Businesses Admit Poor Data Protection Won’t Be Fixed Before Compliance Perfect Storm Hits*:
- Businesses that continue to prioritize perimeter security over data protection will face a day of reckoning when a perfect storm of new regulations comes into effect next year.
- Fully 59 percent of the 1050 IT decision makers polled in Gemalto’s Data Security Confidence Index 2017 said they believe all of their sensitive data is secure, but 65 percent said they were not confident their data would be protected should their network perimeter be breached.
- These apparently contradictory opinions were reinforced by the finding that businesses were continuing to invest in perimeter security protections.
- Those levels of compliance bode poorly for businesses that will face new regulatory burdens as Australia’s Notifiable Data Breaches (NDB) scheme kicks in next February – followed shortly by mandatory PCI DSS compliance and then the EU’s GDPR.
- Australian businesses may be unaware of their obligations under the GDPR, which extend globally to any company holding information on EU citizens.
- Even when aware, 53 percent said they won’t be compliant with GDPR by the time it comes into effect.
- Given that the incoming regulations are focused on protection of data rather than networks, it’s surprising that so many companies continue to rely on perimeter defences that may not be protecting them properly.
- Customer data was the most likely to be protected using two-factor authentication, but only 54 percent of such data was protected in this way.
- Passwords were more widely used, protecting 69 percent of company intellectual property and 60 percent of employee data.
- The heavy reliance on passwords remains a weak spot in data protection: if these are compromised, attackers can access any information in the network that is available to the compromised user account.
- For companies that don’t get the basics of data security right, the NDB scheme is expected to generate a flood of breach disclosures in its early days, and some 20,000 data breach notifications are expected under the GDPR scheme.
*Source: CSO, July 12, 2017
Verizon Customer Information Exposed in Data Breach*:
- A huge data leak at Verizon exposed millions of customer records, but the company blamed an outside vendor for the breach.
- Names, addresses, phone numbers and, in some cases, the security PINs of millions of Verizon customers were publicly exposed online by one of the company’s vendors, Nice Systems, based in Israel.
- An employee of Nice Systems put information into a storage cloud area and incorrectly set the storage to allow external access.
- The vendor was supporting an approved initiative to help Verizon improve a residential and small business wireline self-service call center portal.
- According to one report, records of as many as 14 million customers were found on unsecured storage controlled by Nice Systems, but Verizon maintains only about 6 million unique customers were involved.
- There has been no loss or theft of Verizon or Verizon customer information according to the company.
*Source: Fox Business, July 13, 2017
Trump Hotel Guests Had Their Credit Card Information Hacked*:
- According to a new report, Trump Hotels has been hacked again – the 14 affected properties include Trump Central Park, Trump Chicago, Trump Las Vegas and Trump DC, with most of the hacks occurring between November 2016 and March 2017.
- The hack compromised credit card numbers, names, addresses and phone numbers of guests who booked using the hotel’s third-party booking system known as Sabre Hospitality Solutions.
- Trump Hotels also had its system breached with malware targeting credit cards back in July 2015 and again in early 2016, and was subsequently fined $50,000 for not notifying customers of the breach in a timely manner.
*Source: TechCrunch, July 11, 2017
Court Rules the FBI Does Not Need a Warrant to Hack a Computer*:
- The ruling could have serious implications for how law enforcement is able to conduct remote searches.
- The case stems from the FBI's investigation of the child pornography site Playpen, which the agency took over, deploying a network investigative technique (NIT) in an attempt to identify the site’s visitors.
- According to the ruling, a warrant would not have been necessary for the FBI to deploy malware in this case.
- The implications are staggering if the decision is upheld: law enforcement would be free to remotely search and seize information from your computer without a warrant.
- Some of the opinion hinges around IP addresses, and whether they are private and subject to the Fourth Amendment, or already public.
- The judge wrote that generally, people have no expectation of privacy in an IP address when using the internet.
- This argument echoes that found in other FBI hacking cases, in which judges have written that suspects have no reasonable expectation of privacy when it comes to their IP address.
- Some argue that the decision underscores a broader trend in these cases: courts across the country, faced with unfamiliar technology and unsympathetic defendants, are issuing decisions that threaten everyone’s rights.
*Source: Motherboard, June 23, 2017
A Third of Security Professionals are Unprepared for Dealing with Cyber Threats*:
- One in three security professionals lack effective intelligence to detect and act on cyber threats according to a new survey.
- In addition, 24 percent believe they are at least one year behind the average threat actor, and 17 percent of respondents haven’t invested in any threat detection tools.
- Detecting a compromise at the earliest stage possible can identify suspicious or malicious traffic before it penetrates the network or causes harm, so it’s imperative to invest in technologies security teams can use to centralize and automate threat detection.
- The study shows that 80 percent of security professionals don't consult historical logs on a daily basis to investigate past exposure to threats.
- Organizations should start viewing security as a business enabler that can support and add value to the business as it transforms.
- IT purchase decisions are too often driven by budget rather than need, but implementing the bare minimum is not an option.
- Solutions such as a threat intelligence platform will enable organizations to proactively detect and respond to the modern cyber adversary.
*Source: BetaNews, July 13, 2017
Telegram-Controlled Hacking Tool Targets SQL Injection at Scale*:
- A black market hacking tool has the potential to rapidly conduct website scans for SQL injection vulnerabilities at a large scale, all managed from a smartphone through the Telegram messenger.
- The Katyusha Scanner, a relative newcomer to the black market that surfaced in early April, is a blend of the open source Arachni penetration testing scanner and Telegram.
- The tool is available for between $250 and $500.
- The seller is Russian speaking and is known for selling data stolen from ecommerce websites.
- The tool is simple to use, requiring only that an attacker set up a standard webserver running a version of the Arachni scanner that has been modified so it can be controlled through a linked Telegram account.
- Once the attacker has generated a list of websites they want to target, it can be uploaded through Telegram and commands can be issued to have it scan the sites for any known vulnerabilities.
- The Pro version of the tool will then use available exploits to gain a foothold on the system and access data.
- All of this is done through a simple click on a smartphone, and requires no technical knowledge.
- There may have been 12 to 15 buyers so far, which would mean thousands of websites scanned every day, if not tens of thousands.
- The potential scale of these attacks is the concern, and the tool could live up to its name – Katyusha is the name of a World War II-era Soviet rocket launcher that could deliver multiple attacks simultaneously.
*Source: Threatpost, July 11, 2017