"Practical stories to be shared with others..."
Issue #2, October 30, 2014
Quick Links
Could your bank be next? JP Morgan breached.
Not only is Malvertising hard to say, it's hard to recover from
Cyber Security Challenge Question
Other Interesting Stories...
Businesses still value speed of data over security
According to a new study by McAfee, enterprises are turning off firewall features so security doesn't slow down their network.
Read More...

About 95% of companies are struggling to secure mobile devices
A free Android app has been released that lets managers assess mobile security risks from Android devices.
Learn More...

We are now into the final week of October, which is National Cyber Security Awareness Month (NCSAM). Hopefully, you (or your organization) have had a chance to do something that improves your awareness of cyber security risks. If not, there's still time! (See the September SSN issue.)

Stories are the key to engaging and educating people of all levels of responsibility and technical comprehension. I'd love to hear your own experiences, or even any stories you come across. So let's help others to learn about cyber security by sharing these stories with your family, friends and associates. I hope you enjoy this October 2014 issue of the Streetwise Security News.

See the list of topics on the left for a quick view of this issue's stories and content.

If you're not already a subscriber, and would like to sign up, please click HERE. You'll automatically receive a free copy of my Security Resource Guide that has links and source info for the tools I use on a daily basis.

Cheers,
Scott Wright

Could your bank be next? - Attackers gained complete control of JP Morgan customer accounts
What happened to JP Morgan bank?

In early October, we learned that JP Morgan, the largest bank in the USA, had been successfully attacked, resulting in the compromise of 76 million household accounts and 7 million business accounts. The good news is, no money was stolen, according to JP Morgan. But this is NOT a good news story.

According to the website threatpost.com (click HERE for the story), the attackers penetrated as many as 90% of JP Morgan's computer servers and gained complete privileges to do whatever they wanted. Then, they left. This pattern seems to have repeated a number of times between June and August of 2014.

How did the breach occur?

JP Morgan has not yet reported on how this security lapse occurred. In fact, the only reason it was reported at all seems to be due to a regulatory technicality. According to the Threatpost.com article, the FBI may also be investigating potential breaches at several other US financial institutions.

Why didn't the attackers steal anything?
One of the most disturbing things to me about this story is the fact that they are reporting that nothing was stolen.

A quote from the above article states:

"Attackers took full control of millions of personal and business accounts - meaning that they could transfer funds, disclose information, close accounts, and do whatever they want to the data," Jeff Williams, the CTO of Contrast Security, also said yesterday.

But if they had such control, why didn't the attackers steal funds? What this could mean is that foreign organizations or countries are simply looking for weak points in the North American financial systems. I'm not usually a conspiracy theorist, but one of the first objectives in an all-out cyber war would surely be to knock out or disrupt the financial systems in an enemy's country.

Let's hope all banks learn from this breach, and act fast to protect their computer systems and networks. From my experience, financial institutions have some of the best security of virtually any industry. But this incident shows us that it's time to put pressure on the banks to step up to meet these clearly escalating threats. Otherwise, we may soon wish we'd put all our savings under our mattresses.

Terminology - "Malvertising"
The term "Malvertising" refers to online ads that try to infect visitors with malware or computer viruses. See the article in the Blog Posts section of this issue for a good example of malvertising.

The image below is courtesy of the website, securityaffairs.co. Note the block at the bottom with the highlighted red box. The ad has a comment that says, "Play Online Game".

Scott's Recent Blog Posts

Here's a recent extract from my Security Views blog...

Not only is Malvertising hard to say, it's hard to recover from

It's an ugly word, and not one you want to say often. But you will be hearing more about malvertising in the future. It's a type of attack that takes advantage of the banner ads you see on many legitimate websites like Yahoo, Match.com and AOL.

What happens with a malvertising campaign is that bad guys buy legitimate ad space from advertising networks, and when people click on their ads, they get attacked. This can happen on any trusted website, and there are some high profile cases that have been in the news lately. The worst so far is one called CryptoWall that can lock up the hard drive and all the files on your computer, and hold them for ransom.

