Charles Leaver – Trump Hotels Were Breached Because Of Point Of Sale Vulnerabilities That Were Not Visible

Published by:

Written By Matthew Fullard Presented By Charles Leaver CEO Ziften

Trump Hotels Point-of-Sale Susceptibility Emphasize Need for Faster Detection of Anomalous Activity

Trump Hotels, suffered a data breach, between May 19th 2014 and June 2, 2015. The point of infection utilized was malware, and contaminated their front desk computers, POS systems, and restaurants. However, in their own words they declare that they “did not discover any evidence that any consumer information was taken from our systems.” While it’s soothing to discover that no evidence was found, if malware exists on POS systems it is most likely there to steal details related to the credit cards that are swiped, or increasingly tapped, inserted, or waved. A lack of evidence does not suggest the lack of a criminal offense, and to Trump Hotel’s credit, they have provided free credit monitoring services. If one is to examine a Point-of-Sale (or POS) system however you’ll discover something in abundance as an administrator: They hardly ever alter, and software applications will be nearly uniform across the implementation environment. This can provide both positives and negatives when considering securing such an environment. Software changes are slow to happen, need extensive screening, and are hard to roll out.

However, since such an environment is so homogeneous, it is also a lot easier to determine Point of Sale vulnerabilities when something brand-new has actually changed.

At Ziften we monitor all executing binaries and network connections that occur within an environment the second they take place. If a single Point of Sale system started to make new network connections, or started running brand-new software, no matter its intent, it would be flagged for further review and examination. Ziften also gathers endless historic data from your environment. If you want to know exactly what took place six to twelve months earlier, this is not an issue. Now dwell times and AV detection rates can be determined using our incorporated threat feeds, along with our binary collection and submission technology. Likewise, we’ll tell you which users initiated which applications at exactly what time across this historic record, so you can learn your preliminary point of infection.

POS issues continue to plague the retail and hospitality industries, which is a shame provided the relatively uncomplicated environment to monitor with detection and response.

 

Charles Leaver – Marriott Could Have Prevented Their Point Of Sale Breach With Continuous Endpoint Visibility

Published by:

Written By Andy Wilson And Presented By Ziften CEO Charles Leaver

US retail outlets still appear an appealing target for cyber criminals looking for credit card data as Marriott franchisee White Lodging Services Corp announced a data breach in the Spring of 2015, impacting consumers at 14 hotels across the nation from September 2014 to January 2015. This event follows White Lodging suffered a comparable cyber attack in 2014. The attackers in both cases were reportedly able to jeopardize the Point-of-Sale systems of the Marriott Lounges and Restaurants at a number of locations run by White Lodging. The cyber criminals were able to acquire names printed on consumers’ credit or debit cards, credit or debit card numbers, the security code and card expiration dates. POS systems were likewise the focus of recent breaches at Target, Neiman Marcus, Home Depot, and more.

Traditionally, Point-of-Sale (or POS) systems at lots of USA retail outlets were “locked down” Windows devices running a minor set of applications tailored towards their function – phoning the sale and processing a deal with the Charge card bank or merchant. Modern Point of Sale terminals are basically PC’s that run email applications, internet browsers and remote desktop tools in addition to their transaction software applications. To be reasonable, they are usually released behind a firewall program, however are still ripe for exploiting. The best defenses can and will be breached if the target is valuable enough. For example, remote control tools used for management and updating of the POS systems are frequently hijacked by hackers for their purposes.

The credit card or payment processing network is an entirely different, air-gapped, and encrypted network. So how did cyber attackers manage to take the payment card data? They stole the data while it was in memory on the POS terminal while the payment procedure was being conducted. Even if retailers don’t store charge card information, the data can be in an unencrypted state on the Point of Sale machine while the payment deal is confirmed. Memory-scraping POS malware such as PoSeidon, FindPOS, FighterPOS, and PunKey are utilized by the data thieves to gather the credit card info in its unencrypted state. The data is then normally encrypted and retrieved by the cyber attackers or sent to the Internet where it’s retrieved by the thieves.

