Author Archives: leavcharl1

Charles Leaver – It Is Believed That The IRS Hack Began With Compromised Endpoints

Written By Michael Steward And Presented By Charles Leaver CEO Ziften

Internal Revenue Service Hackers Make Early Returns Due to Previous External Attacks

The Internal Revenue Service breach was one of the more unusual cyber attacks of 2015. The typical attack today starts with a phishing email that gains initial access to a target system, followed by lateral movement until data is exfiltrated. The IRS hack was different: much of the data needed to carry it out had already been obtained elsewhere. All the attackers had to do was walk in the front door and file the returns. How could this happen? Here is what we know:

The IRS website has a "Get Transcript" function that lets users retrieve details of previous tax returns. As long as the requester can supply the right details, the system returns past and current W-2s, old tax returns and so on. With anyone's SSN, date of birth and filing status, the attackers could begin retrieving that person's prior-year filing information. The system also used Knowledge Based Authentication (KBA), which asks questions drawn from the requested user's credit history.

KBA is not foolproof, however. The answers can often be predicted from information already known about the user, because the questions are of the form "Which of the following streets have you lived on?" or "Which of the following vehicles have you owned?" Anyone holding a stolen credit file, a data-broker profile or public records can answer them: KBA proves possession of data about the person, not that the requester is that person.

After the dust settled, it was estimated that the attackers attempted to pull 660,000 transcripts of prior taxpayer data through Get Transcript, and succeeded in 334,000 of those attempts. The failed attempts appear to have reached the KBA questions, where the attackers could not supply the correct answers. The IRS estimates the attackers got away with more than $50 million. So how did they do it?

Security analysts believe the attackers used information from earlier breaches (SSNs, dates of birth, addresses and filing statuses) to request prior-year return details for their victims. Where they succeeded and answered the KBA questions correctly, they submitted a fraudulent return for the 2015 filing year, often inflating the withholding amount on the form to obtain a larger refund. As noted above, not every attempt succeeded, but more than 50% of them did, producing significant losses for the IRS.
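A mass attack of this shape (hundreds of thousands of distinct identities, roughly half failing KBA) is invisible to the per-request authentication check but obvious in aggregate. The following is an added example, not code from the original post or from the IRS or Ziften, of a velocity check over a constructed access log for a KBA-gated self-service lookup. The log layout, the grouping of sources by /24, the 10-minute window and the thresholds are all assumptions to be replaced with your own fields and tuned limits.

```python
"""Velocity check for a KBA-gated self-service lookup such as Get Transcript.

Added example, not code from the original post or from the IRS or Ziften.
The log layout, the /24 grouping and the thresholds are assumptions; replace
them with your own access-log fields and tuned limits.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network


def build_sample_events():
    """Constructed sample log (not real IRS data).

    Each event: (ISO timestamp, source IP, opaque identity token such as a
    salted hash of SSN+DOB, KBA outcome)."""
    events = [
        # A genuine taxpayer looks up their own record, misses one question,
        # then retries successfully a minute later.
        ("2015-03-01T09:12:03", "198.51.100.7", "id-self", "kba_fail"),
        ("2015-03-01T09:13:40", "198.51.100.7", "id-self", "kba_pass"),
    ]
    # An attacker working a stolen identity list at 2 a.m., rotating through
    # six addresses in one /24 and passing KBA on about half the victims.
    start = datetime(2015, 3, 1, 2, 0, 0)
    for i in range(40):
        stamp = (start + timedelta(seconds=7 * i)).isoformat()
        source = f"203.0.113.{10 + i % 6}"
        outcome = "kba_pass" if i % 2 == 0 else "kba_fail"
        events.append((stamp, source, f"id-victim-{i}", outcome))
    return events


def window_start(stamp, window_minutes):
    """Floor a timestamp to the start of its fixed-size window."""
    ts = datetime.fromisoformat(stamp)
    return ts.replace(minute=(ts.minute // window_minutes) * window_minutes,
                      second=0, microsecond=0)


def velocity_findings(events, window_minutes=10, min_identities=5, min_fail_rate=0.25):
    """Group attempts by (source /24, window) and flag groups that touch many
    distinct identities while failing KBA at a rate no single person produces.

    Returns {(network, window_start): {"identities", "attempts", "fail_rate"}}.
    """
    buckets = defaultdict(lambda: {"ids": set(), "pass": 0, "fail": 0})
    for stamp, source, ident, outcome in events:
        net = str(ip_network(f"{source}/24", strict=False))
        bucket = buckets[(net, window_start(stamp, window_minutes))]
        bucket["ids"].add(ident)
        bucket["pass" if outcome == "kba_pass" else "fail"] += 1

    findings = {}
    for key, bucket in buckets.items():
        attempts = bucket["pass"] + bucket["fail"]
        fail_rate = bucket["fail"] / attempts
        if len(bucket["ids"]) >= min_identities and fail_rate >= min_fail_rate:
            findings[key] = {"identities": len(bucket["ids"]),
                             "attempts": attempts,
                             "fail_rate": round(fail_rate, 2)}
    return findings


def flagged_networks(events, **thresholds):
    """Sorted list of /24 networks with at least one flagged window."""
    return sorted({net for net, _ in velocity_findings(events, **thresholds)})


if __name__ == "__main__":
    for (net, start), stats in sorted(velocity_findings(build_sample_events()).items()):
        print(f"{net} from {start:%Y-%m-%d %H:%M}: {stats}")
```

A patient attacker defeats a pure velocity rule by slowing down and spreading requests across many networks, so this check belongs alongside per-identity controls: lock the identity after a KBA failure, notify the taxpayer of every transcript request, and treat a KBA failure on an identity followed by a success from a different source as a signal in its own right.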

Detection and response products like Ziften focus on identifying compromised endpoints (for example through phishing attacks) by providing real-time visibility into Indicators of Compromise (IoCs). If the theories are correct and the attackers used details gleaned from earlier attacks on organizations other than the IRS, those compromised organizations could have benefited from the visibility Ziften provides and limited the mass data exfiltration. Ultimately, the IRS appears to have been the vehicle for these attacks rather than their initial victim.


Charles Leaver – Comcast Customers Are At Risk From Shared Hacks And Data Exfiltration

Written By Michael Pawloski And Presented By Ziften CEO Charles Leaver

The Consumers Of Comcast Are Victims Of Data Exfiltration and Shared Hacks Via Other Companies

The private details of roughly 200,000 Comcast customers were compromised, as disclosed on November 5th 2015. Comcast was forced to make the announcement when it came to light that a list of 590,000 Comcast customer email addresses and passwords could be bought on the dark web for a mere $1,000. Comcast maintains that its own network was not attacked and that the list was assembled from past breaches of other businesses. Comcast further claims that only 200,000 of the 590,000 accounts still exist in its system.

Less than two months earlier, Comcast had already been hit with a $22 million fine over its accidental publication of almost 75,000 customers' personal information. Somewhat ironically, those customers had specifically paid Comcast for "unlisted voice-over-IP", a line item on the Comcast bill that promised each customer's information would be kept private.

Comcast instituted a mass reset of the 200,000 customer passwords, but anyone holding the list could have accessed these accounts before it was put up for sale. A simple password reset by Comcast will to some extent protect these accounts going forward, but it does nothing for customers who reused the same email and password combination on banking and credit card logins. If the accounts were accessed before the disclosure, it is entirely possible that other personal information, such as automatic payment details and home addresses, had already been harvested.
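Separating the 200,000 live accounts from the 590,000 names on the list is a matching job, but a blanket reset hides a more useful distinction: whether the leaked password is still the account's current password. The following is an added example, not code from the original post or from Comcast or Ziften, that triages a constructed dump against a constructed account store. The hashing scheme (PBKDF2-HMAC-SHA256) is assumed for illustration and is not Comcast's; the dump format and accounts are made up.

```python
"""Triage a leaked email:password list against your own account store.

Added example, not code from the original post or from Comcast or Ziften.
The account store, the hashing scheme (PBKDF2-HMAC-SHA256, assumed rather
than Comcast's) and the dump format are constructed for illustration.
"""
import hashlib
import hmac
import os


def hash_password(password, salt, iterations=100_000):
    """Derive the stored verifier for a password (assumed scheme, not Comcast's)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_account(email, password, active=True):
    salt = os.urandom(16)
    return {"email": email.lower(), "salt": salt,
            "hash": hash_password(password, salt), "active": active}


# Constructed account store: two current customers, one closed account.
ACCOUNTS = {acct["email"]: acct for acct in (
    make_account("alice@example.com", "Winter2014!"),
    make_account("bob@example.com", "correct horse battery"),
    make_account("carol@example.com", "hunter2", active=False),
)}

# Constructed "dark web" list in the usual email:password form. Alice's leaked
# password is still her live password, Bob's is an old one from another site,
# Carol closed her account, Dave was never a customer, and one line is junk.
LEAKED_DUMP = """\
alice@example.com:Winter2014!
Bob@Example.com:letmein
carol@example.com:hunter2
dave@example.org:passw0rd
not a credential line
"""


def parse_dump(text):
    """Yield (normalised email, password) pairs, skipping malformed lines.
    Only the first ':' splits, so passwords containing ':' survive."""
    for line in text.splitlines():
        email, sep, password = line.partition(":")
        if not sep or "@" not in email:
            continue
        yield email.strip().lower(), password


def triage(accounts, dump_text):
    """Sort leaked pairs into action buckets.

    reset_now: the leaked password still verifies against our store, so the
               account is live-compromised; reset it and review its history.
    monitor:   we hold the email but the leaked password is not the current one;
               the customer probably reused it elsewhere, so warn them.
    not_ours:  no active account here, nothing to reset.
    """
    buckets = {"reset_now": [], "monitor": [], "not_ours": []}
    for email, password in parse_dump(dump_text):
        acct = accounts.get(email)
        if acct is None or not acct["active"]:
            buckets["not_ours"].append(email)
            continue
        candidate = hash_password(password, acct["salt"])
        if hmac.compare_digest(candidate, acct["hash"]):
            buckets["reset_now"].append(email)
        else:
            buckets["monitor"].append(email)
    return buckets


if __name__ == "__main__":
    for bucket, emails in triage(ACCOUNTS, LEAKED_DUMP).items():
        print(f"{bucket:10s} {len(emails):3d}  {', '.join(emails)}")
```

The verification step is what turns "your email is on a list" into "your account is open right now", and the monitor bucket is precisely the password-reuse population the post worries about. Run the comparison with the same KDF and a constant-time compare, and never write the dump's plaintext passwords to logs or tickets.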

The bottom line: assuming Comcast was not attacked directly, it was the downstream victim of numerous other breaches that contained data about its customers. Detection and response solutions like Ziften can prevent mass data exfiltration and frequently reduce the damage done when these inevitable attacks occur.


Charles Leaver – Trump Hotels Were Breached Because Of Point Of Sale Vulnerabilities That Were Not Visible

Written By Matthew Fullard Presented By Charles Leaver CEO Ziften

Trump Hotels Point-of-Sale Vulnerabilities Highlight the Need for Faster Detection of Anomalous Activity

Trump Hotels suffered a data breach between May 19, 2014 and June 2, 2015. The infection vector was malware, which was found on front desk computers, POS systems and restaurant systems. In their own words, they "did not discover any evidence that any consumer information was taken from our systems." While it is reassuring that no evidence was found, if malware is present on POS systems it is most likely there to steal data from the cards that are swiped or, increasingly, tapped, inserted or waved. Absence of evidence is not evidence of absence, and to Trump Hotels' credit they have offered free credit monitoring.

If you examine a Point-of-Sale (POS) environment as an administrator you will notice one thing in abundance: the systems rarely change, and the software is nearly uniform across the deployment. That cuts both ways when it comes to securing such an environment. Software changes are slow to happen, need extensive testing, and are hard to roll out.

However, because such an environment is so homogeneous, it is also much easier to spot when something new has appeared on a single terminal: a binary or a network connection present on one terminal but on none of its peers is, by definition, the anomaly.

At Ziften we monitor every executing binary and every network connection within an environment the moment it occurs. If a single POS system started making new network connections or running new software, whatever its intent, it would be flagged for further review and investigation. Ziften also retains unlimited historical data from your environment; if you want to know exactly what happened six to twelve months ago, that is not a problem. Dwell times and AV detection rates can then be determined using our integrated threat feeds together with our binary collection and submission technology. We will also tell you which users launched which applications and at what time across that historical record, so you can find your initial point of infection.

POS problems continue to plague the retail and hospitality industries, which is a shame given how straightforward the environment is to monitor with detection and response.


Charles Leaver – Marriott Could Have Prevented Their Point Of Sale Breach With Continuous Endpoint Visibility

Written By Andy Wilson And Presented By Ziften CEO Charles Leaver

US retail outlets still appear to be an attractive target for cyber criminals seeking credit card data: Marriott franchisee White Lodging Services Corp announced a data breach in the spring of 2015 affecting customers at 14 hotels across the country from September 2014 to January 2015. This came after White Lodging suffered a similar attack in 2014. In both cases the attackers were reportedly able to compromise the Point-of-Sale systems of the Marriott lounges and restaurants at a number of locations run by White Lodging. They obtained the names printed on customers' credit or debit cards, the card numbers, the security codes and the expiration dates. POS systems were likewise the focus of recent breaches at Target, Neiman Marcus, Home Depot and others.

Traditionally, Point-of-Sale (POS) systems at many US retail outlets were "locked down" Windows machines running a small set of applications tailored to their function: ringing up the sale and processing the transaction with the card-issuing bank or merchant processor. Modern POS terminals are essentially PCs that run email clients, web browsers and remote desktop tools alongside their transaction software. To be fair, they are usually deployed behind a firewall, but they are still ripe for exploitation, and the best defenses can and will be breached if the target is valuable enough. For example, the remote control tools used to manage and update POS systems are frequently hijacked by attackers for their own purposes.

The card or payment processing network is an entirely separate, segmented and encrypted network. So how did the attackers manage to steal the payment card data? They took it from memory on the POS terminal while the payment was being processed. Even if retailers do not store card data, it can sit unencrypted in the POS machine's memory while the transaction is authorized. Memory-scraping POS malware such as PoSeidon, FindPOS, FighterPOS and PunKey is used by the thieves to harvest card data in that unencrypted state. The harvested data is then typically encrypted and either retrieved by the attackers or sent out to the Internet, where they collect it.
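Memory scrapers find card data the same way a defender can: pattern-match the magnetic-stripe track layouts in a process's memory, then use the Luhn check to discard the many digit runs that are not card numbers. The following is an added example, not code from the original post, from any of the malware families named above, or from Ziften, that sweeps a constructed memory image for Track 1 and Track 2 data and reports masked hits. The buffer is made up and uses industry-standard test card numbers, not real cards.

```python
"""Scan a memory buffer for plaintext payment card track data.

Added example, not code from the original post, from the named malware
families or from Ziften. It uses the same approach a memory scraper does
(pattern match for track layouts, then a Luhn check to drop false hits),
but in a defender's hands: sweep POS process memory for card data that should
not be sitting in the clear. The buffer below is constructed and uses
industry-standard test card numbers, not real cards.
"""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code>...   Track 2: ;<PAN>=<YYMM><service code>...?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})")
TRACK2 = re.compile(rb";?(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\??")


def luhn_ok(pan: bytes) -> bool:
    """Luhn check over ASCII digits; iterating bytes yields ints, so subtract 0x30."""
    total = 0
    for index, byte in enumerate(reversed(pan)):
        digit = byte - 0x30
        if index % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """First six and last four only, so the scanner's own output is not a leak."""
    text = pan.decode("ascii")
    return text[:6] + "*" * (len(text) - 10) + text[-4:]


def scan_buffer(buf: bytes):
    """Return masked hits for every Luhn-valid track found in `buf`, in offset order."""
    hits = []
    for match in TRACK1.finditer(buf):
        if luhn_ok(match.group(1)):
            hits.append({"track": 1, "offset": match.start(), "pan": mask(match.group(1)),
                         "expiry": f"{match.group(3).decode()}/{match.group(4).decode()}"})
    for match in TRACK2.finditer(buf):
        if luhn_ok(match.group(1)):
            hits.append({"track": 2, "offset": match.start(), "pan": mask(match.group(1)),
                         "expiry": f"{match.group(2).decode()}/{match.group(3).decode()}"})
    return sorted(hits, key=lambda hit: hit["offset"])


# Constructed memory image: padding, a Track 1 record (Mastercard test PAN),
# a Track 2-shaped decoy that fails Luhn, then a Track 2 record (Visa test PAN).
SAMPLE_MEMORY = (
    b"\x00" * 8 + b"ReceiptPrinter\x00"
    + b"%B5500000000000004^DOE/JANE^25121011234?"
    + b"\x00" * 5 + b";1234567890123456=2512101?"
    + b"\x00" * 3 + b";4111111111111111=2512101123456789?" + b"\x00" * 4
)


if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_MEMORY):
        print(hit)
```

Point this at the memory of the payment application itself and you learn how long plaintext track data lingers after authorization; point it at any other process on the terminal and a hit is the memory-scraper signal. The same two patterns, minus the Luhn step, are what most POS malware carries, which is why they also make a serviceable YARA rule for the malware's own binaries.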

Ziften's solution provides continuous endpoint visibility that can discover and remediate these kinds of threats. Ziften's MD5 hash analysis can spot new and suspicious processes or .dll files running in the POS environment (MD5 is fine for matching a known sample, but since MD5 collisions are practical, a hash used as a blocking decision key should be SHA-256), and Ziften can kill the process and collect the binary for further action or analysis. It is also possible to spot POS malware by alerting on command-and-control traffic: Ziften's integrated Threat Intel and Custom Threat Feed options let customers alert when POS malware communicates with C&C nodes. Finally, Ziften's historical data lets customers kick-start the forensic review of how the malware got in, what it did after it was installed and executed, and which other machines are infected.

It is past time for retailers to step up their game and look for new solutions to protect their customers' payment cards.


Charles Leaver – In Order To Learn From Their Previous Errors Experian Need To Use Continuous Monitoring

Written By Josh Applebaum And Presented By Charles Leaver Ziften CEO

Experian Needs To Learn From Past Mistakes And Implement A Continuous Monitoring Solution

Working in the security industry, I have always found my job hard to explain to the average person. Over the last couple of years that has changed. Unfortunately, we now see a new data breach announced every few weeks, with many more that are kept quiet. These breaches make front page headlines, and I can now explain to my friends what I do without losing them after a few sentences. Still, I wonder what we are learning from all of this. As it turns out, many businesses are not even learning from their own mistakes.

Experian, the global credit reporting firm, is one business with a lot to learn. A number of months ago Experian announced it had discovered that its servers had been breached and that customer data had been stolen. In announcing the breach, it reassured consumers that "our consumer credit database was not accessed in this incident, and no credit card or banking info was taken." Although Experian took pains to assure customers that their financial details were safe, it went on to list what actually was stolen: customers' names, addresses, Social Security numbers, birth dates, driver's license numbers, military ID numbers, passport numbers and additional information used in T-Mobile's own credit assessment. This is scary for two reasons: first, the kind of data that was taken; second, the fact that this is not the first time it has happened to Experian.

Although the hackers did not leave with "payment card or banking details", they did walk away with personal data that can be used to open new credit card, banking and other financial accounts. That alone is reason for the affected T-Mobile customers to be nervous, and all Experian customers should be a little worried.

As it turns out, this is not the first time Experian's servers have been compromised. In early 2014, T-Mobile announced that a "reasonably small" number of its customers had their personal details stolen when Experian's servers were breached. Brian Krebs has a very well-written post about how the hackers got into Experian the first time, so we will not go into much detail here. In that first breach, the hackers exploited a vulnerability in the company's support ticket system, which was left exposed without requiring a user to authenticate before using it. Now the scary part: although it became widely known that the hackers had used the support ticket system to gain access, it was not until shortly after the second breach that the support ticket system was shut down.

It is hard to believe it was a coincidence that Experian chose to shut down its support ticket system mere weeks after announcing it had been breached. If it was not a coincidence, then let's ask: what exactly did Experian learn from the first breach, in which attackers got away with sensitive customer data? Companies that store their customers' sensitive information must be held accountable not only for protecting that data, but also, if breached, for plugging the holes discovered while investigating the attack.

When businesses investigate a breach (or possible breach), it is vital that they have access to historical data so investigators can piece together how the attack unfolded. At Ziften we offer a solution that gives customers a continuous, real-time view of everything that happens in their environment. In addition to providing real-time visibility for identifying attacks as they happen, our continuous monitoring records all historical data so customers can "rewind the tape" and reconstruct what happened, however far back they need to look. With that visibility it is possible not only to discover that a breach occurred, but also to discover why it occurred, and hopefully to learn from past mistakes so they do not happen again.


Charles Leaver – Isn’t It Time We Learned From Incidents Such As The UCLA Health Data Breach?

Written By Craig Hand And Presented By Ziften CEO Charles Leaver

UCLA Health Data Breach Probably Down To Inferior Security

UCLA Health announced on July 17th 2015 that it was the victim of a data breach affecting as many as 4.5 million patients of the four hospitals it runs in Southern California. According to UCLA Health officials, Personally Identifiable Information (PII) and Protected Health Information (PHI) was accessed, but no evidence yet indicates that the data was stolen. The data went as far back as 1990. Officials also stated that there was no evidence, at this time, that any credit card or financial data was accessed.

"At this time" is the key phrase. The information accessed (or potentially stolen; it is genuinely hard to know at this point) is essentially good for the life of the individual and potentially still useful after their death. The details available to the criminals included names, addresses, phone numbers, Social Security numbers, medical conditions, prescribed medications, medical procedures performed and test results.

Little is known about this attack, as with many others we hear about but never get real details on. UCLA Health noticed unusual activity in parts of its network in October 2014 (although access may have begun a month earlier) and immediately contacted the FBI. By May 2015, a full seven months later, investigators determined that a data breach had occurred. Again, officials claim that the attackers were probably highly sophisticated and located outside the country. Finally, the public got to hear about the breach a full two months after that, on July 17, 2015.

It has been said many times that we as security professionals need to be right 100% of the time, while the criminals only have to find the 1% we may not be able to cover. Based on our research into the breach, the bottom line is that UCLA Health had inferior security practices. One indicator is the simple fact that the accessed data was not encrypted. We have had HIPAA for some time now, and UCLA is a renowned bastion of higher education, yet it still failed to protect data in the most basic ways. The claim that the attackers were highly sophisticated is also suspect, since no real evidence has been disclosed. After all, when was the last time a breached organization claimed the attack was not "sophisticated"? Even if they do have such evidence, the public will not get to see it and vet it.

Because not enough has been disclosed about the breach, it is hard to determine whether any system would have helped detect it sooner. However, if the breach began with malware being delivered to and executed by a UCLA Health network user, the likelihood that Ziften could have helped detect the malware and potentially stop it would have been fairly high. Ziften could also have alerted on suspicious, unknown or known malware, as well as on any communications the malware made in order to spread internally or exfiltrate data to an external host.

When are we going to learn? As we all know, it is not a matter of if, but when, organizations will be attacked. Smart organizations are preparing for the inevitable with detection and response solutions that limit the damage.


Charles Leaver – Data Leak At Adult Friend Finder Preventable With Ziften Endpoint Security

Written By Chuck McAuley And Presented By Charles Leaver Ziften CEO

Endpoint Security Is The Best Friend For Adult Friend Finder

Adult Friend Finder, an online "dating service", and its affiliates were hacked in April. The breached information included credit card numbers, usernames, passwords, dates of birth, address details and personal, you know, preferences. What is often not highlighted in these cases is the monetary value of such a breach. Many would argue that an email address and its associated data are of little value. However, much as metadata collection gives the NSA insight, this kind of information gives attackers plenty of leverage against the public. Spear phishing becomes far easier when attackers have not only an email address but also location, language and ethnicity. The source IP addresses collected can even give street-level locations for attacks.

The attack method used here was not publicized, but it is fair to assume it involved some form of SQL injection or similar, where the data is pulled out of the back-end database through a flaw in the web application. Another possible mechanism would be hijacking SSH keys from a compromised admin account or a GitHub repository, but those tend to be secondary in most cases. Either way, the database dump itself is 570 MB, and assuming the data was exfiltrated in a few large transactions it would have been very visible at the network level. That is, if Adult Friend Finder had been using a solution that offered visibility into network traffic.

Ziften ZFlow™ brings network visibility into the cloud to catch anomalous data transfers and attribute them to the specific executing process. In this case, the administrator would have had two opportunities to observe the anomaly: 1) at the database level, as the data was extracted; 2) at the web server level, where an unusual volume of traffic would be sent to a single address. Organizations like Adult Friend Finder need the endpoint and network visibility required to protect their customers' personal data, and should "hook up" with a company like Ziften.


Charles Leaver – The Preventable OPM Breach Caused Compromise Of Biometric Data

Written By Mike Hamilton And Presented By Ziften CEO Charles Leaver

Greater Security Protection of Personal and Biometric Data Required After OPM Breach

Recently I had to go through a fairly comprehensive background check. It was one of those situations where you sign into a portal, provide your Social Security number and a plethora of sensitive information about yourself and your family, and trust the federal government (and its contractors) to take care of that personal data.

When I got home the other evening and sat down to start writing this post, I looked at the stack of mail on my desk and noticed one of those envelopes with perforated edges that usually contain sensitive information.

Of course you have to open those envelopes. Unfortunately, at that moment all my worst fears came to life.

What I found was a personal letter explaining that essentially every sensitive piece of information one might want to know about me, along with similar information on 21 million other Americans, had been accessed during the OPM breach.

Oh, and incidentally, there is the small matter that my biometric identity was also compromised.

At this point, although "federal experts" believe it is not a major issue, my iPhone disagrees with them. Bruce Schneier wrote an excellent piece on this, so I will not belabor the points he makes. But at some point we all have to ask some hard questions:

When is this going to stop?

Who is responsible for stopping it?

Who is going to in fact stop it?

Who is going to be held responsible when breaches occur?

These kinds of attacks are why we at Ziften are so passionate about developing our next-generation security tools. While we as a security vendor may never entirely stop or prevent these breaches, perhaps we can make them far more difficult and time-consuming. When you think about it, until the community says "we can't take any more", this is going to keep happening every day.


Charles Leaver – Ashley Madison Breach May Have Been Avoided With Ziften Endpoint Security

Written By Michael Vaughn And Presented By Charles Leaver Ziften CEO


Life Is Too Short Not To Implement Endpoint Security.

Ashley Madison's tagline is "Life is short. Have an affair." Security seems to have fallen a bit short at the company, however, as millions of customer records were blasted out for the whole world to see in a recent breach. Publicly, there are only theories as to who exactly infiltrated the notorious operation. It might have been an insider; alternatively, the hacking group calling itself Impact Team has claimed responsibility for the attack on the red-lettered company. What is clear is the publicly-published list of 32 million user identities. In addition, CEO Noel Biderman lost his position, and the company is facing an enormous number of lawsuits.

It has since emerged that bots were conversing with users and that the user population included only a small number of women. Farcically, the site still states that it received a "Trusted Security Award" and offers complete discretion to its users. Its claim of "Over 42,705,000 confidential members!" on the home page is as outrageous as the service it offers. The stolen list of users is so easily accessible that third parties have already built interactive sites listing the names and addresses of the exposed cheaters. Per Ashley Madison's media page, they "instantly implemented a thorough investigation utilizing leading forensics professionals and other security experts to figure out the origin, nature, and impact of this incident." If Ashley Madison had been more proactive in its approach to endpoint security, it could potentially have been alerted to the breach and stopped it before the data was stolen.

Advanced endpoint security and forensic tools, such as those offered by Ziften, could potentially have spared this organization the embarrassment it has had to deal with. Not only could Ziften have alerted the security leads to the suspect network events in the dead of night during the attack, it could have blocked a range of actions on the database from being carried out, all while letting the security team sleep a little better. Life is too short to let security problems keep you awake at night.


Charles Leaver – Four Lessons To Be Learned From Breaches At LastPass And Behavior Analytics

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO

LastPass Cyber Attacks Have 4 Lessons Everybody Can Learn From

Password management company LastPass suffered data breaches in 2011 and again in 2015. Experts recommend the use of password managers, because strong passwords unique to each account are not feasible to remember without systematic help. However, putting all of one's eggs in a single basket, and then having millions of users each put their basket into one giant basket, creates a tempting target for criminals of every stripe. Cryptography experts who have studied the recent LastPass breach seem cautiously optimistic that significant harm has been averted, but there are still important lessons to learn from the incident:

1. There Is No Perfect Authentication, There Is No Perfect Security

Any skilled, patient and motivated adversary will eventually breach any practical cyber defenses, even if yours is a cyber defense company! Sadly, for many businesses today it does not take much skill or persistence to breach their patchwork defenses and penetrate their sprawling, porous perimeters. Compromise of user credentials, even those of highly privileged domain administrators, is also quite common. Again, sadly, many businesses rely on single-factor password authentication, which simply invites widespread compromise of user data. But even multi-factor authentication can be breached, as the 2011 compromise of RSA SecurID demonstrated.

2. Use Situational Awareness When Defenses Fail

Once the attackers have breached your defenses, the clock is ticking on your detection, containment and remediation of the incident. Industry data suggests this clock has a long time to tick, many days on average, before anyone notices. By then the attackers have pwned your digital assets and picked the corporate carcass clean. Critical situational awareness is essential if this all-too-frequent tragedy is to be avoided.

3. Fuse Network and Endpoint Context for Comprehensive Situational Awareness

In the recent LastPass incident, detection was achieved by analysis of network traffic and server logs. The attacker dwell time before detection was not disclosed. Network anomalies are not always the fastest way to recognize an attack in progress; a combination of network and endpoint context gives a far better basis for decisions than either context alone. For example, being able to merge network flow data with the identity of the originating process sheds much more light on a potential intrusion. A suspect network contact by a new and untrusted executable is far more suggestive when the two are taken together than when analyzed separately.

4. When Authentication Fails, Use User Behavior Analytics

Compromised credentials regularly create havoc across breached businesses, allowing attackers to pivot laterally through the network and operate largely below the security radar. But this abuse of legitimate credentials differs markedly from the normal behavior of the genuine credential holder. Even fairly simple user behavior analytics can spot anomalous discontinuities in learned user behavior. Always employ user behavior analytics, especially for your administrators and other privileged users.
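"Fairly simple" analytics really are enough for the lateral-movement case. What follows is an added example, not code from the original post or from Ziften, that learns a domain administrator's source networks, logon hours, target hosts and daily host fan-out from thirty constructed days of history, then scores new logons against that profile. The event layout, the additive weights and the "more than double the usual fan-out" rule are assumptions to be tuned against real logon data.

```python
"""Minimal user behaviour analytics over authentication events.

Added example, not code from the original post or from Ziften. The event
layout, the scoring weights and the sample history are constructed for
illustration; tune the weights against your own logon data.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network


def constructed_history():
    """Thirty days of a domain admin ("dadmin") logging on from the office
    network during business hours to two hosts. Constructed, not real data.
    Event: (user, ISO timestamp, source IP, target host)."""
    events = []
    first_day = datetime(2015, 5, 4, 0, 0)  # a Monday
    for d in range(30):
        day = first_day + timedelta(days=d)
        if day.weekday() >= 5:
            continue
        for hour, host in ((8, "jump01"), (11, "dc01"), (15, "jump01")):
            events.append(("dadmin", (day + timedelta(hours=hour)).isoformat(),
                           f"10.1.20.{40 + d % 5}", host))
    return events


def build_profiles(events):
    """Per user: counts of source /24s, logon hours and target hosts, plus the
    most distinct hosts that user ever touched in a single day."""
    profiles = defaultdict(lambda: {"nets": Counter(), "hours": Counter(),
                                    "hosts": Counter(), "daily_hosts": defaultdict(set)})
    for user, stamp, source, host in events:
        ts = datetime.fromisoformat(stamp)
        profile = profiles[user]
        profile["nets"][str(ip_network(f"{source}/24", strict=False))] += 1
        profile["hours"][ts.hour] += 1
        profile["hosts"][host] += 1
        profile["daily_hosts"][ts.date()].add(host)
    for profile in profiles.values():
        profile["max_hosts_per_day"] = max(
            (len(hosts) for hosts in profile["daily_hosts"].values()), default=0)
    return profiles


def score_event(event, profile):
    """Additive score; each reason is one departure from learned behaviour."""
    _, stamp, source, host = event
    ts = datetime.fromisoformat(stamp)
    reasons = []
    if str(ip_network(f"{source}/24", strict=False)) not in profile["nets"]:
        reasons.append(("new source network", 3))
    if profile["hours"][ts.hour] == 0:
        reasons.append(("never seen at this hour", 2))
    if host not in profile["hosts"]:
        reasons.append(("first logon to this host", 1))
    return sum(weight for _, weight in reasons), [reason for reason, _ in reasons]


def detect(history, new_events, threshold=4):
    """Flag single events scoring at least `threshold`, and users whose distinct-host
    fan-out in one day is more than double their historical maximum."""
    profiles = build_profiles(history)
    findings = []
    fan_out = defaultdict(set)
    for event in new_events:
        user, stamp, _, host = event
        profile = profiles.get(user)
        if profile is None:
            findings.append({"user": user, "at": stamp, "score": threshold,
                             "reasons": ["no baseline for user"]})
            continue
        score, reasons = score_event(event, profile)
        if score >= threshold:
            findings.append({"user": user, "at": stamp, "score": score, "reasons": reasons})
        fan_out[(user, datetime.fromisoformat(stamp).date())].add(host)
    for (user, day), hosts in fan_out.items():
        usual = profiles.get(user, {}).get("max_hosts_per_day", 0)
        if len(hosts) > 2 * max(usual, 1):
            findings.append({"user": user, "at": day.isoformat(), "score": len(hosts),
                             "reasons": [f"{len(hosts)} distinct hosts in one day vs. usual {usual}"]})
    return findings


def constructed_new_events():
    """One normal day, then the same account used at 03:00 from a VPN range to
    walk six servers it has never touched. Constructed, not real data."""
    normal = [("dadmin", "2015-06-15T08:05:00", "10.1.20.41", "jump01"),
              ("dadmin", "2015-06-15T11:10:00", "10.1.20.41", "dc01")]
    lateral = [("dadmin", f"2015-06-16T03:{minute:02d}:00", "172.16.99.8", f"srv{n:02d}")
               for n, minute in enumerate(range(0, 30, 5), start=1)]
    return normal + lateral


if __name__ == "__main__":
    for finding in detect(constructed_history(), constructed_new_events()):
        print(finding)
```

The per-event score catches the first off-hours logon from a new network; the fan-out rule is the one that matters for credential abuse, because an attacker who waits for business hours and comes through the VPN still has to touch far more hosts in a day than the real administrator ever does.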