Tag Archives: site

[ISN] How Companies Can Rebuild Trust After A Security Breach

FacebookTwitterLinkedInShare

http://www.forbes.com/sites/katevinton/2014/07/01/how-companies-can-rebuild-trust-after-a-security-breach/ By Kate Vinton Forbes Staff July 1. 2014 “It’s not a question of if you will be hacked, but when,” says cybersecurity expert Joe Adams. This is bad news for companies, not only because of security risks, but also because data breaches have a significant and measurable impact on customers’ trust and spending habits, according to a study released Monday. The good news? Customers, who are generally not concerned about security until a breach happens, are looking for transparency and timely responses to breaches, something companies can provide with enough preparation and foresight. Interactions, a customer experience marketing group, released a study Monday called “Retail’s Reality: Shopping Behavior After Security Breaches.” Using the same sampling as the 2010 U.S. Census, the study looks at how security breaches impact customers’ shopping habits. Forty-four percent of survey respondents had been the victim of a data breach. A higher 60% of Millennials had had their data stolen, likely because these 18 to 24-year-olds are much more likely to share their information online and sign up for retail credit cards, according to DeMeo, Vice President of Global Marketing and Analytics at Interactions. Trust for retail is low, with 45% of shoppers saying they don’t trust retailers to keep their information safe. After a security breach, 12% of loyal shoppers stop shopping at that retailer, and 36% shop at the retailer less frequently. For those who continue to shop, 79% are more likely to use cash instead of credit cards. According to DeMeo, shoppers who use cash statistically spend less money, hurting the company. Indeed, 26% say they will knowingly spend less than before. All this paints a concerning picture for retailers looking to both keep their company secure and minimize the negative impact of a security breach if




Tags: , , , , , , , , , , , , , , , , , , , , , ,

[ISN] DoD 8570 InfoSec Training and Compliance Vendors Vulnerable to XSS

http://www.infosecnews.org/dod-8570-1-infosec-training-and-compliance-vendors-vulnerable-to-xss/ By William Knowles @c4i Senior Editor InfoSec News July 1, 2014 XSSposed (XSS exposed) is reporting that the Web sites of both the InfoSec Institute and the EC-Council are vulnerable to a Cross-site scripting (XSS) attack. Cross-Site Scripting (XSS) inserts specially crafted data into existing applications through Web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a modification to a browser script, to a different end user. XSS attacks often lead to bypass of access controls, unauthorized access, and disclosure of privileged or confidential information. Cross-site scripting attacks are listed as the number three vulnerability on the OWASP Top 10 list for 2013. According to XSSposed, the InfoSec Institute has not one, two, three, four, five, six, but SEVEN XSS vulnerabilities discovered this week. This most recent XSS vulnerability to the EC-Council is to their portal page where their customers sign in. This is not the only XSS vulnerability to their site, The Hacker News reported one back in 2011 and Rafay Baloch and Deepanker Arora discovered another in 2013. In a previous Web defacement statement the “EC-Council takes the privacy and confidentiality of their customers very seriously.” Regardless, the EC-Council Web site was compromised three times during a single week in February 2014. Since the breach, EC Council has neither confirmed nor denied allegations that the attacker exfiltrated thousands of passports, drivers. licenses, government and military Common Access Cards (CACs). [...]


Tags: , , , , , , , , , , , , , , , ,

[ISN] What If Oil Companies Apply The Same Tactics For Cybersecurity To Safety?

http://www.forbes.com/sites/lorensteffy/2014/06/30/what-if-oil-companies-apply-the-same-tactics-for-cybersecurity-to-safety/ By Loren Steffy Forbes.com 6/30/2014 The American Petroleum Institute is working with several large U.S. oil companies to assemble a team of cybersecurity specialists that would help identify and prevent malicious software attacks against the computers that control the country’s energy infrastructure. Led by an executive for Dallas-based Hunt Oil, the group will serve as a clearinghouse of sorts for threats to automated systems. By improving communication among oil companies, the group, known as the Oil and Natural Gas Information Sharing and Analysis Center, hopes to get companies working together to thwart attacks that could cripple offshore rigs, refineries, pipelines and other equipment. The approach makes a lot of sense. After all, the potential for hackers to target energy company computer systems poses a mutual threat that is best addressed when companies combine their efforts. The oil and gas industry has shown remarkable solidarity when it comes to addressing what it perceives as a common outside threat, whether it comes from hackers or new regulations the industry considers onerous. It’s been far less willing, however, to take such a collaborative approach to confront threats from within its own ranks. [...]


Tags: , , , , , , , , , , , , , , , , , ,

[ISN] Leaked: 10 Months Of The Houston Astros’ Internal Trade Talks

http://deadspin.com/leaked-10-months-of-the-houston-astros-internal-trade-1597951970 By Barry Petchesky Deadspin.com 6/30/2014 Two years ago, the Houston Astros constructed “Ground Control”—a built-from-scratch online database for the private use of the Astros front office. It is by all accounts a marvel, an easy-to-use interface giving executives instant access to player statistics, video, and communications with other front offices around baseball. All it needs, apparently, is a little better password protection. Documents purportedly taken from Ground Control and showing 10 months’ worth of the Astros’ internal trade chatter have been posted online at Anonbin, a site where users can anonymously share hacked or leaked information. Found below, they contain the Astros front office’s communications regarding trade overtures to and from other teams, as well as negotiations—a few of which actually led to trades. You will find heavy efforts to get a big haul for Bud Norris at last year’s trade deadline (before settling for very little), pushes to acquire touted young talents like Dylan Bundy and Gregory Polanco, and even evidence the Astros rejected out of hand a blockbuster deal that could have brought them Giancarlo Stanton. > From a strict baseball perspective, all of this is really interesting > just for the insight it offers into how baseball trades work on an operational level. As it turns out, it really isn’t too different from your fantasy league, with front office types kicking around ideas, making preposterous demands, gossiping, and discussing various contingencies. If this happens, we’ll be looking to do this, but then if this other thing happens, we’ll be looking to do this. All of it is worth running through, but a few of the highlights are as follows: [...]


