and foreign policy pundits. Similarly worded cyber-threats were made against North Korea after the country was blamed for the Sony Pictures mega-hack. By leaking emails stolen from servers, miscreants threw the Democratic Party and the Clinton campaign off balance at crucial points in the election campaign cycle.

The two biggest bombshells were the DNC emails that sparked the resignation of party chairwoman Debbie Wasserman Schultz in July and the online dumping of the John Podesta emails, through WikiLeaks, in October. The release of the messages was likely designed to cast doubt on the legitimacy of US political processes and its leaders in general. Weakening the Clinton campaign by portraying Hillary – a Putin critic – as elitist and out of touch was an obvious goal.

The American administration's indignation is not focused on the hack itself – all intel agencies target foreign political and business leaders – but that the resulting intelligence was “weaponised” through selective leaks. US spies concluded that the Russians also hacked the Republican National Committee (RNC) as well as the DNC but decided not to leak the Republican data trove. The CIA reckoned Russia was motivated by a desire to tilt the election in favor of Putin-friendly and easily manipulatable Donald Trump. Private intelligence biz Crowdstrike attributed the DNC ransacking to two state-backed elite Russian hacker crews – Fancy Bear and Cozy Bear – which are linked to attacks on the German Bundestag and other campaigns. A previously unknown hacker using the moniker Guccifer 2.0 claimed responsibility for the DNC attack.
Infosec experts and the US intel community have dismissed these claims as a “smokescreen.” Uncle Sam's snoopers have "high confidence" that the Russian government hacked the DNC. In October, the US Department of Homeland Security and Office of the Director of National Intelligence had this to say about election security: The US Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of emails from US persons and institutions, including from US political organizations.

The recent disclosures of alleged hacked emails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts.

These thefts and disclosures are intended to interfere with the US election process.
Such activity is not new to Moscow — the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there. We believe, based on the scope and sensitivity of these efforts, that only Russia's senior-most officials could have authorized these activities. The substance of the allegations isn’t in itself new but has been given fresh currency by Obama’s decision to order the intelligence community to review “malicious cyber activity” during the 2016 election process. ®

DoD Warns Contractors About Iran-Linked Malware

Shamoon, a piece of malware that tries to turn infected computers into unusable bricks, is back. Earlier this month, a number of cybersecurity firms reported that hackers had used the malware against thousands of computers in Saudi Arabia's civil aviation agency and other government bodies. According to Bloomberg, the attacks, like previous ones involving Shamoon, seemingly originated from Iran.

Now, the Defense Security Service (DSS), part of the US Department of Defense, has issued a bulletin to cleared contractors warning them of the threat. “Between 2 and 7 December 2016, DSS was given information from another government agency regarding Indicators of Compromise (IOC) associated with a Shamoon malware variant and may be used in computer network exploitation attempts,” the bulletin, distributed on Thursday and obtained by Motherboard, reads. It does not specify the government agency that provided the information.

These bulletins are sent to contractors to alert them to threats from foreign intelligence entities (FIEs), and in particular, FIEs' infrastructure, malware, tactics, techniques or procedures. “This information is being shared by DSS in order to enable potential targets of possible espionage activity to detect, disrupt or deny FIE's exploitation of cleared contractor information systems, networks or personnel,” it reads.

In 2012, the “Cutting Sword of Justice,” a suspected Iranian hacking group, used Shamoon to aggressively wipe tens of thousands of computers belonging to Saudi Aramco. Aramco is the state-owned oil company of Saudi Arabia. In the wake of the attack, Aramco had to take itself entirely offline. “No emails, no phones, nothing,” Chris Kubecka, a consultant who worked with Aramco, told an audience at the Black Hat hacking conference last year. The hackers also replaced emails and documents with a picture of a burning American flag, according to The Register.

The new version of Shamoon, however, displays a picture of Alan Kurdi, the 3-year-old Syrian boy who drowned while trying to cross from Turkey to Greece, according to a report from security company Symantec. Neither the FBI nor the Department of Defense provided comment in time for publication, and the NSA did not respond to a request for comment.

Holiday Shopping Season Offers Rich Pickings for Cyber-Criminals

NEWS ANALYSIS: You’re not paranoid.

Cyber-criminals really are after your company’s money and its data and they won’t stop at anything to get it. For cyber criminals, the holiday shopping season offers what we used to call a “Target Rich Environment” back when I was in the military. During the holiday seasons there’s a lot of the kind of activity that cyber-criminals love.

There are more customers buying things and that means that there are more credit card numbers floating around, there’s more personal information being stored in company databases and there’s less time for customers and companies to verify what’s real and what’s not. In their haste to make sales, some companies may become careless about the purchase information they collect and they may collect information they don’t need. Worse, with the added load of higher than normal volume, IT departments may be forced to cut corners just to keep up.

Add to the overall frantic pace of holiday shopping the change in credit card security technology and you have even more opportunity for fraud.

This year, now that most credit card users have EMV chips in their cards, the instances of counterfeit cards are already dropping. But in its place is something called “card-not-present” fraud.

This is when criminals use stolen credit card information to order products online or over the phone.

They will then sell those products, or in some cases return them for cash reimbursements. For your business, the overall environment is one in which you’re under attack from all directions.

Criminals are using stolen credit cards on one hand while other criminals are trying to break into your network on the other.

Adding to the excitement, there are new tools in the hands of cyber-criminals that are making their jobs more lucrative—at your expense of course.

Jeremy Manning, threat intelligence support manager at SecureWorks, tells me of a Remote Access Trojan (RAT) that appeared this fall, just in time for shopping to start. This Trojan is delivered to a company’s computer network through a phishing email and inserts itself into the Notepad application in Windows. Once there it captures and sends out the Track 1 and Track 2 credit card data if a card is read, but it can also send out other card data and it includes a key logger.

Manning said that the malware is based on the Netwire tool that some administrators still use, but in this case it’s been modified. “It was hiding itself in the Notepad application,” he explained. “There was a child process that was running there.” Finding the malware is relatively easy, Manning explained in a blog entry.

The threat actors sent a phishing email that was relevant to the company and the employees, showing that they had spent some effort in researching their target.

Unfortunately, that’s only one type of attack and there are plenty of others. Worse, it’s essentially impossible to protect your company against every possible attack.

This means that as business ramps up it’s also necessary to ramp up your efforts to fend them off. “The needs for best practices are amplified over the holidays,” said Dana Simberkoff, chief compliance and risk officer at AvePoint, a company that supports migration and management of Microsoft cloud services.

Because of this, she advises her clients to protect customer data so that the bad guys can’t get it, even if they manage to penetrate network security. Simberkoff listed areas where she encourages her customers to tighten their security.

The first is to collect as little data as possible from consumers. “If you have it, you have to protect it,” she explained. Simberkoff said that while there’s often a push to collect as much data as possible for possible future use, that’s really not the best idea. “Remember that less is more,” she said. “You’re responsible for the data.”

The next step is one that’s been a best practice basically forever, but one that’s frequently ignored, which is to limit what your employees can access. “Make sure that you provide your employees the minimum access to data that they need to do their job,” she said. “Every person in the company doesn’t need to have access to sensitive data.” Simberkoff said that this broad access to unnecessary data is often the result of an overworked IT staff that doesn’t have time to figure out which employee needs access to what data.

Simberkoff also noted that companies aren’t always clear about the purpose for data collection and they aren’t clear about the requests for consent. “You need to have layered consent,” she added, pointing out that you can’t collect someone’s data for one purpose and then use it for something else.

You also need to know about the data flow within your company and you must know what data transfers between your company, credit and debit card processors and vendors. Ultimately, she said, you’re responsible for what happens to your data even when it’s in a business partner’s possession.

All of this will help your company take reasonable steps to protect the data that you’ve been entrusted with, but she also noted that it’s vital for employees to understand that security is everyone’s job.

Now that the holiday shopping season is in full swing, so is the threat level. In addition to protecting your bottom line against cyber-criminals, you also need to protect your customers and your partners.

And yes, the bad guys really are out to get you. “Data is like money. That’s why companies get hacked,” Simberkoff explained. “The more data you hold, the bigger target you are.”

Why Blockchain’s growing pains will be worth it

Experts at a recent technology conference agreed that blockchain has a bright future, but warned it may be a rocky ride until that future arrives.

Blockchain is a distributed database that uses a secure digital ledger of transactions that users can share across a computer network. It's also the technology behind virtual currency bitcoin.

"When you are at the leading edge there will be mistakes. People will get a lot wrong in the next five years. I think of it kind of like running with scissors," says Constellation Research analyst Steve Wilson at the Oct. 26 Connected Enterprise conference hosted by his company.

[Photo caption: Constellation Research Connected Enterprise conference. From left to right: Shawn Wiora, CEO of Maxxsure, Silicon Valley Product Exec Chirag Mehta, and Aron Dutta, Global Head of Blockchain at IBM]

But blockchain enthusiast Richie Etwaru, chief digital officer at IMS Health, had a different take. He started by pointing to the colorful pair of sneakers he was wearing and noted he bought them using bitcoin, the controversial digital currency that's been plagued by security issues. "I think blockchain is the biggest thing I've seen in my life," says Etwaru. "I work in healthcare and bitcoin to blockchain is like what AOL chat was to the internet, and bitcoin is only one substantiation of blockchain."

Blockchain can help the healthcare industry build trust

In the healthcare industry Etwaru says blockchain can help establish new business models that overcome what he describes as the massive absence of trust that exists today among patients, doctors, the pharmaceutical industry and the government. "We started thinking of how we can engineer trust into the network and the distributed ledger (i.e. blockchain) is a great way to solve the trust issue because the information is owned by everyone and no one, and can be seen by everyone and no one," he says. "It's immutable, you can't reverse it, it's pretty decently encrypted and it can be permissions-based." One example Etwaru points to is that trials for new drugs are often flawed because patients don't trust how their information is going to be used. "With blockchain you could do things like citizen research for healthcare.

There could be autonomous organizations like a Wikipedia of research on cancer based on an abundance of trust enabled by blockchain," said Etwaru.

Blockchain can disrupt the cybersecurity landscape

Mike Kail, chief innovation officer at Cybric, a company that's looking to "disrupt the cybersecurity landscape" with new services, says blockchain has got people thinking differently about what's possible. Kail says blockchain technology promises to change the status quo of having to trust a broker to complete financial transactions to a system of automated, verifiable transactions that eliminates the middleman. Speaking more broadly, he says blockchain can bring more efficiency to every company with a supply chain challenge. For companies looking to test the blockchain waters he suggests figuring out a small use case where you can apply blockchain methodology and monitor the results.

Another speaker, Shawn Wiora, cofounder and CEO of Maxxsure, a cybersecurity and cyber insurance company, is using blockchain to offer new kinds of services. "We're able to offer things like variable premiums for a cyber insurance policy that changes as your cyber profile changes," said Wiora. "Does anyone else offer that?" he asked rhetorically.

But even with some companies already innovating, veteran Silicon Valley product executive Chirag Mehta says blockchain's best days are clearly ahead of it. "Blockchain looks like what the cloud looked like 10 or 15 years ago," says Mehta, a former executive at SAP and adjunct professor at Santa Clara University where he teaches such topics as web services and cloud computing to graduate students. One difference he sees vs. the cloud though that's surprised him, is that companies big and small seem to be interested in exploring blockchain's potential. "Big companies weren't as interested in the cloud in the early days," says Mehta. "They weren't as ready to jump in." What blockchain does really well, he adds, is provide the technical integrity necessary to let you trust a series of events. "But don't confuse that with security," he emphasized.

If blockchain needs a blue chip, big name advocate it has one in IBM.

Aron Dutta, global head of blockchain at IBM, says he's already running blockchain technology globally across industries. He sees blockchain as giving companies a way to rethink business models and make more money. Dutta says he has over 4,000 PhDs and 100,000 consultants he can call on to aid his work at IBM, so stay tuned. "It's not about use cases," he emphasizes. "It's about business models." David Needle is a technology journalist based in Silicon Valley. This story, "Why Blockchain’s growing pains will be worth it" was originally published by CIO.

Read the damning dossier on the security stupidity that let China...

How hackers broke into millions of US govt personnel files

The congressional investigation into the hacking of the US Office of Personnel Management has shown how a cascade of stupidity allowed not one but two hackers access to critical government secrets. The 227-page report [PDF] details how two hacking teams, both thought to be state-sponsored groups from China, managed to swipe paperwork for security background checks on 21.56 million individuals – including the fingerprint records for 5.6 million of them – and the personnel files of 4.2 million former and current US government employees. Those stolen documents essentially contained chapter and verse on the lives of millions of Americans who have or had access to sensitive government materials – a goldmine for foreign hackers to target. The infiltrations, carried out between 2012 and early 2015, were so severe and wide-ranging that they forced the resignation of the then-head of the OPM Katherine Archuleta and the creation of a new agency, the National Background Investigations Bureau (NBIB), to carry out sensitive background checks and to keep the information secure. The OPM had been warned repeatedly by government inspectors since 2005 that its IT systems weren't secure.
In 2012, US-CERT warned the department that the Hikit malware was operating on its servers. Late the following year, it also found evidence that one or more hackers were active on those servers. CERT warned again in March of 2014 that a hacker had managed to get information out of the OPM servers – primarily computer network specifications and IT administrator files.

This set off warning signals, since – as the head of the NSA's hacking squad contends – this is the first stage of any serious hacking attack. The two organizations hatched a plan to get rid of the hackers in an operation called Big Bang.

They kept a close eye on what the intruders were doing and – when the attackers loaded a keylogger onto several machines used by people with access to sensitive servers – moved in for the kill on May 27 by shutting down servers and scrubbing the infected machines. Unfortunately, a second hacker was already loose on the system and hadn't been spotted. Later analysis showed the attacker got into the OPM's servers by stealing the credentials of one of its contractors.

Because two-factor authentication wasn't required, this gave free access to the agency's servers and the hacker installed the PlugX malware. In July, the OPM went public with the news that it had been attacked, but said that only computer manuals had been stolen and no personal information was missing.

But in December, the second attacker managed to download 4.2 million personnel files from the OPM's servers and stashed them online. Around March 26 the hackers came back, this time taking millions of fingerprint files and other data.
In mid-April a contractor notified his bosses that there were unusual types of traffic on the network, and the agency hired security firm Cylance to have a look around.

Cylance's scanning tool "lit up like a Christmas tree" when it found the servers laced with malware. A week later, the OPM informed Congress that a major hack had taken place – which it is required to do by law – and quarantined its servers the day afterwards.
It was only when a full forensic investigation was carried out that the true extent of the theft became apparent and the shit hit the fan. The report said that the initial attack was executed by a group called Axiom Threat Actor Group (the only hacking group to use Hikit) and the second by a team called Deep Panda – who are thought to be linked to the Anthem data theft carried out the same year.

Both have links with the Chinese government and it's possible they coordinated their attacks. They were also comedians – two domains were set up to channel the attacks and these were registered to Tony Stark (Iron Man), Steve Rogers (Captain America), and Natasha Romanoff (Black Widow).

The visual effects director of the movie Iron Man was also referenced. The report recommends that the OPM and other government departments hire CIOs who know what they are doing, and tie them into multiyear contracts so they can get stuff done.

They need to introduce a "zero trust" regime on OPM's servers – meaning those inside the firewall are treated with the same caution as those outside. Other recommendations include better authentication controls (well, duh), investing in better security systems, and increasing the amount it pays security staff, so that it can get the best talent and improved training for staff. ®

Improvements In Cybersecurity Require More Than Sharing Threat-Intelligence Information

Interoperability and automation are keys to defining success in computer network defense. I read a recent article covering the cybersecurity marketplace that says the sharing of threat intelligence data could significantly disrupt malicious cyberactivity.

The author continues to use “could” in every sentence in the rest of that paragraph.

Cybersecurity professionals need more than “could.” Timely detection and responses in the face of advanced targeted attacks are major challenges for security teams across every sector. Most organizations rely on a multivendor security infrastructure with products that rarely communicate well with one another.

The shortage of trained security staff and lack of automated processes result in inefficiencies and protection gaps. Interoperability and integration improve effectiveness.

The active sharing of data makes it practical and possible for every security control to leverage the strengths and experiences of the other tools in the security infrastructure. Rather than treating each malware interaction as a standalone event, adaptive threat prevention integrates processes and data through an efficient messaging layer.

This approach connects end-to-end components to generate and consume as much actionable intelligence as possible from each contact and process.

Tear Down The Fences

The shift to adaptive threat prevention helps overcome the functional fences that impede detection, response, and any chance of improved prevention.
Silos of data and point products complicate operations and increase risk.

The actions of each security control and the context of each situation are poorly captured and seldom shared within an organization, let alone among a larger community of trust. Unintegrated security functions keep organizations in firefighting mode, always reacting and pouring human resources into every breach. Process inefficiency exhausts scarce investigative resources and lengthens the timeline during which data and networks are exposed to determined attackers.

The length of time from breach to detection has a direct correlation to extent of damage.
Separate islands of security products, data sets, and operations provide sophisticated attackers with ample space and noise that they can use to their advantage while their malicious code enters, hides, and persists within and throughout an organization. Intel Security’s DXL is the foundation for enabling the ideal adaptive security ecosystem.
It is a near real-time, bidirectional communications fabric that allows security components to share relevant data among endpoint, network, and other IP-enabled systems.
It provides command and control options for otherwise inaccessible systems, and benefits organizations by enabling automated response, vastly reduced response time, and better containment. The goal of DXL is to promote open collaborative security, enable active command and control, forge interoperability (plug-and-play) among distributed elements from disparate vendors, and ensure consistency and speed of outcomes.

The interactions among these components can use their own (standardized) layered application protocols, depending on the use case.

DXL acts as the foundational service -- just as standardized roads and transportation are foundational to commerce or HTTP and browsers are foundational to the internet. Traditionally, communication between security products has been application programming interface (API)-driven, resulting in a fragile patchwork of communicating pairs.

As threats have grown more sophisticated, this model is simply no longer acceptable, as the time from detection to reaction to containment can take days.

To accelerate this process and keep up with the enormous volume of sophisticated threats, security architectures must undergo a significant evolution and be able to respond in minutes or seconds. Shared threat information and synchronized real-time enforcement are necessities, not luxuries. Until now, this has been utilized only for specific products or single point-to-point integrations.
Intel Security’s DXL supplies a standardized communication solution to this real-time problem. Ned Miller, a 30+ year technology industry veteran, is the Chief Technology Strategist for the Intel Security Public Sector division. Mr. Miller is responsible for working with industry and government thought leaders and worldwide public sector customers to ensure that ...
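The article describes the fabric in the abstract: controls publish what they see to a shared bus and subscribe to what they can act on, instead of each pair of products talking through a bespoke API. The following is an added example, not Intel Security's DXL code or API, showing that pattern as a toy publish/subscribe bus in Python. The topic names, the components (a reputation service and a network control), the conviction rule and the sample indicators are all assumptions made for this example; the point it adds to the text is that a verdict reached on the third host automatically contains the two earlier ones too, because every sighting went over the bus.

```python
"""Toy security message fabric (added example; not Intel Security's DXL code).

Models the idea in the article: each control publishes what it observes to a
shared bus and subscribes to the topics it can act on, so one detection drives
automated containment across products without pairwise API integrations.
Topic names, component names and the sample indicators are all assumptions
made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass
class Message:
    topic: str
    payload: dict
    seq: int = 0          # assigned by the fabric; gives an audit order


class Fabric:
    """Topic-based pub/sub bus. Subscribing to "a/b" receives "a/b" and "a/b/...".
    Delivery is synchronous and re-entrant, so a handler may publish in turn."""

    def __init__(self) -> None:
        self._subs: Dict[str, List[Callable[[Message], None]]] = defaultdict(list)
        self.log: List[Message] = []          # every message, for forensics
        self._seq = 0

    def subscribe(self, prefix: str, handler: Callable[[Message], None]) -> None:
        self._subs[prefix].append(handler)

    def publish(self, topic: str, payload: dict) -> Message:
        self._seq += 1
        msg = Message(topic, dict(payload), self._seq)
        self.log.append(msg)
        # snapshot the matching handlers before delivering, so a handler that
        # subscribes or publishes while running cannot disturb this delivery
        handlers = [h for p, hs in self._subs.items()
                    if topic == p or topic.startswith(p + "/") for h in hs]
        for h in handlers:
            h(msg)
        return msg


class ReputationService:
    """Turns raw sightings into verdicts. A hash is convicted if it is on the
    (constructed) blocklist or once it has shown suspicious behaviour on two
    hosts; every host that ever reported it then gets a verdict, so earlier
    sightings are contained retroactively."""

    def __init__(self, fabric: Fabric, blocklist: Set[str]) -> None:
        self.fabric, self.blocklist = fabric, set(blocklist)
        self.hosts: Dict[str, Set[str]] = defaultdict(set)       # sha -> all reporting hosts
        self.suspicious: Dict[str, Set[str]] = defaultdict(set)  # sha -> hosts with bad behaviour
        self.convicted: Dict[str, Set[str]] = defaultdict(set)   # sha -> hosts already given a verdict
        fabric.subscribe("threat/file/seen", self.on_seen)

    def on_seen(self, msg: Message) -> None:
        sha, host = msg.payload["sha256"], msg.payload["host"]
        self.hosts[sha].add(host)
        if msg.payload.get("spawned_shell"):
            self.suspicious[sha].add(host)
        if sha in self.blocklist or len(self.suspicious[sha]) >= 2:
            for h in sorted(self.hosts[sha] - self.convicted[sha]):
                self.convicted[sha].add(h)
                self.fabric.publish("threat/file/verdict",
                                    {"sha256": sha, "host": h, "verdict": "malicious"})


class NetworkControl:
    """Consumes verdicts and isolates the host; it never talks to the sensor directly."""

    def __init__(self, fabric: Fabric) -> None:
        self.fabric, self.isolated = fabric, set()
        fabric.subscribe("threat/file/verdict", self.on_verdict)

    def on_verdict(self, msg: Message) -> None:
        host = msg.payload["host"]
        if msg.payload["verdict"] == "malicious" and host not in self.isolated:
            self.isolated.add(host)
            self.fabric.publish("action/host/isolated", {"host": host, "by": "network"})


def report_sighting(fabric: Fabric, host: str, sha256: str, spawned_shell: bool) -> None:
    """What an endpoint sensor would publish on seeing a new executable."""
    fabric.publish("threat/file/seen",
                   {"host": host, "sha256": sha256, "spawned_shell": spawned_shell})


def run_scenario() -> dict:
    """Constructed scenario: one unknown binary spreads over three hosts, then a
    blocklisted one appears on a fourth. Returns what the fabric did."""
    fabric = Fabric()
    ReputationService(fabric, blocklist={"sha256-blocklisted-sample"})   # constructed hash label
    fw = NetworkControl(fabric)
    unknown = "sha256-unknown-sample"                                   # constructed hash label
    report_sighting(fabric, "host-a", unknown, spawned_shell=True)   # one suspicious host: no verdict yet
    report_sighting(fabric, "host-b", unknown, spawned_shell=False)  # seen, benign so far
    report_sighting(fabric, "host-c", unknown, spawned_shell=True)   # second suspicious host: convict all three
    report_sighting(fabric, "host-d", "sha256-blocklisted-sample", spawned_shell=False)  # known bad: immediate
    return {"isolated": set(fw.isolated),
            "topics": [m.topic for m in fabric.log]}


if __name__ == "__main__":
    result = run_scenario()
    print("isolated:", sorted(result["isolated"]))
    for i, t in enumerate(result["topics"], 1):
        print(i, t)
```

Running the scenario isolates all four hosts in twelve bus messages; the fabric's `log` is the audit trail the article says point integrations fail to capture, and adding a fourth product (say, a mail gateway that also wants verdicts) is one `subscribe` call rather than a new pairwise integration.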

Hacker who stole 2.9 million credit card numbers is Russian lawmaker’s...

On Thursday, a federal jury in Seattle found Roman Seleznev guilty of stealing millions of credit card numbers and selling them online to other fraudsters.
Seleznev, 32, is the son of Russian Parliament member Valery Seleznev. Seleznev, who occasionally went by the moniker “Track2” online (a reference to one of the information strips on the back of a magnetic stripe card), had been hacking into restaurant and retail Point of Sale (PoS) systems since at least October 2009 and continued until October 2013. According to a 2014 indictment (PDF) from the Department of Justice, Seleznev and potentially others who are unknown to the investigators “developed and used automated techniques, such as port scanning, to identify computers and computer systems that were connected to the Internet [and] were dedicated to or involved with credit processing by retail businesses.” The hacker identified vulnerable PoS systems around the country (although specifically in Washington state, in this instance) and had them download malware from servers that he maintained.

The indictment continued: The malware that Roman Seleznev and others unknown to the Grand Jury caused to be downloaded to the victim business’ computers monitored the traffic within the business’ computer network and intercepted the communications between the point of sale terminals and the back of the house computer.

The malware would extract and copy data that included credit card track data and, every five minutes, compile the stolen credit card track data and transmit and upload it to a server identified by a specific IP address. In some cases, the victim’s security practices were startlingly deficient as well. “In the case of the Broadway Grill, in particular, every credit card number that had been swiped at the restaurant between December 1, 2009, and October 22, 2010, (over 32,000 unique credit card numbers) had been saved to a text file that was stored on the business’ back of the house computer,” the 2014 indictment noted.
Seleznev was then accused of placing additional malware on the restaurant’s POS to capture subsequent credit card numbers. Seleznev then placed the stolen card numbers on so-called “carding” websites and forums, where he sold the numbers with a 95 percent guarantee of validity for $20 to $30. He also sold numbers with a 65 percent chance of validity for around $7. Using his preferred carding websites and forums, he sold approximately 140,000 credit card numbers and raked in $2 million.
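The Broadway Grill detail above, a plain text file holding every swiped card number, is the kind of exposure a defender can find before an attacker does. The following is an added example, not code from the article or from the DOJ filings it quotes: a Python scanner that looks through a text blob for magnetic-stripe Track 2 records (the “Track2” of the moniker) and for bare card numbers, keeps only those that pass the Luhn check so order ids and timestamps are not reported, and prints them masked. The sample log is constructed and the card numbers in it are well-known public test numbers; the Track 2 layout assumed is the standard one (start sentinel, PAN, separator, YYMM expiry, service code, discretionary data, end sentinel).

```python
"""Scanner for stored payment-card data (added example; not from the article
or the DOJ filings it quotes).

Finds magnetic-stripe Track 2 records and bare card numbers (PANs) that pass
the Luhn check in a text blob and reports them masked, so a defender can find
files like the one the indictment describes. The sample below is constructed;
the card numbers are well-known public test numbers.
"""
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Track 2: start sentinel ';', PAN (13-19 digits), '=' separator, expiry YYMM,
# 3-digit service code, discretionary data, end sentinel '?'
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# a bare run of 13-19 digits that is not part of a longer run of digits
BARE_PAN = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; weeds out order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four digits are all a report should ever carry."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _candidates(text: str) -> Iterator[Tuple[str, int, str, Optional[str]]]:
    """Yield (kind, line number, full PAN, YYMM expiry or None) for Luhn-valid hits."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TRACK2.finditer(line):
            if luhn_ok(m.group(1)):
                yield "track2", lineno, m.group(1), m.group(2)
        # blank out track records so their digits are not reported again as bare PANs
        rest = TRACK2.sub(" ", line)
        for m in BARE_PAN.finditer(rest):
            if luhn_ok(m.group(1)):
                yield "pan", lineno, m.group(1), None


def scan_card_data(text: str) -> List[Dict]:
    """Masked findings only; the full PAN never leaves this module."""
    findings = []
    for kind, lineno, pan, yymm in _candidates(text):
        findings.append({"kind": kind, "line": lineno, "masked": mask(pan),
                         "expiry": f"{yymm[2:]}/{yymm[:2]}" if yymm else None})
    return findings


def count_unique_pans(text: str) -> int:
    """Distinct card numbers present, counted on the full PAN, reported as a number."""
    return len({pan for _, _, pan, _ in _candidates(text)})


# constructed sample of a back-office text log, not real data
SAMPLE = """\
# back-office sales log (constructed)
2010-10-22 19:02:11 sale 42.17 ;4111111111111111=25121015432112345678?
2010-10-22 19:05:40 sale 18.50 card=5555555555554444 exp=0726
2010-10-22 19:07:03 order id 1234567890123456 table 4
2010-10-22 19:09:55 sale 9.99 card=4111111111111112
"""

if __name__ == "__main__":
    for f in scan_card_data(SAMPLE):
        print(f)
    print("unique card numbers:", count_unique_pans(SAMPLE))
```

On the sample it reports the Track 2 record on line 2 and the bare Mastercard test number on line 3, and stays silent on the 16-digit order id and on the number that fails Luhn. A real sweep would also want to handle digits split by spaces or dashes and to walk whole directories, but the masking rule is the part to keep: a scanner that copies full PANs into its own output has just created a second file of the kind the indictment describes.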

But the scheme apparently was far more vast than that.
Seleznev was arrested in 2014 in the Maldives with his girlfriend.

According to the DoJ, “[Seleznev’s] laptop contained more than 1.7 million stolen credit card numbers, some of which were stolen from businesses in Western Washington. The laptop also contained additional evidence linking Seleznev to the servers, e-mail accounts and financial transactions involved in the scheme.” US prosecutors estimate that Seleznev stole 2.9 million credit card numbers over the years. According to Reuters, Russia at the time called Seleznev’s arrest a “kidnapping.” The defendant’s lawyer, John Henry Browne, says that his client will appeal this week’s guilty verdict on the grounds that he was arrested illegally.

Browne also took issue with a ruling that allowed prosecutors to use “evidence from a corrupted laptop seized at the time of his arrest,” according to Reuters. Seleznev will be sentenced December 2. His lawyer told Reuters that his client faces a mandatory minimum of four years of jail time.

Russian Hackers Target New York Times

The newspaper's Moscow bureau was the recent victim of an attempted cyber attack. The New York Times appears to be the latest target of Russian hackers. The US-based newspaper on Tuesday reported that its Moscow bureau was the recent victim of an attempted cyber attack, though it does not appear that the hackers, believed to be Russian, were successful. "We have seen no evidence that any of our internal systems, including our systems in the Moscow bureau, have been breached or compromised," Times spokeswoman Eileen Murphy said in a statement. "We are constantly monitoring our systems with the latest available intelligence and tools," she added. A series of cyber breaches carried out on various US news organizations, CNN reports, are under investigation by the FBI.
Security agencies believe the hackers are part of the same Russian group that infiltrated the Democratic Party over the summer.

The FBI did not immediately respond to PCMag's request for comment. In June, Russian government hackers gained access to the computer network of the Democratic National Committee; DNC emails were later posted online by Wikileaks.

All signs point to two separate hacking cells with known ties to the Russian government: Cozy Bear had access to the Committee since last summer, while Fancy Bear breached the network in April. That led to speculation that the Russian government is trying to influence the current US presidential election and get Donald Trump elected.

The Republican nominee in July even went so far as to call on the Russians to pursue Hillary Clinton and "find the 30,000 emails that are missing"—a reference to the messages on Clinton's server. The Times hack comes shortly after it published a story that said Paul Manafort, then Trump's campaign chairman, was named in a Ukrainian ledger that showed $12.7 million in undisclosed cash payments to Manafort, who previously advised pro-Russian former Ukrainian President Viktor F. Yanukovych. Manafort recently resigned from the Trump campaign. This is not the first time the New York Times has come under attack, meanwhile.

Chinese hackers targeted the paper in 2013, reportedly to find details about sources to whom Times reporters spoke for an October 2013 story about the wealth of China's prime minister, Wen Jiabao.

20 Top US Hotels Hit By Fresh Malware Attacks

A new swathe of US hotels has fallen prey to point-of-sale (PoS) malware which may have exposed customer financial data. 20 US hotels operated by HEI Hotel & Resorts on behalf of Starwood, Marriot, Hyatt and Intercontinental may have leaked the fin...