The government of India has a contentious relationship with cryptocurrency. Currently, the country’s Supreme Court is working to come up with a verdict in the ongoing dispute between exchanges and the Reserve Bank of India (RBI), which had ordered that all banks and financial institutions have no dealings with crypto exchanges or traders. Yet the government is an active, albeit unknowing, participant in cryptocurrency mining, although such a situation has only recently come to light.

Government Websites Hacked

Shakil Ahmed, Anish Sarma, and Indrajeet Bhuyan are three security researchers who have combed through government websites. They found that hundreds of government websites in India have been compromised with cryptojacking malware and are being used for crypto mining.

The researches started with AP government websites due to the fact that they receive 1.6 million visitors a month. Security researcher Indrajeet Bhuyan notes:

Hackers target government websites for mining cryptocurrency because those websites get high traffic and mostly people trust them. Earlier, we saw a lot of government websites getting defaced (hacked). Now, injecting cryptojackers is more fashionable as the hacker can make money.

The security researchers notified one chief minister about their findings. Yet they found that the sites were still running the malware a week later.

Cryptojacking in India

The team of researchers found that the cryptojacking malware affected more than government websites. More than 119 public websites have also been found to be compromised. A popular choice for the malware is Coinhive, which is normally used to mine Monero.

In fact, cryptojacking is becoming so prevalent that India comes in at number two in countries with internet-connected devices being hijacked for illicit crypto mining. The country, with its ‘s 13,500 infected home routers, only lags behind Brazil for the dubious distinction.

Rajesh Maurya, regional vice-president of Fortinet, says:

Crypto mining activity is becoming a very big business in India. This technology is most effective on illegal video-streaming websites where people stay for hours watching movies or TV series.

Fortinet recently released a report that found cryptojacking to be an expanding enterprise. They found that 13 percent of all organizations in the fourth quarter of 2013 were infected by cryptojacking malware. The percentage jumped up to 28 percent of companies in the first quarter of 2018.

One would expect that crypto mining malware is here to stay. While Google and other app stores have banned apps that feature any kind of cryptocurrency mining, cryptojacking will likely continue to rise. Hackers can easily slip the script onto websites and begin generating revenue that is instantly transferred anywhere in the world. Such ease of use, profits, and lack of any real consequences will ensure that such hacking will not stop, or even slow down, any time soon.

Source: https://www.livebitcoinnews.com/government-websites-in-india-hacked-for-crypto-mining/
Author: Jeffrey Francis

The post Government Website in India Hacked by Crypto Mining appeared first on Identity Insider.

It takes a little thinking, but upon doing so one comes to see that the field of IAM (a subset of the field of Cybersecurity) is not your typical industry. While there are sales and profits to be made, enterprises that endeavor to be providers in this space must realize that they are providing a morally-essential service. From businesses to other businesses, to customers, and to the public, the fundamental purpose of IAM is to protect against crime. We are not selling Rolexes and Rolls Royces here – we are guardians of the people and their right to privacy and security. As such, IdentityInsider has assessed the industry’s landscape and found it very wanting.

Let’s start with establishing an informal code of ethics for this industry.

We are fighting crime here. Our opponents are criminals. As such, the industry must strive to be constantly responsive to developments in the world of hacking. It must strive to pool its resources to improve the solutions that can serve and protect.

Even the ‘best’ in the industry fail dismally at this. Reports from some lesser known IAM organizations have shown us that the ‘free flow of information’ that would create an environment of healthy competition (an ethical concept in any industry – data and identity security apart) and improve solutions for consumers, is non-existent. It seems that organizations such as Okta and Centrify have configured their websites to not provide data such as Whitepapers to their competitors. Attempting to download (or even purchase their solutions) using a company email address from a competitor results in a vague system error.

Come on! We are not even talking about protecting confidential company information here! The same white sheet is available freely if you sign up with an email address that does not belong to one of these companies. Okta and Centrify (and others) know that they cannot (and should not) stop others from reading this information but have chosen to not be upfront about their refusal to participate ethically in the industry. Instead, they make competitors falsify information to get the data. It is apparent that they do not truly care about fighting cyber-crime at all costs. Instead, a derived sense of superiority and a hostile attitude seem to be their philosophies.

Overcharging the Innocent

Another awful trend is the sinful pricing of most IAM solutions. We have interviewed the industry and found that healthy profits can be made by charging microfractions of the prices prevalent in the industry. This is especially true with the advent of IAM in the Public Cloud. It is all intellectual property and selling solutions without implementation costs next to nothing (once the initial R&D costs are covered.) IdentityInsider is not saying that these companies should turn into charity organizations, but there is tremendous scope for being better citizens and having self-respect.

