Category: Cyber Attacks Page 7 of 9

Anatomy Of A Security Breach: Target

Target security breach 2013It’s not often we get a chance to attend a security breach postmortem — a step-by-step, hack-by-hack, mistake-by-mistake account of what went so horribly wrong. The U.S. Commerce Department recently presented their report into all the mistakes Target made, and which could have avoided, in its recent massive data breach.

The report provides what’s referred to as an “intrusion kill chain” that highlights all the places Target had a chance to spot the breach and stop it. But missed. For example:

  • The hackers were able to identify a potential Target vendor or supplier to exploit because Target made such a list publicly available. That was the starting point for the hackers.
  • The vendor targeted had very little security in place. The only malware defense they appeared to have used to protect their business was free software meant for personal and not business use.
  • The vendor’s employees had received little if any security awareness training, and especially on how to spot a phishing email. So the hackers used a phishing email to trick at least one of those employees into letting them in the back door.
  • Once in the vendor’s systems, the hackers were able to use stolen passwords without the need for authentication because Target did not require two-factor authentication for low-level vendors.
  • The hackers are suspected of gaining further access from the vendor by using a default password in the billing software the vendor used. If the default password had been changed, the attack might have stopped right there.
  • There were few controls in place to limit access the vendor had on the Target network. Once the vendor had been compromised, Target’s entire networks were exposed.
  • When the hackers installed their Point of Sale malware on Target’s networks and began testing the malware, that activity was detected by Target’s security systems but the alarms were simply ignored.
  • When the hackers created an escape route and began moving the stolen data off Target’s networks, that activity triggered alarms too but once again, the alarms were ignored.
  • Some of the data was moved to a server in Russia, an obvious red flag for Target security which once again was missed.
  • The login credentials of the vendor were used throughout the attack, yet Target’s security system wasn’t able to detect that those credentials were being used to perform tasks they weren’t approved for.

We keep saying that every business large and small has important lessons to learn from Target. Don’t waste the opportunity. Double-check your own security and see if there are any obvious gaps you haven’t spotted but need to be sealed. Need help? Give SiteLock a call any time, 24/7/365, at 855.378.6200.

Google Author: Neal O’Farrell

Security at the Source: Static Application Security Testing

application security testingCybercrime is often little more than a battle of wits, and much of that battle is focused on the bad guys finding and exploiting vulnerabilities in an web application that the good guys missed. Poorly or hastily written code can leave weak points for hackers to exploit, often to great effect. While a developer’s goal is usually to create a great app, sometimes security takes a backseat to style and function. Even the best and most security-conscious developers can still miss things, which is why the option of being able to automate a 100% comprehensive review of every app on your website is invaluable.

The Devil is in the Details

The security landscape is littered with massive security exploits that were traced back to simple mistakes in coding. Even the recent massive Heartbleed exploit, which affected the security of almost the entire internet, was traced to a few mistakes years ago by one of the many volunteers who helped create the open source technology.

Even more troubling: it now appears that hackers were aware of and actively exploiting that mistake for nearly two years before security experts discovered it. And who knows how much damage and havoc they managed to cause.

That’s why protecting your code from exploits is so critical. Most websites are really just a collection of different apps and plugins developed by third parties, and the security of your website depends on how careful and skilled those third parties are.

Identifying Your Vulnerabilities

To tackle this problem and shut down yet another point of attack, SiteLock recently added something called TrueCode to its arsenal. TrueCode uses Static Application Security Testing, or SAST, to peer as deeply as possible into the source code of the applications you use on your website, and then map what it finds. Those results are then delivered to you in a simple report that outlines the severity of any findings and what you can do about them.

It’s a powerful and important way to see how your applications are currently working, what other applications they interact with, and what vulnerabilities they could be creating. And it can even identify critical vulnerabilities and mistakes before you even launch the app, denying hackers the opportunity to exploit it.

As SiteLock put it “TrueCode is like having a hacker proofread your code.” And that’s a fundamental pillar of all security. Most vulnerabilities are small, isolated, and hidden from the untrained eye. But when you have experts go through that code, line by line, from the perspective of a hacker, you have a much better chance of finding and fixing that tiny error that could blow a massive hole through your security. And your business.

