Posted by Kalyani M. on Mar 6, 2014
For many enterprises, security has become a chief concern in the light of hacking, the spread of malware, and international cyber wars. The latest in the litany of worries over data safety comes from news of 300,000 compromised routers. While many enterprises operate on a much bigger scale than the small office and home office (SOHO) routers that were recently attacked, the growing popularity of enabling mobile workforce and work from home policies jeopardizes sensitive company data, due to the relative insecurity of such commonly used routers. Instead of scaling back worker mobility, enterprises can still take advantage of on-the-go work and work from home solutions by securing important corporate and consumer data in a private cloud service.
According to a recent white paper put out by the security firm Team Cymru, man-in-the-middle attacks on SOHO routers have been traced to two IP addresses registered in the UK. In their SOHO Pharming paper, Team Cymru warns, “In January 2014, Team Cymru’s Enterprise Intelligence Services began investigating a SOHO pharming campaign that had overwritten router DNS [domain name system] settings in central Europe.” Furthermore, the scale of the attacks is alarming. The paper reads, “To date, we have identified 300,000 devices, predominantly in Europe and Asia, which we believe have been compromised as part of this campaign, one of which dates back to at least mid-December 2013.”
The implications of this large-scale attack are far reaching and should concern enterprises, as it could mean the presence of a new hacktivist botnet. As F-Secure security analyst Sean Sullivan says, “Until a clear business model comes to light, nothing’s off the table. Is this some type of hacktivist botnet? It seems like a possible fit.” Many enterprises are not equipped to address such a botnet attack, as Sullivan notes, “Traditional botnets are limited in usefulness as far as DDoS goes. I’ve read compelling research on the topic of servers being targeted and it seems probable that routers would also be useful.” With servers and routers both being targeted, enterprises must establish clear security protocols that protect sensitive data both onsite and offsite for remote workers.
As of yet, the reason behind such attacks is still unclear. Steve Santorelli of Team Cymru recently told BBC that as technology grows, so will cybercrime, “It’s a definite evolution in technology – going after the Internet gateway, not the end machine. We see these leaps in concepts every few years in cybercrime.” In order to stay ahead of innovations in cybercrime, enterprises must make data security a top priority. In a BitSight survey of the S&P 500, it was found that between 68% and 82% of the S&P 500 had suffered a data compromise. Only 18% had good SSL certificates and 24% had good SPF records.
What’s the reason for such negligence? For many companies, development trumps security. As shown by a Trustwave survey of 800 IT professionals, 4 out of 5 were pressured to rollout IT projects in the face of glaring security gaps. Another study by Tripwire shows that about 80% of Amazon’s top selling SOHO wireless routers have security gaps that leave them vulnerable to third party attacks. Ultimately, when rolling out security measures, enterprises should cover all bases so that data stays safe onsite and at home where mobile workers could be accessing sensitive information through insecure SOHO devices.
Router Security & Safe Mobility with SpiderOak Blue
Many enterprises have a hard time finding a private third party cloud service that can offer true data privacy. An unsecured cloud provider could leave sensitive data wide open to leaks or attacks, and in the case of the recent wave of router attacks, such unsecured clouds would open up an added danger to mobile workers or work from home employees. In a market flooded with subpar security standards, a notable option lies in the services of SpiderOak Blue. This storage and sync service for enterprises offers 100% data privacy through zero-knowledge end-point device backup, mobile syncing and sharing, as well as cloud storage. Through SpiderOak Blue, enterprises can utilize onsite deployment through their own private servers or for companies that prefer more scalable solutions, SpiderOak also offers outsourced deployment with a private cloud server.
The secured authentication system is handled with a virtual appliance that sits behind an enterprise’s firewall and signing on is simplified through an integrated Active Directory/LDAP. SpiderOak Blue is completely compatible with Mac, Windows, and Linux, as well as iOS and Android for mobile security on the go and at home. With the rising popularity of work from home solutions, enterprises can leverage competitive work benefits to a growing sector of workers that seek such mobility while keeping corporate and consumer data safe from hackers, leaks, and even insecure routers. Whatever the next cyber crime innovation may be, SpiderOak helps businesses proactively stay a step ahead.