Ziften’s service provides constant endpoint visibility that can discover and remediate these kinds of risks. Ziften’s MD5 hash analysis can spot new and suspicious processes or.dll files running in the POS environment. Ziften can also kill the procedure and collect the binary for further action or analysis. It’s also possible to spot POS malware by alerting to Command and Control traffic. Ziften’s integrated Threat Intel and Customized Risk Feed options allows customers to notify when Point of Sale malware communicates to C&C nodes. Finally, Ziften’s historical data enables clients to kick start the forensic evaluation of how the malware got in, what it did after it was set up, and executed and other machines are contaminated.

It’s past time for retailers to step up the game and search for brand-new solutions to secure their consumers’ payment cards.

 

Charles Leaver – In Order To Learn From Their Previous Errors Experian Need To Use Continuous Monitoring

Published by:

Written By Josh Applebaum And Presented By Charles Leaver Ziften CEO

Experian Need To Learn from Past Errors And Implement A Continuous Monitoring Solution

Operating in the security sector, I’ve always felt my job was hard to explain to the typical individual. Over the last couple of years, that has actually changed. Regrettably, we are seeing a brand-new data breach announced every few weeks, with much more that are kept secret. These breaches are getting front page headlines, and I can now discuss to my friends exactly what I do without losing them after a few sentences. Nevertheless, I still question what it is we’re learning from all of this. As it turns out, many businesses are not learning from their own errors.

Experian, the worldwide credit reporting firm, is a business with a lot to learn. A number of months ago Experian announced it had actually found its servers had actually been breached and that client data had been taken. When Experian revealed the breach they reassured consumers that “our consumer credit database was not accessed in this incident, and no credit card or banking info was taken.” Although Experian made the effort in their announcement to assure their consumers that their financial details had not been taken, they elaborated further on what data actually was stolen: clients’ names, addresses, Social Security numbers, birth dates, driver’s license numbers, military ID numbers, passport numbers, and additional information utilized in T- Mobile’s own credit evaluation. This is scary for two reasons: the very first is the kind of data that was taken; the 2nd is the fact that this isn’t the very first time this has actually taken place to Experian.

Although the hackers didn’t leave with “payment card or banking details” they did walk away with personal data that could be exploited to open new credit card, banking, and other financial accounts. This in itself is a factor the T-Mobile consumers included ought to be nervous. However, all Experian consumers ought to be a little worried.

As it ends up, this isn’t really the very first time the Experian servers have been jeopardized by hackers. In early 2014, T-Mobile had actually announced that a “reasonably small” number of their customers had their personal details taken when Experian’s servers were breached. Brian Krebs has an extremely well-written blog post about how the hackers breached the Experian servers the first time, so we won’t enter into excessive information here. In the very first breach of Experian’s servers, hackers had exploited a vulnerability in the organization’s support ticket system that was left exposed without initially needing a user to confirm before utilizing it. Now to the scary part: although it has actually become widely understood that the hackers made use of a vulnerability in the company’s support ticket system to provide access, it wasn’t up until not long after the 2nd hack that their support ticket system was shut down.

It would be difficult to imagine that it was a coincidence that Experian chose to close down their support ticket system mere weeks after they announced they had been breached. If this wasn’t a coincidence, then let’s ask: exactly what did Experian find out from the first breach where consumers got away with sensitive client data? Companies who save their clients’ delicate info must be held accountable to not just protect their consumers’ data, but if likewise to make sure that if breached they plug up the holes that are discovered while examining the attack.

When businesses are investigating a breach (or possible breach) it is important that they have access to historical data so those investigating can attempt to piece back together the puzzle of how the cyber attack unfolded. At Ziften, we offer a solution that permits our customers to have a continuous, real-time view of the whole picture that occurs in their environment. In addition to supplying real-time visibility for identifying attacks as they happen, our constant monitoring system records all historic data to enable customers to “rewind the tape” and piece together what had taken place in their environment, despite how far back they have to look. With this new visibility, it is now possible to not only discover that a breach occurred, but to likewise discover why a breach occurred, and hopefully learn from past errors to keep them from happening again.

