Month: March 2017
By: Tara Seals US/North America News Reporter, Infosecurity Magazine
It’s tax season again, the most wonderful time of the year for the US government, and taxpayer attitudes about identity theft are leaving much of the public vulnerable.
In its second annual Tax Season Risk Report, CyberScout found that most Americans (58%) are not worried about tax fraud, in spite of federal reports of 787,000 confirmed identity theft returns in 2016, totaling more than $4 billion in potential fraud.
Only 35% of taxpayers demand that their preparers use two-factor authentication, which is far more secure than a single password, to protect their clients’ personal information. The majority (56.5%) were not sure whether their preparer would follow this best practice, were not offered it or didn’t require it.
Also, half of all taxpayers (50%) who use a tax service weren’t sure how to evaluate them, chose someone online or didn’t screen them beforehand, leaving the taxpayer vulnerable to scams.
On the at-home front, less than a fifth (18%) use an encrypted USB drive, a secure way to save important documents like tax worksheets, W-2s, 1099s or 1040s. Another 38% either store tax documents on their computer’s hard drive or in the cloud, both approaches that are susceptible to a variety of hacks. And the majority (51%) of taxpayers who expect a refund check in the mail have not taken precautions such as a locked mailbox, putting their check at risk of theft.
More than half (57%) of consumers will file in March, April or later than the April 15 deadline, giving tax fraudsters plenty of time to impersonate them online and steal their refunds.
“We’ve reached an extreme level of cybercrime where identity theft has become the third certainty in life. In tax season, it is crucial that everyone remain vigilant and on high alert to avoid tax related identity theft or phishing schemes,” said Adam Levin, founder and chairman of CyberScout, making a seasonal joke. “Tax season is one of the most common times for identity fraud to take place, making it even more important for consumers to take the proper safety measures.”
One of the safest ways for consumers to file their 2016 tax return is to file online directly with the Internal Revenue Service (IRS). Unfortunately, less than half of taxpayers (48%) rely on and trust online tax services. Nearly a quarter (24%) of respondents do not trust online tax services because they think they are unsafe, a misperception that can lead to exposure.
CyberScout recommends the following techniques for consumers to protect themselves:
Always use long and strong passwords.
Never authenticate yourself to anyone who contacts you online or by phone, since the IRS will never contact you by those methods.
Use direct deposit of refunds into your bank account or a locking mailbox for mailed refunds.
Monitor and protect your accounts and elements of your personal identity online and in social media. It’s easy for hackers to figure out answers to security questions from social media.
“In order to reduce the risk of becoming a tax identity theft victim, consumers need to follow the 3Ms: Minimize their risk of exposure, monitor your accounts and your personal identity, and know how to manage the damage,” noted Levin. “If the worst happens, victims of identity theft should turn to organizations they trust, including their insurance provider, financial services institution, or the HR department of their employer, who offer low-cost or free cyber-protection services to protect and restore stolen identities.”
Spam sucks. But as Information Age stated, scammers love it — mostly because it works. Despite increasing awareness of spam email campaigns, attackers still find success, especially during popular holidays or in the wake of news-making headlines about data compromise or security failures.
But thanks to some bad data backup techniques, one prolific spammer group known as River City Media (RCM) compromised their own servers and let security researchers grab an inside look at day-to-day scam operations.
CSO Online explained that security pros are familiar with RCM — the company bills itself as a legitimate marketing agency, but at one point was sending out more than 1 billion emails per day in an effort to grab and leverage consumer email addresses and personal data. The company uses a number of methods to obtain this information, including CoReg, which sees users signing up for a notification service or email newsletter and then having their address shared — without permission — among spam producers.
RCM also leveraged warm-up accounts, which are email addresses owned by the company that won’t report its chain of spam emails. Once they’ve sent enough messages, legitimate email service providers or affiliate programs mark them as “not spam” and provide access to the internet at large.
Another tactic? Aged domains. These older senders are naturally more trustworthy than newly created email addresses, making it easier to slip spam past filters.
To achieve their billions-of-emails-per-day mark, RCM also used a type of Slowloris attack. They opened multiple connections with a Gmail server and then sent fragmented response packets very slowly, all while requesting new connections. This stressed the server without disabling it, making the activity look like something other than a spam run.
