Category Archives: News and Events

Article: Data Breaches Skyrocketing In NY, A Million People Exposed

Via: Patch.com

“The reported number of data breaches jumped 60 percent in 2016, mostly by hackers. See tips on how to protect yourself.

Data breaches, mostly by hackers, are skyrocketing, according to a new report from the state Attorney General.

In 2016, the personal records of 1.6 million New Yorkers were exposed as data breaches jumped 60 percent over the previous year. Social Security and financial information were the primary targets.

‘In 2016, New Yorkers were the victims of one of the highest data exposure rates in our state’s history,” said Attorney General Eric Schneiderman in an announcement about the data. “The total annual number of reported security breaches increased by 60% and the number of exposed personal records tripled. Hacking is increasingly prevalent – making it all the more important for companies and citizens alike to take precaution when sharing and storing personal data. It’s on all of us to guard against those who try to use our personal information for harm – as these breaches too often jeopardize the financial health of New Yorkers and cost the public and private sectors billions of dollars.’

Four times out of 1o, the data breach was because someone hacked in from outside. Another 14 percent of the time, the breach was by a skimming device. Only 1.48 percent of the time was it due to theft of something like a phone or computer.

It wasn’t always personally and maliciously targeted, though. This past year, employee negligence, namely the inadvertent exposure of records, accounted for 24 percent of breaches.

And what personal records were most exposed?

The most frequently acquired information in 2016 was Social Security numbers and financial account information, which together accounted for 81 percent of breaches in New York. Other records such as driver’s license numbers (8 percent), date of birth (7 percent) and password/account information (2 percent) together accounted for 1,284,037 of exposed personal records in 2016.

While they get big headlines, mega-breaches were not all that common in 2016, Schneiderman’s office said.

On October 12, 2016, Newkirk Products, Inc., a business associate of Capital District Physicians’ Health Plan, Inc., CDPHP Universal Benefits, Inc., and Capital District Physicians’ Healthcare Network, Inc., reported exposing the personal health information of 761,782 New Yorkers. The next largest breach, reported on January 13, 2016, was at HSBC bank. It exposed the financial, personal, and social security information of 251,201 New Yorkers. Additionally, breaches at Eddie Bauer and Emblem Health reportedly affected 60,205 and 55,664 New Yorkers in August and November, respectively.

The Attorney General’s Office suggests that consumers guard against threats in these ways:

  • Create Strong Passwords for Online Accounts and Update Them Frequently. Use different passwords for different accounts, especially for websites where you have disseminated sensitive information, such as credit card or Social Security numbers.
  • Carefully Monitor Credit Card and Debit Card Statements Each Month. If you find any abnormal transactions, contact your bank or credit card agency immediately.
  • Do Not Write Down or Store Passwords Electronically. If you do, be extremely careful of where you store passwords. Be aware that any passwords stored electronically (such as in a word processing document or cell phone’s notepad) can be easily stolen and provide fraudsters with one-stop shopping for all your sensitive information. If you hand-write passwords, do not store them in plain sight.
  • Do Not Post Any Sensitive Information on Social Media. Information such as birthdays, addresses, and phone numbers can be used by fraudsters to authenticate account information. Practice data minimization techniques. Don’t overshare.
  • Always Be Aware of the Current Threat Landscape. Stay up to date on media reports of data security breaches and consumer advisories.”

Source: http://patch.com/new-york/ossining/data-breaches-skyrocketing-ny-million-people-exposed-ag

Multifactor Authentication Enrollment

Vulnerability Discovered in Cisco’s WebEx Extension for Chrome, Firefox and Internet Explorer

Cisco has recently disclosed a vulnerability in its WebEx extensions for Google Chrome, Firefox and Internet Explorer. This vulnerability affects all Windows machines that have the WebEx extension installed. If this vulnerability is not addressed, an attacker could execute remote code onto your computer.

