Feb 28 2011

Does hacker insurance make your business a bigger liability?

Category: Cyber InsuranceDISC @ 11:44 am

by Davey Winder

It’s a scenario that every small online business fears: site security is compromised, hackers steal customer data including credit-card details, and your brand and your reputation are left in ruins. No wonder then, that many small online businesses are looking to insure against hackers and the resulting financial impact of a security breach. But is insurance really the answer and could it even be part of the problem?

The insurance brokers are, naturally, presenting such insurance as pure common sense. A chap who works in the insurance business used car insurance as a counter argument to my suggestion that surely the best IT security insurance policy was to remain secure in the first place.

“We all appreciate the need for car insurance” he told me. “No matter how careful a driver you may think you are. The simple fact is that you never know when a drunken idiot is going to crash into you”.

The argument being, as with all insurance policies, you are paying a premium to cover you for that worst-case scenario should it ever happen. “When it comes to online security,” Mr Insurance assured me, “the chances of the worst-case scenario becoming a reality are increasing day by day, as criminals develop ever more sophisticated methods of hacking your site. To not insure against the risk of being hacked is bad business, and that’s the bottom line”.

“Unlike driving a car, running a secure web business is pretty much about how safe you are, rather than how unsafe other people are”

To read the reamining article …..

How to manage the gaps of Cyber Insurance

Tags: hacker, Hacking, Insurance, Security, Small business


Jan 06 2010

Automated polls not hack-proof

Category: Information SecurityDISC @ 3:39 pm

6 machines
Image by Valerie Reneé via Flickr

By Andreo Calonzo

The system that will be used in the May 2010 automated elections is not hack-proof, but adequate safeguards are in place to protect the results from hackers, the Commission on Elections (Comelec) assured Wednesday.

“I am not saying that the system cannot be hacked. No system is 100-percent hack-proof. I am just saying that we have made sure that the system will not be hacked,” Comelec spokesperson James Jimenez said.

Jimenez gave the assurance after three government Web sites were hacked in less than two weeks, the latest of which was that of the National Disaster Coordinating Council (NDCC).

Last week, the Web sites of the Department of Health (DOH) and the Department of Social Welfare and Development (DSWD) were also victimized by hackers.

Jimenez said the system to be used in the coming automated elections would operate on a “virtual private network,” making it difficult for hackers to bypass the system’s security mechanisms.

“It’s like trying to rob a house, but you don’t even know where its exact location is,” he said in Filipino.

Jimenez also explained that the “real time” transmission of the results would make hacking more difficult.

“Our machines transmit for only two minutes. That’s too fast. In order to actually decode the data, it will take you something like three years. If you only have two minutes to do it, you do not have enough time,” he said.

But Jimenez conceded that hacking could happen at the municipal level. “The possibility of hacking is greatest at the municipal level, because it is the one most visible to the public.”

He said to prevent this, the poll body would use two other independent servers, one to a central server and another to a server assigned to media groups, accredited citizens’ arm and political parties.

“If you hack the municipal server, and if you hack the municipal server results, you are not hacking the reports of the other servers,” he said.

“If one report is hacked, this doesn’t mean that you have hacked everything. In fact, if one report is hacked, the tampering becomes more evident because there are other reports to contradict it,” he added.

An American company, Systest Laboratories in Colorado, is currently verifying the security and accuracy of the source code to be used in the automated counting machines, according to Comelec commissioner Gregorio Larrazabal. – KBK/RSJ, GMANews.TV

Tags: automated pollling machine, Colorado, Department of Health, Department of Social Welfare and Development, DSWD, hacker, Hacking, National Disaster Coordinating Council, Polling place, Seattle, United States, Voting


Dec 28 2009

Hackers’ attacks rise in volume, sophistication

Category: Information SecurityDISC @ 6:41 pm

digital-hijack


Year in review for online security attacks – 2009 is going to be known as a year of change in tactics of exploitation, rather than creating more new tools in hacker’s community. They are utilizing social media as a tool to exploit and using built-in trust in social media to their advantage. That’s why stealing social media accounts are considered as a treasure trove in hacker’s community to spread malwares (rogue anti-virus) which helps them to steal personal and private information. This perhaps was another reason why social media community was busy in 2009 changing their security and privacy policy on a frequent basis. Do you think, as social media grow, so does the threat to personal and private information?.


At the same time 2009 comes to an end with a bang with an appointment of Howard Schmidt by Obama’s administration as a cybersecurity coordinator. A great choice indeed but why it took them a whole year to make this important decision. This indecision will cost them, no matter how you look at it. Now hopefully the current administration is going to keep the politics aside and take his recommendations seriously to make up for the lost time.

