TweakTown NewsRefine News by Category:
The United States wants to make it more politically uncomfortable for China to launch so many cyberattacks, with various retaliatory options on the table if China doesn't better behave with its numerous cyberespionage activities. Earlier in the year, China was blamed as the leading source of cyberattacks, and the attacks are increasingly towards stealing intellectual property - or disrupting critical infrastructure.
China has recently talked about improving its own Web security practices, in an effort to defend against U.S. and British spying. The Department of Justice filed charges against several Chinese Army officials, signaling a stronger response to foreign-based cyberattacks:
"Criminal charges can justify economic sanctions from our colleagues in the Treasury Department, sanctions that prevent criminals from engaging in financial transactions with U.S. entities and deny access to the U.S. financial system," said John Carlin, Justifice Department national security division head, when discussing the current state of foreign cyberaffairs. "They can facilitate diplomacy by the State Department."
The high-profile eBay data breach has already led to a multi-state investigation, and now cybercriminals are trying to exploit the breach for their own personal gain. A person claiming to have the stolen database of all compromised users and passwords online for 1.45 (about $760) bitcoin isn't providing a legitimate information, according to eBay.
The 3,000-row file has Asia-Pacific usernames, addresses, phone numbers and dates of birth for users - but that doesn't appear to be true. A "free sample" with reportedly extracted names of more than 12,000 accounts "are not authentic eBay accounts," according to eBay.
"It is always tough to tell whether the data is genuine in situations like this," said Rik Ferguson, Trend Micro global VP of security research. "The email addresses I have tested so far do not appear to be sourced from previous breaches."
Even though companies are becoming increasingly aware of cyberattacks and the rising threat they pose, many decision makers are hesitant to spend money to improve security - until a data breach or theft occurs. If an attack doesn't lead to massive financial losses, cybersecurity experts warn, cyberattacks are still being shrugged off. Unfortunately, companies don't think the cost of building a stronger cybersecurity defense is a worthwhile expense, instead focusing on more pressing business matters.
"Until it hits them at home, it won't matter much," said Scott Goldman, security company TExtPower CEO, in a statement. "The very fact that people are becoming numb to the constant stream of breaches indicates the pathetic level of security provided by most online services."
U.S. defense contractor Lockheed Martin said the attacks it faces has quadrupled since 2007, and public utilities also are being caught up in the chaos. Security typically won't lead to increased revenue or profit, and despite looming cyberthreats, it will continue to take a major incident before change is made.
Even though western cybersecurity experts confirm China is a major threat for cyberattacks, the Communications Security Establishment Canada chief was warned not to say China participates in cyberespionage. It's a difficult situation for John Forster and his staff, as public discussions over Chinese-based cyberattacks are becoming more commonplace.
This decision was made in February, and had nothing to do with the U.S. government charging five Chinese Army officers with cyberespionage charges earlier in the week. Meanwhile, the Canadian government has been targeted by likely Chinese attacks, at a time when government agencies are struggling to defend against organized cyberattacks.
"There are now more than 100 nations that possess the capability to conduct cyberoperations on a persistent basis," Forster noted, adding that "our government systems are probed millions of times a day and there are thousands of attempts to compromise these systems every year."
Following its massive data breach, eBay is now reportedly being investigated in at least three U.S. states and an investigation is opening up in Europe. So far, Florida, Connecticut and Illinois are the first, though other states will most likely begin to investigate the breach and how it happened. Consumers are still urged to change their passwords as soon as possible, and not rely on any state or Federal Trade Commission (FTC) investigations just yet.
"The magnitude of the reported eBay data breach could be of historic proportions, and my office is part of a group of other attorneys general in the country investigating the matter," said Pam Bondi, Florida Attorney General, in a press statement.
Media reports indicate UK officials also plan to investigate the massive breach, which compromised more than 100 million users. After the breach was disclosed earlier in the week, eBay confirmed it is currently working with law enforcement officials already.
So much news focuses on end-user security practices, and choosing a password is a very important step to try and keep data secure. Cybercriminals are becoming increasingly savvy in compromising users, relying on a mix of malware and social engineering to steal information.
Instead of a password, choosing a "passphrase" is a good first step; for example, "SantaMonicaBeach," or something that doesn't just rely on a single-word password. Users should also forget about relying on names of pets or family members, as social engineering leads criminals to troll social media accounts to gain additional information on users.
As users tend to have even more passwords, using some type of password manager is a good method to keep passwords under control. If possible, using two-step verification, whenever offered, is an important additional layer of security for users.
The House today clamped down on the National Security Agency's bulk phone surveillance techniques, marking the first time former NSA contractor Edward Snowden's disclosures have led to a government change. It's an important step forward, with a 303-121 vote, as politicians on both sides don't want the NSA being able to collect bulk surveillance information on U.S. citizens.
The USA Freedom Act will now go to the Senate, though some are concerned that this is simply a "watered down" version of the bill - and could still allow the government to weasel through loopholes.
"This legislation was designed to prohibit bulk collection, but has been made so weak that it fails to adequately protect against mass, untargeted collection of Americans' private information," said Nuala O'Connor, Center for Democracy and Technology president and CEO, in a statement.
Although companies are learning of malware infections and other security breaches faster than previous years, very few companies are able to detect these issues on their own, according to a study by security firm Trustwave. It took an average of 134 days from intrusion until the breach was detected, which is two and a half months faster than what it took in 2013 - but with malware becoming increasingly sophisticated, this is still a rather worrisome trend.
Malware self-detection is just 29 percent, according to the study, with third-party companies informing those exposed of the security breaches.
"That's just a horrible statistic in general," said Karl Sigler, Trustwave manager of threat intelligence, in a statement to CSO. "That's a phenomenal statistic compared to in the past. Sometimes breaches would take months to actually contain."
The University of California, Irvine student health center was reportedly compromised, with a form of keylogger malware running for at least six weeks. In the breach, student ID numbers, contact information and bank numbers of up to 1,800 students and a small number of others at risk, according to UC Irvine spokespeople.
No UC Irvine medical records were compromised, with the malware operating from February 14 to March 27, according to officials.
Universities are having a hard time trying to keep their networks secure, with cybercriminals finding large amounts of information that is increasingly easy to compromise. The University of Pittsburgh Medical Center was recently hit by a data breach, while Iowa State University also suffered a data breach as criminals tried to mine for bitcoins. University of California at San Francisco also suffered a breach, and University of Hawaii officials are warning of increasingly clever phishing attacks.
Security experts cannot seem to agree whether or not anti-virus software today is adequate to defend against sophisticated malware attacks, with another industry leader saying most anti-virus simply isn't effective. Lastline Labs researched malware samples for one year from May 2013 to May 2014, using 47 anti-virus signatures, and found that no solution detected every malware sample on any of the test days.
Also of note, the first day of testing, just 51 percent of anti-virus software products detected malware samples - and took two days, on average, for an AV scanner to alert to malware that slipped by in previous tests.
Here is what Engin Kirda, co-founder of Lastline Labs said: "I heartily encourage further testing and analysis of advanced malware detection techniques - by CIOs, CSOs and the broader security community in addition to my own team - in order to battle test detection technology. In order to protect our organizations, our people and our resources, we have to collaborate, integrate and share intelligence in order to begin to close the gap."