Remember Heartbleed, that age-old bug that only surfaced last year and left more than half of all internet servers around the world exposed? Looks like we might have yet another Heartbleed on our hands. This one has been codenamed Shellshock. Experts are already saying the Shellshock exploit could impact millions of Unix systems that operate on Linux or Mac iOS, and may even threaten consumer devices including home routers.
When Did The Need for DDoS Protection Begin?
It’s been a while since the world first started hearing about Denial of Service attacks. It was February 2000, and in the space of just one week, major websites like Yahoo!, eBay, CNN, E-Trade, and Amazon were experiencing inexplicable outages that lasted for more than an hour in some cases. And those outages were costing them millions of dollars in lost revenues.
A little investigating, combined with loose lips on the part of the offender, eventually pointed law enforcement to a 15-year-old Canadian high school student going by the handle MafiaBoy.
If you think for some crazy reason your business is too small, too obscure, or simply just too uninteresting to be of any value to a busy hacker, be prepared for a rude awakening. The one thing all of the recent major data breaches had in common is that all the businesses involved were probably PCI compliant. And it was still no guarantee.
There has been a seemingly endless parade of massive data breaches in just the last few weeks, including UPS, Dairy Queen, Community Health, Apple’s iCloud, the 1,000 businesses the FBI said were just hacked, and, oh yes, the suspicion that Home Depot just suffered a data breach even bigger than Target’s.
As yet another series of data breaches unfolds, there’s been more focus on PCI compliance than ever before. And for good reason. Apparently the PCI Standards Council, the body that oversees PCI, thinks that too many companies are failing in their obligations.
In just the last two weeks we’ve seen major data breaches announced at firms like JP Morgan Chase, Community Health Systems (4.5 million Social Security Numbers exposed), UPS, Dairy Queen, and more than 1,000 retailers.
Going on vacation or traveling for business? One thing you can’t forget to take with you is vigilance. Hacking is a global enterprise and there are all kinds of traps and tricks just lying in wait for busy travelers.
Here are some simple tips that could improve your cybersecurity while traveling and help you avoid putting your foot in one of those traps.
Identity theft is the fastest growing crime in the history of America, and businesses are not immune. There were more than 16 million victims of identity theft in the U.S. just last year, which works out to more than one new victim every three seconds. To put that in perspective, that means there were more victims of identity theft last year than there were reported murders, attempted murders, burglaries, attempted burglaries, arsons, vehicle thefts, purse snatchings, pickpocketings, shoplifting, and check fraud combined. With so many crimes and criminals in circulation, don’t make the mistake of assuming that it will never come creeping into your business.
“There are two types of companies: those that know they’ve been breached, and those that haven’t figured it out yet.” Those were the words of a highly successful venture capitalist behind some of the most successful cybersecurity companies. And while the chances of being a victim of a security breach are very high, it’s not a foregone conclusion. There are steps every business should take in order to avoid falling victim, or at the very least limit the damage.
It’s not often we get a chance to attend a security breach postmortem — a step-by-step, hack-by-hack, mistake-by-mistake account of what went so horribly wrong. The U.S. Commerce Department recently presented their report into all the mistakes Target made, and which could have been avoided, in its recent massive data breach.
The report provides what’s referred to as an “intrusion kill chain” that highlights all the places Target had a chance to spot the breach and stop it, but missed. For example:
- The hackers were able to identify a potential Target vendor or supplier to exploit because Target made such a list publicly available. That was the starting point for the hackers.
- The vendor targeted had very little security in place. The only malware defense they appeared to have used to protect their business was free software meant for personal and not business use.
- The vendor’s employees had received little if any security awareness training, and especially on how to spot a phishing email. So the hackers used a phishing email to trick at least one of those employees into letting them in the back door.
- Once in the vendor’s systems, the hackers were able to use stolen passwords without the need for authentication because Target did not require two-factor authentication for low-level vendors.
