While cybersecurity professionals are certainly aware of the growing threat posed by sharing data with third parties, many seem to lack the urgency required to address this challenge. If there is one work-related New Year’s resolution I’d like CISOs to make as we enter 2020, it’s to give the challenge of third-party cyber risk the attention it needs. In fact, I no longer see this as optional or as an extension of an enterprise risk … More
The post CISOs: Make 2020 the year you focus on third-party cyber risk appeared first on Help Net Security.
The proliferation of real-time payments platforms, including person-to-person (P2P) transfers and mobile payment platforms across Asia Pacific, has increased fraud losses for the majority of banks. FICO recently conducted a survey with banks in the region and found that 4 out of 5 (78 percent) have seen their fraud losses increase. Further to this, almost a quarter (22 percent) say that fraud will rise significantly in the next 12 months, with an additional 58 percent … More
The post More authentication and identity tech needed with fraud expected to increase appeared first on Help Net Security.
BigID, the leader in personal data privacy and protection, announced their Discovery-In-Depth technology to provide organizations with unprecedented visibility and insight into personal and crown jewel data. The new technology builds on BigID’s patented Correlation technology for finding any Personal Information (PI) and sensitive data, across any data store or pipeline, and correlating it back to a person so as to address critical CCPA and GDPR use cases like personal data rights. It introduces three … More
Citrix Systems and FireEye announced the launch of a new tool for detection of compromise in connection with the previously announced CVE-2019-19781 vulnerability, which affects certain versions of Citrix Application Delivery Controller (ADC), Citrix Gateway, and two older versions of Citrix SD-WAN WANOP. This tool is freely accessible in both the Citrix and FireEye GitHub repositories. The free tool is designed to allow customers to run it locally against their Citrix instances and receive a … More
The post Citrix Systems and FireEye introduce new tool for detection of compromise appeared first on Help Net Security.
Keysight Technologies, a leading technology company that helps enterprises, service providers and governments accelerate innovation to connect and secure the world, announced the addition of new machine learning (ML) features in the Hawkeye active network monitoring platform from Ixia, a Keysight business. The addition of machine learning enables Hawkeye to help enterprises shorten outages and improve network uptime by quickly detecting, identifying and resolving network anomalies. As the volume and velocity of raw network and … More
The post Ixia adds new ML features in the Hawkeye active network monitoring platform appeared first on Help Net Security.
HiveIO announced version 8.0 of Hive Fabric, an intelligent virtualization solution that provides high-performing, scalable technology that removes complexity in the data center and delivers a seamless IT experience. The new version provides protection for virtual machines (VMs) and user data with its Disaster Recovery (DR) capability by seamlessly integrating with cloud storage. Hive Fabric 8.0 also incorporates advanced business intelligence (BI) tools into Hive Sense – a capability that proactively notifies HiveIO of an … More
The post HiveIO updates Hive Fabric with added data protection, backup to the cloud, and app insights appeared first on Help Net Security.
Entersekt described the latest implementations of its authentication technology in Europe’s DACH region. The fintech firm announced that Netcetera, a payments technology specialist and long-standing regional partner, has implemented the system for Bank-Verlag, which builds and operates secure digital services on behalf of Germany’s banks, among other things. Two major Austrian card issuers are also deploying the technology. Entersekt’s authentication solution allows consumers to approve their e-commerce payments with one touch of their banks’ mobile … More
The post Bank-Verlag signs up for 3-D Secure authentication solution from Entersekt and Netcetera appeared first on Help Net Security.
The Mastercard Center for Inclusive Growth and The Rockefeller Foundation announced data.org as a platform for partnerships that will continue to build the field of data science for social impact. This is the next chapter of a $50 million commitment Mastercard and the Rockefeller Foundation made last year to launch a transformational model for philanthropy. As part of the announcement, data.org launched a new $10 million impact challenge to crowdsource scalable and sustainable data science … More
The post Mastercard and The Rockefeller Foundation unveil new platform for data science partnerships appeared first on Help Net Security.
Technology innovators Syniverse and AiRXOS, a wholly owned subsidiary of GE Aviation, announced they are working together to protect the skies by providing a communications infrastructure that manages drones and other unmanned aerial vehicles operating at low altitudes. The collaboration offers network security for the drone’s Unmanned Traffic Management system so that critical data, notifications, photos and HD video are transmitted over a secure network with protection from cyberattacks. From matters of national defense video … More
The post Syniverse and AiRXOS to provide a communications infrastructure that manages drones appeared first on Help Net Security.
Intelligent Waves, an end-to-end information technology government solutions provider, announced that it was awarded a competitive, single award indefinite-delivery/indefinite-quantity (IDIQ) contract with the Defense Information Systems Agency (DISA). The contract called Enhanced Mobile Satellite Services (EMSS) Global Logistical Services Management Contract (ELOG) has a lifecycle value of $48 million and a 1-year base with 4-year options. EMSS provides deployed warfighters and partnering agencies with global communication services through a dedicated, EMSS-controlled satellite gateway that leverages … More
The post DISA awards Intelligent Waves with the global satellite communications contract appeared first on Help Net Security.
STACK INFRASTRUCTURE, the data center company built from the ground up to address the technology infrastructure needs of rapidly scaling enterprises and hyperscale businesses, and Peterson Companies, one of the largest privately-owned real estate development companies in the DC region, announced plans to develop a data center campus in Manassas, Virginia. The 125-acre, multi-phase development will eventually offer more than 250 MW of critical load for flexible build-to-suit facilities to serve large data center users … More
The post STACK INFRASTRUCTURE and Peterson Companies to develop a data center campus in Manassas, VA appeared first on Help Net Security.
RDC, the global leader in risk intelligence compliance screening, announced it has entered into a definitive agreement to be acquired by Moody’s Corporation. The RDC acquisition positions Moody’s Analytics’ Bureau van Dijk (BvD), a leading provider of business intelligence and company data, to expand its range of data solutions, creating a global leader in anti-money laundering (AML) and know your customer (KYC) data and due diligence services. It will deepen Moody’s experience and expertise as … More
The post Moody’s acquires RDC to expand its range of data solutions appeared first on Help Net Security.