Alejandro Martínez-Cabrera, SF Chronicle

Security experts describe the typical hacker of 2009 as more sophisticated, prolific and craftier than ever. If anything, criminals will be remembered by the sheer number of attacks they unleashed upon the Web.

While the year didn’t see many technological leaps in the techniques hackers employ, they continued to expand their reach to every corner of the Internet by leveraging social media, infiltrating trusted Web sites, and crafting more convincing and tailored scams.

Although there were a handful of firsts – like the first iPhone worm – most attacks in 2009 were near-identical to tactics used in prior years, changing only in the victims they targeted and their level of sophistication.

One of the most preoccupying trends was personalized attacks designed to steal small and medium business owners’ online banking credentials. The scheme was particularly damaging because banks take less responsibility for the monetary losses of businesses than of individual consumers in identity theft cases.

In October, the FBI estimated small and medium businesses have lost at least $40 million to cyber-crime since 2004.

Attacks continued to plague larger organizations. The Wall Street Journal reported on Tuesday that the FBI was investigating the online theft of tens of millions of dollars from Citigroup, which has denied the incident.

Alan Paller, director of research at the SANS Institute, said criminals shifted the focus of their tactics from developing attack techniques to improving the social engineering of their scams.

“It’s not the tools but the skills. That’s a new idea,” he said.

One example is rogue antivirus schemes, which often trick computer users with a fake infection. Criminals then obtain their victims’ credit card information as they pay for a false product, all the while installing the very malicious software they were seeking to repel.

Even though these scams have been around for several years, they have become more a popular tactic among criminals because they pressure potential victims into making on-the-spot decisions.

“People have been told to look out for viruses and want to do the right thing. There’s security awareness now, but the criminals are taking advantage of their limited knowledge,” said Mike Dausin, a researcher with network security firm TippingPoint’s DVLabs.

Chester Wisniewski, senior adviser for software security firm Sophos, said social networks also continued to be an important target for attackers. Despite Facebook and Twitter’s efforts to beef up their security, it has become a common tactic for scammers to hijack Facebook accounts and post malicious links on the walls of the victim’s friends or distribute harmful content through tweets.

“We haven’t had this before – a place where all kinds of people go and dump their information, which makes it very valuable for criminals,” Wisniewski said. “It’s kind of a gold mine for identity thieves to get on people’s Facebook account.”

Using PDFs
Another common ploy was malicious software that piggybacked on common third-party applications like Adobe PDFs and Flash animations.

Although Adobe scrambled this year to improve its software update procedures and roll out patches more frequently, criminals have increasingly exploited the coding flaws in Adobe products in particular because of their ubiquity and the abundance of vulnerable old code, said Roel Schouwenberg, senior virus analyst at Kaspersky Lab.

By using ad networks or taking advantage of exploitable Web programming errors to insert malicious content, criminals cemented their presence in legitimate Web sites and made 2009, according to anti-malware firm Dasient, the year of the “drive-by download,” in which users only have to visit a compromised Web site to become infected.

An October report from the San Jose company estimated that 640,000 legitimate Web sites became infected in the third quarter of 2009, compared with 120,000 infected sites during the same period of 2008.

Damaging reputations
The trend was not only a security threat for consumers, but also stood to damage the reputation and traffic of the victimized Web sites. In September, a fake antivirus pop-up made its way into the New York Times’ Web site by infiltrating the company’s ad network.

Researchers also noted a high volume of attacks disguised as content related to popular news items – anything from Michael Jackson to the swine flu – to coax Web users into downloading malicious content. This closing year also saw a handful of notorious politically motivated online attacks, and the issue of national cybersecurity continued to gain prominence.

On Dec. 18, Twitter’s home page was defaced by hackers calling themselves the “Iranian Cyber Army,” although authorities said there was no evidence they were in fact connected to Iran. An August attack on a Georgian blogger also indirectly affected the popular microblogging site and brought it down for several hours.

In July, several U.S. and South Korean government Web sites went offline after being hit by a denial-of-service attack that South Korea has attributed to a North Korean ministry. U.S. defense officials revealed in April that hackers have stolen thousands of files on one of the military’s most advanced fighter aircrafts.

“Now it’s in the agenda of every government to pay attention to the cyberworld,” Schouwenberg said.

Security coordinator
On Tuesday, the White House announced the appointment of Howard A. Schmidt as the Obama administration’s new cybersecurity coordinator. Schmidt occupied a similar post under the Bush administration.

Even though crime continued to evolve into a more organized and compartmentalized operation this year, experts believe a new White House administration conscientious of threats and partnerships between law enforcement agencies and security firms offer encouraging signs for next year.

