Daily Archives: September 2, 2019

The Information Technology industry’s major cybersecurity challenges

The Information Technology (IT) sector has snowballed into an extremely profitable and revenue-generating entity in a relatively small amount of time. IT is single-handedly responsible for initiating and implementing digitalization, ensuring that a very large amount of information gets converted from a manual to a digital format. The industry’s involvement, especially in data processing, has automatically made it a sought-after target for cyber attackers.

Typically, cybercriminals like to target industries where the repercussions of a cyberattack will be immense and the stolen data will be valuable. By targeting the IT sector, they naturally serve their purpose of attacking large industries with a huge workforce – something that can impact an entire nation’s economy.

The growing threat is confirmed by the numbers themselves – according to Seqrite’s Quarterly Threat Report from the second quarter of 2019, IT/ITES companies were the fourth largest target for cyberattacks at 6.15% of the total malware attacks for that quarter.

But this risk can be significantly averted if the IT sector empowers itself to tackle this growing threat. The first step is assessment and hence, the IT sector must ensure it is in the position to deal with some of the biggest cybersecurity threats that plague this sector.

  1. Skills gap

According to a recent workforce assessment survey, 59% of organizations had vacant cybersecurity positions – Frost & Sullivan forecasts a shortfall of 1.5 million by 2020 globally. This statistic sharply illustrates a major problem the IT sector is facing when it comes to cybersecurity: the daunting and ever-increasing skills gap.

Skilled cybersecurity personnel are in huge demand but the supply doesn’t seem to keep up. That is why organizations in the IT sector must keep exploring ways to overcome the skills gap by investing in regular training and upskilling programs.

  2. MaaS as an Advanced Persistent Threat

As per the analysis of Seqrite’s annual threat reports, it is predicted that the evolution of RaaS (Ransomware as a Service), which is a form of MaaS (Malware as a Service), points towards the future possibility of an ‘As a Service’ model for Advanced Persistent Threats (APTs).

What this would hypothetically mean is that malware authors could quite likely pivot to searching for generic loopholes in high-profile sectors like IT/ITES. These could then be sold as a well-organized attack vector to those willing to pay. Governments or anti-state actors could make use of APT as a service to get information or infiltrate different departments of IT companies.

  3. Data breach

Remember the huge Equifax data breach in 2017? Apart from major reputational and operational damage, it was also responsible for major financial setbacks.

Recent reports suggest that the American organization will have to pay about $700 million as part of a global settlement over the data breach. Recently, Indian IT company Wipro also admitted that it had suffered a high-profile data breach.

Companies in the information technology sector must take cognizance of this growing threat as the amount of valuable data they possess makes them very vulnerable to this threat.

  4. Insider Threats

The IT sector witnesses a constant flux of employees – an endless cycle of attrition and hiring. Employees, current and previous, are instrumental in many instances of accidental or purposeful data leaks. This phenomenon is commonly known as insider threats.

Insider threats pose a major problem for the IT sector, thanks to the number of people with access to confidential data. Employees may switch between different projects for different clients which means they have access to confidential client information.

If this information gets leaked either advertently or inadvertently, it could pose a huge problem for their respective companies.

Keeping all these threats in mind, it is imperative that the IT sector embraces the challenge and keeps upgrading its cybersecurity solutions. They can consider investing in solutions like Seqrite’s Endpoint Security (EPS), a simple and comprehensive platform to protect enterprise networks from advanced threats, and Unified Threat Management (UTM), a one-stop solution for all enterprise security needs.

The post The Information Technology industry’s major cybersecurity challenges appeared first on Seqrite Blog.

Feds Allege Adconion Employees Hijacked IP Addresses for Spamming

Federal prosecutors in California have filed criminal charges against four employees of Adconion Direct, an email advertising firm, alleging they unlawfully hijacked vast swaths of Internet addresses and used them in large-scale spam campaigns. KrebsOnSecurity has learned that the charges are likely just the opening salvo in a much larger, ongoing federal investigation into the company’s commercial email practices.

