
Hackers Want to Know What Your Sexual Kinks are, and Dating Sites are Telling Them

If you are a frequent user of online dating platforms, be warned: the way they are getting relentlessly hacked, soon the only thing you’ll be kissing is your sensitive data goodbye.

It’s no coincidence that popular dating sites, such as Ashley Madison, OKCupid, and BeautifulPeople.com are being constantly attacked by hackers.

Private data really doesn’t get any more private than the stuff you share on dating websites. Could you imagine having your list of sexual fetishes leaked? Or maybe all the cringey, flirty messages you’ve sent over the years?

It is clear that dating websites have data security systems in place that are greatly disproportionate to the sensitivity of the data their users trust them to safeguard.

So what can dating websites, or any business tasked with the protection of sensitive data, do to keep their customers’ data secure?


In the recent Rosebuttboard.com hack, more than 100,000 members’ accounts were exposed.

Rosebuttboard is a forum for people who partake in the devastation of the derriere. Can you imagine how crappy it would be to have the world know about your private desires?

Rosebuttboard used out-of-date software and security strategies with known vulnerabilities, making them easy pickings for cybercriminals.

What you should do: Avoid being the butt of hackers’ jokes by keeping all of your software patched and up to date, ensuring that the versions you use have no known flaws. This instantly makes it harder for hackers to breach your system.


In addition to using an out-of-date forum system, Rosebuttboard also used an archaic and easily-crackable encryption method to store their users’ personal information.

And in OKCupid’s big hack of 2014, it was revealed that users’ passwords were saved in plain text.

Using outdated encryption methods (or not using any at all) is about as safe as leaving the key to your house under the doormat on your front porch.

What you should do: Encrypt all your sensitive data! That way, even if hackers somehow find their way into your network and steal your encrypted data, they will have the equivalent of a safe they don’t know the combination to.


Adult dating site Fling.com has also been a victim of a data breach, with information such as sexual preferences, emails and old passwords being hawked on the dark web. Mysteriously, even the personal information of people who had deleted their accounts was found amongst the data.

Even worse is the now-infamous Ashley Madison hack. It aired the dirty laundry of 32-million cheating spouses, and even led to multiple suicides.


Ashley Madison’s story is a classic example of why data security should be taken seriously: post-breach, their web traffic plummeted by 82%, and they are still fighting against a $567 million lawsuit.

 

Among Ashley Madison’s poor security practices, the worst was their “Full Delete” option that didn’t even work. The option promised complete removal of users’ traces on the site, for a small fee of $19.

Ashley Madison reportedly netted $1.7 million USD from this service. Yet, in the data leaked, sensitive information from those who had paid for this service was still found.

What you should do: If you don’t need it, fling it! Preventing data buildup will ensure that there is less data for hackers to steal.
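The failing “Full Delete” described above is a data-retention bug that can be tested for. As an added example that is not Ground Labs’ or Ashley Madison’s code, the Python below contrasts a delete that only flags the account with one that purges every row linked to the user, and adds a residue check to run before calling anything “deleted”; the schema, table names, user records and function names are constructed for this illustration.

```python
"""Added example: flag-only delete vs. full purge, with a residue check.
Everything here (schema, sample rows, function names) is constructed."""
import sqlite3

# Constructed schema: the kinds of per-user tables a dating site keeps.
SCHEMA = """
CREATE TABLE users    (id INTEGER PRIMARY KEY, email TEXT, deleted INTEGER DEFAULT 0);
CREATE TABLE profiles (user_id INTEGER, preferences TEXT);
CREATE TABLE messages (id INTEGER PRIMARY KEY, sender_id INTEGER, recipient_id INTEGER, body TEXT);
CREATE TABLE payments (id INTEGER PRIMARY KEY, user_id INTEGER, product TEXT, amount_usd REAL);
"""

# Every table/column that can point back at a user. A full delete must cover
# all of them; any reference missing from this list is where residue survives.
# Identifiers come only from this fixed list, never from user input.
USER_REFERENCES = [
    ("profiles", "user_id"),
    ("messages", "sender_id"),
    ("messages", "recipient_id"),
    ("payments", "user_id"),
    ("users", "id"),
]


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample data for two users."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users (id, email) VALUES (?, ?)",
                   [(1, "alice@example.invalid"), (2, "bob@example.invalid")])
    db.executemany("INSERT INTO profiles VALUES (?, ?)",
                   [(1, "constructed preferences"), (2, "constructed preferences")])
    db.executemany("INSERT INTO messages (sender_id, recipient_id, body) VALUES (?, ?, ?)",
                   [(1, 2, "hi"), (2, 1, "hello")])
    db.execute("INSERT INTO payments (user_id, product, amount_usd) VALUES (?, ?, ?)",
               (1, "full_delete", 19.0))
    return db


def flag_only_delete(db: sqlite3.Connection, user_id: int) -> None:
    """The failure mode: marks the account deleted and leaves everything else."""
    db.execute("UPDATE users SET deleted = 1 WHERE id = ?", (user_id,))


def full_delete(db: sqlite3.Connection, user_id: int) -> None:
    """Purge every row linked to the user. The payment ledger is kept but
    unlinked from the person (an assumption about what accounting needs).
    Note that messages are removed for both parties to the conversation."""
    db.execute("UPDATE payments SET user_id = NULL WHERE user_id = ?", (user_id,))
    db.execute("DELETE FROM messages WHERE sender_id = ? OR recipient_id = ?",
               (user_id, user_id))
    db.execute("DELETE FROM profiles WHERE user_id = ?", (user_id,))
    db.execute("DELETE FROM users WHERE id = ?", (user_id,))


def residual_records(db: sqlite3.Connection, user_id: int) -> dict:
    """Count rows in each known reference column that still point at the user.
    Only an empty result justifies telling the customer their data is gone."""
    found = {}
    for table, column in USER_REFERENCES:
        n = db.execute(f"SELECT COUNT(*) FROM {table} WHERE {column} = ?",
                       (user_id,)).fetchone()[0]
        if n:
            found[f"{table}.{column}"] = n
    return found
```

Run the residue check against every table that can reference a user, not just the accounts table, or the check itself becomes the flag-only delete in disguise.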

 

The Business-As-Usual Approach

All these tips point to the importance of engaging in BAU security practices. In today’s data-centric world, integrating security tactics in your everyday business is critical in ensuring that your company stays safe from prying eyes.

Vulnerabilities must be patched as soon as they are discovered, network intruders have to be detected quickly, and data must be carefully monitored and safeguarded.

Keeping an eye on your company’s sensitive data buildup is no small feat, ordinarily. Extraordinarily, Ground Labs’ Enterprise Recon software helps customers manage sensitive data across their entire network, and aligns perfectly with the goal of making security a BAU process.

Real-time scanning, role delegation, scan scheduling — these features make it incredibly easy for any business to take control of their data, and ensure that no sensitive data goes undiscovered. It’s both the easiest and the safest way to ensure that even if hackers break into your network, there will be nothing for them to steal.

Sign up for a free trial of Enterprise Recon today for a first-hand look at how easy it can be to manage sensitive data across your entire company.


Data Breach of Verizon a Grim Reminder To Us All: No One’s Bulletproof

To your everyday man on the street, Verizon Communications is an American broadband and telecommunications company. But to those of us in the IT security line, Verizon is also one of the frontliners in the fight against cybercrime, responsible for helping many Fortune 500 companies respond to massive data breaches.

But in a tragic turn of events, Brian Krebs reported last week that Verizon has suffered a data breach, resulting in the theft of 1.5 million records of their customers’ information.


Ransomware Attacks On The Rise: What Are You Doing To Protect Your Business?

“We do not negotiate with terrorists”. Except, most of us have, or would.

A relatively new breed of malware, dubbed “Ransomware”, is holding computer systems hostage and demanding payment for their safe release.

What’s surprising is that these underhanded tactics often see a payout for cybercriminals — according to one study, about 50% of ransomware victims paid their extortionists, and another 40% of people said that they would pay the ransom too if it happened to them.

It’s estimated that at least $5 million is extorted from ransomware victims each year.

Cybersecurity experts are encouraging ransomware victims not to pay the extortionists for two reasons: firstly, there’s no guarantee you’ll get your data back, and secondly, because it only further encourages cybercriminals to continue running ransomware attacks.

This, of course, includes repeat attacks on your own environment, which they now know is not only easy to get into, but also likely to cave to their demands.

It’s a non-issue as long as no ransomware makes its way onto your systems, but the odds of that actually happening are ever increasing.

As far as we know, there are currently more than 4 million samples of ransomware in existence, where there were only 1.5 million samples in 2013. Hackers can’t get enough of the stuff.

Hackers are also finding new ways to bring ransomware to a system near you. It has been reported that a disproportionately large number of websites that run on the WordPress CMS are being hacked to deliver ransomware to end users.

All you need to do to catch the bug is visit one of these booby-trapped websites with an out-of-date version of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer, and you may be looking at a ransom amount of $500 (or a few bitcoins) in exchange for your computer back.


Beating Ransomware

There are basically two different types of defense strategies against ransomware attacks — making sure you don’t get infected in the first place, and staying safe post infection.

User and staff education is a key data security practice. Making sure that you and your staff are well aware of possible online hazards like phishing emails or insecure websites goes a long way toward making sure ransomware never reaches your systems.

Patching your systems and making sure that all your applications are up-to-date is also textbook good practice. Ransomware can find its way into your systems through vulnerabilities, so make sure that your network has no holes for cyberattacks to slip through.

Additionally, running anti-spam software that can detect malicious links in emails will definitely go a long way to helping you ensure that no one in your business will be opening any “uh-oh” links.

 

Hit me. Whatever. I’m over it.

Perhaps you won’t be nearly that stoic, but the best way to beat ransomware is to take away their leverage. This means making sure that there is no data on your systems that would be of value to hackers.

This works for two reasons — one, hackers are a lot less likely to hold your network at a high ransom price if they search your systems and find little or nothing of value. Secondly, should they still try and hold your network hostage, starting over will be a significantly cheaper endeavor than paying the ransom amount (which doesn’t guarantee you will get anything back).

There are two basic ways to go about this. The first method is simple: back up your data. Using removable storage is a cheap and simple solution for small businesses, and a surefire way to make sure that all your eggs are not in the same basket.

The second way is simply removing sensitive data from your systems. Many companies store large amounts of sensitive data, like credit card numbers, healthcare information and personal information, without any real business justification for doing so. Often, they are not even aware that they are storing all that data that hackers are after.

Keeping your systems clean is a form of risk mitigation. It ensures that even if you do get hit by ransomware, you will be in a good position to recover from the attack as quickly and painlessly as possible.

Removing sensitive data from your systems is easier than you think, using Ground Labs’ line of data discovery software. Regardless of the number of systems on your network, Ground Labs has a solution tailored to help you find and lock down your sensitive data. Visit our website to find out more, and sign up for a free trial today!


Soon-To-Be Ex-CEOs: Lose Data In Hacks, Get The Axe.

The aftermath of the Ashley Madison hack that aired the details of its 37 million users has been anything but pretty. News of divorces, lawsuits, and even suicide relating to the hack are being reported on a daily basis, and in a completely understandable move, Ashley Madison’s parent company CEO no longer holds his title.

Noel Biderman, the Founder of Ashley Madison, stepped down on August 28. Although the press release states that he left the company in a ‘mutual agreement’, it’s a statement that leaves you wondering whether that’s really how it went down.

One thing’s for certain: if not for the hack, Noel would still be running the company he founded, which reported a $115 million profit last year.

Regardless of what kind of business Ashley Madison is, Biderman clearly put a great deal of effort into making the company what it is today. For more than 14 years, it has been a company that he literally created from the ground up. And then, he witnessed how quickly hard work can come crashing down over less than 30 gigabytes of leaked information.

And he’s far from being the only one.


Ashley Madison’s ex-CEO, Noel Biderman

As many have seen or heard many times over, Target’s ex-CEO, Gregg Steinhafel, resigned shortly after the notorious Target data breach that has cost the company $148 million, and counting.

Ten years ago, such a thing would have been unheard of. Punishment for a breach would go right over the heads of the executive management, and strike at the hearts of their IT security teams.

Today, whilst IT security team members still get the axe when things turn to custard, the ultimate sacrifice must be made by the people where the buck stops — the CEO and the executive team.

The lesson for all CEOs and founders: Allowing a huge data breach to happen is now a big enough mistake to cost you your job, even if you’re the one who started the company to begin with.

The general public will light their torches and brandish their pitchforks at your castle gates. Your supporters will dwindle in number, and soon you will be forced to make a decision — leave the company with some of your dignity intact, or wait for your board members to hit the eject button.

What’s Changed?

So why have data breaches become a blunder worth punishing the head of a company for? The biggest reason is that the scale of breaches has grown exponentially: losing millions of records has become commonplace, and if a million people lose their personal information thanks to a mistake made by your company, that’s a million of your customers you just aggravated.

Another reason is the amount of attention hacking receives from the media. For weeks prior, the Ashley Madison story was making headlines all around the world, and once the leak went public it was covered endlessly by every news source. It’s not as easy to brush the issue under the carpet as it was many years ago.

An ‘Ashley Madison’ google search now shows a flood of news stories surrounding the hack, to the point where it’s hard to find a link to the actual website.

How to Avoid Being Next

The obvious solution is to simply avoid losing data. However, it’s really not as easy as it sounds. Many companies see thousands of inbound attacks daily. You can defend as much as you want, but the sad truth is that it only takes one attacker breaking in to bring your entire fortress crashing down.

The less obvious but much more critical solution is to avoid, as far as possible, storing any information worth stealing. In Ashley Madison’s case, accounts that should have been deleted, as well as email logs from years prior had no place on their systems. The more sensitive data you hold on to, the more you stand to lose in a data breach.

Today’s security professionals are promoting a new strategy: If you don’t need it, don’t store it. Because if an outsider does find a way into your IT network (and statistically speaking, they will find a way), then your valuable data assets in storage will already be reduced to a bare minimum. Furthermore, if your security team has taken the right steps and focused on protecting what remaining information you do need to store with encryption, or other obfuscation technologies, there’s hopefully little to no data left that’s easy to steal.

So our message to all you CEOs out there — listen to your security guys. They too have a vested interest in your longevity.

But if you don’t and the worst case happens, they can always leave and get another job. You on the other hand won’t be able to escape being seen as ultimately responsible for a very public data breach, regardless of who internally was at fault.

If you’re wondering how much easily stealable data you have right now, try Enterprise Recon for free, and get started on cleaning up your systems.


US Companies, Are You Ready For Even More Brutal Data Breach Consequences?

In May, IBM and Ponemon Institute released a study on the cost of a data breach, and found startling statistics:

  • Average cost per lost record is $217.
  • Average total cost of a data breach is $6.5 million.

And, as if the one-two punch of monetary and reputation loss a data breach hits you with is not enough, the Federal Trade Commission (FTC) is now ready to pounce on you with a vicious (but much needed) body blow if you have poor cybersecurity.

For example, the FTC filed a complaint in 2012 against Wyndham Hotels for failure to protect the consumer information of more than 600,000 of its guests.

The result? The U.S. Court of Appeals has spoken: the FTC is given regulatory power to punish companies that do not act in accordance with safe data security practices.

The FTC’s Chairwoman, Edith Ramirez, issued this firm statement after the ruling:

“Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

How exactly the FTC intends to punish companies at this point is unclear. But, it could be anything from heavy fines to a probational period of intensive audits.

While some may feel that the FTC is kicking companies that are already down, it’s clear that more penalties are required for companies that do not make an effort to protect the private information of their consumers.

Are you protecting your customers?

While the fines and penalties for data breaches can easily cripple or even shut down a small to mid-sized business, some larger organizations can not only bear the brunt of a data breach, but shrug it off and resume business as usual.

And because they do not feel anything more than a prick from a data breach, they see no reason to work harder at securing their networks.

Some companies even think it’s cheaper and simpler to just get hacked, claim on insurance and move on.

These companies fail to see the impact that breaches have on their customers’ personal lives, who are at risk of having their personal details leaked. As seen in the recent Ashley Madison hack, in extreme cases, data breaches can affect individuals on a deep enough level to cause them to take their own lives.

Hopefully the penalties to be dealt out by the FTC will give companies the extra incentive they need to work hard at keeping their networks secure.


Verizon Data Breach Incident Report 2015 Summary

 

The Verizon DBIR is one of the annual scriptures read by data security enthusiasts worldwide, and this year’s offering is no different.

The report is packed full with meticulously-gathered, mind-blowing statistics, and yet presented in a light-hearted tone with pop culture references ranging from gangster rap to Disney musicals.

Here are a few highlights from the DBIR we found to be the most interesting.

Phishing

While phishing is nothing new or unfamiliar, some findings released in the DBIR were interesting, to say the least.

To further evade detection, phishing campaigns have evolved to incorporate installation of malware as the second stage of the attack.

Just how well does phishing work?

Today, a glaring 23% of phishing email recipients open phishing messages, and 11% of them click on attachments. Of the 23% who opened the emails, half of them did it within an hour of receiving the email.

A campaign of just 10 e-mails yields a greater than 90% chance that at least one person will fall victim to the scam.

Not only do phishing emails work well, they work fast. The median time it takes for the first click to come through is 1 minute, 22 seconds.

Can Phishing Emails Be Stopped?

In light of such discouraging statistics, it’s hard to see the point in investing in data security.

Why should you spend large amounts of money on antiviruses and firewalls, if it’s so incredibly likely that one negligent employee making one false click is going to bring your walls crashing down?

The good news is, there are a few ways to reduce the risk of getting hooked. The DBIR recommends better email filtering, to keep phishing emails out of users’ inboxes. Also encouraged is acquiring improved detection and response capabilities.

However, the most effective way cited is through awareness and training, which can reduce the number of people that fall victim to a phish to (potentially) less than 5%.

Common Vulnerabilities and Exposures (CVEs)

In late 2013, a list of the 500 most common vulnerabilities and exposures was compiled. Looking back on that list, 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published.

Worse still, hackers are exploiting vulnerabilities from as far back as 1999, which shows that they are aware that these old exploits are still an easy way into many systems.

Patch Hard, Patch Fast

There is a clear need for all organisations to patch vulnerabilities as they come, and to do so quickly.

While it’s true that some vulnerabilities are more high-priority than others (97% of the exploits observed in 2014 were caused by just ten of the 500 CVEs listed), you cannot call your network secure unless you are certain it has zero vulnerabilities to exploit.

Make sure that your company has in its employ someone to stay on top of what the latest vulnerabilities and threats are, and is able to quickly apply patches when necessary.

Aside from phishing attacks, vulnerability exploits are some of the easiest ways for hackers to gain access to your systems. To quote the DBIR directly: “[there is a] need for all those stinking patches on all your stinking systems.”

Miscellaneous Tidbits

  • 5 malware events occur every second.
  • Mobile devices are not as at risk as we thought: only 0.03% of mobile devices are infected with truly malicious exploits.
  • Verizon seems to have given up on trying to figure out the cost per record in data breaches. Instead, they have developed a table that gives a rough estimate of how much you can expect to spend on a data breach, based on the number of records you lost:

(Table from the DBIR: estimated cost of a data breach by number of records lost)

Another Year, Another Great Report

This year’s DBIR, as usual, did not disappoint. A lot of the findings have been game changing: IT security professionals are going to be less likely to bring up the cost per record in a data breach, or to talk about the dire need for mobile data security.

But regardless of how such statistics may change, good data security practices remain a constant. In other words: keep up to date with the latest trends, and understand your data.

While we did pick out our favorite parts of the Verizon DBIR, pretty much all of it is interesting and worth a read, which you can do here.