R&D and Offerings that Do Not Reflect Needs

Here’s another sad truth that we discovered. It seems that organizations frequently pay millions for IAM solutions that never get fully implemented. An organization may buy a solution for millions of dollars, see a 1 or 2 year implementation time, and find that only 5 applications have been integrated at the end of this period. Upon probing, we found that this occurs because vendors are selling solutions to companies that have not been built for them. They are instead engineering products that can be sold to as many customers as possible. These products are bloated in features (typically fitting the use cases only of large enterprises with big wallets) and therefore in their cost. They are also not designed for specific use cases (or in general, for smaller companies), and many (often fatal) obstacles are found in the implementation process when they try to fit a square peg into a round hole.

The (Sad) State of the IAM Landscape

A good standard to judge a vendor – particularly in an industry such as IAM that must have a strong ethical foundation– is whether they cater to the existing needs of organizations by securing them as they are, or simply try to sell generic products (sometimes seemingly cutting-edge). Unfortunately, the IAM industry is full of vendors looking for just another business opportunity. They create solutions that are responses to the trending IT landscape (eg. Public Cloud), without a care for the actual situation of potential customers. They tell you that cloud is the future (so what if it is?), and that you must migrate to it to avail their solutions.

The Lowest Common Denominator Must be Served

The biggest example of this behavior is the complete lack of Single Sign-On and Provisioning support in the industry for thick-client apps. All kinds of organizations still rely heavily on thick-client apps such as ERPs (SAP etc.) and other device specific apps (like in manufacturing). It is both too expensive, and sometimes a poor idea in terms of security to migrate. It is often safer to have a local, on-premise server and app installation than to have it on a Public Cloud. The industry has chosen to completely ignore this blatant need, claiming that ‘the cloud is the future’ and because that’s where they feel the real money is.

Wake Up IAM – You are Servants

Organizations are currently getting the short end of the stick from the IAM industry. The sharks that have taken over the vendor landscape only really seem to care about bottom lines and not about providing proper security, ease of access, and integrating admin security functions to protect people the best they can from cyber-threats.

Here at IdentityInsider we are 100% committed to this vision, urge vendors to do the same, and hope we can make the world at large more aware about the state of this industry so that they can choose their vendors with wisdom. A company that does not care about proper security does not care about you. If they do not care about you, they cannot protect you.

The post Shady Ethics in the IAM Industry appeared first on Identity Insider.

Recent trends in this area reflect the mainstreaming of IAM into the business. My colleagues and I have seen this manifested in five important ways, and we expect these trends to continue in the coming year. Each of these areas represents an opportunity for chief information security officers (CISOs) to take advantage of recent trends.

1. Chief Marketing Officers and Chief Operating Officers Are Asking for IAM Data

What do Google, Facebook, Twitter and other companies value most? What have they gotten very good a collecting? The answer is information about their user base. They know who we are, when we’re active and all about our browsing habits. They use this to create targeted advertising and have monetized it.

Not all companies are interested in monetizing user behaviors for advertising, but most companies can benefit from better understanding their users. While an IAM solution can’t provide all of this, it can provide the most elemental data point: who the user is — their identity.

We have recently seen CMOs and COOs asking chief information officers (CIOs) for information about users. Basic demographic information is available in a user directory, and that is a good start, but they want more. They want session and website access information. Being able to understand who a user is (first and last name, email, phone number) and track their behaviors from their login across their full user session, requires data from the user directory and the web access management solution. They want to compile these, together with user behavior analytics systems, to understand specific usage patterns.

For example, for an auto parts retailer, data could reveal that approximately 50 auto repair shops in the Greater Denver area are frequently abandoning their cart after viewing brake fluid on their site. This trend could be driven by a competitor offering a lower price or more options. Without this level of analysis, and without knowing who the users are and where they are located, this type of conclusion isn’t possible.

Opportunity for Security

This appears to be a net-new demand that hasn’t reached critical mass. It presents an opportunity to CISOs, because the CMO and COO may have funding available for IAM initiatives and could influence the board or others executives to make IAM a priority. This unlikely partnership also offers CISOs the opportunity to evangelize the other benefits of IAM, namely increased security and operational efficiency.

2. Insider Threats Can Be Identified and Stopped

Big data is here, and it’s starting to be leveraged by IAM teams. By compiling access logs and events from servers, networking devices, middleware, IDS/IPS, vulnerability management solutions, and applications, it’s possible to correlate these activities and identify trends. These can represent terabytes of data. Enter the big data solutions and security-specific tools.

