Leaked employee passwords open up Fortune 500 companies to hackers

Leaked employee passwords

 

It’s one thing when your iCloud account with personal photos gets hacked. It’s another when your Fortune 500 company has a data breach because your office credentials were leaked online.

At 221 of the Fortune 500 companies, Fortune magazine’s list of the the top 500 U.S. public corporations ranked by gross revenue, employees’ credentials are posted publicly online for hackers to steal and reuse in cyberattacks, according to new research from the web intelligence firm Recorded Future.

Corporations, especially highly sensitive targets like Fortune 500 companies, spend a great deal on securing their networks against hackers, but that could be for naught if an employee carelessly uses his office credentials to sign up for, say, a gaming forum.

The sensitive information can be found on forums and text repositories like Pastebin, which are fertile ground for username and password dumps. Researchers at Recorded Future scoured approximately 600,000 websites for credentials posted between Jan. 1 and Oct. 8, 2014. During their analysis, they found at least one username/password combination at 44% of the Fortune 500 companies, leaving those companies vulnerable to hackers who could use the data to break into networks or mount phishing and social engineering attacks, Recorded Future CEO and cofounder Christopher Ahlberg told Mashable.

These credential dumps are outside the companies’ control, Ahlberg said. The data likely come from third party sites — not from breaches of companies’ servers — where an employee used a corporate email to sign up for something. In the past few years, for example, hackers have breached websites and services like Adobe and Forbes.

One caveat is that there is no way to know whether the password used on a third-party site matches the employee’s password used on his corporate account. In other words, Fortune 500 employees’ information may be posted online — but it doesn’t necessarily that information will lead to a successful compromise.

“It’s a coin flip whether or not these credentials taken from third party sites are valid,” Scott Donnelly, the lead researcher on the report, told Mashable. “But when there’s 10 or 20 from a particular company, then odds are you’ve got one that’s valid.”

Below, the breakdown of the 221 companies listed in the report:

Leaked employee passwords open up Fortune 500 companies to hackers

companies

But having an employee’s username and password isn’t necessarily enough — hackers need to know where to use them. In some cases, Recorded Future also found that the webmail login pages of some utility companies are easily searchable on Google, which makes those companies even more vulnerable if an employee’s credentials are compromised.

The report doesn’t name names — either of companies or individuals — and Recorded Future has not notified any of the companies yet, according to Ahlberg and Donnelly. The goal of their research, they said, is to show that big companies are not immune to huge password leaks.

We’ve seen evidence of that lately.

Two weeks ago, a hacker claimed to have dumped 7 million Dropbox usernames and credentials. In a separate instance in early September, 5 million usernames and passwords appeared on a Russian forum (that information likely came from various earlier hacks, though). And in August, a security firm claimed to have found $1.2 billion credentials stolen by Russian hackers, though the firm’s report has been contested.

The issue with these dumps, even when they don’t involve services like Gmail or Dropbox, is the same: the danger of password reuse. If you always reuse the same password, a hacker doesn’t need to breach Google to obtain your Gmail password; instead, he can get it from your Fantasy Football forum. That’s why Facebook announced last week that it has been actively scouring sites that host dumped credentials to notify users if their password had been compromised.

Ahlberg and Donnelly warn that even more companies have probably been compromised, but those employees’ credentials have not been posted publicly.

“We have a pretty good coverage of the underbelly of the web, but these are just the public posts,” Donnelly said. “We’re highlighting how easy it is for somebody to just open the door and exploit a company because the information is sitting out there. But most certainly, there’s information that’s yet to be published.”


SurveilStar is an ultimate employee monitoring software and parental control software which can help monitor computer activities and protect data security. You can also block files uploading and sharing to prevent data leakage. Including:

computer monitoring

  • View Real-time Screen Snapshot
  • Monitor Skype or Other Chat/IM Activity
  • Record Emails
  • Track web browsing history
  • Block access to any website
  • Remote PC Maintenance
  • Program Activity

 

If you would like to record and control all your children or employees’ activities on working PC, SurveilStar Monitoring would be your best choice.

A 30-day free trial version of this professional computer monitoring and tracking software is available. Feel free to download and try to check what your employees and children have done on PC.

Download

 

Reference: http://mashable.com/

Banking Sector Leads In Global Data Leakage – Infowatch Report

Data Leakage The banking and financial services industry is at high risk for data leakage with over 40 per cent of leaked personal data globally, according to the Infowatch Global Data Leakage Report 2014.

Infowatch Group is the global leader in data leakage protection solutions.