And it’s not as if TrueCode has to interrupt your business or website to complete this detailed probe. TrueCode actually takes a copy of the application code and does all the testing in its own cloud-based lab. Exactly how security should be – an enabler and not a disrupter or inconvenience. Your customers and your website will never notice the difference, but they will definitely appreciate it.

There are many simple rules to security – it should always consist of multiple layers, it should never stand still, and we should always try to look at website security from the perspective of the hackers. TrueCode hits on all counts. Contact SiteLock today and learn how to integrate TrueCode into your web development workflow.

Update: SiteLock has been recognized by Gartner as part of its magic quadrant for Application Secuirty Testing. Get the full report and learn what makes TrueCode so noteworthy.

Google Author: Neal O’Farrell

Five Dos and Six Don’ts for Responding to a Data Breach

data breachWe hope that your business is never victim of a security or data breach. But, with some studies suggesting [updated for 2017] that not only are data breaches increasingly common, but increasingly expensive as well, it’s important to prepare. And part of that preparation includes knowing what to say — and what not to say.

Here are some Dos and Don’ts that might help guide your response:

Read More

Data Privacy and the Cybercrime Economy

data-privacySpeaking in a recent interview on CBS’ 60 Minutes, Tim Sparapani, a former privacy lawyer for the American Civil Liberties Union, commented “Most retailers are finding out that they have a secondary source of income, which is that the data about their customers is probably just about as valuable, maybe even more so, than the actual product or service that they’re selling to the individual.”

It was a chilling admission that the world has changed in ways most of us never expected, and that there may be more value in private data about people than in selling goods and services to those people. Or stealing from them.

Read More

11 Things You Should Know About the Heartbleed Bug

heartbleed bugIt won’t actually make your heart bleed and you can’t catch it. But it has caused a lot of heartburn since it was announced and probably caused lots of websites to bleed valuable data. Here is a list of eleven things you should know about the Heartbleed bug.

  1. It’s an exploit in OpenSSL, a type of security that protects a user’s communications with a website (the s in https) and around half a million secure web servers may have been affected.
  2. “Open” means it’s open source and free for anyone to use. It also means all the code is freely available and has been since Open SSL was first introduced more than 15 years ago.
  3. It’s a very big deal. According to Bloomberg “Heartbleed appears to be one of the biggest flaws in the Internet’s history, affecting the basic security of as many as two-thirds of the world’s websites.”
  4. It was discovered just recently by a security firm. But it’s apparently been known to the criminal community for a couple of years, and they may have been quietly exploiting it all that time.
  5. Heartbleed is not actually a virus or malware or a hack but simply a mistake in software coding made, probably innocently, by one of the many contributors to the Open SSL project.
  6. It can steal user passwords and credit card numbers – things that are most often protected by SSL.
  7. Some of the biggest sites on the web have been affected, from Gmail and Yahoo, to Facebook, Instagram, Pinterest, Google, Amazon, Netflix, and YouTube. However, it’s unlikely your bank’s website has been affected because few banks actually use Open SSL.
  8. A number of news outlets say that criminal weren’t the only ones who knew about Heartbleed and were quietly exploiting it. Some are accusing the NSA of knowing about Heartbleed for nearly two years and using the flaw as a spying tool.
  9. If in doubt, change passwords for all your important websites, then change them again in a few weeks. Some websites are slow to fix the flaw, so it might be safer to change passwords more than once.
  10. If you want to check whether or not a website is still unpatched and vulnerable to Heartbleed, there are plenty of places to do so. Try https://filippo.io/Heartbleed/.
  11. If you host a website, make sure you apply the security update. You can get more information at http://www.openssl.org/.

To help keep your website protected, all SiteLock plans SecureSpeed and higher include daily vulnerability scanning that detect Heartbleed and similar issues. To learn more call 855-378-6200.

Was 2013’s Target Security Breach Really Just The Work Of A Teenager?

grounded_for_lifeWhat’s worse than being recognized as the biggest data breach in history? How about finding out that the culprit responsible for a major hit on your brand and reputation that will eventually cost you billions of dollars was a teenager?

That’s exactly the news Target is dealing with, as security researchers suggest that at least one of the hackers behind the malware used to attack Target is barely 17 years old. Yet this teen was apparently able to develop a pretty sophisticated piece of malware, known as BlackPoS, that was used to infiltrate Target’s systems undetected. And in spite of his young age he’s reported to have already earned a reputation for developing lots of advanced malware. It’s not believed that the teenager is personally responsible for the attacks on Target, but instead sold his malware to dozens and possibly even hundreds of hackers and criminal groups. And one of those groups was behind the Target breach.

