Deloitte Breach of Email and...
- Details
- Written by: CyberFreek
- Category: Breach and Disclosure
Recently announced is yet another security breach, this time at Deloitte, supposedly through an email server that exposed confidential emails and client details. For one thing, if details are still being discovered, the breach was not contained within the email server. Most likely the attacker used the email server as a jumping-off point to gain more control and information within their systems.
There are a ton of things that can be said about this. The most important is that there was a lapse in security. Whose fault is this? Security? Management? Employees? Most likely all of them, and also the managers that held the purse strings of the security people. This is a classic situation where there was slightly less "due diligence" on protecting emails and the server(s) than there should have been.
Let's face it. Security is an ever-present, ever-persistent requirement in any and all companies. Even for home users or employees that use their personal email accounts for business. Everything is hackable, right? This is a true statement. You can lock down all of your systems to the Nth degree, but tomorrow there will be a new vulnerability found. A new technique to break something. This is just the way things are when you use computers and have Internet-facing systems. Expect to be broken into. Expect a breach. Plan for the catastrophe that may or may not ensue. If you are a business that relies heavily on the Internet, expect this.
Never give up your diligence. Never give up your dedication. Never give up learning and training. Build a lab at home or at work (with permission, that is) to test the security of various applications, programs, Internet-facing devices, etc. Never ever let your guard down.
Just one link can be found here on an article concerning the possible email attack vector that hit Deloitte.
Intel fixes AMT flaw that allows Hackers access
Really?! I'm shocked.
Intel fixes a flaw in AMT that would allow a hacker to bypass security and gain access to a system whether it is powered on or off. But supposedly this flaw has been out there for over 10 years, based upon what the article states.
3.6 Million Taxpayer Records Stolen
It was announced that the State of South Carolina had 3.6 million taxpayer records, including Social Security numbers, and 387,000 credit card records stolen. It seems, according to the article, that anyone who has filed a tax return since 1998 may want to continuously check their credit ratings to ensure that everything is safe. The State is also giving away a free year's worth of identity fraud protection. 1 free year! Wow! The depth of this could be far-reaching due to lax security, and they only give 1 free year?!
What stands out to me is that there are only 3.6 million taxpayers in South Carolina since 1998? That's an average of 257,143 taxpayers per year? So who is not paying their taxes in South Carolina? But seriously, a breach of data and PII is no laughing matter. Any person, organization, company or government is responsible for keeping data secure. Especially when it contains information that could directly affect your consumers, constituents, taxpayers and population. Everyone should be diligent in ensuring that this information is protected. How can this be done with ever-dwindling, shrinking resources and funding? As the CISO or ISO of your organization, point out the huge risks that are associated with this kind of breach. There are those that slough off the importance of this by purchasing Breach Insurance. I kid you not! Breach Insurance is now available to help protect organizations against the massive cost of handling these incidents. But are we getting lazy when this type of insurance is available? Are we backing off on doing our due diligence of protecting our network and data because the insurance "has our back"?
There are dangers in this form of thinking and this type of insurance. When I first heard of this form of insurance about 3 years ago, I laughed and then quickly realized the dangers of this. Since the insurance is there to protect the investments, there will be those within management that deliberately cut back on security services. I've said it before and will continue saying it, "Security is an intangible asset that can only be measured after a breach". Since it is an intangible asset, how do you know what level of costs are and are not acceptable? How do you budget for something that is intangible? Everyone wants this or that technology, but we all know a patchwork is not as effective as a strong cohesive defense. How can you budget for and protect assets that many people are unaware of or don't want to know about?
In some cases Security will be degraded to (sorry, stealing a line from Ross Perot) the "crazy aunt that no one wants to deal with". The Chicken Little of business is what Security is degraded to when you opt for insurance that covers your back more so than the technology that is available. We can protect your systems and data today. But IT security is always evolving because the bad guys don't sleep. How do you plan and protect against this with insurance?
We as an industry need to step back a little and re-evaluate the correct paths and directions instead of suggesting a patchwork of products. A cohesive plan that can evolve as threats do.
Stay safe, protect your ASSets !
Yahoo Voices Hacked, Change your Password!
Well, again another giant is hit with a simple SQL injection vulnerability. This time it seems to be Yahoo Voices, formerly known as "Associated Content", which Yahoo purchased and renamed Yahoo Voices. Before reading further, we strongly suggest that you CHANGE YOUR PASSWORD if you use this service!
We get a little complacent about changing our passwords periodically. While some large institutions employ a "change your password every XX days" policy, a lot more just ignore this. They keep passwords forever because they just do not want to hear people screaming at them "I don't want this" or "I don't think it helps". It doesn't matter how loudly they scream, it's a fundamental keystone of Cyber Security: changing your passwords periodically. In some instances people even reuse their usernames or email addresses across everything they touch on the Internet. Sounds dangerous? IT IS!! Let me explain why...
Say you use a password of "pa$$w0rd" on all of your accounts. Banking, GMAIL, YAHOO, credit cards, office, etc. all using the same password. You never change this password because you just don't want to exercise the grey matter between your ears to come up with a new one. The parent company behind one of these accounts gets hacked, and your email address or username along with your password is now out in the public. Ok, so what? Right?
Well, there are services and software packages that can trace all of your footsteps and find out where you frequent, what sites, locations, etc. you surf to or use on a regular basis. A simple search by a "bad guy" finds all of the sites you log into with the same username, email address and password. NOW they have everything: your bank account, email access, etc. All because you allowed people to scream at you who are too lazy to secure their information by changing their password and NOT reusing passwords across the whole Internet. Or even reusing your email address or username on every site you log into. Now how do you feel when your boss or contacts get a nasty email from you, your bank account has just transferred out all of your savings, or all of your credit cards are cancelled because some malicious person decided that YOU didn't need them anymore?
Think this does not happen? Pull your head out of the sand!! It happens every day. This is just one form of Identity Theft: masquerading as you to do whatever they want.
Ok, back to the SQL injection vulnerability. How long has this vulnerability been around? 10 years? More? Yet some of the simplest vulnerabilities are STILL doing damage out there. Why? We add on all sorts of gizmos, doodads and boxes to protect our network. In some instances all of these technologies CAUSE the problem by accidentally opening a hole. The more layers you put on, the more chance of an opening occurring. Or worse, multi-vendor solutions do not address everything you need and cause you to miss vulnerabilities or holes due to a false sense of security. Many people decide it's a waste of time to continue to install Application Security measures OR, even worse, hire in so-called AppSec experts that are never as thorough as they should be.
Maybe 5 years ago this software was checked, but never periodically rechecked. I call it a slice-in-time vulnerability assessment. By today's standards an application is secure, but tomorrow or in 3 months a new technique is discovered that CAN exploit a vulnerability in an application that was once found secure.
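The "simple SQL injection" the post refers to is almost always a query built by pasting user input into the SQL text. The example below is added here to show that pattern beside its fix; it is not code from Yahoo Voices or from the original post, and the user table, names and passwords are constructed for the demonstration (a real system would store password hashes, not plaintext).

```python
import sqlite3

# Constructed sample accounts for the demo only (plaintext kept for brevity).
USERS = [("alice", "pa$$w0rd"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory SQLite database holding the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Classic flaw: untrusted input is spliced into the SQL text, so a quote
    character in the input can change the structure of the query itself."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, name, password):
    """The fix: the query shape is fixed and the values travel separately as
    bound parameters, so the database only ever compares them as data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run a correct login and a malformed one through both versions.

    Returns (ok_vulnerable, ok_parameterized, bad_vulnerable, bad_parameterized).
    The vulnerable version authenticates the malformed input because the
    injected OR clause makes the WHERE condition always true; the
    parameterized version correctly rejects it."""
    conn = make_db()
    ok_v = login_vulnerable(conn, "alice", "pa$$w0rd")
    ok_p = login_parameterized(conn, "alice", "pa$$w0rd")
    # The textbook test string a scanner or code reviewer would try: a stray
    # quote followed by a clause that is always true.
    tainted = "' OR '1'='1"
    bad_v = login_vulnerable(conn, "alice", tainted)
    bad_p = login_parameterized(conn, "alice", tainted)
    return ok_v, ok_p, bad_v, bad_p
```

The same lesson applies to every driver and language: the defence is not escaping quotes by hand but never letting input become part of the SQL text at all.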
One very important phrase to remember.... The bad guy never sleeps, and is always replaced by more when they stop for a little bit. THEY NEVER STOP. So why does your security department stop? Why do YOU stop changing passwords, or keep reusing email addresses or user names? Why do YOU continue to make it easy for these sorts of things to happen to you?
Because we are all lazy and in some ways "set" in our ways or habits. We need to break this and focus on Security, not listen to the screamers. We need to be diligent and pro-active. Not re-active!
Stay safe, stop reusing email addresses as user names and using the same passwords!! Just remember to periodically change your password, maybe once a month!
6 Data breaches of 2012 or Can we come out of Panic Mode yet?
Dark Reading has just posted an interesting article about the "6 Biggest Breaches of 2012, so far". First off, before you continue to read what I have to say, I suggest reading the article.
Ok, so you are back from reading the article, great!
What is the trend you are starting to see here? Is there a trend? What can YOU deduce from the following:
I'll get to my point on the trend in a second. However, I want to talk about something that is a fact no matter how you look at it. Anyone that knows of me knows of the philosophy I push, that "Security is an Intangible". You can spend money on tangible items such as:
- Employees
- HealthCare
- Computer & Networking Equipment
- Office supplies
- Cell Phone and plans
- the list goes on and on and on.... ad nauseam.
You can touch or see the benefits of these items, aka tangible items. However, you cannot see or touch the benefits of data, infrastructure, or, lumping everything together, "Cyber Security". You can't realize how important it is until a catastrophic event occurs.
You've heard the higher-ups say "we are spending too much, we need to cut back" or even "we can't keep up with it, outsource it". This all works well if the vendor you selected is above board on everything. But none really are. They all hide certain facts, especially if they can't handle it themselves.
When and if there is a breach, then it's full-blown Panic Mode to patch and get the right things in place. Remember this one important fact: no one will stand behind the budget cuts they imposed when a breach does occur.
Hmm, doesn't this resemble a "head in the sand" management philosophy?
Side note: a vendor at the 20010 Black Hat event in Las Vegas provided a perfect example of this. I wrote a small article on it here.
What are the right things when each vendor screams their product is better? Do you also realize that many "solutions" cause their own idiosyncratic problems? "But we need something in place NOW!" Blank checks are written to plug the hole in the dike with silly putty. There are no other words for it. Silly Putty.
Panic Mode is a killer and makes organizations do extremely rash and foolish things. See article here on Zappos response last year. Besides, it makes "experts" cringe.
Panic Mode can be described as:
The lack of ability to function in a normal capacity due to an event that triggers panic attacks.
Dictionary Dot Com labels Panic as: