Business & the Cloud Archives - The Privacy Post

2

“Heartbleed” Security Flaw Affects Millions of Users and Sends Internet into Panic Mode

Posted by on Apr 15, 2014

heartbleed

Security bug “Heartbleed” allows hackers to access sensitive user information. Image from Wikimedia Commons

A major security bug, “Heartbleed”, has been making major headlines recently. The security vulnerability has infiltrated many well-known websites, and affected millions of users. It was discovered in some versions of OpenSSL, utilized by thousands of websites. OpenSSL is an encryption technology that uses TLS/ to secure communication over the Internet, and protect sensitive user information like usernames, passwords, credit card numbers, and financial data. Therefore, the exploitation of this critical bug allows cyber criminals to gain access to personal details of millions of Internet users. More information makes an attacker stronger, and opens the door to many more intrusions.

The bug was identified by a group of security engineers at Codenomicon while they were working on improving the security features of the company’s security testing tools. Heartbleed could be considered as one of the biggest security threats in Web security, because it exposes the contents of a server’s memory, where most sensitive user data is stored. This vulnerability allows anyone on the Internet to read the memory of systems protected by vulnerable versions of OpenSSL. It can compromise the private keys used for encrypting communication and identifying trusted sources on the Internet. The most worrisome aspect of this news is that this vulnerability existed for two years and was not detected until recently.

OpenSSL handles a service of TLS called Heartbeat, an extension to TLS added in 2012. German programmer, Robin Seggelmann, introduced the new feature “Heartbeat” to OpenSSL. His intention was to improve some features of the encryption technology, and enable the“Heartbeat” feature for better security in OpenSSL, the software package used in nearly half of all web servers. Open SSL is used to protect Apache and nginx Web servers, email servers (SMTP, POP, and IMAP), chat servers, VPNs, and other client-side software. According to the research of security experts, a mere coding “oversight” led to a coding error that created the  “Heartbleed” vulnerability. In an interview with The Guardian, Seggelmann said, “I am responsible for the error because I wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version.” Segglemann submitted the code on the New Years Eve 2011, which means OpenSSL used in Websites and other client-side software has contained this vulnerability since that time.

It has also been discovered that Juniper and Cisco routing gears also have this vulnerability that might allow the hackers to capture passwords or personal user data while passing over the Internet. The way HeartBleed works is very simple. The Heartbeat extension is used by two computers to make sure if the other is alive or not. The client sends its heartbeat to the server to check its status, and the server sends it back to the client to give an indication that it is listening. The packet simply contains random chunks of data and a note saying how much data it sent. The server receiving the data returns exactly the same amount to the client. If by chance either one of them is down and does not respond, the other will know by the heartbeat sync mechanism.

With Heartbleed, the attacker exploits this mechanism by lying about the amount of data it has sent to the server. For example, even if only one byte of data was sent, it will tell the server that it sent 64KB of data. In doing this, the server makes a note that it has to send 64KB of information to the client in order to establish communication. If the server does not have 64KB of data, then it fills the packet with any other information it has in its memory at that time. This means that anything in the memory, like encryption keys, user keys, passwords, usernames, emails, and business documents, can be compromised by an attacker. Sending more Heartbleed requests allows the attacker to fetch even more memory. The good news is that there is no evidence so far that the bug has been exploited by anyone. Also, the issue has been fixed in OpenSSL v1.0.1g. However, users will still need to take protective measures to ensure protection against Heartbleed vulnerability. In my next post, I will be discussing about different security measures that users can take to protect themselves against Heartbleed.

Protection against cyber attacks with SpiderOak: HeartBleed is a major security vulnerability, having the potential to be exploited by hackers to access a massive amount of user data. However, strong security practices always make it difficult for intruders to easily access sensitive information. SpiderOak implements strong security controls to ensure protection of sensitive user data from cyber attacks.  SpiderOak’s encryption is comprehensive — even with physical access to the storage servers, SpiderOak staff do not know the names of your files and folders. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. Sign up for this product today.

Business & the Cloud Archives - The Privacy Post

1

The Impact of Internet of Things on Enterprise Security

Posted by on Apr 10, 2014

internet of things

The Internet of Things
Image from www.thomasvanmanen.nl/

The  “Internet Of Things” (IoT)  was once an emerging term in the technology market, but it’s safe to say we’ve reached a point in which many, households and businesses are significantly affected by this concept. IoT gives you the power to control anything in your home or office from anywhere. Whether adjusting the light or temperature of your living room or managing daily chores, these things are now easily manageable with minimal human interaction. The concept of integrating millions of devices into a virtual world, and communicating with them at anytime from anywhere, makes IoT an attractive technology for enterprises as well. There are huge expectations for the IoT in terms of solving business challenges, increasing productivity, and improving customer experience.

In the past few months, we have seen many examples of companies embracing this new technology to improve their businesses. Google acquired the maker of the Nest Learning Thermostat for 3.2 billion dollars. IBM and AT&T joined hands to develop IoT solutions for municipalities and medium-sized utilities. They will focus on integrating and analyzing data collected from transport vehicles, cameras, and other connected devices. Many tech companies have also taken new initiatives toward the development of IoT by creating a foundation called AllSeen Alliance to encourage adoption of new standards to be used in devices and services for IoT. Cisco predicts that by 2020, over 50 billion devices will be connected to the Internet. This does not include just computers, Smartphones, and tablets, but cars, watches, vending machines, and many more devices. Cisco has already started working on developing new technologies and services to adapt to this new trend, creating an entirely new department dedicated to IoT.