Splunk, provider of the Data-to-Everything Platform, announced it has appointed Kristen Robinson as the company’s first Chief People Officer. Robinson, who will play a critical role in accelerating Splunk’s continued transformation journey, has more than 25 years of experience pioneering people strategies at high growth companies and building diverse and inclusive organizations. Robinson will report to Doug Merritt, President and CEO, Splunk. Her start date is January 23, 2020. “What sets Kristen apart is her … More
The post Kristen Robinson joins Splunk as Chief People Officer appeared first on Help Net Security.
Onapsis, the leader in business application protection, announced the appointment of Dave DeWalt as Vice Chairman to its board of directors. The strategic addition to the Onapsis board immediately follows the company closing a record year of progress, highlighted by 157% year-over-year growth in new annual recurring revenue, 257% growth in expansion revenue, and 90% gross retention rate. Additionally, the Onapsis Research Labs continues to showcase commitment to business-critical application vulnerability research, having discovered and … More
The post Onapsis appoints Dave DeWalt as Vice Chairman to its board of directors appeared first on Help Net Security.
Point-of-Sale Breach Targets U.S. Cannabis Industry
Late last month, researchers discovered a database owned by the company THSuite that appeared to contain information belonging to roughly 30,000 cannabis customers in the U.S. With no authentication, the researchers were able to find contact information as well as cannabis purchase receipts, including price and quantity, and even scanned copies of employee and government IDs. Though many of the records were for recreational users, medical patients were also involved in the breach, which could prompt additional investigations regarding HIPAA violations.
Ransomware Attack Shuts Down Florida Libraries
At least 600 computers belonging to the library system of Volusia County, Florida were taken offline after falling victim to an unconfirmed ransomware attack. While the libraries were able to get 50 computers back up and running, many of their core functionalities are still offline for the time being. Though officials still have not confirmed that ransomware was the cause of the shutdown, the attack is similar to ones targeting multiple California libraries less than a week earlier.
UK Government Allows Gambling Firms Access to Children’s Data
The Information Commissioner’s Office (ICO) was recently informed of a data breach that could affect nearly 28 million students in the UK. A gambling firm was apparently given access to a Department for Education database by a third-party vendor to complete age and ID verification, though it is unclear just how much information they were gathering. Both firms and the Department for Education have begun examining this breach to determine if this requires a full GDPR investigation.
International Law Enforcement Efforts Take Down Breach Dealer Site
In a combined effort from multiple law enforcement agencies in the U.S. and Europe, two individuals who operated a site that sold login credentials from thousands of data breaches were arrested. Immediately following the arrests, the domain for WeLeakInfo was taken down and all related computers were seized by police, who then promptly put up an official press release and request for any additional info on the site or owners. WeLeakInfo, which boasted access to over 12 billion records, was originally hosted by a Canadian company, but was quick to employ Cloudflare to continue their nefarious dealings privately.
UPS Store Exposes Customer Data
Roughly 100 UPS Stores across the U.S. fell victim to a phishing attack that compromised sensitive customer information over the last four months. This incident stems from a malicious phishing attack that allowed some individuals to compromise store email accounts, which then allowed access to any documents that had been exchanged between the accounts and customers, from passports and IDs to financial info. Fortunately, UPS has already begun contacting affected customers and is offering two years of credit and identity monitoring.
A point-of-sale system vendor that serves U.S. medical and recreational cannabis dispensaries left an unprotected database containing sensitive information about three clients and 30,000 of their customers exposed to the internet, researchers say.
Experts found online an unsecured database owned by THSuite and used by point-of-sale systems in medical and recreational marijuana dispensaries.
Data leak continues to be a frequent issue suffered by companies, news of the day is the discovery of an unsecured database owned by THSuite and used by point-of-sale systems in medical and recreational marijuana dispensaries across the United States.
The archive was stored in an unsecured S3 bucket, it was discovered by researchers from VPNMentor and impacted 30,000 people.
The use of marijuana for medical purposes is legal in some US states and THSuite offers business process management software services to cannabis dispensary owners and operators.
The dispensaries collect large quantities of sensitive information in order to comply with state laws. THSuite solutions simplify this process and implement an effective
“Over 85,000 files were leaked in this data breach, including over 30,000 records with sensitive PII. The leak also included scanned government and company IDs stored in an Amazon S3 bucket through the Amazon Simple Storage Service.” reads the analysis published by VPNmentor.
“In the sample of entries we checked, we found information related to three marijuana dispensaries in different locations around the US: Amedicanna Dispensary, Bloom Medicinals, and Colorado Grow Company. Examples of these entries can be found below.”
Experts pointed out that the data leak might have affected many more dispensaries, likely all THSuite clients and their customers were impacted.
Exposed records include full names of patients and staff members, dates of birth, phone numbers, physical addresses, email addresses, medical ID numbers, cannabis used, price, quantity, and receipts.
The database also included details about Amedicanna’s inventory and sales, experts found the list of transactions containing the following data:
- Patient name and medical ID number
- Employee name
- Cannabis variety purchased
- Quantity of cannabis purchased
- Total transaction cost
- Date received, along with an internal receipt ID
The leaked data also included scanned government and employee IDs.
The exposure for medical marijuana patients, and
Patients may face negative
“Under HIPAA regulations, it’s a federal crime in the US for any health
Below the timeline for the THSuite data leak:
- Date discovered: December 24, 2019
- Date owners contacted: December 26, 2019
- Date Amazon AWS contacted: January 7, 2020
- Date database closed: January 14, 2020
(SecurityAffairs – THsuite, data leak)
The post THSuite data leak exposes cannabis users information appeared first on Security Affairs.
The U.S. Treasury Department is proposing to collect more information from banks and financial markets about the cybersecurity risks they face to help ensure the security of financial infrastructure.
Hackers used a remote access Trojan (RAT) associated with Iran-linked APT groups in recent attacks on a key organization in the European energy sector.
