Monday, January 25, 2016

Week 7 - Hackers Breach University of Virginia HR System

The FBI recently notified the University of Virginia of a data breach following a law enforcement investigation, which resulted in overseas suspects involved in the incident being taken into custody.  The attack was carried out via a phishing email, which asked users to click on a link and provide their user name and password.

The cybercriminals were able to gain access to the University's HR system and the W-2s of 1,400 employees, as well as the direct deposit banking information of 40 of them.  Further investigation revealed that the attackers first gained access to the system in November 2014, with the last suspected intrusion in February 2015.

Chairman and Founder of IDT911, Adam Levin, stated, "While we don't have intimate knowledge of the specific security protocols at UVA, it is clear that even if their IT and Information Security departments did everything right, one or more employees who click on a malicious link can be unwitting co-conspirators in the compromise of a database holding the personal information of countless individuals."

This article proves once again the importance of Information Security Awareness in an organization.  In this case, the employees who fell for the phishing attack could have prevented the hack.  But they can't be completely at fault.  I'd also raise a few questions to the organization's Chief Information Security Officer (CISO) or Security Manager: What type of Infosec Awareness training is in place?  How often are employees required to go through the training?  What can be done to minimize or even prevent an incident like this from happening again?  Employees and users in general must understand that security starts with them.

Reference:
http://www.securityweek.com/hackers-breach-university-virginia-hr-system

Tuesday, January 19, 2016

Week 6 - Struggling With Privacy Tradeoffs in Digital Era

A Pew Research Center survey released Thursday found no consistent pattern on decisions to give up privacy in return for discounts, rewards, or other benefits:

- A majority (52 percent) of those surveyed said they would allow their medical data to be uploaded to a secure site in order to allow their doctor to keep track of their health.
- But only 27 percent said it was acceptable for a thermostat sensor to monitor movements in the home to potentially save on energy costs.
- 47 percent said it was OK for retailers to keep track of shopping habits to offer discounts, while 32 percent said it was not acceptable.
- A majority (54 to 24 percent) said it would be acceptable for employers to install monitoring cameras following a series of workplace thefts.
- Asked about a scenario in which a free social media platform allows people to connect with friends in exchange for sharing data to deliver advertisements, just one in three said this was acceptable, and 51 percent disagreed.

Pew researcher, Lee Rainie stated, "These findings show how people's decisions are often context-specific and contingent. A phrase that summarizes their attitudes is, 'It depends.' Most are likely to consider options on a case-by-case basis, rather than apply hard-and-fast privacy rules."

This was a great article to read since privacy and technology have become a huge topic in recent years.  I thought the results were very interesting.  People are okay with uploading personal information to a site that could be vulnerable to hacking, but uncomfortable with a SENSOR that tracks their movements in their own home?  From an IT security perspective, I'd think it would be the other way around.  What about Smart TVs that have motion control or the XBOX Kinect, which both connect to the Internet?  These are common household products and most likely used by those who oppose the thermostat sensor as well.  I think many of us don't realize how much privacy we're already giving up through the use of social media or apps that have access to our personal information, phone contacts, and location.

Also, more people are okay with having their shopping habits tracked for possible discount offers.  Personally, I feel that's an invasion of my privacy.  There's no need for anyone to know what my browsing habits or history are, even if it's only for advertising a product.  If I want to purchase something from a site, I'll do it of my own free will.  I don't need ads popping up trying to tempt me.  It's more of a nuisance than anything.

As the article stated, acceptance of losing some privacy with technologies and services will depend on what it is.  There are just too many sides and opinions on it to come up with mutual privacy rules.  It will be interesting to see how everything plays out as more issues like this come up.

References:
http://www.securityweek.com/struggling-privacy-tradeoffs-digital-era

Tuesday, January 12, 2016

Week 5 - Privilege Escalation Flaw Found in VMware Tools

VMware has released its first security advisory of 2016, regarding an important guest privilege escalation vulnerability in VMware Tools.

The Shared Folders (HGFS) feature running on Windows is affected by a memory corruption flaw that can be exploited by an attacker to escalate their privileges within the guest operating system.  VMware has confirmed that the vulnerability cannot be exploited to escalate privileges from the guest operating system to the host, and that host memory cannot be manipulated from the guest.

The vulnerability can be patched with the 201512102-SG patches.  Once the patches are applied, VMware Tools in all Windows guests that include the Shared Folders feature needs to be updated.  As a workaround, the Shared Folders feature can be removed to prevent exploitation.

This short article caught my attention because I manage multiple VMware ESXi hosts at my job and will be looking into mitigating this vulnerability this week.  This is a great example of why we should be keeping up with security patches in order to keep the network and devices safe, especially when it affects the servers.  Hacks on large companies like the Sony PSN hack could have been prevented if their servers had been patched with the latest updates.  With enough time and resources a hacker will get into a network, but to allow them in due to unpatched servers would be unacceptable.  It's up to the system administrators to keep an eye out for these things.

Wednesday, January 6, 2016

Week 4 - Samsung Launches Security Solution for Smart TVs

Last week, Samsung revealed it will be implementing a three-layer security solution called GAIA on all of its Tizen-based Smart TVs.  The solution is designed to protect the consumer's personal data in three ways.  The first is called Secure Zone, a virtual barrier designed to create a secure space and to protect the core service operations.  It also includes a Secure Keypad, a virtual data input mechanism displayed on the TV that safeguards consumers' personal information, including credit card numbers and passwords.

GAIA will have the capability of encrypting important data transmitted between a Smart TV and Internet of Things (IoT) service servers.  It will also have a built-in anti-malware system.  The security level is further improved by leveraging hardware-based security: the Tizen OS has been divided into two parts, the main space and the security space, and data for each of them is secured separately.  The public key used for verification of personal information will be stored in a hardware chip.

Just like the smart phone, Smart TVs will follow the trend and eventually become almost a necessity in our households.  It may not sound like a big deal now, but these Smart TVs are devices that connect to the Internet, and they are just as vulnerable as computers and smart phones.  A Smart TV actually IS a computer, as it runs its own OS and stores and transmits data to other devices or servers over the Internet.  It's definitely a recipe for being vulnerable to hacking.  Raising awareness of the importance of securing it is critical, and hopefully this prompts other Smart TV manufacturers to start implementing the same kinds of solutions.

References:
http://www.securityweek.com/samsung-launches-security-solution-smart-tvs