Just Desserts for Poor Data Backup
As Computerworld noted, somebody at RCM forgot to properly lock down their data backup, in turn allowing MacKeeper security researcher Chris Vickery to infiltrate their servers and see exactly how they do business. The result was evidence of nearly 1.4 billion compromised email accounts tied to real names, IPs and even physical addresses.
Vickery discovered that despite the company only employing around a dozen people, it managed to leverage a combination of “automation, years of research and a fair bit of illegal hacking techniques” to blast out billions of emails, Computerworld reported.
In a bit of poetic justice, RCM frontman Alvin Slocombe sent out an internal email in February asking staff to change their Skype and HipChat passwords for fear that the company had been hacked. Instead, someone improperly configured their Rsync server and made it possible for Vickery to walk right in and look around.
It’s a rare case of things going right for the good guys, but it’s also a wake-up call: With fewer than 20 people, RCM managed to rank in the top 10 on the Register of Known Spam Operations (ROKSO) database maintained by Spamhaus. The company also used a variety of techniques to keep consumers on the hook and generate new leads.
The takeaway for companies and consumers? Don’t underestimate the power of spam. While scam operators are prone to mistakes just like everyday users, they’ve got the advantage with easy access to share, compromise and continually blast email addresses worldwide. A look behind the curtain reveals both sound and fury and it makes it patently obvious: Email remains the key battleground for solid network security.
Most hackers claim they can break target systems in under 12 hours.
It also takes less than a day in total to finish the job and steal valuable data.
According to new research, the majority of hackers claim they can break through cybersecurity defenses and infiltrate their target’s systems within hours.
At ITG, we provide your business with a comprehensive network security audit that outlines potential vulnerabilities. Our approach provides your company with an outline of potential security threats, and addresses security risks pertinent to your business.
In a confidential survey of 70 professional hackers and penetration testers conducted at the DEFCON conference this year in Las Vegas, Nevada, 17 percent of hackers claimed it would take them no longer than two hours to breach a target. More than half of the respondents said they changed their tactics with every target, but traditional countermeasures such as firewalls and antivirus programs rarely proved to be a barrier. However, when it comes to endpoint security, modern solutions are considered a more effective way of preventing attacks.
ITG provides modern solutions and will help you deal with these potential intruders. Our external and internal scans evaluate your company’s ability to protect its network infrastructure, applications, endpoints and users from any network security breach. We use comprehensive intrusion detection services that provide your business with an effective means of anticipating emerging security risks and preventing unauthorized access to critical systems and valuable information.
Consider this: Almost two-thirds of hackers, 65 percent in total, said their biggest frustration is that most organizations did not bother to fix the vulnerabilities and security weaknesses they discovered. Isn’t it time you addressed your network vulnerabilities? Contact ITG for a free assessment 518.479.3881 or email@example.com.
We have the network security expertise to help you plan, install, optimize and manage the complex network infrastructure that enables your critical business applications.
As the FBI has been expanding and retooling its approach to cyber investigations, Director James Comey stresses need for CISOs to engage with the bureau.
By Kenneth Corbin, Freelance Writer, CIO | MAR 9, 2017 6:21 AM PT
CHESTNUT HILL, Mass. — FBI Director James Comey has tough words for private sector firms that won’t engage with federal law enforcement authorities on cybersecurity, an area where the bureau has been dramatically expanding its investigation and prosecution efforts.
In a keynote address at a cybersecurity conference at Boston College, Comey lamented that most incidents of intrusion and attacks against U.S. businesses go unreported. But when a victim does report a breach to the FBI, such as the damaging attack against Sony in 2014 that was attributed to North Korea, agents will have a much easier time investigating and helping businesses mitigate the damage if they are already somewhat familiar with the target’s systems.
FBI chief calls for private sector to help battle cybercrime
“Sony had taken the time to get to know us,” Comey said, describing a rapid response to that incident where agents with a baseline familiarity with Sony’s systems could hit the ground running.
“If you are the chief information security officer [CISO] of a private enterprise, and you don’t know someone at every single FBI office where you have a significant facility, you’re not doing your job. Know that you’re pushing on an open door,” Comey said. “We’re not looking to know your private information, but we need to know you in a way so we can help you in a difficult circumstance.”
