Honda-Tech, General Discussion and Debate: Today in InfoSec
#26  213374U (Thread Starter)  11-19-2014, 08:22 AM

Let's Encrypt — A Certificate Authority to Provide Free SSL Certificates for Entire Web

Originally Posted by Article Text
As days pass, encryption is becoming a need for every user sitting online. Many tech giants, including Google, Apple and Yahoo!, are adopting encryption to serve their users' security and privacy as best they can, but according to the Electronic Frontier Foundation (EFF), high-quality Web security should not be limited to the wealthiest technology firms.

The non-profit EFF has partnered with large, reputable companies including Mozilla, Cisco and Akamai to offer free HTTPS/SSL certificates to those running servers on the internet, starting at the beginning of 2015, in order to encourage people to encrypt users' connections to their websites.

Until now, switching a web server over from HTTP to HTTPS has been something of a hassle and expense for website operators, and certificates are notoriously hard to install and maintain. But after the launch of this new free certificate authority (CA), called Let's Encrypt, it will be much easier for people to run encrypted, secure HTTPS websites.

Let's Encrypt aims to provide not just free, but also an easier way to obtain and use digital cryptographic (TLS) certificates to secure a website, and that is necessary for every site operator, as certificates provide the mechanism that lets a browser trust a Web server's encryption.

"Let’s Encrypt is a new free certificate authority, built on a foundation of cooperation and openness, that lets everyone be up and running with basic server certificates for their domains through a simple one-click process," its official website explains. "For many server operators, getting even a basic server certificate is just too much of a hassle. The application process can be confusing. It usually costs money. It’s tricky to install correctly. It’s a pain to update."

Let's Encrypt is a combined effort of Firefox browser maker Mozilla, network equipment maker Cisco Systems, Internet content distributor Akamai Technologies, digital-era rights advocate Electronic Frontier Foundation, certificate provider IdenTrust and researchers from the University of Michigan.

Web developers who want to test the service can go to GitHub, where its code is publicly available. One thing to note is that it is not yet meant for production servers, and if you ignore this warning, there is a good chance your users will see lots of warnings about your certificate, which will keep driving them away from your site.

"This project should boost everyday data protection for almost everyone who uses the Internet," EFF Technology Projects Director Peter Eckersley said in a statement.

"Right now when you use the Web, many of your communications—your user names, passwords, and browsing histories—are vulnerable to hackers and others. By making it easy, fast, and free for websites to install encryption for their users, we will all be safer online."
Cliffs:
#27  213374U (Thread Starter)  11-21-2014, 07:49 AM

Detekt — Free Anti-Malware Tool To Detect Govt. Surveillance Malware

Originally Posted by Article Text

Human rights experts and Privacy International have launched a free tool allowing users to scan their computers for surveillance spyware, typically used by governments and other organizations to spy on human rights activists and journalists around the world.

This free-of-charge anti-surveillance tool, called Detekt, is an open source software app released in partnership with Human rights charity Amnesty International, Germany’s Digitale Gesellschaft, the Electronic Frontier Foundation (EFF) and Privacy International, in order to combat government surveillance.


NEED AN EYE FOR AN EYE

The global surveillance carried out by the US National Security Agency (NSA) and other government agencies, recently disclosed by former NSA contractor Edward Snowden, shed light on just how far our own government can go to keep track of citizens, whether innocent or otherwise. Therefore, such a tool will help them see if their devices have been infected by any spyware.

Detekt was developed by security researcher Claudio Guarnieri, who has been investigating government abuse of spyware for years and often collaborates with other researchers at University of Toronto's Citizen Lab.

"It was intended as a triaging utility for human rights workers travelling around. It is not an AV [AntiVirus]," explained the developer Claudio Guarnieri in an online discussion about the tool on Twitter with other security researchers.

With the help of the Detekt scanning tool in investigations, Guarnieri and his colleagues discovered, for example, that the Bahraini government used FinSpy, surveillance spyware developed by German firm FinFisher. Among other things, the FinSpy software has the ability to monitor Skype conversations, take screenshots and photos using a device's camera, record microphone use, emails and voice-over-IP, and extract files from hard disks.

Moreover, Guarnieri's team also found that the Ethiopian government spied on journalists and activists in the U.S. and Europe, using software developed by Hacking Team, another company that sells off-the-shelf surveillance tools, and by similar companies.

"Governments are increasingly using dangerous and sophisticated technology that allows them to read activists and journalists’ private emails and remotely turn on their computer’s camera or microphone to secretly record their activities," Amnesty head of military, security and police Marek Marczynski said in a statement. "They use the technology in a cowardly attempt to prevent abuses from being exposed."

"Detekt is a simple tool that will alert activists to such intrusions so they can take action. It represents a strike back against governments who are using information obtained through surveillance to arbitrarily detain, illegally arrest and even torture human rights defenders and journalists."

DOWNLOAD DETEKT ANTI-SURVEILLANCE TOOL

You can download Detekt here.

Detekt, for now, has been designed for Windows PC users to scan their machines for known surveillance spyware that its developers warn is used specifically to target and monitor human rights defenders and journalists across the globe. The tool is not yet supported on the 64-bit version of Windows 8.1.

Detekt scans computers for infection patterns associated with several families of remote access Trojans (RATs) including DarkComet RAT, XtremeRAT, BlackShades RAT, njRAT, FinFisher FinSpy, HackingTeam RCS, ShadowTech RAT and Gh0st RAT.

"If Detekt does not find anything, this unfortunately cannot be considered a clean bill of health," the Detekt software's Readme file warns.

The tool can make you aware of the presence of spyware, but it is by no means 100 percent effective and can't detect all types of spyware. So the human rights group is encouraging software developers to contribute to the project.
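Detekt's own rules and code are not reproduced in the article, so the block below is an added example in Python, not code from the thread, the article or the Detekt project, of the approach such a memory-triage tool takes: apply byte-pattern rules to the readable memory of each process and report which rules fire. The rule strings, process IDs and "memory" contents are all constructed for this example and are not real malware signatures.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    patterns: tuple      # byte regexes matched against raw memory
    require_all: bool    # True: every pattern must be present; False: any one suffices


# Constructed rules for illustration only; these are not real malware signatures
# and nothing here is taken from Detekt's rule set.
RULES = (
    Rule("EXAMPLE_RAT_A", (rb"RAT_A_CONFIG_v\d+", rb"keylog_buffer"), require_all=True),
    Rule("EXAMPLE_RAT_B", (rb"beacon_interval=\d+", rb"https?://[a-z0-9.-]+/gate\.php"),
         require_all=False),
)


def scan_process(regions, rules=RULES):
    """Evaluate every rule against all readable memory regions of one process.

    A pattern counts as matched if it occurs in any region, so a rule that needs
    several strings still fires when they live in different mappings (say, the
    config on the heap and the code strings in the mapped image).
    """
    hits = []
    for rule in rules:
        matched = [any(re.search(p, region) for region in regions) for p in rule.patterns]
        if all(matched) if rule.require_all else any(matched):
            hits.append(rule.name)
    return hits


def scan_processes(processes, rules=RULES):
    """processes: {pid: [region bytes, ...]} -> {pid: [rule names]} for hits only."""
    report = {}
    for pid, regions in processes.items():
        hits = scan_process(regions, rules)
        if hits:
            report[pid] = hits
    return report


# Constructed "memory snapshots" (not real process dumps):
SAMPLE_PROCESSES = {
    # benign process that happens to contain one of RAT_A's two strings
    1234: [b"MZ\x90\x00 notepad.exe ... keylog_buffer appears in unrelated text"],
    # RAT_A: the two required strings sit in different regions
    2345: [b"\x00\x00RAT_A_CONFIG_v3\x00", b"...keylog_buffer\x00..."],
    # RAT_B: a single region with both indicators
    3456: [b"beacon_interval=60\x00https://c2.example.invalid/gate.php\x00"],
    # same indicator as RAT_B but stored as a UTF-16LE (wide) string: the ASCII
    # regex does not match, so this infection is missed (a false negative)
    4567: ["beacon_interval=60".encode("utf-16-le")],
}


if __name__ == "__main__":
    for pid, names in scan_processes(SAMPLE_PROCESSES).items():
        print(f"pid {pid}: {', '.join(names)}")
```

Process 4567 is the point of the README warning quoted above: the same indicator stored as a wide string slips past an ASCII-only rule, so a scan that reports nothing has only shown that none of the patterns it knows were present in the form it expects. Real rule sets carry wide and hex variants of each string for exactly this reason, and still cannot be treated as a clean bill of health.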
#28  2LEM1  11-21-2014, 07:57 AM

213374U I'm going to trust you and run Detekt... but this is the kind of thing you warn us against. Downloading a random file from a company I don't know, in Germany, and then running it with elevated permissions.

I mean, how do I know this isn't a remote access program you wrote?
#29  2LEM1  11-21-2014, 08:01 AM

... and nothing. I run the EXE file and nothing happens. (I'm sure it injected some malicious code into my registry when I executed it)

Did you try this first yourself?
#30  Blaze45  11-21-2014, 08:37 AM

In for results.
#31  213374U (Thread Starter)  11-21-2014, 10:42 AM

Originally Posted by 2LEM1
213374U I'm going to trust you and run Detekt... but this is the kind of thing you warn us against. Downloading a random file from a company I don't know, in Germany, and then running it with elevated permissions.

I mean, how do I know this isn't a remote access program you wrote?
I love your skepticism

Originally Posted by 2LEM1
... and nothing. I run the EXE file and nothing happens. (I'm sure it injected some malicious code into my registry when I executed it)

Did you try this first yourself?
I haven't, as I'm on my work laptop, but have no problem doing so on my home system. The German company you refer to is actually just a German privacy rights advocacy group, very similar to the EFF and others we have here in the states. Considering the backers who put this together, I have little issue with running it on my system.... after a quick scan of course
#32  2LEM1  11-21-2014, 10:55 AM

Hrmm, it didn't seem to launch on my PC, I'm not sure why. I don't have any weird processes though either, so that's good.
#33  Xentropa  11-22-2014, 12:57 AM

Utah Considers Cutting Off Water to the NSA's Monster Data Center | WIRED

Utah considers cutting water to NSA's data center.
#34  213374U (Thread Starter)  11-22-2014, 09:09 AM

Bravo Utah!

I'm seeing a growing trend that pleases me. It seems that, because the federal government continues to refuse to do anything to curb the surveillance, private entities and everyone downstream are doing whatever they can to make its mission damn near impossible to achieve. If there's anything to highlight how broken our system is, it's the overwhelming public support to shut this crap down, yet there's nothing meaningful coming out of Washington.
#35  JoeBlue  11-22-2014, 09:16 AM

^^ Vested interests and all that. We all know how that goes though...

Originally Posted by Xentropa
Utah Considers Cutting Off Water to the NSA's Monster Data Center | WIRED

Utah considers cutting water to NSA's data center.
My room-mate showed that to me yesterday, it made me happy to know that they finally came to their senses about this whole situation.
#36  Xentropa  11-23-2014, 01:41 AM

Does NSA not know about closed loop water cooling systems?
#37  .coolguy  11-24-2014, 04:24 AM

"A leading computer security company says it has discovered one of the most sophisticated pieces of malicious software ever seen.
Symantec says the bug, named Regin, was probably created by a government and has been used for six years against a range of targets around the world.
Once installed on a computer, it can do things like capture screenshots, steal passwords or recover deleted files.
Experts say computers in Russia, Saudi Arabia and Ireland have been hit most.
It has been used to spy on government organisations, businesses and private individuals, they say.
Researchers say the sophistication of the software indicates that it is a cyber-espionage tool developed by a nation state.
They also said it likely took months, if not years, to develop and its creators have gone to great lengths to cover its tracks.
Sian John, a security strategist at Symantec, said: "It looks like it comes from a Western organisation. It's the level of skill and expertise, the length of time over which it was developed."
Symantec has drawn parallels with Stuxnet, a computer worm thought to have been developed by the US and Israel to target Iran's nuclear program. "

Regin, new computer spyware, discovered by Symantec - BBC News


^^^ I can see spying on Russia and SA, but why Ireland?
#38  213374U (Thread Starter)  11-24-2014, 09:25 AM

Very interesting news about Regin still coming out. Looks like they're the first to exploit GSM in the manner they have as well. Very interesting stuff indeed, can't wait for a full reverse-engineered report on it.

As with all other recent attacks, it relies on abuse of Admin privs and exposed shares to get a foothold in the environment. Thankfully I've taken steps to ensure we/my employer remains immune to this avenue of attack
#39  213374U (Thread Starter)  11-25-2014, 08:54 AM

EXPERTS QUESTION LEGALITY OF USE OF REGIN MALWARE BY INTEL AGENCIES

Originally Posted by Article Text

The disclosure of the Regin APT malware campaign this week has spurred much speculation about the source of the attack, with many experts pointing the finger at either the NSA or GCHQ, the British spy agency. Though security researchers involved in uncovering the attack have remained mum on the attribution of Regin, privacy experts say that if one of the intelligence agencies is involved, there’s no legal basis for the operation.

Intelligence services such as the National Security Agency and England’s Government Communications Headquarters are tasked with conducting electronic surveillance and intelligence operations against foreign citizens, and for decades this has been done by tapping phone lines and intercepting other forms of communications. But those methods have given way to the broad use of exploits, malware and other computer intrusion techniques. Those tactics have been filed under the broad powers of intelligence agencies, but officials at Privacy International say that the deployment of malware such as Regin doesn’t have a specific legal authority, either in the United States or England.

“Although we know more than ever before about the capabilities of British and American security services to conduct network exploitation and attacks, we still don’t know on what legal authority GCHQ and the NSA purport to act. There is no clear legal framework in either country that sanctions and regulates the deployment of these kinds of intrusive tools,” Eric King, deputy director of Privacy International, wrote in an analysis.

“The malware at issue here, such as Regin, clearly impairs the operation of the target computers in multiple ways, including by draining battery life and using bandwidth and other computer resources. As such, the Computer Misuse Act means at least to the extent that such activities occur in England and Wales, any GCHQ activities that impair the operation of a computer are prima facie unlawful.”


One of the aspects of the Regin campaign that has drawn much of the attention is the attackers’ compromise of a Belgian telecom. The incident resulted in the attackers compromising a GSM base station controller and having the ability to execute commands. The Intercept has identified the attack as an incident last year at Belgacom that, at the time, was played as a typical malware attack. The Belgacom compromise was an interesting incident, as the company is responsible for handling some of the undersea cables that carry voice and data communications.

Belgacom officials made no mention of who they might have suspected as the attackers, but the company’s statement at the time now looks slightly different. “Belgacom strongly condemns the intrusion of which it has become a victim. The company has filed a complaint against an unknown third party and is granting its full support to the investigation that is being performed by the Federal Prosecutor,” the statement said.

Earlier this year Privacy International filed a lawsuit, along with seven telecoms, against GCHQ for computer exploitation and phone hacking. King said that without clear legal authorization, deployment of malware such as Regin is beyond the bounds of what GCHQ is allowed to do.

“There are no authorising powers in the UK sanctioning the deployment of malware like Regin that meet the Weber standards for authorisation, nor are there the safeguards in statute,” he said.
Cliffs:
- It's the wild ******* west until Washington sets some ground rules
- There's very good reason Washington isn't necessarily anxious to introduce legislation to curb the surveillance
#40  213374U (Thread Starter)  12-01-2014, 10:36 AM

Brian Krebs appeared on 60-Minutes last night to discuss the recent CC breaches at major retailers. Skip ahead to the 16 minute mark for that segment.

#41  213374U (Thread Starter)  12-01-2014, 11:06 AM

F.B.I., MANDIANT, INVESTIGATING SONY PICTURES BREACH

Originally Posted by Article Text
Sony Pictures Entertainment (SPE) is continuing to investigate a potentially massive breach that last week compromised most of the company’s systems and leaked several films online, some which haven’t even been released in theaters yet.

Officials from the FBI and experts with Mandiant, FireEye’s incident response firm, are looking into the case, according to reports this morning.

News of the hack first broke last Monday, but it wasn't until Tuesday that the scope of the attack became clearer.

SPE’s systems were apparently left paralyzed when messages popped up on its machines last week that claimed it had been “Hacked By #GOP,” a hacker group named Guardians of Peace. The notice, alongside a red skull, went on to warn the company that it had “obtained all your internal data including your secrets and top secrets” and that it would release it unless the company obeyed the group.

Flash forward to this past weekend, when it was discovered that several Sony Pictures films, presumably in the form of screeners, had begun to make the rounds on file sharing sites. According to Excipio, a piracy research firm, those titles include the forthcoming "Annie" remake, due out on Dec. 19, and two other films slated for release later this month, "Mr. Turner" and "Still Alice." "To Write Love on Her Arms," a film that's not scheduled for release until 2015, and "Fury," a Brad Pitt WWII drama that was released in October but has not yet been released on DVD, are also being distributed and downloaded, according to the firm.

SPE hasn’t directly acknowledged the breach but has gone on record, telling Variety that “the theft of Sony Pictures Entertainment content is a criminal matter, and we are working closely with law enforcement to address it.”

While some experts theorized last week that the attack might be a ransom demand from a former employee, other reports, including one at Re/Code, a technology news website, are speculating that the attack may have emanated from North Korea as a response to the forthcoming Sony Pictures film, "The Interview."

The plot of the film, scheduled to be released on Dec. 25, revolves around a fictional attempt by the CIA to assassinate North Korea’s leader Kim Jong Un. When details regarding “The Interview” were first announced, back in June, a spokesman for the North Korean Foreign Ministry condemned the film, calling it a “blatant act of terrorism and war.”

“If the U.S. administration allows and defends the showing of the film, a merciless counter-measure will be taken,” the statement, via the republic’s Korean Central News Agency, read.


While it’s unclear exactly what else – in addition to the films – may have been leaked by the hack, a Reddit thread that’s dissected the hack claims corporate files including passwords, actors’ passports and a slew of other sensitive text, may have been implicated. Some in the thread estimate that up to 11TB of data may have been leaked by the hack.

Emails to SPE’s media contact were not immediately returned Monday but last week, before Thanksgiving, email requests for comment were kicked back, claiming that the company’s “email system is currently experiencing a disruption.”
Cliffs:
- Unreleased SPE movies in the wild.... TO THE TORRENT ENGINES!!!!
#42  Xentropa  12-01-2014, 11:42 AM

North Korea stealing our movies?

Send in the taepoDONGS.
#43  213374U (Thread Starter)  12-03-2014, 07:44 AM

The breach at Sony Pictures is no longer just an IT issue

Originally Posted by Article Text
I'm going to make a prediction.

The breach at Sony Pictures has nothing to do with North Korea, aside from the fact that the destructive malware believed to be present on Sony's network is similar to the malware used in South Korea in 2013 - an incident that was blamed on North Korea.

Furthermore, I predict there will be an insider aspect to Sony's breach. The first part of the attack on Sony centered on compromising records; once that was done, the attackers planted malware that was timed, based on the FBI memo, to activate just before Thanksgiving. The easiest way to accomplish this task, assuming I'm right, is by having someone on the inside with just enough access that everything looks normal with a passive glance at the logs.

The second part of the attack on Sony is the aftermath, including the financial burden of dealing with box office losses, employee issues, as well as any fines that are sure to be levied. Sony's just starting to enter this phase.

On Monday, GOP (Guardians of Peace), the group claiming responsibility for the attack on Sony, pushed 25 GB worth of data into the public domain. They say this is only a fraction of the data they were able to compromise, suggesting to one media outlet that they were harvesting records for more than a year before making themselves known.

A year.

That's a long time when it comes to a data breach.

The thing is - this incident is no longer about IT or Information Security. This breach impacts every business unit at Sony and teaches an important lesson that stresses a major sticking point: any asset can be compromised.

Sony didn't just lose PII or financial records. Sony lost their business models and their revenue-generating assets. It's bad enough that employee records and financial data were compromised, but compounding that is the loss of sales and marketing plans, the core of their bottom line.

Worse, because yet-to-be-released movies were compromised and leaked to the Web, Sony has another significant loss to deal with. This loss is one that not only impacts the bottom-line, but also becomes a serious corporate issue, because they'll have to answer to the shareholders if the movies tank when actually released.

All last week, and over the weekend, I talked to various C-Levels who were watching the Sony news cycle. Discounting the North Korea rumors, most of them were interested in how this would impact overall operations.

In some cases, data breaches are expected, but seeing the sales funnels leak to the public, followed by strategies, internal policies and IP, Sony's problems became a serious sit-up-and-take-notice type of event.

Sony has their network back, but that's not the end of the situation. We're going to see the fallout from this incident last long into 2015.

To give a better idea of what was compromised at Sony; here's a brief overview of just some of the documents released this week:

There are more than 30,000 HR documents. Most of them are what you'd expect to see from HR, including rules and regulations, records of meetings and day-to-day management stuff, but there's also a number of highly sensitive records.

PII:

The HR documents contain personal and internal employee information including names, addresses, phone numbers, birthdays, Social Security Numbers, and email addresses.

There are also criminal background checks, offer letters (salary and job details), as well as records related to personnel reviews and opinions within HR. There are termination letters too; not many, but enough to learn that managing union and non-union employees can be a headache.

Financial:

The HR documents include a number of financial records, from accounting and expense reports, to wire transfer requests. Financial details include account and routing numbers, institution name, and employee name.

There are also records of promotion requests, salary requirements, salary caps, etc. Given the files, it looks as if a majority of the records related to payroll and compensation for FY14 / FY15, and some previous years, have been compromised and leaked.

Healthcare:

There are hundreds of healthcare forms within the collected HR documents. However, it isn't clear if these are enrollment only, or if PHI has been compromised as well. Sony has Business Associate Agreements with at least six different companies, so there's hope the group responsible for the attack didn't get access to PHI. If they did, it wasn't leaked on Monday.

(Sony falls under HIPAA, and has extensive training documentation enforcing the importance of protecting healthcare data.)

Active Global Employee:

There are several lists of employees with internal data among the documents downloaded. Depending on how current the records are, a social engineer has everything needed to launch an attack, especially when the HR templates are added to the equation.

This brief list doesn't even scratch the surface of the data published by GOP. Again, this is no longer an IT / Information Security issue, the entire company has been touched by this attack.

This is a chaotic nightmare. It's the worst possible outcome for an enterprise during a security event. (Yes Raf, I said it. You were right, I just waited a few days before reality kicked in.)

Think about it - any plans that were on the network for new business, existing business, staffing, talent, etc. Sony has to assume those are all compromised, and if they were business critical, they'll need to be altered immediately.

How do you recover from something like this? I mean, truly recover? Is it even possible?
Cliffs:
- While Sony may have its network back, it may never fully recover from this breach due to the information stolen
#44  Kelly.  12-03-2014, 08:32 AM

wow -
i would hate to be the security guy there.

a year is a pretty long time - either their IT team is totally incompetent or there was some inside influence. a few days is an eternity in network breach time - if the year is true, then they probably did get the motherlode

and slowly the facade of a truly "secure network" crumbles....
#45  213374U (Thread Starter)  12-03-2014, 08:41 AM

Originally Posted by Kelly.
a few days is an eternity in network breach time - if the year is true, then they probably did get the motherlode
The AVERAGE time between breach and detection right now is 288 days..... 2-HUNNIT and 80Eight motherfucking days!!!!
#46  Kelly.  12-03-2014, 08:43 AM

Originally Posted by 213374U
The AVERAGE time between breach and detection right now is 288 days..... 2-HUNNIT and 80Eight motherfucking days!!!!
wow - really?
I'm glad I stayed out of the security realm. seems those guys always have to keep their resume up to date - lol never know when you'll be breached and on sabbatical
#47  213374U (Thread Starter)  12-03-2014, 09:59 AM

Originally Posted by Kelly.
wow -really?
Yes, primarily because companies don't want to spend the money needed for the tools to meet the next-generation threats that we're facing today. It's hard to convey ROI to the C-level with regard to security purchases; they simply don't contribute to the bottom line. Historically, security was concerned with the perimeter, but 95% of attacks today come by way of a legitimate user's credentials. If you're not actively monitoring both your internal and external network, setting a baseline and looking for any deviations from it, many modern attacks will simply go unnoticed until a third party makes you aware.

I just spent $500K to ensure my company doesn't become a statistic. It was a hard sell, but we can all sleep easier at night knowing we're ahead of the curve.
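The post above talks about setting a baseline and looking for deviations, and the Sony article earlier in the thread makes the opposite point: an insider with just enough access can look normal at a passive glance at the logs. The block below is an added Python example, not code from the thread or from any product mentioned in it, of the simplest form of that baseline: learn, per account, which hosts it logs on from and to, at which hours, and how many logons it makes on its busiest day, then flag new events that fall outside any of those. The logon records, usernames and hostnames are constructed for the example.

```python
from collections import defaultdict

# Constructed logon records for this example (no real company's data).
# Format per line: "YYYY-MM-DD HH:MM user source_host destination_host"
BASELINE_LOG = """\
2014-10-01 09:12 jsmith ws-101 fileshare01
2014-10-01 14:40 jsmith ws-101 mail01
2014-10-02 08:55 jsmith ws-101 fileshare01
2014-10-03 10:03 jsmith ws-101 fileshare01
2014-10-01 02:00 svc_backup bkp01 fileshare01
2014-10-01 08:30 svc_backup bkp01 fileshare01
2014-10-02 02:00 svc_backup bkp01 fileshare01
2014-10-02 08:30 svc_backup bkp01 fileshare01
2014-10-03 02:00 svc_backup bkp01 fileshare01
"""

NEW_LOG = """\
2014-11-20 09:05 jsmith ws-101 fileshare01
2014-11-20 23:48 jsmith ws-101 hr-db01
2014-11-21 02:00 svc_backup bkp01 fileshare01
2014-11-21 02:10 svc_backup ws-233 fileshare01
2014-11-21 03:15 jsmith ws-101 fileshare01
2014-11-21 03:16 jsmith ws-101 fileshare01
2014-11-21 03:17 jsmith ws-101 fileshare01
2014-11-21 10:00 contractor7 vpn-gw hr-db01
"""


def parse(log):
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        date, time, user, src, dst = line.split()
        events.append({"date": date, "hour": int(time[:2]), "user": user,
                       "src": src, "dst": dst, "raw": line})
    return events


def build_baseline(events):
    """Per user: hosts logged on from, hosts logged on to, hours of day seen,
    and the busiest single day, all learned from the training window."""
    baseline = {}
    per_day = defaultdict(int)
    for e in events:
        b = baseline.setdefault(e["user"], {"src": set(), "dst": set(),
                                            "hours": set(), "max_per_day": 0})
        b["src"].add(e["src"])
        b["dst"].add(e["dst"])
        b["hours"].add(e["hour"])
        per_day[(e["user"], e["date"])] += 1
    for (user, _), count in per_day.items():
        baseline[user]["max_per_day"] = max(baseline[user]["max_per_day"], count)
    return baseline


def find_deviations(events, baseline):
    """Return [(raw_line, [reason, ...])] for every event that leaves its user's baseline."""
    per_day = defaultdict(int)
    for e in events:
        per_day[(e["user"], e["date"])] += 1
    flagged = []
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            flagged.append((e["raw"], ["unknown_user"]))
            continue
        reasons = []
        if e["src"] not in b["src"]:
            reasons.append("new_src")
        if e["dst"] not in b["dst"]:
            reasons.append("new_dst")
        if e["hour"] not in b["hours"]:
            reasons.append("off_hours")
        if per_day[(e["user"], e["date"])] > b["max_per_day"]:
            reasons.append("volume")
        if reasons:
            flagged.append((e["raw"], reasons))
    return flagged


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for raw, reasons in find_deviations(parse(NEW_LOG), base):
        print(raw, "->", ", ".join(reasons))
```

Nothing here looks at passwords or malware: every flagged event is a successful logon by a valid account, which is why perimeter-only monitoring misses it. The three-day training window is a toy; a real baseline is built over weeks and re-learned, and the insider the Sony piece describes, who stays within their usual hosts, hours and volumes, is exactly the case this kind of check will not catch on its own.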
#48  213374U (Thread Starter)  12-05-2014, 11:44 AM

BANKS GET GREEN LIGHT IN TARGET BREACH SUITS

Originally Posted by Article Text
A Minnesota District Court ruling this week related to the 2013 Target data breach has opened the door for banks to pursue damages from retailers victimized by a data breach.

Judge Paul A. Magnuson ruled that Target was negligent in ignoring and, in some cases, turning off security features that the court said would have stopped the 2013 holiday shopping season breach. In a 16-page explanation, Magnuson concluded that financial institutions pursuing compensation from Target in court can continue with class-action lawsuits.

“This opens the door to a legal precedent that if you get breached, you’re now automatically responsible for all the bank costs they can think of,” said Gartner vice president and distinguished analyst Avivah Litan. “Now what governs rules of liability are Visa and MasterCard rules, and those are not law, they’re rules of the card brands. Now, those rules are becoming law.”

The bone of contention in the Minnesota ruling is that Target ignored alerts set off by a FireEye malware detection system installed months prior to the breach. Target’s contention is that the system fired off thousands of alarms, and that it was impossible to distinguish between less important alerts, false positives and the more serious indications that an intrusion had occurred.

The Target hackers were able to access the giant retailer’s network by using the compromised credentials of a HVAC vendor contracted by Target. The hackers were able to use those credentials to burrow deep into the retailer’s network, install point-of-sale malware on terminals in many of its locations in the U.S., and then siphon off 40 million payment card numbers and security codes, and the personal information of 70 million customers. The data was stored on servers inside the Target network until it was exfiltrated by the hackers, investigators have revealed.

“Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur,” Magnuson wrote in his ruling. “Indeed, Plaintiffs’ allegation that Target purposely disabled one of the security features that would have prevented the harm is itself sufficient to plead a direct negligence case.”

Litan questioned the ruling from the sense that Target’s difficulties in properly analyzing alerts from its detection systems are not unique.

“It’s not fair at all. I’m sure the alarms went off at Chase as well,” Litan said, referring to a massive breach at JP Morgan Chase this summer. “These systems put out hundreds of thousands of alerts a day and it’s difficult to know which are important. It’s wrong to pull out the FireEye alerts and say Target didn’t listen to them. This demonstrates the difficulty in keeping up with security monitoring. Target is not alone; they’re not the only institution that can’t keep up with 100,000 alerts an hour. Look what happened with JP Morgan Chase, and they’ve got a $250 million budget allocated to cyber.”

Data breaches have been a fairly regular occurrence for close to a decade. The response of banks in the early heyday of ChoicePoint, CardSystems, Heartland and other massive breaches was to roll out the Payment Card Industry Data Security Standard (PCI-DSS) and shift responsibility for securing payment systems onto the retailers. Next October, chip-and-PIN rollouts are expected to accelerate in the U.S. as a shift in liability happens where the party with the lesser standard of care becomes responsible in the event of a breach. For example, if mag stripe data is stolen from a retailer that supports chip-and-PIN cards, the card-issuing bank assumes liability.

Retailers, meanwhile, have argued that they too have borne tremendous costs because of breaches. In a letter from a number of prominent retail associations, including the National Retail Federation and the Retail Industry Leaders Association, to the Credit Union National Association and National Association of Federal Credit Unions, retailers argue that costs are borne equally with financial institutions and that retailers do contribute to the costs of issuing new cards to consumers post-breach.

Retailers also pointed out in the letter dated Oct. 30 that merchants collectively spend $6 billion annually on data security and are proactively leading the charge for chip-and-PIN deployments. They back up their case, demonstrating that outside the U.S., 70 percent of merchants support chip-and-PIN point-of-sale terminals (40 percent of consumers carry upgraded chip cards), whereas in the U.S., 20 percent of merchants have upgraded terminals, but fewer than one percent of cards have chips rather than mag stripes.

“The most unfair part of this is that the banks saw this coming in 2006 and their response was PCI and to put security problems on the retailers,” Litan said. “And only now are they moving to chip-and-PIN. Target would not have happened. Home Depot would not have happened if they’d acted quickly then. You cannot rely on millions of retailers to secure insecure payment systems.”
Cliffs:
- A nasty precedent has been set that could spell the end for a company that suffers a breach
213374U is offline  
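The two threads running through these posts, "set a baseline and look for deviations from it" (post #47 above) and the article's point that Target's FireEye system fired thousands of alarms nobody could triage, are easier to reason about with a concrete illustration. The following is an added example written for this discussion; it is not code from the thread, the article, Target or FireEye. All usernames, network segment names and log lines are constructed sample data, and the scoring weights are assumptions chosen to show the idea: build a per-account baseline of which segments an account normally reaches, raise an alert on any new destination, then collapse and rank the alerts so a vendor account suddenly reaching the POS segment floats above low-value noise instead of drowning in it.

```python
"""Baseline-deviation detection with alert triage over constructed auth logs.

Added example for the discussion above (not the thread's or the article's code).
Log format (constructed): "<timestamp> user=<u> src=<segment> dst=<segment> action=<a>"
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)$"
)

# Assumed weights: how sensitive a destination segment is. Higher means an
# unexpected access there should outrank many low-value alerts elsewhere.
SEGMENT_WEIGHT = {"pos": 5, "cardholder-data": 5, "corp": 2, "vendor-portal": 1}

# Constructed "normal" activity used to learn the baseline.
BASELINE_LOGS = [
    "2014-11-01T08:00:00 user=hvac-vendor src=internet src_ignored=x dst=vendor-portal action=login",
    "2014-11-01T08:00:00 user=hvac-vendor src=internet dst=vendor-portal action=login",
    "2014-11-02T08:05:00 user=hvac-vendor src=internet dst=vendor-portal action=login",
    "2014-11-01T09:00:00 user=alice src=corp dst=corp action=login",
    "2014-11-03T09:10:00 user=alice src=corp dst=corp action=fileshare",
    "2014-11-01T10:00:00 user=svc-pos src=pos dst=pos action=update",
]

# Constructed activity to evaluate: a vendor account moving from its portal
# into the corporate and POS segments, plus some harmless wiki browsing noise.
NEW_LOGS = [
    "2014-11-15T08:00:00 user=hvac-vendor src=internet dst=vendor-portal action=login",
    "2014-11-15T08:01:00 user=hvac-vendor src=vendor-portal dst=corp action=login",
    "2014-11-15T08:07:00 user=hvac-vendor src=corp dst=pos action=login",
    "2014-11-15T08:09:00 user=hvac-vendor src=corp dst=pos action=fileshare",
    "2014-11-15T09:00:00 user=alice src=corp dst=corp action=login",
    "2014-11-15T09:01:00 user=alice src=corp dst=wiki action=http",
    "2014-11-15T09:02:00 user=alice src=corp dst=wiki action=http",
    "2014-11-15T09:03:00 user=alice src=corp dst=wiki action=http",
    "2014-11-15T09:04:00 user=alice src=corp dst=wiki action=http",
    "2014-11-15T09:05:00 user=alice src=corp dst=wiki action=http",
]


def parse(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def build_baseline(lines):
    """Learn, per account, the set of destination segments seen during normal use."""
    baseline = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev:  # malformed lines are skipped rather than poisoning the baseline
            baseline[ev["user"]].add(ev["dst"])
    return baseline


def detect_deviations(baseline, lines):
    """Emit one alert for every event whose destination is new for that account."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["dst"] not in baseline.get(ev["user"], set()):
            alerts.append({
                "ts": ev["ts"],
                "user": ev["user"],
                "dst": ev["dst"],
                "reason": "destination segment not in this account's baseline",
            })
    return alerts


def triage(alerts):
    """Collapse repeats per (user, dst) and rank by segment sensitivity, then volume.

    Sensitivity dominates (weight * 10) so two hits on POS outrank five on a wiki.
    """
    grouped = defaultdict(list)
    for a in alerts:
        grouped[(a["user"], a["dst"])].append(a)
    ranked = []
    for (user, dst), items in grouped.items():
        ranked.append({
            "user": user,
            "dst": dst,
            "count": len(items),
            "first_seen": min(a["ts"] for a in items),
            "score": SEGMENT_WEIGHT.get(dst, 1) * 10 + len(items),
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


def run(baseline_logs=BASELINE_LOGS, new_logs=NEW_LOGS):
    """Full pipeline: baseline -> deviations -> ranked, de-duplicated alert list."""
    return triage(detect_deviations(build_baseline(baseline_logs), new_logs))


if __name__ == "__main__":
    for row in run():
        print(f"{row['score']:>3}  {row['user']:<12} -> {row['dst']:<14} x{row['count']} first {row['first_seen']}")
```

With this data the eight raw alerts collapse to three rows, and the vendor account's two POS accesses sit at the top with a score of 52, ahead of its corp login (21) and the five wiki hits (15). The point is not the particular weights but the shape: the baseline makes "new for this account" the trigger rather than signature matches, and the triage step turns a flood of equal-looking alarms into a short list an analyst can actually work. The first baseline line is deliberately malformed to show that `parse` rejects it instead of letting it distort the baseline.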
Old 12-05-2014, 01:43 PM
  #49  
Honda-Tech Member
 
raceACCORDingly's Avatar
 
Join Date: Jan 2002
Location: socal, usa
Posts: 2,707
Default Re: Today in InfoSec

Home Depot next?
raceACCORDingly is offline  
Old 12-05-2014, 01:49 PM
  #50  
0x5359-0055
Thread Starter
 
213374U's Avatar
 
Join Date: Feb 2005
Location: Texas doe, they do everything big. u mad?
Posts: 5,758
Default Re: Today in InfoSec

The precedent opens the door for banks to go after ANY institution that gets breached resulting in credit card fraud whereby the banks must take action. It's carte blanche to pass the blame/liability when the system is flawed from the word go at behest of the banks.
213374U is offline  

© 2019 MH Sub I, LLC dba Internet Brands