
The internet of insecure things just keeps getting murkier and more problematic. Researchers have determined that hackers are abusing a 12-year-old vulnerability in OpenSSH to attack the ‘internet of unpatchable things’.

Since anyone can now download the Mirai source code – it’s even on GitHub – players across the field, both botnet dabblers and researchers, are playing around with the malware that hijacks IoT devices and is responsible for the largest DDoS attack on record.

In fact, researchers at Incapsula are already reporting new attacks that seem to be “experimental first steps of new Mirai users who were testing the water after the malware became widely available. Likely, these are signs of things to come and we expect to deal with Mirai-powered attacks in the near future.”

Is the sky really falling or is it FUD? Well, if the underground market treats Mirai malware like it has other malicious source code which has been leaked, then welcome to an IoT DDoSing nightmare. Researchers at F5 said to expect thugs “to adapt, combine, and improve the code, resulting in newer and enhanced variants.” F5 warned, “We can definitely expect the IoT DDoSing trend to rise massively in the global threat landscape.”

IoT devices being used in mass-scale SSHowDowN Proxy attacks

Add to that an OpenSSH vulnerability which has been around for 12 years and the fact that attackers are exploiting the flaw to create huge amounts of traffic for SSHowDowN Proxy attacks launched against e-commerce and other sites.

Researchers at Akamai Technologies disclosed that new targeted attacks, which use a very old flaw, are originating from IoT devices such as: DVR, NVR and CCTV video surveillance devices, satellite antenna equipment, networking devices such as routers, hotspots, WiMax, cable and ADSL modems, and Network Attached Storage (NAS) devices connected to the internet. Other devices hooked online may also be susceptible.

The IoT devices are being used to mount attacks “against a multitude of internet targets and internet-facing services, such as HTTP, SMTP and network scanning,” as well as to mount attacks against internal networks that host the devices.

In many cases, there are default login settings such as “admin” and “admin” or other lax credentials to get to the web management console. Once attackers access the web admin console, they can compromise the device’s data and sometimes even take complete control of the machine.

The attack itself is not new, but Akamai Technologies has seen a surge in SSHowDowN Proxy attacks in which IoT devices are being “actively exploited in mass scale attack campaigns.”

A new report on exploiting IoT and SSHowDowN (pdf) explained that the root causes for the vulnerability include weak factory-default administration credentials, the fact that the devices allow remote SSH connections and the devices allow TCP forwarding.
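The three root causes named in the report map directly onto sshd_config directives. The script below is an added illustration (not Akamai's tooling and not from the report) that reads an sshd_config, applies OpenSSH's first-value-wins rule for each keyword, and lists which of those settings still sit at the permissive value. The directive names are real OpenSSH keywords; the two sample configs are constructed.

```python
"""Audit an sshd_config for the weaknesses named in the SSHowDowN report.

Added illustration, not Akamai's tooling. Directive names are real OpenSSH
keywords; the sample config texts below are constructed for this example.
"""

# sshd(8) uses the FIRST value it finds for each keyword, so a duplicate
# line further down does not override an earlier one. Values here are the
# OpenSSH defaults that apply when a keyword is absent.
OPENSSH_DEFAULTS = {
    "allowtcpforwarding": "yes",
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# Values that remove the three root causes: no forwarding through the
# device, no password logins (so factory credentials are useless), no root.
RECOMMENDED = {
    "allowtcpforwarding": "no",
    "passwordauthentication": "no",
    "permitrootlogin": "no",
}


def parse_sshd_config(text):
    """Return the effective global {keyword: value} map (lower-cased)."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword value" or "Keyword=value"; keywords are case-insensitive.
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break  # settings after a Match block are conditional; stop here
        effective.setdefault(key, value)  # first value wins
    return effective


def audit(text):
    """Return [(keyword, current_value, recommended_value), ...] for each
    directive that still allows one of the report's root causes."""
    effective = parse_sshd_config(text)
    findings = []
    for key, safe in RECOMMENDED.items():
        current = effective.get(key, OPENSSH_DEFAULTS[key])
        if current != safe:
            findings.append((key, current, safe))
    return findings


# Constructed example of a permissive factory-style config: root login is
# enabled and forwarding/password auth are left at their defaults.
SAMPLE_FACTORY_CONFIG = """\
# constructed sample, not taken from any real device
Port 22
PermitRootLogin yes
"""

# Constructed example of the same file after hardening.
SAMPLE_HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("factory", SAMPLE_FACTORY_CONFIG),
                      ("hardened", SAMPLE_HARDENED_CONFIG)):
        print(f"{name}:")
        for key, cur, safe in audit(cfg) or []:
            print(f"  {key}: is '{cur}', recommend '{safe}'")
```

Running it against a real device means pointing `audit` at the contents of `/etc/ssh/sshd_config`; a device whose firmware offers no way to change these values is exactly the "unpatchable" case the article describes, and the only remaining control is to keep its SSH port off the internet.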

Default passwords

Default passwords have long plagued the security industry and put users at great risk. Since the Mirai source code was made public, many sites have published the 61 passwords powering the Mirai botnet which is capable of hijacking over 500,000 vulnerable IoT devices.

Double that number by adding in devices with shoddy-to-no security made by the Chinese firm XiongMai Technologies. Flashpoint researchers said there are over 500,000 devices on public IPs that are vulnerable to the username and password combination “root” and “xc3511.”

130,000 vulnerable Avtech systems

Search Lab’s Gergely Eberhardt found 14 vulnerabilities in Avtech devices like DVRs and IP cameras; there are 130,000 Avtech devices exposed on the internet and “Avtech is the second most popular search term in Shodan.”

Eberhardt found the vulnerabilities and first attempted to contact the company back in September 2015. After more than a year and zero response from Avtech, Eberhardt published an advisory and proof-of-concept scripts for the flaws.

If you don’t want your Avtech device to end up as part of an IoT botnet, change the default admin password and go the extra safe mile of never exposing “the web interface of any Avtech device to the internet.” You should always change default passwords, but some manufacturers didn’t have enough concern for users to build in that option.

Internet of unpatchable things

“We're entering a very interesting time when it comes to DDoS and other web attacks; 'The Internet of Unpatchable Things' so to speak,” explained Ory Segal, senior director of Threat Research at Akamai. “New devices are being shipped from the factory not only with this vulnerability exposed, but also without any effective way to fix it. We've been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality.”

$50,000 for innovative IoT security solution

MITRE, on the other hand, hopes to find innovative IoT security solutions and launched the Unique Identification of IoT Devices Challenge. The winner will walk away $50,000 richer and the solution may help to save us from an IoT nightmare.

Source : computerworld


When hackers tried to steal nearly $1 billion from Bangladesh’s central bank, the Federal Reserve Bank of New York failed to spot warning signs and nearly let all the money go. Here's a guide of how the heist worked.

Banks are tightening the security of their SWIFT messaging networks – used by the industry to shift trillions of dollars each day – following revelations that hackers are increasingly able to get into this system to steal money.

Bankers at SWIFT’s annual SIBOS conference in Geneva said they were adopting new security tools, reviewing procedures and pressing their counterparties to do the same. Some banks are also looking at alternative technologies for transferring money, such as blockchain-type systems.

They are stepping up their efforts after the theft of $81 million from the Bangladesh central bank in February and revelations of other infiltration of banks’ SWIFT terminals. These hacks have undermined confidence in SWIFT messages, which were previously accepted at face value.

“The attacks will continue and get more sophisticated,” SWIFT Chief Executive Gottfried Leibbrandt warned delegates at the conference organized by SWIFT, which is a global member-owned cooperative.

Benoit Desserre, Global Head of Global Transaction Banking at France’s Societe Generale, said his bank had already undertaken all of SWIFT’s recommended security measures but that the hacks had encouraged it to go one step further.

The bank is introducing a new layer of security whereby the staff who are approved to send SWIFT payment instructions must now sign on with a fingerprint scanner. This is in addition to passwords and a physical computer key.

“It was easier for us to make that investment knowing what has happened,” he told Reuters in an interview. “It suddenly became more important to get something like that.”

In time, SocGen may press its counterparties to use a similar system, only agreeing to fulfill payment instructions which carry a digital fingerprint, Desserre said. But he said cost could slow a broader roll-out of the technology.

Facebook Friends

In the wake of the hacks, the French bank also went through its SWIFT system to weed out redundant communications channels. SWIFT operates like Facebook in that members can only send messages to confirmed counterparties. But sometimes these links remain open even after business relationships end.

SWIFT’s Chairman Yawar Shah told delegates at the conference that such open channels were a security risk and that all banks should weed out unused channels.

Desserre said Societe Generale had removed thousands.

Cheri McGuire, Chief Information Security Officer at Standard Chartered said her bank was also conducting an internal review around its SWIFT systems.

But banks are not just looking at their own systems.

The Bangladesh Bank heist involved diverting money held at accounts at the Federal Reserve Bank of New York into accounts in the Philippines.

Bankers said to avoid this happening in the future bigger banks needed to ensure the smaller banks they work with have appropriate security procedures.

Sergio Dalla Riva, Head of Product Development, Global Transaction Banking at Intesa Sanpaolo S.p.A. said understanding the security capabilities of your clients was becoming part of customer due diligence.

Lev Khasis, Chief Operating Officer at Sberbank, Russia’s biggest bank by assets, said he expected regulators to tighten oversight of security practices but that peer pressure would also play a role.

“Some big banks will be pushing their smaller counterparties to move in that direction,” he said. Sberbank was already pushing its clients in this way, he said.

New Technology

The SWIFT hacks are also spurring interest in new technologies.

Lars Sjogren, Global Head of Transaction Banking at Danske Bank said his bank was working with technology companies to develop tools that would spot unusual and potentially fraudulent payment instructions sent via SWIFT.

“Payments of a certain size by a customer to people they normally pay should be green-lighted. But others could be yellow or red-lighted. There is a huge demand from our customers for that kind of service,” he said.
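The green/yellow/red triage described above can be expressed as a small rule set over a customer's payment history. The code below is an added illustration of that idea; it is not Danske Bank's tool, any SWIFT product, or anything described in the article beyond the three-colour scheme. The history, the size multiple and the sample instructions are constructed.

```python
"""Traffic-light triage of outgoing payment instructions.

Added illustration of the green/yellow/red idea, not Danske Bank's tool or
any SWIFT product. The customer history, the size multiple and the sample
instructions are constructed for this example.
"""
from statistics import median

# Constructed payment history per customer: (beneficiary account, amount).
HISTORY = {
    "CUST-001": [("BEN-A", 10_000), ("BEN-A", 12_000), ("BEN-B", 9_500),
                 ("BEN-A", 11_000), ("BEN-B", 10_500)],
}


def triage(customer, beneficiary, amount, history=HISTORY, size_multiple=3.0):
    """Return 'green', 'yellow' or 'red' for one payment instruction.

    green : known beneficiary and the amount is within the customer's
            normal range (median of past payments times size_multiple)
    yellow: known beneficiary but unusually large, or a new beneficiary
            receiving a normal-sized amount -> hold for a human to look at
    red   : new beneficiary AND unusually large amount -> block pending review
    A customer with no history has no baseline, so every amount counts as
    large; that is a deliberately conservative choice.
    """
    past = history.get(customer, [])
    known = {b for b, _ in past}
    typical = median(a for _, a in past) if past else 0
    large = typical == 0 or amount > size_multiple * typical
    if beneficiary in known and not large:
        return "green"
    if beneficiary not in known and large:
        return "red"
    return "yellow"


def triage_batch(instructions, history=HISTORY):
    """Triage a list of (customer, beneficiary, amount) tuples, returning
    the same list with the colour appended to each entry."""
    return [(c, b, a, triage(c, b, a, history)) for c, b, a in instructions]


# Constructed sample instructions for the customer above.
SAMPLE_INSTRUCTIONS = [
    ("CUST-001", "BEN-A", 11_500),   # usual payee, usual size
    ("CUST-001", "BEN-A", 50_000),   # usual payee, unusually large
    ("CUST-001", "BEN-Z", 5_000),    # new payee, small
    ("CUST-001", "BEN-Z", 900_000),  # new payee, very large
]

if __name__ == "__main__":
    for customer, beneficiary, amount, colour in triage_batch(SAMPLE_INSTRUCTIONS):
        print(f"{customer} -> {beneficiary} {amount:>9,}: {colour}")
```

The two thresholds that matter (what counts as a known counterparty and what counts as large) are exactly the parameters a bank would tune per customer; the point of the example is that even this crude baseline flags the combination that characterises a diversion, an unfamiliar destination receiving an unusually large sum, without touching the routine flow of payments.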

Others are looking at technologies which might one day replace the current SWIFT “FIN” message which banks send to tell another bank to move money around.

Blockchains are the most commonly touted alternative. These involve a publicly accessible ledger, which works as an electronic record-keeping and transaction-processing system and requires no third-party verification. The ledger can be checked at any time, helping to highlight fraudulent transfers.

On Wednesday, Sberbank joined the Hyperledger Project, which was formed by the Linux Foundation, a not for profit technology consortium, to develop new blockchain technologies for businesses. Khasis said such a system might be more secure than sending FIN messages.

SWIFT is also developing blockchain initiatives and its involvement could help to speed up the technology’s adoption, David Treat, Blockchain Lead at consultants Accenture, said. Nonetheless, he said that governance and privacy challenges remained.

Mark Buitenhek, Global Head of Transaction Services at ING, said he was doubtful blockchain or other technologies were a silver bullet.

“Fraud is a constant and fraud will remain there if we move to the next digital generation or not,” he said.

Source : http://globalnews.ca

Upon discovering that it had been hacked by China, the Canadian government’s scientific-research body did digital damage control on an enormous scale. Firing up its vintage fax machines, it jettisoned scores of computer servers, bought its staff hundreds of new laptops and drew up a list of about 20,000 corporate partners in Canada whose secrets risked being collateral damage.

Records newly released to The Globe and Mail reveal these and other details about the extensive fallout from this nightmare at the National Research Council. The hack of the NRC was highlighted in July 2014, when the then-Conservative government blamed China, making it the only cyber-espionage campaign that Canada has ever pinned on a specific state adversary.

While hacks of government departments occur relatively routinely, the NRC could be considered a more valuable target than most. For decades, it has been routing tax dollars to fund cutting-edge research in agriculture, engineering and computer science. Placing bets on Canadian companies helps the NRC work to ensure future prosperity, and its staff gets a glimpse of emerging technologies and proprietary business plans. 

That’s why the Canadian government was alarmed when federal officials announced two years ago that they had “detected and confirmed a cyber intrusion” within the NRC by “a highly sophisticated Chinese state-sponsored actor.”

But while prime minister Stephen Harper's government took the unprecedented step of allowing officials to make the controversy public, it remains unknown how or when Chinese hackers first infiltrated the NRC’s computer systems, or what drew them to it in the first place.

The records released to The Globe under the Access to Information Act show only the aftermath. Job No. 1 at the agency was to warn the “clients” – corporations, academics, entrepreneurs – via phone calls and mailed letters that they were at risk. “The NRC has been the target of a cyber intrusion. As a result the information held in our systems from your organization may have been compromised,” one form letter reads.

One version of this letter in the NRC files was accompanied by a spreadsheet of more than 20,000 Canadian firms, most of them apparently engaged in government-sponsored research.

“As a precautionary measure, NRC informed all clients and research partners involved in business relationships and research activities of the cyber intrusion,” spokesman Guillaume Bérubé said in reply to questions about this list.

Several of the companies that were contacted by The Globe said they felt that the fallout was minimal because they were careful, even before the hack, about sharing trade secrets with the agency. Their biggest gripe with the NRC was that correspondence and payments became frustratingly slow in 2014. “It wasn’t back to the buggy, but it was pretty close,” said one entrepreneur, who asked not to be named.

This was because staff at the scientific agency had been told not to use computers to communicate. E-mail “must not be used to transmit secure, sensitive or confidential information,” one memo read. “The preferred way of transferring confidential information … is paper (fax, mail, courier),” another said.

Clients were to be told that “if you must share sensitive information with the NRC, the best practice is to do it via physical media” – meaning on paper or via USB sticks.

As the hack was announced publicly, one enterprising NRC employee wrote that he found a stash of safe digital devices. “I’ve dug up a box of brand new McAfee USB keys that we bought a few years ago,” he told colleagues in an e-mail. Calling them “state of the art” for their encryption capability, he said they could serve as a “stopgap, at least until NRC gets in more for everyone.”

Even the act of plugging a smartphone into an NRC computer was deemed risky. “Instead of using your computer to charge your phone, charge it through a wall outlet,” one memo says.

The agency started to pull the plug on almost all of its existing computer architecture as it created the data equivalent of an airlock. The hope was to move electronic files from the NRC’s legacy “black” environment to a blank slate of new machines dubbed the “green” environment.

The in-between step was the “grey zone,” a locked-down “scrubbing” station with no external network connectivity and which banned unfamiliar digital devices and outsiders. “The process of scrubbing data to be taken out of the Grey Zone can take a long time. We have seen up to 40 minutes to scrub 1 GB [gigabyte] of data,” one employee complained.

The NRC’s initial hope was to have fully rebuilt systems within a year. Most are now in place, but the Canadian Press recently reported that some parts will not be ready until July 2018.

Early this summer, the NRC announced that it had embarked on a partnership with its scientific counterparts in a foreign country.

That country is China. This new joint venture with Guangdong province aims to better fund collaborative Canadian and Chinese research projects.

The NRC was asked by The Globe why it would want to do business with a country that allegedly stole from it just two years ago.

Mr. Bérubé said simply that “global collaboration is a competitive necessity to generate new business opportunities.” The NRC spokesman added in his e-mailed reply that “the government of Canada is committed to deepening our trade relationships with established and emerging markets, including China.”

Over the years, the NRC has engaged in several foreign partnerships, and has done business with China before.

But Peter Phillips, a University of Saskatchewan professor who specializes in agriculture and innovation, suggests that several motivations could be at play in the new partnership.

“There’s an old adage that if you can’t beat them, join them,” he quipped.

He added that 2014 will be remembered as a painful year at the NRC. “Everything was down to hard copy, paper, and fax machines at best,” he said. “And this is our largest research organization in the country.”

Source : http://www.theglobeandmail.com/news/national/records-show-extensive-fallout-from-chinese-hack-of-national-research-council/article31695327/


Facial recognition makes sense as a method for your computer to recognize you. After all, humans already use a powerful version of it to tell each other apart. But people can be fooled (disguises! twins!), so it’s no surprise that even as computer vision evolves, new attacks will trick facial recognition systems, too. Now researchers have demonstrated a particularly disturbing new method of stealing a face: one that’s based on 3-D rendering and some light Internet stalking.

Earlier this month at the Usenix security conference, security and computer vision specialists from the University of North Carolina presented a system that uses digital 3-D facial models based on publicly available photos and displayed with mobile virtual reality technology to defeat facial recognition systems. A VR-style face, rendered in three dimensions, gives the motion and depth cues that a security system is generally checking for. The researchers used a VR system shown on a smartphone’s screen for its accessibility and portability.

Their attack, which successfully spoofed four of the five systems they tried, is a reminder of the downside to authenticating your identity with biometrics. By and large your bodily features remain constant, so if your biometric data is compromised or publicly available, it’s at risk of being recorded and exploited. Faces plastered across the web on social media are especially vulnerable—look no further than the wealth of facial biometric data literally called Facebook.


Other groups have done similar research into defeating facial recognition systems, but unlike in previous studies, the UNC test models weren’t developed from photos the researchers took or ones that the study participants provided. The researchers instead went about collecting images of the 20 volunteers the way any Google stalker might—through image search engines, professional photos, and publicly available assets on social networks like Facebook, LinkedIn, and Google+. They found anywhere from three to 27 photos of each volunteer. “We could leverage online pictures of the [participants], which I think is kind of terrifying,” says True Price, a study author who works on computer vision at UNC. “You can’t always control your online presence or your online image.” Price points out that many of the study participants are computer science researchers themselves, and some make an active effort to protect their privacy online. Still, the group was able to find at least three photos of each of them.

The researchers tested their virtual reality face renders on five authentication systems—KeyLemon, Mobius, TrueKey, BioID, and 1D. All are available from consumer software vendors like the Google Play Store and the iTunes Store and can be used for things like protecting data and locking smartphones. To test the security systems, the researchers had the subjects program each one to detect their real faces. Then they showed 3-D renders of each subject to the systems to see if they would accept them. In addition to making face models from online photos, the researchers also took indoor head shots of each participant, rendered them for virtual reality, and tested these against the five systems. Using the control photos, the researchers were able to trick all five systems in every case they tested. Using the public web photos, the researchers were able to trick four of the systems with success rates from 55 percent up to 85 percent.


Face authentication systems have been proliferating in consumer products like laptops and smartphones—Google even announced this year that it’s planning to put a dedicated image processing chip into its smartphones to do image recognition. This could help improve Android’s facial authentication, which was easily spoofed when it launched in 2011 under the name “Face Unlock” and was later improved and renamed “Trusted Face.” Nonetheless, Google warns, “This is less secure than a PIN, pattern, or password. Someone who looks similar to you could unlock your phone.”

Facial authentication spoofing attacks can use 2-D photos, videos, or in this case, 3-D face replicas (virtual reality renders, 3-D printed masks) to trick a system. For the UNC researchers, the most challenging part of executing their 3-D replica attack was working with the limited image resources they could find for each person online. Available photos were often low resolution and didn’t always depict people’s full faces. To create digital replicas, the group used the photos to identify “landmarks” of each person’s face, fit these to a 3-D render, and then used the best quality photo (factoring in things like resolution, lighting, and pose) to combine data about the texture of the face with the 3-D shape. The system also needed to extrapolate realistic texture for parts of the face that weren’t visible in the original photo. “Obtaining an accurately shaped face we found was not terribly difficult, but then retexturing the faces to look like the victims’ was a little trickier and we were trying to solve problems with different illuminations,” Price says.

If a face model didn’t succeed at fooling a system, the researchers would try using texture data from a different photo. The last step for each face render was correcting the eyes so they appeared to look directly into the camera for authentication. At this point, the faces were ready to be animated as needed for “liveness clues” like blinking, smiling, and raising eyebrows—basically authentication system checks intended to confirm that a face is alive.

In the “cat-and-mouse game” of face authenticators and attacks against them, there are definitely ways systems can improve to defend against these attacks. One example is scanning faces for human infrared signals, which wouldn’t be reproduced in a VR system. “It is now well known that face biometrics are easy to spoof compared to other major biometric modalities, namely fingerprints and irises,” says Anil Jain, a biometrics researcher at Michigan State University. He adds, though, that, “While 3-D face models may visually look similar to the person’s face that is being spoofed, they may not be of sufficiently high quality to get authenticated by a state of the art face matcher.”

The UNC researchers agree that it would be possible to defend against their attack. The question is how quickly consumer face authentication systems will evolve to keep up with new methods of spoofing. Ultimately, these systems will probably need to incorporate hardware and sensors beyond just mobile cameras or web cams, and that might be challenging to implement on mobile devices where hardware space is very limited. “Some vendors—most notably Microsoft with its Windows Hello software—already have commercial solutions that leverage alternative hardware,” UNC’s Price says. “However, there is always a cost-benefit to adding hardware, and hardware vendors will need to decide whether there is enough demand from and benefit for consumers to add specialized components like IR cameras or structured light projectors.”

Biometric authenticators have the potential to be extremely powerful security mechanisms, but they’re threatened when would-be attackers gain easy access to personal data. In the Office of Personnel Management breach last year, for instance, hackers stole data for 5.6 million people’s fingerprints. Those markers will be in the wild for the rest of the victims’ lives. That data breach debacle, and the UNC researchers’ study, captures the troubling nature of biometric authentication: When your fingerprint–or faceprint–leaks into the ether, there’s no password reset button that can change it.

Source : https://www.wired.com/2016/08/hackers-trick-facial-recognition-logins-photos-facebook-thanks-zuck/#slide-2

The cyberattack that knocked hundreds of school networks offline in Japan last week had at least one novel feature: It was allegedly instigated by a student. A 16-year-old high school student who said he was frustrated with his teachers unleashed an attack on the Osaka Board of Education server that took 444 elementary, junior high and high school networks offline, investigators said.

The student monitored the attack from his cellphone and later told authorities that he wanted to join hacktivist group Anonymous, according to the investigators.

Unusual until recently, student-launched attacks are becoming more common, said Radware security researcher Daniel Smith. The firm issued a threat advisory alert this week.

Like the rest of the world, schools and universities are increasingly reliant on cloud-based infrastructure to function, making them more vulnerable to attack. At the same time, the widespread availability of free or inexpensive hacking software and services means malicious students no longer need special skills to cause trouble.

"We have been getting approached by education institutions or regional IT firms who say they are starting to see some increased attack activity," said Smith.

Aggression toward a school or staff member is one of several common motivations for the attacks. Others include delaying tests, changing grades and manipulating the registration process to gain an advantage over other students.

In the U.S., Rutgers, Arizona State University and the University of Georgia have had denial-of-service attacks in the past year. These attacks are often so effective that they completely overwhelm networks and prevent students, teachers and administrators from being able to log on. This wreaks havoc on large administrations and results in delays, for example, in class registration and final exams.

The Rutgers attacker, who has not been caught but is believed to be a student and reportedly goes by the name "Exfocus", carried out six attacks over the course of a year, starting in November 2014. "He wanted to show the vulnerabilities inside the college network," said Smith. "It was very simple for him to topple the network, and it caused a lot of issues for students and staff members."

Attackers are taking aim at student portals, admission processing sites, mail servers and sensitive databases holding personal information. They are also targeting educational platforms connecting students and institutions including Blackboard and Moodle. One such example took aim at Janet, a research and educational network connecting 19 regional universities in England, which has fallen victim to several DDoS attacks over the past year.

Of course, just because these attackers are often still in high school does not mean they will get off lightly. A 15-year-old in Adelaide, Australia, could face 10 years in prison for allegedly launching one of the largest DDoS attacks the country has ever witnessed. The attack was directed at several organizations, including Reynella East College, and was so widespread that it impacted around 10,000 customers of internet service provider NuScope.

Source: http://www.cnbc.com/2016/05/20/whos-hacking-schools-now-the-students.html

As the number of reported data breaches continues to blitz U.S. companies — over 6 million records exposed already this year, according to the Identity Theft Resource Center — IT budgets are ballooning to combat what corporations see as their greatest threat: faceless, sophisticated hackers from an outside entity.

But in reality, a bigger danger to many companies and to customers' sensitive data comes from seemingly benign faces inside the same companies that are trying to keep hackers out: a loan officer tasked with handling customers' e-mail, an attendant at a nursing home, a unit coordinator for the main operating room at a well-regarded city hospital.

According to Verizon's 2015 Data Breach Investigations Report, about 50 percent of all security incidents — any event that compromises the confidentiality, integrity or availability of an information asset — are caused by people inside an organization. And while 30 percent of all cases are due to worker negligence like delivering sensitive information to the wrong recipient or the insecure disposal of personal and medical data, roughly 20 percent are considered insider misuse events, where employees could be stealing and/or profiting from company-owned or protected information.

Often, that translates to employees on the front lines stealing patient medical data or client social security numbers, which can then be sold on the black market or used to commit fraud like collecting someone else's social security benefits, opening new credit card accounts in another's name, or applying for health insurance by assuming the identity of someone else.

"The Insider Misuse pattern shines a light on those in whom an organization has already placed trust," Verizon said in the report. "They are inside the perimeter defenses and given access to sensitive and valuable data, with the expectation that they will use it only for the intended purpose. Sadly, that's not always the way things work."

For the first time since 2011, Verizon found that it's not cashiers involved with most insider attacks, but many "insider" end users — essentially anyone at a company other than an executive, manager, finance worker, developer or system administrator — carrying out the majority of such acts. Most are motivated by greed.

"Criminals have a different motivating factor," said Eva Velasquez, CEO and president of Identity Theft Resource Center, a non-profit charity that supports victims of identity theft. "There are a number of jobs that pay minimum wage where individuals have access to this type of information, and so the incentive may be 'this isn't a job that is paying me enough to support myself.'"

Velasquez cites workers in an assisted living facility tasked with caring for patients, a job in close proximity to medical records that can be accessed by a few keyboard taps. According to the Bureau of Labor Statistics, such healthcare support occupations see mean annual wages hovering around $25,000, a salary that might make workers more vulnerable to stealing for self gain. Or, maybe worse, they fall prey to acting as a conduit for some type of organized crime ring looking to make big money by selling or manipulating stolen personal data.

According to the Verizon report, the public sector, health care and financial services — like credit card companies, banks, and mortgage and lending firms — were the industries hit hardest by insider incidents in 2015.

In one recent case, a Baltimore man is facing federal charges of identity theft and bank fraud after he used personal information of at least three nursing home residents to open multiple credit card accounts without their permission. A former employee of Tufts Health Plan pleaded guilty to stealing names, birth dates and social security numbers that were eventually used to collect social security benefits and fraudulent income tax refunds. A former assistant clerk at Montefiore Medical Center in New York was indicted in June 2015 for printing thousands of patients' records daily and selling them. The information in the records was eventually used to open department store credit cards at places like Barneys New York and Bergdorf Goodman; the alleged actions are estimated to have caused more than $50,000 in fraud, according to the New York County District Attorney's Office.

While the number of breaches and hacks by outsiders has skyrocketed since 2007 in tandem with the surging digitization of information, the occurrence of insider jobs can be a read on the overall economy. It tends to peak during recessions and drop off when times are good, according to the Identity Theft Resource Center. In 2009, the percentage of insider attacks hit a high of roughly 17 percent; after a three-year slide, the amount today (about 10 percent) is slowly creeping back up.

"When the economy isn't doing well, you'll see people that are feeling stressed and taking advantage of opportunities they might not take advantage of otherwise," said attorney James Goodnow from the Lamber Goodnow team at law firm Fennemore Craig.

With the defining characteristic of an internal breach being privilege abuse — employees exploiting the access to data that they've been entrusted with — the best way to mitigate such attacks is to limit the amount of information allotted to workers.

"As business processes have started to rely more on information and IT, the temptation, the desire is to give people access to everything [because] we don't want to create any friction for users to do their jobs," said Robert Sadowski, director of marketing and technology solutions at security firm RSA.

Terry Kurzynski, senior partner at security firm Halock Security Labs, said that smart entities perform enterprise-wide risk assessments to find where their systems are most vulnerable and to spot aberrations in user behavior.

But sophisticated analytics does little to assuage situations where employees are using low-tech methods to capture information. "Most systems will not handle the single bank employee just writing down on paper all the bank numbers they see that day — that's difficult to track," said Guy Peer, a co-founder of security firm Dyadic Security.

Clay Calvert, director of cybersecurity at IT firm MetroStar Systems, said communication with employees in a position to turn rogue is key. "That's a big deterrent in identity theft cases; if an employee feels like the company cares for them, they're less likely to take advantage of the situation."

Hackers hiding in plain sight

Preventing the display of sensitive data in plain sight — say an employee seeing a confidential record as they walk by a colleague's computer — is the focus of Kate Borten, founder of Marblehead Group consultancy and a member of the Visual Privacy Advisory Council. She recommends companies institute a clean desk policy (ensuring that workers file away papers containing customer data before they leave their desk), implement inactivity timeouts for any tech devices, and switch to an e-faxing system, which eliminates the exposure of sensitive patient data on paper that piles up around traditional fax machines.

Experts also say that tougher penalties for and more prosecution of inside hackers would also be a disincentive for such crimes. "On a general level, there can be practical barriers to pursuit of a criminal case, such as the victim company's fear of embarrassment, reputational damage, or the perceived risk — real or not — that their trade secrets will be exposed in a court proceeding," said Brooke French, shareholder at law firm Carlton Fields.

But she added, "The DOJ and local authorities prosecute these cases all the time, despite what are seen as common barriers. The barriers are low when the actions are clearly wrong, such as a hospital employee stealing electronic medical records and selling them on the black market."

While the price tag for stolen information on the black market can translate to a lucrative sales career for some crooked employees, it's a costly phenomenon for organizations once they have realized it has occurred, which is often "during forensic examination of user devices after individuals left a company," said Verizon.

That's usually too late to enact damage control. According to the Ponemon Institute, the average cost of a breach is $217 per record.

"That's just the hard costs, what you have to pay for notifying customers or any type of remediation services," said Velasquez. "The bigger, broader cost is the reputational damage that shows itself not just to the entity that suffers the damage, but to the industry."

Source:  http://www.cnbc.com/2016/05/13/a-surprising-source-of-hackers-and-costly-data-breaches.html