Tags: , , , , , , , , ,

[ISN] This Site Shows Who Is Hacking Whom Right Now — And The US Is Getting Hammered

http://www.businessinsider.com/norse-hacking-map-shows-us-getting-hammered-2014-6 By Jeremy Bender Business Insider June 26, 2014 U.S.-based computer security firm Norse has released a real-time animated map that illustrates ongoing cyberattacks around the world. Without a doubt, the U.S. is getting constantly hammered by hackers. In just 45 minutes, the U.S. was the victim of 5,840 cyberattacks. Within that span of time, the U.S. suffered from 27 times more cyberattacks than Thailand, the second most targeted country. Thailand was the target of only 220 cyber attacks during these 45 minutes. The Norse map does not represent all hacking attempts in the world. Instead, according to Smithsonian Magazine, the map relies on a Norse honeypot network — a network purposefully designed to detect hacking — to provide a representative snapshot of global hacking attempts. [...]


Tags: , , , , , , , ,

[ISN] Third-Party Service Providers Scrutinized After SEA’s Reuters Hack

http://www.eweek.com/security/third-party-service-providers-scrutinized-after-seas-reuters-hack.html By Robert Lemos eWEEK.com 2014-06-25 One content provider’s lapse in spotting the odd behavior of privileged users allowed the Syrian Electronic Army cyber-propaganda group to deface Reuters.com. As popular cyber-attack targets continue to make progress in locking down access to their networks and data, attackers searching for other ways to compromise their targets have increasingly focused on another weak point—third-party suppliers and contractors. On June 23, hackers from the propaganda group known as the Syrian Electronic Army redirected visitors to some Reuters articles to a defacement page that berated the news organizations for “fake reports and false articles about Syria.” The attackers did not breach Reuters network, however, but modified a content widget provided by Taboola, which normally allows media sites to monetize their page views. The SEA fooled one company employee, which the firm refers to as a “user,” into giving up their password and then used the access to Taboola’s Backstage platform to change the header in the Reuters widget, the company said in an analysis of the attack. [...]


Tags: , , , , , , , , , , ,

[ISN] Attackers poison legitimate apps to infect sensitive industrial control systems

http://arstechnica.com/security/2014/06/attackers-poison-legitimate-apps-to-infect-sensitive-industrial-control-systems/ By Dan Goodin Ars Technica June 24 2014 Corporate spies have found an effective way to plant their malware on the networks of energy companies and other industrial heavyweights—by hacking the websites of software companies and waiting for the targets to install trojanized versions of legitimate apps. That’s what operators of the Havex malware family have done with aplomb, according to a report published Tuesday by researchers from antivirus provider F-Secure. Over the past few months, the malware group has taken a specific interest in the types of industrial control systems (ICS) used to automate everything from switches in electrical substations to sensitive equipment in nuclear power plants. In addition to the normal infection channels of spam e-mail, the malware operators have added a new tack—replacing the normal installation files of third-party software with tainted copies that surreptitiously install a remote access trojan (RAT) on the computers of targeted companies. “It appears the attackers abuse vulnerabilities in the software used to run the websites to break in and replace legitimate software installers available for download to customers,” F-Secure researchers Daavid Hentunen and Antti Tikkanen wrote. “Our research uncovered three software vendor sites that were compromised in this manner. The software installers available on the sites were trojanized to include the Havex RAT. We suspect more similar cases exist but have not been identified yet.” [...]


Tags: , , , , , , , , , , , , , , , ,

[ISN] Sensitive Data Protection Bedevils IT Security Pros

http://www.informationweek.com/government/cybersecurity/sensitive-data-protection-bedevils-it-security-pros/d/d-id/1278796 By William Welsh InformationWeek.com 6/24/2014 Most organizations don’t know where their sensitive structured or unstructured data resides, says new Ponemon study. Knowing where sensitive data is located on an organization’s computer systems would seem a prerequisite for sound IT security, but the vast majority of IT security practitioners say they can’t count even on that fundamental premise, according to a Ponemon Institute study released Tuesday. Only 16% of respondents said they knew where their organization’s sensitive structured data resides, according to the State of Data Centric Security study. A mere 7% of respondents said they know the location of all sensitive unstructured data, including in emails and documents. Not knowing where their organization’s sensitive or confidential data is located was the No. 1 worry of the IT security respondents, eclipsing both hacker attacks and insider threats, according to the study. The study, which was sponsored by data integration software provider Informatica, is based on a survey of 1,587 IT security professionals whose jobs include helping protect sensitive or confidential structured and unstructured data. [...]


Tags: , , , , , , , , , , ,