Prior to its acquisition, Adconion offered digital advertising solutions to some of the world’s biggest companies, including Adidas, AT&T, Fidelity, Honda, Kohl’s and T-Mobile. Amobee, the Redwood City, Calif. online ad firm that acquired Adconion in 2014, bills itself as the world’s leading independent advertising platform. The CEO of Amobee is Kim Perell, formerly CEO of Adconion.

In October 2018, prosecutors in the Southern District of California named four Adconion employees — Jacob Bychak, Mark Manoogian, Petr Pacas, and Mohammed Abdul Qayyum — in a ten-count indictment on charges of conspiracy, wire fraud, and electronic mail fraud. All four men have pleaded not guilty to the charges, which stem from a grand jury indictment handed down in June 2017.

‘COMPANY A’

The indictment and other court filings in this case refer to the employer of the four men only as “Company A.” However, LinkedIn profiles under the names of three of the accused show they each work(ed) for Adconion and/or Amobee.

Mark Manoogian is an attorney whose LinkedIn profile states that he is director of legal and business affairs at Amobee, and formerly was senior business development manager at Adconion Direct; Bychak is listed as director of operations at Adconion Direct; Qayyum’s LinkedIn page lists him as manager of technical operations at Adconion. A statement of facts filed by the government indicates Petr Pacas was at one point director of operations at Company A (Adconion).

According to the indictment, between December 2010 and September 2014 the defendants engaged in a conspiracy to identify or pay to identify blocks of Internet Protocol (IP) addresses that were registered to others but which were otherwise inactive.

The government alleges the men sent forged letters to an Internet hosting firm claiming they had been authorized by the registrants of the inactive IP addresses to use that space for their own purposes.

“Members of the conspiracy would use the fraudulently acquired IP addresses to send commercial email (‘spam’) messages,” the government charged.

HOSTING IN THE WIND

Prosecutors say the accused were able to spam from the purloined IP address blocks after tricking the owner of Hostwinds, an Oklahoma-based Internet hosting firm, into routing the fraudulently obtained IP addresses on their behalf.

Hostwinds owner Peter Holden was the subject of a 2015 KrebsOnSecurity story titled, “Like Cutting Off a Limb to Save the Body,” which described how he’d initially built a lucrative business catering mainly to spammers, only to later have a change of heart and aggressively work to keep spammers off of his network.

That a case of such potential import for the digital marketing industry has escaped any media attention for so long is unusual but not surprising given what’s at stake for the companies involved and for the government’s ongoing investigations.

Adconion’s parent Amobee manages ad campaigns for some of the world’s top brands, and has every reason not to call attention to charges that some of its key employees may have been involved in criminal activity.

Meanwhile, prosecutors are busy following up on evidence supplied by several cooperating witnesses in this and a related grand jury investigation, including a confidential informant who received information from an Adconion employee about the company’s internal operations.

THE BIGGER PICTURE

According to a memo jointly filed by the defendants, “this case spun off from a larger ongoing investigation into the commercial email practices of Company A.” Ironically, this memo appears to be the only one of several dozen documents related to the indictment that mentions Adconion by name (albeit only in a series of footnote references).

Prosecutors allege the four men bought hijacked IP address blocks from another man tied to this case who was charged separately. This individual, Daniel Dye, has a history of working with others to hijack IP addresses for use by spammers.

For many years, Dye was a system administrator for Optinrealbig, a Colorado company that relentlessly pimped all manner of junk email, from mortgage leads and adult-related services to counterfeit products and Viagra.

Optinrealbig’s CEO was the spam king Scott Richter, who later changed the name of the company to Media Breakaway after being successfully sued for spamming by AOL, Microsoft, MySpace, and the New York Attorney General’s Office, among others. In 2008, this author penned a column for The Washington Post detailing how Media Breakaway had hijacked tens of thousands of IP addresses from a defunct San Francisco company for use in its spamming operations.

Dye has been charged with violations of the CAN-SPAM Act. A review of the documents in his case suggests Dye accepted a guilty plea agreement in connection with the IP address thefts and is cooperating with the government’s ongoing investigation into Adconion’s email marketing practices, although the plea agreement itself remains under seal.

Lawyers for the four defendants in this case have asserted in court filings that the government’s confidential informant is an employee of Spamhaus.org, an organization that many Internet service providers around the world rely upon to help identify and block sources of malware and spam.

