Hacking, Security & Privacy - Page 26
Stay informed with the latest hacking, cybersecurity, and privacy news, including data breaches, leaks, cyber attacks, and tips to stay safe online. - Page 26
Companies hiring hackers to help test their network cybersecurity
Companies nervous about their cybersecurity defenses are relying on white hat hackers to test systems and help identify security flaws. Offering a bounty allows additional skilled users outside of a company's software and IT team to help track down anything that may have unknowingly fallen through the cracks.
"We're curious, we want to test our skills, we want to help these companies," said Mike Santillana, white hat hacker for Bugcrowd, in a statement published by CBS News. "I've found several bugs where you can completely compromise another user's account."
Additional companies are paying security experts and programmers as part of increasingly lucrative bug bounty programs. These hackers enjoy the monetary incentive and the challenge of identifying security flaws that could pose problems for companies and their customers.
Snowden regrets not coming forward sooner about NSA surveillance
Former NSA contractor Edward Snowden would have liked to come forward sooner regarding NSA surveillance, but had to wait until the appropriate time.
"I would have come forward sooner... [but] these programs would have been a little less entrenched, and those abusing them would have felt a little less familiar with and accustomed to the exercise of those powers," Snowden said during a Reddit "Ask Me Anything" session. "This is something we see in almost every sector of government, not just in the national security space, but it's very important. Once you grant the government some new power or authority, it becomes exponentially more difficult to roll it back."
Snowden knowingly sacrificed himself to help reveal NSA surveillance and spying activities, which has opened an international debate. In addition, Apple, Google and other companies are modifying their behaviors, including adding encryption and other technologies, to help keep user data more secure from outside snooping.
Head of NSA says spyware operation compliant with national law
The National Security Agency (NSA) is under fire over claims that it planted sophisticated spyware in hard drive firmware for surveillance, and the agency's director says it operates within national law.
"Clearly I'm not going to get into the specifics of allegations," said US Navy Admiral Michael Rogers, refusing to speak out regarding NSA spyware accusations, while at the Washington forum. "But the point I would make is, we fully comply with the law."
The latest controversy stems from a Kaspersky Lab report that says the NSA embedded spyware in the firmware of Western Digital, Toshiba and Seagate hard drives, a foothold that survives reformatting and gives its operators the ability to eavesdrop on users.
DDoS-for-hire cyberattacks are effective and cost-effective
Distributed denial of service (DDoS) attacks have plagued consumers and businesses for years, but the growing number of DDoS attacks sold as a paid service is troubling. Clients can pay from $2 to $5 per hour to launch an attack, or buy a subscription, with monthly plans quoted as low as $800.
The Lizard Squad hacker group drew increased scrutiny to this underground activity by demonstrating its LizardStresser DDoS service in successful attacks against the Sony PlayStation Network and Microsoft Xbox Live. Meanwhile, the Gwapo DDoS service has been publicly advertised on social media and in videos posted to YouTube, with attacks starting at $2 per hour.
"Since their inception in 2010, DDoS-for-hire capabilities have advanced in success, services and popularity, but what's most unnerving is booters have been remarkably skilled at working under the radar," according to the "Distributed Denial of Service Trends" report from Verisign. "Given the ready availability of DDoS-as-a-service offerings and the increasing affordability of such services, organizations of all sizes and industries are at a greater risk than ever of falling victim to a DDoS attack that can cripple network availability and productivity."
Obama failing to create security relationships in Silicon Valley
Tech executives aren't impressed by President Obama's current efforts to streamline cybersecurity, and trust has eroded as the extent of government surveillance operations has become known. It's a fragile relationship that must be repaired, especially if Obama is serious about Silicon Valley companies sharing threat data with the US government.
"I think we missed an opportunity," said Jason Healey, former director of cyber infrastructure protection for the White House, in a statement published by The Hill. "Real leaders focus on privacy and they don't compromise on that."
There will need to be an open discussion from the Obama Administration regarding encryption, privacy, and other matters - but trying to boost cybersecurity efforts appears to be a more pressing matter.
Ransomware cyberattacks rack up victims, creating millions in revenue
Ransomware cyberattacks are on the rise, and businesses must be ready to address the threat head on, with law enforcement constantly one step behind.
The FBI previously issued a warning regarding ransomware attacks, especially as cybercriminals tweak their malware code. Similar to statements issued by cybersecurity experts, the FBI says users should be extremely careful when opening email attachments - the most popular infection method to compromise business users.
The authors of the CryptoLocker ransomware were able to quickly generate at least $3 million in revenue from ransomware attacks, collecting hundreds of dollars in ransom at a time. Cybercriminals are opportunistic and will continue to rely on ransomware attacks as long as they easily find victims installing the malware on PCs and laptops.
Police department forced to pay $500 bounty in ransomware cyberattack
The Midlothian Police Department paid $500 after being compromised with the Cryptoware ransomware, encrypting files on one computer. A spear-phishing email likely is the culprit behind the Cryptoware infection, with Midlothian Police Chief Harold Kaufman confirming a cybersecurity incident.
The police department spent a total of $606 to rid itself of the infection, following the addition of bank fees and subsequent surcharges.
Cybersecurity experts recommend that businesses routinely back up their data, a task too often left to IT administrators alone, and that they urgently train employees to recognize social engineering attempts such as the phishing email behind this infection.
Revenge porn king, Hunter Moore, pleads guilty to hacking charges
Hunter Moore, 28, the founder of revenge porn website IsAnyoneUp.com, has pleaded guilty and faces years in prison. Moore pleaded guilty to identity theft, unauthorized access to a computer, and aiding and abetting unauthorized access of a computer. Unlike other revenge porn website operators, Moore paid a hacker to access email accounts looking for photos to steal.
Each charge carries a maximum prison sentence of two to five years, and Moore should be sentenced in a few months. Moore was once called "the most hated man on the Internet" for creating IsAnyoneUp.com, which served as one of the most popular revenge porn websites.
The infamous revenge porn website generated up to $10,000 per month in advertising revenue, and featured nude images and videos submitted by the victims' ex-boyfriends and ex-girlfriends. Each victim's full name, city of residence, social media profile and profession were prominently listed alongside the images.
After data breaches, companies still nonchalant about cybersecurity
Company executives have observed Target, JPMorgan Chase, Home Depot, Anthem, and other major companies suffer devastating data breaches - and understand they need stronger cybersecurity protocols - but actually deploying new methods has been rather slow.
Seventy-eight percent of company tech executives have not been briefed on internal security strategy within the past 12 months, according to a Raytheon survey. In addition, 75 percent said cybersecurity is a necessary cost, but only 25 percent of respondents said security is a strategic priority.
"The Target hack was very interesting," said Jack Harrington, VP of cybersecurity and special missions at Raytheon, in a statement published by the Christian Science Monitor. "It raised awareness across the entire retail industry certainly," but demand for chief information security officer (CISO) positions wasn't a priority. "That tells you they felt they didn't even need that position. They just didn't feel at risk."
Politics could get in the way of improved US national cybersecurity
It took several high-profile data breaches before the United States publicly discussed the need for improved cybersecurity protocols. Democrats and Republicans agree that something must be done, and the effort could receive bipartisan support from the Obama Administration and the Republican-led Congress, but security experts hope politics don't get in the way of necessary change.
"In order to improve cybersecurity, it is critical to facilitate the sharing of cyberattack information," said Sen. Ron Johnson (R-Wisc), in the GOP weekly address. "By sharing threat signatures, vulnerabilities and other indicators of network compromise, within and between the private sector and government, many cyberattacks can be prevented."
Report: More than 1,500 international data breaches in 2014
More than 1,500 data breaches were recorded worldwide in 2014, almost 50 percent more than the year before, according to the Gemalto Breach Level Index (BLI) report. Of the 1 billion records compromised, almost 800 million belonged to US companies, a frightening figure that cybersecurity experts expect to rise.
Companies remain unsure how to address these sometimes sophisticated cyberattacks, while consumers are frustrated that their personal information is seemingly up for grabs. Banks and credit card companies are becoming more proactive in identifying - and informing customers - of fraud, but it can still be a chaotic process.
"Not only are data breach numbers rising, but the breaches are becoming more severe," said Jason Hart, VP of cloud services, identity and data protection at Gemalto. "Identity theft could lead to the opening of new fraudulent credit accounts, creating false identities for criminal enterprises, or a host of other serious crimes. As data breaches become more personal, we're starting to see that the universe of risk exposure for the average person is expanding."
More Anthem data breach fallout, millions of kids at risk of ID theft
Tens of millions of Anthem customers are at risk from the Anthem data breach, including millions of children. Personal information ranging from names and dates of birth to Social Security numbers and health care ID numbers was stolen, and some children could be at risk for decades, according to cybersecurity experts.
Children's records are tied to their parents' accounts, so attacks against adult account holders are expected to accelerate as well. But a child's personal information is especially lucrative to criminals: because it has not yet been tied to a credit file, neither the government nor the credit reporting agencies are watching it for fraudulent activity, and misuse can go unnoticed for years.
"Every terrible outcome that can occur as the result of an identity theft will happen to the children who were on that database," said Adam Levin, chairman and founder of IDentityTheft911, in a statement published by NBC News. "Criminals will use those stolen Social Security numbers to open accounts, get medical treatment, commit tax fraud, you name it."
NSA says North Korea definitely to blame for Sony attack
The National Security Agency (NSA) believes North Korea is behind the Sony Pictures attack because of software used to breach the company. SPE was targeted in November by a group calling itself the "Guardians of Peace," with emails, employee personal information, movies, and other data stolen - and posted online.
"We ultimately ended up generating the signatures to recognize the activity used against Sony," said NSA Director Admiral Michael Rogers, in a statement during a security conference in Canada. "From the time the malware left North Korea to the time it got to Sony's headquarters in California, it crossed four different commanders' lines or areas in the US construct."
Cyberattacks are stretching government investigators, who unexpectedly find themselves spending more of their time on breaches of private sector companies even as attacks mount against critical infrastructure and government agencies.
DHS recommends users uninstall Superfish adware from Lenovo products
The US Department of Homeland Security (DHS) recommended that Lenovo customers remove the Superfish adware from their computers and laptops. The Chinese electronics company preloaded the software on consumer machines from late 2014 until January 2015, and says it is no longer installing it.
Despite Lenovo saying there were no cybersecurity issues, the US-CERT National Cyber Awareness System said affected customers are vulnerable to SSL spoofing attacks: to inject ads into encrypted pages, Superfish installs its own root certificate, and because every affected machine carries the same certificate and private key, anyone who extracts that key can impersonate any HTTPS site to those machines without the browser raising a warning. "Systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken," the DHS said in a statement published by Reuters.
"We should have known about this sooner," said Brion Tingler, Lenovo spokesman, in a statement to Reuters. "And if we could go back, we never would have installed this software on our machines. But we can't, so we are dealing with this head on."
Hackers still have access to US State Department email system
US State Department officials confirmed the agency temporarily shut down its unclassified email system because of hacker activity three months ago - and it looks like security experts still haven't been able to boot the unwelcome guests from its network.
The origin of the attacks remains unknown, though specialists suggest Russia. No classified data has been accessed, but there is growing concern that the intruders will be able to forge emails, delete emails, and find a path onto classified networks.
"We have robust security to protect our systems and our information, and we deal successfully with thousands of attacks every day," said Marie Harf, State Department spokeswoman, in a statement to Bloomberg. "We take any possible cyber intrusion very seriously."
Google puts FBI on blast for invasive privacy practices against users
Google objects to the FBI being able to easily search Internet-connected devices owned by consumers, and has sent a 14-page letter to officials saying so.
"Law-abiding citizens who were the target of an unconstitutional search but are not charged with a crime will almost certainly never learn of the search and therefore will not be able to challenge the search," said Richard Salgado, director of information security and law enforcement for Google, in a letter to the US government.
Not surprisingly, the federal government thinks it needs access to user data to bust criminals and for better national security:
NSA hacked into largest SIM card maker, accessing billions of phones
Just days after we reported that the NSA had backdoor access to the firmware of hard drives from major manufacturers including Seagate and Western Digital, Edward Snowden is back with new information that the National Security Agency (NSA) and its British partner GCHQ hacked into Gemalto. Gemalto, a Dutch company, is the world's largest SIM card manufacturer.
Gemalto makes two billion SIM cards each year. The NSA broke into the company and stole its encryption keys, the per-subscriber secret keys burned into each SIM, which let the agencies secretly monitor both voice calls and data. The Intercept reported the news, and the theft has reportedly given the spy agencies the ability to secretly monitor gigantic portions of the world's cellular communications, which experts have called a major violation of international law. Considering that Gemalto makes SIM cards for companies like AT&T, Sprint, T-Mobile and Verizon, you can begin to see the scope of this hack by the US government agency. Gemalto itself operates in some 85 countries around the world, providing SIM cards to over 450 wireless network providers.
With these encryption keys in hand, the NSA has the power to monitor mobile communications "without the approval of telecom companies and foreign governments", reports The Guardian. This is something I talked about in my last OpEd, where the Obama administration needs to address it, and as I said, "The NSA needs to be ripped apart, and its powers neutered". Most people think that calls on 3G and 4G mobile networks are encrypted, and while they may be, with the keys that the NSA and GCHQ hold it's like they are living "in the phone".
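Why a stolen SIM key defeats the air-interface encryption is easiest to see in code. The toy model below is an added example, not code from Gemalto, The Intercept or any carrier: it keeps the real structure of GSM-style authentication and key agreement (the SIM and the carrier's authentication centre share a secret Ki; the network sends a random challenge RAND in the clear; both sides derive an authentication response SRES and a session cipher key Kc from Ki and RAND; the call is encrypted under Kc), but the A3/A8 key-derivation and A5 cipher are stand-ins built from HMAC-SHA256 and SHA-256, which are assumptions, not the real COMP128/Milenage or A5 algorithms. The sample IMSI and Ki are constructed.

```python
"""Toy GSM-style authentication and key agreement, showing what a passive
listener gains from a stolen SIM key (Ki).  Added illustration only: the
A3/A8 and A5 functions below are HMAC/SHA-256 stand-ins (assumption), not
the real COMP128/Milenage/A5 algorithms, and the subscriber data is made up.
"""
import hashlib
import hmac

# Constructed sample subscriber: the IMSI identifies the SIM, Ki is the
# 128-bit secret shared by the SIM and the carrier's authentication centre.
SAMPLE_IMSI = "310150123456789"
SAMPLE_KI = bytes.fromhex("0123456789abcdef0123456789abcdef")


def a3_a8(ki, rand):
    """Stand-in for the SIM's A3/A8: (SRES, Kc) from Ki and a 16-byte RAND.
    Real GSM returns a 32-bit SRES and a 64-bit Kc; we keep those sizes."""
    mac = hmac.new(ki, rand, hashlib.sha256).digest()
    return mac[:4], mac[4:12]


def a5_keystream(kc, frame_no, length):
    """Stand-in for the A5 stream cipher keystream, keyed by Kc and the
    frame number (which changes per burst and is public)."""
    out, ctr = b"", 0
    while len(out) < length:
        block = kc + frame_no.to_bytes(4, "big") + ctr.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        ctr += 1
    return out[:length]


def a5_crypt(kc, frame_no, data):
    """XOR with keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, a5_keystream(kc, frame_no, len(data))))


def air_interface_exchange(imsi, ki, rand, message, frame_no=7):
    """One authentication plus one encrypted frame.  Returns only what a
    passive radio listener sees: identity, RAND, SRES and ciphertext.
    (Real networks mostly use temporary identities; simplified here.)"""
    sres_net, kc_net = a3_a8(ki, rand)   # computed by the carrier's AuC
    sres_sim, kc_sim = a3_a8(ki, rand)   # computed inside the SIM
    if sres_sim != sres_net:
        raise ValueError("authentication failed")   # would not happen with the real Ki
    return {
        "imsi": imsi,
        "rand": rand,                    # sent in the clear
        "sres": sres_sim,                # sent in the clear
        "frame_no": frame_no,            # public
        "ciphertext": a5_crypt(kc_sim, frame_no, message),
    }


def passive_decrypt(capture, stolen_keys):
    """What an eavesdropper holding a table of stolen Ki values can do.
    RAND is public, so with the right Ki they derive Kc just as the SIM did
    and read the frame; without it the 32-bit SRES check fails and they
    learn nothing.  No cooperation from the carrier is needed."""
    ki = stolen_keys.get(capture["imsi"])
    if ki is None:
        return None                      # subscriber's key was not in the haul
    sres, kc = a3_a8(ki, capture["rand"])
    if sres != capture["sres"]:
        return None                      # wrong key for this SIM
    return a5_crypt(kc, capture["frame_no"], capture["ciphertext"])


if __name__ == "__main__":
    rand = bytes(range(16))              # fixed challenge for a reproducible demo
    cap = air_interface_exchange(SAMPLE_IMSI, SAMPLE_KI, rand, b"meet at noon")
    print("on air:", cap["ciphertext"].hex())
    print("without keys:", passive_decrypt(cap, {}))
    print("with stolen Ki:", passive_decrypt(cap, {SAMPLE_IMSI: SAMPLE_KI}))
```

The point the example makes is that the radio link is only as secret as Ki: everything else the listener needs (RAND, SRES, frame number, ciphertext) is broadcast. Changing the cipher or the network generation does not help while the same Ki is reused, which is why a bulk theft of keys from the SIM vendor is equivalent to a wiretap on every phone those SIMs go into.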
Movies nominated for an Oscar see surge in Internet piracy
Following news of which films are up for Oscars, online piracy of nominated movies increased 385 percent since January 15, according to the Irdeto piracy monitoring firm.
Irdeto uses a crawler to monitor torrent downloads, and saw increased interest following the Oscar nominations - largely due to increased media coverage - with screener films sometimes leaked online.
"Hollywood screeners specifically accounted for a substantial 31 percent of the total illegal downloads tracked between January 15 and February 14," according to Irdeto, as published by TorrentFreak. "Six nominated movies currently unavailable for retail purchase on Blu-ray, DVD, VOD or legal streaming/download sites saw the majority of piracy coming directly from these screeners: American Sniper, The Imitation Game, Wild, Selma, Whiplash and Still Alice."
Lenovo will no longer pre-install controversial Superfish PC adware
Computer manufacturer Lenovo will no longer pre-install the controversial Superfish adware on PCs and laptops, following a growing public backlash from customers. Cybersecurity experts warned that Superfish, which injects advertisements into web pages, left users vulnerable to interception of their encrypted traffic.
"The way the Superfish functionality appears to work means that they must be intercepting traffic in order to insert ads," said Eric Rand, researcher for Brown Hat Security, in a statement to Reuters. "This amounts to a wiretap."
Lenovo must now answer questions regarding its use of Superfish, including how long it was pre-installed, and how much data was collected by the software. Superfish was installed on consumer PCs and notebooks only.
Swedish man behind BlackShades malware pleads guilty in US court
Swedish citizen Alex Yucel, 24, has pleaded guilty to co-creating the BlackShades malware, a remote access trojan that infected more than 500,000 PCs across the world. Yucel pleaded guilty to one count of distribution of malicious software, and faces a maximum sentence of 10 years.
In exchange for his guilty plea, there is a stipulated agreement that will see Yucel receive a sentence ranging from 70 to 87 months. "I do actually want to plead guilty," Yucel said in his court appearance. "I knew that the program would be used to cause damage."
Yucel was arrested in November 2013 while in Moldova, and was extradited to the United States. As the operator of the criminal organization, Yucel hired administrators, marketing and customer support staff to interact with customers - generating upwards of $350,000 in revenue.