MongoDB Hacks Lead to Many Data Breaches

Many data breaches are the result of the failure to take even the most basic precautions. Here are several that have been reported in the past:

  •  Garage sale bargains: One garage sale customer purchased a filing cabinet still packed with personal data, including Social Security numbers and home addresses.
  •  Sensitive data transported in an employee’s car: An organization held its annual drill to assess its data breach preparedness. Instead of using test data, it used the real data, which was left in an employee’s car overnight and stolen, most likely along with the owner’s favorite Rick Astley CD.
  •  Thumb drive on a key chain: Flash drives are great portable devices, but they don’t belong on key rings, especially when the data on them isn’t encrypted. It makes you wonder which cost more, the replacement key fob or the data breach!

It would be nice if these were isolated events, but the truth is that for many organizations security is still an afterthought. Consider databases: they remain one of the most popular targets for cyber criminals, yet some administrators fail to implement even the most basic controls to secure them. MongoDB is a good example. It ships with access control disabled, and before version 3.6 a default install also listened on every network interface, so a server with a public IP address accepted connections from anyone, with no authentication at all. That is a scary thought given that MongoDB has had over 20 million downloads. Since early this year, thousands of these default-install, unsecured MongoDB servers have been targeted. A quick search on Shodan returns many potential targets.

The attackers simply exploit the lack of authentication: they connect, drop the original database, and leave a ransom note claiming to hold a copy. In many of the reported cases they never kept one, so victims who paid got nothing back. A current, offline backup, not the ransom payment, is what recovers the data.

The same technique was used to breach the CloudPets database and steal more than one million records from over 800,000 accounts. Much of the breached information was data on hundreds of thousands of minor children, including their names, genders, and birth dates.

What’s the cost of these types of mistakes? The 2016 Ponemon Institute data breach study reports an average consolidated total cost of $4 million per breach. HIPAA civil penalties run up to $1.5 million per year for violations of the same provision. Under the Federal Trade Commission Act, organizations that fail to abide by their commitments under the E.U.-U.S. Privacy Shield Principles can be subject to penalties of up to $40,000 per violation or $40,000 per day for a continuing violation.

Implementing basic controls such as enabling authentication and changing default passwords, encrypting data, restricting which network interfaces a service listens on, and patching systems goes a long way towards providing a minimum level of security. Sometimes “Small Things” can prevent “Big Problems!”
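The two controls that would have stopped the MongoDB attacks described above, access control switched on and the server not listening on a public interface, are both a few lines in mongod.conf. The following Python script is an added example, not code from the original post or from MongoDB: it audits a mongod.conf for those two settings. It assumes the YAML-style config keys security.authorization, net.bindIp and net.port, parses only the simple indented key: value subset those keys use (so it needs no third-party YAML library), takes the mongod version as an input because an unset net.bindIp meant "all interfaces" before 3.6, and uses two constructed sample configs.

```python
"""Audit a mongod.conf for the settings behind the 2017 MongoDB ransom attacks.

Added example, not code from the original post or from MongoDB. It checks the
two controls that matter here: security.authorization (access control) and
net.bindIp (which interfaces mongod listens on). Before MongoDB 3.6 an unset
net.bindIp meant "listen on every interface", so the version is an input.
"""


def parse_simple_yaml(text):
    """Parse the indentation-based subset of YAML that mongod.conf uses.

    Handles 'section:' headers and 'key: value' lines nested by indentation,
    skipping comments and blank lines. Lists and quoted '#' are not needed
    for the keys audited below, so they are not supported.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping); indent -1 is the root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        while indent <= stack[-1][0]:  # close sections at the same or deeper indent
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(text, version):
    """Return a list of findings; an empty list means both basic controls are set.

    `version` is the mongod release as "major.minor" (the bindIp default changed in 3.6).
    """
    conf = parse_simple_yaml(text)
    findings = []

    authorization = conf.get("security", {}).get("authorization", "disabled")
    if authorization != "enabled":
        findings.append(
            "security.authorization is not 'enabled': anyone who can reach the "
            "port can list, dump, drop and replace every database")

    bind_ip = conf.get("net", {}).get("bindIp")
    if bind_ip is None:
        major_minor = tuple(int(p) for p in version.split(".")[:2])
        if major_minor < (3, 6):
            findings.append(
                "net.bindIp is unset and mongod %s listens on all interfaces by default" % version)
    else:
        addrs = [a.strip() for a in bind_ip.split(",")]
        if "0.0.0.0" in addrs or "::" in addrs:
            findings.append("net.bindIp contains a wildcard address: %s" % bind_ip)
    return findings


# Constructed sample configs for the demonstration (not copied from any real host).
DEFAULT_INSTALL_CONF = """\
# What a 3.4-era install looks like with nothing changed
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
"""

HARDENED_CONF = """\
security:
  authorization: enabled
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the app-subnet address only
"""

if __name__ == "__main__":
    for name, conf in (("default install", DEFAULT_INSTALL_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_mongod_conf(conf, version="3.4")
        print("%s: %s" % (name, "OK" if not findings else "%d finding(s)" % len(findings)))
        for finding in findings:
            print("  - " + finding)
```

The config audit is the inside view; the outside check is to run the mongo shell against the server's address with no credentials, for example `mongo --host <address> --eval 'db.adminCommand({listDatabases: 1})'`. If that returns database names, the server is exactly as open as the ones being ransomed. A firewall rule in front of port 27017 belongs alongside both settings, not instead of them.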

Posted in Cyber security, IT and Computer Security, Privacy, Ransomware

Ethical Hacking Reveals Holes In Cloud Security

When your virtual or cloud-based network has security holes in it, and somebody doesn’t already know about them, it won’t be long before somebody does. Cloud-based services are becoming a big target for cyber criminals, who have the time and ability to scan large portions of the Internet looking for vulnerabilities in random company networks. Sometimes the exposure comes from the provider itself. Cloudflare is an example: in February of this year a bug in its edge HTML parser leaked the contents of server memory, including other customers’ data, into responses served for about 3,400 websites.

Sadly, it would almost be nice if these cyber criminals were the ones we had to worry about most. Advanced persistent threats (APTs) are another real concern. These adversaries can be determined, efficient, and ultimately devastating, not only to your company but to your employees, your clients, and your data.

It can be difficult for individuals within your company to explore all of the ways an outsider can (and will) attempt to exploit your security. That’s why it’s important to find a method of discovering these holes before they become a data breach. And if you’re trying to defend against hackers, who better than a company of ethical hacking professionals to show you the loopholes in your systems?

The “crack” team at Superior Solutions will try their best to break into your systems, with one difference: they won’t do anything once they get in. When you know you can trust your service provider, in this case the hackers, you can trust the product they provide. Targeted reviews of your cloud-based infrastructure and network will give you a better understanding of how malicious hackers and cyber criminals will act, react, and carry out devastating attacks against your company.

Contact us today.

Posted in Cyber security, Ethical Hacking, Hacking

IRS Tax Scams to Watch Out For in 2017


Tax season is here, and that means it’s time to watch out for hackers, scammers, and criminals targeting your tax return. Michael Gregg was interviewed by Fox News on the tax scams of 2017. Mr. Gregg warned viewers to watch out for these three types of IRS tax scams in 2017:

  1. Tax refund fraud: Criminals will steal your personal data in order to file fake tax returns on your behalf, thereby stealing your refund.
  2. Identity theft: Criminals will impersonate the IRS and threaten taxpayers with fines and penalties in order to trick them into disclosing sensitive personal information, which they then use for future fraud and financial theft.
  3. Financial theft: Criminals will impersonate the IRS to trick taxpayers into paying them directly by credit card, wire transfer, etc.


Posted in Cyber security, IT and Computer Security, Training and Education

Tax Scams – Three Ways Hackers Plan to Steal Your Tax Return in 2017

Experts warn that several fraudulent tax scams are circulating as this year’s tax season begins. Taxpayer data is vulnerable, and hackers are using several different techniques in 2017 to target your tax return. Three ways hackers can cash out on unsuspecting victims:

Target the taxpayer – This is the most common method of attack. One technique is phishing email that pretends to be from the IRS and asks you for personal information, or asks you to click a malicious link or open an infected attachment. Trojans are another technique; this malware can be used to extract sensitive data from your computer. The best defense is to be careful about the emails you open (the IRS does not initiate contact with taxpayers by email to request personal or financial information) and to keep in mind that hackers typically only need your name, Social Security number, and birth date to file a return in your name.


Target the tax return preparers – This technique targets the tax preparer. The hacker launches an email campaign that sends phishing emails to tax preparers, posing as a potential client. The email contains a malicious attachment. By opening the attachment, the tax preparer installs malware on his or her computer that can act as a keylogger and capture Social Security numbers, birth dates, and other client data. This is more difficult for the taxpayer to defend against, because it targets the tax preparation professional rather than the taxpayer.

Target the IRS – While it is true that the IRS has multiple layers of security, no system is perfect. As an example, last year hackers used Social Security numbers stolen from outside the IRS to generate over 100,000 e-filing PINs and file fake returns.

The deadline for your federal tax return this year is Tuesday, April 18th, and this year, just like previous ones, more people are expected to file their taxes online. It is better to file earlier than later: once your return is on record, a fraudulent return filed under your Social Security number is rejected as a duplicate rather than paid. If you are preparing your own return, there are many reputable online tax preparation web sites and packages: TurboTax Online, H&R Block at Home, TaxAct, and others. Regardless of which package you use, keep in mind that it collects your personal information. Also, don’t forget that your information is stored on your own computer as well.

Your personal information is extremely valuable to cyber criminals looking to steal your identity and commit identity fraud. Always be careful with your personal data. Keep it encrypted, keep your anti-virus up to date, and be on the alert for phishing tax prep emails in your inbox.

Posted in Cyber security, IT and Computer Security, Training and Education

Snowden Movie Brings Issue of Personal Privacy to the Forefront

Michael Gregg appeared Friday, September 16th, on The Fox Morning Show in Houston to talk about the risks to personal privacy that technology now creates and how these threats will become more advanced and widespread for the foreseeable future. Michael Gregg has been asked to comment on several movies that deal with hacking, such as “Blackhat” and the just-released “Snowden.” One of the issues highlighted in the Snowden movie is the ability to remotely access smartphones to spy on individuals. Is this real? Yes, it is!


Smartphone malware such as Trojans that let hackers remotely activate a phone’s camera and microphone is growing rapidly. We see this type of attack mainly targeting activists and journalists in foreign countries, but it is likely to become widespread among U.S. consumers over the next five to ten years.

Another real threat to online privacy is the growth of the Internet of Things (IoT): refrigerators, TVs, cars, medical devices, and other products that now have Internet connectivity and smart features built in. The problem is that they’re not developed with security in mind, so it’s relatively easy for someone to hack them. Just imagine someone taking over your smart TV’s embedded camera, your Internet-connected thermostat, or your IoT door locks.

Criminal hackers have become more sophisticated, and it appears we are entering a new age in which highly personal and intrusive cyber attacks are far more common: the ability to spy on others in their own homes, or to harass them by hijacking things within their homes or cars. Cyber extortion, harassment, and identity theft could become much worse than they are today. Cyber crime is now a big industry in which even foreign governments fund hacker groups to harass their enemies. Examples can be seen in the hacking of the Clinton campaign, the DNC, and Colin Powell’s emails.

The recent data breaches of state voter registration databases and U.S. Olympic athletes’ medical records by Russian hackers are examples of how U.S. citizens can be caught in the middle of cyber conflicts between the U.S. and other countries. In the years ahead, we could see more instances of consumer data being stolen and dumped on the web by foreign hackers who oppose the U.S. government.

Posted in Cyber security, Ethical Hacking, Hacking, Ransomware, Smart Phone Hacking

Ransomware / Data Sabotage – A Growing Threat

Michael Gregg has a new article on cyber-ransom featured in the FBI’s Law Enforcement Bulletin. The article examines the growing risk of data sabotage. Ransomware is the perfect digital weapon for a saboteur, as it is extremely destructive and difficult to remove.


Cyber-ransom is basically a data sabotage threat that has spread quickly over the last several years. Ransomware is known by many names, such as Reveton, CryptoLocker, and CryptoWall, among others. Regardless of the name, the objective is the same: payment! Attackers instruct those infected to pay, and only then (they promise) will access to the locked system or encrypted files be restored.

If this is not bad enough, security experts are discussing the concept of jackware. While this is currently theoretical, cyber security researchers foresee the day when ransomware migrates to automobiles. The idea is that hackers would disable cars until victims pay. You can read more about that here: Five Ways Your Car Can Be Hacked

Posted in Cyber security, Ethical Hacking, Hacking, Ransomware

How Data Brokers Threaten Your Privacy and Resell Your Information

Data brokers are buying, sharing, and selling your information online. While you have probably never heard of these companies, they know all sorts of information about you and have most likely placed you in a category such as Financially Challenged, Democrat, Republican, Expectant Parent, or even Bible Lifestyle.

That’s not all they know. Their databases include your address, property ownership, income, criminal records, family members, and even hobbies. If you have searched for something on the Internet or made online purchases, data brokers know it.

From smartphone apps that spy on you to wearables and fitness trackers that record your every heartbeat, more and more of your personal data is tracked and resold to data brokers. Michael Gregg’s new article explores how data brokers threaten consumer privacy. Read more about this topic in Michael Gregg’s Huffington Post article.

Posted in Cyber security, Hacking, IT and Computer Security, Privacy

The US / Russian Simmering Cyberwar

Russia’s cyber assault on the US election is one of the most provocative acts we have seen against the US from a cyber perspective. It should be clear that cyberwar is an effective tool for Russia’s military and political goals. How should we respond? Read more in Michael’s new article on Huffington Post.


Posted in Cyber security, Ethical Hacking, IT and Computer Security

Is Windows 10 Spying On You or Simply Building a Better User Experience?

Microsoft has come under fire from privacy advocates because many end users feel that Windows 10 is far too intrusive. While it is true that much of this data is used to enhance the user experience, Microsoft’s lack of transparency isn’t doing much to dispel the notion that it is spying on end users, gathering much more personal information than needed, and making it far too difficult to opt out. If you’re wondering what Microsoft collects from Windows 10 users, and what else the OS does by default, it includes:

  • Personal information about your browsing habits and what you’re doing on your computer
  • Bandwidth: without asking, it uses your Internet connection to share Windows Update downloads with other PCs, much like a peer-to-peer network
  • Per the end user license agreement (EULA), it can scan for illegal (pirated) games (Xbox)
  • Forced updates

To get a better idea of what Microsoft is doing with Windows 10, you’ll need to read the end user agreement. It’s about 12,000 words, so you may want to have your lawyer handy as you go through it!

If you want to reduce the amount of data Windows collects, open Settings and click Privacy. There, you’ll need to work through 13 different screens to disable the first layer of data collection. You will also need to visit https://choice.microsoft.com to opt out of personalized ads. This won’t keep you from seeing ads; it simply blocks ads targeted at you based on your browsing history.

Even after all of these changes, Windows 10 will continue to send information to Microsoft. To further block its ability to report on you, consider downloading the Windows 10 Tracking Disable Tool from Majorgeeks.com. This tool blacklists many of the IP addresses that Windows 10 sends tracking data to; keep in mind that blocking by address is a moving target, since those addresses change over time. To reduce browser-side tracking as well, Windows 10 users should consider installing Ghostery from www.ghostery.com. Ghostery is a browser extension, so it blocks web trackers inside the browser and does nothing about the operating system’s own telemetry.

So, while you can reduce the amount of data Windows 10 collects by default, the OS is designed in a way that makes the process very difficult for the average user, which is unnecessary.

Posted in Hacking, IT and Computer Security, rogueware

Why Ethical Hackers Are In Strong Demand

Ethical hackers are in strong demand because modern cyber attacks can be highly focused, targeting your online assets and intellectual property. Especially in this BYOD (bring your own device) era, security breaches must be avoided. A vulnerability is like a hole in the wall of your office or a hole in the fence at your property line: the malicious hacker gets easy entry. If it is your proprietary data that they are helping themselves to, losses can mount quickly.

Then there are the Internet vandals, known as hacktivists, who do critical damage to make a political point or just for the fun of it. Vandals are despised in the real world; they should be online as well. Again, cyber security experts can set up a line of defense before the vandals and the hackers ever attack.

And these guards can step in to repair damage after it has occurred as well. They can plug the hole in the fence before it completely gives way. And just as a miscreant may leave footprints as he makes a hasty retreat, cyber criminals may leave a trail as well.

Why not take steps to stop the troublemakers before they ever arrive at your online address? There is no better place to be proactive than in cyber security. It is possible to hire experts who can test for vulnerabilities in your cloud-based and other systems.

Avert a potential disaster and enjoy the peace of mind that allows uninterrupted attention to growing your enterprise.

For further assistance, either before or after the fact, please contact us today.

Posted in Cyber security, Ethical Hacking, Hacking, Training and Education