Posted by Kalyani M. on Mar 4, 2014
For tech-savvy early adopters and enterprises seeking to stay ahead of technological innovations, Bitcoin has been presented as if it were a digital gold mine. This decentralized digital currency works through value transfers that are not yet regulated by any country, corporation, or bank. Bitcoin isn’t backed up by solid assets, so value tends to fluctuate with user investment, jumping from $150USD to $1,000USD in just a matter of months. While many enterprises have stayed away from Bitcoin use or investment until the legal issues are all cleared up, those that want to stay ahead of the curve can still take advantage of the currency while keeping their assets safe through private key storage and sync with a secure cloud service.
One of the burgeoning industries for Bitcoin is online gambling. Last July, Bitcoin gambling site Satoshidice.com was sold for 126,315 Bitcoins, or about $12.4 million US dollars. In a testament to Bitcoin’s appeal, that initial sale is now worth about $70 million USD. According to many estimates, Bitcoin’s transactions are still primarily relegated to gambling with around 50-60% of total transactions garnered by online gambling sites. One of the reasons that companies are wary of the digital currency is the recent wave of attacks and lost assets.
Last February, Mt. Gox, a Bitcoin exchange service based in Japan, froze withdrawals only to indefinitely close transactions at the end of the month due to a technical error. This error, termed “transaction malleability” boiled down to invalidated hashes resulting in modified transactions. Ultimately, users lost a total of 744,408 Bitcoins, which went unnoticed. Mt. Gox was previously notorious for its link to the underground criminal online store called Silk Road. According to Silk Road’s founder, Dread Pirate Roberts, “We’ve [Silk Road] won the State’s [U.S.] War on Drugs because of Bitcoin.” Such massive loss of assets and association with the criminal underworld have kept many enterprises at bay, but the staying power of Bitcoin means that development and IT teams should begin to discuss how they will interact with Bitcoin in the future.
As Bitcoin gains traction around the world, it will face more attacks. Uri Rivner, head of cyber strategy at BioCatch, recently told the RSA Conference, “The Bitcoin exchanges are basically sitting ducks” due to their vulnerability to broad strains of malware. According to Rivner, “if you are inside a Bitcoin exchange, you can get away with all their Bitcoin…it’s like robbing not a branch of the Bank of America, but all of Bank of America.” The ability for Bitcoin exchanges to lose everything in a single attack should give such exchanges and investing enterprises caution. When it comes to securing Bitcoin wallets and keys, only secure cloud storage should be trusted. In the words of cyber security expert Brian Krebs, “Anyone who plays in this space, you better have a plan for when an attack happens because it’s going to be a when, not an if.”
Whether it comes to the introduction of online sales or the rising popularity of Bitcoin, any new technology is bound to cause concern over security and privacy. Rather than abstaining from the benefits of Bitcoin, enterprises should consider rolling out plans to securely utilize the currency to offer users more choice, while protecting Bitcoin wallets and keys through a cloud service that offers data anonymity. Simple precautions to consider include limiting employee access to Bitcoin wallets, storing user keys offline or in a secure cloud, and backing up private copies of Bitcoin wallets in the case of server or device failure.
Bitcoin Security & Key Protection through SpiderOak Blue
For early adopting enterprises seeking to jump on board the Bitcoin train, finding a truly protected third party cloud service can be a challenge. Many “secure” services on the market have glaring security gaps that leave private data and sensitive company info wide open to third party attacks, internal leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak Blue. This service provides enterprises and large businesses with fully secure cloud storage, zero-knowledge end-point device backup, remote syncing, and sharing. Essentially, it offers all of the convenience of the cloud along with 100% data privacy so that companies can utilize Bitcoin without assuming the currency’s massive risk.
