Daily Archives: April 14, 2018

Trustwave Global IT Security Report Summarised

Posted on by

Hackers have moved away from simple point-of-sale (POS) terminal attacks to more refined assaults on corporations’ head offices.

An annual report from security firm Trustwave out today highlighted increased sophistication of web app hacking and social engineering tactics on the part of miscreants.

Half of the incidents investigated involved corporate and internal networks (up from 43 per cent in 2016) followed by e-commerce environments at 30 per cent. Incidents affecting POS systems decreased by more than a third to 20 per cent of the total. This is reflective of increased attack sophistication, honing in on larger service providers and franchise head offices and less on smaller high-volume targets in previous years.

In corporate network environments, phishing and social engineering at 55 per cent was the leading method of compromise followed by malicious insiders at 13 per cent and remote access at 9 per cent. “CEO fraud”, a social engineering scam encouraging executives to authorise fraudulent money transactions, continues to increase, Trustwave added.

Targeted web attacks are becoming prevalent and much more sophisticated. Many breach incidents show signs of careful planning by cybercriminals probing for weak packages and tools to exploit. Cross-site scripting (XSS) was involved in 40 per cent of attack attempts, followed by SQL Injection (SQLi) at 24 per cent, Path Traversal at 7 per cent, Local File Inclusion (LFI) at 4 per cent, and Distributed Denial of Service (DDoS) at 3 per cent.

Last year also witnessed a marked increase, up 9.5 per cent, in compromises at businesses that deliver IT services including web-hosting providers, POS integrators and help-desk providers. A breach of just one provider opens the gates to a multitude of new targets. In 2016 service provider compromises did not even register in the statistics.

Although down from the previous year, payment card data at 40 per cent still reigns supreme in terms of data types targeted in a breach. Surprisingly, incidents targeting hard cash was on the rise at 11 per cent mostly due to fraudulent ATM transaction breaches enabled by compromise of account management systems at financial institutions.

North America still led in data breaches investigated by Trustwave at 43 per cent followed by the Asia Pacific region at 30 per cent, Europe, Middle East and Africa (EMEA) at 23 per cent and Latin America at 4 per cent. The retail sector suffered the most breach incidences at 16.7 per cent followed by the finance and insurance industry at 13.1 per cent and hospitality at 11.9 per cent.

Trustwave gathered and analysed real-world data from hundreds of breach investigations the company conducted in 2017 across 21 countries. This data was added to billions of security and compliance events logged each day across the global network of Trustwave operations centres, along with data from tens of millions of network vulnerability scans, thousands of web application security scans, tens of millions of web transactions, penetration tests and more.

All the web applications tested displayed at least one vulnerability with 11 as the median number detected per application. The majority (85.9 per cent) of web application vulnerabilities involved session management allowing an attacker to eavesdrop on a user session to seize sensitive information.

Source: Gosh, these ‘hacker’ nerds are only getting more sophisticated • The Register

Facebook Blames a ‘Bug’ for Not Deleting Your Seemingly Deleted Videos

Posted on by

Did you ever record a video on Facebook to post directly to your friend’s wall, only to discard the take and film a new version? You may have thought those embarrassing draft versions were deleted, but Facebook kept a copy. The company is blaming it on a “bug” and swears that it’s going to delete those discarded videos now. They pinkie promise this time.

Last week, New York’s Select All broke the story that social network was keeping the seemingly deleted old videos. The continued existence of the draft videos was discovered when several users downloaded their personal Facebook archives—and found numerous videos they never published. Today, Select All got a statement from Facebook blaming the whole thing on a “bug.” From Facebook via New York:

We investigated a report that some people were seeing their old draft videos when they accessed their information from our Download Your Information tool. We discovered a bug that prevented draft videos from being deleted. We are deleting them and apologize for the inconvenience. We appreciate New York Magazine for bringing the issue to our attention.

It was revealed last month that the data-harvesting firm (and apparent bribery consultants) Cambridge Analytica had acquired the information of about 50 million Facebook users and abused that data to help President Trump get elected. Specifically, the company was exploiting the anger of voters through highly-targeted advertising. And in the wake of the ensuing scandal, people have been learning all kinds of crazy things about Facebook.

Facebook users have been downloading some of the data that the social media behemoth keeps on them and it’s not pretty. For example, Facebook has kept detailed call logs from users with Android phones. The company says that Android users had to opt-in for the feature, but that’s a bullshit cop-out when you take a look at what the screen for “opting in” actually looks like.

Source: Facebook Blames a ‘Bug’ for Not Deleting Your Seemingly Deleted Videos

T-Mobile Austria stores passwords as plain text

Posted on by

A customer was questioning if rumors that T-Mobile Austria was storing customer passwords in plain text, leaving the credentials like sitting ducks for hackers. Whoever was manning T-Mobile Austria’s Twitter account confirmed that this was the case, but that there was no need to worry because “our security is amazingly good.”

That line is going to bite T-Mobile Austria in the backside, if or when they next get hacked. To be fair, it’s late at night in Europe and the Twitter account was probably being handled by an overworked social media worker, but it’s not a good look. Especially when people started digging further and found various security shortcomings. The whole thread is a mind job.

But that doesn’t excuse the plain-text password storage.

Source: T-Mobile Austria stores passwords as plain text, Outlook gets message crypto, and more • The Register

‘Big Brother’ in India Requires Fingerprint Scans for Food, Phones and Finances

Posted on by

NEW DELHI — Seeking to build an identification system of unprecedented scope, India is scanning the fingerprints, eyes and faces of its 1.3 billion residents and connecting the data to everything from welfare benefits to mobile phones.

Civil libertarians are horrified, viewing the program, called Aadhaar, as Orwell’s Big Brother brought to life. To the government, it’s more like “big brother,” a term of endearment used by many Indians to address a stranger when asking for help.

For other countries, the technology could provide a model for how to track their residents. And for India’s top court, the ID system presents unique legal issues that will define what the constitutional right to privacy means in the digital age.

To Adita Jha, Aadhaar was simply a hassle. The 30-year-old environmental consultant in Delhi waited in line three times to sit in front of a computer that photographed her face, captured her fingerprints and snapped images of her irises. Three times, the data failed to upload. The fourth attempt finally worked, and she has now been added to the 1.1 billion Indians already included in the program.

[…]

The poor must scan their fingerprints at the ration shop to get their government allocations of rice. Retirees must do the same to get their pensions. Middle-school students cannot enter the water department’s annual painting contest until they submit their identification.

In some cities, newborns cannot leave the hospital until their parents sign them up. Even leprosy patients, whose illness damages their fingers and eyes, have been told they must pass fingerprint or iris scans to get their benefits.

The Modi government has also ordered Indians to link their IDs to their cellphone and bank accounts. States have added their own twists, like using the data to map where people live. Some employers use the ID for background checks on job applicants.

[…]

Although the system’s core fingerprint, iris and face database appears to have remained secure, at least 210 government websites have leaked other personal data — such as name, birth date, address, parents’ names, bank account number and Aadhaar number — for millions of Indians. Some of that data is still available with a simple Google search.

As Aadhaar has become mandatory for government benefits, parts of rural India have struggled with the internet connections necessary to make Aadhaar work. After a lifetime of manual labor, many Indians also have no readable prints, making authentication difficult. One recent study found that 20 percent of the households in Jharkand state had failed to get their food rations under Aadhaar-based verification — five times the failure rate of ration cards.

Source: ‘Big Brother’ in India Requires Fingerprint Scans for Food, Phones and Finances – The New York Times