breach (35 topics)

CVE-2013-3587 in Version 14.1

Hello, a security audit asked for CVE-2013-3587. I came across this info: https://support.f5.com/csp/article/K14634 but this is only until version 13; we're running version 14.1. Does anyone know how to mitigate this? Or does anyone know how to handle HTTP compression? There are some (for me) confusing docs on F5.

Identity Theft: Not So Scary Anymore?
This article originally appeared on F5.com on 10.20.15.

With Halloween in our rearview mirror and the holiday shopping season upon us, a couple of surveys are out examining our fears and, in particular, our concerns about identity theft. Apparently, ID theft is not so scary anymore - like entering a haunted house for the hair-raising screams but walking out with nervous giggles.

Over at Bankrate.com, only 54% of surveyed tricksters say they are somewhat or very frightened of ID theft. That's down from the 80% who expressed the same level of concern back in 2008. Almost half, 43%, claim they have little or no fear, trouncing the 19% who were brave in 2008. This is all while the overall victim count remains at similar levels - 12.5 million in 2008 versus 12.7 million in 2014, according to Javelin Strategy & Research. As far as knowing someone who has been hit, 46% say they or a friend has been a victim, compared to 34% in 2008. They chalk it up to people being desensitized to breaches due to the almost weekly confessions of data intrusions. The general feeling is that if large retailers, health care providers and credit agencies can't keep my data safe, how can I?

More of those same folks, however, are also following some good advice: shredding sensitive documents (72%), checking their credit report regularly (56%), avoiding insecure WiFi (54%), and almost 20% have frozen their credit files. These are all good ways to help you worry less.

And Chapman University published their Survey of American Fears, Wave 2 (2015), examining the fears of average Americans. The domains of fear include areas like crime, natural and man-made disasters, personal anxieties, environment, technology and others. Along with corruption, terrorism and warfare, identity theft comes in at 39.6% and credit card fraud sits at 36.9%. Both in the Top 10.

So, while ID theft is still one of our top fears, by the time you get to Nightmare on Identity Street 4, Freddy isn't so frightening and you have some tools to deal with him. Besides, your insecure connected kettles could be exposing your WiFi passwords without your knowledge. Now that's scary!

ps

Related:
Survey: More Americans say 'boo' to the ID theft boogeyman
America's Top Fears 2015
Connected kettles boil over, spill Wi-Fi passwords over London
The Breach of Things
The Reach of a Breach
5 Stages of a Data Breach

Technorati Tags: identity theft, breach, privacy, crime, fears, silva, fraud

Is Your DNS Vulnerable?
This article originally appeared on F5.com on 7.29.15.

A recent report from the Infoblox DNS Threat Index (in conjunction with Internet Identity) shows that phishing attacks have raised the DNS threat level to a record high of 133 for the second quarter of 2015, up 58% from the same time last year. The biggest factor for the jump is the creation of malicious domains for phishing attacks. Malicious domains are all those very believable but fake sites used to mimic real sites to get you to enter sensitive details. You get a phishing email, you click the link and get sent to a financial site that looks and operates just like your real bank site. If you're fooled and enter your credentials or other personal information, you could be giving the bad guys direct access to your money. These sites can also pretend to be corporate portals to gather employee credentials for future attacks.

Along with the malicious domains, demand for exploit kits also helped propel the DNS threat. Exploit kits are those wonderful packaged software bundles that can run, hidden, on websites and load nasty controls and sniffers on your computer without you even knowing.

The Infoblox DNS Threat Index has a baseline of 100, which is essentially the quarterly average over 2013 and 2014. In the first quarter of 2015, the threat index jumped to 122 and then another 11 ticks for Q2 2015, hitting the high mark. Phishing was up by 74% in the second quarter, and Rod Rasmussen, CTO at IID, noted that they saw a lot of phishing domains put up in the second quarter. You'd think after all these years this old trick would die, but it is still very successful for criminals, and with domain names costing less than $20 and available in minutes, it is a cheap investment for a potentially big score.