Security experts from Recorded Future reported that a backdoor previously used in attacks carried out by an Iran-linked threat actor was used to target a key organization in the European energy sector.
The malware is the PupyRAT backdoor, it is a “multi-platform (Windows, Linux, OSX, Android), multi-function RAT and post-exploitation tool mainly written in Python” that can give the attackers full access to the victim’s system.
The PupyRAT backdoor is an open-source piece of malware available on GitHub, it was used in past campaigns associated with the Iran-linked APT groups like APT33 (also known as Elfin, Magic Hound and HOLMIUM), COBALT GYPSY, and APT34 (aka OilRIG).
The above groups were involved in past attacks on organizations in the energy sector worldwide.
Now experts from Recorded Future identified malicious traffic between PupyRAT install and the command and control (C&C) server identified by the experts. The communication involved a mail server for a European energy sector organization and took place between November 2019 and at least January 5, 2020.
“Using Recorded Future remote access trojan (RAT) controller detections and network traffic analysis techniques, Insikt Group identified a PupyRAT command and control (C2) server communicating with a mail server for a European energy sector organization from late November 2019 until at least January 5, 2020.” reads the analysis published by Recorded Future. “While metadata alone does not confirm a compromise, we assess that the high volume and repeated communications from the targeted mail server to a PupyRAT C2 are sufficient to indicate a likely intrusion.”
The researchers were not able to attribute the attack to Iran-linked APT groups, anyway, their analysis highlights that the targeted organization had a role in the coordination of European energy resources.
Experts suggest to monitor for sequential login attempts from the same IP against different accounts, use a password manager and set strong, unique passwords
“Although this commodity RAT, PupyRAT, is known to have been used by Iranian threat actor groups APT33 and COBALT GYPSY, we cannot confirm whether the PupyRAT controller we identified is used by either Iranian group.” concludes the report. “Whoever the attacker is, the targeting of a mail server at a high-value critical infrastructure organization could give an adversary access to sensitive information on energy allocation and resourcing in Europe.”
(SecurityAffairs – Iran, hacking)
The post Iran-Linked PupyRAT backdoor used in recent attacks on European energy sector appeared first on Security Affairs.
The FBI's Internet Crime Complaint Center has issued an alert warning that fraudsters are using spoofed job application portals and websites to steal personal information, including payment card details, from would-be applicants.
Ray Felch // SOFTWARE DEFINED RADIO: RF Signal Replay Techniques Disclaimer: Be sure to use a faraday bag or cage before transmitting any data so you don’t accidentally break any laws by illegally transmitting on regulated frequencies. Additionally, intercepting and decrypting someone else’s data is illegal, so be careful when researching your traffic. Preface: Recently, […]
The Azure security team is pleased to announce that the Azure Security Benchmark v1 (ASB) is now available. ASB is a collection of over 90 security best practices recommendations you can employ to increase the overall security and compliance of all your workloads in Azure.
The ASB controls are based on industry standards and best practices, such as Center for Internet Security (CIS). In addition, ASB preserves the value provided by industry standard control frameworks that have an on-premises focus and makes them more cloud centric. This enables you to apply standard security control frameworks to your Azure deployments and extend security governance practices to the cloud.
ASB v1 includes 11 security controls inspired by, and mapped to, the CIS 7.1 control framework. Over time we’ll add mappings to other frameworks, such as NIST.
ASB also makes it possible to improve the consistency of security documentation for all Azure services by creating a framework where all security recommendations for Azure services are represented in the same format, using the common ASB framework.
ASB includes the following controls:
- Network security
- Logging and monitoring
- Identity and access control
- Data protection
- Vulnerability management
- Inventory and asset management
- Secure configuration
- Malware defense
- Data recovery
- Incident response
- Penetration tests and red team exercises
Documentation for each of the controls contains mappings to industry standard benchmarks (such as CIS), details/rationale for the recommendations, and link(s) to configuration information that will enable the recommendation.
ASB is integrated with Azure Security Center allowing you to track, report, and assess your compliance against the benchmark by using the Security Center compliance dashboard. It has a tab like those you see below. In addition, the ASB impacts Secure Score in Azure Security Center for your subscriptions.
ASB is the foundation for future Azure service security baselines, which will provide a view of benchmark recommendations that are contextualized for each Azure service. This will make it easier for you to implement the ASB for the Azure services that you’re actually using. Also, keep an eye out our release of mappings to the NIST and other security frameworks.
Send us your feedback
We welcome your feedback on ASB! Please complete the Azure Security Benchmark feedback form. Also, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
While digital transformation is critical to business innovation, delivering security to cloud-first, mobile-first architectures requires rethinking traditional network security solutions. Some businesses have been successful in doing so, while others still remain at risk of very costly breaches.
MAN Energy Solutions, a leader in the marine, energy, and industrial sectors, has been driving cloud transformation across their business. As with any transformation, there were challenges—as they began to adopt cloud services, they quickly realized that the benefits of the cloud would be offset by poor user experience, increasing appliance and networking costs, and an expanded attack surface.
In 2017, MAN Energy Solutions implemented “Blackcloud”—an initiative that establishes secure, one-to-one connectivity between each user and the specific private apps that the user is authorized to access, without ever placing the user on the larger corporate network. A virtual private network (VPN) is no longer necessary to connect to these apps. This mitigates lateral movement of bad actors or malware.
This approach is based on the Zero Trust security model.
Understanding the Zero Trust model
In 2019, Gartner released a Market Guide describing its Zero Trust Network Access (ZTNA) model and making a strong case for its efficacy in connecting employees and partners to private applications, simplifying mergers, and scaling access. Sometimes referred to as software-defined perimeter, the ZTNA model includes a “broker” that mediates connections between authorized users and specific applications.
The Zero Trust model grants application access based on identity and context of the user, such as date/time, geolocation, and device posture, evaluated in real-time. It empowers the enterprise to limit access to private apps only to the specific users who need access to them and do not pose any risk. Any changes in context of the user would affect the trust posture and hence the user’s ability to access the application.