Read More

POS Malware Hits Target in Data Breach

Data breachIt’s been less than a month since mega retailer Target announced that a little more than 40 million customer debit and credit cards had been stolen by hackers. Not long after that, we saw the first of those cards being sold a few hundred thousand at a time, in a variety of underground hacker forums. Although not that underground, since I was able to register on the most notorious hacker sites and see for myself how easy it was to buy an identity.

Read More

Cybercrime Year in Review: 2013

cybercrimeOh, what a year it was for insecurity, and especially for the small business. It wasn’t as though we didn’t already know – that small businesses were firmly in the crosshairs of hackers. But early in the year Verizon put the final stamp on it. In its annual Data Breach Investigations Report, published at the beginning of 2013, Verizon revealed that businesses with fewer than 100 employees made up the single largest group of victims of data breaches. That conclusion was supported by other security studies around the same time that found small businesses suffered the most cyber attacks.

Perhaps the single biggest and most dangerous change in threats came in the world of malware delivery. For years, hackers and malware authors had used the same ways to deliver and spread their malware. Email and spam were by far the most popular. It was easy to buy hundreds of millions of email addresses, pack them with phishing messages, and attach a nasty malware payload.

And even if most users didn’t fall for the scam, even a small percentage of hundreds of millions was enough to make the attacks very lucrative for criminals. But as more users got the message, and began to grow more reluctant to open email attachments they weren’t expecting, many thought the malware industry was on its last legs. After all, how else could you get the goods to market?

So hackers had to choose a new way to deliver and spread malware. And they found it in small business websites. Every month, thousands of poorly protected websites are hijacked by hackers who use vulnerabilities in these sites to install malware. That malware is then spread to visitors to those websites, as well as attack other websites, and so continue the spread of malware.

And if you think that simply relying on antivirus software will get you through safely, there’s some more bad news. Some reports have suggested that today’s antivirus software can detect very few of the most dangerous types of malware – the stuff you really want to avoid. And the New York Times can testify to that. Early in 2013, Chinese hackers were easily able to breach the extensive defenses the Times had in place. Out of 45 different types of malware the Chinese used to attack the newspaper, the Times’ own security and virus protection detected only one.

But Chinese hackers weren’t just targeting big businesses like the New York Times. In September, the Huffington Post reported that Chinese hackers were actively targeting small businesses in the U.S., from pizza restaurants to medical clinics.

According to the Huffington Post, “The hackers find computer systems to take over by using tools that scan the web for Internet-connected PCs with software vulnerabilities they can exploit. Small businesses are popular targets because they often have lax security.”

And the year didn’t end too well either. When security researchers discovered more than 2 million stolen passwords on a hacker server in December, a piece of malware called a keylogger was suspected. That very same week, other security researchers found that out of 44 popular antivirus products tested, only one was able to detect a keylogger.

Which probably explains why an estimated $5 billion was siphoned from U.S. bank accounts in 2012 by cybercrooks using malware like keyloggers. And if any of those were business accounts, the business owners were probably on the hook for all the losses.

So safe to say (no pun intended) that 2013 was not a good year for business security, and especially for small business security. And we don’t predict much improvement over the next twelve months. It’s now clear that small businesses are the favorite target for the worst kinds of hackers. Whether it’s to steal your personal and customer information, break into your bank account, or use your website to host a variety of very dangerous malware, your small business may be getting all the wrong attention from all the wrong visitors.

So let’s make 2014 the year you take back your security and peace of mind. Security isn’t hard, no matter how sophisticated hackers and their tools have become. There are plenty of ways you can protect your business and your website, and make it just hard enough for hackers to decide that you’re just not worth the effort and that they should move on to small businesses that are doing little about security. It’s like locking your car and closing the windows while being parked next to a convertible with the top down. The easy target gets attacked first, and you’re at least lower on the radar by showing your security awareness.

If you make just one security choice this year, make it your website. Securing your website is simple and affordable, and yet it’s the single best way to protect your business, your customers, and any visitors to your site. And you’ll also help slow the spread of malware to other users and sites, which is one in the eye for the bad guys.

