Kaspersky Security Firm Admits it Was Hacked

Kaspersky, one of the largest cyber-security firms in the world, has confirmed that it was hacked.

According to the company, the sophisticated attack stayed away from customer information and focused instead on Kaspersky’s own systems and intellectual property. The company says it has since closed the hole that allowed the attack. Kaspersky Lab CEO and founder Eugene Kaspersky wrote, “We discovered an advanced attack on our own internal networks. It was complex, stealthy, it exploited several zero-day vulnerabilities, and we’re quite confident that there’s a nation state behind it.”

What’s troubling is how many e-commerce business owners can watch a company like Kaspersky get hacked and still assume that attackers will somehow deem their own company too small or unimportant to bother with. PCI-compliant vulnerability scans are now required for any company that accepts credit cards, yet some companies still scan their sites only quarterly instead of daily, even though hundreds of new vulnerabilities are disclosed every month.

Kaspersky dubbed this attack Duqu 2.0. It is named after Duqu, a malware family discovered in 2011 that was considered to be related to Stuxnet; Duqu infections were reported in countries including Iran, India, France and Ukraine.

The attackers behind Duqu 2.0 were hoping to infiltrate Kaspersky’s networks to learn more about its services, the blog post revealed. It added that the group behind Duqu 2.0 “also spied on several prominent targets.” In attempting to infiltrate Kaspersky, the attackers also gave the company a close look at the next generation of espionage tooling now being developed. As Kaspersky put it, “They’ve now lost a very expensive technologically-advanced framework they’d been developing for years.”

FBI Asks Apple to Create Hacker-Friendly Software

By now you have heard about the potentially dangerous security issues that could arise should Apple comply with the FBI’s request to build new software: a backdoor into the iPhone, specifically built to break the encryption that protects the personal information of every iPhone user.

According to Bruce Sewell, Apple’s chief lawyer, in his statement to a congressional committee today, “the FBI is asking Apple to weaken the security of our products. Hackers and cyber criminals could use this to wreak havoc on our privacy and personal safety. It would set a dangerous precedent for government intrusion on the privacy and safety of its citizens.” In essence, if Apple creates this software, our private information becomes reachable by the government whenever it decides we warrant it, and by hackers whether we do or not. For the iPhone user, having Apple create the software is a lose-lose proposition. Aren’t hackers doing enough damage online already? It is hard enough for business owners to scan their sites for vulnerabilities that hackers might reach. Such scans, now required for Payment Card Industry (PCI) compliance, protect consumers as well as the business owner’s proprietary content. If Apple creates the requested software, no iPhone user could be confident that their phone is safe from being broken into.

When this all started, the FBI argued that all it wanted was access to one iPhone, albeit an important one, since it belonged to a terrorist. Even if that was the case then, it isn’t the case now. Sewell reminded people of this in his opening statement, saying that “building that software tool would not affect just one iPhone. It would weaken the security for all of them.” He continued, “the US government has spent tens of millions of dollars through the Open Technology Fund and other US government programs to fund strong encryption. The Review Group on Intelligence and Communications Technology, convened by President Obama, urged the US government to fully support and not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software.” Encryption is necessary. App developers and app users alike rely on it as the last line of defense for their privacy and security. Sewell says that Apple has “been using it in our products for over a decade. As attacks on our customers’ data become increasingly sophisticated, the tools we use to defend against them must get stronger too. Weakening encryption will only hurt consumers and other well-meaning users who rely on companies like Apple to protect their personal information.”

Forcing Apple to create this software would undermine the freedoms and liberties we hold so dear and make us even more vulnerable to thieves and terrorists. Mandating a backdoor in encryption software is a very bad idea. It would just give hackers one more income stream and give government even more access to our personal lives.


What to Do When Your Website Gets Hacked

When you realize, too late, that protecting your site and your customers’ information with Trust Guard, the leader in website security and verification, would have been a good idea, there are still a few things you can do to recover.

Following the five-step plan provided here could help make the recovery process easier and less expensive.

  1. Find out what happened. Get the full picture: how the attackers got in, which computers and accounts were compromised, which data was accessed or stolen, and whether any other parties (such as customers or business partners) were affected. This can be expensive, but your internet service provider or web host may be able to help. The best route may be to contact your local, county or state police computer-crimes unit and the FBI, which can perform forensic analysis and provide valuable guidance for the future.

  2. Seek legal advice. Unless your cyber-insurance policy already provides an experienced attorney, you may need to hire one to navigate the legal issues raised by the breach, such as notifying your customers and/or employees when hackers gain access to their personal information.

    You may also need to notify your state authorities, including authorities in other states where individual customers, employees or partners were affected. Liability lawsuits are possible, which is another reason to obtain legal representation.

  3. Communicate honestly with anyone who was, or may have been, affected by the breach. Tell them what happened, what you are doing to remedy the situation and what they may need to do. This matters not only because of the legal consequences of staying silent, but because your entire business is at risk, including your reputation as a legitimate company. To salvage your relationships with customers, partners and employees, start talking to them as soon as the breach is discovered and keep talking throughout the rebuilding process.

  4. Eliminate the problem and the potential for future hacks. It may be necessary to reformat or retire infected computers, and you may have to take your website offline while the vulnerabilities the attackers used are being repaired. Before wiping anything, preserve copies of the affected systems and their logs, since the investigation in step 1 and any legal action depend on that evidence. Be sure to restore the breached data from clean backups, and consider purchasing new computers.

    If the attackers exploited a software flaw, apply the vendor’s patch that fixes the problem or implement its recommended workaround. If passwords were stolen, lock down the affected accounts and any other credentials the attackers could have reached, then set new, stronger passwords.

  5. Begin rebuilding as quickly as possible. Trust Guard can run a security scan that looks for the vulnerabilities the attackers used to access your site. Using the scan’s report, you can close the security holes and harden your site so that it does not happen again. Trust Guard can also continue to run periodic scans to protect your site from new vulnerabilities as they arise; its scanner checks for more than 75,000 vulnerabilities.

    It is important to put the technologies and policies in place to fend off future attacks. Consider designating one computer on your network for online banking only, meaning it does no web browsing or email that could expose it to malware designed specifically for financial fraud.

Every day, small and large companies alike get hacked because they do not use a company like Trust Guard to scan their sites for the security flaws attackers use to get in. If you don’t use a Security Scanned service, there is more than an 85% chance that your website is vulnerable to hackers. If you are one of those sites and you do get hacked, following these steps could minimize the cost and difficulty of rebuilding your business.

The Simplest Way to Guarantee System Security: It’s Not a Product, It’s a Setting!

We are all familiar with the idea of “garbage in, garbage out”. This neat little couplet reminds us to be careful about what we download and install on our computers. Using the human body as a metaphor for computer technology is not new, and I’d like to extend it to explain an important concept that everyone would benefit from understanding. Your system’s security may depend on it!

Imagine I have a fictitious friend, Bob. He will eat anything placed in front of him: not only any food item, including exotic offerings such as fried arachnids and bovine testicles, tongues and brains, but also things never intended for consumption, such as wood chips, smooth rocks and colorful plastics. There is almost nothing he would not eat; in fact he would eat something from every category of item found on planet Earth. Bob is on a default-permit diet. His rule is that he will eat literally anything once, and only after eating something does it get placed on a list of things he will no longer eat, if he chooses to put it there. As a result of his extreme diet he is a frequent customer of his local emergency room, and his insurance provider has dropped him as a client. He is at high risk of any number of illnesses and requires surgery on a fairly regular basis. How long can Bob sustain this?

Bob is now growing older and no longer wants to live with the pain and financial consequences of a dangerous diet, so his “do not eat” list is becoming extensive. It includes food that is growing mold, items with sharp edges, things harder than his teeth and anything with explosive or flammable properties. He never rules out an entire category but painstakingly writes down every individual item not yet listed. Though Bob shows little evidence of learning from his mistakes, he is very organized and seems capable of remembering everything on his list. Needless to say, maintaining, extending and memorizing the list takes up much of his time and energy, and it never guarantees that he will avoid another catastrophic gastric event from eating something he has not yet identified as bad for him. Now would be a good time to note that Bob, judging by this behavior, is not sane. Most would agree that this approach is not sustainable over time. Eventually, Bob will pay for this method with his life.

This is an admittedly extreme and graphic example, but it is what many firewalls and filters are doing right now. They are set to default permit, which means the door is open to everything except what appears on an ever-growing list of things to block. I imagine many of you are asking why they are set up that way. The answer is that default permit is easy and cheap, at least at first. Programmers and administrators use default permit because it lets them roll out new software or a new network quickly, without spending money and time on front-end quality. They get away with it because, at this point, nobody expects otherwise; most people are not even aware there is an alternative.

Stepping back into the dietary metaphor for a moment might help. You and I can quickly see that most people use a far more intelligent approach to deciding what they will and will not eat. Most people have an unwritten list of things they like to eat and add new items to it only cautiously. If someone were actively trying to poison our food, we might actually write the list down. This is a “default deny” approach: we permit only the things on our list, which is a very short list compared with the one Bob has to maintain. Better still, the allow list can be condensed with rules such as “I will eat chicken as long as the head is not still attached, the feathers are removed, and it has not been sitting out all day or been undercooked”. Whole categories can be allowed provided they meet predetermined criteria; not every single item needs to be listed. And even if every item were listed for both kinds of list, the allow list would be tiny compared with the mammoth deny list. So, if we set up our computers the way we choose our diets, we would avoid all those metaphorical treatment regimes, emergency surgeries, painful and bewildering maladies and probable organ transplants.

What is the moral of this story? Rather than spending time, money and headaches listing and blocking all of the “badness” that exists and will keep multiplying, take the time to list the “goodness” you want to allow, and nothing else will be permitted to run or connect. This sounds simplistic, and there is a lot of background work in such an approach: you have to inventory what legitimately needs to run and talk, and every new business need becomes a new rule rather than an emergency. But that is the basic idea. Default permit and enumerating badness is problematic by its nature and will never produce dependable security, because a block list is always one step behind whatever was invented yesterday. Enumerating goodness and setting your system to default deny is the only approach that keeps you ahead of attackers rather than behind them.

Now that we’ve identified the issue, how do we change our settings? The directions are specific to your system, firewall and network (if you have one), so I won’t attempt to give them here. If you’d like to look into setting your firewall to default deny, this article is a good place to start:

https://securosis.com/blog/network-security-fundamentals-default-deny/
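To make the difference concrete, here is an added example of my own (it is not from the original post or from the Securosis article) that simulates a tiny stateless packet filter in Python and evaluates the same five constructed sample flows under a default-permit block list and a default-deny allow list. Every address, network, port and rule below is invented for illustration; the combined SSH rule is the “chicken, but not raw” idea, a whole service category allowed only under a condition.

```python
"""Default permit vs default deny, simulated as a tiny stateless packet filter.

Added illustration, not code from the original post. All addresses, ports and
rules are constructed for the example (documentation ranges 198.51.100.0/24,
203.0.113.0/24 and 192.0.2.0/24 stand in for "the internet").
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str     # source IP address
    dport: int   # destination port
    proto: str   # "tcp" or "udp"


# A rule is a predicate over a flow plus the verdict it yields when it matches.
Rule = Tuple[Callable[[Flow], bool], str]


def evaluate(rules: List[Rule], default: str, flow: Flow) -> str:
    """First-match evaluation; the default verdict applies when nothing matches."""
    for matches, verdict in rules:
        if matches(flow):
            return verdict
    return default


def from_net(cidr: str) -> Callable[[Flow], bool]:
    net = ip_network(cidr)
    return lambda f: ip_address(f.src) in net


def service(proto: str, port: int) -> Callable[[Flow], bool]:
    return lambda f: f.proto == proto and f.dport == port


def both(*preds: Callable[[Flow], bool]) -> Callable[[Flow], bool]:
    """Allow a whole category only under a condition ("chicken, but not raw")."""
    return lambda f: all(p(f) for p in preds)


# Bob's diet: everything gets in except the things already known to hurt.
DEFAULT_PERMIT_RULES: List[Rule] = [
    (from_net("203.0.113.0/24"), "deny"),   # a scanner range noticed last week (constructed)
    (service("tcp", 23), "deny"),           # telnet
    (service("tcp", 445), "deny"),          # SMB
]

# The sane diet: only named services, some with conditions attached.
DEFAULT_DENY_RULES: List[Rule] = [
    (service("tcp", 443), "allow"),                               # public HTTPS
    (service("tcp", 80), "allow"),                                # public HTTP (redirect to 443)
    (both(service("tcp", 22), from_net("10.0.0.0/8")), "allow"),  # SSH, internal network only
]

# Constructed sample traffic; the last flow is "tomorrow's malware".
SAMPLE_FLOWS: List[Flow] = [
    Flow("198.51.100.7", 443, "tcp"),  # customer browsing the shop
    Flow("10.20.30.40", 22, "tcp"),    # admin SSH from the office network
    Flow("198.51.100.7", 22, "tcp"),   # SSH attempt from the internet
    Flow("203.0.113.9", 445, "tcp"),   # known-bad range hitting SMB
    Flow("192.0.2.77", 4444, "tcp"),   # never-seen source on a never-seen port
]


def verdicts(rules: List[Rule], default: str) -> List[str]:
    return [evaluate(rules, default, f) for f in SAMPLE_FLOWS]


def compare() -> Dict[str, List[str]]:
    """Run the same traffic through both policies and return the verdict lists."""
    return {
        "default_permit": verdicts(DEFAULT_PERMIT_RULES, "allow"),
        "default_deny": verdicts(DEFAULT_DENY_RULES, "deny"),
    }


if __name__ == "__main__":
    for policy, results in compare().items():
        print(policy)
        for flow, verdict in zip(SAMPLE_FLOWS, results):
            print(f"  {flow.src:>14} -> {flow.proto}/{flow.dport:<5} {verdict}")
```

Compare the last flow under the two policies. The default-permit block list lets it through because nobody has written it down yet; the default-deny allow list blocks it without anyone needing to know it exists. Note also that the allow list is three rules and stays three rules no matter how many new attack sources appear, while the block list has to grow with every incident.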