
Posts Tagged ‘#databreach’


Cybersecurity Lessons Learned From ‘Panama Papers’ Breach

May 24, 2016

In the weeks since the revelation of the Panama Papers, the world of the rich and powerful has been reeling. A single cyberattack against Mossack Fonseca, a quiet Panamanian law firm, has sent a tsunami around the world, toppling one world leader so far, with more turbulence to come.
The attacker absconded with a vast trove of information, consisting of millions of documents, emails, and other information – so much information, in fact, that journalists and other investigators have been poring through it for over a year.
Still a mystery: the identity or identities of the attackers. Perhaps an insider with access to secret passwords? Or maybe a skilled attacker, well-versed in the intricacies of cyberespionage?
In all probability, neither profile is accurate, because the Mossack Fonseca attack was dead simple. So simple, in fact, that a teenager with no hacking knowledge other than basic googling skills could have done it.
Furthermore, the security mistakes Mossack Fonseca made were appallingly common. So common, in fact, that it’s fair to say most of the readers of this article work for organizations that are making at least one of the same mistakes.
Do you think the same thing that happened to Mossack Fonseca and its clients can’t happen quite so easily to your organization? Here’s your wakeup call: it already has. You probably just don’t know it yet.
What are you going to do about it?
The Mossack Fonseca Attack: Dead Simple
The attacker’s point of entry: outdated versions of two popular open source content management systems, Drupal and WordPress. In the case of WordPress, a particular plugin was the likely culprit. “We think it is likely that an attacker gained access to the MF [Mossack Fonseca] WordPress website via a well-known Revolution Slider vulnerability,” according to Mark Maunder, Wordfence Founder and CEO. “This vulnerability is trivially easy to exploit.”
Fixed versions of Revolution Slider and of Drupal had long since been available, but Mossack Fonseca simply had not updated the software on its web server. In fact, outdated software that organizations have not properly patched is the most common cybersecurity vulnerability today, as I wrote in an article from April 2015.
The fact that Mossack Fonseca’s web servers were many months out of date was particularly egregious, especially considering the sensitivity of their clients’ information. “They seem to have been caught in a time warp,” says Alan Woodward, a cybersecurity expert from University of Surrey and consultant to Europol’s European Cybercrime Centre. “If I were a client of theirs I’d be very concerned that they were communicating using such outdated technology.”
The Revolution Slider weakness is notorious among hackers for its ease of exploit: download a ready-made utility from a hacking site, run it against the target, and the attacker has shell access on the web server, meaning they can navigate the server’s file system at will, uploading, downloading and executing files as they please.
Normally, a company that hosts its own web server realizes it’s inherently vulnerable, and separates it from other, more sensitive systems and data – but not Mossack Fonseca. “Their web server was not behind a firewall,” Maunder adds. “Their web server was on the same network as their mail servers based in Panama. They were serving sensitive customer data from their portal website which includes a client login to access that data.”
In other words, Mossack Fonseca failed to take even the most rudimentary steps to protect its confidential client data. Even if it had put the web server behind a firewall and separated it from the mail servers, though, the Revolution Slider weakness would still have given attackers a foothold on the web server from which to work toward internal systems; segmentation would have slowed them down and limited what they could reach, not kept them out.
Important Takeaways for Any Organization
The most urgent cybersecurity task for any organization is to ensure that admins have applied all security patches to all software, not just the software that faces the Internet. Your patching regimen should be prompt and thorough – but never count on all software to be properly patched.
The most diligent of patch regimens, after all, still have their weaknesses: there is always an interval of time between the discovery of a vulnerability and the availability of a patch, giving attackers an opening.
Automatic updates, meanwhile, can cause their own issues, especially in complex enterprise environments and other situations that require high availability. “[Updating web site software automatically] can break your website without notice,” opines Liviu Macsen, a web programmer from Prestimedia in Romania. “And you can’t do this in a corporate environment. Updates are sandboxed and tested before production.”
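If updates cannot simply be switched to automatic, the gap between the patch policy and what is actually running has to be closed by auditing installed versions rather than trusting that updates ran. The following is an added example, not code from the article, from Wordfence or from any of the people quoted. It reads the standard header comment WordPress places at the top of each plugin’s main PHP file (the real “Plugin Name:” and “Version:” lines) and compares the version against a minimum-version policy the operator maintains. The plugin names, file paths, version numbers and policy entries are constructed for illustration and are not real fixed versions of Revolution Slider or any other plugin.

```python
"""Audit installed WordPress plugin versions against a minimum-version policy.

Added example: every WordPress plugin declares its name and version in a
header comment at the top of its main PHP file (the real format is
"Plugin Name: ..." and "Version: ..." lines inside a PHP comment). This
script parses those headers and flags anything older than the version the
operator has verified as patched. Plugin names, paths and version numbers are
constructed for illustration, not a real inventory or real fixed versions.
"""
import re
from typing import Dict, List, Tuple

# Matches "Plugin Name: X" or "Version: X" whether the comment uses '/* ... */'
# (bare lines) or '/** ... */' (lines prefixed with ' * ').
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.6.5' -> (4, 6, 5). Non-numeric suffixes such as '-beta' are dropped
    so that tuple comparison works; a version with no digits sorts lowest."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts) or (0,)


def parse_plugin_header(php_source: str) -> Dict[str, str]:
    """Return the Plugin Name and Version fields from a plugin's header comment."""
    fields: Dict[str, str] = {}
    for key, value in HEADER_RE.findall(php_source):
        fields.setdefault(key, value)  # first occurrence wins
    return fields


def audit(plugins: Dict[str, str], policy: Dict[str, str]) -> List[dict]:
    """One finding per installed plugin.

    plugins: plugin file path -> PHP source of its main file
    policy:  plugin name -> minimum version the operator accepts as patched
    status is 'ok', 'OUTDATED', or 'UNKNOWN' when the policy has no entry
    (an unknown plugin is itself a finding: nobody is tracking its patches).
    """
    findings = []
    for path, source in plugins.items():
        header = parse_plugin_header(source)
        name = header.get("Plugin Name", path)
        installed = header.get("Version", "0")
        minimum = policy.get(name)
        if minimum is None:
            status = "UNKNOWN"
        elif parse_version(installed) < parse_version(minimum):
            status = "OUTDATED"
        else:
            status = "ok"
        findings.append({"plugin": name, "installed": installed,
                         "minimum": minimum, "status": status})
    return findings


# Constructed sample inventory: the PHP source an operator would read from
# wp-content/plugins/<plugin>/<plugin>.php on the web server.
SAMPLE_PLUGINS = {
    "wp-content/plugins/example-slider/example-slider.php": """<?php
/*
Plugin Name: Example Slider
Description: constructed sample, not a real plugin
Version: 3.0.95
*/
""",
    "wp-content/plugins/example-forms/example-forms.php": """<?php
/**
 * Plugin Name: Example Forms
 * Version: 5.2.1
 */
""",
    "wp-content/plugins/example-seo/example-seo.php": """<?php
/*
Plugin Name: Example SEO
Version: 1.0
*/
""",
}

# Hypothetical policy: the oldest version of each plugin the operator has
# confirmed contains the relevant security fixes.
POLICY = {"Example Slider": "4.2", "Example Forms": "5.2.0"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PLUGINS, POLICY):
        print(f"{finding['status']:8} {finding['plugin']:15} "
              f"installed={finding['installed']} minimum={finding['minimum']}")
```

Run against a real install by reading each plugin’s main file from wp-content/plugins into the dictionary; an UNKNOWN result is worth as much attention as an OUTDATED one, since it means no one has decided what “patched” means for that plugin.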
While keeping software up to date is an essential defensive move, organizations must also play offense by minding their data lineage: knowing where your data goes, who has access to it and when, much as law enforcement must maintain a chain of custody for evidence. You must also know what those people are doing with your information and, in particular, how they are securing it.
For the firms that trusted Mossack Fonseca with their confidential information, minding their data lineage was a significant weakness – and a vulnerability attackers were only too willing to exploit. “Attacks on third parties like external law firms, contractors and the like have been the main attack vector in the high profile data breaches over the past three years,” explains Adam Boone, CMO of security vendor Certes Networks. “An external partner like a legal firm also represents a path into the IT systems of the main enterprise target itself.”
The third important takeaway from the Mossack Fonseca breach: put your eggs in multiple baskets. Never give anyone access to more than a portion of your sensitive data. Furthermore, the more sensitive the data, the more you need to divide it up.
Such compartmentalization of sensitive information has been an important governmental intelligence tool for centuries, as only people with a ‘need to know’ have access to sensitive information.
In the corporate environment, such compartmentalization requires a new level of segmentation technology. “Without modern access control and application isolation techniques, [law] firms are wide open for malicious insiders or external attackers to get access to the most sensitive data,” Boone explains.
The Importance of Segmentation
The final word of wisdom every organization should glean from the Mossack Fonseca debacle: always assume you’ve already been hacked, and that attackers can achieve at least some of their goals before you shut them down. As a result, detecting the presence of hackers and cleaning up the messes they leave are important – but always remember, damage may have already been done.
Proper segmentation of your environment is the best approach to mitigating such damage. Clearly, if Mossack Fonseca had separated their web server and email server from each other and from other confidential information, it would have contained and thus limited the damage.
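The damage containment argued for above can be measured before an incident rather than assumed. The following is an added example, not from the article or from anyone quoted in it: it models the firewall policy between network zones as an allow-list of (source, destination, port) flows and computes what an attacker who already holds a shell on the web server can reach, first on a flat network like the one described for Mossack Fonseca, then on a segmented one. Zone names, ports and the allow-lists are constructed to mirror the article’s scenario and are not a real topology.

```python
"""Blast-radius check for a network segmentation policy.

Added example, not from the article: models the firewall policy between
network zones as an allow-list of (source, destination, port) flows and
computes what an attacker who already holds a shell on the web server can
reach, first on a flat network with no firewall between the web server and
everything else, then on a segmented one. Zone names and ports are
constructed to mirror the article's scenario and are not a real topology.
"""
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str, int]  # (source zone, destination zone, TCP port)


def any_to_any(zones: Iterable[str], ports: Iterable[int]) -> List[Flow]:
    """A flat network: no firewall, so every zone reaches every other zone
    on every service port. This is the article's 'web server on the same
    network as the mail servers' situation."""
    zone_list, port_list = list(zones), list(ports)
    return [(s, d, p) for s in zone_list for d in zone_list if s != d for p in port_list]


def reachable(start: str, flows: Iterable[Flow]) -> Set[Tuple[str, int]]:
    """Every (zone, port) an attacker can connect to from `start`.

    Assume-breach worst case: any zone the attacker can reach on any port is
    treated as a potential new foothold, so its outbound flows are followed
    too. That overstates what a hardened service allows, which is the right
    direction to err when sizing blast radius.
    """
    allowed: Dict[str, Set[Tuple[str, int]]] = {}
    for src, dst, port in flows:
        allowed.setdefault(src, set()).add((dst, port))

    hits: Set[Tuple[str, int]] = set()
    footholds = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for dst, port in allowed.get(zone, ()):
            hits.add((dst, port))
            if dst not in footholds:
                footholds.add(dst)
                queue.append(dst)
    return hits


def exposed_crown_jewels(start: str, flows: Iterable[Flow],
                         crown_jewels: Iterable[str]) -> Set[str]:
    """Which of the sensitive zones are reachable at all from `start`."""
    zones_hit = {zone for zone, _ in reachable(start, flows)}
    return zones_hit & set(crown_jewels)


# Constructed zones: the Internet-facing portal, the mail servers, a file
# store of client documents, the portal's database tier, and staff desktops.
ZONES = ["web", "mail", "files", "db", "workstations"]
CROWN_JEWELS = {"mail", "files", "db"}
SERVICE_PORTS = [22, 25, 143, 445, 3306]

# Flat: what the article describes.
FLAT = any_to_any(ZONES, SERVICE_PORTS)

# Segmented: the web tier may only talk to the database it serves data from;
# management, mail and file access originate from inside, never from the DMZ.
SEGMENTED: List[Flow] = [
    ("web", "db", 3306),
    ("workstations", "web", 22),
    ("workstations", "mail", 143),
    ("workstations", "files", 445),
    ("workstations", "db", 3306),
]

if __name__ == "__main__":
    for label, flows in (("flat", FLAT), ("segmented", SEGMENTED)):
        hit = exposed_crown_jewels("web", flows, CROWN_JEWELS)
        print(f"{label:10} compromise of the web server exposes: {sorted(hit) or 'nothing'}")
```

On the flat network a compromise of the web server exposes all three sensitive zones; on the segmented one only the database the portal has to read from remains in reach. That is the article’s point in numbers: segmentation limits the damage rather than eliminating it, and the remaining exposure (here, the client-data tier) is exactly where the next control belongs.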
From the perspective of the law firm’s clients, such segmentation is a more complex challenge. Every one of them should have ensured Mossack Fonseca had the appropriate protections in place, and they should have also divided up their confidential information across multiple law firms.
The segmentation approach that is right for your organization may look different, but remember, chances are not all of your sensitive information is locked away inside secure areas within your network. Much of it may be in the cloud or in the hands of third parties. You can’t prevent all attacks from succeeding in such complex environments, but you can mitigate the damage through proper segmentation.
By Jason Bloomberg



The Percentage Of Health Care Data Breaches Due To Criminal Acts Has Risen From 20 to 50 Percent Since 2010

May 16, 2016

The percentage of health care data breaches due to criminals has risen from 20 to 50 percent since 2010, but health care organizations are failing on defense, according to a new study.
On average, the percentage of health care organizations hit by a data breach has stayed steady, in the high 80s and low 90s, according to Larry Ponemon, chairman and founder at Ponemon Institute, which conducted the study, but the number of breaches due to accidentally lost devices has dropped.
Most recently, ransomware and denial-of-service attacks have become top security concerns. These kinds of attacks have the potential to shut down the operations of a health care organization, putting lives at risk.
Ransomware typically encrypts every file it can reach, making patient records inaccessible to doctors and nurses.
Denial-of-service attacks shut down the tools and systems used to access those records.
“A lot of these tools now are Internet-facing or are actually in the cloud,” Ponemon explained.
“I think we’re actually in a situation where the bad guys are winning at this point,” said Rick Kam, president and co-founder at ID Experts, which sponsored the report.
One reason is finger pointing, he said. Health care providers point to third-party business associates, such as drug companies and claims processors, while the business associates point the finger back at the health care providers.
“Neither the business associates nor the health care entities are doing their job,” he said. “There’s a small increase in security budgets, but that incremental spending is not keeping up with the threat.”
Another contributing factor, he added, is that the majority of the health care organizations are regional and local hospitals, which are not flush with cash.
Health care organizations understand that they are targets.
More than two-thirds, or 69 percent, said that they are at greater risk than other industries for a data breach.
And there have been some improvements.
Sixty-three percent of respondents said they have policies and procedures that are in place to effectively prevent or quickly detect unauthorized patient data access, up from 58 percent in 2015.
And 57 percent said they have the expert personnel to be able to identify and resolve data breaches, up from 53 percent in 2015.
In addition, 71 percent have an incident response plan process in place, with involvement from information technology, information security and compliance, a slight increase from 69 percent in last year’s study.
However, slightly more than half of health care organizations, 52 percent, said that security budgets have stayed the same since last year, and 10 percent said their budgets decreased.

By Maria Korolov


