Daily Archives: May 24, 2019

Snapchat staff used internal tools to spy on users

Snapchat internal staff allegedly abused their role in the company to spy on Snapchat users with internal tools and steal data.

Snapchat is a multimedia messaging app that makes pictures, videos, and messages (snaps) available for a short time before they become inaccessible to their recipients. Initially, it was only allowing person-to-person photo sharing, but now it also implements users’ “Stories” of 24 hours of chronological content. As of February 2018, Snapchat has 187 million daily active users.

Snapchat has internal tools that allow employees to access consumer data, and unfortunately, these tools have been abused by the internal staff.

The news was first reported by Motherboard, which learned of abuses of the tools by “multiple” members to spy on users.

“Several departments inside social media giant Snap have dedicated tools for accessing user data, and multiple employees have abused their privileged access to spy on Snapchat users, Motherboard has learned.” reports Motherboard.

Current and former employees, along with a cache of internal company emails obtained by Motherboard, demonstrate the abuse of internal tools to access user data. Employees were able to access location information, personal information, including phone numbers and email addresses, and snaps.

Multiple sources and emails referred to an internal tool called SnapLion that was originally used to gather information on users in response to valid law enforcement requests (i.e. court order or subpoena). 

A former employee told Motherboard that SnapLion provides “the keys to the kingdom.”


Over time the use of the SnapLion tool was extended to other departments, including security staff, and a team called “Customer Ops.”

The information obtained by Motherboard demonstrates that Snapchat failed to implement the principle of least privilege, which limits each staff member's access to what their job actually requires.

The good news is that Snapchat today implements stricter controls for data access, but this was not the case in the past. Moreover, SnapLion and other internal tools did not implement a satisfactory level of logging to track what data employees accessed.

“Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have. Unauthorized access of any kind is a clear violation of the company’s standards of business conduct and, if detected, results in immediate termination.” reads a spokesperson’s statement sent to Motherboard via email.



Pierluigi Paganini

(SecurityAffairs – Snapchat, privacy)

The post Snapchat staff used internal tools to spy on users appeared first on Security Affairs.

A Brief Look At The Shade Ransomware (2019 variant)

2019 is shaping up as a year in which ransomware infection frequency has declined by orders of magnitude compared to 2017, when this class of malware made headlines for causing trouble for millions globally. Back then, it was very hard not to notice the everyday news about a firm or a public agency becoming the newest victim of ransomware and struggling with the ransom demand (the money the victims have to pay to restore their files). Of course, that does not mean news about company X becoming a ransomware target has stopped; it still happens, but such cases are few and far between.

Some older ransomware, predating WannaCry by years, is making a comeback in 2019. Shade ransomware is one such case; it was last known to be active in the wild five years ago, in 2014, as reported by Kaspersky Labs. Palo Alto’s Unit42 team meanwhile detected some instances of its resurrection in the United States, India, Thailand, Canada, and Japan.

“Recent reports of malspam pushing Shade ransomware have focused on distribution through Russian language emails. However, Shade decryption instructions have always included English as well as Russian text. The Shade ransomware executable (EXE) has been remarkably consistent. All EXE samples we have analyzed since 2016 use the same Tor address at cryptsen7f043rr6.onion as a decryptor page. The desktop background that appears during an infection has been the same since Shade was first reported as Troldesh in late 2014,” explained Brad Duncan, Unit 42’s Threat Intelligence Analyst.

The way Shade ransomware spreads is no different from any contemporary malware. The Shade sample examined by Unit 42 was proliferating through spam emails. The strongest campaign for this ransomware came with a huge number of spam emails back in February 2019. These emails had an attached PDF or a compressed zip file, with the body of the email describing the attachment as a billing statement from the victim’s service provider.

The attached PDF or zip file is not a normal file, but just a launcher for malicious JavaScript code that downloads the actual Shade malware from the command and control servers. The payload itself has not seen any significant changes compared to the Shade variant that Kaspersky Labs first examined in 2014. Once the Shade payload is downloaded, it is executed automatically by the script contained in the zip/PDF file; this is when the encryption of files and the generation of the text-based warning notification occur.

The wallpaper set by the user will be replaced by a black background with red text announcing the infection saying: “Attention! All the important files on your disks were encrypted. The details can be found in README.txt files which you can find on any of your disks.”

Unlike the previous iteration of Shade ransomware, the newer variant has a clear primary destination: the largest number of infection cases is in the United States, whereas it was previously wreaking havoc on Windows-based computers in India, Thailand and Japan. There are also visible indications that certain sectors in specific geographical locations are targeted, with victims usually from the telecommunications, wholesale/retail and education industries. Unit 42’s hypothesis points to non-Russian speaking countries as the most vulnerable to receiving spam emails carrying Shade malware.


The post A Brief Look At The Shade Ransomware (2019 variant) appeared first on .

First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records

The Web site for Fortune 500 real estate title insurance giant First American Financial Corp. [NYSE:FAF] leaked hundreds of millions of documents related to mortgage deals going back to 2003, until notified this week by KrebsOnSecurity. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a Web browser.

First American Financial Corp. Image: Linkedin.

Santa Ana, Calif.-based First American is a leading provider of title insurance and settlement services to the real estate and mortgage industries. It employs some 18,000 people and brought in more than $5.7 billion in 2018.

Earlier this week, KrebsOnSecurity was contacted by a real estate developer in Washington state who said he’d had little luck getting a response from the company about what he found, which was that a portion of its Web site (firstam.com) was leaking tens if not hundreds of millions of records. He said anyone who knew the URL for a valid document at the Web site could view other documents just by modifying a single digit in the link.

And this would potentially include anyone who’s ever been sent a document link via email by First American.

KrebsOnSecurity confirmed the real estate developer’s findings, which indicate that First American’s Web site exposed approximately 885 million files, the earliest dating back more than 16 years. No authentication was required to read the documents.

Many of the exposed files are records of wire transactions with bank account numbers and other information from home or property buyers and sellers. Ben Shoval, the developer who notified KrebsOnSecurity about the data exposure, said that’s because First American is one of the most widely-used companies for real estate title insurance and for closing real estate deals — where both parties to the sale meet in a room and sign stacks of legal documents.

“Closing agencies are supposed to be the only neutral party that doesn’t represent someone else’s interest, and you’re required to have title insurance if you have any kind of mortgage,” Shoval said.

“The title insurance agency collects all kinds of documents from both the buyer and seller, including Social Security numbers, drivers licenses, account statements, and even internal corporate documents if you’re a small business. You give them all kinds of private information and you expect that to stay private.”

Shoval shared a document link he’d been given by First American from a recent transaction, which referenced a record number that was nine digits long and dated April 2019. Modifying the document number in his link by numbers in either direction yielded other people’s records before or after the same date and time, indicating the document numbers may have been issued sequentially.

The earliest document number available on the site – 000000075 — referenced a real estate transaction from 2003. From there, the dates on the documents get closer to real time with each forward increment in the record number.

A redacted screenshot of one of many millions of sensitive records exposed by First American’s Web site.

As of the morning of May 24, firstam.com was returning documents up to the present day (885,000,000+), including many PDFs and post-dated forms for upcoming real estate closings. By 2 p.m. ET Friday, the company had disabled the site that served the records. It’s not yet clear how long the site remained in its promiscuous state.

First American wouldn’t comment on the overall number of records potentially exposed via their site, or how long those records were publicly available. But a spokesperson for the company did share the following statement:

“First American has learned of a design defect in an application that made possible unauthorized access to customer data.  At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”

I should emphasize that these documents were merely available from First American’s Web site; I do not have any information on whether this fact was known to fraudsters previously, nor do I have any information to suggest the documents were somehow mass-harvested (although a low-and-slow or distributed indexing of this data would not have been difficult for even a novice attacker).

Nevertheless, the information exposed by First American would be a virtual gold mine for phishers and scammers involved in so-called Business Email Compromise (BEC) scams, which often impersonate real estate agents, closing agencies, title and escrow firms in a bid to trick property buyers into wiring funds to fraudsters. According to the FBI, BEC scams are the most costly form of cybercrime today.

Armed with a single link to a First American document, BEC scammers would have an endless supply of very convincing phishing templates to use. A database like this also would give fraudsters a constant feed of new information about upcoming real estate financial transactions — including the email addresses, names and phone numbers of the closing agents and buyers.

As noted in past stories here, these types of data exposures are some of the most common yet preventable. In December 2018, the parent company of Kay Jewelers and Jared Jewelers fixed a weakness in their site that exposed the order information for all of their online customers.

In August 2018, financial industry giant Fiserv Inc. fixed a bug reported by KrebsOnSecurity that exposed personal and financial details of countless customers across hundreds of bank Web sites.

In July 2018, identity theft protection service LifeLock corrected an information disclosure flaw that exposed the email address of millions of subscribers. And in April 2018, PaneraBread.com remedied a weakness exposing millions of customer names, email and physical addresses, birthdays and partial credit card numbers.
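The flaw described in this story, where a sequential record number in a link was the only thing standing between a visitor and someone else's document, is shown below next to a hardened lookup. This is an added example, not First American's code: the `DocumentPortal` class, the user names and the record contents are constructed for illustration, and the hardened form assumes an authenticated session plus a random, non-sequential link token.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Document:
    owner: str   # account entitled to read this record
    body: str


@dataclass
class DocumentPortal:
    """In-memory stand-in for a document portal back end (constructed)."""
    docs: dict = field(default_factory=dict)     # record number -> Document
    tokens: dict = field(default_factory=dict)   # random link token -> record number
    audit: list = field(default_factory=list)    # (user, record number, decision)
    next_number: int = 75                        # nine-digit sequential numbering

    def add(self, owner, body):
        """Store a record; return its sequential number and a random link token."""
        number = f"{self.next_number:09d}"
        self.next_number += 1
        self.docs[number] = Document(owner, body)
        token = secrets.token_urlsafe(32)        # 256 bits, not guessable
        self.tokens[token] = number
        return number, token

    def fetch_weak(self, number):
        """Weak form: the record number in the link is the only 'credential'."""
        doc = self.docs.get(number)
        return doc.body if doc else None

    def fetch_hardened(self, session_user, token):
        """Hardened form: random token, authenticated user, per-object owner check.

        Every decision is written to the audit trail so that repeated denials
        from one account or client can be reviewed later.
        """
        number = self.tokens.get(token)
        doc = self.docs.get(number) if number else None
        allowed = (
            session_user is not None
            and doc is not None
            and doc.owner == session_user
        )
        self.audit.append((session_user, number, "allow" if allowed else "deny"))
        return doc.body if allowed else None


def demo():
    """Run both lookups over two constructed records and return the outcomes."""
    portal = DocumentPortal()
    n_a, t_a = portal.add("alice", "constructed wire receipt for alice")
    n_b, t_b = portal.add("bob", "constructed wire receipt for bob")
    return {
        "weak_neighbour": portal.fetch_weak(n_b),            # served to anyone
        "own": portal.fetch_hardened("alice", t_a),          # owner reads own record
        "other": portal.fetch_hardened("alice", t_b),        # valid token, wrong user
        "anonymous": portal.fetch_hardened(None, t_a),       # no session
        "number_as_token": portal.fetch_hardened("alice", n_b),
        "audit": [decision for _, _, decision in portal.audit],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The owner check is the control that matters: a random token only makes links hard to guess, while the per-object authorization check is what keeps a forwarded or leaked link from exposing the record.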

How Hackers Access Direct Deposit Paycheck — And What to Do About It

Getting your paycheck deposited directly into your bank account seems like a handy solution, but in some cases hackers can access it.

Getting your paycheck deposited directly into your bank account seems like a handy solution because you don’t have to pick up the check from your workplace and take it to the bank to deposit it. It works well in many cases but is not immune to hackers.

Hackers Do a Payroll Diversion Through Phishing

A direct deposit paycheck hack involves getting the necessary details from the victim through a phishing scheme. According to a statement from the FBI’s Internet Crime Complaint Center (IC3), cybercriminals orchestrate the phishing attempt — which the FBI calls a “payroll diversion” — to get the details for a person’s online payroll account.

Once successful, the hacker changes the account details for the direct deposit payments to an account they control. The FBI notes that the hacker’s account often connects to a prepaid credit card instead of a traditional bank account. Moreover, the cybercriminal applies a rule so that the rightful direct deposit recipient does not get a notification about the account change.

An Increasingly Attempted Hack

This method hackers use likely won’t come as a surprise when you consider a few recent statistics about phishing. When PhishLabs published findings from its most recent report, it revealed that phishing attacks in 2018 went up by 40.9%. Plus, in 83.9% of cases, hackers aimed to get user credentials for various services, including payment-related ones.

And, the PhishLabs report showed 98% of the phishing emails that made it past enterprise-level email security controls did not contain malware. A different phishing study from Barracuda explained why hackers don’t need malware to cause damage. Instead, they use social engineering to pose as a person or company that the victim knows and responds to without question.

Those efforts fall into the business email compromise (BEC) category. Barracuda’s study examined 3,000 such attacks. It found that 60% did not contain links. But, they often had personalized information such as the victim’s name or a question related to the person’s work.

Even worse, hackers tweaked the email addresses to make them appear as being from legitimate people in the company. Typically, the hackers set up accounts with free email services and create accounts containing a real employee’s name. That’s enough genuine information for the recipients to act without looking at the rest of the email address too closely.

Trustwave covered BEC payroll hacks in a blog post and mentioned that cybercriminals often make the phishing emails seem to originate from a company’s CEO and go to a human resources or accounting manager, or someone else with the ability to alter an employee’s direct deposit account information. The hackers also perform research to determine which parties have the authority to make such changes before sending the emails.

Payroll Companies and Employers Can Commit Fraud Too

Most of the content here focuses on cybercriminals going through the process to steal direct deposit details. But, that’s not the only kind of payroll fraud that could happen. Unfortunately, some payroll companies that enterprises work with have bad actors in them that figure out various ways to keep workers from their money. Or, the employers themselves give false information about the number of employees on the payroll.

One incident committed by a payroll company in Australia resulted in the equivalent of a $122.5 million USD tax fraud. That incident is a strong reminder that whether companies have employees only in the U.S. or working elsewhere in the world, it’s crucial to do business with a trustworthy vendor who knows the global business realm. Choosing a United States-headquartered company is also smart due to the security and protection that U.S. jurisdiction offers.

How to Stay Safe From Payroll Diversion Fraud

Statistics from 2016 indicate 82% of Americans receive their paychecks via direct deposit. So, it’s not surprising that hackers try this paycheck diversion tactic. Knowing the information here, what can you do to stay safe and increase the chances of having access to your money as expected?

Firstly, if you are in a position of authority and get a request from someone asking for a direct deposit account change, don’t respond to the email in an act of blind trust. If possible, contact that person through another method, such as by phone or approaching them in person to verify that they truly sent the message. Do the same if someone from payroll emails you asking for your direct deposit details to “update their records.”

Another thing you can do is check the structure of the email. As mentioned earlier, the emails used for this kind of BEC trick normally have at least one component that’s not quite right. For example, it may have a person’s name but come from a free email service instead of the company domain.

It’s also ideal at a company level if employees get educated about how to recognize this kind of fraud and get information about the steps they should go through if they receive suspicious emails of any kind. For example, they could forward any strange emails about payroll details or otherwise to the IT department for further review.
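The email-structure check described above (a real employee's name in the sender field, but an address at a free email service rather than the company domain) can be automated at the mail gateway or in an IT review queue. The following is an added example, not from the original article: the company domain `example.com`, the employee directory, the free-mail list and the sample messages are all constructed, and the payroll keyword list is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumption: your mail domain
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
EMPLOYEES = {"dana whitfield", "sam ortega"}        # constructed directory names
PAYROLL_TERMS = re.compile(
    r"direct deposit|payroll|bank account|routing number", re.IGNORECASE
)


def normalize(name):
    """Lower-case a display name and collapse punctuation and spacing."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())


def assess(raw_message):
    """Return a list of findings for one RFC 5322 message given as text."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    text = msg.get("Subject", "") + "\n" + str(msg.get_payload())

    findings = []
    # A known employee name on an address outside the company domain.
    if normalize(display) in EMPLOYEES and domain != COMPANY_DOMAIN:
        findings.append("employee-name-external-domain")
        if domain in FREE_MAIL:
            findings.append("free-mail-sender")
    # Replies silently routed to a different domain than the sender's.
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        findings.append("reply-to-mismatch")
    if PAYROLL_TERMS.search(text):
        findings.append("payroll-change-request")
    return findings


def triage(raw_message):
    """Map findings to an action for the payroll or HR mailbox."""
    findings = assess(raw_message)
    sender_anomaly = any(f != "payroll-change-request" for f in findings)
    if "payroll-change-request" in findings and sender_anomaly:
        return "hold", findings
    if "payroll-change-request" in findings:
        return "verify-out-of-band", findings   # confirm by phone or in person
    return "deliver", findings


# Constructed sample messages.
SPOOFED = "\n".join([
    'From: "Dana Whitfield" <dana.whitfield.ceo@gmail.com>',
    "To: payroll@example.com",
    "Subject: Update my direct deposit",
    "",
    "Please change my direct deposit to the new account before Friday.",
])
INTERNAL_REQUEST = "\n".join([
    'From: "Sam Ortega" <sam.ortega@example.com>',
    "To: payroll@example.com",
    "Subject: New bank account",
    "",
    "I switched banks, can you update my payroll details?",
])
ROUTINE = "\n".join([
    'From: "Dana Whitfield" <dana.whitfield@example.com>',
    "To: team@example.com",
    "Subject: Q2 planning",
    "",
    "Agenda attached.",
])

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("internal", INTERNAL_REQUEST),
                       ("routine", ROUTINE)]:
        print(label, triage(raw))
```

A request from the genuine company address still returns `verify-out-of-band`, since a compromised internal mailbox passes every header check.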

Think Before You Act

Getting paid on time is a top concern for most people. But, even if you get an email that insists you need to provide the requested details to avoid payment delays, it’s best to investigate further before responding.


About the author


Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her re

Pierluigi Paganini

(Security Affairs – Paycheck, cybercrime)



The post How Hackers Access Direct Deposit Paycheck — And What to Do About It appeared first on Security Affairs.

The GDPR – One Year Later

A couple of weeks ago, one famous lawyer blogged about an issue frequently discussed these days: the GDPR, one year later.

“The sky has not fallen. The Internet has not stopped working. The multi-million-euro fines have not happened (yet). It was always going to be this way. A year has gone by since the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) became effective and the digital economy is still going and growing. The effect of the GDPR has been noticeable, but in a subtle sort of way. However, it would be hugely mistaken to think that the GDPR was just a fad or a failed attempt at helping privacy and data protection survive the 21st century. The true effect of the GDPR has yet to be felt as the work to overcome its regulatory challenges has barely begun.”[1]

It’s true that since that publication, the CNIL issued a €50 million fine against Google,[2] mainly for lacking a clear and transparent privacy notice. But even that amount is purely negligible compared to the fact that just three months before that, Google had been hit with a new antitrust fine from the European Union, totaling €1.5 billion.

So, would we say that despite the sleepless nights making sure our companies were ready to comply with privacy, privacy pros are a bit disappointed by the journey? Or what should be our reaction, as privacy pros, when people around us ask, “Is your GDPR project over now?”

Well, guess what? Just like we said last year, it’s a journey and we are just at the start of this voyage. But in a world where cloud has become the dominant way to access IT services and products, it might be useful to highlight a project to which the GDPR gave birth, the EU Cloud Code of Conduct.[3]

Of course, cloud existed prior to the GDPR and many regulators around the world had given guidance well before the GDPR on how to tackle the sensitivity and the risks arising from outsourcing IT services in the cloud.[4] But before the GDPR, most cloud services providers (CSPs) were inclined to attempt to force their customers (the data controllers) to “represent and warrant” that they would act in compliance with all local data laws, and that they had all necessary consents from data subjects to pass data to the CSP processors pursuant to the services. This scenario, although not sensible under EU data protection law, was often successful, as the burden of non-compliance used to lie solely with the customer as controller.

The GDPR changed that in Recital 81, making processors responsible for the role they also play in protecting personal data. Processors are no longer outside the ambit of the law since “the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organizational measures which will meet the requirements of this Regulation, including for the security of processing.

The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.”[5]

With the GDPR, processors must implement appropriate technical and organizational security measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorized disclosure, or access.

And adherence to an approved code of conduct may provide evidence that the processor has met these obligations, which brings us back to the Cloud Code of Conduct. One year after the GDPR, the EU Cloud Code of Conduct General Assembly reached a major milestone in releasing the latest Code version that has been submitted to the supervisory authorities.

The Code describes a set of requirements that enable CSPs to demonstrate their capability to comply with GDPR and international standards such as ISO 27001 and 27018. It also proves that the GDPR has marked a strong shift in the contractual environment.

In this new contractual arena, a couple of things are worth emphasizing:

  • The intention of the EU Cloud Code of Conduct is to make it easier for cloud customers (particularly small and medium enterprises and public entities) to determine whether certain cloud services are appropriate for their designated purpose. It covers the full spectrum of cloud services (SaaS, PaaS, and IaaS), and has an independent governance structure to deal with compliance as well as an independent monitoring body, which is a requirement of GDPR.
  • Compliance to the code does not in any way replace the binding agreement to be executed between CSPs and customers, nor does it replace the right for customer to request audits. It introduces customer-facing versions of policies and procedures that allow customers to know how the CSP works to comply with GDPR duties and obligations, including policies and processes around data retention, audit, sub-processing, and security.

The Code proposes interesting tools to enable CSPs to comply with the requirements of the GDPR. For instance, on audit rights, it states that:

“…the CSP may e.g. choose to implement a staggered approach or self-service mechanism or a combination thereof to provide evidence of compliance, in order to ensure that the Customer Audits are scalable towards all of its Customers whilst not jeopardizing Customer Personal Data processing with regards to security, reliability, trustworthiness, and availability.”[6]

Another issue that often arises when negotiating cloud agreements: engaging a sub-processor is permissible under the requirements of the Code, but it requires—similar to the GDPR—a prior specific or general written authorization of the customer. A general authorization in the cloud services agreement is possible subject to a prior notice to the customer. More specifically, the CSP needs to put in place a mechanism whereby the customer is notified of any changes concerning an addition or a replacement of a sub-processor before that sub-processor starts to process personal customer data.

The issues highlighted above demonstrate the shift in the contractual environment of cloud services.

Where major multinational CSPs used to have a minimum set of contractual obligations coupled with minimum legal warranties, it is interesting to note how the GDPR has been able to drastically change the situation. Nowadays, the most important cloud players are happy to demonstrate their ability to contractually engage themselves. The more influential you are as a cloud player, the more you have the ability to comply with the stringent requirements of the GDPR.

 

[1] Eduardo Ustaran – The Work Ahead. https://www.linkedin.com/pulse/gdpr-work-ahead-eduardo-ustaran/

[2] https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc

[3] https://eucoc.cloud/en/detail/news/press-release-ready-for-submission-eu-cloud-code-of-conduct-finalized/

[4] https://acpr.banque-france.fr/node/30049

[5] Article 40 of the GDPR

[6] Article 5.6 of the Code

The post The GDPR – One Year Later appeared first on McAfee Blogs.

NSA Hawaii

Recently I've heard Edward Snowden talk about his working at the NSA in Hawaii as being "under a pineapple field." CBS News recently ran a segment on that NSA listening post on Oahu.

Not a whole lot of actual information. "We're in office building, in a pineapple field, on Oahu...." And part of it is underground -- we see a tunnel. We didn't get to see any pineapples, though.

Snapchat: Claims of Employees Spying “Inaccurate”


In response to news that multiple Snapchat employees abused their privileged access to spy on users, reported by Motherboard, the social media platform said the allegations are false.

“Two former employees said multiple Snap employees abused their access to Snapchat user data several years ago. Those sources, as well as an additional two former employees, a current employee, and a cache of internal company emails obtained by Motherboard, described internal tools that allowed Snap employees at the time to access user data, including in some cases location information, their own saved Snaps and personal information such as phone numbers and email addresses,” Motherboard wrote on May 23.

Whether accurate or not, "the incident highlights the risks posed by insider threats. Most of the employees are busy doing their day-to-day jobs but a handful have malicious intent thus causing harm to the organizations they work for,” said Mayank Choudhary, senior vice president at ObserveIT.

“As in the case of Snapchat where a few users with elevated access were able to take their own and consumers’ data easily. Existing security controls did not pick this up, given most of the technology is focused on protecting the company from external threats. It’s high time that organizations focus on insider threats with platforms that help customers know the whole story, protect IP quickly, easily and reliably.”

However, the Motherboard report states that how any access might have been abused or which system was used remains unknown. Pointing out that the spying happened 'several years ago,' the story does note that one tool, SnapLion, is capable of accessing user data, according to multiple anonymous sources.

“Any perception that employees might be spying on our community is highly troubling and wholly inaccurate,” a Snapchat spokesperson wrote in an email to Infosecurity.

“Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have, including data within tools designed to support law enforcement. Unauthorized access of any kind is a clear violation of the company's standards of business conduct and, if detected, results in immediate termination.”

Threat Roundup for May 17 to May 24

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between May 17 and May 24. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.


The post Threat Roundup for May 17 to May 24 appeared first on Cisco Blog.

Moody’s Downgrading of Equifax Is a Message to Boards


While affirming Equifax’s senior unsecured rating at Baa1 and short-term rating at Prime-2, Moody’s Investor Services downgraded the company’s outlook from stable to negative due to the 2017 cyber-attack.

“The outlook revision to negative reflects weaker operating performance and credit metrics than originally expected following the cybersecurity breach in 2017,” the May 17 rating action notice stated.

"Free cash flow may remain around only $150 million per year for a few years, or less than half of annual free cash flow prior to the breach," said Edmond DeForest, Moody's vice president and senior credit officer. "Diminished free cash flow limits Equifax's ability to reduce its financial leverage," he continued.

Infosecurity Magazine reached out to Equifax for comment in reaction to the news that was reported May 23 by CNBC. An Equifax spokesperson wrote in an email, “Moody’s affirmed our Baa1 senior unsecured rating and the short-term rating at Prime-2.  Any questions about the outlook change should be directed to Moody’s. EFX remains solidly investment grade and the revision in Moody’s outlook will not impact our internal investments, including new products, our $1.25bn EFX2020 technology and security advancements, or future acquisitions.”

According to CNBC, a Moody’s spokesperson said the downgrade is significant because “it is the first time that cyber has been a named factor in an outlook change.”

The news isn’t all that surprising to industry experts who have long been saying that cybersecurity is a boardroom issue. “Everyone is in business with a single goal, which is to make money. This includes the bad guys, except that they want to make their money by preventing someone else from doing the same,” said Laurence Pitt, strategic security director, Juniper Networks.

Because cyber-risk is integral to business risk, boards will likely see this downgrade as a clear message in a language they can understand, said Steve Durbin, managing director of the Information Security Forum.

“For quite some time, I have been encouraging both the insurance industry and credit rating agencies to take cyber risk into account when setting policy pricing and assessing company value. Moving forward, this should become the norm since cyber-risk is so integral to business risk that an assessment of business health without taking cyber risk and a company’s resilience into account will become meaningless. For the cybersecurity industry, this supports what many have been advocating for some time – that cyber is a business issue and must be taken seriously by boards.”

Banking Trojan Infections Dominated In Q1 2019

Kaspersky Lab, the research arm of antivirus vendor Kaspersky, has revealed that banking trojan cases doubled globally in the first quarter of 2019 compared to the last quarter of 2018. Cybercriminals have switched their focus to banking trojans after the shutdown of the very popular Coinhive cryptojacking service in March 2019. With the focus on profit, ransomware infections are slowly declining, while operating system mitigations are reducing the infection vectors available to cryptocurrency malware.

“In Q1 2019, Kaspersky Lab detected a 58% increase in modifications of banking Trojan families, used in attacks on 312,235 unique users. Banking Trojans grew not only in the number of different samples detected, but their share of the threat landscape increased as well. In Q4 2018, mobile banking Trojans accounted for 1.85% of all mobile malware; in Q1 2019, their share reached 3.24%,” explained Victor Chebyshev, Kaspersky’s Lead of Research Development team.

Banking trojans of 2019 are highly modular, with new features added on-the-fly by their respective authors. Kaspersky detected that for the first quarter of 2019 alone, 29,841 variants of banking trojans were discovered. That is a sizable increase from just 18,501 discovered variants in the 4th quarter of 2018.

“As is customary, first place in the Top 20 for Q1 went to the DangerousObject.Multi.Generic verdict (54.26%), which we use for malware detected using cloud technologies. Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is basically how the latest malicious programs are detected,” added Chebyshev.

Kaspersky expects the mobile platform to be the segment hit the most, because users today tend to do more of their computing on mobile devices than on full-fledged computers.

“The rapid rise of mobile financial malware is a troubling sign, especially since we see how criminals are perfecting their distribution mechanisms. For example, a recent tendency is to hide the banking Trojan in a dropper – the shell that is supposed to fly to the device under the security radar, releasing the malicious part only upon arrival,” concluded Chebyshev.

APT Increasingly Targets Canadian Orgs

Canadian organizations are being warned that they are increasingly becoming the targets of cyber-threats, with researchers discovering nearly 100 malicious email campaigns that have been specifically targeting Canadian audiences, according to new research from Proofpoint.

The emails were customized for either Canadian organizations or a more general Canadian audience, a May 23 blog post said. One feature included in these malicious emails is the use of fraudulent branding from notable Canadian companies, researchers said. Malicious actors are also leveraging “French-language lures and geo-targeted imposter attacks for ensnaring corporate credentials and banking info.”

Historically, Canada has been included in threats targeting the entire North American region, though most of these threats are typically focused on the US. Based on prior activity, the campaigns the researchers observed are believed to be the work of the advanced persistent threat (APT) group TA542.

“Much of this is due to Emotet. TA542, the primary actor behind Emotet, is known for the development of lures and malicious mail specific to given regions. However, we also saw customization ranging from French-language lures to brand abuse from a number of actors geo-targeting Canada,” according to the blog post.

Threat actors are also leveraging Ursnif, an information-stealing Trojan used largely to compromise online banking websites. In addition to Emotet and Ursnif, researchers are tracking activity involving other malware strains known as IcedID, The Trick, GandCrab, Danabot, Formbook and Dridex.

When it first appeared back in 2014, Emotet was mostly seen targeting Western European banks. In these more recent campaigns, “Proofpoint researchers observed stolen branding from several notable Canadian companies and agencies including major shipping and logistics organizations, national banks, and large government agencies. Top affected industries in Canada include financial services, energy/utilities, manufacturing, healthcare, and technology.”

Researchers warned that while these ubiquitous phishing attacks and business email compromises (BECs) may be targeting Canada in this particular campaign, “other forms of imposter attacks remain ongoing threats, both internationally and in Canada.”

Google Glitch Left Passwords Unprotected for 14 Years

Google announced a glitch that stored unencrypted passwords belonging to several business customers, a situation that had been exploitable since 2005.

In a blog post released this week, the company admitted the passwords of “some” of its G Suite customers had been stored on internal servers without cryptographic protection, also known as a hash.

“This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords. We will continue with our security audits to ensure this is an isolated incident,” announced the blog.

While the unprotected passwords were, according to Google, still protected within their “secure encrypted infrastructure,” the amount of time the issue went undetected is cause for concern for many security experts.

“[E]ven if it’s only internal it still creates a substantial privacy and security concern,” said TrustedSec CEO David Kennedy to Wired Magazine.

Google has begun contacting system administrators whose organizations would have been affected by the glitch to encourage them to change their passwords.

The post Google Glitch Left Passwords Unprotected for 14 Years appeared first on Adam Levin.

Cyber News Rundown: Banking Trojan Closes Ohio Schools

Banking Trojan Shuts Down Ohio School District

After the discovery of the banking Trojan known as Trickbot, an Ohio school district was forced to cancel school since they were unable to fully disinfect the networks before classes resumed the following Monday. Preliminary reports have concluded that no students were responsible for the attack, as it appears to have started its data-gathering on a computer belonging to the district treasurer’s office. In order for classes to resume normally, the IT staff for the district had to re-format nearly 1,000 affected computers. 

GetCrypt Spreading Through RIG Exploit Kits

Another ransomware variant, GetCrypt, has been spotted in the wild. It spreads by redirecting visitors of a compromised website to a separate page hosting an exploit kit. After checking for several Eastern European languages, the ransomware begins encrypting all files on the system and displays a standard ransom note. In addition to removing all available shadow copies from the computer, GetCrypt also appends to every encrypted file a randomized, four-character string based on the CPUID of the device itself.

Google Assistant Logs All Online Purchases

It was recently discovered that Google’s Assistant, released last year, keeps a log of all online purchases for which a receipt was sent to the user’s Gmail account. The “Payments” page on a user’s Google account shows transactions, flight and hotel reservations, and other purchases made up to several years prior, even showing the cost, date, and time of the purchase.

Forbes Joins List of Magecart Victims

It was revealed late last week that Forbes had fallen victim to a Magecart attack possibly affecting anyone who made a purchase on the site during that time. Fortunately, the researcher who discovered the attack quickly notified both Forbes and the domain owner, resulting in a swift removal of the malicious payment card skimmer from the highly-trafficked site. It’s likely that Forbes became a victim after another vendor in their supply chain was compromised.

Australian IT Contractor Arrested for Cryptomining

An IT contractor working in Australia was arrested after being caught running cryptomining software on government-owned computers, which netted him over $9,000 in cryptocurrency. The charges encompass misuse of government systems by making modifications to critical functions and security measures for personal gain while in a position of trust. By making these changes, this contractor could have exposed a much larger portion of the network to malicious actors who take advantage of misconfigured settings to access company data.

The post Cyber News Rundown: Banking Trojan Closes Ohio Schools appeared first on Webroot Blog.

McAfee Playing an Ever Growing Role in Tackling Disinformation and Ensuring Election Security

As Europe heads to the polls this weekend (May 23-26) to elect Members of the European Parliament (“MEPs”) representing the 28 EU Member States, the threat of disinformation campaigns aimed at voters looms large in the minds of politicians. Malicious players have every reason to try to undermine trust in established politicians, and push voters towards the political fringes, in an effort to destabilise European politics and weaken the EU’s clout in a tense geopolitical environment.

Disinformation campaigns are of course not a new phenomenon, and have been a feature of public life since the invention of the printing press. But the Internet and social media have given peddlers of fake news a whole new toolbox, offering bad actors unprecedented abilities to reach straight into the pockets of citizens via their mobile phones, while increasing their ability to hide their true identity.

This means that the tools to fight disinformation need to be upgraded in parallel. There is no doubt that more work is needed to tackle disinformation, but credit should also go to the efforts that are being made to protect citizens from misinformation during elections. The European Commission has engaged the main social media players in better reporting around political advertising and preventing the spread of misinformation, as a complement to the broader effort to tackle illegal content online. The EU’s foreign policy agency, the External Action Service, has also deployed a Rapid Alert System involving academics, fact-checkers, online platforms and partners around the world to help detect disinformation activities and share information among member states on disinformation campaigns and methods, to help them stay on top of the game. The EU has also launched campaigns to make citizens more aware of disinformation and to improve their cyber hygiene, inoculating them against such threats.

But adding cybersecurity research, analysis and intelligence trade craft to the mix is a vital element of an effective public policy strategy.  And recently published research by Safeguard Cyber is a good example of how cybersecurity companies can help policymakers get to grips with disinformation.

The recent engagement with the European Commission think-tank, the EPSC, and Safeguard Cyber is a good example of how policymakers and cyber experts can work together, and we encourage more such collaboration and exchange of expertise in the months and years ahead.  McAfee Fellow and Chief Scientist Raj Samani told more than 50 senior-ranking EU officials in early May that recent disinformation campaigns are “direct, deliberate attacks on our way of life” that seek to disrupt and undermine the integrity of the election process.  And he urged policy makers that the way to address this is to use cyber intelligence and tradecraft to understand the adversary, so that our politicians can make informed decisions on how best to combat the very real threat this represents to our democracies. In practice this means close collaboration between best-in-class cybersecurity researchers, policymakers and social media players to gain a deeper understanding of the modus operandi of misinformation actors and respond more quickly.

As the spectre of disinformation is not going to go away, we need a better understanding of the actors involved, their motivations and, most importantly, the rapidly changing technical tools they use to undermine democracy. And each new insight into tackling disinformation will be put to good use in elections later this year in Denmark, Norway, Portugal, Bulgaria, Poland, Croatia and Austria.

The post McAfee Playing an Ever Growing Role in Tackling Disinformation and Ensuring Election Security appeared first on McAfee Blogs.

US DoJ’s superseding indictment charges Assange with violating Espionage Act

The United States Department of Justice charges WikiLeaks founder Julian Assange with 18 counts on the alleged violation of the Espionage Act.

A federal grand jury returned an 18-count superseding indictment that charges WikiLeaks founder Julian Assange with counts related to illegally obtaining and disclosing classified information.

British authorities arrested Assange on April 11 at the Ecuadorian Embassy in London after Ecuador withdrew asylum after seven years. Assange was arrested in London on a US warrant charging him over his alleged role in a massive leak of military and diplomatic documents in 2010.

“A federal grand jury returned an 18-count superseding indictment today charging Julian P. Assange, 47, the founder of WikiLeaks, with offenses that relate to Assange’s alleged role in one of the largest compromises of classified information in the history of the United States,” reads the DoJ.

“The superseding indictment alleges that Assange was complicit with Chelsea Manning, a former intelligence analyst in the U.S. Army, in unlawfully obtaining and disclosing classified documents related to the national defense.”

The WikiLeaks founder is currently facing extradition to the United States for his role in one of the largest compromises of classified information in the history of the United States. He published thousands of classified diplomatic and military documents on WikiLeaks in 2010.

In early May, Julian Assange was sentenced to 50 weeks in prison for breaching his bail conditions in 2012 and taking asylum in Ecuador’s London embassy for more than seven years.

The superseding indictment charges Assange on 17 new counts under the Espionage Act. It accuses him of obtaining and unlawfully publishing classified documents related to the national defense.

This is the first time that the US DoJ has charged people under the 102-year-old Act that prosecutes the disclosure of national defense information that could be used against the United States.

“After agreeing to receive classified documents from Manning and aiding, abetting, and causing Manning to provide classified documents, the superseding indictment charges that Assange then published on WikiLeaks classified documents that contained the unredacted names of human sources who provided information to United States forces in Iraq and Afghanistan, and to U.S. State Department diplomats around the world,” continues the DoJ. “These human sources included local Afghans and Iraqis, journalists, religious leaders, human rights advocates, and political dissidents from repressive regimes. According to the superseding indictment, Assange’s actions risked serious harm to United States national security to the benefit of our adversaries and put the unredacted named human sources at a grave and imminent risk of serious physical harm and/or arbitrary detention.”

The indictment also states that the Wikileaks founder had “repeatedly encouraged sources with access to classified information to steal and provide it to Wikileaks to disclose.”

In response to the indictment, WikiLeaks, the Freedom of the Press Foundation, and the American Civil Liberties Union (ACLU) raised concerns about the implications of the charges for press freedom and the First Amendment, because Assange is considered by many to be a journalist.

Anyway, Assistant Attorney General for National Security John Demers declared that Assange should not be considered a journalist.


If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – Wikileaks, Assange)

The post US DoJ’s superseding indictment charges Assange with violating Espionage Act appeared first on Security Affairs.

Germany Talking about Banning End-to-End Encryption

Der Spiegel is reporting that the German Ministry for Internal Affairs is planning to require all Internet message services to provide plaintext messages on demand, basically outlawing strong end-to-end encryption. Anyone not complying will be blocked, although the article doesn't say how. (Cory Doctorow has previously explained why this would be impossible.)

The article is in German, and I would appreciate additional information from those who can speak the language.

EDITED TO ADD (6/2): Slashdot thread. This seems to be nothing more than political grandstanding: see this post from the Carnegie Endowment for International Peace.

This Week in Security News: Tax Scams and Spam Emails

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn how criminals can use tax deadlines for social engineering schemes and redirection URLs in spam emails to sidestep spam filters.

Read on:

Beware Tax Scams and Sextortion Blackmail Attempts as Email Scams Worsen

Criminals often use the April 15th tax filing deadline in the United States for social engineering schemes to make victims share their credentials, money and personal information – costing 12,000 victims a total of $63 million in 2018.

Singapore Updates Guidelines on Data Breach Notifications and Accountability

Expected to be part of the upcoming amendment to Singapore’s data protection law, the new guidelines state that businesses must take no more than 30 days to investigate a suspected breach and notify the authorities 72 hours after completing their assessment of the breach.

Celebrating the Next Generation of Technology Innovators

Trend Micro and its venture capital arm Trend Forward Capital held a pitch-off competition for ambitious start-ups, where office automation company Roby won the $10,000 Forward Thinker Award.

Millions of Instagram Influencers Had Their Private Contact Data Scraped and Exposed

A massive AWS-hosted database containing contact information of millions of Instagram influencers, celebrities and brand accounts was found online exposed and without a password, allowing anyone to look inside.

Trickbot Watch: Arrival via Redirection URL in Spam

Trend Micro discovered a variant of the Trickbot banking trojan using a redirection URL in a spam email to sidestep spam filters that may block Trickbot at the onset.

Florida Governor Announces Cybersecurity Review Following Election Hacking Revelations

The state of Florida will conduct a cybersecurity review into election security for every county in the state after it was revealed two counties were hacked during the 2016 election.

Ryuk Ransomware Shows Diversity in Targets, Consistency in Higher Payouts

Ransomware’s persistence is best embodied by a relatively new breed of ransomware, Ryuk, which has been making waves recently with multiple incidents occurring over the past year.

TalkTalk Admits New Failings in 2015 Data Breach Notification

UK telecom company TalkTalk has admitted that it failed to notify 4,545 customers affected by the cyberattack in 2015 that exposed personal details of more than 150,000 customers.

Cyberextortionists Wipe Over 12,000 MongoDB Databases

Over the past three weeks, over 12,000 MongoDB databases have been deleted, with attackers from hacking group Unistellar demanding ransom in return for their restoration.

What are some of the warning signs of spam that you look for in your emails? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

 

Android Users Spammed With Fake Missed Call Alerts

Scammers abuse the notifications and push APIs on Android devices to send spam alerts that are customized to look like a missed call.

Both APIs are used on mobile devices for push notifications – short messages intended to re-engage the user. Messages can be triggered by a local application or server.

“The Notifications API lets us display notifications to the user. It is incredibly powerful and simple to use. Where possible, it uses the same mechanisms a native app would use, giving a completely native look and feel,” reads the description for the Notifications API.

Chrome’s icon change by the scammer

The Lookout’s KI Phishing Service has intercepted a phishing campaign that is currently sending messages to mobile users with a custom icon for the app that triggers the alert. In this case, it’s Google Chrome.

To hide the origin, the fraudsters changed the browser icon to display “missed call” as if it were a missed call notification. The message indicates that the user has an iPhone XS waiting for them.

This is powerful social engineering because users often rely on visual indicators to identify the source of a warning.

Jeremy Richards, a security researcher at Lookout, said in a statement to BleepingComputer: “Scammers are looking to take advantage of the fact that we’re primed to identify certain icons we normally associate with system messages (in this case the icon of the telephone).”

It is important to note that the message will only be displayed if the victim accepts notifications from the spam domain. This means that sites that have gained the trust of the user can be used for this type of phishing campaign.

The following is a brief list of domains that send spam via mobile device push notifications:

  • getitfree-samples.com
  • click4riches.info
  • consumertestconnect.com
  • foundmoneyguide.com
  • yousweeps.com

Not all notification spam uses this trick of changing the browser icon. However, the messages are tempting enough to claim a few victims.
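Because the spam only appears after the user has allowed notifications for the sending domain, one practical check is to list the origins a Chrome profile has granted notification permission and flag the domains named above. The following is an added example, not part of the original article: it assumes Chrome's profile `Preferences` JSON layout (`profile.content_settings.exceptions.notifications`, where a `setting` of 1 means allow), and the sample profile data is constructed.

```python
import json
import sys
from urllib.parse import urlsplit

# Domains the article lists as sending push-notification spam.
SPAM_DOMAINS = frozenset({
    "getitfree-samples.com",
    "click4riches.info",
    "consumertestconnect.com",
    "foundmoneyguide.com",
    "yousweeps.com",
})

ALLOW = 1  # assumed Chrome content-setting value: 1 = allow, 2 = block, 3 = ask

# Constructed sample mimicking the relevant slice of a Chrome Preferences file.
SAMPLE_PREFS = {
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://getitfree-samples.com:443,*": {"setting": 1},
        "https://push.yousweeps.com:443,*": {"setting": 1},
        "https://mail.example.org:443,*": {"setting": 1},
        "https://click4riches.info:443,*": {"setting": 2},   # already blocked
        "https://notyousweeps.com:443,*": {"setting": 1},    # look-alike suffix
    }}}}
}


def origin_host(pattern):
    """Return the lowercase host of a key such as 'https://host:443,*'."""
    primary = pattern.split(",", 1)[0].strip().replace("[*.]", "")
    if "://" not in primary:
        primary = "//" + primary
    try:
        host = urlsplit(primary).hostname or ""
    except ValueError:
        host = ""
    return host.lower().rstrip(".")


def is_listed(host, blocklist):
    """Match the domain itself or any subdomain, but not look-alike suffixes."""
    return any(host == d or host.endswith("." + d) for d in blocklist)


def granted_hosts(prefs):
    """Collect hosts whose notification permission is set to allow."""
    node = prefs
    for key in ("profile", "content_settings", "exceptions", "notifications"):
        node = node.get(key, {}) if isinstance(node, dict) else {}
    if not isinstance(node, dict):
        return set()
    hosts = set()
    for pattern, entry in node.items():
        if isinstance(entry, dict) and entry.get("setting") == ALLOW:
            host = origin_host(pattern)
            if host:
                hosts.add(host)
    return hosts


def audit(prefs, blocklist=SPAM_DOMAINS):
    """Return (flagged, other): granted hosts on the blocklist, and the rest."""
    hosts = granted_hosts(prefs)
    flagged = sorted(h for h in hosts if is_listed(h, blocklist))
    other = sorted(hosts - set(flagged))
    return flagged, other


if __name__ == "__main__":
    # Optional argument: path to a copy of a Chrome profile's Preferences file.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            prefs = json.load(fh)
    else:
        prefs = SAMPLE_PREFS
    flagged, other = audit(prefs)
    for host in flagged:
        print(f"REVOKE  {host} (listed spam domain with notification permission)")
    for host in other:
        print(f"review  {host}")
```

Anything reported as `REVOKE` can be removed in the browser's site settings for notifications; the `review` list is worth a look as well, since the domain list above is described as brief.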

Same approach for desktops

Richards saw this activity on Android phones; push notifications for Safari on iOS are currently not fully supported. However, the same approach also works on the desktop. Safari and Chrome support web notifications, which can be used to create a fake card. A user who reads the text quickly and sees the Slack icon can easily be convinced to click on the alert and go to a phishing site that collects user credentials.

On mobile devices, the same warning is even more believable because of the name of Chrome, the app that triggers the alert, and the domain that sends spam. If the Chrome icon is changed, there is little evidence of tampering with the message because only the browser name and domain indicate the attempted fraud.

Peter Beverloo, a Google software engineer, has created a notification generator to test how a push card appears on desktops and mobile devices. The tool allows you to enter a custom title and text for the message and add a selection of images such as an icon, badge and picture, as well as actions.

Adding a Recovery Phone Number Blocks 100% of Automated Bot Attacks, Finds Google

Google found that users who add a recovery phone number to their accounts effectively block 100 percent of automated bot attacks by doing so. The tech giant arrived at this finding after teaming up with New York University and the University of California, San Diego to investigate the efficacy of basic account hygiene in preventing […]… Read More

The post Adding a Recovery Phone Number Blocks 100% of Automated Bot Attacks, Finds Google appeared first on The State of Security.

GDPR: Security Pros Believe Non-Compliance is Rife

Most IT security professionals believe GDPR non-compliance is commonplace, as the landmark data protection legislation turns one tomorrow, according to Infosecurity Europe.

Over 6400 industry practitioners responded to a Twitter poll run by the leading cybersecurity event, which runs from June 4-6.

Some 68% said they thought many organizations have likely not taken the GDPR seriously enough, while nearly half (47%) claimed regulators are being too relaxed when it comes to enforcement.

Recent research indicates that regulator the Information Commissioner’s Office (ICO) has investigated 11,468 data breach cases between May 2018 and March this year, but just 0.25% have led to monetary fines.

On the plus side, only a little over a third (38%) of Infosecurity Europe respondents said GDPR compliance efforts had hindered other cybersecurity plans.

Mark Taylor, partner at Osborne Clarke, claimed that organizations are now turning their attention to the “practicalities of compliance,” but that complications are starting to emerge for multi-nationals.

“First, within a large group, it can be hard to accurately determine the various roles — i.e. data controller and data processor — which the group members have under GDPR. This is important because it determines the relative responsibilities of the group members, and which regulator has jurisdiction over them,” he explained.

“Second, the local laws supplementing GDPR across Europe have adopted variations of GDPR to a greater extent than we might have ideally hoped for. So while GDPR has made international compliance easier, it hasn’t unfortunately made it a one-size-fits-all approach everywhere.”

Taylor also argued that regulators in different jurisdictions are taking a different approach to enforcement.

“Looking forward, I think that enforcement activity will step up, with companies that are undertaking higher-risk processing likely to be most at risk,” he added.

Chronicle’s study reveals CAs that issued most certificates to sign malware samples on VirusTotal

Most of the digital certificates used to sign malware samples found on VirusTotal have been issued by the Certificate Authority (CA) Comodo CA.

Most of the digital certificates used to sign malware samples found on VirusTotal in 2018 have been issued by the Certificate Authority (CA) Comodo CA (aka Sectigo).

Chronicle’s security researchers analyzed submissions between May 7, 2018, and May 7, 2019, discovering that out of a total of 3,815 signed malware samples, 1,775 were signed using a digital certificate issued by Comodo RSA Code Signing CA.

Vxers sign the code of their malware to avoid detection by some security systems.

Malware authors are taking advantage of this inherited trust model to purchase certificates directly or via resellers, and their signed code is considered reliable until the revocation of the certificate by the CA.

At the moment, the researchers note, the only real tool to combat certificate abuse is the revocation of that certificate, a process through which the CA says the certificate is no longer trustworthy, and which introduces a delay in which the signed malware may be considered “trusted”.

“The chain of trust is relatively straight-forward: certificates are signed (issued) by trusted certificate authorities (CAs) , which have the backing of a trusted parent CA.” reads the study published by Chronicle. “This inherited trust model is taken advantage of by malware authors who purchase certificates directly or via resellers. Whether purchased directly or indirectly, due diligence into customers appears to be lacking.”

The investigation conducted by Chronicle experts focused on signed Windows PE executable files uploaded to VirusTotal. The researchers filtered out a large number of samples: all samples with fewer than 15 aggregate detections were excluded, along with grayware files.

Chronicle calculated the distinct number of samples signed with digital certificates issued by each CA.

Comodo accounted for the largest number of signed samples, at 1,775, followed by Thawte at 509, VeriSign at 261, Sectigo (formerly Comodo) at 182, Symantec at 131, and DigiCert at 118.

“CAs who signed certificates of 100 or more malware samples account for nearly 78% of signed samples uploaded to VirusTotal,” continues Chronicle.

Experts explained that at the time of the analysis (May 8th, 2019), 21% of samples had their certificates revoked, a circumstance that confirms that CAs are taking some action to counter the abuse. It is important to consider that the revocation of a certificate is reflected in the VirusTotal dataset once the signed sample has been rescanned following the revocation request by the responsible CA.

“While malware abusing trust is not a new phenomenon, the popular trend of financially motivated threat actors buying code signing certificates illuminates the inherent flaws of trust based security. Signed payloads are no longer solely within the domain of nation-state threat actors stealing code signing certificates from victims; they are readily accessible to operators of crime focused malware.” concludes the expert. “The impact is amplified by the scope and scale of typical crimeware campaigns. Expect to see signed malware reported more frequently.”


Pierluigi Paganini

(SecurityAffairs – malware, digital certificates)

The post Chronicle’s study reveals CAs that issued most certificates to sign malware samples on VirusTotal appeared first on Security Affairs.

US charges Assange with 17 counts under Espionage Act

The US Department of Justice has hit WikiLeaks founder Julian Assange with 17 charges related to illegally obtaining, receiving and disclosing classified information related to the national defense. He is charged with violating the Espionage Act. The conspiracy to commit computer intrusion charge revealed in April, when Assange was arrested in London after having been carried out of Ecuador’s Embassy following the country’s asylum revocation, has been incorporated in this batch of charges. US government … More

The post US charges Assange with 17 counts under Espionage Act appeared first on Help Net Security.

IoT Attacks Cost UK Firms Over £1bn

Cyber-attacks on IoT devices could cost the UK economy over £1 billion each year, according to new research from Irdeto.

The Dutch security vendor polled IT security decision makers at UK organizations in the transport, manufacturing and health sectors, finding that attacks on connected kit caused losses of £244,000 on average.

Along with the headline costs, over half of respondents claimed to have suffered downtime in the past year as a direct result of IoT attacks. Two-fifths (41%) said customer data had been compromised in these raids.

This could present a major compliance challenge if GDPR regulators judge the victim organizations haven’t taken suitable steps to protect customer data. It could also lead to attrition: a third (33%) of respondents said they’d lost customers and 29% claimed their brand's reputation had taken a hit.

Attacks on IoT devices can also have an impact on the physical world, given the increasingly vital role they play in a range of sectors: from drug infusion pumps to connected cars.

Worryingly, 28% of organizations told Irdeto they suffered compromised end-user safety as a result of attacks in the cyber domain.

Irdeto VP of strategic partnerships, Steeve Huin, argued that unsecured IoT endpoints are like low-hanging fruit for cyber-criminals.

“It’s clear that, if not addressed, a lack of IoT security could pose a serious financial threat to the wider UK economy. With so many devices entering the market, and being deployed in critical businesses, the need for improved security measures is without question,” he added.

“Connected device manufacturers must move away from the traditional mindset of ‘build, ship and forget’ and ensure that devices are secure from the very point of design, incorporating multiple layers of security as well as offering regular health checks and software updates. If unsure, consumers should also ask their manufacturers about device security and appropriate measures to keep their information secure.”

This should be easier to do in the future, once the government has introduced a new law designed to improve IoT security.

Announced at the start of May, the proposals aim to improve baseline security standards among manufacturers, and require retailers to add a label to each product explaining whether it has met the standards or not.

Assange Hit with New 18-Count Indictment

The US authorities have slapped Julian Assange with a new 18-count indictment on charges relating to illegally obtaining, retaining and disclosing classified information via WikiLeaks.

The indictment supersedes an earlier charge of hacking the Pentagon, and has drawn criticism from advocates of press freedom.

It could also make the UK Home Secretary’s decision to extradite the Wikileaks co-founder more difficult, given that the whistle-blowing site ostensibly published the revelations in the public interest, something that Assange’s lawyers argue should be covered by the First Amendment anyway.

The charges relate to hundreds of thousands of secret diplomatic cables and other documents related to US wars in Afghanistan and Iraq.

They allege that the 47-year-old conspired with whistleblower Chelsea Manning, a former army intelligence analyst, to obtain and then publish the documents, harming national security.

Crucially, the published trove contained unredacted names of US informants in Iraq and Afghanistan, and US State Department ‘diplomats’ globally, potentially putting them at risk, the DoJ claimed.

It listed 90,000 Afghanistan war-related “significant activity” reports, 400,000 Iraq war-related reports, 800 Guantanamo Bay detainee assessment briefs, and 250,000 US Department of State cables.

The indictment also contains the original charge, that Assange agreed to crack a password hash stored on US Department of Defense computers connected to the Secret Internet Protocol Network (SIPRNet).

If found guilty, Assange faces 10 years behind bars for each count, amounting to a total of 175 years.

Last month, Assange was arrested at the Ecuadorian embassy in London after the Metropolitan Police were invited in following the Ecuadorian government’s termination of asylum. He had been holed up there since 2012 after breaching the terms of his bail.

New online gambling rules might increase the likelihood of data breaches

The UK introduced new rules intended to make online gambling safer earlier this month, but there are concerns that they have created additional information security risks.

Under the new requirements, which came into effect on 7 May, anyone who registers for an online gambling site needs to provide proof of their age, name and address. However, this could be an extra incentive for cyber criminals to target gambling organisations, as the additional personal details alongside financial data are a potent combination for conducting fraud.

Why are gambling operators asking for this information?

Previously, it had been possible to create an account with a gambling operator without having to verify your identity and date of birth. You would only need to provide this information if you were trying to withdraw money from your account.

The new rules require gambling operators to confirm this information before users deposit funds or access free-to-play games. According to the Gambling Commission, operators can generally find the necessary information by matching the details that users give to them with existing databases.

However, it adds that “there may be occasions when this information is not enough to be sure who you are. For example, if information has been spelt wrongly or people with similar names live at the same address.

“In these situations you may be asked to provide copies of documents that prove who you are. This could include passports, driving licences and household bills.”

These checks are primarily intended to ensure the user is old enough to gamble, but they can also help operators see whether the user has self-excluded from the gambling company’s site and that they aren’t using criminal proceeds.

They are also part of a wider move to better regulate the gambling industry. The UK recently cut the maximum bet on fixed-odds betting terminals from £100 to £2 and is now turning its attention to gambling on credit. In a report published last year, the Gambling Commission said it would consider “whether gambling on credit should continue to be permitted” as it “increases the risk that consumers will gamble more than they can afford”.

Culture Secretary Jeremy Wright has called on banks and bookmakers to meet to discuss gambling industry regulations. “Protecting people from the risks of gambling-related harm is vital and all businesses with connections to gambling – be that bookmakers, social media platforms or banks – must be socially responsible,” he said.

“The government will not hesitate to act if businesses don’t continue to make progress in this area and do all they can to ensure vulnerable people are protected.”

Is your personal data at risk?

Any time a system requires organisations to access more personal data, the risks associated with that information increase. The risk of data breaches also increases whenever financial records are involved, because they are more valuable to cyber criminals.

Whereas most personal data is worth only what someone is willing to pay for it on the dark web, financial information can be used to access funds directly. In many instances, all crooks need to do is transfer and then launder the money. This tactic has become increasingly popular in recent years as the value of personal data decreases on the dark web due to the surplus in supply.

Depending on the additional information that online gambling companies use to verify an account, crooks could potentially have a route into users’ bank accounts. At the very least, they’ll probably have enough information to launch a sophisticated phishing attack.

As such, it’s essential that gambling operators introduce appropriate technical and organisational measures to protect the information they obtain to verify a user’s identity.

Want to know whether your organisation is doing enough?

You can learn everything you need to stay secure by reading our free green paper: Gambling Commission Annual Security Audits – Increase your odds.

This paper is essential reading for any gambling operator that wants to ensure their organisation complies with the Gambling Commission’s remote gambling and software technical standards. It covers the security requirements you need to meet and offers guidance on the steps you should take to pass your audit.

The post New online gambling rules might increase the likelihood of data breaches appeared first on IT Governance Blog.

Facebook says it took down 2.19 billion accounts in Q1 2019

Social network giant Facebook revealed it recently disabled billions of accounts operated by “bad actors” and that five percent of active accounts are fake.

The news is disconcerting but, frankly, not so surprising: Facebook announced it recently disabled billions of accounts operated by “bad actors” and that five percent of its active accounts are fake.

Facebook released its third Community Standards Enforcement Report, covering Q4 2018 and Q1 2019, which provides an estimate of its efforts to fight abuse of the social network platform and its actions to identify and take down accounts managed by threat actors.

The data is impressive: the company disabled 2.19 billion accounts in the first quarter of 2019, double the number of accounts blocked in the prior quarter.

“The amount of accounts we took action on increased due to automated attacks by bad actors who attempt to create large volumes of accounts at one time,” Facebook said,

“We disabled 1.2 billion accounts in the fourth quarter of 2018 and 2.19 billion in the first quarter of 2019. We’ll continue to find more ways to counter attempts to violate our policies,”

Facebook apparently disabled the accounts because they had been created by imposters through automated processes.

Facebook also highlighted the progress made in battling hate speech: its systems were able to automatically detect 65 percent of the content removed before anyone needed to report it. This represents a great success compared with the previous year, with an increase of 24% in automatic detection.

In Q1 2019, Facebook took down four million posts with content classified as hate speech.

“In the first quarter of 2019, we took down 4 million hate speech posts and we continue to invest in technology to expand our abilities to detect this content across different languages and regions.” continues Facebook.

Additional data are included in the report, enjoy it!


Pierluigi Paganini

(SecurityAffairs – Fake accounts, social network)

The post Facebook says it took down 2.19 billion accounts in Q1 2019 appeared first on Security Affairs.

TalkTalk’s Databreach Made Secret, Exposed In A Google Search

Google’s search engine is a blessing for many people looking for answers to whatever questions they may have. For the telecommunications conglomerate TalkTalk, however, Google is a nightmare: a data breach that it kept secret from its customers was inadvertently exposed by a simple Google search. An estimated 4,545 customer records, which TalkTalk tried to hide from the public, were discovered through that search.

The company styles itself with the words: “We do what’s right. We’re also passionate about keeping our teams engaged, happy and proud to work here. It’s all about empowering customers through great TalkTalk technology, and great TalkTalk people.” By leaving its customers in the dark, the company may face a penalty from the United Kingdom.

The conglomerate did not disclose the data breach, nor did it report it to the ICO (the UK’s Information Commissioner’s Office), which by law should receive all reports of data breaches in accordance with the Data Protection Act of 1998. It was later found through a Google search that the leaked data includes personally identifiable information such as customers’ full names, birthdates, addresses, account numbers, financial information, and contact information. Due to the news blackout fiasco, TalkTalk was forced to issue letters of apology to the customers affected by the 2015 data breach. The data originated from the conglomerate’s own database.

“The 2015 incident impacted 4% of TalkTalk customers and at the time, we wrote to all those impacted. In addition, we wrote to our entire base to inform them about the breach, advise them about the risk of scam calls and offer free credit monitoring to protect against fraud. A recent investigation has shown that 4,545 customers may have received the wrong notification regarding this incident. This was a genuine error and we have since written to all those impacted to apologize. 99.9 percent of customers received the correct notification in 2015. On their own, none of the details accessed in the 2015 incident could lead to any direct financial loss,” explained a TalkTalk representative.

Security experts expressed concern about companies not being honest when it comes to the welfare of their customers. Although disclosure may hurt a company’s reputation at first, customers will appreciate companies that face the music and are honest with them when they encounter trouble.

The post TalkTalk’s Databreach Made Secret, Exposed In A Google Search appeared first on .

How mainstream media coverage affects vulnerability management

For better or for worse, mainstream media is increasingly covering particularly dangerous, widespread or otherwise notable security vulnerabilities. The growing coverage has made more people aware of the risks and of the need to keep their various devices (software) up-to-date and, with the increased digitization of our everyday lives, I would say that’s a definitive plus. But among those people are also partners and regulators, and executives and boards of directors who may demand their … More

The post How mainstream media coverage affects vulnerability management appeared first on Help Net Security.