Its Chief Executive Officer, Natalya Kaspersky, said the industry was involved in the leakage of 313 million personal data attributed to 135 cases reported last year.

“Although healthcare segment recorded a higher number of cases, the personal data compromised were much lower in volume compared to the banking and finance sector at 58 million,” she said during her presentation via webinar today.

She said the type of data breached was led by information breach, followed by data fraud and exceeding access rights.

The way data was being leaked was also changing, she said, from the traditional paper or hard copy to a more sophisticated way through browsers and cloud.

Kaspersky said data leakage might soon overtake other threats when it comes to financial and reputation damage to an organisation.

“It is the consumers which are being put at risk when organisations did not put enough precautions to prevent leaks, as the report revealed that 92 per cent of information leaked are personal data,” she added.

Meanwhile, Infowatch Asia Pacific/Malaysia Regional Head, Renga Nathan, said the awareness on the importance of data leakage protection in Malaysia was still very low probably due to the lack of enforcement in terms of Personal Data Protection Act.

“In Malaysia, the penetration of such solutions is only about ten per cent, while in the banking sector only 30 per cent have that kind of protection,” he said.

However, there has been an increasing awareness whereby more organisations are now putting in more budget allocations to extend their data protection to leakage solutions.


SurveilStar is an ultimate employee monitoring software and parental control software which can help monitor computer activities and protect data security. You can also block files uploading and sharing to prevent data leakage. Including:

computer monitoring

  • View Real-time Screen Snapshot
  • Monitor Skype or Other Chat/IM Activity
  • Record Emails
  • Track web browsing history
  • Block access to any website
  • Remote PC Maintenance
  • Program Activity

 

If you would like to record and control all your children or employees’ activities on working PC, SurveilStar Monitoring would be your best choice.

A 30-day free trial version of this professional computer monitoring and tracking software is available. Feel free to download and try to check what your employees and children have done on PC.

Download

 

Reference: http://www.bernama.com.my/

Is It Time to Review Your Data Monitoring Policy?

computer data monitoringThe relationship between workers, their devices and company material can be hazardous if left unmonitored.

Did your employer review their BYOD or employee monitoring policies with you during your onboarding process? Or, has your company’s leadership team made any changes to their policy as cellphones and other mobile devices have been allowed access to company email and files?

As more mobile devices enter the workplace, employers have started extending their data monitoring policies to worker’s personal technology. Although employee monitoring is not a new concept and is often expected in the office, there is a strong aversion to cellphone monitoring, especially among millennials.

Need for Education

According to a nationwide study by TechnologyAdvice Research, more than a third of office workers don’t know their employers’ data monitoring policies.

“The responses suggest a need for greater transparency or education efforts among company management about monitoring policies in order to keep employees engaged and maintain trust in company policies and values,” said TechnologyAdvice Managing Editor Cameron Graham, the study’s author. About 20 percent of respondents were unaware of whether their activity was monitored, while 15.6 percent were aware that their computer use was monitored somehow, but were unsure of the specifics.

Employee Sentiment on Being Monitored

There is a major split in how employees feel about computer monitoring as opposed to mobile device monitoring in the workplace. “Employees seem fairly comfortable in general with employers tracking their computer use at work, considering only 19 percent of respondents said they often or sometimes worry about their employer viewing their Internet history,” said Graham.

But 64.3 percent of office employees stated they would be at least somewhat uncomfortable with their cellphone being monitored during work hours. This is especially true for millennial respondents, who reported being more uncomfortable with cellphone monitoring, but were also found to be less likely to know how they were being monitored.

“There is a clear concern when it comes to employers tracking cellphone use, which respondents viewed as a greater concern than keylogging software or video surveillance,” Graham said. “That fear of cellphone monitoring doesn’t seem to be based on negative experiences, though, with roughly just 1 in 20 employees saying they’ve been questioned about such use.”

BYOD Policy Concerns

Millennials are poised to make up 44 percent of the work population by 2025, yet are the least likely to know the details of employee monitoring policies, despite expressing more concern about mobile device privacy than other age group. As this younger demographic moves into the workforce, employers will likely face growing challenges over Bring Your Own Device (BYOD) policies and mobile device monitoring.

“Involving all relevant parties in policy creation could help ease concerns over monitoring, and strike a balance in maintaining control over company information while discouraging insecure device use,” said Graham.


Recommend

SurveilStar is an ultimate employee monitoring software and parental control software which can help monitor computer activities and protect data security. You can also block files uploading and sharing to prevent data leakage. Including:

computer monitoring

  • View Real-time Screen Snapshot
  • Monitor Skype or Other Chat/IM Activity
  • Record Emails
  • Track web browsing history
  • Block access to any website
  • Remote PC Maintenance
  • Program Activity

 

If you would like to record and control all your children or employees’ activities on working PC, SurveilStar Monitoring would be your best choice.