SpiderOak Blue is available with onsite deployment and private servers, or outsourced deployment through a private and secured public cloud server, so that enterprises can seamlessly tailor the service to fit their unique needs. Authentication is resolved via a virtual appliance that is positioned behind your firewall and is integrated with Active Directory/LDAP for a single sign-on. The service is compatible with Mac, Windows, and Linux, as well as iOS and Android to provide comprehensive and mobile security for companies with a remote workforce. So no more worries about digital wallet breaches and lost assets; SpiderOak Blue completely covers your corporate and consumer data both onsite and offsite. And IT Admins will jump on board as SpiderOak features a convenient and secure central management console, giving your organization full control over and ownership of your data and Bitcoin keys.
Posted by Kalyani M. on Feb 27, 2014
In the wake of the stunning data breach suffered by Target late last year, proactive enterprises have already started to draft and enact better security standards to protect corporate and customer data. Such data breaches irreversibly tarnish brands by establishing a bad corporate reputation and losing consumer trust that can be incredibly hard to earn back. Congress has started to discuss legislation that would provide a federal security standard along with consumer protections, but instead of waiting around for legislation that must be responded to, the best enterprises will leverage technology in their favor by seeking out fully secure solutions to data storage and syncing. Being able to proactively protect data not only offers peace of mind, but also allows enterprises to market themselves as fierce defenders of their consumers’ privacy, earning lifelong trust and better branding.
Attorney General Eric Holder recently raised public awareness of the need for a federal data breach notification standard, in which American consumers would be legally entitled to notification of loss of consumer data within a specific time frame. This consumer data loss would include such sensitive information as credit card numbers, debit card pins, and personal information like billing addresses. According to Holder, such future legislation “would enable law enforcement to better investigate these [data breach] crimes – and hold compromised entities accountable when they fail to keep sensitive information safe.” Companies that haven’t begun the framework and planning necessary to meet such standards will have to allocate precious time and resources in a mad scramble to meet requirements once such legislation is passed. And, given recent high-profile data breaches, the passage of such legislation is almost guaranteed. According to Tom Kellermann, managing director of consumer protection at Alvarez & Marsal, “When you are a victim of attack, time is of the essence in terms of how you react…There have been many instances where corporations have waited months to report that a breach occurred, and during that time, identity theft cases have dramatically grown in number.”
For many consumers, enterprises that proactively seek to protect their data are worth fierce brand loyalty, especially as the perception is that such protections are against the norm. According to U.S. attorney for the Southern District of New York Preet Bharara, “Corporations may wait days or even weeks and months, or never disclose the attacks at all, for fear of exposing proprietary information…but doing so makes it much harder to identify the perpetrator and prevent future economic injury.” As Bharara notes, “It’s not just a law enforcement problem; it’s a corporate culture problem also.” Rather than following the crisis management wake of the mainstream, strategic enterprises will be proactive.
While there is some resistance among certain states to adopting a federal standard, the increase of data breaches assures some kind of universal protocol in the near future. Another reason to stay ahead of consumer data protection legislation is that these recent cases may be the result of organized crime. As Zscaler cybert security expert Michael Sutton asserts, “There is certainly a real element of sophistication here…There would have needed to be some reconnaissance up front to understand the network that was being targeted, the hardware and software that they were going after. They would have had to customize the malware that they used and then figured out means of exfiltrating that data and doing so without being detected…I think that we’re seeing the tip of the iceberg here. Because yes, Target was the first and now we’re starting to see other retailers, Neiman Marcus, Michael’s have also stepped forward.” In the case of Neiman Marcus, a data breach has resulted in exposed credit card information, with 9,200 already having been used fraudulently since the report of the attack. Robert Sadowski, director of technology solutions at RSA Security has noted that card-data networks and general-purpose networks should be separated, but that such standards are far from the norm when it comes to enterprise data standards.