Social Media Security
The Social Media Security Podcast - Episode 37 - Managing your digital footprint online

Having a lot of online friends and posts may seem like a good way to boost your ego. But it can be risky. This past month, Tom Eston, Kevin Johnson and I recorded a special podcast episode that discusses the risks of having too much information online, how to assess your own risks and what you can do to manage your digital footprint online.

You can listen to this episode (and past ones) online by clicking HERE. Or you can subscribe to the podcast series on iTunes by clicking HERE.

A Cyber Security Challenge Question

Which type of attack listed below targets an average employee in a specific organization with a message that contains a dangerous link or attachment?

a) Whaling attacks
b) Spear-phishing attacks
c) Bulls-eye attacks
d) Sniffing attacks

Answer:
See the bottom of this newsletter for the answer. (or click HERE)
Streetwise Security Tip - When big news stories or world events occur, be ready for new phishing attacks.
It seems that we always get fooled, and should know by now. But whenever a big news story occurs anywhere in the world, scammers and attackers will try to take advantage of it, no matter how sick or low the idea of it is. One of the more popular scams is to start a "fund-raising" initiative to help victims. Click HERE for an example based on the recent shooting of a soldier at the National War Memorial in Ottawa, Canada.

When big news events happen, people are so desperate to learn more, and to help, that they will click on almost anything with the promise of more details. Please stay alert to the very high likelihood of scammers trying to make a buck from somebody's misfortune or spectacular news. This includes seasonal campaigns like Christmas sales and sporting events like baseball's World Series championship. So, one of your first reactions to any big news story now should be, "How will the scammers use this story?"

What's with all the retail store credit card breaches?
There has definitely been an increase recently in the number of security breaches where criminals are stealing credit card numbers from large retail companies. In the past month, Home Depot was one of the big stories, along with Dairy Queen and Kmart. Now, Staples appears to be in the news regarding a credit card incident. Click HERE for more details, and HERE for a nice column from Forbes that summarizes the past week's various data breaches.

Are these companies just getting more sloppy, or are the bad guys just finding smarter ways to break in?

I think it's a little of both, actually. There is a set of security standards called the Payment Card Industry Data Security Standard (PCI DSS), which anyone processing credit card numbers must follow. If the retailers don't follow the standard, and maintain proper security of their networks and systems, the credit card companies can refuse to process transactions coming from them.

The problem seems to be that many retailers just implement the bare minimum of security, as they interpret the standard, while the bad guys are finding the weak points and exploiting them very effectively. According to a recent analysis (click HERE), Home Depot's costs for its latest breach are expected to reach $240 million, and the analyst explains how the Home Depot credit card breach could have been avoided with an investment of $25 million in "software whitelisting" safeguards on its point of sale systems.

When will the madness end?

I think we'll see at least a few more stories of huge amounts of damage to retail businesses before the standards are tightened, and it becomes harder for attackers to break into retail systems. But it would be a good time for all business enterprises to start reviewing their network vulnerabilities and start doing a better job of managing risks posed by very capable and innovative hackers. Until they do, we will continue to see our favorite brands being hit, one by one, with criminal cyber attacks for financial gain. It may be time to start paying for purchases using the cash you stashed under your bed (from the first story above).

Answer to the Cyber Security Challenge Question (from above)
Question - Which type of attack targets an average employee in a specific organization with a message that contains a dangerous link or attachment?

Answer: (b) Spear-phishing. For an average employee, a spear-phishing attack is often used. When the attack targets an executive, it's called "Whaling" because the potential reward for tricking a senior manager could be much larger.

If you found this newsletter to be useful, I invite you to share it with one or two other associates or friends. If you have any comments, or even suggestions for stories you'd like to see in the next issue, please send me a note.

In particular, I'd love to hear which stories you enjoyed the most, and what you'd like to see more of.

Sincerely,

Scott Wright
The Streetwise Security Coach
Security Perspectives Inc.

P.S. Once again, if you haven't signed up, please click HERE to make sure you get all future issues of the SSN.

Copyright 2014. Security Perspectives Inc. All Rights Reserved.