The most common errors identified in professional DNS audits

3 auditors
Going down?

Image by Thinkstock

Recent DNS outages should serve as a wake-up call that DNS is critical to business infrastructure. When your DNS infrastructure goes down, so does your web site, email, and other services, which may result in lost revenue and a negative brand perception. Many organizations are challenged by the cost and complexity of managing a DNS infrastructure because best practices may change over time, resulting in errors and inefficiencies. Chris Roosenraad, director of DNS Services at Neustar, shares some of the most common errors observed during audits of its customer’s DNS infrastructure and the best practices you can take to ensure you are maximizing your DNS performance to minimize potential downtime.

To read this article in full or to leave a comment, please click here

Read more here:: IT news – Security

The 4 biggest healthcare IT headaches

To avoid violating regulations, which could result in tens of thousands of dollars (or more) of fines and negative publicity, healthcare providers must ensure that their facilities are in compliance and be constantly on the lookout for security threats.

And “while the governance of information causes headaches for IT leaders across all industries, when it comes to healthcare, the myriad of confidentiality and privacy concerns for CIOs and health information management administrators creates added complexity,” says Ken Mortensen, data protection officer at InterSystems. One slip-up and “IT leaders risk exposing [sensitive] health information, or, even worse, contributing to an unfortunate patient outcome.”

To read this article in full or to leave a comment, please click here

Read more here:: IT news – Security

4 ways blockchain is the new business collaboration tool

While blockchain may have cut its teeth on the cryptocurrency Bitcoin, the distributed electronic ledger technology is quickly making inroads across a variety of industries.

That’s mainly because of its innate security and its potential for improving systems operations all while reducing costs and creating new revenue streams.

David Schatsky, a managing director at consultancy Deloitte LLP, believes blockchain’s diversity speaks to its versatility in addressing business needs, but “the impact that blockchain will have on businesses in various industries is not yet fully understood.”

To read this article in full or to leave a comment, please click here

Read more here:: IT news – Security

Connecting with work from the road? Here’s how to stay safe

Every company has workaholics who can’t leave their duties behind when heading out on vacation. They’re kind of worker who, if the hotel doesn’t have Wi-Fi, will rush to the closest coffee shop or eatery to stay connected, check email and jump onto a video conference call.

Those are the kinds of insecure wireless networks that make IT security managers nervous.

And for good reason. Public Wi-Fi networks at cafes and coffee shops are open to, and can be accessed by, anyone, according to mobile security vendor iPass. They require neither security keys and passphrases nor firewall protection. That leaves employees vulnerable to man-in-the-middle attacks.

To read this article in full or to leave a comment, please click here

Read more here:: IT news – Security

Amazon Video UK Adds 40 Live Broadband TV Streaming Channels

Competition between the Internet video streaming giants is hotting up after Amazon Video added 40 live TV and on-demand channels (e.g. Discovery, Eurosport) to their £79/year or £7.99/month ‘Prime’ service, although the catch is that you have to pay an extra monthly fee for each (from £1.49). On the surface the move appears like it could […]

Read more here:: ISPreview

Should SaaS Companies Publish Customers Lists?

A screenshot of a phishing lure used to target Workday customers.

A few weeks back, HR and financial management firm Workday.com sent a security advisory to customers warning that crooks were sending targeted malware phishing attacks at customers. At the same time, Workday is publishing on its site a list of more than 800 companies that use its services, making it relatively simple for attackers to chose their targets. This post examines whether it makes sense for software-as-a-service (SaaS) companies to publish lists of their customers when those customers are actively under siege from phishers impersonating the SaaS provider.

At its most basic, security always consists of trade-offs. Many organizations find a natural tension between marketing and security. The security folks warn that publishing too much information about how the company does business and with whom makes it way too easy for phishers and other scammers to target your customers.

A screenshot of a phishing lure used to target Workday customers.

The marketing folks, quite naturally, often have a different perspective: The benefits of publishing partner data far outweigh the nebulous risks that someone may abuse this information.

So the question is, at what point does marketing take a backseat to security at SaaS firms when their customers are being phished? Is it even reasonable to think that determined attackers would be deterred if they had to pore through press releases and other public data to find a target list?

When I first approached Workday in researching this column, I did so in regard to an alert they emailed customers earlier this month. In the alert, Workday warned that customers using single-factor authentication to access Workday were being targeted by email phishing campaigns. The company said there was no evidence to suggest the phishing a result of the Workday service or infrastructure, but rather it was the result of phishing emails where individuals at customer organizations shared login credentials with a malicious third party. In short, they’d been phished.