Access governance is done via policy and enabled by two end-to-end, encrypted, outbound micro-tunnels that are spun on-demand (not static IP tunnels like in the case of VPN) and stitched together by the broker. This ensures apps are never exposed to the internet, thus helping to reduce the attack surface.
As enterprises witness and respond to the impact of increasingly lethal malware, they’re beginning to transition to the Zero Trust model with pilot initiatives, such as securing third-party access, simplifying M&As and divestitures, and replacing aging VPN clients. Based on the 2019 Zero Trust Adoption Report by Cybersecurity Insiders, 59 percent of enterprises plan to embrace the Zero Trust model within the next 12 months.
Implement the Zero Trust model with Microsoft and Zscaler
Different organizational requirements, existing technology implementations, and security stages affect how the Zero Trust model implementation takes place. Integration between multiple technologies, like endpoint management and SIEM, helps make implementations simple, operationally efficient, and adaptive.
Microsoft has built deep integrations with Zscaler—a cloud-native, multitenant security platform—to help organizations with their Zero Trust journey. These technology integrations empower IT teams to deliver a seamless user experience and scalable operations as needed, and include:
Azure Active Directory (Azure AD)—Enterprises can leverage powerful authentication tools—such as Multi-Factor Authentication (MFA), conditional access policies, risk-based controls, and passwordless sign-in—offered by Microsoft, natively with Zscaler. Additionally, SCIM integrations ensure adaptability of user access. When a user is terminated, privileges are automatically modified, and this information flows automatically to the Zscaler cloud where immediate action can be taken based on the update.
Microsoft Endpoint Manager—With Microsoft Endpoint Manager, client posture can be evaluated at the time of sign-in, allowing Zscaler to allow or deny access based on the security posture. Microsoft Endpoint Manager can also be used to install and configure the Zscaler app on managed devices.
Azure Sentinel—Zscaler’s Nanolog Streaming Service (NSS) can seamlessly integrate with Azure to forward detailed transactional logs to the Azure Sentinel service, where they can be used for visualization and analytics, as well as threat hunting and security response.
Implementation of the Zscaler solution involves deploying a lightweight gateway software, on endpoints and in front of the applications in AWS and/or Azure. Per policies defined in Microsoft Endpoint Manager, Zscaler creates secure segments between the user devices and apps through the Zscaler security cloud, where brokered micro-tunnels are stitched together in the location closest to the user.
If you’d like to learn more about secure access to hybrid apps, view the webinar on Powering Fast and Secure Access to All Apps with experts from Microsoft and Zscaler.
Rethink security for the cloud-first, mobile-first world
The advent of cloud-based apps and increasing mobility are key drivers forcing enterprises to rethink their security model. According to Gartner’s Market Guide for Zero Trust Network Access (ZTNA) “by 2023, 60 percent of enterprises will phase out most of their remote access VPNs in favor of ZTNA.” Successful implementation depends on using the correct approach. I hope the Microsoft-Zscaler partnership and platform integrations help you accomplish the Zero Trust approach as you look to transform your business to the cloud.
For more information on the Zero Trust model, visit the Microsoft Zero Trust page. Also, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
The post Microsoft and Zscaler help organizations implement the Zero Trust model appeared first on Microsoft Security.
A new report into the state of ransomware at the tail end of 2019 has revealed that things aren’t getting any better.
Read more in my article on the Tripwire State of Security blog.
A new report into the state of ransomware at the tail end of 2019 has revealed that things aren’t getting any better. In Q4 of 2019, according to the new study published by security firm Coveware, the average ransom payment more than doubled – reaching $84,116, up from $41,198 in Q3 of 2019. Coveware’s report […]… Read More
The post Ransomware: The average ransom payment doubled in just three months appeared first on The State of Security.
Your trip into work today might be delayed by slippery roads, dense fog, and a Citrix vulnerability.
US Cybersecurity Agency Issues Emotet Warning
America's Cybersecurity and Infrastructure Security Agency (CISA) issued a warning yesterday after observing an increase in the number of targeted cyber-attacks that utilize Emotet.
Emotet functions as a modular botnet that can steal data, send malicious emails, and act as a dropper, downloading and installing a wide range of malware onto a victim's computer. This sophisticated strain of malware was developed by threat group TA542.
CISA said: "Emotet primarily spreads via malicious email attachments and attempts to proliferate within a network by brute forcing user credentials and writing to shared drives. If successful, an attacker could use an Emotet infection to obtain sensitive information."
The agency warned that such an attack could result in the loss of money and of proprietary information as well as cause "disruption to operations and harm to reputation."
CISA advised users and system administrators to block email attachments such as .dll and .exe, which are commonly associated with malware, and to block any email attachments that cannot be scanned by antivirus software.
Further protection measures suggested by CISA are to implement firewalls, an antivirus program, and a formalized patch management process.
To stop a virus from running rampant around your network, CISA recommended segmenting and segregating networks and functions.
The warning comes a week after cybersecurity firm Proofpoint announced that Emotet was back and causing trouble with a new campaign after taking what appeared to be a Christmas break. Researchers spotted Emotet going after targets in the pharmaceutical industry in the US, Canada, and Mexico on January 13.
By Tuesday, the attackers had widened their net to go after victims in multiple industries in Australia, Austria, Germany, Hong Kong, Italy, Japan, Singapore, South Korea, Spain, Switzerland, Taiwan, and the United Arab Emirates.
"Based on past activity and what our researchers are seeing, organizations around the globe should take Emotet’s return seriously," wrote researchers. "On Monday alone we saw nearly three quarters of a million messages and they’re already fast approaching one million messages total."
This mass of messages, although large, isn’t the highest volume the researchers have ever seen from the TA542 group. Previously, researchers have seen the threat actors send over one million messages in just one day.
US County Suffers Two Cyber-attacks in Three Weeks
Albany County in the state of New York has been struck by two separate cyber-attacks in three weeks.
A five-figure ransom in Bitcoin was paid by Albany County Airport Authority (ACAA) earlier this month after their servers became infected with ransomware on Christmas day.