- The hackers are suspected of gaining further access from the vendor by using a default password in the billing software the vendor used. If the default password had been changed, the attack might have stopped right there.
- There were few controls in place to limit the access the vendor had on the Target network. Once the vendor had been compromised, Target’s entire networks were exposed.
- When the hackers installed their Point of Sale malware on Target’s networks and began testing the malware, that activity was detected by Target’s security systems but the alarms were simply ignored.
- When the hackers created an escape route and began moving the stolen data off Target’s networks, that activity triggered alarms too but once again, the alarms were ignored.
- Some of the data was moved to a server in Russia, an obvious red flag for Target security which once again was missed.
- The login credentials of the vendor were used throughout the attack, yet Target’s security system wasn’t able to detect that those credentials were being used to perform tasks they weren’t approved for.
We keep saying that every business large and small has important lessons to learn from Target. Don’t waste the opportunity. Double-check your own security and see if there are any obvious gaps you haven’t spotted but need to be sealed. Need help? Give SiteLock a call any time, 24/7/365, at 855.378.6200.
Cybercrime is often little more than a battle of wits, and much of that battle is focused on the bad guys finding and exploiting vulnerabilities in a web application that the good guys missed. Poorly or hastily written code can leave weak points for hackers to exploit, often to great effect. While a developer’s goal is usually to create a great app, sometimes security takes a backseat to style and function. Even the best and most security-conscious developers can still miss things, which is why the option of being able to automate a 100% comprehensive review of every app on your website is invaluable.
The Devil is in the Details
The security landscape is littered with massive security exploits that were traced back to simple mistakes in coding. Even the recent massive Heartbleed exploit, which affected the security of almost the entire internet, was traced to a few mistakes years ago by one of the many volunteers who helped create the open source technology.
Even more troubling: it now appears that hackers were aware of and actively exploiting that mistake for nearly two years before security experts discovered it. And who knows how much damage and havoc they managed to cause.
That’s why protecting your code from exploits is so critical. Most websites are really just a collection of different apps and plugins developed by third parties, and the security of your website depends on how careful and skilled those third parties are.
Identifying Your Vulnerabilities
To tackle this problem and shut down yet another point of attack, SiteLock recently added something called TrueCode to its arsenal. TrueCode uses Static Application Security Testing, or SAST, to peer as deeply as possible into the source code of the applications you use on your website, and then map what it finds. Those results are then delivered to you in a simple report that outlines the severity of any findings and what you can do about them.
It’s a powerful and important way to see how your applications are currently working, what other applications they interact with, and what vulnerabilities they could be creating. And it can even identify critical vulnerabilities and mistakes before you launch the app, denying hackers the opportunity to exploit it.
As SiteLock put it, “TrueCode is like having a hacker proofread your code.” And that’s a fundamental pillar of all security. Most vulnerabilities are small, isolated, and hidden from the untrained eye. But when you have experts go through that code, line by line, from the perspective of a hacker, you have a much better chance of finding and fixing that tiny error that could blow a massive hole through your security. And your business.
And it’s not as if TrueCode has to interrupt your business or website to complete this detailed probe. TrueCode actually takes a copy of the application code and does all the testing in its own cloud-based lab. Exactly how security should be – an enabler and not a disrupter or inconvenience. Your customers and your website will never notice the difference, but they will definitely appreciate it.
There are many simple rules to security – it should always consist of multiple layers, it should never stand still, and we should always try to look at website security from the perspective of the hackers. TrueCode hits on all counts. Contact SiteLock today and learn how to integrate TrueCode into your web development workflow.
Update: SiteLock has been recognized by Gartner as part of its Magic Quadrant for Application Security Testing. Get the full report and learn what makes TrueCode so noteworthy.
We hope that your business is never victim of a security or data breach. But, with some studies suggesting [updated for 2017] that not only are data breaches increasingly common, but increasingly expensive as well, it’s important to prepare. And part of that preparation includes knowing what to say — and what not to say.
Here are some Dos and Don’ts that might help guide your response: