Concurrent Technologies Corporation (CTC) is an independent, nonprofit, applied scientific research and development professional services organization. Together with our affiliates, Enterprise Ventures Corporation and CTC Foundation, we leverage research, development, test and evaluation work to provide transformative, full lifecycle solutions. To best serve our clients' needs, we offer the complete ability to fully design, develop, test, prototype, and build. We support our clients' core mission objectives with customized solutions and strive to exceed expectations. CTC has been named one of the World's Most Ethical Companies by Ethisphere Institute, the global leader in defining and advancing the standards of ethical business practices. In addition, CTC has been named a Best for Vets Employer by Military Times. For more information about CTC, visit www.ctc.com.
Talk about PA State Task and what we have found…
Facebook CEO Zuckerberg's Twitter, Pinterest accounts Hacked! And the Password was….
June 5, 2016
Zuckerberg's LinkedIn password was "dadada", which he also used for his other online accounts, the group tweeted.
Warning! 32 Million Twitter Passwords May Have Been Hacked and Leaked
Wednesday, June 08, 2016
The Hacker News
The world came to know about massive data breaches in some of the most popular social media websites including LinkedIn, MySpace, Tumblr, Fling, and VK.com when an unknown Russian hacker published the data dumps for sale on the underground black [...]
Over 51 Million Accounts Leaked from iMesh File Sharing Service
Monday, June 13, 2016
The Hacker News
How many more data dumps does this hacker have with him that have yet to be exposed? Well, no one knows the answer, but we were recently made aware of another data breach from Peace – the same Russian hacker who was behind the massive breaches in [...]
North Korean Hackers Steal thousands of Military files from S. Korea
Monday, June 13, 2016
The Hacker News
Hackers aligned with North Korea have always been accused of attacking and targeting South Korean organizations, financial institutions, banks and media outlets. Recent reports indicate that North Korean hackers have hacked into more than 140,000 [...]
University Pays Hackers $20,000 to get back its Ransomware Infected Files
Tuesday, June 07, 2016
The Hacker News
What's the worst that could happen when ransomware hits a university? Last month, the IT department of the university from which I graduated called me to help them get rid of a ransomware infection that locked down all [...]
Mitsubishi Outlander Car's Theft Alarm Hacked through Wi-Fi
Monday, June 06, 2016
The Hacker News
From GPS system to satellite radio to wireless locks, today vehicles are more connected to networks than ever, and so they are more hackable than ever. It is not new for security researchers to hack connected cars. Latest in the series of hackable [...]
Hacker Selling 65 Million Passwords From Tumblr Data Breach
Monday, May 30, 2016
The Hacker News
Earlier this month Tumblr revealed that a third party had obtained access to a set of e-mail addresses and passwords dating back from early 2013, before being acquired by Yahoo. At that time, Tumblr did not reveal the number of affected users, but [...]
----- Meeting Notes (6/14/16 11:48) -----
A couple of personal experiences: grocery market skimmer, wife's Hotmail account, father's call from someone telling him he was hacked and that he needed to pay them $400.
The Ideal Market one made my wife not go back, or only pay with cash.
What do they want? Business and client financial information (credit card numbers), and personal credentials to pose as someone else on the Internet.
Small businesses have more digital assets to target than an individual consumer has, but less security than a larger business.
An infographic by Towergate Insurance showed that small businesses often underestimate their risk level, with 82 percent of small business owners saying they're not targets for attacks, because they don't have anything worth stealing.
Several recent and well respected surveys have shown that our employees do not understand the value of information.
• Over half of employees don’t understand the consequence of company information loss.
• Half of employees have access to company IP that they themselves deem is above their pay scale.
• Lack of understanding is apparent among business owners, and most do not see the threat.
The annual cost of cybercrime to the world economy is estimated at more than $400bn.
“As the B2B digital world continues to become more entwined, large companies are requiring their vendors to interact with internal systems including procurement, logistics, marketing, human resources, payroll, and even into environmental and maintenance,” he said. “These relationships and requirements create access into the parent organization – the ultimate target.” Alex Moss, CTO and managing partner at Conventus
Symantec Security Response, in an email to CSO, said: "attackers often use SMBs as stepping stones to gain access to larger corporate networks."
The PwC Global State of Information Security Survey (link below) found that "small firms, with annual revenues less than $100 million, cut security spending by 20% in 2014, while medium – those with revenues of $100 million to $999 million – and large companies increased security investments by 5%." http://www.pwc.com/gx/en/consulting-services/information-security-survey/
That study also found that compromises of mid-size firms rose 64% from 2013 to 2014. "We think threat actors are beginning to target medium-tier businesses because they typically cannot match the sophisticated cybersecurity technologies and processes of the largest companies."
The Verizon Communications 2013 Data Breach Investigations Report found that close to 62% of data breaches that year were at the SME level.
Why criminals pick on small business (from the CSO article linked below):
• Lack of time, budget and expertise to implement comprehensive security defenses.
• No dedicated IT security specialist on the payroll.
• Lack of risk awareness.
• Lack of employee training.
• Failure to keep security defenses updated.
• Outsourcing security to unqualified contractors or system administrators.
• Failure to secure endpoints.
Regulators are also paying closer attention to SMEs. In the retail world, the latest version of the Payment Card Industry Data Security Standard (PCI DSS), which took effect Jan. 1, requires more rigorous security standards for third-party vendors or contractors, which have been a weak point for major companies – illustrated in a high-profile way by the catastrophic Target breach a little more than a year ago.
http://www.csoonline.com/article/2866911/cyber-attacks-espionage/why-criminals-pick-on-small-business.html
The Verizon table provides the breakdown for both victim industries and size ranges. Don't give much credence to the huge number for the public sector; many government CSIRTs participate in this report, and they handle a high volume of incidents (many of which fall under regulatory reporting requirements). The four columns on the right filter out the noise of these incidents, many of which are rather mundane, by including only confirmed data breaches.
Statistics from Verizon report
To classify the threats against business, we bin them into untargeted and targeted threats.
On configuration errors, many reports show that by
Social engineering has a long and rich tradition outside of computer/network security, and the act of tricking an end user via e-mail has been around since AOL installation CDs were in vogue. Do you remember the “free cup holder” prank? Someone sending you an attachment that opened your CD-ROM drive was cute at the time, but a premonition of more malicious acts to come.
In previous years, we saw phishing messages come and go and reported that the overall effectiveness of phishing campaigns was between 10 and 20%. This year, we noted that some of these stats went higher, with 23% of recipients now opening phishing messages and 11% clicking on attachments. Some stats were lower, though, with a slight decline in users actually going to phishing sites and giving up passwords.
How long does an attacker have to wait to get that foot in the door? We aggregated the results of over 150,000 e-mails sent as part of sanctioned tests by two of our security awareness partners and measured how much time had passed from when the message was sent to when the recipient opened it, and if they were influenced to click or provide data (where the real damage is done). The data showed that nearly 50% of users open e-mails and click on phishing links within the first hour.
A favorite phishing tactic among cybercriminals is to spoof the display name of an email. Return Path analyzed more than 760,000 email threats targeting 40 of the world’s largest brands and found that nearly half of all email threats spoofed the brand in the display name.
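The display-name spoofing described above is cheap to detect on the receiving side: the display name claims a brand while the sending domain does not belong to that brand. The following is an added example, not code from the original page or from Return Path; the brand-to-domain table and the From headers are constructed for the demonstration.

```python
from email.utils import parseaddr

# Assumed brand -> legitimate sending domains table (constructed for this example;
# a real deployment would load this from the organisation's own list).
PROTECTED_BRANDS = {
    "linkedin": {"linkedin.com"},
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "outlook.com"},
}

# Constructed From: header values, not real messages.
SAMPLE_FROM_HEADERS = [
    'LinkedIn <security-noreply@linkedin.com>',
    'LinkedIn Security <linkedin.security@mail-update-center.info>',
    '"PayPal Service" <paypal@paypa1-support.ru>',
    'Alice Example <alice@example.org>',
    'Microsoft Account Team <no-reply@microsoft.com>',
]


def brand_in_display_name(display_name):
    """Return the protected brand named in the display name, or None."""
    name = display_name.lower()
    for brand in PROTECTED_BRANDS:
        if brand in name:
            return brand
    return None


def registrable_domain(address):
    """Last two DNS labels of the address domain. Naive (wrong for co.uk-style
    suffixes); use a public-suffix list in production."""
    host = address.rpartition("@")[2].lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_from_header(header):
    """Classify one From: header.
    brand-ok            display name claims a brand and the domain is that brand's
    display-name-spoof  display name claims a brand but the domain is not that brand's
    no-brand            display name claims no protected brand"""
    display, addr = parseaddr(header)
    brand = brand_in_display_name(display)
    if brand is None:
        return ("no-brand", brand, addr)
    if registrable_domain(addr) in PROTECTED_BRANDS[brand]:
        return ("brand-ok", brand, addr)
    return ("display-name-spoof", brand, addr)


def scan_headers(headers):
    return [check_from_header(h) for h in headers]


if __name__ == "__main__":
    for verdict, brand, addr in scan_headers(SAMPLE_FROM_HEADERS):
        print(f"{verdict:20} {brand or '-':10} {addr}")
```

Note that the local part of the address (linkedin.security@...) is ignored on purpose: only the domain is authoritative. DMARC stops an attacker from putting linkedin.com in the From: domain, but it says nothing about the display name, which is why this check is still needed alongside DMARC. Look-alike display names (Unicode homoglyphs, "Linked In") need fuzzier matching than the substring test shown here.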
Compromised in this sense refers to logins where we are not absolutely confident that the account’s true owner is accessing the account and we either preemptively or retroactively block access.
Social media users usually trust their circles of online friends. The result: more than 600,000 Facebook accounts are compromised every single day. Also, 1 in 10 social media users said they've been a victim of a cyber attack, and the numbers are on the rise. This is one cyber security statistic we don't want you to become part of.
A good example is “Newscaster” or “Charming Kitten” cyber-attack, which made headlines earlier this year. The attack, according to a report by threat intelligence provider iSIGHT Partners, originated in Iran and targeted primarily senior U.S. military and diplomatic personnel, congressional personnel, Washington D.C. journalists, think tanks, defense contractors, and United States allies overseas. This state-sponsored attack used fake personas on social networking sites (e.g., Facebook, LinkedIn, Twitter, Google+) to establish trust relationships that were later exploited to distribute malware designed to steal passwords and sensitive information. Based on the findings, the attack managed to go undetected from at least 2011, and some of the malware continues to go undetected by many signature-based security tools.
CHANGE PASSWORD
RESET PASSWORD
REVIEW APPS WITH ACCESS
Stolen usernames and passwords reached headline news again this morning. Usernames and passwords stolen from a 2012 LinkedIn security breach are being sold on the Internet. LinkedIn will begin sending “Update your security settings” messages to LinkedIn subscribers.
Using strong passwords and changing passwords regularly is a good practice but does not protect your account when a service (LinkedIn, Gmail, Twitter, Facebook, etc.) suffers a security breach. Two-Step login verification, also known as 2-factor authentication, adds a layer of security and protects accounts when the login information is stolen. Most social network applications and email accounts allow for 2-factor authentication. Today’s announcement about LinkedIn’s stolen login IDs serves as a good reminder to enable 2-factor on all of your personal accounts.
Instructions for enabling 2-factor authentication on your accounts can be found here:
LinkedIn Two-Step verification instructions
Twitter Login verification instructions
Facebook Two-Step verification instructions
Gmail Two-factor authentication instructions
Yahoo Two-Step verification instructions
How to Protect Your Accounts
Because of the security breach, LinkedIn will be sending you a message saying you should reset your password. In that email, they will probably advise you to use 2-factor authentication. At the same time, attackers will be seeing the news stories and will also be sending you "reset your password" notifications to distribute viruses and malicious software. Therefore, when you get authentic messages from LinkedIn or other legitimate social networks, do not access their websites by clicking on the active links included in the emails. Instead, visit the sites directly with a web browser (such as www.LinkedIn.com) or the mobile app to update your security settings, passwords, and to enable 2-factor authentication.
staysafeonline.org
Privacy and security settings exist for a reason: Learn about and use the privacy and security settings on social networks. They are there to help you control who sees what you post and manage your online experience in a positive way.
Once posted, always posted: Protect your reputation on social networks. What you post online stays online. Think twice before posting pictures you wouldn’t want your parents or future employers to see. Recent research found that 70% of job recruiters rejected candidates based on information they found online.
Your online reputation can be a good thing: Recent research also found that recruiters respond to a strong, positive personal brand online. So show your smarts, thoughtfulness, and mastery of the environment.
Keep personal info personal: Be cautious about how much personal information you provide on social networking sites. The more information you post, the easier it may be for a hacker or someone else to use that information to steal your identity, access your data, or commit other crimes such as stalking.
Know and manage your friends: Social networks can be used for a variety of purposes. Some of the fun is creating a large pool of friends from many aspects of your life. That doesn't mean all friends are created equal. Use tools to manage the information you share with friends in different groups, or even have multiple online pages. If you're trying to create a public persona as a blogger or expert, create an open profile or a "fan" page that encourages broad participation and limits personal information. Use your personal profile to keep your real friends (the ones you know and trust) more synched up with your daily life.
Be honest if you're uncomfortable: If a friend posts something about you that makes you uncomfortable or you think is inappropriate, let them know. Likewise, stay open-minded if a friend approaches you because something you've posted makes him or her uncomfortable. People have different tolerances for how much the world knows about them; respect those differences.
Know what action to take: If someone is harassing or threatening you, remove them from your friends list, block them, and report them to the site administrator.
Protect Yourself with these STOP. THINK. CONNECT. Tips:
Keep security software current: Having the latest security software, web browser and operating system is the best defense against viruses, malware and other online threats.
Own your online presence: When applicable, set the privacy and security settings on websites to your comfort level for information sharing. It’s OK to limit how and with whom you share information.
Make your password a sentence: A strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!
Unique account, unique password: Having separate passwords for every account helps to thwart cybercriminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passwords.
When in doubt, throw it out: Links in email, tweets, posts and online advertising are often how cybercriminals try to steal your personal information. Even if you know the source, if something looks suspicious, delete it.
Post only about others as you have them post about you. The Golden Rule applies online as well.
Search your business: It is a good idea to search your business name on Google and check out your profile as others see it on social networking sites. Understand where you show up and what information is available about you, and then adjust your profile, settings and habits appropriately.
Small businesses may propagate this attack and be a means to an end…
Regardless of the motivation, a key component of a watering hole attack is the initial compromise of a trusted third-party entity, which does not represent the ultimate target. A watering hole attack is typically an early component in a broader targeted attack and occurs at the Initial Infection phase (see Figure 1). Once the victim machines are compromised, the attackers will laterally move toward their goal and ultimately exfiltrate data.
Law firms are often leveraged in targeted attacks, especially when corporate espionage is the goal, given their trusted relationships with clients.
1.) The attacker determines the sites most frequented by the targeted users (think of the software that knows what sites you shop at and then hits you with adware)
- Probably not a well-known site, but perhaps a small business partner with less security scrutiny
- A local small business supplying support or other services
2.) The attacker tests those sites for vulnerabilities
3.) The attacker compromises the web server and injects code to redirect victims
4.) The victim's browser lands on a site that infects or exploits the system
Watering hole attacks often succeed as the infected sites are considered trusted resources and do not therefore receive the same level of scrutiny that a suspicious or uncategorized resource might. The trusted third party may even represent a resource that receives no scrutiny whatsoever and completely bypasses the security controls that would be subjected to ‘normal’ Internet traffic.
Once the user steps in the trap by visiting the watering hole they are assessed for vulnerabilities. Using drive-by downloading techniques, attackers don’t need users to click or download any files to their computer. A small piece of code is downloaded automatically in the background. When it runs, it scans for zero-day vulnerabilities (software exploits discovered by the most sophisticated cyber criminals that are unknown to the software companies) or recently discovered exploits that users have not yet patched in Java, Adobe Reader, Flash, and Internet Explorer (that software update from Adobe may be important, after all).
The user’s computer is assessed for the right set of vulnerabilities and if they exist, an exploit, or a larger piece of code is delivered that will carry out the real attack. Depending on the user’s access rights, the attacker can now access sensitive information in the target enterprise, such as IP, customer information, and financial data. Attackers also often use the access they’ve gained to plant more malware into software source code the user is developing, making the attack exponentially more threatening.
GoDaddy, Westwood movie theater: employees would go out on Friday and see what movies would be playing that weekend, planning the weekend, but the site was compromised with malware as a dropper or watering hole. Errors would go off on our systems; we would call, and they would say our site is fine…
Timely software updating. For watering hole attacks that employ old vulnerabilities, an organization’s best defense is to update systems with the latest software patches offered by vendors.
Vulnerability shielding. Also known as “virtual patching,” it operates on the premise that exploits take a definable network path in order to use a vulnerability. Vulnerability shielding helps administrators scan suspicious traffic as well as any deviations from the typical protocols used. Thus, this monitoring empowers system administrators to prevent exploits.
Network traffic detection. Though attackers may incorporate different exploits or payloads in their attack, the traffic generated by the final malware when communicating with the command-and-control servers remains consistent. By detecting these communications, organizations can readily implement security measures to prevent the attack from further escalating. Technologies such as Trend Micro Deep Discovery can aid IT administrators in detecting suspicious network traffic.
Correlating well-known APT activities. Using big data analytics, organizations can gain insight on whether they are affected by a targeted attack by correlating and associating in-the-wild cybercrime activities with what is happening on an enterprise’ network.
Organizations should also consider building their own local intelligence to document previous cases of targeted attacks within the company. These enable organizations to spot possible correlations and insights needed to create an effective action or recovery plan.
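The "Network traffic detection" point above rests on one property of most implants: whatever exploit delivered them, they check in with their command-and-control server on a fixed schedule. That regularity is visible in ordinary proxy or firewall logs without any signature. The following is an added example, not code from the original page or from Trend Micro: it groups connections by client and destination and flags pairs whose inter-connection gaps have a very low coefficient of variation. The log format and the traffic are constructed for the demonstration; the 0.1 threshold and the 8-event minimum are assumptions to tune on your own data.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def make_sample_log():
    """Constructed proxy log lines 'timestamp client destination' (not real traffic):
    one host beaconing every 300 s with a few seconds of jitter, one host browsing."""
    start = datetime(2016, 6, 14, 9, 0, tzinfo=timezone.utc)
    lines = []
    jitter = [0, 2, -1, 3, 1, -2, 0, 2, -3, 1, 0, 2]
    for i, j in enumerate(jitter):
        t = start + timedelta(seconds=300 * i + j)
        lines.append(f"{t.isoformat()} 10.0.0.5 203.0.113.10")
    gaps = [0, 7, 45, 3, 600, 12, 1800, 5, 90, 4, 2400, 15]  # human-like pauses
    t = start
    for g in gaps:
        t += timedelta(seconds=g)
        lines.append(f"{t.isoformat()} 10.0.0.9 198.51.100.7")
    return "\n".join(sorted(lines))


def parse_log(text):
    """Group timestamps by (client, destination)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return flows


def beacon_score(timestamps, min_events=8):
    """Mean gap and coefficient of variation (stdev/mean) of the gaps between
    consecutive connections. Near-zero CV means machine-regular timing."""
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return {"events": len(ts), "mean_gap_s": mean, "cv": statistics.pstdev(gaps) / mean}


def find_beacons(text, max_cv=0.1):
    """Return (client, destination, mean_gap_seconds, cv) for regular check-ins."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        s = beacon_score(stamps)
        if s and s["cv"] <= max_cv:
            hits.append((src, dst, round(s["mean_gap_s"]), round(s["cv"], 3)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(make_sample_log()):
        print("possible beacon:", hit)
```

Legitimate software beacons too (time sync, update checks, mail clients), so the output is a candidate list to join against destination reputation and an allow-list of known pollers, not an alert on its own. Implants that randomise their sleep interval widely will push the CV above the threshold; for those, look instead at a consistent request size or URI path across the same pair.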
----- Meeting Notes (6/14/16 21:50) -----
We have seen this at several of the assessments we did, with companies losing whole directories or shares. No one that we know of had to pay, because they had backups and were able to quarantine the systems.
How Thieves Attack a POS system
1. At the card reader slot. The criminal physically installs a card skimmer to grab magnetic data as the card is swiped. This mostly occurs at card readers that are unattended at certain times, such as ATMs and gas pumps, because of the time and effort required to install the device. Oftentimes the thieves must return to remove the device, although more recently, Bluetooth-enabled skimmers have become available to cut out this need.
Encrypting read heads are generally invulnerable to these attacks, because a skimmer could not be installed without ruining the machine, unless the thieves could disassemble it in workshop conditions and replace microchips on the circuit board itself.
2. In the memory of the POS device itself. In an ordinary card reader, data remains in the clear for a split-second as it travels from the read head to the RAM within the card reader, where it is then encrypted before being sent on down the line. However – even though this only takes a few milliseconds – if the terminal is infected with malware, it can “get in front” of the encryption software and grab the card numbers.
This type of attack uses malware called a “RAM scraper.” One RAM scraper that you might have heard of is BlackPOS, which gained infamy for its use in the 2013 Target data breach.
It is important to note that a merchant can be in full compliance with PCI standards while still being vulnerable to this type of attack. Currently, the only way to prevent theft on a machine infected with a RAM scraper is for the card data to be encrypted even before entering the system; that is to say, at the magnetic read head itself.
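A RAM scraper does nothing more exotic than search process memory for the fixed layout of magnetic-stripe track data (the "%B...^...^...?" and ";PAN=YYMM...?" sentinels) and keep the hits whose card number passes the Luhn check. The same search is what a defender runs over a memory dump or a terminal's output buffers to confirm cleartext card data is present. The block below is an added example, not code from the original page or from any named product; the memory buffer is constructed with industry test card numbers, and output is masked so the tool itself never writes a full PAN.

```python
import re

# Track 2: ;PAN=YYMM SSS discretionary?    Track 1: %B PAN ^ NAME ^ YYMM SSS discretionary?
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?")
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[A-Z /.\-']{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]{0,79})\?"
)


def luhn_ok(pan):
    """ISO/IEC 7812 check digit: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep BIN and last four, the PCI-permitted display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf):
    """Return masked findings for every track-formatted, Luhn-valid PAN in `buf`."""
    hits = []
    for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode()
            if luhn_ok(pan):  # drops random digit runs that merely look like a PAN
                hits.append({
                    "track": track,
                    "offset": m.start(),
                    "pan_masked": mask(pan),
                    "expiry": m.group("exp").decode(),
                })
    return hits


# Constructed memory buffer: process strings, two cleartext tracks using public
# test card numbers, and one track-shaped string whose PAN fails Luhn.
SAMPLE_DUMP = (
    b"\x00\x17POSAPP.EXE\x00 settings=1;" + b"\xff" * 16
    + b";4111111111111111=19121011000012300000?"
    + b"\x00" * 8
    + b"%B5500000000000004^DOE/JANE^2001101000000000000000?"
    + b"log line 12345;4111111111111112=1912101?"
    + b"\x00"
)

if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_DUMP):
        print(hit)
```

This is also the concrete reason the text gives for encrypting at the read head: once the track is encrypted before it reaches the terminal's RAM, these sentinel patterns no longer exist anywhere the malware can read, and the scan returns nothing. Scanning a live POS with this pattern is a reasonable periodic control on any terminal that is not point-to-point encrypted.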
Triple DES encryption provides 2^112 possible key combinations.
3. Between the POS terminal and the register or PC. While less common, a few thieves have tried to steal card numbers over the connection from the card reader to the register. Skimmers like the one used in a thwarted attack against cash registers at Nordstrom are designed to intercept and record anything coming down the cable until they are removed. Devices like this are readily available because they do have legitimate uses in the surveillance and intelligence fields; however, in the wrong hands, they can be a danger to unsuspecting merchants and consumers.
4. In the cash register itself. Especially if you’re using a PC as a virtual cash register, it can be attacked with malware or viruses just like any other computer. If data is unencrypted at this point, you may not technically be in PCI compliance. Storing or decrypting card data for use in other programs may also open up unexpected vulnerabilities.
5. In the cloud. Once you send data out over the network, it’s out of your control. Usually, the only place it’s going is over a secure connection to a trusted processor, so it shouldn’t be an issue. But the fact is you can never be 100% sure what happens after the data leaves your network. To protect against the unknown, the best defense is always to make sure the data is encrypted when it’s sent out.
As you’ve hopefully noticed, one possible countermeasure in all of these cases is to have your data encrypted before an attack can occur. No network will ever be 100% secure from intrusions, but if you do find yourself the target of hackers, it’s better they steal something that’s useless.
It is much easier to defend data than to defend a network, not to mention much less expensive. We hope you’ve found this a useful guide to the basics of how encryption works and how it can help you protect yourself.
----- Meeting Notes (6/14/16 21:50) -----
refer back to the Ideal market issue I had..
EMPLOYEES DON’T MAKE GOOD FIREWALLS
Use VPN technology if you are using an iPad as a POS system, so the transmission is encrypted end to end and no one can listen in.
Use VPN technology if you want to connect to your office remotely (from out of the office).
We have seen minimal reporting…
Talking Points:
(If you are concluding the slide presentation):
"CTC is a true partner to its employees and clients.”
“Are there any questions you’d like to ask?”