Last week, the Open Web Application Security Project (OWASP) released further evidence that the vulnerabilities of years passed were the same as they are today. OWASP released the 2013 edition of the Top 10 Web Application Vulnerabilities. Below is a list with a comparison to the 2010 Top 10 list:

-A1 Injection
-A2 Broken Authentication and Session Management (was formerly 2010-A3)
-A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)
-A4 Insecure Direct Object References
-A5 Security Misconfiguration (was formerly 2010-A6)
-A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged -to form 2013-A6)
-A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)
-A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)
-A9 Using Components with Known Vulnerabilities (new but was part of 2010-A6 – Security Misconfiguration)
-A10 Invalidated Redirects and Forwards

As you can see, the changes to the Top 10 list are minimal with only a few attack vectors swapping places. A simple Google search will display millions of websites that are potentially vulnerable to the most common exploit, SQL injection.

Ask yourself: “Am I vulnerable?” If so, do you know how to fix it? Don’t go through the process alone. Contact Reclamere today!

The Problem

As more consumer-grade mobile devices enter the work environment, the sophistication and proliferation of malware and other threats will inevitably grow. One security company predicts over a 300 percent rise in malicious and non-secure Android-based apps in 2013 alone, from over 300,000 to in excess of a million by year’s end.

Potential solutions

Endpoint encryption – A key strategy employed to protect against loss of stolen devices, unauthorized access, or data breaches is the use of comprehensive encryption. Software automatically encrypts your enterprise’s data wherever your staff may be using it. Encryption of data on removable media occurs — including on USB drives, DVDs, and CDs. ‘Data at rest’ is also encrypted on both desktops and laptops. Essentially, data in files and folders is encrypted at endpoints throughout your enterprise.

Endpoint protection and scanning speed – As virtualization and ‘big data’ trends continue, the speed with which the scanning of mountains of data can occur comes into play. Multiply the number of potential scans by the time needed for each scan, and the productivity issue becomes apparent.

Cloud-based endpoint protection – Hosted security solutions now exist that can, for example, protect not only desktops, laptops, and servers, but tablets and even point-of-sale machines as well. Continuous cloud-based protection is well-positioned to successfully intercept new threats as they appear.

Conclusion

The proliferation of tablets, smartphones, and other mobile devices provides those with malicious intent more points-of-entry than ever before. The race is sure to continue between ‘hacktivists,’ for example, and Internet security specialists. More sophisticated attacks will result in more advanced responses. It is incumbent upon any company to balance its enthusiastic embrace of mobile devices for increased productivity with an equally enthusiastic embrace of the latest security measures available.

For further insights into how your specific needs can be addressed, please contact us.

Phishing

Fraudulent emails that attempt to get personal information are nothing new. It is important to ensure that screening software is installed to review email before it arrives in the employee’s inbox. This will not only reduce phishing but the number of spam emails employees must waste their time deleting.

Employees should also be trained on how to spot fraudulent emails. Identity thieves are learning and changing tactics all the time, and software is not going to catch everything. Employees who understand what to look for will be able to report any phishing emails they receive and prevent others from sharing personal information.

Spyware

Fraudulent emails are also one way for identity thieves to get spyware into the computer systems of a business. These programs may run in the background and gather personal information without anyone knowing until it is too late. Having anti-spyware programs installed can often prevent this type of invasion. But again, programmers are always learning and trying new things. Training employees on how to properly use the internet is essential in preventing spyware attacks.

Mobile Devices

Smartphones and tablets exploded into the business world in 2012 and will continue to grow in use throughout 2013. While these devices are small, easy to use and portable, they are also a security risk. Employees who have mobile devices may:

• Transmit data over unsecured networks
• Not secure the device with password protection
• Lose the device
• Download apps that have spyware

Many users don’t think about a smartphone or tablet as a security risk because it isn’t a computer. However these devices do connect to the internet and this opens them up to the same security risks as a desktop or laptop.