Interestingly, in 2014 Spamhaus was sued by Blackstar Media LLC, a bulk email marketing company and subsidiary of Adconion. Blackstar’s owners sued Spamhaus for defamation after Spamhaus included them at the top of its list of the Top 10 world’s worst spammers. Blackstar later dropped the lawsuit and agreed to pay Spamhaus’ legal costs.

Representatives for Spamhaus declined to comment for this story. Responding to questions about the indictment of Adconion employees, Amobee’s parent company SingTel referred comments to Amobee, which issued a brief statement saying, “Amobee has fully cooperated with the government’s investigation of this 2017 matter which pertains to alleged activities that occurred years prior to Amobee’s acquisition of the company.”

ONE OF THE LARGEST SPAMMERS IN HISTORY?

It appears the government has been investigating Adconion’s email practices since at least 2015, and possibly as early as 2013. The very first result in an online search for the words “Adconion” and “spam” returns a Microsoft Powerpoint document that was presented alongside this talk at an ARIN meeting in October 2016. ARIN stands for the American Registry for Internet Numbers, and it handles IP address allocations for entities in the United States, Canada and parts of the Caribbean.

As the screenshot above shows, that Powerpoint deck was originally named “Adconion – Arin,” but the file has since been renamed. That is, unless one downloads the file and looks at the metadata attached to it, which shows the original filename and that it was created in 2015 by someone at the U.S. Department of Justice.

Slide #8 in that Powerpoint document references a case example of an unnamed company (again, “Company A”), which the presenter said was “alleged to be one of the largest spammers in history,” that had hijacked “hundreds of thousands of IP addresses.”

A slide from an ARIN presentation in 2016 that referenced Adconion.

There are fewer than four billion IPv4 addresses available for use, but the vast majority of them have already been allocated. In recent years, this global shortage has turned IP addresses into a commodity wherein each IP can fetch between $15 and $25 on the open market.

The dearth of available IP addresses has created boom times for those engaged in the acquisition and sale of IP address blocks. It also has emboldened scammers and spammers who specialize in absconding with and spamming from dormant IP address blocks without permission from the rightful owners.

In May, KrebsOnSecurity broke the news that Amir Golestan — the owner of a prominent Charleston, S.C. tech company called Micfo LLC — had been indicted on criminal charges of fraudulently obtaining more than 735,000 IP addresses from ARIN and reselling the space to others.

KrebsOnSecurity has since learned that for several years prior to 2014, Adconion was one of Golestan’s biggest clients. More on that in an upcoming story.

If You Have to Ask How Much a Data Breach Costs, You Can’t Afford One

According to IBM Security’s 2019 Cost of a Data Breach Report, the average time to identify and contain a breach was a whopping 279 days, and it took even longer to discover and deal with a malicious attack. The average cost of an incident was $3.9 million, and the average cost per record, $150.

A malicious hacker can do serious damage to an organization. Breaches are not a cheap date. Capital One estimated the first-year cost of its recent breach would be $100-150 million. Add to that figure the aggregate cost of as many as 30 other companies suspected hacker Paige Thompson may have hit, and it should be abundantly clear that the damage that can be racked up by just one sociopath is astounding. Equifax was recently ordered to pay $700 million in damages for its megabreach, a figure many derided as a wrist slap.

By now, it shouldn’t be news that the probability of a breach or data compromise hitting your company, or one you do business with, is right up there with two more familiar likelihoods; namely, death and taxes. Likewise, the particular cause of a data breach or compromise is about as predictable as our individual approaches to death and taxes.

You need look no further than very recent news to illustrate the point.

U.K.-based Suprema sells a security tool used by organizations worldwide, including law enforcement. It allows users to control access in high security environments. It’s called Biostar 2, and it failed, leaking fingerprints, photographs, facial recognition data, names, addresses, passwords, and employment history records. Reports say 23 gigabytes of data containing 30 million records were in the wind, including data used by London’s Metropolitan Police, Power World Gyms, Global Village and Adecco Staffing. The cause, human error. The cost here is twofold. Fingerprints in the wind stay in the wind. They can’t be changed. There is no way to put a price on that, but at $150 per record, we might spitball and put it around $4.5 billion.