A 30-day free trial version of this professional computer monitoring and tracking software is available. Feel free to download and try to check what your employees and children have done on PC.

Download

 

Reference: http://www.datamation.com/

5 IT Shortcuts That Put Your Company’s Data at Risk

computers
IT departments looking to save time and money shouldn’t be doing so at the expense of their data protection. A study from the University of Texas revealed that 43% of companies suffering from catastrophic data loss close and never reopen, and 51% close within two years.

Backup solutions provider Unitrends warns IT professionals about five common data protection shortcuts that could put their company’s data — and even their jobs — at risk.

Ignoring Hardware Failures

Hardware failures are the leading cause of data loss. Though most IT professionals don’t completely disregard hardware that is failing to back up company data and systems, many do often ignore the fact that certain backup mediums have high failure rates, such as tape or a SAN or NAS storage device that is used as both the source and target of a backup. To reduce the risk of hardware failures, move data from primary storage to a separate, secondary storage device. Disk-to-disk backup is the best approach, as it’s more reliable than tape and still ensures a physically separate secondary storage set that can survive hardware and system failures.

Trusting Co-workers to Follow Policies

The reality is that employees aren’t always great at following company policies, and even when they do, mistakes still happen. The best defenses against human error are automation and retention. Automation enables automatic execution and strict enforcement of created policies and procedures, and retention enables data recovery, regardless of whether the data loss is noticed right away or weeks later.

Underestimating Cybercriminals

By now, most companies have at least basic security solutions, such as firewalls and anti-virus software, in place to defend against malware. But cybercriminals are becoming very adept at breaking through traditional cyberdefenses. IT professionals should evaluate their infrastructure, identify areas of vulnerability and implement advanced security solutions to overcome them. These solutions include web monitoring software for safe Internet usage, end-point protection for bring-your-own-device management and a sandbox to fight targeted attacks. From a backup perspective, the best approach is to operate backup and disaster-recovery solutions on a non-Windows operating system. Windows has long been one of cybercriminals’ favorite targets, and running protection software on an operating system that is relentlessly under attack just doesn’t make sense.

Playing the Odds

Despite data-loss horror stories, many companies still don’t have disaster-recovery plans in place to protect information from natural and man-made disasters. And many of the companies that do have set plans have just one general set of guidelines that apply to all disaster situations. A strong plan focuses on people, infrastructure and processes, and clearly outlines how each is affected in different disaster scenarios.

Failing to Test Disaster-Recovery Plans

Failure to test disaster-recovery plans, or testing them on an infrequent basis, can greatly increase the risk of data loss in the event of a disaster. Since IT infrastructure evolves daily, thorough testing must be done on a consistent schedule that allows it to be adopted as yet another standard business practice.


Recommend

SurveilStar is an ultimate employee monitoring software and parental control software which can help monitor computer activities and protect data security. You can also block files uploading and sharing to prevent data leakage. Including:

computer monitoring

  • View Real-time Screen Snapshot
  • Monitor Skype or Other Chat/IM Activity
  • Record Emails
  • Track web browsing history
  • Block access to any website
  • Remote PC Maintenance
  • Program Activity

 

If you would like to record and control all your children or employees’ activities on working PC, SurveilStar Monitoring would be your best choice.

A 30-day free trial version of this professional computer monitoring and tracking software is available. Feel free to download and try to check what your employees and children have done on PC.

Download

 

Reference: http://mashable.com/

There’s a way to scam Apple Pay and identity thieves are starting to use it

Instead of breaking Apple Pay‘s built-in security, identity thieves are taking advantage of lax rules for card activation from banks. In other words, crooks are loading stolen banking information on new iPhones and then using Apple Pay to purchase high-price items, according to the report.

Apple Pay

Banks are supposed to verify all cards that are loaded onto Apple Pay. But some provision card use simply by confirming the last four digits of social security numbers, for example.

In particular, Apple Stores are being targeted. They, of course, accept Apple Pay and offer high-value, in-demand Apple products. The Guardian charts total losses from Apple Pay as “already running into the millions,” citing “industry sources.”

Apple Pay works using near-field communication at payment terminals. Its transactions utilize more-secure tokenized payments, and buyers have to verify their purchases with Apple’s Touch ID fingerprint sensor. The combination of encrypted payments and biological verification is supposed to offer a good deal more security than typical magnetic strips — the problem here is how evildoers can manipulate bank card provisions.

