Hacking, Security & Privacy News - Page 63


Companies hiring hackers to test Internet of Things security efforts

Michael Hatamoto | Dec 14, 2014 12:35 PM CST

The Internet of Things (IoT) is expected to explode in popularity in coming years, but trying to keep a growing number of connected devices secure from cybercriminals remains a major effort. To help get a step ahead of malicious criminals, companies are embracing white hat hackers specialized in finding and exploiting potential security loopholes - and then sharing details with the company.

"Source code analysis, integrating security testing into the normal test cycle, and penetration testing at the end," said Michael Murray, director of GE Healthcare cybersecurity consulting and assessment, in a statement published by Dark Reading. "I'm [still] breaking lots of stuff. I'm just breaking it before it gets to the customer to make sure bad things don't happen to people out in the world."

Connected devices are spreading to vehicles, our homes and apartments, medical devices, and virtually everywhere else - but keeping consumers and users secure is a major effort.

Hollywood can learn from Sony's mistakes, show caution while chatting

Michael Hatamoto | Dec 14, 2014 8:18 AM CST

Despite major ramifications from its data breach suffered last month, with Sony still seeing bulk amounts of information leaked online, the company must continue moving forward. However, hopefully some people in the movie industry can now appreciate that public figures will remain a target of interest among hackers.

Agents, actors and movie studios in Hollywood can certainly learn from Sony's glaring mistakes, understanding that those emails with snide remarks about others - which they expect to be confidential - shouldn't be sent, for fear of potentially being leaked.

"[T]here's going to be consequences for senior people at the studio," said Sharon Waxman, founder and editor-in-chief of TheWrap, speaking to CNBC. "The studio has to go on with its business and it's drip drip drip every day of an unknown damage hitting the studio - and embarrassment, another piece of information."

Chinese cybercriminals continue to ravage critical infrastructure

Michael Hatamoto | Dec 14, 2014 7:36 AM CST

Chinese cybercriminals are finding success using social engineering attacks to easily compromise companies, with an increased focus on universities, financial institutions, defense contractors, and critical infrastructure. Likely state-sponsored cyberattackers were able to breach the Canadian National Research Council, searching around for scientific research information and possible trade secrets.

A spear-phishing attack, with the email including an attached piece of malicious code, found its way onto the organization's network. The Canadian government didn't disclose what type of information could have been compromised from the breach, which took place earlier in 2014.

"It is also unclear as to whether any personal information has been compromised," said Tobi Cohen, a privacy commissioner spokeswoman, as noted by the CBC. "We are satisfied that the organization took appropriate steps to notify employees and other parties about the cyber-intrusion and that efforts are underway to update [information technology] systems and security procedures to prevent this from happening again."

Guardians of Peace threaten Sony, saying a 'Christmas gift' is coming

Michael Hatamoto | Dec 14, 2014 5:23 AM CST

The Guardians of Peace released more information stolen from Sony, and promised a large "Christmas gift" of additional data taken in a breach Sony suffered that started late last month. The leaked content reportedly contained more email correspondence and information related to Crackle, the online video website.

Here is part of the post from hackers (via Pastebin): "We are preparing for you a Christmas gift. The gift will be larger quantities of data. And it will be more interesting. The gift will surely give you much more pleasure and put Sony Pictures into the worst state."

The cybercriminals behind the Sony breach have released seven waves of stolen data and movies to the Internet, and will continue to do so. The FBI and cybersecurity companies are helping Sony clean up the mess, but the damage has clearly already been done.


The Pirate Bay have been taken down, but didn't drop piracy levels

Michael Hatamoto | Dec 13, 2014 5:34 PM CST

The shuttering of The Pirate Bay may well have been a symbolic victory and nothing else, as digital piracy levels didn't significantly drop. Torrent piracy statistics have been made available courtesy of anti-piracy firm Excipio, which tracks movie, TV show, music, video game, and software torrent downloads - and on Dec. 8, the day before Pirate Bay servers were seized, there were 101.5 million IP addresses engaged in torrent downloads.

The number dropped to 99 million on Dec. 9, then down to 95 million on Dec. 10, and stood at 95.6 million on Dec. 11, according to Excipio. However, the number again topped 100 million on Dec. 12, said Excipio, which noted that the daily average of torrent downloads worldwide since Nov. 1 was 99.99 million.