An example is the Conficker Work Group, an international industry coalition that joined to mitigate the spread of the Conficker worm. The group also collaborates with law enforcement agencies by providing them with forensic information.

“It’s the first time I’ve seen such partnership between countries. Typically it’s the Wild West and nobody is in charge of anything. Now it’s clear there’s a lot more international collaboration,” Dausin said.

Tags: antivirus, cybersecurity coordinator, Denial-of-service attack, facebook, hacker, howard schmidt, Identity Theft, iPhone, Law enforcement agency, Malware, Michael Jackson, South Korea, Twitter


Dec 04 2009

Five ways to lose your identity

Category: Identity TheftDISC @ 2:42 pm

beconstructive12

By Jaikumar Vijayan
The rush by shoppers to the Web makes the season a great time for online retailers. It’s also a great time for hackers looking to steal data and money from the unwary millions expected to search for great deals online.

Checkout huge savings on Today’s Hot Deals on Information Security Solutions for the holidays

The growth of holiday hackers has annually prompted security analysts, identity theft awareness groups, and various government agencies to come up with lists of precautions that consumers can take to avoid becoming a victim of online fraud. Such lists can prove a benefit to consumers, but unfortunately some people ignore it.

Below are the identity theft awareness tips which can help maximize your exposure to online fraud.

Tip No. 1: Open all attachments from strangers and click on all embedded links in such e-mail messages. Such actions remain one of the most effective ways to provide thieves with personal information and financial data. All a hacker needs to do is find computer users who instinctively open e-mail messages from strangers, even those who write in a foreign language. The action can open the door to keystroke loggers, rootkits, or Trojan horse programs. Crooks can also easily install backdoors to easily steal data without attracting any attention. Once installed, hackers gain unfettered access to personal data and can even remotely control and administer systems from anywhere.

Tip No. 2: Respond to Dr. (Mrs.) Mariam Abacha, whose name is used by many hackers who say they have close friends and relatives in Nigeria who have recently been widowed or deposed in a military coup and need your help to get their millions of dollars out of the country. Users are told they will undoubtedly be rewarded for helping to get their “well-packed trunk boxes” full of cash out of Nigeria. And to make sure to provide bank account information, login credentials, date of birth, and mother’s maiden name so that they can wire the reward directly into a checking account in time for the holidays.

Tip No. 3: Install a peer-to-peer file-sharing client on your PC and configure it so all files, including bank account, Social Security, and credit card numbers, along with copies of mortgage and tax return documents, are easily available to anyone on the same P2P network. Your personal data will stream over the Internet while you check out what songs you can download for free without getting sued by the RIAA.

Tip No. 4: Come up with passwords that are easy to crack. It saves hackers from spending too much time and effort trying to access your PC. Clever sequences such as “123456” and “abcdef” and your firstname.lastname all make fine, easy-to-remember default passwords for you and for hackers. For maximum exposure, keep passwords short, don’t mix alphabets and numerals, and use the same password for all accounts.

Tip No. 5: Avoid installing the latest anti-malware tools and security updates. Keeping operating systems properly patched and anti-virus and anti-spyware tools updated make life hard for hackers. Users can help them out by making sure their anti-virus software and anti-spyware tools are at least 18 months out of date or by not using them at all. Either way, it’s very likely that your computer will be infected with a full spectrum of malware.

For additional tips on how to shop securely on Christmas and holidays season:
How to shop safely online this Christmas
Identity theft tip-off countermeasure and consequence | DISC

Please comment below regarding any other new and emerging threat which needs to be addressed during holiday’s season?

Reblog this post [with Zemanta]

Tags: antivirus, Christmas and holiday season, Computer security, Credit card, File sharing, hacker, Identity Theft, Malicious Software, Malware, Online shopping, Personal computer, Security, shop safely, shop securely, Spyware, threats, trojan, Trojan horse


Nov 30 2009

Hackers steal credit-card numbers from restaurant customers

Category: pci dss,Security BreachDISC @ 2:44 am


Here we have another unnecessary credit card data breach in a small organization which resulted in a loss of customers data demonstrating poor baseline security of small organization in this case a restaurant. Small organizations are not ready for PCI Compliance. Checkout why PCI Compliance is essential and why small merchants have to comply. Review my threats page and evaluate your current business and system risks to make sure this does not happen to you.

Contact DISC for any question

By Theodore Decker
THE COLUMBUS DISPATCH

Diners who frequent a popular Downtown restaurant should review their charge-card statements because hackers broke into its computer system to loot debit- and credit-card numbers, police said today.

Between 30 and 50 people have reported fraudulent charges on their accounts, and Columbus detectives said that anyone who used a charge card at Tip Top Kitchen and Cocktails in July or August is at risk.

