Archive for January, 2016

Chuck Leaver – Past Mistakes Mean That Experian Should Learn And Implement Continuous Monitoring

Written By Josh Applebaum And Presented By Charles Leaver Ziften CEO

Experian Needs To Learn From The Mistakes Of The Past And Implement A Continuous Monitoring Service

Working in the security sector, I have always found my work hard to explain to the average person. Over the last couple of years, that has changed. Sadly, we are seeing a new data breach disclosed every couple of weeks, with many more that are kept private. These breaches are making front-page headlines, and I can now explain to my friends what I do without losing them after a few sentences. Nevertheless, I still wonder what we are gaining from all of this. As it turns out, many businesses are not learning from their own mistakes.

Experian, the international credit reporting company, is one with a lot to learn. A number of months ago Experian revealed that its servers had been breached and customer data stolen. When Experian announced the breach, it assured customers that “our consumer credit database was not accessed in this breach, and no payment card or banking information was obtained.” Although Experian took the time in its statement to reassure customers that their financial details had not been stolen, it went on to list what data actually was stolen: consumers’ names, addresses, Social Security numbers, birth dates, driver’s license numbers, military ID numbers, passport numbers, and additional information used in T-Mobile’s own credit assessment. This is frightening for two reasons: the first is the type of data that was taken; the second is that this isn’t the first time this has happened to Experian.

Although the hackers didn’t walk away with “credit card or banking info,” they did walk away with personal data that could be used to open new payment card, banking, and other financial accounts. That in itself is reason for the affected T-Mobile customers to be concerned. Beyond them, all Experian consumers should be a little nervous.

As it turns out, this isn’t the first time Experian’s servers have been compromised by hackers. In early 2014, T-Mobile revealed that a “reasonably small” number of its customers had their personal details stolen when Experian’s servers were breached. Brian Krebs has a very well-written blog post about how the hackers breached the Experian servers the first time, so we won’t go into excessive detail here. In the first breach of Experian’s servers, hackers exploited a vulnerability in the company’s support ticket system, which was left exposed without requiring a user to authenticate before using it. Now to the frightening part: although it became commonly known that the hackers used a vulnerability in the support ticket system to gain access, it wasn’t until soon after the second hack that the support ticket system was shut down.

It would be hard to imagine that it was a coincidence that Experian chose to take down its support ticket system just weeks after announcing it had been breached. If this wasn’t a coincidence, then let’s ask: what did Experian learn from the first breach, in which attackers got away with sensitive consumer data? Companies that store their customers’ sensitive information must be held accountable not only for securing that data, but also for ensuring that, if breached, they patch the holes discovered while investigating the attack.

When companies are investigating a breach (or potential breach), it is imperative that they have access to historical data so investigators can piece together how the attack unfolded. At Ziften, we provide a system that gives our customers a continuous, real-time view of everything that occurs in their environment. In addition to supplying real-time visibility for identifying attacks as they happen, our continuous monitoring system records all historical data so customers can “rewind the tape” and reconstruct exactly what happened in their environment, however far back they need to look. With this visibility, it is possible not only to discover that a breach occurred, but also to learn why it occurred, and ideally to learn from past mistakes to keep them from happening again.

Chuck Leaver – The Same Old Story With The UCLA Health Data Breach

Written By Craig Hand And Presented By Ziften CEO Charles Leaver

UCLA Health Data Breach Probably Down To Poor Security

UCLA Health revealed on July 17th, 2015 that it was the victim of a health data breach affecting as many as 4.5 million healthcare customers of the four medical facilities it runs in the Southern California region. According to UCLA Health officials, Personally Identifiable Information (PII) and Protected Health Information (PHI) was accessed, but no evidence yet suggests that the data was stolen. This data went as far back as 1990. Officials likewise stated that there was no evidence, at this time, that any credit card or financial data was accessed.

“At this time” is the key phrase here. The information accessed (or possibly stolen; it’s frankly impossible to know at this point) is useful for practically the life of that person and potentially still useful after their death. The information available to the criminals consisted of names, addresses, contact numbers, Social Security numbers, medical conditions, medications prescribed, medical procedures performed, and test results.

Little is known about this attack, as with many others we hear about but never get any real details on. UCLA Health discovered unusual activity in parts of its network in October 2014 (although access potentially started a month earlier) and immediately called the FBI. By May 2015, a full seven months later, investigators determined that a data breach had taken place. Once again, officials claim that the attackers are most likely highly sophisticated and based outside the country. Finally, we the public got to hear about the breach a full two months later, on July 17, 2015.

It has been said many times before that we as security professionals need to be right 100% of the time, while the cyber criminals only have to find that 1% we may not be able to remedy. Based on our investigation of the breach, the bottom line is that UCLA Health had inferior security practices. One reason is the simple fact that the data accessed was not encrypted. We have had HIPAA for a while now, and UCLA is a well-regarded bastion of higher education, yet it still failed to safeguard data in the simplest ways. The claim that these were highly sophisticated attackers is also suspect, as so far no genuine evidence has been produced. After all, when was the last time a breached organization declared that it wasn’t the victim of a “sophisticated” attack? Even if they claim to have such evidence, as members of the public we won’t get to see it and vet it properly.

Since there isn’t enough disclosed information about the breach, it is hard to determine whether any system would have helped detect it sooner rather than later. However, if the breach started with malware delivered to and executed by a UCLA Health network user, the likelihood that Ziften could have helped detect the malware and potentially stop it would have been fairly high. Ziften could also have alerted on suspicious, unknown, or known malware, as well as any connections the malware made in order to spread internally or to exfiltrate data to an external host.

When are we going to learn? As we all know, it’s not a matter of if, but when, organizations will be breached. Smart organizations are preparing for the inevitable with detection and response systems that limit the damage.

Chuck Leaver – Adult Friend Finder Hack Avoidable With Superior Endpoint Security

Written By Chuck McAuley And Presented By Charles Leaver Ziften CEO

Endpoint Security Is The Best Friend For Adult Friend Finder

Adult Friend Finder, an online “dating service,” and its affiliates were hacked in April. The leaked information consisted of credit card numbers, usernames, passwords, dates of birth, address details and personal – you understand – preferences. What is often not highlighted in these cases is the monetary value of such a breach. Many would argue that having an e-mail address and the associated data is of little worth. Nevertheless, in the same way that metadata collection provides insight to the NSA, this type of information gives attackers plenty of leverage that can be used against the public. Spear phishing becomes a lot easier when attackers have not only an e-mail address, but also location, language, and race. The source IP addresses collected can even provide exact street addresses for attacks.

The attack method used in this instance was not publicized, but it is reasonable to assume that it leveraged some sort of SQL injection attack or similar, where the data is pulled out of the back-end database through a flaw in the web server. Another possible method could have been hijacking SSH keys from a compromised admin account or GitHub, but those tend to be secondary in most cases. Either way, the database dump itself is 570 Mb, and assuming the data was exfiltrated in a few large transactions, it would have been extremely obvious at the network level. That is, if Adult Friend Finder had been using a service that provided visibility into network traffic.

Ziften ZFlow™ provides network visibility into the cloud to capture aberrant data transfers and attribute them to the specific executing processes. In this case, the administrator would have had two chances to see the problem: 1) at the database level, as the data was extracted; 2) at the web server level, where an abnormal quantity of traffic was being sent to a specific address. Organizations like Adult Friend Finder ought to get the endpoint and network visibility required to protect their customers’ personal data and “hook up” with a business like Ziften.
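As an added illustration of the two detection points described above (this is example code, not Ziften’s own code and not the ZFlow data format), the following Python aggregates constructed per-process flow summaries and flags any destination that receives far more than a process normally sends to a single peer. The record layout, the 10x ratio, the hostnames and the addresses are all assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample (not real data): one hour of outbound bytes summarised
# per (host, process, destination). A database host and a web server each
# send a bulk volume to one external address that dwarfs their normal peers.
FLOWS = [
    ("db01",  "mysqld", "10.0.2.10",     12_000_000),   # app tier, normal
    ("db01",  "mysqld", "10.0.2.11",     11_500_000),
    ("db01",  "mysqld", "10.0.2.12",     12_800_000),
    ("db01",  "mysqld", "203.0.113.7",  570_000_000),   # bulk pull, external
    ("web01", "httpd",  "198.51.100.20",  2_000_000),   # ordinary clients
    ("web01", "httpd",  "198.51.100.21",  1_800_000),
    ("web01", "httpd",  "198.51.100.22",  2_300_000),
    ("web01", "httpd",  "203.0.113.7",  480_000_000),   # one client, huge volume
    ("web01", "sshd",   "10.0.9.5",         300_000),
]

def aggregate(flows):
    """Sum bytes sent per (host, process, destination) tuple."""
    totals = defaultdict(int)
    for host, proc, dst, nbytes in flows:
        totals[(host, proc, dst)] += nbytes
    return totals

def find_outliers(flows, ratio=10.0, internal_prefix="10."):
    """Flag destinations that received at least `ratio` times the median
    per-destination volume for that (host, process). Returns sorted tuples of
    (host, process, dst, bytes, is_external); the median baseline makes a
    single huge transfer stand out even when it dominates the total."""
    per_proc = defaultdict(list)
    for (host, proc, dst), nbytes in aggregate(flows).items():
        per_proc[(host, proc)].append((dst, nbytes))
    alerts = []
    for (host, proc), dests in per_proc.items():
        baseline = median(n for _, n in dests)
        for dst, nbytes in dests:
            if baseline > 0 and nbytes / baseline >= ratio:
                external = not dst.startswith(internal_prefix)
                alerts.append((host, proc, dst, nbytes, external))
    return sorted(alerts)

if __name__ == "__main__":
    for host, proc, dst, nbytes, external in find_outliers(FLOWS):
        where = "external" if external else "internal"
        print(f"{host}/{proc} -> {dst} ({where}): {nbytes / 1e6:.0f} MB")
```

With the sample above both the database process and the web server are flagged against the same external address, which is the correlation an operator would want before the dump has finished leaving the network.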

Chuck Leaver – Biometric Data Compromised In OPM Breach

Written By Mike Hamilton And Presented By Ziften CEO Chuck Leaver

Increased Security Protection of Personal and Biometric Data Required After OPM Breach

Recently, I had to go through a fairly substantial background check process. It was one of those situations where you sign into the portal, provide your Social Security number and a myriad of sensitive information about you and your family, and trust the government (and its specialists) to take care of that personal data.

When I got home the other evening and sat down to start writing this article, I looked at the stack of mail on my desk and noticed one of those envelopes with the perforated edges that normally contain sensitive details.

Naturally, you have to open that kind of envelope. Sadly, at that moment all of my worst fears came true.

What I found was my very own letter detailing that essentially every sensitive piece of information one might wish to know about me – as well as similar information on 21 million other Americans – was accessed during the OPM breach.

Oh, and by the way, there’s the issue that my biometric identity was also compromised.

At this point, even though “federal specialists” believe it’s no big deal, my iPhone disagrees with them. Bruce Schneier wrote an outstanding piece on this, so I won’t belabor the points he makes. But at some point we all need to ask some hard questions:

When is this going to stop?

Who is accountable for stopping it?

Who is going to really stop it?

Who is going to be held responsible when breaches happen?

Breaches like these are why at Ziften we are so passionately building our next-generation security tools. While we as a security community may never entirely stop or prevent these kinds of breaches from taking place, perhaps we can make them much harder and more time consuming. When you think about it, until the community says “this has to stop,” this is going to continue to happen every day.

Chuck Leaver – Ashley Madison Breach Could Have Been Prevented With Better Endpoint Security

Written By Michael Vaughn And Presented By Chuck Leaver Ziften CEO

Life is Too Short to Not Implement Endpoint Security.

Ashley Madison’s tagline is “Life is short. Have an affair.” Security falls very short at the business, however, as millions of customer records were published for the whole world to see in a recent cyber attack. Publicly, there are only theories as to who exactly infiltrated the scandalous operation. It could have been an inside job. Other parties, for example the infamous hacking group Impact Team, are claiming victory over the red-lettered organization. What is clear is the publicly published list of 32 million user identities. Additionally, CEO Noel Biderman lost his job, and the business is facing an overwhelming number of lawsuits.

It has been discovered that bots were interacting with users, and that the user base included only a small number of women. In a near-comedic fashion, the site still states that it received a “Trusted Security Award” and offers total confidentiality for its users. Its claim of “Over 42,705,000 confidential members!” on the home page is as outrageous as the service it provides. The stolen list of users is so readily available that third parties have already built interactive sites with the names and addresses of the exposed cheaters. Per Ashley Madison’s media page, they “right away launched a thorough investigation using premier forensics specialists and other security experts to determine the origin, methodology, and scope of this occurrence.” If Ashley Madison had been more proactive in its approach to endpoint security, it could have been alerted to the breach and stopped it before data was taken.

Advanced endpoint security and forensic applications – for example those offered by Ziften – might have spared this business the humiliation it has had to deal with. Not only could Ziften have notified security officers of the suspicious network activity in the middle of the night of an attack, it could also have prevented a range of actions on the database from being performed, all while letting the security team sleep a little better. Life is too short to let security concerns keep you awake at night.