In other news, an FDNY employee flouted department data security policy by downloading data on a personal, unencrypted hard drive that subsequently went missing. The drive contained sensitive personal information and protected health information associated with more than 10,000 people treated or taken to the hospital by the department’s EMS. It was reported there were also nearly 3,000 Social Security numbers possibly exposed. This leak “only” comes in at a potential cost of around $1.5 million using the $150 a record estimate in the 2019 Cost of a Data Breach Report published by IBM Security. The cost of this unnecessary diversion is of course unknowable.

Another all too familiar way companies get got is by proxy. Choice Hotels recently reported the compromise of 700,000 guest records, which were exposed when a vendor copied their data. The mismanaged data was subsequently discovered by a hacker and held for a ransom, a request the hotel reportedly ignored. Ironically, the data had been on the server to test a “security offering” so there was nothing to ransom since the data was only copied from a server that was still controlled by the company. (That said, ransomware continues to be a very real threat, and it relies for the most part on employee error.)

Honda had a compromised database with more than 134 million records, and the Electronic Entertainment Expo, or E3 as it is popularly known, leaked press badge information that included names, phone numbers and home addresses of attendees, and do you know what these entities as well as all of the aforementioned organizations did not do? They didn’t do cyber right.

We all need to listen to the wisdom of The Office’s Dwight Schrute who said, “Whenever I’m about to do something, I think, ‘Would an idiot do that?’ And if they would, I do not do that thing.” True, that’s easier said than done, and Schrute is a fictionalized proof of that. Human error is not the only threat to a company, but it is the most persistent one. Many of the hit parade of hacks were avoidable, but without an organizational culture predicated on staying safe, it’s hard to make much progress in the war against stupid mistakes.

Data breaches and compromises are expensive, result in an enormous amount of collateral everyday life damage and are more common than inter-relationship bickering. As with love spats and their aftermaths, there is always room for improvement. While it is folly to believe that any company can be made 100% hack or leak proof, they can become harder-to-hit targets. Security can be baked into all processes–from onboarding to new product launches to the storing of key data. They are more avoidable than one might be led to believe, but it requires a sea change in attitude and more importantly a complete change in the way everything digital is done with security always foremost in any given process.

The post If You Have to Ask How Much a Data Breach Costs, You Can’t Afford One appeared first on Adam Levin.

Why Is a Data Classification Policy Absolutely Important?

Today, data is a valuable commodity. Without it, company executives cannot make well-informed decisions, marketers won’t understand their market’s behavior, and people will have a hard time finding each other over social media platforms. But not all data are equal, which is why companies must have a data classification policy in place to safeguard the important and sensitive data.

What Is a Data Classification Policy?

Data classification policy is an organizational framework aimed at guiding employees on how to treat data. During the creation of a data classification policy, categories for data are created to help the company distinguish which data are considered confidential and which are considered public.

A data classification policy applies to all kinds of data acquired by the company. Both digital and written data must be inspected with equal importance and classified appropriately according to the data classification policy.

Data Classification Policy and Cyber Security

When it comes to cybersecurity and risk management against unexpected data breaches, data classification policies play an important role.

Data classification policies help rank-and-file employees, as well as C-level management, identify which set of data must be treated with utmost care. A well-crafted data classification policy would view corporate decisions as strictly confidential, and such highly-sensitive information must be secured with the highest possible form of encryption.

Data policies also shed light on what data are considered public, personal, confidential, and sensitive. Each classification is given a different level of security under the policy, and each data set is given to key personnel for compilation, collection, and storage.

Because of the nature of the policy, data classification plays a supporting role in a company’s cybersecurity program, making it harder for corporate spies to retrieve valuable company data. The data classification policy must also provide details on where the data should be stored and who has authority to retrieve them.

Data Classification Services

Information security firms know how risky data theft is for companies, especially for Fortune 500 companies that have a large volume of sensitive data. That’s why many information security companies offer data classification services to help companies reduce their overall vulnerability.

Data security experts provide data classification services that include tools, training, and collaboration with clients in the creation of a data classification program. Many data classification services build the data classification policy from the ground up and help with the implementation of the policy. They also conduct security checks to help ensure that the level of security does not fall.