The day is not far when all the appliances within our households will be communicating with each other via the Internet. In the near future, Internet of Things will generate revenue of about $19 trillion dollars, and will have a huge impact on businesses and society. Internet of Things brings people, processes, and data together, and as a result, will help businesses to accomplish their goals easily. For example, in the healthcare sector, IoT will allow doctors and caregivers to access patient records anytime from anywhere, and provide better care. Similarly, in the transportation sector by connecting vehicles and subsystems to the Internet, the management of traffic becomes easier. The biggest impact that the Internet of Things will have on enterprises is the need to develop applications to control and monitor these connected devices. Secondly, these connected devices will generate a huge amount of data. Enterprises need to come up will new technologies and applications to analyze the data being produced.

Given all the benefits of IoT, it is certainly easy to imagine the amount of damage that will be caused if any connected devices are attacked or corrupted. As we very well know, adoption of any new technology opens the doors to new security risks. Similarly, enterprises have to seriously consider certain privacy and security issues as they move towards Internet Of Things. Here are some of the security risks that come with IoT:

  • Data tracking: As consumers move towards adopting sensor-based gadgets or wearable devices, the risk of being tracked by companies also increases. They can monitor each and every move and send targeted advertisements. Similarly, if a hacker takes control of any connected devices, they can gain access to a ton of personal information. The more information attackers have in their hands, the more powerful they become. 
  • The collection and sharing of personal data with third parties: Another risk with IoT is access of consumer data by third party vendors. Even if you agree to share your data explicitly with a company, there is a possibility that your data might get merged with the IoT data that the same company secure from a third party. As a result, your data will be accessed by third parties, and used for advertising purposes.
  • Lack of security controls: A vast majority of these connected devices will have less protection and will be prone to cyber attacks. Some of the technologies that IT systems are accustomed with, like operating systems, firmware, and patches will not be available on these devices. IoT devices typically lack anti-malware and anti-virus protection, and don’t have IT teams to monitor and track security issues. As a result, new attacks might evolve to compromise the individual device or gain access to the enterprise network.
  • Security risks to the enterprise network: No matter what network segmentation strategy an enterprise might establish, there will be some security gaps within the system that will allow IoT to intersect with enterprise network. These points of intersection will be highly vulnerable to attack.

Enterprises need to take care of these security concerns early on, before moving to Internet of Things. As we have discussed earlier, IoT has a lot of positive potential for businesses and there is no reason to hold back from moving in this direction. However, the challenge is for consumer electronics corporations to provide smart, connected, and secure appliances that simplify the user’s life, while not compromising on the security of such devices.

Protect your personal data with SpiderOak

SpiderOak Blue provides enterprises and large businesses with fully secure cloud storage, zero-knowledge, end-point device backup, remote syncing, and sharing. Essentially, it offers all of the convenience of the cloud, along with 100% data privacy. SpiderOak Blue is available with onsite deployment and private servers, or outsourced deployment through a private and secured public cloud server, so that enterprises can seamlessly tailor the service to fit their unique needs. Authentication is resolved via a virtual appliance that is positioned behind your firewall and is integrated with Active Directory/LDAP for a single sign-on. The service is compatible with Mac, Windows, and Linux, as well as iOS and Android, to provide comprehensive and mobile security for companies with a remote workforce. Sign up today to try SpiderOak.

Business & the Cloud Archives - The Privacy Post

1

Protection Against Phishing Attacks in the Cloud

Posted by on Apr 8, 2014

Implement strong security practices to protect your critical resources from phishing attacks.
Image from Flickr user Richzendy

With the growth in Internet, there has been an increase in security attacks. It is almost safe to say that these days nothing is secure in the electronic medium. “Phishing attacks” are one of the major security issues that lead to massive data breaches. In a phishing attack the attacker attempts to gather sensitive user information such as usernames, passwords, or credit card details by pretending as a legitimate entity in the electronic communication. Phishing attacks are typically carried out by spoofing a legitimate website or an email, and it directs the user to provide details to the fake website or email. Attackers usually spoof popular banking sites, online payment processors, or social networking sites. According to security experts, generally twenty to thirty thousand phishing attacks occur everyday. The widespread adoption of cloud computing by enterprises has made it one of the attractive targets for phishing attacks. Phishing attacks are conducted on enterprises in order to allow hackers to gain access to confidential corporate data, like trade secrets or financial information. Phishing messages usually appear to come from trusted source like employees within the organization or from a legitimate website. In most cases, due to ignorance or lack of security awareness training, employees end up providing confidential information to phishing sites. Last year, Dropbox became a victim of major phishing attack. The attack phished for Dropbox user passwords by sending fake emails as a way to infect their computer with malware. Security firm Appriver discovered this attack, which steals victim’s financial information by using a Trojan from Zeus family. According to Appriver, hackers are able to steal user information by sending a legitimate email requesting for password reset. When the user clicks on the password reset link, they are prompted to download an update for their browser, and ultimately end up downloading the Trojan. “The Zeus Trojan remains the popular botnet family on the net, according to a report by security firm McAfee, accounting for more than 57% of bot attacks”It is extremely important to be careful before clicking on any password reset link. You need to thoroughly check  to see if the email is from a trusted or legitimate source. The cloud platform is vulnerable to many cyber attacks, such as password theft, redirecting users to fake websites, or infecting websites with malware. Similarly, another cloud-based phishing attack took place at defense company Raytheon. An email was sent to the employees of the company asking them to access an application via a certain link, which was through a cloud service. The attack targeted approximately 20 people, with two of the employees ultimately clicking on the phishing link. Fortunately, Raytheon detected the attack through sophisticated threat detection tools and no data was compromised. Networking monitoring is a very effective method of detecting malicious activities on your network. The use of firewalls, intrusion detection, and prevention tools can filter out unauthorized network traffic, and send alerts upon encountering any malicious activities. In a cloud environment, many security loopholes goes unnoticed that are later on exploited by attackers to access sensitive information. These are some of the steps enterprises can take to protect their cloud environment from phishing attacks:

