It’s Time To Get Tested or Why You Should Test Your Website For Vulnerabilities

Our reliance on technology and the growth of the social web brings with it its own unique set of concerns. Security is at the forefront of everything you do online, whether you realize it or not. Go ahead: “meh” security all you want. Just know that every time you log in to Google, every time you hop on Facebook, and every time you make a purchase online, security plays an important role in how your data is handled and who has access to it.

If your website collects information from your visitors, security has to be paramount to the operation of your website. All it takes is one breach to receive all the bad press in the world. Look what just happened to Target. Look at the vulnerability discovered in SnapChat. These are perfect examples of how security gaffes damage trust with consumers and weaken the appeal of your product.

NSA Gets Ousted For Tapping Into Google Datacenters

New NSA spying revelations are ramping up the intensity of the spy debate, and have angered quite a few people in high places. One of them is the CEO of Google, who recently went on record to say that the NSA spying on Google’s datacenters is “outrageous”.

Perhaps I should back up a bit.

The outrage started when new leaks from Edward Snowden alleged that the NSA found a way to suck up large amounts of data moving between the datacenters of Google and Yahoo!. Where the outrage came from (beyond the obvious lack of transparency) is that the leaked slides point to the fact that the NSA may have actually “broken in” to Google servers.

The slide below reveals proprietary Google code. This is unpublicized code that is used internally by Google to communicate between servers.

[Slide: Google Cloud Exploitation] One of the slides released by ex-NSA contractor Edward Snowden detailing how the NSA can access data from Google.

This is an unprecedented move by the NSA, and a glaring breach of trust — not to mention illegal. According to Google, this has to be an unauthorized breach; they were never served a warrant. If in fact the latest leaks are true, the NSA breached Google’s systems, much like an attacker would. If this was a regular “hack”, it would be referred to as an Advanced Persistent Threat.

So, how did they do it without a warrant?

There really isn’t a lot of information to go on due to how non-transparent the Administration has been when addressing issues of government snooping. The prevailing theory is that the breaches occur overseas, where the data is considered “in transit” — open to surveillance and not protected under the laws of the United States. The law is being interpreted to allow mass data collection, including information on Americans, because the data is collected outside U.S. soil.

With an increasingly digital society, and the world more connected than ever, this presents a whole new set of challenges for laws and governance.

How was the information collected?

There are quite a few theories, but overall they point to the NSA’s ability to somehow tap into Google’s internal network, most likely through physically tapping the fibers that transfer data across the world.

This infographic explains quite a bit:

[Infographic: How The NSA Spies On Google]

What does it all mean?

It’s hard to say for sure. Since the Snowden leaks were first revealed the privacy debate has erupted around the world. We’re all beginning to see the bigger picture of how our data is used, and the implications of mass amounts of data being stored on each and every one of us.

Is it troubling? Absolutely.

If you are a student of history you will understand the underlying implications of any government operating in the ‘grey area’ of legality, and holding a concentration of power, with little oversight. As Lord Acton once said:

“Power tends to corrupt and absolute power corrupts absolutely.”

It’s time to weigh in on the debate. What do you think?

BTW: Here are the thoughts of one Google employee on Google+

96% Of Businesses Are Not Prepared For A Cyber Attack

What happens when you ask 1,909 executives if they think their business is ready for a cyber attack?

You find out that 96% see their business as unprepared.

It’s a surprising number, no doubt. The reality is that when you look at the volume of successful cyber attacks, and the number of companies that are being breached by hackers, this number begins to make sense.

Ernst & Young, who compiled the report, had this to say:

As many organizations have learned, sometimes the hard way, cyber attacks are no longer a matter of if, but when. Hackers are increasingly relentless and often politically motivated.

So, why do businesses feel they are vulnerable to attacks?

The main driver came down to budget constraints, with 65% of those who responded to the survey citing financial reasons as the largest hurdle to meeting security needs.

Small businesses felt the impact of budget constraints even more — 71% of SMBs with an annual revenue under $10 million felt their security was not up to par due to financials.

The concern doesn’t end there: half of the respondents found that another barrier to improving security was a lack of awareness within their organization.

The short version is that security is taking a backseat in most organizations due to budget constraints and lack of knowledge. This may seem like a wealth of work for the security industry (which is growing leaps and bounds), but most businesses never see a need for security — until they need it.

It’s the catch-22 of online security for organizations: when it’s working, it is seen as a burden on revenues. It’s only after something catastrophic happens, like a DDoS attack or network breach, that the need is realized.

Online threats are growing each year. From malware to DDoS attacks to APTs, the threats are real. In fact, over half of the companies that responded to the survey said that they have seen an increase in threats over the last 12 months.

The director of information security at Ernst & Young, Mark Brown, had this to say:

This year’s results show that while businesses are faced with a rising number of security breaches, budget constraints and talent shortages mean that they fail to put in place those systems that match their needs.

You don’t have to feel that it’s all doom and gloom ahead: 70% of the businesses were happy to report that all information security policies were managed at the top level of their organization, with 1 in 10 reporting directly to the boss.

What This Means For Businesses

The important thing to take from this report is that although threats are on the rise, and more spending is being allocated to information technology and security, awareness of the threat landscape is crucial. The only way your business will be able to adequately respond to attacks is if there is a team in place to respond, or the necessary planning has been put in place.

Concerned about DDoS attacks? Talk with an expert.

 

Security Bytes: This Week In Security

Welcome to our first installment of Security Bytes: your quick source for security news each week, where we distill the facts on the latest in vulnerabilities, malware, and “the internet of things”.

Senator Demands More Info From Experian

If you haven’t heard, Experian is in hot water for selling full Social Security numbers, birthdays, driver’s license records and financial information on millions of Americans — to criminals. Fraudsters operated a website where this information was bought and sold, and used to defraud Americans. Now, Senator Jay Rockefeller from Virginia is demanding answers…

North Korea Seeds Online Games With Malware In Fiendish DDoS Plot

The National Police Agency in Seoul has warned South Koreans not to download unofficial video games due to the risk of malware infections used in DDoS attacks, with evidence pointing to this malware being used to launch distributed denial of service attacks on Incheon Airport in South Korea…

Irish Privacy Boss Hauled To Court For NOT Probing Facebook For Spook Links

The top data protection watchdog in Ireland will have his day in court soon. An Austrian student has filed a claim alleging that the privacy regulator didn’t live up to his duties when it came to investigating how the NSA spy scandal impacted Facebook users in the EU…

Obamacare Website Security Questioned

On October 24th, the House Energy and Commerce Committee held a hearing to field questions with contractors regarding the technical issues that have plagued HealthCare.gov since its launch. A valid concern that arose during the talks was a peculiar disclaimer that caused Rep. Joe Barton, R-Texas, to speak up…

Super Creepy: Retailers Track Smart Phone GPS For ‘Anonymous’ Data

As if having all your calls and emails recorded wasn’t enough, retailers are now experimenting with tracking movement through shopping malls and the street with new technology that records anonymous data. The technology works by picking up your Wi-Fi or Bluetooth signal. It’s being used on London trash cans and other places, but will undoubtedly be coming to a store near you…

LinkedIn Intro: A Juicy Target For Hackers, Cyber Criminals, And Nation-States

LinkedIn’s new app, called Intro, has been met with criticism over its architecture, which requires your email to be routed through LinkedIn’s servers for its features to work. The app integrates with Apple’s native iOS Mail application to add details (much like Rapportive) about the people you correspond with. Unlike Rapportive, the app effectively places itself in the position of a MITM (man-in-the-middle), making it a juicy target for bad actors…

Why You Should Measure The Need For Security Spending

There is always a tradeoff when it comes to security, especially in large organizations. On one side of the aisle you have the people concerned with cost. These are usually the people that are responsible for making sure the balance sheets are looking like they should.

On the other side of the aisle sits the IT department. Now, under ideal situations, both management and IT understand that they both have a duty to protect the business, albeit in different ways. Where one side counts success with dollars, the other measures success with security.

Oftentimes these two departments don’t see eye to eye for the single fact that when nothing happens —when no threats impact business— security spending is simply seen as an expense. The sad part of this story is that it is usually this budget that is the first to go, either through reduced spending, or by outsourcing organizational security to the cheapest bidder.

Like I mentioned: security is nearly always a tradeoff. That tradeoff may mean higher spending, or it may mean less convenience. Either way, as the value of security goes up, some other value goes down.

Security Is A Trade-Off: More Expenses Mean Less Profit, But Less Security Means Lost Confidence

When you put down a budget outlay for costs associated with protecting your website, undoubtedly the first thing you notice is that profit goes down. This is simply because you are adding more expenses to your organization. The more you spend on security, the more security you get — but you also end up with less profit.

How To Do A Risk Assessment For Your Business

If you are preparing to make a large expenditure when it comes to security or DDoS protection, you should first try some risk analysis.

Ask yourself these questions:

  • What would X minutes of downtime cost your company?
  • Would downtime affect clients? How much money would they stand to lose?
  • What would a complete server compromise (or partial) cost to fix?

These are but a few of the questions you need to ask. There are also other variables like brand reputation: would downtime or a significant breach cost you customers? Would it have irreparable damage? Could it negatively impact your customers? You have to get your team involved in these discussions and find out where your organization sits. From there, you’ll be able to take the appropriate steps, and the right steps for your business.

A Few More Questions You Should Be Asking About Security

While this final step is more of a guessing game, it’s important nonetheless: try to guess how likely the above scenarios actually are. Be generous. You do not want to skimp on security, but at the same time you do not want to spend more than necessary.

If your business does involve clients you should bring them in on the conversation. Talk to them and find out what threats they have faced. This should all be factored into any security spending decision.

Another good thing to include is downtime due to unintentional DDoS. If you have a marketing campaign that goes viral or a news item that brings in a huge increase in traffic, you want to be able to deal with this. Why? Because in a situation where you are getting tons of exposure, or sales are going through the roof, you don’t want to go offline because your server or systems are not up to the task.

Once you know your expected losses, you can spend money and time trying to mitigate them.

The Holidays Are Here: Don’t Get Phished

The holiday season is a busy time for most businesses. In fact, it’s a busy time for most of us. We have to worry about what we’ll wear for Halloween, the long Thanksgiving dinner with family — and the game face you have to put on for the in-laws. Let’s not forget Christmas. Whether you are the religious type or not, you typically have to buy presents.

Unless you want to look like a jerk.

So, because I am trying to skate by this year without a lump of coal in my stocking, I figured now is the time to warn you about the other activities the holidays bring: scams.

Yes, the holidays are not all fun and cheer. Lurking just beyond the shadows are cyber thieves hoping to ensnare you in one of countless schemes that occur every year with about the same regularity as my good ol’ Uncle Frank drinking himself under the table during Thanksgiving.

I suppose the holidays are funny like that.

Tips To Keep You Safe From Online Scams During The Holidays

1) Ruses To Get You To Click Suspicious Links
Persistence and smart social engineering are what crooks bank on come the holiday season. Some scams will use compromised Facebook accounts to get you to click. Think twice before clicking a link that seems out of place. Better safe than sorry.

2) Secret Santa Spamming ‘Secret’ Gift Links
Who knows? Maybe you do have a secret admirer. Just be aware that scammers use phishing emails claiming you have received a secret Santa gift. If you click, the only thing you receive is malware.

3) iTunes Gift Card Trojan Horse
“Oh, cool! I got a free iTunes card!” …Right. What you think is a free iTunes gift card attached to that email is actually a malware payload.

4) Gift Card Survey Scams
You may just be lucky, but the likely reason you are receiving an “offer” on Facebook to receive a free gift card can be something else entirely. Often times, scammers will use social media to perpetuate the scam, encouraging people to share with their friends to further promote their attempt at gaining your personal details.

5) PayPal Phishing Emails
I see these all the time: Emails that appear to come from PayPal warning that your account is at risk of being suspended, or that you have received a huge payment. The trick is to get you to click the email to go to PayPal, versus visiting the site in your browser.

The Easiest Way To Protect Yourself From Phishing Scams

There are more phishing scams than I could reasonably cover in one blog post. The easiest way to protect yourself from falling victim to a phishing attack is to never click links in an email that appears to come from your bank or PayPal. Instead, go to your browser and type in the url to your bank and login from there. If it was a legitimate notice you will have a notification in your account.
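The advice above (go to the site yourself instead of clicking) works because a phishing email's link text and its real destination usually disagree. As an added example, not code from the original post, the Python script below pulls the anchors out of a constructed email body and flags links whose host is outside the domains you expect, whose visible text names a different host than the href, or which are not served over HTTPS. The sample email, the expected-domain set and the crude "last two labels" domain check are all assumptions made for the illustration; a real deployment would use a public-suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain guess: last two labels (assumption, not a public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _host_in_text(text):
    """If the visible link text looks like a URL or bare hostname, return its host."""
    t = text.strip()
    if not t or " " in t or "." not in t:
        return None
    if "://" not in t:
        t = "http://" + t
    return urlsplit(t).hostname


def suspicious_links(html, expected_domains):
    """Return [(href, [reasons...])] for every link that fails a check."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        reasons = []
        if registrable(host) not in expected_domains:
            reasons.append("host is outside the expected domains")
        text_host = _host_in_text(text)
        if text_host and registrable(text_host) != registrable(host):
            reasons.append("visible text names a different host than the href")
        if parts.scheme == "http":
            reasons.append("link is not HTTPS")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed email body: one deceptive link (text says PayPal, href goes to a
# reserved .example host) and one genuine link to the real site.
CONSTRUCTED_EMAIL_HTML = """
<p>Your account is at risk of suspension. Log in now:</p>
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/</a>
<p>Or visit <a href="https://www.paypal.com/">Visit PayPal</a> directly.</p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(CONSTRUCTED_EMAIL_HTML, {"paypal.com"}):
        print(href)
        for r in reasons:
            print("  -", r)
```

Note that the first link passes a casual glance because "paypal.com" appears at the start of the host; the check catches it because the registrable part is the last two labels, not the first. That is exactly why typing the address yourself is safer than trusting what the email displays.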

38 Cyber Security Blogs You Should Be Reading

Cyber security is a growing industry and the focus of many in this digital age. If you have an interest in the world of information security, these cyber security blogs will help educate you to the threats that exist online.

Threatpost

A Kaspersky Labs security news resource, this blog posts entries daily and covers a broad selection of news all relating to cyber security and the internet.

Krebs On Security

A prolific writer and renowned security blogger, Brian Krebs stays on the forefront of advanced threats and has some of the most in-depth coverage found online.

Naked Security

Naked Security is a Sophos Labs creation and an award-winning threat newsroom that combines opinion and facts to shed light on some of the newest threats.

CERIAS / Spaf

This is Gene Spafford’s blog, found on the Purdue University website. His blog is the face of the Center for Education and Research in Information Assurance and Security, one of the world’s leading centers for research and education in the field of information security.

Contagio Malware Dump

This blog has been around for ages (still hosted on Blogger!) and covers everything from advanced persistent threats to zero-day malware research.

Cyber Crime & Doing Time

Gary Warner blogs about cyber crime and the related justice issues that go hand in hand in today’s digital landscape.

Cyveillance Blog

This security blog covers the recent news items and security research that appear in the headlines.

DHS Daily Report

A retired U.S. Army Chief Warrant Officer with almost four decades of information security experience is the brain behind this blog. You’ll find daily updates and links to security news items.

ESET Threat Blog

Once called the ESET Threat Blog, its new name is We Live Security. Their goal is to produce content that is informative — and they do an incredible job of it. We Live Security is staffed by a team of security professionals who all contribute regularly.

F-Secure Blog

This is F-Secure Labs’ security blog, which covers (obviously) security, but they also feature plenty of interesting content that relates to the field.

FireEye Malware Intel Lab

Covering everything from advanced persistent threats to zero days, FireEye runs an informative blog that touches base on all of the security news you should be aware of.

Fortinet Blog

Fortinet does a good job of providing content that will appeal to the pro or the novice. Their categories range from “Security 101” to covering the latest threats.

Rivalhost Security Blog

On the Rivalhost blog we focus on covering everything from security to cyber threats, business and the internet. As a DDOS protection provider, we stay up-to-date on the latest exploits and threats.

Fox-IT International

Fox-IT provides information on cyber defense, IT security, and digital forensics. They definitely have a wealth of information available on all topics relevant to security.

GFI Labs

Threat Track Security talks about everything security on their blog; including news and opinions on the latest cyber threats and malware.

Google Online Security Blog

Owned and operated by Google, this blog dives into web threats and covers the information you need to know to stay secure online.

Imperva Blog

You’ll find blogs, white papers, and as much threat analysis as you can read on Imperva. If you are a security researcher or have an interest in data security, you’ll find plenty of information here.

Kaspersky Blog

Another Kaspersky web property, Securelist covers a wide range of security topics by a number of researchers and security experts.

Malcovery Security

Want to learn about phishing? How about the latest opinions and news on information security? The Malcovery blog takes these topics and illustrates them in an entertaining and engaging way.

DDoS Protection & Security

The DDoS Protection & Security Blog is home to expert DDoS mitigation specialists who share their expertise and knowledge on DDoS attacks. They also have an expansive list of top cyber security blogs.

Malware Don’t Need Coffee

This security blog takes you down the rabbit hole into the latest zero day threats and malware exploits being used online.

Microsoft Malware Protection Center

Authored by the security team at Microsoft, this blog will keep you up-to-date with all of the latest security threats.

Red Tape Chronicles

This is an NBC News technology blog that chronicles the convergence of web threats and information security.

SANS Internet Storm Center

The ISC provides free analysis and warning service to thousands of internet users and organizations. They also cover all of the latest threats and issue warnings for new zero days.

Schneier on Security

Bruce Schneier is an opinionated, knowledgeable cryptographer and security expert who is someone to watch if you work within the security space.

SecureWorks

This blog is powered by Dell and covers (like everything else on this list) security, malware, and internet safety. Their research team sheds light on the newest threats and they

Securing the Human

A SANS Institute blog that covers security research, zero-day threats, and vulnerabilities.

Securosis

The Securosis blog stakes their claim on totally transparent research and continuously publishes their work, welcoming comments and debate.

StopBadware

Based in Massachusetts, StopBadware is a nonprofit anti-malware organization that helps protect people from malware threats. Their blog covers security and research on malware.

Symantec Response Blog

Symantec keeps their thumb on the pulse of cyber security and their blog reflects that. You’ll find insight on the newest threats and scams being used online.

TaoSecurity

Richard Bejtlich has been in the infosecurity space for a long time. His blog, TaoSecurity, focuses on digital security, global adversaries, and the global challenges that come with staying secure.

TrendMicro Blog

The Simply Security blog by Trend Micro has topics that range from cloud security to industry news to security intelligence.

Unmask Parasites Blog

Black hat rich snippets hacks, FTP brute force attacks, cloaking, cyber scams — you’ll learn about it all here. Denis (the author) recently joined Sucuri as well.

Sucuri Blog

The folks at Sucuri know WordPress security. You’ll find everything you need to know to secure your WordPress site and stay informed on the latest threats.

US CERT

The United States Computer Emergency Readiness Team has plenty of news and updates on all the vulnerabilities you should be aware of.

Websense

The Websense Security Labs blog does a great job at highlighting the most recent zero day threats facing the internet.

Wired.com’s Threat Level

The Threat Level blog from Wired covers privacy, crime and security online. It posts plenty of updates and offers a consistent stream of the latest security news.

Xylitol

Their tagline says it all: “Tracking and Demystification of Cybercrime”.

 

What Are Advanced Persistent Threats?

An advanced persistent threat (APT) is an attack on a network that attempts to gain undetected network access. Unlike DDoS attacks, APT attacks focus on covertly stealing data rather than taking down a network. It’s in this way that a hacker (or hackers) works to secretly steal financial or other valuable information, such as can be found in the manufacturing and national defense industries.

In its simplest form, an attacker launching an APT attack will work to infiltrate the network, moving laterally across the network to siphon any user credentials or high-value information that can be obtained. These forms of attacks are done with care as the attacker’s goal is to remain undetected for a long period of time. The longer they can stay on the network, the more possibility they have of obtaining even more valuable information.

Intrusion Detection Systems

Intrusion detection systems (IDS) are at the center of the defense against these forms of attacks, however a sophisticated APT attack can bypass some of these systems and not trigger any alarms when breaching the network. Often times, in order to continue to remain undetected, the attacker will have to continuously edit the code of the malware to fly under the radar and not set off alarms.

The Growing Threat: APT Attacks Increased In 2013

An earlier study this year by the Ponemon Institute found that 67 percent of organizations admit that their current security activities are insufficient to stop a targeted attack. And to further illustrate the point, Trend Micro found that 55 percent are not even aware of intrusions, and fewer know the extent of the attack or who exactly is behind it.

How Advanced Persistent Threats Have Evolved

Before attacks evolved into advanced persistent threats, most attacks relied on quickly infiltrating a network, grabbing what information was possible, and leaving before the network administrator had time to respond. These attacks were simplistic in nature and not as effective for the long-term: once an attacker successfully breached a network, the attack would be detected and the network hardened — usually making any sort of second attack near impossible.

And then came advanced persistent threats.

Social Engineering and Phishing

We’ve spoken in the past about how social engineering can be damaging to your business. You should note that most APT attacks rely on spear phishing and social engineering to gain access to systems. Most of these attacks rely on the natural human tendency to trust.

An attacker will typically start their campaign by researching everything they can about their target online. They will then find out who is working for the company, and in what capacity. Social media makes this easy. Most large companies have a presence on social networks like LinkedIn, so an attacker will simply pull what information they can to formulate their plan. Often times, they may even spoof a company email and mail it to multiple recipients in hopes that someone will take the bait. If the campaign is a success, malware (in the form of a rootkit or keylogger) will be downloaded onto one of the targets’ machines and from there it will usually self-replicate and infect more hosts on the network.

The theft of data can never be completely hidden. A good sysadmin or network security administrator will have systems in place to detect anomalies in outbound data.
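One concrete form of the "anomalies in outbound data" check mentioned above is a per-host egress baseline: learn how much each internal host normally sends out per day, then alert when a day's volume sits far above that history. The Python below is an added example, not code from the original post; the host names, the daily byte counts and the threshold are constructed for the illustration.

```python
import statistics

# Daily outbound volume in MB per internal host over ten days (constructed data).
# ws-17 behaves normally for eight days and then pushes out ~4.8 GB on day 8;
# db-02 is a flat, boring server.
CONSTRUCTED_EGRESS_MB = {
    "ws-17": [210, 205, 198, 220, 215, 201, 208, 212, 4800, 209],
    "db-02": [50] * 10,
}


def egress_anomalies(egress_by_host, z_threshold=3.0, min_baseline_days=7):
    """Return one alert per (host, day) whose outbound volume is far above
    that host's own history.

    For each day after the warm-up window, the baseline is every earlier day
    for the same host. The spread is the population standard deviation, but
    never less than 5% of the mean so that a perfectly flat series does not
    turn every tiny wobble into an alert (assumption chosen for this example).
    """
    alerts = []
    for host, series in egress_by_host.items():
        for day in range(min_baseline_days, len(series)):
            baseline = series[:day]
            mean = statistics.fmean(baseline)
            spread = max(statistics.pstdev(baseline), 0.05 * mean)
            if spread == 0:
                continue  # host has never sent anything; nothing to compare against
            z = (series[day] - mean) / spread
            if z > z_threshold:
                alerts.append({"host": host, "day": day,
                               "mb": series[day], "z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    for a in egress_anomalies(CONSTRUCTED_EGRESS_MB):
        print(f"{a['host']}: day {a['day']} sent {a['mb']} MB (z = {a['z']})")
```

The caveat a practitioner would raise: this catches the bulk exfiltration at the end of an intrusion, not the patient attacker described above who keeps daily volume inside the baseline. Volume checks therefore pair with checks on where the data goes (destinations a host has never talked to before) rather than standing alone.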

Fortunately, there are options for protecting your business from Advanced Persistent Threats. You can start by scanning your website for malware or enrolling in website malware protection.

What Is Remote DDoS Protection?

Remote DDoS protection is a solution that can help you stop DDoS attacks without moving your host or making any drastic changes to your current system or servers.

Distributed denial of service is on the rise. Organizations large and small are being targeted with cyber attacks for a myriad of reasons: business disruption, extortion, political reasons — the list goes on. 2013 shows no sign of slowing down and the focus on both the digital economy, and cyber warfare in particular, will only fuel the already growing trend of DDoS attacks launched on businesses.

What Happens During A DDoS attack?

There are different types of DDoS attacks, but almost all of them rely on overwhelming the target machine with countless information requests until it goes offline. First, an attacker will target a website and begin sending connection requests. Normally, when two machines communicate over the internet, a SYN (“synchronize”) packet is sent to the other machine to request a connection. This request is acknowledged with a SYN/ACK packet. Once that packet is sent, the machine that initiated the connection request sends one last ACK (“acknowledge”) packet. Once it is received, the connection is established and the two machines are able to communicate back and forth.
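The handshake above is also what a SYN flood abuses: the server answers each SYN with a SYN/ACK and reserves state, and the final ACK never arrives, so the half-open table fills up. The Python script below is an added example rather than code from the original post; it replays a constructed packet summary through that three-step state machine, counts half-open connections per client, and reports both the sources that hold an unreasonable number of them and the overall pressure on the listen backlog. The server address, packet records, thresholds and backlog size are all assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP packet summarised from a capture (constructed for this example)."""
    ts: float    # seconds since capture start
    src: str     # source IP
    dst: str     # destination IP
    flags: str   # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


SERVER = "192.0.2.10"  # constructed address of the protected web server


def half_open_counts(packets):
    """Replay the handshake and count, per client, connections that never
    received the client's final ACK.

    client -> server : SYN      (pending += 1)
    server -> client : SYN/ACK  (server now holds state for this attempt)
    client -> server : ACK      (pending -= 1, connection established)
    """
    pending = defaultdict(int)
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if p.dst == SERVER and p.flags == "S":
            pending[p.src] += 1
        elif p.dst == SERVER and p.flags == "A" and pending[p.src] > 0:
            pending[p.src] -= 1
        # Server SYN/ACKs add nothing to this count, so they are ignored.
    return {ip: n for ip, n in pending.items() if n > 0}


def flood_sources(counts, per_source_threshold=50):
    """Clients holding far more half-open connections than a browser ever would."""
    return {ip: n for ip, n in counts.items() if n >= per_source_threshold}


def backlog_pressure(counts, backlog_size=128):
    """Fraction of a (constructed) listen backlog consumed by half-open state.
    A flood that spreads its SYNs over many spoofed sources slips under any
    per-source threshold, so the aggregate is the second signal to watch."""
    return sum(counts.values()) / backlog_size


def constructed_capture():
    """A legitimate client completing three handshakes, then one source sending
    60 SYNs in a second without ever finishing the handshake (constructed)."""
    pkts = []
    for i in range(3):
        t = float(i)
        pkts += [Packet(t, "10.0.0.5", SERVER, "S"),
                 Packet(t + 0.01, SERVER, "10.0.0.5", "SA"),
                 Packet(t + 0.02, "10.0.0.5", SERVER, "A")]
    for i in range(60):
        t = 5.0 + i / 60
        pkts += [Packet(t, "203.0.113.9", SERVER, "S"),
                 Packet(t + 0.001, SERVER, "203.0.113.9", "SA")]
    return pkts


if __name__ == "__main__":
    counts = half_open_counts(constructed_capture())
    print("half-open per source:", counts)
    print("flagged sources:", flood_sources(counts))
    print(f"backlog pressure: {backlog_pressure(counts):.0%}")
```

The same logic applied to live data is what a remote mitigation service does upstream of your server; the point of the example is that the signal is visible in nothing more than SYN and ACK counts per client.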

Is Privacy Dead?

Privacy has been in the back of many people’s minds for quite some time, but since the revelations of mass surveillance and top secret government programs this topic has risen to the forefront, and has its roots in technology and the cloud.

Companies use our data. Whether you use a social network, or use a free email service, that data is being collected and recorded by companies to build holistic profiles on your life in order to sell that data to advertisers, or bundle it into their own marketing plans.

This is common knowledge. All it takes to understand this is to send an email through Gmail, or search for something on any Google property. Once you enter a keyword, this information is used to target you with ads everywhere you use the service: Google Search, Google Maps, Gmail… the list goes on.

You get the picture.

Of course, Google is not the only company that does this. Nearly all companies are doing this in some way, so it is in the consumer’s best interest to understand what you are agreeing to when you “accept” any privacy policy. You should opt out if you disagree, because any compromise is typically left to the consumer — you either accept the conditions, or don’t use the product or service.

But is that the right way to do business?

Perhaps this is a time for companies doing business online to give the power of privacy back to the consumer. What’s troubling is there is no way to do this on a governmental level. Since programs like PRISM and XKeyscore have surfaced, the world is beginning to understand just how valuable “big data” truly is. Nearly every corporation or government entity is scrambling for pieces of information, and the means in which they have gone to acquire this data is shocking, to say the least.

How This Affects The U.S. Hold On Cloud Technology

All of the most well-known internet companies are U.S. businesses. From Facebook to Google, they call America home. The implication of this is that they are bound by U.S. laws. What this means is that our laws, our government — and any unconstitutional programs our government chooses to operate — impact the entire world. When you take in the fact that the U.S. represents only 5% of the world population, you can see how this can cause mistrust amongst other countries — and indeed it has.

The thing is, the brunt of this fallout rests on the shoulders of American cloud providers. According to Salon, PRISM may end up costing U.S. firms $35 billion.

We have even had a customer want to move due to an enacted corporate policy within their company that disallowed data being hosted in the States.

Fortunately, we were able to provide a solution, as our services are available in Germany, Ireland, Romania and the UK. We were able to accommodate the client, but the fact remains: U.S. confidence around the globe is on the decline. There is a lot of mistrust at this point, as I suppose it should be considering all of the media coverage we’ve seen so far, and the evidence that these programs are operating with no oversight.

People are beginning to question things, and rightly so.

What are your thoughts on data privacy?

© 2017 RivalHost. All Rights Reserved. Site by Comtech.