DNS is what translates the names we type into a browser (or mobile app, etc.) into an IP address so that the resource can be found on the internet. It is one of the most important components of a functioning internet and, as I've noted on several occasions, something you really do not think about until it isn't working...or is hacked. Second to HTTP, DNS is one of the most targeted protocols and is often the source of many attacks. This year alone, the St. Louis Federal Reserve suffered a DNS breach, Malaysia Airlines' DNS was hacked, and Lenovo.com, to name a few. In addition, new exploits are surfacing targeting vulnerable home network routers to divert people to fake websites, and DNS DDoS is always a favorite for riff-raff. Just yesterday 3 people were sent to prison in the DNS Changer case. With more insecure IoT devices coming online and relying on DNS for resolution, this could be the beginning of a wave of DNS related incidents. But it doesn't have to be.

DNS will become even more critical as additional IoT devices are connected and we want to find them by name. F5 DNS Solutions, especially DNSSEC solutions, can help you manage this rapid growth with complete solutions that increase speed, availability, scalability and overall security, and intelligently manage global app traffic. At F5 we are so passionate about DNS hyperscale and security that we are now even more focused with our new BIG-IP DNS (formerly BIG-IP GTM) solution.

ps

@psilvas

Related:
Phishing Attacks Drive Spike In DNS Threat
The growing threat of DDoS attacks on DNS
Infoblox DNS Threat Index Hits Record High in Second Quarter Due to Surge in Phishing Attacks
Infoblox DNS Threat Index
Eight Internet of Things Security Fails
Intelligent DNS Animated Whiteboard (Video)
CloudExpo 2014: The DNS of Things (Video)
DNS Doldrums

Technorati Tags: breach, dns, f5, phishing, security, malware, threats, silva

Is 2015 Half Empty or Half Full?
With 2015 crossing the halfway point, let's take a look at some technology trends thus far.

Breaches: Well, many databases are half empty due to the continued rash of intrusions, while the crooks are half full with our personal information. Data breaches are on a record pace this year, and according to the Identity Theft Resource Center (ITRC), there have been 400 data incidents as of June 30, 2015. One more than this time last year. And 117,576,693 records had been compromised. ITRC also noted an 85% increase in the number of breaches within the banking sector. From health care to government agencies to hotel chains to universities and even Major League Baseball, breaches and attacks are now a daily occurrence.

Cloud: Who would've thought back in 2008 that this cloud thing would now be half full? Over the last couple of years, the 'cloud' has become a very viable option for organizations large and small. It is becoming the platform for IoT, and many organizations such as Google and GE are now moving critical corporate applications to the cloud. While hybrid is the new normal, remember, The Cloud is Still just a Datacenter Somewhere.

DNS: While IPv4 addresses are now completely empty, DNS seems to be half to almost full in 2015. DNS continues to be a target for attackers along with being an enabler for IoT. It is so important that Cisco recently acquired OpenDNS to help fight IoT attacks, and the courts got a guilty plea from an Estonian man who altered DNS settings on infected PCs with the DNSChanger malware. I think of DNS as a silent sufferer - you really don't care about it until it doesn't work. Start caring this year.

Internet: Full but still growing. As noted above, IPv4 addresses are gone. Asia, Europe, Latin America and now North America have run out of IPv4 addresses and have exhausted their supplies. If you're wondering how to handle this glass, F5 has some awesome 4to6 and 6to4 solutions.

IoT: Things, sensors and actuators are all the buzz and are certainly half full for 2015. At this time last year, IoT was at the top of the Gartner Hype Cycle, and it has certainly not disappointed. Stories abound about Internet of Things Security Risks and Challenges, 10 of the biggest IoT data generators, the Top 10 Worst Wearable Tech Devices So Far, The (Far-Flung) Future Of Wearables, along with the ability to Smell Virtual Environments and whether We Need Universal Robot Rights, Ethics And Legislation. RoboEthics, that is.

Mobile: We are mobile, our devices are mobile, and the applications we access are now probably mobile also. Mobility, in all its connotations, is a huge concern for enterprises, and it'll only get worse as we start wearing our connected clothing to the office. The Digital Dress Code has emerged. Mobile is certainly half full, and there is no emptying it now.