Workday advised customers to take advantage of the company’s two-factor authentication systems, and to enable secondary approvals for all important transactions.

All good advice, but I also challenged the company that it maybe wasn’t the best idea to also publish a tidy list of more than 800 customers on its Web site. I also noted that Workday’s site makes it simple to find an HTML template for targeted phishing campaigns. Just take one of the companies listed on its site and enter the name in the Workday Sign-in search page. Selecting Netflix from the list of Workday customers, for example, we can find Netflix’s login page:

Netflix's sign-in page at Workday.com.

Netflix’s sign-in page at Workday.com.

That link opens up a page that allows Netflix customers to login to Workday using Google’s OAuth system for linking third-party apps to Google accounts. It’s a good thing we haven’t recently seen targeted phishing attacks that mimic this precise process to hijack Google accounts.

Oh wait, something very similar just happened earlier this month. In the first week of May, phishers began sending Google Docs phishing campaigns via Gmail disguised as an offer to share a document. Recipients who fell for the ruse ended up authorizing an app from Google’s OAuth authentication interface — i.e., handing crooks direct access to their accounts.

Before I go further, let me just say that it is not my intention to single out Workday in this post: There are plenty of other companies in its exact same position. The question I want to explore is at what point does marketing get trumped by security? For me, the juxtaposition between Workday’s warning and its priming the pump for phishers at the same time seemed off.

Workday wasn’t swayed by my logic, and they referred me to a marketing industry analyst for the finer points of that perspective. Michael Krigsman, a tech industry analyst and host at cxotalk.com, said he often advises smaller companies that may be less sophisticated in their marketing strategies to publish a list of customers on their home pages.

“Even when it comes to larger companies like Workday, they’re selling so many seats that this information is highly public knowledge and very easy to get,” Krigsman said. “If you’re interested in Workday’s customer lists, for example, you can easily find that out because Workday puts out press releases, their customers put out press releases, and this gets picked up in the trade press.”

WHERE I COME FROM

Fair enough, I said, and then I explained my historical perspective on this topic. Ever since I broke a series of stories about breaches at major retailers like Target, Home Depot, Neiman Marcus and Michaels, I’ve been inundated with requests from banks and credit unions to help them figure out which merchants were responsible for credit and debit card fraud that was costing them huge financial losses.

They sought my help in figuring this out because Visa and MasterCard have contractual ways to help banks recover a portion of the funds lost to credit card breaches if the financial institutions can show that specific fraud was traced back to cards all used at the same breached merchant.

As a result, I’ve spent a great deal of my time over the past few years helping these financial institutions find out for themselves which of their cards were breached at which merchants — pointing them to underground forums where — if they so chose — they could buy back a small number of cards and look to see if any of those had a commonality (known in financial industry parlance as a “common point of of purchase” or CPP).

I’ve never sought nor have I received remuneration for any of this assistance. However, one could say that this assistance has paid off in the form of tips about CPPs from various financial industry sources that — in the aggregate — strongly point to breaches at major retailers, hotels and other establishments where credit card transactions are plentiful and traditionally not terribly well protected.

But even financial institution fraud analysts who are adept at doing CPP analysis on cards for sale in the underground markets can be blind to the breach whose only commonality is a third-party provider — such as a credit card processor or a vendor that sells and maintains point-of-sale devices on behalf of other businesses.

Nine times out of ten, when a financial institution can’t figure out the source of a breach related to a batch of fraudulent credit card transactions, the culprit is one of these third-party POS providers. And in the vast majority of cases, a review of the suspect POS provider shows that they list every one of their customers somewhere on their site.

Unsurprisingly, Russian malware gangs that specialize in deploying POS-based malware to record and transmit card data from any card swiped through the cash register very often target POS providers because it is the easiest way into the cash registers at customer stores. Interview the individual store managers who operate compromised tills — as I have on more occasions that I care to count — and what you invariably find is that the malware got on their POS systems because an employee received an email mimicking the POS provider and clicked a booby-trapped link or attachment.

Read more here:: KrebsOnSecurity

Syncing individual privacy to global cybersecurity

While most pundits agree that Trump’s first hundred days in office were underwhelming on the legislative front, he did manage to pass a measure on internet privacy that caused quite a stir in the media. This would be the rollback of privacy regulations that prevent ISPs (internet service providers) from selling user browsing history to third parties. As soon as the measure appeared likely to make it to the president’s desk, article after article was written decrying the development. Sensational headlines spelled out the end of the internet as we know it, a complete surrender of our personal data to big corporations, and social media was aflame with cries of “the end of privacy.”