  • First and foremost, identify critical resources of your organization. This might include your employee login details, financial records, customer credit card numbers, etc. Once you have identified the critical resources of your organization, the next step is to develop strong security policies to protect them from cyber attacks.
  • Strong security policies should be in place in terms of accessing sensitive user data. Information should be given to employees on a need-to-know basis. Only key members of the staff should be given access to sensitive user data.
  • Employees should use strong, complex, and hard-to-guess passwords. They should be at least 8 characters long and should be a combination of letters numbers or special characters. Additionally, passwords should be changed on a monthly basis.
  • Use of encryption is another effective way of preventing phishing attacks. By encrypting your private company emails and corporate records you can ensure better protection against cyber attacks. Implementing encryption also improves your reputation among users. A secure symbol on your website tends to make users more comfortable to share their personal data with your website.
  • Lastly, train your employees to treat social emails and messages with suspicion, even if they appear to be coming from a trusted source. Create awareness about phishing attacks, and train your employees on how to handle such attacks.

Protect yourself from phishing attacks with SpiderOak: Encryption is an effective method of protection against cloud based phishing attacks. SpiderOak implements strong encryption standards for protecting customer data in the cloud. SpiderOak encrypts the files in your computer before uploading them to the server. As a result, you, and only you, have access to your unencrypted data. Even SpiderOak cannot read your data because the keys used for encryption only belong to you. It is impossible for someone to gain control of your data by hacking into SpiderOak. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. Sign up for this product today.

Business & the Cloud Archives - The Privacy Post

2

Newly Discovered Vulnerability in Microsoft Word May Allow for Remote Cyber Attacks

Posted by on Apr 3, 2014

The zero day vulnerability of Microsoft word targets RTF files.
Image from Trirat P’s photobucket

Microsoft Word is a widely used application. For many of us, a day does not go by without typing in something in the word document. Whether we are working on a school project or developing a report for office presentation, we tend to use this popular word processing program. Just imagine if the security of such a widely used application came under question. Recently, a vulnerability was found in all versions of Microsoft Word which allows attackers to take control of user’s computer remotely. The attack is triggered my maliciously crafted Rich Text Format (RTF) document in Microsoft Word or by opening a document in Outlook. The attacker can take advantage of this flaw to execute random codes on the targeted machine. Although Microsoft Word has some security features, like password protection, that  prevents unauthorized users from opening, modifying, and editing a word document, it is not enough to protect users against this new form of attack.

Microsoft disclosed this vulnerability during its monthly Patch Tuesday. The opening of the booby-trapped document allows the attacker to gain the same privileges as a logged-in user and compromise the targeted computer. According to Microsoft, versions of Microsoft Word 2003, 2007, 2010, 2013, and Office for Mac 2011 are vulnerable to this form of attack. Besides that, Microsoft Office Web Apps, Automation Services on SharePoint Server 2010 and 2013, and Outlook 2007, 2010, and 2013 (when using Word as the email viewer) are also affected. A team of security experts from Google- Drew Hintz, Shane Huntley, and Matty Pellegrino- first discovered the RTF memory corruption bug, and named it as CVE-2014-1761.

Microsoft has explained in details about this vulnerability on their security advisory blog . It seems there is a possibility of exploiting the RTF vulnerability by opening Outlook mails in a preview pane. By reducing usage of the preview pane feature, we can reduce the chances of attack to a greater extent.

After going through the Microsoft Security Advisory blog, it looks like the attack is very limited and targeted in nature. As mentioned earlier, through an exploitation of this vulnerability the attacker can get the same privileges as a logged in user, so users with minimal rights on the system are likely to be less affected by this attack. Similarly, in a web-based scenario, an attacker can send an email with a maliciously configured RTF document or host a web page with malicious data. However, it cannot force the user to click on an infected link or open a document. These are some of the things you need to be careful about before opening an attachment or clicking on a link.

Here are some of the steps that you can take to prevent your systems from this attack:

  • Do not open any file with .rtf extension. It’s already helpful that .rtf is not the default extension for Microsoft Word. It is usually .doc or. docx. So, if you are a little more careful and examine the extensions, then you can help protect yourself from this attack.
  • Microsoft is recommending that its users disable the opening of all RTF files. They have developed an automated tool, called Fix It, to help users block the RTF files. Fix It uses the Office’s file block feature and adds some registry keys to disable the RTF files. Some enterprises do not have the option of blocking RTF files, in which case they can choose “Open selected file types in Protected View” instead of “Do not open selected file types” within Trust Center settings. Enterprise admins also have the option of creating their own customized protection in the Trust Center instead of using Fix It.
  • To protect yourself from being infected via email, you might want to consider reading emails in plain text format.  Outlook 2003, Outlook 2007, Outlook 2010, and Outlook 2013 all provide such an option. It makes reading certain messages, such as marketing emails or newsletters, difficult, but reduces the risk of attack.
  • You might also consider using Microsoft’s Enhanced Mitigation Experience Tool Kit (EMET) to help prevent exploitation of Microsoft Office. It reduces the risk of unpatched vulnerabilities from being triggered.
  • Lastly, use your best judgment: do not open any malicious emails or click on any suspicious links. If you get an email from someone you do not know (and even if it is from someone you know), exercise caution in opening the message. Unless you are positively certain about the source, do not click on any attachments. One click can infect your system, but it can be avoided if you practice caution. Delete any emails that appear suspicious, in order to completely eliminate any possibility of the infection, making its way into your system.

