Report: Hackers Take Less than 6 Hours on Average to Compromise Targets

Most hackers can compromise a target in less than six hours, according to a survey of hackers and penetration testers released Tuesday by security awareness training firm KnowBe4.

The Black Report was compiled from 70 surveys taken at Black Hat USA and Defcon, and shows that phishing is the preferred method for 40 percent of hackers. A further 43 percent said they sometimes use social engineering, while only 16 percent do not use social engineering at all. Forty percent sometimes use vulnerability scanners, 60 percent use open-source tools, and just over 20 percent use custom tools for hacking.

A majority of those surveyed (53 percent) said they sometimes encounter systems they are unable to crack, while 9 percent say they never do, and 22 percent said they “rarely” encounter such targets. KnowBe4 chief hacking officer Kevin Mitnick performs penetration testing with a separate company (Mitnick Security), with a 100 percent success rate. Mitnick will present the keynote address at the upcoming HostingCon Global 2017 in Los Angeles.

Once they have gained access to a system, one in three penetration testers said their presence was never detected, and only 2 percent say they are detected more than half of the time. Exfiltrating data after a compromise takes less than 2 hours for 20 percent of respondents, and two to six hours for 29 percent, while 20 percent take longer than 12 hours.

When asked about effective protection against breaches, endpoint protection was named by 36 percent of those surveyed, while 29 percent identified intrusion detection and prevention systems. Only 2 percent consider anti-virus software an obstruction to hacking networks.

One-quarter of those surveyed said their advice to corporate boards would be to recognize that being hacked is inevitable; it is only a question of when it will happen. Roughly the same number urged boards to consider the return on investment in security, while 10 percent said boards should realize that detection capability is much more important than deflection capability.

KnowBe4 also commissioned a study from Forrester on the Total Economic Impact of breaches to put numbers to the potential return on investment (ROI) of security spending. The study is available from the KnowBe4 website.

Source: TheWHIR

Nearly Half of Developers Worldwide Are Android-First: Report

Almost half of professional developers now consider Android to be their primary platform, according to research from VisionMobile. The latest edition of its semi-annual State of the Developer Nation Q3 2016 report also shows a strong correlation between developers’ cloud and desktop platforms of choice.

Based on responses from over 16,000 developers globally, the VisionMobile Developer Economics survey shows that 47 percent of developers are Android-first, a seven percent increase, which gives Android a 79 percent mindshare among mobile developers. The increased attention came almost directly at the expense of iOS, which fell from being the primary platform of 39 percent of developers to only 31 percent in just 6 months.

The increasing influence of markets and developers in the Eastern hemisphere, where Android leads iOS significantly, could be part of the reason for the shift. The end of the conflict between Google and Oracle over the Android Java development kit in very late 2015 may also have had an effect.

In addition to mobile platforms, the report focuses on desktop and cloud developer “tribes,” the IoT market, and the new technologies attracting developer attention.

Among Windows classic developers, 36 percent primarily use C# for cloud development, as opposed to only 2 percent of Linux-first developers and 3 percent of macOS developers, according to the report.

The share of new IoT developers fell drastically to 22 percent from half a year ago, after already declining somewhat from 57 percent in Q2 2015 to 47 percent in Q4 2015. The main target of IoT developers is the Smart Home, which was also the fastest growing IoT application, up six points to 48 percent. Ericsson has estimated that there will be 3 billion IoT devices in North America alone by 2021, which represents a lot of work for developers.

The next big thing, judging by developer interest, is data science and machine learning, which 41 percent are involved with in some way, one-third of those professionally. Just under one-quarter of developers are working with augmented and virtual reality, mostly as a hobby or side-project.

Source: TheWHIR

Want Your ISP to Respect Your Privacy? It May Come at a Cost

Comcast has filed an argument (PDF) this week with the FCC to allow it to charge broadband users more to offset the burdens of maintaining their privacy. The FCC is considering new rules for Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, which would require ISPs to disclose what information is tracked and sold, as well as to provide a way for users to opt out of such tracking.

Advertisers have complained that consumers could end up with fewer privacy protections while large volumes of content move behind paywalls, while consumer advocates have argued that the proposed rules simply move the FCC closer to the stronger privacy protection consumers were entitled to under FTC regulation, before broadband providers were reclassified as common carriers for regulatory purposes last year.