Users don’t think about data security the same way when they use a smartphone or a tablet, but they can learn. A few simple precautions can ensure data on these portable devices is secure.

• Enable password protections.
• Verify all networks are secure before sending any information.
• Install the same spyware/malware/virus protections on company laptops onto all mobile devices.
• Maintain physical contact to avoid theft.
• Don’t save passwords, PIN’s or account information in email contacts or notebook. Use a password protected word document instead.

Educating users to be mindful of any internet-connected device as a potential data breach risk will help maintain data security.

Dumpster Diving

Some identity thieves still go through the trash looking for information. Many companies already shred documents that have business data, but don’t remind employees to shred documents that have personal data as well. Documents that contain birthdays, family names, addresses, old passwords, credit card numbers or bank names can all be used by identity thieves. They can find several documents with different pieces of information and put it all together to recreate an identity. Encourage employees to shred all documents, no matter how harmless they may seem.

And don’t forget computer hard drives and other media.  “Digital Dumpster Diving” is done at computer shows, auctions, purchasing from eBay, or buying equipment from government sales.  Make sure that all data is properly destroyed before getting rid of old computers.

Email, spyware, mobile devices and dumpster diving are just some of the ways identity thieves can get information.  To learn more about improving data security to prevent identity theft, contact us.

On occasion, it certainly can get interesting. In the year 2000, the FBI got two Russian hackers to come to the U.S., ostensibly for job interviews. Once within American borders, the agency tracked their computer usage and identified passwords. Specialists successfully collected evidence from the Russians’ computers.

One challenge in the United States is that federal law restricts seizures to items that have obvious value as evidence. This sometimes presents a challenge when digital media is involved, as it is often not possible to ascertain evidentiary value until the media is thoroughly examined.

Forensic investigations must be particularly sensitive to chain of custody and related matters. In the past, attorneys have sometimes argued, occasionally with success, that digital evidence is inherently unreliable because it can theoretically be altered.

Not surprisingly, mobile device forensics is quickly gaining traction as a sub-specialty of computer forensics. Unlike computers, mobile devices typically have a built-in communication system and proprietary storage methods.

In mobile forensics, the recovery of deleted data is usually not the focus of the investigation. Rather, simple data analysis is common. For example, SMS data may be studied. However, a unique aspect of mobile forensics lies in taking advantage of the GPS capability built into many mobile devices. Logs are generated by each cell tower or site as transmissions are passed from one “cell” to another. Such a log can provide valuable forensic information regarding the period of time the unit was tracked within that particular cell.

Another unique aspect of mobile forensics is the fact that most cell phones continually receive radio traffic whether they are in use or not. As a result, it may be necessary to place such equipment in a Faraday shield at the time of seizure so as to prevent further radio traffic to the device that could undo vital evidence.

For best practices forensic investigations, look to Reclamere. Please contact us today.

Having thus gained access to a trusted Gmail account, the hacker escalated the attack, sending several more of the same phishing emails to other staff members on May 6th. These emails were more believable, since they came from a trusted account, and someone with access to all of The Onion’s media accounts was tricked into giving away their login credentials. That individual had also made the mistake of using the same credentials for all of those accounts.

The Onion quickly discovered that at least one of their social media accounts had been compromised, and promptly sent out a company-wide email instructing all employees to change their passwords. The hackers responded with a duplicate email which included a link to the account for the recipient’s convenience and of course, that link actually went to the same page as the first one they had sent. At that point, The Onion forced a password change for all accounts since it was unclear which ones were compromised, and that finally ended the siege.

In the final analysis, The Onion staff made two critical errors, which demonstrates that even the savviest denizens of the web can occasionally fall victim to social engineering. The first, and most egregious, error was clicking on a link in an email, which was then compounded by giving away login credentials at the linked page. The potential dangers of such a mistake couldn’t be more clearly illustrated than they were in this case.