Branding Security & Trust With SpiderOak Blue
For proactive enterprises, searching for a truly protected third party cloud service can be a challenge as many “secure” services on the market have glaring security gaps that leave private data and sensitive company info wide open to third party attacks, internal leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak Blue. This service provides enterprises and large businesses with fully secure cloud storage, zero-knowledge end-point device backup, remote syncing, and sharing. Essentially, it offers all of the convenience of the cloud along with 100% data privacy.
SpiderOak Blue is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that enterprises can seamlessly tailor the service to fit their unique needs. Authentication is resolved via a virtual appliance that is positioned behind your firewall and is integrated with Active Directory/LDAP for a single sign-on. The service is compatible with Mac, Windows, and Linux, as well as iOS and Android to provide comprehensive and mobile security for companies with a remote workforce. So no more worries about data breaches and damaged brands, SpiderOak Blue completely covers your corporate and consumer data both onsite and offsite. And IT Admins will jump onboard as SpiderOak features a convenient and secure central management console giving your organization full control over and ownership of your data.
Posted by Kalyani M. on Feb 25, 2014
Millennials are typically seen as the go-to generation for all things tech-related. So it may come as a big surprise that recent surveys indicate that lax generational views toward data security could jeopardize the safety of your enterprise’s data. This flies in the face of the recent trend of reverse mentoring, in which younger workers share their tech habits to older workers. When it comes to bad habits, such practices could cause entire organizations to adopt unsafe data storage and syncing techniques, leaving sensitive corporate information open to attack or leakage.
The best way to protect such data is through strong internal systems and the adoption of secure storage and sync services. A recent survey put out by Softchoice is changing the way enterprises view their Millennial workers. According to the research, 28.5% of 20-somethings have their passwords kept in plain sight. This is in comparison with 10.8% of Baby Boomers. So it’s clear that the common wisdom that younger generations are inherently more data-secure falls flat on its face. The survey also found that the lack of secure password storage went hand in hand with syncing sensitive files to unprotected devices for the convenience of working from home. As Millennials are more likely than other generations to push for mobile or work-from-home options, companies need to find secure solutions to handle this trend without putting their data at risk.
The Softchoice survey also showed that regardless of generation, workers who utilize the cloud tend to be less stringent about keeping data secure than those that are cloudless. Surprisingly, this goes for IT staff as well. This shows a massive need for services that can leverage the cloud while providing data security both in-house and on mobile devices. Simply relying on strong passwords has shown to be widely ineffective against data breaches, attacks, and leaks. In a Fortinet survey of Generation X (those between 33 to 48) and Millennials (those between 18 and 32), it was found that about 40% of respondents across generations never changed their password unless required to do so by company protocol. This negligence, combined with the ability to breach data through hashing and salting, shows that strong and regularly changed passwords are not enough to truly secure sensitive company data.
Millennials do rely on technology more than other generations and demand greater mobility, as current work trends indicate. Many enterprises have jumped onboard for the sake of convenience and morale, although many times without doing the work of keeping their data safe in the process. As work moves increasingly to networks and mobile devices, it’s important not to lose sight of the true cost of a data breach. As Nick Stamos, CEO of nCrypted Cloud, cautions, “The enterprise needs a network-agnostic, device-agnostic, app-agnostic approach.” Furthermore, he claims that company networks “should be considered untrusted, and open to anyone onsite.” This level of caution keeps companies from relying on generational tech-savvy employees to keep their data safe and brings information security into a new era of proactivity. But concern should translate into fear that keeps enterprises from leveraging good technology. Instead, as Dan Dearing, vice president of marketing at MobileSpaces, points out, there is a need for a strategy that “focuses less on the device and more on applications and data. That will provide the enterprise with the security that it requires while giving workers the freedom and flexibility that they want.” The best way to achieve this is through a secure cloud storage and sync service that protects mobile users as well as in-house data.