 

Charles Leaver – Isn’t It Time We Learned From Incidents Such As The UCLA Health Data Breach?

Published by:

Written By Craig Hand And Presented By Ziften CEO Charles Leaver

UCLA Health Data Breach Probably Down To Inferior Security

UCLA Health announced on July 17th 2015 that it was the victim of a health data breach affecting as much as 4.5 million health care clients from the four health centers it runs in the Southern California region. As stated by UCLA Health authorities, Personally Identifiable Information (PII) and Protected Health Information (PHI) was accessed however no proof yet suggests that the data was stolen. This data went as far back as 1990. The authorities likewise specified that there was no proof at this time, that any charge card or financial data was accessed.

“At this time” is key here. The details accessed (or potentially stolen, its definitely hard to know at this moment) is essentially good for the life of that individual and potentially still useful past the death of that individual. The details offered to the criminals consisted of: Names, Addresses, Contact numbers, Social Security Numbers, Medical condition, Medications prescribed, Medical procedures performed, and test outcomes.

Little is known about this cyber attack similar to many others we find out about but never ever hear any genuine details on. UCLA Health found uncommon activity in sectors of their network in October of 2014 (although access potentially started one month earlier), and instantly called the FBI. Finally, by May 2015 – a complete 7 months later – detectives specified that a data breach had happened. Again, officials claim that the assailants are probably highly sophisticated, and not in the country. Finally, we the public get to hear about a breach a full two months later on July 17, 2015.

It’s been stated numerous times previously that we as security specialists need to be certain 100% of the time, while the cyber criminals only have to discover that 1% that we may not have the ability to rectify. Based on our research about the breach, the bottom line is UCLA Health had inferior security practices. One factor is based on the easy fact that the accessed data was not encrypted. We have had HIPAA now for some time, UCLA is a well renowned bastion of Higher Education, yet still they failed to secure data in the easiest ways. The claim that these were highly advanced individuals is also suspect, as so far no genuine proof has been disclosed. After all, when is the last time that a company that has been breached declared it wasn’t from an “sophisticated” attack? Even if they declare they have such proof, as members of the public we will not see it in order to vet it properly.

Because there isn’t really enough disclosed details about the breach, its difficult to figure out if any system would have assisted in finding the breach sooner instead of later on. Nevertheless, if the breach began with malware being provided to and executed by a UCLA Health network user, the likelihood that Ziften could have helped in discovering the malware and potentially stopping it would have been fairly high. Ziften might have likewise notified on suspicious, unidentified, or known malware as well as any interactions the malware might have made in order to spread internally or to exfiltrate data to an external host.

When are we going to learn? As all of us understand, it’s not a matter of if, but when, companies will be attacked. Smart organizations are preparing for the inevitable with detection and response services that reduce damage.

 

Charles Leaver – Data Leak At Adult Friend Finder Preventable With Ziften Endpoint Security

Published by:

Written By Chuck McAuley And Presented By Charles Leaver Ziften CEO

Endpoint Security Is The Best Friend For Adult Friend Finder

Adult Friend Finder, an online “dating service” and its affiliates were hacked in April. The breached information included charge card numbers, usernames, passwords, dates of birth, address details and personal – you understand – preferences. What’s frequently not highlighted in these cases is the monetary worth of such a breach. Numerous would argue that having an email address and the associated data might be of little value. Nevertheless, much the same way metadata collection provides insight to the NSA, this type of information offers attackers with plenty of leverage that can be used against the general public. Spear phishing ends up being a lot easier when assailants not only have an email address, however also area, language, and race. The source IP addresses gathered can even provide pinpoint street locations for attacks.