If you use WebEx, an application for online meetings, with Google Chrome, it is vital that you update to version 1.0.7, the latest extension. Cisco continues to work on similar updates for Firefox and Internet Explorer. Until these updates are released, we advise you to remove those extensions from your Firefox and Internet Explorer browsers. See below for instructions.

To check for and update the Cisco WebEx Chrome extension:

  1. Open your Google Chrome browser.

  2. Type chrome://extensions into the address bar and hit Enter.

  3. Scroll down until you see the entry for the Cisco WebEx extension (extensions are organized alphabetically).

    • If the Cisco WebEx extension is not present or the version number for the WebEx Extension is 1.0.7, there is nothing more you need to do.

    • If the version number is not equal to 1.0.7, check the Developer mode box in the top right corner of the page.

      • This will reveal a button in the top right corner called Update extensions now. Click the Update extensions now button.

      • Once the update runs, the WebEx extension version should be 1.0.7.

To remove the extension from Firefox:

  1. Open your Mozilla Firefox browser.

  2. Type about:addons into the address bar and hit enter.

  3. On the sidebar select Extensions.

  4. Scroll down until you see the entry for the Cisco WebEx extension (extensions are organized alphabetically).

  5. Click remove.

  6. Restart your browser.

To remove the extension from Internet Explorer:

  1. Open your Internet Explorer browser.

  2. Press ALT + X to open the menu.

  3. Click Manage Add-ons

  4. Under Show, select All Add-Ons.

  5. Scroll down until you see the entry for the Cisco WebEx extension (extensions are organized alphabetically).

  6. Click remove.

  7. Restart your browser.

The UISO advises you to stay up to date with the latest OS, application, and security updates, which can be found on Fordham IT’s UISO social media sites.

For any IT security concerns, contact IT Customer Care at 718-817-3999 or HelpIT@fordham.edu.

For more information on the vulnerability visit Cisco’s advisory post. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170124-webex

Article: Hacked Yahoo Data Is for Sale on Dark Web

“Some time around August 2013, hackers penetrated the email system of Yahoo, one of the world’s largest and oldest providers of free email services. The attackers quietly scooped up the records of more than 1 billion users, including names, birth dates, phone numbers and passwords that were encrypted with an easily broken form of security.

The intruders also obtained the security questions and backup email addresses used to reset lost passwords — valuable information for someone trying to break into other accounts owned by the same user, and particularly useful to a hacker seeking to break into government computers around the world: Several million of the backup addresses belonged to military and civilian government employees from dozens of nations, including more than 150,000 Americans.

No one knows what happened to the data during the next three years. But last August, a geographically dispersed hacking collective based in Eastern Europe quietly began offering the whole database for sale, according to Andrew Komarov, chief intelligence officer at InfoArmor, an Arizona cybersecurity firm, who monitors the dark corners of the internet inhabited by criminals, spies and spammers. Three buyers — two known spammers and an entity that appeared more interested in espionage — paid about $300,000 each for a complete copy of the database, he said.

The attack, which Yahoo disclosed on Wednesday, is the largest known data breach of a company. And neither Yahoo nor the public had any idea it had occurred until a month ago, when law enforcement authorities came to the company with samples of the hacked data from an undisclosed source.

Yahoo still does not know who broke into its systems in 2013, how they got in or what they did with the data, the company said Wednesday. It has made more progress tracking down a separate hacking episode in 2014, which compromised 500 million email accounts and was disclosed in September. The company has said it believes the 2014 attack was sponsored by a government entity but has not identified it.

The Federal Bureau of Investigation said in a statement that it was investigating the Yahoo breach. Attorney General Eric T. Schneiderman of New York also said his office was in touch with Yahoo to examine the circumstances of the data breach.

Security experts and former government officials warned that the real danger of the Yahoo attack was not that hackers gained access to Yahoo users’ email accounts, but that they obtained the credentials to hunt down more lucrative information about their targets wherever it resided across the web.

