Week 05: System and User Enumeration

Biometric Skimmers Pose Emerging Threat To ATMs

September 26, 2016 by Marcus A. Wilson 3 Comments

I came across this article today that discussed how banks are aggressively moving towards bio-metric authentication methods while cyber criminals are already coming up and testing ways to defeat these. For the last few years banks have been trying to find another authentication method to protect their pin authenticated ATMs from skimmers. The banks have started to install fingerprint, facial, and palm nerve scanners on ATMs to provide an additional layer of security. Criminals are already implementing ways to fool these scanners. It can be very concerning if your bio-metric security is compromised since you cannot just change it like a password.

It’s a perfect example of how difficult it is to stay ahead of the cyber crime. Bio-metrics technology has been around for quite some time but is just beginning to be rolled out for this use and we already have to determine what’s next from here.

http://www.darkreading.com/bank-systems-and-tech/biometric-skimmers-pose-emerging-threat-to-atms/d/d-id/1326987?

SWIFT Moves to Combat Inter-Bank Fraud

September 25, 2016 by Ahmed A. Alkaysi Leave a Comment

I posted an article about how SWIFT was going to start punishing their customer banks by disclosing the bank’s security gap in order to get them to comply. Well it looks like SWIFT is now trying to provide these banks with data reports to “supplement its customers’ existing fraud reports.” These reports include an Activity Report and Risk Reports. It will contain “a snapshot view” of the day’s “messaging activity against which to detect unusual pattern.” Basically, these reports will contain the “messaging activity” data for the bank, and it will be compared to the data currently in the bank’s system. If there is a large discrepancy between the bank’s data and the report that SWIFT sends them, their might have been a cyber attack that altered that banks data. I don’t know if these reports will be any effective, but I guess its a start. By the time the reports show any abnormal pattern, the bank could have already lost millions of dollars due to a hack.

http://www.securityweek.com/swift-moves-combat-inter-bank-fraud

How Hacked Cameras Are Helping Launch The Biggest Attacks The Internet Has Ever Seen

September 25, 2016 by Shain R. Amzovski 1 Comment

Brian Krebs is a reporter who does stories on cyber attackers that attack for profit. In his line of work, he is often subject to several threats. He has had SWAT teams show up at his house before, and death threats in the form of flowers. Most recently, his website was the subject of a DDoS attack, sending 600-700 gigabits per second of internet traffic. The security company protecting his site, Prolexic, had to stop supporting his website because it was the subject of so many attacks. His site is now back up and running with Google’s Project Shield. It is meant to protect activists from DDoS attacks. Hackers are using unsecured devices from the Internet of Things, (IoTs) to launch this attacks. A botnet of 25,000 CCTV cameras was being used to launch attacks across the world.

http://www.forbes.com/sites/thomasbrewster/2016/09/25/brian-krebs-overwatch-ovh-smashed-by-largest-ddos-attacks-ever/#14c6c9eb6fb6

97% of Top 1,000 Orgs Suffer Credential Compromise

September 25, 2016 by Mengxue Ni 2 Comments

Digital Shadows has found that, for the largest 1,000 organizations in the world, there are more than 5 million leaked credentials. The company said in blog-for companies that were the victims of breaches, there are clear reputational, brand and financial implications. The breaches impacting the global 1,000 companies that most were heists at LinkedIn and Adobe-both services that employees can be expected to sign up to with their work accounts. The high level of corporate credentials in the 360 million stolen from MySpace. Gaming sites and dating sites also affected organizations.

The report also found that the UK is one of the most affected regions in the world-with an average of 9,000 average leaked credentials per company. Whilst many claimed breaches are often simply copies and reposts of previously leaked database this number is lower than expected-only around 10% of claimed breached credentials are duplicated.

Social media and BYOD are the biggest internal security threats for every organization because it is hard to control and monitor every employee. For LinkedIn and Adobe, I can understand why there is a high chance to get your work account from it. I was surprised that dating and gaming sites also threat organizations. One thing that I can think to mitigate the risk of leakage is warning your employees not to use their work account and email in any other website, not even for LinkedIn. Other than this, social media is still a great external threat for any organizations.

link: http://www.infosecurity-magazine.com/news/97-of-top-1000-orgs-suffer/

Your Biggest Cybersecurity Weakness Is Your Phone

September 24, 2016 by Ioannis S. Haviaras 4 Comments

Chief Information Officers should start making sure that mobile devices on their network as secure as possible. In this article Larry Dignan, describes that the biggest threat to corporate security stems from employees bringing their own devices on the network. Its not necessarily the devices that aren’t secure its the people that own the devices that are negligent. Many people still do not have PIN codes on their devices and if users were to open spam on their phone many devices automatically download messages in their entirety allowing for malware to install itself. CISOs must implement BYOD policies and enforce mandatory PIN codes and software that allows remote wiping if a phone were to be lost. Since the internet of things is become more prevalent people need to be aware that the more devices they have connecting to the internet the more vulnerable they are. Dignan says that devices should have auto-lock enabled, should be kept within sight at all times and to have auto-discover Bluetooth turned off. This is some of the advice he gives to securing devices in an organization. He also states that malware will get more significant in the years to come as more and more devices become available to hackers on the internet.

Article: https://hbr.org/2016/09/your-biggest-cybersecurity-weakness-is-your-phone