A Solution With SpiderOak Blue For most enterprises, finding a truly protected third party cloud service can be a challenge, as many “secure” services on the market have glaring security gaps that leave private data and sensitive company info wide open to third party attacks, internal leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak Blue. This service provides enterprises and large businesses with fully secure cloud storage, zero-knowledge end-point device backup, remote syncing, and sharing. Essentially, it offers all of the convenience of the cloud along with 100% data privacy. SpiderOak Blue is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that enterprises can seamlessly tailor the service to fit their unique needs. Authentication is resolved via a virtual appliance that is positioned behind your firewall and is integrated with Active Directory/LDAP for a single sign-on. The service is compatible with Mac, Windows, and Linux, as well as iOS and Android to provide comprehensive and mobile security for companies with a remote workforce. So no more worries about oversight or lax security attitudes with Millennial workers, SpiderOak Blue covers your data completely both onsite and offsite. And IT Admins will jump onboard as SpiderOak features a convenient and secure central management console giving your organization full control over and ownership of your data. Sign up today to try SpiderOak.
Posted by Kalyani M. on Feb 20, 2014
Recently we have examined both the conveniences and concerns regarding cloud services, and the conversation is most likely far from over. National Security Agency surveillance has definitely raised concerns about privacy of user data in cloud services. Documents leaked by Edward Snowden indicate that the NSA has been collecting huge amounts of user data by cracking encryption technologies, using backdoor methods, and in some cases providing legal notice. As enterprises are using well-known cloud services like Amazon or Google, the PRISM revelations might lead to a negative impact on U.S. cloud storage companies, as the surveillance activities of the spy agency have taken a toll on the reputation of technology companies. People are becoming increasingly concerned about the privacy and security of their data stored in the cloud.
The NSA is basically devising all possible ways to break the security controls on the web to track and collect huge amounts of user data. The news about the NSA cracking encryption of common online security products and placing secret doors at the access points can further undermine the confidence of foreign businesses. The NSA has been successful in cracking the majority of the encryption codes on the Web, by using supercomputers, technical trickery, court orders, and behind-the-scenes persuasion. Apart from deciphering the encryption of online products, the NSA has devised programs to deliberately insert vulnerabilities in commercial products, so that they may collect more information by exploiting those vulnerabilities. The NSA asks these companies to deliberately make changes to their products in undetectable ways like leaking encryption keys, making random number generator less random, adding a common exponent to a public-key exchange protocol, and so on.
According to research done by the information technology and innovation foundation (IITIF), NSA surveillance may end up costing U.S. cloud service companies $22 billion through 2016. The prediction by IITIF assumes that the U.S. might lose about 10% of its cloud computing market to European and Asian competitors. The United States is considered a leader in cloud computing usage and innovation, but PRISM revelations might cause a shift away from leading data storage providers like Google, Yahoo, and IBM. Salesforce.com recently lost one of their major clients due to government surveillance activities. This is just one example showing the negative impact of surveillance on cloud services. In the future, if the government does not take a stand on reforming the surveillance programs, cloud service companies in this country might have to bear huge loss.
Taking all of the security concerns into consideration, many companies have requested the government to allow them to publish a transparent report of mass data collection requests made my the NSA. In order to gain the trust of their customers, it is extremely important for cloud service providers to be transparent regarding the storage and sharing of sensitive user information. The government needs to take action towards reforming the surveillance program, and allow companies to reveal more details about what data has been requested of them by the government. It also needs to establish international transparency to gain the trust of foreign customers.
Similarly, cloud service providers also need to implement strong security controls to ensure better safety of their customers from surveillance programs. It would be wide for them to construct strong encryption standards such as 256 bit-AES for better security. Encryption has time and again proved to be the most secure method for protecting data in the cloud. The keys used for encrypting sensitive customer data should be managed effectively by periodic key rotation and re-encryption of data with new keys. Employees should be not be given more access than what is needed to complete their tasks. Cloud storage companies should require strong passwords, longer keys, or complex hash algorithms to make it difficult for anyone to access user data.