Ensure protection of your data with SpiderOak: SpiderOak ensures protection of its users from viruses or malicious attacks by implementing strong security practices. SpiderOak Blue provides enterprises and large businesses with fully secure cloud storage, zero-knowledge, end-point device backup, remote syncing, and sharing. Essentially, it offers all of the convenience of the cloud, along with 100% data privacy. SpiderOak Blue is available withonsite deployment and private servers, or outsourced deployment through a private and secured public cloud server, so that enterprises can seamlessly tailor the service to fit their unique needs. Authentication is resolved via a virtual appliance that is positioned behind your firewall and is integrated with Active Directory/LDAP for a single sign-on. The service is compatible with Mac, Windows, and Linux, as well as iOS and Android, to provide comprehensive and mobile security for companies with a remote workforce. Sign up today to try SpiderOak.

 

 

 

Business & the Cloud Archives - The Privacy Post

1

Access Control Issues in a Cloud Computing Environment

Posted by on Apr 1, 2014

It is imperative that enterprises have secure access to data in the cloud.
Image from res.sys-con.com

Cloud computing allows enterprises to scale resources up and down as their needs require. The “pay-as-you-go” model of computing has made it very popular among businesses. However, one of the biggest hurdles in the widespread adoption of cloud computing is security. The multi-tenant nature of the cloud is vulnerable to data leaks, threats, and malicious attacks. Therefore, it is important for enterprises to have strong access control policies in place to maintain the privacy and confidentiality of data in the cloud. The cloud computing platform is highly dynamic and diverse. Current access control techniques, like firewalls and VLAN, are not exactly well-suited to meet the challenges of cloud computing environment. They were originally designed to support IT systems in an enterprise environment. In today’s cloud computing platform, thousands of physical and virtual machines are added and removed every day, and the current access control mechanisms are not enough to handle this dynamic environment.

Weak access control mechanisms in the cloud lead to major data breaches. A few years back a massive data breach took place on the servers of Utah Department Technology Services (DTS). A hacker group from Eastern Europe succeeded in accessing the servers of DTS, compromising 181,604 Medicaid recipients and the Social Security numbers of 25,096 individual clients. The reason behind this massive breach is believed to be a configuration issue at the authentication level when DTS moved its claims to a new server. The hacker took advantage of this busy situation and managed to infiltrate the system, which contained sensitive user information like client names, addresses, birth dates, SSNs, physicians’ names, national provider identifiers, addresses, tax identification numbers, and procedure codes designed for billing purposes. The Utah Department of Technology Services had proper access controls, policies, and procedures in place to secure sensitive data. However, in this particular case, a configuration error occurred while entering the password into the system. The hacker got access to the password of the system administrator, and as a result accessed the personal information of thousands of users. The biggest lesson from this incident is that even if the data is encrypted, a flaw in authentication system could render a system vulnerable. Enterprises should be sure to limit access to control policies, enforcing privileges and permissions for secure management of sensitive user data in the cloud.

Last year, two data breaches took place at Oregon Health and Science University due to inappropriate handling and storage of unencrypted patient medical records in the cloud. In these two incidents, personal information for about 3000 patients were posted in unencrypted spreadsheets using Google’s cloud-based email and storage service. This incident highlights the importance of security practices that must to be followed by cloud vendors. An insider attack or access to personal records by an employee is the biggest threat in cloud computing. This is where the need of proper access control policies comes into picture. In this particular case, the data stored in Google cloud was not encrypted therefore unauthorized users accessed it. However, as we learned in Utah Medicaid data breach, encryption alone does not ensure that your data is secure in the cloud. Information stored in the cloud should be protected with strong passwords. Strong passwords are at least eight characters long and contain a combination of letters, numbers, and special characters. Additionally, employees should be receive training on how to properly manage and handle sensitive personal data. With the use of cloud services within the healthcare industry becoming more popular and widespread, it will become more important than ever for companies to establish the strongest security measures possible.

When information is stored in the cloud, sometimes providers have access to the data, and can control access to it by outside entities. When this is the case, the challenge is to maintain the confidentiality of data and limiting privileged user access to it. This can be achieved by encrypting the data before storing it in the cloud, and enforcing legal agreements and contractual obligations with the cloud service provider to ensure protection of data. Also, the cloud service provider should have security access control policies and technical solutions to prevent malicious insider activities.

Anyone considering moving their resources to the cloud should determine who is managing their data and what security controls they have in place for protection of their data. Cloud services need to adopt a user-centric approach for effective access control, in which every user request is bundled up with the user identity. This approach provides users access and control over their data. Lastly, there should be strong authentication and identity management for both cloud service providers and the clients.

Secure access control to your data in the Cloud with SpiderOak

SpiderOak is one of the few cloud storage companies that enforces a user-centric approach for better security of user data. SpiderOak encrypts the files in your computer before uploading them to the server. As a result, you, and only you, have access to your unencrypted data. Even SpiderOak cannot read your data, because the keys used for encryption only belong to you. It is impossible for someone to gain control of your data by hacking into SpiderOak. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. Sign up for this product today.

