Facebook Breathes Sigh of Relief as Google+ Glitch Draws Regulator Attention

A couple of weeks back we reported that Facebook was in the cross-hairs of regulators and litigants around the world as a result of its latest breach. This week some of that unwanted attention shifted from Facebook to rival Google.

Google+ Attains “Me Too” Status with Breach

Google+ was Google's failed "me too" answer to Facebook. It never worked well and never threatened Facebook's market share, yet through its own security flaws it has now reached parity with Facebook, and perhaps bested it, on at least one front.

Should Have Shut it Down a Long Time Ago

The flaw, first brought to the public's attention in a WSJ.com article last week, would never have happened had Google's parent company, Alphabet, Inc., pruned its product line years ago. It has been clear for years to even the most casual observer that Google+ was a flop that would never gain widespread acceptance or use.

Instead, Google found itself with a vulnerability that exposed roughly 500,000 users, one that existed from 2015 until its discovery earlier this year, and chose to keep it quiet "in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage." To their credit, Google fixed the flaw immediately upon finding it; they simply hoped no one would ever learn of its prior existence.

The Flaw

A Google internal review team discovered the API vulnerability, which affected approximately 500,000 accounts. The bug allowed third-party apps using the API to read profile fields that a user had not marked as public. According to Google, the exposed fields included name, occupation and age; phone numbers and the more sensitive data held elsewhere in a Google account were not affected. We can only hope that this is true, since a single Google account ties together everything from Gmail to Contacts, AdWords and YouTube.
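
The class of bug described above, an API that checks the app's OAuth scope but not the visibility the profile owner set on each field, in an illustrative Python sketch. This is an added example, not Google's code, and it makes no claim about how the Google+ API was actually implemented; the scope name, the three visibility levels and the sample profile are assumptions for the example. The vulnerable handler returns every stored field once the scope check passes; the hardened one applies the same per-field visibility test the site itself would apply for the user the app is acting on behalf of.

```python
from dataclasses import dataclass, field

# Visibility levels a profile owner can assign to each field (assumed model for this example).
PUBLIC, CIRCLES, PRIVATE = "public", "circles", "private"
PROFILE_SCOPE = "profile.read"   # hypothetical OAuth scope name


@dataclass
class Profile:
    user_id: str
    fields: dict                                 # field name -> value
    visibility: dict                             # field name -> PUBLIC | CIRCLES | PRIVATE
    circles: set = field(default_factory=set)    # user_ids the owner shares CIRCLES fields with


def _check_scope(granted_scopes: set) -> None:
    if PROFILE_SCOPE not in granted_scopes:
        raise PermissionError("app was not granted " + PROFILE_SCOPE)


def get_profile_vulnerable(profile: Profile, on_behalf_of: str, granted_scopes: set) -> dict:
    """Checks the OAuth scope and nothing else.

    Once an app holds the profile scope it receives every stored field, so an app
    acting for user X can read fields the profile owner never shared with X.
    """
    _check_scope(granted_scopes)
    return dict(profile.fields)                  # BUG: per-field visibility is ignored


def visible_to(profile: Profile, name: str, viewer: str) -> bool:
    """Would `viewer`, browsing the site directly, be allowed to see this field?"""
    if viewer == profile.user_id:
        return True                              # owners always see their own data
    level = profile.visibility.get(name, PRIVATE)  # default-deny for unlabelled fields
    if level == PUBLIC:
        return True
    if level == CIRCLES:
        return viewer in profile.circles
    return False


def get_profile_hardened(profile: Profile, on_behalf_of: str, granted_scopes: set) -> dict:
    """Scope check plus per-field filtering: the app sees no more than its user could."""
    _check_scope(granted_scopes)
    return {k: v for k, v in profile.fields.items() if visible_to(profile, k, on_behalf_of)}


# Constructed sample: alice shares her occupation with her circles only and keeps her age private.
ALICE = Profile(
    user_id="alice",
    fields={"name": "Alice Example", "occupation": "Engineer", "age": 34},
    visibility={"name": PUBLIC, "occupation": CIRCLES, "age": PRIVATE},
    circles={"bob"},
)

if __name__ == "__main__":
    scopes = {PROFILE_SCOPE}
    # carol is not in alice's circles; the vulnerable handler still hands her everything
    print("vulnerable:", get_profile_vulnerable(ALICE, "carol", scopes))
    print("hardened  :", get_profile_hardened(ALICE, "carol", scopes))
    print("friend    :", get_profile_hardened(ALICE, "bob", scopes))
```

The design point is that the scope answers "may this app read profiles at all?", while the visibility table answers "may this particular viewer see this particular field?". Both questions have to be asked on every response, and unlabelled fields default to private rather than public.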

Taking Heat

By today's standards the flaw seems rather benign, and spun correctly Google might have come away smelling like the proverbial rose. Instead, by keeping it quiet they are drawing serious heat from Congress.

  • Senators John Thune, Roger Wicker, and Jerry Moran want answers. The trio sent a letter to Google CEO Sundar Pichai requesting information about the company's response to the discovery of the glitch.
  • Senator Chuck Grassley (R-Iowa) wrote directly to Sundar Pichai on Friday. Grassley pressed on why Google had declined to participate in the April Congressional hearings that focused on Facebook.

Konsultek’s Take

Social networks such as Google+ and Facebook pose a significant threat to the privacy of the individuals and corporations that use them. A single Google login unlocks many Google properties, so the compromise of that one account, or of one poorly secured system behind it, is effectively the compromise of everything tied to it. Extreme caution with social media has always been advised, and this latest breach drives that home. Convenient as it is, reusing one set of credentials across many services should be avoided as a security best practice, and any account that does serve as a single sign-on to other services deserves a unique password and multi-factor authentication.

The Only Certainties in Life are Death, Taxes and Cybercrime!

Today is the last day to file your federal income taxes, and the looming midnight deadline has thousands, if not millions, of citizens stressed out and more susceptible to phishing scams than usual.

Every good cybercriminal knows this, and they are working overtime churning out fake emails from the IRS and other taxing authorities in the hope of snagging victims, stealing valuable information and ultimately making some money.

IRS Phishing PSA

For those of you who stumbled across this blog post hoping to find a quick answer to the question "How do I know if this email from the IRS is real?", here is the quick answer.
The IRS does not initiate contact by email, text message or social media, and it will NEVER email you asking for personally identifiable information such as your Social Security number or bank account details. So if you are looking at an email that purports to be from the IRS and asks for this information, it is a phishing email: do not reply, do not click its links or open its attachments, and report it (the IRS accepts forwarded copies at phishing@irs.gov).

IRS Issues Scam Warning

The prevalence of phishing scams this tax season prompted the IRS to issue a warning on March 17, 2017.
In the warning the IRS urged both tax professionals and taxpayers to be on guard against suspicious activity. Two scams were highlighted.

The first targets tax preparers: a fake email, ostensibly from a client, asks the preparer to change the destination of the client's refund, often to a pre-paid debit card. Because the request appears to come from an existing client, the only reliable defense is to confirm any change of refund destination with the client by phone or in person, never by replying to the email.

The second targets users of tax preparation software or similar services: users receive emails that appear to come from those providers asking them to update their online accounts.

Of course, those nostalgic for the good old days should be happy to know that telephone scams are still plentiful, with the "IRS" robo-calling with urgent messages that require immediate action.

From Phishing to Malware

The purpose of these phishing emails is often not to collect account information directly but to install malware that can then access everything stored on the infected device and even hijack its camera, according to Zscaler (www.zscaler.com):

The Zscaler ThreatLabZ team has detected a rise in Java-based remote access Trojan variants — jRATs — which give attackers a backdoor into a victim’s system and can be capable of remotely taking control of the system once it’s infected. Malware authors are using numerous tactics to entice unsuspecting users to open infected attachments, which arrive as malicious JAR files. Most recently, we’ve seen filenames such as “IRS Updates.jar” and “Important_PDF.jar,” claiming to contain important tax deadline information from the IRS.
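
A mail-gateway check for the JAR-based lures Zscaler describes, written in Python as an added example that is neither Zscaler's code nor part of the original post. It flags an attachment by its extension, by a filename that advertises a PDF while carrying another extension (the "Important_PDF.jar" pattern), and by content sniffing: a JAR is a ZIP archive, so the code opens the container and looks for a manifest or .class entries rather than trusting the name. The sample message, its sender domain and the extension list are constructed for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that run code when double-clicked on a typical desktop (assumed blocklist).
EXECUTABLE_EXTENSIONS = {"jar", "exe", "com", "js", "jse", "vbs", "wsf", "scr",
                         "bat", "cmd", "ps1", "hta", "msi"}


def sniff(data: bytes) -> str:
    """Identify a payload by its leading bytes instead of its declared name."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"          # ZIP container: also JAR, DOCX, XLSX, APK ...
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"MZ"):
        return "pe"           # Windows executable
    return "unknown"


def zip_looks_like_jar(data: bytes) -> bool:
    """A JAR carries META-INF/MANIFEST.MF and/or compiled .class entries."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return any(n == "META-INF/MANIFEST.MF" or n.endswith(".class") for n in names)


def scan_attachments(raw: bytes) -> list:
    """Return one finding per attachment; an empty 'reasons' list means it passed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if "." in name:
            stem, ext = name.rsplit(".", 1)
            ext = ext.lower()
        else:
            stem, ext = name, ""
        data = part.get_payload(decode=True) or b""
        kind = sniff(data)
        reasons = []
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable extension .{ext}")
        if ext != "pdf" and "pdf" in stem.lower():
            reasons.append("filename advertises PDF but extension differs")
        if ext == "pdf" and kind != "pdf":
            reasons.append(f"declared .pdf but content sniffs as {kind}")
        if kind == "zip" and zip_looks_like_jar(data):
            reasons.append("ZIP container holds a Java manifest or .class entries (JAR)")
        findings.append({"name": name, "sniffed": kind, "reasons": reasons})
    return findings


def should_quarantine(raw: bytes) -> bool:
    return any(f["reasons"] for f in scan_attachments(raw))


def _fake_jar() -> bytes:
    """Constructed stand-in for a malicious JAR: a manifest plus a stub .class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)  # class-file magic only
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed lure using the filenames Zscaler reported, plus one benign PDF."""
    msg = EmailMessage()
    msg["From"] = "IRS Refunds <refunds@irs-gov-update.example>"   # constructed sender
    msg["To"] = "taxpayer@example.com"
    msg["Subject"] = "Important tax deadline information"
    msg.set_content("Please review the attached deadline notice before midnight.")
    jar = _fake_jar()
    msg.add_attachment(jar, maintype="application", subtype="java-archive", filename="IRS Updates.jar")
    msg.add_attachment(jar, maintype="application", subtype="octet-stream", filename="Important_PDF.jar")
    msg.add_attachment(b"%PDF-1.4\n%benign placeholder\n", maintype="application",
                       subtype="pdf", filename="Form1040.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_attachments(build_sample_message()):
        print(finding)
```

The content check matters more than the extension check: renaming "IRS Updates.jar" to "IRS Updates.pdf" defeats a name-only filter, but the payload still sniffs as ZIP and the "declared .pdf but content sniffs as zip" reason fires.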

Security is a 24X7X365 Job

Today it’s tax filing, tomorrow the scam will focus on something else. It appears that cybercriminals never sleep and never take a day off. Somewhere in the world there is always someone or some bot attempting to fleece unsuspecting individuals and organizations. I think we have finally “progressed” as a society to the point when we can confidently say that the only things certain in life are death, taxes and cybercrime!

McAfee an Independent Security Company Again!

This week McAfee became an independent security company for the first time since it was acquired by Intel in 2010.

The newly independent McAfee has an enterprise value of $4.2 billion, down from the $7.62 billion price tag that Intel paid.

Intel will retain a 49% ownership in McAfee with the remaining 51% being owned by private equity firm TPG Capital.

McAfee, arguably the world's oldest and one of the largest pure-play security firms on the planet, has over 7,500 employees worldwide and a substantial war chest of security IP, including over 1,200 security-related patents.

The newly independent McAfee should be better positioned to help its consumer and enterprise clients deal with the rapidly evolving cyber-threat landscape.

In an interview with VentureBeat, McAfee’s Chief Technology Officer, Steve Grobman said “he believes both Intel and McAfee will be able to focus on their businesses better as separate companies. He said that cybersecurity is changing fast, and the company needs to think about challenges such as ransomware, the weaponization of data, and political leaks of digital information.”

In his letter to the public dated 4/3/17, McAfee CEO, Christopher Young states “Today, a new McAfee is born. One that promises customers cybersecurity outcomes, not fragmented products. One that vows to move this industry forward by working with competitors, not just partners. And, one that offers employees a calling, not simply a career.”

Konsultek Welcomes McAfee Back

At Konsultek we are always looking to bring our customers the best solutions on the planet. We look forward to seeing what the newly independent McAfee can bring to the market in the way of innovative and world class solutions.

Just 1 in 5 Financial Institutions Confident they can Detect a Data Breach

Yet, Consumers Implicitly Trust Them According to a Capgemini Report

According to the Capgemini report, while banks and financial institutions enjoy an extraordinary 83% positive level of consumer trust in the cybersecurity of their systems, just 1 in 5 banking executives surveyed are "highly confident in their ability to detect a breach, let alone defend against it."

For comparison, e-commerce firms enjoy just a 28% positive level of trust, while telecom companies and retailers score a paltry 13%.

The full Capgemini report is available from Capgemini.

Trust is a HUGE Factor In Consumer Choice

According to the report authors, trust in an institution’s ability to protect private data and provide a secure environment is a significant factor for 65% of consumers when choosing which bank to do business with.

And yet, while approximately 25% of financial institutions report having been the victim of a hack of some kind, only 3% of consumers believe their own financial institution has ever been breached. It would seem there is indeed a "trust halo" being enjoyed by banks that the numbers suggest they do not deserve.

If this halo were to become tarnished banks could be in trouble. According to the report 74% of consumers would switch their bank or insurer if they became aware of a breach.

GDPR Will Likely Drive Transparency

The GDPR, which takes effect in May 2018, should drive more transparency and quicker reporting of breaches: it requires organisations to notify their supervisory authority within 72 hours of becoming aware of a personal data breach and to inform affected individuals when the breach is likely to put them at high risk. That may result in some tarnished halos.

“When GDPR is introduced and all breaches are likely to be made public soon after they occur, many people will be in for a surprise,” said Zhiwei Jiang, Global Head of Financial Services, Insights & Data at Capgemini. “The introduction of GDPR legislation next year is a prime opportunity for business transformation for banks and insurers to become the digital fortresses consumers believe them to be.”

Konsultek Knows Security

From financial institutions to university and healthcare organizations, Konsultek builds customized security solutions that protect networks and the data they house. If you are interested in learning exactly how your network may be vulnerable just give us a call and we’ll discuss how we can find your vulnerabilities before they are found by cybercriminals and hackers.

Half of Americans Skeptical that Government & Social Media Secure Personal Information

A recent survey by the Pew Research Center found that roughly half of Americans are not confident that the companies and organizations they deal with daily are keeping their personal information secure.

Interestingly, social media sites and the federal government came in dead last in confidence about cyberprotection! Perhaps those surveyed never had a Yahoo mail account?

The rather comprehensive report also highlights these disturbing figures:

  • 41% of Americans have encountered fraudulent charges on their credit cards.
  • 35% have received notices that some type of sensitive information (like an account number) had been compromised.
  • 16% say that someone has taken over their email accounts, and 13% say someone has taken over one of their social media accounts.
  • 15% have received notices that their Social Security number had been compromised.
  • 14% say that someone has attempted to take out loans or lines of credit in their name.
  • 6% say that someone has impersonated them in order to file fraudulent tax returns.

And beyond these specific experiences, roughly half of Americans (49%) feel that their personal information is less secure than it was five years ago.

Think about these figures as you enjoy the Super Bowl this Sunday with friends and family. Statistically speaking, if you are watching the game with 9 other adults, the Pew findings mean that roughly:

  • 4 of your fellow game watchers have experienced fraudulent credit card charges
  • At least 3 of your fellow game watchers have been notified that some sensitive personal information has been leaked
  • 1, perhaps 2, have had their Social Security numbers compromised!

Protecting Networks 24X7, Even on Game Day

At Konsultek we build custom security solutions for organizations of all sizes across virtually every industry. When you are ready to take your security to the next level, or to outsource it to someone with the experience and resources you need, please pick up the phone and give us a call.

James Comey and Nigerian Spam

Woke up today to find this gem in the mailbox. Who knew that the FBI and the Central Bank of Nigeria would be looking for me!

This email is entertaining for a couple of reasons (at least!) beyond the alleged working relationship between Mr. Comey and the Central Bank of Nigeria.

Take a look at the portions highlighted with blue text! First a warning that “you should ignore any message that does not come from the above email address and phone number for security reasons.”

Next, look at Mr. Comey’s email address. I would have thought that after all the email scandals in Washington that Mr. Comey would not be using an AOL email address for such important and sensitive business!

Re: Urgent January Notice…….

From: James B. Comey, Jr., <fbidirector@openmailbox.org> 

Jan 18 at 12:37 PM

OFFICE OF THE EXECUTIVE DIRECTOR,

MR. JAMES B. COMEY, JR,

FEDERAL BUREAU OF INVESTIGATION,

935 Pennsylvania Avenue, NW

Washington, D.C. 20535-0001. USA.

Attention: Beneficiary, After proper investigations, we, the Federal Bureau of investigation (FBI) discovered that your impending (over-due contract) payment with Central Bank of Nigeria is 100% legal and has been approved for release to you.

We recently had a meeting with the Executive Governor of the Central Bank of Nigeria, in the person of Mr Godwin Emefiele and other top officials of the concerned Ministries regarding your case and we were made to understand that your files have been held in abeyance pending on when you personally apply for the claim.

Investigations also revealed that a lady, by name Mrs. Joan B Melvin from New York has already contacted Central Bank of Nigeria with a power of attorney and some documents, which stipulated that you have mandated her to claim your fund of US$25,000,000.00 (Twenty Five Million United States Dollars) on your behalf due to your ill health.

In view of this, we have been urged to warn US citizens who have received information pertaining to their outstanding contract payment to be very careful and not to be a victim of ugly circumstance. In case you are already dealing with anybody or office of the Central Bank of Nigeria, you are strictly advised to STOP further communication with them in your best interest and thereby contact the real office of the Central Bank of Nigeria via the below information:

NAME: MR. GODWIN EMEFIELE

OFFICE ADDRESS: Central Bank of Nigeria, Central Business District, Cadastral Zone, Abuja, Federal Capital Territory, Nigeria.

Email: central.bnk0015@aol.com

NOTE: In your best interest, you should ignore any message that does not come from the above email address and phone number for security reasons. And to enable the Central Bank of Nigeria to process and release the fund to you, you are required to re-confirm your full details such as

FULL NAMES: __________________________________

CITY: _________________________

STATE: __________________________________

ZIP: ______________COUNTRY: _______________________

SEX: _______________AGE: __________________

TELEPHONE NUMBER: _____________________

Ensure that you follow the Central Bank of Nigeria due process as enshrined in the International Banking Secrecy Act to avoid any form of discrepancy, which may hinder your fund transfer. Thanks for your understanding and cooperation as we earnestly await your urgent response.

Best Regards,

James B. Comey, Jr.,

Federal Bureau of Investigation

J. Edgar Hoover Building,

935 Pennsylvania Avenue,

NW Washington, D.C

E-mail: jjbcomeyjr@aol.com
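
The red flags called out above (a government agency writing from a free-mail account, an "official" contact address at aol.com that differs from the sending domain, an instruction to ignore any other channel, a form asking for personal details, a multi-million-dollar payout and a demand for an urgent reply) as a small Python scorer. This is an added example, not part of the original post; the message text is a constructed abridgement of the email reproduced above, and the free-mail list, phrase lists and threshold are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Consumer mailbox providers: a federal agency or a central bank does not write from these (assumed list).
FREEMAIL = {"aol.com", "gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "openmailbox.org"}
# Phrases that signal an institution the sender claims to speak for.
INSTITUTION_PHRASES = ("federal bureau of investigation", "central bank", "office of the executive director")
# Form fields a genuine payer would already have on file.
PII_FIELDS = ("full names:", "telephone number:", "zip:", "age:", "sex:")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
MONEY_RE = re.compile(r"US\$\s?\d{1,3}(?:,\d{3})+(?:\.\d{2})?")


def analyze(raw: bytes) -> dict:
    """Return the advance-fee red flags found in one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    text = body.lower()
    reasons = []

    if sender_domain in FREEMAIL and any(p in text for p in INSTITUTION_PHRASES):
        reasons.append(f"claims to speak for an institution but is sent from {sender_domain}")

    # Contact addresses planted in the body, compared with the header From domain.
    body_domains = {a.rpartition("@")[2].lower() for a in EMAIL_RE.findall(body)}
    other = body_domains - {sender_domain}
    if other:
        reasons.append("contact address domain differs from sender: " + ", ".join(sorted(other)))
    if body_domains & FREEMAIL:
        reasons.append("the 'official' contact address is a free-mail account")

    if "ignore any message that does not come from" in text:
        reasons.append("instructs the reader not to verify through other channels")
    asked = [f for f in PII_FIELDS if f in text]
    if len(asked) >= 3:
        reasons.append("asks the reader to fill in personal details: " + ", ".join(asked))
    money = MONEY_RE.search(body)
    if money:
        reasons.append("promises a large payout: " + money.group(0))
    if "urgent" in text or "immediate" in text:
        reasons.append("applies time pressure")

    return {"sender_domain": sender_domain, "reasons": reasons, "score": len(reasons)}


def is_advance_fee_scam(raw: bytes, threshold: int = 3) -> bool:
    return analyze(raw)["score"] >= threshold


# Constructed sample, abridged from the message reproduced above.
SAMPLE = b"""From: "James B. Comey Jr." <fbidirector@openmailbox.org>
To: beneficiary@example.com
Subject: Re: Urgent January Notice
Content-Type: text/plain; charset="utf-8"

OFFICE OF THE EXECUTIVE DIRECTOR, FEDERAL BUREAU OF INVESTIGATION
935 Pennsylvania Avenue, NW, Washington, D.C. 20535-0001

Attention: Beneficiary, after proper investigations we, the Federal Bureau of
Investigation (FBI), discovered that your over-due contract payment with the
Central Bank of Nigeria of US$25,000,000.00 is 100% legal and approved for
release to you. Contact the real office of the Central Bank of Nigeria:
NAME: MR. GODWIN EMEFIELE
Email: central.bnk0015@aol.com
NOTE: In your best interest, you should ignore any message that does not come from the above email address.
You are required to re-confirm your full details:
FULL NAMES: ______ CITY: ______ STATE: ______ ZIP: ______
SEX: ______ AGE: ______ TELEPHONE NUMBER: ______
We earnestly await your urgent response.
James B. Comey, Jr., Federal Bureau of Investigation
E-mail: jjbcomeyjr@aol.com
"""

# Constructed control message with none of the signals.
BENIGN = b"""From: Dana <dana@example.com>
To: me@example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Are we still on for lunch on Thursday?
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, analyze(raw))
```

No single signal is conclusive (plenty of legitimate mail is urgent, and small businesses do use free-mail), which is why the verdict is a count over several independent signals rather than a match on any one of them.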

An Interview with a Hacker

TechRepublic.com published an interesting interview last week with the hacker Kapustkiy, a member of the hacking group New World Hackers (NWH).

It's a quick and interesting read that covers his life from his early days hacking as a teen to where he stands today, a member of NWH, which he considers the most elite hacking group of the moment.

Here are some of the highlights:

He Makes Money as a Pen Tester, Not as a Hacker

Kapustkiy refers to himself as a "penetration tester". "I wanted to make money [with my skills], so I do bug bounties."

“I’ll try to find vulnerabilities (most of the time XSS) in websites of my country and I help the administrators to fix them or I’ll report the vulnerable so they could do it on their own. PS: I only spend time on finding vulns in big websites like banks or universities.”

Pen Tester or Hacker? Which is it?

“A lot people are asking me these kind of questions and the reason that I describe myself as a Security Pentester instead of a hacker is, because I like to help websites to improve their security so they are secured. I have always put my focus on Web/Network Security instead of other stuff. A ”hacker” is in my opinion someone who has knowledge with everything.”

Database Bug Exploitation is His Specialty

He considers what he does "not hard at all" and "easy to learn." His inspiration came during his teen years when he read an article about LulzSec (one of his favorite hacking teams) and how they used simple attacks such as SQL injection.

Impressed by NWH Talent

After claiming to be behind the hacking of some high-profile embassies, he reached out to NWH hoping to join their team. As he puts it, "Other groups are good, but not as skilled as [New World Hackers]." NWH claimed responsibility for the crippling IoT-botnet attack that knocked major websites offline across much of the East Coast late last year.

Is What He Does Legal?

“In my opinion, it is legal when you only leak a little bit database to make them aware of it. Also report the vulnerable always and let them know that you try to help them.”

Happy Customers

Kapustkiy offered up screenshots of ostensibly happy clients to TechRepublic, which conducted the interview over encrypted messaging applications that allowed the hacker to remain anonymous.

“The thing that motivates me a lot is that administrators appreciate that I try to improve their security better. I got a ”thank you” of the Indian Embassy and the Italian Government and I was very proud of myself that they have fixed the vulnerable.”

Hacker or Pen Tester, Konsultek Has You Covered

By identifying weaknesses in your network security before they are discovered by external actors, Konsultek can build a custom security solution to close the gaps and prevent future breaches. If your organization is unclear as to how best to protect your valuable information assets, please give us a call. We’re here to help.

2016 DARPA Cyber Grand Challenge

One of the most interesting and also most underreported cyber events of 2016 had to be DARPA’s Cyber Grand Challenge.

Beginning with a call for competitors back in 2013, the challenge, held on August 4th, 2016, was the world’s first all-computer Capture the Flag tournament. Out of all the entrants, just seven prototype systems made the final cut and competed in the ultimate information security showdown.

Machine Security Experts vs. Human Security Experts

The big benefit of machine security “experts” is that they are incredibly fast and almost instantly scalable; their downfall, of course, is that they lack inherent expertise. Human security experts have the inherent expertise but are slow by comparison and do not scale.

The goal of the DARPA challenge was to move infosec toward a world in which machines have inherent expertise as well as speed and scalability.

Set in Vegas, complete with a cool looking stage, color commentary and enough power to run a city block, the DARPA challenge looked more like a pro-gaming event than a Department of Defense research project.

Ultimately, the hype and sizzle of the show did not disappoint: all seven machine contenders autonomously found, patched and exploited vulnerabilities in the contest’s binaries, “skills” normally found only in experienced human security engineers.

The Future is Machine AND Human Security Experts

The future of information security will rely upon both humans and machines, and you can bet that Konsultek will be there. As early adopters of the most cutting edge security technologies, Konsultek’s team of engineers has been and will continue to be at the forefront of security. We look forward to serving you in 2017 and beyond!

© Copyright 2018 Konsultek