“This wasn’t an attack against Yahoo, but rather reconnaissance to launch other campaigns,” said Oren Falkowitz, a former analyst at the National Security Agency who now runs Area 1, a Silicon Valley security start-up.

“Inactive or not, a billion user accounts and hashes means attackers have a golden key for new phishing attacks,” he said. In a phishing attack, a hacker often poses as a trusted contact and tries to induce the recipient of an email to click on a malicious link or share sensitive information.

Users routinely ignore advice to use different passwords for their different accounts across the web, which means a stolen Yahoo user name and password could open the door to more sensitive information in online-banking, corporate or government email accounts.

Mr. Komarov said the group that hacked Yahoo in 2013, which he calls Group E, appeared to be motivated by money, not politics. It is believed to have broken into the systems of major American internet companies like LinkedIn, Myspace, Dropbox and Tumblr, as well as foreign-owned services like VKontakte, a Russian social network similar to Facebook.

Group E sometimes sells complete copies of the data, Mr. Komarov said. It also combines information from different hacking forays into a master database. Like a corporate marketer, it peddles chunks of the data to spammers seeking to reach specific audiences, like middle-aged women who live in certain ZIP codes. It sometimes operates through intermediaries.

That database of 1 billion Yahoo accounts, Mr. Komarov said, is still for sale, although current bids are coming in at $20,000 to $50,000 since the data is much less valuable now that Yahoo has changed the passwords.”

Source: http://www.nytimes.com/2016/12/15/technology/hacked-yahoo-data-for-sale-dark-web.html?_r=2

Article: 1 Billion Yahoo Accounts Stolen

“Yahoo has suffered another hack.

The company disclosed today that it has discovered a breach of more than one billion user accounts that occurred in August 2013. The breach is believed to be separate and distinct from the theft of data from 500 million accounts that Yahoo reported this September.

Troublingly, Yahoo’s chief information security officer Bob Lord says that the company hasn’t been able to determine how the data from the one billion accounts was stolen. ‘We have not been able to identify the intrusion associated with this theft,’ Lord wrote in a post announcing the hack.

‘The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers,’ Lord added.

Yahoo was alerted to the massive breach by law enforcement and has examined the data with the help of outside forensic experts. The data does not appear to include payment details or plaintext passwords, but it’s still bad news for Yahoo account holders. The hashing algorithm MD5 is no longer considered secure and MD5 hashes can easily be looked up online to discover the passwords they hide.

Yahoo says it is notifying the account holders affected in the breach. Affected users will be required to change their passwords.

Yahoo also announced today that its proprietary code had been accessed by a hacker, who used the code to forge cookies that could be used to access accounts without a password. ‘The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. We are notifying the affected account holders, and have invalidated the forged cookies,’ Lord said, adding that he believed the attack was launched by a state-sponsored actor.

Today’s revelations add to Yahoo’s long string of security problems. Yahoo employees reportedly knew of the intrusion that led to the theft of data from 500 million users as early as 2014, but the company did not announce the breach until this September. What Yahoo executives knew about the breach, and when they knew it, have been crucial questions in Verizon’s ongoing acquisition of Yahoo. Yahoo did not disclose the first breach until several months after the deal was announced.”

“What can users do to protect their account?

  • Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account;
  • Review all of your accounts for suspicious activity;
  • Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information;
  • Avoid clicking on links or downloading attachments from suspicious emails; and
  • Consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.”

Sources: https://techcrunch.com/2016/12/14/yahoo-discloses-hack-of-1-billion-accounts/

https://yahoo.tumblr.com/post/154479236569/important-security-information-for-yahoo-users

Article: How to protect yourself while online shopping for the holidays

A recent article from Mashable provides researched geared towards protecting yourself online while shopping for the holidays:

—Begin—

With many retailers offering internet-only promotions to go along with their in-store doorbusters, more Americans than ever seem to be choosing to stay home to take advantage of the best deals of the season.