Read more here:: Avast

Private Eye Allegedly Used Leaky Goverment Tool in Bid to Find Tax Data on Trump

Grand jury findings in a sealed case against Louisiana private investigator Jordan Hamlett.

In March 2017, KrebsOnSecurity warned that thieves who perpetrate tax refund fraud with the U.S. Internal Revenue Service were leveraging a widely-used online student loan tool to find critical data on consumers that allows them to claim huge refunds with the IRS in someone else’s name. This week, it emerged that a Louisiana-based private investigator is being charged with using the same online tool to glean tax data on then-presidential candidate Donald J. Trump.

A story today at Diverseeducation.com points to court filings in the U.S. District Court for the Middle District of Louisiana, in which local private eye Jordan Hamlett is accused by federal prosecutors of abusing an automated tool at the U.S. Department of Education website that is designed to make it easier for families to complete the Education Department’s Free Application for Federal Student Aid (FAFSA) — a lengthy form that serves as the starting point for students seeking federal financial assistance to pay for college or career school.

Grand jury findings in a sealed case against Louisiana private investigator Jordan Hamlett.

In November 2016, Hamlett — the owner of Baton Rouge-based Averlock Investigations — was indicted on felony charges of trying to glean then President-Elect Trump’s “adjusted gross income,” or AGI, using the FAFSA online tool. In the United States, the AGI is an individual’s total gross income minus specific deductions. Diverse Education’s Jamaal Abdul-Alim cites sources saying the accused may have been trying to get Trump’s tax records.

In any event, he failed, according to prosecutors. Last month, the IRS announced that the Education Department was disabling the FAFSA lookup tool because it was being abused by tax fraudsters.

According to Diverse Education, hints about the case against Hamlett came out last week in an IRS oversight hearing before the U.S. House committee on oversight and government reform. At that hearing, “Timothy P. Camus, deputy inspector general for investigations at the Treasury Inspector General for Tax Administration, or TIGTA, alluded to the Hamlett case but did not mention Hamlett by name, nor did he indicate that then-presidential candidate Trump was the target,” Abdul-Alim writes. “Instead, Camus only mentioned that TIGTA ‘detected an attempted access to the AGI of a prominent individual.’”

Attempts to reach Hamlett for comment have been unsuccessful so far, and the complaint against him remains sealed. However, KrebsOnSecurity obtained a response on Nov. 10, 2016 from U.S. Attorney J. Walter Green that lays out the basic facts in the case. A copy of that document is here (PDF).

It’s interesting to note that this wasn’t the first time U.S. government authorities detected someone trying to access Trump’s AGI information. According to the government’s response, the alleged unauthorized attempt at Trump’s AGI data being attributed to Hamlett occurred on Sept. 13, 2016.

In TIGTA Deputy Inspector General Camus’ testimony to the House committee (PDF), he said his office detected a second attempt to access the same “prominent individual’s” AGI data via the FAFSA online lookup in November 2016, although the testimony doesn’t say whether that attempt was successful.

Amazingly, it wasn’t until an IRS employee on February 27, 2017 complained that he had his own tax refund filed on his behalf because thieves abused the FAFSA tool that the IRS moved to restrict online access to the service, according to response to committee questioning from IRS Chief Information Officer S. Gina Garza.

The government doesn’t say in its pleadings why the accused was allegedly unsuccessful in obtaining President Trump’s AGI data. It could be that the Social Security number he had for Trump wasn’t correct; or, the account may have been flagged prior to the alleged attempt.

In any event, I want to take this opportunity to remind readers to assume that the static facts about who you are — including your income, date of birth, Social Security number, and a whole host of other information you may consider private — are likely at risk thanks to well-intentioned but nonetheless poorly secured third-party services that leak this data if the impersonator has but a few data points with which to work.

And of course these data points are for sale via a myriad places in the Dark Web for less than the Bitcoin equivalent of a regular coffee at Starbucks. On this front I’m reminded of the case of ssndob[dot]ru, a now-defunct identity theft service that held this data on more than 200 million Americans.

That service was used to look up the name, address, previous address, phone number, Social Security number and date of birth on some of America’s top public figures and celebrities — data that was later published on a doxing site called exposed[dot]su. The victims of exposed[dot]su included then First Lady Michelle Obama; then-director of the FBI Robert Mueller; an former U.S. Attorney General Eric Holder.

Exposed[dot]su was built with the help of identity information obtained and/or stolen from ssndob[dot]ru.

Exposed[dot]su was built with the help of identity information obtained and/or stolen from ssndob[dot]ru.

Read more here:: KrebsOnSecurity