Conclusion

With companies receiving a large volume of data every day, it’s difficult for company employees and managers to stop and think about how a piece of data must be classified and handled. Without a clear and well-structured policy in place, employees are left to decide how data are stored and managed.

If you believe in the importance of data security, then having a well-structured data classification policy and availing data classification services from data security experts will give your company the data protection it needs to prevent heavy damages in case of a data breach.

The post Why Is a Data Classification Policy Absolutely Important? appeared first on .

5G Dangers: What are the Cybersecurity Implications?

5G is no longer technology of the future, but a current reality. Entire markets have already started to switch to 5G, which marks the beginning of a new era. This is the only technology created so far with a huge potential to elevate the use of the Internet of Things (IoT), foster an environment of interconnectivity, and sustain economic growth. 5G will bring along a plethora of benefits, such as increased data speed, lower latency on network response time, and higher reliability. However, at the same time, new cybersecurity threats are likely to arise. This is why your business must be ready to face the 5G dangers.

Your company’s and customers’ sensitive data could be compromised due to cyber-attacks in a 5G world. What’s more, your connected IoT devices could be affected too, each and every one of them being likely to pose security risks for your entire network. And once IoT devices are taken over by cybercriminals, they can wreak havoc in your organization and even cause physical damage.

What is 5G?

First of all, let’s try to understand more about the 5G technology and why it can be so dangerous for your business from a cybersecurity standpoint.

The “G” stands for “Generation”. In the simplest terms, the higher the number close to the letter “G”, the higher the speed and the lower the latency. Here is a quick comparison between the 5 Generations:

[Figure: 1G, 2G, 3G, 4G and 5G comparison]

Source: Adaptation after “A Review of Wireless Mobile Technology”, published in the International Journal of Science and Research (IJSR).

At some point, 5G will most probably replace the existing 4G networks. According to Ericsson’s Mobility Report released in June 2019, 5G subscriptions will reach 1.9 billion by the end of 2024, making up over 20% of all mobile subscriptions at that time. So while we’re still quite early in the game, it is not too soon to start thinking about the 5G implications for your business, both positive and negative.

How will your business benefit from 5G?

Let’s start off by evaluating the potential benefits. As we transition to the 5G technology, your business can expect better use of resources and improvement of your daily operations and communication. More specifically, here are the main areas in which your business will benefit once you start using 5G:

#1. Increased network speed

As I’ve pointed out above, the first benefit that comes to mind is the high speed supported by the network, which will increase your employees’ productivity, since they will be able to complete tasks much faster.

#2. Better communication

The virtual communication and collaboration will certainly be improved as well. Also, cutting-edge communication methods that involve VR and AR will be successfully sustained by the powerful 5G network.

#3. The IoT network will be taken to the next level

5G will seamlessly connect all the devices that make up your IoT network. This aspect will enable tremendous opportunities for IoT uses, ranging from drones, self-driving cars, VR and AR equipment, and other emerging technologies.

#4. More innovation

The 5G technology will most likely become a catalyst for innovation. In major industry verticals such as healthcare, automotive, and manufacturing we will witness technology advancements that have never been seen before.

#5. Reduced costs and energy consumption

The 5G technology will supposedly reduce the core network consumption by 90% and aims to extend device battery life ten times.

Organizations are impatient to use 5G

According to a survey recently released by Gartner, two-thirds of organizations are planning to deploy 5G by 2020. Yet apparently, businesses want to embark on the 5G journey faster than communication vendors can provide it. Furthermore, they are planning to use 5G networks mainly for IoT communications, with operational efficiency as key driver.

Gartner has also stated that, by 2022, half of the communication vendors which have completed commercial 5G deployments will not be able to monetize their back-end technology infrastructure investments. This will not be possible due to the fact that systems will not completely meet the 5G use case requirements.

“Most CSPs will only achieve a complete end-to-end 5G infrastructure on their public networks during the 2025-to-2030 time frame — as they focus on 5G radio first, then core slicing and edge computing,” said Sylvain Fabre, senior research director at Gartner.

Initially, communication service providers will focus on consumer broadband services, which may delay investments in edge computing and core slicing. And the latter are much more valuable and relevant to the 5G technology.