 

 

 

 

Business & the Cloud Archives - The Privacy Post

2

The Ploutus Predicament: New ATM Malware Allows Hackers to Remotely Access Cash

Posted by on Mar 27, 2014

Ploutus malware

Ploutus malware allows attacker to take control of  ATM machines remotely.
Image source: symantec.com

The recent major data breach at Target has been an eye-opener that showed how malware infected Point-Of-Sale (PoS) devices can be exploited to gather huge amounts of credit and debit card data. Malware attacks are on the rise these days. The reason why most of these attacks are successful is because most of the malware being used is new and unknown, and no defense mechanisms are in place to counter it. Another new form of malware, called Ploutus, is targeting ATM machines and allowing cyber criminals access cash. In order to install this malware, the hacker needs to be able to physically access the ATM machine. Therefore, in the majority of cases it is seen that standalone ATM machines, especially the ones in convenience stores, become victims of data breaches. The ATM machines in banks are usually more secure than standalone ATM machines, and have a heavy physical shield protecting them from unauthorized access.

Security vendor Symantec initially identified this new form of malware. They carried out research on a standalone ATM machine to determine exactly how the Ploutus malware works. The standalone machines allow hacker can access all parts of the machine with only minimal effort. The latest version of the malware allows the hacker to control the malware remotely via text messages. They must first set up a mobile phone within the ATM machine to connect and infect it with malware. To effectively connect with the ATM, the hackers use a method called USB tethering. Since the phone is connected to the ATM through a USB port, it continually draws power from the connection to keep the phone battery recharged. Once the phone is connected to the ATM, the hacker will send an SMS message to the phone attached to the ATM. The phone will detect the message, convert it into a network packet, and forward it to the ATM via USB cable.

According to Symantec, “the network packet monitor (NPM) is a module of the malware which acts as a packet sniffer, watching all network traffic going on in the ATM. As soon as the compromised ATM receives a valid TCP or UDP packet from the phone, the NPM will parse the packet, and search for the number “5449610000583686” at a specific offset within the packet in order to process the whole package of data. Once that specific number is detected, the NPM will read the next 16 digits and use them to construct a command line to run Ploutus”. The Ploutus malware has proven to be extremely effective for the cyber criminals to carry out fraudulent activities. It allows  them to control the machine remotely and withdraw as much cash as they want.

Ploutus ATM malware exploits standalone machines, using USB tethering and text messages to retrieve information.
IMage source: symantec.com

The security researchers at Symantec believe the reason behind these kinds of attacks is the vulnerability in Windows XP operating system, which the majority of ATMs run on. This vulnerability is exploited by cyber criminals to install malware on ATM machines. Microsoft has already announced the risk of “zero day forever”. Once Windows XP retires, Microsoft will not be releasing any patches for upcoming security vulnerabilities, and as a result, these systems will only become more vulnerable to cyber attacks. Besides Ploutus, the Symantec security team has also found out several different forms of malware that target ATM machines for several other reasons. There are different kinds of sophisticated malware designed to carry out different types of attacks, like stealing PIN numbers or Man-in-the-Middle attacks.

These days, many ATM machines have better security features, like encrypting data on a hard disk, ensuring protection against malware installation. However, with older versions of ATM machines running on Windows XP, it is challenging to ensure protection against malware attacks. Still, a few things can be done to enhance the security on older version, such as upgrading to Windows 8, implementing full disk encryption for protection against tampering, and enhancing physical security by constantly monitoring the ATM machines using CCTV. By taking all these security measures into account, we can protect ATM machines from massive data breaches.

Shielding Private Data with SpiderOak

A great way to shield sensitive consumer and corporate data from any snooping eyes is through storing and syncing with a private cloud service provider. For enterprises looking for a truly private cloud service, SpiderOak Blue offers fully private “public” and onsite server deployment options for full flexibility. Choosing the right third party cloud service can be a challenge, as many services on the market have security gaps which leave private data vulnerable to third party attacks, malware, and legal snooping. But SpiderOak sets itself apart from the rest of the market by providing a fully private cloud service featuring all of the benefits of cloud storage along with 100% data anonymity.

SpiderOak protects sensitive enterprise data through 256-bit AES encryption so that sensitive files and passwords stay private. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices, as SpiderOak never hosts plaintext data. SpiderOak Blue’s private cloud services are available for enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, making this one of the only cross-platform solutions on the market. You can sign up for this product now

 

 

 

Business & the Cloud Archives - The Privacy Post

1

Cloud Security: Efficient and Reliable Encryption Key Management Crucial for Data Protection

Posted by on Mar 25, 2014

security in the cloud

It is important to manage encryption keys securely in the cloud.
Image from Flickr User FutUndBeidl

In our modern day and age, many enterprises are embracing cloud computing. However, one of the major concerns regarding cloud computing has always been security. Encryption in cloud computing is still in a state of flux and infancy. Some vendors provide encryption, while others don’t. There are different kinds of encryption schemes for securing data in the cloud, sometimes integrated within a system. Whenever a company decides it move its applications to the cloud, it considers several pros and cons before doing so. These are some of the questions that come to our minds before storing our data in the cloud- How the data is protected? Can we encrypt the data? How the encryption keys are managed? Who will have access to those keys?

The goal of encryption is to ensure that data stored in the cloud is protected against unauthorized access. Access to sensitive user data by third parties is a violation of privacy, and should never occur. In the light of PRISM revelations and major data breaches, like the recent Target breach, it is extremely important for enterprises to bolster cloud security. The surveillance programs by the U.S government have raised security concerns among many people. One of the things that worries end users the most is possible access to their personal data by parties without their knowledge or permission. Even globally, companies outside of U.S. have expressed security and privacy concerns regarding U.S.-based cloud companies. In order to restore the trust of their customers, companies need to take strides to strengthen their cloud security practices.