Historically this has been very successful for external threats, which have very little identity data context. It has been proven to be effective when someone penetrates the exterior or malware is deployed. CISOs now have visibility and the ability to respond, sometimes within minutes. There is now a broad realization that internal users (specifically internal privileged accounts) have much more value to attackers when compromised. So, we are now being asked how to leverage this data to identify and respond to internal threats — for events that do contain identity information.

Opportunity for Security

Security in this area can be achieved through four essential activities. Technologically, all the tools are available. Now it’s time to use them.

1. Identify your most valued assets (e.g., data, applications, etc.).
2. Identify and integrate privileged user repositories to understand who these users are.
3. Collect activities on critical infrastructure in the central security intelligence and event management (SIEM) solution.
4. Identify expected activities for each user type and create runbook use cases to respond to events that are outside of these.

3. Cloud-Based IAM Solutions Have Reached a Critical Level of Maturity

In the years leading up to now, I have seen multiple solutions created, startups enter the industry, big companies try to bring their solutions to the cloud, and a lot of them failed to achieve their stated capabilities. Not only was the technology not ready, but also companies were not generally interested. There was a rare situation in which business demand and technology solutions have developed in parallel.

It is still true that companies will need to adopt a set of standard capabilities per the 80/20 rule. Fortunately, the number and flexibility of those standard capabilities has become robust among the market leaders. Product vendors see this trend, and the product investment funding is clearly becoming cloud first.

It’s important to note that some cloud-based IAM vendors have a focus area. Few cover all aspects of IAM — and therefore have some limitations. This is where it’s really important to understand the four subdomains of IAM: identity data; identity management; access governance; and access enforcement. Some vendors focus on federation and authentication. Some are great at directory replication within a homogeneous platform. Some specialize in provisioning and deprovisioning.

Administration interfaces — those complex, fat-client or command-line tools so common with on-premises solutions — are now replaced with dynamic and intuitive web-based tools in cloud-based IAM solutions. They have point-and-click configurations and wizards. They allow almost all aspects of administration to be conducted by customer administrator users.

Just as important as the use cases available is the integration capabilities. On-premises IAM solutions have the advantages of installed connectors, a broad range of network protocols, custom code capabilities and nearly unlimited bandwidth. The leading cloud-based IAM vendors are addressing this too by adopting dedicated network connectivity to go beyond the LDAPS/ JDBC protocols, and leveraging application programming interfaces (APIs) for integration. Software-as-a-service (SaaS) operational services have also expanded so features that aren’t yet administered by web-based tools can be configured with a change request ticket to the SaaS operations team.

Perhaps the most important reasons to adopt cloud-based IAM solutions are stability, flexible capacity and operational cost reductions. These are no longer considered differentiators between SaaS vendors; they are often more stable than on-premises solutions and certainly more expandable. The cost advantage still needs to be evaluated on a company-by-company basis, and many factors affect that calculation. But in my experience, I have yet to see a cloud-based IAM solution cost more to implement or operate than a comparable on-premises solution.

Opportunity for Security

Adopting a cloud-based IAM solution is not something to be taken lightly, especially if there are significant investments in on-premises licenses, infrastructure and operations. If these investments exist, the next upgrade or expansion cycle is the time to look at moving to cloud-based IAM. Doing so makes it possible to adopt standardized solutions, simplify operations and reduce operational cost, all while using the leading-edge technology.

4. Regulatory Compliance and Audit Enablement Is No Longer a Burning Platform

With the current level of IAM maturity, most companies have reached an equilibrium of automated IAM technology and manual processes for audit and regulatory compliance. The pendulum has certainly swung back and forth over the past 15 years, and a lot of work has been done to get here. Now, the demand for technology and process changes have declined. This isn’t to say the work is complete or that everyone is happy — I doubt any company would say they have the optimal solution.

Most companies have either reached a point of diminishing returns on their investments toward audit and regulatory compliance needs, or they simply have no funding available. A few companies are pulling back from their complex RBAC models and automated separate of duties (SoD) policies because they have realized the cost and complexity of maintaining them. Others have found manual processes are sufficient for audit purposes and less expensive — especially when using offshore teams — than integrating to the nth level with technology.

Still, other companies have IAM shelfware. They bought solutions and are paying for annual maintenance, but the cost to implement, integrate and operate are too expensive in the current business environment. There is a fundamental truth that IAM affects almost every area of IT and most back-office business processes. This makes a comprehensive deployment expensive and time-consuming. And in spite of the move toward cloud-based IAM, that fundamental truth hasn’t changed.

The big caveat to this is the General Data Protection Regulation (GDPR). While few companies are taking action at the moment, and it’s not perfectly clear what the IAM implications are, it’s clear we will all need to look at how we enable users to manage their identity data under this regulation. I expect this to be a significantly different situation in six months to a year!

