STE WILLIAMS

USAF Launches ‘Hack the Air Force’

Bug bounty contest expands Defense Department outreach to the global hacker community to find unknown vulnerabilities in DoD networks.

Let the friendly hacking fly: The US Air Force will allow vetted white hat hackers and other computer security specialists to root out vulnerabilities in some of its main public websites.

The new Hack the Air Force contest builds on the Defense Department’s Hack the Pentagon bug bounty effort by opening the contest to security specialists from Australia, Canada, New Zealand, and the United Kingdom, in addition to contestants from the US.

“That’s an important part of this program: the fact that we are extending the program out to some of our close allies,” says Peter Kim, CISO of the US Air Force. “When this opportunity came up, we realized that we needed to do this, we need a wider lens with a fresh set of eyes.” 

Kim announced the Hack the Air Force program this afternoon at the San Francisco headquarters of HackerOne, the bug bounty security firm contracted to run the contest.

Reina Staley, chief of staff for the Defense Digital Service, notes that white-hat hacking and crowdsourced security initiatives are often used by small businesses and large companies to beef up their security. Payouts for Hack the Air Force will be made based on the severity of the exploit discovered, and there will be only one payout per exploit.

Staley notes that the DoD’s Hack the Pentagon initiative, which was launched in April 2016 by the Defense Digital Service, was the federal government’s first bug bounty program. More than 1,400 hackers registered to participate, and DoD paid $75,000 in bounties.

“In the past, we contracted to a security research firm and they found less than 20 unique vulnerabilities,” Staley explains. “For Hack the Pentagon, the 1,400 hackers found 138 unique vulnerabilities, most of them previously unknown.”

Kim says Hack the Air Force is all about being more proactive in finding security flaws and fixing them quickly. “While the money is a draw, we’re also finding that people want to participate in the program for patriotic reasons as well. People want to see the Internet and Armed Forces networks become safer,” he says.

Kim said the Air Force also hopes Hack the Air Force will be a way for the Air Force to find and develop new cybersecurity talent.

“The competition for technical talent in both the public and private sectors is fiercer than it has ever been,” he says. “The Air Force must compete with companies like Facebook and Google for the best and brightest, particularly in the science, technology, engineering, and math fields.” 

HackerOne co-founder and CTO Alex Rice says Hack the Pentagon has helped advance DoD’s vulnerability disclosure and coordination efforts. “One quick lesson learned from Hack the Pentagon was that it pointed out the deficiency of vulnerability disclosure and coordination practices,” Rice says. “It showed us all that there are bugs to be found, and coordinating resolutions with different parties can be difficult if it’s not done every day. As a result, we launched an ongoing vulnerability disclosure program [for DoD] not tied to bounties.” 

Registration for Hack the Air Force kicks off on May 15 on HackerOne’s website, and the contest runs from May 30 to June 23. Military and government employees can participate but are not eligible for compensation.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: http://www.darkreading.com/vulnerabilities---threats/usaf-launches-hack-the-air-force-/d/d-id/1328736?_mc=RSS_DR_EDT

HHS Hits CardioNet with $2.5M HIPAA Settlement Fee

The US Department of Health and Human Services slapped the mobile cardiac monitoring service with a fee after a breach of customer health data.

The US Department of Health and Human Services penalized CardioNet with a $2.5 million settlement fee, after a data breach exposed health data on 3,610 CardioNet clients, according to a resolution agreement reached between the parties this month.

Back in January and February 2012, CardioNet notified HHS of the breaches, the agreement states. The breaches occurred after an unencrypted laptop with clients’ “protected health information” was stolen from a vehicle outside of a CardioNet employee’s home, according to a report in InfoRisk Today.

An arm of HHS launched a federal investigation, which found indications that CardioNet failed to set security procedures in place to prevent, detect, contain, and correct security violations, as well as conduct risk analysis to determine potential vulnerabilities and risks. The company also appeared to have lacked security policies and procedures to move electronic media and hardware in and out of its facilities, such as ensuring media was encrypted, according to the agreement.

Under the agreement, there is no “admission of liability by CardioNet,” and it is “not a concession by HHS that CardioNet is not in violation of the HIPAA Rules and not liable for civil money penalties.”

Read more about CardioNet’s agreement here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/endpoint/hhs-hits-cardionet-with-$25m-hipaa-settlement-fee/d/d-id/1328742?_mc=RSS_DR_EDT

How much are you giving away to fraudsters on Facebook?

How much personal information are you giving fraudsters access to on Facebook? Are you giving them enough information to steal your identity?

Information Age reported recently that an online survey conducted by YouGov in the UK had found that almost 30% of adults with social media accounts “include their full name and date of birth on their profiles” – that’s two of the three key pieces of information a fraudster needs to steal your identity.

The third? Your address, as a recent post by Action Fraud in the UK reveals:

All it takes is your name, date of birth and address for fraudsters to steal your identity and access your bank accounts, take out loans or take out mobile phones in your name.

But deterring fraudsters might not be as simple as just hiding this information in your profile. They can still work out when you were born from the birthday messages posted on your timeline. And even if they don’t know where you live, they could be able to find that out from your name and date of birth. An article in The Telegraph reveals how.

Online directories hold huge quantities of information – from addresses, phone numbers and even a list of your past and present housemates. This can all be pieced together to assume your identity.

Armed with these three key pieces of information, fraudsters can obtain fake identification documents such as replica passports over the internet. The Telegraph article reveals that “a fake British passport costs £550. Those who want an additional bogus driving licence can get both for £720.”

Fake documentation then opens the doors to loans, credit cards, mobile phones and more – all taken out in your name.

So what should you do?

Back in January we shared some tips on securing your social media profile in Social media security is not just for kids – how safe are your profiles?  Robert Schifreen, himself an ex-hacker and the founder of SecuritySmart, shared some great tips in that post, including “It’s OK to lie about birthday and location – just keep a note of what you said in case you ever need to confirm with the network in question.”

We also talked about those links that tie you to other members of your family. They can reveal who your parents, siblings or nieces and nephews are – and that could make your mother’s maiden name easy to work out. How many times have you been asked for that when you need to reset a password?

Too many of us are unwittingly putting ourselves at risk by sharing too much information on social media sites such as Facebook. We should all heed the sound advice shared by John Marsden, head of ID and fraud at Equifax in an article in the Belfast News Letter:

Be social savvy; avoid unnecessarily sharing personal details and risking your identity on platforms that can so easily be exploited. It’s always nice to receive well wishes on your birthday – but is it worth the risk?

If you don’t really know who can access your personal information on Facebook, do something about it today.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/D0_8ghQveeE/

News in brief: celebs’ phone hacking settled; German court raps Facebook; Ashley Madison victims hit again

Your daily round-up of some of the other stories in the news

Celebrities settle phone-hacking cases

Mirror Group Newspapers (MGN), a UK newspaper group, has agreed settlements in the High Court totalling millions of pounds with 44 celebrities whose phones were hacked.

The victims included politicians, including former home secretary Charles Clarke, as well as soap stars Michelle Collins, Steve McFadden and Gillian Taylforth, pop star Sophie Ellis-Bextor (pictured) and former footballer Kevin Keegan, as well as actor Patsy Kensit, whose marriage to former Oasis singer Liam Gallagher was allegedly hit as a result of her voicemails being accessed by MGN reporters.

The publisher apologised to each of the victims in statements read out in court. Payments to the victims are thought to exceed £250,000 in some cases, and Trinity Mirror, MGN’s parent company, has put aside more than £50m to cover the costs of the phone-hacking scandal.

Last year MGN reached settlements with 29 people, and there are “another 50 or so in the pipeline”, the BBC reported.

Facebook told to stop collecting WhatsApp data in Germany

Facebook has been told by a court in Germany that it must stop harvesting WhatsApp users’ personal data without their consent.

The ruling comes after Facebook challenged a ruling by the Hamburg data protection authorities after WhatsApp, which is owned by Facebook, changed its terms in August last year to allow Facebook access to users’ phone numbers. The change was apparently to improve Facebook’s ad targeting and suggest friend connections.

In September, the Hamburg data protection authorities ordered Facebook to stop importing German WhatsApp users’ data, and to destroy any data it had already gathered.

Facebook challenged that decision, resulting in the ruling this week to stop harvesting the data. However, Facebook won on retaining the data it had already collected, and said it intends to appeal the decision.

Ashley Madison victims targeted again

Victims of the 2015 Ashley Madison data theft are once again the targets of blackmailers. Emails are being sent to some of the 37m people whose details were exposed in the hack threatening to include them on a “Cheaters’ Gallery” that the extortionists say they will launch on May 1.

The emails are being sent from a Ukrainian TLD, reported Robin Harris at ZDNet, who shared the contents of the email he received threatening to expose “those who cheat and destroy families”, apparently oblivious to the fact that by posting users’ details, the blackmailers also risk destroying families.

The extortionists are asking for a payment in bitcoin worth about $500 to “opt out”, added Harris. As he points out, however, paying up won’t keep your details safe if they were stolen from Ashley Madison: they were dumped online.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/pc1vEImeP58/

Do you know where your old email addresses are?

Here’s something that isn’t really news because it’s not new, but that nevertheless got us thinking.

UK mobile phone provider EE, now part of the BT Group, started life as an admixture of two former competitors of BT.

In a previous life, EE was known by the long name of “everything everywhere” (thankfully for professional writers everywhere, that orthographic oddity didn’t last), and in a life before that, it was two separate mobile providers, T-Mobile and Orange.

As often happens in mergers, acquisitions and agglomerations of this sort, the new company starts out with a bunch of well-recognised brands and services, only to find them fading out over the years until they’re little used and liable to cause more confusion than comfort amongst customers.

At that point, it makes all sorts of sense to simplify, and to dispense with the old brands and branding entirely.

Of course, ditching an old brand isn’t just about logos and letterheads: it can be about domain names, too, and their close relatives, email addresses.

In fact, EE is now just one month away from officially killing off a whole list of UK email domains, formerly part of Orange Email.

Vanishing forever from the EE canon at the end of May 2017 are all email addresses ending in the following:

    Orange.net
    Orangehome.co.uk
    Wanadoo.co.uk
    Freeserve.co.uk
    Fsbusiness.co.uk
    Fslife.co.uk 
    Fsmail.net
    Fsworld.co.uk
    Fsnet.co.uk

Big deal, you might suppose.

After all, we’re guessing that many if not most users around the world, including in the UK, have already made the move to webmail services such as Outlook.com or Gmail.

But here’s a thought.

Whenever old email addresses get killed off, even ones you think you’re done with altogether, you may nevertheless end up in trouble if you are in the habit of “autoforwarding” your old addresses whenever you switch to a new provider, rather than explicitly shutting those old addresses down.

(You don’t need to shut them down instantly, but you need to make a plan to discontinue them after a while, and then stick to that plan.)

In particular, you could end up in serious trouble if you leave an old email address set up as the password recovery destination for any of your online accounts.

Indeed, you may have forgotten about some of your old email addresses entirely, because the autoforwarder means you’ll still see any occasional emails that come in, without needing to think about how they got to you.

But when the service provider finally pulls the plug on your old account by shutting the entire service down, as EE is about to do here…

…then the autoforwarder gets shut down too, so those password recovery emails will vanish without trace.

What to do?

Don’t forget to review your online account settings regularly.

Make sure that all your password recovery email addresses are set for delivery directly to your current, preferred email address, rather than set indirectly via a mail forwarding service.

It doesn’t matter whether you’re a current EE customer, a former Orange customer, or whatever…

…never let any of your password recovery email settings get stuck up that proverbial creek without a paddle.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/hy3SKLoexsM/

Call Center Fraud Spiked 113% in 2016

Criminals are increasingly spoofing caller ID using VoIP apps including Skype or Google Voice to hide their identity and location, according to a report released today by Pindrop Labs.

Call center fraud is rising at an astronomical rate, as technical weakness becomes one of the three key contributors to its rapid rise, according to the 2017 Call Center Fraud Report released today by Pindrop Labs. 

Based on a review of more than 500 million calls last year, Pindrop found fraud rates soared 113% over the previous year. That has resulted in a fraud rate of 1 in 937 calls in 2016, compared to 1 in 2,000 calls in the previous year. And this problem has morphed from being a responsibility of the call center operations to one of IT security.

“When we first started the company [Pindrop]…, it was a call center operations headache. As the attacks have increased, losses continue to increase, and the phone is being used as part of a multichannel attack, the CISO is becoming more and more involved,” says David Dewey, director of Pindrop Labs.

One of the catalysts for this growth comes from attackers’ enhanced skill in social engineering to coax information, or inadvertent nefarious action, out of call center employees, as well as the discovery of new spoofing and voice distortion technologies to give criminals more options when using the phone, according to the report.

Additionally, as digital methods for pilfering information become harder to crack, fraudsters are moving onto the path of least resistance rather than getting smarter in figuring out workarounds for these digital challenges, Dewey says.

“Reaching a call center and speaking with an agent provides the fraudster with an upper hand. A call center agent’s job is to provide quality customer service and not stop fraud,” he added.

The report identifies three key areas where call centers are particularly weak, one of which is technical.

“Caller ID Spoofing coincided with the advent and popularity of VoIP in the mid-2000s. We are seeing more and more fraudsters discover how easy this is to do and we expect this to continue to grow. Heck, there’s even an Android app out there that will spoof calls for you,” Dewey says.

With the advent of VoIP, users have access to the caller ID field and can set it to whatever they want, Dewey noted. This allows fraudsters, some with minimal technical skills, to spoof their calls. In the case of Skype or Google Voice, the same Caller ID is applied to tens or hundreds of thousands of subscribers, with the recipient having no idea who they are speaking to, Dewey explained.

When it comes to fraudsters who are developing software to reset pins, access accounts, etc., most interactive voice recognition (IVR) systems are available to the public and most go unprotected and unmonitored.

Going forward, Dewey noted new techniques and technologies are being tested by attackers.

“We are starting to see attacks where fraudsters are calling victims to record their voices and then using those recorded voices to pass as the real person,” he said. “On top of that, we are seeing technology that allows fraudsters to generate speech based on a minimal recording and use that to make statements that the person never originally said. Getting the audio of the victims is no longer a problem because so much exists on all of us in our social channels like Facebook Live, on Youtube, etc.”

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: http://www.darkreading.com/endpoint/call-center-fraud-spiked-113--in-2016/d/d-id/1328733?_mc=RSS_DR_EDT

Locky Returns with a New (Borrowed) Distribution Method

A layered defense is a strong security posture for dealing with a threat like Locky, that can come in different disguises.

In our Q1 2017 Tactics and Techniques report, Cerber beat all the competition by a wide margin and achieved the top position as the most distributed ransomware via spam and drive-by downloads.

This happened while Locky mysteriously disappeared, in part because of a slowdown with the Necurs botnet. But just like that, it is back in full swing thanks to the botnet’s wide-scale distribution.

The first samples that came through were malicious PDF files used as a springboard to launch the now all too famous Word macros. Why insert an additional step into the attack chain? It seems threat actors have users just where they want and have mastered the art of social engineering to the point where one or two additional tasks are not a problem. 

Yet, for defenders these little changes can create issues, especially when automating the analysis of spam via sandboxes. Also, was it pure coincidence that the Necurs spam run was launched just before the weekend? 

Necurs is a resilient botnet which has distributed a variety of payloads over the years, from banking Trojans to ransomware. More recently it even did non-malware spam with pump-and-dump scams. Takedowns have only slowed down the botnet operators who can count on their malware to remain buried deep into systems, and avoid detection from major antivirus scanners.

Now that Locky is back, there is no doubt it will slowly climb back up to take the market share that was once its own. At 0.5 BTC ($623) a pop, the crooks are bound to make enough money to reinvest in the distribution channels and keep the wheel moving.

The best protection against ransomware is performing backups on a regular basis so that in times of trouble, you can roll back your systems to a previous clean state and recover your data. However, backups are not always done regularly – if at all – or perhaps without due precautions, for example, leaving a USB storage device plugged in so that it gets infected too.

IT admins will want to watch for various file types coming as attachments and, most importantly, to establish global group policies that disable certain risky features in Office (i.e. macros, OLE objects) to prevent socially engineered users from making bad choices.

Locky – like any other malware – can also be mitigated in different ways, for example by blocking access to its command and control center, or simply based on its encrypting behavior. A layered defense is a strong security posture to deal with a threat that can come in different disguises.

Read the full digest on Malwarebytes Labs here.

Jérôme Segura is a senior security researcher at Malwarebytes Labs where his duties range from studying web exploits to tracking down online scammers. He spent over five years cleaning malware off personal computers using existing tools and writing his own …

Article source: http://www.darkreading.com/partner-perspectives/malwarebytes/locky-returns-with-a-new-(borrowed)-distribution-method/a/d-id/1328723?_mc=RSS_DR_EDT

New Ad Fraud Campaign Uses Millions of Domain Names to Bilk Advertising Networks

NoTrove has established a huge infrastructure to make money through click redirection and scam traffic-brokering.

The digital advertising industry is getting socked with a new ad fraud campaign that’s operating millions of fully qualified domain names (FQDN) and thousands of IPs to steal online ad revenue with shady ads and sham traffic-brokering.

In a report released today by digital threat management firm RiskIQ, researchers dug into the campaign run by a threat actor it calls NoTrove that demonstrates the lengths to which cybercriminals will go to steal from digital advertising networks – and the inherent weaknesses of the online ad ecosystem.

Unlike traditional malicious advertising, NoTrove isn’t dropping malicious files on users’ systems. Instead, it’s making money by fraudulently redirecting clicks and in some cases downloading potentially unwanted programs (PUPs) that perpetuate more scam traffic so that NoTrove perpetrators can broker in sham advertising traffic.

“Traffic is critical to the giant exchanges in the online advertising space and to the very many niche affiliate network programs that exist, with organizations of all kinds tasked with monetizing and, ultimately, squeezing every last fraction of a penny of indirect marginal profit of each URL visited,” the report explains. “To monetize their traffic collecting, scammers like the one outlined in this report may participate in shady traffic affiliate programs or sell traffic to traffic brokers.”

The researcher behind the report says the ubiquity of NoTrove is what sets the threat apart from other scammers and malware distributors taking advantage of vulnerable ad networks.

“NoTrove is literally everywhere,” says William MacArthur, threat researcher for RiskIQ. “We’ve seen NoTrove burn through just under 2,000 domains and over 3,000 IPs. Combined with the 78 variations of campaign-specific middle word variants and randomized hostnames, we’ve seen NoTrove operate across millions of FQDNs.”

Attackers go to extreme lengths like these because of the sheer amount of money at stake in online advertising fraud. According to eMarketer, digital ad spending is expected to hit $83 billion by the end of the year and $129 billion by 2021. It’s a huge target of opportunity for fraudsters and has spawned a dizzying array of fraud campaigns like this one.

For example, last year researchers with ad fraud detection firm WhiteOps reported finding one of the largest ad fraud botnets ever, called MethBot, which it estimated was able to steal $3 million a day from programmatic video ad networks.

“Instead of the more traditional malware botnet structures, which involve attacks on existing IP addresses and piggybacking on residential computers, Methbot operators farm out their operations across a distributed network based on a custom browser engine running out of data centers on IP addresses acquired with forged registration data,” WhiteOps explained in the report.

RiskIQ’s MacArthur explains that NoTrove has been able to grow so large because it operates in a grey area of maliciousness that makes it possible for it to fly under the radar of many technologies that look for malicious advertising. With malvertising scams, the goal is to infect users with some sort of malware that can be used as a beachhead for further attacks against each individual victim. Malwarebytes Labs researchers last week reported a new malvertising campaign called Binary Options that was delivering a Gozi banking Trojan payload through the RIG exploit kit in order to carry out a traditional malware assault against online users.

But with scams like NoTrove, the fraudsters are just trying to manipulate users’ traffic in order to steal from digital advertising networks and publishers.

“This makes it different from normal malvertising as the content actually being delivered is not an injection leading to an exploit kit or a particular binary that people often track, so it’s a lot easier to operate compared to the more common Exploit Kit Threat operation,” MacArthur says. “As a result, scammers are left unchecked and can balloon to outrageous sizes. Unfortunately for ad networks and publishers, the effect of scams and exploit kits can be the same: ad blocking by end users.”

This is a big risk for the advertising industry: according to Jupiter Research, ad blocking will cost it $27 billion by the end of the decade. But MacArthur says that security professionals from any industry can stand to observe NoTrove’s tactics to keep apprised of evolving attack techniques.

“NoTrove is spread so far and wide that blocking one piece of its infrastructure is akin to playing whack-a-mole—no matter how many you hit, another will pop up. If left unchecked, NoTrove and threat actors like it will continue to balloon to even greater size, encompassing more domains, IPs, and other infrastructure,” he says. “Threat actors of all kinds are taking a page from this playbook, accumulating massive swaths of infrastructure to carry out their campaigns and essentially overwhelm traditional security controls.”

He recommends using machine learning and automation to identify subtle variances in payloads, and automatically blocking such nefarious infrastructure.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/attacks-breaches/new-ad-fraud-campaign-uses-millions-of-domain-names-to-bilk-advertising-networks/d/d-id/1328734?_mc=RSS_DR_EDT

6 Steps to Find Your Next Dozen Cloud Security Experts

There’s stiff competition for cloud security experts, but finding yours may actually be easier than you think.

Image Source: Robert Half 2016

With roughly 1 million-plus IT security jobs out there in the market, approximately 5% of them are cloud security positions, estimates Eddie Borrero, chief information security officer and enterprise information security and head of global customer support for recruiting firm Robert Half International.

And hiring for these cloud security positions is tough, especially when you consider the steep shortage of cybersecurity workers overall, Borrero notes. For example, cybersecurity training organization ISC2 forecasts a global shortfall of 1.8 million cybersecurity professionals by 2022.

“Traditional security needs to do an uptick in skills, as companies move their data and technologies to the cloud,” he says.

In a 2016 Robert Half survey of UK CIOs, 51% of respondents listed cloud security as the No. 1 technical security skill that is in the most demand, yet 32% of survey respondents noted it was the most challenging to fill.

But as CISOs and hiring managers feel the pressure to find what they believe to be a need for a team of cloud security experts, Borrero offers a different perspective to address the problem and potentially create an easier workaround. Here are six actions he recommends.

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: http://www.darkreading.com/6-steps-to-find-your-next-dozen-cloud-security-experts/d/d-id/1328727?_mc=RSS_DR_EDT

What Role Should ISPs Play in Cybersecurity?

There are many actions ISPs could do to make browsing the Web safer, but one thing stands out.

For well over a decade, the security industry has debated what role Internet service providers (ISPs) should take in cybersecurity. Should they proactively protect their customers with upstream security controls and filters (e.g., intrusion prevention systems, IP/URL blacklists, malware detection, etc.), or are customers responsible for their own security?

ISPs can have a much wider impact on the overall state of security because of their advantageous position in the network (that is, acting as our doorway to the Internet). Still, there are good arguments against ISPs taking too much of a security role — many of which I agree with. Ultimately, I believe there is one thing ISPs must do to improve everyone’s security, but before we get into that, let me start with the arguments against ISPs taking too strong of a role.

1. Badly managed security controls can disrupt business or legitimate activities. If you’ve ever used an intrusion detection or prevention solution, you know they occasionally have false positives. These false positives can block legitimate traffic from paying customers. Although a normal business can manage these, doing so for thousands if not tens of thousands of customers would be a logistic nightmare.

2. Some security can invade privacy. Many security controls not only monitor where you go on the Internet but also deeply analyze the content of your traffic and log all activity for later forensic analysis. This opens up the possibility of ISPs using this data for other reasons (although technically, they could be doing this anyway). Still, giving ISPs access to more information about people’s Web browsing worries Internet privacy supporters.

3. Certain security comes off as censorship. What’s the difference between an inappropriate site and a dangerous site? Sometimes that’s a gray area. Sometimes a website you want to visit may have had a malicious ad on it in the past and been blacklisted. Would you accept ISPs blocking it? Many kinds of ISP controls would feel like censorship because they take away freedom of choice.

4. ISPs can’t take liability for your mistakes. Simply put, we can’t hold ISPs liable for our security because they can’t control their customers. Even if an organization has the best security controls in the world, its people can still do dumb things that get them infected. For ISPs to get involved in security at all, we have to allow them to do so without liability for all our security issues.

5. Where does ISP security stop? Should ISPs just monitor our traffic for known bad stuff? Should they firewall us? Should they enable intrusion prevention to block exploits? Should they filter bad sites? Should they scan our networks for vulnerabilities and block devices that haven’t been patched? Setting up regulations to keep ISPs from going too far down this slippery slope would be another serious logistical challenge.


As far as preventative security controls go, I think ISPs can offer optional security services, but ultimately should leave it to their customers to decide whether to protect themselves or not. However, there is one thing all ISPs should do to protect everyone today: block IP address spoofing.

IP address spoofing is a very old and simple attack in which a malicious computer sends a network packet with a false source IP address. IP spoofing offers limited value in normal attacks, because when you send packets claiming to be from another computer, that other computer gets the replies, not you. However, IP spoofing does play a big role in one type of attack: distributed denial-of-service (DDoS) attacks. A reflective DDoS attack sends queries to particular services while pretending to be the IP address of its victim. Those services send their large replies to the victim’s address, overwhelming it with traffic.

By definition, ISPs have full knowledge of the public IP addresses we all receive, and know which ones belong on their networks. With this information, IP spoofing is dead simple to detect and block.

In fact, for decades there have been common Internet standards and Best Current Practices that detail exactly how network providers can prevent IP address spoofing by configuring routing devices to validate source addresses and block spoofed traffic. Some examples include RFC 2827, BCP 38, and the updated BCP 84. Most network gear, from routers to security appliances, offers simple features and filters to do just that. If all ISPs followed these long-held best practices, they could greatly lessen certain types of DDoS attacks without adversely affecting their customers’ networks.
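To make the source-address validation described above concrete, here is an added example (not code from the article, from any RFC, or from any router vendor) that models the check an ISP edge router performs under BCP 38, with the BCP 84 "loose" variant beside it. The interface names, customer prefixes and sample packets are constructed; the second sample packet is the reflection pattern the article describes, where a customer host sends a query carrying the victim's address as its source.

```python
"""BCP 38 / RFC 2827 style source-address validation, simulated in Python.

Added example: a toy model of the ingress check an ISP edge router performs,
not the article's or any vendor's code. Interface names, prefixes and packets
are constructed sample data."""
import ipaddress
from dataclasses import dataclass

# Constructed ISP edge: each customer-facing interface and the prefixes the ISP
# has assigned to that customer. Any other source arriving on that interface is
# spoofed (or misconfigured) and must not be forwarded.
CUSTOMER_PREFIXES = {
    "cust-1": ["203.0.113.0/24"],
    "cust-2": ["198.51.100.0/25", "2001:db8:100::/48"],
}


@dataclass(frozen=True)
class Packet:
    ingress_if: str
    src: str
    dst: str


def build_filters(table):
    """Parse the prefix table once into ipaddress network objects."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in table.items()}


def source_permitted(filters, pkt, mode="strict"):
    """Decide whether pkt's source address is valid for the interface it arrived on.

    strict (BCP 38): the source must lie in a prefix assigned to that interface.
    loose  (BCP 84 uRPF loose mode): the source must be assigned to *some* customer
           interface; it stops bogus sources but not one customer impersonating another.
    Unknown interfaces fail closed in strict mode.
    """
    src = ipaddress.ip_address(pkt.src)
    if mode == "strict":
        nets = filters.get(pkt.ingress_if, [])
    elif mode == "loose":
        nets = [n for group in filters.values() for n in group]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return any(n.version == src.version and src in n for n in nets)


def apply_filter(filters, packets, mode="strict"):
    """Return {packet: verdict} where verdict is 'forward' or 'drop'."""
    return {p: ("forward" if source_permitted(filters, p, mode) else "drop")
            for p in packets}


# Constructed traffic sample. The second packet is the reflection pattern from the
# article: a customer host sends a DNS query with the *victim's* address
# (192.0.2.10, outside this ISP) as source, so the resolver's large reply hits the victim.
SAMPLE_PACKETS = [
    Packet("cust-1", "203.0.113.7", "198.51.100.53"),        # genuine customer source
    Packet("cust-1", "192.0.2.10", "198.51.100.53"),         # spoofed: victim's address
    Packet("cust-1", "198.51.100.9", "192.0.2.200"),         # spoofed: another customer's address
    Packet("cust-2", "2001:db8:100::1", "2001:db8:ffff::1"),  # genuine IPv6 source
    Packet("unknown-if", "203.0.113.7", "192.0.2.200"),      # interface not in the table
]


def verdicts(mode="strict"):
    """Run the sample through the filter; returns verdicts in SAMPLE_PACKETS order."""
    filters = build_filters(CUSTOMER_PREFIXES)
    result = apply_filter(filters, SAMPLE_PACKETS, mode)
    return [result[p] for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(f"--- {mode} ---")
        for p, v in zip(SAMPLE_PACKETS, verdicts(mode)):
            print(f"{v:8} {p.ingress_if:10} src={p.src:18} dst={p.dst}")
```

Strict mode drops both spoofed packets and the packet from the unregistered interface; loose mode still drops the victim-sourced packet (the address is not assigned anywhere on this ISP) but lets the packet impersonating another customer through, which is why BCP 84 presents loose mode as a fallback for multihomed edges rather than a replacement for strict filtering.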

The good news is that many ISPs already do this. According to the Center for Applied Internet Data Analysis (CAIDA), around 70% of IP space is unspoofable, meaning many ISPs must be doing some filtering. The problem is that if even a few ISPs continue to allow spoofing, attackers can leverage those stragglers against others. If there is one thing we need to demand of all our ISPs, it’s to implement this one well-known common best practice.

So, while I don’t believe that ISPs should get too involved in security for the reasons listed above, IP spoofing is a network operator problem that could be easily fixed if the industry required all ISPs to follow best practices. Let’s make BCP 38 and 84 mandatory. 


Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, …

Article source: http://www.darkreading.com/endpoint/what-role-should-isps-play-in-cybersecurity/a/d-id/1328716?_mc=RSS_DR_EDT