The second error was both less common and less insidious, but as was demonstrated above, can cause an attack to be escalated well beyond its initial scope. Using identical login credentials on more than one site will exacerbate a breach by spreading it to all of the accounts whose credentials are the same, because a hacker with compromised credentials will first try them everywhere he thinks they may work. Of course, without the initial breach, this would be impossible, but security is only as strong as its weakest link, so prudence dictates that measures should be taken to contain potential exploits and escalations before they occur whenever possible.

For more information about data breach investigations and other cyber-security related issues, please read our blog regularly. Also, if we can address any of your cyber-security concerns or issues, please contact us at your convenience.

It is mind-blowing the amount of personal information people willingly put online, without thinking twice about the detriment it could cause.  It is not an uncommon practice to write a program that searches for indicators of people going on vacation or people putting credit card information online. For example, the twitter account @needadebitcard finds people that post pictures of their credit cards online and re-tweets them; the website PleaseRobMe.com searches for Foursquare check-ins; the python script cree.py grabs geolocation from images posted to social media and track users and plots their movements on Google maps.

In an attempt to raise awareness, I did some quick research to see what kind of information a ‘privacy-conscious’ person, like myself, may inadvertently be leaving behind to be forever engraved on the Internet.

First, I downloaded a browser add-on called Collusion.  This program creates a chart of all the websites that collect personal information as you surf the Internet. I turned it on for approximately 15 minutes and did normal, everyday tasks such as check my e-mail and catch up on the news.

 One of the cool things about Collusion is that you can highlight a specific page to show all the sites data was sent to.  Below is the web that was created by reading the news on the LA TIMES website:

Note: I did NOT log into Facebook during this time.

The top 10 results from a Google search of my name and hometown, gave my name, address, phone number, job title, and the names of everyone in my home, along with more sensitive information such as my approximate household, the approximate value of my house, a satellite view of where my house was located, and personal pictures of myself, son, and friends.

All of this information was gathered in approximately 30 minutes. When I talk to people about the data leakage in our society, a common rebuttal is “so what? I have nothing to hide.”

Well, in a mere 30 minutes, I was able to gather the answers to the most common password reset security questions. I found my mother’s name; so, a little research on her would reveal her maiden name. Also, it is reasonable to suggest that finding an old address that revealed ‘what street I grew up on’ would be just as simple to find.  In more serious terms, I have obtained enough information to easily gain and exploit data by phishing, infecting a computer, and/or stealing bank account information.

This is scary stuff!  I am careful about the information I put online, but with a few simple searches, I easily found enough information about myself that would allow someone to cause real havoc.

So, ask yourself, how much data are you leaking online? What about your co-workers? Your supervisors? Your high-level executives? How much sensitive data are you and your organization leaking?

The days of technical exploits are coming to an end. The latest, biggest data breaches occur through simple social engineering and phishing attacks.  To put your organization to the test, the Reclamere Data Security Experts can help demonstrate the impact social engineering could have on your organization.

A zombie is (paraphrasing dictionary.com) the body of a dead person given the semblance of life, usually for some evil purpose (eg, eating your brains). The key for our purposes here is that something we thought was gone and never to be heard from again, has come back to haunt and/or devour us.

There are myriad instances where data that was thought to have been properly disposed of has come back to cause all sorts of problems to organizations and individuals, and these incidents get very expensive, very quickly. So how do we prevent this zombie that is our data from coming back and devouring our profits?

Many organizations think it is enough to simply delete files or reformat drives. This is the equivalent of a shot to the kneecap or chest. While it may slow it down, its not going to kill the undead. The only sure, bullet-in-the-head solution, is to use a professional zombie killer, like Reclamere, who will offer you a 100% guarantee that you will never see that data again.

To learn more about Reclamere and our zombie killing – or – data destruction services, visit our website at www.reclamere.com.

What are HIPAA requirements with regard to plans for data loss & recovery?

