Hacking, Security & Privacy - Page 29

Companies are under cyberattack, and a single distributed denial of service (DDoS) attack could cost companies from $52,000 up to $444,000 depending on how large the company is. Enduring downtime due to a DDoS cyberattack also hurts the company's public relations image, with disclosures made to customers and federal regulatory bodies.

Following a DDoS attack, 61 percent of victims lost access to critical business information, while 38 percent were unable to conduct day-to-day business operations. As cybercriminals are becoming more organized - and finding new strategies to launch cyberattacks - volumetric attacks tend to be increasing, outnumbering application-layer attacks.

"A successful DDoS attack can damage business-critical services, leading to serious consequences for the company," said Eugene Vigovsky, head of the Kaspersky DDoS protection at Kaspersky Lab. "For example, the recent attacks on Scandinavian banks caused a few days of disruption to online services and also interrupted the processing of bank card transactions, a frequent problem in cases like this."

The Drug Enforcement Agency (DEA) is currently engaged in a widespread license plate reader program nationwide, and millions of license plates have been collected, according to a report from the American Civil Liberties Union (ACLU). The campaign started in 2008 and focused on taking pictures of vehicles, occupants and license plates, in an effort to identify and better track suspected criminals smuggling drugs and money to and from Mexico.

"It's not the kind of information government should be compiling," said Jay Stanley, a policy analyst for the ACLU, in a statement to the media. "Location data is very powerful information."

The following states were targeted, based on popular drug smuggling routes on highways: California, Arizona, New Mexico, Nevada, Texas, Georgia, Florida and New Jersey. Once collected and archived, the DEA shared information with local and state policy officials. Data was stored on record for two years until 2012, when program officials dropped it down to six months, the ACLU report found.

Hackers hijacked Taylor Swift's Twitter and Instagram accounts today, threatening to release naked pictures of the popular singer. Swift has bitten back, announcing on her Twitter that there are no 'nudes' to be had and the only way they could 'uncover' anything would be to use Photoshop.

After stating that her Twitter had been compromised though Tumblr, she later announced that her Instagram had also fallen victim. People are questioning if the superstar has been using the same password for multiple social media accounts, as it's uncommon to see a small amount of accounts compromised like this - usually its a singular service taken or its everything in one go.

The hacker-made tweets have now been deleted from her account and everything has gone back to normal. Seemingly Swift has been able to shake it off quite well - laughing in the face of the hackers.

Launching cyberattacks against targets once was a time intensive, difficult and costly effort, but it has become easier and inexpensive to launch distributed denial of service (DDoS) attacks.

Groups such as Anonymous and Lizard Squad are able to launch devastating attacks against large corporations and major targets using botnets of hijacked computers and routers. However, companies are becoming better at identifying these types of cyberattacks, but prove to be hugely inconvenient when the attacks succeed.

"There's been a massive jump in the number of very large attacks going on out there," said Darren Anstee, senior analyst at Arbor, while speaking to BBC. "In 2014 we saw more volumetric attacks, with attackers trying to knock people offline by saturating their access to the Internet."

The US government is no stranger to casting a large net in hopes of catching a few fish, so news of a new vehicle tracking database isn't entirely surprising. The Justice Department has a sophisticated database to track vehicle movements, and several other agencies are already using the data.

Several US law enforcement agencies already use automated license plate scanners mounted to police vehicles, and there also stationary systems that monitor highways and also take pictures of the vehicles. Some of these systems can actually be used to identify individuals inside of the vehicles.

The Justice Department has noted that there are already 343 million records in the database. This data includes the vehicle, time, and direction of travel. The primary intention is to find trafficking offenders for the DEA, but the Justice Department plans to expand the system to search for vehicles involved in rapes and murders. There is no word if the system will be expanded to encompass even more types of crime.

Companies have struggled against cyberattacks and distributed denial of service (DDoS) attacks, while mobile devices remain "the perfect target for attackers," said Thomas Tschersich, Deutsche Telekom's computer security chief.

Cybercriminals are able to easily compromise mobile devices, and with connection speeds via mobile topping many home broadband connections, can be exploited to launch attacks against targets. To counter this threat, Deutsche Telekom informs around 20,000 German subscribers per month about malware infection - and urges them to remove the malware.

Despite Deutsche Telekom's proactive efforts, attack bandwidth is estimated at several gigabytes per hour from these mobile devices. For just a couple hundred euros, criminals are able to launch attack and generate an impressive return on investment (ROI) for their efforts.

Business leaders need to become more computer literate so they are better able to understand evolving threats posed by cybercriminals. Criminals are using the digital equivalent of an F-16 fighter jet to launch attacks against governments and corporations, finding surprising levels of success, according to an Israeli cybersecurity expert.

"The breakers in cyber are one step ahead of the makers... we're out of equilibrium," said Nadav Zafrir, former Israel Defense Force tech commander and founder of Team8 Cyber Security Venture Creation, during a recent meeting with corporate leaders. "You have to redefine control. You have to let go, and it's scary. It's too important to leave it to the cyber experts. You [the CEO] have to become cyber literate."