“A bargained-for exchange of information for service is a perfectly acceptable and widely used model throughout the U.S. economy, including the Internet ecosystem, and is consistent with decades of legal precedent and policy goals related to consumer protection and privacy,” Comcast wrote to the FCC. The company also claims that blocking its plan “would harm consumers by, among other things, depriving them of lower-priced offerings.”

AT&T is already using this model to charge users of its gigabit broadband service a $30 (or more) add-on charge to opt out of a tracking program called, without any obvious irony in the promotional material, “Internet Preferences.”

In the most recent Who Has Your Back report from the Electronic Frontier Foundation (EFF), which measures the privacy practices of major internet companies and service providers, Comcast earned three out of a possible five stars. The report recommends Comcast adopt a stronger policy around providing users with notice about government data requests.

Source: TheWHIR

Security Researchers Allege Russian Ecommerce Firm Turns Blind Eye to Crime

Russian ecommerce shop provider Deer.io is allowing dark web activity out in the open, according to a report from threat intelligence and security analysis firm Digital Shadows.

What is the difference between this case and any other where a customer uses a web host to carry out criminal activity? Digital Shadows alleges that the majority of Deer.io shops sell stolen products or breached data, and that the company advertises on hacker and cybercrime forums.

Cybercriminal Tessa88, who distributed credentials breached from LinkedIn and MySpace, is associated with the shop darkside.global, which is hosted by Deer.io, Digital Shadows says. Softpedia found a reference to Deer.io-hosted cybercrime in Russian media, but there are no indications of law enforcement investigations.

Deer.io offers secure and anonymous hosting, site building, DDoS protection, and automatic payment systems. It also offers customer service and product development for 500 rubles ($8). It warns hosted shops not to sell illegal goods, provides a “report site” method, and Digital Shadows reports evidence that it will remove products like credit card details.

Digital Shadows notes that there are non-criminal businesses hosted by Deer.io, even if it is hard to call “tennis score prediction” a “legitimate product.” However, bulk bot-registered social media accounts, hijacked social media accounts, popularity-faking tools for social media, and stolen bank accounts are much more common. The company also advertises with “well-known criminal forums” Xeksek, AntiChat, Zloy, and Exploit, and seems to encourage sites to do the same.

“Deer.io works according to the laws of the Russian Federation. Our clients can create shops that do not violate the laws of the Russian Federation. We block shops that sell drugs/stolen bank accounts. We will also block any shop if requested by Roskomnadzor or the competent authorities of the Russian Federation,” Deer.io told Softpedia in a response to the report.

Perhaps most troubling is the conclusion of Digital Shadows that Deer.io represents another service lowering the barrier to cybercrime entry, as DDoS-as-a-Service and exploit kits for sale have done.

A report from Trend Micro in late 2015 called the criminal internet activity in North America a “glass tank” for its obviousness.

Source: TheWHIR

VeriSign: 12 Million Domains Registered in Q1 2016

The total number of registered domains across all TLDs reached 326.4 million, growing 12 million, or 3.8 percent from Q4 2015, according to the Q1 2016 Domain Name Industry Brief from VeriSign. Year-over-year registrations increased by 32.4 million, or 11 percent.

The number of internet sites redirecting to popular social media and ecommerce sites rose significantly over the past year.

VeriSign processed 10 million new .com and .net registrations in the quarter, up from 8.7 million in the first quarter of 2015.

The number of .com and .net sites redirecting to LinkedIn increased by 35 percent, while the increases for sites leading to Amazon.com, Etsy, Facebook and Twitter were all between 23 and 30 percent. The number of sites redirecting to Chinese social media site Weibo jumped 49 percent.

The report cites DN Journal aftermarket sale price tracking, which shows the top 10 .com domain names resold for an average of $315,800 in Q1 2016. Two years ago Sedo reported the third highest price for a public .com domain sale in the first half of 2014 was $320,000 for malls.com.

VeriSign’s average daily DNS query load increased by 0.5 percent over the previous quarter, but the peak actually decreased by 2.7 percent; year-over-year, the average and peak query loads increased by 3.5 and 14.2 percent, respectively. By contrast, from Q2 to Q3 2015 the query load jumped by 8 percent as a daily average and 225 percent at peak, resulting in 4.8 and 86.4 percent year-over-year increases.

