Monthly Archives: January 2016

Experian Have To Learn From Past Errors And Continuous Monitoring Will Help – Charles Leaver

Written By Josh Applebaum And Presented By Charles Leaver Ziften CEO

Experian Have to Learn from Past Errors And Implement A Constant Monitoring Service

Working in the security sector, I have always found my job hard to explain to the average person. Over the last couple of years, that has changed. Sadly, a new data breach is revealed every few weeks, with many more kept quiet. These breaches get front-page attention, and I can now explain to my friends what I do without losing them after a couple of sentences. Still, I question what we are learning from all of this. As it turns out, many companies are not learning from their own mistakes.

Experian, the international credit reporting company, has a lot to learn. Several months ago Experian revealed that its servers had been breached and that consumer data had been stolen. In announcing the breach, Experian reassured customers that “our consumer credit database was not accessed in this breach, and no credit card or banking information was acquired.” Having taken the time to assure consumers that their financial information had not been taken, Experian went on to describe what data was taken: customers’ names, addresses, Social Security numbers, dates of birth, driver’s license numbers, military ID numbers, passport numbers, and additional information used in T-Mobile’s own credit assessment. This is alarming for two reasons: the first is the type of data stolen; the second is that this is not the first time this has happened to Experian.

Although the attackers did not leave with “credit card or banking information”, they did walk away with personal data that could be used to open new credit card, banking, and other financial accounts. That alone is reason for the T-Mobile customers involved to be concerned. Beyond them, all Experian customers should be a little nervous.

As it turns out, this is not the first time Experian’s servers have been compromised. In early 2014, T-Mobile announced that a “reasonably small” number of its customers had their personal details stolen when Experian’s servers were breached. Brian Krebs has a well-written article on how the attackers breached Experian’s servers the first time, so we won’t go into much detail here. In that first breach, the attackers exploited a vulnerability in the company’s support ticket system, which was left exposed without requiring a user to authenticate before using it. Now for the scary part: although it became widely known that the attackers gained access through that support ticket system, it wasn’t until shortly after the second breach that the support ticket system was shut down.

It is hard to imagine it was a coincidence that Experian chose to shut down its support ticket system mere weeks after announcing it had been breached. If it wasn’t a coincidence, then let’s ask: what did Experian learn from the first breach, in which attackers got away with sensitive customer data? Businesses that store their customers’ sensitive information should be held responsible not only for protecting that data, but also for ensuring that, if breached, they close the holes discovered while investigating the attack.

When companies investigate a breach (or possible breach), it is essential that they have access to historical data so investigators can piece together how the attack unfolded. At Ziften, we provide a system that gives our clients a continuous, real-time view of everything that happens in their environment. In addition to real-time visibility for detecting attacks as they happen, our continuous monitoring service records all historical data so customers can “rewind the tape” and reconstruct exactly what happened in their environment, however far back they need to look. With this visibility, it is possible not only to discover that a breach occurred, but also to learn why it occurred, and hopefully to learn from past mistakes so they do not happen again.


Are You Ready To Learn The Lessons From The UCLA Health Data Breach? – Charles Leaver

Written By Craig Hand And Presented By Ziften CEO Charles Leaver

UCLA Health Data Breach Likely Due To Inferior Security

UCLA Health revealed on July 17th, 2015 that it was the victim of a health data breach affecting as many as 4.5 million patients across the four medical facilities it runs in the Southern California area. According to UCLA Health officials, Personally Identifiable Information (PII) and Protected Health Information (PHI) was accessed, but no evidence yet indicates that the data was stolen. The data went as far back as 1990. Officials also stated that there was no evidence, at this time, that any credit card or financial data was accessed.

“At this time” is the key phrase here. The information accessed (or perhaps taken; it is hard to know at this point) is essentially good for the life of that individual and potentially still useful after that individual’s death. The information available to the perpetrators included names, addresses, contact numbers, Social Security Numbers, medical conditions, medications prescribed, medical treatments performed, and test results.

Little is known about this attack, like so many others we hear about but never get real details on. UCLA Health discovered unusual activity in parts of its network in October 2014 (although access may have started a month earlier) and immediately contacted the FBI. By May 2015, a full seven months later, investigators stated that a data breach had occurred. Once again, officials claim the attackers are most likely highly sophisticated and not in the USA. Finally, we the public got to hear about the breach a full two months after that, on July 17, 2015.

It has been said many times before that we as security professionals have to be right 100% of the time, while the bad guys only have to find the 1% that we may not be able to remedy. Based on our investigation of the breach, the bottom line is that UCLA Health had inferior security practices. One reason is the basic fact that the accessed data was not encrypted. We have had HIPAA for a while now, and UCLA is a well-regarded bastion of higher education, yet it still failed to protect data in the simplest ways. The claim that these were highly sophisticated individuals is also suspect, as so far no real evidence has been disclosed. After all, when was the last time a breached company claimed it was not the victim of a “sophisticated” attack? Even if they claim to have such proof, we as members of the public won’t see it in order to verify it properly.

Since there isn’t enough disclosed information about the breach, it is hard to determine whether any system would have helped detect it sooner rather than later. However, if the breach began with malware delivered to and executed by a UCLA Health network user, the likelihood that Ziften could have helped detect the malware and potentially stop it would have been reasonably high. Ziften could also have alerted on suspicious, unknown, or known malware, as well as on any communications the malware made in order to spread internally or exfiltrate data to an external host.

When are we going to learn? As we all know, it is not a matter of if, but when, companies will be attacked. Smart organizations are preparing for the inevitable with detection and response services that mitigate the damage.


Ziften Endpoint Security Would Have Discovered Adult Friend Finder Data Breach In Time – Charles Leaver

Written By Chuck McAuley And Presented By Charles Leaver Ziften CEO

Endpoint Security Is The Very Best Friend For Adult Friend Finder

Adult Friend Finder, an online “dating service”, and its affiliates were hacked in April. The leaked information included credit card numbers, usernames, passwords, dates of birth, address details and personal, you know, preferences. What is often not highlighted in these cases is the monetary value of such a breach. Many would argue that an email address and its associated data are of little value. However, much as metadata collection gives insight to the NSA, this kind of information gives attackers plenty of leverage that can be used against the public. Spear phishing becomes far easier when attackers have not only an email address but also location, language, and race. The source IP addresses collected can even provide exact street locations for attacks.

The attack method used in this case was not disclosed, but it is fair to assume it involved some form of SQL injection or similar, where the data is pulled out of the back-end database through a flaw in the web server. Another possible method would be hijacking SSH keys from a compromised admin account or GitHub, but those tend to be secondary most of the time. In either case, the database dump itself is 570 megabytes, and assuming the data was exfiltrated in a few large transactions, it would have been very obvious at the network level. That is, if Adult Friend Finder had been using a solution that offered visibility into network traffic.

Ziften ZFlow™ provides network visibility into the cloud to capture aberrant data transfers and attribute them to the specific executing processes. In this case, the administrator would have had two chances to observe the anomaly: 1) at the database level, as the data was extracted; 2) at the web server level, where an unusual amount of traffic would be sent to a specific address. Organizations like Adult Friend Finder should acquire the endpoint and network visibility required to secure their customers’ personal data and “hook up” with a company like Ziften.
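The two detection points described above, volume read out of the database process and volume one host pushes to a single external address, as an added example that is not part of the original post and not Ziften’s ZFlow code. The flow records, the 10.0.0.0/8 internal range, the process names and the byte thresholds are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed site address space
DB_PROCESSES = {"postgres"}           # assumed database server process names

# Constructed flow records: (host, process, dst_ip, bytes_out). The first three
# rows model a ~570 MB dump being read out of the database in a few large
# transactions; the next two model the web server pushing it to one address.
FLOWS = [
    ("db01", "postgres", "10.0.1.20", 180_000_000),
    ("db01", "postgres", "10.0.1.20", 200_000_000),
    ("db01", "postgres", "10.0.1.20", 190_000_000),
    ("web01", "httpd", "203.0.113.7", 300_000_000),
    ("web01", "httpd", "203.0.113.7", 270_000_000),
    ("web01", "httpd", "198.51.100.3", 40_000),   # ordinary page traffic
    ("web01", "httpd", "198.51.100.9", 35_000),
]


def bytes_by_key(flows):
    """Sum bytes_out per (host, process, dst_ip) across all flows."""
    totals = defaultdict(int)
    for host, proc, dst, nbytes in flows:
        totals[(host, proc, dst)] += nbytes
    return totals


def exfil_alerts(flows, db_limit=100_000_000, ext_limit=100_000_000):
    """Return sorted alert tuples for the two observation points:
    database-level: a DB process hands out more than db_limit bytes in total;
    webserver-level: one host sends more than ext_limit bytes to a single
    address outside INTERNAL."""
    alerts = []
    db_out = defaultdict(int)
    for (host, proc, dst), n in bytes_by_key(flows).items():
        if proc in DB_PROCESSES:
            db_out[(host, proc)] += n
        if ip_address(dst) not in INTERNAL and n > ext_limit:
            alerts.append(("webserver-level", host, proc, dst, n))
    for (host, proc), n in db_out.items():
        if n > db_limit:
            alerts.append(("database-level", host, proc, None, n))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in exfil_alerts(FLOWS):
        print(alert)
```

The thresholds would in practice come from a per-host baseline of normal outbound volume rather than fixed constants.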


OPM Breach Causes Biometric Data Compromise That Affected Millions – Charles Leaver

Written By Mike Hamilton And Presented By Ziften CEO Charles Leaver

Increased Security Protection of Personal and Biometric Data Is Needed Following OPM Breach

Recently, I had to go through a fairly extensive background check process. It was one of those situations where you sign into a website, provide your Social Security number and a wealth of sensitive information about you and your family, and trust the government (and its contractors) to take care of that personal data.

When I got home the other evening and sat down to start writing this article, I looked at the stack of mail lying on my desk and noticed one of those envelopes with perforated edges that generally contain sensitive information.

Of course, you have to open those kinds of envelopes. Unfortunately, at that moment all my worst fears became reality.

What I found was my very own letter explaining that essentially every sensitive piece of information one might want to know about me, along with similar information on 21 million other Americans, was accessed during the OPM breach.

Oh, and incidentally, there is the matter that my biometric identity was also compromised.

At this point, although “federal professionals” believe it is no big deal, my iPhone disagrees with them. Bruce Schneier wrote an excellent piece on this, so I won’t belabor the points he makes. But at some point we all need to ask some tough questions:

When is this going to stop?

Who is accountable for stopping it?

Who is going to actually stop it?

Who is going to be held responsible when breaches occur?

These types of breaches are why we at Ziften are so passionately developing our next-generation security tools. While we as a security community may never completely stop or prevent these kinds of breaches, perhaps we can make them much harder and more time consuming. At the end of the day, until the community says “enough is enough”, this is going to keep happening every day.

Ashley Madison Data Breach Shame Could Have Been Prevented With Ziften Endpoint Security – Charles Leaver

Written By Michael Vaughn And Presented By Charles Leaver Ziften CEO

Life is Too Short to Not Implement Endpoint Security.

Ashley Madison’s tagline is “Life is short. Have an affair.” Security seems to fall a bit short at the company, however, as millions of customer records were published for the whole world to see in a recent attack. Publicly, there are only theories as to who exactly infiltrated the outrageous operation. It could have been an insider. Other parties, such as the notorious hacking group Impact Team, are claiming credit for the attack on the red-lettered organization. What is apparent is the publicly published list of 32 million user identities. Furthermore, CEO Noel Biderman lost his job, and the business is facing an overwhelming number of legal claims.

It has been discovered that bots were interacting with users, and that the user population included only a small number of women. Farcically, the website still states that it received a “Trusted Security Award” and offers complete confidentiality to its users. Its claim of “Over 42,705,000 confidential members!” on the home page is as disgraceful as the service itself. The stolen list of users is so readily available that third parties have already created interactive websites with the names and addresses of the exposed cheaters. Per Ashley Madison’s media page, they “right away implemented a comprehensive investigation utilizing leading forensics experts and other security professionals to determine the source, methodology, and scope of this event.” If Ashley Madison had been more proactive in its approach to endpoint security, it could potentially have been notified of the attack and stopped it before data was taken.

Advanced endpoint security and forensic applications, such as those provided by Ziften, could have spared this organization the shame it has endured. Not only could Ziften have alerted security personnel to the suspicious network activity in the middle of the night during an attack, it could also have prevented a range of actions on the database from being carried out, all while letting the security team sleep a little easier. Life is too short to let security concerns keep you awake at night.