Business leaders are confused in their efforts to defend against cyberattacks, often unsure how to prevent data breaches - and what to do if one occurs. However, analysts and experts recommend companies focus on preventing insider attacks, try to clamp down on outside threats, and have a recovery plan in case a breach does take place.

Dennis Rodman doesn't believe North Korea is responsible for attacking Sony Pictures, with the former NBA champion thinking Pyongyang wouldn't lash out against Sony Pictures just for making "The Interview."

"If the North wanted to hack anything in the world, anything in the world, really, they are going to go hack a movie? Really?!" Rodman recently said in an interview with The Hollywood Reporter. "How many movies have there been attacking North Korea? And they never hacked those. North Korea is going to hack a comedy, a movie that is really nothing? I can't see that happening. Of all the companies... really? Over a movie?

It's worth noting, however, North Korea has been blamed for attacking South Korean infrastructure, including financial institutions - and has a budding cybercriminal unit that is well-trained and financed by Pyongyang. Furthermore, if North Korea actually is responsible for breaching SPE, it was likely done to further develop its cyberespionage abilities that could be used against future targets.

Reports were published within the past week that more than 1,800 Minecraft accounts were hacked, with passwords leaked online - but the company has defended itself, and it looks like phishing attacks are to blame.

"No! We haven't been hacked," said Owen Hill, Chief World Officer at Mojang, in a published blog post. " No one has gained access to the Mojang mainframe. Even if they did, we store your passwords in a super encrypted format. Honestly, you don't need to panic."

Affected Minecraft players have been emailed and will now need to reset their passwords. If you want to change your password just in case, head to Minecraft.net/resetpassword.

Business leaders are paying attention to cybersecurity more than they were in recent years, but struggle to find methods to keep networks secure. Trying to determine what steps to take remains a complicated issue, especially with some companies discovering data breaches months after the initial incident occurs.

There are a number of potential problems for companies trying to keep their networks secure, as potential attacks originate from a variety of sources. Much focus is dedicated to preventing a breach, but business leaders also need to focus on the likelihood that a cyberattack was successful:

"The role of organized crime and government-sanctioned hacking will continue to thwart cybersecurity efforts [in 2015]," said JF Roy, CTO of TIBCO LogLogic, in a statement to TweakTown. "Breaches will continue to be discovered after the fact, which means that businesses must update their security and risk management plans to include incident response policies with contingencies for involvement of federal law enforcement."

It appears the serial ports of automated tank gauges (ATGs) of almost 5,300 gas stations and fuel depots in the United States are vulnerable because they aren't password protected. ATGs are used to more accurately track fuel tank inventory levels, raise alarms, track fuel deliveries, and conduct leak tests - but people with access to the interfaces could cause problems, according to the Rapid7 Security Street blog.

It doesn't look like there have been any incidents of actual breaches, but shows the importance of password protecting connected technologies. ATGs can be accessed via serial port, plug-in serial port, TCP/IP circuit board, and fax/modem.

Rapid7 was made aware of the issue by Jack Chadowitz, founder of the Kachoolie security firm, and started investing ATG vulnerabilities since Jan. 9.

Despite previous reports claiming the Lizard Squad was hacked, which would be a public relations nightmare for the hacker group, it appears the list could have just been distributed. Members of the group were sharing the list with trusted contacts, plotting attacks against specific accounts that piqued their interest. Seems a trusted source received the list and decided to publicly release it, according to an unnamed Lizard Squad member.

"We've got a fairly good idea who handed it over to Krebs & co. though," a supposed Lizard Squad spokesman told Forbes. "I didn't look into it much but from what I heard there were some pretty well known Twitter users in there for example and gamers. There were some interesting people who signed up... and considering most users were stupid enough to reuse their passwords..."

The Lizard Squad still seems mainly interested in attacking gaming-related services and servers, and while several members have been arrested, continue to pose a threat.

Thirty-two percent of users who share an Internet-enabled device, such as smartphones or tablets, with relatives, colleagues or friends don't take precautions to protect their information, according to a survey from Kaspersky Lab and B2B International.

Many people use PCs, smartphones, tablets and other devices with at least one other person, with one in three users saying they share devices - but don't have proper security protocols in place while sharing technology.

"Sharing a computer or smartphone increases the risk of malware infection, data loss or account theft, so it is important to take precautions," said Elena Kharchenko, Head of Consumer Product Management at Kaspersky Lab. "Always keep backup compies of important files; delete information that should not fall into the wrong hands, especially by disabling form autofill; try to control user access rights on the device - and most importantly - use programs that provide protection against cyber threats."

Attention on cyberattacks typically tends to focus on data breaches, but nonprofit groups likely face a higher risk of ransomware attacks. These types of attacks typically begin with a phishing attempt that gets an employee to unknowingly install custom malware designed to encrypt files - and hold critical data for ransom, or the files will be left permanently compromised.

As nonprofits are adjusting efforts to reach fundraising goals, people donating to these groups expect a certain level of security while contributing money - and a ransomware attack can be extremely detrimental.