Airport CEO Philip Calderone said that the authority caught the virus from a company called LogicalNet, which, rather ironically, ACAA had hired to provide cybersecurity services. The attack came to light after LogicalNet reported that its management services network had been breached.
Calderone told Times Union: "We have severed our relationship with LogicalNet."
According to Times Union, while the airport's insurer reimbursed the authority for the rest of the undisclosed ransom payment, the airport authority is seeking to recover the $25,000 deductible it paid on its insurance policy from LogicalNet.
Three weeks later, on January 15, the Albany County town of Colonie was hit by a cyber-attack that took the town's computer system and email offline. Many departments were still experiencing problems on Friday.
Town spokesperson Sara Wiest said on Friday that the town was still trying to determine the exact nature of the attack. Wiest added that all the town's data had been backed up prior to the incident, allowing many departments to continue working despite not having access to the computer system.
In a forced return to last century's communication methods, the town sent out a news release regarding the cyber-attack via fax on Friday morning.
The release stated that there was no indication that any personal data had been compromised and reassured the public that the town's health and safety services were still functioning.
"These types of situations happen in a lot of different places and municipalities and they appear to be similar," said Colonie town supervisor Paula Mahan. "It’s happening in a lot of places and it’s something we have to get used to."
In March 2019, the City of Albany spent $300,000 in new servers, security software upgrades, firewall insurance, and other cybersecurity improvements after being hit by a ransomware attack. Fortunately, the city was able to fall back on its daily backups of mission-critical systems, and no ransom was paid.
On January 22, 2020, Microsoft reported a security breach that involved one of its customer databases. Between December 5 and December 31, 2019, a change made to the database’s network security group contained misconfigured security rules that allowed the exposure of data.
Microsoft did not specify how many records were compromised, however, according to Comparitech, 250 million Microsoft customer service and support records ended up being visible on the web.
The databases were discovered by Bob Diachenko, a security researcher, who notified Microsoft immediately. Within 24 hours, all servers were secured.
Kudos to MS Security Response team – I applaud the MS support team for responsiveness and quick turnaround on this despite New Year’s Eve. https://t.co/PPLRx9X0h4
— Bob Diachenko (@MayhemDayOne) January 22, 2020
No malicious parties are known to have accessed the data during the time it was exposed.
What kind of data was exposed?
According to Diachenko, most of the personally identifiable information, such as email aliases, contract numbers, and payment information was redacted. However, many records, like customer email addresses, IP addresses, locations, descriptions of CSS claims and cases, Microsoft support agent emails, case numbers, or Internal notes marked as “confidential” contained plain text data.
In the blog post, Microsoft acknowledged that some data may have remained unredacted under certain conditions. For example, if an email address was written in a non-standard format (name “XYZ @contoso com” vs “XYZ@contoso.com”), the data may have been visible.
Microsoft’s response and action
After the incident, Microsoft took immediate action, apologized to its customers, and began notifying them.
Here are the measures they took to prevent future similar events:
- Auditing the established network security rules for internal resources.
- Expanding the scope of the mechanisms that detect security rule misconfigurations.
- Adding additional alerting to service teams when security rule misconfigurations are detected.
- Implementing additional redaction automation.
How to protect yourself from potential future scams
If you’re a Microsoft customer, you may become a target of scammers trying to impersonate Microsoft’s official staff. Thus, make sure you don’t fall for these scams and read the advice I’ve included below on how you can stay safe.
Do not engage with tech support scammers pretending to work for Microsoft
Surely, Microsoft tech support scams are not new. Even one of Heimdal’s employees received a fake IT support phone call a while ago but recognized it was a scam right away. You can read the full story here and even listen to the phone call recording if you are interested.
Of course, the main piece of advice, in this case, would be not to provide any information about yourself or allow the scammer to remotely access your computer.
Do not open phishing emails pretending to be from Microsoft
Now that the Microsoft data breach incident has been made public, it will be a great time for malicious actors to start sending email phishing campaigns. They may try trick you into entering your Microsoft credentials so you can “reset” them afterward. In the past, we spotted a Microsoft phishing campaign that targeted Office365 users, with pages masquerading as official Microsoft and OneDrive pages.
In short, do not open these emails or click on the malicious links and you’ll be safe. And if you’d like to add an extra layer of safety in your organization, give our DNS filtering solution, Thor Foresight Enterprise, a try.
If you want to learn more about phishing (and spear-phishing, in particular) you may want to go through our complete guide. At the same time, here you can find out all you need to know about how social engineering tactics work.
The post SECURITY ALERT: Microsoft Accidentally Exposed 250 Million Customer Support Records appeared first on Heimdal Security Blog.
As part of their ISO 27001 compliance, organisations must conduct management reviews to address any emerging information security trends and to ensure that their ISMS (information security management system) works as intended.
Unfortunately, there’s a mistaken belief that the review is only necessary as part of the certification audit. That couldn’t be further from the truth, as we explain in this blog.
The purpose of the ISO 27001 management review
Management reviews give senior staff the opportunity to evaluate the effectiveness of their organisation’s ISMS and make any changes that could boost its ability to protect sensitive information.
The criteria for an effective ISMS will have been addressed as part of your work conforming with Clause 4 of ISO 27001, which covers the organisation and its context, the requirements of interested parties, the scope of the ISMS and risk management.
The management review also gives you the opportunity to inform senior staff of any changes or revisions that have been made to the day-to-day workings of the ISMS.
What the management review should cover
Clause 9.3 of ISO 27001 outlines what your management review should cover.
Your first order of business is to revisit any ongoing actions that you decided upon in previous management reviews.
For example, you might have requested statistical analysis related to certain practices, or decided to adjust a process. Now is the time to check them and get further comment.
Next, you should discuss any external or internal issues that are relevant to the ISMS.
‘Internal and external issues’ is a phrase introduced in Clause 4.1 of ISO 27001, and refers to things that could affect your sensitive information.
Internal issues include things related to information assets, people, products and systems, whereas external issues might include political problems, economic fluctuations and new technologies.
