
Bringing Encryption to Healthcare, Penta Security Systems Partners with Eventi Telematici

MyDiamo, Penta Security Systems’ high performing column-level encryption solution, will be bundled together with Eventi Telematici’s software solutions to enhance the security of healthcare products and services across the globe.


Penta Security Systems Inc., a leader in web, IoT, and data security solutions and services, has established a strategic partnership with Eventi Telematici, an Italian software solutions provider that delivers cancer data analysis products and services to medical organizations across the globe. The partnership will combine MyDiamo’s column-level database encryption capabilities with Eventi Telematici’s existing line of cloud and on-premise solutions. In the wake of recent hackings that affected major health organizations in various parts of Europe, there is a crucial lesson to be learned about safeguarding sensitive medical data. Because healthcare institutions hold databases storing the medical records of millions of patients, a database encryption solution is necessary to protect this confidential data at all times.

Furthermore, regulatory laws now require corporations and organizations to strengthen data protection as is the case with the EU’s General Data Protection Regulation (GDPR) and Singapore’s Personal Data Protection Act (PDPA). Addressing these requirements, Penta Security Systems offers database encryption solutions that work in various types of environments. With a large majority of organizations utilizing open source database management systems (DBMS), MyDiamo has been specifically designed to serve as a safe and reliable DBMS encryption solution for open source database environments.

This partnership will give Eventi Telematici the opportunity to bundle MyDiamo with the solutions it sells to clients. The advantages of MyDiamo are many: as one of the few encryption solutions for open source DBMS such as MySQL, MariaDB, and PostgreSQL, MyDiamo offers column-level encryption, which allows end users to selectively encrypt columns in databases. It provides access control and a separate encryption key for each encrypted column. This partial encryption capability, known as granular encryption, enables user-specific control over encrypted column values rather than encrypting entire databases.

What this means for end users is a major performance advantage, since encryption and decryption can be done per column rather than for the whole database, speeding up information retrieval. MyDiamo offers an efficient encryption solution with a seamless installation process and no service interruption. “Healthcare institutions in particular should implement an encryption solution to ensure the confidentiality of sensitive patient data and to keep in line with existing regulations, especially when, with MyDiamo, there is no need to encrypt entire databases. For this reason, we anticipate other IT solution providers that handle private data to look into bundling their services with high quality encryption solutions,” said DS Kim, Chief Strategy Officer at Penta Security Systems.

This year Penta Security Systems celebrates two decades of IT expertise and will continue to serve the security needs of a global clientele with web application firewall, encryption, and single sign-on solutions.


The Blockchain Hype


With technology advances a-plenty – what’s going to be the next revolutionary technological development?

Big data? The Internet of Things (IoT)? Nope.

It’s going to be the blockchain.

With more than 25 countries investing in the technology, and $1.3 billion invested – it looks like individuals, companies, and governments alike are putting their eggs in the blockchain basket.

The public blockchain is, simply put, a digital ledger where digital transactions are recorded publicly. Most widely known for its use with cryptocurrencies like Bitcoin, blockchain technology has enabled peer-to-peer transactions to be conducted without a banking system as middle man, thereby challenging the power of banks to control currency. However, the applications of blockchain go far beyond cryptocurrency transactions and include supporting all kinds of informational exchange.

The idea of the blockchain is revolutionary because it allows for transparency and a new way of organizing the millions of transactions that society now handles on a daily basis. Its workings are defined perfectly by its name: transactions are recorded in “blocks” and placed chronologically in “chains.” Once a block is full of transactions, a new block is added on and chained to it. Therefore, as the chain gets longer and longer, it becomes nearly impossible for hackers to penetrate it for scams, defacement, or theft. With security at maximum, what is there to worry about?
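As an added illustration (not part of the original post) of why chaining blocks makes tampering both evident and costly, here is a toy ledger in Python: each block commits to the previous block’s SHA-256 hash, and a small proof-of-work target is assumed so that rewriting an early block forces every later block to be re-mined. The three-hex-digit difficulty, the transaction format and the names are constructed for the example, not Bitcoin’s real rules.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List

# Constructed toy parameters (assumptions for this example, not Bitcoin's rules)
DIFFICULTY_PREFIX = "000"   # a block hash must start with three zero hex digits
GENESIS_PREV = "0" * 64     # the first block has no predecessor


@dataclass
class Block:
    index: int
    prev_hash: str          # commitment to the previous block: this is the "chain"
    transactions: List[dict]
    nonce: int = 0

    def header(self) -> str:
        # Canonical serialization so identical content always hashes identically
        return json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash,
             "transactions": self.transactions, "nonce": self.nonce},
            sort_keys=True, separators=(",", ":"))

    def hash(self) -> str:
        return hashlib.sha256(self.header().encode()).hexdigest()


def mine(block: Block) -> int:
    """Increment the nonce until the hash meets the target; return the hashes tried."""
    attempts = 0
    while not block.hash().startswith(DIFFICULTY_PREFIX):
        block.nonce += 1
        attempts += 1
    return attempts


def build_chain(batches: List[List[dict]]) -> List[Block]:
    """Append one mined block per batch, each linked to the hash of the block before it."""
    chain = [Block(0, GENESIS_PREV, [])]
    mine(chain[0])
    for txs in batches:
        block = Block(len(chain), chain[-1].hash(), txs)
        mine(block)
        chain.append(block)
    return chain


def first_invalid_block(chain: List[Block]) -> int:
    """Index of the first block whose link or proof-of-work fails, or -1 if the chain verifies.

    Everything after the first broken block is untrusted, because each later
    block only vouches for the (now changed) history it was mined on top of.
    """
    for i, block in enumerate(chain):
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1].hash()
        if block.prev_hash != expected_prev or not block.hash().startswith(DIFFICULTY_PREFIX):
            return i
    return -1


def rewrite_history(chain: List[Block], start: int) -> int:
    """Re-link and re-mine every block from `start` onward; return the total hashes tried.

    This is the work an attacker must redo to make a tampered chain verify again,
    which is why the cost of rewriting grows with the number of blocks after the edit.
    """
    attempts = 0
    for i in range(start, len(chain)):
        chain[i].prev_hash = GENESIS_PREV if i == 0 else chain[i - 1].hash()
        chain[i].nonce = 0
        attempts += mine(chain[i])
    return attempts


def tamper_demo() -> Dict[str, object]:
    """Alter an early transaction, show where verification breaks, then measure the rewrite cost."""
    chain = build_chain([                                   # constructed sample ledger
        [{"from": "alice", "to": "bob", "amount": 5}],
        [{"from": "bob", "to": "carol", "amount": 2}],
        [{"from": "carol", "to": "dave", "amount": 1}],
    ])
    assert first_invalid_block(chain) == -1                 # honest chain verifies
    chain[1].transactions[0]["to"] = "mallory"              # tamper with block 1
    detected_at = first_invalid_block(chain)                # block 1 (or its link from block 2)
    cost = rewrite_history(chain, 1)                        # blocks 1..3 must all be re-mined
    return {"detected_at": detected_at, "rewrite_cost": cost,
            "valid_after_rewrite": first_invalid_block(chain) == -1}


if __name__ == "__main__":
    print(tamper_demo())
```

The demo also shows the flip side discussed in the post: integrity is only as good as the network’s willingness to keep extending the honest chain, since an attacker who can out-mine everyone else can make a rewritten history verify too.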

But let’s cut to the chase. Is blockchain technology secure? The short answer is, yes — yes it is.

The long answer is: Maybe. It depends on your perspective.

Time is (not) of the essence

First, there are many who complain about issues in terms of transaction verification. Because the blockchain is a distributed ledger, every block of transactions must compete to be added to the chain. This is done through a consensus process of selecting blocks contributed by miners, who solve complex mathematical puzzles in the fastest time to receive a reward. This process can be sped up by paying an added fee, bumping up the transaction, but the average wait can be upwards of 40 minutes. In rare cases, it may take days for a transaction to be verified. Just so you can see how slow that is: MasterCard’s 2012 report claimed that its network could handle upwards of 160 million transactions every hour, with an average response time of 130 milliseconds per transaction.

The duration of the wait is not only a cumbersome issue in terms of service, it’s also a security issue: a lot can happen in 40 minutes, and most people aren’t interested in being patient in exchange for reassurance in security.

Where are my keys?

When people talk about the blockchain, you’ll also hear the word “bitcoin” quite often, but don’t interchange these two terms, as they’re two very different ideas. The blockchain is a decentralized ledger, a database of transactions. Bitcoin is a form of virtual currency, or, in the preferred terminology, a “cryptocurrency.” Bitcoin and ether, another cryptocurrency, are used in transactions that are recorded on the blockchain. The currency is stored and managed in a virtual “wallet.”

To make transactions, private keys (which many store in virtual wallets) are a necessity. Now, private keys are a completely separate entity from the blockchain, making security a bit more difficult to ensure. Despite the myriad “must-do, top security tips” articles out there, many are still careless in the way they store or remember their private keys. If they choose to save their keys in an unsafe digital or physical location, it no longer matters how secure the blockchain itself is: a breach is still possible with a legitimate, albeit stolen, private key.

On top of possible theft, there’s the issue of the loss of a private key. Just as one may lose a physical car key, private keys can also be lost. The loss isn’t a failure of the blockchain technology, but a result of user error. This is a huge area of concern within the public blockchain, as some put the value of lost bitcoins at over $948 million.

Old habits don’t die hard

The reality of blockchain is that in order to truly deliver on the “revolution” in terms of economy, the traditional structures of government, financial institutions, and societal ideas of transactions will have to change. The most hyped “security issue” with blockchain technology came in 2016, when the Decentralised Autonomous Organisation (the DAO), an investment fund relying on the Ethereum platform, had 3.6 million “ether” (the cryptocurrency unit of the Ethereum blockchain) stolen by a hacker who exploited a vulnerability in its system. With multiple heists, the DAO ended up losing around $150 million.

Now, did this mean that blockchain technology isn’t secure? Not necessarily: the technology itself was and is secure, and strong cryptography is used to make sure that assets are transferred safely. Units of ether are also traceable, meaning that even if the hacker were to try to re-sell his goods, it would be flagged right away. Within the DAO, payouts also take a few weeks, which gave the DAO developers a bit more time to figure out how to remedy the hack. The damage was, however, done in terms of the credibility of the blockchain and the DAO. Ethereum enthusiasts were not fans of the incident, and it caused many to raise their eyebrows at the idea of a public ledger.

The future of the blockchain

So we can see that the “issues” have more to do with the applications than with the technology itself. But the reality is that resolving these security issues, even though they are secondary to the actual blockchain technology, takes time and effort, as public blockchains need acceptance by the community that uses them in order to have any value within the social construct. Will blockchain technology still catch on? Not only will it catch on, it’s already taking the world by storm. With the gargantuan amounts of money (both physical and virtual) being invested, this isn’t a hype that looks short lived. It still helps to keep in mind that no matter how secure a technology is, the applications surrounding the technology may still need quality security.


Holiday Cyber Security Tips – Santa, Sales… but what about Security?

From Black Friday to New Year’s Eve…

It’s that time of year again. Halloween is over, and after the candy wrappers have been hidden and the costumes have gone on clearance, storefronts get ready for the holiday season. Starting with Thanksgiving and Black Friday, all the way to Christmas and New Year’s Eve, it’s a prime time to get your shopping done. In fact, statistics say that 19.2% of annual sales come from the holiday season. However, have you ever thought, “Wow, I’d really appreciate some holiday cyber security tips right about now!”? Well, if you haven’t, you really should.


It’s now easier than ever: shopping can be done at the click of a mouse or the touch of a finger on an iPhone. Nearly half of all shopping during the holiday season is done online, so you might not even have to face the horrid crowds of Black Friday. However, while you’re giddy about the possible steals, hackers might be celebrating for a completely different reason.

S is for Santa, Sale, and Security

40% of annual online fraud happens during the last three months of the year, according to Rurik Bradbury, a marketing executive at e-commerce security company Trustev. It’s an easy time to take advantage of customers who are eager to grab deals and get their Christmas shopping out of the way. Sales and Santa seem much more enticing than Security, and even the most security-conscious of people are duped into being carefree with their personal information.

However, we care about your security, so here are 5 tips to remember during your shopping trips, using the letters of SANTA.

S – SSL?

To shop online, one must go to a website or a web application, so when connecting, make sure that you’re connecting to a site using SSL. SSL stands for Secure Sockets Layer, and it works by creating a secure connection through encryption.

How do you know the site you’re visiting uses SSL? Two steps: first, make sure that the URL uses HTTPS and not HTTP (check in your browser bar), and second, see if your browser bar shows a lock icon by the URL.

A – Ask the owner

Whether you’re shopping online or heading to some offline stores this holiday season, never hesitate to ask the owner or the site administrator about their security practices. Vendors are required to be PCI compliant if they’re handling payments of any kind, so make sure they can prove that to you as their valued customer.

N – No Wi-Fi

It might be tempting not to use any of your sacred cellular data when browsing through the store catalogs. However, be careful about which network you are connecting to. Wi-Fi networks aren’t always secure, and hackers can easily access personal or financial information on a public network.

T – Try Credit

While debit might seem like the financially savvy choice, being security-savvy is a different issue. Credit cards are the safer option because you don’t have to pay your bill immediately, which lets you as the buyer review what you’ve purchased. And fortunately, many banks have fraud insurance, so you’re not charged for some hacker’s wrongdoing.

A – Aim for what you know

Unfortunately, you could follow all these steps and still be vulnerable to attack. However, applying these steps and sticking to what you know can reduce your risks significantly. The holiday season isn’t the time to go to a website you’ve never visited before. It’s definitely not the right time to try a brand new payment method.

Take Charge of Your Holiday Cyber Security

It’s too bad that hackers take one of the happiest times of the year to try to wreak havoc on others’ finances and data. However, it’s best to be cautious so that your merriment won’t be disturbed.

To help your holiday season stay merry, here’s a bonus tip for you online site owners: get a website protection service. And the great thing about the holiday season is that security companies are at their most alert. They know the vulnerabilities of sites and the mischievous nature of hackers during the season.

Services like Cloudbric are offering one month of free service to their users. Remember, though, that the offer covers up to 100GB of traffic if you sign up on Cyber Monday. So take a cue and mark it on your calendar so you can spend your holidays worry free!

Happy (early) holidays!


What Does ‘Website’ Mean to CMS Users?

The definition and concept of a website will invariably differ depending on the demographic you’re questioning. Defined literally, a website is a connected group of pages on the internet that use unique addresses and routes on the network, which are based on internet protocols. But who can actually understand this kind of explanation? The CMS (content management system) has become the leading solution for building a website with relative ease, and has become a second home for bloggers worldwide.

Some of the most widely used CMS tools include WordPress, Joomla, and Drupal. CMS users that depend on these tools must take a closer look at some important issues we will address.


Chances are you have one of these open right now.

Whereas business owners are going to view websites as a platform for making money, the typical CMS user is thinking more about everyday concepts like social media, news, or the latest baseball game. Whether you’re browsing the news or checking out newsfeeds filled with baby pictures and your now happily married friends, chances are your criteria for a good website are going to differ greatly from those of, say, a CEO. Let’s take a look at 3 criteria that the average CMS user might take into consideration when certifying a website as fresh.

1. Content

Well, I think this one is a no-brainer. With the massive amount of available websites providing the latest content, it’s crucial to provide the most engaging and innovative content in order to retain visitors. Let’s face it, people today are extremely lazy and have an attention span of a few seconds. SEO is the name of the game.

Social media has become a huge player today, and it’s here to stay due to its ability to provide constant, up-to-date breaking news from around the world. Sites like Buzzfeed and Upworthy also serve as valuable resources, as they compile eye-catching and often incredible stories to read.

2. Speed, Ease of Use

Again, back to the short attention span that plagues the current generation. If a website is difficult to navigate or inundated by those irritating popups and ads, chances are users won’t be back. It’s like meeting a potential partner or going in for an interview. The first impression is the name of the game.

If a website takes 5 minutes to load, it’s like being 5 minutes late to an interview. It just shows that you don’t care or you didn’t make the proper preparations. By the way, if you’re still using IE please download Chrome or Firefox now.

3. Active Community

Reddit and Quora are two of the most popular communities around. The beauty of Reddit is that it is built on subreddits. This effectively allows you to navigate straight to the type of content you want to browse. Or you can simply navigate to the front page. Then you can browse the most popular posts regardless of category.

It’s a solid way to keep up with news as well. You can discover things or find an interest in something that you may not even have known existed. This is effective because people don’t want to have to root through information that is irrelevant (at least to them) in order to reach the information they want.

Regardless of Demographic, Everybody Needs Website Security

As a whole, CMS users tend to look at websites in a more laid-back manner than their strictly business-oriented counterparts. However, this doesn’t take away from the fact that website security is of the utmost importance. Many CMS users tend to think that their site is safe since it’s not established or doesn’t seem like an appealing target. However, it’s these smaller up-and-coming sites that are often targeted, precisely because their vulnerabilities are so visible.

Regardless, a web application firewall is a must. Look no further, as Cloudbric is here as your one stop security service to ensure all that painstakingly created content doesn’t fall into the wrong hands. Get started today!


Cited by Gartner in 2016 Hype Cycle for Data Security

Listed as sample vendors for FPE and Database Encryption, Penta Security receives attention for its developments

Seoul, Korea: Penta Security Systems Inc., a leading Web and Data security provider in the Asia-Pacific region, announced that it has been listed as a sample vendor for two technologies, Format Preserving Encryption (FPE) and Database Encryption, in the Gartner 2016 Hype Cycle for Data Security.[1] Each year, Gartner, Inc. publishes visual representations of the maturity and adoption of various technologies and applications, and cites vendors that are relevant to business development in the particular field. Within the last year, numerous corporations and entities worldwide have had their data breached, further highlighting the need for data security and encryption technologies.

Database Encryption

In the 2016 Hype Cycle for Data Security, Penta Security was cited as a sample vendor for Database Encryption, which is in the early mainstream stage in terms of maturity. Penta Security’s Head of Planning, Duk Soo Kim, stated, “After research and development over the course of many years, we’re pleased to see the technology becoming increasingly prevalent in the market. As the industry continues to develop and mature, we will most certainly be keeping up with the latest in database encryption technology.”

FPE (Format Preserving Encryption)

Additionally, Penta Security was listed as a sample vendor under Format Preserving Encryption. Still largely a new field, FPE allows encrypted data to keep the structure (length and character set) of the original with minimal modification. While previously less utilized, its adoption has become more widespread since NIST (National Institute of Standards and Technology) established standards for secure FPE implementation. Regarding this listing in the Hype Cycle, Kim remarked, “Technology and security are constantly changing and being challenged. Therefore, being named as a sample vendor for a technology like FPE confirms that we are implementing technologies taken on by early adopters, not just those traditionally utilized.”

Penta Security is a leading vendor of data security solutions, including its encryption solution, D’Amo. By using FPE technology, D’Amo allows encryption to be applied to sensitive data fields without modifying the database schema. With businesses’ data becoming increasingly complicated in their mission-critical applications (such as ERP, CRM, HRM), continued attention to data security practices is crucial.

Disclaimer:

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About Penta Security:

With over 19 years of IT security expertise, Penta Security Systems Inc. (CEO/Founder Seokwoo Lee) is recognized by Frost & Sullivan as 2016’s Asian Cyber Security Vendor of the Year. For more information on Penta Security and its encryption technology, please visit www.pentasecurity.com. For partnership inquiries, please email info@pentasecurity.com.


[1] Gartner, Hype Cycle for Data Security, 2016 by Brian Lowans, July 13, 2016: https://www.gartner.com/doc/3371735/hype-cycle-data-security-


Top 5 Cyber Security Movies

With the rise in cyber security-related occurrences in the general media, it only makes sense that the topic would spill over into entertainment. For example, the 2016 releases “Jason Bourne” and “Now You See Me 2” both deal with issues of privacy in the cyber realm in some form or another. But this isn’t new by any means. The possibilities on film are endless. In fact, cyber security movies have been around since the very beginning of the digital era.

Screenwriters and directors have constantly been exploring the “What if” moments of privacy. What if the government is watching us? What if there’s a chip that can unlock all devices? What if, what if, what if? And although it might seem like the directors are being unrealistic, what’s surprising is that many of the films made in the past contain technologies that we now utilize in the present!

So today on the blog, let’s take a look at some general and industry-favorites to compare the past and future:

The Top 5 Cyber Security Movies that you need to see right now!

1. Sneakers (1992)

No, the title does not refer to a type of athletic shoe. In this movie about a group of nerds who work as spies, the heroes are chased by government men after discovering a cyber attack program that can penetrate any security system. Nowadays, we can imagine such things, but back in the early 90s, software like that was unthinkable.

This movie is worth watching, especially as it stars Robert Redford, Sidney Poitier and Dan Aykroyd, and it mixes the genres of action, drama, and even some comedy (I mean, after all, it is a Dan Aykroyd movie). It’s underrated but a favorite among IT enthusiasts.

2. The Net (1995)

Sometimes you’re a spy out to expose the government, and sometimes it’s the other way around. This 1995 Sandra Bullock film is centered on the main character, Angela Bennett. A low-key computer geek, Angela is the unfortunate victim of government-aided identity theft, just because she happened upon a floppy disk (remember those?) containing government-surveillance plans.

Again, identity theft was a topic that was still strange and foreign back in the mid-90s, but nowadays we hear on the news daily about which company has had its data breached.

3. Hackers (1995)

This next film can be a bit hit or miss, with a techno soundtrack and a bizarre plot and graphics, but somehow the movie is endearing. The main character is Dade Murphy, a hacking prodigy who at 11 is arrested and charged with causing a 7-point drop in the NYSE. He is barred by the state from using the Internet until his 18th birthday. The day he hits 18, of course, he goes online and finds a new group of hacker friends. Naturally, situations go awry as they mess with the wrong crowd.

As far as cyber security movies go, this one is a bit on the comically quirky side. However, it’s worth a watch as it portrays these situations in a rather facetious light.

4. WarGames (1983)

The earliest film in our top 5 list, this classic was a game changer in the industry. It stars Matthew Broderick as a genius kid who hacks into the NORAD (North American Aerospace Defense Command) system to impress his girl.

While it’s a simple plot, this was the 80s, and Cold War tensions were in full force. It’s said that after watching the movie, President Reagan was actually concerned enough to ask whether this was really possible. The response? Yes, it was. The movie actually prompted the government to secure its computer technology, even in the days of dial-up modem Internet.

5. Enemy of the State (1998)

Probably the most action-filled movie on the list, this Will Smith flick is about a lawyer who stumbles upon some NSA information. The movie shows surveillance technology being used in any and every way imaginable. Again, the technologies seen in the movie are making, or have already made, their way onto the scene. It definitely gives a taste of how technology can have a detrimental effect on privacy (or the lack of it).

Now, quite honestly, the cyber security movies on this list vary. Some are a bit on the fantastical side, while others are more realistic. But all in all, you can see through the plots and the responses to these films that security has no boundaries: cyber security is not limited by time or even by industry.

Movies will continue to be made in the future. It’s easy to dismiss plots as unrealistic and the mere creation of a director’s or writer’s mind. But when we take a look at these movies from the past, we can see that perhaps it’s not that much of a stretch after all.


Public Wi-Fi: Stranger Danger

Progress in the IT world has led to a good number of changes in the past decade. Nowadays, we’re surrounded by technology, and it’s a part of our everyday lives. One of the technologies we don’t even give much thought to anymore is public Wi-Fi.

It certainly has made life a lot easier. We don’t have to rely constantly on the quickly disappearing cellular data allowances on our mobile phones. Especially in Korea, one of the most connected countries in the world in terms of network infrastructure and #1 in terms of internet speed, free public Wi-Fi is taken as a given. It’s a win-win situation: businesses get more foot traffic from tourists or residents seeking a location with a Wi-Fi connection and entertainment, and customers are connected to the Internet for free without needing to use their precious cellular data.

But the issue here is this: is public Wi-Fi really safe?

Cafes are a popular place for students and freelancers alike because they provide a nice ambiance, open spaces, and, most of the time, free Wi-Fi. Many cafes have their Wi-Fi password on display at the counter or printed on the receipt, and most of the time it’s something easy like “1234567.” However, when a simple string of characters is on public display, it no longer fulfills its original duty of acting as a “secret code” for accessing a device.

And the fact is that there has been an increase in the hacking of public wireless routers of late. The most prevalent of these hacking methods is called “wireless sniffing.” Just as the name suggests, wireless sniffers are specifically created to “sniff out” data on wireless networks. A sniffer is a piece of software or hardware that intercepts data as it’s transmitted and decodes it so that it’s readable by humans. If a wireless sniffer captures your connection, your ID or password may be exposed, or your device could be infected with malware.

Awareness of Public Wi-Fi Security Issues

This is all anxiety-causing information, but we started to wonder about two things in terms of real-world application. First, how good is the security at some of the well-known establishments providing Wi-Fi? And second, are providers (at cafes, bookstores, etc.) and users aware of the security (or the lack thereof) of public Wi-Fi?

The Public Wi-Fi “Provider”

After surveying 20-odd establishments, we categorized them into three levels of security. For the “high” level, authorization and authentication were required in order to gain access. For “average,” a password different from the original factory setting had been set, and for “low,” no changes had been made to the router since the point of purchase. Not surprisingly, we found that the larger chains offered higher measures of security than the domestic brands. Independent cafes rarely had the level of security necessary to secure a Wi-Fi connection.

We then conducted a short interview with either the employee behind the counter or the branch manager and found that many locations don’t regularly upgrade their firmware. Upgrading your firmware regularly makes sure that your router is stable, patched, and optimized to take on the traffic. Although it can be a tedious process, it’s a necessity. And while some locations had changed their password after buying the router, it was often a simple one. Additionally, none of the establishments had been changing their passwords regularly.

Most cafes will have a simple password (or no password at all) because it’s more convenient. However, a few simple steps can set you on the right track to begin protecting your establishment. After all, a business needs to look at customer loyalty and long-term growth. That isn’t going to happen if you or your customers are hacked.

4 easy steps to secure the public Wi-Fi of your establishment:

  1. Change the ID and password from the default factory settings, and keep changing them regularly.
  2. Secure your Wi-Fi by switching the settings to WPA (Wi-Fi Protected Access) rather than WEP (Wired Equivalent Privacy). WEP uses static encryption keys, which makes it easier to break into.
  3. Block remote access to the router.
  4. Update the firmware regularly.

The Public Wi-Fi “User”

We went on to interview customers who were using the public Wi-Fi at the cafes to get their views on security. To our surprise, users’ knowledge of security issues was better than that of the providers. But although Wi-Fi users are sometimes aware that it may be unsafe, because it’s free and convenient, they ignore the risks and access the network anyway.

So what are the basic steps you can take that won’t take too much of your time/money?


4 Cautionary Steps for Using Public Wi-Fi

  1. Turn off sharing on your computer, and make sure that remote login is not possible.
  2. Consider using a VPN (Virtual Private Network) when connecting to public Wi-Fi. Because it encrypts your traffic, it can help prevent criminals from sniffing it.
  3. Avoid sites that take your ID and password (e.g. banking, online shopping).
  4. Go to a cafe or public Wi-Fi hotspot where you know what security measures the provider takes.

But in all honesty, public Wi-Fi will never be “safe” in the sense of being free of all security risks.

And if you must…

It’s not realistic to say that all public Wi-Fi must disappear. In the digitized 21st century, connectivity is inevitable; in fact, it’s already here. So the best thing you can do, as a user or a provider, is to be cautious and have these steps ready to execute. Extra measures are also possible with a firewall, anti-malware products, etc. But remember, the first step is the most important.


DDoS Top 6: Why Hackers Attack

Lately, it seems like the companies that haven’t had their web and cyber security compromised are in the minority.

Many are hit hard by web vulnerability attacks. In particular, we see an increase in DDoS (Distributed Denial of Service) attacks. With DDoS, the attacker's main goal is to make your website inaccessible using botnets. Botnets are basically an army of connected devices that are infected with malware. Your website's server becomes overloaded and exhausted of its available bandwidth because of this army. Much of the time, the attack doesn't even breach your data or get past any security perimeter.
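The symptom described above, a single server drowning in requests from many infected devices, is visible in ordinary access logs long before it is visible in a dashboard. The following is an added example (not code from the original post): it parses web-server log lines in the common "combined" format, finds each source address's busiest window, and reports addresses whose request rate is far beyond human browsing. The log lines are constructed for the example and use documentation address ranges; the window and threshold are illustrative knobs, not recommended values.

```javascript
// Added example (not from the original post): spot request floods in web-server
// access logs, the footprint a DDoS leaves on the target. The log lines are
// constructed here; the addresses come from documentation ranges (RFC 5737).

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Convert an Apache/Nginx timestamp such as "10/Oct/2016:13:55:36 +0000"
// to Unix seconds; returns NaN if the format does not match.
function parseApacheTime(s) {
  const m = s.match(/^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/);
  if (!m || !(m[2] in MONTHS)) return NaN;
  const [, d, mon, y, hh, mm, ss, sign, tzH, tzM] = m;
  const offsetSec = (Number(tzH) * 3600 + Number(tzM) * 60) * (sign === '-' ? -1 : 1);
  const utc = Date.UTC(Number(y), MONTHS[mon], Number(d), Number(hh), Number(mm), Number(ss));
  return utc / 1000 - offsetSec;
}

// Parse one "combined"-format line; null when the line does not match.
function parseLogLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)/);
  if (!m) return null;
  return { ip: m[1], time: parseApacheTime(m[2]), request: m[3], status: Number(m[4]) };
}

// Group requests by source address and find each address's busiest window.
// An address whose peak meets the threshold is reported as a flood source.
function findFloodSources(lines, { windowSeconds = 10, threshold = 20 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (!rec || Number.isNaN(rec.time)) continue;   // skip unparseable lines
    if (!byIp.has(rec.ip)) byIp.set(rec.ip, []);
    byIp.get(rec.ip).push(rec.time);
  }
  const flagged = [];
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    let peak = 0;
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowSeconds) start++;   // slide the window forward
      peak = Math.max(peak, end - start + 1);
    }
    if (peak >= threshold) flagged.push({ ip, peakRequests: peak, windowSeconds });
  }
  return flagged.sort((a, b) => b.peakRequests - a.peakRequests);
}

// Constructed log: one address firing 6 requests a second for 5 seconds
// (one bot out of a botnet), plus a visitor browsing at a human pace.
function makeLine(ip, second, path) {
  const ss = String(second).padStart(2, '0');
  return `${ip} - - [10/Oct/2016:13:55:${ss} +0000] "GET ${path} HTTP/1.1" 200 5120`;
}
const SAMPLE_LOG = [];
for (let s = 0; s < 5; s++) {
  for (let k = 0; k < 6; k++) SAMPLE_LOG.push(makeLine('203.0.113.7', s, '/'));
}
for (const s of [0, 15, 30, 45]) SAMPLE_LOG.push(makeLine('198.51.100.5', s, '/about'));
SAMPLE_LOG.push('garbage line that should be ignored');

console.log(findFloodSources(SAMPLE_LOG, { windowSeconds: 10, threshold: 20 }));
// prints [ { ip: '203.0.113.7', peakRequests: 30, windowSeconds: 10 } ]
```

A per-address count like this catches a small botnet or a single abusive client; a large, well-distributed botnet sends only a few requests per address, so in practice the same sliding-window logic is also run over the total request rate and over paths, and the blocking itself is done upstream (WAF, CDN or provider) rather than on the server that is already saturated.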

So if it’s not to breach your data, why would someone go through the effort to shut down your website? There are a multitude of reasons, but today we’ll look at the top 6 reasons for a Distributed Denial of Service Attack.

1. Some (not-so) friendly competition

As more and more enterprises are taking their storefronts to the cyber world – there is also competition within the cyber world.

In fact, in a recent survey nearly half the responding businesses said that they believed that their competitors were launching DDoS attacks in order to disrupt services. After all, if your competition’s website is down, all the traffic will come to your website instead. Additionally, your competition’s brand image is tarnished, giving positive associations to your company instead.

Even if an entrepreneur may not be skilled in hacking, DDoS attacks are now available for hire, and attacks can be executed for a fairly low price on the dark market.

2. DDoS for Hacktivism

As we’ve noted, DDoS attacks aren’t necessarily about taking data. They can be used to strongly voice an opinion – any opinion. Voicing your opinion on the Web can have a bigger and faster effect than if you were to attend an in-person rally or strike. DDoS is often used to show support or opposition regarding a certain topic. It could be political (see below), but also for/against businesses or banks, ethical concerns, or even an online game.

3. All about politics

A subset of reason #2, DDoS attacks can also happen between countries or governments. The Web is the newest battlefield. DDoS attack victims can be government websites. While the sites could have been attacked by apolitical hackers, many do believe that governments or political parties often attack each other using the DDoS method.

As most governments rely on the Web to communicate and run their country, this has proven to be an effective method to show political opposition.

4. Seeking their revenge

An extremely common reason for DDoS attacks, this situation could apply to businesses and individuals as well as governments. Rather than to voice an opinion, these attacks are used to take revenge on an enemy. There’s no need to get your hands dirty at all.

For example, there have been increasing instances of previous employees hiring DDoS attacks on the dark market to seek revenge on their former employers. We’ve previously written on internal data breaches by present or past employees, but this is yet another form of when one person holds a grudge and it affects an entire company.

5. A precursor for something bigger

On New Year’s Eve of 2015, BBC was reportedly attacked with a DDoS attack measuring over 600 Gbps, beating out the previously set record of 334 Gbps. The attackers who claimed responsibility, New World Hacking, said that it was simply “testing.” More recently, the hacking group PoodleCorp took responsibility for shutting down the trending Pokemon Go game using the DDoS attack and they claimed that they were also testing for something on a larger scale.

A hacker may be preparing for something new like the above two cases, or they may be using the attack as a distraction for a larger attack, hoping that they won’t be found out. This is one case where the attack may be used indirectly for a security breach.

6. Some plain ol’ fun?

And lastly, sometimes there’s really no rhyme or reason to why DoS or DDoS attacks happen.

There’s a misconception that there is a specific reason behind all attacks. However, this is simply not the case. Many hackers get an adrenaline rush from hacking into a system or a website, no matter how big or how small it may be.


Therefore, the responsibility falls on you, whether as an individual user or as the CIO/CTO of a company, to ensure that security measures are being taken. One needs to prepare for an attack, because no one is ever exempt from the chance of one.

So what are these security measures I speak of? In my opinion, the most essential step you can take is to protect yourself with a WAF (Web Application Firewall). By using WAF services like Cloudbric or a WAF like WAPPLES, you can make sure your website is continuously protected.

For more information on Cloudbric (full service website security provided for free if your website’s bandwidth is under 4GB/month), check out their website and find out more about WAPPLES, the WAF they use for their service.


Authorization, Authentication, and Pokemon-Go

When I opened up my news feed last week, 80% of the updates and news headlines were about the phenomenon that is Pokémon-Go.

For those of you that have no idea what this is, Pokemon-Go is a game that was started by a Google internal startup called Niantic. Within the game you can use AR (augmented reality) to catch, battle, and train Pokémon (fictional animals, or “pocket monsters”) throughout the real world.

The game has millions of users on both Android and iOS devices, and the numbers will continue to increase. This isn’t surprising as much of the millennial population grew up watching the cartoon, playing the video game, and collecting the merchandise like there was no tomorrow.

Despite the excitement of it all, unfortunately, some issues have come up as there have been muggings by criminals at popular game meetup locations and trespassing at memorial sites like the Holocaust museum. Furthermore, the story has taken a new turn as it has now stepped into the realm of cyber security.

The Authorization Problem

The (potentially catastrophic) problem of this game is regarding Authorization and Authentication. These two concepts are often mixed up, but let’s explore them a bit within the context of the game itself.

Authentication verifies who you are – that you’re not a robot trying to access the game. In order to do this, the game application requires you to authorize Niantic to access your information. Authorization happens just once, but that one-time authorization determines how much information you’re granting the application.

So the problem for this game ultimately lies in the authorization. You can authenticate your account in two ways within the application: through a pokemon.com account or through your Google account. Normally, Google would then show the level of permissions the application requires. However, before July 12, when you authenticated through your Google account, clicking the button switched straight to the log-in screen, meaning full permissions were handed over automatically – that is, all of the information tied to your Google account was handed over to Niantic.

“Well, I’m just going to play the game. So it should be ok.”

But this kind of mindset is why it’s so dangerous to buy into the trend. The reality is that because this is your Google account, it may contain payment information, your address, and your passwords. Millions have signed their information over to the application, and thus its database is now becoming a prime target for hackers.

Did Niantic mean for this to happen? Probably not – it was an oversight, and the error was corrected on July 12. Now the application requires limited permissions, so that it will only hold your basic information. If you download the application now, you get this:

[Image: pokemongo-release]
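The difference between the two consent screens is a difference in OAuth scopes: the set of permissions the application asks for and the user grants. The following is an added example, not code from Niantic, Google or the original post. It shows the check from both sides: a user-side review of a granted scope list against what a game could plausibly need, and an app-side guard that refuses to build an authorization request for scopes the application never declared, so an over-broad grant cannot happen by accident. The scope strings are the standard OpenID Connect ones plus real Google API scope names; the two scope lists standing in for "full access" and "basic information", the needed-scope list and the authorization endpoint URL are constructed placeholders, not the game's actual requests.

```javascript
// Added example, not Niantic's or Google's code: least-privilege checks on
// OAuth scopes, the "authorization" half of the post. The scope lists and the
// endpoint URL are constructed placeholders for this example.

// What a game like this plausibly needs from a login: an identity, a display
// name and a contact address. Constructed assumption, not the app's real list.
const SCOPES_THE_APP_NEEDS = ['openid', 'email', 'profile'];

// Scopes that reach well beyond identity (real Google API scope names; a short
// list chosen for the example).
const SENSITIVE_SCOPES = {
  'https://www.googleapis.com/auth/gmail.readonly': 'read all of your mail',
  'https://www.googleapis.com/auth/drive': 'read and write all of your Drive files',
  'https://www.googleapis.com/auth/contacts': 'read and write your contacts',
};

// Constructed stand-ins for the "full access" grant before the fix and the
// "basic information" grant after it.
const GRANT_BEFORE_FIX = [...SCOPES_THE_APP_NEEDS, ...Object.keys(SENSITIVE_SCOPES)];
const GRANT_AFTER_FIX = ['openid', 'email', 'profile'];

// User side: compare what a consent screen (or a token's scope claim) grants
// against what the application could possibly need.
function reviewConsent(granted, needed = SCOPES_THE_APP_NEEDS) {
  const excessive = granted.filter((s) => !needed.includes(s));
  const missing = needed.filter((s) => !granted.includes(s));
  return {
    leastPrivilege: excessive.length === 0 && missing.length === 0,
    excessive,
    missing,
    warnings: excessive.map((s) => `${s}: ${SENSITIVE_SCOPES[s] || 'beyond what the app needs'}`),
  };
}

// App side: build the authorization request and refuse to ask for more than
// the application has declared. `authorizeEndpoint` is a placeholder, not a
// real provider URL.
function buildAuthorizeUrl({ authorizeEndpoint, clientId, redirectUri, scopes, state },
                           declaredScopes = SCOPES_THE_APP_NEEDS) {
  const extra = scopes.filter((s) => !declaredScopes.includes(s));
  if (extra.length > 0) {
    throw new Error(`refusing to request undeclared scopes: ${extra.join(' ')}`);
  }
  if (!redirectUri.startsWith('https://')) throw new Error('redirect_uri must use HTTPS');
  if (!state) throw new Error('state is required to tie the callback to this request');
  const url = new URL(authorizeEndpoint);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: scopes.join(' '),   // OAuth scopes are space-separated
    state,
  }).toString();
  return url.toString();
}

console.log(reviewConsent(GRANT_BEFORE_FIX).warnings);   // three over-broad scopes
console.log(reviewConsent(GRANT_AFTER_FIX).leastPrivilege); // true
```

The user-side review is what a consent screen is supposed to let you do by eye; reading the scope list before tapping "Allow" is the whole of the first piece of advice below. The app-side guard is the developer's counterpart: the list of declared scopes lives in one place, is reviewed like any other security-relevant configuration, and the code that talks to the identity provider cannot quietly exceed it.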

But the game isn’t over, because when there is data of any kind (even if it’s limited), there is value. The game is at 10 million accounts now, and experts say that when they hit 20-25 million records there is no doubt that there will be a data breach.

So, Pokemon Go or No?

Realistically, people will continue to play the game, and it’s likely to make its way into other parts of the world. What can you as the player/user do to protect your information?

First, be aware of the authorization you’re granting applications when following this kind of phenomenon. When an application first comes onto the scene, there’s a lot that can go wrong. It may have vulnerabilities that have yet to be discovered, and malware-infected copies may already have been released.

Second, ask for transparency as the user. Any company, especially one that requires so much of your information, should openly state what security measures it is taking. As stated before, Niantic probably didn’t mean for this to happen. However, as AR and VR (virtual reality) are becoming increasingly prevalent within technology, more and more companies may inadvertently or intentionally seek higher levels of permissions in order to access your information. However, when society as a whole demands transparency, this can be mitigated to a significant degree.

Lastly and perhaps most importantly, stay safe in real life. Augmented reality, virtual reality – none of it matters if you’re not aware in physical reality of what’s going on.


Visit www.pentasecurity.com for more information on other web and data security products, news, and blog posts.


XSS: The Con-Artist

“XSS” is an acronym you hear often in the field of information security. It’s a relatively common attack for both the client and the server. Acronyms can make you think that it’s a bit more hi-tech and complicated than it really is. But at the root of it, XSS is basically a con-artist, waiting for his next ploy.

What is XSS?

Short for Cross Site Scripting, this web vulnerability is a type of injection where the attacker inserts script (oftentimes JavaScript) into a page. The script is not sanitized and is allowed to reach the browser – meaning it executes as if the administrator had written it.

There could be a variety of consequences: It could alter the display, modify the browser, or even steal your session cookie and sign in as an administrator, which could give complete control over to a hacker.

But I use the word “could” because there’s a lot of variety and uncertainty when it comes to the XSS vulnerability: what the consequences can be, when they can happen, and to what extent they reach. So let’s make it a bit easier to process.

Think of the XSS vulnerability as a con artist’s latest trick. You never go out looking for a con-artist, but some way or another, they get you right where they want you.

Non-Persistent XSS: the Pickpocket Scam

Pickpocketing is the oldest trick in the book, proven to work time and time again. It’s become a common and simple way for attackers to get their target. The pickpocket may approach you as the “nice stranger” who’s asking for directions on the street. But their hand reaches to take your wallet from your pocket while you’re explaining directions. Though the pickpocket targeted you, when the ordeal is done and your money is gone, it’s as if it never happened.

[Image: non-persistent XSS chart]

It’s the same with Non-Persistent XSS, the most common type of XSS. An attacker will send you a targeted link that contains malicious script. You click it, and fall for the trap. But just like with a pickpocket, once the code is injected and you have been fooled, nothing of what happened stays on the server. The website will simply execute the script and reflect it back to your browser, and the cookies will go to the attacker. Immediacy and the lack of detectability are the highlights of these non-persistent XSS attacks.

Persistent XSS: The ATM Skimmer

On the other side, Persistent XSS is much less common. While it has the potential to cause more significant damage, it can also be found out and remedied more quickly. Think of an ATM skimmer. A skimmer is an electronic device that is placed within or outside an ATM. It takes the information that a customer puts into the ATM. The difference? While the skimmer may look the same as the ATM that the customer uses on a daily basis, it is copying all information and relaying it to the con-artist. It’s non-targeted, so everyone who uses the ATM will be affected without discrimination.

Like the ATM skimmer, the website may look the same as it usually does after the malicious script has been injected. The script is saved by the server and then displayed on normal pages. All users who are browsing the website will be subject to the XSS, and they will be affected over and over again. In fact, this is why this type of XSS vulnerability is much more dangerous: damage can be done to a wider breadth of users without anyone knowing that there is anything amiss.

[Image: persistent XSS chart]

Fortunately, because this type of XSS takes place on the server, if someone is able to spot the unwelcome script, it can be remedied. In the case of the skimmer, perhaps the ATM maintenance crew notices that a bar code is missing, or that a warranty seal is in the wrong place. They can take quick and urgent steps to make sure that the skimmer is removed.
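Both con-artist stories above come down to the same programming mistake: user-supplied text is placed into an HTML page without being encoded first, whether it arrives with the request (non-persistent) or out of the site's own storage (persistent). The following is an added example, not code from the original post: a search page and a comment list rendered once without and once with output encoding, so the same script-bearing input is either executed by the browser or shown as harmless text. The payload, the comments and the helper names are all constructed for the example.

```javascript
// Added example, not code from the original post: the same page rendered
// without and with output encoding, for both reflected (non-persistent) and
// stored (persistent) input. The payload and comments are constructed.

// Encode the five characters that matter when text is placed inside HTML
// element content. This is the whole fix for both cases below.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Reflected XSS: the search term comes from the URL and is echoed back to the
// same visitor, so only the person who clicked the crafted link is affected.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;                 // echoes raw input
}
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;     // input becomes inert text
}

// Stored XSS: comments are saved server-side and shown to every later visitor,
// so one injected comment keeps firing until it is found and removed.
class CommentStore {
  constructor() { this.items = []; }
  add(author, body) { this.items.push({ author, body }); return this.items.length; }
}
function renderCommentsVulnerable(store) {
  return '<ul>' + store.items.map((c) => `<li><b>${c.author}</b>: ${c.body}</li>`).join('') + '</ul>';
}
function renderCommentsSafe(store) {
  return '<ul>' + store.items
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('') + '</ul>';
}

// Crude check used only to show the difference between the two renderings:
// does the HTML contain a script tag or an inline event handler attribute?
function containsActiveContent(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Constructed inputs: an ordinary query and the classic harmless test payload.
const BENIGN_QUERY = 'cafe wi-fi';
const XSS_PAYLOAD = '<script>alert("xss")</script>';

const store = new CommentStore();
store.add('alice', 'Great post!');
store.add('mallory', XSS_PAYLOAD);

console.log(containsActiveContent(renderSearchVulnerable(XSS_PAYLOAD)));  // true
console.log(containsActiveContent(renderSearchSafe(XSS_PAYLOAD)));        // false
console.log(containsActiveContent(renderCommentsVulnerable(store)));      // true
console.log(containsActiveContent(renderCommentsSafe(store)));            // false
```

Two points a practitioner should take from this. First, the encoding belongs at the point of output, not at input: the comment store holds the raw text in both versions, and only the rendering decides whether it is dangerous. Second, `escapeHtml` is correct only for text inside an element; a value placed into an attribute, a `<script>` block, a URL or a CSS rule needs the encoder for that context, which is why modern template engines encode by default and why the scanners and WAF in the list below are layers on top of this, not substitutes for it.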

XSS Exploits in Real Life

XSS-affected websites can suffer from a variety of issues. Unfortunately, websites with a large number of active users are often affected through both persistent and non-persistent XSS. Recently, a Persistent XSS vulnerability was found on PayPal’s website. This would have allowed for hackers to inject code resulting in a malicious payload, potentially opening up attacks for its 150 million customers. Thankfully, the company was notified of the vulnerability before any negative impact. But of course, there are companies that aren’t so lucky.

Hackers will always find popular websites, big or small, to execute their attacks, so what can you do to protect your website?

  • Source Code Analysis: Source code analysis tools are used to find security flaws by going through source code line by line. Ideally, this tool will be used before the website goes live. This way, problems can be remediated before any issues arise.
  • Vulnerability Scanners: There are security scanners that will identify vulnerabilities like XSS. Although they’re not perfect (because they’re not optimized for your website or application specifically), they can allow you to find the most obvious vulnerabilities to clean up.
  • Web Application Firewall: Web Application Firewalls, or WAFs, follow rule-sets to detect or block anything suspicious. WAFs will normally prevent attacks such as XSS and SQLi as part of their rule-set. Make sure that your WAF is one that has low false positive rates. That’s it! You’re well on your way to having a safer, cleaner website.

Which method is the most effective? As I always say, there’s no perfect way to escape any form of web attack. But the best thing you can do is follow the points above like a process. Source code analysis tools will scan for flaws before anything goes live. Vulnerability scanners will then look for further issues as the website is up. A WAF will block the attempts that manage to slip through the cracks. Unfortunately, nothing is foolproof. But risk can always be reduced and controlled.