Research from Visa projects an 18 percent increase in online holiday spending this year, which follows 16 percent growth over the 2015 season from the year before. That uptick in 2015 resulted in about $11 billion of online sales over the five-day Thanksgiving weekend period (Thanksgiving Day through Cyber Monday). That’s why it’s essential that shoppers protect themselves and their personal information more than ever in 2016. Especially since “25 percent of all security breaches [are] taking place in the retail sector,” said Experts Exchange COO Gene Richardson in a statement to Mashable.

As a former head of the data security teams of IBM, Charles Schwab and Motorola, Richardson has extensive experience advising companies and consumers alike on how to avoid fraud and protect their identities online.

With that in mind, he’s assembled a set of helpful online shopping safety tips:

1. Ensure that the website address is secure and has a valid encryption certificate. It will usually display a “locked, green” indicator in front of the website name. If it doesn’t have that, it does not have a higher level of security that has been guaranteed by a known entity like Verisign, Symantec and others.

2. Ensure your system has the most recent recommended system and security patches.

3. Always use a credit card that is not tied directly to your personal bank account(s), even if you are using PayPal, Bitcoin or some other payment method.

4. Never give anything other than name, address and phone number. You should not need to answer security or privacy questions when making a purchase or checking out. If they ask, see if you can checkout as a “guest” instead.

5. Monitor your credit through a third party for identify theft and have SMS and email alerts sent to you immediately.

6. Set-up alerts with your credit card company that send both SMS and emails when any purchases are made and the credit card was not scanned (meaning, it wasn’t in someone’s hand when the charge was made). Set them as low as $25 per purchase. Also, set-up alerts for total purchases over $500 in a billing period to protect multiple $24.99 purchases. And if possible, a maximum amount of purchases allowed in a billing period such as $1500 before card will get declined.

7. Ensure that you have a reputable Antivirus program running on your computer and that your browser has an Ad blocking plug-in.

8. Ensure that the network your computer/device is on is secure and you know who has access to your network. This is usually done with your router. You want to lock down your router so that traffic can be initiated from the inside-out but you do not want traffic to be initiated from the outside-in. If you are using a WiFi connection, make sure that network is also secure and requires a password to join. If it is a public WiFi network that doesn’t require a password, then the traffic coming from your device can be monitored and stolen.

9. Any passwords that you use should be strong, hard to guess ones. Or, even better, hard to guess, but easy to remember.

10. Don’t click on unfamiliar links to sites advertising sales, coupons, etc.

11. Use two-factor authentication/verification, if it is offered.

Mobile Concerns

To stay safe while shopping on your phone or tablet, be sure to follow these tips, according to RiskIQ:

1. Only download apps from official app marketplaces like Google Play or Apple’s App Store.

2. Be wary of applications that ask for suspicious permissions, like access to contacts, text messages, administrative features, stored passwords, or credit card info.

3. Check out the background of an app before downloading. Research the developer and be cognizant of the spelling of brand names.

4. Make sure to take a deep look at each app. New developers, or developers that leverage free email services (e.g., @gmail) for their developer contact, can be enormous red flags — threat actors often use these services to produce mass amounts of malicious apps in a short period. Also, poor grammar in the description highlights the haste of development and the lack of marketing professionalism that are hallmarks of mobile malware campaigns.

Common Sense

Just like any other time of the year, a deal found online over Thanksgiving weekend that seems too good to be true might be just that.

In addition to Richardson’s first tip about web page encryption certificates, always check website addresses after following links on Twitter, Facebook or even Google to be sure you haven’t been redirected. Legitimate retailers will almost always be determined by the “S” in HTTPS at retail sites.

Finally, keep your personal and financial information close at hand. Never provide anything until you’ve done your homework on a site or app, and even then never input anything until you’ve selected your purchase and are checking out.

With a measured approach to online shopping, you can dodge the in-store lines and the security risks this holiday season.

—End—
Source: http://mashable.com/2016/11/21/online-shopping-safety-black-friday-cyber-monday/#6OHl_1zRaqql

Article: Post-Election Spear Phishing Campaigns

A recent article warns of election related spear-phishing and malware infected emails.