The attack approach released in this instance was not publicized, however it would be fair to assume that it leveraged a sort of SQL Injection attack or similar, where the data is wormed out of the back-end database through a defect in the webserver. Another possible mechanism could have been pirating ssh keys from a compromised admin account or github, but those tend to be secondary for the most part. Either way, the database dump itself is 570 Mb, and presuming the data was exfiltrated in a few big transactions, it would have been really visible on a network level. That is, if Adult Friend Finder were utilizing a solution that offered visibility into network traffic.

Ziften ZFlow ™ enables network visibility into the cloud to catch aberrant data transfers and attribute to particular executing procedures. In this case, the administrator would have had two opportunities to observe the irregularity: 1) At the database level, as the data was extracted. 2) At the webserver level, where an unusual quantity of traffic would be sent to a particular address. Organizations like Adult Friend Finder must acquire the needed endpoint and network visibility required to secure their consumers’ personal data and “hook up” with a business like Ziften.

 

Charles Leaver – The Preventable OPM Breach Caused Compromise Of Biometric Data

Published by:

Written By Mike Hamilton And Presented By Ziften CEO Charles Leaver

 

Greater Security Protection of Personal and Biometric Data Required After OPM Breach

 

 

opm1

Recently, I had to go through a relatively comprehensive background check process. At the time it was one of those circumstances where you sign into the portal, provide your social security number, a plethora of delicate info about you and your household, and trust the federal government (and their specialists) to take care of that personal data.

As I got back home the other evening and sat down to begin composing this blog post, I looked at the stack of mail laying on my desk and discovered one of those envelopes with the perforated edges that generally contain sensitive information.

Obviously, you need to open those types of envelopes. Sadly at that moment all my worst concerns had actually come to life.

Exactly what I discovered was my personal letter detailing that basically every delicate piece of details one might want to know about me – along with similar info on 21 million other Americans – was accessed during the OPM breach.

 

 

opm2

Oh, and incidentally, there’s the problem that my biometric identity was likewise compromised:

 

opm3

 

At this moment, although “federal professionals” believe that it’s not a major issue, my iPhone disagrees with them. Bruce Schneier composed an exceptional piece on this, so I will not belabor the points he makes. But at some point all of us have to ask some tough questions:

When is this going to stop?

Who is responsible for stopping it?

Who is going to in fact stop it?

Who is going to be held responsible when breaches occur?

These kinds of cyber attacks are why at Ziften we are so passionately developing our next-generation security tools. While we as a security provider may never entirely stop or prevent these kinds of breaches from occurring, perhaps we can make them so much more difficult and time consuming. When you think about it, till the community states “we can’t take anymore” this is going to continue to take place every day.

Charles Leaver – Ashley Madison Breach May Have Been Avoided With Ziften Endpoint Security

Published by:

Written By Michael Vaughn And Presented By Charles Leaver Ziften CEO

 

Life is Too Short to Not Execute Endpoint Security.

 

Ashley Madison’s tagline is “Life is short. Have an affair.” It appears security falls a bit short at the business, however, as countless customer records were blasted out for the entire world to see in a recent breach. Openly, there are only theories as to who precisely infiltrated the outrageous operation. It might have been an insider. Other possibilities, such as the notorious hacking group Impact Team, are declaring victory over the red-lettered company. However exactly what appears is the publicly-published list of thirty two million user identities. Additionally, CEO Noel Biderman lost his position, and the company is taking on an insurmountable number of lawsuits.

It has actually been discovered that bots were communicating with users, and the user population included just a small number of women. In a farcical style, the site still specifies it received a “Trusted Security Award” and offers complete discretion for its users. Their claim of “Over 42,705,000 confidential members!” on the home page is as outrageous as the service they offer. The taken list of users is so quickly accessible that 3rd parties have actually currently produced interactive sites with the names and addresses of the exposed cheaters. Per Ashley Madison’s media page, they “instantly implemented a thorough investigation utilizing leading forensics professionals and other security experts to figure out the origin, nature, and impact of this incident.” If Ashley Madison had been more proactive in their techniques of endpoint security, they could have potentially been informed of the breach and stopped it before data could have been stolen.

