Author Archives: Hilary Tuttle

About Hilary Tuttle

Hilary Tuttle is the managing editor of the Risk Management Monitor and Risk Management magazine.
Want to scan your crypto wallet for risks? Check: AML crypto BTC, USDT, ETH. Checking cryptocurrency wallets for dirty money.

The Rise of Malvertising

Posted on by

malvertising cyber security

LAS VEGAS—One of the hottest topics in cyberthreat detection right now is the rise of malvertising, online advertising with hidden malware that is distributed through legitimate ad networks and websites. On Monday, Yahoo! acknowledged that one of these attacks had been abusing their ad network since July 28—potentially the biggest single attacks, given the site’s 6.9 billion monthly visits, security software firm Malwarebytes reported.

In the first half of this year the number of malvertisements has jumped 260% compared to the same period in 2014, according a new study released at the Black Hat USA conference here today by enterprise digital footprint security company RiskIQ. The sheer number of unique malvertisements has climbed 60% year over year.

“The major increase we have seen in the number of malvertisements over the past 48 months confirms that digital ads have become the preferred method for distributing malware,” said James Pleger, RiskIQ’s director of research. “There are a number of reasons for this development, including the fact that malvertisements are difficult to detect and take down since they are delivered through ad networks and are not resident on websites. They also allow attackers to exploit the powerful profiling capabilities of these networks to precisely target specific populations of users.”

How does malvertising work—and why is it taking off right now? “The rise of programmatic advertising, which relies on software instead of humans to purchase digital ads, has generated unprecedented growth and introduced sophisticated targeting into digital ad networks,” the company explained. “This machine-to-machine ecosystem has also created opportunities for cyber criminals to exploit display advertising to distribute malware. For example, malicious code can be hidden within an ad, executables can be embedded on a webpage, or bundled within software downloads.”

The study also noted that, in 2014, there was significantly more exploit kit activity (which silently installs malware without end user intervention) than fake software updates that require user consent. In 2015, however, fake software updates have surpassed exploit kits as the most common technique for installing malware. Fake Flash updates have replaced fake antivirus and fake Java updates as the most common method used to lure victims into installing various forms of malware including ransomware, spyware and adware.

buy zyprexa online familyvoicesal.org/resources/images/jpg/zyprexa.html no prescription pharmacy

Last week, enterprise security firm Bromium also released a new study focused on the rising threat of malvertising, finding that these Flash exploits have increased 60% in the past six months and the growth of ransomware families has doubled every year since 2013.

“For the last couple of years, Internet Explorer was the source of the most exploits, but before that it was Java, and now it is Flash; what we are witnessing is that security risk is a constant, but it is only the name that changes,” said Rahul Kashyup, senior vice president and chief security architect at Bromium. “Hackers continue to innovate new exploits, new evasion techniques and even new forms of malware—recently ransomware—preying on the most popular websites and commonly used software.”

One of the riskiest aspects of these exploits is that users do not have to be accessing sites that seem remotely suspect to be exposed. According to Bromium’s research, more than 58% of malvertisments were delivered through news websites (32%) and entertainment websites (26%). Notable websites unknowingly hosting malvertising included cbsnews.com, nbcsports.com, weather.com, boston.com and viralnova.com, the firm reported.

With that in mind, IT and cybersecurity teams have to adapt to meet these new threats, which are evolving far faster than detection tools, including antivirus, behavioral analysis, network intrusion detection, and the basic safe browsing guidelines issued to employees regarding their use of work devices.

“The key takeaway from this report is that, at large, the Internet is increasingly becoming ‘untrustworthy.’ Attackers are now using popular websites to launch malware via online ads, which makes things difficult for IT security teams,” explained Rahul Kashyup, SVP and chief security architect at Bromium. “This risk should be well understood and factored in for any organization while building a ‘defense-in-depth’ security stack. Regular patching and updates definitely help to limit the exposure to potential attacks, but that might not be feasible for large organizations.

buy prevacid online familyvoicesal.org/resources/images/jpg/prevacid.html no prescription pharmacy

It is advisable to evaluate non-signature based technologies that can thwart such attacks in a reliable way and prevent infections on end-user devices.

buy singulair online familyvoicesal.org/resources/images/jpg/singulair.html no prescription pharmacy

According to Bromium, the websites that most frequently serve as malvertising attack sources are:

malvertising attack sources

Potholes Cost NYC $27.6 Million in Settlements Per Year

Posted on by

potholes infrastructure municipal risk

Earlier this month, the transportation research group TRIP found that more than 80% of the major roads and highways in the New York City and Newark metropolitan areas were in poor or mediocre condition—the country’s seventh worst ranking among cities with more than 500,000 residents. According to the report “Pothole City: A Data-Driven Look at NYC Roadways,” released yesterday by New York City Comptroller Scott M. Stringer, this crumbling infrastructure has cost the city’s taxpayers over $138 million in the past six years—an average of $27.6 million per year.

