Monthly Archives: January 2016

Charles Leaver – By Using Continuous Monitoring Experian Will Be Able To Learn From Past Mistakes

Written By Josh Applebaum And Presented By Charles Leaver Ziften CEO

Experian Needs To Learn From Past Mistakes And Implement Continuous Monitoring

Working in the security industry, I have always found my job hard to explain to the average person. Over the last couple of years that has changed. Unfortunately, we now see a new data breach announced every couple of weeks, with many more kept private. These breaches get front-page attention, and I can now explain to my friends what I do without losing them after a couple of sentences. Still, I wonder what we are learning from all of this. As it turns out, many companies are not learning from their own mistakes.

Experian, the global credit reporting company, is one with a lot to learn. A number of months ago Experian revealed that its servers had been breached and that consumer data had been stolen. In announcing the breach, Experian assured customers that “our consumer credit database was not accessed in this breach, and no credit card or banking information was obtained.” Having taken the time to reassure customers that their financial information was safe, Experian went on to list what actually was stolen: names, addresses, Social Security numbers, birth dates, driver’s license numbers, military ID numbers, passport numbers, and additional information used in T-Mobile’s own credit assessment. This is frightening for two reasons: the first is the kind of data that was stolen; the second is that this is not the first time it has happened to Experian.

Although the attackers did not walk away with “payment card or banking information,” they did walk away with personal data that can be used to open new credit card, banking, and other financial accounts. That alone is reason for the affected T-Mobile customers to be concerned. But all Experian customers should be a little nervous.

As it turns out, this is not the first time Experian’s servers have been compromised. In early 2014, T-Mobile announced that a “relatively small” number of its customers had their personal details stolen when Experian’s servers were breached. Brian Krebs has a well-written post on how the attackers got into Experian’s servers the first time, so we will not go into too much detail here. In that first breach, the attackers exploited a vulnerability in the company’s support ticket system, which was left exposed without requiring a user to authenticate before using it. Now to the frightening part: although it became widely known that the attackers had used a vulnerability in the support ticket system to gain access, it was not until shortly after the second breach that the support ticket system was taken down.

It is hard to believe it was a coincidence that Experian chose to take down its support ticket system mere weeks after announcing it had been breached again. If it was not a coincidence, then let’s ask: what did Experian learn from the first breach, in which attackers got away with sensitive customer data? Businesses that store their customers’ sensitive information should be held responsible not only for protecting that data, but also for ensuring that, if breached, they close the holes uncovered while investigating the attack.

When companies investigate a breach (or a possible breach), it is essential that they have access to historical data so investigators can piece together how the attack unfolded. At Ziften, we provide a solution that gives our customers a continuous, real-time view of everything that happens in their environment. In addition to real-time visibility for spotting attacks as they happen, our continuous monitoring solution records all historical data so customers can “rewind the tape” and reconstruct what happened in their environment, however far back they need to look. With this visibility it is possible not only to learn that a breach took place, but to learn why it took place, and ideally to learn from past mistakes so they are not repeated.


Charles Leaver – Poor Security Most Likely Factor In UCLA Health Data Breach

Written By Craig Hand And Presented By Ziften CEO Charles Leaver

UCLA Health Data Breach Likely Due To Inferior Security

UCLA Health announced on July 17th, 2015 that it was the victim of a data breach affecting as many as 4.5 million patients of the four hospitals it operates in Southern California. According to UCLA Health officials, Personally Identifiable Information (PII) and Protected Health Information (PHI) was accessed, but no evidence so far suggests that the data was taken. The data went back as far as 1990. Officials also stated that there was no evidence, at this time, that any credit card or financial data was accessed.

“At this time” is the key phrase. The information accessed (or possibly stolen; it is genuinely hard to know at this point) is useful for practically the whole life of the individual and possibly still useful after that individual’s death. The details available to the perpetrators included names, addresses, phone numbers, Social Security numbers, medical conditions, medications prescribed, medical procedures performed, and test results.

Little is known about this breach, like so many others we hear about but never get real details on. UCLA Health noticed unusual activity in parts of its network in October 2014 (although access may have begun a month earlier) and immediately contacted the FBI. By May 2015, a full seven months later, investigators determined that a data breach had in fact taken place. Again, officials claim the attackers were probably highly sophisticated and located outside the country. Finally, we the public got to hear about the breach a full two months after that, on July 17, 2015.

It has been said many times that we as security professionals need to be right 100% of the time, while the attackers only need to find the one gap we failed to close. Based on our research into the breach, the bottom line is that UCLA Health had poor security practices. One indicator is the simple fact that the data accessed was not encrypted. We have had HIPAA for some time now, and UCLA is a well-regarded bastion of higher education, yet it still failed to protect data in the most basic way. The claim that the attackers were highly sophisticated is also suspect, as no real evidence has been disclosed so far. After all, when was the last time a breached company claimed the attack was not “advanced”? Even if they have such evidence, we as members of the public will not get to see it and vet it properly.

Because not enough has been disclosed about the breach, it is hard to say whether any product would have helped detect it sooner. However, if the breach began with malware delivered to and executed by a UCLA Health network user, there is a good chance Ziften could have helped detect the malware and potentially stop it. Ziften could also have alerted on suspicious, unknown, or known malware, and on any communications the malware made in order to spread internally or exfiltrate data to an external host.

When are we going to learn? As we all know, it is not a matter of if, but when, organizations will be attacked. Smart organizations are preparing for the inevitable with detection and response solutions that limit the damage.


Charles Leaver – Adult Friend Finder Breach Preventable With Better Endpoint Security

Written By Chuck McAuley And Presented By Charles Leaver Ziften CEO

Endpoint Security Is The Best Friend For Adult Friend Finder

Adult Friend Finder, an online “dating service,” and its affiliates were hacked in April. The breached information included credit card numbers, usernames, passwords, birth dates, address details and personal – you know – preferences. What often goes unmentioned in these cases is the monetary value of such a breach. Many would argue that an email address and its associated data are of little value. But just as metadata collection gives the NSA insight, this kind of information gives attackers plenty of leverage against the public. Spear phishing becomes much easier when attackers have not only an email address, but also location, language, and race. The source IP addresses collected can further narrow down where a target lives, which sharpens the targeting of follow-on attacks.

The attack method used in this instance has not been published, but it is reasonable to assume it involved some form of SQL injection or similar, where data is pulled out of the back-end database through a flaw in the web application. Another possible method is hijacking SSH keys from a compromised admin account or GitHub, but those tend to be secondary most of the time. Either way, the database dump itself is 570 MB, and assuming the data was exfiltrated in a few large transactions, it would have been very obvious at the network level. That is, if Adult Friend Finder had been using a product that provided visibility into network traffic.
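As an added illustration (not from the original post, and not Adult Friend Finder’s code), here is the kind of flaw the paragraph presumes: a profile lookup that splices user input into SQL, beside the parameterized version that closes the hole. The schema, rows and payload are constructed for the example; the point is that a single injected request can pull an unrelated table out through the web tier.

```python
import sqlite3

# Constructed sample database for the example; the table layout is an assumption.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE profiles (username TEXT, email TEXT)")
    con.executemany("INSERT INTO profiles VALUES (?, ?)", [
        ("alice", "alice@example.com"),
        ("bob", "bob@example.com"),
    ])
    con.execute("CREATE TABLE payment_cards (username TEXT, card_number TEXT)")
    con.executemany("INSERT INTO payment_cards VALUES (?, ?)", [
        ("alice", "4111111111111111"),
        ("bob", "5555555555554444"),
    ])
    return con

def lookup_vulnerable(con, username):
    """Profile lookup with the request parameter spliced into the SQL text.
    A quote in `username` ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT username, email FROM profiles WHERE username = '{username}'"
    return con.execute(sql).fetchall()

def lookup_safe(con, username):
    """Same query with a bound parameter: the input is always a string value,
    never SQL, so the injected text simply matches no row."""
    sql = "SELECT username, email FROM profiles WHERE username = ?"
    return con.execute(sql, (username,)).fetchall()

# UNION-based payload: closes the literal, appends a second SELECT over a table
# the endpoint was never meant to expose, and comments out the trailing quote.
PAYLOAD = "x' UNION SELECT username, card_number FROM payment_cards --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # leaks payment_cards rows
    print("safe:      ", lookup_safe(db, PAYLOAD))        # []
```

With the bound parameter the same payload returns nothing. Note what the vulnerable path looks like from the outside: the web tier suddenly reads, and returns, a table it never normally touches, which is exactly the kind of database-level anomaly visibility is supposed to catch.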

Ziften ZFlow™ extends network visibility into the cloud to catch anomalous data transfers and attribute them to the specific executing processes. In this case the administrator would have had two chances to spot the problem: 1) at the database level, as the data was extracted; 2) at the web server level, where an abnormal amount of traffic was sent to a single address. Organizations like Adult Friend Finder should gain the endpoint and network visibility required to protect their customers’ personal data and “hook up” with a company like Ziften.
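To make those two detection chances concrete, here is an added example, not Ziften code and not ZFlow output: a detector over per-process endpoint flow records that sums outbound bytes per process and destination within an hourly window and compares the total against that process’s baseline. The record schema, the baseline figures, host names and flow lines are all constructed for the example; a real deployment would derive the baseline from the telemetry it has already recorded.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Flow:
    """One outbound flow summary as an endpoint agent might record it (assumed schema)."""
    ts: int          # epoch seconds
    host: str
    process: str     # process that owned the socket
    dst_ip: str
    dst_port: int
    bytes_out: int

# Constructed baseline: hourly outbound bytes per process over six quiet hours.
BASELINE = {
    "httpd":  [2_000_000, 2_400_000, 1_900_000, 2_100_000, 2_300_000, 2_200_000],
    "mysqld": [500_000, 450_000, 520_000, 480_000, 510_000, 495_000],
    "sshd":   [20_000, 15_000, 18_000, 22_000, 19_000, 17_000],
}

def bucket(flows, window_s=3600):
    """Sum bytes_out per (window, host, process, dst_ip)."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.ts // window_s, f.host, f.process, f.dst_ip)] += f.bytes_out
    return totals

def detect(flows, baseline=BASELINE, window_s=3600, z_limit=4.0, hard_limit=50_000_000):
    """Return alerts for any process/destination pair whose hourly outbound volume is
    far above that process's baseline, above a hard byte limit, or comes from a process
    with no baseline at all (an unknown binary talking out is itself worth a look).
    Comparing one destination's total against the all-destination baseline is
    conservative: it can only make a real anomaly look larger."""
    alerts = []
    for (win, host, proc, dst), total in sorted(bucket(flows, window_s).items()):
        hist = baseline.get(proc)
        if hist is None:
            reason = "no baseline for process"
        else:
            mu, sigma = mean(hist), pstdev(hist) or 1.0
            z = (total - mu) / sigma
            if z > z_limit:
                reason = f"z={z:.0f} above hourly baseline"
            elif total >= hard_limit:
                reason = "above hard limit"
            else:
                continue
        alerts.append({"window": win, "host": host, "process": proc,
                       "dst_ip": dst, "bytes_out": total, "reason": reason})
    return alerts

# Constructed flow records. The first four are a normal hour; the last three model an
# injection-driven dump: the database hands a whole table to the web tier, the web
# server ships it to one outside address, and an unexpected binary phones home.
SAMPLE_FLOWS = [
    Flow(100,  "web01", "httpd",  "198.51.100.10", 443,   700_000),
    Flow(900,  "web01", "httpd",  "198.51.100.11", 443,   650_000),
    Flow(1800, "web01", "httpd",  "198.51.100.12", 443,   720_000),
    Flow(1200, "db01",  "mysqld", "10.0.0.5",      51234, 480_000),
    Flow(4000, "db01",  "mysqld", "10.0.0.5",      51240, 570_000_000),
    Flow(4200, "web01", "httpd",  "203.0.113.7",   443,   570_000_000),
    Flow(4300, "db01",  "nc",     "203.0.113.7",   4444,  1_000_000),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_FLOWS):
        print(a)
```

The two chances described above show up as two separate alerts: the database process sending a table-sized volume to the web host, and the web server process sending the same volume to a single external address. Attributing each flow to its owning process is what lets the second alert distinguish a dump leaving through httpd from ordinary client traffic of the same size spread across many addresses.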


Charles Leaver – Biometric Data Compromised By OPM Breach: The Personal Impact

Written By Mike Hamilton And Presented By Ziften CEO Charles Leaver

Greater Security of Personal and Biometric Data Required Following OPM Breach

Recently I had to go through a fairly extensive background check process. It was one of those situations where you sign into the portal, provide your Social Security number and a wealth of sensitive information about yourself and your family, and trust the federal government (and its contractors) to take care of that personal data.

When I got home the other night and sat down to start writing this blog post, I looked at the stack of mail on my desk and saw one of those envelopes with the perforated edges that usually contain sensitive information.

Naturally, you have to open those envelopes. Unfortunately, at that moment all my worst fears came to life.

What I found was my very own letter explaining that essentially every sensitive piece of information one might want to know about me – along with similar information on twenty-one million other Americans – was accessed during the OPM breach.

Oh, and by the way, there is the small matter that my biometric identity was also compromised.

At this point, although the “federal experts” think it is not a major issue, my iPhone disagrees with them. Bruce Schneier wrote an excellent piece on this, so I will not belabor the points he makes. But ultimately we all need to ask some difficult questions:

When is this going to cease?

Who is accountable for stopping it?

Who is going to actually stop it?

Who is going to be held accountable when breaches occur?

These kinds of breaches are why we at Ziften are so passionate about building our next-generation security tools. While we as a security community may never entirely stop or prevent these kinds of breaches, perhaps we can make them a lot harder and more time-consuming. When you think about it, until the community says “this has to stop,” this is going to keep happening every day.

Charles Leaver – Ziften Endpoint Security Could Have Saved Ashley Madison From Breach Embarrassment

Written By Michael Vaughn And Presented By Charles Leaver Ziften CEO

Life Is Too Short Not To Implement Endpoint Security

Ashley Madison’s tagline is “Life is short. Have an affair.” It seems security falls very short at the company, however, as millions of customer records were published for the whole world to see in a recent cyber attack. Publicly, there are only theories as to who exactly infiltrated the notorious operation. It might have been an inside job. Other parties, such as the hacking group Impact Team, have claimed credit for the attack on the red-lettered company. What is certain is the publicly posted list of 32 million user identities. On top of that, CEO Noel Biderman has lost his position, and the company is facing a mountain of lawsuits.

It has come out that bots were interacting with users, and that only a small fraction of the accounts belonged to women. Farcically, the website still states that it won a “Trusted Security Award” and offers complete discretion to its users. Its homepage claim of “Over 42,705,000 confidential members!” is as disgraceful as the service it provides. The stolen list of users is so easily accessible that third parties have already built interactive websites listing the names and addresses of the exposed cheaters. Per Ashley Madison’s media page, they “right away launched an extensive investigation utilizing the top forensics specialists and other security specialists to identify the source, methodology, and impact of this incident.” If Ashley Madison had been more proactive in its approach to endpoint security, it could potentially have been alerted to the attack and stopped it before data could be stolen.

Advanced endpoint security and forensic applications, such as those provided by Ziften, could potentially have spared this company the embarrassment it has had to deal with. Not only could Ziften have alerted security officers to the suspicious network events in the middle of the night of an attack, it could have prevented a range of actions on the database from being carried out, all while letting the security team sleep a little easier. Life is too short to let security issues keep you awake at night.