Monthly archives for September, 2017

New Verizon leak exposed confidential data on internal systems

Dozens of documents reveal detailed maps and configurations of internal Verizon servers.

Security researchers have found yet another data exposure at Verizon.

Confidential and sensitive documents, including server logs and several instances of credentials for internal systems, were found by security researchers at the Kromtech Security Research Center in an unprotected Amazon S3 storage bucket controlled by a Verizon Wireless customer.
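The bucket in this story was readable because of how it was configured, not because of a software flaw. The following is an added example, not code from the article, from Kromtech or from Verizon, of the offline check a bucket owner can run on the two settings that make an S3 bucket public: the bucket ACL and the bucket policy. It takes both in the JSON shapes the S3 API returns (the two public-group URIs are real AWS identifiers); the sample ACLs, policies and bucket names are constructed for illustration.

```python
import json

# The two grantee groups that make an ACL grant "public" (real AWS group URIs).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """Return (permission, audience) for every ACL grant made to a public group.

    `acl` has the shape of a GetBucketAcl response: {"Owner": ..., "Grants": [...]}.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            findings.append((grant.get("Permission"), PUBLIC_GROUPS[uri]))
    return findings


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (the "*" may sit inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy):
    """Return (sid, actions, conditioned) for Allow statements whose principal is everyone.

    `conditioned` is True when the statement carries a Condition block; a condition such as
    aws:SourceIp may narrow the grant, so those statements need a human look rather than
    an automatic verdict.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid") or f"Statement[{index}]"
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        findings.append((sid, actions, bool(stmt.get("Condition"))))
    return findings


def audit_bucket(name, acl, policy):
    """Combine the ACL and policy checks into one verdict for a bucket."""
    acl_hits = public_acl_grants(acl)
    policy_hits = public_policy_statements(policy)
    unconditional = [f for f in policy_hits if not f[2]]
    needs_review = [f for f in policy_hits if f[2]]
    return {
        "bucket": name,
        "public": bool(acl_hits or unconditional),
        "acl_grants": acl_hits,
        "policy_statements": unconditional,
        "needs_review": needs_review,
    }


# Constructed sample data (not from the Verizon incident): one exposed bucket, one locked down.
EXPOSED_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exposed-bucket/*"}]
}""")
LOCKED_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [EXPOSED_ACL["Grants"][0]]}
LOCKED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
                 "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": ["arn:aws:s3:::example-locked-bucket", "arn:aws:s3:::example-locked-bucket/*"],
                 "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]
}""")

if __name__ == "__main__":
    for args in (("example-exposed-bucket", EXPOSED_ACL, EXPOSED_POLICY),
                 ("example-locked-bucket", LOCKED_ACL, LOCKED_POLICY)):
        print(json.dumps(audit_bucket(*args), indent=2))
```

In practice you would feed it the output of `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` for every bucket in the account, and treat anything in `needs_review` as a statement to read by hand rather than something the script has cleared.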

The server contained several files, mostly scripts and server logs — some appeared to show usernames and passwords to internal systems.

Other folders contained internal Verizon documents, many of them marked “confidential and proprietary materials”, including detailed server and infrastructure maps, server IP addresses, global router hosts, and several scripts that could be used to gain elevated privileges within the system.
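Scripts and server logs with usernames and passwords in them are a common leak payload because nobody scans them before they are copied somewhere. As an added example, not code from the article, Kromtech or Verizon, here is a small scanner that flags a few high-signal credential shapes in text, skips obvious placeholders and redacts the hit in its report so the findings themselves can be logged safely. The patterns and the sample files are constructed for illustration and are not an exhaustive ruleset (the AWS key in the sample is Amazon's documented example key, not a live credential).

```python
import re

# (label, pattern) pairs; illustrative, not an exhaustive secret-detection ruleset.
# Capturing groups, where present, isolate the secret value so it can be redacted.
SECRET_PATTERNS = [
    ("password assignment",
     re.compile(r"(pass(?:word|wd)?|pwd)\s*[=:]\s*['\"]?([^\s'\"]+)", re.I)),
    ("credentials embedded in URL",
     re.compile(r"[a-z][a-z0-9+.-]*://([^\s:/@]+):([^\s/@]+)@", re.I)),
    ("AWS access key ID",
     re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private key block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
]

# Values that are placeholders rather than secrets; keeps the noise down.
PLACEHOLDERS = {"changeme", "xxx", "<password>", "${password}", "$password", "redacted", "******"}


def redact(line, secret):
    """Replace the sensitive substring with a fixed mask."""
    return line.replace(secret, "***") if secret else line


def scan_text(text, source="<input>"):
    """Scan `text` line by line; return one finding per (line, pattern) hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            # The last capturing group holds the secret value; patterns without
            # groups (key IDs, key headers) are sensitive as a whole.
            secret = match.group(match.lastindex) if match.lastindex else match.group(0)
            if secret.lower() in PLACEHOLDERS:
                continue
            findings.append({
                "source": source,
                "line": lineno,
                "type": label,
                "preview": redact(line, secret),
            })
    return findings


def scan_files(files):
    """`files` maps a path to its content; returns all findings across them."""
    results = []
    for path, content in files.items():
        results.extend(scan_text(content, source=path))
    return results


# Constructed sample files (not taken from the Verizon leak).
SAMPLE_FILES = {
    "deploy/restart_nodes.sh": "\n".join([
        "#!/bin/sh",
        "# restart middleware nodes",
        "DB_PASSWORD=changeme   # placeholder, should be ignored",
        "ADMIN_PASS=Sup3rS3cret!",
        "curl -s https://svcacct:Tr0ub4dor@inventory.example.internal/api/nodes",
    ]),
    "logs/app.log": "\n".join([
        "2017-09-20T10:15:01Z INFO  user=jdoe action=login result=ok",
        "2017-09-20T10:15:03Z DEBUG aws key loaded: AKIAIOSFODNN7EXAMPLE",
        "2017-09-20T10:15:04Z INFO  request completed in 31ms",
    ]),
    "keys/old_id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['source']}:{f['line']}: {f['type']}: {f['preview']}")
```

A scan like this belongs in the path that copies files off a host (a pre-commit hook, a CI step, or a wrapper around whatever syncs to the bucket), so that a hit blocks the upload rather than being discovered by a researcher afterwards.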

A portion of the files were shared with ZDNet for verification.

The files largely appear to refer to internal Verizon Wireless systems, known as Distributed Vision Services (DVS), a middleware system that’s used to deliver data from the back-end of the company to the front-end applications used by employees and staff in stores and at call centers, such as point-of-sale services and customer data portals.

According to one of the slide decks, DVS volume averages more than one billion transactions per day.

It’s not clear why the confidential documents were stored on a public server. The employee who ran the server, who we are not naming, told ZDNet on the phone Thursday that the files were “not confidential,” and said that Verizon was fully aware of the server’s existence.

Following a private disclosure, the server is no longer accessible.

Although no customer data was involved, the information would help an attacker map the layout of the company’s systems. It’s not known whether anyone beyond the security researchers accessed the bucket.

It’s another embarrassing incident for Verizon — the third known exposure in two years.

The first led to the theft of 1.5 million records at Verizon Enterprise Solutions. The second was found just a few weeks ago as a result of a similar Amazon server misconfiguration. As many as 14 million subscribers were affected, a figure Verizon disputes, though it has offered no evidence to the contrary.

A Verizon spokesperson said the company’s security team is “aware,” but had no details to share at the time of publication.


Enterprise IT security planning: Five ways to build a better strategy

Struggling to get the boss to take security seriously? Here are some pointers that can help the board get on-board.

The buzzwords recommended for building a successful digital business, such as flexibility, agility and openness, don’t always sit comfortably with more sober requirements such as those of a corporate security policy.

So, how can IT leaders create an approach to information security that is fit for the modern business? ZDNet speaks to five experts about the key issues CIOs face.

1. Make cybersecurity your number one priority

More than a third (36 per cent) of IT leaders say information security is their top concern for 2017, according to research by The Society for Information Management. It is a sentiment that chimes with Juan Perez, CIO at logistics specialist UPS.

“It’s top of mind for every CIO, and certainly me, and it’s an area that requires constant work,” he says. “IT leaders know it’s a priority that isn’t going to reduce. And it’s a priority that we do not take lightly.”

Perez joined UPS as an intern in 1990, working his way up through the business to become CIO in March 2016. He was given additional responsibility for engineering at UPS in April and manages the company’s $1.1bn annual IT budget. Information security is a key spending area for UPS.

“We continue to make investments and, ultimately, it’s an area where we will work to build our defences, support our employees and protect our customers’ data. IT leaders need to continue to push hard to ensure information security is paramount across their organisations,” he says.

2. Understand the importance of making a commitment

Jonathan Mitchell, non-executive director at recruitment firm Harvey Nash and former CIO at Rolls Royce, says cybersecurity concerns continue to increase. He points to research from Harvey Nash’s annual CIO survey, produced with KPMG, which suggests cybersecurity vulnerability is at an all-time high.

A third of IT leaders (32 percent) say their organisation has been subject to a major cyber-attack in the past 24 months, a 45 percent increase from 2013. “People are feeling worse year-on-year,” says Mitchell, referring to the results, which suggest the top three sectors for attacks are government, utilities and leisure.

“CIOs must take a much tighter grip of information security management,” he says. “Keeping up to date with security is the cost of doing business.”

Mitchell says it is surprising more companies are not fully committed given the high levels of attack. The good news is that security is moving up the executive agenda. He says the top things CIOs talk about in boardrooms are IT strategies, major transformation initiatives and cyber security concerns.

“There’s a growing interest in security, but my belief is that many organisations are not aware of how fast they must move to keep their systems patched,” says Mitchell. “I also think many of the core operating systems that businesses use are not designed with the adversary in mind. Organisations often have to deal with a legacy of systems that are designed to be as open as possible.”

3. Embed a culture of risk management across the business

Lisa Heneghan, global head of KPMG’s CIO advisory practice, is also concerned by the research results. “The statistics are not moving in the right direction,” she says, referring to the apparent lack of preparedness for cyber security concerns at an executive level.

Harvey Nash and KPMG’s research highlights how only one in five (21 percent) CIOs believe their organisation is “very well” prepared to respond to attacks, down from 29 percent in 2014. The survey also highlights how the biggest jump in threats comes from insider attacks, increasing from 40 percent to 47 percent during the past 12 months.

“My work with clients suggests there’s an increased focus on how the business establishes better governance, risk and control. Organisations need to remember that IT is distributed across the business,” says Heneghan.

“Executives must ensure they embed the culture of risk management across the organisation. And, thankfully, CIOs and CISOs are becoming much more broadly engaged across business functions, rather than simply focusing on the IT department.”

4. Apply measures that are fit for the open world

Renaud de Barbuat, group CIO at retail giant Carrefour, recognises that the key mission for modern businesses is to deal with information security, not just system security. IT leaders, who might once have focused on security tools and techniques, must take a much broader approach in the digital age.

“This realisation means security concerns are increasingly important at board level,” says de Barbuat. “The CISO and CIO are key to educating executives, explaining the challenges and addressing those information security issues in a new, open world.”

What becomes apparent, says de Barbuat, is that the spectrum of potential security concerns is wide. He says IT leaders and their c-suite security counterparts must go beyond the traditional defendable perimeter approach to security and instead apply measures that are fit for this open world.

“Great CISOs act across the whole spectrum of information, both in terms of user behaviours and in the way information is handled. In retail, the information security stakes are high for customers and their data,” says de Barbuat, before raising the spectre of governance and the ever-increasing legislative burden.

“Businesses face increasing amounts of regulation, including the forthcoming General Data Protection Regulation. Retailers must address those rules and regulations satisfactorily, but they must also ensure they establish security around payments and fraud detection. Finally, innovation is important – and retailers must protect the intellectual capital of the business.”

5. Create a long-term strategy for system integrity

Brad Johnstone, head of ICT at Ayrshire College, appreciates the need to develop an organisation-wide approach to defence. He says information security is crucial to his educational establishment.

Johnstone and his team have implemented a virtual desktop solution, using Citrix XenDesktop, and have deployed IGEL thin client terminals. The virtual desktop solution means his team runs system updates across four basic images, rather than having to update 700 individual machines across the campus.

“We run a significant estate and we’re aware that you’re only as good as your last issue. Everything is encrypted – we make sure applications and data run in a secure virtual private network. Our approach means we can react very quickly to any alerts and to implement critical updates,” says Johnstone.

“We feel we’ve got a strategy in place to maintain our system integrity. Security must be at the core of what we do and we must ensure we don’t accidentally create a hole and give attackers an avenue into our IT environment.”


Equifax: 400,000 UK consumers could be affected by data breach

‘Process failure’ led to UK data being held in US, company said.

Equifax has provided more detail on its giant cybersecurity breach, confirming that data on around 400,000 UK consumers may have been accessed too.

Last week Equifax — one of the biggest credit rating agencies — revealed it had suffered a giant data breach. It said the details of as many as 143 million US consumers had been accessed by hackers, who exploited a flaw in the firm’s systems.

The data accessed included names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. The company also said that credit card numbers for around 209,000 US consumers, and documents with personal identifying information for approximately 182,000 US consumers, were also accessed.

At the time the company also said it had identified unauthorized access to limited personal information for certain UK and Canadian residents.

Now Equifax Ltd — the company’s UK arm — has said that while its systems were not affected and are “entirely separated” from those impacted by the Equifax Inc cybersecurity incident, data on around 400,000 UK consumers may have been accessed.

In a statement it said that a file containing UK consumer information “may potentially have been accessed”. The company said this was due to a “process failure”, which led to a limited amount of UK data being stored in the US between 2011 and 2016.

This data included customer names, dates of birth, email addresses and telephone numbers, but Equifax said it did not include any residential address information, password information or financial data.

Equifax said that due to the nature of the information it believes identity takeover is unlikely for UK consumers who potentially had their data accessed in this incident.

But it said it would be offering a free comprehensive identity protection service to affected consumers, which will allow individuals to monitor their personal data, including their credit information and be alerted to any potential signs of fraudulent activity.

Patricio Remon, President at Equifax Ltd. said: “We apologise for this failure to protect UK consumer data. Our immediate focus is to support those affected by this incident and to ensure we make all of the necessary improvements and investments to strengthen our security and processes going forward.”

The investigation is ongoing and Equifax Ltd said it is “in dialogue” with the Financial Conduct Authority and Information Commissioner’s Office.


Massive Equifax data breach exposes as many as 143 million customers

The credit rating firm said hackers exploited a bug on the company’s website.

Equifax, one of the largest credit rating and reporting firms in the US, has become the latest company to reveal a data breach.

The incident was discovered on July 29, according to a company statement released after market close on Thursday.

The Atlanta, Georgia-headquartered company said that hackers exploited a vulnerability on its website between mid-May and July to access certain files.

The data includes names, social security numbers, birth dates, home addresses, and in some cases, driving license information.

It’s thought to be the largest data breach reported so far this year.

As many as 143 million Americans are affected, the company said, representing about half of the US population.

The company said that 209,000 credit card numbers, and documents containing personally identifiable information on 182,000 consumers, were also accessed by the hackers.

Some UK and Canadian residents are also affected, the statement confirmed.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Richard Smith, Equifax chief executive.

A website has been set up to help consumers determine if they are affected.

At the time of writing, the company’s shares were already down more than 6 percent in after-hours trading.


Crackas With Attitude gov’t data leaker sent behind bars

The 25-year-old has been charged with leaking information belonging to thousands of FBI agents.

A member of the “Crackas with Attitude” hacking group has been sentenced to five years in prison.

On Friday, the US Department of Justice (DoJ) said Justin Liverman, otherwise known as “D3F4ULT,” pleaded guilty to being a member of the group, as well as conducting unauthorized computer intrusions, identity theft, and telephone harassment.

As part of a plea agreement, the Morehead City, North Carolina resident admitted he was part of a scheme resulting in the leak of data belonging to roughly 31,000 FBI and DoJ agents.

Crackas with Attitude has also been linked to the compromise of CIA Director John Brennan’s AOL email account, which he used to handle government intelligence — albeit very unwisely — as well as infiltrating the personal email accounts of the former US Director of National Intelligence James Clapper and his wife.

Prosecutors say the group’s actions have caused more than $1.5 million in losses.

Liverman was involved in these attacks, but also went a step further and sent threatening text messages to victim cellphones. In addition, he paid a “phonebombing” service to flood victim cellphones with threats.

According to US law enforcement, the 25-year-old man was charged with conspiring with others to gain unauthorized access to government computer systems, as well as online accounts belonging to government officials.

In addition to the prison sentence, Liverman must also pay $145,000 in restitution.

According to The Mercury News, during sentencing on Friday in Alexandria, Virginia, Judge Gerald Bruce Lee rejected the characterisation of the group’s actions as “pranks,” saying “this computer hacking, Crackas With Attitude, caused chaos. Your intent was clear, and that was to wreak havoc.”

Liverman is not the only member of the group who must serve time behind bars. In June, another member, Otto Boggs, was sentenced to two years in prison.

In February, UK law enforcement arrested the alleged leader of the group, a 17-year-old British male who went by the nickname “Cracka”. The teenager is on bail and, when speaking to the media, claimed the UK and US agents were trying to “ruin his life” and that he is innocent of all charges.

In related news, two Russian hackers were sentenced last week to three years in a penal colony after a court found them guilty of being members of Shaltai-Boltai, stealing information belonging to Russian officials, and compromising their social media accounts.


SEC admits data breach, suggests illicit trading was key

The commission says that “illicit gain through trading” may have been the key motivator.

The US Securities and Exchange Commission has admitted to being hacked in 2016, with illegal trading potentially at the root of the breach.

On Wednesday, SEC Chairman Jay Clayton said one of the financial regulator’s databases, containing corporate announcements, was compromised and may have been used to gain an advantage in stock trading.

By targeting this system specifically, the threat actors may have obtained market-moving, non-public information, such as company financial statements or merger announcements, that could then be traded on before it was released.

In a statement, the SEC said the Edgar filing system breach took place in 2016, but it is not yet known which companies may have been affected, or how much the hacker profited.

Edgar processes roughly 1.7 million electronic filings per year.

The hacker was able to take advantage of a “software vulnerability in the test filing component” of Edgar, which “resulted in access to nonpublic information.”

Once discovered, the problem was immediately patched, and an investigation has now begun into the data breach.

Clayton said the review of the incident is ongoing with help from “appropriate authorities,” but so far there is no indication that the intrusion went any further and compromised other SEC systems.

“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Clayton said. “We must be vigilant. We also must recognize — in both the public and private sectors, including the SEC — that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”

The breach was discovered as part of an audit ordered by the chairman. It was also discovered that staff have used private, unsecured email accounts to transfer confidential information.

The SEC’s disclosure comes only two weeks after Equifax disclosed a severe data breach in which private and sensitive data belonging to 143 million US consumers, as well as roughly 400,000 UK customers, was compromised.

For US consumers, names, Social Security numbers, dates of birth and home addresses were exposed and may have been stolen; Equifax says the leaked UK data included only customer names, dates of birth, email addresses and telephone numbers.

Equifax has since blamed an Apache Struts security hole for the incident. While it is possible that a zero-day bug was responsible, a missed patch or slow updating appears more likely.


Cybersecurity specialisation status up for grabs with new ACS accreditation program

Individuals can now obtain two new cybersecurity-focused certifications from the Australian Computer Society.

The Australian Computer Society (ACS) — the association for the country’s IT sector — has launched a new cybersecurity accreditation program, allowing specialists in the security field to obtain two new certifications.

The new accreditations are an extension to the ACS Certified Professional and Certified Technologist schemes, and will see cybersecurity experts in Australia able to achieve Certified Professional (Cyber Security) and Certified Technologist (Cyber Security) accreditation.

The cybersecurity specialisation status will require applicants to demonstrate in-depth capability in a range of areas identified in the globally recognised Skills Framework for the Information Age (SFIA), ACS president Anthony Wong explained.

“A key element of cybersecurity is trust. We trust business and government to protect our private and personal data. Establishing a professional certification where applicants must commit to a code of ethics, code of professional practice, and undertake continuing professional development helps provide a level of certainty and trustworthiness,” Wong said, speaking at the ACS Cybersecurity event in Canberra on Wednesday.

The ACS expects the two new certifications to give employers assurance that the cybersecurity professionals they hire have the right skills for the role.

“By employing professionals with a [cybersecurity] certification, businesses and government are demonstrating to consumers that their cybersecurity professionals have undergone a rigorous assessment process, demonstrated a commitment to the highest principles, and are well placed to lift the cyber resilience of their organisation,” Wong said.

Existing Certified Professionals and Certified Technologists are able to apply to have their certification upgraded through the ACS.

According to Australia’s Special Adviser to the Prime Minister on Cyber Security Alastair MacGibbon, the accreditation program from the ACS will help remove the current seagull-like approach to hiring cybersecurity professionals, where government, the enterprise, and big business are all “fighting over the same chip”.

Addressing the ACS in Sydney on Tuesday, MacGibbon said it makes sense that as Australia grows its cybersecurity skills and capabilities, it has the right people involved.

“It’s widely recognised that there’s a skills deficit in ICT broadly, but particularly when it comes to cybersecurity,” he said, noting that the country is missing the point if the focus is solely on tertiary institutions.

“We also need to focus on vocational training, and indeed those that are self-taught.”

He said Australia needs to create avenues for self-taught individuals to “come to the side of goodness and light” to actually protect the communities they operate in.

“Which is why initiatives like this one are so important for us, because it tries to make sense of the skills that we have and help to standardise those somewhat,” he explained.

“A casual observer would say that there has been an awful lot of conflict, an awful lot of overlap, and often some confusion as to what certifications are best to have.

“Until we actually have the supply right of staff, the supply right of skilled people, we’re always seagulls fighting after the same chip that government will sit there and say that it will grow some skills, the private sector might come and offer more money and steal the chip from us, big business will fight over that same person next, and we have this game of inflationary wages — good for the individual, but bad for business generally — and of course we have the deficit, we just don’t have enough people to be doing the work that’s there.”

Speaking with ZDNet earlier this year, MacGibbon said he wants the understanding of cybersecurity to be a life skill children of today grow up with, which means taking the conversation to primary school classrooms.

While PhD, university, and even high school students should still be gaining powerful knowledge on the threat landscape, MacGibbon would argue that this kind of structure isn’t enough to ensure the success of Australia when it comes to cybersecurity.

“For me, being a successful person in my generation was being able to read and write and do basic maths,” he told ZDNet. “What is going to get our kids to be successful in this world is the concept of computation, coding, and communication.

“If we’re going to win when it comes to protecting the Australian way of life, in terms of cybersecurity, then it indeed starts in primary schools.”

He also wants those in IT to look at furthering their skills in the cybersecurity sector.


You deserve what you tolerate: Why companies must enforce security standards

Companies that fail to enforce security policies must be prepared to handle the consequences.

After reading through some security blogs and strategy papers, I saw what appeared to be an underlying theme across the narratives I’d read: Security tolerates failure.

It’s understandable that it happens, but I think if we are honest with ourselves, it happens because of a collective acceptance that close enough is good enough. It can be easy for any of us to offload responsibility when so many things aren’t in our control, and we can feel powerless because of it. In almost every instance I read about, I saw leadership and technical security folks pointing fingers at all kinds of issues, but I hardly ever read about any of them taking ownership — or even acknowledging that security earned this failure. The bad things did not happen through osmosis; no evil hacker just magically jumped into the network. Failures occurred because of a series of bad decisions, poor strategy, and a lack of enforcement of well-known security practices.

Let’s think about this for a second: You deserve what you tolerate. What does that message mean in the context of cybersecurity and security operations?

If companies collectively turn a blind eye to lackluster security policies and don’t bother to enforce the standards that were put in place solely to defend their networks, these organizations deserve the bad things that will inevitably occur because of those decisions. If companies do not wish to enforce a user policy because users gripe about it, again, they deserve the work and stress that comes with the imminent breach headed their way. If companies tolerate vendors selling them technology that ships with default hard-coded back doors and gives them no way to technically control or patch the device, it can’t be surprising when it becomes an IoT threat to their network and to every other network it can reach.

Here is the first half of the hard part, accepting that the failure comes from what we tolerated. This takes accountability and willpower:

Tolerating overhyped technology means we won’t get what we deserve (or what we paid for).
If we don’t enforce our policies, we let down our users, our leadership, and shareholders.
If we don’t align our strategy with the business, we can’t be surprised when we aren’t involved in decisions and our initiatives are sidelined.
If we want to stop failing, we have to stop tolerating anything less than victory, and there is only one way to do that: raise the level of expectations.

Here is the hard part — organizations still have to actually do it. There is no AI that will help here:

If companies have a user policy that says “we monitor your activities and we are watching what you do on our network,” they must enforce it.
Don’t accept smart devices into networks without having a plan in place to track and patch that item.
Make the C-Level team realize that security is not just a part of the business: It’s critical to its success in today’s world. Don’t take a back seat.
Analyze and understand the nuances, technical needs, and implications of any technology your team is considering using. Don’t just move forward with a POC and think it’s all going to work out (it won’t).
That goes for the good and the bad. Whether the results lean more toward the positive or the negative is up to us, and to how much failure we are willing to stomach before we flip the script and move decisively away from tolerance.