Apple is standing its ground, saying that Apple Pay itself is extremely secure — it is the banks’ verification methods that are being called into question. It is not an Apple-exclusive problem, either, since this sort of verification rests in the hands of banks. .

“Apple Pay is designed to be extremely secure and protect a user’s personal information,” an Apple spokesperson told Mashable. “During setup Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank.”

Apple’s mobile payment competitors face the same problem, according to mobile payments blogDrop Labs

Two big problems with cybersecurity are authentication and the “false sense of security” that comes with strong cryptography, Patrick Nielsen, senior security researcher at Kaspersky Lab, told Mashable. Apple Pay’s security is strong, but thieves can find other, weaker links involved in the process, such as the banks.

“All these kinds of new technologies will have growing pains,” Nielsen said in an email. “The best way to solve this particular issue, though, would be to stop thinking of social security numbers as something that’s privileged and secret, and therefore not grant access (to use the credit card like a physical card, in this case) based on that knowledge alone.”


Recommend

SurveilStar is an ultimate employee monitoring software and parental control software which can help monitor computer activities and protect data security. You can also block files uploading and sharing to prevent data leakage. Including:

computer monitoring

  • View Real-time Screen Snapshot
  • Monitor Skype or Other Chat/IM Activity
  • Record Emails
  • Track web browsing history
  • Block access to any website
  • Remote PC Maintenance
  • Program Activity

 

If you would like to record and control all your children or employees’ activities on working PC, SurveilStar Monitoring would be your best choice.

A 30-day free trial version of this professional computer monitoring and tracking software is available. Feel free to download and try to check what your employees and children have done on PC.

Download

 

Reference: http://mashable.com/

Companies did not learn from LuxLeaks

Nearly three months after the first LuxLeaks report was published for Luxembourg, companies are still leaving themselves vulnerable to data breaches, suggest two Allen & Overy Senior Associates.

LuxLeaks

Senior Associate in Employment Law Gilles Dall’Agnol has keenly observed the reactions of companies to the two reports, which revealed tax agreements with international companies made by big four companies in Luxembourg.

“I think that LuxLeaks, for all its negative consequences, has had the effect of increasing awareness about the topic of data security,” he said.

As a result of the scandal, he says he expects to see the role of information security officers strengthened, along with the introduction of specific policies and mechanisms, such as whistleblowing structures. Meanwhile, he says companies will be more reluctant to outsource data security responsibilities.

However, Catherine Di Lorenzo, Allen & Overy Senior Associate in IP/IT and data protection law, said that many companies are failing to address a key question when securing tangible evidence of a data breach: are they authorised to monitor or screen employees’ emails?

“With respect to such screening, probably the most important part you have to know is that screening qualifies as employee monitoring which is only permissible if certain data protection rules have been complied with,” Ms Di Lorenzo explained, adding: “The data protection steps cannot be retroactively applied, which means if you’ve a suspicion to do with an email in which client data might have been sent, as you did not comply with data protection rules, the employer cannot simply go and screen the employee’s account.”

A company carrying out monitoring while having failed to comply with these rules exposes itself and its managers to criminal liability. In addition, evidence collected in this way is likely to be considered inadmissible in court.

This means, in other words, that a dismissal of an employee based solely on evidence collected in this way is likely to be ruled as abusive.

“If a company has not complied with the data protection rules, it should not even be carrying out a screening as this would itself qualify as a criminal offence. If the company does the screening anyway and finds something, it will most likely not be able to use it.

“It’s a disaster if you find yourself in such a situation,” Ms Di Lorenzo said, adding: “Compliance with data protection rules costs just one or two days’ work. But it is simply an element of corporate housekeeping everybody has neglected for a long time.”

Mr Dall’Agnol adds that in many such cases, companies do not have another choice but to make a criminal complaint without carrying out screening or employment law sanctions and leave it to the prosecutor to find the evidence.


Recommend

SurveilStar is an ultimate employee monitoring software and parental control software which can help monitor computer activities and protect data security. You can also block files uploading and sharing to prevent data leakage. Including:

computer monitoring

  • View Real-time Screen Snapshot
  • Monitor Skype or Other Chat/IM Activity
  • Record Emails
  • Track web browsing history
  • Block access to any website
  • Remote PC Maintenance
  • Program Activity

 

If you would like to record and control all your children or employees’ activities on working PC, SurveilStar Monitoring would be your best choice.

A 30-day free trial version of this professional computer monitoring and tracking software is available. Feel free to download and try to check what your employees and children have done on PC.

Download

 

Reference: http://www.wort.lu/