Encryption is not a foolproof method, and while encryption is the most effective way of data protection, it does come with certain drawbacks. Even if a cloud service provider provides encryption, there is a possibility that the keys can be accessed by them. In order for encryption to work effectively, it is extremely important to manage the encryption keys securely. In other words, when encrypted data is stored in the cloud, the keys used for encryption should be kept separate and should only be accessed by the end user. Key management involves the creation, use, distribution, and destruction of encryption keys. Key management is the toughest part to manage in cryptosystems. Let us take a look at some of the issues with encryption key management in the cloud.

  • In the cloud platform, there is always a possibility of insider attack. Keys can be accessed or stolen by employees without the knowledge of end users.
  • Encryption keys are vulnerable to data breaches. If you are using the same key pairs on all your machines, then a hacker compromising just one of those machines can pretty much gain access to all your cloud resources.
  • The keys for all accounts need to be managed properly. The challenge is to index proper accounts with their respective keys, quickly and effectively.
  • Another issue with key management is availability. If a system goes offline, then how the keys will be accessed? There needs to be key cache in order to retrieve keys, even in the event that a system goes offline.
  • The use of a weak passphrase to protect your account increases the risks of security attacks. If the attacker gets access to the username, then they can carry out a brute force attack in an attempt to guess all possible passwords and access your account.

In order to manage the encryption keys securely, enterprises need to employ encryption in their cloud environment, while maintaining secure off-site storage of their encryption keys. The best way to protect your data in the cloud is to give end users access to the encryption keys to secure their data. This way only the end user, and nobody else, has the access to his personal data. Never store the keys used for encryption in the same place as encrypted data. The keys used for encrypting sensitive customer data should be managed effectively by periodic key rotation, and re-encryption of data with new keys. Employees should be not be given more access than what is needed to complete their tasks. Cloud storage companies should require strong passwords, longer keys, or complex hash algorithms to make it difficult for anyone to access user data.

Secure Key Management with SpiderOak: Most online storage systems only encrypt your data during transmission, and do not encrypt the data while it is resting on their servers. SpiderOak’s encryption is comprehensive — even with physical access to the storage servers, SpiderOak staff do not know the names of your files and folders. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. When you first run the SpiderOak software on a computer, a series of strong encryption keys are generated. The keys themselves are encrypted with your password and stored (along with your backup data) on SpiderOak servers in their encrypted form. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.

Business & the Cloud Archives - The Privacy Post

0

Managing Disaster Recovery in the Cloud

Posted by on Mar 18, 2014

Cloud based disaster recovery is the most efficient and cost effective approach for data back up.
Image from www.clearpathsg.com.

Cloud computing is attracting many enterprises because of its easy deployment, cost effectiveness, and flexibility. One of the major advantages of cloud computing is its disaster recovery approach. With this system, enterprises have a cost effective disaster recovery plan in place, and do not have to worry about deployment and maintenance of IT infrastructure or resources for disaster recovery. Cloud computing gives a completely different approach to disaster recoveryIn this approach, the operating system, data and applications are integrated into a single software bundle or virtual server. This virtual server can be easily copied and backed up on an off-site data center within minutes. In comparison to the conventional disaster recovery approaches, this is extremely beneficial because it is hardware independent and therefore it is easy to transfer information from one data center to another without the burden of installing every component of the server. Cloud-based disaster recovery approach is extremely cost effective and dramatically reduces recovery time compared to traditional approaches.

Beyond easy deployment and cost effectiveness, there are a few other benefits of a cloud-based disaster recovery approach:

  • The cloud platform manages the disaster recovery servers and storage devices effectively and reduces the impact of failure at the disaster site.
  • With the cloud it is possible to add resources on an as-needed basis with fine granularity, and optimum costs.
  • The cloud-based approach completely eliminates the hardware dependencies, and reduces the hardware requirements at the back up site.
  • It can be easily automated, lowering recovery times after a disaster.

Given the benefits of cloud disaster recovery, it definitely looks like an attractive alternative for enterprises searching for reliable data storage and back up. Before implementing cloud disaster recovery, you do need to take several things into consideration. Like any traditional disaster recovery, there is no blueprint for cloud disaster recovery. Different organizations have different needs and priorities depending on the business they are in.

  • First and foremost, identify and prioritize the critical resources of your organization. Determine how much downtime is acceptable before there is a significant impact on the business. Prioritizing critical resources and determining recovery method is the most important aspect during this process. Ensure that all your critical apps and systems are included in the blueprint.
  • Once you have determined the critical resources, the next step is to identify a cloud provider who is equipped to fulfill your needs. There are different cloud providers that offer different facilities. If you want to build a cloud-based disaster recovery site, then you need to find a provider with specific capabilities. Similarly, if you want to replicate data to the cloud, then you should sign up for a storage plan only and avoid paying expenses for other services.
  • After all the above-mentioned tasks are taken care of, you need to determine the cost of your cloud-based disaster recovery plan. The pricing model is comprised of various factors, like monthly subscription, the amount of bandwidth used, storage space used, and the number of VMs.

Additionally, one of the most important aspects that an enterprise needs to take into consideration is security. The cloud is vulnerable to many security attacks and breaches. Therefore, while moving to a cloud-based disaster recovery plan, enterprises should focus heavily on the security practices of cloud service provider.

According to John Morency, research vice president at research firm Gartner, Inc. in Stamford, Connecticut, “You still see with some major events, such as the lightning strike in Dublin [in 2011] that took out the cloud services, of Amazon and Microsoft, that there can be some temporary loss of service. The cloud shouldn’t be considered 100% foolproof. If organizations do need that 100% availability guaranteed they need to put some serious thought into what they need to develop for contingencies.” There are several  aspects of security that the enterprises should take into account before moving to cloud disaster recovery: Determine how security data is transferred, stored and managed in the cloud. What  access control mechanisms are in place? What security controls are used to protect data from unauthorized access? Apart from passwords, what extra layer of security is used to protect your data? Lastly, make sure that the cloud service provider complies with all the security rules and regulations required to maintain the privacy of data. With strong security practices and controls in place, the cloud disaster recovery approach is one of the most efficient and cost effective approaches for modern enterprises.