Advanced endpoint security and forensic applications – for example those offered by Ziften – could have potentially prevented this organization from the shame it has had to deal with. Not only could Ziften have actually notified security leads of the suspect network events in the dead of night of a cyber attack, however it could have avoided a range of actions on the database from being carried out, all while letting their security group sleep a little better. Life is too short to let security problems keep you awake at night.

 

Charles Leaver – Four Lessons To Be Learned From Breaches At LastPass And Behavior Analytics

Published by:

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO

LastPass Cyber Attacks Have 4 Lessons Everybody Can Learn From

Data breaches in 2011 and after that once again in 2015 were inflicted on password management company LastPass. Specialists advise use of password managers, given that strong passwords unique to each user account are not feasible to recall without organized help. However, positioning all one’s eggs in a single basket – then for countless users to each put their egg basket into one giant basket – creates a tempting target for cyber criminals of every stripe. Cryptology professionals who have actually studied this recent breach at LastPass appear meticulously positive that significant harm has been prevented, however there are still important lessons we can learn from this event:

1. There Is No Perfect Authentication, There Is No Perfect Security

Any proficient, patient and motivated enemy will ultimately breach any useful cyber defenses – even if yours is a cyber defense business! Regretfully, for many businesses today, it does not typically require much ability or perseverance to breach their patchwork defenses and permeate their sprawling, permeable perimeters. Compromise of user credentials – even those of highly privileged domain administrators – is also quite typical. Again, sadly, lots of businesses count on single-factor password authentication, which merely welcomes widespread user data compromise. But even multi-factor authentication can be breached, as was proven with the 2011 compromise of RSA SecurID’s.

2. Utilize Situational Awareness When Defenses Fail

When the enemies have actually breached your defenses the clock is ticking on your detection, containment, and remediation of the occurrence. Market data recommends this clock has a very long time to tick – numerous days on average – prior to awareness sets in. By that time the hackers have pwned your digital assets and picked your business carcass clean. Crucial situational awareness is vital if this too-frequent tragedy is to be avoided.

3. Network and Endpoint Contexts Are Fused With Comprehensive Situational Awareness

In the current LastPass incident detection was achieved by analysis of network traffic from server logs. The cyber criminal dwell time prior to detection was not divulged. Network anomalies are not constantly the fastest way to recognize an attack in progress. A combination of network and endpoint context provides a much better decision basis than either context separately. For example, being able to merge network flow data with the originating process recognition can shed far more light on a prospective infiltration. A suspect network contact by a brand-new and untrustworthy executable is far more suggestive taken together than when analyzed separately.

4. After An Authentication Failure, Use User Behavior Analytics

Compromised credentials regularly create chaos across breached businesses, allowing assailants to pivot laterally through the network and run largely below the security radar. However this abuse of legitimate credentials varies noticeably from typical user behavior of the genuine credential holder. Even rather simple user habits analytics can spot anomalous discontinuities in learned user behavior. Always employ user behavior analytics, specifically for your administrators and more privileged users.

 

Even The Most Prestigious Hackers Require Vulnerability Monitoring – Charles Leaver

Published by:

Written By Josh Harriman And Presented By Ziften CEO Charles Leaver

Hacking Team Impacted By Absence Of Real Time Vulnerability Tracking

These days cyber attacks and data breaches remain in the news all of the time – and not just for those in the high value industries such as healthcare, financing, energy and retail. One especially intriguing incident was the breach against the Italian business Hacking Team. For those who don’t remember Hacking Team (HT) is a business that specializes in surveillance software catering to government and police agencies that want to conduct concealed operations. The programs created by HT are not your run-of-the-mill push-button control software application or malware-type recording devices. One of their crucial products, code-named Galileo – better called RCS (Remote Control System)– claimed to be able to do pretty much whatever you needed in regards to “controlling” your target.