The city’s failure to prioritize and effectively manage repairs of potholes on city roads has resulted in 12,268 property damage defective roadway claims and 5,913 personal injury defective roadway claims between fiscal years 2010 and 2015. Of the claims filed, 1,549 property damage claims were settled at a cost of nearly $1.5 million, while 2,681 personal injury claims were settled to the tune of $136.3 million.

The city’s potholes, Stringer said, are a “persistent and pervasive” problem that “deflate tires, break axles and twist ankles, often at a significant financial cost to the city.” His findings are part of an initiative introduced last year called ClaimStat Alert, which aims to identify patterns in claims made against the city in an attempt to reduce the amount paid in settlements, the New York Times reported.

In February 2014, Mayor Bill de Blasio and Department of Transportation Commissioner Polly Trottenberg announced a series of steps to try to improve pothole maintenance, including weekly “pothole blitzes,” citywide targeted repaving, an asphalt engineering technology challenge, and an emphasis on impact prevention. Yet the difficult winter proved quite a challenge.  The average time to close a pothole work order in the first four months of FY 2015 was 6.7 days—nearly triple the 2.4 days during the same period in FY 2014, according to the report. The city stated that, while repair times were “atypically high” through the first quarter of FY 2015, they were “returning to normal levels by October 2014.” Stringer’s report did note, however, “to its credit, the DOT filled over 74,000 potholes (arterials and local streets) in the first four months of FY 2015, a 60% increase over the same period in FY 2014.”

The severe winters felt by the whole Northeast have correlated closely with the number of pothole claims—a predictor many cities may need to weigh more heavily when making weather preparations and budgets.

Snowfall and pothole claims

But patching does not present the best long-term investment of city funds, Stringer said. While the city has initiatives to make patching more efficient, the report said “a more cost-effective, long-term solution may be a complete reconstruction of certain city streets.”

Other financial drains due to road conditions include improperly restored streets and intersections following utility work, milled roadways and hummocks. The comptroller’s office recommended several municipal risk management tactics to tackle these potential claims generators, including:

  • Re-evaluating DOT protocols to ensure that restoration work conducted after street work is properly done. While private companies and utility providers such as Consolidated Edison and Verizon are required by the New York City Administrative Code 18 to maintain the area 12 inches around manholes, vaults and plates flush with the road surface, restoration work following construction sometimes does not match that standard. In addition, the NYPD should also perform spot checks to make sure that contractors performing street work in their precincts have proper permits.
  • Roadways are generally paved in a two-step process. A layer of the old roadway is scrapped off (milling), followed by the introduction of a layer of new asphalt. When the street is milled, it presents a hazard to pedestrians and vehicles using the roadway, and yet there is often a delay in repaving roadway. DOT should examine the extent of these delays and modify its procedures to insure that milled roadways are repaved as soon as possible.
  • Hummocks are variations in road conditions where asphalt is pushed up in a wave-like shape. In many cases, parked buses cause this condition on account of their weight and design. Given the trip hazard posed by hummocks, DOT should work with the MTA and private bus companies to explore the feasibility of using different pavement that is less likely to result in hummock conditions where buses commonly park.

For more about the public risk management challenges of roadways and bridges, check out Caroline McDonald’s article “A Bridge Too Far: Repairing America’s Aging Infrastructure,” from Risk Management magazine.

Morpho Hacker Group Targets Intellectual Property

Posted on by

With the highly-publicized rise in cyberbreaches, we have seen hackers break into systems for a variety of reasons: criminal enterprises simply stealing money, thieves gathering Social Security or credit card numbers to sell on the black market, state-sponsored groups taking confidential information, and malicious actors taking passwords or personal data to use to hit more valuable targets. Now, another group of financially-motivated hackers has emerged with a different agenda that may have even riskier implications for businesses.

According to a new report from computer security company Symantec, a group it calls Morpho has attacked multiple multibillion-dollar companies across an array of industries in pursuit of one thing: intellectual property. While it is not entirely clear what they do with this information, they may aim to sell it to competitors or nation states, the firm reports. “The group may be operating as ‘hackers for hire,’ targeting corporations on request,” Symantec reported. “Alternatively, it may select its own targets and either sell stolen information to the highest bidder or use it for insider trading purposes.”

Victimized businesses have spanned the Internet, software, pharmaceutical, legal and commodities fields, and the researchers believe the Morpho group is the same one that breached Facebook, Twitter, Apple and Microsoft in 2013.