I believe by implementing security measures and being transparent data usage, companies can gain the trust of their customers, and those who have been enjoying the benefits of U.S. cloud services might think twice before moving to alternate services. Under the light of NSA surveillance, cloud startups whose prime goal is to secure their customer data will see a huge growth in their business in the near future.
Protect your personal data from NSA surveillance with SpiderOak: SpiderOak encrypts the files in your computer before uploading them to the server. As a result, you, and only you, have access to your unencrypted data. Even SpiderOak cannot read your data because the keys used for encryption only belong to you. It is impossible for someone to gain control of your data by hacking into SpiderOak. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.
Posted by Kalyani M. on Feb 18, 2014
Cloud services are becoming increasingly popular these days, both among the public and business enterprises. While convenient, Cloud services can be extremely vulnerable to Denial of Service attacks (DoS). As more organizations are relying on cloud computing technology for their business operations, denial of service attacks, one of the most common forms of attack on the cloud, can prove extremely damaging. A DoS attack makes your network or machine unavailable to the intended users by flooding them with connection requests. Within the eighth annual Worldwide Infrastructure Security Report from security provider Arbor Networks, it was revealed how cloud services increase the risk of attacks. The report indicated: “94% of data center operators reported security attacks, 76% had suffered distributed denial of service (DDoS) attacks towards their customers, while just under half (43%) had partial or total infrastructure outages due to DDoS and yet only 14% of respondents had seen attacks targeting any form of cloud service.”
Posted by Kalyani M. on Feb 13, 2014
With healthcare data doubling every year, it can be extremely difficult for medical institutions to manage such a huge amount of information using traditional IT systems. This is one of the reasons why the healthcare industry is gradually moving towards the use of cloud services. A cloud storage system allows organizations to place data on a centralized electronic system that can be accessed anytime from anywhere. Cloud services can help the healthcare industry to access and manage health records effectively in order to provide better patient care. A properly implemented cloud storage system allows hospitals to process tasks effectively and quickly, without causing a drop in performance. Cloud computing has proven extremely beneficial and cost effective for patients and healthcare providers.
Posted by Kalyani M. on Feb 11, 2014
Cloud computing has become the driving force of today’s IT industry. More and more enterprises are moving towards this technology because of its flexibility, cost effectiveness, and easy deployment. According to the technology researchers at Gartner, the cloud services are expected to grow to $210 million by 2016. However, cloud computing is vulnerable to several security breaches and cyber attacks. The fact that the cloud hosts a tremendous amount of data makes them an attractive target for the cyber criminals. It is also extremely difficult to track or investigate cyber attacks on cloud services because of an ever changing set of users and data centers.
Posted by Kalyani M. on Feb 7, 2014
Security researchers have devised a unique method to trick the hackers trying to crack encrypted information. As you may know, encryption is one of the most effective methods of protecting data. However, it is seen that in many cases intruders are successful in getting into the system by trying different encryption-cracking methods. There are several sophisticated pieces of software that are capable of deciphering secure data. Keeping these security concerns in the forefront, two security researchers, Ari Juels and Thomas Ristenpart, from the University of Wisconsin Madison, have come up with a new encryption system called “Honey Encryption”.
Posted by Kalyani M. on Feb 4, 2014
The Point-of-Sale (PoS) malware attacks seem to be on the rise since last year. Many retailers like Target and Neiman Marcus became victims of such attacks. Recently, the RSA brought into light another PoS malware called “ChewBacca”. In the past three months, this Trojan has stolen credit and debit card information from dozens of retailers. While the majority of the retailers are based in the U.S., the attack has also been noticed in few other countries like Russia, Canada, and Australia. Due to lack of security controls on the PoS machines, they have become the easy target of financially motivated attacker, who is able to access millions of customer’s data. Let’s take a look at how the ChewBacca malware works. Continue reading…