Yet as skilled as they were in developing these programs, they were not able to keep others from entering into their systems, or find such vulnerabilities at the endpoint through vulnerability monitoring. In one of the most prominent breaches of 2015, HT were hacked, and the material taken and consequently launched to the general public was huge – 400 GB in size. More notably, the material included very destructive info such as emails, client lists (and prices) that included countries blacklisted by the UN, and the crown jewels: Source code. There was likewise in-depth paperwork that included a couple of very effective 0-day exploits against Adobe and Flash. Those 0-days were used soon after in cyber attacks against some Japanese businesses and United States federal government agencies.

The big concern is: How could this happen to a company whose sole presence is to make a software application that is undetectable and finding or producing 0-day exploits for others to use? One would believe a breach here would be next to impossible. Undoubtedly, that was not the case. Currently there is not a lot to go on in regards to how this breach took place. We do know however that someone has actually declared responsibility and that individual (or team) is not new to getting into places similar to HT. In August 2014, another security company was hacked and delicate files were released, similar to HT. This consisted of client lists, prices, code, etc. This was against Gamma International and their software was called FinFisher or FinSpy. A user by the name of “PhineasFisher” released on Reddit 40 GB worth data and revealed that he/she was responsible. A post in July this year on their twitter handle discussed they likewise attacked HT. It seems that their message and function of these breaches and theft where to make people familiar with how these companies run and who they sell to – a hacktivist attack. He did upload some information to his approaches and some of these techniques were most likely used against HT.

A final question is: How did they break in and exactly what safety measures could HT have implemented to prevent the breach? We did understand from the released documents that the users within HT had extremely weak passwords such as like “P4ssword” or “wolverine.” In addition, one of the main employee systems where the theft might have happened made use of the program TrueCrypt. Nevertheless, when you are logged in and using the system, those concealed volumes are accessible. No information has been launched as of yet as to how the network was breached or how they accessed the users systems in order to download the files. It is apparent, though, that companies need to have a service such as Ziften’s Constant Endpoint Visibility running in their environment. By monitoring all user and system activity alerts might have been generated when an activity falls beyond regular behavior. Examples are 400 GB of files being uploaded externally, or understanding when vulnerable software is operating on exposed servers within the network. When an organization is making and selling advanced monitoring software – and possessing unknown vulnerabilities in business products – a better plan must have been in place to minimize the damage.

 

Charles Leaver – Prevention Of The Anthem Healthcare Data Leak Could Have Been Possible With Endpoint Visibility

Published by:

Written By Justin Tefertiller And Presented By Charles Leaver Ziften CEO

Continuous Endpoint Visibility Would Have Improved Healthcare Data Leak Avoidance

 

Anthem Inc discovered a big scale cyber attack on January 29, 2015 against their data and IT systems. The health care data leakage was believed to have taken place over a numerous week period beginning around early December 2014 and targeted individual data on Anthem’s database infrastructure as well as endpoint systems. The stolen information included dates of birth, complete names, health care identification numbers and even social security reference numbers of consumers and Anthem staff members. The specific number of people impacted by the breach is unknown but it is approximated that almost 80 million records were stolen. healthcare data has the tendency to be among the most rewarding sources of income for hackers selling records on the dark market.

Forbes and others report that opponents used a process-based backdoor on clients linked to Anthem databases in addition to compromised admin accounts and passwords to slowlysteal the data. The actions taken by the hackers presenting and running as administrators are exactly what eventually brought the breach to the attention of security and IT teams at Anthem.

This kind of attack illustrates the need for continuous endpoint visibility, as endpoint systems are a constant infection vector and an avenue to delicate data saved on any network they might link to. Easy things like never ever before seen procedures, new user accounts, weird network connections, and unapproved administrative activity are typical calling cards of the onset of a breach and can be quickly recognized and notified on given the ideal monitoring tool. When notified to these conditions in real time, Incident Responders can catch the intrusion, discover patient zero, and ideally alleviate the damage rather than permitting attackers to roam around the network unnoticed for weeks.