Symantec does not believe the group is affiliated with or acting on behalf of any particular country as they have attacked businesses without regard for the nationality of its targets. But, as the New York Times reported, ” the researchers said there were clues that the hackers might be English speakers — their malicious code is written in fluent English — and they named their encryption keys after memes in American pop culture and gaming. Researchers also said the attackers worked during United States working hours, though they conceded that might just be because that is when their targets are most active.”

The researchers have tied Morpho to attacks against 49 different organizations in more than 20 countries, deploying custom hacking tools that are able to break into both Windows and Apple computers, suggesting it has plenty of resources and expertise. The group has been active since at least March 2012, the report said, and their attacks have not only continued to the present day, but have increased in number. “Over time, a picture has emerged of a cybercrime gang systematically targeting large corporations in order to steal confidential data,” Symantec said.

Morpho hacking victims by industry

Morpho hackers have also been exceptionally careful, from preliminary reconnaissance to cleaning up evidence.

In some cases, to help best determine the valuable trade secrets they would steal, the group intercepted company emails as well as business databases containing legal and policy documents, financial records, product descriptions and training documents. In one case, they were able to compromise a physical security system that monitors employee and visitor movements in corporate buildings. After getting the data they wanted, they scrubbed their tracks, even making sure the servers they used to orchestrate the attacks were rented using the anonymous digital currency Bitcoin.

In short, the hackers are really good, according to Vikram Thakur, a senior manager of the attack investigations team at Symantec. “Who they are? We don’t know. They are virtually impossible to track,” he said.

Is the Insurance Industry Improving for Women?

Posted on by

women in financial services

More than 70% of women in insurance believe the industry is making progress toward gender equality and, for the second year in a row, over two-thirds think their company is working to promote gender diversity, according to a new survey from the Insurance Industry Charitable Foundation.

After the IICF Women in Insurance Global Conference, which brought together 650 insurance professionals, senior executive speakers, and CEOs to discuss how the industry can increase gender diversity in the workplace, the foundation polled attendees on the current reality of gender diversity and its evolution across the insurance industry.

Almost half of attendees agree that their company is working to promote gender diversity with another 19% strongly agreeing, but 24.5% disagreed, and 7.1% disagreed strongly. Biases in advancement (51%) and lack of opportunities for professional advancement (24.6%) remain the biggest barriers for women seeking leadership positions in their companies, respondents said. The industry may be making some progress on those issues, however, as the percentage of women who named “biases in advancement” and “lack of opportunities for professional advancement” as the chief barriers fell to 68% from 76% last year.

“As evidenced by the tremendous turnout of the 2015 Women in Insurance Global Conference and the engaging discussions it created, companies are clearly recognizing the need for a more gender inclusive workplace,” said Betsy Myatt, executive director of IICF’s Northeast Division.

buy anafranil online azimsolutions.com/wp-content/uploads/2023/10/jpg/anafranil.html no prescription pharmacy

But the findings make clear that insurance still lags far behind other sectors of the financial services industry in terms of support for women. Those surveyed – who were all there because they work in the insurance industry – said that insurance was the least supportive of advancing women to senior leadership, compared to accounting (47.8%), banking (26.1%) and investment services (14.1%).

“While there is still progress to be made toward achieving gender equality, the vast majority of survey respondents who have found a positive shift in corporate culture is certainly telling of the strides the insurance industry has made thus far,” said Bill Ross, CEO of IICF.

Some of the survey’s key insights include:

Which of the following is the greatest challenge women face in is ascending to positions of leadership within the insurance industry?

  1. Inflexible workplace standards: 7.
    buy zocor online azimsolutions.com/wp-content/uploads/2023/10/jpg/zocor.html no prescription pharmacy

    4%

  2. Women don’t promote themselves enough or effectively: 30.1%
  3. Limited opportunities mobility up the corporate ladder: 39.4%
  4. Lack of C-suite sponsorship: 23.0%

Which of the following financial services sectors is the most supportive of the advancement of women to senior leadership.

  1. Banking: 26.1%
  2. Insurance: 12.0%
  3. Accounting: 47.8%
  4. Investment Services: 14.1%

Which of the following is the biggest barrier to entry (perceived or actual) for women seeking leadership positions in their company.

  1. Lack of opportunities for professional advancement: 24.6%
  2. Lack of desire from company leadership to appoint women to senior leadership roles: 17.0%
  3. Biases in advancement: 51.1%
  4. Desire to start a family: 14.1%

In what way do you believe gender equality has been most improved across the insurance industry?

  1. The establishment of mentorship programs: 14.
    buy diflucan online azimsolutions.com/wp-content/uploads/2023/10/jpg/diflucan.html no prescription pharmacy

    2%

  2. Sponsoring executive networking opportunities: 24.0%
  3. More active recruitment of a gender-diverse workforce: 26.2%
  4. Shift in corporate culture: 35.6%