SPOTLIGHT ON SECURITY

Las Vegas Captures Ransomware Crown

Las Vegas is arguably the gambling capital of the world, but it’s also the king city for ransomware, based on recent research.

Among the world’s nations, the United States ranked highest in ransomware incidents, according to a Malwarebytes report on the prevalence and distribution of extortion apps. The area of the country that logged the most incidents was the Las Vegas-Henderson, Nevada, region.

Nevada cities led the nation in overall ransomware detections, most detections per individual machine, and most detections per population, according to the report, which is based on an analysis of half a million ransomware incidents.

Las Vegas’ attraction to tourists and conference goers may be what attracts digital bandits.

“When people go to conferences, they’re using their laptops on WiFi networks that may not be completely trusted,” explained Adam Kujawa, head of malware intelligence at Malwarebytes.

Coupled with the relaxed atmosphere of the city, that can make users more vulnerable to vehicles delivering ransomware.

“When people are having a good time, they let their guard down,” Kujawa told TechNewsWorld.

Rust Belt Targeted

Although Las Vegas topped the list for ransomware detections, half of the top 10 ransomware cities were found in the Rust Belt: Detroit, Michigan; Ohio cities Toledo, Columbus and Cleveland; and Fort Wayne, Indiana.

A lack of security awareness and misplaced trust may have contributed to the high rate of detections in that region.

“They’re less security-aware than people living in larger metropolitan areas,” Kujawa said. “People are also more likely to fall for phishing attacks, which is one of the primary methods of malware distribution.”

Ransomware has been a scourge over the past two years, but that will change in the coming months as the security industry finds new ways to block ransomware, suggested Nima Samad, a Malwarebytes data science analyst who also worked on the report.

“Within the next year or two, we’ll see a dramatic decrease — at least in the kind of ransomware we’re seeing right now,” he told TechNewsWorld.

Teflon Security

Friction is the great enemy of e-commerce. Consumers do not respond well to any delays doing what they want to do online. That’s why so many shopping carts are abandoned before shoppers pull the trigger on a purchase.

More than two out of three carts (68.81 percent) are deserted by shoppers, according to the Baymard Institute.

Friction creates a ticklish problem for security teams, because protecting merchants and consumers from fraud can create friction. Ideally, the best security scheme is one that gives consumers their cake and lets them eat it, too — one that offers maximum protection but is invisible to shoppers.

Such a trend is occurring in global financial institutions, where adoption of passive risk assessment systems is growing. Those systems assess the risk of a consumer’s session with a financial institution, using a basket of factors about that session.

What’s particularly beneficial about the systems is that they continually authenticate the author of the session. Typically, once a user provides a name and password, they become “trusted,” and their activity after login is ignored.

With risk assessment systems, users are monitored constantly. Even if they use a correct name and password, risky online behaviors will be flagged, and action taken to authenticate their identities.

Useless Passwords

“You can essentially authenticate and re-authenticate a user all the time by looking for things that are anomalous,” explained Dan Ingevaldson, CTO of Easy Solutions.

There can be anomalies in how a browser is used or in the way a visitor logs in compared to the past, or in the makeup of the device used in a session.

However, it’s important to understand that these passive systems deal in probability. They tell you what the probability is that a particular session is risky.

“Very confident predictions can be made that one session is related to another. That’s really helpful. It can make things like stolen passwords unusable to attackers,” Ingevaldson explained.

“We’re going to see a lot more of these systems in 2017,” he predicted.
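A minimal sketch of the passive, continuous risk scoring described above, added here as an illustration and not taken from any vendor's product. The baseline, the feature weights, the thresholds, and the typing-interval and new-payee signals are all assumptions chosen for the example.

```python
import math

# Constructed baseline for one user (assumption: learned from that user's past sessions).
BASELINE = {
    "device": {"os": "Windows 10", "browser": "Firefox", "screen": "1920x1080", "tz": "America/Chicago"},
    "hours": set(range(7, 23)),   # hours of day this user normally logs in
    "typing_ms": (180.0, 40.0),   # mean and std dev of inter-key interval
}
# Hypothetical log-odds weights; a real system would fit them to labelled sessions.
WEIGHTS = {"device_mismatch": 3.0, "odd_hour": 0.8, "typing_z": 0.9, "new_payee": 1.2}
BIAS = -4.0

def features(event):
    dev = BASELINE["device"]
    mean, std = BASELINE["typing_ms"]
    return {
        "device_mismatch": sum(event["device"].get(k) != v for k, v in dev.items()) / len(dev),
        "odd_hour": 0.0 if event["hour"] in BASELINE["hours"] else 1.0,
        "typing_z": min(abs(event["typing_ms"] - mean) / std, 4.0),  # capped z-score
        "new_payee": 1.0 if event.get("new_payee") else 0.0,
    }

def risk_probability(event):
    logit = BIAS + sum(WEIGHTS[k] * v for k, v in features(event).items())
    return 1.0 / (1.0 + math.exp(-logit))

def evaluate_session(events, step_up=0.5, block=0.9):
    """Score every event in the session, not only the login."""
    decisions = []
    for e in events:
        p = risk_probability(e)
        decision = "block" if p >= block else "step_up" if p >= step_up else "allow"
        decisions.append((e["name"], decision, round(p, 3)))
    return decisions

# Constructed sessions; the password check succeeded in both.
KNOWN = dict(BASELINE["device"])
OTHER = dict(KNOWN, browser="Chrome", screen="1366x768")
OWNER = [
    {"name": "login", "device": KNOWN, "hour": 9, "typing_ms": 190},
    {"name": "transfer", "device": KNOWN, "hour": 9, "typing_ms": 170, "new_payee": True},
]
STOLEN = [
    {"name": "login", "device": OTHER, "hour": 14, "typing_ms": 200},
    {"name": "transfer", "device": OTHER, "hour": 14, "typing_ms": 60, "new_payee": True},
]

if __name__ == "__main__":
    for label, session in (("owner", OWNER), ("stolen password", STOLEN)):
        print(label, evaluate_session(session))
```

In the second session the login is allowed on a correct password, but the later transfer crosses the step-up threshold, which is the post-login monitoring the column describes.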

Beyond Compliance

Software development is in a state of transition. More and more organizations are getting apps to market faster and with better quality using technologies like DevOps, Agile and continuous improvement. Those technologies aren’t just changing software development — they’re changing the security industry, too.

The days of making security purchases solely for compliance reasons are fading fast.

“Plenty of security purchases were made to check off some compliance boxes, and it was hoped that the product would also deliver some real value,” noted Zane Lackey, chief security officer at Signal Sciences.

With the adoption of DevOps and its emphasis on speed and quality, organizations are starting to demand more from security vendors.

“Buyers are getting fed up with vendors not delivering on their promises,” Lackey told TechNewsWorld.

As part of that value equation, security vendors need to shed a role many of them have had for years.

“Security has always acted as this gatekeeper and blocker. Now buyers don’t want to know, ‘how does this slow me down less?’ but ‘how does this enable me to move faster?’” Lackey pointed out.

“Security can’t be a compliance checkbox that just slows everything down,” he emphasized. “It needs to add real value and help me move faster as an organization.”

Breach Diary

  • Dec. 26. PakWheels, an automotive classified website, notifies its users that their personal data is at risk after its server was breached by an unknown third party.
  • Dec. 27. Three Chinese citizens are charged by the United States with engaging in conspiracies to commit insider trading, wire fraud and computer intrusion in an indictment filed in federal court in Manhattan.
  • Dec. 27. New Hampshire’s Department of Health and Human Services says confidential information of as many as 15,000 people who received department services is at risk after unauthorized access to it by a patient at the state’s psychiatric hospital.
  • Dec. 27. Global encryption software market will be US$2.5 billion by 2021, Allied Market Research forecasts.
  • Dec. 28. InterContinental Hotel Group, which operates more than 5,000 hotels worldwide, says it’s investigating reports of a possible data breach at a small number of its hotels located in the United States.
  • Dec. 28. The Organization for Security Cooperation in Europe, which monitors the Ukraine-Russian conflict, says it suffered a data breach that compromised the security of its computer network.
  • Dec. 29. Nevada takes its marijuana portal offline after a data breach exposed confidential information on some 12,000 applications for cards used to obtain medical marijuana.
  • Dec. 29. FBI and U.S. Department of Homeland Security issue joint report detailing the tools and infrastructure used by Russian intelligence services to compromise and exploit networks and infrastructure associated with the recent U.S. election, as well as a range of U.S. government, political and private sector entities.
  • Dec. 29. Hong Kong Airlines apologizes to its customers for a flaw in its Android app that allowed personal information of more than 100 passengers to be viewed by other users of the app.
  • Dec. 30. President Barack Obama expels from the United States 35 suspected Russian spies for “malicious cyber activity and harassment” in connection with Russia’s attempt to influence the 2016 presidential election.
  • Dec. 31. Potomac Healthcare Solutions accidentally exposed to the public Internet confidential information on scores of psychologists and other healthcare professionals deployed within the U.S. military’s Special Operations Command, MacKeeper security researcher Chris Vickery says.

Upcoming Security Events

  • Jan. 9. 2017 Predictions: Authentication, Identity & Biometrics in a Connected World. 11 a.m. ET. Webinar by BioConnect. Free with registration.
  • Jan. 11. Double Yahoo Breach: Nothing You Can Do About It, But Learn. 3 p.m. ET. Webinar by ITSPmagazine. Free with registration.
  • Jan. 12. 2017 Trends in Information Security. 11 a.m. ET. Webinar by 451 Research. Free with registration.
  • Jan. 12. What Does the Massive Yahoo Hack Mean for Your Company? 1 p.m. ET. Webinar by Viewpost. Free with registration.
  • Jan. 12. The Rise of Malware-Less Attacks: How Can Endpoint Security Keep Up? 1 p.m. ET. Webinar by Carbon Black. Free with registration.
  • Jan. 12. FTC PrivacyCon. Constitution Center, 400 7th St. SW, Washington, D.C. Free.
  • Jan. 13. How the Heck Did They Miss It? Lessons to Learn from the Yahoo Breach. 1 p.m. ET. Webinar by Acalvio Technologies.
  • Jan. 13. I Heart Security: Developing Enterprise Security Programs for Millennials. 5 p.m. ET. Webinar by NCC Group. Free with registration.
  • Jan. 13-14. BSides San Diego. National University, Spectrum Business Park Campus, 9388 Lightwave Ave., San Diego. Tickets: $30 (includes T-shirt).
  • Jan. 16. You CAN Measure Your Cyber Security After All. 1 p.m. ET. Webinar by Allure Security Technology. Free with registration.
  • Jan. 26. The True State of Security in DevOps and Expert Advice On How to Bridge the Gap. 1 p.m. ET. Webinar by HPE and Coveros. Free with registration.
  • Jan. 31. Using GDPR To Your Advantage To Drive Customer Centricity and Trust. 5 a.m. ET. Webinar by Cognizant. Free with registration.
  • Feb. 4. BSides Huntsville. Solutions Complex building, Dynetics, 1004 Explorer Blvd., Huntsville, Alabama. Tickets: $10.
  • Feb. 4. BSides Seattle. The Commons Mixer Building, 15255 NE 40th St., Redmond, Washington. Tickets: $15, plus $1.37 fee.
  • Feb. 12-13. BSides San Francisco. DNA Lounge/SF BuzzWorks, 375 11th St., San Francisco. General Admission: $35; with electronic pass, $110.
  • Feb. 13-17. RSA USA Conference. Moscone Center, San Francisco. Full Conference Pass: before Nov. 11, $1,695; before Jan. 14, $1,995; before Feb. 11, $2,395; after Feb. 10, $2,695.
  • Feb. 21. Top Trends That Will Shape Your Cybersecurity Strategy in 2017. 11 a.m. ET. Webinar by vArmour, American University, TruSTAR and Cryptzone.
  • Feb. 25. BSides NoVa. CIT Building, 2214 Rock Hill Rd. #600, Herndon, Virginia. Tickets: conference, $25; workshops, $10.
  • Feb. 28. Key Steps to Implement & Maintain PCI DSS Compliance in 2017. 1 p.m. ET. Webinar by HPE Security.
  • March 2. Enabling Trust Throughout the Customer Journey. 10 a.m. PT. Webinar by Iovation. Free with registration.
  • March 28-31. Black Hat Asia. Marina Bay Sands, Singapore. Registration: before Jan. 28, S$1,375; before March 25, S$1,850; after March 24, S$2,050.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.