Opportunity for Security

While SOX, HIPPA, GLBA and other regulatory programs are not disappearing (perhaps changing, but not being eliminated), they are no longer a leading driver of funding to IAM programs. This is not to say no one is asking or new regulations aren’t coming. In fact, internal audit teams and application owners are still burdened with onerous access recertification processes. Further, other demand is backfilling for that drop in demand, so we still see an upward trend in IAM investment. CISOs can still rely on internal audit and business unit stakeholders to advocate and help with funding for IAM initiatives by building a coalition.

5. The Explosion of Federation

Federation and federated single sign-on (SSO) is now the standard mechanism to provide SSO across application domains. It’s practically a necessity to connect with SaaS providers. This has been the case for a number of years, and federation was one of the most rapidly adopted standards. But it has recently reached a new threshold: It is becoming the default authentication mechanism within companies and across applications. This is due to a number of factors, such as the proliferation and maturity of SSO tools, native support for SAML within large software packages and the adoption of SaaS applications.

It’s also important to remember that federation partnerships have become a very simple configuration to add. In most SSO tools, they can be added in a few minutes via a wizard-like interface. With this small investment and a little testing, these connections can be added and changed easily. There are even some companies that allow business users to manage federations for their applications without security team participation. The close relatives of federation, OAuth and social media-based authentication are gaining acceptance as well, but they are not yet at the same critical mass.

For many companies, the sheer number and criticality of federation partnerships have become unwieldy. Five years ago, a company might have had two or four federation partnerships. But today it can be in the hundreds, with copies of the same partnership on the same endpoint system, used by different business units. Managing hundreds of configurations can be challenging, so I have been coaching companies to treat federation partnerships with the same diligence and change management control as their other mission-critical systems.

Opportunity for Security

When a technology reaches this level of adoption and maturity, it’s an opportunity to eliminate older technologies, mandate federation as the SSO standard for technology deployments and codify the change control process for SSO integrations. If a security team can achieve these things, they are well-positioned to leverage offshore or outsourced resources to manage these configurations. This allows the core security team to refocus on more pressing and complex issues.

While many changes in the security domain make our lives more difficult, the changing IAM landscape continues to improve business outcomes, improve the user experience and increase operational efficiency.

Source: securityintelligence.com
Author: Brett Valentine, Associate Partner, IBM

The post Current Trends in Identity and Access Management: July 2017 appeared first on Identity Insider.

The post Say Goodbye to Passwords, the Future of Authentication is Here appeared first on Identity Insider.

The post 4 Benefits of a World with Less Privacy appeared first on Identity Insider.

The 142GB MongoDB account was hosted on Amazon Web Services (AWS) infrastructure in the US and belonged to global document recognition and content capture software developer ABBYY, according to former Kromtech man Bob Diachenko.

Unfortunately, the account was left totally unprotected, with no password or log-in, meaning anyone with internet access could theoretically have gained entry.

“The biggest concern was the fact MongoDB in question also contained a large chunk of scanned documents (more than 200,000 contracts, NDAs, memos, letters and other internal documentation, properly OCR’d and stored) which apparently were stored by ABBYY partners using their administration console,” he explained.

The firm’s head of information security replied to Diachenko’s email requesting more info.

“Database access has been disabled soon after I sent him the IP address (two days after my initial notification), but questions still remain as of how long it has been left without password/login, who else got access to it and would they notify their customers on the incident,” he added.

A statement sent to the researcher following the incident claimed the “temporary data breach” affected just one of the developer’s customers, and that a “full corrective security review of our infrastructure, processes and procedures” has been undertaken.

ABBYY lists major global companies and governments among its customer base, including Deloitte, McDonald’s, Volkswagen and the Reserve Bank of Australia.

The firm is fortunate Diachenko found the trove of documents rather than online attackers who last year twice ran major campaigns in which data was stolen from exposed servers before being ransomed. It’s believed tens of thousands of victims were involved.

Source: www.infosecurity-magazine.com
Author: Phil Muncaster UK / EMEA News Reporter , Infosecurity Magazine

The post Unprotected MongoDB Account Exposes 200K Files appeared first on Identity Insider.

The post Adding ‘I Am’ to IAM appeared first on Identity Insider.

The post The IoT’s Perplexing Security Problems appeared first on Identity Insider.

The post Don’t Be So Sure AI Is Cybersecurity’s Silver Bullet appeared first on Identity Insider.

The post 261,000 cryptocurrency investor details leaked in Atlas Quantum hack appeared first on Identity Insider.