Privacy: At this point, with all the surveillance, data breaches, gadgets gathering our daily data and our constant need to tell the world what we're doing every second, this is probably bone dry. Pardon, half empty, sticking to the theme.

That's what I've got so far, and I'm sure 2015's second half will bring more amazement, questions and wonders. We'll do our year in review and predictions for 2016 as we all lament, where did 2015 go?

There is that old notion that if you see a glass half full, you're an optimist, and if you see it half empty you are a pessimist. Actually, you need to understand what the glass itself was before the question. Was it empty and filled halfway, or was it full and poured out? There's your answer!

ps

Related: It's all contained within the blog.

Technorati Tags: f5, breach, security, cloud, dns, iot, mobile, 2015, silva, empty or full

Healthcare in the Crosshairs
Is Healthcare the new Target?

Recently I've received a number of 'I am writing to inform you that we were the target of a sophisticated cyber attack and some of your personal information may have been accessed by the attackers...' letters for myself and my family. I especially hate the ones that start, 'To the parents of...' because my daughter has a rare genetic condition. You probably got one of these letters too, since the Anthem breach could have disclosed medical records for as many as 80 million people.

Medical identity theft is big business and has become a huge target over the last few years. The attackers are not really interested in that sprained ankle or those 25 stitches from last summer. They want the personally identifiable information. Names, addresses, birthdays and social security numbers. Stuff you can actually use to open accounts, commit insurance fraud and create fake identities - using real information. Healthcare info also goes for a premium on black market sites. One expert recently noted that at one underground auction, a patient medical record sold for $251 while credit cards are selling at .33 cents. With all the recent retail breaches, credit cards have flooded the underground, plus they can get cancelled quickly.

I also know that fraudsters are already trying to entice people with fake emails and calls regarding the breaches - I've gotten a bunch of them recently. More than ever, do not click the email link unless you're expecting something.

The interesting phenomenon for me is all the identity theft protection offerings from various credit bureaus. One breach, sign up here...another breach, sign up there. It is important to take advantage of the services to stay alert on your identity, but you also have to hand the very same sensitive info that was just compromised to yet another entity. I'm waiting on the breach of one of these identity protection sites. I mean, the thieves must be thinking, 'well, we missed them in the medical grab but maybe we can get them through the protection app.'

According to Ponemon Institute, about 90% of healthcare organizations have reported at least one data breach over the last two years, with most due to employee negligence or system flaws, but more, as we've seen recently, are due to criminal behavior. Certainly, there will be more of these healthcare hiccups in the coming years, especially with the push to digitize medical records. Great for patient access but a huge risk for unauthorized peeks. With the Premera breach hot on Anthem's heels, I hope providers are getting the message that the bad guys are coming for ya.

ps

Related:
Massive breach at health care company Anthem Inc
Anthem Data Breach: Potential Game Changer for Healthcare
Health care data breaches have hit 30M patients and counting
Data Breach at Anthem May Forecast a Trend
Premera breach: Are hackers targeting more health records as credit card companies improve security?
The Hacker Will See You Now
Lost Records a Day Shows Doctors are Blasé
The Top 10, Top 10 Predictions for 2015

Technorati Tags: healthcare, records, pii, breach, patient, silva, security, privacy, f5, medical

The Breach of Things
Yet another retailer has confessed that their systems were breached, and an untold number of victims join the growing list of those whose data was stolen. This one could be bigger than the infamous Target breach. I wonder if some day we'll be referring to periods of time by the breach that occurred. 'What? You don't remember the Target breach of '13! Much smaller than the Insert Company Here Breach of 2019!' Or almost like battles of a long war. 'The Breach of 2013 was a turning point in the fight against online crime,' or some other silly notion.

On top of that, a number of celebrities' private photos, stored in the cloud (of course), were privately stolen. I'm sorry, but if you are going to take private pictures of yourself with something other than a classic Polaroid, someone else will eventually see them.

