Hole in the Cloud Service Bucket: Dow Jones Data Exposed

But many organizations inadvertently misconfigure their buckets to allow “public” or semi-public access, which can result in data being exposed.
On Sunday, Dow Jones said that about 2.2 million customers’ details were exposed due to an Amazon S3 bucket misconfiguration. “We were made aware that certain Dow Jones/WSJ subscriber and Risk & Compliance content was over-exposed on Amazon Cloud (not the open internet),” a Dow Jones spokeswoman tells Information Security Media Group.
Amazon says that by default, however, data stored using AWS is only accessible to the account holder.
Verizon, Others, Also Cite User Error
Vickery continues to discover firms that have failed to lock down their buckets by using tools developed by UpGuard that are designed to guess internet addresses of exposed data.
Last week, Verizon blamed user error for a misconfiguration problem that resulted in a public-facing bucket exposing data for between 6 million and 14 million Verizon customers.
In April, discount brokerage firm Scottrade blamed the AWS S3 bucket exposure of 20,000 customers’ details on user error.
In a statement, Scottrade said that one of its third-party vendors, Genpact, “uploaded a data set to one of its cloud servers that did not have all security protocols in place,” thus leaving it exposed.
Long-Standing Problem
Back in 2013, researchers at security firm Rapid7 reviewed 12,328 Amazon S3 buckets and found that 1,951 of them – 15 percent – were publicly accessible.
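The misconfiguration behind each of these incidents lives in one of two places: the bucket's access control list or its bucket policy. The Python check below is an added example and is not code from Dow Jones, Amazon, UpGuard or Rapid7. It parses a bucket policy document and an ACL (assumed to be in the shape the S3 GetBucketAcl API returns; nothing is fetched from AWS) and reports any Allow statement for a wildcard principal and any ACL grant to the AllUsers or AuthenticatedUsers groups, which are the grants that make a bucket reachable beyond the account holder. The sample policies and ACLs are constructed.

```python
import json

# S3 group URIs meaning "anyone on the internet" and "any AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}


def _as_list(value):
    """Policy elements may be a single string/object or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _principals(principal):
    """Flatten a statement's Principal element into the set of principal strings."""
    if isinstance(principal, str):
        return {principal}
    found = set()
    for value in principal.values():  # e.g. {"AWS": "*"} or {"AWS": ["arn...", ...]}
        found.update(_as_list(value))
    return found


def public_statements(policy_document):
    """Return Allow statements whose Principal is the wildcard '*'.

    Each finding records the granted actions and whether a Condition block
    narrows the grant; a conditional wildcard still deserves manual review.
    """
    policy = json.loads(policy_document)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal", {})):
            continue
        findings.append({
            "Sid": stmt.get("Sid"),
            "Action": _as_list(stmt.get("Action")),
            "Conditional": "Condition" in stmt,
        })
    return findings


def public_acl_grants(acl):
    """Return (group, permission) pairs the ACL grants to the public groups.

    `acl` is assumed to have the GetBucketAcl response shape:
    {"Grants": [{"Grantee": {"Type": "Group", "URI": ...}, "Permission": "READ"}]}
    """
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((grantee["URI"].rsplit("/", 1)[1], grant["Permission"]))
    return hits


def audit_bucket(policy_document, acl):
    """Combine both checks into human-readable findings; an empty list means private."""
    findings = []
    for s in public_statements(policy_document):
        qualifier = " (conditional)" if s["Conditional"] else ""
        findings.append(f"policy {s['Sid']}: {', '.join(s['Action'])} to everyone{qualifier}")
    for group, perm in public_acl_grants(acl):
        findings.append(f"ACL: {perm} granted to {group}")
    return findings


# Constructed sample inputs (not real bucket data); 111122223333 is a placeholder account id.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})
TIGHT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OwnerOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})
OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
PRIVATE_ACL = {"Grants": [OPEN_ACL["Grants"][0]]}

if __name__ == "__main__":
    for name, policy, acl in (("open", OPEN_POLICY, OPEN_ACL), ("tight", TIGHT_POLICY, PRIVATE_ACL)):
        print(name, audit_bucket(policy, acl) or ["no public access found"])
```

Run against real buckets, the policy document and ACL would come from the account's own API calls; the two functions are deliberately separated because a bucket with a private ACL can still be wide open through its policy, and vice versa.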

Think Tank: Is AI the Future of E-commerce Fraud Prevention?

There’s a lot of debate about what Artificial Intelligence really means, and how we should feel about it.
As Gartner says in “A Framework for Applying AI in the Enterprise,” “The artificial intelligence acronym ‘AI’ might more appropriately stand for ‘amazing innovations’ that do what we thought technology couldn’t do.” One way and another, we’re talking about “smart machines” — machines that are trained on existing, historical data, and use that to make accurate deductions or predictions about examples with which they’re presented.
2) Personalization: The experience can be tailored to each customer in ways that were not an option when companies had to configure/design the experience for everyone at once (or maybe have a few versions based on geographies).
All of this makes me unpopular with e-commerce fraud prevention systems.
I was a fraud prevention analyst myself, back in the time before AI was an option.
I know exactly how hard these transactions are to get right, from the human perspective.
I know how long it can take to review a transaction, and that as an analyst the tendency is always to play it safe — even if that means sending a good customer away.
AI is the future of e-commerce fraud prevention.
It brings scale, accuracy and adaptivity to improve customer experience, block fraud and increase sales.
Better fraud prevention is about to become standard.

Bad Code Library Triggers Devil’s Ivy Vulnerability in Millions of IoT Devices

The vulnerability, dubbed Devil’s Ivy, was identified by researchers at Senrio, who singled out high-end security cameras manufactured by Axis Communications.
Those companies are part of the ONVIF Forum, an unofficial international consortium of hardware vendors.
Researchers believe bad code used in a software library responsible for the bug originated from the ONVIF Forum, which is responsible for maintaining software and networking protocols used by members.
Next, researchers say, the adversary can send a specially crafted payload of data that allows a remote unauthenticated user to execute code on vulnerable devices.
“The attacker then sends the specially crafted payload that triggers the buffer stack overflow which leads to custom code execution,” said M. Carlton, VP of research with Senrio, in an interview with Threatpost.
“With some other security devices and other general applications of gSOAP it may not be as big of a problem,” Tanji said.
A scan of the internet using Shodan had revealed 14,700 of Axis’s cameras vulnerable to Devil’s Ivy.
Senrio recommends patching, but also keeping security devices off the public internet and behind a firewall.
However, security experts have long warned the amount of insecure software tied to reused third-party libraries is staggering.

VA Makes Progress on Improving Cybersecurity, but More Work Lies Ahead

For the 18th year in a row, the VA could not avoid having cybersecurity designated a material weakness, but a recent inspector general’s report details how the department has made clear and significant progress on improving its security posture.
“VA has made progress developing policies and procedures but still faces challenges implementing components of its agencywide information security continuous monitoring and risk management program to meet” the requirements of the Federal Information Security Modernization Act (FISMA) of 2014, the report from the VA’s Office of Inspector General states.
The VA says it has made progress on all of the recommendations and is asking the IG’s office to close 18 of them, Federal News Radio reports.
Additionally, the VA has continued to put in place IT governance, risk, and compliance tools to improve processes for assessing, authorizing, and monitoring the security posture of VA systems.
The agency has also put in place an enhanced audit log collection and analysis tool, the report notes.
“VA also needs to continue to address deficiencies that exist within access and configuration management controls across all facilities.”
More Security Progress Is Needed at VA
Despite the progress, the report still found “continuing significant deficiencies related to access controls, configuration management controls, continuous monitoring controls, and service continuity practices designed to protect mission-critical systems.” VA has not fully put in place security standards on all servers, databases, and network devices, resulting in weaknesses in access and configuration management controls, the report found.
VA Deputy Inspector General Linda Halliday told Federal News Radio that her office will continue to review the department’s progress in improving its cybersecurity.
“When the OIG receives evidence of appropriate corrective action, we will generally close that recommendation,” she said.
“As VA provides documentation to support the corrective actions taken on any recommendation, we will review it and make the determination on whether we can close that recommendation.
Further, we continue to assess VA’s progress in implementing corrective actions and their ability to sustain improvements impacting VA information security posture during our annual FISMA review in the following year.”

A beginner’s guide to the dark web

Here’s a quick guide to the deep web, the dark web, and what you’ll find when you get there.
What is the dark web?
There are basically three parts to the world wide web: surface web, deep web, and dark web.
The surface web is everything that’s publicly available and accessible through search or typing a URL into your browser.
The dark web, however, is a totally different beast—a tiny fraction of the web that is only accessible through specialized software such as the Tor browser.
Who uses the dark web?
The website was shut down in 2013 and its founder is serving a life sentence in prison.
The most famous tool to get on the dark web is the Tor browser.
These are websites that are exclusively available on the dark web and can’t be accessed through normal browsers.
Tor enables you to access all the other surface and deep websites with the added benefit that it anonymizes your browser traffic by encrypting it and deflecting it across several computers—called Tor nodes—before sending it to its destination.

Bank Heists Possible Due To Flawed Code

The most common vulnerabilities relate to flaws in mechanisms for identification, authentication, and authorization of users, with two in three remote banking applications vulnerable to brute force attacks.
Applications developed by third party vendors had on average twice as many vulnerabilities as applications developed in-house.
33% of online banking applications had vulnerabilities that made it possible to steal money, and in 27% of applications, an attacker could access sensitive client information.
Mobile banking applications also have issues: in one in three apps, an attacker could intercept or brute force user credentials.
Two thirds of the vulnerabilities found within automated banking systems were critical, some even allowing administrative server access.
With this level of access, an attacker could conduct fraudulent transactions yet remain unnoticed.
The possibilities for such fraudulent transactions are practically limitless: attackers could create new accounts, change their balance, or create counterfeit payment transfers to other institutions.
Vulnerabilities in source code can be avoided at the development stage.
Positive Technologies is a leading provider of vulnerability assessment, compliance management and threat analysis solutions to more than 1,000 global enterprise clients.
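The brute force finding above is the one most directly fixed at the development stage. The Python module below is an added example, not code from Positive Technologies or from any of the applications studied; it shows the server-side throttling a login endpoint needs so that guessing is bounded both per account and per source address, together with a constant-time password comparison against a stored PBKDF2 hash. The thresholds, the user database, the salt and the 203.0.113.x addresses are constructed for the demo; the clock is injectable so the lockout can be exercised without waiting.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Demo policy: five failures inside a 15-minute window lock the key for 15 minutes.
MAX_FAILURES = 5
WINDOW_SECONDS = 15 * 60
LOCKOUT_SECONDS = 15 * 60


def hash_password(password, salt):
    """Slow, salted hash for storage; PBKDF2 from the standard library keeps this self-contained."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> password hash. Never store plaintext passwords.
SALT = b"constructed-demo-salt"
PASSWORD = "correct horse battery staple"
USERS = {"alice": hash_password(PASSWORD, SALT)}
DUMMY_HASH = hash_password("dummy", SALT)  # compared for unknown users so timing does not leak names


class LoginGuard:
    """Counts recent failures per key (account or source address) and locks a key that trips."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(list)  # key -> timestamps of recent failures
        self.locked_until = {}             # key -> time at which the lock expires

    def is_blocked(self, key):
        return self.clock() < self.locked_until.get(key, 0)

    def record_failure(self, key):
        now = self.clock()
        recent = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            recent = []
        self.failures[key] = recent

    def record_success(self, key):
        self.failures.pop(key, None)


def attempt_login(guard, users, username, password, source_ip):
    """Return 'ok', 'denied' or 'locked'.

    Both the account and the source address are throttled, so neither repeated
    guesses at one account nor a spray across many accounts from one address
    can run unbounded.
    """
    account_key, source_key = f"user:{username}", f"ip:{source_ip}"
    if guard.is_blocked(account_key) or guard.is_blocked(source_key):
        return "locked"
    stored = users.get(username, DUMMY_HASH)
    matches = hmac.compare_digest(hash_password(password, SALT), stored)
    if matches and username in users:
        guard.record_success(account_key)
        return "ok"
    guard.record_failure(account_key)
    guard.record_failure(source_key)
    return "denied"


class FakeClock:
    """Manually advanced clock so lockout expiry can be demonstrated without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    """Six wrong guesses, then the right password while locked, then after the lock expires."""
    clock = FakeClock()
    guard = LoginGuard(clock)
    ip = "203.0.113.5"
    outcomes = [attempt_login(guard, USERS, "alice", "wrong", ip) for _ in range(6)]
    outcomes.append(attempt_login(guard, USERS, "alice", PASSWORD, ip))
    clock.t += LOCKOUT_SECONDS + 1
    outcomes.append(attempt_login(guard, USERS, "alice", PASSWORD, ip))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The fifth wrong guess is still reported as "denied" but trips the lock, so the sixth attempt and the correct password that follows both come back "locked" until the window passes. Locking on the source address as well as the account is what stops the credential-spraying variant in which each account only ever sees one or two guesses.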

These 10 US states have the highest rate of malware infections in the country

Does where you live have anything to do with how likely you are to experience a malware attack?
A new look at more than 1.5 million malware infections in the US compares rates of infection for the first six months of 2017—and found significant differences across the 50 states.
Computer users in New Hampshire are most at risk—its rate of malware infections was 201% higher than the national average—according to the report, released by Enigma Software Group (ESG), who, it should be noted, make anti-malware programs.
Here are the 10 US states with the highest malware rates, and the percentage by which each exceeds the national average:
New Hampshire (201%)
Colorado (143%)
Virginia (80%)
New Jersey (64%)
Oregon (25%)
New York (24%)
Montana (24%)
Missouri (23%)
Arizona (18%)
Maine (17%)
The report looks at several forms of malware, including adware, rogue anti-spyware, ransomware—which, although highly damaging, only accounted for 1% of malicious programs in 2016, according to a recent report—and nuisance-ware, which is not as severe as other malware, but can impede workplace productivity by installing unwanted programs and slowing down computer speeds.
Some general trends emerge from the report.
The good news?
Overall, malware infections have dropped every month since the beginning of the year, with infections in June 2017 31% lower than in January.
“Regardless of where you live, it’s always important to stay vigilant for infections all the time,” said ESG spokesperson Ryan Gerding in a press release.

Watch Hackers Take Over a Segway With Someone On It

But when Kilbride investigated the security behind those features, he found vulnerabilities that an attacker could exploit to bypass the hoverboard’s safety protections from afar, and take control of the device.
“I was surprised that the exploits were as accessible as they were.”
Easy Access
The Segway MiniPro app uses Bluetooth to connect to the vehicle itself.
While analyzing the communication between the app and the Segway scooter itself, Kilbride noticed that a user PIN meant to protect the Bluetooth communication from unauthorized access wasn’t being used for authentication at every level of the system.
He also discovered that the hoverboard’s software update platform didn’t have a mechanism in place to confirm that firmware updates sent to the device were really from Segway (often called an “integrity check”).
This meant that in addition to sending the scooter commands, an attacker could easily trick the device into installing a malicious firmware update that could override its fundamental programming.
In this way an attacker would be able to nullify built-in safety mechanisms that prevented the app from remote-controlling or shutting off the vehicle while someone was on it. “The app allows you to do things like change LED colors, it allows you to remote-control the hoverboard and also apply firmware updates, which is the interesting part,” Kilbride says.
The GPS feature known as “Rider Nearby” acted as a sort of social platform for finding other MiniPro owners, but it’s easy to see how publicly available, persistent location tracking could be abused.
As part of addressing Kilbride’s findings Segway discontinued the feature.
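The missing "integrity check" on the update path is the finding with the widest consequences, because an unauthenticated image can replace every other protection on the device. The Python model below is an added example, not Segway's or Kilbride's code, of what a device-side update path has to do before it installs anything: authenticate the whole image first, only then parse its header, and refuse downgrades so a previously valid image cannot be replayed. It uses an HMAC with a constructed shared key so it runs on the standard library alone; a shipping product would instead verify a vendor signature with a public key embedded in the device, so the device holds no secret capable of producing a valid image. The image format, the key and the sample payloads are all constructed.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32
MAGIC = b"FWIM"
HEADER = struct.Struct(">4sII")  # magic, version number, payload length

# Constructed demo key. A real device would hold only a public verification key
# and the vendor would sign with the matching private key; a shared-secret HMAC
# stands in here so the example runs without third-party libraries.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def build_image(version, payload, key=DEMO_KEY):
    """Vendor side: header + payload, followed by an authentication tag over both."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_image(image, installed_version, key=DEMO_KEY):
    """Device side. Returns (accepted, reason).

    Order matters: authenticate first, then parse, then apply policy such as
    anti-rollback, so that unauthenticated bytes never reach the parser.
    """
    if len(image) < HEADER.size + TAG_LEN:
        return False, "truncated image"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "authentication failed"
    magic, version, length = HEADER.unpack_from(body)
    if magic != MAGIC or length != len(body) - HEADER.size:
        return False, "malformed header"
    if version <= installed_version:
        return False, "rollback refused"
    return True, "accepted"


class Device:
    """Minimal model of the update path: only verified images change the firmware."""

    def __init__(self, version=3, firmware=b"factory firmware"):
        self.version = version
        self.firmware = firmware

    def apply_update(self, image):
        accepted, reason = verify_image(image, self.version)
        if accepted:
            self.version = HEADER.unpack_from(image)[1]
            self.firmware = image[HEADER.size:-TAG_LEN]
        return accepted, reason


def demo():
    """Tampered, unsigned, genuine and replayed images offered to a version-3 device."""
    genuine = build_image(4, b"updated firmware")
    tampered = bytearray(genuine)
    tampered[HEADER.size] ^= 0x01                    # flip one payload bit; the tag no longer matches
    unsigned = genuine[:-TAG_LEN] + bytes(TAG_LEN)   # same body, no valid tag
    device = Device()
    results = {
        "tampered": device.apply_update(bytes(tampered)),
        "unsigned": device.apply_update(unsigned),
        "genuine": device.apply_update(genuine),
        "replayed": device.apply_update(genuine),    # version 4 again, now a downgrade/replay
    }
    return results, device


if __name__ == "__main__":
    results, device = demo()
    for name, outcome in results.items():
        print(f"{name:9s} -> {outcome}")
    print("device now at version", device.version)
```

Note that the tampered and unsigned images are rejected before the header is ever parsed, which is the property that keeps a malformed or malicious image from reaching code that trusts its contents; the rollback check is what stops an attacker who has captured a genuine older image from reinstalling it.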

Rona customer victim of credit card fraud says retailer should have called police

With her full name, address and credit card number in the hands of the man, she said she and the employee quickly realized it was a theft.
“They said that they didn’t want their staff to be in harm’s way, they had to protect their staff but I didn’t ask them to do anything with the perpetrator, just to call the police.”
A Rona spokesperson said the retail giant is still gathering details to confirm the facts, but told CityNews proper protocol was followed that night when the employee immediately cancelled the order after speaking with Suzanne, and advised her to report the incident.

Information Security Management System: How to Know When You Need One

Information security management systems are essential for Australian businesses of all sizes to meet diversifying security challenges.
If you are part of this 29% of vulnerable organisations, your business must consider implementing an information security management system that includes formalised information security policies.
If your business does not have any established security policies, including a staff education program, your company is at risk of data loss.
In January, Prime Minister Malcolm Turnbull stated in relation to new measures to protect Australian cyber security, that “awareness is the most important first step.” Financial institutions, telecommunication companies, hospitals, health centres, and governmental bodies, or any other businesses that are required to protect sensitive or personal data, must address information security with the utmost importance.
However, even the retail industry holds large customer databases, which can cause irreversible damage if leaked.
Attention needs to be devoted to information security risks within the office, and proactive protection often begins with your employees.
Phishers and cyber criminals may target unprotected employees, obtaining personal and professional information through social media, email networks, and over the phone.
Cyber security training will assist your staff in recognising covert security threats as they appear, and responding according to policy.
You Are Not Compliant With ISO 27001
The security responsibilities of businesses fall under one fundamental principle: confidentiality, integrity, and availability.
Without an information security management system compliant with the ISO 27001 standard, businesses leave themselves vulnerable and may suffer legal, financial and reputational damages.