Providers are required to establish a contingency plan to deal with emergencies or events that impact EHR systems, as detailed in HIPAA Part 164.308(a)(7)(i). The disaster recovery requirements are demanding and challenging for most companies, but compliance is attainable.

What considerations are relevant when providers are developing data backup plans and disaster recovery plans?

Essentially, HIPAA requires the use of regularly scheduled, updated living documents.  This is to ensure that as requirements and methodologies evolve, contingency plans are reviewed and updated accordingly.

Contingency plan documents structured simply to comply with HIPAA is inadequate. Specifics must be outlined with regards to responsible parties, possible vendors, software, and hardware. Collectively, all efforts must yield a fully comprehensive strategy for disaster recovery.

How have data management backup services evolved and changed over the past decade?

HIPAA mandates are becoming more complex in order to move providers toward respected data management companies. The days of merely duplicating and archiving data are over.  Providers are now expected to comply with expert data management processes and procedures.

What should providers avoid doing when selecting data management expertise?

The most important aspect to consider is that full responsibility for data security can NOT be transferred to a service. Under HIPAA, healthcare providers are ultimately responsible for the security of patient medical data. However, in a contractual relationship, a data security provider does carry some responsibility.

For further assistance in finding efficient and reliable means for meeting HIPAA requirements, please contact us.

HIPAA stands for Health Insurance Portability and Accountability Act. Despite its name, it actually deals with more than just insurance. Basically, this is the law that governs the protection of health information. It is this law that prevents just anyone off the street from walking into your doctor’s office and getting the details of your last prostate exam. It is also the law that fines an insurance company for tossing sensitive information into the trash rather than disposing of it appropriately.

And just because you are not an actual healthcare provider or insurance company, doesn’t mean you can breathe a sigh of relief. The law was recently expanded to include organizations that are business associates of healthcare providers and even subcontractors of that business associate. Any downstream vendors that have any contact with private health information are now affected by this law, including the potentially hefty fines mentioned.

No business can afford to have their bottom line affected like that. Even if the financial impact is not enough to sink your company, the lack of trust from customers due to loss of such sensitive and private information will. That’s why it is so important to do everything in your power to protect data and properly dispose information.  The most effective way to do this is by enlisting the help of a qualified data security expert.

For more information on how HIPAA can impact your company, how you can protect yourself, and perhaps most importantly, protect the private data of innocent consumers.  Please contact us.

This sounds like a movie, but this is real life. The latest release by the hacker collective Hack the Planet (or HTP) details their Internet (mis)adventures of smashing and pillaging servers in order to get ahold of data for nothing more than sheer enjoyment.  MIT, EDUCAUSE, Linode, Nmap, Sucuri, NIST, Wireshark, Sourceforge, Debian, Python, Mercurial, MoinMoin, and Wget are some of the targets most recently compromised.  The scariest part is nobody would ever know about these high-level security breaches if not for HTP releasing a zine bragging about these accomplishments.

As somebody who lurks in the Internet underground, monitors activity, and frequently interacts with some of the HTP hackers, these are the hackers that corporations need to fear. The hackers that can infiltrate a network, camp out for months, and then leave without anybody ever batting an eye; the skilled hackers that steal data, but NEVER brag about it.

Today, it is no longer about if your corporation is going to get hacked; it’s about when will it be hacked. Eventually, you will be compromised. So what can you do?

- Implement a “least privilege” policy where users are only granted the minimal access needed.

- Apply access controls and keep systems updated so that an attacker cannot escalate privileges to administrator-level access.

- Develop an Incident Response Plan to follow when the breach happens to quickly, efficiently expunge the hackers and lock down the network with minimal collateral damage.

- Test your own networks by conducting simulated attacks on your network so that you can patch up your weak points before the “bad guys” get there.

Contact Reclamere today and let us design and/or refine your Incident Response Plan. And if you’re brave enough, let our ethical hackers attempt to infiltrate your network.