SpiderOak and Disaster Recovery

SpiderOak provides makes it easy to backup existing data and provides disaster recovery. It allows users to create and sync their local documents with a cloud version, which they can later access from any device. These systems even save revisions of documents so users can go back if they make a mistake and retrieve a previous version. SpiderOak Blue provides enterprises and large businesses with fully secure cloud storage, zero-knowledge, end-point device backup, remote syncing, and sharing. Essentially, it offers all of the convenience of the cloud, along with 100% data privacy. SpiderOak Blue is available with onsite deployment and private servers, or outsourced deployment through a private and secured public cloud server, so that enterprises can seamlessly tailor the service to fit their unique needs. Authentication is resolved via a virtual appliance that is positioned behind your firewall and is integrated with Active Directory/LDAP for a single sign-on. The service is compatible with Mac, Windows, and Linux, as well as iOS and Android, to provide comprehensive and mobile security for companies with a remote workforce. Sign up today to try SpiderOak.

 

 

 

 

 

 

Business & the Cloud Archives - The Privacy Post

3

A United Front: Credit Unions & Congress Fight Back Against Data Theft

Posted by on Mar 13, 2014

Capitol building

Congress is working on legislation for stronger data security standards.
Image Courtesy of Glyn Lowe Photoworks

When it comes to enacting new protections and punishments for massive data breaches, like the sort recently suffered by Target stores, Congress and credit unions are joining forces to fight back. Data theft threatens virtually every industry, from online gambling and alternate currencies like Bitcoin, to established healthcare providers and insurance companies. So when it comes to protecting customer data, everyone has a hand to play and a vested interest in the outcome. Major credit unions and their representatives are pushing for stronger penalties for data breaches so that they won’t have to keep recouping the costs of identity theft that is most often the direct result of such breaches. And congressional leaders are forging ahead to enact tougher laws and disclosure requirements to take advantage of the public’s wave of frustration over lost credit card information. While pushing for strong legislation is definitely a great step towards stronger universal data security standards and consumer protections, enterprises shouldn’t wait around for Congress to decide on a final plan. Instead, proactive businesses should stay ahead of the curve while gaining fierce brand loyalty by keeping consumer data private and anonymous through secure cloud storage and sync solutions.

As if the well-publicized case of Target wasn’t enough to turn the tide of industry standards towards strong data security, a recent breach of records at the University of Northern Iowa has added fuel to the flame. Hackers were able to breach the school’s system to retrieve federal tax return refunds from faculty and staff. To date, around 200 UNI workers have suffered tax-filing complications due to the breach, which indicates fraudulent use of their data. According to UNI secretary Darnell Cole-Taylor, “With my information out there, who’s to say that somebody, two years from now, a year from now, won’t use that to do something illegal?” Such are the inherent complications of identity theft; the victim suffers for years, having to keep a vigilant eye on all financial activity in the case of a breach, as records are often sold around the world numerous times.

Many times, such breaches are due to lack of strong security standards on the part of the victims. In an interview, Bryan Sartin, Director of the Verizon Research, Investigations, Solutions, and Knowledge Team said, “With respect to brick-and-mortar retailers, 86% of the points of intrusion are through desktop sharing technologies. If simple two-factor authentication was used across the board on those technologies, 86% of those breaches wouldn’t happen. It’s security common sense.” Unfortunately, many enterprises have yet to enact even basic common sense security principles. In just the Target breach alone, credit unions have had to cover upwards of $30 million dollars in theft. This imbalance in responsibility has led B. Dan Berger, President and CEO of the National Association of Federal Credit Unions, to write to Congress requesting a more comprehensive national security standard. One of the most notable points requested in a federal consumer protection law would be to place the responsibility for paying for breaches entirely in the hands of negligent merchants.

Another step in the right direction is the standard set forth by the NIST (National Institute for Standards and Technology). The NIST’s “Framework for Improving Critical Infrastructure Cybersecurity” specifically provides tiered requirements for data centers revolving around five key elements: identify, protect, detect, respond, and recover. A bulked up standard based on these principles would compliment breach notification laws, which alone, are largely ineffective. As an anonymous financial sector representative stated to RollCall, “Breach notification laws can be a useful tool to – potentially – raise awareness about data security issues, incentivize companies to invest in security and empower consumers. But the reality is that notification is after the fact. The key to data security is to prevent breaches in the first place and notification does nothing to prevent breaches except in a very indirect way.” While Senate Judiciary Chairman Patrick J. Leahy, D-Vt., spearheads efforts to offer criminal penalties to companies that fail to disclose breaches, enterprises must be proactive in the meantime. As Randy Vanderhoof, president of the Smart Card Alliance, says, “I really think the industry needs to do a better job in how it protects its information.” Such proactivity on the part of industry leaders will preempt any drastic legislation, so that companies won’t have to scramble in a mad dash to bring standards up to federal compliance. Rather, those enterprises that can show that consumer data is fiercely protected will earn loyal customers for life. They’ll also be poised to rise above their competitors that simply lie in wait for Congress to dictate security standards to them. As companies wait and figure out next steps, IT teams should look to secure cloud solutions as a feasible option for providing data privacy for sensitive information like consumer credit cards.