And remember that as a SiteLock customer you get more than prevention. SiteLock will work with you to address any website security issues that crop up, including malware removal, if any is detected on your site. And as always, our security advice – the best in the business – is always free, and we are here around the clock whenever you need support.

If you’re a frequent reader of this blog, then you’ll know that our expertise and advice goes far beyond just protecting your website. All good security has to be holistic, which is why we offer no-nonsense advice on a variety of security topics that can impact your business, from security policies and planning, to employee education, malware prevention, data privacy and security, and much more.

Our goal for 2014 is to be the best security partner for online businesses. We hope that, even if SiteLock is not your chosen security provider, website security is on your list of goals for 2014 as well. To get started on meeting this goal call SiteLock at 855.378.6200.

Google Author: Neal O’Farrell

SiteLock Website Security

SiteLock’s Rendition of the The Twelve Days of Christmas [Video]

At SiteLock, we see the biggest shopping season of the year as one of the biggest risk seasons too — at least for online threats. Let’s face it – most of us shop (and many of us sell) online to avoid the long lines and hustle of the crowds, and to make it easy for our customers.

In sticking with the theme of online shopping (and keeping your business and customers safe while doing so), being protected from hackers, and even hearing the website’s story in its letter to Santa practically begging for some attention, we are introducing a fun and informative video about some very real risks that website owners face, and what they mean for their online business. At a time when they can least afford to be exposed.

The content in this custom rendition of “The Twelve Days of Christmas” video is created entirely for educational purposes, taking the approach that even in risky times, awareness is the best form of prevention. A little fun never hurt (so we use that too), but what you don’t know can hurt you, so please be safe!

Enjoy the video! And caring is sharing – so tell your friends!

12days

 

 

 

 

To protect your website this holiday season, call our SiteLock security experts at 855-378-6200 and ask for a free risk assessment.

Happy Cybercrime Monday!

cybercrimeHappy Cyber Monday! If your website has survived the Thanksgiving rush, let’s hope it doesn’t suffer from a post-Thanksgiving malware hangover. Because in the usual run up to Christmas, the only people busier than elves are hackers. And their favorite tool this year appears to be malware. What’s a website to do without trusted malware removal?

We took a look at many of the top security stories to hit the headlines in just the last couple of weeks, and it’s not surprising that most of them were about malware.

Security firm Symantec says that hackers have recently been very successful in delivering a nasty gift of malware to unsuspecting users by blasting out emails pretending to be antivirus software updates. What makes the emails so convincing, according to Symantec, is that they look very authentic and incorporate logos from most of the popular antivirus products – probably even those that you use. Because most users are likely to be familiar with the brands and use at least one of them, it makes the email appear more personal and genuine. And therefore more likely to be opened. And clicked – which is what causes the most damage.

Security firm Trusteer also announced that it discovered some of the most advanced financial malware yet, malware that not only has more features than any previous malware, but also creates a private and secure communications channel back to the hackers behind it. According to Trusteer, the malware can steal information entered into web forms as well as steal log-in credentials from dozens of the most popular FTP clients.

And this is especially dangerous to small businesses in the U.S. If this malware is able to steal the login and password for your business bank account, it will very quickly empty that account. And small business accounts are not protected by zero liability. So if the thieves steal every last dime you have in the bank account, you’re out of luck. And maybe even out of business.

To add to the misery, Trend Micro also reported that it discovered more than 200,000 different types of malware targeted at online banking in just the third quarter of this year, with at least 25% of them targeted at U.S. banks.

One of the most dangerous pieces of malware in circulation right now is Cryptolocker. This is ransomware. Once it infects your computer, it will encrypt or lock your files and then demand a ransom to unlock them so you can use them again. The ransom can vary, from $300 to more than $3,000. And even if you pay the ransom, chances are you still won’t get your data back. And thousands of users have fallen victim. Even one police department admitted that Cryptolocker had managed to kidnap their data.

And not to be left out, researchers have discovered that even the NSA has turned to malware to do their job, infecting at least 50,000 with a botnet that will allow them to spy on those computers.

To add website malware scanning and defense to your holiday to-do list call SiteLock at 855.378.6200.

Page 7 of 9

Powered by WordPress & Theme by Anders Norén