STE WILLIAMS

Scumbag who phoned in a Call of Duty ‘swatting’ that ended in death pleads guilty to dozens of criminal charges

One of three people charged over the December 2017 “swatting” death of 28-year-old Andrew Finch in the US has pleaded guilty.

Tyler Barriss, 25, was indicted in May for making a bogus 911 call to police in Wichita, Kansas, urging officers to send out a SWAT team. As a result, on December 28, the cops showed up outside Finch’s home, and shot and killed him.

The root cause of the dispute? A couple of $1.50 bets on an online game of Call of Duty World War II, which apparently started an argument between two other people charged in the case: Casey Viner and Shane Gaskill.

It is claimed during the pair’s blowup Viner threatened to call 911 and get a SWAT team sent out to bust Gaskill, who dared Viner to go through with it. Gaskill then gave Viner an address he no longer lived at, it is alleged.

Finch had the bad fortune to occupy Gaskill’s old address with his family – and had nothing to do with the CoD WWII bet that cost him his life.

Viner talked Barriss into placing the call to police and stating the address given by Gaskill, it is alleged. While pretending to be Gaskill, Barriss told the 911 dispatcher that he had shot his own father, and was holding his mother and brother hostage, too.

When police surrounded Finch’s home, he didn’t know about the swatting call, and hadn’t done anything wrong – so he went outside to find out why officers were swarming the place. He was shot and killed when he unexpectedly dropped his hands after being told to put them up, according to the cops.

Announcing the guilty plea on Tuesday this week, US attorney Stephen McAllister said the crime could send Barriss to jail for 20 years. Specifically, Barriss, of Los Angeles, California, admitted making a false report resulting in Finch’s death, plus cyberstalking, and conspiracy.

McAllister said: “Without ever stepping foot in Wichita, the defendant created a chaotic situation that quickly turned from dangerous to deadly. His reasons were trivial and his disregard for the safety of other people was staggering.”

As well as ‘fessing up in the Wichita case, Barriss entered guilty pleas to a staggering 46 counts brought by the Middle District of California, over false bomb threats all over the USA, and in the District of Columbia for making false bomb threats against the FBI and the FCC.

Barriss will be sentenced on January 30, 2019, while Viner, 18, of Ohio, and Gaskill, 20, of Kansas, are still awaiting trial after denying any wrongdoing. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/14/call_of_duty_swatting_tyler_barriss/

It’s November 2018, and Microsoft’s super-secure Edge browser can be pwned eight different ways by a web page

Microsoft and Adobe have delivered the November edition of Patch Tuesday with another sizable bundle of security fixes to install as soon as you’re able to.

The trick is to test and deploy the fixes before exploits are developed to leverage the vulnerabilities.

BitLocker bugs and TFTP troubles for Redmond

This month, Microsoft has kicked out fixes for 62 CVE-listed vulnerabilities for both its workstation and server editions of Windows as well as Office, Edge and Internet Explorer.

Among the 62 bugs are eight for the Chakra scripting engine in the Edge browser. Each of these is a remote code execution flaw that, if exploited by a malicious web page, would allow the attacker to run malware and perform actions on the infiltrated machine with the permission level of the logged-in user. All are listed as ‘critical’ risks.

Also earning the critical label was CVE-2018-8476, a remote code execution flaw in Trivial File Transfer Protocol (TFTP). Jimmy Graham, director of product management at security firm Qualys, says admins who remotely install and manage Windows boxes over a network will want to pay close attention to that fix.

“Microsoft’s Windows Deployment Services (WDS) uses TFTP to support image deployment via PXE booting,” Graham explained.

“The patch for CVE-2018-8476 should be prioritized if WDS is used in your environment.”

Remote code bugs were also patched in the Microsoft Graphics Component (CVE-2018-8553), Dynamics 365 (CVE-2018-8609), and Windows VBScript Engine (CVE-2018-8584).

Admins will also want to be sure they patch the publicly disclosed bugs from CVE-2018-8584 (a publicly disclosed privilege escalation flaw in Windows ALPC), CVE-2018-8566 (encryption bypass in BitLocker), and CVE-2018-8589 (a Win32k elevation of privilege bug already being targeted in the wild).

Elsewhere, Microsoft patched two remote code execution flaws in Word (CVE-2018-8539, CVE-2018-8573), four cross-site scripting flaws in Dynamics 365 (CVE-2018-8605, CVE-2018-8606, CVE-2018-8607, CVE-2018-8608), a denial of service bug in Skype for Business (CVE-2018-8546), and two PowerShell bugs that could allow remote code execution (CVE-2018-8256, CVE-2018-8415).

Adobe posts a trio of updates

Adobe marked Patch Tuesday by releasing fixes for three of its most popular products.

For Flash Player, the update will address CVE-2018-15978, an out-of-bounds read flaw that would potentially allow an attacker to see sensitive data.

For Acrobat and Reader, November’s patch clears up CVE-2018-15978, an information disclosure flaw that would allow attackers to lift NTLM single sign-on password hashes. Proof-of-concept code has been posted for the flaw, but no attacks have been reported in the wild yet.

Finally, for Photoshop CC an update will clear up CVE-2018-15980, an out of bounds read flaw that would potentially allow information disclosure. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/14/patch_tuesday_november/

Call of Duty swatting killer pleads guilty to 47 criminal charges

One of three people charged over the December 2017 “swatting” death of 28-year-old Andrew Finch has entered a guilty plea.

Tyler Barriss was indicted in May, along with Casey Viner and Shane Gaskill, over a prank call to Wichita, Kansas police. As a result, on December 28, the cops shot and killed Finch outside his home.

The cause of the dispute? A couple of $1.50 bets on an online game of Call of Duty World War II, which started an argument between Viner and Gaskill. Viner threatened to swat Gaskill, who dared him to go through with it, but gave an address he no longer lived at.

Finch had the bad fortune to occupy that address with his family – and had nothing to do with the CoD WWII bet that cost him his life.

Viner then talked Barriss into placing the call to police, and as we reported in May, Barriss claimed he had shot his father and was holding his mother and brother hostage.

When police surrounded Finch’s home, he didn’t know about the swatting call, and hadn’t done anything wrong – so he went outside to find out why officers were there. He was shot and killed when he unexpectedly dropped his hands after being told to put them up.

Announcing the guilty plea, US attorney Stephen McAllister said the crime could send Barriss to jail for 20 years.

McAllister said: “Without ever stepping foot in Wichita, the defendant created a chaotic situation that quickly turned from dangerous to deadly. His reasons were trivial and his disregard for the safety of other people was staggering.”

As well as the Wichita case (which accounted for three of the counts he was charged with), Barriss entered guilty pleas to a staggering 46 counts brought by the Middle District of California, over false bomb threats all over the USA, and in the District of Columbia for making false bomb threats against the FBI and the FCC.

Barriss will be sentenced on January 30, 2018, while Viner and Gaskill are still awaiting trial. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/14/call_of_duty_swatting/

Russia: We did not hack the US Democrats. But if we did, we’re immune from prosecution (lmao)

The Russian government has denied having anything to do with hacking the US Democratic party in 2016, although in a court filing this week stressed that even if it did break into the DNC’s servers, it is immune from prosecution.

And furthermore, the Kremlin claimed, America is “one of the most prolific practitioners of cyberattacks and cyber-intrusions on the planet.” So, nerr!

“The [Foreign Sovereign Immunities Act] FSIA provides that foreign sovereign states enjoy absolute jurisdictional immunity from suit unless a plaintiff can demonstrate that one of the FSIA’s enumerated ‘exceptions’ applies,” argued [PDF] the Russian government this week in a New York court in response to a lawsuit from the DNC.

The DNC claims that it was subject to a “military attack” by Kremlin intelligence, prompting Russia to argue back that any act of its military is a sovereign action, and that it therefore cannot be sued for it.

It’s an amazing defense, though one the DNC foresaw. It argued in its initial court paperwork [PDF] that “Russia is not entitled to sovereign immunity because the DNC’s claims arise out of Russia’s trespass onto the DNC’s private servers – a tortious act committed in the United States.

“In addition, Russia committed the trespass in order to steal trade secrets and commit economic espionage, two forms of commercial activity undertaken in and directly affecting the United States.”

Of course this being 2018 and Russia, the Putin administration can’t leave it at that, and takes the opportunity to troll the US government by pointing out that the immunity provision is also heavily relied upon by Uncle Sam and its officials abroad.

“The United States benefits significantly from the sovereign immunity that it enjoys (and US officials enjoy) in foreign courts around the world with respect to the United States’ frequent acts of cyber intrusion and political interference,” Russia’s response reads. “As current and former US officials have acknowledged on many occasions, the United States – acting primarily through the National Security Agency (NSA) with the US Department of Defense – is one of the most prolific practitioners of cyberattacks and cyber-intrusions on the planet.”

Besides the point?

And Vlad’s lads are not done with the trolling yet. Seemingly in response to the DNC lawsuit, which paints the hack as a conspiracy between the Trump campaign, Wikileaks, and the Russian government, their response thumbs its nose at the DNC for losing the election.

“These are State-to-State matters,” it says. “The US Executive and US Congress are the proper actors to address this ‘political question’… Significantly, neither the Executive nor the US Congress has taken any steps to involve the Judicial Branch in their response. The US Congress has also resisted naive calls over the past decade to create a ‘cyberattack’ exception to the FSIA.”

The Russians are not the only trolls in this lawsuit. For some reason, US citizen David Andrew Christenson has taken it on himself to file numerous letters [PDF] to the court over this case, complaining about the DNC, in particular its decision to champion Hillary Clinton rather than Bernie Sanders as its presidential candidate.

Christenson, who hails from – you guessed it – Florida, was informed repeatedly by the judge that he had nothing to do with the case, and should take his issues up elsewhere. But after more than 30 letters, and after he ignored two explicit orders from the judge to stop, the judge finally cut him off [PDF] and said the court wouldn’t entertain any more of his conspiratorial ramblings.

The hack of the DNC’s mail server became a major headache for Democrats during the hotly contested presidential election in 2016, with confidential emails leaked to Wikileaks and used to undermine and embarrass Clinton and her advisers.

An investigation into the cyber-intrusion, which dates back to 2015, revealed that the Kremlin was behind it, and by October 2016 the US government was formally accusing the Russians.

Conspiracy theories

That was followed in July 2018 by a formal indictment against 12 Russian spies who the US Department of Justice named and said worked for Russia’s GRU military intelligence agency. They were charged with conspiracy, money laundering, and identity theft.

Two months before that indictment, however, the DNC sued the Russian government in New York – and pulled in a number of members of the Trump campaign, including Donald Trump himself, campaign managers Paul Manafort and Roger Stone, Trump’s son-in-law Jared Kushner, as well as Wikileaks, and its founder Julian Assange.

It alleges a conspiracy between the Trump campaign, Wikileaks and the Russian government – something that continues to be investigated by special prosecutor Robert Mueller. Mueller is expected to hand down more indictments in the coming weeks. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/13/russia_immune_dnc_hack/

2018 on Track to Be One of the Worst Ever for Data Breaches

A total of 3,676 breaches involving over 3.6 billion records were reported in the first nine months of this year alone.

It has been another brutal year for organizations, according to a new report summarizing data breach activity in the first nine months of 2018.

On the one hand, the number of reported data breaches this year between Jan. 1 and Sept. 30 was down 8% compared with the same point last year. In addition, the number of exposed records for the first nine months of this year was lower by a substantial 49%. Yet at the same time, the numbers still translated to 3,676 breaches and a staggering 3.6 billion records compromised.

That puts 2018 on track for having the second-most number of reported breaches in a year and the third-highest number of records exposed overall since 2005, according to Risk Based Security, which analyzed data pertaining to breaches gathered from public sources, through automated and proprietary processes, and other means.

Seven of the breaches this year exposed 100 million or more records, and the 10 largest accounted for more than eight in 10 of all records compromised. Among those suffering major data breaches this year were Facebook, Under Armour, Ticketfly, and Hudson’s Bay Company.

That there were fewer data breaches and records compromised in the first nine months of 2018 compared with the same period last year could be because attackers were more engaged in crypto-currency mining activities in the early part of this year. There were also no catastrophic events like the WannaCry and Petya/NotPetya outbreaks of 2017, at least through the end of September. But that does not mean the threat has become any smaller.

“Breaches are not going away; the problem is not getting better,” says Inga Goddijn, executive vice president of Risk Based Security. “There is still money to be made by stealing sensitive and confidential data.”

Despite mounting regulatory pressures, this year saw little improvement in the interval between when organizations first discover a breach and when they publicly disclose the event. In 2017, organizations took an average 47 days to publicly disclose an event; this year the number stood at 47.5 days.

For all the investments that organizations are making in breach detection and response, most discover a breach only after being informed of it by an external party. Just 483 — or 13% — of the 3,676 publicly reported data breaches were discovered internally, according to Risk Based Security. In well over half the reported breaches — 2,171 — the breached entity did not know about the intrusion until being informed by a third party.

“The vast majority of breaches are still uncovered by external sources, such as law enforcement or banks detecting fraudulent activity, then alerting the organization they may have an issue,” Goddijn says. “Until we get better at finding breaches in-house, I’m skeptical we’ll see much improvement [in breach reporting].”

As has been the case for several years, insiders posed the biggest threat to data. Fraud — a term that Risk Based Security uses to describe any sort of malicious insider activity or non-technical method of illegally accessing data — accounted for nearly 36% of the records compromised.

In fact, some of the most damaging incidents this year resulted from insiders selling access to databases containing sensitive data, Goddijn says. More than 30 of 51 data breaches involving intellectual property in the first nine months of 2018 stemmed from inside the organization. In addition to malicious activity, many organizations suffered data compromises because of employees and others with insider access mishandling assets.

Email addresses, passwords, names, and addresses were the most commonly exposed data types. But 18% of the breaches exposed Social Security numbers, 15% involved credit card data, and 11% compromised birth dates.

While insiders were responsible for the largest number of records compromised, hacking by external parties continued to be the primary cause of security incidents at most organizations.

“Typically, hacking is financially motivated, whether it be to steal data that can later be monetized or leverage system access for some other operation that ultimately generates income for the actor,” Goddijn says. But there were other causes for external hacking as well, including political motivations and curiosity, she adds.

Somewhat surprisingly given current regulatory pressures, about 35% of organizations that suffered a breach this year did not or were not able to disclose the number of records impacted in the incident.

Ironically enough, many of these breaches were less significant than the refusal to disclose details might suggest, Goddijn says. More than 48% of all breaches, in fact, exposed between one and 1,000 records. “We’ve become so accustomed to seeing headline-busting breaches — with hundreds of thousands or even millions of records lost — that when the number is ‘undisclosed,’ people have a tendency to assume the worst,” she notes.

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/2018-on-track-to-be-one-of-the-worst-ever-for-data-breaches/d/d-id/1333252?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Sharpen Your Malware-Fighting Skills at Black Hat Europe

Don’t miss out on the Black Hat Briefings, Trainings, and Arsenal tools that will equip you with the knowledge and skills you need to deal with today’s top malware.

With weeks to go until Black Hat Europe returns to London December 3, organizers want to ensure you don’t overlook the wide array of opportunities on offer to improve your malware-fighting know-how.

In Silent Break Security’s Dark Side Ops: Malware Dev Training you’ll spend two days learning about the goals, challenges, architecture, and operations of advanced persistent threat (APT) tooling. Participants will dive deep into source code to gain a strong understanding of execution vectors, payload generation, automation, staging, command and control, and exfiltration. In addition, participants will gain hands-on experience with techniques currently used by hackers to bypass NIDS and HIPS systems, layer 7 web proxies, next-gen antivirus, and DLP solutions!

For more hands-on experience check out Advanced Malware Traffic Analysis: Adversarial Thinking, a two-day intensive Training intended to give you the experience and methodology to recognize malicious connections, distinguish normal from malicious behaviors, recognize anomalous patterns, and deal with large amounts of traffic.

Also, the Internet Institute of Japan (IIJ) will share some malware-thwarting techniques in the Deep Impact: Recognizing Unknown Malicious Activities from Zero Knowledge Briefing. In just under an hour this Briefing will show you how to detect malicious activities via techniques like pattern-matching, blacklists, behavioral analysis, and event correlation when your resources are limited and your attackers are unknown. You’ll see how to detect unknown malicious activities from the typical logs of devices that are not dedicated to attack detection, such as proxies and firewalls.

Red Teaming in the EDR Age will demonstrate how well-meaning Red Team pentesters can effectively thwart sophisticated Endpoint Detection and Response (EDR) solutions adopted by modern enterprises. These EDR solutions can be extremely effective at detecting bad stuff quickly, so this Briefing will also show you how to leverage the inherent challenges faced by EDR vendors to remain hidden as well as how to misdirect the teams of hunters out to get you. Example techniques include new ways of hiding in-memory, attacking least-frequency analysis, and how to keep hunters guessing. Finally, if you absolutely can’t avoid being caught, this Briefing will suggest a whole range of deception techniques specifically targeted at flooding and crippling EDRs to overload hunters with alerts.

The Black Hat Europe Arsenal demo of SNDBOX: The Artificial Intelligence Malware Research Platform, which purports to be the world’s first Artificial Intelligence (AI) malware research platform designed to scale up research time is another must-attend Black Hat session. Developed by researchers for researchers, SNDBOX utilizes multiple AI detection vectors which work alongside a “Big Data” malware similarity engine to reduce false positive classification errors. The benefit is that, with full access to SNDBOX data, all levels of your team can leverage information necessary for complete malware remediation and new research possibilities, while sharing insights and public samples through its community platform.

If you’re more interested in studying offensive malware, consider stopping by the CoffeeShot: Memory Injection to Avoid Detection Arsenal demo. CoffeeShot is an evasion framework designed for creating Java-based malware which bypasses most of the anti-virus vendors. If you’re looking to test the effectiveness of security measures against Java malware this demo is a big deal, since Java malware like “Jrat” and “Adwind” are used by malicious adversaries who write malware in Java to be evasive and avoid security products – including those that use advanced features like machine learning.

Black Hat Europe returns to ExCeL London December 3-6, 2018. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/sharpen-your-malware-fighting-skills-at-black-hat-europe/d/d-id/1333258?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google Traffic Temporarily Rerouted via Russia, China

The incident, which Google reports is now resolved, could be the result of either technical mistakes or malicious activity.

Google users experienced connectivity issues yesterday when online traffic destined for Google services was rerouted through networks in Russia, China, and Nigeria. While the incident has since been resolved, Google has launched an investigation to determine its cause.

On Nov. 12, between 1:00PM and 2:23PM PST, analysts at Internet research company ThousandEyes had problems connecting with G Suite. Closer inspection revealed everyone at ThousandEyes’ office was having the same issue, which also extended to Google Search and Google Analytics.

Traffic intended for Google, it seemed, was getting dropped at China Telecom. Several ThousandEyes vantage points around the world showed similarly strange traffic patterns, all culminating at China Telecom, writes Ameet Naik, technical marketing manager, in a blog post.

In addition to China Telecom, researchers noticed traffic being rerouted to TransTelecom, a Russian network provider, and MainOne, a small ISP based in Nigeria. Most of the traffic was being directed to China, ThousandEyes reports. Its surveillance shows the origin of this leak was the BGP peering relationship between MainOne and China Telecom, says Naik.

“This incident at a minimum caused a massive denial of service to G Suite and Google Search,” Naik explains. “However, this also put valuable Google traffic in the hands of ISPs in countries with a long history of Internet surveillance.”

Google addressed the problem on its Cloud Stats Dash and reported that services were not compromised in the incident. It has not found evidence that the incident was malicious, and, as the Wall Street Journal points out, it could be the result of either a cyberattack or an error in system configuration.

Naik says overall, this problem “further underscores one of the fundamental weaknesses in the fabric of the Internet.” BGP was designed to rely on the mutual trust between ISPs and universities to exchange information, and it hasn’t been updated to reflect the commercial and geopolitical relationships that exist between nations and service providers on today’s Internet.

He advises companies to monitor their BGP routes so they can quickly detect issues like these and minimize the effect on their business. BGP-related incidents have occurred recently, he adds, pointing to the April 2018 cryptocurrency heist involving the hijack of a DNS provider.
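The route monitoring Naik recommends can be reduced to a small check over observed BGP routes. The example below is added here and is not code from Google, ThousandEyes or the article: for each prefix you care about, it records the expected origin AS and the transit ASes that may legitimately appear on a path to it, then flags any observed route with a different origin, a more-specific prefix, or unknown transit ASes (the route-leak pattern of a peer re-advertising a prefix to networks that should never carry it). All prefixes, AS numbers and vantage-point names are constructed placeholders.

```python
"""Route-leak and hijack checks over constructed BGP route observations.

Added example, not code from Google, ThousandEyes or the article. All
prefixes and AS numbers are constructed placeholders (documentation
prefixes and private-use ASNs), not the networks involved in the incident.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str                  # announced prefix, e.g. "203.0.113.0/24"
    as_path: Tuple[int, ...]     # AS path seen from a vantage point, origin AS last
    vantage: str                 # constructed label of the observing vantage point


# Expected state for the prefixes we monitor: who should originate them and
# which transit ASes may legitimately appear on a path to them (constructed).
EXPECTED: Dict[str, Dict] = {
    "203.0.113.0/24":  {"origin": 64500, "transit": {64496, 64497}},
    "198.51.100.0/22": {"origin": 64500, "transit": {64496, 64497}},
}


def classify(route: Route) -> List[str]:
    """Return the findings for one observed route; an empty list means it looks normal."""
    findings: List[str] = []
    net = ipaddress.ip_network(route.prefix)
    origin = route.as_path[-1]
    transit: Set[int] = set(route.as_path[:-1])

    for monitored, expected in EXPECTED.items():
        mon_net = ipaddress.ip_network(monitored)
        # Only compare against monitored prefixes this announcement overlaps with.
        if not (net.subnet_of(mon_net) or mon_net.subnet_of(net)):
            continue
        # A more-specific announcement wins in the routing table, so even with a
        # plausible path it pulls traffic away from the legitimate route.
        if net != mon_net and net.subnet_of(mon_net):
            findings.append(f"{route.prefix} is a more-specific of {monitored} (possible hijack)")
        if origin != expected["origin"]:
            findings.append(f"origin AS{origin} differs from expected AS{expected['origin']} (possible hijack)")
        # Correct origin but unknown ASes in the middle of the path is the
        # route-leak pattern seen in the incident described above.
        unexpected = transit - expected["transit"]
        if unexpected:
            leaked_via = ", ".join(f"AS{asn}" for asn in sorted(unexpected))
            findings.append(f"unexpected transit via {leaked_via} (possible route leak)")
    return findings


def scan(routes: List[Route]) -> Dict[str, List[str]]:
    """Run classify() over a batch of observations and keep only the flagged ones."""
    report: Dict[str, List[str]] = {}
    for route in routes:
        findings = classify(route)
        if findings:
            report[f"{route.vantage} {route.prefix}"] = findings
    return report


# Constructed observations: one healthy route, one leaked through two unknown
# ASes, one more-specific announced by the wrong origin, and one unrelated prefix.
SAMPLE_ROUTES = [
    Route("203.0.113.0/24", (64496, 64500), "vp-eu"),
    Route("203.0.113.0/24", (64496, 64510, 64511, 64500), "vp-us"),
    Route("203.0.113.128/25", (64496, 64520), "vp-asia"),
    Route("192.0.2.0/24", (64496, 64530), "vp-eu"),
]

if __name__ == "__main__":
    for key, found in scan(SAMPLE_ROUTES).items():
        print(key)
        for finding in found:
            print("   ", finding)
```

In practice the observations would come from your own routers' BGP feeds or a public route collector rather than the constructed list above.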


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/vulnerabilities---threats/google-traffic-temporarily-rerouted-via-russia-china/d/d-id/1333257?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Empathy: The Next Killer App for Cybersecurity?

The toughest security problems involve people, not technology. Here’s how to motivate your frontline employees all the way from the service desk to the corner office.

Empathy is not often associated with cybersecurity. Former Facebook chief security officer Alex Stamos made reference to this idea during his 2017 Black Hat conference keynote, noting that “we have a real inability to put ourselves in the shoes of the people we are trying to protect,” and encouraging security professionals to “have empathy for the people that use the technologies we build.”

Unfortunately, as Stamos astutely noted, both security and software professionals tend to approach problem solving with an eye toward problems that are glamorous, complex, or sexy rather than ones that are most common or affect the largest number of users.

In reality, those with the most direct exposure to serious cybersecurity challenges are also the least prepared to handle them. Think of the frontline employees who are bombarded with phishing attacks, software updates, and deadlines around the work they’re trying to accomplish. Or consider organizational executive leadership and boards, who often struggle to understand the mechanics and potential impact of today’s cyber-risks.

Cybersecurity practitioners should heed Stamos’ advice and work hard to empathize with “the people that use the technologies we build.” Technology, ultimately, should serve those who use it and empower them to achieve more than they otherwise could. Empathic approaches to technology, people, and organizational processes are critical in building operations that are both secure and sustainable. Below are three specific examples where applying empathy can enhance security.

Third-Party Risk
In recent years, third-party risk has become a pressing concern. Whether it is the torrid tale of Target’s HVAC vendor or the NY Department of Financial Services Cybersecurity Requirements, third-party risk is under the microscope like never before. Empathy goes a long way toward giving security teams a deeper understanding of third-party risk because the risk hinges on both the security posture of the third party and the relationship with the external firm and service provided. It is important for cyber professionals to remember that every third-party engagement is chosen for a business reason, which must also be accounted for in the overall risk analysis.

For example, beyond the standard approach of asking what organizational data the third party has, we must understand how critical these resources are to business operations. Does your organization have a plan to replace their functionality on short notice? What other elements of the relationship are at play (such as strategic partnerships, regulatory drivers, etc.)?

An approach that is exclusively technology-focused will almost certainly miss important elements that must be accounted for. Empathy helps round out the risk assessment and allows a more holistic, risk-based decision to be made.

Phishing and Social Engineering Attacks
Business email compromise — the term for fraudulent emails designed to get corporate financial custodians to send money to bad actors under the guise of helping the CEO — is fundamentally an empathy issue. Attackers are leveraging psychological and organizational weaknesses to the tune of about $12.5 billion in profit. Adding empathy helps solve this security challenge in two specific ways involving policy and processes:

An open-door policy from executive leadership encourages employees to approach executives directly any time something doesn’t feel right, or they want to check on the legitimacy of a request. This policy has the added benefit of generating interaction between leaders and engaged and aware employees.

A business process requiring confirmation with the CFO, either in person or via direct-dialed voice, for any transaction over a certain threshold should also be encouraged. Instead of trying to respond as fast as possible for fear of looking inattentive, this practice would motivate employees to double-check such a request in a way that is difficult to spoof.

Penetration Testing
Penetration testing stands out as an example where technology solutions can be immensely enhanced by empathy. There are many software tools and platforms that perform automated scans, one-click exploits or other similar functionality. Indeed, utilizing a pre-configured penetration testing tool like Burp or Nessus is table stakes in 2018, and most organizations should already be performing this level of self-analysis.

A human-centered approach to this problem looks more like Bugcrowd or HackerOne. According to a recent report from HackerOne, the humans powering its platform discovered and reported over 72,000 vulnerabilities (as of May 2018), with more than 27,000 of those discovered and resolved within the last year alone. While there’s no doubt that these hackers are using technology tools to help them find vulnerabilities, it is the human element that creates effective penetration testing practices at scale.

Ultimately, the next “killer app” for cybersecurity won’t be a matter of doing more, faster. Instead, we must empower humans to make better decisions — including those at the front desk all the way up to those in the corner office. The most effective thing we can do as security professionals is double down on the human element and develop empathetic solutions to these fundamentally human problems.


Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Shay Colson, CISSP, senior manager, CyberClarity360, joined Duff Phelps from the US Department of the Treasury to lead the assessment team for CyberClarity360. He has over a decade of experience in cybersecurity and information assurance, with a focus on designing and …

Article source: https://www.darkreading.com/risk/empathy-the-next-killer-app-for-cybersecurity-/a/d-id/1333248?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Getting to Know Magecart: An Inside Look at 7 Groups

A new report spills the details on Magecart, the criminal groups driving it, and ongoing attacks targeting low- and high-profile victims.

If you’re in cybersecurity, you’ve likely heard of Magecart, the threat operation that’s quickly gaining notoriety as it ramps up financial data theft across the Internet.

Magecart is an umbrella term for at least seven cybercriminal groups that have been installing digital credit card skims onto e-commerce websites for years. Over the past few months, the operation has gone from relatively unknown to nationally recognized as its victims have expanded from consumers to global brands including British Airways, Ticketmaster, and Newegg.

Researchers from RiskIQ and Flashpoint teamed up to build a timeline of Magecart’s evolution and detail the threat groups and commercial infrastructure driving its growth. Their report, “Inside Magecart: Profiling the Groups Behind the Pivotal Credit Card Breaches and the Criminal Underworld that Harbors Them,” covers past and ongoing Magecart attacks.

RiskIQ threat researcher Yonathan Klijnsma says they’ve been keeping an eye on Magecart since 2015, when the threat grew out of a single group’s activities and began putting skimmers on vendor websites. Magecart flew under the radar, infiltrating more than 800 e-commerce sites with card skimmers, until it breached Ticketmaster UK with a supply chain attack in July 2018. Shortly after, it was linked to the British Airways hack that affected 380,000 customers.

These attacks on large companies put Magecart in global headlines and could have broader implications among the criminal community as they “lower barriers of entry and raise excitement for other criminal groups,” explains Vitali Kremez, director of research at Flashpoint. He calls these high-profile breaches “pivotal” and “fuel for the underground economy.”

The researchers have tracked each criminal group that makes up Magecart. While groups in this report are well-defined, many more groups and individuals add to the web-skimming threat.

An Introduction to Magecart’s Groups
Group 1 was first spotted in 2015 and so far has more than 2,500 victims. It cast a wide net with its skimmer, likely using automated tools to compromise websites and upload skimmer code. The original skimmer was made up of JavaScript embedded into e-commerce pages. When someone entered payment card data into a form, the skimmer copied it and sent it to a drop server.

In late 2016, Group 1 began to mimic the activities of Magecart Group 2; now, researchers have combined them into a single entity. Their victims include several thousand stores, the National Republican Senate Committee, and Everlast.

Group 3 has been on researchers’ radar since 2016 and has compromised more than 800 victims. Like some of the other groups, it aims for high attack volume and to snag as many cards as possible. However, it steers clear of high-end web retailers.

Group 3’s skimmer takes a different approach: Instead of checking the URL to see whether the skimmer is running on a checkout page, it checks whether any forms on the page hold payment data. If they do, the skimmer steals that information. Its goal is to ensure it has the names and addresses of customers and to exfiltrate all of it.

Group 4 is an advanced group that “is extremely careful” with skimmer placement, researchers report. It’s focused on high volumes of compromise with the goal of getting as many cards as possible without specifically targeting anyone. Group 4 tries to blend in with normal Web traffic and registers domains by copying ad providers, victims’ domains, and analytics providers.

(Image: Makistock - stock.adobe.com)

“It’s a different approach to setting up the infrastructure, setting up the skimming,” says Klijnsma of Group 4. Researchers believe this group stems from another criminal operation involved with malware distribution and hijacking online banking with web injects.

Group 5, which was implicated in the Ticketmaster breach, primarily targets third-party suppliers to maximize its reach. It was first seen in 2016 and so far has 12+ victims. The web supply chain is unique, researchers say, because any service that provides ads, content, analytics, or other functionality can be targeted — which makes it appealing to Group 5. With one compromise, the group can hit thousands of sites without targeting individual merchants.

“Something not a lot of companies are realizing is there’s a supply chain to websites,” Klijnsma points out. “Whenever you have a third party executing script on your website, that’s a risk.”


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/risk/getting-to-know-magecart-an-inside-look-at-7-groups/d/d-id/1333260?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Patch Tuesday Recap: 12 Critical Bugs Fixed

Eight of the 12 critical vulnerabilities addressed this month affect the Chakra Scripting Engine in Microsoft Edge.

Microsoft today released patches for 63 vulnerabilities as part of its November Patch Tuesday update. Twelve of the bugs were deemed Critical, two were publicly known at the time of release, and one is reportedly under active attack.

The bug being exploited is CVE-2018-8589, a Windows Win32k elevation of privilege vulnerability. It was reported by researchers at Kaspersky Lab, a sign attackers are using it in malware, notes Dustin Childs of Trend Micro’s Zero-Day Initiative. Malware leverages kernel elevation bugs to escalate to admin mode, which gives it full control of a target system.

The two publicly known vulnerabilities are CVE-2018-8584, a Windows ALPC elevation of privilege vulnerability, and CVE-2018-8566, a BitLocker security feature bypass vulnerability. The former affects Windows 10, Server 2016, and Server 2019, says Tenable CTO Glen Pendley, and it could let non-admins access and delete files on systems normally limited to administrators.

“This flaw is serious, as an attacker could leverage it to perform a number of functions, including DLL [dynamic-link library] hijacking,” Pendley says. “In this attack scenario, a cybercriminal can delete and input their own DLL that contains malicious code.” He advises security teams to apply the patch immediately.

Nine of the 12 Critical bugs are remote code execution (RCE) vulnerabilities in the Chakra scripting engine in Microsoft Edge. All RCE bugs exist in the way the engine handles objects in memory. The additional three Critical bugs exist in the Windows Deployment Services TFTP Server, Microsoft Graphics Components, and Windows VBScript Engine.

Because Microsoft Edge is the default Web browser in Windows 10, Pendley recommends companies that rely on Edge to apply patches in a timely manner.

Read more details here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/risk/microsoft-patch-tuesday-recap-12-critical-bugs-fixed/d/d-id/1333263?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple