
Posts Tagged ‘#securemail’


Cybersecurity Lessons Learned From ‘Panama Papers’ Breach

May 24, 2016

In the weeks since the revelation of the Panama Papers, the world of the rich and powerful has been reeling. A single cyberattack against Mossack Fonseca, a quiet Panamanian law firm, has sent a tsunami around the world, toppling one world leader so far, with more turbulence to come.
The attacker absconded with a vast trove of information, consisting of millions of documents, emails, and other information – so much information, in fact, that journalists and other investigators have been poring through it for over a year.
Still a mystery: the identity or identities of the attackers. Perhaps an insider with access to secret passwords? Or maybe a skilled attacker, well-versed in the intricacies of cyberespionage?
In all probability, neither profile is accurate, because the Mossack Fonseca attack was dead simple. So simple, in fact, that a teenager with no hacking knowledge other than basic googling skills could have done it.
Furthermore, the security mistakes Mossack Fonseca made were appallingly common. So common, in fact, that it’s fair to say most of the readers of this article work for organizations that are making at least one of the same mistakes.
Do you think the same thing that happened to Mossack Fonseca and its clients can’t happen quite so easily to your organization? Here’s your wakeup call: it already has. You probably just don’t know it yet.
What are you going to do about it?
The Mossack Fonseca Attack: Dead Simple
The attacker’s point of entry: older versions of popular open source web server software Drupal and WordPress. In the case of WordPress, a particular plugin was the likely culprit. “We think it is likely that an attacker gained access to the MF [Mossack Fonseca] WordPress website via a well-known Revolution Slider vulnerability,” according to Mark Maunder, Wordfence Founder and CEO. “This vulnerability is trivially easy to exploit.”
Fixed versions of both the Revolution Slider plugin and Drupal had long since been available – but Mossack Fonseca simply had not updated the software on its web server. In fact, outdated software that organizations haven’t properly patched is the most common cybersecurity vulnerability today, as I wrote in an article from April 2015.
The fact that Mossack Fonseca’s web servers were many months out of date was particularly egregious, especially considering the sensitivity of their clients’ information. “They seem to have been caught in a time warp,” says Alan Woodward, a cybersecurity expert from University of Surrey and consultant to Europol’s European Cybercrime Centre. “If I were a client of theirs I’d be very concerned that they were communicating using such outdated technology.”
The Revolution Slider weakness is notorious among hackers for its ease of exploit. A ready-made utility, downloaded from a hacker web site and run against the target, immediately gives the attacker shell access on the web server, which means they can navigate the server’s file system at will, uploading, downloading, and executing files however they like.
Normally, a company that hosts its own web server realizes it’s inherently vulnerable, and separates it from other, more sensitive systems and data – but not Mossack Fonseca. “Their web server was not behind a firewall,” Maunder adds. “Their web server was on the same network as their mail servers based in Panama. They were serving sensitive customer data from their portal website which includes a client login to access that data.”
In other words, Mossack Fonseca failed to take even the most rudimentary steps to protect its confidential client data. However, even if the firm had put its web server behind a firewall and separated it from its mail servers, the Revolution Slider weakness would still have allowed attackers to reach data on internal systems – it would simply have taken them a bit longer.
Important Takeaways for Any Organization
The most urgent cybersecurity task for any organization is to ensure that admins have applied all security patches to all software, not just the software that faces the Internet. Your patching regimen should be prompt and thorough – but never count on all software to be properly patched.
The most diligent of patch regimens, after all, still have their weaknesses: there is always an interval of time between the discovery of a vulnerability and the availability of a patch, giving attackers an opening.
Secondly, automatic updates can cause their own issues, especially in complex enterprise environments and other situations that require high availability. “[Updating web site software automatically] can break your website without notice,” opines Liviu Macsen, a web programmer from Prestimedia in Romania. “And you can’t do this on corporate environment. Updates are sandboxed and tested before production.”
While keeping software up to date is an essential defensive move, organizations must also play offense by minding their data lineage. Data lineage means knowing who has access to your data and when, similar to how law enforcement must handle chains of evidence. You must also know what people are doing with your information and, in particular, how they are securing it.
For the firms that trusted Mossack Fonseca with their confidential information, minding their data lineage was a significant weakness – and a vulnerability attackers were only too willing to exploit. “Attacks on third parties like external law firms, contractors and the like have been the main attack vector in the high profile data breaches over the past three years,” explains Adam Boone, CMO of security vendor Certes Networks. “An external partner like a legal firm also represents a path into the IT systems of the main enterprise target itself.”
The third important takeaway from the Mossack Fonseca breach: put your eggs in multiple baskets. Never give anyone access to more than a portion of your sensitive data. Furthermore, the more sensitive the data, the more you need to divide it up.
Such compartmentalization of sensitive information has been an important governmental intelligence tool for centuries, as only people with a ‘need to know’ have access to sensitive information.
In the corporate environment, such compartmentalization requires a new level of segmentation technology. “Without modern access control and application isolation techniques, [law] firms are wide open for malicious insiders or external attackers to get access to the most sensitive data,” Boone explains.
The Importance of Segmentation
The final word of wisdom every organization should glean from the Mossack Fonseca debacle: always assume you’ve already been hacked, and that attackers can achieve at least some of their goals before you shut them down. As a result, detecting the presence of hackers and cleaning up the messes they leave are important – but always remember, damage may have already been done.
Proper segmentation of your environment is the best approach to mitigating such damage. Clearly, if Mossack Fonseca had separated their web server and email server from each other and from other confidential information, it would have contained and thus limited the damage.
From the perspective of the law firm’s clients, such segmentation is a more complex challenge. Every one of them should have ensured Mossack Fonseca had the appropriate protections in place, and they should have also divided up their confidential information across multiple law firms.
The segmentation approach that is right for your organization may look different, but remember, chances are not all of your sensitive information is locked away inside secure areas within your network. Much of it may be in the cloud or in the hands of third parties. You can’t prevent all attacks from succeeding in such complex environments, but you can mitigate the damage through proper segmentation.
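The segmentation argument above can be made concrete with a blast-radius check: given which zone each host sits in and which zone-to-zone flows a firewall permits, compute every host an attacker who owns one machine can pivot to. The script below is an added illustration, not code from the article or from any real Mossack Fonseca environment; the host names, zones and allowed flows are constructed. It models two layouts, the flat one the article describes (web and mail servers on one network) and a segmented alternative, and reports which sensitive systems a compromised web server can reach in each.

```python
"""Blast-radius check for a network segmentation policy.

Added example with constructed data: hosts, zones and flows are invented
to illustrate the article's point, not taken from any real network.
"""
from collections import deque

# Flat layout (constructed): everything shares one zone, so every host can
# talk to every other host and no firewall rule is needed to pivot.
FLAT_HOSTS = {
    "www": "internal",             # public web server (the entry point)
    "client-portal-db": "internal",
    "mail": "internal",
    "fileserver": "internal",
    "workstation": "internal",
}
FLAT_POLICY = set()  # no inter-zone rules; intra-zone traffic is implicit

# Segmented layout (constructed): each function in its own zone, and only
# the flows the business actually needs are permitted between zones.
SEGMENTED_HOSTS = {
    "www": "dmz",
    "client-portal-db": "portal-data",
    "mail": "mail",
    "fileserver": "data",
    "workstation": "corp",
}
SEGMENTED_POLICY = {
    ("dmz", "portal-data"),  # the portal must read client records it serves
    ("corp", "mail"),        # staff read mail
    ("corp", "data"),        # staff use the file server
}


def reachable_zones(policy, start_zone):
    """Zones reachable from start_zone by following allowed flows transitively.

    Traffic within a zone is always allowed, so once an attacker lands in a
    zone every host there is a potential next hop.
    """
    seen = {start_zone}
    queue = deque([start_zone])
    while queue:
        zone = queue.popleft()
        for src, dst in policy:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def blast_radius(hosts, policy, compromised_host):
    """All hosts an attacker who controls compromised_host can pivot to."""
    zones = reachable_zones(policy, hosts[compromised_host])
    return {host for host, zone in hosts.items() if zone in zones}


def segmentation_violations(hosts, policy, entry_host, crown_jewels):
    """Sorted list of protected hosts that entry_host should not reach but can."""
    return sorted(blast_radius(hosts, policy, entry_host) & set(crown_jewels))


if __name__ == "__main__":
    protected = ["mail", "fileserver"]
    for label, hosts, policy in (
        ("flat", FLAT_HOSTS, FLAT_POLICY),
        ("segmented", SEGMENTED_HOSTS, SEGMENTED_POLICY),
    ):
        radius = sorted(blast_radius(hosts, policy, "www"))
        bad = segmentation_violations(hosts, policy, "www", protected)
        print(f"{label}: compromised www reaches {radius}; violations: {bad}")
```

In the flat layout a foothold on `www` reaches every host, including mail. In the segmented layout it still reaches `client-portal-db`, because the portal genuinely needs that flow, which matches the article's caveat that segmentation limits damage rather than eliminating it; the mail and file servers, however, are out of reach, and a compromised workstation in `corp` cannot in turn reach the portal database.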
By Jason Bloomberg
www.forbes.com



The Percentage Of Health Care Data Breaches Due To Criminal Acts Has Risen From 20 to 50 Percent Since 2010

May 16, 2016

The percentage of health care data breaches due to criminals has risen from 20 to 50 percent since 2010, but health care organizations are failing on defense, according to a new study.
The percentage of health care organizations hit by a data breach has stayed steady, in the high 80s and low 90s, according to Larry Ponemon, chairman and founder of the Ponemon Institute, which conducted the study; the number of breaches due to accidentally lost devices, however, has dropped.
Most recently, ransomware and denial-of-service attacks have become top security concerns. These kinds of attacks have the potential to shut down the operations of a health care organization, putting lives at risk.
Ransomware typically encrypts all data, making patient records inaccessible to doctors and nurses.
Denial-of-service attacks shut down the tools and systems used to access those records.
“A lot of these tools now are Internet-facing or are actually in the cloud,” Ponemon explained.
“I think we’re actually in a situation where the bad guys are winning at this point,” said Rick Kam, president and co-founder at ID Experts, which sponsored the report.
One reason is finger pointing, he said. Health care providers point to third-party business associates, such as drug companies and claims processors, while the business associates point the finger back at the health care providers.
“Neither the business associates nor the health care entities are doing their job,” he said. “There’s a small increase in security budgets, but that incremental spending is not keeping up with the threat.”
Another contributing factor, he added, is that the majority of the health care organizations are regional and local hospitals, which are not flush with cash.
Health care organizations understand that they are targets.
More than two-thirds, or 69 percent, said that they are at greater risk than other industries for a data breach.
And there have been some improvements.
Sixty-three percent of respondents said they have policies and procedures that are in place to effectively prevent or quickly detect unauthorized patient data access, up from 58 percent in 2015.
And 57 percent said they have the expert personnel to be able to identify and resolve data breaches, up from 53 percent in 2015.
In addition, 71 percent have an incident response plan process in place, with involvement from information technology, information security and compliance, a slight increase from 69 percent in last year’s study.
However, slightly more than half of health care organizations, 52 percent, said that security budgets have stayed the same since last year, and 10 percent said their budgets decreased.

By Maria Korolov

www.csoonline.com



FBI Director Warns That Feds Will Bring More Encryption-Related Cases

May 12, 2016

The head of the FBI said Wednesday that the government will bring more legal cases over encryption issues in the near future.
Speaking with reporters at FBI headquarters in Washington, FBI Director James Comey specifically said that end-to-end encryption on WhatsApp is affecting the agency’s work in “huge ways.” However, he noted the FBI has no plans to sue Facebook, the app’s parent company.
He also said that since October 2015, the FBI has examined “about 4,000 digital devices” and was unable to unlock “approximately 500.”
The FBI paid gray hat hackers at least $1.3 million for a way to get into the seized iPhone used by Syed Rizwan Farook, the now-dead terrorist involved in the December 2015 attack in San Bernardino, California. At the last minute, the Department of Justice canceled a highly anticipated court hearing over the issue in March 2016.
However, Comey said that the hackers’ identities are so closely held inside the government that even he doesn’t know who they are, according to Reuters.

By Cyrus Farivar

www.arstechnica.com



Health care records frequently targeted by anonymous hackers

May 5, 2016

For 10 days in February one hospital’s records hung in limbo. At Hollywood Presbyterian Medical Center in California, a ransomware attack kept health care records in control of anonymous hackers, until hospital officials paid $17,000 to take back their system.
Data ransom attacks are today’s technological version of kidnapping. It’s anonymous, more cost-effective and more appealing to criminal enterprises than taking physical hostages. And it’s the reason health care institutions today are taking steps to ensure security.
As part of an ongoing conversation, health care professionals and government agencies will meet on May 1-11 in Washington D.C. to discuss health data as part of the Health Datapalooza event presented by Health Data Consortium.
At Creighton University, law professor Edward Morse is researching the technological and legal limitations for paying data ransom.
“If you can deny access to patient care records, you shut down hospital operations,” Morse said. “With HIPAA, a patient’s electronic records are protected under law. But a patient’s medical information is only as strong as an institution’s weakest link.”
It can be as simple as a disgruntled employee, someone willing to give up a password to a potential hacker, so hospitals are working to increase security and limit the number of employees who can access sensitive data.
Adam Kuenning, attorney with Erickson | Sederstrom and a Creighton law professor, teaches HIPAA privacy and security.
“Patient care comes first for any medical professional,” Kuenning said. “The importance of keeping the information secure, may sometimes be lost while the medical professional is focused on the patient’s care.”
Any HIPAA breach of more than 500 patients must be reported to the media, and the Department of Health and Human Services keeps a record of these cases online. Since 2009, more than 1500 cases have been recorded. For cases affecting less than 500 patients, only a letter sent to affected persons is required.
To ensure HIPAA compliance, HHS is conducting audits of healthcare companies, but often carelessness is the root cause of a breach. A frequent problem is laptops and thumb drives holding private medical information left in an employee’s car.
“Data that’s not encrypted is being stolen somehow,” Kuenning said. “People are breaking into your office, stealing your computer, your servers when you didn’t encrypt your records that evening.”
In the California hospital case, an outside hacker stole records by taking over the computer system. In these cases, it’s common that patient information isn’t actually stolen; rather, hackers freeze the system, making the records inaccessible to medical personnel who need the information to properly care for the patients.
Last June, President Barack Obama stated while the U.S. government won’t pay ransom for hostages, American families have never “been prosecuted for paying a ransom.” In most health care cases, private ransom payments often go unnoticed. Few cases like Hollywood Presbyterian Hospital are publicized. According to Morse, thousands of attacks are attempted, but it’s unknown how many are successful.
“With this crime, it’s embarrassing to institutions, that their systems aren’t secure,” Morse said.
Payouts to criminal enterprises are relatively inexpensive. The black market values each patient’s record at $50 or $60, Morse found. According to a Ponemon Institute Survey, hackers only earn about $28,000 annually, but Morse notes that this wage could equate to a lot more with hackers coming from developing countries.
Without patients’ records, the hospital comes to a standstill, creating pressure to comply and pay the ransom.
“If you can pay, you would do it in a New York minute,” Morse said.
As the health care industry becomes more invested in technological innovations, institutions must keep privacy in mind, as a data breach can “ultimately, sully the reputation of an institution,” Morse said.

Source: Creighton University

