New research found that these outdated systems, which may not be encrypted or even documented, were more susceptible to threats.
By analyzing publicly available federal spending and security breach data, the researchers found that a 1% increase in the share of new IT development spending is associated with a 5% decrease in security breaches.
“In other words, federal agencies that spend more in maintenance of legacy systems experience more frequent security incidents, a result that contradicts a widespread notion that legacy systems are more secure,” the paper found. The research paper was written by Min-Seok Pang, an assistant professor of management information systems at Temple University, and Huseyin Tanriverdi, an associate professor in the Information, Risk and Operations Department at the University of Texas at Austin.
“Maybe the conventional wisdom that legacy systems are secure could be right,” said Pang, in an interview. But the integration of these systems “make the whole enterprise architecture too complex, too messy” and less secure, he said.
Federal agencies have seen a rapid increase in security incidents, the paper points out, citing federal data assembled by the Government Accountability Office. From 2006 through 2014, the number of reported security incidents increased by more than 1,100 percent, or from 5,503 to 67,168. An incident can cover a range of activities, such as a denial of service, successfully executed malicious code, and breaches that give intruders access.
One of the largest federal system breaches occurred in 2015, when hackers gained access to some 18 million records at the Office of Personnel Management.
Tony Scott, the former federal CIO under President Barack Obama, told lawmakers at a hearing last year that nearly three quarters of IT budgets are spent maintaining legacy systems.
“These systems often pose significant security risks, such as the inability to utilize current security best practices, including data encryption and multi-factor authentication, which make them particularly vulnerable to malicious cyber activity,” Scott said.
The U.S., overall, has more than 3,400 IT professionals employed to maintain legacy programming languages, a U.S. House committee was told after the OPM breach.
If the federal government doesn’t modernize its systems, Pang said it may see more large breaches similar to the OPM hack.
In the absence of modernization, Pang said that effective IT governance “mitigates security risks of the legacy systems.” The paper also recommended moving systems to the cloud.
Pang said the government needs to pass the Modernizing Government Technology Act. That legislation, which was approved by the House last year, would have boosted IT spending by about $9 billion from 2017 to 2021 had it reached the president’s desk.
Verizon Communications Inc reconfirmed plans to acquire Yahoo Inc’s core business for $4.48 billion, lowering its original offer by $350 million in the wake of two massive cyber attacks at the internet company.
The closing of the deal, which was first announced in July, had been delayed as the companies assessed the fallout from two data breaches that Yahoo disclosed last year. The No. 1 U.S. wireless carrier had been trying to persuade Yahoo to amend the terms of the agreement following the attacks.
Verizon and Yahoo signed the deal on Sunday evening after weeks of talks that included calls with Yahoo CEO Marissa Mayer and a meeting between Verizon CEO Lowell McAdam and Yahoo director Tom McInerney in New York earlier this month to agree on the amount of the price reduction, a person involved in the talks said.
The two sides had an agreement in principle about a week earlier that included a liability sharing agreement, something that Verizon decided early on that it needed to reach a deal.
Verizon conducted brand studies and found that Yahoo’s reputation was holding up after the hacks, the person said. The company decided to proceed in part because it continued to believe that the deal made strategic sense and that users were loyal and engaged.
The companies said on Tuesday they expect the deal to close in the second quarter. The data breach may delay some integration of Yahoo with Verizon after the closing, the person said.
The deal brings to Verizon Yahoo’s more than 1 billion users and a wealth of data it can use to offer more targeted advertising. Verizon will combine Yahoo’s advertising technology tools as well as its search, email and messenger assets with its AOL unit, purchased for $4.4 billion in 2015.
Verizon’s shares rose 0.3 percent to $49.33 in afternoon trading, while Yahoo’s shares were up 0.8 percent at $45.48.
Under the amended terms, Yahoo and Verizon will split cash liabilities related to some government investigations and third-party litigation related to the breaches.
Yahoo, however, will continue to be responsible for liabilities from shareholder lawsuits and SEC investigations.
Yahoo said in December that data from more than 1 billion user accounts was compromised in August 2013, making it the largest breach in history.
This followed the company’s disclosure in September that at least 500 million accounts were affected in another breach in 2014.
Verizon Communications Inc is close to an updated deal to purchase Yahoo Inc’s core internet business for $250 million to $350 million less than the original agreed price of $4.83 billion, according to a source briefed on the matter.
Since last year, Verizon had been trying to persuade Yahoo to amend the terms of the acquisition agreement to reflect the economic damage from two cyber attacks. A source told Reuters that the deal, which could come as soon as this week, will entail Verizon and Yahoo sharing the liability from potential lawsuits related to the data breaches.
Another person familiar with the situation said the price cut was likely to be around $250 million, a figure that Bloomberg reported earlier on Wednesday.
A representative from Verizon declined to comment. Yahoo did not immediately respond to requests for comment.
“Maybe this isn’t quite as much of a discount as initially thought, but it’s at least something,” said Dave Heger, senior equity analyst at Edward Jones.
Verizon hopes to combine Yahoo’s search, email and messenger assets, as well as advertising technology tools, with its AOL unit, which Verizon bought in 2015 for $4.4 billion. Verizon has been looking to mobile video and advertising for new sources of revenue outside an oversaturated wireless market.
But Sunnyvale, California-based Yahoo has been under scrutiny by federal investigators and lawmakers since disclosing the largest known data breach in history in December, months after disclosing a separate hack.
The U.S. Securities and Exchange Commission has launched a probe into whether Yahoo should have disclosed the breaches, which occurred in 2013 and 2014, sooner, according to a report in the Wall Street Journal last month.
On Wednesday, Yahoo sent a warning to users whose accounts may have been accessed by intruders between 2015 and 2016, as part of a data security issue related to the breach it disclosed in December. A person familiar with the matter said notifications have gone out to a mostly final list of users.
These concerns of consumers should also alarm businesses: Consumers are willing to switch to another bank, medical center or retailer if they feel their personal information is threatened, the survey found.
“Consumers can exact punishment for data breaches or mishandled data by changing buyer behavior or shifting loyalty,” said Sean Pike, an analyst at IDC, in a statement. The survey, released last week, polled 2,500 U.S. consumers about their privacy concerns across four verticals: Financial services, healthcare, retail and government.
Younger consumers, aged 18 to 35, were more concerned for their privacy than older consumers, aged 36 to 50, the survey found. The younger age group also had a 56% likelihood of switching business providers based on an impending hacker threat, compared to 53% for the older group. Meanwhile, women were more likely to switch than men, by a difference of 8 percentage points, for an impending hacker threat.
If a breach affected them directly, 78% of all consumers said they would switch to another business from the one where the breach occurred.
IDC said that with retail businesses, many consumers are not aware of the amount or kinds of information that retailers collect. Such information can include the items a shopper has bought and at what time of day, and even how long a customer lingers in a store.
The survey found that shoppers increasingly are willing to evaluate a store’s track record for protecting personal information. “It is in a retailer’s best interest to define what information they are tracking firmly and clearly, and to provide consumers methods to manage those preferences,” IDC’s report said. “Retailers who do not take consumer data protection seriously may find that they permanently lose customers to competitors that offer more transparency and manageability of their Personally Identifiable Information.”
For the healthcare sector, IDC’s survey found that increasing numbers of ransomware attacks will impact consumer confidence in a particular provider. New guidance under HIPAA (the Health Insurance Portability and Accountability Act) notes that ransomware attacks like those at Hollywood Presbyterian Medical Center and Kansas Heart Hospital are considered security incidents that could lead to a finding that federally protected health information has been breached.
The $4.8 billion deal was originally slated to close in the first quarter, but that was before Yahoo reported two massive data breaches that analysts say may scrap the entire deal.
Although Yahoo continues to work to close the acquisition, there is still work required to meet the deal’s closing conditions, the company said in an earnings statement, without elaborating.
Verizon has suggested that the data breaches, and the resulting blow to Yahoo’s reputation, might cause it to halt or renegotiate the deal.
In September, Yahoo said a “state-sponsored actor” had stolen details from at least 500 million user accounts in late 2014. As if that weren’t enough, the company reported another breach in December, this one dating back to August 2013 and involving 1 billion user accounts.
Both breaches were detected months after Verizon announced last July that it would buy the ailing internet company. Reportedly, Yahoo is facing an investigation from the U.S. Securities and Exchange Commission over whether the breaches should have been reported to investors earlier.
The breaches may have shaken confidence in Yahoo’s internet business. But the company has since taken measures, such as password resets, to secure user accounts.
Nevertheless, some user accounts are still vulnerable. On Monday, Yahoo said 90 percent of its daily active users were protected from the breach. That leaves another 10 percent potentially exposed.
Among the information stolen in the breaches were names, email addresses, telephone numbers, hashed passwords and security questions and answers meant to protect the accounts.
Yahoo said in a November 2016 quarterly filing that it was “cooperating with federal, state and foreign” agencies, including the SEC, that were seeking information and documents about a “security incident and related matters.”
The SEC is investigating whether two massive data breaches at Yahoo should have been reported sooner to investors, the Wall Street Journal reported on Sunday, citing people familiar with the matter.
Yahoo has faced pointed questions about exactly when it knew about a 2014 cyber attack it announced in September that exposed the email credentials of half a billion accounts.
In December, Yahoo said it had uncovered yet another massive cyber attack, saying data from more than 1 billion user accounts was compromised in August 2013.
The SEC issued requests for documents in December, as it probes whether the technology company’s disclosures about the cyber attacks complied with civil securities laws, the people said, according to the Journal.
Securities industry rules require companies to disclose cyber breaches to investors. Although the SEC has long-standing guidance on when publicly traded companies should report hacking incidents, companies that have experienced known breaches often omit those details in regulatory filings, according to a 2012 Reuters investigation (reut.rs/2dblx5S).
Democratic U.S. Senator Mark Warner asked the SEC in September to investigate whether Yahoo and its senior executives fulfilled obligations to inform investors and the public about the 2014 hacking attack.
The disclosures from Yahoo about both breaches came after the company agreed to sell its main business to Verizon Communications Inc in July, triggering questions about whether the deal would still be viable and, if so, at what price.
The malware has targeted Russian-speaking users so far, but its authors have also created an English version of their decryption portal, suggesting they will likely expand their attacks to other countries soon.
Spora stands out because it can encrypt files without having to contact a command-and-control (CnC) server and does so in a way that still allows every victim to have a unique decryption key.
Traditional ransomware programs generate an AES (Advanced Encryption Standard) key for every encrypted file and then encrypt these keys with an RSA public key generated by a CnC server.
The problem with reaching out to a server on the internet after installation of ransomware is that it creates a weak link for attackers. For example, if the server is known by security companies and is blocked by a firewall, the encryption process doesn’t start.
Some ransomware programs can perform so-called offline encryption, but they use the same RSA public key that’s hard-coded into the malware for all victims. The downside with this approach for attackers is that a decryptor tool given to one victim will work for all victims because they share the same private key as well.
The Spora creators have solved this problem, according to researchers from security firm Emsisoft who analyzed the program’s encryption routine.
The malware does contain a hard-coded RSA public key, but this is used to encrypt a unique AES key that is locally generated for every victim. This AES key is then used to encrypt the private key from a public-private RSA key pair that’s also locally generated and unique for every victim. Finally, the victim’s public RSA key is used to encrypt the AES keys that are used to encrypt individual files.
In other words, the Spora creators have added a second round of AES and RSA encryption to what other ransomware programs have been doing until now.
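The key hierarchy described above can be modelled end to end to see what each key in the chain actually unlocks, which is the question a responder asks when a master key is seized (as happened with Shade, later on this page) or when one victim’s key is recovered. The following is an added, constructed example, not Emsisoft’s analysis code or anything from the malware itself: it uses a toy textbook RSA with short primes and a SHA-256 counter-mode keystream as a stand-in for AES so that it runs on the standard library alone, and all function names (encrypt_victim, recover_files, recover_with_victim_key) are this example’s own.

```python
import hashlib
import os
import random

# --- Toy RSA: textbook RSA on short primes. Illustrates key wrapping only; not secure. ---
def _is_probable_prime(n, rounds=20):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keypair(bits=160):
    """Return ((e, n), (d, n)). 160-bit primes give a ~320-bit modulus: toy size."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_wrap(key_bytes, pub):
    e, n = pub
    m = int.from_bytes(key_bytes, "big")
    assert m < n, "key must be smaller than the modulus"
    return pow(m, e, n)

def rsa_unwrap(c, priv, length):
    d, n = priv
    return pow(c, d, n).to_bytes(length, "big")  # OverflowError if the key was wrong

def stream_xor(key, nonce, data):
    """SHA-256 counter-mode keystream XOR; stands in for AES in this example. Symmetric."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

# Attacker side: the public half is hard-coded in the malware; the private half never leaves the attacker.
MASTER_PUB, MASTER_PRIV = rsa_keypair()

def encrypt_victim(files, master_pub):
    """Model the per-victim chain: master RSA -> victim AES -> victim RSA private -> per-file AES."""
    victim_aes = os.urandom(16)                       # unique per victim, generated locally
    victim_pub, victim_priv = rsa_keypair()           # unique per victim, generated locally
    d, n = victim_priv
    wrapped_priv = stream_xor(victim_aes, b"privkey", d.to_bytes(48, "big"))
    wrapped_victim_aes = rsa_wrap(victim_aes, master_pub)
    encrypted = {}
    for name, data in files.items():
        file_key = os.urandom(16)                     # one AES key per file
        encrypted[name] = (rsa_wrap(file_key, victim_pub), stream_xor(file_key, name.encode(), data))
    return {"wrapped_victim_aes": wrapped_victim_aes, "wrapped_priv": wrapped_priv,
            "victim_n": n, "files": encrypted}

def recover_with_victim_key(artifacts, victim_aes):
    """What one victim's AES key unlocks. Returns None when the key does not fit these artifacts."""
    priv_bytes = stream_xor(victim_aes, b"privkey", artifacts["wrapped_priv"])
    victim_priv = (int.from_bytes(priv_bytes, "big"), artifacts["victim_n"])
    try:
        return {name: stream_xor(rsa_unwrap(wk, victim_priv, 16), name.encode(), blob)
                for name, (wk, blob) in artifacts["files"].items()}
    except OverflowError:
        return None

def recover_files(artifacts, master_priv):
    """What the master private key unlocks: every victim, because it unwraps each victim's AES key."""
    victim_aes = rsa_unwrap(artifacts["wrapped_victim_aes"], master_priv, 16)
    return recover_with_victim_key(artifacts, victim_aes)

if __name__ == "__main__":
    docs = {"notes.txt": b"quarterly figures", "photo.bin": os.urandom(100)}
    victim_a, victim_b = encrypt_victim(docs, MASTER_PUB), encrypt_victim(docs, MASTER_PUB)
    aes_a = rsa_unwrap(victim_a["wrapped_victim_aes"], MASTER_PRIV, 16)
    print("master key recovers A:", recover_files(victim_a, MASTER_PRIV) == docs)
    print("A's own key recovers A:", recover_with_victim_key(victim_a, aes_a) == docs)
    print("A's key recovers B:", recover_with_victim_key(victim_b, aes_a) == docs)
```

The two outcomes at the end are the practical point of the scheme: a decryptor built from one victim’s recovered key is useless to every other victim, while seizure of the master private key, as with the Shade servers described later on this page, recovers all of them at once.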
Lynda.com, the online learning subsidiary of LinkedIn, has reset passwords for some of its subscribers after it discovered recently that an unauthorized external party had accessed a database containing user data.
The passwords of close to 55,000 affected users were reset as a precautionary measure and they have been notified of the issue, LinkedIn said in a statement over the weekend.
The professional network is also notifying about 9.5 million Lynda.com users who “had learner data, but no protected password information,” in the breached database. “We have no evidence that any of this data has been made publicly available and we have taken additional steps to secure Lynda.com accounts,” according to the statement.
In a notice to users, Lynda.com said that the database breach could have included some of the users’ Lynda.com learning data, such as contact information and courses viewed. It added that it was warning users out of an abundance of caution.
The company said in a reply on Twitter that it was taking the issue very seriously and was working with law enforcement.
Lynda.com was acquired by LinkedIn for $1.5 billion in a cash and stock deal. The parent was in turn acquired by Microsoft this month after meeting regulatory approval from the European Union for the all-cash transaction worth US$26.2 billion.
“We believe that it is the largest Google account breach to date,” the security firm said in blog post.
The malware, called Gooligan, has been preying on devices running older versions of Android, from 4.1 to 5.1, which are still used widely, especially in Asia.
Gooligan masquerades as legitimate-looking Android apps. Checkpoint has found 86 titles, many of which are offered on third-party app stores, that contain the malicious coding.
Of the 1 million Google accounts breached, 19 percent were based in the Americas, 9 percent in Europe, while 57 percent were in Asia, according to Checkpoint.
It said a laptop used by a Hewlett Packard Enterprise Services employee working on a U.S. Navy contract was hacked. Hewlett Packard informed the Navy of the breach on Oct. 27 and the affected sailors will be notified in the coming weeks, the Navy said.
“The Navy takes this incident extremely seriously – this is a matter of trust for our sailors,” Chief of Naval Personnel Vice Admiral Robert Burke said in a statement.
Burke said the investigation of the breach was in its early stages.
“At this stage of the investigation, there is no evidence to suggest misuse of the information that was compromised,” the Navy said.
Over 412 million accounts on dating and entertainment website FriendFinder Networks have reportedly been exposed, the second time that the network has been breached in two years, according to a popular breach notification website.
The websites that have been breached include adultfriendfinder.com, described as the “world’s largest sex and swinger community,” which accounted for over 339.7 million of the 412 million accounts exposed, LeakedSource said Sunday.
Other network sites that had user accounts exposed were cams.com with 62.6 million exposed, penthouse.com with 7 million, stripshow.com with 1.4 million, icams.com with about 1 million and an unidentified website adding 35,372 users whose accounts were exposed.
The sites were hacked in October through a local file inclusion vulnerability on FriendFinder Networks that was reported at about the same time by a researcher. Soon after disclosing the vulnerability, the researcher, who used the Twitter handle 1×0123 and is also known as Revolver, stated on Twitter that the issue was resolved, and “…no customer information ever left their site,” according to CSO’s Salted Hash.
FriendFinder did not immediately comment. The network, however, confirmed to ZDNet that it identified and fixed a vulnerability that “was related to the ability to access source code through an injection vulnerability.”
LeakedSource said it found that passwords were stored either in plain text or hashed with the weak SHA-1 algorithm (with a pepper), increasing the possibility of their misuse. LeakedSource claimed it had cracked over 99 percent of all the passwords from the databases to plain text.
It also found that about 15 million users had an email in the format of: email@example.com@deleted1.com, suggesting that information on users who earlier tried to delete their accounts was still around.
The FriendFinder Networks hack, if confirmed, would outstrip that of Myspace in its impact. The exposure of an estimated 360 million accounts of Myspace users was reported earlier this year. The FriendFinder hack also has the potential of being more embarrassing for a number of users, because of the sensitive transactions on its sites.
Law enforcement authorities on Monday also “began sharing certain data that they indicated was provided by a hacker who claimed the information was Yahoo user account data,” the company said in a regulatory filing to the U.S. Securities and Exchange Commission. Yahoo said it would “analyze and investigate the hacker’s claim.” It isn’t clear if this data is from the 2014 hack or from another breach.
Forensic experts are also investigating whether an intruder, which it believes is the same “state-sponsored actor” responsible for the security incident, “created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information,” according to the filing.
“An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the Company in 2014 and thereafter regarding this access…,” the company said in the filing Wednesday.
A source familiar with the matter described the investigation as ongoing and said via email it wasn’t yet clear “who knew what/when/what they shared to whom if at all.”
The person also said that the company does not believe it is currently possible for the attackers to forge valid Yahoo Mail cookies.
Yahoo disclosed in late September that the account information was stolen in 2014 by what it described as a state-sponsored actor, though some security experts said it could have been done by a criminal hacker or group of hackers working on their own.
The disclosure of the hack followed an announcement by Verizon Communications that it planned to acquire Yahoo’s operating business for $4.8 billion, but the communications company has said it is evaluating whether the hack had a material impact. Yahoo said in the filing that there are risks that as a result of facts relating to the security incident, Verizon may seek to terminate or renegotiate the terms of its purchase.
The company is facing 23 proposed consumer class-action lawsuits following the hack both in the U.S. and abroad. The company recorded expenses of $1 million related to the hack in the quarter ended Sept. 30.
The stolen records are up for sale on TheRealDeal, a darknet marketplace that offers illegal goods. For 3 bitcoins, or $1,824, anyone can buy them.
The hacker, known as peace_of_mind, has claimed to have previously sold login credentials for LinkedIn and Tumblr users.
In a brief message, peace_of_mind said the Yahoo database came from a Russian group that breached LinkedIn and Tumblr, in addition to MySpace.
In the case of the Yahoo accounts, the database “most likely” comes from 2012, the hacker said. Copies of the stolen Yahoo database have already been bought, peace_of_mind added.
On Monday, Yahoo said it was “aware” that the stolen database was on sale, but it neither confirmed nor denied that the records were real.
“Our security team is working to determine the facts,” the company said in an email.
Back in 2012, Yahoo reported a breach, but of only 450,000 accounts. A hacking group called D33ds Company had claimed responsibility, but Yahoo said that most of the stolen passwords were invalid.
It’s unclear if that hack is connected with this sale of 200 million accounts. Other security researchers have also noticed a Russian hacker known as “the Collector” selling tens of millions of email logins from Yahoo, Gmail and Hotmail.
Peace_of_mind has posted a sample of the stolen Yahoo database, which includes user email addresses, along with passwords that have been hashed using the MD5 algorithm.
Those passwords could easily be cracked using one of the MD5 lookup tools available online. The database also contains backup email addresses, as well as the users’ birth dates.
IDG News Service tried several email addresses from the stolen records and noticed that Yahoo’s login page recognized them and then asked for a password. However, other email addresses were no longer valid.
Although Yahoo hasn’t confirmed the breach, users should still change their passwords, said Adam Levin, chairman of security firm IDT911, in an email.
In addition, users should make sure they aren’t using the same passwords across Internet accounts, he added.
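Both the FriendFinder and Yahoo dumps above store passwords as unsalted, single-pass hashes, which is why the reported crack rates are so high: every user with the same password has the same hash, and a wordlist only has to be hashed once for the whole table. The following added example, constructed for this page and not taken from either company or from LeakedSource, audits a tiny constructed MD5 table the way a defender would check their own store, then stores the same passwords with per-user salts and PBKDF2 so the same audit has to redo the work for every user. The sample table, wordlist and function names are all this example’s own.

```python
import hashlib
import hmac
import os

# Constructed sample of an unsalted MD5 table, shaped like the dump described above.
LEAKED_MD5 = {
    "alice@example.com": hashlib.md5(b"password1").hexdigest(),
    "bob@example.com":   hashlib.md5(b"password1").hexdigest(),   # same password as alice
    "carol@example.com": hashlib.md5(b"Tr0ub4dor&3!xq").hexdigest(),
}
WORDLIST = ["123456", "password", "password1", "qwerty", "letmein"]

def audit_unsalted(table, wordlist):
    """Hash the wordlist once, then match every user against it.
    Returns (recovered {user: password}, number of hash computations)."""
    precomputed = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    found = {user: precomputed[h] for user, h in table.items() if h in precomputed}
    return found, len(wordlist)

def shared_hash_groups(table):
    """Unsalted hashes also leak which users share a password: group users by identical hash."""
    groups = {}
    for user, h in table.items():
        groups.setdefault(h, []).append(user)
    return [users for users in groups.values() if len(users) > 1]

def pbkdf2_record(password, iterations=100_000):
    """Store salt, iteration count and digest together so verification is self-describing."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_record(record, password):
    algo, iterations, salt_hex, digest_hex = record.split("$")
    assert algo == "pbkdf2_sha256"
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(calc, bytes.fromhex(digest_hex))  # constant-time comparison

def audit_salted(records, wordlist):
    """With per-user salts there is nothing to precompute: every word is re-derived for every user.
    Returns (recovered {user: password}, number of PBKDF2 computations, each of `iterations` rounds)."""
    found, work = {}, 0
    for user, record in records.items():
        for word in wordlist:
            work += 1
            if verify_record(record, word):
                found[user] = word
                break
    return found, work

if __name__ == "__main__":
    found, work = audit_unsalted(LEAKED_MD5, WORDLIST)
    print("unsalted MD5:", found, "after", work, "hash computations")
    print("users sharing a password:", shared_hash_groups(LEAKED_MD5))
    salted = {u: pbkdf2_record(p, iterations=1000) for u, p in
              {"alice@example.com": "password1", "bob@example.com": "password1"}.items()}
    found, work = audit_salted(salted, WORDLIST)
    print("salted PBKDF2:", found, "after", work, "PBKDF2 computations of 1000 rounds each")
```

Salting does not save a weak password on its own (alice and bob are still found), but it removes the one-hash-fits-all lookup, hides who shares a password, and, with a real iteration count, multiplies the cost of each guess by the work factor, which is the property the hashing schemes described in these breaches lacked.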
Microsoft is mandating the hardware changes in a bid to improve Windows security, as it incorporates support for TPM 2.0 into the Windows 10 Anniversary Update, which will be rolled out from 2 August.
TPM 2.0 is an international standard led by the Trusted Computing Group. It provides a secure area, built into the hardware of the device, in which to store authentication keys. The TPM 2.0 function can be firmware-based, integrated into the silicon or a discrete module in the device.
The standard provides cryptographic features embedded in silicon and into the device, and supports new authentication modes and algorithms, including SHA-2 and SHA-256.
A number of Windows 10 features, including BitLocker, Credential Guard, Measured Boot, Device Health Attestation and Virtual Smartcard, all require TPM, and their security ought to be improved by TPM 2.0.
TPM 2.0 needs to be built in to devices as follows:
An ‘endorsement key’ certificate must be pre-provisioned to the device’s TPM when it is built, and capable of being retrieved on first boot-up.
It must ship with SHA-2 cryptographic hash functions in the platform configuration register, a memory location in the TPM.
It must support the TPM2_HMAC command.
The forthcoming Anniversary Update to Windows 10 will complete the work that Microsoft has done to support TPM 2.0 in the operating system. It will be shipped from 2 August and auto-updated to all Windows 10 devices. Prior to this, Windows 10 had supported only version 1.0 of the TPM.
Part of Microsoft’s plan is to push Windows Hello, its biometric authentication system, across all Windows 10-based devices. The system supports face, fingerprint and iris recognition, enabling users to log in with just a glance, at least in theory.
Windows Hello is being integrated into Microsoft PCs, smartphones and tablets, along with the Xbox games console and the HoloLens augmented reality headset.
Intel Security, Kaspersky Lab and Europol have teamed up to launch a new initiative designed to educate people about the threat of ransomware and offer keys that can unlock devices without having to pay the fraudsters.
The No More Ransom portal, which also has the backing of the Dutch National Police, has been put together in response to the rising threat from ransomware which had almost one million victims in Europe last year.
The portal will contain material designed to educate users about the threat of ransomware and where it comes from, but it is the access to some 160,000 keys that is most notable. These cover numerous ransomware strains, most notably the Shade trojan that emerged in 2014. This is a particularly nasty ransomware spread via websites and infected email attachments.
However, the command and control servers for Shade that stored the decryption keys were seized by law enforcement, and the keys were given to Kaspersky and Intel Security.
These have now been entered into the No More Ransom portal so that victims can access their data without paying the criminals.
Jornt van der Wiel, security researcher with Kaspersky’s global research and analysis team, explained that the portal will help people to take a stand against the rise of ransomware.
“The biggest problem with crypto-ransomware today is that when users have precious data locked down they readily pay criminals to get it back. That boosts the underground economy, and we are facing an increase in the number of new players and the number of attacks as a result,” he said.
“We can only change the situation if we coordinate our efforts to fight against ransomware. The appearance of decryption tools is just the first step on this road.”
Raj Samani, EMEA chief technology officer at Intel Security, echoed this sentiment. “This collaboration goes beyond intelligence sharing, consumer education and takedowns to actually help repair the damage inflicted on victims,” he said.
“By restoring access to their systems, we empower users by showing them they can take action and avoid rewarding criminals with a ransom payment.”