Almost everything seems breach'able these days. Last year, the first toilet was breached. The one place you'd think you would have some privacy has also been soiled. Add to that televisions, thermostats, refrigerators and automobiles. And a person's info with a dangerous hug. Companies are sprouting up all over to offer connected homes where owners can control their water, temperature, doors, windows, lights and practically any other item, as long as it has a sensor. Won't be long until we see sensational headlines including 'West Coast Fridges Hacked...Food Spoiling All Over!' or 'All Eastern Televisions Hacked to Broadcast old Gilligan's Island Episodes!' As more things get connected, the risks of a breach obviously increase.

The more I thought about it, I felt it was time to resurrect this dandy from 2012: Radio Killed the Privacy Star, for those who may have missed it the first time. Armed with a mic and a MIDI, I belt out, karaoke style, my music video 'Radio Killed the Privacy Star.' Lyrics can be found at Radio Killed the Privacy Star. Enjoy.

ps

Related:
The Internet of Sports
Is IoT Hype For Real?
Internet of Things OWASP Top 10
Uncle DDoS'd, Talking TVs and a Hug
Welcome to the Phygital World
The DNS of Things

Technorati Tags: breach, things, iot, data, privacy, target, photos, f5, silva, security, video

Fear and Loathing ID Theft
Do you avoid stores that have had a credit card breach? You are not alone. About 52% of people avoid merchants who have had a data breach, according to a recent Lowcards survey. They surveyed over 400 random consumers to better understand the impact of identity theft on consumer behavior. 17% said they or a family member was a victim of identity theft over the last year, with half the cases being credit card theft. 94% said they are more concerned or equally concerned about ID theft. They estimate that there were 13.5 million cases of credit card identity theft in the United States over the last 12 months.

These concerns are also changing the way some people shop. Over half (56%) are taking extra measures to protect themselves from identity theft. Some of these behaviors include using a debit card less (28%), using cash more (25%), ordering online less (26%) and checking their credit report more (38%). These are all reasonable responses to the ever challenging game of protecting your identity, and it is important since 89% of security breaches and data loss incidents could have been prevented last year, according to the Online Trust Alliance's 2014 Data and Breach Protection Readiness Guide.

The game is changing, however, and mobile is the new stadium. Let's check that scoreboard. Most of the security reports released thus far in 2014, like the Cisco 2014 Annual Security Report and the Kaspersky Security Bulletin 2013, show that threats to mobile devices are increasing. We are using them more and using them for sensitive activities like shopping, banking and storing personally identifiable information. It is no wonder that the thieves are targeting mobile and getting very good at it. Kaspersky's report talks about the rise of mobile botnets and their effectiveness, since we never shut off our phones. They are always ready to accept new tasks, either from us or from a foreign remotely controlled server, with SMS trojans leading the pack. Mobile trojans can even check on the victim's bank balance to ensure the heist is profitable, and some will even infect your PC when you connect the phone to it by USB.

[Figure: Distribution of exploits in cyber-attacks by type of attacked application]

I guess the good news is that people are becoming much more aware of the overall risks surrounding identity theft and breaches, but will the convenience and availability of mobile put us right back in that dark alley? Mobile threats are starting to reach PC proportions, with online banking being a major target, and many of the potential infections are delivered via SMS messages. Sound familiar? Maybe we can simply cut and replace 'PC' with 'Mobile' on all those decade old warnings of: Watch what you click!

ps

Related:
Some consumers changing habits because of data breach, ID theft worries, report finds
LowCards Exclusive Study: Identity Theft Concerns Shifting Shopping Habits of Americans
Kaspersky Security Bulletin 2013. Overall Statistics for 2013
Mobile Payments and Devices Under Attack
An SMS Trojan with Global Ambitions
Mobile Malware Milestone
Mobile Threats Rise 261% in Perspective
Nine Security Best Practices You Should Enforce

Technorati Tags: mobile, shopping, breach, malware, idtheft, behavior, silva, trojan

Will the Cloud Soak Your Fireworks?
This week in the States, the nation celebrates its Independence, and many people will be attending or setting off their own fireworks show. In Hawaii, fireworks are shot off more during New Year's Eve than on July 4th, and there is even Daytime Fireworks now. Cloud computing is exploding like fireworks with all the Oooooooo's and Ahhhhhhh's of what it offers, but the same groan, like the traffic jam home, might be coming to an office near you.