The third item on your agenda is the overall performance of your ISMS. You should focus on:
- Areas of the ISMS that aren’t working as intended;
- Actions you’ve taken to address previously identified weaknesses;
- The ongoing monitoring of your ISMS’s performance;
- Audit results and the fulfilment of information security objectives;
- Feedback from interested parties;
- Results of your risk assessment and the status of the risk treatment plan; and
- Opportunities for continual improvement.
Who should attend the management review?
As the name suggests, senior management should play a key role. This might take the form of an ‘ISMS board’ – i.e. a group of senior staff that is tasked with overseeing information security issues.
The ISMS board generally includes the CISO and other executives, along with department heads who oversee the handling of large volumes of sensitive information.
How often should management reviews be conducted?
You are required to conduct a management review at least once a year, and more frequently if there are any material changes that could affect your ISMS.
However, we suggest holding meetings more regularly than this, because you’ll have a lot to cover and will find that information security issues evolve quickly.
How frequently you hold meetings is up to you – but we think quarterly or monthly get-togethers are more suitable.
Getting the most out of the management review
Here are some tips to help you get started:
Keep attendees to a minimum
You don’t need to fill the room to get as many opinions as possible. You’re better off with a small group of people whose insight you value.
Attendees can consult with colleagues outside of the meeting if they need further advice or information – and you can invite people as needed– but this isn’t the time for an organisation-wide discussion.
Keep management reviews and management meetings separate
Senior staff probably already meet up on a regular basis to address the day-to-day operations of the organisation, but don’t fall into the trap of thinking you can slide your management reviews into these meetings.
If you do, you’ll find that issues are conflated or that information security concerns are pushed aside in favour of more urgent business matters.
ISO 27001 requires you to document the content and results of your management reviews, so someone will need to keep minutes.
This isn’t simply to prove that you’ve been holding meetings. It helps remind you of any topics that came up and the decisions you made regarding them.
Provide a summary
Attendees often find it helpful to have a brief round-up of what was discussed in addition to the minutes, which can be hard to navigate if you’re looking for a summary of a specific issue.
Summaries are best produced soon after the meeting has finished, so the person producing it still has all the information fresh in their mind. They can then circulate the write-up in an email.
Learn more about risk management
Discover what risk management entails with our Certified ISO 27005 ISMS Risk Management Training Course.
In three days, you’ll gain the skills and knowledge needed to implement and maintain a risk management programme based on the best practices outlined in ISO 27005 and other risk management techniques.
Over Half of Organizations Were Successfully Phished in 2019
An annual report into the virulence of phishing scams has found that more than half of organizations dealt with at least one successful phishing attack in 2019.
The 2020 "State of the Phish" report, by cybersecurity and compliance firm Proofpoint, was produced using data from nearly 50 million simulated phishing attacks sent by Proofpoint to end users over a one-year period. In addition, researchers combed through third-party survey responses from more than 600 information security professionals and analyzed the fundamental cybersecurity knowledge of more than 3,500 working adults in the US, Australia, France, Germany, Japan, Spain, and the UK.
Among the key findings, 55 percent of surveyed organizations dealt with at least one successful phishing attack in 2019, and infosecurity professionals reported a high frequency of social engineering attempts across a range of methods.
Other forms of attack reflect cyber-criminals' continued focus on compromising individual end users. Spear-phishing attacks were reported by 88 percent of organizations worldwide, while 86 percent reported business email compromise (BEC) attacks and social media attacks.
Phishing via text/SMS, also known as smishing, struck 84 percent of organizations, while 83 percent reported experiencing voice phishing, or "vishing." Malicious USB drops had caused problems for 81 percent of organizations surveyed.
On a more positive note, the sixth annual "State of the Phish" report revealed that equipping individuals with instructions on how to avoid taking the phishers' bait garnered good results. Seventy-eight percent of organizations reported that security awareness training activities resulted in measurable reductions in phishing susceptibility.
“Effective security awareness training must focus on the issues and behaviors that matter most to an organization’s mission,” said Joe Ferrara, senior vice president and general manager of security awareness training for Proofpoint.
“We recommend taking a people-centric approach to cybersecurity by blending organization-wide awareness training initiatives with targeted, threat-driven education. The goal is to empower users to recognize and report attacks.”
Proofpoint researchers noted an increase in the volume of reported phishing messages and identified a trend toward more targeted, personalized attacks carried out over bulk campaigns.
The volume of reported messages jumped significantly year on year, with end users reporting more than nine million suspicious emails in 2019, an increase of 67 percent over 2018.
Citrix and FireEye have teamed up to provide sysadmins with an IoC scanner that shows whether a Citrix ADC, Gateway or SD-WAN WANOP appliance has been compromised via CVE-2019-19781. Finding evidence of compromise By now it should be widely known that CVE-2019-19781 – aka “Shitrix” – is a real and present danger: exploits for it abound and attackers are using them, while we wait for fixes for all affected devices to be released. Though the … More
The post IoC Scanner shows if Citrix appliances have been compromised via CVE-2019-19781 appeared first on Help Net Security.
New Vancouver Space Becomes One of Six Regional Mastercard Innovation Centers on Thursday unveiled a new computer hub situated in Vancouver, Canada at the restored Old Stock Exchange building where NuData is also based. It is one of six world centers of technology and will develop cyber solutions for the global ecosystem for payments. Certain hubs are based in New York, St. Louis, Mumbai, Dublin and Melbourne, Pune Vadodara.
The payments business has long proactively maintained that the end customer has a positive service by having its merchants protect their websites. “The Vancouver center,” said Sasha Krstic, Canadian president of Master card, “will help us meet the growing demand for technology solutions to reduce the cost of cyber-attacks, enable today’s connected devices to become tomorrow’s secure payment devices, and address the growing vulnerabilities associated with the Internet of Things.”
The contribution by Mastercard is an extra $510 million. “This will make Canada a world leader in cybersecurity and help us tackle the cost of cybercrime in Canada — an estimated $3 billion a year”, said the Minister of Innovation, Science and Industry Navdeep Bains.