For interested Internet users, there are dozens of other websites that allow access to torrent downloads, and Internet piracy will continue to be a thorn in the side of governments and copyright holders.

FBI warns US companies to be aware of potential cyberattacks from Iran

Michael Hatamoto | Dec 13, 2014 4:14 PM CST

US companies need to be aware of increasingly sophisticated Iranian cyberespionage operations, according to the FBI, with targets including educational institutions, energy firms, defense contractors, and additional critical infrastructure.

As part of Operation Cleaver, there have been 50 victims in 16 countries reported so far, according to cybersecurity company Cylance. The FBI's "Flash" report also included technical details about sophisticated malware and attack strategies that are likely being used by Iranian cybercriminals. "It underscores Iran's determination and fixation on large-scale compromise of critical infrastructure," Cylance CEO Stuart McClure reportedly noted.

Potential victims have been asked by the FBI to speak with them, especially if potential links point towards foreign cybercriminals.


Apple OS X users in the United States faced largest number of attacks

Michael Hatamoto | Dec 13, 2014 2:35 AM CST

Apple OS X users in the United States faced a large number of cyberattacks, with almost 100,000 users being targeted, according to a Kaspersky Lab report. Not surprisingly, that accounted for 39 percent of total Mac OS X cyberattacks - largely because the US has the largest number of Apple product owners - as cybercriminals pay more attention to iOS on smartphones and tablets, along with OS X on desktop computers and laptops.

Adware programs were the most popular method of attack against OS X users, accounting for almost half of the top 20 list, according to Kaspersky.

OS X users are strongly urged to install some type of anti-virus and anti-malware software solution, as cybercriminals pay more attention to compromising Apple products.


A VMware AirWatch bug allowed users to access others' sensitive data

Chris Smith | Dec 12, 2014 9:06 PM CST

AirWatch's on-premise mobile device management solution has recently received a major update - patching a flaw that enabled users who manage MDM solutions in multi-tenant environments to access other users' data and information.

The patch was issued this week, closing the 'information disclosure hole' in its services. iTnews reported that the published security advisory VMSA-2014-0014 addressed the issue, attributing it to "AirWatch On-Premise having direct object reference vulnerabilities which could allow a manager of an MDM deployment in a multi-tenant environment to see organisational information and statistics of other tenants."

Direct object reference vulnerabilities can allow criminals to bypass access controls and reach databases and sensitive files directly, rendering other security measures in place useless. According to the Open Web Application Security Project, this flaw is quite common and widespread, and it has been exploited by hackers globally both in the past and at present. This class of flaw was behind reports two years ago of the information of up to 500 Dodo Power and Gas customers being compromised, and Australia Post removed its Send and Click service due to a similar discovery.

FBI says cyberattack that hit Sony would have worked against others

Michael Hatamoto | Dec 12, 2014 8:19 AM CST

The FBI is still unsure what hacker group successfully compromised Sony Pictures Entertainment, but said 90 percent of companies would likely fall victim to the same tactics. FBI officials also have reportedly met with Sony employees to explain how to protect themselves due to personal information being stolen as part of the breach.

"[T]he malware that was used would have gotten past 90 percent of the Net defenses that are out there today in private industry and [would have been] likely to challenge even state government," said Joe Demarest, assistant director of the FBI cyber division, at a Senate Banking Committee hearing.

Sony is working with Mandiant, a cybersecurity forensics company, and CEO Kevin Mandia confirmed that this type of attack would be difficult to prepare for. The Guardians of Peace took credit for the attack, with purported GOP members emailing the media additional details of the breach.


Amazon denies Sony is using its AWS to launch DDoS cyberattacks

Michael Hatamoto | Dec 11, 2014 5:16 PM CST

Sony has been accused of launching distributed denial of service (DDoS) attacks against websites hosting its stolen content, using Amazon Web Services as a launch pad, according to unnamed sources speaking with Re/code. It would seem extremely unlikely - and easily identifiable - if Sony decided to use AWS to launch any form of DDoS attacks, with network monitoring company CloudFlare suggesting Sony didn't launch any counter-attacks.

Amazon sent the following statement to TweakTown:

"AWS employs a number of automated detection and mitigation techniques to prevent the misuse of our services. In cases where the misuse is not detected and stopped by the automated measures, we take manual action as soon as we become aware of any misuse. Our terms are clear about this. The activity being reported is not currently happening on AWS."