Detective Wyatt Wilson of the Columbus police fraud/forgery unit said police began linking reports of credit-card fraud in October. Cross-checking the victims’ accounts revealed Tip Top, which is on E. Gay Street, as a common denominator, he said.

The hackers have been traced to an overseas Internet address, and no Tip Top employees are involved, police said. Wilson said the business was as much a victim as its customers were.

The hackers found a weak point in the restaurant’s computer defenses, wormed their way in, and installed “malware” that stripped the numbers, he said.

The restaurant has fixed the problem, but customers who charged anything there in July or August should contact their credit-card companies or banks, cancel their cards and get new ones, even if they haven’t been victimized yet, police said.

New fraud reports have rolled in periodically until a few days ago, Wilson said, indicating that the card numbers are still in criminal circulation.

Elizabeth Lessner, the restaurant’s owner, said she has been told by investigators that the breach might have been the work of high-level hackers in Russia, and she wondered whether it was connected to a global case that surfaced this year.


Most of the small companies have trouble justifying their investments when it comes to security. At the same time PCI DSS for the “brick & mortar” merchants have been a blessing for security firms who sell hardware solutions to small merchants. The problem is these hardware point solution does not address the business issues of a small merchant on daily basis.
This is why small merchants need to build a security program and the in-house expertise with training and help of outside consultant to understand business issues related to information security clearly. You mature this process over time with an ongoing effort and full management support.
Do you think it’s time for small merchants to take information security seriously as a business limiting risk?

Prevent and Protect from Credit Card Fraud and Scams

httpv://www.youtube.com/watch?v=YS_jCET-YFA&feature=related

Reblog this post [with Zemanta]

Tags: Banking Services, Business, Credit card, crime, Financial services, fraud, hacker, Information Security, Malware, Payment Card Industry Data Security Standard, Point of sale, Police, Security


Oct 23 2009

‘China using elite hacker community to build cyber warfare capability’

Category: CybercrimeDISC @ 4:44 pm

The Hacker Files
Image via Wikipedia

Hacking: The Art of Exploitation

London, Oct 23 (ANI): The Communist regime in China with the help of a elite hacker community is building its cyber warfare capabilities and appears to be using a long-term computer attack campaign to collect US intelligence.

An independent study released by a congressional advisory panel found cases that suggested that China’s elite hacker community has ties to Beijing, although there is no substantial proof.

The commission report details a cyber attack against a US company several years ago that appeared to either originate in or came through China and was similar to other incidents also believed to be connected to that country, The Telegraph reports.

The data from company’s network was being sent to multiple computers in the US and overseas, according to an analysis done by the company over several days.

The report contends that the attackers targeted specific data, suggesting a very coordinated and sophisticated operation by people who had the expertise to use the high-tech information.

An Internet Protocol (IP) address located in China was used at times during the episode, the paper reports.

The Chinese Government is said to view such cyber prowess as critical for victory in future conflicts, similar to the priority on offensive cyber abilities stressed by some US officials.

Potential Chinese targets in the US would likely include Pentagon networks and databases to disrupt command and control communications, and possibly corrupt encrypted data, the report says. (ANI)

Reblog this post [with Zemanta]

Tags: chinese hacker, cyberwarfare, elite hacker, hacker, hacker files, uber hacker


Oct 17 2008

SmartPhone and Security

Category: Information Security,Smart PhoneDISC @ 1:53 am

Mobile spyware is malicious software which is used to spy and control mobile devices (BlackBerry, PDAs, Windows Mobile and Cell Phones). Mobile spyware will not only intercept the message between two devices but also determine the location of the device. Basically, mobile spyware software is installed on a mobile device to spy on them.

Small businesses are usually not equipped to handle these threats. Just like laptops and desktops – mobile devices need security controls like antivirus, personal firewall, encryption and VPN to provide needed level of protection. Small businesses need to be aware of the security threats, like they might think that they are installing a game, which might very well be a key logger (logs your key strokes) or trojan software.

[TABLE=6]

Hackers on the move, WSJ August 11, 2008 by Roger Cheng – where he writes about more companies are letting employees use their personal smart phone at work and the security experts warns about the present threats in the industry. http://online.wsj.com/article/SB121803418845416977.html

Tips to safeguard your smartphone
httpv://www.youtube.com/watch?v=S64J4BCCoi4


(Free Two-Day Shipping from Amazon Prime). Great books

Tags: antivirus, encryption, hacker, intercept, key logger, malicious, mobile phone, mobile spyware, personal firewall, roger cheng, security controls, security expert, spy, threats, trojan, vpn, wsj