
By Simnikiwe Mzekandaba for ITWeb

Some cyber security experts say the South African Revenue Service’s (SARS’s) decision to introduce a Web browser that supports defunct Adobe Flash Player has “severe” cyber security implications.

Citizens have also taken to social media to express their dismay at the revenue service’s decision to roll out a browser that enables Flash Player.

This week, SARS announced the release of an alternate SARS browser solution, as it tries to deal with the aftermath of the delay in migrating all eFiling forms from Adobe Flash to its chosen HTML5 platform.

In its statement, the tax collecting agency says taxpayers will be able to complete and submit the Flash-based forms not migrated to HTML5, in the interim, while it completes the migration.

“The SARS browser enables access to all eFiling forms, including those that require Adobe Flash, thus maintaining compliance with your filing obligations.”

SARS adds that existing Web browsers such as Chrome and Edge will continue to work for all forms already migrated.

Desperate measures
Even though software company Adobe announced in July 2017 that it will stop supporting Flash Player post 31 December 2020, SARS has been behind in completing the migration process.

As a result of the disruption caused by the migration holdup, last week the taxman said it would implement some remedial actions to assist taxpayers still experiencing issues.

At the time, the taxman didn’t point to a SARS browser among its list of solutions to deal with the disruption caused by the discontinuation of Adobe Flash, but has now indicated its availability.

Cyber security and small business expert Hennie Ferreira says SARS is obviously desperate for a solution; however, the current solution is not safe.

“Flash Player is no longer a secure technology and any solution that involves using Flash Player is not secure. I think SARS is making the matter worse by putting taxpayers at risk by using unsafe technologies.”

Ferreira highlights the only solution around the Flash Player issues is to not use it at all. “SARS should process all requests via e-mail and their call centres manually until they have fixed the eFiling system.”

SARS notes the browser is currently compatible with Windows devices only, a move that Ferreira says still excludes the thousands of Mac and Linux users.

Jason Jordaan, principal forensic analyst at digital forensics firm DFIR Labs, comments that it was not a good decision on the part of SARS to release a “new” browser, adding that it just contributes to confusion on the part of the end-user.

“The bottom line is that SARS had well over three years to migrate from Flash and they simply did not get it done in time. They had certainly been working on it as a lot of functionality was no longer dependent on Flash.

“SARS clearly had the capability to transition away from Flash, and had demonstrated that they could do so successfully. My concern is that deploying a new browser instead of simply fixing the problem (that they were aware of), on time, is an ineffective use of resources, at a time when all of us in the country are expected to tighten our belts.”

Unnecessary risk
SARS says its browser cannot be used for general Internet surfing, as it deploys as a separate application and can only be used to access the SARS eFiling Web site and SARS corporate Web site.

Ferreira emphasises that the security implications are severe. “It places every taxpayer, who still needs Flash Player to use the browser, at risk of cyber attacks. Adobe recommended to remove Flash Player completely or to uninstall it as it is insecure and will open computers up to cyber attacks.

“The second problem is that it also places the entire eFiling system at risk and makes the entire system vulnerable by using outdated and insecure technologies.

“The risks are not only on the forms that use Flash Player, but also creates the possibility for hackers to use Flash Player’s vulnerabilities to penetrate SARS’s systems and pivot further attacks from there.”

Jordaan notes that using a product that is no longer supported carries risks. “The browser that SARS has released is a Chromium-based browser, and while the latest Chromium build has Flash support removed, it is possible to still enable Flash to run.”

Compliance considerations
Ferreira stresses that the situation is a national embarrassment for SARS as it was well aware of the discontinuation of Flash Player.

“This is not acceptable and it clearly demonstrates the incompetence from SARS’s IT department to act in this way and ignore cyber security norms and standards and put their own systems and taxpayers’ systems at risk.

“Businesses in South Africa, under the POPI Act, are obliged to implement cyber security protocols by law or face serious consequences. By being forced to use insecure technologies by SARS, this means they are not POPI-compliant as there is a well-known vulnerability that is not being addressed and can place all personal information that they process at risk.

“There is a very good reason why all major browsers stopped supporting Flash Player and removed it from their software. Flash Player is a security risk. SARS is doing the opposite by providing a browser that continues to use Flash Player, despite Adobe clearly instructing everyone not to do so. Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari, Opera Browser, and pretty much any other safe browser, discontinued its support for Flash Player.”


By Chris de Bruyn, operations director at Gabsten Technologies

With remote working having become the norm for most companies in the wake of the COVID-19 pandemic, constantly backing up critical data is more crucial than ever, and organisations also need to understand the difference between remote and onsite backups.

Traditionally, backups were done on-premise and companies simply relied on the “3-2-1” backup strategy, which requires organisations to have three copies of their data (production data and two backup copies) on two different media, with one copy offsite for Disaster Recovery (DR).

However, now that workforces are spread over a massive geographical area, organisations have had to adjust their backup strategies accordingly. Over the past few months, companies have been purchasing endpoint licences, so that endpoint devices are protected.

At the same time, many organisations are also moving their critical data and systems to the public cloud, but this has to be done in a financially sensible manner, as public cloud computing through international vendors isn’t always as affordable in South Africa as it is in other parts of the world.

Remote working has forced organisations to be a lot more agile and flexible and to consider things that weren’t always part of their thought process at the start of 2020. Previously, most companies didn’t even think about protecting laptops, desktops or endpoints. Instead, everything was kept on-premise, where shared drives were easily accessible and protected.

New dimension of risk

Now, organisations need to protect all these distributed endpoints, as remote working is adding new dimensions to the risks that they face. This means that companies have to put in place complete backup strategies to ensure that everything is protected, irrespective of where the devices and data are located.

When adopting a strategy, the key backup parameters that companies need to consider are organisational-based and aligned to what the organisation needs at the time. This is where agility is important, as a company’s data management solution must be able to adapt to what it needs at any given point.

If an organisation’s data management strategy does not provide for this, then it must be relooked at against the company’s needs and against what is affordable. The truth is that some enterprises simply cannot afford to throw money at the problem. In that case, organisations should rather team up with a data management partner that has the expertise to guide them through these problems and can also assist with a Business Continuity (BC) plan, which must include a DR strategy.

It is also very important to differentiate between remote and onsite backups. Onsite backup is a legacy strategy where hardware infrastructure that is run on-premise is replicated to a remote DR site or a secondary location. Depending on how thoroughly the strategy is applied, an organisation will either replicate their critical data or all of their data.

Not always feasible

Remote backups focus a lot more on protecting the endpoint or end user. This may not be the most feasible strategy as an organisation could be burdened with having to protect thousands of laptops while bandwidth remains costly. A better solution would be to train staff to ensure that nothing is saved to the endpoint, but rather to shared drives or approved cloud services.

While many organisations are likely to continue working from home, it is unlikely that there will be huge potential to save on office space. South Africa is intermittently plagued by load shedding and companies have, over the past five or six years, spent massive amounts on making sure that their business can function when the lights go out.

So, it is unlikely that these enterprises will throw that investment away and let people work entirely from home. Obviously, load shedding also affects workers in remote locations, so these companies would have to incur massive expenditure to provide their employees with uninterrupted power supplies to keep them working during power outages.

Of course, having a distributed or rotational workforce does increase the risk of data loss, but these risks can be mitigated with the help of a data management partner. Organisations need to have a sound data management strategy, which should be used intelligently to ensure that all critical data is always protected.

2018’s worst cyber-security breaches

By Lily Hay Newman for Wired 

Looking back at the first six months of 2018, there haven’t been as many government leaks and global ransomware attacks as there were by this time last year, but that’s pretty much where the good news ends. Corporate security isn’t getting better fast enough, critical infrastructure security hangs in the balance, and state-backed hackers from around the world are getting bolder and more sophisticated.

Here are the big digital security dramas that have played out so far this year—and it’s only half over.

Russian grid hacking
In 2017, security researchers sounded the alarm about Russian hackers infiltrating and probing United States power companies; there was even evidence that the actors had direct access to an American utility’s control systems. Combined with other high-profile Russian hacking from 2017, like the NotPetya ransomware attacks, the grid penetrations were a sobering revelation. It wasn’t until this year, though, that the US government began publicly acknowledging the Russian state’s involvement in these actions. Officials hinted at it for months, before the Trump Administration first publicly attributed the NotPetya malware to Russia in February and then blamed Russia in March for grid hacking. Though these attributions were already widely assumed, the White House’s public acknowledgement is a key step as both the government and private sector grapple with how to respond. And while the state-sponsored hacking field is getting scarier by the day, you can use WIRED’s grid-hacking guide to gauge when you should really freak out.

US universities
In March, the Department of Justice indicted nine Iranian hackers over an alleged spree of attacks on more than 300 universities in the United States and abroad. The suspects are charged with infiltrating 144 US universities, 176 universities in 21 other countries, 47 private companies, and other targets like the United Nations, the US Federal Energy Regulatory Commission, and the states of Hawaii and Indiana. The DOJ says the hackers stole 31 terabytes of data, estimated to be worth $3 billion in intellectual property. The attacks used carefully crafted spearphishing emails to trick professors and other university affiliates into clicking on malicious links and entering their network login credentials. Of 100,000 accounts hackers targeted, they were able to gain credentials for about 8,000, with 3,768 of those at US institutions. The DOJ says the campaign traces back to a Tehran-based hacker clearinghouse called the Mabna Institute, which was founded around 2013. The organization allegedly managed hackers and had ties to Iran’s Islamic Revolutionary Guard Corps. Tension between Iran and the US often spills into the digital sphere, and the situation has been in a particularly delicate phase recently.

Rampant data exposures
Data breaches have continued apace in 2018, but their quiet cousin, data exposure, has been prominent this year as well. A data exposure, as the name suggests, is when data is stored and defended improperly such that it is exposed on the open internet and could be easily accessed by anyone who comes across it. This often occurs when cloud users misconfigure a database or other storage mechanism so it requires minimal or no authentication to access. This was the case with the marketing and data aggregation firm Exactis, which left about 340 million records exposed on a publicly accessible server. The trove didn’t include Social Security numbers or credit card numbers, but it did comprise 2 terabytes of very personal information about hundreds of millions of US adults—not something you want hanging out for anyone to find. The problem was discovered by security researcher Vinny Troia and reported by WIRED in June. Exactis has since protected the data, but it is now facing a class action lawsuit over the incident.

Cloud leaks pop up regularly, but data exposures can also occur when software bugs inadvertently store data in a different format or location than intended. For example, Twitter disclosed at the beginning of May that it had been unintentionally storing some user passwords unprotected in plaintext in an internal log. The company fixed the problem as soon as it found it, but wouldn’t say how long the passwords were hanging out there.

After the revelation of a data exposure, organizations often offer the classic reassurance that there is no evidence that the data was accessed improperly. And while companies can genuinely come to this conclusion based on reviewing access logs and other indicators, the most sinister thing about data exposures is that there’s no way to know for sure what exactly went down while no one was watching.

Under Armour
Hackers breached Under Armour’s MyFitnessPal app in late February, compromising usernames, email addresses, and passwords from the app’s roughly 150 million users. The company discovered the intrusion on March 25 and disclosed it in under a week—some welcome hustle from a large company. And it seems Under Armour had done a good enough job setting up its data protections that the hackers couldn’t access valuable user information like location, credit card numbers, or birth dates, even as they were swimming in login credentials. The company had even protected the passwords it was storing by hashing them, or converting them into unintelligible strings of characters. Pretty great, right? There was one crucial issue, though: Despite doing so many things well, Under Armour admitted that it had only hashed some of the passwords using the robust function called bcrypt; the rest were protected by a weaker hashing scheme called SHA-1, which has known flaws. This means that attackers likely cracked some portion of the stolen passwords without much trouble to sell or use in other online scams. The situation, while not an all-time-worst data breach, was a frustrating reminder of the unreliable state of security on corporate networks.
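The bcrypt-versus-SHA-1 point above is easier to see in code. The following is an added example, not Under Armour’s code or anything from the Wired piece: it audits a constructed credential store that mixes the two schemes and upgrades a legacy unsalted SHA-1 record to a salted, deliberately slow hash the next time the user logs in successfully. PBKDF2-HMAC-SHA256 from Python’s standard library stands in for bcrypt (which is not in the standard library), and the `scheme$...` record format is an assumption made for the example.

```python
import hashlib
import hmac
import os

# Assumed record formats (hypothetical, for this example only):
#   "sha1$<hex>"                                legacy: unsalted, single fast hash
#   "pbkdf2$<iterations>$<salt hex>$<hash hex>" upgraded: salted, slow KDF
# PBKDF2-HMAC-SHA256 stands in here for bcrypt, which is not in the stdlib.
PBKDF2_ITERATIONS = 200_000


def hash_legacy_sha1(password: str) -> str:
    """Deliberately weak scheme: no salt, so equal passwords give equal hashes,
    and one SHA-1 per guess makes offline guessing cheap."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def hash_pbkdf2(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash: each guess costs the attacker `iterations` work."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify(record: str, password: str) -> bool:
    """Check a password against either record format; constant-time compare."""
    scheme, _, rest = record.partition("$")
    if scheme == "sha1":
        return hmac.compare_digest(hash_legacy_sha1(password), record)
    if scheme == "pbkdf2":
        try:
            iters, salt_hex, dk_hex = rest.split("$")
            dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iters))
        except ValueError:
            return False  # malformed record
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False  # unknown scheme: never accept


def login_and_upgrade(store: dict, user: str, password: str) -> bool:
    """On a successful login, transparently re-hash legacy SHA-1 records,
    since the plaintext is only available at that moment."""
    record = store.get(user)
    if record is None or not verify(record, password):
        return False
    if record.startswith("sha1$"):
        store[user] = hash_pbkdf2(password)
    return True


def audit(store: dict) -> dict:
    """Count records per scheme so the remaining legacy exposure is measurable."""
    counts = {"sha1": 0, "pbkdf2": 0, "unknown": 0}
    for record in store.values():
        scheme = record.split("$", 1)[0]
        counts[scheme if scheme in counts else "unknown"] += 1
    return counts


# Constructed sample store (not real data). alice and bob share a password,
# which the unsalted scheme exposes as identical hashes; carol is already upgraded.
SAMPLE_STORE = {
    "alice": hash_legacy_sha1("correct horse"),
    "bob": hash_legacy_sha1("correct horse"),
    "carol": hash_pbkdf2("battery staple", salt=bytes(16)),
}


def demo() -> dict:
    """Audit, let alice log in (triggering the upgrade), audit again."""
    store = dict(SAMPLE_STORE)
    login_and_upgrade(store, "alice", "correct horse")
    return audit(store)


if __name__ == "__main__":
    print(audit(SAMPLE_STORE), "->", demo())
```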

One to watch: VPNFilter
At the end of May, officials warned about a Russian hacking campaign that has impacted more than 500,000 routers worldwide. The attack spreads a type of malware, known as VPNFilter, which can be used to coordinate the infected devices to create a massive botnet. But it can also directly spy on and manipulate web activity on the compromised routers. These capabilities can be used for diverse purposes, from launching network manipulation or spam campaigns to stealing data and crafting targeted, localized attacks. VPNFilter can infect dozens of mainstream router models from companies like Netgear, TP-Link, Linksys, ASUS, D-Link, and Huawei. The FBI has been working to neutralise the botnet, but researchers are still identifying the full scope and range of this attack.

Nedbank, Telkom, Discovery and Investec are among top South African listed companies with the most exposure to cybersecurity risks.

This is according to a new research report from the Cyber Intelligence Research Group, the results of which are being released on Monday at CyberCon, a cybersecurity conference in Johannesburg. The Cyber Exposure Index (CEI) was launched in Singapore earlier this month. Over the next few months, indices for eleven major global stock exchanges outside of the US will be released. Following the release of the Singaporean and Finnish indices, the South African index is the third to be published.

The CEI scores listed companies on their levels of exposure. South African companies received an average exposure rating of 1.9.

The index aggregates data that is publicly available through the dark and deep Web, or as the result of third-party data breaches. This data is used to identify top listed companies’ vulnerability to hacker group activity, disclosed sensitive information and leaked credentials.

Companies are then scored from 0-5, where 0 indicates no exposure and 5 places a company among the 1% of firms with the most exposure.

While no South African company scored a 5, many household names — from Sasol to Liberty Holdings and from Woolworths to Anglo American — scored a 4.

ICT sector

In the ICT sector, those scoring a 4 included Telkom, MTN and EOH. Mix Telematics, Vodacom, Huge Group, Mustek, Adapt IT, Blue Label Telecoms and Naspers all scored 3. ICT companies scoring at the other end of the scale, with 0, included Alviva Holdings (formerly Pinnacle Holdings) and Labat Africa.

Telecommunications companies have among the highest levels of exposure in South Africa at 13.1%, compared to the global average of 2.4%, according to the researchers.


South Africa’s global relative cyber exposure by industry, according to the Cyber Exposure Index

South African companies have received an average exposure rating of 1.9 in the debut results of the Cyber Exposure Index
The company responsible for the index, Kinkayo, is a Singapore-based cyber intelligence organisation founded by professionals in the cybersecurity field.

The CEI has been developed as a way for companies to gauge their cyber exposure, empower them with the opportunity to identify where their vulnerabilities lie and take decisive action against their risks, it said.


Source: Tech Central 

Have you been breached?

It seems like there is a new data breach every other day, causing companies untold embarrassment and reputational damage when customers’ private details are leaked.

A new Web site called www.haveibeenpwned.com allows you to see if your details have been compromised by a data breach.

Simply click on the link, enter your email address and click the “pwned?” button to find out if you’re a victim.

Major data breaches

Some high profile leaks in the last while include:

  1. RNC (2017)
    A misconfigured database containing the sensitive personal details of over 198-million American voters was left exposed to the internet by a firm working on behalf of the Republican National Committee (RNC) in their efforts to elect Donald Trump.
  2. Zomato (2017)
    Zomato, which provides users with an online guide to restaurants, cafes and clubs, reported that data from 17-million users had been stolen, including email addresses and hashed passwords.
  3. NHS (2017)
    The recent WannaCry ransomware infected 47 NHS England Trusts and hundreds of companies across the world.
  4. ‘Eddie’ breach (ongoing)
    Security researchers at the Kromtech Security Research Center discovered a massive database of 560-million login credentials which is believed to come from up to 10 popular online services such as LinkedIn and Dropbox, obtained during previous data breaches.
  5. Wonga (2017)
    Payday loan company Wonga has fallen victim to a large data breach that could have hit as many as 245,000 of its customers including bank account numbers and sort codes.
  6. Tesco Bank (2016)
    Late last year, Tesco Bank, the consumer finance wing of the British supermarket giant, froze its online operations – after as many as 20 000 customers had money stolen from their accounts.
  7. Sage (2016)
    As a FTSE-100 firm, the apparent insider attack admitted by accounting and HR software firm Sage could turn out to be one of the most important in UK data breach history if its scale is confirmed.
  8. Ashley Madison (2015)
    In July 2015, a group calling itself “The Impact Team” stole the user data of Ashley Madison, a commercial website billed as enabling extramarital affairs. The group leaked more than 25 gigabytes of company data, including user details.
  9. Mumsnet (2014)
    A direct victim of the infamous and widespread Heartbleed SSL software flaw, the compromise allowed hackers to access anything up to 1,5-million user accounts on the hugely popular site, its owners revealed.
  10. Yahoo (2013, 2014)
    It seems hard to pin down just one data breach spawning from Yahoo’s 22 years in business. Last year appeared to unearth a mammoth lack of security on Yahoo’s part with reports uncovering a breach affecting over 500-million Yahoo user accounts during 2014.
  11. Sony PlayStation Network (2011)
    The largest data breach in history at the time, Sony’s disastrous 2011 breach saw hackers make off with the customer records of 77-million people relating to its PlayStation Network, including a small number revealing credit card numbers.

Sources: www.techworld.com; Wikipedia; www.haveibeenpwned.com

My Office News Ⓒ 2017 - Designed by A Collective