"In 2015, the number of unique cybersecurity threats has surpassed the 300 million mark, growing at a steady rate of almost 40,000 new threats a day," said Catalin Cosoi, global security strategist of Bitdefender. "But it's not only the sheer number of malware that poses an immediate risk to nonprofits across the United States. Some of these viruses now specialize in extorting businesses by encrypting data and then asking for money in return... for the decryption key."

High-profile cyberattacks and data breaches in 2014 indicated the serious need for improved security efforts, but 2015 could be even worse, noted Cisco CEO John Chambers. Data breaches sometimes take months to detect, and improving security remains a difficult process that causes headaches for business leaders and IT staff.

Of specific concern is the growing number of connected devices now access the Internet, with cybercriminals interested in exploiting these products.

"There is no data center or network in the world that hasn't been hacked," said Chambers, speaking to CNBC during the World Economic Forum. "If you watched the number of attacks, they're going up exponentially this year, this year's going to be much worse than last year."

Sony will delay releasing its third quarter earnings report because of Sony Pictures continuing to struggle with repair of its crippled computer systems. Company officials want to release Sony's earnings report on March 31, and have asked regulators for additional time to get its IT situation sorted.

It will take until early February until SPE systems are fully restored and operational because of the "amount of destruction and disruption that occurred, and the care necessary to avoid further damage by prematurely restarting functions," according to Sony.

Despite The Interview bringing it close to $50 million from the box office, online rentals and sales, it has been a constant headache for the film studio. During CES, Sony CEO Kazuo Hirai said current and former employees suffered "one of the most vicious and malicious" cyberattacks to target a company - and applauded them for their continued resolve.

Companies suffered relentless cyberattacks and data breaches in 2014, and that trend is expected to continue in 2015. Business leaders need to streamline their efforts to improve cybersecurity protocols to prevent outside breaches, along with defending accidental and intentional insider threats posed by employees.

"Because of the multitude and sophistication of both internal and external attack vectors, cybersecurity is perhaps the most daunting operational challenge facing organizations today," said JF Roy, CTO of TIBCO LogLogic, in a statement to TweakTown.

As companies and government departments scramble to fix potential security problems, they are throwing money at the problem - but that can be a futile effort if they don't understand why these incidents occurred in the past.

Barrett Brown, a writer and activist linked to the Anonymous hacker group, has been sentenced to five years in prison for sharing stolen data and threatening an FBI agent. Brown pleaded guilty to obstructing the execution of a search warrant, accessory to an unauthorized access of a protected computer and making Internet threats.

Brown's tweets and posted YouTube videos helped generate unwanted attention by federal investigators, and the 33-year-old was blamed for sharing data stolen from the Stratfor private defense contractor. He originally could have faced more than 100 years if convicted - and after time served in custody already - must serve three more years.

"If I criticize the government for breaking the law, but then break the law myself in an effort to reveal their wrongdoing, I should expect to be punished just as I've called for the criminals at government-linked firms to be punished," Brown said before he was sentenced. "When we start fighting crime by any means necessary, we become guilty of the same hypocrisy as law enforcement agencies throughout the history that break the rules to get the villains, and so become villains themselves."

Police in Israel have reportedly arrested a hacker accused of stealing unfinished songs from Madonna's latest album. Adi Lederman, a 38-year-old Israeli, will face charges related to intellectual property theft and aggravated fraud, and has allegedly stolen and sold other music online.

Madonna's album "Rebel Heart" is scheduled for release in March, but songs were leaked online in December. Not surprisingly, the musician asked fans not to listen to the stolen songs, pleading to music fans that the song theft was the equivalent of a personal and professional violation.

"I am profoundly grateful to the FBI, the Israeli Police investigators and anyone else who helped lead to the arrest of this hacker," Madonna wrote on her Facebook page. "I deeply appreciate my fans who have provided us with pertinent information and continue to do so regarding leaks of my music. Like any citizen, I have the right to privacy. This invasion into my life - creatively, professionally, and personally remains a deeply devastating and hurtful experience, as it must be for all artists who are victims of this type of crime."

A whopping 93 percent of organizations are vulnerable to insider threats, and the problem continues to be confusing for business leaders, according to Vormetric's "2015 Insider Threat Report." The threat report also discovered 59 percent of respondents believe privileged users pose the biggest threat to their organization, and preventing a data breach is a major priority for IT security spending.

Trying to keep companies secure from insider threat - both accidental and malicious - is a problem that only seems to be getting worse, as companies are unsure how to address evolving security problems. As such, experts are concerned the number of massive data breaches, which captured headlines in 2014, will continue in 2015 while companies remain flustered.

"As the past year demonstrates, these threats are real and need to be addressed," said Alan Kessler, CEO of Vormetric. "Organizations wishing to protect themselves must do more than take a data-centric approach; they must take a data-first approach. Although we are heartened that 92 percent of organizations plan to maintain or increase their security spending in the coming year, our larger concern is about how they plan to spend that money."