The centre, in particular in Vancouver, will boost technology employment with just under 400 new jobs. In the USA, Mastercard is a member of the CyberSecurity Talent Program-a private / public program that lets top safety candidates take off student loans and secure jobs. Since this includes federal participation in the United States, it does not apply in Canada. Nonetheless, Mastercard said, “as the system expands, we are looking for ways to extend into other nations.” When contemplating how the new university center would better use the Canadian expertise. “We’re talking about it absolutely,” the company told.
“Leveraging the tech talent in Vancouver and collaborating with Canadian universities is part of our plans for the center — although, at this stage, we do not have any specific program details to share.” The organization said, however, that the new Center would enable 100 students to be developed, as well as new roles for software engineers, data scientists, project managers, analysts, producers. Mastercard purchased NuData in 2017.
Brighterion, headquartered in San Francisco, protects artificial intelligence and machine learning technologies against real-time fraud and cyber-threats. It was also purchased in 2017 by Mastercard.
In late 2019, Mastercard announced that it had agreed to acquire the risk management company RiskRecon, a salt lake city based on the UT system.
The post Mastercard Opens New Center and Intelligence in Canada appeared first on .
This is new from Reuters:
More than two years ago, Apple told the FBI that it planned to offer users end-to-end encryption when storing their phone data on iCloud, according to one current and three former FBI officials and one current and one former Apple employee.
Under that plan, primarily designed to thwart hackers, Apple would no longer have a key to unlock the encrypted data, meaning it would not be able to turn material over to authorities in a readable form even under court order.
In private talks with Apple soon after, representatives of the FBI's cyber crime agents and its operational technology division objected to the plan, arguing it would deny them the most effective means for gaining evidence against iPhone-using suspects, the government sources said.
When Apple spoke privately to the FBI about its work on phone security the following year, the end-to-end encryption plan had been dropped, according to the six sources. Reuters could not determine why exactly Apple dropped the plan.
The Shlayer trojan accounted for approximately 30 percent of all of Kaspersky Lab’s malware detections for the macOS platform in 2019. Kaspersky Lab revealed on Securelist that Shlayer has been the most common threat to target its macOS userbase for the past two years. During that time, one in 10 of the security firm’s macOS […]… Read More
The post Shlayer Trojan Accounted for 30 Percent of Detections for macOS in 2019 appeared first on The State of Security.
Databases containing 14 years’ worth of customer support logs were publicly accessible with no password protection
The post Microsoft exposed 250 million customer support records appeared first on WeLiveSecurity
Emotet malware alert: The U.S. Cybersecurity and Infrastructure Security Agency says it's been "tracking a spike" in targeted Emotet attacks, and urges all organizations immediately put in place defenses to not just avoid infection, but also detect lateral movement in their networks by hackers.
Cisco has released another batch of security updates and patches for a variety of its offerings, including many of its security solutions. Security fixes for security solutions Among the security holes plugged is CVE-2019-16028, a critical authentication bypass vulnerability affecting the Cisco Firepower Management Center – a device that provides visibility into an organization’s network and allows admis to centrally manage critical Cisco network security solutions. “The vulnerability is due to improper handling of Lightweight … More
The post It’s time to patch your Cisco security solutions again appeared first on Help Net Security.
Citrix has announced that it has teamed up with security researchers at FireEye to produce a free forensic tool which can help your business hints for potential Indicators of Compromise related to the CVE-2019-19781 vulnerability.
Over 2000 WordPress Sites Hit by Malicious Redirects
The number of infections spiked last week, with hackers exploiting vulnerabilities in various plugins, including Simple Fields and the CP Contact Form with PayPal, the security vendor explained in a blog post.
Among the domains registered as part of the campaign are gotosecond2[.]com, adsformarket[.]com, admarketlocation[.]com and admarketresearch[.]xyz.
“We encourage website owners to disable the modification of primary folders block hackers from inserting malicious files or includes as part of WordPress security hardening and security best practices.”
The attackers have also been observed abusing/wp-admin/ features to create fake plugin directories that contain more malware, for example by uploading zip compressed files using the /wp-admin/includes/plugin-install.php file to upload and unzip a compressed fake plugin into /wp-content/plugins/.
The two most common fake plugin directories spotted by Sucuri are /wp-content/plugins/supersociall/supersociall.php and /wp-content/plugins/blockspluginn/blockspluginn.php.
The firm has seen over 2000 infected sites thus far compromised in this campaign.
WordPress is by far the biggest culprit when it comes to hacked website platforms. It accounted for 90% of compromised websites spotted by Sucuri in 2018, up from 83% in 2018. There was a big drop to Magento (4.6%) and Joomla (4.3%) in second and third.
Data on 30,000 Cannabis Users Exposed in Cloud Leak
Tens of thousands of cannabis users in the US have had their personal information leaked by a misconfigured cloud bucket, according to researchers.
Over 85,000 files including more than 30,000 records with sensitive personally identifiable information (PII) were exposed when software firm THSuite apparently left an Amazon Web Services (AWS) S3 bucket unsecured.
THSuite provides software that helps cannabis dispensaries collect the large volumes of sensitive user info they need to comply with state laws.
At least three clients were affected in the privacy snafu: Amedicanna Dispensary, Bloom Medicinals and Colorado Grow Company.
Exposed PII included names, home and email addresses, dates of birth, phone numbers, medical ID numbers and much more, according to vpnMentor.
As such, the leak affected both medical cannabis users and those who bought the plant for recreational purposes.
“Medical patients have a legal right to keep their medical information private for good reason. Patients whose personal information was leaked may face negative consequences both personally and professionally,” the researchers argued.
“Under HIPAA regulations, it’s a federal crime in the US for any health services provider to expose protected health information (PHI) that could be used to identify an individual.”
The revelations may also harm recreational users, especially if their employer prohibits cannabis use, they continued. The database apparently included scanned copies of government and employee IDs.
From a cybercrime perspective, the data trove would also offer a potentially lucrative opportunity for hackers to craft convincing phishing emails, texts and calls, and launch follow-on identity fraud attempts.
The researchers found the exposed database via a simple scan on December 24 last year. After contacting its owners on December 26 the problem was finally mitigated on January 14 2020.
