STE WILLIAMS

Security Vulns in Microsoft Products Continue to Increase

The good news: Removing admin privileges can mitigate most of them, a new study by BeyondTrust shows.

A new analysis of Microsoft’s security updates in 2018 suggests the company’s long-standing efforts to build more secure products continue to be very much a work in progress.

Microsoft disclosed more security vulnerabilities — 700 — in total across its operating system, browser, and office products last year than it did in 2017.  

Since 2013, vulnerabilities in Microsoft products have, in fact, more than doubled rather than go down, with even supposedly secure technologies such as Windows 10 and Edge having a disturbingly high number of them, an analysis by BeyondTrust has found.

The one mitigating factor for enterprise organizations is that the threat from a vast majority of these flaws can be neutralized by properly managing the administrative rights available to Windows users, the security vendor said in a report Thursday.

“Eighty-one percent of vulnerabilities for 2018 can be mitigated just by removing administrative rights” on a Microsoft Windows device, says Morey Haber, CTO and CISO at BeyondTrust. “Microsoft cannot remove administrative rights by default. It is needed to initially set up and configure any new deployment of a Windows asset.” So organizations need to ensure the rights are removed or disabled after initial setup, he notes.

Of the 700 vulnerabilities that Microsoft disclosed last year, 189 were classified as being of critical severity. Though that number was lower than the 235 critical vulnerabilities disclosed in 2017, over a five-year period the number of critical flaws in Microsoft products actually increased 30%, BeyondTrust’s analysis shows.

As in previous years, remote code execution (RCE) flaws accounted for the largest proportion of vulnerabilities in Microsoft products last year. Of the 700 total flaws, 292 were remotely exploitable and 178 were rated as critical. Since 2013, the number of RCE flaws increased 54% overall.

Significantly, even Microsoft’s newer Windows 10 operating system and Edge browser continue to be riddled with security issues. Last year a total of 112 severe flaws were reported in Edge — a sixfold increase from 2015, when the browser first became available on Windows. Meanwhile, Windows 10, which Microsoft has positioned as one of its most secure, had 474 vulnerabilities, of which more than one-third were critical. On a positive note, the number of flaws in Windows 10, both critical and non-severe, was lower than in 2017.

BeyondTrust found that most flaws in Microsoft products pose a threat only to systems where administrator rights are enabled. For example, removing administrator rights would have mitigated 84% of the critical flaws in Windows 10 last year. The same was true for 100% of Edge browser vulnerabilities, 85% of the flaws in Windows, and 83% of the flaws in Windows servers.

The situation continues to exist for two primary reasons, Haber says. Many organizations are hesitant to disable administrator privileges out of concern that doing so would disrupt the end user experience. Inertia is another big factor. “It is much simpler for organizations to grant administrative rights and allow the end user to ‘just work’ versus assigning privileges,” he says.

In reality, disabling administrator-level access on Windows devices takes little effort and can be done via Group Policy Preferences for all assets in a domain. However, when doing so, administrators need to ensure they are not degrading the experience for users who might need that access. Multiple tools are available from Microsoft and others that allow administrators to enforce a least privilege model, down to a service or registry key, Haber says.

The tools let standard users perform needed administrative tasks without granting them admin rights. “All organizations should attempt to embrace these strategies to lower risk,” Haber says.


Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/security-vulns-in-microsoft-products-continue-to-increase/d/d-id/1334546?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Atlanta Hawks fall prey to Magecart credit card skimming group

The Atlanta Hawks basketball team is recovering after hackers planted credit card skimming code on its ecommerce site.

Researchers at Sanguine Security found the exploit on the NBA basketball team’s ecommerce site. Anyone ordering merchandise on or after 20 April 2019 had their name, address, and credit card details stolen by the malicious code, which logs victims’ keystrokes at the point of entry.

The researchers built a Magecart detection tool which scans websites for telltale code. It found obfuscated JavaScript code on the Hawks website. The team rendered it into a readable format and found instructions to log visitors’ keystrokes. Then, they checked its operation using Chrome Developer Tools, which is the developer console in the Chrome browser that shows website traffic. Alongside the regular requests you’d expect to see targeting the Hawks website, it also sent the logged keystrokes to imagesengines.com.

The researchers believe that the hackers may have gained access via a third-party component running on the Hawks ecommerce site, which uses the Adobe-owned Magento Commerce Cloud e-commerce system. Sanguine Security said:

Our previous research has uncovered a range of popular vectors: database management tools, marketing plugins and connected accounting software are in the top-3.

Magecart isn’t a regular hacking group; it’s a group of groups that specializes in skimming payment information from ecommerce sites. There are at least seven, according to an investigation of the group from security company RiskIQ. They all have one thing in common, though: they prey on organizations using Magento. In the past, they have attacked companies including Ticketmaster, British Airways, and online retailer Newegg.

RiskIQ says it spotted the first group in 2015, and the activities evolved from there. Some groups use the same infrastructure, but their modus operandi differs. Some of them use automated spray-and-pray attack tools to breach sites, while others are more selective, targeting large brands for big payoffs.

Some groups monetize stolen credit card data by purchasing goods fraudulently and shipping them to mules in the US. The mules, often recruited via work-from-home job scams, forward them to Eastern Europe where the cybercriminals sell them on.

The Hawks reportedly disabled all payment and checkout capabilities on hawkshop.com to prevent any further skimming, adding:

At this stage of the investigation, we believe that less than a handful of purchases on Hawksshop.com were affected.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/V5fE_js2r_0/

Blockchainbandit stole $54 million of Ethereum by guessing weak keys

Someone has been quietly pilfering Ethereum (ETH) cryptocurrency worth millions of dollars without anyone noticing or, apparently, caring.

The discovery was made by researchers at Independent Security Evaluators (ISE) who decided to search Ethereum’s blockchain for evidence of a surprisingly simple weakness that might allow criminals to divert funds from user wallets.

Wallets should be protected by a randomly generated 256-bit private key, which puts the probability of guessing one at around 1 in 2^256 – an unimaginably vast number.

Using a computer capable of generating 100 trillion keys per second, brute forcing such an address would take so long that ISE researcher Adrian Bednarek compares it to tossing a grain of sand on a beach and asking someone to find it.

That’s the theory of key generation. But the problem is how the principle appears to have been implemented by fallible software.

What if that key had accidentally been generated with a value of 1? It sounds highly unlikely, but Bednarek’s hunch that this might have happened turned out to be correct. There had once been an incredibly weak Ethereum private key corresponding to this value, as well as many other trivial equivalents.

Querying this with Etherscan.io, which records transactions, Bednarek discovered that this key identified a wallet that had received 592 transactions, the currency from which had immediately been emptied as soon as it was received.

Expanding the same principle to look for other simple keys amidst 34 billion addresses, he discovered 732 responsible for 49,060 transactions dating back to 2015.

“Blockchainbandit”

All had been emptied, around a dozen to a single address that appeared to belong to an individual or group dubbed the “blockchainbandit” which had worked out how to exploit the weakness. Says Bednarek in his video explanation:

There is a guy who was going around siphoning money from some of the keys we had access to. It’s statistically improbable he’d have guessed those keys by chance.

After falls in the value of Ethereum, today these would be worth around $7.4 million although at January 2018’s Ethereum peak it would have been over $54 million.

As intriguing as this discovery sounds – blockchain wallets are being preyed on by nearly invisible thieves – the point here is how such a phenomenon was made possible in the first place.

ISE’s researchers aren’t certain but suggest several possibilities, starting with simple coding errors that cause very weak private keys (i.e. single-number values) to be generated by accident.

Another possibility is keys generated by blockchain ‘brainwallet’ software from weak passphrases. Bednarek explains:

Let’s say you use the passphrase abc123 to generate a private key. Another person who uses abc123 will get the same private key.

Incredibly, some wallets were even allowing people to create private keys simply by leaving passphrase fields empty and hitting the return key.

One way to undo past errors (if not return stolen currency) would be an Ethereum hard fork of the type that happened in 2016 after the infamous attack on DAO that led to the loss of $50 million.

Another would be to scan cryptographic algorithms for key generation errors, something the research suggests has not been happening.
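As an added illustration, not part of the article or of ISE’s research, the checks below audit candidate Ethereum private keys for the failure modes described above (trivially small values such as 1, brainwallet keys from weak or empty passphrases) and then run them against a key generator, which is the kind of scan for key generation errors the previous paragraph calls for. The SHA-256 brainwallet derivation, the passphrase list and the deliberately buggy generator are constructed assumptions for the example.

```python
import hashlib
import secrets
from typing import Callable, Dict, List

# Group order of secp256k1: a usable Ethereum private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed sample of passphrases an audit treats as burned. The empty string
# models the "leave the passphrase field empty and hit return" case.
WEAK_PASSPHRASES = ["", "abc123", "password", "123456", "qwerty", "letmein"]


def brainwallet_key(passphrase: str) -> int:
    """Classic brainwallet derivation (assumed here): key = SHA-256(passphrase).
    It is deterministic, so two people who pick 'abc123' get the same key."""
    return int.from_bytes(hashlib.sha256(passphrase.encode()).digest(), "big")


# Precomputed once so each audited key costs a dictionary lookup, not a hash.
BURNED_KEYS = {brainwallet_key(p): p for p in WEAK_PASSPHRASES}


def weak_key_reasons(key: int, small_bound: int = 2**32) -> List[str]:
    """Return every weakness found in a candidate private key.
    An empty list means no check fired; it is not proof that the key is strong."""
    reasons: List[str] = []
    if not 1 <= key < SECP256K1_N:
        return ["out_of_range"]                  # not a valid secp256k1 scalar at all
    if key < small_bound:
        reasons.append("small_integer")          # key = 1 and its trivial neighbours
    if len(set(key.to_bytes(32, "big"))) == 1:
        reasons.append("repeated_byte")          # e.g. 0x0101...01
    if bin(key).count("1") < 32:
        reasons.append("low_popcount")           # 256 random bits average 128 set bits
    if key in BURNED_KEYS:
        reasons.append("brainwallet:" + repr(BURNED_KEYS[key]))
    return reasons


def sound_generator() -> int:
    """What a wallet should do: uniform random integer in [1, N-1] from the OS CSPRNG."""
    return 1 + secrets.randbelow(SECP256K1_N - 1)


class BuggyGenerator:
    """Constructed stand-in for the coding error the article speculates about:
    every `period`-th key silently collapses to 1 while the rest look fine."""

    def __init__(self, period: int = 100) -> None:
        self.period, self.calls = period, 0

    def __call__(self) -> int:
        self.calls += 1
        return 1 if self.calls % self.period == 0 else sound_generator()


def audit_generator(generate: Callable[[], int], samples: int = 1000) -> Dict[str, int]:
    """Draw `samples` keys from a generator and count how often each weakness appears.
    A sound generator should return an empty dict."""
    counts: Dict[str, int] = {}
    for _ in range(samples):
        for reason in weak_key_reasons(generate()):
            counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    for label, k in [("key = 1", 1),
                     ("brainwallet 'abc123'", brainwallet_key("abc123")),
                     ("CSPRNG key", sound_generator())]:
        print(f"{label:22s} -> {weak_key_reasons(k) or 'no known weakness'}")
    print("buggy generator audit:", audit_generator(BuggyGenerator(), 1000))
```

The popcount and repeated-byte checks catch the “trivial equivalents” of a key of 1 that no passphrase list would contain; the audit only proves a generator bad, never good.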

As impressive as the ISE research is, the shame is that it happened after the damage was done. It’s not big news that blockchains have flaws but finding ones that could lead to millions of dollars of theft surely shouldn’t be left to chance discovery.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/6mc9WjxauUo/

ExtraPulsar backdoor based on leaked NSA code – what you need to know

A US security researcher has come up with an open-source Windows backdoor that is loosely based on NSA attack code that leaked back in 2017 as part of the infamous Shadow Brokers breach.

The researcher, who goes by @zerosum0x0 online and Sean Dillon in real life, has dubbed his new malware ExtraPulsar, a nod to the NSA’s tool called DOUBLEPULSAR.

The code itself is intriguingly simple.

Rather than exploiting a vulnerability that wasn’t supposed to be there, it quietly makes use of an undocumented part of Microsoft’s own file server driver SRVNET.SYS.

Most Windows servers, and many Windows laptops, accept file sharing connections – if you run the command net share and you see C$ and ADMIN$ in the list, yours does.

If file sharing is active, you’ll see the Windows kernel driver SRVNET.SYS loaded – full name Server Network Driver.

The idea is that the Server Network Driver – it’s called that even on non-server versions of Windows – looks after the open network ports and the network traffic that’s part of Windows file sharing.

This traffic-handling driver then hands off incoming packets to one or more additional drivers to deal with remote requests.

For example, the Server Network Driver will usually be accompanied by a “device extension” driver called SRV2.SYS, the Smb 2.0 Server Driver.

SMB is short for Server Message Block, Microsoft’s moniker for its file sharing protocol.

If you’ve enabled the outdated, insecure and now off-by-default SMB 1 – something even Microsoft urges you not to do – you’ll see SRV.SYS as well, listed as plain old Server Driver.

What the researcher figured out is how to persuade the Server Network Driver to load an additional kernel module built from his backdoor code, something that he denoted in his source tree with a diagram described as “slop together a graphic”:

The idea of creating malware that works this way is as follows:

  • The malware code is registered to handle network packets already received by the top-level server driver. So the malware doesn’t need to open any listening network ports itself, or make any suspicious-looking network calls.
  • The malware code runs as a kernel driver, and any code it receives and launches itself acquires kernel privileges too. So this malware and any backdoor code it activates runs at what amounts to a super-admin level.
  • The malware code automatically gets woken up and activated when SMB network packets arrive. So it can easily identify its own command-and-control instructions, remove them from the network stream, and act on them.

The proof-of-concept remote code execution delivery tool in Dillon’s project is just 12 lines of Python programming that sends a single network packet of executable code to port 445 on an infected computer.

Normal SMB packets start with the bytes 0xFF 0x53 0x4D 0x42, which shows up as ■SMB when displayed as text.

The malware recognises its own shellcode payloads because they’re tagged with 0x45 0x78 0x50 0x75, which comes out as ExPu, short for ExtraPulsar.
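As an added example, not from the article or from Dillon’s project, the filter below shows how a network tool could use the leading bytes just described to separate well-formed SMB traffic on port 445 from ExPu-tagged payloads, and why the more robust rule is “not a known SMB header at all”. It assumes the tag sits where the SMB protocol id would be and that frames carry the standard 4-byte direct-TCP length prefix; the SMB2/SMB3 magic values and header sizes are well-known constants not quoted in the article, and the sample frames are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Leading bytes as given in the article: 0xFF 'S' 'M' 'B' for classic SMB,
# 0x45 0x78 0x50 0x75 ("ExPu") for an ExtraPulsar payload.
SMB1_MAGIC = bytes([0xFF, 0x53, 0x4D, 0x42])
EXPU_TAG = bytes([0x45, 0x78, 0x50, 0x75])
# Standard SMB2/3 protocol ids (well-known values, not quoted in the article).
SMB2_MAGIC = b"\xfeSMB"
SMB3_TRANSFORM_MAGIC = b"\xfdSMB"   # SMB3 encrypted transform header

# Minimum header sizes for a plausible message: SMB1 = 32 bytes, SMB2 = 64 bytes.
MIN_HEADER = {SMB1_MAGIC: 32, SMB2_MAGIC: 64}


@dataclass
class Verdict:
    label: str    # smb1 | smb2 | smb3-encrypted | extrapulsar | malformed | unknown
    alert: bool   # True when a filter should log or drop the frame
    detail: str


def build_frame(body: bytes) -> bytes:
    """Direct-TCP (port 445) framing: a zero byte then a 24-bit big-endian length.
    Used here only to construct sample traffic."""
    return b"\x00" + len(body).to_bytes(3, "big") + body


def smb_body(frame: bytes) -> Optional[bytes]:
    """Validate the 4-byte transport prefix and return the SMB message, or None."""
    if len(frame) < 4 or frame[0] != 0:
        return None
    body = frame[4:]
    return body if len(body) == int.from_bytes(frame[1:4], "big") else None


def classify(frame: bytes) -> Verdict:
    body = smb_body(frame)
    if body is None:
        return Verdict("malformed", True, "transport length prefix missing or inconsistent")
    head = body[:4]
    if head == EXPU_TAG:
        return Verdict("extrapulsar", True, f"ExPu tag followed by {len(body) - 4} payload bytes")
    if head == SMB3_TRANSFORM_MAGIC:
        return Verdict("smb3-encrypted", False, "SMB3 transform header")
    if head in MIN_HEADER:
        label = "smb1" if head == SMB1_MAGIC else "smb2"
        if len(body) < MIN_HEADER[head]:
            return Verdict(label, True, f"header truncated to {len(body)} bytes")
        return Verdict(label, False, "well-formed header")
    # Anything else on 445 is not SMB at all. This rule, not the ExPu string,
    # is what still fires if a variant hides the tag behind encryption.
    return Verdict("unknown", True, f"unrecognised leading bytes {head.hex()}")


def scan(frames: List[bytes]) -> List[Verdict]:
    """Run the filter over captured frames and return only those worth logging."""
    return [v for v in (classify(f) for f in frames) if v.alert]


# Constructed sample traffic: a legitimate SMB2 message, an SMB1 message,
# an ExPu-tagged frame with stand-in bytes, and a frame with a bogus prefix.
SAMPLE_FRAMES = [
    build_frame(SMB2_MAGIC + bytes(60)),
    build_frame(SMB1_MAGIC + bytes(28)),
    build_frame(EXPU_TAG + b"A" * 16),
    b"\x01\x00\x00\x04abcd",
]

if __name__ == "__main__":
    for verdict in scan(SAMPLE_FRAMES):
        print(f"ALERT {verdict.label:14s} {verdict.detail}")
```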

What to do?

If you’ve seen media stories suggesting that this project could lead to “undetectable malware”, don’t panic.

Good security software can block rogue kernel drivers and their side-effects in many ways:

  • Kernel drivers are themselves Windows program files, albeit with some special characteristics. (They usually have a .SYS extension instead of .EXE or .DLL.) So they can be detected, blocked and removed by anti-virus software.
  • Kernel drivers load into memory and stay there, albeit in a different part of the operating system to regular apps. So they can be detected and ejected by anti-virus software.
  • ExtraPulsar SMB network packets could be made to have innocent-looking content, for example by encrypting them, but they have to be recognised as different by the backdoor component. So they can be detected and rejected by network filtering tools.
  • Modern Windows versions won’t load rogue kernel drivers by default. Kernel drivers need to be digitally signed, so crooks need to acquire rogue certificates to get any sort of foothold. So rogue drivers can be identified and blocked by security software.

We’re not convinced that Dillon really needed to release his proof-of-concept malware as a freely downloadable GitHub project…

…but ExtraPulsar can’t be used directly to launch an attack, and it doesn’t represent an “undetectable” threat, whatever you may have heard.

So let’s be charitable and say that Dillon’s code is informative to study if you are interested in cybersecurity.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GRhwWIR4F8M/

Indeed.com: Slight Dip in Clicks on US Cybersecurity Job Listings

Meanwhile, most of the highest-paying positions pay more than $100K, according to new analysis from the job posting site.

While the number of US cybersecurity job postings on Indeed.com increased by 7% between 2017 and 2018, clicks on those listings dropped by 1.3%.

Meanwhile, the employment website’s first-ever analysis of trends in cybersecurity listings worldwide shows that most of the top 10 highest-paying job titles in the US come with salaries of more than $100,000. The security positions with the top salaries are application security engineer ($128,128), director of information security ($127,855), senior security consultant ($126,628), and cloud engineer ($126,365). Penetration testing positions command an average salary of $114,431.

Raj Mukherjee, senior vice president of product at Indeed, says the dip in job-seeker traffic to cybersecurity positions may be another sign of the lack of qualified candidates to fill the positions. The demand for these positions, however, will continue to rise worldwide, he says. “This may be cause for concern for employers looking to find workers with cybersecurity skill sets, as it is likely that there will be more competition for these highly skilled workers,” Mukherjee says.

Business analytics and information systems firm Catapult Consultant posted the most jobs in the US in 2018, followed by Wells Fargo, according to Indeed.com’s data.

A recent study by industry association ISACA found that finding and hiring qualified security professionals takes an average of three to six months, and only half of or fewer applicants actually meet a position’s qualifications. And 80% of IT security pros recently surveyed by Tripwire say it’s getting harder to find skilled people to fill their open job positions.

Top-Paying Cybersecurity Positions in the US

Position                            Average salary
Application security engineer       $128,128
Director of information security    $127,855
Senior security consultant          $126,628
Cloud engineer                      $126,365
Software architect                  $117,633
Penetration tester                  $114,431
Risk manager                        $108,465
Chief information officer           $103,690
Security engineer                   $101,808

Source: Indeed.com

Other nations had major increases in job postings between 2017 and 2018: The number of cybersecurity job positions in India, for example, increased 39%, with the most postings from consulting and IT services firm Wipro, which reportedly suffered a major cyberattack recently. Ireland posted 18% more jobs, mostly from Apple, Amazon, and Facebook.

Indeed.com tracked how job seekers find US cybersecurity positions online by studying search terms they used. The top terms, in order of ranking, were information technology, Amazon, and engineer. Search term trends can help employers better target their listings, Mukherjee says.

“By understanding what searches are leading to job-seeker clicks on cybersecurity job postings, employers can adapt their recruitment targeting techniques,” he says. “For example, the search terms indicate there are many curious prospective candidates for cybersecurity roles who could be recruited into this high-demand field, so employers should consider a broad targeting approach.”

Mukherjee also says employers should be more “creative” in their job postings to expand their applicant pool. That includes attracting candidates with nontraditional cybersecurity backgrounds who can be trained on the job – a concept that security industry experts say is one key to closing the so-called talent gap.

“One way they can do this is through assessments, which allow job seekers and employers to understand [whether] a candidate’s skills match the needs of the open role,” he says. This allows candidates to demonstrate their skills that may not fit their work history or backgrounds, he says.

“As every company becomes a software company and the need for cybersecurity and other tech roles continues to grow, it will be even more crucial for companies of all sizes to look to solutions that will help them hire quality candidates and to close the talent gaps in tech,” he says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/risk/indeedcom-slight-dip-in-clicks-on-us-cybersecurity-job-listings-/d/d-id/1334525?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Ramblings of a Recovering Academic on the So-Called Lack of Security Talent

Hiring for security is difficult, as many surveys show. But what the research doesn’t explain is the “why” – and a lack of talent may not be the sole reason.

Recent reports by ISACA and Tripwire suggest that companies are having difficulty filling security jobs. Their studies stress that hiring for senior technical security roles is a particular pain point, with Frank Downs, director of ISACA’s Cybersecurity Practices, stating, “Academic organizations don’t necessarily teach all aspects of security that make an individual technically proficient.”

While I dare not speak for the entire security industry, I’d like to offer a different perspective by taking a closer look at a specific demographic: graduate students pursuing advanced security research degrees (a PhD or equivalent).

When I earned my PhD, I had long discussions with my advisers to evaluate job opportunities. Over the years I’ve mentored numerous PhD students myself and have found my job search experience as a student matches the opinions of my mentees today: There are very few attractive security jobs available — or so was our impression. A lack of talent distresses the industry at large, while experienced researchers fail to find relevant jobs to apply for. We seem to have two views in stark contrast.

It’s easy to dismiss the situation as “academic snobbery” and accuse academics of being out of touch with practical problems. Of course, this is not true. Academic researchers comprise some of the most highly specialized and hands-on security talent. Alternatively, one could assert that industry jobs offer little challenge and therefore no intellectual fulfillment, especially since academic researchers work on cutting-edge security problems. This, too, is a misconception.

In reality, the false impression that available jobs are unattractive may be a symptom of miscommunication between candidates and employers, and misunderstandings about an academic researcher’s skills and interests, which run deep in the industry. In turn, the inability to source candidates from academia may be leading to a perceived lack of senior technical talent in the field.

Based on the feedback from my mentees, here are three common factors that alienate PhD prospects in their job search.

Prescribed Experience Requirements
A recurring complaint of graduating PhDs is that their applications are immediately rejected due to a lack of work experience, or they are positioned for entry-level roles before they get an opportunity to talk to technical teams.

First of all, pursuing a PhD is a full-time job. Researchers are charged with the onerous task of creating knowledge. They independently identify novel problems, invent solutions, engineer systems, and disseminate the knowledge to the rest of the security community.

Unfortunately, many recruiters are unfamiliar with this structure; they are under the false impression that a PhD is an extended period of classroom education. In contrast, even new graduates will have made significant code, data, and know-how contributions to the security field. Instead of relying on an arbitrary years-out-of-school metric, it’s a lot more meaningful to objectively evaluate candidates in light of job requirements.

Failure to Advertise Intellectual Gratification
Academia offers a versatile environment for researchers to pursue their professional interests, yet many academics still step into the corporate world. An important driver for that is access to data or technologies that would otherwise be out of reach. In my case, the opportunity to work for a leading content delivery network provider was a major attraction; access to an infrastructure of that scale wasn’t a possibility in academia.  

Security is an overarching problem, but certain industries are at a disadvantage because they lack that immediate intellectual gratification appeal to draw talent from academia. The banking industry is an example. Although banks will remain a prime target for sophisticated attacks, they carry the stigma of being dull work environments using aged technology. This perception has a noticeable negative impact on job search behavior, and many candidates won’t even entertain the thought of sending a résumé.

Promoting intellectual gratification is essential to attracting senior technical talent, especially in today’s vibrant IT world. All businesses have important security problems to solve. The burden of advertising what unique challenges and learning opportunities a job offers falls on employers.

Poorly Calibrated Job Requirements
Another trend I observe with graduating PhDs is that they have difficulty judging from job descriptions the expected seniority, or otherwise they are puzzled by the rudimentary requirements listed for a “principal” or “lead” role. This confusion often results in them skipping positions without further consideration.

Job descriptions play an important ancillary role, especially in attracting senior talent. They signal the maturity of an employer’s security team and the level of support it gets from management. A consistent description, explicitly listing the required skills and with the proper terminology matching the expected depth of knowledge, is key to establishing the trust that employers understand the problem they want to solve on a technical level and can provide the resources and recognition to help employees prosper.

For instance, an enduring grievance of data scientists is about jobs requiring “artificial intelligence” expertise, as opposed to listing specific machine learning and statistical methods necessary for the task. Similarly, jobs that ask for familiarity with “OWASP Top 10” instead of naming specific classes of web application attacks and analysis techniques are often a turnoff for seasoned vulnerability researchers. These often raise red flags that the employer may not have a technical understanding of its security goals or a clear direction for its security program.

As I conclude, I stress that the points I raise here are the ramblings of a recovering academic, based on observations and feedback and focusing on a narrow demographic in the security talent pool. The fact remains that hiring for security is difficult, as the survey data shows. What those surveys don’t explain is the “why,” and hopefully this piece hints that a lack of talent may not be the sole reason. Investigating the cause in a scientific framework is essential to closing the security talent gap.


Kaan Onarlioglu is a researcher and engineer at Akamai who is interested in a wide array of systems security problems, with an emphasis on designing practical technologies with real-life impact. He works to make computers and the Internet secure — but occasionally …

Article source: https://www.darkreading.com/vulnerabilities---threats/ramblings-of-a-recovering-academic-on-the-so-called-lack-of-security-talent/a/d-id/1334478?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Regulations, Insider Threat Handicap Healthcare IT Security

Healthcare IoT is expanding opportunities for hackers as the sector struggles to keep up security-wise.

Securing healthcare IT and IoT systems entails balancing legacy technology, regulation, and organizational challenges, and two recent reports show that the industry is falling short in its security efforts.

These issues include the architecture of hospital networks and how they are used: in particular, the lack of segmentation in legacy IT infrastructure is the source of many vulnerabilities within healthcare.

“Data is moving in and out of hospitals very freely and they’re very unsegmented,” says Chris Morales, head of security analytics at Vectra and principal author of the 2019 Spotlight Report on Healthcare. “We have customers who are still using Windows 95. That’s insane … And we’ve been told that, since they’re saving lives 24/7, they never patch. They’re afraid of rebooting the system or messing it up.”

Beyond the legacy systems healthcare organizations are unwilling to patch, there are many medical IoT edge devices, from diagnostic tools to systems that administer medicines, that IT staff are forbidden by regulation to patch, update, or modify — even with tasks considered essential such as installing a security or monitoring agent on the device.

“The first thing is that they [IT security] can’t do endpoint security,” explains Morales. “The regulations are such that they can’t modify a device by installing an agent.”

Endpoint agents, meanwhile, can help with basic tasks for security, says Morales. “You need visibility inside the network to see, not what attackers are doing, but just what’s happening.”

And the unsegmented nature of many healthcare networks means that those unprotected devices are on the same networks as medical records and sensitive patient information.

Compliance

CynergisTek’s recently released 2019 Annual Report, meanwhile, studied progress made by organizations regulated by NIST CSF (The NIST Cybersecurity Framework) and HIPAA rules. The study found that, while progress has been made year-over-year, the average healthcare organization has met less than half of the compliance requirements of NIST CSF.  

Given that healthcare saw roughly 14 million patient records exposed in attacks last year, “It remains clear that as an industry we continue to lag in our ability to address cyber threats or incidents when they occur,” the report said.

Healthcare organizations specifically are only 47% compliant with the NIST CSF, out of 100% possible compliance, the report found. The report found that there are differences in the degree of average compliance based on the size of the organization, with larger organizations (measured by number of beds, revenue, or staff size) complying more completely than smaller organizations.

For example, organizations with less than $50 million annual revenue complied with only 27% of NIST CSF in 2018, while organizations with more than $2 billion in annual revenue complied with 76% of the framework.

Even in those organizations with stronger compliance, that doesn’t mean they are necessarily secure, either, CynergisTek CEO and president Mac McMillan wrote in the report.

In particular, detection capabilities lag behind other core functional areas of NIST CSF. It’s possible that’s because many detection systems look in the wrong direction, focusing on finding external attackers when the greatest threats to healthcare systems come from the institution’s own employees, contractors, and suppliers. “Insiders continue to be at the center of many of the breaches we see in healthcare, from curious workers to malicious criminals,” McMillan wrote.

Vectra’s Morales says that’s one of healthcare’s unique set of challenges. “Healthcare is the one industry that doesn’t have to worry about the attacker on the outside as much as the attacker on the inside,” he says. “They have a much bigger problem with human error than with an outside attacker.”

The combination of challenges faced by healthcare, and the difficulties in remediating them, means that healthcare organizations are spending significant money on efforts to become more secure. According to a report by Allied Market Research, the global healthcare cyber security market generated $5.21 billion in 2017, and is expected to reach $12.46 billion by 2023, growing at a CAGR of 15.6% from 2017 to 2023.

Fortunately for healthcare organizations, dramatic attacks such as ransomware have decreased in frequency in the last 18 months, according to Morales. That’s largely because hospitals and healthcare organizations refused to pay ransom.

He says he’s more worried about privacy, however, than disruption in healthcare. “Hospitals are really good at saving lives. The question is, if I go to the hospital, will everyone know about it?” he asks.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/vulnerabilities---threats/regulations-insider-threat-handicap-healthcare-it-security/d/d-id/1334528?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Sensitive Data Lingers on Used Storage Drives Sold Online

Four in 10 used hard drives sold on eBay found to contain sensitive information.

A startling number of used hard drives sold on eBay expose sensitive information from their previous owners, a new study shows. The information disclosed by these drives includes everything from scanned passports and information from workers with a high level of government clearance to detailed logistics records and internal memos from private companies.

The study, conducted by data erasure company Blancco Technology Group and data recovery company Ontrack, examined some 159 drives sold on eBay’s secondary markets in the US, UK, Germany, and Finland. Researchers purchased used hard drives from leading brands including Samsung, Dell, Seagate, HP, and Hitachi at random. As part of the study, they asked the sellers whether they had performed proper data sanitization to ensure no data was left behind. Though every seller said they had erased everything, the results told a different story.

“This demonstrates that sellers are attempting to permanently wipe data and see the importance of this process,” the report explained. “However, many are failing to use a fully effective solution.”

Using its proprietary data recovery tools, Ontrack was able to recover sensitive information from 42% of the drives. More than 15% of them contained personally identifiable information, including Microsoft Word and Excel files, photos, personal documents, and email files.

The report explained that, for the most part, these sellers erased data by formatting the drive, often passing up on a full format in favor of a quick format, which only overwrites the drive’s index but leaves everything else in place. In both cases, quick and full, the formatting process will overwrite data with zeros to remove data, but there’s no way to verify that the data is truly gone after formatting. That means data can linger undetected. 
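The verification step the report says formatting does not give you can be done by hand: read the drive (or an image of it) sequentially and report whether any block still holds non-zero bytes. This is an added example, not code from the Dark Reading article or the Blancco/Ontrack study; the block size, image sizes and the sample images it builds are constructed for illustration.

```python
import os
import tempfile

BLOCK = 4096  # constructed: inspect the device in 4 KiB blocks


def scan_zeroed(path, block=BLOCK):
    """Read an image or block device front to back and count the blocks
    that are not entirely zero bytes.
    Returns (total_blocks, nonzero_blocks, first_nonzero_offset_or_None)."""
    total = nonzero = 0
    first = None
    with open(path, "rb") as f:
        while True:
            chunk = f.read(block)
            if not chunk:
                break
            if chunk.strip(b"\x00"):      # anything left after stripping NULs means data survived
                if first is None:
                    first = total * block  # byte offset of the first surviving block
                nonzero += 1
            total += 1
    return total, nonzero, first


def verdict(total, nonzero):
    """Turn the counts into a one-word result for a wipe report."""
    if total == 0:
        return "empty"
    return "wiped" if nonzero == 0 else "data-present"


def make_sample_image(size_blocks, zero_prefix_blocks, block=BLOCK):
    """Construct a throwaway image: the first zero_prefix_blocks are zeroed, the
    way a quick format clears only the filesystem index, and the remainder is
    filled with recognisable (constructed) content."""
    fd, path = tempfile.mkstemp(suffix=".img")
    remaining = (size_blocks - zero_prefix_blocks) * block
    with os.fdopen(fd, "wb") as f:
        f.write(bytes(zero_prefix_blocks * block))
        f.write(b"CONFIDENTIAL MEMO " * (remaining // 18))
    return path


def demo():
    """Scan two constructed images, one quick-format-like and one fully zeroed,
    and return {name: (total, nonzero, first_offset, verdict)}."""
    results = {}
    for name, zero_prefix in (("quick-format-like", 2), ("fully-wiped", 8)):
        path = make_sample_image(8, zero_prefix)
        try:
            total, nonzero, first = scan_zeroed(path)
        finally:
            os.remove(path)
        results[name] = (total, nonzero, first, verdict(total, nonzero))
    return results
```

Running `scan_zeroed` against a real device after a wipe (for example `/dev/sdX` on Linux, read as root) gives the check the sellers in the study lacked: a "data-present" verdict with a non-zero offset means the wipe did not reach the whole drive.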

The results from this study were actually encouraging compared with another study: Rapid7 senior security consultant John Frantz bought a variety of devices from regional refurbishing and donation businesses in the Wisconsin area to see how much data was left behind. He found a scant 3% of drives were properly wiped.

The wide range of proper erasure rates shows how inconsistent practices are in the data erasure business. For enterprises, the disposal or recycling of old equipment can be a massive problem of scale. In many cases, enterprises outsource the disposal and recycling of their equipment to refurbishing or reseller outfits. The lesson here is buyer beware: These sellers may be using only rudimentary wiping practices or may not attempt to erase data at all.

“When donating or selling your technology, you should be sure to wipe it yourself rather than relying on the seller to do it for you,” Frantz wrote in a March blog post.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/risk/sensitive-data-lingers-on-used-storage-drives-sold-online/d/d-id/1334534?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Teen sues Apple for $1 billion over Apple stores’ facial recognition

In March 2018, 18-year-old high schooler Ousmane Bah got a learner’s permit to drive in the city of New York. Then, he lost it.

No biggie, right? It had his name, address, date of birth, sex, height, and eye color, but it didn’t have his photo. These things are just printed receipts, issued as interim permits until an official permit arrives in the mail.

As far as identity theft goes, Bah didn’t worry about it. The license said on its face that it wasn’t meant to serve for identification purposes. He’d get an actual permit in the mail shortly, so he didn’t file a police report.

Unfortunately, there was more for Bah to worry about than he realized. He got a summons to appear in Boston municipal court. He had been accused of larceny over $1,200 for allegedly ripping off multiple Apple Pencils, each of which retails for $99, from an Apple store in Boston.

Bah says he had never been to Boston before the 27 June arraignment. What’s more, on the date of the alleged theft, he had been at his senior prom in Manhattan. Those wouldn’t be the only criminal charges he’d face, either.

According to a lawsuit Bah filed on Monday in the US District Court for the Southern District of New York, he’s been charged with similar crimes in multiple jurisdictions, including Delaware, Massachusetts, New Jersey and New York, all for allegedly ripping off Apple stores. Three of the cases have been dropped, the suit said, but the one in New Jersey is still pending.

Bah is suing Apple for $1 billion for what his suit says is Apple’s reliance on facial recognition software to identify a suspect, who, the suit says, must have gotten his hands on Bah’s photo-less interim license. That permit was never supposed to be used as identification, yet Apple allegedly failed to use anything else to verify the true suspect’s identity. From the suit:

The irony here is that Defendant [Apple] relied heavily on one method of identification – facial recognition software – and failed to use a more labor-intensive form of verifying the true suspect’s identity. The latter method is similar in many ways to multi-step authentication; it requires the use of information from various, reliable sources, such as a driver’s license photograph or a government-issued identification card that contains a photograph, to confirm a particular individual’s identity. Given the number of individuals who provide false identification when suspected of committing a crime, it is remarkable that Defendant blindly accepted the photograph-less learner’s permit as a valid form of identification.

Does Apple really use facial recognition to identify shoplifters? As the Washington Post reports, the company declined to comment on the lawsuit itself, but it did say that it does not, in fact, use the technology in its stores.

How in the world did Apple finger Bah for the crime?

According to the lawsuit, Bah, who was arrested at his home in November, was served a warrant that had somebody else’s photo on it. The suit claims that a New York detective who viewed surveillance video from the Manhattan store concluded that the alleged thief “looked nothing like” Bah.

The suspect’s height, in fact, didn’t match what was listed on Bah’s learner’s permit.

Similar to the detective’s conclusion, the Boston district attorney, after looking at surveillance footage, dismissed the case against Bah.

Bah’s suit claims that none of these charges should have been made against him. They were brought, the suit says, because Apple allegedly accepted an interim permit without a photo, one that never should have been used for identification purposes, as a valid form of identification.

Bah has been forced to travel to multiple states to fight these spurious charges, the suit claims, was subject to a “shocking and traumatic” arrest at his home at 4:00 am, has been shamed and humiliated, and was forced to miss multiple days at school, which has brought down his grades.

Besides the $1 billion, the suit seeks a declaration that Apple “wrongfully and baselessly damaged” Bah’s reputation, and a court order compelling Apple to “address the mistake in the stored data” that links Bah’s identifying information to the company’s facial recognition technology.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/OMAzlv7AqsE/

It’s your what in a box? Here’s a thing to make your bosses think about malware responses

Cyber UK 2019 Ever-exciting Cabinet Office minister David Lidington has put his name to a new infosec response testing tool developed by the NCSC, called (wait for it) Exercise in a Box.

In a speech due to be delivered to the Cyber UK conference in Glasgow later today, Lidington will inform the world: “This new free online tool will be critical in toughening the cyber defences of small businesses, local government, and other public and private sector organisations.”

Exercise in a Box, or so Lidington will say, “provides scenarios based on common cyber threats facing the UK, which organisations can practice in their own time, in a safe environment, as many times as they want”. You can pick from a technical simulation or a tabletop discussion.

“Just like having a fitness tracker, the tool enables players to monitor their progress,” burbled the Cabinet Office in its explanation of the tool.

We do not yet know if it’s available on Xbox or Apple Watch but doubtless readers will want to seek further information for themselves about that.

Gentle mockery aside, the idea is to get organisations large and small thinking about what to do when Something Bad Happens to their IT infrastructure, whether as a result of drive-by ransomware or a targeted attack. Although the version currently available from the NCSC website was developed for SMEs and the emergency services, we are told the general concepts can be applied to most other organisations too.

“By practising your defence and response mechanisms, you can understand how effective they really are and where there are areas for improvement,” said NCSC chief exec Ciaran Martin in a canned quote. “We’re committed to building the UK’s cyber resilience and continuing our work to make the country the hardest possible target for our adversaries.”

As NCSC tech director Ian Levy expressed the underlying problem while talking to the press yesterday about industrial control malware: “There’s kind of a mantra in the cybersecurity community that says [people working on safety critical systems] will never patch because they’re just too scared to ever patch anything. There’s a mantra in the [Operational Technology] world that says cybersecurity are cowboys because they patch instantly. It’s about bringing them together and having that conversation.”

It might not be as exciting as Stuxnet or zero-day vulns (“Why use a zero-day if you can spearphish an admin and log in from the internet?” asked Levy, rhetorically) but getting the less security-aware parts of the UK more savvy about infosec practices can only be a good thing. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/25/exercise_in_a_box/