Recently, Ponemon Institute and cloud firm Netskope released a study, Data Breach: The Cloud Multiplier Effect, indicating that 613 IT and security professionals felt that deploying resources in the cloud triples the probability of a major breach. Specifically, for a data breach with 100,000+ customer records compromised, the cost would be just over $20 million, based on Ponemon Institute's May 2014 'Cost of a Data Breach'. With a breach of that scale, using cloud services may triple the risk of a data breach. It's called the 'cloud multiplier effect', and it translates to a 3% higher risk of a data breach for every 1% increase in the use of cloud services. So if you had 100 cloud services, you would only need to add 25 more to increase the possibility of a data breach by 75%, according to the study.

69% of the respondents felt that their organizations are not proactive in assessing what data is too sensitive to be stored in the cloud, and 62% said that the cloud services their companies are using are not fully tested to make sure they are secure. Most, almost three-quarters, believed they would not even be notified of a breach that involved lost or stolen intellectual property/business confidential information or even customer data. Not a lot of confidence there. The security respondents felt around 45% of all software applications used by the company were cloud based, yet half of those had no IT visibility. This comes at a time when many organizations are looking to the cloud to solve a bunch of challenges.

At the same time, this sounds a lot like the cloud concerns of years past - security and risk - plus this is the perception of...not necessarily the reality of what's actually occurring. It very well could be the case - with all the parts, loss of control, out in the wild, etc. - that the risk is greater. And I think that's the point. The risk. While cloud does offer organizations amazing opportunities, what these people are saying is that companies need to do a better job at the onset, in the beginning and during the evaluations, to understand the risk of the type(s) of data getting sent to the cloud along with the specific cloud service that holds it.

It has only been a few years that the cloud has been taken seriously, and from the beginning there have been grumblings about the security risks and loss of control. Some cloud providers have addressed many of those concerns, and organizations are subscribing to services or building their own cloud infrastructure. It is where IT is going. But still, as with any new technology bursting with light, color and noise, take good care where and when you light the fuse.

ps

Related:
Cloud computing triples probability of major data breach: survey
Cloud Could Triple Odds of $20M Data Breach
Cloud Triples A Firm's Probability of Data Breach
The future of cloud is hybrid ... and seamless
CloudExpo 2014: Future of the Cloud
Surfing the Surveys: Cloud, Security and those Pesky Breaches
Cloud Bursting Reference Architecture

Technorati Tags: f5, cloud, security, risk, silva, survey, breach, fireworks, july 4

The Reach of a Breach
It comes as no surprise that the CEO of Target has resigned in the wake of their massive data breach. The 2nd executive, if I remember correctly, to resign due to the mishap. Data breaches are costly according to the most recent Ponemon 2014 Cost of Data Breach Study: United States, and the main reason for the steep increase in costs is 'the loss of customers following the data breach due to additional expenses required to preserve the organization's brand and reputation.' The cost of each lost or stolen record, on average, increased from $188 to $201 per record from 2012 to 2013 - a 9% increase. But that's not all. In 2013, there appeared to be 'an abnormal churn rate' of 15% of customers abandoning companies, especially those in financial services, hit by a breach, says Ponemon.

I'm always curious about that. I usually avoid stores that have been recently compromised, wondering if something is lingering, yet think, they gotta be on high alert, especially with law enforcement involved. Maybe it's as safe as it ever will be.

A recent Courion survey of IT security executives showed that 78% of respondents say they're anxious about the possibility of a data breach at their organization. If there were a massive security breach at these companies, 58.8% said 'protecting the privacy of our customers' would be top priority and 62.7% would lament 'negative publicity affecting the company brand' due to the breach. Maybe that's the problem. They're more worried about their image than they are about protecting our info. It's the 58.8% you want to shop at.

