Top News

For hackers looking for fraud victims, few targets are as tempting as the data brokers that make a business out of assembling millions of people's private information. That's a lesson T-Mobile is learning now that its partnership with one such data collector, Experian, has resulted in the theft of 15 million T-Mobile customers' private details.

Half a decade into the cloud-first initiative, adoption in the federal government continues to be way behind schedule mostly due to security concerns. Vendors argue that those concerns are exaggerated.

Virginia State Police (VSP) launched a project to test the resilience of police cars (2012 Chevrolet Impala and 2013 Ford Taurus models) to cyber attacks.

Here's what popular services like Apple, Google, Facebook, and Microsoft collect -- and what you can do about it.

Apple and Microsoft are both taking steps to better explain how they handle customers' personal information.

Apple hasn't changed its privacy policy in over a year -- but on Tuesday morning the company updated its website with a fresh explanation of what that policy means, product by product, service by service.

The update comes just a day after Microsoft chose to reexplain its privacy policy and how it relates to Windows 10.

When British spies gave their Internet surveillance program the codename Karma Police they may have given away a little too much about its epic purpose: "To build a web-browsing profile for every visible user on the Internet."

Companies in the healthcare sector are three times more likely to encounter data theft than the average firm, according to a report released this morning.

Cyber attacks against healthcare systems are likely to increase, and students investigated the feasibility of breaching a medical training mannequin.
Security experts are warning the medical industry about the hacking of medical equipment implanted in the human body, such as pacemakers and insulin pumps.

Eighty-one percent of healthcare executives say their organizations have been compromised by at least one malware, botnet or other kind of cyberattack during the past two years, according to a survey by KPMG.

The KPMG report also states that only half of those executives feel that they are adequately prepared to prevent future attacks. The attacks place sensitive patient data at risk of exposure, KPMG said.

The 2015 KPMG Healthcare Cybersecurity Survey polled 223 CIOs, CTOs, chief security officers and chief compliance officers at healthcare providers and health plans.


Sixty-six percent of the IT executives at healthcare plans who were surveyed said they were prepared to fend off attacks. Based on revenue, larger organizations are better prepared than smaller ones, KPMG said.

Compared with past KPMG polls, the one released Wednesday showed that the number of attacks on healthcare IT systems has increased, with 13% of respondents saying they are targeted by external hack attempts about once a day and another 12% seeing about two or more attacks per week.

"More concerning, 16% of healthcare organizations said they cannot detect in real-time if their systems are compromised," the report said.
Malware, which is designed to disrupt or gain access to private computer systems, was the most frequently reported line of attack during the past 12 to 24 months, according to 65% of survey respondents. Botnet attacks, where computers are hijacked to issue spam or attack other systems, and "internal" attack vectors, such as employees compromising security, were cited by 26% of respondents.

The areas with the greatest vulnerabilities within an organization include external attackers (65%), sharing data with third parties (48%), employee breaches (35%), wireless computing (35%) and inadequate firewalls (27%).

The KPMG survey found that spending to prevent cyberattacks has increased at most institutions, but it has to be on the right initiatives and fit the organization's strategy, said KPMG's Gregg Bell. "There are no cookie-cutter approaches to security. An organization with a mobile workforce may have a far different technology need from an organization that processes healthcare claims, for example."

"The vulnerability of patient data at the nation's health plans and approximately 5,000 hospitals is on the rise and health care executives are struggling to safeguard patient records," Michael Ebert, who runs KPMG's Healthcare & Life Sciences Cyber Practice, said in a statement. "Patient records are far more valuable than credit card information for people who plan to commit fraud, since the personal information cannot be easily changed."

KPMG listed five main reasons healthcare organizations are facing increased security threats:

  1. The adoption of digital patient records and the automation of clinical systems.
  2. The use of antiquated electronic medical records (EMRs) and clinical applications that are not designed to operate securely in today's networked environment -- and software vendors who push that problem onto the provider.
  3. The ease of distributing electronic personal health information both internally (via laptops, mobile devices, thumb drives) and externally (third-party firms and cloud services).
  4. The heterogeneous nature of networked systems and applications (i.e., network-enabled respirator pumps on the same network as registration systems that can browse the Internet).
  5. The evolving threat landscape, where cyberattacks today are more sophisticated and well-funded, given the increased value of the compromised data on the black market.
Healthcare organizations not experiencing an increase in cyber attacks are also more likely to underestimate the threat, according to Bell, who leads KPMG's Cyber Practice.

"The experienced hackers that penetrate a vulnerable health care organization like to remain undetected as long as they can before extracting a great deal of content, similar to a blood-sucking insect," Bell said.

TrapX, a security vendor that delivers deception-based cybersecurity defense, uncovered a security flaw in the medical field dubbed medical device hijack, or simply MEDJACK. The flaw allows attackers to reach core healthcare systems by breaking into unpatched and outdated medical devices.
Whether the Anthem hack or CareFirst BlueCross BlueShield, this year has already seen a sizeable number of breaches within healthcare organizations. While various attacks and causes have been identified as the source of these providers' compromises, it has never been prominently reported that medical devices could be the true cause of the breaches that took place, and of those that are going to be discovered sooner or later.

TrapX found that most medical organizations are vulnerable to MEDJACK, or medical device hijack – if not already victims of it. The core networks of healthcare systems are initially compromised when hackers break into unpatched and outdated devices, such as a blood gas analyzer or an X-ray scanner. The attackers, the company wrote, build their backdoors into systems via such Internet-connected devices.

General Manager at TrapX, Carl Wright wrote in an email to SCMagazine,

"Our scientists have observed that you could manufacture an attack, designed specifically for several models of a specific medical device, and then launch that attack. That, combined with the difficulty in diagnosis and remediation, and the very high value of healthcare data, creates a near perfect target for organized crime."
TrapX has conducted various case studies and found that most hospitals take good care of their IT departments, with solid firewalls and other security solutions, while such devices, on the contrary, are left unpatched most of the time.

Typically, because the machines run continuously for many days, they are never disconnected, and the security team is unable to fully review the operating system console of the devices.

"Every malware infection that connects a network to an outside attack, in the United States, is a serious event and most likely would be categorized by that healthcare institution as a security event under their HIPAA operating procedures," Wright said. "Given that patient data is at risk, the medical device manufacturer needs to indicate exactly how they will respond to mitigate the situation so that a data breach can be contained or stopped, and normal hospital operations can resume."
All organizations that become aware of the MEDJACK threat should devise a better security strategy, Wright suggests. Moreover, professionals must ask device vendors how the devices are supported and invite them to help mitigate these attacks. The life cycle of each device should also be determined, and vendors should confirm whether or not they use digitally signed software.

The software needs to be digitally signed, and knowing the life cycle will go a long way, as organizations will have a clear picture of when they should replace old devices with new ones.

The authors of the Stegoloader malware are exploiting digital steganography to target companies worldwide, mainly US Healthcare companies.
A couple of weeks ago, security researchers at Dell SecureWorks discovered a new strain of malware dubbed Stegoloader that uses steganography as an evasion technique. Once it has infected the victim's machine, a dedicated loader module fetches from a legitimate website a PNG file that contains the malicious code.

Stegoloader, which has been active since 2012, was used to compromise the systems of companies operating in various industries, including healthcare, education, and manufacturing.

"Looking at recent victims of the Stegoloader malware, we observed that the majority of the infected machines counted for the last three months came from the United States (66.82%), followed by Chile (9.10%), Malaysia (3.32%), Norway (2.09%), and France (1.71%)," states a report from Trend Micro.


The experts speculate that Stegoloader could be a powerful weapon in the arsenal of hackers that are targeting healthcare organizations with the intent to compromise medical records.

"The reemergence of TROJ_GATAK and its apparent focus on certain regions and industries show that cybercriminals continually experiment with the creative uses of steganography for spreading threats," continues the post.

The experts have discovered several strains of Stegoloader over time; the malware has evolved across the months, but the routines from past years' variants remain the same.

The experts highlighted that victims were mainly infected by downloading key generators, or keygens, from third-party sites, rather than through phishing attacks or malicious exploit kits.

Once downloaded, it poses as a legitimate file related to Skype or Google Talk and downloads the photo containing its routines.

The Stegoloader malware implements various evasion techniques to avoid investigation by law enforcement and security firms; for example, it checks that its code isn't running in an analysis environment.

Health care providers are increasingly using smartphones and tablets for tasks such as accessing and transferring medical records, and submitting prescriptions, but these devices may not be secure enough to protect sensitive medical information from hackers.

That's the conclusion of the U.S. National Institute of Standards and Technology, whose cybersecurity center released a draft guide Thursday to help health IT professionals shore up the mobile devices.

"Mobile devices are being used by many providers for health care delivery before they have implemented safeguards for privacy and security," the agency said.

The guide provided thorough explanations on how to implement security procedures across a health care organization's entire IT system. For example, there are sections that describe how to connect Apple and Android mobile devices to a commercial mobile device management cloud platform. Step-by-step directions are provided on setting up a Linux-based firewall as well as on creating mobile device certificates, among other security technologies. The guide doesn't endorse a specific product and mentions open-source and proprietary technologies. The center used products that are readily available and can easily be integrated with an organization's existing IT infrastructure.

Another section of the guide looked at what security risks posed the greatest threat to keeping patient data confidential. Hackers gaining access to an IT system by exploiting weak passwords ranked as one of the top issues, followed by network sniffing and, perhaps unsurprisingly, stolen mobile devices.

The cybersecurity center also subjected a mock IT system to various security attacks and offered advice on how a health care organization could react to them. In one scenario, a mobile device that could access an EHR (electronic health records) system was lost. To mitigate the threat, the device was blocked from tapping into the hospital network and its data was erased via a remote wipe.

Other scenarios showed how implementing access control for different systems could prevent hackers from getting to patient information even after they infiltrated a hospital network. In one example, a phishing attack was used to obtain system passwords and remotely log in to a desktop. In the second case, an unauthorized person, like a hacker or a rogue employee, obtained the password to an EHR system.

In both incidents, the credentials allowed intruders to see a network diagram. However, accessing the systems where sensitive data was stored wasn't possible since that action required administrator passwords and the attackers lacked those credentials.

Encryption was cited as a way to protect data even if an attacker gains physical access to a data center and taps into the network traffic.

The guide pointed out that implementing security must be balanced with making sure health care workers can easily use the technology to perform their duties. In emergency situations, workaround access controls may be introduced so staff have immediate access to data.

Although Advanced Persistent Threats and Targeted Attacks are often confused, in their core these are two different things in the field of online security. Most businesses out there need only worry about one of these two types of attacks, focusing their efforts to remain thoroughly protected against both enemies and threats.

Extroverts and introverts - does it matter?

The concepts of introversion and extroversion are often confused as a measure of connection. People consider extroverts outgoing and introverts as reserved.

This is a limiting view.

Instead, ask "Where do I get my energy?"

A CISO who just started a new job at one of the top 10 cable companies in the US recently lamented that he does not have a cybersecurity budget to purchase tools from FireEye, Palo Alto Networks, and Cylance like his peer CISOs get to.

Computer incidents today are a far cry from those of the past. Computer incidents involving data breaches today can take down businesses and leadership, in much the same way or greater than an earthquake or fire can destroy a company through a physical business outage. Data breaches such as that at Target have shown that having the ability to recognize an incident quickly and escalate up to appropriate leadership is a critical business competency.

The information security skills gap may have become a huge issue for Chief Security Officers (CSOs) and Chief Information Security Officers (CISOs), but there are a number of ways InfoSec teams can work around the shortage so as to protect their networks and stay ahead of the attackers.

Over the past two years, risk management has gained a lot of attention in the media and among practitioners. Even though it has been proven to optimize business performance and lead to better investment decisions, many organizations have still not adopted a pro-active approach to addressing risks. What are the inhibitors to risk management and how can companies overcome them?

The researchers at Security Intelligence announced that Shifu banking trojan is officially spreading to the UK targeting Banks and Wealth Management Firms.

A few weeks ago researchers at Security Intelligence announced the discovery of the sophisticated banking Trojan Shifu; the malicious code has been used to target the customers of more than a dozen Japanese banks.

Security researchers have discovered a new malware program that infects automated teller machines (ATMs) and allows attackers to extract cash on command.

Three times as many credit cards will be chip-enabled by the end of the year as debit cards, making the slower banks bigger targets for cybercriminals.

According to the malware researchers at FireEye Labs, Suceful is the first multi-vendor ATM malware threatening the banking industry. Experts at FireEye have discovered a new strain of malware dubbed Suceful (Backdoor.ATM.Suceful) specifically designed to target ATMs. Malware designed to hack ATMs is not new; in the past security experts have already detected malicious code used to make ATMs dispense cash, such as Ploutus or Tyupkin.

Anyone working in security knows that many companies have red teams to attack their own systems, but this is never acknowledged by the company.

Barclays did exactly the opposite and confirmed that it has created a red team to attack the company systems in order to assess their resilience to cyber attacks.

In late 2013, at the height of the holiday shopping season, Target Corporation's point-of-sale payment network was breached, and over 70 million customers had their card payment information stolen, including this author, creating a mass issuing of new cards, limits on purchases for some customers, and various actions by banks who attempted to protect accounts from theft.

After staying quiet for several weeks, Target finally acknowledged the breach a few days before Christmas, causing a loss of several percent in holiday sales. The fallout continued for months with the resignation of the President and CEO, Gregg Steinhafel, and the layoffs of nearly 500 employees. (Clark, 2014) If Target had been the only large retail corporation to be breached with POS malware the story might have died, but others would follow, including Neiman Marcus, Michaels, P.F. Chang's, Home Depot, Staples, and others. (Hardekopf, 2015)

The Target fiasco should have been enough to convince other retailers to make immediate changes, but corporations move slowly, and because credit card numbers can be sold on the black market, criminals adapted faster than the corporations. Attacks would adapt and more customers would have their card numbers stolen, thus costing banks and merchants millions of dollars.

How Point-of-sale (POS) Works

To better understand the areas of vulnerability we will review the payment process. For the user of a payment terminal or other payment tool, paying with a debit or credit card feels seamless and simple, but for every payment made multiple parties are involved. Like anything, more entities equal greater risk, and the more access points for a hacker to attack. In a standard card transaction, there is the payment terminal – or Point-of-sale device, then there are one, two, or more banks involved – the issuer, acquirer, and merchant bank. Then there is the payment processing network – most often Visa or MasterCard.

The path that only takes seconds is listed below.

  1. Customer swipes a card at the merchant
  2. The Merchant's POS sends the transaction through to the processor
  3. The Processor encrypts the payment and sends it from the POS device to the payment processing network (Visa, MasterCard, Discover, etc.)
  4. The payment processing network verifies that funds are available from the card issuing bank
  5. The card issuing bank then releases the funds back to the processor
  6. At the end of the day or a sales cycle, the merchant runs a batch with the processor
  7. The processor then authorizes the release of the funds to the merchant's bank
  8. Later the customer receives a statement from the card issuing bank noting that funds were removed from a debit account, or that payment is due for a credit card purchase.

[Figure: Point-of-sale transaction process, simplified]

It is easy to see, from the list above and the simplified transaction process graphic, that there are multiple places for malware to attack or for a criminal using social engineering to manipulate the process.

PCI and Payment Safeguards

When a data breach occurs it can cost businesses and banks anywhere from a few dollars per customer to hundreds of thousands to millions for a large breach with thousands of victims. The actual costs vary depending on the source, but whatever the total numbers, the cost is staggering and is costing everyone, including card holders. Target finally figured their losses at $162 million. (Lunden, 2015) The Ponemon research project noted in their 2015 annual study on the cost of a data breach, that the costs were 15% higher than the year before. (Ponemon, 2014) The total estimate cost of credit card theft to banks in 2014 was around 11 billion. (Vlachos, 2015)

Even with the high number of breaches, it could be much worse if not for payment security standards set by the Payment Card Industry Data Security Standard (PCI DSS), which is a security standard set by the Payment Card Industry Security Standards Council (PCI SSC). This organization was formed as a partnership between the leading payment companies, including MasterCard, Visa, JCB, Discover, and American Express. (PCI, 2015)

The PCI council provides a standard and safety measures for merchants about the security of their payment systems, and it provides a standard for companies providing payment services at any phase of a transaction. The PCI standard has twelve requirements to follow to receive PCI certification. They are:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for employees and contractors

Current POS Threats

There are multiple and ever evolving threats to the payment landscape. The threats below are only a review, and it is advised that anyone working in payment security watch daily for new vulnerabilities. And it is advised that the security teams protecting point-of-sale networks have a security strategy in place before an attack occurs so that the incident response team can respond quickly.

A common threat is caused by a well-meaning group, the integrators of POS systems. Integrators are companies that manage POS systems by configuring and maintaining the systems. Many small businesses do not have resources or technical skills to maintain their own payment systems, and rely on these integrators to keep their systems running. To access the systems integrators will often use remote access tools like Microsoft Remote Desktop, VNC, and PCAnywhere. These are valuable tools when used correctly, but it has been found that they are sometimes configured incorrectly. This allows for access by cyber criminals who can install malware to steal data and even track keystrokes. (Visa, 2015)

By following the latest PCI standard (PCI-DSS 3.1), known security issues can be mitigated, but if a system is not current, malware like RAWPOS can be a threat. This malware is a memory scraper that has infected lodging merchants since 2008. It targets the memory dump, where payment information may be temporarily stored; that data is staged on the network and removed later by a separate process.

The malware used to steal data from infected registers running on Windows at Target was BlackPOS. A few months later, a variant of BlackPOS was used to steal card data from point-of-sale systems at Home Depot. When this memory grabber finds what it's looking for it uploads the data via FTP to a remote server. (Dell SecureWorks CTU TI, 2013)

Chewbacca POS malware is another malware that runs on Windows and scrapes the memory for data. It is not currently widespread. To mitigate Chewbacca POS malware the use of TOR should be prevented and administrative rights should be tightly controlled as administrator permissions are needed to perform the malicious functions of this malware. (Visa, 2014)

A threat that is very simple, and different from the above threats in technology and approach, is the use of skimmers. While these are known to be used at gas pumps and ATMs, they can also be used by waiters in restaurants who skim a customer's card out of sight of the customer and other employees. By using chip-and-pin technology, and by not allowing anyone to take one's card out of sight, this crime will be reduced. The new technology will also reduce this crime once magnetic strips with a reusable number are no longer ubiquitous.

As noted above, these are not all of the threats to Point-of-Sale systems, and new threats are being created daily.

The Chip and Pin Solution

By the end of 2015 a majority of credit cards will be chip-and-pin capable, also known as EMV (an acronym for Europay, MasterCard, and Visa). With the transition to chip-and-pin cards in the U.S. this will become the international standard for securing cardholder data. This is done by using a microprocessor inside of the card. Because of the microprocessor – or chip – the card generates unique data every time the card is used. This is much more secure than the magnetic strip cards we are accustomed to in the U.S. that contain a static number that can be stolen and reused. But, the first generation of chip-and-pin cards will keep the magnetic strip because the transition is not complete.
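A toy model of the difference described above, added here as an example that is not part of the original article: a static stripe record replays cleanly at the issuer, while a chip's per-transaction cryptogram fails both replay and tamper checks. The cryptogram is modelled with HMAC-SHA256 rather than EMV's actual 3DES-based application cryptogram, and the card numbers, keys and amounts are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def mac(key: bytes, pan: str, amount_cents: int, atc: int, nonce: bytes) -> bytes:
    """Stand-in for the EMV application cryptogram: a keyed MAC over the transaction
    data. Real EMV uses a 3DES-based MAC under a session key derived from the ATC;
    this toy uses HMAC-SHA256 truncated to 8 bytes."""
    msg = f"{pan}|{amount_cents}|{atc}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class StripeCard:
    """Magnetic stripe: the same static track data is handed over at every swipe."""
    pan: str
    expiry: str

    def swipe(self) -> dict:
        return {"pan": self.pan, "expiry": self.expiry}


@dataclass
class ChipCard:
    """Chip: a secret key that never leaves the card plus a transaction counter (ATC)."""
    pan: str
    key: bytes
    atc: int = 0

    def transact(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        self.atc += 1  # every transaction gets a fresh counter value
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc,
                "nonce": terminal_nonce,
                "cryptogram": mac(self.key, self.pan, amount_cents, self.atc, terminal_nonce)}


class Issuer:
    """The card-issuing bank (step 4 of the transaction flow): approves or declines."""

    def __init__(self, stripe_accounts: dict, chip_keys: dict) -> None:
        self.stripe_accounts = stripe_accounts  # PAN -> expiry on file
        self.chip_keys = chip_keys              # PAN -> key shared with the chip
        self.last_atc: dict = {}                # highest ATC accepted per PAN

    def authorize_stripe(self, track: dict) -> bool:
        # Nothing in track data changes between swipes, so a copy is as good as the card.
        return self.stripe_accounts.get(track["pan"]) == track["expiry"]

    def authorize_chip(self, req: dict) -> bool:
        key = self.chip_keys.get(req["pan"])
        if key is None:
            return False
        # Replay check: the counter must advance; a recorded request reuses an old ATC.
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return False
        # Integrity check: any change to PAN, amount, ATC or nonce breaks the MAC.
        expected = mac(key, req["pan"], req["amount"], req["atc"], req["nonce"])
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return False
        self.last_atc[req["pan"]] = req["atc"]
        return True


def run_scenarios() -> dict:
    """Constructed sample data: one stripe card and one chip card at the same issuer."""
    stripe = StripeCard(pan="4111111111111111", expiry="1217")
    chip = ChipCard(pan="4000000000000002", key=secrets.token_bytes(16))
    issuer = Issuer({stripe.pan: stripe.expiry}, {chip.pan: chip.key})
    results = {}

    # A skimmer records the stripe once; the copy authorizes exactly like the card.
    skimmed = stripe.swipe()
    results["stripe_first_use"] = issuer.authorize_stripe(skimmed)
    results["stripe_replay"] = issuer.authorize_stripe(dict(skimmed))

    # A memory scraper captures one complete chip authorization request.
    captured = chip.transact(4999, secrets.token_bytes(4))
    results["chip_first_use"] = issuer.authorize_chip(captured)
    results["chip_replay"] = issuer.authorize_chip(dict(captured))
    # Editing the captured request (new amount, bumped ATC) invalidates the cryptogram.
    results["chip_tampered"] = issuer.authorize_chip(
        dict(captured, amount=99999, atc=captured["atc"] + 1))
    # The genuine card keeps working: its ATC advances and it alone holds the key.
    results["chip_next_genuine"] = issuer.authorize_chip(
        chip.transact(1250, secrets.token_bytes(4)))
    return results
```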

Starting in October of 2015 the liability will move wholly to the merchant if they do not have chip-and-pin enabled terminals, and any banks that haven't issued chip-and-pin cards will be liable if fraud occurs and the terminal is up-to-date. This is to encourage businesses and banks to upgrade their equipment and cards. Magnetic strip cards will still be accepted, but in the next few years these old cards will be phased out.

There are those who believe that chip-and-pin won't stop criminals, and they are correct because criminals will always adapt to the latest technology, and they will always exploit new vulnerabilities. But the new chip-and-pin technology will reduce credit card theft substantially. (Schwartz, 2014) Merchants should always select a vendor that holds the latest PCI certification, as this will reduce many instances of successful POS attacks on their system, but everyone involved must also follow precautions that include being cautious with remote access tools, and maintaining updates and the latest anti-virus software. And, as before, merchants must be vigilant and continue to watch for fake cards and other card scams.

Another step that will improve cardholder security is consumer education. With the introduction of chip-and-pin consumers will be confused. This may be a time of increased social engineering attacks, when criminals attempt to gain the trust of consumers by posing as bankers or other parties that "need" their cardholder information, or worse. Banks and issuers must improve their communication to consumers, and while there have been some efforts, not enough has been done. And, beyond education, as high as 42% of merchants have taken no steps to move to the technology. (Amato-McCoy, 2015) But this author believes that merchants and banks will continue to update to the new technology over the next few years.

Criminals have not stopped robbing banks, despite improvements in security, and criminals will continue to look for vulnerabilities in cards because, like banks, that's where the money is. But, all involved with the processing and issuing of cards must continue to improve security.


Tools & Methodologies


The US Air Force is using a modified EC-130 Compass Call aircraft to demonstrate how to hack into enemy networks.

Information warfare is overlapping traditional military domains: to conduct a fight in the air, it is now possible to use new hacking techniques, as the US Air Force demonstrated.

Zerodium is an exploit trader, and it is offering a million-dollar prize to anyone who finds an unknown, unpatched bug in iOS 9, with the main purpose of jailbreaking iThings.