—Begin—

In the wake of the 2016 United States Presidential Election, not even six hours after Donald Trump became the nation’s President-Elect, an advanced persistent threat (APT) group launched a series of coordinated and well-planned spear phishing campaigns.

These e-mails came from a mix of attacker created Google Gmail accounts and was appears to be compromised e-mail accounts at Harvard’s Faculty of Arts and Sciences (FAS). These e-mails were sent in large quantities to different individuals across many organizations and individuals focusing in national security, defense, international affairs, public policy, and European and Asian studies. Two of the attacks purported to be messages forwarded on from the Clinton Foundation giving insight and perhaps a postmortem analysis into the elections. Two of the other attacks purported to be eFax links or documents pertaining to the election’s outcome being revised or rigged. The last attack claimed to be a link to a PDF download on “Why American Elections Are Flawed.”

The post-election attacks launched by the Dukes on November 9 were very similar to previous attacks seen from the Dukes in both 2015 and 2016. The PowerDuke malware, first seen in August 2016, was once again used in these most recent attacks. Three of the five attack waves contained links to download files from domains that the attackers appear to have control over. The other two attack contained documents with a malicious macros embedded within them. Each of these different attack waves were slightly different from one another and are detailed below.

Attack Wave 1: eFax – The “Shocking” Truth About Election Rigging
Attack Wave 2: eFax – Elections Outcome Could Be revised [Facts of Elections Fraud]
Attack Wave 3: Why American Elections Are Flawed

—End—

More information can be found at: https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/

Article: Free Tools to Remove Ransomware Infections From Your PC

“Ransomware, a variety of malware which encrypts user files and demands payment in return for a key, has become a major threat to businesses and the average user alike.

Coming in a variety of forms, ransomware most often compromises PCs through phishing campaigns and fraudulent emails. Once a PC is infected, the malware will encrypt, move, and potentially delete files, before throwing up a landing page demanding a ransom in Bitcoin.

Demands for payment can range from a few to thousands of dollars. However, giving in and paying the fee not only further funds the development and use of this malware, but there is no guarantee any decryption keys given in return will work.

It is estimated that ransomware attacks cost more than $1 billion per year.

The No More Ransom Project, launched by the National High Tech Crime Unit of the Netherlands’ police, Europol, Kaspersky, and Intel Security, is a hub for victims to find out how to remove infections — and how to prevent themselves becoming infected in the future.

Unfortunately, not every type of ransomware has been cracked by research teams. Time and vulnerabilities which can be exploited by cybersecurity experts are required, and so some ransomware families do not have a solution beyond wiping your system clean and using backup data.

However, researchers are cracking more types of ransomware every month and there are a number of tools available which give victims some hope to retrieve their files.

The No More Ransom Project offers a quick way to find out what sort of ransomware is on your PC . Alternatively, the Malware Hunter Team runs the ID Ransomware online service which can also be used to identify infections.”

You can find a range of tools and software made available by researchers to scour your PC clean of the most common types of infection as well as links to the the No More Ransom Project and Malware Hunter Team’s ID Ransomware online service in the article.

Source:http://www.zdnet.com/article/remove-ransomware-infections-from-your-pc-using-these-free-tools/

Cyber Security Awareness Month LearnIT Sessions

Cyber Security is a growing area of concern to many organizations as well as individuals. With the growing number of cyber based attacks, it is imperative as members of the Fordham community that we identify some possible threats and understand the simple steps we can take daily to protect ourselves as well as our university.

To share our knowledge on the subject and to discuss certain topics, we will be holding two LearnIT sessions. One will be October 13th at 1:00 p.m at Lincoln Center in room LL304 and the other will be on October 14th at 2:00 p.m. at Rose Hill in the Walsh Library within Flom Auditorium. Topics we will be discussing include, phishing (the process in which a malicious actor attempts to trick you into sharing sensitive information with them), compromises and what to do, password safety tips, ransomware (the process in which a malicious actor locks your data or device and demands payment for the keys), mobile device safety and much more.

