Our weekly application security news roundup for April 25 to April 29 2016 features the 2016 Verizon report on data braches, details on the Bangladesh Central Bank breach and a breach at Qatar’s largest bank. Read on for details on the following headlines:
The 2016 iteration of Verizon's annual Data Breach Investigations Report was released this week, providing data around industry and hacking trends.
For the 2016 report, Verizon pulled data from most major security vendors and found that hackers still chose to target companies primarily for financial gains, relied on tried-and-true hacking methods like phishing, and attacked businesses with even greater frequency than before. There were also signs of rising trends in threats to security, such as ransomware and nation-state attacks.
Highlights included data around the type of attacks that are most commonly used by attackers — according to Dark Reading, "Stolen credentials top the list of threat action types among attacks that used legitimate credentials, followed by malware, phishing, and keyloggers."
In addition to Verizon’s own incident response investigation data, 65 organizations including law enforcement agencies, the U.S. Department of Homeland Security and numerous security vendors contributed data to the report.
Details have emerged around February's breach of Bangladesh Central Bank, based on research from BAE Systems. It seems attackers were able to access the bank's software through vulnerabilities in SWIFT, a universally used banking technology.
According to Reuters, "The new evidence suggests that hackers manipulated the Alliance Access server software, which banks use to interface with SWIFT's messaging platform, in a bid to cover up fraudulent transfers that had been previously ordered. The findings from BAE and SWIFT do not explain how the fraudulent orders were created and pushed through the system. That remains a key mystery in ongoing probes into the heist."
SWIFT, a cooperative owned by 3,000 financial institutions, confirmed to Reuters that it was aware of malware targeting its client software. A spokesperson said SWIFT today released a software update to thwart the malware, along with a special warning for financial institutions to scrutinize their security procedures.
According to a study released today from Gartner, IoT security is just hitting its stride and will continue to grow over the coming years.
Per CRN, "A quarter of cyber-attacks will involve the Internet of Things by 2020, according to Gartner, which said security spending in this area may take a while to take off. The analyst expects worldwide spending on IoT security to initially be "moderate", increasing by 23.7 percent to $348m this year, before rising to $547m in 2018."
The report then goes on to say that IoT security will gain real momentum after 2020, as a result of market adoption and improved skills. In addition, Gartner predicts that by 2020, more than 25 percent of identified attacks in enterprises will involve IoT.
The news was also covered by InformationWeek.
Qatar's largest bank is investigating a security breach that appears to have exposed sensitive personal data for what could be hundreds of customers, including employees of international broadcaster Al-Jazeera and potentially senior government officials.
According to ABC, "Qatar National Bank acknowledged in an emailed statement Wednesday that it was looking into "an alleged data breach" after a file containing the purported account information began circulating online. The bank did not say whether information in the files was legitimate or if its network had been breached, citing a policy of not commenting on reports shared on social media."
The data contains bank customers' bank logins, passwords, security questions and answers, as well as Qatari national identification numbers, phone numbers and email addresses.