Reaching for more, Symantec's Internet Security Threat Report (ISTR), Volume 19, shows a big change in cybercriminal habits, revealing the bad guys are plotting for months before pulling off the huge heists, instead of popping quick hits with smaller bounty. One big is worth fifty small. In 2013, there was a 62% uptick in the number of data breaches, exposing more than 552 million identities. That's about 10% of the planet's population, give or take.

And finally, there have been a few companies that have gone out of business due to a leakage, but a few months ago a data breach also closed some Seattle area Catholic schools. According to the Seattle Archdiocese, at least three Roman Catholic parishes and the Archdiocese's chancery offices had been targeted by a tax-fraud scheme. In order to allow those who were victims time to contact the appropriate institutions during school hours, they cancelled classes. How's that for reach.

ps

Related:
2014 Cost of Data Breach Study (pdf)
A Decade of Breaches
Breaches expose 552 million identities in 2013
Data Breaches 9% More Costly in 2013 Than Year Before
Why the Target Data Breach May Have Been a Great Thing, According to Wells Fargo & Co and Bank of America Corp
Data Breaches: Worse for Your Image than a Dead Body in the Parking Lot
78 Percent of IT Security Execs Worry About Data Breaches
Data breach to close some area Catholic schools Friday

Technorati Tags: breach, target, data_loss, ponemon, security, identity theft, f5, silva

A Decade of Breaches
Whales Not Included

Being from the Hawaiian Islands, the annual gathering of the Kohola (humpback whales) is always a spectacular view. They can get over half their body out of the water and administer a cannonball body slam splash like you've never seen before. Most of the internet thinks they breach to either see what's up (so to speak), let other whales know they are around (if the haunting squeal isn't doing it) and, most common, to relieve the body of lice, parasites and barnacles.

While nature's breaches are unmatched, many internet security breaches are run of the mill leakages. The Verizon 2014 Data Breach Investigations Report (DBIR) found that over the last 10 years, 92% of the 100,000 security incidents analyzed can be traced to nine basic attack patterns. The patterns identified are:

Miscellaneous errors like sending an email to the wrong person
Crimeware (malware aimed at gaining control of systems)
Insider/privilege misuse
Physical theft or loss
Web app attacks
Denial of service attacks
Cyberespionage
Point-of-sale intrusions
Payment card skimmers

The really cool thing about the 9 attack patterns is that Verizon has also charted the frequency of incident classification patterns per industry vertical. For instance, in financial services 75% of the incidents come from web application attacks, DDoS and card skimming, while retail, restaurants and hotels need to worry about point-of-sale intrusions. Utilities and manufacturing, on the other hand, get hit with cyber-espionage. Overall, across all industries, only three threat patterns cover 72 percent of the security incidents in any industry.

Once again, no one is immune from a breach, and while media coverage often focuses on the big whales, the bad guys are not targeting organizations because of who they are but because a vulnerability was found and the crooks decided to see if they could get more. This means that companies are not doing some of the basics to stay protected. For the 2014 analysis, there were 1,367 confirmed data breaches and 63,437 security incidents from 50 global companies. For the most part, the fixes are fairly basic: use strong authentication, patch vulnerabilities quickly and encrypt devices that contain sensitive information. I've barely scratched the surface of the report and highly suggest a thorough reading.

ps

Related:
Verizon 2014 Data Breach Investigations Report Identifies More Focused, Effective Way to Fight Cyberthreats
Verizon Data Breach Investigations Report
Verizon's data breach report: Point-of-sale, Web app attacks take center stage
DBIR: Poor Patching, Weak Credentials Open Door To Data Breaches
Bricks (Thru the Window) and Mortar (Rounds)
Surfing the Surveys: Cloud, Security and those Pesky Breaches
Targets of Opportunity
Unplug Everything!

Photo: Protected Resources Division, Southwest Fisheries Science Center, La Jolla, California.

Technorati Tags: f5, dbir, breach, attack, cyber, verizon, ddos, security, silva