Comey described a multi-pronged initiative underway at the FBI to crack down on cybercrimes that involves recruiting and hiring more cyber experts, improving engagement with outside partners — including the private sector — and rethinking the bureau’s traditional approach to working cases. The bureau is also working to bolster deterrence, both by hardening systems that might be targeted and by winning convictions in more criminal cases.
Comey also indicated that he intends to serve out the remaining 6 1/2 years of his term, despite speculation that he might step down amid tensions with the White House.
He did not address his reported request for the Justice Department to issue a statement refuting President Trump’s assertion that his campaign had been wiretapped by former President Obama, nor the unfolding probe into Russian hacking of political targets during the election. Comey participated in a brief question-and-answer session with audience members following his keynote address, but did not take questions from reporters.
A spectrum of threats, an ‘evil layer cake’
He did offer that nation-states comprise the most dangerous enemies in the “stack” of cyber adversaries, followed by multi-national hacking syndicates, insider threats, hacktivists and terrorists, the least menacing element of what Comey calls “an evil layer cake.”
“The reason I put them at the bottom of the stack is that terrorists are adept at using the internet to communicate, to recruit, to proselytize, but they have not yet turned to using the internet as a tool of destruction in the way that logic tells us certainly will come in the future,” Comey said.
Regardless of what type of actor initiates the attack, the FBI is looking at cyber events in a fundamentally different way than conventional crimes that have a clear physical location. If a pedophile is under investigation for crimes in San Francisco, say, the San Francisco field office of the FBI would handle the case. Not so with cyber. Comey said that the bureau is assigning those cases, where the perpetrators could be up the street or halfway around the world, to the field offices that best demonstrate “the chops” to handle specific cyber investigations. So even if a bank in New York was the victim of a cyberattack, the field office in Little Rock, Ark., potentially could take the lead on the case, with support from other offices that might need to conduct investigative work on the physical premises.
“Whichever field office has demonstrated the best ability on that, we’re going to give it to that field office,” Comey said. “This has a not-unintended consequence of creating competition within the FBI.”
Private sector has edge for hiring top cyber talent, money
In addition to reorienting the bureau’s internal approach, Comey said that the FBI is trying to step up its recruiting efforts to bring in the next wave of cyber experts, though he acknowledges that competing with the private sector for top talent is a perennial challenge.
“Here’s the challenge we face: we cannot compete with you on dough,” Comey said. “The pitch we make to people is come be part of this mission. Come be part of something that is really hard, that is really stressful, that does not pay a lot of money, that does not offer you a lot of sleep. How awesome does that sound? The good news is there’s a whole lot of people — young people — who want to be part of that kind of mission, who want to be part of doing good for a living.”
But the difficulties in winning over converts to the bureau’s mission are also tied up in a deeper problem, the same perception of the government as an adversary — or at least something to be avoided — that has clouded relations with some in the private sector.
Comey wants to dispel the notion of the FBI as “the man,” in the Big Brother sense.
“We have to get better at working with the private sector,” he said, decrying firms that are subject to a ransomware attack who opt to pay the ransom and enlist a security consultant to help clean up the mess without alerting law-enforcement authorities.
“That is a terrible place to be,” he said. “It is a great thing to hire the excellent private-sector companies that are available to do attribution and remediation, but if the information is not shared with us, we will all be sorry. Because you’re kidding yourself if you think I’ll just remediate this thing and it will go away, because it will never go away.”
Paying ransoms, he argues, only emboldens the criminals, and keeping details of the breach in-house hinders law-enforcement authorities from tracking down the perpetrators.
Plea to tech companies to resist outfitting products with unbreakable, default encryption
Comey put in another plug for tech companies to resist the impulse to outfit their products with unbreakable, default encryption, recalling the highly publicized showdown between the FBI and Apple. He called on all parties in the debate to resist the urge to resort to “bumper-stickering” the other side, and rejected the suggestion of an inherent tradeoff between privacy and security as a false choice.
“It is short-sighted to conclude that our interests are not aligned in this,” he said. “We all value privacy. We all value security. We should never have to sacrifice one for the other.”