Article: 500 Million Yahoo Accounts Stolen

“Yahoo confirmed on Thursday data “associated with at least 500 million user accounts” have been stolen in what may be one of the largest cybersecurity breaches ever.

The company said it believes a “state-sponsored actor” was behind the data breach, meaning an individual acting on behalf of a government. The breach is said to have occurred in late 2014.

“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” Yahoo said in a statement.

Yahoo urges users to change their password and security questions and to review their accounts for suspicious activity.

The silver lining for users — if there is one — is that sensitive financial data like bank account numbers and credit card data are not believed to be included in the stolen information, according to Yahoo.

Yahoo is working with law enforcement to learn more about the breach.

“The FBI is aware of the intrusion and investigating the matter,” an FBI spokesperson said. “We take these types of breaches very seriously and will determine how this occurred and who is responsible. We will continue to work with the private sector and share information so they can safeguard their systems against the actions of persistent cyber criminals.”

A large-scale data breach was first rumored in August when a hacker who goes by the name of “Peace” claimed to be selling data from 200 million Yahoo users online. The same hacker has previously claimed to sell stolen accounts from LinkedIn  and MySpace.

Yahoo originally said it was “aware of a claim” and was investigating the situation. Nearly two months later, it turns out the situation is even worse.

“This is massive,” said cybersecurity expert Per Thorsheim on the scale of the hack. “It will cause ripples online for years to come.”

U.S. Sen. Richard Blumenthal called for tougher legislation to “make sure companies are properly and promptly notifying consumers when their data has been compromised.”

“If Yahoo knew about the hack as early as August, and failed to coordinate with law enforcement, taking this long to confirm the breach is a blatant betrayal of their users’ trust,” he said in a statement.

Here are steps to take to secure your online accounts.

Change passwords often

Yahoo is asking anyone who hasn’t changed their password since 2014 to update it. This is good advice for everyone: Passwords should be changed often. You won’t always get a timely notice from a company that an account was compromised — and sometimes it might not even know about a hack until much later. In this case, it took two years for the company to confirm the breach.

Never use the same password twice

Never use the same password twice. If hackers get the password for one of your online accounts, they can try to use it to access your other accounts that take the same credentials.

Pick better passwords

Consider using a phrase instead of single words that are more easily guessed. Don’t go for common phrases like cliches: Pick a combination of words that don’t go together — i.e. rather than “herecomesthesun,” go for something like “wombatbootsparade”.

Avoid using common passwords like 1-2-3-4-5-6 or p-a-s-s-w-o-r-d, and include a mixture of numbers, letters and characters.

Update those security questions

If you forget a password, using security questions is an easy way to gain access back into your own account — its not like you’ll ever forget your mom’s maiden name. But some Yahoo security answers and questions were a part of the breach. The company has already disabled any unencrypted security answers on its accounts.

If you frequently use the same security questions and answers for other online accounts, you’ll want to change those, as well. Attackers could use the information taken from Yahoo to obtain access to other online accounts that contain even more sensitive information.

Avoid choosing the obvious questions and don’t provide answers that are easy to find online through Google searches, social media sites or old Live Journal entries.

Be alert

The company is urging users to look through their Yahoo accounts (email, calendar, groups, etc.) for any signs of suspicious activity. Although it doesn’t say what to look for, start by checking outgoing emails.

Be extra careful about clicking on links or opening downloads from unknown email addresses. If anyone emails asking for your password, it’s a red flag — even if it looks like it’s coming from a legitimate place like Yahoo or a bank. Never share any account information or passwords over email.”

Sources: http://money.cnn.com/2016/09/22/technology/yahoo-data-breach/

http://money.cnn.com/2016/09/22/technology/yahoo-hack-password-tips/index.html?iid=SF_LN