Source: TheWHIR

Nearly Half of All Corporate Data is Out of IT Department's Control

Many organizations are not responding to the continuing spread of “Shadow IT” and cloud use with appropriate governance and security measures, and more than half do not have a proactive approach, according to research released Tuesday. The 2016 Global Cloud Data Security Study, compiled by the Ponemon Institute on behalf of Gemalto, shows that nearly half of all cloud services (49 percent) and nearly half of all corporate data stored in the cloud (47 percent) are beyond the reach of IT departments.

The report is drawn from a survey of more than 3,400 IT and IT security practitioners from around the world. It shows only 34 percent of confidential data on SaaS is encrypted, and members of the security team are only involved in one-fifth of choices between cloud applications and platforms.

IT departments are making gains in visibility, with 54 percent saying the department is aware of all cloud applications, platforms, and infrastructure services in use, up from 45 percent two years ago. The number of respondents saying it is more difficult to protect data using cloud services also fell from 60 to 54 percent; however, those gains were offset by more broadly reported challenges in controlling end-user access.

“Cloud security continues to be a challenge for companies, especially in dealing with the complexity of privacy and data protection regulations,” Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, said. “To ensure compliance, it is important for companies to consider deploying such technologies as encryption, tokenization or other cryptographic solutions to secure sensitive data transferred and stored in the cloud.”

The number of companies storing customer data in the cloud is increasing, with nine percent more organizations reporting the practice than in 2014, despite 53 percent still saying that is where it is most at risk.

Almost three-quarters say encryption and tokenization are important, and even more think it will be important over the next two years. However, almost two-thirds (64 percent) said their company does not have policies requiring safeguards like encryption for certain cloud applications.

Seventy-seven percent say managing identities is harder in the cloud than on-premises, yet only 55 percent have adopted multi-factor authentication.

“Organizations have embraced the cloud with its benefits of cost and flexibility but they are still struggling with maintaining control of their data and compliance in virtual environments,” said Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto. “It’s quite obvious security measures are not keeping pace because the cloud challenges traditional approaches of protecting data when it was just stored on the network. It is an issue that can only be solved with a data-centric approach in which IT organizations can uniformly protect customer and corporate information across the dozens of cloud-based services their employees and internal departments rely on every day.”

The report recommends organizations set comprehensive policies for data governance and compliance, as well as guidelines for sourcing cloud services, and cloud data storage rules.

A study released in June by Alert Logic indicated that workloads were subject to the same security operations strategy regardless of the infrastructure they are on.

Source: TheWHIR

ZENEDGE Launches Single IP Protection for DDoS Mitigation

ZENEDGE launched Single IP Protection to general availability on Tuesday at HostingCon to provide enterprise-class network DDoS mitigation to organizations with smaller networks.

Network DDoS mitigation traditionally requires Border Gateway Protocol (BGP) for routing decisions, which means it only works on networks with at least a class C subnet (256 IP addresses in total, 254 of them usable), according to the company.

With the new offering, ZENEDGE assigns clients a DDoS-protected IP address range from its IP pool. It establishes a GRE tunnel to route traffic between the client’s servers and the ZENEDGE protected IP network, and then directs new traffic through ZENEDGE via a DNS change.

“ZENEDGE serves many gaming companies, SaaS providers and organizations who are hosting their solutions in a colocated data center or in the cloud,” Leon Kuperman, CTO of ZENEDGE said in a statement. “While these organizations operate smaller networks and don’t control their routers, they are nevertheless consistently targeted with volumetric DDoS attacks.”

The company says gaming companies and others using proprietary protocols, UDP, VPN, or non-standard TCP ports.

With network layer DDoS attacks costing up to $40,000 per hour according to a 2015 report, the solvency of smaller organizations without protection could be at risk.

ZENEDGE received $4 million in a Series B funding round late last year.

Source: TheWHIR

Rogers Communications Launches Canadian Public Cloud with OVH

Canadian telecom Rogers Communications has launched a public cloud service to provide IaaS to businesses in Canada. Through a partnership with OVH, Rogers will offer a range of customizable cloud storage and computing options, hosted in OVH’s Canadian data centers and backed by Rogers’ cybersecurity and 24×7 service.