Protecting Customers With SpiderOak Blue

One great option available to enterprises for cloud storage is  SpiderOak Blue. This secure cloud service offers 100% data privacy and user anonymity through easy storage, convenient sharing, remote syncing for a mobile workforce, and zero-knowledge end-point device backup solutions. With availability on Mac, Windows, Linux, iOS, and Android, SpiderOak provides flexible solutions to meet any company’s demands.

 

Business & the Cloud Archives - The Privacy Post

2

Protecting Medical Records in a New Era of Health Insurance

Posted by on Mar 11, 2014

Courtesy of Greg Harbaugh/Feature Photo Service

With the healthcare system undergoing numerous changes, it’s important to make sure medical data is secure.
Courtesy of Greg Harbaugh/Feature Photo Service

Enterprises have scrambled to stay ahead of new regulations brought about by the Affordable Care Act, otherwise known as ObamaCare. The healthcare industry, however, is the most directly impacted by the law, as healthcare providers and insurance companies must prepare for an influx of new patients and a more widely insured populace. But as the insurance pool broadens, risk will be compounded as medical records and sensitive data becomes a brighter target for hacking and leaks. The best way to protect medical data in this new era of mandatory health insurance is through secure cloud storage and sync services that offer 100% data privacy and user anonymity. Anything less than full data privacy and security for medical records could result in damaged brands, exploited information, and increasingly costly HIPAA fines.

According to Norse, a cyber security firm based in St. Louis, the health care industry is a prime target for cyber attacks. In a recent study conducted by Norse, about 60% of malicious web traffic targeted healthcare providers, associates, and insurance companies. The reason for such a wide prevalence of attacks is the relative lack of proper data security in the industry. Proactive enterprises should take note and guard data well beyond HIPAA expectations to ensure that sensitive data stays private and that medical records are kept fully secure. Not only is it the ethical thing to do, but such precautions also maintain brand loyalty, especially in an age of massive public distrust in the health care industry. Larry Ponemon, chairman of the Ponemon Institute, says, “With the Internet of Things expanding the attack surface, and current HIPAA and HITECH compliance not nearly providing enough security, healthcare organizations are falling further and further behind in their efforts to secure patient data.”

This concern echoes the findings of the Ponemon Institute’s “2013 Cost of a Data Breach Study”. According to the study, 94% of healthcare providers and affiliate organizations like insurance companies had experienced some sort of data breach from 2011 to 2013. In 2013’s first quarter, over 875,000 private records were exposed due to a breach. With the HIPAA Omnibus rule, which demands up to $1.5 million per lost record in penalties, these sorts of breaches are just too costly for enterprises to ignore. A severe breach could permanently damage a provider through large HIPAA penalties and severed public trust. Even with Google’s recent announcement of HIPAA compliance through the Business Associate Agreement, products like Gmail and the Google Drive simply don’t provide medical enterprises with the securities needed to truly keep records and data private.

In a recent report put out by the Office of the Inspector General, it was found that state Medicaid databases could be highly vulnerable to attack. In light of such revelations, enterprises that deal with Medicaid must be highly cautious when moving forward and sharing sensitive information in order to avoid leaks and data breaches. According to Mac McMillan, CEO of the CynergisTek consulting firm, “We have seen these reports over and over again. It all stems from a lack of a good, solid framework for security and an accreditation process to ensure there is accountability.” For McMillan, vulnerabilities are established because “Poor security, inadequate controls, [and] lack of proactive monitoring all create a welcoming playground for the would-be identity thief and fraudster.” Many enterprises hastily rush out big data projects to leverage technology and stay one step ahead of competitors. In the rush, proper security measures are neglected or outright abandoned. But development teams should remember that projects must be fully secure before rollout, otherwise, all of the time and effort invested into an unguarded project could be wasted in the likely event of a data breach.

In an attempt to save a sliver of funds on proper security investment, some enterprises try to forgo secure cloud services in favor of encrypting data onsite. But history shows that trying to protect sensitive information can be difficult for even the largest organizations. AOL, Netflix, and the State of Massachusetts’s Group Insurance Commission have all suffered data breaches despite attempts at securing private data. According to Ed Felten, Princeton professor of computer science and public affairs, “A decade of computer science research shows that many data sets can be re-identified. Removing obvious identifiers is not enough to prevent re-identification. Removing all data about individuals may not be enough.” This means that even if such security measures are initially successful, a savvy hacker could undermine them by piecing together bits of scrambled data to find something exploitable. Instead of implementing disproven methods for securing data onsite, enterprises in the medical and healthcare fields should opt for tried and true protections through private cloud solutions. This will ensure that patient data is truly kept safe from external breaches and even internal leaks.

Securing Medical Records With SpiderOak Blue

Medical businesses and enterprises must keep records private in order to thrive and stave off costly HIPAA penalties. But finding a cloud service that can provide 100% data privacy and user anonymity can be difficult in a market flooded with subpar providers. A truly secure service must close off any security gaps so that data can never be leaked, attacked, or breached in any way. A great option can be found with SpiderOak Blue. This secure cloud provider offers enterprises storage, sharing, remote syncing, and zero-knowledge end-point device backup solutions. Businesses can offer their employees popular mobile and work from home opportunities while ensuring that offsite data stay safe.

SpiderOak offers IT admins a convenient central management console so that your enterprise keeps control of all of your data. Deployment is available onsite with private servers or through secured public cloud servers that provide scalable solutions. A virtual appliance positioned behind your firewall resolves authentication and offers a single sign-on through integration with your Active Directory/LDAP. SpiderOak Blue is available with Linux, Mac, and Windows operating systems along with mobile options through Android and iOS. Sign up today!