Tuesday, September 26, 2017

Tag: data theft

The healthcare industry has been slow to address the dangers of hacking, and breaches are on the rise.
Security pros must be more proactive in keeping people safe.
Good day to be an attorney, or a Maserati salesman
Health insurer Anthem has today agreed to pay $115m to settle a class-action suit brought over its 2015 cyber-theft of 78.8 million records.…
Waymo lawyer: Uber and its star engineer are continuing to delay discovery.
Almost anyone can fall victim to a DDoS attack.

They are relatively cheap and easy to organize, and can be highly effective if reliable protection is not in place.

Based on analysis of the data obtained from open sources, we managed to find out the current cost of a DDoS attack on the black market. We also established what exactly the cybercriminals behind DDoS attacks offer their customers.
Experts point to stronger passwords, full-disk encryption, and multi-factor authentication as ways to stop data theft in the event a laptop is lost or stolen.
The former contractor reportedly spent 20 years pilfering government secrets and helping himself to the cream of the NSA's hacking tools library.
When I talk to IT managers, I almost always hear fears of mobile devices as conduits for sensitive corporate data to leave the company.
I don’t know why I keep hearing this.

There’s simply no evidence to support this fear.
In fact, there’s solid evidence that says mobile devices are not a significant—or even moderate—risk factor. Every year, I check the Identity Theft Resource Center’s database of personally identifying information (PII) breaches, which require disclosure by both state and federal laws.
I’m sure many losses go unreported, and the database doesn’t cover corporate information not containing PII.

But if mobile devices were a conduit to data loss, they should show up in this database. Mobile-linked breaches haven’t shown up in previous years, and they didn’t show up again in 2016—despite the fact that nearly everyone these days uses a smartphone. What does show up? Paper records, thumb drives, external hard drives, laptops, hacks into databases and storage systems, and successful phishing attempts. Many of the reported breaches involve lost papers, drives, and laptops, where a data thief probably wasn’t involved.

But many involve active hacking of IT systems where data theft is the goal.

And some involve insiders (contractors and ex-employees) stealing data to use themselves, bring to new employers, or—least often—sell to others. None of the lost, stolen, or compromised devices were smartphones or tablets.

That’s probably because encrypted devices need not be reported; they’re presumed safe. iPhones and iPads have long encrypted their contents, and professional-grade Android devices have done that in recent years.
In both cases, a simple IT policy can enforce that encryption.
It doesn’t take a fancy mobile security tool; Microsoft Exchange can do the trick. Well, there was one data breach involving a smartphone: A former hospital manager, after resigning, took patient-identifying information by forwarding certain documents such as patient lists to her personal email account.
She had work email set up on her personal smartphone—a common BYOD scenario—and simply forwarded the work emails to her personal email account.

That’s not a mobile-specific issue—she could have done that from a work computer or a home computer. IT’s remedy for this case is the same no matter the device running the email app: Use restricted email accounts where possible and, where not, data loss prevention (DLP) tools to identify and perhaps prevent such unusual email usage.

And don’t distribute PII or other sensitive information in routine documents in the first place!

Also not in the breach list were the cloud storage services that IT managers fret about after they’re done worrying about mobile devices: Apple iCloud Drive, Box, Dropbox, Google Drive, and Microsoft OneDrive. But that omission may be misleading because if a lost (unencrypted) laptop has stored the access credentials for such services—which is common—then the data on that cloud drive is available to a data thief, just as the locally stored data is.

The Identity Theft Resource Center database doesn’t go into great detail of each case, but because a lost (unencrypted) laptop is presumed to be a data breach, that breach extends to any data on that laptop, including cloud-accessed data. Still, we didn’t see cases of these popular cloud storage services as the specific vector of a data breach—despite frequent IT fears to the contrary. In this day and age, IT pros have plenty of security threats to deal with.

Active hacking is the biggest threat, of course, and should get the lion’s share of the resources. The client side should be addressed but not dwelled on. Of the clients in use, mobile is the least risky.

Based on the actual risks, a good place to start is securing laptops, then external drives that people use when they don’t have access to a corporate cloud storage service.

Those devices comprise the biggest client risk.

Encryption is your main line of defense for these devices—for cloud storage, too. For the much smaller risk posed by mobile devices, mobile management tools are both mature and effective; there’s no excuse not to have them in place already.
There are all sorts of ways to curb ransomware, so why has it spread so successfully? The word "ransomware" conjures up images of dark cloaks and even darker alleys, and not surprisingly, the level of media attention has been unprecedented.

The fact that news stories measure the effect of ransomware in terms of cash helps grab the public's attention. (One analysis estimates more than $1 billion in ransoms were paid out in 2016). The most frightening thing about ransomware is that its success is built on trust. Ransomware often gains access by way of a clever email designed with the sole intention of winning the victim's confidence. "My skill is in my ability to get a bunch of people to click on the attachment," explains a malicious actor in a YouTube primer. Ransomware perpetrators have even started copying incentive tactics from legal industries.

There's the Christmas discount for victims who pay up, and a pyramid scheme offer, described in the press as "innovative": "If you pass this link and two or more people pay, we will decrypt your files for free!" This sophistication and business savvy speaks to ransomware's growth as an industry, and IT has had to take notice.

A recent survey of IT professionals from around the globe found that more than 50% of IT staff and more than 70% of CIOs see defending against ransomware as their #1 priority for 2017. What made ransomware into such a strong threat? Is it really a greater menace than traditional security threats or data theft? Or is it just more buzzworthy because the consequences are more dramatic? What's enabling the epidemic, and what produced the conditions for ransomware to flourish?

The Patching Conundrum

In a way, the rise of ransomware in 2016 was in the works for a long time.
Vulnerability patching has been a significant IT challenge for several years — among industrial control systems, 516 of 1,552 vulnerabilities discovered between 2010 and 2015 didn't have a vendor fix at the time of disclosure.

A full third of known "ways in" had to wait for a patch to be developed, providing ample time for criminals to do their worst. Reliance on distributed security appliances has only exacerbated the problem.

Even after patches become available, there's still a significant lag.

A combination of staff shortages, the volume of devices deployed across today's business networks, and distance has dramatically lengthened patch rollout times.
Varying reports put the gap at between 100 days and 18 months. Before ransomware even became a trend, the stage had been set for adversaries to gain access.

It Should Be Easy to Stop

From an IT perspective, one of the most aggravating things about ransomware is that even after the attack gains a foothold, it should be relatively easy to stop.

The file encryption — which actually does the damage — is the final stage of a multistep process.
In fact, there are several opportunities to block the attack before it affects valuable data.

First, if the attack is caught by URL filters or secure Web gateways, it will be averted. The second step is where the initial malware "drop" downloads the ransomware program.

To do this, it must connect back to the attacker's server from within the compromised network.
It's only after the ransomware program itself deploys inside the victim's environment that it encrypts local and network server files.

And still, before the process can launch, most ransomware must connect to a command-and-control server to create the public-private key pair that encrypts the data. At any point in the process, a network security stack has ample chance to block the malicious program from making these connections, and data lockdowns would never happen. With all these opportunities to stop the attack, how has ransomware been so successful?

Complexity upon Complexity

In November, security researchers discovered a mutation that exploits Scalable Vector Graphics (SVG), and this may provide a clue.
SVG is an XML-based vector image format supported by Web-based browsers and applications.

Attackers were able to embed SVG files sent on Facebook Messenger with malicious JavaScript, ostensibly to take advantage of users' inclination to view interactive images. The way these files were manipulated is of much greater concern than either the app that was targeted, or the breach of users' trust: The SVG file had been loaded with obfuscated JavaScript code (see Figure 1).

These files automatically redirect users to malicious websites and open the door to eventual endpoint infection.

The obfuscation tricks detection engines, and signature-based detection will always fall behind as code morphs to new signatures for the same threat.

Figure 1: The string "vqnpxl" is the obfuscation function. Source: Cato Networks

The above attack spotlights an urgent need to simplify. Modern networks see their vulnerability go up thanks to a patchwork of point solutions.
It's not sustainable to expect IT pros to update each point solution, and patch every existing firewall, when each new attack vector comes about.
Skilled attackers will always build new threats faster than IT can defend against them.
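The obfuscated-SVG case above is one a mail or upload gateway can catch structurally rather than by signature, because an image file has no business carrying script at all. As an added example (not code from the article or from Cato Networks), this Python check treats an SVG as XML and reports every place it could execute script: script elements, on* event-handler attributes, javascript: URLs and HTML-embedding elements; the two sample SVGs are constructed, with inert placeholder bodies.

```python
"""Flag active content in SVG files (added example, not the article's code).

Constructed samples: CLEAN_SVG is a plain image; ACTIVE_SVG carries a script
element, an onload handler and a javascript: link with placeholder bodies.
xml.etree does not resolve external entities, but for untrusted input in
production the defusedxml package is the safer parser.
"""
import xml.etree.ElementTree as ET
from typing import List

CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="blue"/>
</svg>"""

ACTIVE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="placeholder()">
  <script>/* placeholder */</script>
  <a xlink:href="javascript:placeholder()"><rect width="10" height="10"/></a>
</svg>"""


def local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1].lower()


def find_active_content(svg_text: str) -> List[str]:
    """Return one finding per place where the SVG could execute script."""
    findings: List[str] = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        if not isinstance(elem.tag, str):  # skip comments / PIs
            continue
        name = local_name(elem.tag)
        if name == "script":
            findings.append(f"<{name}> element")
        if name in ("foreignobject", "iframe"):
            findings.append(f"<{name}> element can embed HTML")
        for attr, value in elem.attrib.items():
            aname = local_name(attr)
            if aname.startswith("on"):  # onload, onclick, onmouseover, ...
                findings.append(f"event handler {aname} on <{name}>")
            if aname in ("href", "src") and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {aname} on <{name}>")
    return findings


def is_safe_svg(svg_text: str) -> bool:
    """Gateway decision: accept only SVGs with no active content at all."""
    try:
        return not find_active_content(svg_text)
    except ET.ParseError:
        return False  # malformed XML: reject rather than guess


if __name__ == "__main__":
    print("clean:", find_active_content(CLEAN_SVG))
    print("active:", find_active_content(ACTIVE_SVG))
```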

For ransomware, the critical test is, "how fast can you roll defenses out?"

Higher Stakes

When prevention is the only true cure, it's no wonder ransomware goes to the front of CIOs' agendas for 2017.

But the predominant trend toward cloud-based security and the promise of a "patch once, fix all" model are starting to correct the problem.

Cloud defenses promote quicker adaptation to ransomware mutations.

The idea is to consolidate all traffic from physical locations and mobile users, and integrate a single firewall service as a permanent "line of sight" between any given user, any given device, and a potential threat source.
In this respect, the cloud is not just about saving work, but also about improving speed to security. 2016 was the year that IT's reluctance to use the cloud backfired, and it played right into ransomware's hands.

Familiarity, comfort, and experience with using the cloud to keep networks safe may improve outcomes in 2017.

Gur is co-founder and CTO of Cato Networks. Prior to Cato Networks, he was the co-founder and CEO of Incapsula Inc., a cloud-based Web applications security and acceleration company.

Before Incapsula, Gur was Director of Product Development, Vice President of Engineering and ...
Security researchers report a massive uptick in the number of MongoDB databases hijacked and held for ransom. On Monday, researcher Niall Merrigan reported 28,000 misconfigured MongoDB were attacked by more than a dozen hacker groups.

That’s a sharp increase from last week, when 2,000 MongoDB databases had been hijacked by two or three criminals. A wave of attacks was first spotted on Dec. 27 by Victor Gevers, an ethical hacker and founder of GDI Foundation.

That’s when he said a hacker going by the handle “Harak1r1” was compromising open MongoDB installations, deleting their contents, and leaving behind a ransom note demanding 0.2 BTC (about $220). Victims would discover they were hit with the data theft only when they accessed the MongoDB and came across a top database field with the ransom demand that read, “Contact this email with your IP of your server to recover your database.”

Escalation of the attacks happened fast, jumping from 200 14 days ago to 2,000 the following week. On Friday the numbers were at 10,000, and by Monday Merrigan said via his Twitter account that there was a huge spike in attacks, reporting 27,000 servers compromised representing 93 terabytes of data gone.

WHOA… Latest #mongodb download from @shodanhq massive jump in ransomed databases 93TB gone (snapshots taken at 1530 and 2130 CET) pic.twitter.com/MakOlrbptt — Niall Merrigan (@nmerrigan) January 8, 2017

Merrigan and Gevers have been tracking both the number of attacks and the number of groups behind them via a spreadsheet with the latest updates.

As of this writing, close to 28,332 victims have been reported. Since identifying “Harak1r1” as the original attacker, they say more than a dozen additional hackers are now actively targeting MongoDB installations as well. Researchers said that in many cases, data stored in the MongoDB now is simply being destroyed and when victims pay the ransom they do not receive their data back. Last week, Gevers told Threatpost attackers were battling among themselves. He said, when one hacker would leave a ransom note, another hacker would target the same database, delete the original ransom note and leave their own.

This further complicates a victim’s ability to retrieve data even if a ransom is paid, he said.

The problem stems from companies that have used the default installation configuration for MongoDB, which does not require authentication to access the database. Researchers say hackers using a Shodan query or scanning the Internet for vulnerable installations can easily find MongoDB servers online. Gevers said a recent scan using Shodan revealed 46,000 open MongoDB installations ripe for attack. He added that an uptick in victims is due to the fact attackers have automated attacks via scripts. He added that because the MongoDB configurations require no credentials, the script used in the attacks is simple to write and execute.

Representatives at MongoDB did not return calls for comment. However, last week when initial reports of MongoDB databases being compromised began to surface, the company published instructions on how admins can secure their databases and respond to attacks.
Security researcher Victor Gevers, co-founder of the GDI Foundation, a non-profit dedicated to making the internet safer, is urging administrators to check their MongoDB installations, after finding nearly two hundred of them wiped and being held for ransom. On Monday morning, Gevers said he’d discovered 196 instances of a MongoDB installation exposed to the public that’s been erased and held for ransom. UPDATE: The count reached nearly 2,000 databases as of 4:00 p.m. The person behind the attacks is demanding 0.2 BTC ($202.89) as payment, and requiring system administrators email proof of ownership before the files are restored.

Those without backups are left in a bind. Gevers has sent dozens of notifications to affected victims and on Twitter has responded to at least two requests for assistance after administrators learned of the issue. In each observed attack, the message remains the same – pay up or lose your data.
It’s possible the attacker is finding open MongoDB installs via basic scanning or Shodan, Gevers said.
It’s also possible they’re finding MongoDB installs that are vulnerable to various exploits, including one that allows remote authenticated users to obtain internal system privileges. If so, then administrators are caught in the middle of a race between Gevers and “Harak1r1”, the person responsible for the attacks.

Asked for his thoughts and advice, Gevers shared the notification letter he is sending to identified victims. In it, he advises that they protect the MongoDB installs by blocking access to port 27017 or limiting access to the server by binding local IPs.

Administrators can also choose to restart the database with the --auth option, after they’ve assigned users access. In addition, he offers the following tips:

Check the MongoDB accounts to see whether anyone added a secret (admin) user.
Check the GridFS to see if someone stored any files there.
Check the logfiles to see who accessed the MongoDB (show log global command).

“Criminals often target open databases to deploy their activities like data theft/ransom.

But we also have seen cases where open servers like these are used for hosting malware (like ransomware), botnets and for hiding files in the GridFS,” the notification letter explains.

In late 2015, there were approximately 35,000 MongoDB installations on the internet. Most of these installations were insecure and publicly available, and combined stored nearly 700TB of data. Configuration errors in MongoDB have led to a number of major data breaches, including the Hello Kitty data breach that exposed 3.3 million people. A short time later, CSO Online was the first to report on the existence of an exposed MongoDB that contained 191 million voter records with the help of researcher Chris Vickery and Databreaches.net. This was followed by a story detailing the existence of a second voter database a week later. Last April, a poorly configured MongoDB installation exposed the personal details on 93 million Mexican voters. MongoDB is a favorite among some IT professionals, but if it isn’t configured properly and secured, this popular platform can be the source of a lot of pain within an organization.

The official documentation for MongoDB contains a security checklist, and administrators are encouraged to follow it completely. This story, "Exposed MongoDB installs being erased, held for ransom" was originally published by CSO.
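The two hardening steps in Gevers' letter (bind only local addresses, run with --auth) correspond to the net.bindIp and security.authorization settings in mongod's YAML configuration file. As an added example, not code from the article, MongoDB or the GDI Foundation, this Python audit parses a mongod.conf and reports the weak settings beside a hardened version; both config samples are constructed, and the parser handles only simple indented key: value mappings (use PyYAML for real files).

```python
"""Audit a mongod.conf for the exposure pattern described above.

Added example, not code from the article, MongoDB or the GDI Foundation.
Assumes mongod's YAML config keys net.bindIp and security.authorization;
the parser handles only indented 'key: value' mappings (no lists/anchors).
"""
import ipaddress
from typing import Dict, List

# Constructed sample: listens on every interface with no authentication,
# which is the configuration the ransom attacks described above abused.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: loopback plus one private address, auth required
# (what binding local IPs and restarting with --auth produces).
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""


def parse_minimal_yaml(text: str) -> Dict:
    """Parse indentation-nested 'key: value' lines into nested dicts."""
    root: Dict = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        while indent <= stack[-1][0]:  # climb back out of deeper blocks
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a bare 'key:' opens a nested mapping
            child: Dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def exposes_beyond_local_net(ip: str) -> bool:
    """True if binding this address makes mongod reachable from outside."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # hostname or garbage: cannot tell, so treat as exposed
    # 0.0.0.0 and :: mean 'all interfaces'; any public address is exposed too.
    return addr.is_unspecified or not (addr.is_loopback or addr.is_private)


def audit_mongod_conf(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means hardened."""
    cfg = parse_minimal_yaml(text)
    findings: List[str] = []
    net = cfg.get("net", {})
    if "bindIp" not in net:
        # Older mongod builds bound every interface when bindIp was absent.
        findings.append("net.bindIp not set: older mongod defaults listen on all interfaces")
    else:
        for ip in str(net["bindIp"]).split(","):
            ip = ip.strip()
            if exposes_beyond_local_net(ip):
                findings.append(f"net.bindIp includes {ip}: reachable beyond the local network")
    auth = cfg.get("security", {}).get("authorization", "disabled")
    if auth != "enabled":
        findings.append("security.authorization is not 'enabled': unauthenticated access allowed")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_mongod_conf(conf) or ["no findings"])
```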
Russian Embassy responds with pic of 'LAME' duck, says move is 'Cold War deja vu'

President Barack Obama has ordered the expulsion of 35 suspected Russian spies in response to "malicious cyber activity and harassment" by Putin's government for attempts to undermine the 2016 election. In a statement issued on Thursday, Obama ordered a number of actions in response to "the Russian government’s aggressive harassment of US officials and cyber operations aimed at the US election."

Under an executive order, the Obama administration has provided additional authority for responding to the cyber threats. It has sanctioned nine entities and individuals: including the GRU and the FSB, two Russian intelligence services; four individual officers of the GRU; and three companies that provided material support to the GRU’s cyber operations. He said the decision was a "necessary and appropriate response" to efforts to harm US interests in violation of established international norms of behavior.

In addition, the Secretary of the Treasury is designating two Russian individuals for using cyber-enabled means to cause misappropriation of funds and personal identifying information. The State Department is also shutting down two Russian compounds, in Maryland and New York, used by Russian personnel for intelligence-related purposes, and is declaring “persona non grata” 35 Russian intelligence operatives.

Obama said the Department of Homeland Security and the Federal Bureau of Investigation are also releasing declassified technical information on Russian civilian and military intelligence service cyber activity "to help network defenders in the United States and abroad identify, detect, and disrupt Russia’s global campaign of malicious cyber activities." In a statement he said: "All Americans should be alarmed by Russia’s actions."

Incoming president Donald Trump responded in a statement that it is time to “move on to bigger and better things.” He added: "Nevertheless, in the interest of our country and its great people, I will meet with leaders of the intelligence community next week in order to be updated about the facts of this situation."

The Russian Embassy in London responded with a tweet of a picture of a duck with the word LAME written across the bottom. "President Obama expels 35 🇷🇺 diplomats in Cold War deja vu. As everybody, incl 🇺🇸 people, will be glad to see the last of this hapless Adm," it Tweeted.

In October, the Obama administration found that Russia took actions intended to interfere with the US election process. "These data theft and disclosure activities could only have been directed by the highest levels of the Russian government," said Obama. Obama said the actions are not the sum total of its response to Russia’s aggressive activities. "We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicised. "In addition to holding Russia accountable for what it has done, the United States and friends and allies around the world must work together to oppose Russia’s efforts to undermine established international norms of behavior, and interfere with democratic governance. "To that end, my Administration will be providing a report to Congress in the coming days about Russia’s efforts to interfere in our election, as well as malicious cyber activity related to our election cycle in previous elections."
Many mobile bankers can block a device in order to extort money from its user.

But we have discovered a modification of the mobile banking Trojan Trojan-Banker.AndroidOS.Faketoken that went even further – it can encrypt user data.
In addition to that, this modification is attacking more than 2,000 financial apps around the world. We have managed to detect several thousand Faketoken installation packages capable of encrypting data, the earliest of which dates back to July 2016.

According to our information, the number of this banker’s victims exceeds 16,000 users in 27 countries, with most located in Russia, Ukraine, Germany and Thailand. Trojan-Banker.AndroidOS.Faketoken is distributed under the guise of various programs and games, often imitating Adobe Flash Player.

Preparing the groundwork

The Trojan is capable of interacting with protection mechanisms in the operating system.

For example, it requests rights to overlay other apps or the right to be a default SMS application.

This allows Faketoken to steal user data even in the latest versions of Android. Once the Trojan becomes active, it requests administrator rights.
If the user denies the request, Faketoken repeatedly refreshes the window asking for these rights, which leaves the victim with little choice.

Figure: The Trojan imitating “Yandex.Navigator” to request administrator rights

Once it has received administrator rights, Faketoken starts requesting the necessary permissions: to access the user’s text messages, files and contacts, to send text messages and make calls.

These requests will also be repeatedly displayed until the user agrees to provide access. The Trojan then requests the right to display its windows on top of other applications.

This is necessary to block the device and steal user data by displaying phishing pages.

Figure: The Trojan requesting the right to display its windows on top of other applications

The final request at the preparatory stage is for the right to be the default SMS application – this allows Faketoken to covertly steal text messages on the latest versions of Android.

The Trojan integrates the options necessary for the user to work with SMS. However, on some Android devices and versions when the user attempts to send an SMS via Faketoken it returns an error.

As a result, the user cannot send SMS messages until they manually change the SMS application.

The Trojan doesn’t like that, and will start requesting the right again. Manipulations with application shortcuts can also be added to the preparatory stage.

After launching, Faketoken starts downloading an archive containing file icons of several applications (the version being analyzed here has eight) related to social networks, instant messengers and browsers.

Then it tries to delete the previous shortcuts to these applications and create new ones.

Figure: On the test devices the Trojan failed to remove the previous shortcuts, which eventually led to the appearance of duplicates

It is not clear why it does this because the shortcuts created by Faketoken lead to the original applications.

Data theft

Once the shortcuts are installed, the next stage of the Trojan’s work begins – the theft of user data.

Faketoken downloads a database from the server containing phrases in 77 languages for different device localizations.

Figure: Screenshot of the database with phrases in different languages

Using these or other phrases from the database, depending on the operating system language, the Trojan will show the user various phishing messages.

Figure: Examples of phishing messages displayed by the Trojan

If the user clicks on the message, the Trojan opens a phishing page designed to steal passwords from Gmail accounts. In addition to that, the Trojan overlays the original Gmail application with this page for the same purpose – to steal the password.

Figure: Phishing page imitating the login page of the Gmail mail service

However, the Trojan doesn’t limit itself to Gmail. Like most modern mobile Trojans, Faketoken overlays the original Google Play app with its phishing window to steal the victim’s bank card details.

Figure: Phishing page used by the Trojan to steal credit card details

The Trojan can also get the list of applications for attack and an HTML template page to generate phishing pages for the attacked applications from the C&C server. In our case, Faketoken received a list of 2,249 financial applications from around the world.

Figure: Example of the Trojan’s phishing pages designed for different applications

It should be noted that the Trojan integrates functionality enabling it to call some of the methods from the HTML page it received from the C&C server.

As a result, in addition to the phishing functionality, the pages described above can get certain information about the device including the address of the Gmail account and, even worse, reset the device to factory settings. What’s more, Faketoken can perform the following actions upon command from the C&C server:

Change masks to intercept incoming text messages;
Send text messages to a specified number with a specified text;
Send text messages with a specified text to a specified list of recipients;
Send a specified text message to all contacts;
Upload all text messages from the device to the malicious server;
Upload all the contacts from the device to the malicious server;
Upload the list of installed applications to the malicious server;
Reset the device to factory settings;
Make a call to a specified number;
Download a file to the device following a specified link;
Remove specified applications;
Create a notification on the phone to open a specified page or run a specified application;
Start overlaying specified applications with a specified phishing window;
Open a specified link in its own window;
Run an application;
Block the device in order to extort money for unblocking it.

This command may include an option indicating the need to encrypt files.

Ransomware banker

As mentioned above, the ransomware functionality in mobile banking Trojans is now commonplace, after being pioneered by Svpeng in early 2014. However, the new Faketoken version can not only extort money by blocking the screen but also by encrypting user files.

Figure: Screenshot of the Trojan code that renames and then encrypts files.

Once the relevant command is received, the Trojan compiles a list of files located on the device (external memory, memory card) corresponding to the given list of 89 extensions and encrypts them.

The AES symmetric encryption algorithm is used, so the same key that encrypted the files also decrypts them, which leaves the user with a chance of decrypting files without paying a ransom.

The Trojan receives the encryption key and the initialization vector from the C&C server.

The encrypted files include both media files (pictures, music, videos) and documents.

The Trojan changes the extension of the encrypted files to .cat. In conclusion, we would like to note that file encryption is not that popular with the developers of mobile ransomware (at least currently), which may be because most files stored on a mobile device are copied to the cloud.
In other words, demanding a ransom in return for decrypting them is pointless.