Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.
Big items to consider: As devices and things get more connected, privacy becomes harder to achieve. Forbes points out the age of data in corporate culture and how some companies are monitoring bathroom use and healthcare data, which leaves the question of where privacy fits into all of this. Security firm Trustwave is being sued for a “woefully inadequate” forensics investigation. Symantec security researchers have identified a new malware that can defeat two-factor authentication. A new phishing campaign called LostPass has found a way to mimic LastPass’s actual error message and trick people into handing their credentials to the phishing page.
Looking at trends in the sharing economy, companies like Uber have built an entire industry on the use of data-driven algorithms, with employment and pricing decisions based purely on the cold hard calculus of data. What might happen when this data-driven mindset reaches the world of healthcare? In the corporate pursuit of maximizing employee productivity it is not a far stretch to imagine a world in which companies use the results of all of this medical data to optimize the lives of their employees and squeeze every bit of work they can from them.
A Las Vegas-based casino operator has sued security firm Trustwave for conducting an allegedly “woefully inadequate” forensics investigation that missed key details of a network breach and allowed credit card thieves to maintain their foothold during the course of the two-and-a-half-month investigation. The complaint provides a rare glimpse inside the confidential world of security incident response and underscores the consequences when investigations don’t produce the results customers expect. As a result of the follow-on breaches, the operator, Affinity, was required to obtain a second PCI forensics report from Mandiant and to pay additional assessments so banks could reissue credit cards.
Two-factor authentication is an important way to help keep your online accounts safe — but it’s not perfect. It requires an extra layer of proof before anyone trying to log in gets access to an account. After the password is entered correctly, a temporary code known as a one-time password (OTP) is sent to the account owner’s smartphone. The code is then entered to complete the login process. That way, even if the user’s password is guessed, stolen, or cracked, the attacker can’t get into the account without physical access to the paired phone. But if the attacker is able to smuggle rogue software onto a user’s smartphone, they can defeat two-factor. Researchers at cybersecurity firm Symantec have discovered malware that can steal OTP codes and use this to hijack a user’s accounts. (The malware was previously reported on by The Register.)
LastPass, like many other systems, is not invulnerable to phishing campaigns — the use of fraudulent emails and Web pages which appear legitimate, but are used solely to steal information and install malware. The LostPass phishing campaign works because “LastPass displays messages in the browser that attackers can fake,” according to the researcher. “Users can’t tell the difference between a fake LostPass message and the real thing because there is no difference,” Cassidy noted. “It’s pixel-for-pixel the same notification and login screen.”