Despite tight security, companies not safe from hacks

With data breaches reported every day, companies are on a treadmill to stay ahead of hackers, yet they are still not completely safe.

Last year, private sector companies globally spent more than $75 billion on security software to safeguard their systems and data, and that figure is expected to grow by 7% annually. The percentage does not include amounts spent on fraud prevention by banks, which is expected to reach into the billions annually.

But even when companies aren’t compromising on security to save money, customer data isn’t completely safe. Data breaches have soared in the last two years, and ransomware is one of the biggest emerging problems of the hacking world: hackers demand payment to return sensitive data they’ve stolen or locked up to its rightful owner. Hackers also have huge financial incentives to resell employee personal information or corporate secrets.

Hackers are getting smarter with every passing day. They have found ways around existing security software, especially signature-based antivirus (AV) software.

One reason data breaches are increasing is that companies aren’t deploying security analytics to detect suspicious events. The growth of cloud computing has also put sensitive enterprise data outside the more secure data center. Failing to properly monitor security software, or to set up sufficient protective cybersecurity policies, also ends in a breach.

“Companies are worse off by 100% compared to 10 years ago because the world is more complicated now,” said Gartner analyst Avivah Litan.

Meanwhile, Robert Westervelt of market research firm IDC seems more hopeful about the future of enterprise security, even though there are many difficulties.

“I don’t think enterprises have gotten worse at cybersecurity, but they are dealing with complexities that they didn’t have to deal with 10 years ago,” said Westervelt.

Security researchers more broadly are divided on the problem of rising company breaches.

A factor complicating the private sector's cybersecurity dilemma is that companies don’t want to talk publicly about having been hacked, for fear of losing customers or investors. Analysts believe there are far more hacks against enterprises than are being publicly reported. Companies that are performing better in terms of cybersecurity don’t publicize their achievements either, to avoid inviting attacks.

Some attacks are widely discussed, like the Sony Pictures hack in 2014 and the data breach of retailer Target in late 2013, where PoS malware stole credit and debit card information on more than 70 million customers.

Many other hacks of private sector companies are not detailed in public. A new survey by the Ponemon Institute, an independent research and education group, of 3,027 IT workers and end users at U.S. and European organizations found that 76% had been hit by the loss or theft of important data over the past two years, a sharp increase from 67% in a similar survey done in 2014. Of the 1,371 end users in the survey, 62% had access to company data that they probably shouldn’t see. IT workers in the survey said negligence by insiders was more than twice as likely to cause the compromise of insider accounts as other factors such as external attacks or actions by disgruntled workers or contractors.

The survey found that data loss and theft was largely due to compromised insider accounts, exacerbated by far wider employee and third-party access to information than is necessary. Companies continue to fail to monitor access activity around email and file systems, where most of the sensitive data lives.

The level of security varies by industry segment. Healthcare institutions, and hospitals in particular, mostly have poor monitoring. IDC said in a recent report that hospitals, universities and public utilities rank worst in their security capabilities and practices, mostly due to a lack of manpower and money.

There is some good news, however, on the front of thwarting cyberattacks from nations competing with the U.S. Analysts and companies such as Duke Energy and Verizon were encouraged recently when U.S. intelligence officials said they would soon share supply chain threat reports with critical U.S. industries in the telecommunications, energy and financial sectors.

Those threat reports will go beyond some of the conventional software means of tracking existing hacks into other companies and locations and hopefully will reveal information about human actors and their potential targets, Litan said.

Keeping up with the constantly changing cybersecurity landscape is a process the private sector will have to sustain to protect itself and its customers’ data. Even when companies don’t focus on security, basic technology must be put in place, because all of us live in a world where locks are necessary.

Cybersecurity industry shakes with NSA leak

After an unknown hacking group released hacking tools from the National Security Agency, the world's top tech companies are scrambling to patch their systems and software to protect themselves and their customers from attacks.

An unknown group of hackers, the Shadow Brokers, dumped data online last weekend and claimed to have stolen it from the Equation Group, a top-of-the-line APT believed to be associated with the NSA. The data dump affected products from firewall makers Cisco and Fortinet.

While the anonymous group’s origin is unknown, security experts have authenticated the cache of hacking tools, which appear to have been developed by the NSA for its more controversial activities: surveillance, spying and hacking. Computer security analysts who have studied the files are mostly convinced they came from the agency.

The Shadow Brokers said they had more such files, which they would sell to the highest bidder. So far, the Shadow Brokers have released about 300 megabytes of data comprising a total of over 50 attack tools that would let attackers bypass firewalls that organizations rely on to defend against external attacks.

A former NSA employee recognized details in the leaked files.

The revelation has once again raised the tension between the two sides of NSA's dual mission: breaking into computer networks overseas in search of useful intelligence about foreign governments and terrorists and helping protect America's networks against foreign spies and other hackers.

With the custom-made malware now available online, American corporations are relying on their cybersecurity defenses against digital attacks from criminals and spies.

Now, many cyber security experts are asking why the NSA would stockpile so many of these kinds of security vulnerabilities without telling the affected companies.

"The policy question we have to ask ourselves is what's an acceptable amount of time for the NSA to keep these exploits exclusively, before being legally compelled to disclose them," says Jeremiah Grossman, head of security strategy at cyber security firm SentinelOne.

The leak also raises questions about the nature of nation-state hacking, and how much spy agencies know about flaws in software that they aren't revealing to tech companies and the public.

Healthcare sector hard hit by Locky Ransomware

The healthcare sector in the United States, Japan, Korea and Thailand has been hard hit by a massive Locky ransomware campaign spotted this month.

Researchers at FireEye said the attackers used .DOCM attachments, which are macro-enabled Office 2007 Word documents.

According to researcher Ronghwa Chong, macro-based Locky ransomware is a new tactic for cybercriminals; Locky had previously been distributed via spam campaigns with the payload delivered through JavaScript attachments.

“These detection spikes and change in tactics suggest that the cybercriminals are investing more to infect systems and maximize their profits,” Chong wrote. “Additionally, we have observed that the delivery of Dridex via this distribution channel seems to have stopped, or nearly so, which could explain why we are seeing the Locky uptick.”

In June, researchers found a new version of the Locky ransomware being distributed via a resurgence of the Necurs botnet.

“Each email campaign has a specific ‘one-off’ campaign code that is used to download the Locky ransomware payload from the malicious malware server,” Chong noted.

Healthcare is not the only sector affected by Locky; the telecom, transportation and manufacturing industries have also been hit.

Hidden costs of cyberattack

Cyberattacks have many adverse effects on an organization, both physical and financial, and the impact varies with the nature and severity of the event.

CFO Insights recently released a report that lists seven costs which are not so apparent but are important in calculating the total cost of a cyberattack.

While common perceptions of financial loss in a cyberattack centre on the theft of personally identifiable information, payment data and personal health information, discussions in this report focus on customer notification, credit monitoring, and the possibility of legal judgments or regulatory penalties.

Below the surface costs

Cases of intellectual property (IP) theft, espionage, data destruction, attacks on core operations, or attempts to disable critical infrastructure have a more significant impact on organizations than they seem, and they often lead to additional costs which are more difficult to quantify and often hidden from public view.

A recent Deloitte study, “Beneath the surface of a cyberattack: A deeper look at business impacts,” identified 14 business impacts of a cyber incident as they play out over a five-year incident response process. The direct costs commonly associated with data breaches accounted for less than 5% of the total business impact.

1. Insurance premium increases

Insurance premium increases are the additional costs an insured entity might incur to purchase or renew cyber risk insurance policies following a cyber incident.

As little data was available on premium increases after a cyberattack, Deloitte conducted its own informal research among providers of cyber insurance and found that it was common for policyholders to face a 200% increase in premiums for the same coverage, and at times to be denied coverage until stringent conditions were met following a cyber incident.

The research found that future costs are strongly influenced by the policyholder’s willingness to provide information, and the depth of information provided, upon review of the incident; the policyholder’s plans to improve incident handling or other aspects of its security program; anticipated litigation; and assumptions concerning the company’s level of cybersecurity ‘maturity’.

2. Increased cost to raise debt

The cost of raising debt is directly tied to credit rating: when the credit rating drops, the cost of raising debt increases. The victim organization faces higher interest rates for borrowed capital, either when raising debt or when renegotiating existing debt. In the months after a cyber incident, organizations are perceived as higher-risk borrowers. Deloitte analysed the credit rating of nine public companies, observed an average Standard and Poor’s credit rating of ‘A’, and assessed these companies against companies that had recently suffered a cyber incident. The research concluded that a cyberattack downgraded the credit rating by one level.

3. Operational disruption or destruction

The impact of operational disruption or destruction includes losses tied to manipulation or alteration of normal business operations, and the costs of rebuilding operational capabilities: the need to repair equipment and facilities, build temporary infrastructure, divert resources from one part of the business to another, or increase current resources to support alternative business operations that replace the function of systems that have been temporarily shut down. It could also include losses associated with the inability to deliver goods or services.

4. Lost value of customer relationships

Loss of customers immediately after a breach affects an organization adversely. Economists and marketing teams track customer loss by attaching a “value” to each customer or member that quantifies how much the business must invest to acquire that customer or member. The customer or member is then analysed for the amount of revenue they will generate for the business over time. These numbers are evaluated per industry and organization to produce an estimate of the investment needed to attract and acquire new customers.

5. Value of lost contract revenue

The value of lost contract revenue includes revenue and ultimate income loss, as well as lost future opportunity associated with contracts that are terminated due to a cyber incident. Deloitte assessed the value of the contracts in its test cases both before and after the cyberattack. If the company were to lose contracts following a cyberattack, there would be a decrease in revenues; the present value of the cash flows that the company would have earned over the term of the contracts was then determined.

6. Devaluation of trade name

Devaluation of trade name is a cost category referring to the loss in value of the names, marks, or symbols an organization uses to distinguish its products and services. While a brand name is associated with the name of a specific company or a specific product, a trade name relates to an organization as a whole. To determine the financial impact on the value of the trade name, its likely value both before and after the cyber incident has to be assessed. To value the trade name, Deloitte employed the relief-from-royalty method. This method, commonly used to value IP assets, estimates the value by analyzing what another entity would have to pay to license the company’s trade name. The analysis involved establishing a reasonable “royalty fee” for similar types of IP and analysing profit margins across the industries to which the test cases belong.

7. Loss of intellectual property

Loss of IP is the cost associated with losing exclusive control over trade secrets, copyrights, investment plans, and other proprietary and confidential information, which can lead to loss of competitive advantage, loss of revenue, and lasting and potentially irreparable economic damage to the company. The value of IP is estimated by approximating how much another party would pay to license that IP.

Pokemon Go Ransomware attacks as Windows 10 app

Attackers have unleashed new ransomware to take advantage of those unable to download the widely popular mobile game Pokemon Go. Ransom_POGOTEAR.A was recently discovered by Trend Micro masquerading as a Pokemon GO application for Windows 10. It was originally spotted by Michael Gillespie, a security researcher who has identified and decrypted plenty of other locker programs.

The malware is an updated version of Hidden Tear, an open-source piece of ransomware released in August 2015 with the stated intention of educating people. The ransomware scans a victim’s drive and encrypts any file with a certain extension, as is usual for this class of malware.

The Hidden Tear ransomware isn’t new. In January 2015, Trend Micro discovered a hacked website in Paraguay that distributed ransomware detected as RANSOM_CRYPTEAR.B. The website had been compromised by a Brazilian hacker, and the ransomware was created using modified Hidden Tear code. Prior to this discovery, when the source code of Hidden Tear was made public for educational purposes, its creator was very specific about not using Hidden Tear as ransomware.

The ransomware is designed to create a ‘Hack3r’ backdoor account on the victim’s Windows machine. Once the user downloads and installs the ransomware, it creates a user account and adds it to the Administrators group. It then hides the account from the login screen by configuring a Windows registry key. Another feature creates a network share on the victim’s computer, and the malware attempts to spread itself via removable media. Once the executable is copied to a removable drive, it creates an autorun file so the ransomware runs each time someone accesses the drive. The executable is also copied to the root of other fixed drives. This way, the Pokemon GO ransomware will run when the victim logs into Windows.

The ransomware is currently targeting Arabic-speaking users, following the move by many Arab countries to ban or limit the game. It locks a user’s files and presents them with a Pikachu-themed ransom note. In addition, the screensaver executable is embedded with an image titled “Sans Titre”, which means ‘Untitled’ in French and may hint at the developer's origin.

The ransomware has a static AES encryption key of “123vivalalgerie”. Additionally, the command and control (C&C) server uses a private IP address, which means it cannot be reached over the Internet. This shows the ransomware is still under development. Once it is fully released, the purpose of the network share will become clear.

“While most ransomware infections encrypt the data, delete themselves, and then display a ransom note, leaving no traces; this ransomware’s developers only encrypt the files so that the victim pays the ransom. Unlike others, it creates a backdoor account in WINDOWS so that the developer can gain access to a victim's computer at a later date,” said Lawrence Abrams of Bleeping Computer, who analyzed the PokemonGo ransomware.

After appending ‘.locked’ to each encrypted file, a ransom message in Arabic is displayed on the screen instructing the user to contact ‘’ for the payment procedure.

The backdoor could allow a hacker to remotely connect to a victim’s computer at a later stage to perform other malicious tasks.

This isn't the first time researchers have run into fake copies of the popular smartphone virtual reality game.

At the time of Pokémon Go's release back in early July, researchers came across an APK that claimed to be a copy of the game available on a non-Google URL which turned out to be a malicious program that loaded the DroidJack remote access trojan (RAT) onto users' Android devices.

This is, however, the first documented case of ransomware that has taken on the hit smartphone game's identity.

To avoid ransomware, users are encouraged to regularly back up files and to keep an updated security solution. With the introduction of the game in new regions and the increasing craze around it, cybercriminals will find more ways to capitalize on it. Users should remain vigilant about threats that ride along on the popularity of such games.

UK Tops Europe's Online Drug Sales

Drug dealers in the UK earn more than their European counterparts and make huge profits from the global online drugs market. In research by Rand Europe, UK drug dealers made £1.7m in online sales and grabbed a 16% share of the global online drugs market. The US has the largest market share, with 35.9 per cent.

Commissioned by the Netherlands government, Rand Europe trawled the eight largest drug marketplaces on the dark web. Rand found that the most common drug sold on the dark web is cannabis, which accounts for 33 per cent of sales. It is followed by prescription medication such as Xanax, stimulants, ecstasy-type drugs and psychedelics.

The study noted that the transactions were dominated by drugs commonly only bought for recreational use at parties, with the likes of heroin and crack cocaine not popular online.

"A possible explanation for these differences between online and offline markets may be that crypto-market purchases typically require an element of planning, which may not suit the daily use of dependent users of, for instance, heroin," the report said.

The online drug bazaar was pioneered by Silk Road, which was shut down in 2013. Users were able to use untraceable encryption programmes and Bitcoin to purchase a wide range of narcotics and other goods.

Thailand Proposes Special SIM Card To Track Foreign Tourists

Thailand is considering a plan to issue a special SIM card to foreign tourists that would allow authorities to track their mobile phones. The plan has been approved in principle by the National Broadcasting and Telecommunications Commission (NBTC), the country’s telecommunications regulator, which intends to catch those who overstay their visa.

The commission said the plan would apply to tourists only, backtracking on an earlier announcement that it would cover all foreigners, including residents on long-term visas, the Bangkok Post and other media reported.

The commission’s Secretary General, Takorn Tantasith, suggested that the plan would not only help catch terrorists and criminals but also help find travellers who were in trouble or had gone missing.

“We are not limiting any rights. The National Broadcasting and Telecommunications Commission has no authority to check on the location of users,” said Tantasith. “But if tourists commit wrong, or there is a court warrant, we will then forward the warrant to a mobile phone operator and seek cooperation.”

The commission, however, did not say how the special SIM cards would differ from standard ones, which can already be tracked. Nor did it explain how it would overcome logistical hurdles, such as distributing cards to such huge numbers of people or dealing with visitors who have access to cards registered to Thai nationals.

While the proposal has been approved by the NBTC, Tantasith said the organisation would consult with police, tourism authorities and tour operators before deciding whether to implement it.

Personal Data Of Democrats Hacked And Posted Online

A hacker going by the name “Guccifer 2.0” is claiming credit for the release of personal cell phone numbers and private email addresses of Democratic House members.

The hacker, believed to be linked to the Russian military intelligence hacking group known as 'Fancy Bear', also breached the contact information of staff members, campaign aides and former congressional Democrats, including House Minority Leader Nancy Pelosi.

“Guccifer 2.0” also uploaded files to a blog post that contain login information for subscription services used by the Democratic Congressional Campaign Committee (DCCC), including Lexis-Nexis and Washington newspapers.

The Guccifer 2.0 Twitter account said that it would provide “the major trove” of stolen information from the DCCC, including emails, to WikiLeaks, which has already published information from a similar breach of the Democratic National Committee. The same Twitter account sent a message to The Wall Street Journal that said the hacker had acted alone, not as part of a team.

Hours after the information was posted online, an email list-serve run by the Democratic Caucus sent a notice to recipients informing them to “change passwords to all email accounts that you use” and also to “strongly consider changing your non-House email addresses if possible.” The mail also asked them to “be extremely suspicious” before opening any emailed links or attachments and to consider changing passwords for banking accounts, among other things.

A number of US intelligence officials believe the most likely culprit for stealing the DCCC data, as well as a large batch of records from the Democratic National Committee, is a group of hackers backed by the Russian government.

Cisco acknowledges two vulnerabilities of NSA hack to be real

Firewall maker Cisco has provided a workaround for one of two vulnerabilities that were disclosed in the Shadow Brokers data dump, and has issued an advisory on the other, which was patched in 2011, in order to raise awareness among its customers. No fix is presently available for the first flaw.

An unknown group of hackers, the Shadow Brokers, dumped data online this weekend and claimed to have stolen it from the Equation Group, a top-of-the-line APT believed to be associated with the NSA. The data dump affected Cisco and Fortinet products.

In a security advisory, Cisco said both flaws, listed in the archive directory as EPICBANANA and EXTRABACON, could be used to breach the Adaptive Security Appliance (ASA) software used in its firewalls; both vulnerabilities enable remote code execution.

The data being offered for sale by the Shadow Brokers is dated between 2010 and 2013, so the unpatched programming blunder has been lingering in Cisco hardware for years. Whoever knew about the hole didn't tell the manufacturer of the vulnerable gear.

Fortinet also said that some of its products released prior to August 2012 contained a vulnerability that would allow an attacker to take execution control over a firewall. It urged users of versions lower than 4.x to upgrade to 5.x immediately.

Most of the exploits in the dump are for high-end enterprise networking gear, including Cisco, Juniper and Fortinet firewalls.

Researchers at Kaspersky Lab confirmed a connection between the tools up for auction and previous exploits and malware frameworks belonging to the Equation Group.

The new flaw, EXTRABACON, exploits a buffer overflow vulnerability in Cisco's ASA, PIX and Firewall Services Module. The exploit would allow an attacker to take full control of the firewall. The target device must be set up with the snmp-server enable command, the attacker must know the SNMP community string, and the devices are only vulnerable over IPv4. Once the exploit succeeds, it would allow malware to be installed and all traffic to be monitored.

The EPICBANANA exploit can be used to bring down Cisco's ASA Software (version 8.4.1 or earlier) using invalid commands, and then run code on the system. The attacker must be locally authenticated on the system and must know the telnet or SSH password for the software. However, once that has been achieved, entering certain invalid commands allows the exploit to work.
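A defender's configuration check for the preconditions described above, added here as an example and not Cisco's or the article's own tooling: it reads an ASA running-config excerpt (a constructed sample; the exact config line syntax and the "ASA Version X.Y(Z)" header format are assumptions) and flags the EXTRABACON and EPICBANANA exposure conditions the article lists.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt of an ASA running-config (not taken from any real device).
SAMPLE_CONFIG = """\
ASA Version 8.4(1)
hostname edge-fw
snmp-server enable
snmp-server community public
snmp-server host inside 10.0.0.5 community public version 2c
telnet 10.0.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

# Community strings that are commonly guessed; a hypothetical starter list.
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin"}


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    message: str


def parse_version(config: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, maintenance) from the 'ASA Version X.Y(Z)' line."""
    m = re.search(r"^ASA Version (\d+)\.(\d+)(?:\((\d+)\))?", config, re.M)
    if not m:
        return None
    major, minor, maint = m.groups()
    return int(major), int(minor), int(maint or 0)


def check_asa_config(config: str) -> List[Finding]:
    """Flag the exposure conditions the article lists for the two ASA flaws."""
    lines = [line.strip() for line in config.splitlines()]
    findings: List[Finding] = []

    # EXTRABACON preconditions: SNMP agent enabled and a known community string.
    snmp_enabled = "snmp-server enable" in lines
    communities = set()
    for line in lines:
        m = re.match(r"snmp-server community (\S+)$", line)
        if m:
            communities.add(m.group(1))
        m = re.match(r"snmp-server host \S+ \S+ community (\S+)", line)
        if m:
            communities.add(m.group(1))
    if snmp_enabled:
        findings.append(Finding(
            "info", "snmp-server enable present: SNMP agent active (EXTRABACON precondition)"))
        for c in sorted(communities):
            if c.lower() in WEAK_COMMUNITIES:
                findings.append(Finding("high", f"guessable SNMP community string '{c}' configured"))
        if not communities:
            findings.append(Finding(
                "info", "no v1/v2c community strings found; review SNMPv3 user/group settings"))

    # EPICBANANA: the article gives ASA 8.4.1 or earlier as affected and requires
    # an authenticated telnet/SSH session, so cleartext telnet widens exposure.
    version = parse_version(config)
    if version is not None and version <= (8, 4, 1):
        findings.append(Finding(
            "high", f"ASA {version[0]}.{version[1]}({version[2]}) is 8.4.1 or earlier (EPICBANANA range)"))
    if any(line.startswith("telnet ") for line in lines):
        findings.append(Finding(
            "medium", "telnet management enabled: cleartext credentials ease an authenticated EPICBANANA session"))
    return findings


if __name__ == "__main__":
    for f in check_asa_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.message}")
```

Run it against `show running-config` output saved to a file; a clean result on a current ASA release with SNMPv3 and SSH-only management is the expected baseline.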
Cisco said it has not yet released software updates for ASA that address the zero-day vulnerability, but there are workarounds that Cisco recommends until patches can be applied.

The Shadow Brokers also claim that their exploits will work on firewalls from Juniper Networks and TopSec, but neither company has publicly acknowledged the leak. The Shadow Brokers say they have additional yet-to-be-released exploits and are offering the data for sale in a Bitcoin auction. The group is asking for 1 million bitcoin (around $568 million at current rates), but the auction has yet to receive any significant bids.

If the auction is unsuccessful, the vulnerabilities contained in the data may still come to light. WikiLeaks has claimed to have access to the data and says it will publish a “pristine copy” soon.

“We had already obtained the archive of NSA cyber weapons released earlier today and will release our own pristine copy in due course,” read a WikiLeaks tweet.

There is less chance of anyone bidding on the data if WikiLeaks releases it.

Hackers claim they hacked NSA-Linked group

A group of mysterious hackers calling themselves the "Shadow Brokers" claims to have hacked a vaunted, likely state-sponsored hacking group that many believe is linked to the NSA, and to have dumped a bunch of its hacking tools.

The Shadow Brokers are auctioning source code purportedly from the Equation Group and are asking for 1 million bitcoin to release more files.

“Attention government sponsors of cyber warfare and those who profit from it,” writes the Shadow Brokers in an auction notice, which journalist Brian Krebs said, "reads like a script."

“How much you pay for enemies cyber weapons? Not malware you find in networks… We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons.”

The auction is being held in an unusual way: interested parties were told to send their maximum offer in bitcoin. The group will keep all the funds, and says it will send the highest bidder the code.

If the auction raises 1 million bitcoin, about half a billion dollars, the Shadow Brokers promise to put even more files out for sale.

The files were initially posted to the code-sharing site GitHub, which has since disabled access.