Cloud misconfigurations like this remain a major source of cyber-related risk for organizations around the world. VpnMentor alone has been able to find millions of user records leaked by the likes of cosmetic giant Yves Rocher, Best Western Hotels and Canadian telco Freedom Mobile.
Be extra careful when looking for a job online, the Internet Crime Complaint Center (IC3) warns: cybercriminals are using fake job listings to trick applicants into sharing their personal and financial information, as well as into sending them substantial sums of money. “While hiring scams have been around for many years, cyber criminals’ emerging use of spoofed websites to harvest PII and steal money shows an increased level of complexity. Criminals often lend credibility to … More
The post Cybercriminals using fake job listings to steal money, info from applicants appeared first on Help Net Security.
Microsoft accidentally internet-exposed 250 million customer support records stored in five misconfigured Elasticsearch databases, for three weeks. While the company rapidly locked them down after being alerted, it's an embarrassing gaff for the technology giant, which has pledged to do better.
UN Wants US Probe into Bezos-Saudi Phone Hack
The United Nations has called for a US-led investigation into the alleged hacking of Jeff Bezos’s mobile phone by the crown prince of Saudi Arabia, Mohammed bin Salman.
The bombshell allegations, which broke on Wednesday, suggest that spyware was deployed via an MP4 file sent from a WhatsApp account belonging to the prince. The two had apparently met and exchanged phone numbers a month before the alleged attack on May 1 2018.
According to the analysis by UN special rapporteurs Agnes Callamard and David Kaye, “massive and unprecedented” exfiltration of data followed the initial spyware deployment, with data egress from the device jumping suddenly by 29,156% to 126 MB and then continuing undetected for months after.
“The forensic analysis assessed that the intrusion likely was undertaken through the use of a prominent spyware product identified in other Saudi surveillance cases, such as the NSO Group's Pegasus-3 malware, a product widely reported to have been purchased and deployed by Saudi officials,” the UN analysis continued.
“This would be consistent with other information. For instance, the use of WhatsApp as a platform to enable installation of Pegasus onto devices has been well-documented and is the subject of a lawsuit by Facebook/WhatsApp against NSO Group.”
The NSO Group has “unequivocally” denied the claims.
It’s claimed that the Saudis targeted the world’s richest man Bezos because of his ownership of the Washington Post, whose columnist Jamal Khashoggi wrote in highly critical terms of the crown prince. He is believed to have been assassinated on a visit to the Saudi embassy in Turkey on October 2 2018.
In November 2018 and February 2019, the crown prince’s WhatsApp account is also said to have sent messages revealing details of Bezos’s affair, months before it became public knowledge.
“The information we have received suggests the possible involvement of the crown prince in surveillance of Mr. Bezos, in an effort to influence, if not silence, The Washington Post's reporting on Saudi Arabia,” argued the special rapporteurs.
“The alleged hacking of Mr. Bezos's phone, and those of others, demands immediate investigation by US and other relevant authorities, including investigation of the continuous, multi-year, direct and personal involvement of the crown prince in efforts to target perceived opponents.”
The case also highlights the devastating impact of legitimate cross-border spyware sales from private companies to authoritarian governments, the UN argued.
“Surveillance through digital means must be subjected to the most rigorous control, including by judicial authorities and national and international export control regimes, to protect against the ease of its abuse,” it said.
“It underscores the pressing need for a moratorium on the global sale and transfer of private surveillance technology.”
It will be some cause for concern for Bezos and his personal security team that the attack went undetected for so long.
“For high value targets, the best protection is to compartmentalize how apps are used. For example, they might use WhatsApp or Signal for communicating with external contacts, and Teams for communicating with internals,” argued F-Secure principal researcher, Jarno Niemelä.
“It makes sense to separate use by device, I recommend communicating with external contacts with a different device to the one that you use for handling critical matters such as 2 factor authentication apps. It is also important to review application permissions regularly to deny access to apps that have fallen out of use.”
A hospital gets hacked because of an ex-employee’s grudge, robocalls are on the rise, and we share a scary story about the future of facial recognition.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Michael Hucks.
An expert discovered that over 250 million Microsoft customer support records might have been exposed along with some personally identifiable information.
The popular researcher Bob Diachenko found an unprotected database containing over 250 million customer support records along with some personally identifiable information. The unprotected archive was containing support requests submitted to the tech giant from 2005 to December 2019.
“Today, we concluded an investigation into a misconfiguration of an internal customer support database used for Microsoft support case analytics.” reads the post published by Microsoft. “While the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable.”
Microsoft confirmed that Customer Service and Support” (CSS) records were exposed online due to a misconfigured server containing logs of conversations between the support team and its customers.
Microsoft secured the database on December 31, 2019, it also added that it is not aware of malicious use of the data.
Microsoft explained that the database was redacted using automated tools to remove the personally identifiable information of its customers, but in some sporadic cases, this information was not removed because there was not a standard format.
- Customer email addresses
- IP addresses
- Descriptions of CSS claims and cases
- Microsoft support agent emails
- Case numbers, resolutions, and remarks
- Internal notes marked as “confidential”
“Tech support scams entail a scammer contacting users and pretending to be a Microsoft support representative. These types of scams are quite prevalent, and even when scammers don’t have any personal information about their targets, they often impersonate Microsoft staff. Microsoft Windows is, after all, the most popular operating system in the world.”
Technical support logs frequently expose VIP clients, their internal architectures, such kind of data could be used by cyber criminals to compromise the customers’ systems.
The company started notifying impacted customers, below the timeline of the data leak:
- December 28, 2019 – The databases were indexed by search engine BinaryEdge
- December 29, 2019 – Diachenko discovered the databases and immediately notified Microsoft.
- December 30-31, 2019 – The tech giant secured the servers and data.
Diachenkoand Microsoft continued the investigation and remediation process.
- Jan 21, 2020 – Microsoft disclosed additional details about the exposure as a result of the investigation.
The post 250 Million Microsoft customer support records and PII exposed online appeared first on Security Affairs.