Rogers Public Cloud provides fast implementation and provisioning, along with real-time data, capacity, and IP monitoring through its web portal, according to an announcement this week. Rogers also touts its public cloud as offering environmental benefits due to the OVH data center’s cooling mix of 30 percent outside air and 70 percent liquid.

“Businesses that have made the transition to the cloud quickly realize the significant financial and operational advantages, but the reality is that Canadian customers do not have enough options for simple, cost effective cloud computing solutions,” Mark Schrutt, Research Vice President, Services and Enterprise Applications, IDC said in a statement. “New services like Rogers Public Cloud will make it easier for businesses to adopt cloud solutions and could ultimately foster more innovation as customers get access to more efficient, cost-effective IT as-a-service solutions.”

Rogers operates 17 data centers in Canada, and will run its public cloud from four Tier III certified locations in Calgary, Edmonton, Toronto, and Ottawa, ensuring consistent uptime and availability, the company said.

France-based OVH entered the Canadian market with a data center in Montreal in 2013. The company became a platinum sponsor of the Let’s Encrypt project late last year.

The Canadian government has been considering additional data protection measures for some time, but is not expected to introduce major regulatory changes applying to cloud services in the near future.

Source: TheWHIR

Final Updates as Industry Prepares for HostingCon Global 2016

The exhibit hall at HostingCon Global 2016 New Orleans is sold out, and the exhibitors, along with the Networking Lounge and the Plesk Charging Station, will fill the Exhibit Hall B of the Ernest N. Morial Convention Center during the conference and trade show which runs from July 24-27, 2016.

The expo hall will also be the site of several new networking events for 2016, including Monday night’s Opening Reception, as well as networking breakfasts on both Tuesday and Wednesday.

The HostingCon App (for Android or iOS) is available now, and All Access Pass holders can use the HostingCon Connect app to scout out potential partners and customers and set up meetings.

At this point #HostingCon is buzzing with friends in the industry connecting ahead of the show next week.

As you pack for the big event, you can familiarize yourself with keynote speaker Andrew Blum and his quest to broaden understanding of the internet by watching his Ted Talk.

The 2016 edition of HostingCon Global is shaping up to be the biggest and best in its 12-year history. By size, quality, and staying power, HostingCon Global is the top vendor neutral conference and trade show for the web hosting and cloud services industry. Register today if you haven’t already; it’s a show not to be missed!

Source: TheWHIR

Report: Privileged Account Management a Joke at Many Organizations

Half of all organizations fail to audit privileged account activity, according to a report by Cybersecurity Ventures and Thycotic. The companies co-sponsored the 2016 State of Privileged Account Management report, which shows that although companies say they recognize the importance of securing privileged accounts, their practices are often stuck in the past.

The report is based on a Privileged Password Vulnerability Benchmark survey, which showed that 76.5 percent of companies consider privileged account management (PAM) security a high priority, and 60 percent have PAM-related regulatory requirements, yet 7 out of 10 do not require approval for creating new privileged accounts.

“Weak privileged account management is a rampant epidemic at large enterprises and governments globally,” Steve Morgan, founder and CEO at Cybersecurity Ventures said in a statement. “Privileged accounts contain the keys to the IT kingdom, and they are a primary target for cybercriminals and hackers-for-hire who are launching increasingly sophisticated cyber-attacks on businesses and costing the world’s economies trillions of dollars in damages. We expect the needle on automated (PAM) solutions adoption to move fairly quickly into the 50 percent range over the next two years.”

Three out of 10 organizations allow accounts and passwords to be shared, three out of 10 have no formal password controls, and four out of 10 apply the same security controls to privileged and standard accounts.

Nearly one in five organizations have never changed the default passwords on their privileged accounts, and while many of the report’s findings are unsettling, this practice is so obviously negligent that one has to wonder about possible legal ramifications. Clients, partners, and shareholders of any given business should have assurances that it will not be brought to a standstill and suffer major losses from a years-old “admin” password.

Only 10 percent of those surveyed have implemented commercial automated PAM security, perhaps in part because 30 percent say they have not communicated the importance of following IT security policies to stakeholders.

The PAM report also puts a new spin on previous reports, such as the Ping Identity study from late 2015, which showed that enterprise employees often share credentials for the devices they work on with family members and commonly reuse passwords. If the organization neglects basic credential controls, it is unrealistic to expect employees to pick up the slack.

Source: TheWHIR