Security flaws in 5G enable various types of attacks

As pointed out by security researchers during Black Hat 2019, a security flaw in 5G allows Man-in-the-Middle (MiTM) attacks. It seems that security protocols and algorithms for 5G are now being ported from the 4G standard, and experts have discovered that this can allow device fingerprinting for targeted attacks and MiTM assaults.

How can this happen exactly? The 5G network is comprised of base stations, or cells, that cover a certain area. They connect to the cloud, and the latter connects to the base network. In order for the connection to be possible, 5G devices send information to the base station. The station then passes it up the chain to the core network for authentication. The information delivered includes details such as “whether or not voice calling is enabled, SMS ability, vehicle to vehicle communication (V2V) support, what frequency bands are being used, the device category, […] radio requirements”.

During the same Black Hat conference, researchers revealed that in 5G, as with 4G, the device capability information is sent to the base station before any security measures are applied to the connection. Basically, the traffic is encrypted from the endpoint to the base station, but since the device capabilities are sent before the encryption is applied, they can still be read in plain text. And this enables multiple types of attack, like Mobile network mapping (MNmap), bidding down, and battery drain on the narrowband Internet of Things (NB IoT) devices.

The research team that unveiled this threat was capable of creating a map of devices connected to a certain network and listing very specific details like device manufacturer, operating system, version, and model, allowing them to precisely categorize a device as an Android or iOS, IoT or a phone, car modem, router, etc. And this flaw opens the gate to targeted attacks against specific devices.

Attackers can intercept calls and track phone locations

Researchers have also discovered three security flaws in both 4G and 5G, which can be exploited to intercept phone calls and track the locations of cell phone users. And the scary part is that academics are saying that anyone with a little knowledge of cellular paging protocols will be able to conduct this kind of attack.

[Figure: The Torpedo attack, or “TRacking via Paging mEssage DistributiOn.” Image source: TechCrunch.]

The 5G Dangers for Your Company

Now, imagine what a negative impact 5G could have on your business. First of all, it will certainly enable more entry points for cyberattacks. And while the level of connectivity and speed between your interconnected IoT devices will increase, multiple opportunities for malicious actors to break into your systems will unfold. Thus, you might witness attacks at a scale never seen before.

What’s more, the 5G technology could also lead to botnet attacks, which will spread at a much higher speed than current networks allow. Attackers could also use botnets to initiate Distributed-Denial-of-Service attacks.

How can you avoid 5G threats?

With the rapid development of IoT and 5G, it’s crucial for you to evaluate your overall security strategy before your organization starts adopting the 5G technology. As with any emerging technology, 5G will generate new use cases that will need appropriate cybersecurity measures. Thus, it’s mandatory for you to deploy 5G networks with security measures in mind.

Conclusion

Extreme outcomes of security breaches are likely to happen due to 5G security flaws. And they can prove to be both expensive and disastrous. This brings us to the most critical aspect that security experts should begin with, namely the fact that 5G networks must have, first of all, built-in security measures in place. But the first important step will remain to identify the security regulations that the 5G technology truly needs, coupled with strict cybersecurity rules and regulations imposed on 5G network providers.

The post 5G Dangers: What are the Cybersecurity Implications? appeared first on Heimdal Security Blog.

Chinese deepfake app Zao sparks privacy row after going viral

Critics say face-swap app could spread misinformation on a massive scale

A Chinese app that lets users convincingly swap their faces with film or TV characters has rapidly become one of the country’s most downloaded apps, triggering a privacy row.

In case you haven't heard, #ZAO is a Chinese app which completely blew up since Friday. Best application of 'Deepfake'-style AI facial replacement I've ever seen.

Here's an example of me as DiCaprio (generated in under 8 secs from that one photo in the thumbnail) pic.twitter.com/1RpnJJ3wgT

Uighurs in China were target of two-year iOS malware attack – reports

Android and Windows devices also targeted in campaign believed to be state-backed

Chinese Uighurs were the target of an iOS malware attack lasting more than two years that was revealed last week, according to multiple reports.

Android and Windows devices were also targeted in the campaign, which took the form of “watering hole attacks”: taking over commonly visited websites or redirecting their visitors to clones in order to indiscriminately attack each member of a community.
